RAS encryption

Francescone

Member
Messages
686
Any chance to get RAS encrypted broadcasts? It could seem not so difficult because RAS user keys are based on a 7-digit number, so it seems similar to BISS but simpler. Anyway, I don't know if RAS is based on common scrambling like BISS... and I don't know about possible tools to get keys from recorded TS files. Please help.
 

Francescone

Member
Messages
686
RAS IS THE OLD CONDITIONAL ACCESS SYSTEM
Well, not so old I'm afraid. You know, RAS is actually used by some broadcasters for customized football and other sports feeds (not international signals), probably because no one is interested anymore in this "old" system. I will appreciate any possible information about possible viewing. Thanks.
 
Messages
1,064
I have seen RAS encrypted feeds at 12.5W this week with 7200 and 14400sr. Also sometimes Italian feeds at 8W encrypted with RAS too. So yes it would be great if we can find a way to decrypt it.
 

Francescone

Member
Messages
686
Right. I was referring exactly to those feeds. Not only this week... also in the past, and probably in the near future as far as I know. As I said, I don't know if the 7-digit RAS key is in the TS signal. Does any user have more info? Thanks.
 

kebien

Registered
Messages
1,329
I think RAS doesn't use an ECM, but why don't you record the full TS of those feeds to analyze them and see what it's about?
 

Francescone

Member
Messages
686
Yes, full TS recording seems a very good idea. I have one TBS5925 so I can try to record as soon as I find a feed. But once I got my TS file, I don't know how to analyze it to find useful information. Could you please help? Thanks.
 

serkanguzel

Registered
Messages
1,442
Vplug doesn't log:

Code:
+-------------------------------------------------+
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loading Cryptoworks.mdl ...
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loaded module: Cryptoworks.mdl, Version: V 1.0, Author: DebugProcess
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loading Irdeto.mdl ...
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loaded module: Irdeto.mdl, Version: V 1.1, Author: V
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loading nagra.mdl ...
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loaded module: nagra.mdl, Version: V 1.8, Author: V
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loading ***.mdl ...
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loaded module: ***.mdl, Version: V 1.1, Author: V
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loading PowerVu.mdl ...
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loaded module: PowerVu.mdl, Version: V 1.4, Author: PowerVU CSA Test
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loading Seca.mdl ...
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loaded module: Seca.mdl, Version: V 1.3, Author: V
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loading Viaccess.mdl ...
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Loaded module: Viaccess.mdl, Version: V 1.4, Author: DebugProcess
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - v_keys.db'deki key sayisi: 1008
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - v_sids.db'deki satir sayisi: 4190
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - dvbdream.exe 2.7.4.0 - vPlug2.4.6
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - vPlug's location: C:\dvbdream\Plugins\pip00\
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - Working dir: C:\dvbdream\Plugins\pip00\
[29.11.2015 17:48:37] - dvbdream2.7.4.0: - MD-API Version 03.00 - 1.06 [MD-API]
[29.11.2015 17:48:38] - dvbdream2.7.4.0:NG WILD HD - freq=12468, tp_id=$A4DC, SID=$3C28, PMT=$0020
[29.11.2015 17:48:38] - dvbdream2.7.4.0:NG WILD HD - Cached ECM-PID:-1($FFFFFFFF)
[29.11.2015 17:48:38] - dvbdream2.7.4.0:NG WILD HD - IgnoreThisCAID: $FFFF
[29.11.2015 17:48:38] - dvbdream2.7.4.0:NG WILD HD - IgnoreThisCAID: $FFFF
[29.11.2015 17:48:38] - dvbdream2.7.4.0:NG WILD HD - >Pid: $1FFF Ignored!
[29.11.2015 17:48:38] - dvbdream2.7.4.0:NG WILD HD - freq=12468, tp_id=$A4DC, SID=$3C28, PMT=$0020
[29.11.2015 17:48:38] - dvbdream2.7.4.0:NG WILD HD - Cached ECM-PID:-1($FFFFFFFF)
[29.11.2015 17:48:38] - dvbdream2.7.4.0:NG WILD HD - IgnoreThisCAID: $FFFF
[29.11.2015 17:48:38] - dvbdream2.7.4.0:NG WILD HD - IgnoreThisCAID: $FFFF
[29.11.2015 17:48:38] - dvbdream2.7.4.0:NG WILD HD - >Pid: $1FFF Ignored!
[29.11.2015 17:53:15] - dvbdream2.7.4.0:NG WILD HD - ECM-PID aktive ediliyor: $1FFF
[29.11.2015 17:53:15] - dvbdream2.7.4.0:NG WILD HD - IgnoreThisCAID: $FFFF
[29.11.2015 17:53:15] - dvbdream2.7.4.0:NG WILD HD - >Pid: $1FFF Ignored!
[29.11.2015 17:53:15] - dvbdream2.7.4.0:NG WILD HD - v_sids.db'deki satir sayisi: 4191
[29.11.2015 17:53:15] - dvbdream2.7.4.0:NG WILD HD - Adding new ecm-pid=8191($1FFF) to v_sids.db
[29.11.2015 17:53:37] - dvbdream2.7.4.0:NG WILD HD - Change in files has been detected.
[29.11.2015 17:53:37] - dvbdream2.7.4.0:NG WILD HD - v_keys.db'deki key sayisi: 1008
[29.11.2015 17:53:37] - dvbdream2.7.4.0:NG WILD HD - v_
 

kebien

Registered
Messages
1,329
Of course it won't log, I already told you I suspected RAS does not send ECM, so it actually works with a single key per session, similar to BISS.

Log the FULL TS, as in RECORD IT WITH ALL DATA, RAW, so we have a chance to analyze it.
My suspicion continues that this system is the same as BISS, but instead of CSA it uses DES video.
How large is the key?
Anyway, start with a good recording, post it here.
 

serkanguzel

Registered
Messages
1,442
Of course it won't log, I already told you I suspected RAS does not send ECM, so it actually works with a single key per session, similar to BISS.

Log the FULL TS, as in RECORD IT WITH ALL DATA, RAW, so we have a chance to analyze it.
My suspicion continues that this system is the same as BISS, but instead of CSA it uses DES video.
How large is the key?
Anyway, start with a good recording, post it here.

Full TS records, 2 minutes:


With DVB Dream v2.7.4
http://s6.dosya.tc/server4/goukqa/D_HD_12468_H_9580_20151129_1848_VPID_4400.rar.html


With ProgDVB Pro v6.51.7
http://s6.dosya.tc/server4/tbovk1/12468_H_9580.rar.html


With Transedit v4.1.0.0
http://s6.dosya.tc/server4/of4lp2/42E_12468_H_11-29_19-07-08.rar.html
 

kebien

Registered
Messages
1,329
Ok, thanks.

This is CAT
09 04 0C 00 E0 C0 DD 18 A9 35
Assuming CA id is 0x0C00 (NTL RAS)
EMM pid should be right after 0x00C0 but is not present in TS.
PMT doesn't show any ECM pid.
It is clearly using a single key per session.

Now the complicated part: since it is said the key is 7 bytes, and nobody knows the algorithm it uses, a lot of guesswork is involved.

Assuming the video packets follow the standard structure, you could start thinking you can get crypt8, but not knowing in which way it is encrypted opens up a lot of possibilities.
If it were using CSA, rainbow or cudabiss could find a control word, but if it is using DES, there is no tool to bruteforce a key.
 
Last edited:
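The CA descriptor bytes quoted in the post above, decoded field by field per ISO/IEC 13818-1, as an added example that is not part of the original thread. It assumes the ten quoted bytes are the tail of the CAT section (descriptor loop followed by the 4-byte CRC_32); the function and class names are hypothetical.

```python
"""Decode CA_descriptor entries (tag 0x09, ISO/IEC 13818-1) from the tail of a CAT section."""
from __future__ import annotations
from dataclasses import dataclass

CA_DESCRIPTOR_TAG = 0x09
CRC_LEN = 4  # a PSI section with section_syntax_indicator=1 ends in CRC_32


@dataclass
class CADescriptor:
    ca_system_id: int    # 16-bit CA_system_ID
    ca_pid: int          # 13-bit CA_PID (in a CAT, the PID signalled for EMMs)
    private_data: bytes  # any bytes after the four fixed ones


def parse_ca_descriptors(loop: bytes) -> list[CADescriptor]:
    """Walk a descriptor loop and return every CA_descriptor found."""
    found, pos = [], 0
    while pos < len(loop):
        if pos + 2 > len(loop):
            raise ValueError(f"truncated descriptor header at offset {pos}")
        tag, length = loop[pos], loop[pos + 1]
        body = loop[pos + 2 : pos + 2 + length]
        if len(body) != length:
            raise ValueError(f"descriptor 0x{tag:02X} at offset {pos} overruns the loop")
        if tag == CA_DESCRIPTOR_TAG:
            if length < 4:
                raise ValueError("CA_descriptor shorter than 4 bytes")
            system_id = int.from_bytes(body[0:2], "big")
            pid = int.from_bytes(body[2:4], "big") & 0x1FFF  # drop 3 reserved bits
            found.append(CADescriptor(system_id, pid, bytes(body[4:])))
        pos += 2 + length
    return found


def parse_cat_tail(tail: bytes) -> tuple[list[CADescriptor], int]:
    """Split 'descriptor loop + CRC_32' and return (descriptors, crc32 value)."""
    if len(tail) < CRC_LEN:
        raise ValueError("too short to contain CRC_32")
    return parse_ca_descriptors(tail[:-CRC_LEN]), int.from_bytes(tail[-CRC_LEN:], "big")


# Bytes quoted in the post; treating the last four as CRC_32 is an assumption.
QUOTED = bytes.fromhex("09 04 0C 00 E0 C0 DD 18 A9 35")

if __name__ == "__main__":
    descs, crc = parse_cat_tail(QUOTED)
    for d in descs:
        print(f"CA_system_ID=0x{d.ca_system_id:04X} CA_PID=0x{d.ca_pid:04X}")
    print(f"CRC_32=0x{crc:08X}")
```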

kebien

Registered
Messages
1,329
Can anyone see if you record long enough you can get a crypt8 out of it?
Keep in mind it is all guesswork, nothing is known about RAS to determine anything.
 

serkanguzel

Registered
Messages
1,442
Can anyone see if you record long enough you can get a crypt8 out of it?
Keep in mind it is all guesswork, nothing is known about RAS to determine anything.

OK. No problem, long record and upload.

How many MB?

4 GB, is it enough? 4 GB. Great when it does not work the CSA.
 

kebien

Registered
Messages
1,329
4GB? I'd say 15 minutes.
See if you can get a crypt8.
Keep in mind you might not find it, or that won't be good for the experiment, but not sure anyone has tried, that I know.
 

harshy

Registered
Messages
736
I believe this encryption and that encryption beginning with T and ending with g also work similarly, but again, without a receiver no one can understand the algorithm.
 

Francescone

Member
Messages
686
Now the complicated part: since it is said the key is 7 bytes, and nobody knows the algorithm it uses, a lot of guesswork is involved.
No, it's not 7 bytes, just 7 digits. I recently saw one person in a broadcast studio entering all parameters in a professional receiver. He inserted frequency, symbol rate... and RAS key. It was just a 7-digit number (not letters), for example 1234567, so I think that just 1 million keys are available. This man told me they receive a different fixed key for each feed, so the operations are exactly like BISS (they enter a fixed key in the receiver), but the key is simpler, and I don't know if the crypt8 method could be used to find the key.
Thank you to all users that provided good TS recordings.
 

Francescone

Member
Messages
686
I forgot to say I don't think that RAS is similar to T******g encryption. T******g does not publish any key, and each receiver must be remotely authorized by the feed provider, and you see any key.
 