How found ECM key Tandberg?

dale_para_bajo
@ViaHussun I have seen your PMs; you do not need to send multiple. At most, that only makes me feel that I am being harassed. One PM is enough. I will answer when I have time.

Now, if the question behind all this is to provoke me into releasing any executable, it will not happen any time soon.

I will not go into details, as then I will receive a complaint or ban for "Flaming or any other inappropriate behavior towards other members is not allowed.".

=========================================================
Introduction.

barney2222's video link is perfect for the type of situation when poc.exe finds the key. Nice.

Now let's assume that you really are interested in knowing what is being done, "How found ECM key?", when poc.exe does not help.

Well, the only way I know is to brute-force the solution.

Now you want to read:
What is a Brute-force attack:
https://en.wikipedia.org/wiki/Brute-force_attack

The Protocol Use
https://en.wikipedia.org/wiki/Data_Encryption_Standard

The only purpose of the previous links is to show that understanding what has to be done requires knowledge, which requires many hours of self-learning, which then will allow you to understand a multitude of complex operations.

=============================================================
But you will say: in PowerVU I have this tool.

You feed a -Log of EMMs- > PVHE > and it outputs the -Master Key-

Yes, Colibri's PowerVU analysis was amazing. Thanks. And later the implementation of PVHE by anubis_ir was beautiful, even.

As a result, most of you have collected the wrong or false idea that you can brute-force anything in that simple way. So many of you think: where is that tool, so I can do the same in Tandberg?

I am sorry to tell you that:

a) Finding the encrypted DES block in the Tandberg stream, for which you can then find the clear DES block, is one big problem.
b) Brute-forcing a DES block by itself is another complicated thing.


So in PowerVU you just ask vPlug to record a 20-40 MB log of EMMs. Simple. Finding the DES clear/crypt pair is not that easy. You need to use multiple other tools to get to the different parts that you need, just to be able to identify that crypt/clear pair. If you make a simple mistake in the identification, then your many hours of brute force will produce zero or incorrect results.

=====================================================
Suggestion.
Before you continue to indirectly ask for a tool, first prove yourself useful by recording a TS file and finding a valid clear/crypt DES block of information that you can then try to brute-force.

If you get to that point, then you may require a tool to do DES brute force.

dmr0x
====================================================
Suggestion.
Before you continue to indirectly ask for a tool, first prove yourself useful by recording a TS file and finding a valid clear/crypt DES block of information that you can then try to brute-force.

If you get to that point, then you may require a tool to do DES brute force.


Colibri could have released tools at the start, but instead used it as a learning guide / master class.


You should consider providing a TS sample so everyone can learn or try to understand.

dale_para_bajo
Just for the record: I did try that from the beginning, as I constantly tried to motivate others to join a brute-force project. But in general I was ignored. I know a few did not have the intention to ignore; more like they were afraid to be seen joining forces with someone not wanted. But results are results. My post got no replies of interest.

Just as an example, search for "Coder or Hacker needed for CW-TS analisys". Not a single positive response. In general I was told "not needed". But now you guys seem to want it. :rant:

Now, as you requested, here is the starting point. Let's use JimBizkit's own words:
http://www.sat-universe.com/showpost.php?p=2036683798&postcount=451

gotya
decrypted cw - Dx xx xx xx xx xx xx x0
encrypted cw - 2x xx xx xx xx xx xx 7x

So far I knew how to get all that info which you mentioned.

decrypted cw - DA XX XX 00 33 XX XX 70
encrypted cw - 26 XX XX 27 XX 72 XX 77

Now do we have to use CrypTool to decrypt both the decrypted and encrypted CW to get the ECM key?

dmr0x
So far I knew how to get all that info which you mentioned.

decrypted cw - DA XX XX 00 33 XX XX 70
encrypted cw - 26 XX XX 27 XX 72 XX 77

Now do we have to use CrypTool to decrypt both the decrypted and encrypted CW to get the ECM key?

No, because we are not using the EMM key for this example; the ECM key now needs to be brute-forced using the decrypted and encrypted CW.

If you want to experiment with getting an ECM key using the EMM key, Colibri has a guide on page 1 of the main hacking CA thread. By page 2 you will have an ECM key.

gotya
No, because we are not using the EMM key for this example; the ECM key now needs to be brute-forced using the decrypted and encrypted CW.

If you want to experiment with getting an ECM key using the EMM key, Colibri has a guide on page 1 of the main hacking CA thread. By page 2 you will have an ECM key.

I think on pages 1 and 2 the stream table 0x83 was carrying the ECM key, and with the *.poc tool by JimBizkit and Anubis_Ir it was solved and works at the moment with all feeds.

But channels are different, like Arena Sports 39E, FOX NETWORKS 42E, Caracol Alterno Channel 2 58W, Univision & Unimas 103W and America TV HD 40.5W, that were published lately: the table 0x83 was not carrying the ECM. :confused:

Any idea how to BF the DES of the encrypted and decrypted CW?
decrypted cw - DA XX XX 00 33 XX XX 70
encrypted cw - 26 XX XX 27 XX 72 XX 77

dmr0x
I think on pages 1 and 2 the stream table 0x83 was carrying the ECM key, and with the *.poc tool by JimBizkit and Anubis_Ir it was solved and works at the moment with all feeds.

But channels are different, like Arena Sports 39E, FOX NETWORKS 42E, Caracol Alterno Channel 2 58W, Univision & Unimas 103W and America TV HD 40.5W, that were published lately: the table 0x83 was not carrying the ECM. :confused:

Any idea how to BF the DES of the encrypted and decrypted CW?

Well, yeah, we could have used poc to get the ECM. The point of my example is having to get the key when poc can't be used, when keys aren't being sent.

SatEze
I think on pages 1 and 2 the stream table 0x83 was carrying the ECM key, and with the *.poc tool by JimBizkit and Anubis_Ir it was solved and works at the moment with all feeds.

But channels are different, like Arena Sports 39E, FOX NETWORKS 42E, Caracol Alterno Channel 2 58W, Univision & Unimas 103W and America TV HD 40.5W, that were published lately: the table 0x83 was not carrying the ECM. :confused:

Any idea how to BF the DES of the encrypted and decrypted CW?

I was about to ask the same question.

gotya

It wasn't mentioned here either how to decrypt the encrypted ECM { cracking the DES ECM key }.

Code:
83 70 40 02 7e ff 74 c1 fe 87 28 bd 7b e9 c5 f7 73 f7 ef 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 cf d0 f0 14 e1 12 00 00 16 ab 00 51 ee fb 6b f6 ae c3 3b 77 5d 64 47

I would say the encrypted ECM key is the following: f6 ae c3 3b 77 5d 64 47
and the key index is 31h

Is it correct?
Yes. So the next step is to decrypt it and post the ECM key.
ECM key:
Code:
7B 4B D5 9B 22 7A 61 00
:thum:
The ECM key is correct.
So the next step is to decrypt the ECM to get both CWs.

CWs (almost ;)):
Code:
38 6B 01 23 EF 03 D8 D5
Code:
A8 FD 18 9A 70 71 0C 95
I am just wondering if there is any chance to get the EMM key out of the EMM PID, similar to how it is possible in PowerVU... but I do not see where there could be encrypted 00h bytes.
Almost.
The DES decryption was ok.

======================

I logged 12+ hours but no table 83. Maybe they don't send the ECM key at all. The only way to get it might be brute force: we know the decrypted CWs (thanks to Bulcrypt simulcrypt) and we know the encrypted Tandberg CWs from the ECM stream. So it should be possible to crack the DES ECM key. I know DES is considered broken, but it still might take a pretty long time to brute-force the key. I'm not sure how much time it would take, maybe not so much on a fast CUDA GPU.

xosef1234

@dmr0x & MaRwAn26:
Just take care, I guess your DES encrypted CW is wrong; it should be DB xx xx xx xx xx xx 20.
I cannot verify the decrypted CW.

Anyway, it is still not clear what you are looking for? Everything is explained in the main thread....

dmr0x
@dmr0x & MaRwAn26:
Just take care, I guess your DES encrypted CW is wrong; it should be DB xx xx xx xx xx xx 20.
I cannot verify the decrypted CW.

Anyway, it is still not clear what you are looking for? Everything is explained in the main thread....

The theory to brute-force an ECM key when none are being sent.


decrypted DA xx 56 xx 33 xx 3F xx
encrypted DB xx 27 xx 72 xx 77 xx

Brain fart: offset 0e for the encrypted key start, not 0d. I'm too old for this :)

dale_para_bajo
From some reports there are about 10 channels (keys) left to find. I suggest you make an effort in finding those rather than wasting time seeing if I will ever release a tool. For new keys you need to identify the channels, get logs and post links. Then hope that a champion is willing to break the ice to produce the crypt8.

What is wrong here? You need to understand your problem: what is your objective, what you have vs. what you need to find.

So we have gone from "How found ECM key" to how to BF in less than a page. So you skip finding out what CSA, DES and BF are, and for some of you even the Tandberg description given by Colibri. I know there is not much to do in the forum and you want to learn. But think first if you have the programming skills, the math understanding, know the basics of DVB-S, yes, what EMM and ECM are. Why are there so many PIDs in a TS? What are their uses?

Now, I am not saying you have no chance to learn as others do. I have faith in you guys. You can do it.

But I am saying you picked a very advanced subject to start learning.

Now, as you simplify everything: there is a posted clear and encrypted pair. I have not checked its accuracy. Now the most common question: "how to BF the ____".

Let's say you find that answer. Then what?
What do you have? What do you need?
How will having the encrypted/clear block pair help you?
If you BF, what do you expect to have? How will it help you?

Why can't you answer that? Because you have not taken the time (weeks/months of learning) for the basics. Doing the steps someone else does without knowing, you go in the wrong direction.