RAS encryption

K2TSET

Registered
Messages
125
Part of Tandberg manual

Multiplexing and Scrambling Functions
The Multiplexer receives packet streams from the Video Compression Module, Audio Encoders and Data Input Module. In addition, the Host Processor generates Service Information (SI) packets which are also fed to the Multiplexer. The Multiplexer generates a transport stream from these packet sources, and inserts NULL packets in the transport stream if no data is available.

The transport stream is fed to the S8489 RAS Scrambling Module which implements the proprietary Remote Authorisation System (RAS 1). This provides an elementary form of security designed simply to prevent open access to the transmitted service. RAS 1 supports two methods of key entry: SNG key mode and fixed link mode.

In SNG key mode, a seven digit key is entered via the front panel controls.

If the receiver is in tracking mode, one key is entered which is programmed into both the encoder and the receiver. If the receiver is in independent mode, two keys have to be entered, one for the encoder and one for the receiver.

In fixed link mode, an eight digit key is assigned by TANDBERG Television and pre-programmed into the encoder and the receiver.
Scrambling is implemented on the PIDs listed in Table 4.1, and can be switched on and off under user control.

(Instruction Manual: evolution 5000 E5500 Mobile Contribution Encoder, Equipment Description, Page 4-11, ST.TM.E10033.3)

Table 4.1: PID Scrambling

Scrambled PIDs
Packet Type     PID (Hex)
Video           0x0134
Audio A         0x0100
Audio B         0x0101
RS-232 Data     0x0102
RS-422 Data     0x0104
Teletext        0x0111

NOT Scrambled PIDs
Packet Type     PID (Hex)
NULL            0x1FFF
PCR             0x1FFE
CA              0x00C0
CAT             0x0001
PAT             0x0000
PMT             0x0020
NIT             0x0010
SDT             0x0011
EIT             0x0012
TDT             0x0014

The output from the RAS Scrambling Module is fed to the Modulator. This is as a synchronous parallel interface using a 204-byte packet format over the Backplane to the internal Modulator Module.
 

K2TSET

Registered
Messages
125
Anyone found something useful in these files? I'm not able to make any deep analysis on my own.

I did download the RAS file in this thread, and if you play it in VLC you will actually see macroblocking over most of the screen, but in the top left corner you will see a bit of normal video now and then.
Since the key is only 7 digits, I would expect some very simple encryption, maybe just some simple XOR of the TS and the key.
 

kebien

Registered
Messages
1,329
RAS FEED KEYS NOT PUBLIC?

You do not read the thread?
Even if there were a public key, you cannot open RAS if you do not know the algorithm it uses to convert the public key into a control word, which in appearance is DES, but who really knows with making tons of tests.

I know of no tool to bruteforce a DES key for RAS
 

K2TSET

Registered
Messages
125
> I know of no tool to bruteforce a DES key for RAS

Are you sure it's DES with 56 bit key?

BISS mode 1 is similar to RAS in that it uses a fixed control word to encrypt the data in the transport stream. Unlike RAS, the scrambling algorithm is non-proprietary, using the DVB Common Scrambling Algorithm to allow interoperability with other manufacturers' encoding/scrambling equipment.

Scroll down to Menu #4.1 and edit the RAS mode (FIXED KEY MODE or DSNG KEY MODE) and the DSNG key (7-digit number)

A 7-digit number is not 56 bits!

10^7 is way less than 2^56
 

harshy

Registered
Messages
746
> Are you sure it's DES with 56 bit key?
>
> BISS mode 1 is similar to RAS in that it uses a fixed control word to encrypt the data in the transport stream. Unlike RAS, the scrambling algorithm is non-proprietary, using the DVB Common Scrambling Algorithm to allow interoperability with other manufacturers' encoding/scrambling equipment.
>
> Scroll down to Menu #4.1 and edit the RAS mode (FIXED KEY MODE or DSNG KEY MODE) and the DSNG key (7-digit number)
>
> A 7-digit number is not 56 bits!
>
> 10^7 is way less than 2^56

Is this crackable then, hopefully it is!
 

K2TSET

Registered
Messages
125
If you look on the file uploaded by

> My master, I took a long recording. 25 - 30 minutes.
>
> Is it possible for you to examine?
> https://mega.nz/#!KYojgTKJ!Dyf0pKiOuhY7O43vDujGwg9uZHCNfV3lH5CdQfId1O4
>
> Thank you in advance for your efforts.

Then if you search for the PID 0x1130 and the Payload Unit Start Indicator in a hex editor you will find:

PID 0x1130
Search 47 51 30

47 51 30 3D -- 01 00 00 00 01 E0 00 00 84 80 05 2D
47 51 30 38 -- 01 00 00 00 01 E0 00 00 84 C0 0A 3D
47 51 30 3E -- 01 00 00 00 01 E0 00 00 84 C0 0A 3D

This indicates unencrypted, and if you see the 01 00 00, that's what a normal brute force will try to look for...
So they need to have modified something on the Program stream; this also explains why I do see the top left corner with a little bit of clean video now and then in VLC.

I tried to demux the TS in tdDemux but it complains about the packets. We will need to try to decode the PS first frame manually to see where it fails in decoding.
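
Added example, not part of the original post: a small Python parser for the 4-byte transport stream header and the PES header behind it, run over the three byte rows quoted above to show which fields the observation rests on. It assumes the bytes after `--` follow the header directly (so `01 00` is a one-byte adaptation field); the 0xFF padding out to 188 bytes is constructed.

```python
SYNC = 0x47
TS_LEN = 188

# Header and leading bytes as quoted in the post; the rest of each packet is constructed.
ROWS = [
    "47 51 30 3D -- 01 00 00 00 01 E0 00 00 84 80 05 2D",
    "47 51 30 38 -- 01 00 00 00 01 E0 00 00 84 C0 0A 3D",
    "47 51 30 3E -- 01 00 00 00 01 E0 00 00 84 C0 0A 3D",
]

def hexrow(row):
    """Turn a hex row into a 188-byte packet, padded with constructed 0xFF filler."""
    raw = bytes.fromhex(row.replace("--", ""))
    return raw + b"\xff" * (TS_LEN - len(raw))

def parse_ts(pkt):
    """Decode the TS header and, on a payload unit start, the PES header."""
    if len(pkt) != TS_LEN or pkt[0] != SYNC:
        raise ValueError("not a 188-byte TS packet")
    info = {
        "pusi": bool(pkt[1] & 0x40),            # payload_unit_start_indicator
        "pid": ((pkt[1] & 0x1F) << 8) | pkt[2],
        "tsc": pkt[3] >> 6,                     # transport_scrambling_control, 0 = clear
        "afc": (pkt[3] >> 4) & 0x3,             # adaptation_field_control
        "cc": pkt[3] & 0x0F,                    # continuity_counter
        "pes": None,
    }
    off = 4
    if info["afc"] & 0x2:                       # adaptation field present: skip it
        off += 1 + pkt[4]
    if not (info["afc"] & 0x1) or off > TS_LEN - 9:
        return info                             # no payload, or no room for a PES header
    p = pkt[off:]
    if info["pusi"] and p[:3] == b"\x00\x00\x01":
        info["pes"] = {
            "stream_id": p[3],                  # 0xE0 = first video stream
            "pes_scrambling": (p[6] >> 4) & 0x3,
            "pts_dts_flags": p[7] >> 6,
            "header_len": p[8],
        }
    return info

def summarize(rows=ROWS):
    return [parse_ts(hexrow(r)) for r in rows]

if __name__ == "__main__":
    for info in summarize():
        print(info)
```

Under that assumption, all three packets carry scrambling-control bits of 00 at both the TS and the PES level, with a well-formed video PES header in the clear.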
 

serkanguzel

Registered
Messages
1,445
> If you look on the file uploaded by
>
> Then if you search for the PID 0x1130 and the Payload Unit Start Indicator in a hex editor you will find:
>
> PID 0x1130
> Search 47 51 30
>
> 47 51 30 3D -- 01 00 00 00 01 E0 00 00 84 80 05 2D
> 47 51 30 38 -- 01 00 00 00 01 E0 00 00 84 C0 0A 3D
> 47 51 30 3E -- 01 00 00 00 01 E0 00 00 84 C0 0A 3D
>
> This indicates unencrypted, and if you see the 01 00 00, that's what a normal brute force will try to look for...
> So they need to have modified something on the Program stream; this also explains why I do see the top left corner with a little bit of clean video now and then in VLC.
>
> I tried to demux the TS in tdDemux but it complains about the packets. We will need to try to decode the PS first frame manually to see where it fails in decoding.

I do not fully understand.

But, if you write in order to do respectively, I try to practice.

Regards.
 

kebien

Registered
Messages
1,329
> Are you sure it's DES with 56 bit key?
>
> BISS mode 1 is similar to RAS in that it uses a fixed control word to encrypt the data in the transport stream. Unlike RAS, the scrambling algorithm is non-proprietary, using the DVB Common Scrambling Algorithm to allow interoperability with other manufacturers' encoding/scrambling equipment.
>
> Scroll down to Menu #4.1 and edit the RAS mode (FIXED KEY MODE or DSNG KEY MODE) and the DSNG key (7-digit number)
>
> A 7-digit number is not 56 bits!
>
> 10^7 is way less than 2^56

What the manual describes is the action of inputting keys into A RAS RECEIVER; it does not mean the control word to decrypt the video is 7 digits.
(It could be, but it is not saying that.)
These 7 digits, we have no idea how they are handled inside the IRD.
I have the impression, and it is only my gut feeling, that these 7 digits are expanded into something else to produce a sort of control word that is either 56 or 64 bits; I doubt they are using a chipset in their receivers that doesn't do CSA or DES.

The only way to analyze this is starting with known clean video packets to see what's in there, then try to reverse the encrypted packets' encryption.
I doubt there are simple XORs.
See here
*************In SNG Key mode, a seven digit key is entered via the front panel on the Encoder. In Fixed Link mode, an 8 digit key is assigned by TANDBERG Television and pre-programmed into the Encoder and IRD. Scrambling can be switched on and off under user control**********
Looks like in fixed mode it uses an 8-digit key

An 8-digit key is 32 bits (half of 64)
7 digits is already 28 bits (half of 56)
Let's just imagine they add an LSB or an MSB to each digit, what does this become?
I mean as a way/exercise of expansion.
That's the first thing I would try to decrypt packets.
 