irdeto2 Algorithm

B

bis

VIP
Messages
5,037
Irdeto Sage Demo Key Calculator - Art
 
#include <psppower.h>
#include <pspkernel.h>
#include <pspdebug.h>
#include <pspctrl.h>
#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <pspdisplay.h>
#include <pspaudiolib.h>
#include <pspaudio.h>
#include <png.h>
#include <pspgu.h>
#include <pspgum.h>
#include <pspsdk.h>
#include <math.h>
#include <malloc.h>
#include <limits.h>
#include "main.h"
#include "graphics.h"
#include "intraFont.h"
#include "pin.h"
#include "phone.h"
PSP_MODULE_INFO("IrdetoSage", 0, 1, 1);
PSP_MAIN_THREAD_ATTR(0);
sample_t* loop_buffer; //
short mic_level; //
int sam; //
int samsel; //
int samlock; //
int ssel; //
int step; // step counter
int alga; //
int algb; //
int algc; //
int del; // delay
int running; // program running flag
char fillerx[120]; //
char filler[120]; //
char fillerb[120]; //
u8 temp; //
unsigned int i; //
u8 HMK[9]; // 10 byte hex master key
u8 HMKX[9]; // 10 byte hex master key copy
u8 MK[7]; // 8 byte key EMK => PMK
u8 work; // work byte
int parity; // odd / even status flag
u8 hasha[256] = {
0xDA, 0x26, 0xE8, 0x72, 0x11, 0x52, 0x3E, 0x46,
0x32, 0xFF, 0x8C, 0x1E, 0xA7, 0xBE, 0x2C, 0x29,
0x5F, 0x86, 0x7E, 0x75, 0x0A, 0x08, 0xA5, 0x21,
0x61, 0xFB, 0x7A, 0x58, 0x60, 0xF7, 0x81, 0x4F,
0xE4, 0xFC, 0xDF, 0xB1, 0xBB, 0x6A, 0x02, 0xB3,
0x0B, 0x6E, 0x5D, 0x5C, 0xD5, 0xCF, 0xCA, 0x2A,
0x14, 0xB7, 0x90, 0xF3, 0xD9, 0x37, 0x3A, 0x59,
0x44, 0x69, 0xC9, 0x78, 0x30, 0x16, 0x39, 0x9A,
0x0D, 0x05, 0x1F, 0x8B, 0x5E, 0xEE, 0x1B, 0xC4,
0x76, 0x43, 0xBD, 0xEB, 0x42, 0xEF, 0xF9, 0xD0,
0x4D, 0xE3, 0xF4, 0x57, 0x56, 0xA3, 0x0F, 0xA6,
0x50, 0xFD, 0xDE, 0xD2, 0x80, 0x4C, 0xD3, 0xCB,
0xF8, 0x49, 0x8F, 0x22, 0x71, 0x84, 0x33, 0xE0,
0x47, 0xC2, 0x93, 0xBC, 0x7C, 0x3B, 0x9C, 0x7D,
0xEC, 0xC3, 0xF1, 0x89, 0xCE, 0x98, 0xA2, 0xE1,
0xC1, 0xF2, 0x27, 0x12, 0x01, 0xEA, 0xE5, 0x9B,
0x25, 0x87, 0x96, 0x7B, 0x34, 0x45, 0xAD, 0xD1,
0xB5, 0xDB, 0x83, 0x55, 0xB0, 0x9E, 0x19, 0xD7,
0x17, 0xC6, 0x35, 0xD8, 0xF0, 0xAE, 0xD4, 0x2B,
0x1D, 0xA0, 0x99, 0x8A, 0x15, 0x00, 0xAF, 0x2D,
0x09, 0xA8, 0xF5, 0x6C, 0xA1, 0x63, 0x67, 0x51,
0x3C, 0xB2, 0xC0, 0xED, 0x94, 0x03, 0x6F, 0xBA,
0x3F, 0x4E, 0x62, 0x92, 0x85, 0xDD, 0xAB, 0xFE,
0x10, 0x2E, 0x68, 0x65, 0xE7, 0x04, 0xF6, 0x0C,
0x20, 0x1C, 0xA9, 0x53, 0x40, 0x77, 0x2F, 0xA4,
0xFA, 0x6D, 0x73, 0x28, 0xE2, 0xCD, 0x79, 0xC8,
0x97, 0x66, 0x8E, 0x82, 0x74, 0x06, 0xC7, 0x88,
0x1A, 0x4A, 0x6B, 0xCC, 0x41, 0xE9, 0x9D, 0xB8,
0x23, 0x9F, 0x3D, 0xBF, 0x8D, 0x95, 0xC5, 0x13,
0xB9, 0x24, 0x5A, 0xDC, 0x64, 0x18, 0x38, 0x91,
0x7F, 0x5B, 0x70, 0x54, 0x07, 0xB6, 0x4B, 0x0E,
0x36, 0xAC, 0x31, 0xE6, 0xD6, 0x48, 0xAA, 0xB4};
u8 hashb[256] = {
0x8E, 0xD5, 0x32, 0x53, 0x4B, 0x18, 0x7F, 0x95,
0xBE, 0x30, 0xF3, 0xE0, 0x22, 0xE1, 0x68, 0x90,
0x82, 0xC8, 0xA8, 0x57, 0x21, 0xC5, 0x38, 0x73,
0x61, 0x5D, 0x5A, 0xD6, 0x60, 0xB7, 0x48, 0x70,
0x2B, 0x7A, 0x1D, 0xD1, 0xB1, 0xEC, 0x7C, 0xAA,
0x2F, 0x1F, 0x37, 0x58, 0x72, 0x88, 0xFF, 0x87,
0x1C, 0xCB, 0x00, 0xE6, 0x4E, 0xAB, 0xEB, 0xB3,
0xF7, 0x59, 0x71, 0x6A, 0x64, 0x2A, 0x55, 0x4D,
0xFC, 0xC0, 0x51, 0x01, 0x2D, 0xC4, 0x54, 0xE2,
0x9F, 0x26, 0x16, 0x27, 0xF2, 0x9C, 0x86, 0x11,
0x05, 0x29, 0xA2, 0x78, 0x49, 0xB2, 0xA6, 0xCA,
0x96, 0xE5, 0x33, 0x3F, 0x46, 0xBA, 0xD0, 0xBB,
0x5F, 0x84, 0x98, 0xE4, 0xF9, 0x0A, 0x62, 0xEE,
0xF6, 0xCF, 0x94, 0xF0, 0xEA, 0x1E, 0xBF, 0x07,
0x9B, 0xD9, 0xE9, 0x74, 0xC6, 0xA4, 0xB9, 0x56,
0x3E, 0xDB, 0xC7, 0x15, 0xE3, 0x80, 0xD7, 0xED,
0xEF, 0x13, 0xAC, 0xA1, 0x91, 0xC2, 0x89, 0x5B,
0x08, 0x0B, 0x4C, 0x02, 0x3A, 0x5C, 0xA9, 0x3B,
0xCE, 0x6B, 0xA7, 0xE7, 0xCD, 0x7B, 0xA0, 0x47,
0x09, 0x6D, 0xF8, 0xF1, 0x8B, 0xB0, 0x12, 0x42,
0x4A, 0x9A, 0x17, 0xB4, 0x7E, 0xAD, 0xFE, 0xFD,
0x2C, 0xD3, 0xF4, 0xB6, 0xA3, 0xFA, 0xDF, 0xB8,
0xD4, 0xDA, 0x0F, 0x50, 0x93, 0x66, 0x6C, 0x20,
0xD8, 0x8A, 0xDD, 0x31, 0x1A, 0x8C, 0x06, 0xD2,
0x44, 0xE8, 0x23, 0x43, 0x6E, 0x10, 0x69, 0x36,
0xBC, 0x19, 0x8D, 0x24, 0x81, 0x14, 0x40, 0xC9,
0x6F, 0x2E, 0x45, 0x52, 0x41, 0x92, 0x34, 0xFB,
0x5E, 0x0D, 0xF5, 0x76, 0x25, 0x77, 0x63, 0x65,
0xAF, 0x4F, 0xCC, 0x03, 0x9D, 0x0C, 0x28, 0x39,
0x85, 0xDE, 0xB5, 0x7D, 0x67, 0x83, 0xBD, 0xC3,
0xDC, 0x3C, 0xAE, 0x99, 0x04, 0x75, 0x8F, 0x97,
0xC1, 0xA5, 0x9E, 0x35, 0x0E, 0x3D, 0x1B, 0x79};
void printgreen(void);
void printgreenX(void);
void printscreen(void);
void algostep(void);
void audioLoopStop(void);
void rotateright(void);
void rotateleft(void);
void decryptEMK(void);
void encryptPMK(void);
intraFont* ltn8;
void audioOutputLoopCallback(void* buf, unsigned int length, void *userdata) {
sample_t* ubuf = (sample_t*) buf;
int i;
if (samlock == 1) {
if (samsel == 1) {
for (i = 0; i < 1024; i++) {
ubuf.l = pin[sam+1] + (pin[sam]*256);
ubuf.r = ubuf.l;
sam++;
sam++;
if (sam > 97009) {
ubuf.l = 0;
ubuf.r = 0;
samlock = 0;
}
}
}
if (samsel == 2) {
for (i = 0; i < 1024; i++) {
ubuf.l = phone[sam+1] + (phone[sam]*256);
ubuf.r = ubuf.l;
sam++;
sam++;
if (sam < 44) {
ubuf.l = 0;
ubuf.r = 0;
}
if (sam > 11532) {
ubuf.l = 0;
ubuf.r = 0;
samlock = 0;
}
}
}
}
if (samlock == 0) {
int bbb;
for (bbb = 0; bbb < 1024; bbb++) {
ubuf[bbb].l = 0xFFFF;
ubuf[bbb].r = 0xFFFF;
}
}
}

void audioLoopStart() {
loop_buffer = (sample_t*) malloc(PSP_NUM_AUDIO_SAMPLES * sizeof(sample_t));
sceKernelDelayThread(200000);
pspAudioSetChannelCallback(0, audioOutputLoopCallback, NULL);
}
int main(void) {
intraFontInit();
ltn8 = intraFontLoad("flash0:/font/ltn8.pgf",INTRAFONT_CACHE_ASCII);
if(!ltn8) sceKernelExitGame();
initGraphics();
running = 1; // set program running flag
loop_buffer = NULL;
pspAudioInit();
sceDisplayWaitVblankStart();
sceDisplayWaitVblankStart();
audioLoopStart();
sceDisplayWaitVblankStart();
sceDisplayWaitVblankStart();
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
samsel = 2; // select intro sample
clearScreen(0);
sprintf(fillerx, "IRDETO SAGE");
guStart();
intraFontSetStyle(ltn8, 2.5f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, fillerx);
intraFontSetStyle(ltn8, 1.5f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 170, "Key Cypher Demo - Art 2008!");
sprintf(filler, "PSP Intrafont library by BenHur");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 230, filler);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
for(del=0; del<300; del++) {sceDisplayWaitVblankStart();}
sprintf(fillerx, "Irdeto Key Cypher Demo - Art 2008");
clearScreen(0);
sprintf(filler, " ");
guStart();
intraFontSetStyle(ltn8, 1.0f,0xFFFF5555,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 130, filler);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
 
HMK[9] = 0x11; // copy initial values to key arrays
HMK[8] = 0x11;
HMK[7] = 0x11;
HMK[6] = 0x11;
HMK[5] = 0x11;
HMK[4] = 0x11;
HMK[3] = 0x11;
HMK[2] = 0x11;
HMK[1] = 0x11;
HMK[0] = 0x11;
MK[7] = 0x22; MK[6] = 0x22; MK[5] = 0x22; MK[4] = 0x22; MK[3] = 0x22; MK[2] = 0x22; MK[1] = 0x22; MK[0] = 0x22;
// MK[7] = 0xE7; MK[6] = 0xF6; MK[5] = 0xA0; MK[4] = 0xDB; MK[3] = 0xB2; MK[2] = 0x93; MK[1] = 0xC3; MK[0] = 0xB7;
clearScreen(0);
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMK[0],HMK[1],HMK[2],HMK[3],HMK[4],HMK[5],HMK[6],HMK[7],HMK[8],HMK[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "EMK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 250, "PRESS X TO DECRYPT");
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
int stopper;
stopper = 0;
while (stopper == 0) {
SceCtrlData xpad;
sceCtrlSetSamplingMode(1);
sceCtrlPeekBufferPositive(&xpad, 1);
if(xpad.Buttons & PSP_CTRL_CROSS) {
stopper = 1;
}
if(xpad.Buttons & PSP_CTRL_CIRCLE) {
stopper = 2;
}
if(xpad.Buttons & PSP_CTRL_TRIANGLE) {
stopper = 3;
}
} // while
 
if (stopper == 1) {decryptEMK();printgreen();}
if (stopper == 2) {encryptPMK();printgreen();}
if (stopper == 3) {
decryptEMK();printgreen();
for(del=0; del<10; del++) {HMK[del] = HMKX[del];}
encryptPMK();printgreenX();
}
 
while (running == 1) {
clearScreen(0); // intrafont action
sceDisplayWaitVblankStart();
flipScreen();
clearScreen(0); // intrafont action
guStart();
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 145, "DONE!");
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
for(del=0; del<100; del++) {sceDisplayWaitVblankStart();}
running = 0;
} // running
audioLoopStop(); // stop audio routine
pspAudioEnd();
sceKernelExitGame(); // exit program
return 0;
} // main ************
 
void algostep() {
if(HMK[alga]&1) {parity = 1;} else {parity = 0;}
work = HMK[alga] ^ MK[algb];
if (parity == 1) {MK[algc] = hasha[work] ^ MK[algc];} else {MK[algc] = hashb[work] ^ MK[algc];}
printscreen();
}
void printscreen() {
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMK[0],HMK[1],HMK[2],HMK[3],HMK[4],HMK[5],HMK[6],HMK[7],HMK[8],HMK[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
clearScreen(0);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "MK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
clearScreen(0);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "MK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
 
 
 
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
if (ssel == 0) {
samsel = 2; // select intro sample
} else {
samsel = 1; // select intro sample
ssel = 0;
}
 
 
for(del=0; del<2; del++) {sceDisplayWaitVblankStart();}
}
void printgreen() {
clearScreen(0);
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMKX[0],HMKX[1],HMKX[2],HMKX[3],HMKX[4],HMKX[5],HMKX[6],HMKX[7],HMKX[8],HMKX[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "PMK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFF55EF55,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
samsel = 1; // select intro sample
for(del=0; del<2; del++) {sceDisplayWaitVblankStart();}
for(del=0; del<650; del++) {sceDisplayWaitVblankStart();}
 
}
void printgreenX() {
clearScreen(0);
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMKX[0],HMKX[1],HMKX[2],HMKX[3],HMKX[4],HMKX[5],HMKX[6],HMKX[7],HMKX[8],HMKX[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "EMK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFF55EF55,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
samsel = 1; // select intro sample
for(del=0; del<2; del++) {sceDisplayWaitVblankStart();}
for(del=0; del<650; del++) {sceDisplayWaitVblankStart();}
 
}
void rotateright() {
temp = (HMK[9] << 7); // rotate HMK right once
HMK[9] = (HMK[8] << 7) | (HMK[9] **** 1);
HMK[8] = (HMK[7] << 7) | (HMK[8] **** 1);
HMK[7] = (HMK[6] << 7) | (HMK[7] **** 1);
HMK[6] = (HMK[5] << 7) | (HMK[6] **** 1);
HMK[5] = (HMK[4] << 7) | (HMK[5] **** 1);
HMK[4] = (HMK[3] << 7) | (HMK[4] **** 1);
HMK[3] = (HMK[2] << 7) | (HMK[3] **** 1);
HMK[2] = (HMK[1] << 7) | (HMK[2] **** 1);
HMK[1] = (HMK[0] << 7) | (HMK[1] **** 1);
HMK[0] = temp | (HMK[0] **** 1);
ssel = 1;
printscreen();
}
void rotateleft() {
temp = (HMK[0] **** 7); // rotate HMK right once
HMK[0] = (HMK[1] **** 7) | (HMK[0] << 1);
HMK[1] = (HMK[2] **** 7) | (HMK[1] << 1);
HMK[2] = (HMK[3] **** 7) | (HMK[2] << 1);
HMK[3] = (HMK[4] **** 7) | (HMK[3] << 1);
HMK[4] = (HMK[5] **** 7) | (HMK[4] << 1);
HMK[5] = (HMK[6] **** 7) | (HMK[5] << 1);
HMK[6] = (HMK[7] **** 7) | (HMK[6] << 1);
HMK[7] = (HMK[8] **** 7) | (HMK[7] << 1);
HMK[8] = (HMK[9] **** 7) | (HMK[8] << 1);
HMK[9] = temp | (HMK[9] << 1);
ssel = 1;
printscreen();
}
void encryptPMK() {
for(del=0; del<10; del++) {HMKX[del] = HMK[del];}
for(step=0; step<13; step++) {rotateright();}
alga = 7; algb = 5; algc = 0;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 0; algb = 0; algc = 3;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 0;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 0; algb = 2; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 2;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 0; algb = 4; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 4;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 0; algb = 6; algc = 1;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 6;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 7; algb = 7; algc = 0;
algostep();
alga = 6; algb = 6; algc = 7;
algostep();
alga = 5; algb = 5; algc = 6;
algostep();
alga = 4; algb = 4; algc = 5;
algostep();
alga = 3; algb = 3; algc = 4;
algostep();
alga = 2; algb = 2; algc = 3;
algostep();
alga = 1; algb = 1; algc = 2;
algostep();
alga = 0; algb = 0; algc = 1;
algostep();
rotateleft();
alga = 9; algb = 5; algc = 0;
algostep();
alga = 8; algb = 2; algc = 5;
algostep();
alga = 7; algb = 7; algc = 2;
algostep();
alga = 6; algb = 4; algc = 7;
algostep();
alga = 5; algb = 1; algc = 4;
algostep();
alga = 4; algb = 6; algc = 1;
algostep();
alga = 3; algb = 3; algc = 6;
algostep();
alga = 2; algb = 0; algc = 3;
algostep();
alga = 1; algb = 7; algc = 0;
algostep();
alga = 0; algb = 6; algc = 7;
algostep();
rotateleft();
alga = 9; algb = 5; algc = 6;
algostep();
alga = 8; algb = 4; algc = 5;
algostep();
alga = 7; algb = 3; algc = 4;
algostep();
alga = 6; algb = 2; algc = 3;
algostep();
alga = 5; algb = 1; algc = 2;
algostep();
alga = 4; algb = 0; algc = 1;
algostep();
alga = 3; algb = 5; algc = 0;
algostep();
alga = 2; algb = 2; algc = 5;
algostep();
alga = 1; algb = 7; algc = 2;
algostep();
alga = 0; algb = 4; algc = 7;
algostep();
rotateleft();
alga = 9; algb = 1; algc = 4;
algostep();
alga = 8; algb = 6; algc = 1;
algostep();
alga = 7; algb = 3; algc = 6;
algostep();
alga = 6; algb = 0; algc = 3;
algostep();
alga = 5; algb = 7; algc = 0;
algostep();
alga = 4; algb = 6; algc = 7;
algostep();
alga = 3; algb = 5; algc = 6;
algostep();
alga = 2; algb = 4; algc = 5;
algostep();
alga = 1; algb = 3; algc = 4;
algostep();
alga = 0; algb = 2; algc = 3;
algostep();
rotateleft();
alga = 9; algb = 1; algc = 2;
algostep();
alga = 8; algb = 0; algc = 1;
algostep();
alga = 7; algb = 5; algc = 0;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 0; algb = 0; algc = 3;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 0;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 0; algb = 2; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 2;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 0; algb = 4; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 4;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 0; algb = 6; algc = 1;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 6;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 7; algb = 7; algc = 0;
algostep();
for(step=7; step>0; step--) { // round one
if(HMK[step]&1) {parity = 1;} else {parity = 0;}
work = HMK[step] ^ MK[step];
if (parity == 1) {MK[step+1] = hasha[work] ^ MK[step+1];} else {MK[step+1] = hashb[work] ^ MK[step+1];}
printscreen();
} // step
alga = 0; algb = 0; algc = 1;
if(HMK[alga]&1) {parity = 1;} else {parity = 0;}
work = HMK[alga] ^ MK[algb];
if (parity == 1) {MK[algc] = hasha[work] ^ MK[algc];} else {MK[algc] = hashb[work] ^ MK[algc];}
}
void decryptEMK() {
for(del=0; del<10; del++) {HMKX[del] = HMK[del];}
rotateright();
for(step=0; step<7; step++) { // round one
if(HMK[step]&1) {parity = 1;} else {parity = 0;}
work = HMK[step] ^ MK[step];
if (parity == 1) {MK[step+1] = hasha[work] ^ MK[step+1];} else {MK[step+1] = hashb[work] ^ MK[step+1];}
printscreen();
} // step
alga = 7; algb = 7; algc = 0;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 9; algb = 3; algc = 6;
algostep();
rotateright();
alga = 0; algb = 6; algc = 1;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 9; algb = 3; algc = 4;
algostep();
rotateright();
alga = 0; algb = 4; algc = 5;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 9; algb = 7; algc = 2;
algostep();
rotateright();
alga = 0; algb = 2; algc = 5;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 9; algb = 7; algc = 0;
algostep();
rotateright();
alga = 0; algb = 0; algc = 3;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 7; algb = 5; algc = 0;
algostep();
alga = 8; algb = 0; algc = 1;
algostep();
alga = 9; algb = 1; algc = 2;
algostep();
rotateright();
alga = 0; algb = 2; algc = 3;
algostep();
alga = 1; algb = 3; algc = 4;
algostep();
alga = 2; algb = 4; algc = 5;
algostep();
alga = 3; algb = 5; algc = 6;
algostep();
alga = 4; algb = 6; algc = 7;
algostep();
alga = 5; algb = 7; algc = 0;
algostep();
alga = 6; algb = 0; algc = 3;
algostep();
alga = 7; algb = 3; algc = 6;
algostep();
alga = 8; algb = 6; algc = 1;
algostep();
alga = 9; algb = 1; algc = 4;
algostep();
rotateright();
alga = 0; algb = 4; algc = 7;
algostep();
alga = 1; algb = 7; algc = 2;
algostep();
alga = 2; algb = 2; algc = 5;
algostep();
alga = 3; algb = 5; algc = 0;
algostep();
alga = 4; algb = 0; algc = 1;
algostep();
alga = 5; algb = 1; algc = 2;
algostep();
alga = 6; algb = 2; algc = 3;
algostep();
alga = 7; algb = 3; algc = 4;
algostep();
alga = 8; algb = 4; algc = 5;
algostep();
alga = 9; algb = 5; algc = 6;
algostep();
rotateright();
alga = 0; algb = 6; algc = 7;
algostep();
alga = 1; algb = 7; algc = 0;
algostep();
alga = 2; algb = 0; algc = 3;
algostep();
alga = 3; algb = 3; algc = 6;
algostep();
alga = 4; algb = 6; algc = 1;
algostep();
alga = 5; algb = 1; algc = 4;
algostep();
alga = 6; algb = 4; algc = 7;
algostep();
alga = 7; algb = 7; algc = 2;
algostep();
alga = 8; algb = 2; algc = 5;
algostep();
alga = 9; algb = 5; algc = 0;
algostep();
rotateright();
alga = 0; algb = 0; algc = 1;
algostep();
alga = 1; algb = 1; algc = 2;
algostep();
alga = 2; algb = 2; algc = 3;
algostep();
alga = 3; algb = 3; algc = 4;
algostep();
alga = 4; algb = 4; algc = 5;
algostep();
alga = 5; algb = 5; algc = 6;
algostep();
alga = 6; algb = 6; algc = 7;
algostep();
alga = 7; algb = 7; algc = 0;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 9; algb = 3; algc = 6;
algostep();
rotateright();
alga = 0; algb = 6; algc = 1;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 9; algb = 3; algc = 4;
algostep();
rotateright();
alga = 0; algb = 4; algc = 5;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 9; algb = 7; algc = 2;
algostep();
rotateright();
alga = 0; algb = 2; algc = 5;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 9; algb = 7; algc = 0;
algostep();
rotateright();
alga = 0; algb = 0; algc = 3;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 7; algb = 5; algc = 0;
if(HMK[alga]&1) {parity = 1;} else {parity = 0;}
work = HMK[alga] ^ MK[algb];
if (parity == 1) {MK[algc] = hasha[work] ^ MK[algc];} else {MK[algc] = hashb[work] ^ MK[algc];}
}



CM CW Decrypted:
807031F70405003200060028F283D57D7B2F00C7E814AE065C 72156B6109EBBA24BA4ED7CC2795177F9D012049276690CBB7 F761
Keys Decrypt ECM CW:
OP KEY 06 : 88A4160D2643EC48E2753C36AEAE236D
ECM SEED : 94B249D7D873C04C432949379CB4964C
ECM SEED Prepare : 0852008627608B684B4A811AD902AB48
ECM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-------------------------------------------------------------------------------------------------------------
ECM CW Decrypted:
807031F704050032000600 28 03FC3401400200437812061200000045409050B10008081220 0000CD04020000 6E805C470922678E
8070 ---**** Haeder Type EMM ( 80=CW0 Active Or 81= CW1 Active )
31 ---**** Len (Hex: 0x31 (Dec: 49 Bytes))
F70405
0032 ---**** Channel ID
00 ---**** Provider
06 ---**** Index OPKEY
00
28 ---**** Len (Hex: 0x28 = (Dec: 8*5=40 Bytes))
03FC3401
40 ---**** Nano Date
02 ---**** Len Date
0043 ---**** Date ??
78 ---**** Nano Update DCW
12 ---**** Len
06 ---**** Index OPKEY
12 ---**** 80=12 || 81=13
00000045409050B100080812200000CD ---**** DCW Decrypted
04 02 00 00
6E805C470922678E ---**** Signature MAC
Log:
-------------------- Kasita Botonnou @ Irdeto2 --------------------
OP KEY 06 : 88A4160D2643EC48E2753C36AEAE236D
ECM SEED : 94B249D7D873C04C432949379CB4964C
ECM SEED Prepare : 0852008627608B684B4A811AD902AB48
ECM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-------------------- Kasita Botonnou @ Irdeto2 --------------------
DCW DECRYPTED OK : 00000045409050B100080812200000CD By K. Botonnou
-------------------- Kasita Botonnou @ Irdeto2 --------------------
Key Used Is Inde : 06
-------------------- Kasita Botonnou @ Irdeto2 --------------------
Sig Correct!!! : 6E805C470922678E


void audioLoopStop() {
pspAudioSetChannelCallback(0, NULL, NULL);
}


---------------------------------------------------------------------------------------------------------
Antes De Todo vamos a ver las keys necesarios para Desencrytar una EMM o sea para hacer un Auto Update: -
-
ART : 060400 -
PMK : AF38DA5E9E00AADB 39A1BCBCB060DEA3 Adrress: 08D7 -
EMM-Seed : DA65344511C953D8 6EDAF329EF20376E -
Common-IV: 5BC9E74A983AA5A7 903B000000000000 -
---------------------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------------------
y La EMM OPKEY Encrypatada (Encrypt) es la siguiente: - -
-------------------------------------------------------- -
EMM: 82403F0208D7000030384913FC3C61266ED85CD727D1E7A657 83F97DF52C7BD5996F330C884F922A06191338FB13E -
68B6BD26AFCFE180C9340BA9A3152EB37327046 -
---------------------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------------------
Vamos a hacer un analisis a esta EMM OPKEY la cual esta Encriptada (Encrypt): - -
------------------------------------------------------------------------------- -
82403F <<------ Haeder { 3F= Longitud Hex:0x3F Dec:63 } -
02 <<------ Type Group 00 -
08D7 <<------ Address -
0000 <<------ Relleno -
30 <<------ Provider ID -
38 <<------ Longitud De Bytes (Hex: 0x38 = (Dec: 8*7=56 Bytes)) -
4913FC3C61266ED8 <<------ Data 1 Encrypt -
5CD727D1E7A65783 <<------ Data 2 Encrypt -
F97DF52C7BD5996F <<------ Data 3 Encrypt -
330C884F922A0619 <<------ Data 4 Encrypt -
1338FB13E68B6BD2 <<------ Data 5 Encrypt -
6AFCFE180C9340BA <<------ Data 6 Encrypt -
9A3152EB37327046 <<------ Data 7 Encrypt (Signature) -
---------------------------------------------------------------------------------------------------------

El Algortimo Usado para Desencriptar una EMM o ECM deIrdeto 2 es el algortimo 3DES CBC
aqui no hablamos sobe este algortimo ya es conocido

Ahora Vamos a empezar paso a paso y veremos todo el proceso de desencriptar una EMM Ir2 hasta el calculo de la firma (Signature)
Los Pasos Son:
1- Prepared EMM_SEED (Encrypt 3DESCBC)
2- Decrypt EMM (Decrypt 3DESCBC)
3- Decrypt Nano (Decrypt 3DESCBC)
4- CalculateMAC (Encrypt 3DESCBC)


****************************************
1- Prepared EMM_SEED (Encrypt 3DESCBC) ************************************************** *******
**************************************** *
*
Primer paso hacemos una preparacion de la Key EMM_Seed con el Algortimo 3DES CBC (Encrypt) *
ya tenemos la PMK como la Key que vamos a usar para el algortimo 3DES CBC *
EMM_Seed es Data o el mensaje que damos al algortimo 3DES CBC *
y IV es el que usa el algortimo 3DES CBC para hacer el XOR *
*
*
PMK = AF38DA5E9E00AADB 39A1BCBCB060DEA3 (16 bytes) Key 3DES CBC (K1=K3) *
EMM Seed = DA65344511C953D8 6EDAF329EF20376E (16 bytes) Data 3DES CBC *
IV = 0000000000000000 (08 bytes) IV 3DES CBC ******************
*
*
Pues Empezamos: ************************************************** *********************
*
DA65344511C953D8 {Xor} 0000000000000000 = DA65344511C953D8 {Encrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = E046C69E8CB4A40D *
Data 8 Bytes'ES' IV 3DES CBC Result PMK Key 3DES CBC Bloc1 Emm_Seed Prepared ok *
*
6EDAF329EF20376E {Xor} E046C69E8CB4A40D = 8E9C35B763949363 {Encrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = A16E52AF4CAE6A15 *
Data 8 Bytes'ES' Blo1 Emm_Seed Pre Result PMK Key 3DES CBC Bloc2 Emm_Seed Prepared ok *
*
*
EMM_Seed Preparado = E046C69E8CB4A40D A16E52AF4CAE6A15 (After Despues de Prepararlo con el algortimo usado 3DES CBC) **********************
*
*
ya esta terminado el primer paso lo que era hacer un 3DES CBC para perparar la EMM_SEED *
EMM_SEED Prepared: E046C69E8CB4A40D A16E52AF4CAE6A15 *
*
************************************************** ************************************************** ****************************

**********************************
2- Decrypt EMM (Decrypt 3DESCBC) ************************************************** **********************************
********************************** *
*
Ya estamos en el segundo paso y siempre con el algotimo 3DESCBC pero ahora hay que Desencriptar (Decrypt 3DES CBC) *
y lo que tenemos que Desencriptar son los bloqueos cifrado en la EMM ya son 7 bloqueos como habamos Visto arriba *
*
y lo necesario aqui es Data son datos de la Emm Cifrados y vamos a Desencriptar 8 a 8 Bytes *
EMM_Seed Prepared como la Key que vamos a usar para el algortimo 3DES CBC *****************
y la key EMM_IV como Key de IV que usamos para el Xor de 3DESCBC *
*
Data = (Ocho a ocho bytes (son datos de emm los cuales estan cifrados)) *
EMM_Seed Prepared = E046C69E8CB4A40D A16E52AF4CAE6A15 (Preparado va a ser la key 3des) *
EMM_IV = 5BC9E74A983AA5A7 903B000000000000 (Solo 8 bytes primeros) *
*
Los bloqueos datos de la EMM que tenemos son 7 bloqueos pues 7 Roundas *
--------------------------------------------------------------------- *
- 4913FC3C61266ED8 <<------ Data 1 Encrypt Rounda 1 - *
- 5CD727D1E7A65783 <<------ Data 2 Encrypt Rounda 2 - *
- F97DF52C7BD5996F <<------ Data 3 Encrypt Rounda 3 - *
- 330C884F922A0619 <<------ Data 4 Encrypt Rounda 4 - *
- 1338FB13E68B6BD2 <<------ Data 5 Encrypt Rounda 5 - *
- 6AFCFE180C9340BA <<------ Data 6 Encrypt Rounda 6 - *
- 9A3152EB37327046 <<------ Data 7 Encrypt (Signature) Rounda 7 - *
--------------------------------------------------------------------- *
*
Empezamos a Descifrar ocho a ocho Bytes con el algortimo 3DES CBC : *
*
************************************************** ******************************
EMM Encrypted:
82403F0208D7000030 [38] || 4913FC3C61266ED8 || 5CD727D1E7A65783 || F97DF52C7BD5996F || 330C884F922A0619 || 1338FB13E68B6BD2 || 6AFCFE180C9340BA || 9A3152EB37327046
|| RONDA 1 || RONDA 2 || RONDA 3 || RONDA 4 || RONDA 5 || RONDA 6 || RONDA 7
Datos Cifrados.......................................... .................................................. ...............................

RONDA 1: 4913FC3C61266ED8 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 1BCAE45570C5F5B6 {Xor} 5BC9E74A983AA5A7 = 4003031FE8FF5011 (Result Bloc 1)
Data 1 EMM_Seed Prepared Key 3DES CBC = Result EMM_IV Data 1 Decrypted
RONDA 2: 5CD727D1E7A65783 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 51273A5AEA69A0D4 {Xor} 4913FC3C61266ED8 = 1834C6668B4FCE0C (Result Bloc 2)
Data 2 EMM_Seed Prepared Key 3DES CBC = Result Data 1 Encrypt Data 2 Decrypted
RONDA 3: F97DF52C7BD5996F {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 6FCDD4CF587C99E4 {Xor} 5CD727D1E7A65783 = 331AF31EBFDACE67 (Result Bloc 3)
Data 3 EMM_Seed Prepared Key 3DES CBC = Result Data 2 Encrypt Data 3 Decrypted
RONDA 4: 330C884F922A0619 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 0C2DE40CAC49DDA7 {Xor} F97DF52C7BD5996F = F5501120D79C44C8 (Result Bloc 4)
Data 4 EMM_Seed Prepared Key 3DES CBC = Result Data 3 Encrypt Data 4 Decrypted
RONDA 5: 1338FB13E68B6BD2 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 2C7359CB7AF8C78A {Xor} 330C884F922A0619 = 1F7FD184E8D2C193 (Result Bloc 5)
Data 5 EMM_Seed Prepared Key 3DES CBC = Result Data 4 Encrypt Data 5 Decrypted
RONDA 6: 6AFCFE180C9340BA {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 69AFD81AA6896233 {Xor} 1338FB13E68B6BD2 = 7A972309400209E1 (Result Bloc 6)
Data 6 EMM_Seed Prepared Key 3DES CBC = Result Data 5 Encrypt Data 6 Decrypted
RONDA 7: 9A3152EB37327046 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 35FC7911E95FB504 {Xor} 6AFCFE180C9340BA = 5F008709E5CCF5BE (Result Bloc 7)
Data 7 EMM_Seed Prepared Key 3DES CBC = Result Data 6 Encrypt Data 7 Decrypted

Result All Round's = Data EMM Decrypted:
---------------------------------------------------------------------
- 4003031FE8FF5011 <<------ Data 1 Decrypt Rounda 1 -
- 1834C6668B4FCE0C <<------ Data 2 Decrypt Rounda 2 -
- 331AF31EBFDACE67 <<------ Data 3 Decrypt Rounda 3 -
- F5501120D79C44C8 <<------ Data 4 Decrypt Rounda 4 -
- 1F7FD184E8D2C193 <<------ Data 5 Decrypt Rounda 5 -
- 7A972309400209E1 <<------ Data 6 Decrypt Rounda 6 -
- 5F008709E5CCF5BE <<------ Data 7 Decrypt (Signature) Rounda 7 -
---------------------------------------------------------------------

EMM Decrypted:
82403F0208D7000030 [38] || 4003031FE8FF5011 || 1834C6668B4FCE0C || 331AF31EBFDACE67 || F5501120D79C44C8 || 1F7FD184E8D2C193 || 7A972309400209E1 || 5F008709E5CCF5BE
|| RONDA 1 || RONDA 2 || RONDA 3 || RONDA 4 || RONDA 5 || RONDA 6 || RONDA 7
Datos Descifrados....................................... .................................................. ...............................
Ahora ya tenemos la EMM Desencriptada pero no las OPKEYs, porque en Irdeto 2 tanto la EMM como OPKEYs Estan Encriptadas
desues de Desencritar la EMM llega el paso de desecnriptar las OPKEYS que se encuentran dentro de la EMM desencriptada

Primero Vamos a hacer un analisis a la EMM despues de que ha sido desencriptada
---------------------------------------------------------------------------------------------------------
Vamos a hacer un analisis a esta EMM la cual esta Desencriptada (Decrypted): - -
------------------------------------------------------------------------------- -
82403F <<------ Haeder { 3F= Longitud Hex:0x3F Dec:63 } -
02 <<------ Type Group 00 -
08D7 <<------ Address -
0000 <<------ Relleno -
30 <<------ Provider ID -
38 <<------ Longitud De Bytes (Hex: 0x38 = (Dec: 8*7=56 Bytes)) -
40 03 03 1F E8 FF -
50 11 18 <<------ Nano 50 °° Len 0x11 °° Index 18/4 = 06 -
34C6668B4FCE0C331AF31EBFDACE67F5 <<------ OPKEY Encrypt -
501120 <<------ Nano 50 °° Len 0x11 °° Index 20/4 = 08 -
D79C44C81F7FD184E8D2C1937A972309 <<------ OPKEY Encrypt -
40 <<------ Nano 40
02 <<------ Len
09 E1 <<------ Date?? -
5F008709E5CCF5BE <<------ Firma (Signature) -
---------------------------------------------------------------------------------------------------------
Donde esta el Nano 50 mas adelante + 3 bytes se encuentra La OPKEY
y hay otro caso que se puede encontrar tambien Nano 10 11 XX a la vez de 50 11 XX
y el index se divide sobre 4 y nos da el index que soportan los EMU's de Nuestros aparatos Reciver
si en la EMM es 08 pues se divide sobre 4 y resultado es Index 02
si en la EMM es 10 pues se divide sobre 4 y resultado es Index 04
si en la EMM es 18 pues se divide sobre 4 y resultado es Index 06
si en la EMM es 20 pues se divide sobre 4 y resultado es Index 08 ...

Veremos la EMM con otra manera
EMM Decrypted (OPKEYS EnCrypt):
82403F0208D7000030 [38] || 4003031FE8FF 501118 || 34C6668B4FCE0C33 1AF31EBFDACE67F5 || 501120 || D79C44C81F7FD184 E8D2C1937A972309 || 400209E1 5F008709E5CCF5BE
|| OPKEY ENCRYPT || || OPKEY ENCRYPT ||
************************************************** *******************************************
Pues ya tenemos las OPKEYS Encriptadas dentro de una emm Desencriptada, *
para la esencriptacion de estas OPKEYS Vamos al tercer Paso *
*
************************************************** ***********************

____________________________________
3- Nano Decrypt (Decrypt 3DES CBC) __________________________________________________ __________________________________________________ ________________________________
____________________________________
Pues como siempre el algortimo usado para Desencriptar estas OPKEYS es siempre 3DES CBC

Lo que necesitamos Data1 y Data2 son OPKEYs Encriptada y la key PMK y EMM_iv :
Data1 = 34C6668B4FCE0C33 1AF31EBFDACE67F5 (OPKEY ENCRYPT) <<-- OPKEY 06 (18)
Data2 = D79C44C81F7FD184 E8D2C1937A972309 (OPKEY ENCRYPT) <<-- OPKEY 08 (20)
PMK = AF38DA5E9E00AADB 39A1BCBCB060DEA3 (PMK PLEY MASTER KEY)
EMM_IV = 5BC9E74A983AA5A7 903B000000000000 (( IV 3DES CBC ) Solo usamos 8 bytes primeros)

vamos a Desencriptar La Primera OPKEY y luego la segunda ya la manera de desncriptar la primera es la misma que la segunda () Decrypt 3DESCBC)
-----------------------------
Data1 = 34C6668B4FCE0C33 1AF31EBFDACE67F5 (OPKEY ENCRYPT) <<-- OPKEY 06 (18)
Bloc 1 Encrypt Bloc 2 Encrypt

RONDA 1: 34C6668B4FCE0C33 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 98143F086A0A05B0 {Xor} 5BC9E74A983AA5A7 = C3DDD842F230A017
Bloc 1 Encrypt PMK Key 3DES CBC Result IV 3DES CBC Bloc1 OPKEY Decrypted

RONDA 2: 1AF31EBFDACE67F5 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 78DCF6648AB2F85E {Xor} 34C6668B4FCE0C33 = 4C1A90EFC57CF46D (OPKEY Decr)
Bloc 2 Encrypt PMK Key 3DES CBC Result Bloc1 Encrypt Bloc2 OPKEY Decrypted

OPKEY 06 (18) Decrypted: C3DDD842F230A017 4C1A90EFC57CF46D <<<< ----- ya tenemos la OPKEY Desencriptada por fin!!!!!!!!!!!!!!!
Bloc1 Decrypted Bloc2 Decrypted
-----------------------------
Data2 = D79C44C81F7FD184 E8D2C1937A972309 (OPKEY ENCRYPT) <<-- OPKEY 08 (20)
Bloc 1 Encrypt Bloc 2 Encrypt

RONDA 1: D79C44C81F7FD184 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 29F3F9202EB28219 {Xor} 5BC9E74A983AA5A7 = 723A1E6AB68827BE (OPKEY Decr)
Bloc 1 Encrypt PMK Key 3DES CBC Result IV 3DES CBC Bloc1 OPKEY Decrypted

RONDA 2: E8D2C1937A972309 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 43D5635A1C483DAD {Xor} D79C44C81F7FD184 = 944927920337EC29 (OPKEY Decr)
Bloc 2 Encrypt PMK Key 3DES CBC Result Bloc1 Encrypt Bloc2 OPKEY Decrypted
OPKEY 08 (20) Decrypted: 723A1E6AB68827BE 944927920337EC29 <<<< ----- ya tenemos la OPKEY Desencriptada por fin!!!!!!!!!!!!!!!
Bloc1 Decrypted Bloc2 Decrypted
-----------------------------
__________________________________________________ _________________________________
************************************************** ************ _
OPKEY 06 (18) Decrypted: C3DDD842F230A017 4C1A90EFC57CF46D * _
OPKEY 08 (20) Decrypted: 723A1E6AB68827BE 944927920337EC29 * _
************************************************** ************ _
_
_
Ahora ya tenemso la EMM y OPKEY's Desencriptadas: _
_
82403F <<-- Haeder _
02 <<-- Type Group 00 _
08D7 <<-- Adress _
0000 <<-- Relleno _
30 <<-- Provider ID Group _
38 <<-- Len (Hex: 0x38 = (Dec: 8*7=56 Bytes)) _
4003031FE8FF _
50 11 18 Nano 50 + Len 11 + Index 18 / 4 = 06 _
C3DDD842F230A017 4C1A90EFC57CF46D <<-- OP KEY Decrypt _
50 11 20 Nano 50 + Len 11 + Index 20 / 4 = 06 _
723A1E6AB68827BE 944927920337EC29 <<-- OP KEY Decrypt _
40 <<------ Nano 40 -
02 <<------ Len -
09 E1 <<------ Date?? _
5F008709E5CCF5BE <<------ Signature _
__________________________________________________ ______________________________

*************************************
4- CalculateMAC (3DES CBC Encrypt) ************************************************** *********************
************************************* *
*
Vamos ya estamos en el paso cuatro 4 y lo que vemos aqui es como se calcula la firma (Calculate Signature) *************************
*
Cojimos la EMM OPKEYS la cual esta Desencriptada: *
82403F0208D7000030384003031FE8FF501118C3DDD842F230 A0174C1A90EFC57CF46D501120723A1E6AB68827BE94492792 0337EC29400209E15F008709E5CCF5BE *************
*
*
EMM OPKKEY Decrypt: ||Delete|| (vamos a eliminar el haeder + 00 + Signature estan puestos entre ||xx|| ) *
*
||82403F||0208D700||00||30384003031FE8FF501118C3DD D842F230A0174C1A90EFC57CF46D501120723A1E6AB68827BE 944927920337EC29400209E1||5F008709E5CCF5BE|| *
*
y nos queda algo asi:
0208D70030384003031FE8FF501118C3DDD842F230A0174C1A 90EFC57CF46D501120723A1E6AB68827BE944927920337EC29 400209E1

- La separamos en Bloqueos:
0208D70030384003 Bloque 1
031FE8FF501118C3 Bloque 2
DDD842F230A0174C Bloque 3
1A90EFC57CF46D50 Bloque 4
1120723A1E6AB688 Bloque 5
27BE944927920337 Bloque 6
EC29400209E1 Bloque 7
- Como veis tenemos 7 bloqueos y cada bloqueo tiene 8 bytes menos el ultimo que solo lleva 6 bytes, ahora le anadimos 2 bytes al bloqueo 7
y estos 2 Bytes son las que estan en el segundo octeto de EMM-IV
EMM_IV = 5BC9E74A983AA5A7 903B000000000000 (necesitas estos dos bytes 903B para el calculo de la firma)
---- ----
- Despues de anadir estos dos bytes en el bloqueo 7 nos queda algo asi:
0208D70030384003 Bloque 1
031FE8FF501118C3 Bloque 2
DDD842F230A0174C Bloque 3
1A90EFC57CF46D50 Bloque 4
1120723A1E6AB688 Bloque 5
27BE944927920337 Bloque 6
EC29400209E1903B Bloque 7 <<<--- Add 2 Bytes de EMM_IV del segundo octeto

y la key 3DES es la que habiamos perparado en primer paso:
EMM_Seed Prepared: E046C69E8CB4A40DA16E52AF4CAE6A15 Key 3DES

ahora vamos a calcular la firma en 7 Rondas son 7 bloqueos:

|| 0208D70030384003 || 031FE8FF501118C3 || DDD842F230A0174C || 1A90EFC57CF46D50 || 1120723A1E6AB688 || 27BE944927920337 || EC29400209E1903B
|| RONDA 1 || RONDA 2 || RONDA 3 || RONDA 4 || RONDA 5 || RONDA 6 || RONDA 7

RONDA 1: 0208D70030384003 {Xor} 0000000000000000 = 0208D70030384003 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = AA8B12A7467A145F
Data 8 Bytes'ES' IV 3DES CBC Result EMM_Seed Prepared Key 3DES CBC Result Bloque 1
RONDA 2: AA8B12A7467A145F {Xor} 031FE8FF501118C3 = A994FA58166B0C9C {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = CDA5BB939E3BD120
Data 8 Bytes'ES' Bloque 2 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 2
RONDA 3: CDA5BB939E3BD120 {Xor} DDD842F230A0174C = 107DF961AE9BC66C {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 484B0E88CA120795
Data 8 Bytes'ES' Bloque 3 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 3
RONDA 4: 484B0E88CA120795 {Xor} 1A90EFC57CF46D50 = 52DBE14DB6E66AC5 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 287467CA90373AB3
Data 8 Bytes'ES' Bloque 4 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 4
RONDA 5: 287467CA90373AB3 {Xor} 1120723A1E6AB688 = 395415F08E5D8C3B {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = DB92F3C8E9730646
Data 8 Bytes'ES' Bloque 5 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 5
RONDA 6: DB92F3C8E9730646 {Xor} 27BE944927920337 = FC2C6781CEE10571 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = C815564DC98CDE6C
Data 8 Bytes'ES' Bloque 6 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 6
RONDA 7: C815564DC98CDE6C {Xor} EC29400209E1903B = 243C164FC06D4E57 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 5F008709E5CCF5BE *
Data 8 Bytes'ES' Bloque 7 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 7 *
*
*
Result final de la Ronda 7 es = 5F008709E5CCF5BE <<<--- Coindciden!!! == *
5F008709E5CCF5BE <<<--- Signature de la EMMOPKEY Decrypt *
*
************************************************** ************************************************** **********************************************

EMM PMK Decrypted:
824038C3FFFFFF0000003043ECF812DBB2F3B44C6AA1377479 D96E3C712B3670325DBF06F739CD488224A85949B939206612 4336F0F10AFAC8B81B
Keys Decrypt EMM PMK:
HMK0 Axi : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HMK1 Exi : BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
EMM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-----------------------------------------------------------------------------------------------------------------------
EMM PMK Decrypted:
8240 38 C3 FFFFFF 0000 00 30 010268240033333333333333333333333333333333 44444444444444444444444444444444 555566 AA54268F60038015
8240 ---**** Haeder Type EMM
38 ---**** Len (Hex: 0x38 (Dec: 56 Bytes))
C3 ---**** C3/CB PMK
FFFFFF ---**** Hex Serial
0000 ---**** Relleno
00 ---**** Provider ID Group
30 ---**** Len (Hex: 0x30 = (Dec: 8*6=48 Bytes))
01 ---****
02 ---****
68 ---**** Nano Update PMK
24 ---**** Len Data --**** Index
00 ---**** Index [00=00 | 01=10 | 02=20 | 03=30 | 04=40]
33333333333333333333333333333333 ---**** PMK0
44444444444444444444444444444444 ---**** PMK1
555566 ---**** Provider ID
AA54268F60038015 ---**** Signature MAC

Log:
-------- Kasita Botonnou @ Irdeto2 --------
PMK0 Enc : 8F754A711A62ACA8CC6F200370A6E332
PMK0 Dec : 33333333333333333333333333333333
-------- Kasita Botonnou @ Irdeto2 --------
PMK1 Enc : 8B8EC848BBCDA309423A4B528539EDCA
PMK1 Dec : 44444444444444444444444444444444
-------- Kasita Botonnou @ Irdeto2 --------
Log:
-------- Kasita Botonnou @ Irdeto2 --------
HMK0 Axi : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HMK1 Exi : BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
EMM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-------- Kasita Botonnou @ Irdeto2 --------
Hash OK : Signature Correct!!!
Sig MAC : AA54268F60038015 OK
 
B

bis

VIP
Messages
5,037
ART: 060 400 -
PMK: AF38DA5E9E00AADB 39A1BCBCB060DEA3 Adrress: 08D7 -
EMM-Seed: DA65344511C953D8 6EDAF329EF20376E -
Common-IV: 5BC9E74A983AA5A7 903B000000000000 -
-------------------------------------------------- -------------------------------------------------- -----


-------------------------------------------------- -------------------------------------------------- -----
and the EMM OPKEY Encrypatada (Encrypt) is as follows: - -
-------------------------------------------------- ------ -
EMM: 82403F0208D7000030384913FC3C61266ED85CD727D1E7A657 83F97DF52C7BD5996F330C884F922A06191338FB13E -
68B6BD26AFCFE180C9340BA9A3152EB37327046 -
-------------------------------------------------- -------------------------------------------------- -----


-------------------------------------------------- -------------------------------------------------- -----
Let's do an analysis to this OPKEY EMM which is encrypted (Encrypt): - -
-------------------------------------------------- ----------------------------- -
Haedo <<------ 3F 82403F (length = Hex: 0x3F Dec: 63) -
Group Type <<------ 02 00 -
<<------ 08D7 Address -
Fill <<------ 0000 -
30 <<------ Provider ID -
38 <<------ Length Of Bytes (Hex: 0x39 = (Dec: 8 * 7 = 56 bytes)) -
<<------ 4913FC3C61266ED8 Encrypt Data 1 -
<<------ 5CD727D1E7A65783 Encrypt Data 2 -
<<------ F97DF52C7BD5996F Encrypt Data 3 -
<<------ 330C884F922A0619 Encrypt Data 4 -
<<------ 1338FB13E68B6BD2 Encrypt Data 5 -
<<------ 6AFCFE180C9340BA Encrypt Data 6 -
<<------ 9A3152EB37327046 Encrypt Data 7 (Signature) -
-------------------------------------------------- -------------------------------------------------- -----


The algorithm used to decrypt an EMM or ECM deIrdeto 2 is the algorithm 3DES CBC
not talking here sobe this algorithm is already known


Now Let's start step by step and see the whole process to decrypt an EMM R2 to calculate the signature (Signature)

The steps are:
1 - Prepared EMM_SEED (Encrypt 3DESCBC)
2 - EMM Decrypt (Decrypt 3DESCBC)
3 - Nano Decrypt (Decrypt 3DESCBC)
4 - CalculateMAC (Encrypt 3DESCBC)




****************************************
1 - Prepared EMM_SEED (Encrypt 3DESCBC) ****************************************** ***************
**************************************** *
*
First we make a preparation step of the algorithm EMM_Seed Key 3DES CBC (Encrypt) *
we already have the PMK as the Key you'll use for the algorithm 3DES CBC *
Data EMM_Seed or the message is that we give the algorithm 3DES CBC *
and IV is the 3DES algorithm using the CBC to do the XOR *
*
*
PMK = AF38DA5E9E00AADB 39A1BCBCB060DEA3 (16 bytes) Key 3DES CBC (K1 = K3) *
Seed = DA65344511C953D8 6EDAF329EF20376E EMM (16 bytes) * Data 3DES CBC
IV = 0000000000000000 (08 bytes) ****************** IV 3DES CBC
*
*
Then started: *********************************************** ************************
*
0000000000000000) (DA65344511C953D8 Xor Encrypt = (3DES) DA65344511C953D8 AF38DA5E9E00AADB 39A1BCBCB060DEA3 = E046C69E8CB4A40D *
Data 8 Bytes'ES 'IV 3DES 3DES CBC CBC Key Results Bloc1 PMK Emm_Seed Prepared ok *
*
6EDAF329EF20376E) (Xor Encrypt E046C69E8CB4A40D = (3DES) 8E9C35B763949363 AF38DA5E9E00AADB 39A1BCBCB060DEA3 = A16E52AF4CAE6A15 *
Data 8 Bytes'ES 'Pre Result Emm_Seed Blo1 PMK Key 3DES CBC Bloc2 Emm_Seed Prepared ok *
*
*
Prepared EMM_Seed = E046C69E8CB4A40D A16E52AF4CAE6A15 (After After preparing with the algorithm used 3DES CBC) **********************
*
*
already completed the first step was to make a 3DES CBC Supplement of the EMM_SEED *
Prepared EMM_SEED: E046C69E8CB4A40D A16E52AF4CAE6A15 *
*
************************************************** ************************************************** ****************************



**********************************
2 - EMM Decrypt (Decrypt 3DESCBC) ****************************************** ******************************************
********************************** *
*
We are in the second step and always with the algotimo 3DESCBC but we must now Decrypt (Decrypt 3DES CBC) *
and what we have to decrypt encrypted blocks are already in the EMM habamos seven blocks as seen above *
*
and what is needed here Data is Encrypted data and we Emm Decrypt * Bytes 8-8
Key Prepared EMM_Seed as we will use for the algorithm 3DES CBC *****************
EMM_IV key and IV as Key to use for the Xor of 3DESCBC *
*
Data = (Eight to eight bytes (emm are data which are encrypted)) *
Prepared EMM_Seed = E046C69E8CB4A40D A16E52AF4CAE6A15 (Prepared will be the key 3des) *
EMM_IV = 5BC9E74A983AA5A7 903B000000000000 (only first 8 bytes) *
*
The EMM data blocks that we are 7 blocks for Round 7 *
-------------------------------------------------- ------------------- *
- Encrypt Data 1 <<------ 4913FC3C61266ED8 Round 1 - *
- 5CD727D1E7A65783 <<------ Encrypt Data 2 Round 2 - *
- F97DF52C7BD5996F <<------ Encrypt Data 3 Round 3 - *
- 330C884F922A0619 <<------ Encrypt Data 4 Round 4 - *
- 1338FB13E68B6BD2 <<------ Encrypt Data 5 Round 5 - *
- 6AFCFE180C9340BA <<------ Encrypt Data 6 Round 6 - *
- 9A3152EB37327046 <<------ Encrypt Data 7 (Signature) Round 7 - *
-------------------------------------------------- ------------------- *
*
Deciphering started eight to eight Bytes 3DES algorithm with the CBC: *
*
************************************************** ******************************
EMM Encrypted:
82403F0208D7000030 [38] | | 4913FC3C61266ED8 | | 5CD727D1E7A65783 | | F97DF52C7BD5996F | | 330C884F922A0619 | | 1338FB13E68B6BD2 | | 6AFCFE180C9340BA | | 9A3152EB37327046
| | Round 1 | | Round 2 | | Round 3 | | Round 4 | | Round 5 | | ROUND 6 | | ROUND 7
Encrypted Data ................................................ .................................................. .........................


ROUND 1: 3DES Decrypt) (4913FC3C61266ED8 E046C69E8CB4A40D A16E52AF4CAE6A15 = (Xor) 1BCAE45570C5F5B6 4003031FE8FF5011 5BC9E74A983AA5A7 = (Result Bloc 1)
Prepared EMM_Seed Data 1 Key 3DES CBC = Result EMM_IV Decrypted Data 1

ROUND 2: 3DES Decrypt) (5CD727D1E7A65783 E046C69E8CB4A40D A16E52AF4CAE6A15 = (Xor) 51273A5AEA69A0D4 1834C6668B4FCE0C 4913FC3C61266ED8 = (Result Bloc 2)
Data 2 Key 3DES CBC Prepared EMM_Seed Result = Encrypt Data 1 Data 2 Decrypted

ROUND 3: 3DES Decrypt) (F97DF52C7BD5996F E046C69E8CB4A40D A16E52AF4CAE6A15 = (Xor) 6FCDD4CF587C99E4 331AF31EBFDACE67 5CD727D1E7A65783 = (Result Bloc 3)
Prepared EMM_Seed Key Data 3 = Result 3DES CBC Encrypt Data 2 Data 3 Decrypted

ROUND 4: 3DES Decrypt) (330C884F922A0619 E046C69E8CB4A40D A16E52AF4CAE6A15 = (Xor) 0C2DE40CAC49DDA7 F5501120D79C44C8 F97DF52C7BD5996F = (Result Bloc 4)
Key Data Prepared 4 EMM_Seed CBC = 3DES Encrypt Data 3 Data Results 4 Decrypted

ROUND 5: 3DES Decrypt) (1338FB13E68B6BD2 E046C69E8CB4A40D A16E52AF4CAE6A15 = (Xor) 2C7359CB7AF8C78A 1F7FD184E8D2C193 330C884F922A0619 = (Result Bloc 5)
Prepared EMM_Seed Key Data 5 = Result 3DES CBC Encrypt Data 4 Data 5 Decrypted

ROUND 6: 3DES Decrypt) (6AFCFE180C9340BA E046C69E8CB4A40D A16E52AF4CAE6A15 = (Xor) 69AFD81AA6896233 7A972309400209E1 1338FB13E68B6BD2 = (Result Bloc 6)
Key Data Prepared in June EMM_Seed CBC = 3DES Encrypt Data 5 Results 6 Decrypted Data

ROUND 7: 3DES Decrypt) (9A3152EB37327046 E046C69E8CB4A40D A16E52AF4CAE6A15 = (Xor) 35FC7911E95FB504 5F008709E5CCF5BE 6AFCFE180C9340BA = (Result Bloc 7)
Prepared EMM_Seed Key Data 7 = Result 3DES CBC Encrypt Data 6 Data 7 Decrypted



Results All Round's Decrypted EMM = Data:
-------------------------------------------------- -------------------
- 4003031FE8FF5011 <<------ Decrypt Data 1 Round 1 -
- 1834C6668B4FCE0C <<------ Decrypt Data 2 Round 2 -
- 331AF31EBFDACE67 <<------ Decrypt Data 3 Round 3 -
- F5501120D79C44C8 <<------ Decrypt Data 4 Round 4 -
- 1F7FD184E8D2C193 <<------ Decrypt Data 5 Round 5 -
- 7A972309400209E1 <<------ Decrypt Data 6 Round 6 -
- Data 7 5F008709E5CCF5BE <<------ Decrypt (Signature) Round 7 -
-------------------------------------------------- -------------------


Decrypted EMM:
82403F0208D7000030 [38] | | 4003031FE8FF5011 | | 1834C6668B4FCE0C | | 331AF31EBFDACE67 | | F5501120D79C44C8 | | 1F7FD184E8D2C193 | | 7A972309400209E1 | | 5F008709E5CCF5BE
| | Round 1 | | Round 2 | | Round 3 | | Round 4 | | Round 5 | | ROUND 6 | | ROUND 7
Data ................................................ Deciphered .................................................. ......................

We now have the decrypted EMM but not OPKEYs, Irdeto 2 because both are encrypted EMM as OPKEYs
EMM Desencritar desu step comes the OPKEYS desecnriptar found in the decrypted EMM


First Let's do an analysis after the EMM has been decrypted

-------------------------------------------------- -------------------------------------------------- -----
Let's do an analysis of this which is decrypted EMM (Decrypted): - -
-------------------------------------------------- ----------------------------- -
Haedo <<------ 3F 82403F (length = Hex: 0x3F Dec: 63) -
Group Type <<------ 02 00 -
<<------ 08D7 Address -
Rellenot <<------ 0000 -
30 <<------ Provider ID -
38 <<------ Length Of Bytes (Hex: 0x39 = (Dec: 8 * 7 = 56 bytes)) -
40 March 1903 E8 1F FF -
Nano <<------ 50 November 1918 50 ° ° ° ° Index Len 0x11 18 / 4 = 06 -
Encrypt OPKEY <<------ 34C6668B4FCE0C331AF31EBFDACE67F5 -
Nano <<------ 501 120 50 ° ° ° ° Index Len 0x11 20 / 4 = 08 -
Encrypt OPKEY <<------ D79C44C81F7FD184E8D2C1937A972309 -
40 February 2009 E1 -
<<------ 5F008709E5CCF5BE Signature (Signature) -
-------------------------------------------------- -------------------------------------------------- -----

Where is the Nano 50 3 bytes later is The OPKEY
and no other case can also find Nano in October 1911 while XX 50 11 XX
and the index is divided over four and gives us the index that supports the EMU's from Our appliances Reciver
whether the EMM is 08 because it is divided on 4 and 02 Index result
whether the EMM is as divided on 10 April and 04 Index result
whether the EMM is as divided on 18 April and 06 Index result
whether the EMM is 20 since April and is divided over 08 Index result is ...


We will see the EMM with another way

Decrypted EMM (OPKEYS Encrypt):
82403F0208D7000030 [38] | | 4003031FE8FF 501 118 | | 34C6668B4FCE0C33 1AF31EBFDACE67F5 | | 501 120 | | D79C44C81F7FD184 E8D2C1937A972309 | | 400209E1 5F008709E5CCF5BE
| | OPKEY ENCRYPT | | | | OPKEY ENCRYPT | |

************************************************** *******************************************
Well, we have the OPKEYS Encrypted within a decrypted emm *
for these OPKEYS esencriptacion Let the third Step *
*
************************************************** ***********************


____________________________________
3 - Nano Decrypt (Decrypt 3DES CBC) __________________________________________________ __________________________________________________ ________________________________
____________________________________

Well as always the algorithm used to decrypt these OPKEYS is always 3DES CBC


What we need OPKEYs Data1 and Data2 are encrypted and the key PMK and EMM_iv:

Data1 = 34C6668B4FCE0C33 1AF31EBFDACE67F5 (OPKEY ENCRYPT) <<- OPKEY 06 (18)
Data2 = D79C44C81F7FD184 E8D2C1937A972309 (OPKEY ENCRYPT) <<- OPKEY 08 (20)
= AF38DA5E9E00AADB 39A1BCBCB060DEA3 PMK (PMK pley MASTER KEY)
5BC9E74A983AA5A7 903B000000000000 EMM_IV = ((IV 3DES CBC) We use only first 8 bytes)


we will decrypt the First OPKEY and then second how desncriptar the first is the same as the second () Decrypt 3DESCBC)
-----------------------------

Data1 = 34C6668B4FCE0C33 1AF31EBFDACE67F5 (OPKEY ENCRYPT) <<- OPKEY 06 (18)
Bloc 1 Bloc 2 Encrypt Encrypt


ROUND 1: 3DES Decrypt) (34C6668B4FCE0C33 AF38DA5E9E00AADB 98143F086A0A05B0 39A1BCBCB060DEA3 = (Xor) 5BC9E74A983AA5A7 = C3DDD842F230A017
Key Encrypt PMK Bloc 1 Result IV 3DES 3DES CBC CBC OPKEY Bloc1 Decrypted


ROUND 2: 3DES Decrypt) (1AF31EBFDACE67F5 AF38DA5E9E00AADB 78DCF6648AB2F85E 39A1BCBCB060DEA3 = (Xor) 34C6668B4FCE0C33 = 4C1A90EFC57CF46D (OPKEY Decr)
Key Encrypt PMK Bloc 2 Results Bloc1 3DES CBC Encrypt OPKEY Bloc2 Decrypted


OPKEY 06 (18) Decrypted: C3DDD842F230A017 4C1A90EFC57CF46D <<<<----- and we finally decrypted OPKEY !!!!!!!!!!!!!!!
Decrypted Bloc1 Bloc2 Decrypted
-----------------------------
Data2 = D79C44C81F7FD184 E8D2C1937A972309 (OPKEY ENCRYPT) <<- OPKEY 08 (20)
Bloc 1 Bloc 2 Encrypt Encrypt


ROUND 1: 3DES Decrypt) (D79C44C81F7FD184 AF38DA5E9E00AADB 29F3F9202EB28219 39A1BCBCB060DEA3 = (Xor) 5BC9E74A983AA5A7 = 723A1E6AB68827BE (OPKEY Decr)
Key Encrypt PMK Bloc 1 Result IV 3DES 3DES CBC CBC OPKEY Bloc1 Decrypted


ROUND 2: 3DES Decrypt) (E8D2C1937A972309 AF38DA5E9E00AADB 43D5635A1C483DAD 39A1BCBCB060DEA3 = (Xor) D79C44C81F7FD184 = 944927920337EC29 (OPKEY Decr)
Key Encrypt PMK Bloc 2 Results Bloc1 3DES CBC Encrypt OPKEY Bloc2 Decrypted

OPKEY 08 (20) Decrypted: 723A1E6AB68827BE 944927920337EC29 <<<<----- and we finally decrypted OPKEY !!!!!!!!!!!!!!!
Decrypted Bloc1 Bloc2 Decrypted
-----------------------------
__________________________________________________ _________________________________
************************************************** _ ************
OPKEY 06 (18) Decrypted: C3DDD842F230A017 4C1A90EFC57CF46D * _
OPKEY 08 (20) Decrypted: 723A1E6AB68827BE 944927920337EC29 * _
************************************************** _ ************
_
_
Now the MA and OPKEY tenemso's decrypted: _
_
82403F <<- _ Haedo
02 <<- Type Group 00 _
08D7 <<- Address _
0000 _
30 <<- _ Group Provider ID
38 <<- Len (Hex: 0x39 = (Dec: 8 * 7 = 56 bytes)) _
_ 4003031FE8FF
50 November 1918 Nano 50 Len 11 Index 18 / 4 = 06 _
C3DDD842F230A017 4C1A90EFC57CF46D <<- Decrypt _ KEY OP
50 November 1920 Nano 50 Len 11 Index 20 / 4 = 06 _
723A1E6AB68827BE 944927920337EC29 <<- Decrypt _ KEY OP
_ 400209E1
5F008709E5CCF5BE -**** Signature _
__________________________________________________ ______________________________



*************************************
4 - CalculateMAC (3DES CBC Encrypt) ****************************************** *****************************
************************************* *
*
We are already in step four 4 and what we see here is how to calculate the signature (Calculate Signature) *************************
*
We took the EMM OPKEYS which is decrypted: *
************* 82403F0208D7000030384003031FE8FF501118C3DDD842F230 A0174C1A90EFC57CF46D501120723A1E6AB68827BE94492792 0337EC29400209E15F008709E5CCF5BE
*
*
OPKKEY EMM Decrypt: | | Delete | | (let's eliminate haedo Signature 00 are placed between | | xx | |) *
*
| | 82403F | | 0208D700 | | 00 | | 30384003031FE8FF501118C3DDD842F230A0174C1A90EFC57C F46D501120723A1E6AB68827BE944927920337EC29400209E1 | | 5F008709E5CCF5BE | | *
*
and we have something like this:
0208D70030384003031FE8FF501118C3DDD842F230A0174C1A 90EFC57CF46D501120723A1E6AB68827BE944927920337EC29 400209E1


- The split in blocks:

Block 1 0208D70030384003
Block 2 031FE8FF501118C3
DDD842F230A0174C Block 3
1A90EFC57CF46D50 Block 4
1120723A1E6AB688 Block 5
27BE944927920337 Block 6
EC29400209E1 Block 7

- As you can see we have 7 blocks and each block is 8 bytes less than the last one that only takes 6 bytes, now we add two bytes to lock 7
and these two bytes are those that are in the second octet of EMM-IV

EMM_IV = 5BC9E74A983AA5A7 903B000000000000 (two bytes 903B need to calculate the signature)
---- ----
- After adding these two bytes in the block in July we have something like this:

Block 1 0208D70030384003
Block 2 031FE8FF501118C3
DDD842F230A0174C Block 3
1A90EFC57CF46D50 Block 4
1120723A1E6AB688 Block 5
27BE944927920337 Block 6
Block 7 EC29400209E1903B <<<--- EMM_IV Add two bytes of the second octet


3DES key and we had Supplement of the first step:
EMM_Seed Prepared: Key 3DES E046C69E8CB4A40DA16E52AF4CAE6A15



Now we will calculate the signature on 7 Rounds are 7 blocks:


| | 0208D70030384003 | | 031FE8FF501118C3 | | DDD842F230A0174C | | 1A90EFC57CF46D50 | | 1120723A1E6AB688 | | 27BE944927920337 | | EC29400209E1903B
| | Round 1 | | Round 2 | | Round 3 | | Round 4 | | Round 5 | | ROUND 6 | | ROUND 7


ROUND 1: (Xor) 0208D70030384003 0208D70030384003 0000000000000000 = () E046C69E8CB4A40D 3DES Encrypt A16E52AF4CAE6A15 = AA8B12A7467A145F
Data 8 Bytes'ES 'IV 3DES CBC Key Results Prepared EMM_Seed 3DES CBC Block 1 Result

ROUND 2: (Xor) AA8B12A7467A145F A994FA58166B0C9C 031FE8FF501118C3 = () E046C69E8CB4A40D 3DES Encrypt A16E52AF4CAE6A15 = CDA5BB939E3BD120
Data 8 Bytes'ES 'Block 2 Results Key 3DES CBC Prepared EMM_Seed Block 2 Results

ROUND 3: CDA5BB939E3BD120) (Xor Encrypt DDD842F230A0174C = (3DES) 107DF961AE9BC66C E046C69E8CB4A40D A16E52AF4CAE6A15 = 484B0E88CA120795
Data 8 Bytes'ES 'Block 3 Key Result Prepared EMM_Seed 3DES CBC Block 3 Results

ROUND 4: (Xor) 484B0E88CA120795 52DBE14DB6E66AC5 1A90EFC57CF46D50 = () E046C69E8CB4A40D 3DES Encrypt A16E52AF4CAE6A15 = 287467CA90373AB3
Data 8 Bytes'ES 'Prepared EMM_Seed Block 4 Key Result Result 3DES CBC Block 4

ROUND 5: 287467CA90373AB3) (Xor Encrypt 1120723A1E6AB688 = (3DES) 395415F08E5D8C3B E046C69E8CB4A40D A16E52AF4CAE6A15 = DB92F3C8E9730646
Data 8 Bytes'ES 'Block 5 EMM_Seed Prepared Key Result Result 3DES CBC Block 5

ROUND 6: (Xor) DB92F3C8E9730646 FC2C6781CEE10571 27BE944927920337 = () E046C69E8CB4A40D 3DES Encrypt A16E52AF4CAE6A15 = C815564DC98CDE6C
Data 8 Bytes'ES 'Block 6 EMM_Seed Prepared Key Result Result 3DES CBC Block 6

ROUND 7: (Xor) C815564DC98CDE6C 243C164FC06D4E57 EC29400209E1903B = () E046C69E8CB4A40D 3DES Encrypt A16E52AF4CAE6A15 = 5F008709E5CCF5BE *
Data 8 Bytes'ES 'Block 7 EMM_Seed Prepared Key Result Result 3DES CBC Block 7 *
*
*
Final Results of Round 7 is = 5F008709E5CCF5BE <<<--- Coindciden! == *
Signature of <<<--- 5F008709E5CCF5BE EMMOPKEY Decrypt *
*
************************************************** ************************************************** **********************************************
 
T

tasoscy

Registered
Messages
2
All this info are great!!

Any body knows and want to help on how to open nova I2 married cards and tweak keys??
 
You must log in or register to reply here.
Top