Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

Anubis_Ir

these files


there is problem?

Open the `run.bat` file with Notepad; it's a normal text file.
Then change the file names (according to your files) or add new entries.
also this `3` here
poc ts_0100_11141H_28500_prg3.ts 3 out.ts
is important. for prg3 use 3, for prg19 use 19.



If the key doesn't work anymore, record a full .ts and use poc.exe to find the new ecm-key.
 

Anubis_Ir

I can play the posted .ts files (using TSReader's transport stream file loop source)
 

drhans

I've extracted the RAM EMM keys from two consecutive packets on 39°E, encrypted with different ROM EMM keys. Although the encrypted payload is obviously different the decrypted payloads (RAM keys block index 1x) are identical. So perhaps they do not change too often.

Code:
82 70 8A 00  51  17 E3 F0 84 E4 82 FF FD  92 B6 D3.....
82 70 8A 00  52  C5 DE F0 84 E4 82 FF FD  FA F2 0E.....

The question remains. Where are the encrypted ECM keys (normally located in EMM 83 70 40....) to be found?
They are not in the EMM stream nor in the ECM stream. I also checked the Bulcrypt (simulcrypted) EMM stream and they were not there either - although I didn't think they would be!

Has anyone any idea about this?

I logged 12+ hours but no table 83. Maybe they don't send the ECM key at all. The only way to get it might be brute force - we know the decrypted CWs (thanks to Bulcrypt simulcrypt) and we know the encrypted Tandberg CWs from the ECM stream. So it should be possible to crack the DES ECM key. I know DES is considered broken, but it still might take a pretty long time to brute-force the key. I'm not sure how much time it would take, maybe not so much on a fast CUDA GPU.
 

K2TSET

I logged 12+ hours but no table 83. Maybe they don't send the ECM key at all. The only way to get it might be brute force - we know the decrypted CWs (thanks to Bulcrypt simulcrypt) and we know the encrypted Tandberg CWs from the ECM stream. So it should be possible to crack the DES ECM key. I know DES is considered broken, but it still might take a pretty long time to brute-force the key. I'm not sure how much time it would take, maybe not so much on a fast CUDA GPU.

Sure it's possible :)

I think "Hashcat" can do it using CUDA, but I have never tried. DES keys are "only" 56 bit and DES does not have so many rounds, but 2^56 is still a big number to test.

Also it might be possible to make a FPGA for that but it will sure take some time to design such a BF engine, I know there are some open FPGA cores for DES around.
 

merkin

Also, can anyone help me with the structure of the OTA firmware download?
I recorded a PID labelled "Software Download".
_https://mega.nz/#!y5cFnB5T
 

Anubis_Ir

Anubis_Ir thanks :)
But, dvb player down :(
I am testing with SmartDVB
sorry :(

It works fine. You should select the correct sid/program number:



for ts_0100_12689H_28499_prg19.ts, select sid=19
File menu -> Play transport stream DVB file -> Select SID=19
 

ViaHussun

It works fine. You should select the correct sid/program number:



for ts_0100_12689H_28499_prg19.ts, select sid=19
File menu -> Play transport stream DVB file -> Select SID=19



yes add key D0... ;) working :)
perfect ;)
very thanks Anubis_Ir :)



 
Messages
44
Sure it's possible :)

I think "Hashcat" can do it using CUDA, but I have never tried. DES keys are "only" 56 bit and DES does not have so many rounds, but 2^56 is still a big number to test.

Also it might be possible to make a FPGA for that but it will sure take some time to design such a BF engine, I know there are some open FPGA cores for DES around.

I have never seen a Tandberg ECM key that is using the full key space 2^56.
Compare all the 8 ECM keys we have so far and you will see something.
So what is the key space that Tandberg is practically using?
 

djris2

I'm asking because last year Wimbledon on 7E had been using Tandberg for one of the main internal feeds, and I think OBS for the Sochi Olympics too. I hope for the best from you guys :)
 