Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

drhans

Registered
Messages
116
Wow, this is messed up! The Main.bin contains that GZ archive, starting at offset 0x100, and there it really is: all EMM keys in plain sight in the newly decompressed Main.bin file.

how does one figure this out without Colibri's hints?
 

JimBizkit

Registered
Messages
128
It is not uncommon for firmware images to be compressed.
There are also file-carving tools like binwalk, which will search for and extract files from firmware images/dumps.
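The two posts above describe the same generic firmware-analysis step: a compressed region sits at some offset inside a flat image, and a carving tool finds it by scanning for the compression format's magic bytes and inflating whatever follows. The script below is an added example (not code from this thread or from binwalk) that does exactly that for gzip members, validating each magic-byte hit by actually inflating it so that chance collisions in large images are discarded. It runs on a constructed sample image: a 0x100-byte header containing a decoy magic sequence, followed by a gzip member whose content holds a made-up placeholder line, then padding. The `key_placeholder=` marker and the `DEADBEEF_NOT_A_REAL_KEY` value are invented for the sample; nothing here comes from a real firmware image. The defender-side lesson is the one the first post stumbles on: compression is not protection, and any secret embedded in firmware is readable by whoever holds a copy of the image.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate)

# Constructed sample content; the "key" is a placeholder, not real data.
SAMPLE_PAYLOAD = b"config=1\nkey_placeholder=DEADBEEF_NOT_A_REAL_KEY\n"


def build_sample_image() -> bytes:
    """Construct a toy firmware image that mimics the layout the thread
    describes: a 0x100-byte header, then a gzip archive, then padding.
    The header also carries a decoy magic sequence that is NOT a valid
    member, to show why magic-byte hits must be validated."""
    header = b"HDR" + GZIP_MAGIC
    header += bytes(0x100 - len(header))            # zero-fill to offset 0x100
    archive = gzip.compress(SAMPLE_PAYLOAD, mtime=0)  # mtime=0 keeps output stable
    return header + archive + b"\xff" * 64            # trailing erase-state bytes


def find_gzip_members(blob: bytes):
    """Return [(offset, decompressed_bytes), ...] for every gzip member that
    inflates cleanly inside blob. Candidates come from magic-byte scanning,
    the way carving tools work; each is confirmed by inflating it, because
    three magic bytes alone produce false positives in large images."""
    found = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=31)  # 31 = expect a gzip wrapper
        try:
            data = d.decompress(blob[pos:])
            if d.eof:  # a complete member ended; trailing bytes are in d.unused_data
                found.append((pos, data))
        except zlib.error:
            pass  # magic-byte collision, not a real member (e.g. the decoy)
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return found


def find_plaintext_markers(blob: bytes, marker: bytes):
    """Inflate every embedded gzip member and return the lines that contain
    marker. This is the 'secrets in plain sight' check: if a key marker shows
    up here, the image stores that secret in cleartext under compression."""
    hits = []
    for _offset, data in find_gzip_members(blob):
        for line in data.splitlines():
            if marker in line:
                hits.append(line)
    return hits


if __name__ == "__main__":
    image = build_sample_image()
    for offset, data in find_gzip_members(image):
        print(f"gzip member at offset 0x{offset:X}, {len(data)} bytes inflated")
    for line in find_plaintext_markers(image, b"key_placeholder="):
        print("cleartext marker:", line.decode())
```

The decoy at offset 3 is rejected because its deflate stream fails validation, while the real member at 0x100 inflates with `eof` set; on a real image the same loop would also walk past nested members inside the inflated data if you fed each result back through it.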
 

harshy

Registered
Messages
746
You need to compile it (this is the source code). On a Linux device, or with Cygwin on Windows, you need the gcc and make packages installed; then go to the folder in a command line (shell) and enter
make
and it will compile.

Or just start learning C programming under Linux and you will understand it soon.

I got it working after taking a crash course on Cygwin. Great job, it works brilliantly, plus I learnt how to compile a C file :thum:
 

Anubis_Ir

Registered
Messages
370
- Look at the `missing keys` section. You need the `T 16AB 01 Key`. You can find it in the `_readme.txt` file.
- This key was extracted using poc. Here is its Windows .exe file:
_https://www.sendspace.com/file/7hx3zp

Test it this way:
poc.exe tandberg_ts_0100_12689H_28499_prg19.ts 19 out.ts
poc.exe Tandberg_ts_0100_11141H_28500_prg3.ts 3 out.ts
and then look in its `log.txt` file for
ecm key for entitlement xyz found! (using emm_key_index: zz)
D6 XX XX XX XX XX XX 00 <---- use this ecm key
 

n3ur0

Donating Member
Messages
60
- Look at the `missing keys` section. You need the `T 16AB 01 Key`. You can find it in the `_readme.txt` file.
- This key was extracted using poc. Here is its Windows .exe file:
_https://www.sendspace.com/file/7hx3zp

Test it this way:
poc.exe tandberg_ts_0100_12689H_28499_prg19.ts 19 out.ts
poc.exe Tandberg_ts_0100_11141H_28500_prg3.ts 3 out.ts
and then look in its `log.txt` file for
ecm key for entitlement xyz found! (using emm_key_index: zz)
D6 XX XX XX XX XX XX 00 <---- use this ecm key

After the change, the key should be: D0 6X ... (for ts_0100_11141H_28500 DX01)
Working :)
 

ViaHussun

Donating Member
Messages
4,098
- Look at the `missing keys` section. You need the `T 16AB 01 Key`. You can find it in the `_readme.txt` file.
- This key was extracted using poc. Here is its Windows .exe file:
_https://www.sendspace.com/file/7hx3zp

Test it this way:
poc.exe tandberg_ts_0100_12689H_28499_prg19.ts 19 out.ts
poc.exe Tandberg_ts_0100_11141H_28500_prg3.ts 3 out.ts
and then look in its `log.txt` file for
ecm key for entitlement xyz found! (using emm_key_index: zz)
D6 XX XX XX XX XX XX 00 <---- use this ecm key

Please see: what is the problem?

 

Anubis_Ir

Registered
Messages
370
Do you have these files in the poc.exe directory?
- `ts_0100_12689H_28499_prg19.ts`
- `ts_0100_11141H_28500_prg3.ts`

These files are posted in this topic.
 

n3ur0

Donating Member
Messages
60
ts_0100_11141H_28500_prg3 => 182 MB
ts_0100_12689H_28499_prg19 => 214 MB

The files are OK.
But there is a problem running the file run.bat.

You must manually write:
poc.exe Tandberg_ts_0100_11141H_28500_prg3.ts 1 out.ts

Example: I have the files in folder g:\POC
WIN+R
cmd <enter>
g: <enter>
cd g:\POC <enter>
poc.exe Tandberg_ts_0100_11141H_28500_prg3.ts 1 out.ts <enter>
 

ViaHussun

Donating Member
Messages
4,098
The files are OK.
But there is a problem running the file run.bat.

You must manually write:
poc.exe Tandberg_ts_0100_11141H_28500_prg3.ts 1 out.ts

Example: I have the files in folder g:\POC
WIN+R
cmd <enter>
g: <enter>
cd g:\POC <enter>
poc.exe Tandberg_ts_0100_11141H_28500_prg3.ts 1 out.ts <enter>

Warning:
command syntax is incorrect :(
 

007.4

VIP
Messages
364
I've extracted the RAM EMM keys from two consecutive packets on 39°E, encrypted with different ROM EMM keys. Although the encrypted payloads are obviously different, the decrypted payloads (RAM keys, block index 1x) are identical. So perhaps they do not change too often.

Code:
82 70 8A 00  51  17 E3 F0 84 E4 82 FF FD  92 B6 D3.....

82 70 8A 00  52  C5 DE F0 84 E4 82 FF FD  FA F2 0E.....

The question remains: where are the encrypted ECM keys (normally located in EMM 83 70 40....) to be found?
They are not in the EMM stream nor in the ECM stream. I also checked the Bulcrypt (simulcrypted) EMM stream and they were not there either, although I didn't think they would be!

Has anyone any idea about this?
 