[HELP] Conax

majorge

Registered
Messages
27
Oh noes another Conax thread !:rolleyes:

This one will be a little different, I promise.

After I start let me introduce myself, I'm from Portugal, I know a 'few' things and cracking is my hobby, I have this small project that I want to finish.

Here in Portugal there is one provider that uses Conax CAS7, unfortunately they paired it since 2008.
I started digging and searching and found old methods of recovering the BK key or RSA key (thanks sega24 :thum:), but most of them are outdated and don't work for this kind of box.

So, I started from the beginning.
The box is a Kaon G3 (DVB-C) with 2 processors (BCM3255 and BCM7401), 256MB RAM, 64MB ROM and, most importantly, it runs Linux :D

This distribution to be more exact:
Code:
Linux (none) 2.6.12-4.2-brcmstb #3 Fri Aug 14 18:53:18 KST 2009 7403a0

So after messing with the box I could connect using telnet and get a root shell. :rolleyes:

I dumped the RAM and the file system, but there is no evidence of RSA keys.

I found one binary that is executed at the beginning and is responsible for everything. I'm analyzing it right now (size 8MB).

So I started this thread in the hope that anyone with experience with Conax could help me, because if I have code execution it must be easy, right? :D

Thanks
 

njunwa wamavoko

Registered
Messages
8
Open the box and connect the JTAG interface on the decoder to your PC using a JTAG cable, and use JTAG software to get a flash dump.
After that, open it with a hex editor and get your RSA keys :thum:
 

majorge

Registered
Messages
27
I'm afraid it is not so simple.
I have access using the dd command, but I don't know what to look for.
 

klivo

Banned
Messages
211
Can you send me this dump? A few years back I found the AU RSA for a friend in Portugal and afterwards decrypted the ECM RSA.
 

majorge

Registered
Messages
27
Last updates:

The kernel is too old :(
I can't run GDB, FTPd or SSH.
There isn't any relevant information in the memory, and searching 256MB is a blind shot. I'm a little out of options.

Is it possible to calculate the RSA key using ECM logs, or by reading the card with an external reader?

I have a little experience with Nagra 3 cards, but Conax is new to me.
 

klivo

Banned
Messages
211
I answered you via PM. Your provider uses HW pairing, not RSA!!
 

zia9355420

Registered
Messages
6
Dear Klivo, you know this method. Please PM me.

How to send ECM to a dishtv Conax card in a Dreambox and how to get the RSA keys? Please send the software and procedure by PM. I want to try this new method.

Thanks
 

drakker

Banned
Messages
2
Dear Klivo, you know this method. Please PM me.

How to send ECM to a digitalb hd Conax card in a Dreambox and how to get the RSA keys? Please send the software and procedure by PM. I want to try this new method.
 

klivo

Banned
Messages
211
For all:

Conax uses 3 types of pairing at the moment:

1. very old RSA - dish tv sd, and old N-ka card
2. HW pairing - Digitalbania, T-Home, dish hd etc.
3. AES pairing - VIP croatia

It is the same as with cars: one uses petrol, the second diesel and the third gas or power.

BTW: I am not a teacher of hacking, I have nothing for this!!!
 

md.rokon

Registered
Messages
5
help

Dear sir, klivo
dish tv recharge now. change RSA new key. or star mark 32 digit change. input rsa key input dreambox but not done. so.. how to input 32 digit key??


 

erhatic

Banned
Messages
23
no. klivo worked many days for me but no result. he wants money first but no feedback.

Hmm, this is not correct from you!!
Klivo is my friend and he has a solution for the last attack of your provider. He made a trial oscam for you, with only dvb-api supported, and told you: "This oscam is only for you and is free. If you want oscam for your commercial server on dm500 with 100 users, you must pay!!"

This is all ..
 

#//cc'prime

Registered
Messages
25
yes, for you and so be it

for others solution is very easy
just change public key in oscam and don't pay any cheater like klivo
the same like calc rsa from ecm is still possible the same way cards still works fine in CS
like i say, just change public key in oscam
do it by yourself - for free :)
 

sweetymeety45

Registered
Messages
45
hi

how to change public key in oscam please pm me
 

erhatic

Banned
Messages
23
Public key in oscam? What have you been drinking? Oscam is only a card reader, and the RSA key you can paste in the config section.
 