Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

Liquor Twát

Senior Member
Messages
160
I don't have such a line in my log text file; pasted file below.
From poc1.2 I know the line is 16AB key, but it is not clear to me with poc1.5 which line is the good key? There are 6 lines with T......

Code:
NO KEYS IN CHAT SECTIONS PLEASE
 

kebien

Well Known Member
Messages
1,329
JimBizkit

Let me make another request. And thank you for the upcoming version.
Would it need a second pass on the emm log in case the 0x83 packet is found at the beginning of the log? I mean before it collects the complete key to decrypt it?
 

JimBizkit

Senior Member
Messages
128
@Liquor Twát
All are good keys. You can add them all. The others are for other channels or not in use at the time, but are present in the emm stream.
The next version will also print the active entitlement of the selected channel.

@kebien
This is actually a bit more difficult, because there may have been different ram keys in use at the time the 83 was received. The 83 can be saved until the ram key is known, but then the decrypted key may be wrong.
 

fiji

Well Known Member
Messages
1,097
Well, I uploaded here, I hope you can access the file.

68.5E_4065_H.ts


Here Is Log 68.5E_4065_H No Keys
Code:
poc 1.5
[Emu] info: FFDecsa parallel mode = 32
[Emu] stream found emm_pid: 1F9
[Emu] got EMM nano tag E3 (EMM_TAG_OAC_COMMAND_DESCRIPTOR) for the first time
[Emu] got EMM nano tag E0 (EMM_TAG_RECEIVER_ALLOCATION_DESCRIPTOR) for the first time
[Emu] got EMM nano tag E4 (EMM_TAG_SECURITY_TABLE_DESCRIPTOR) for the first time
[Emu] Keys found in EMM: nano E4 ram keys 20 to 2F
[Emu] Keys found in EMM: nano E4 ram keys 30 to 3F
[Emu] Keys found in EMM: nano E4 ram keys 0 to F
[Emu] Keys found in EMM: nano E4 ram keys 10 to 1F
[Emu] Keys found in EMM: nano E4 ram keys 20 to 2F
[Emu] Keys found in EMM: nano E4 ram keys 30 to 3F
[Emu] Keys found in EMM: nano E4 ram keys 0 to F
[Emu] Keys found in EMM: nano E4 ram keys 10 to 1F
[Emu] Keys found in EMM: nano E4 ram keys 20 to 2F
[Emu] Keys found in EMM: nano E4 ram keys 30 to 3F
[Emu] Keys found in EMM: nano E4 ram keys 0 to F
[Emu] Keys found in EMM: nano E4 ram keys 10 to 1F
[Emu] Keys found in EMM: nano E4 ram keys 20 to 2F
[Emu] Keys found in EMM: nano E4 ram keys 30 to 3F
[Emu] Keys found in EMM: nano E4 ram keys 0 to F
[Emu] Keys found in EMM: nano E4 ram keys 10 to 1F
[Emu] Keys found in EMM: nano E4 ram keys 20 to 2F
[Emu] Keys found in EMM: nano E4 ram keys 30 to 3F
[Emu] Keys found in EMM: nano E4 ram keys 0 to F

* You may need to record a single channel: Set sources As Channel

* The present ts file was recorded as a transponder

* CNBC CAID Is 1010


milan58

Super VIP
Messages
1,646
42°E NAT GEO WILD HD - freq=12467, tp_id=$A4DC, SID=$3337, PMT=$0B2D
In 10 minutes it changed ProviderID 5 times.
ProviderID: CA,0400CA,4A,4000CA,0100CA-key Index 01
For the experiment, I enrolled in the xy key ECM see the log.
 

kebien

Well Known Member
Messages
1,329
@kebien
this is actually a bit more difficult, because there may have been different ram keys in use, at the time the 83 was received. the 83 can be saved until the ram key is known, but then the decrypted key may be wrong.

Right, I was thinking the base emm key would change after that 0x83 packet, so making a second round would shield a bad key.
You are spot on.
 

JimBizkit

Senior Member
Messages
128
Maybe poc could also put the found RAM-keys in the log?
That way we can see if they are changing over time.
If it says "Keys found in EMM: nano E4 ram keys", the ram keys have changed; it will not log when already known keys are received.
 

ViaHussun

Donating Member
Messages
4,098
105 West



record
https://cid-cf57d3d23638226a.users.storage.live.com/downloadfiles/V1/Zip?authKey=!ADz6hQwcxIQ51mQ

for thanks record bigredmachine230 :thum:

log
Code:
poc 1.5
[Emu] info: FFDecsa parallel mode = 32
[Emu] stream found emm_pid: 1F4
[Emu] stream found pmt pid: 109
[Emu] stream found pcr_pid: 205
[Emu] stream found ecm_pid: 7E4
[Emu] stream found video pid: 205
[Emu] stream found audio pid: 28F
[Emu] stream found audio pid: 299
[Emu] stream found audio pid: 2A3
[Emu] got EMM nano tag E0 (EMM_TAG_RECEIVER_ALLOCATION_DESCRIPTOR) for the first time
[Emu] got EMM nano tag E4 (EMM_TAG_SECURITY_TABLE_DESCRIPTOR) for the first time
[Emu] Keys found in EMM: nano E4 ram keys 0 to F
[Emu] Keys found in EMM: nano E4 ram keys 10 to 1F
[Emu] Keys found in EMM: nano E4 ram keys 20 to 2F
 

kebien

Well Known Member
Messages
1,329
Is this a bad decrypt?
maybe errors in the TS file? (weak signal)

Code:
[Emu] error: TandbergParseEMMNanoTags: pos(43) + 2 + tagLength(1) > length(44)
emm with errors:
82 70 B4 01 DE 1D 9F 01 D8 A4 8E 01 08 00 31 52 
1A F0 2C E0 2A FF 01 00 00 03 00 00 00 00 00 00 
EB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 
DE 1D B5 01 3A D4 8E 01 08 00 31 3F 00 F0 2C 80 
29 FF 01 00 00 03 00 00 60 00 E0 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 01 DE 1D 82 01 
2A 4C E1 01 08 00 31 DA 30 F0 2C E0 2A FF 01 00 
00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 CB 00 00 00 00 00 00 
00 00 00 00 00 00 00 
[Emu] got EMM nano tag C6 (unknown) for the first time
[Emu] got EMM nano tag DD (unknown) for the first time
[Emu] error: TandbergParseEMMNanoTags: pos(16) + 2 + tagLength(163) > length(44)
emm with errors:
82 70 B4 01 DE 1D 82 01 6D 21 E1 01 08 00 31 F8 
63 F0 2C E0 2A FF 01 00 00 03 00 00 00 00 00 00 
00 00 00 00 00 9C 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 C0 00 00 01 
DE 1D 82 01 3D 27 E1 01 1D 00 31 6C 63 F0 2C E0 
00 C6 01 00 00 03 00 00 00 00 00 00 00 DD 00 00 
A3 00 00 00 00 00 00 54 00 00 00 00 00 00 00 00 
00 00 00 16 00 00 00 00 00 00 00 01 DE 1D 82 01 
63 2D E1 8F 08 00 31 57 E3 F0 2C E0 2A FF 01 00 
00 58 00 00 00 00 00 CF 00 00 00 00 00 00 40 00 
00 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 
00 00 CD 80 00 00 00 
[Emu] got EMM nano tag E1 (EMM_TAG_EVENT_ENTITLEMENT_DESCRIPTOR) for the first time
[Emu] Key found in EMM: T FF010000 01 9CFA336D91F166A8
[Emu] got EMM nano tag 39 (unknown) for the first time
[Emu] error: TandbergParseEMMNanoTags: pos(22) + 2 + tagLength(22) > length(44)
emm with errors:
82 70 B4 01 DE 1D 82 01 F6 38 E1 01 08 00 31 F2 
D4 F0 2C E0 2A FF 01 00 00 03 00 00 00 00 F5 00 
00 00 00 00 00 00 00 00 67 00 00 00 67 00 00 00 
00 00 A3 00 00 00 00 00 00 00 00 00 00 00 00 01 
DE 04 82 4C EE 51 E1 01 08 00 31 08 DC F0 2C E1 
12 FF 01 00 00 03 00 00 54 00 9C FA 33 6D 91 F1 
66 A8 00 39 00 00 16 00 A4 00 A3 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 01 F4 1D 75 01 
CC 50 DC 01 08 00 31 17 E3 F0 20 E0 2A FF 01 00 
00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 23 00 00 00 00 00 00 00 00 00 00 00 06 00 
00 00 4D 00 00 00 9F
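
The `TandbergParseEMMNanoTags` errors in the log above are a length check rejecting tag/length/value data that does not fit its buffer, which is what corrupt input from a damaged recording looks like to a parser. The block below is an added example, not code from poc or from any poster: the 1-byte tag, 1-byte length layout is an assumption inferred from the `pos + 2 + tagLength > length` message, and `walk_tlv`, `demo` and the 44-byte buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int    ok;       /* 1 if every tag fit inside the buffer */
    size_t tags;     /* complete tags walked before stopping */
    size_t err_pos;  /* offset of the offending tag when !ok */
    size_t err_len;  /* length it claimed (0 if the length byte is missing) */
} tlv_result;

/* Assumed layout: 1-byte tag, 1-byte length, then `length` value bytes. */
tlv_result walk_tlv(const uint8_t *buf, size_t length)
{
    size_t pos = 0, tags = 0;

    while (pos < length) {
        /* Check the 2-byte header first: with pos 43 of 44, as in the first
         * logged error, the length byte at pos + 1 is already out of range. */
        if (length - pos < 2)
            return (tlv_result){0, tags, pos, 0};
        size_t tag_len = buf[pos + 1];
        /* pos + 2 + tag_len > length, rearranged so it cannot wrap. */
        if (tag_len > length - pos - 2)
            return (tlv_result){0, tags, pos, tag_len};
        tags++;
        pos += 2 + tag_len;
    }
    return (tlv_result){1, tags, 0, 0};
}

/* Constructed 44-byte sample: one tag of first_len bytes, then a second tag
 * header claiming second_len bytes (written only where it fits). */
tlv_result demo(uint8_t first_len, uint8_t second_len)
{
    uint8_t buf[44] = {0};
    size_t next = 2u + first_len;

    buf[0] = 0xE0; buf[1] = first_len;
    if (next < sizeof buf)     buf[next] = 0xDD;
    if (next + 1 < sizeof buf) buf[next + 1] = second_len;
    return walk_tlv(buf, sizeof buf);
}

int main(void)
{
    tlv_result r = demo(14, 163);
    printf("ok=%d tags=%zu pos=%zu len=%zu\n", r.ok, r.tags, r.err_pos, r.err_len);
    return 0;
}
```

`demo(14, 163)` and `demo(41, 1)` reproduce the shape of the second and first logged errors: a tag at offset 16 claiming 163 bytes, and a tag starting on the last byte of the buffer.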
 

ViaHussun

Donating Member
Messages
4,098
Is this a bad decrypt?
maybe errors in the TS file? (weak signal)


what frequency?
 

JimBizkit

Senior Member
Messages
128
poc 1.6

+ now printing active entitlement
+ now supporting raw emm logs (usage: poc emm.bin)
+ now caching unhandled E1 tags until ram keys are received
+ added more permission types


usage:
poc <raw emm stream file>
poc <ts input file> <srvid> <ts output file>


_https://mega.nz/#!UI5lWKhR!o5MGuxtx_ERc3UmMWLladhl5u6DtIHaMvBhDZZoVApE
 

ViaHussun

Donating Member
Messages
4,098
42E 12468 H 9580 DVB S2 8PSK
Nat geo Wild HD

poc 1.6
TS mode
[Emu] info: FFDecsa parallel mode = 32
[Emu] stream found pmt pid: 20
[Emu] stream found pcr_pid: B91
[Emu] stream found ecm_pid: AC9
[Emu] stream found video pid: B91
[Emu] stream found audio pid: BF5
[Emu] stream found emm_pid: 1F4
[Emu] active entitlement: CA
[Emu] got EMM nano tag E0 (EMM_TAG_RECEIVER_ALLOCATION_DESCRIPTOR) for the first time
[Emu] got EMM nano tag E4 (EMM_TAG_SECURITY_TABLE_DESCRIPTOR) for the first time
[Emu] Keys found in EMM: new nano E4 ram keys 30 to 3F
[Emu] Keys found in EMM: new nano E4 ram keys 0 to F
[Emu] Keys found in EMM: new nano E4 ram keys 10 to 1F
[Emu] Keys found in EMM: new nano E4 ram keys 20 to 2F
[Emu] Keys found in EMM: new nano E4 ram keys 30 to 3F
 

JimBizkit

Senior Member
Messages
128
That is the channel number / service id.
You can open the ts file with tsreader or transedit, and it will show you the service ids.
 