Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

drhans

Senior Member
Messages
116
Well, the recordings posted do not seem to contain table 83, and one of those doesn't even come with the EMM recorded.
 

$80

Registered
Messages
34
Tandberg uses

Conditional Access

BISS (TT1260/SWO/BISS): BISS Mode 1 & E
RAS 1 (TT1260/SWO/RAS): TANDBERG Television RAS 1 Transport Stream CA protection
RAS 2 (TT1260/SWO/RAS2): TANDBERG Television RAS 2 Transport Stream CA protection
 

vtcc

Senior Member
Messages
102
@ Colibri.DVB

This ts file is encrypted by Tandberg and it airs 24 x 7.
Hope you can find ECM keys. Would like to make tool to hack Tandberg encryption?
@ Anubis_Ir
Would like to make Tandberg plug for DVBViewer and DVB Dream?
 

vtcc

Senior Member
Messages
102
Update
@ Colibri.DVB
_https://mega.nz/#!e9l2nRRb!V1NmJnl9LUNgMjQC8yTl2T2Kyat6R2Okik_nn2082vk
This ts file is encrypted by Tandberg and it airs 24 x 7.
Hope you can find ECM keys. Would like to make tool to hack Tandberg encryption?
@ Anubis_Ir
Would like to make Tandberg plug for DVBViewer and DVB Dream?

Note: it is wrong link last post, it is correct this time
 

kahub

Well Known Member
Messages
517
Active frequencies and sats with Tandberg encrypted channels?? How to test it

We need details for sat, frequencies??

Active frequency is on 42E/12468/H/9580/5/6/S2. 4 channels 24/7 with CAID 1010. I have poor signal because east beam and 5/6. May be good way for record stream.
 

K2TSET

Senior Member
Messages
125
Yes, every one of the 8 DES bytes contains 7 bits (and 1 parity bit).
The 7 bits in the last byte are always 0 (for all 8 ECM keys I have seen).
So it looks like they use only a 2^49 key space for the ECM keys.
Maybe someone has a recorded Tandberg stream (CAID 1010 and EMM tab ID 82 *AND* 83) from a non-Olympic event. So we can see if the key space is only 2^49 for Olympic events or generally.

Found on the web
"DES works by encrypting groups of 64 message bits, which is the same as 16 hexadecimal numbers. To do the encryption, DES uses "keys" where are also apparently 16 hexadecimal numbers long, or apparently 64 bits long. However, every 8th key bit is ignored in the DES algorithm, so that the effective key size is 56 bits. But, in any case, 64 bits (16 hexadecimal digits) is the round number upon which DES is organized."

I did a quick test on an FPGA with an open core taking a 56-bit key in and 64-bit data in/out. To use a sample I did this:

Code:
See Text file Attached

I loaded the above 56-bit key into the DES core on my FPGA and it does output the correct result, so far fine.

Sure, I will need to add many cores to run in parallel on the FPGA. From what I see of the resource use, I think it might be possible to have around 100 cores on the FPGA I use.

The fmax I see is around 200 MHz with a result on every clock, so this will give around 20 Ghash/s, so 2^56 will be around 1000 hours for a full search.

If 2^49, it will be about 8 hours on FPGA.

But we have to be sure the last bits are not used. Recall that in RAS you will type in a 7 digit decimal number, maybe this will fill out the unused bits?

No idea how fast it can be done on a CUDA card, could be nice to test it on the new GTX1080 card.

I will not be able to do more tests on FPGA until mid next week.
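
Added example, not part of any post in this thread: the parity and key-space arithmetic from the post above as a Python check that strips the DES parity bits from sampled keys, finds the bit positions that never vary, and converts the resulting key size to an exhaustive-search time. The sample keys are constructed, all function names are this example's own, and the 20e9 keys/s rate is the post's FPGA estimate.

```python
# Added example. SAMPLE_KEYS are constructed here, not taken from any stream.
FULL56 = (1 << 56) - 1

def odd_parity_ok(key: bytes) -> bool:
    """True if the key is 8 bytes and every byte has odd parity."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def strip_parity(key: bytes) -> int:
    """Drop the low (parity) bit of each byte, leaving the 56 key bits."""
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes")
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value

def constant_mask(keys) -> int:
    """56-bit mask of the positions that hold one value in every sample."""
    and_all, or_all = FULL56, 0
    for k in keys:
        s = strip_parity(k)
        and_all &= s
        or_all |= s
    return FULL56 & ~(or_all & ~and_all)

def effective_bits(keys) -> int:
    """Upper bound on key size in bits; with few samples a bit can look
    constant by chance, so more samples tighten the estimate."""
    return 56 - bin(constant_mask(keys)).count("1")

def hours_to_exhaust(bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key of the given size."""
    return 2 ** bits / keys_per_second / 3600

def make_sample_key(v49: int) -> bytes:
    """Constructed key: 49 free bits, last byte's 7 key bits zero, odd parity."""
    v56, out = v49 << 7, []
    for i in range(8):
        b = ((v56 >> (7 * (7 - i))) & 0x7F) << 1
        out.append(b | (bin(b).count("1") % 2 == 0))
    return bytes(out)

SAMPLE_KEYS = [make_sample_key(v) for v in (0, 2**49 - 1, 0x123456789ABC)]

if __name__ == "__main__":
    bits = effective_bits(SAMPLE_KEYS)
    print("parity ok:", all(odd_parity_ok(k) for k in SAMPLE_KEYS))
    print("effective key bits:", bits)
    for n in (56, bits):
        print(f"2^{n} at 20e9 keys/s: {hours_to_exhaust(n, 20e9):.1f} h")
```

A key generator that is healthy should show no constant positions once enough samples are collected; a non-zero mask is the signal that the usable key size is below DES's nominal 56 bits.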
 

$80

Registered
Messages
34
CUDA is faster, I can calc around 1,8 million keys in 1 hour.
There is a cluster software around for breaking DES. Even Cryptool got a cluster calc inside.

Normal DES is fucked up with a normal GTX 960 anything above with more shaders is welcome. Like dual Titan or quad!

3DES you can also brute force too and also AES! All that depends on your known plaintext.


There is a big attack possible on encrypted CWs for pairing too. It all depends on knowledge.


REMEMBER! DES HAS ONLY 1,8 billion KEYS!
 

natedogg20050

Donating Member
Messages
409
CUDA is faster, I can calc around 1,8 million keys in 1 hour.
There is a cluster software around for breaking DES. Even Cryptool got a cluster calc inside.

Normal DES is fucked up with a normal GTX 960 anything above with more shaders is welcome. Like dual Titan or quad!

3DES you can also brute force too and also AES! All that depends on your known plaintext.


There is a big attack possible on encrypted CWs for pairing too. It all depends on knowledge.


REMEMBER! DES HAS ONLY 1,8 billion KEYS!
CW in Pairing ? for how long would it work 1 H ?
 

dog-man

VIP
Messages
2,395
I must admit that a lot of this just goes over my head, but I have an overclocked GTX 980 Ti waiting to assist if required. :)
 

vtcc

Senior Member
Messages
102
Something wrong with this ts..
Try these ts files
_https://mega.nz/#!ftNkDI7S!4pBxcY9YYKjfT7PNY7tGu4sN_gm2AWbueVcCKMlX7HE
_https://mega.nz/#!mwNhSQ4I!Xn_Ln5xIVYxmh3Ifwtl8DvusU8M-gFCHFkneRrkA1Xs


Update
@ Colibri.DVB
_https://mega.nz/#!mwNhSQ4I!Xn_Ln5xIVYxmh3Ifwtl8DvusU8M-gFCHFkneRrkA1Xs
_https://mega.nz/#!ftNkDI7S!4pBxcY9YYKjfT7PNY7tGu4sN_gm2AWbueVcCKMlX7HE
This ts file is encrypted by Tandberg and it airs 24 x 7.
Hope you can find ECM keys. Would like to make tool to hack Tandberg encryption?


Note: it is wrong link last post, it is correct this time
 