Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

ma1386

Registered
Messages
184
Hi

I have a question why the tandberg keys of fox network @turksat

In some days ago worked in my device but now disabled!!?

The guys said keys still active but not work for me but when published in days ago worked

What's happen to this package?!
 

barney115

Donating Member
Staff member
Administrator
Messages
24,683
Hi

I have a question why the tandberg keys of fox network @turksat

In some days ago worked in my device but now disabled!!?

The guys said keys still active but not work for me but when published in days ago worked

What's happen to this package?!
When keys are posted public do not expect them to last longer than 24hr most times a lot less as we see time and time again with this package :(
 

strong5000

Registered
Messages
367
powervu, tandberg,biss will gone when people keep key posted public . i not understand why some person keep do that always.

here only need solution(tool or way) eoungh .
 

ma1386

Registered
Messages
184
powervu, tandberg,biss will gone when people keep key posted public . i not understand why some person keep do that always.

here only need solution(tool or way) eoungh .


Unfortunately many thing.... goes under ground Cause at end for money!
 

ma1386

Registered
Messages
184
For those who use iks server sharing and enterd tandberg key (FOX NETWORK) in box key OF YOUR DEVICE and not work

It should turn off iks or sds SERVER and refresh the channel

Because these SERVER not allow keys become active!
 

ma1386

Registered
Messages
184
For those who use iks server sharing and enterd tandberg key (FOX NETWORK) in box key OF YOUR DEVICE and not work

It should turn off iks or sds SERVER and refresh the channel

Because these SERVER not allow keys become active!

After turned it off SERVER if it has problem once again turn off device from stb
 
O

ooOO_SORGOS_OOoo

http://www.sat-universe.com/showpost.php?p=2036922977&postcount=16 is its work ?
my receiver vu solo2
vti 13
oscam 11390 and not work

YOU NEED correct conf.

SoftCam.Key add true/correct keys

this is example keys : AABBCCDDEEFF0011

T : SYSTEM
26D5 : PROVIDER ID
01 OR 00 : INDEX
AABBCCDDEEFF0011 : CHANNEL KEY
FOX CRIME HD : definition, description , comment , channel name


if you dont add index your key file,oscam,ncam,mgcamd,cccam,gbox,vplug,fausto or other emu cant read keys.

dont forgetten


Code:
[LIST=1]
[*]T 26D5 01: AABBCCDDEEFF0011 ; FOX CRIME HD

[*]T 26D6 01: AABBCCDDEEFF0011 ; NAT GEO HD

[*]T 26D7 01: AABBCCDDEEFF0011 ; FX HD

[*]T 26D8 01: AABBCCDDEEFF0011 ; NAT GEO PEOPLE HD

[*]T 26D9 01: AABBCCDDEEFF0011 ; 24 KITCHEN HD

[*]T 26DA 01: AABBCCDDEEFF0011 ; FOX LIFE HD

[*]T 26DB 01: AABBCCDDEEFF0011 ; NAT GEO WILD HD

[*]T 26DC 01: AABBCCDDEEFF0011 ; FOX SPORTS HD
[/LIST]
 
O

ooOO_SORGOS_OOoo

For those who use iks server sharing and enterd tandberg key (FOX NETWORK) in box key OF YOUR DEVICE and not work

It should turn off iks or sds SERVER and refresh the channel

Because these SERVER not allow keys become active!

After turned it off SERVER if it has problem once again turn off device from stb



it is not server problem ;)

@lider pls use oscam emu

oscam cant read keys ;)
 

ma1386

Registered
Messages
184
YOU NEED correct conf.

SoftCam.Key add true/correct keys

this is example keys : AABBCCDDEEFF0011

T : SYSTEM
26D5 : PROVIDER ID
01 OR 00 : INDEX
AABBCCDDEEFF0011 : CHANNEL KEY
FOX CRIME HD : definition, description , comment , channel name


if you dont add index your key file,oscam,ncam,mgcamd,cccam,gbox,vplug,fausto or other emu cant read keys.

dont forgetten


Code:
[LIST=1]
[*]T 26D5 01: AABBCCDDEEFF0011 ; FOX CRIME HD

[*]T 26D6 01: AABBCCDDEEFF0011 ; NAT GEO HD

[*]T 26D7 01: AABBCCDDEEFF0011 ; FX HD

[*]T 26D8 01: AABBCCDDEEFF0011 ; NAT GEO PEOPLE HD

[*]T 26D9 01: AABBCCDDEEFF0011 ; 24 KITCHEN HD

[*]T 26DA 01: AABBCCDDEEFF0011 ; FOX LIFE HD

[*]T 26DB 01: AABBCCDDEEFF0011 ; NAT GEO WILD HD

[*]T 26DC 01: AABBCCDDEEFF0011 ; FOX SPORTS HD
[/LIST]


I enterd keys works fine but without connecting to iks server

If you turn on iks SERVER suddenly Miss the channels!

Perhaps iks SERVER use Oscam!
 

cayoenrique

Member
Messages
475
I did stop looking on this 6 month ago. But I wonder if there is something new.

Where we where, 1 year ago Anubis_Ir said:
An update and closing this thread!

ECM: 80702AEC2800000691FFEA5F07BD6131080498F850F70BD5E8E030BC5A859EE877667971D50EDD8893455D17E3
Analysis
- NanoEC, Mode: EA
- AES overencryption ((Mode & 0x20) != 0)
- No fix checksums of CW(CW 64bytes) ((Mode & 0x40) != 0)
- New Mode of descrambler/It's not the normal CSA ((Mode & 0x80) != 0)

Which means it's now something like PowerVU. PowerVU can use both DES(New Mode of descrambler) and CSA(the normal descrambler) for the final stage.

But some other people where looking at:
The problem is mainly AES KEY

Can we at least confirm what this alternative scrambling method is please then I think that’s it.

So I ask on more time:
1) Have any one got lucky on finding Video/Audio scrambling method? I am speakinhg of Anubis_Ir new found ECM type
Code:
ECM: 80702AEC2800000691FFEA5F07BD6131080498F850F70BD5E8E030BC5A859EE877667971D50EDD8893455D17E3

2) What about if anyone re-upload:
_https://mega.nz/#!19AiFKQQ!xdjfQVpreWI4epkXFC-CRlSBg_Qt9pKTsWuBvAASErg

As it was the only ts file people said cw's where rolling. File from post

The 1st byte of the posted AES keys is the actual index of the key and shouldn't be used as part of the actual key.
For example if you have this key
Code:
<Struct N="key#2" V="01XYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYD152"/>
Ignore the first byte (1st 2 characters), Then the actual AES-KEY01 would be XYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXY. And you can get consecutive DCW's with it (which means the algo is correct), but without picture.


@Those who work with `CSA Rainbow tables`. Can you get working CWs of these channels lately?
Can you search these values in tables B8xFF or B8x00? 779B1CA2582FA0F7 and 0FEB5AAE7AC18AD0 for this file
_https://mega.nz/#!19AiFKQQ!xdjfQVpreWI4epkXFC-CRlSBg_Qt9pKTsWuBvAASErg

Thanks ahead
 
Last edited:

cayoenrique

Member
Messages
475
Funny when I use smiles (moticons) they all get deleted or label as spam.

If by gentlemen you are referring to me. Yes, I did quit in May. When I got so many like you fighting on me. Then moderators start deleting my posts. To many situations in just a couple of days.

As I am receiving less complains I thought it was time to ask one more time. Hope not to be wrong.

"AES"
See AES 128 bit is not a challenge as 128 bit BF is in fact unpractical. So I understand if no one is playing with this. But there are facts in the clear text 16 byte message that makes it interesting.

"alternative scrambling method"
This is where some of you should stop using Steroids or stop behave like emotional abusers. Finding alternative scrambling method is a challenge withing grasp. Clearly that old file with rolling cw can make a difference. But we will never know as helping is not in the users with steroids agenda. Again hope I am wrong. Thanks in advance if any repost that file.
 
Last edited:
C

campag5242

I'm taking another look at this after a year or so. To summarise:

1. Anubis_Ir reversed this D5/T3 style EC tag ECM, and with the AES keys that were/are available, we are able to see an encouraging cycling pattern of odd/even CWs.
2. Anubis_Ir was the first to point out that the supplied AES IV might be wrong, and we'd still see the CW cycling pattern. Where did that IV come from? And why the doubt - the rest of the reversing appears perfect?
3. The AV (elementary) streams are not crypted with DVB-CSA / 48 bit key - other cyphers must be tried.

Broadcom 74xx chipsets can use 1DES/3DES/DVB/Multi2/AES

Of those candidate cyphers - and there may be others - 3DES & AES can be rejected as their key is > 64 bits.

I'm assuming that the IV *is* correct, then testing different cyphers on the stream. Test method:

1. I've logged ecms covering one crypto period, and captured payloads marked with the PUSI bit set for the same period.
2. After applying the correct key / cypher, the first 3 bytes of those payloads with PUSI bit set should decrypt to known plaintext 00 00 01.

I've tried CSA with uncorrected checksums, both enc & dec. I've tried DES, enc & dec, ecb & cbc. Doesn't seem to be those, but I might be wrong.

Multi2 is new to me, used in the Japanese digital TV standard ARIB B25. There' a variable number of rounds (but it appears 32 are used in Japan). And an extra system_key, quoted in some literature as the same across all DVB usage (or at least that's how I read it).

Anyone know what the needed multi2 DVB system_key might be?
 

007.4

VIP
Messages
364
Good work.
Have you tried the various tests with checksum corrected CWs?
ie Convert the 64bit CWs produced to 48bit CWs and add back the correct checksums?

EDIT
Scrap that idea. On the channels I looked at, full 64bit CWs are currently employed.
 
Last edited:
C

campag5242

Here's the captured payloads for anyone who wants to play. Relevant ECMs inside the crypto period:
Code:
47 47 D9 1B 00 80 70 2A EC 28 00 00 06 B6 FF E9 71 92 17 6E 82 B3 22 AD 2C 1B 6F 97 3F D8 F0 AA B0 12 D4 62 0B AB 79 FD 1C 25 D9 F9 46 E8 E6 BA 13 8C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
dCWs: 07FB65A624AC0ED4:2A6980590E392A79

47 47 D9 17 00 81 70 2A EC 28 00 00 06 B6 FF E9 F5 FE A4 1E 23 C6 46 3A FB 71 E5 6E A0 CC 98 EB D2 5A 19 BA 14 F5 9B 8C BD CE C2 6C 99 77 7D 23 9D 63 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
dCWs: C87C88A2F80C827F:2A6980590E392A79
Correct CW cycling is observed (IV used is the Anubis_Ir one).

Next, payloads from the video pid with PUSI bit set, & captured between those two ECMs. The first three use the initial even key, second three the odd key.
Code:
47 42 00 97 66 D2 FF 63 98 89 F3 1D CA FA D0 43 1E 9B 3E 0C 95 4E 8C 9D 25 E4 BF 07 EC F1 F2 81 8B 62 65 88 41 FC CB 87 59 47 C5 E0 DF C1 9B F4 FF F3 5F 02 94 86 DC 9B 8A D7 1D 77 20 B9 BE 98 2B 82 6B 8C A6 8B 33 D6 7E AF B9 D5 45 11 DB A7 B8 1D AB 92 C4 FC 3A B4 F7 13 C8 FE 11 75 4F 80 B6 A9 B5 92 AA C9 F0 C1 58 BE 8C 59 28 95 E1 0B F0 3E 8F BE 28 CA CD 42 15 24 CF 27 5F 83 A7 DD 6E 25 9E 77 79 EA CE 53 E9 13 45 F1 6F 6F 58 2D FC 12 55 CD CD B4 AC 50 19 45 D6 98 E0 D3 95 71 0D C6 7E CD E8 53 47 13 46 69 68 84 9B 56 25 17 68 56 F8 54 F2 B3 3E 3F 7F 59 D5 3C
47 42 00 9C 15 13 5F A0 73 83 F8 39 FC C3 4B D6 2A 27 BC 9D 45 22 D3 C4 31 F5 0E B5 0D 07 76 01 6B DB 6F A1 51 74 6E A9 99 D3 CE 88 A5 E1 A2 83 66 3A 42 82 2D D6 DE 08 94 18 34 CD 69 C4 C3 F6 1A E8 3D 9A 50 50 DE 83 27 27 B6 A4 8F F9 16 1C 82 16 2C AB D6 DD 9D A7 2E 20 68 73 0B 48 AD 64 69 59 6C F3 E8 C0 D6 EB 5D 10 B8 5E 4E 5D C2 59 37 4F D7 23 9E 84 A3 2D 84 1E 64 1B DB FE 5A 08 98 60 3E D9 10 80 C0 94 60 B6 CF F3 E7 D5 8E 86 60 66 51 AB A2 AD 27 95 BF FE 8F 82 8D DD FC 7E 8F BE 72 18 A4 21 4B 83 CA D6 36 48 EC 51 4E 53 57 EC 9C 76 7E D5 BF B8 62 3F 18 6F
47 42 00 9E AE 99 AE 25 09 E8 07 BF 32 41 27 12 61 59 58 BE 43 11 88 17 C1 C0 3E 2B EE AC 8E 91 09 92 B3 21 7F DC 74 26 D3 35 D0 66 CA 2C D2 C7 A4 CD 8F E1 99 07 CB 13 EB CF 31 A9 4B 34 EF 2F 0E 26 C0 5B 1D 5C 81 A9 BA F2 49 BC AB E4 45 B5 FE 52 1B 16 E6 9F 3F A4 AB 97 29 4A 01 0A BA CE B1 AF 5B 0F 56 A1 66 BA 7C ED FB 1F 78 C4 EA 1A FF 88 E1 AB 76 07 90 05 33 F5 D1 6B 11 BA 62 02 6F 68 45 51 C9 90 0C 4A 50 29 35 F9 B7 1F 79 32 3F 73 70 14 2E 1D 52 51 28 75 F9 BC 86 F0 31 B3 85 0F 48 33 05 4E DE DE 1B 82 8C A4 9A 73 66 F9 81 3A 96 03 78 1C 52 F5 D1 8A 82 38

47 42 00 DA 70 F5 C0 10 16 1F EE CF 3E 1B DC AE B9 A1 B2 05 D5 00 EA C9 E2 29 EF 68 02 26 EF 8C 46 B3 C0 D1 2F 81 39 5D C7 46 00 13 D8 DF E6 48 C1 E8 32 4A 9F 7A 2D BD 27 B8 63 AD D0 78 97 A4 D3 43 FD 72 9D 16 55 25 2A 5B 4D 67 74 98 5F 1C DB FF 4F E4 B0 A0 F7 58 E3 5E AD EC CA C5 C0 0F 45 B9 69 17 5F 1E 1D A3 37 C5 FC 41 B1 E1 07 CD E0 FC 8F 1B 9C 18 D0 8E F8 F7 B1 4B 82 46 19 C2 FC 89 CF EE C5 7F 7D B7 78 E9 D8 F3 8C 28 5A 33 AF ED 6C 72 CB C8 1C 03 DB C7 DF CA 94 CF F7 0B 48 B0 C0 67 D4 1A 8F E1 6F 33 B0 55 AF 7F 46 7C 6F 3D 58 06 5C 0C 3B E3 9D D6 99 A7
47 42 00 D3 82 58 F8 3E FE 93 30 E3 D4 E9 41 33 B6 76 23 FA 40 DB E6 F7 E3 BE 35 06 E5 61 F6 11 7A 24 4E A6 5A 99 47 83 5F 34 7E 66 E0 64 36 4C 21 02 98 80 B2 96 4F 29 DF E3 38 07 D7 4F 06 01 CF 90 DA 12 A1 B9 85 63 61 94 AA 0E FE 7A E8 D4 4B 4D 30 0F 40 23 BA D5 13 CF 1B 2C D0 DD 08 B4 4B EA DA 73 B7 D4 9E 4E E8 EB DA 14 55 B3 0E 31 9C 48 FE B6 BA 95 1F C7 FF D2 D1 C4 7E 11 E2 9B BF 43 C1 69 06 98 73 A2 6F FA 9B 30 2C D6 10 55 58 0E AB 37 EB 94 21 24 DA 3F D2 ED A1 2E 13 DD 07 A2 AB 92 15 66 49 C7 0C B6 2A 98 5D F7 14 FD 78 24 55 88 EF 1F 0C DA 20 A3 D8 82
47 42 00 DB 2E 93 D1 8D 20 F1 D2 DF D2 45 B6 18 CC 29 8A E7 23 B1 B9 64 62 B0 C7 AF 1C 93 C4 96 0E 71 08 B5 CE D4 85 2F 60 51 09 70 BA 1E 41 D3 A3 F4 18 3E B0 B9 06 09 1D 80 64 BE 39 8B 9B C4 57 4E DE 09 C1 22 46 9D AA C2 71 F1 41 55 8D 86 4E F7 BA AF 5D 07 58 56 FA 2A 17 6E 23 D3 29 02 8B 2B CF 4B 1D D2 AA 8D 48 7B 52 3B BE 4F 4D A5 02 E1 B1 49 27 D4 C9 64 90 18 8A 82 85 28 86 AF 88 A0 BE 3B 32 71 55 B8 17 C5 38 70 5B 59 36 61 93 24 6C 11 51 6A FC 19 0A 20 79 C0 7F AF 92 B0 E6 C6 12 2C E9 72 5D E0 03 E0 BB 42 FD 7F DA 86 C4 88 F8 06 89 78 DC 4F 09 54 A1 E4
Iff the AES IV used in decrypting the EC tag ECMs is correct, then using those dCWs with the correct cypher should reveal the first three bytes of all six payloads to be 00 00 01...
 
Top