Understanding CSA

cayoenrique

Member
Messages
475
Stop saying "i have Not DVBViewer". I know, and it should not be needed. At least that is our intention.


If you want to download Latest just go to https://www.sat-universe.com/index.php?threads/dvbviewer-pro-all-versions.99941/page-8

In the past I did download crack made by DVBViewer pro 5.3.2 by Takki & Ahmad from https://www.sat-universe.com/index.php?threads/dvbviewer-pro-all-versions.99941/post-1189041
But the links were lost in old SU, and the links from ru are dead anyway.

A link to torrent (magnet) and the Official forum of the hackers
Code:
https://pastebin.com/auUJDTpn
https://www.star7arab.com/f.asp?t=611713

Now I have no Idea what is best, or what is more safe in terms of viruses or worms and Trojans. But as I said I had good results with DVBViewer pro 5.3.2 by Takki & Ahmad

I can not upload the file in one shot as my provider more or less caps my uploads at about 5 MB. So I split the installation that I have for those that may need it. More stupidity: for unknown reasons, when I upload splits the files will last 7 days only!!!
Here the files
Your partial archive files have a shorter storage period and will be deleted after 7 days.

filename.7z.001 (4.39 MB)
filename.7z.002 (3.79 MB)
md5sum.txt.7z (322.00 B)
Code:
https://workupload.com/file/MCmZNUC8SAg
https://workupload.com/file/UVMXa5t2QWD
https://workupload.com/file/9qXG5wpqR3q

One more time, YOU guys do not need this. And I do not suggest anyone download them. Finally, only you are responsible for checking all files you download for Trojans. I am uploading because I know that is what I will be asked for in the future.

Now I have installed Transedit the way I told you many times, with success. No DVBViewer. Let's go over it.

Transedit can start as is. But the nice things like Analyze TS File will be grayed out or disabled.

This is the way you want it to look when it works. As you can see, "Scan Selected" and "Analyze" are grayed out, OK. But the one we want, Analyze TS File, is dark.
SzcRLXk.png

And just as it reads, if it is working you can press [F10] and a popup window will show up so that you can navigate to the TS file you want.
So 1st test: PLEASE open Transedit + [ALT]S + [F10] and see if you can get to C:\Apps\home\ts_examples\example_biss.ts


How to make it work.
Please make sure the key is in the appropriate folder C:\Program Files (x86)\Common Files\DVBViewer Shared\6FF000134D41A853.dvbvkey

AA8jXAu.png



And you need the reg install so that the program can pick up the password.
To install, the files are located in win_tsapps_2.tar.xz>TransE+HexW.tar>TransE+HexW>Apps\home\programs\TransEdit\key\installkey.bat
Or you could right-click on win_tsapps_2.tar.xz>TransE+HexW.tar>TransE+HexW>Apps\home\programs\TransEdit\key\transedit.reg and select Install or Merge, something like that.

In W10 they said to do

1-Open Start
2-Search for Command Prompt
3-Right-click the result and select Run as administrator


But we normally do

[WINKEY]+R CMD [Mouse RightClick] select Run as administrator
Code:
> cd C:\Apps\Home\cryptodir\Labs\002
> REG EXPORT "HKLM\Software\Wow6432Node\CM&V"  MyRegTest.reg
> busybox cat MyRegTest.reg

 Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\CM&V]

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\CM&V\DVBViewer]
"ID"=hex:84,63,50,84,1f,3b,d5,ed,9d,49,48,f3,82,93,28,02,36,ae,69,ae,09,e1,e7,\
  1f,21,d5,03,f1,bf,7a,e4,90,cd,f0,d8,55,93,e3,25
"Password"="AAVFGQHEJKCLBVBH"
See that is what we need to see.

As an alternative you could do
Code:
> regedit
Edit>Find>CM&V

RxzbWbN.png


So that is what you need for Transedit Analyze TS File to work.


IMPORTANT: If you are interested in the DVBViewer pro 5.3.2 by Takki & Ahmad, DO it NOW. Link will be deleted in 7 days...
 
Last edited:

cayoenrique

Member
Messages
475
Just in case, as I explained that W10 may require Administrator privileges, let's put this install method for the reg.

In W10 they said to do
1-Open Start
2-Search for Command Prompt
3-Right-click the result and select Run as administrator

But we normally do

[WINKEY]+R CMD [Mouse RightClick] select Run as administrator
Code:
> cd C:\Apps\Home\programs\TransEdit\key
> REG IMPORT transedit.reg
Close and Reboot PC just in case.

Next time after reboot, let's see if it was installed
[WINKEY]+R CMD [Mouse RightClick] select Run as administrator
Code:
> cd C:\Apps\Home\cryptodir\Labs\002
> REG EXPORT "HKLM\Software\Wow6432Node\CM&V"  MyRegTest.reg
> busybox cat MyRegTest.reg

 Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\CM&V]

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\CM&V\DVBViewer]
"ID"=hex:84,63,50,84,1f,3b,d5,ed,9d,49,48,f3,82,93,28,02,36,ae,69,ae,09,e1,e7,\
  1f,21,d5,03,f1,bf,7a,e4,90,cd,f0,d8,55,93,e3,25
"Password"="AAVFGQHEJKCLBVBH"
 

dvlajkovic

Member
Messages
498
Drag and Drop the TS over TransEdit.exe didn't work

i have Not DVBViewer Installed in my computer
You can also install an alternative application for sex with TS files: TSReader 2.8.53a
Once installed, press WIN on keyboard, type tsreader and then press CTRL + ENTER on keyboard to start TSReader.
A pop-up will be shown on the screen.
Press F on keyboard to quickly move to File options, select FileLoop, and click on OK.
Now you can choose the TS file you want to play, research streams inside, PIDs, encryptions, etc.
 

cayoenrique

Member
Messages
475
LAB003 Part II

To overview last time we made a copy into C:\Apps\Home\cryptodir\Labs\003\example_biss.ts

We used Transedit to inspect the file and found it is composed of
Code:
0x0000 : PAT - This table is the 1st one we should read. It specifies all the possible Channels (ServiceID) this transponder contains.
ServiceID = 1
PMT PID = 0X0100

0x0011 : SDT - This provides the name of the Services and the name of the Provider. If you look in the left menu you can read
ServiceID = 1
ServiceName=IMG3 EU
ProviderName=CM5000

0X0100 : PMT - PMT holds the amount and number of all the PIDs that are part of a Service. And also holds the CAPID
0x0200 H.264 Video
0x1010 MPEG Audio
0x1020 MPEG Audio
0x1030 MPEG Audio
0x1040 MPEG Audio
CAID 0x2600

Today I will show you how to decrypt CSA using oetsdec, which is an offline decrypter based on oscam emu files. And if you remember, I have also provided encrypted examples for you to test. To know how to use it do:
[WINKEY]+R CMD [ENTER]
> cd C:\Apps\Home\cryptodir\Labs\003
> oetsdec.exe
[Emu] config: Reading config from oetsdec.conf
out.ts: File Not Found
oetsdec - oscam emu ts decrypt v0.34 by Enrique
Build up from sources of Osemu and Oscam-Emu patch files
All thanks go to their developers
No warranties, use at your own risk

[Emu] config: MAINPATH="C:\Apps\Home\bin\"
[Emu] config: debuglog=1
[Emu] sofcamkey: C:\Apps\Home\bin\SoftCam.Key


Ups! usage: oetsdec <input file> <service id> <output file>

As you see you need to know the Channel number we want to decrypt. On Transedit we saw it is SID 1. But let's assume you do not know. We can use:
Code:
> ffprobe -hide_banner -i example_biss.ts 2>&1 | busybox grep Program
***
Program 1
***

So let me show you how to test any of the samples I provided.
Note: If the output name is out.ts, at the end it will be played.
Code:
oetsdec C:\Apps\Home\ts_examples\example_powervu.ts 10 out.ts
oetsdec C:\Apps\Home\ts_examples\example_irdeto.ts 16 out.ts
oetsdec C:\Apps\Home\ts_examples\example_tandberg_EE.ts 465 out.ts
oetsdec C:\Apps\Home\ts_examples\example_tandberg_ED.ts 1 out.ts
oetsdec C:\Apps\Home\ts_examples\example_biss.ts 1 out.ts

But we are interested in particular example_biss.ts after decryption we will have example_biss_decrypted.ts
Code:
> oetsdec example_biss.ts 1 out.ts
> rename out.ts example_biss_decrypted.ts

OK, let's review what we need. In the OpenCL lab we saw it is important to have 3 PES that are marked as PUSI=1, because then the PES Header will start with 00 00 01.
NOTE: We do this with the Encrypted TS. But to show you what it looks like decrypted, and so that you can see 00 00 01, we simulate using the CLEAR TS

We want to use the tools we got to experience this the Windows way.
So if you recall, you need to Drag&Drop example_biss_decrypted.ts over Transedit to select single PID 0x1010. Then we save that PID ONLY: [Start Record][Restart][Stop Record], and rename the file appropriately. Finally we need to use HexWorkshop to look at the file.
Code:
> HexWorkshop example_biss_decrypted.ts
In HexWorkshop let's search for a 0x1010 with PUSI=1.

A simple TS header for non-PUSI for PID 0x1010 will start like this: 47 10 10.

Let's remember our pictures

Now look again
04-pes-start.png

07-ts-header.png

So Sync Byte is 47. Second byte for our audio PID is 10. But PUSI bit is #1## ####, where # is ignored. In general if #=0 this is 40. See the point: the 1 in 10 needs to have 4 added. 4+1 = 5. So for PUSI=1, second digit needs to be 50 not 10. This means we need to search for 47 50 10.


To search in HexWorkshop you do: [CTRL]+F then
Code:
Type :  HexValues  <= select
Value : 475010    <= Type in
Find All Instances :  check
Hit [OK]
Notice how 475010 has NO spaces

At the bottom you see a list of where 47 50 10 shows up. You click on one of them; the 1st address is at 0x00003E6C, and you can read the values that follow.
475010350160000001C0030884800523291D4F41FFFDC4009988999A9988776655453428A0000000000000000000***
You can mark by click & drag, then right-click over the marked area, then select Copy. You can open Notepad and paste the values for the future.

As you see this is the Windows GUI way. Many steps. Now let's see how we can simplify by using a non-GUI method.

NON-GUI faster method

1st we need the Audio PID 0x1010
Code:
> busybox sh -c "dvbsnoop -if example_biss_decrypted.ts -s ts -b 0x1010 -n 2000 > testcard_decrypted_APID=0x1010.ts"

Then we need a way to print at least 3 lines starting with 00 00 01.
Code:
> busybox od -An -t x1 --width=188 testcard_decrypted_APID=0x1010.ts | busybox grep -e"47 50 10" | busybox cut -b20-66 | busybox head -5 > PES_Output.txt

We had explained the dvbsnoop command so I will skip it.
But the second command has new things.

busybox od -An -t x1 --width=188 testcard_decrypted_APID=0x1010.ts
where:
-An means do not print the Address column; for example the 1st line reads "0000000" then "0000###"
-t x1 means print hex values
--width=188 Print 188 bytes per line. Weird, no? I know. Now it is exactly 188 because the "0000000" does not occupy the 1st!!

| means Pipe, or output of the 1st command as input of the second command

busybox grep -e"47 50 10" means output ONLY single lines that have "47 50 10" as part of their string. Remember lines will start every 188 bytes.

At this point 1 line looks like this
47 50 10 35 01 60 00 00 01 c0 03 08 84 80 05 23 29 1d 4f 41 ff fd c4 00 99 88 99 9a 99 88 77 66 55 45 34 28 a0 00 00 00 00 00 00 00 00 00 66 bb ea ca eb ab f6 54 51 77 17 61 76 9d 71 e7 a0 7e 28 63 92 29 e4 96 5a a7 9e 79 69 aa 9b 2a b6 eb eb bc 3f 17 0b f4 b1 6d 76 0f 2c 18 e2 45 4d 2c 7d d4 03 3a 13 67 4f ab 14 03 db 22 11 82 d4 aa e6 fe bc c1 dd d1 cf 2e 53 c1 1c 70 cf 14 89 3b 0a 48 b0 c8 8f e3 b4 26 91 86 3d a5 74 01 7c b0 18 46 b6 51 a1 75 d7 13 7f 32 c8 47 80 72 f3 42 0f b8 34 40 84 f0 c1 b4 80 c5 a4 a0 46 be 29 a9 16 52 c9 81 e0 6e e8 52 f2 8b a5 27

busybox cut -b20-66 means for each line only output cutting from position 20 to position 66.
So 1 single line will now look like this
00 00 01 c0 03 08 84 80 05 23 29 1d 4f 41 ff fd

busybox head -5 means from the top take ONLY a maximum of 5 lines, ignore the rest

> PES_Output.txt means, finally, the screen output is saved to file PES_Output.txt

And the final file PES_Output.txt will contain
Code:
> busybox cat PES_Output.txt
00 00 01 c0 03 08 84 80 05 23 29 1d 4f 41 ff fd
00 00 01 c0 03 08 84 80 05 23 29 1d 60 21 ff fd
00 00 01 c0 03 08 84 80 05 23 29 1d 71 01 ff fd
00 00 01 c0 03 08 84 80 05 23 29 1d 81 e1 ff fd
00 00 01 c0 03 08 84 80 05 23 29 1d 92 c1 ff fd

As you see, with two lines we can do our job of finding the needed string for the OpenCL lab.
 

Me2019H

Registered
Messages
101
i didn't understand this
So Sync Byte is 47. Second byte for our audio PID is 10. But PUSI bit is #1## ####, where # is ignored. In general if #=0 this is 40. See the point: the 1 in 10 needs to have 4 added. 4+1 = 5. So for PUSI=1, second digit needs to be 50 not 10. This means we need to search for 47 50 10.
our example
|01000111|0|1|1000000010000
sync Byte PUSI PID=0x1010(13bit)
 

cayoenrique

Member
Messages
475
Most people hate math; this is because math is taught in the wrong way. This is my explanation.

Time to learn to speak, not even writing and rules for writing. A kid is given 5 years to learn to speak. When you get to Kinder you are expected to get there talking. Everyone knows if you fail to learn to talk you have a hard time in life.


Time to learn basic Add + multiplication. At five we teach a kid decimal notation. Count from 0 1 2 3 ... 9. Well, stupidity tells teachers that decimal is: 1 2 3 .. 10. See, from the start teachers are wrong.
The next year they are trying to teach add 1+1=2 ... blabla
And in 1 to two more they teach Multiplication. People, the tables that you are to learn are the WHOLE core for the rest of your life. In life all is math and they give at most 3 years for kids to adapt.

Why I say this: because we all do this wrong. I assume you guys should know the basics. But just in case let's start from there.

Everyone knows Decimal is: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9.
When you need more you add another column to the left. In this case after 9 is 10. See, we added a column for 1#:
10, 11, 12, 13, 14, 15, 16, 17, 18, 19
And it repeats with two.

Let's use a notation D=Decimal, B=binary, O=octal, H=Hexadecimal. Note the dots mean nothing; they are there to mark a space

Computer memory is based on: it is ON or it is OFF. Two stages, ON or OFF, that we call binary

This is how we count and how it compares to decimal, binary and hexadecimal:

Single Digits Binary
D B
-----
0 0
1 1


Some time in the origin they talked about Octal, but it is not really used
D O .B.
-----------
0 0 000
1 1 001
2 2 010
3 3 011
4 4 100
5 5 101
6 6 110
7 7 111


But in modern computer era we all know Hex
.D H .B.
--------------
00 0 0000
01 1 0001
02 2 0010
03 3 0011
04 4 0100
05 5 0101
06 6 0110
07 7 0111
08 8 1000
09 9 1001
10 A 1010
11 B 1011
12 C 1100
13 D 1101
14 E 1110
15 F 1111


1) Quickly you can see there is something wrong with Hexadecimal. Where do those A B ... F come from?
Simply, there is no SINGLE number representation over 9. Remember we base our math concept on columns. It has to be a SINGLE number representation. So they came up with using the letters A B C D E F for the missing numbers.

2) You can also see that you need 4 bit columns to represent 1 hex number. We call a 4-bit number a NIBBLE

3) But today's computer is based on the concept of Bytes, and bytes are 8 bits. This means we have 2 NIBBLEs in one byte, and if we want we can have 2 columns of hex in one BYTE. Let's show a few examples:

.D. H. ....B....
000 00 0000 0000
082 52 0101 0010
160 A0 1010 0000
255 FF 1111 1111


Let's take the second, 52 0101 0010: we need 2 Hex columns, a 5 and a 2, which has two Nibbles, or 2 sets of 4 bit columns

..5. ..2.
0101 0010


OK, next let's review the question
 
Last edited:

cayoenrique

Member
Messages
475
Another more detailed explanation of the TS HEADER.

This image comes from Master colibri's posted literature
skInDJt.png


Another way to look at it, this image is from Wikipedia
Fp5AVey.png


OK, let's review the question @Me2019 asked: "i didn't understand this"

1st, our problem to resolve: the OpenCL brute force program needs us to supply 3 encrypted PES packets (16 bytes long). Because they are expected to decrypt as 00 00 01

Solution
We have a recorded Channel, in our sample C:\Apps\home\cryptodir\Labs\003\example_biss.ts. This is what we should have used. We will use decrypted data, so that you can see 00 00 01. I know it is wrong but you learn easier.

So we used our commands and got instead 1 TS file unencrypted with ONLY Audio PID 0x1010. This new ts file is C:\Apps\home\cryptodir\Labs\003\testcard_decrypted_APID=0x1010.ts

So if I look inside the file, most TS lines should start with 47 10 10, where
47 Sync Byte
10 10 Pid Number

Now you have a few that should have PUSI=1. Those are the ones we are looking for. The question is: how will we find them?
1st byte is just 47, Sync Byte; we ignore this.
2nd byte is 10. And it is here, but PUSI=0

How it will look if PUSI=1.

This is 10 hex in binary
1 0
0001 0000

This is PUSI=1 (40)

4 0
0100 0000


Let's add both together
0001 0000
0100 0000
---------------
0101 0000 this is (50) in HEX

This means if we are looking for a 47 10 10 that has PUSI set to 1 then the number is 47 50 10.

Now what is this (13bit) length for PID'S?
Maximum PID in HEX is 1FFF. It can NOT be a PID 2000, NOPE.
So how many bits are in 1FFF? Let's see

1 F F F
0001 1111 1111 1111

If you count them, they are 13. Why? To leave 3 bits of space for
Code:
Transport Error Indicator (TEI)
Payload Unit Start Indicator (PUSI)
Transport Priority

Do not lose perspective.
All this is to show how we go from a simple PID to a PID that will have PUSI=1. In this case our search will be to find 47 50 10
And do not forget that this assignment is done with the Encrypted PID, as we do not know what the KEY is to decrypt the TS we are interested in.
 
Last edited:

Me2019H

Registered
Messages
101
Thank you very much for the explanation, it's been a great help in that I understand a bit better now where and how these things are handled.
 

cayoenrique

Member
Messages
475
I see an answer too clean. My apologies if I was also too straight in my answer.

A simpler way to look at it. For the MOST part Transport Error Indicator (TEI) and Transport Priority are never going to be set, so they must be 0.
This means that if PUSI=1 you will have ONLY two ( 2 ) possible values!! 4# or 5#.

5# => For PIDs that have 4 Hex digits ( 0x1###) like in 0x1010 or
4# => for PIDs that have 3 Hex digits ( 0x0###) or ( 0x###)
where
# is the 3rd Most Significant Byte of the PID


So 2 possible searches
"47 4# ##" or "47 5# ##"

Hope this explanation is simpler.
 
Last edited:

Me2019H

Registered
Messages
101
I found this
PUSI
- For PES packages, if the PES package is large, the size of a ts package is fixed at 188 bytes. If 188 bytes can not fit, then it needs to be sub-packaged. Assuming a total of 3 packages, then the first package PUSI is 1, and the remaining two packages are 0. Then if the next PES is into three packets, the PUSI of the first ts packet is also 1, and the remaining two packages are 0.
- For PSI packages, if the package is large, it also needs to be divided into multiple sections. One section is divided into multiple ts packages. Then similar to PES, the PUSI of the first ts package needs to be set to 1. At the same time, the first byte of the payload is pointer_field, indicating the position of the first byte of the new section. Then the bytes in the middle from the position of pointer_field to the first byte of the new section are the end of the previous section.
- 0: the start character of the payload unit is 0, which means it is not frame header, does not contain PES header data, only PES payload (PES payload is one frame of data).
 

cayoenrique

Member
Messages
475
Yes, the PES info is just what we have been saying. PSI, to be honest, I never gave it much thought as they are never encrypted.

PSI packages: for the most part these PIDs are single line, too short to have multiple ts. So you will see that they are PUSI=1 and NEVER encrypted, or in the clear. Remember our sample
C:\Apps\Home\cryptodir\Labs\003\example_biss_0x0000_PAT.ts
Code:
474000110000B00D4321D100000001E100222F77F9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Look, it is 47 40, and look at all those FF that are added as PAD.

For those that are interested Wiki is always our friend.
Code:
https://en.wikipedia.org/wiki/Program-specific_information

Now the last line is about 00. I have seen the 00 but have no idea of its meaning. Let's see: in our C:\Apps\Home\cryptodir\Labs\003\example_biss.ts I removed the FF PAD
This is what I see
Code:
0x0000 Pat 474000110000B00D4321D100000001E100222F77F9
0x0001 CAT 4740011D0001B009FFFFDF0000C1F1E518
0x0011 SDT 4740111D0042F0234321D9000000EBFF0001FD001248101906434D3530303007494D473320455562290C95
0x0014 TOT 4740141300707005E278091322
0x0100 PMT 474100100002B0320001CF0000E200F00609042600FFFF03F010F00003F020F00003F030F00003F040F0001BE200F00628046400283F2D77AF86

Separating TS Header and counter. There they are, 00. Interesting...
0x0000 Pat 474000 11 00 00B00D4321D100000001E100222F77F9
0x0001 CAT 474001 1D 00 01B009FFFFDF0000C1F1E518
0x0011 SDT 474011 1D 00 42F0234321D9000000EBFF0001FD001248101906434D3530303007494D473320455562290C95
0x0014 TOT 474014 13 00 707005E278091322
0x0100 PMT 474100 10 00 02B0320001CF0000E200F00609042600FFFF03F010F00003F020F00003F030F00003F040F0001BE200F00628046400283F2D77AF86

Nice finding. Thanks.


Now PSI never has an adaptation field; this is why we see after 4740XX 1# 00
1# means no adaptation field

If this were a stream and we saw 4740XX 3#, then in 4740XX 3# 05
3#, where 3 is in fact 0011, means adaptation field followed by payload.
5#, and in this example it is saying that the adaptation field has a length of 5 bytes.
 
Last edited:
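
The header fields discussed in the last few posts (PUSI, the 13-bit PID, adaptation field control, and the 00 byte after the PSI headers, which is the pointer_field named in the quoted text), decoded in C as an added example that is not part of the thread or of any tool named in it. The type and function names are assumptions made for this example; the sample bytes are prefixes of packets quoted in the posts.

```c
/* Added example (not from the thread): decode MPEG-TS header fields. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TS_PACKET_SIZE 188

typedef struct {
    int valid;        /* 0: sync byte missing or fields inconsistent */
    int tei;          /* Transport Error Indicator     byte 1 bit 7 */
    int pusi;         /* Payload Unit Start Indicator  byte 1 bit 6 */
    int priority;     /* Transport Priority            byte 1 bit 5 */
    unsigned pid;     /* 13 bits: byte 1 bits 4..0, then byte 2 */
    int scrambling;   /* Transport Scrambling Control  byte 3 bits 7..6 */
    int afc;          /* Adaptation Field Control      byte 3 bits 5..4 */
    int cc;           /* Continuity Counter            byte 3 bits 3..0 */
    int payload_off;  /* index of first payload byte, -1 if none */
} ts_header;
typedef struct { int program_number; int pmt_pid; } pat_entry;

/* Packet prefixes copied from the posts above (FF padding and tails omitted). */
static const uint8_t AUDIO_PKT[] = { 0x47,0x50,0x10,0x35,0x01,0x60,0x00,0x00,0x01,0xC0,
                                     0x03,0x08,0x84,0x80,0x05,0x23,0x29,0x1D,0x4F,0x41 };
static const uint8_t PAT_PKT[]   = { 0x47,0x40,0x00,0x11,0x00,0x00,0xB0,0x0D,0x43,0x21,0xD1,
                                     0x00,0x00,0x00,0x01,0xE1,0x00,0x22,0x2F,0x77,0xF9 };
static const uint8_t PMT_PKT[]   = { 0x47,0x41,0x00,0x10,0x00,0x02,0xB0,0x32 };

ts_header ts_parse(const uint8_t *p, size_t len)
{
    ts_header h = { .payload_off = -1 };
    if (len < 4 || p[0] != 0x47) return h;       /* no sync byte */
    h.tei        = (p[1] >> 7) & 1;
    h.pusi       = (p[1] >> 6) & 1;
    h.priority   = (p[1] >> 5) & 1;
    h.pid        = ((unsigned)(p[1] & 0x1F) << 8) | p[2];
    h.scrambling = (p[3] >> 6) & 3;
    h.afc        = (p[3] >> 4) & 3;
    h.cc         = p[3] & 0x0F;
    if (h.afc == 0) return h;                    /* 00 is a reserved value */
    size_t off = 4;
    if ((h.afc & 2) && len < 5) return h;        /* length byte missing */
    if (h.afc & 2) off = 5 + (size_t)p[4];       /* 2# or 3#: skip adaptation field */
    if (h.afc & 1) {                             /* 1# or 3#: payload present */
        if (off >= TS_PACKET_SIZE) return h;     /* adaptation field overruns packet */
        h.payload_off = (int)off;
    }
    h.valid = 1;
    return h;
}

/* First 3 bytes to search for (TEI and Transport Priority taken as 0). */
unsigned ts_search_prefix(unsigned pid, int pusi)
{
    return 0x470000u | (pusi ? 0x4000u : 0u) | (pid & 0x1FFFu);
}

/* stream_id when a clear PES header (00 00 01) starts in this packet, else -1. */
int pes_stream_id(const uint8_t *p, size_t len)
{
    ts_header h = ts_parse(p, len);
    if (!h.valid || !h.pusi || h.scrambling || h.payload_off < 0) return -1;
    size_t o = (size_t)h.payload_off;
    if (len < o + 4 || p[o] || p[o + 1] || p[o + 2] != 0x01) return -1;
    return p[o + 3];
}

/* PSI with PUSI=1: first payload byte is pointer_field, bytes to skip to table_id. */
int psi_section_off(const uint8_t *p, size_t len)
{
    ts_header h = ts_parse(p, len);
    if (!h.valid || !h.pusi || h.payload_off < 0 || len <= (size_t)h.payload_off) return -1;
    size_t sec = (size_t)h.payload_off + 1 + p[h.payload_off];
    return (sec < len && sec < TS_PACKET_SIZE) ? (int)sec : -1;
}

int psi_table_id(const uint8_t *p, size_t len)
{
    int sec = psi_section_off(p, len);
    return sec < 0 ? -1 : p[sec];
}

/* First program entry of a PAT (8-byte section header, then 4 bytes per entry); CRC not checked. */
pat_entry pat_first_entry(const uint8_t *p, size_t len)
{
    pat_entry e = { -1, -1 };
    int sec = psi_section_off(p, len);
    if (sec < 0 || len < (size_t)sec + 12 || ts_parse(p, len).pid != 0 || p[sec] != 0x00) return e;
    e.program_number = (p[sec + 8] << 8) | p[sec + 9];
    e.pmt_pid = ((p[sec + 10] & 0x1F) << 8) | p[sec + 11];
    return e;
}

int main(void)
{
    ts_header a = ts_parse(AUDIO_PKT, sizeof AUDIO_PKT);
    printf("PID 0x%04X PUSI=%d AFC=%d payload@%d prefix %06X\n", a.pid, a.pusi, a.afc, a.payload_off, ts_search_prefix(a.pid, 1));
    return 0;
}
```

Because the payload offset is computed from the adaptation field length byte, this also handles packets where the adaptation field is not exactly one byte long, which the fixed `cut -b20-66` column range does not.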

cayoenrique

Member
Messages
475
Reading again
Code:
- 0: the start character of the payload unit is 0, which means it is not frame header, does not contain PES header data, only PES payload (PES payload is one frame of data).
this part "PES payload (PES payload is one frame of data)"
suggests it is still talking about PES. I may have misunderstood. Now I am not sure if the 00 I explained on top have in fact this meaning.
 

cayoenrique

Member
Messages
475
@Me2019H
I had not been feeling good. So I have been taking a rest. Well, I have shown up on the forum but did almost no work at home.

In general I need to know how many are following and what is the next interest.

In general we have done:
Explained what CSA is and posted some code in C and OpenCL. We could spend more time detailing specifics on the Stream Cypher, Block Cypher or Key schedule. This will be good for those that master C and may want to see what can be done to speed it up. But it will be of no meaning for those that have no intention to learn to code. And we introduced you guys to OpenCL

We could move to:

A new CAS that requires an ECM. Then we could explain its ECM structure and see what we can do to crack an ECM.
Let me place a note here. I am no expert like, let's say, Master colibri. I can only teach you what I think is the process. And how I have tried to attack those. And as always, NEVER think that you will learn how to crack a CAS. We can only learn, test and see why it is so difficult. Cracking it and being able to use it for daily practical use is another story. The two most common here as a subject are powervu and tandberg. Please notice that what I do know of both was learned from colibri's teaching. So colibri's past posts will be the base of the analysis. Finally, the best teaching tool/book is OSCAM Emu. Thanks to the Oscam guys we do have software emulation solutions for all those CAS.

Another option: as I have to finalize T2MI we could go over it on the fly. Listen, I have used newspaperman's t2-mi
Code:
https://github.com/newspaperman/t2-mi

But I never understood how it works internally. Pick a topic
 
Last edited:

cayoenrique

Member
Messages
475
If you go to colibri's site.
Code:
http://colibri.bplaced.net/csa_rainbow_table.htm

You can find a pdf that most skip because it is in German.
Code:
http://colibri.bplaced.net/DVB_TS_Vollverschluesselung_geknackt.pdf

Many years ago, when Google started to translate but very badly, Dale's translated this document. It was posted some place here, I do not recall.

Here it is again:
Attachment

colibri is analyzing Abertis DTT and how the PID 0x1FFF created some interesting situations many, many years ago when they started.

I explained somewhere else that PID 0x1FFF is used to keep the bit rate of the transponder. It is just a PID that should NOT be encrypted and that transmits just the HEADER + 184 0x00 per TS.
But Abertis DTT is an encrypted pack system of the whole transponder. As a result PID 0x1FFF ends up being encrypted with the rest of the transponder. Also as a result, and by luck, the header will end up being located in different positions in the new TS that carries the packed transponder.

In colibri's pdf, he posted this as a sample on page 5.
Code:
47 1F FF 10 00 00 00 00 <168 wider Bytes> 00 00 00 00 00 00 00 00
00 00 00 00 47 1F FF 10 <168 wider Bytes> 00 00 00 00 00 00 00 00
...
00 00 00 00 00 00 00 00 <168 wider Bytes> 47 1F FF 10 00 00 00 00
00 00 00 00 00 00 00 00 <168 wider Bytes> 00 00 00 00 47 1F FF 10
00 00 00 00 00 00 00 00 <168 wider Bytes> 00 00 00 00 00 00 00 00
These are samples of how he found the header being placed in different positions.

Now pages 7 & 8 explain the reasoning as to why all this is happening. He explained that due to the Adaptation Field and who knows what else, we have at the end a CSA encrypted RESIDUE.
And the CSA definition states that this last RESIDUE block is ONLY encrypted by the Stream Cypher. A residue is when you try to encrypt less than 8 bytes.

At the end, colibri posted this as the encrypted data that most repeats in a log he did.
Code:
128 mal: ... 66 8B 84 01 ED A4 49 C2 1A 51 7F 94 (= 00 00 00 00)
008 mal: ... 66 8B 84 01 ED A4 49 C2 5D 4E 80 84 (= 47 1F FF 10)
002 mal: ... 66 8B 84 01 ED A4 49 C2 5D 54 A2 84 (= 47 05 DD 10)
003 mal: ... 66 8B 84 01 ED A4 49 C2 5D 54 A2 8B (= 47 05 DD 1F)
Where I guess "mal" in German means number of times.

Please do not get confused, he is posting the encrypted part 1st. At the end, inside "(= *** )", the last 4 bytes are what he thinks is the unencrypted solution

Let's take only the TS we will need.
...
means that before that there are 172 previous bytes of the Total encrypted 184.

... 66 8B 84 01 ED A4 49 C2 1A 51 7F 94 TS 1
... 66 8B 84 01 ED A4 49 C2 5D 54 A2 84 TS 2

So all the original bytes were the same except for the last 4 bytes!! Yes, a very special weird case of CSA.

Let's do some definitions

STREAM = The Stream cypher of the n data
PLAIN = Unencrypted n data
CRYPT = Encrypted n data
XOR = yes the xor operand
and n is the position in the TS CSA ( 0 -183 )

And we know STREAM, PLAIN and CRYPT blocks are by definition 8 Bytes, but in the case of the Residue it can be ( 0 - 6 ). 7 max, because if you have 8 then you do not need a residue, it is in fact another block to be fully encrypted.
In our sample the residue is 4 bytes.

Now we have two lines so we have:
PLAIN1, PLAIN2
CRYPT1, CRYPT2
STREAM1, STREAM2

And the equations are

STREAM1 xor CRYPT1 = PLAIN1
STREAM2 xor CRYPT2 = PLAIN2

We can rewrite them as
STREAM1 = PLAIN1 xor CRYPT1
STREAM2 = PLAIN2 xor CRYPT2

If you recall, all bytes previous to the residues are the same
... 66 8B 84 01 ED A4 49 C2

This can ONLY happen if STREAM1 = STREAM2. So we can combine both equations into one

STREAM1 = STREAM2
PLAIN1 xor CRYPT1 = PLAIN2 xor CRYPT2

We can now rewrite the equation as
PLAIN1 xor PLAIN2 = CRYPT1 xor CRYPT2

and we know CRYPT1 and CRYPT2 so we have
PLAIN1 xor PLAIN2 = 1A 51 7F 94 xor 5D 54 A2 84

PLAIN1 xor PLAIN2 = 47 1F FF 10

I now you can easily identify 47 1F FF it is the TS header of PID 0x1FFF. PLEASE notice. Colibri decrypted the two TS, found the CLEAR DATA and he did this without needing a CSA KEY????


Interesting: Colibri concluded that the most repeated crypts were 00 00 00 00 and 47 1F FF 10, as they were the ONLY ones that can reproduce the resulting xor.

00 00 00 00 xor 47 1F FF 10 = 47 1F FF 10


Now, why am I providing this sample? Because from time to time we could find extreme situations that can solve our problems. We need to keep an eye on details. :mad:
 
Last edited:
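
The XOR relation derived in the post above, carried out in C on the four encrypted residues of colibri's log, as an added example (not colibri's or the poster's code; all names are assumptions made here). Rows are indexed in the order the log lists them: row 0 xor row 1 gives 47 1F FF 10, and row 0 xor row 2 gives 47 05 DD 10.

```c
/* Added example (not colibri's or the poster's code): XOR analysis of the
   four encrypted residues listed in the log quoted above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { int count; uint32_t crypt; } residue;

/* Repeat count and last 4 ciphertext bytes of each log row, in log order.
   The 8 bytes before them (66 8B 84 01 ED A4 49 C2) are the same in every row. */
static const residue ROWS[] = {
    { 128, 0x1A517F94u },
    {   8, 0x5D4E8084u },
    {   2, 0x5D54A284u },
    {   3, 0x5D54A28Bu },
};
#define N_ROWS (sizeof ROWS / sizeof ROWS[0])

/* PLAINi xor PLAINj = CRYPTi xor CRYPTj when both rows share one STREAM. */
uint32_t plain_xor(size_t i, size_t j)
{
    return ROWS[i].crypt ^ ROWS[j].crypt;
}

/* Index of the row seen most often in the log. */
size_t most_frequent(void)
{
    size_t best = 0;
    for (size_t i = 1; i < N_ROWS; i++)
        if (ROWS[i].count > ROWS[best].count) best = i;
    return best;
}

/* STREAM = PLAIN xor CRYPT, for one row whose plaintext is assumed known. */
uint32_t stream_from(size_t known_row, uint32_t assumed_plain)
{
    return ROWS[known_row].crypt ^ assumed_plain;
}

/* PLAIN = STREAM xor CRYPT for any other row under the same STREAM. */
uint32_t decrypt_row(size_t i, uint32_t stream)
{
    return ROWS[i].crypt ^ stream;
}

/* PID if the 4 bytes start with sync byte 0x47 (a TS header), else -1. */
int header_pid(uint32_t four_bytes)
{
    return (four_bytes >> 24) == 0x47 ? (int)((four_bytes >> 8) & 0x1FFF) : -1;
}

/* Consistency check on an assumed plaintext: how many of the other rows then
   decrypt to something that starts like a TS header. */
int rows_with_sync(size_t known_row, uint32_t assumed_plain)
{
    uint32_t stream = stream_from(known_row, assumed_plain);
    int n = 0;
    for (size_t i = 0; i < N_ROWS; i++)
        if (i != known_row && header_pid(decrypt_row(i, stream)) >= 0) n++;
    return n;
}

int main(void)
{
    size_t k = most_frequent();
    uint32_t stream = stream_from(k, 0x00000000u);  /* assumption: 00 stuffing bytes */
    for (size_t i = 0; i < N_ROWS; i++) {
        uint32_t pl = decrypt_row(i, stream);
        printf("%3d x  crypt %08X -> plain %08X  PID %d\n", ROWS[i].count,
               (unsigned)ROWS[i].crypt, (unsigned)pl, header_pid(pl));
    }
    printf("row0 ^ row1 = %08X, row0 ^ row2 = %08X\n",
           (unsigned)plain_xor(0, 1), (unsigned)plain_xor(0, 2));
    return 0;
}
```

With the most frequent row taken as 00 00 00 00, the other three rows come out as the headers given in the right-hand column of the log, which is the consistency the post describes.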

cayoenrique

Member
Messages
475
I see some people are asking others to perform some simple tasks; I guess they do not know how to get their development setup.

I know I had 3 main threads, and if you did not follow them from the beginning you may not know where to start. Threads are
GPGPU using Opencl
Understanding CSA
Understanding DES


So here I will try to expose what we have agreed on for my suggested tools to work for you.
I am a Linux guy.
But I have been asked to provide Windows exe tools and to have as simple an installation as can be. 1st, there is no simple way. But I can stay away from MSYS2 stuff, even when it is the most useful of all methods.

So here is my compromise with all of you.
1) C:\Apps : All our tools are going to be stored under one main directory, so that you can delete all at once in the future. One dir for all.
2) C:\Apps\MSys2\mingw64 : Compiler: All apps will be compiled using mingw64. There is no MSys2 requirement. MSys2 Folder is just an empty folder to hold mingw64. In this way we are compatible with those that do want to install MSys2.
3) C:\Apps\OpenCL_IDC : This is the location for IDC, for those that want to have OpenCL. Skip if you want. Not needed for the general tools.
4) C:\Apps\home : This will be our HOME directory for all our Files.
5) C:\Apps\home\bin : This is where we are going to place our build tools. So that they are accessible from any place.
6) C:\Apps\home\bin\busybox : This wonder tool contains the power of many useful Linux commands that will be at your fingertips under Windows.
7) Windows PATH : For all this setup to work you need to add the following in your Windows PATH. C:\Apps\MSys2\mingw64\bin;C:\Apps\home\bin;C:\Apps\OpenCL_IDC\bin;C:\Program Files (x86)\7-Zip;

Here I am posting again the PDF with tutorials on how to set up these directories and programs.

Attachment
tutorial_opencl_installation_ver_0-01.tar.7z.zip

For general tools, you only need to do 02_Instalin_GNU_Compiler_ver_0.01.pdf; the others are to have OpenCL.

Now, normally I do not like to provide binaries.
We will need, as I say, busybox, tstools, Hexeditor, transedit and a few others. I provided 3 zips that contain most of the files needed.
For those that may want to build from source, please ask and I will try to show you how to build most of them. But it will be a more extensive tutorial.

PLEASE, as these are binaries, I ask you to pass all through your antivirus app. It is your responsibility, not mine, to check all that you download.
If you are one of those that love to blame others, PLEASE do not download.

So please download 1st, then
1) <filename>.tar.7z.zip - Please remove .zip before extract
2) extract <filename>.tar.7z
3) extract <filename>.tar
4) copy files into C:\Apps\...

If for any reason you can not extract these files in Windows, please download the FREE 7zip extractor from its official page at:
Code:
https://www.7-zip.org/download.html
 

Attachments

  • win_tsapps_1_V.01.tar.7z.zip
    175.7 KB · Views: 5
  • win_tsapps_2_V.01.tar.7z.zip
    3.2 MB · Views: 6
  • win_tsapps_3_V.01.tar.7z.zip
    2.5 MB · Views: 6
Last edited:

cayoenrique

Member
Messages
475
In lost SU threads I taught how to build a few good tools. One of them was tsdec. You may have used its sources in Modysat

Brief history from old Encryption Learning thread
tsdec is a very old program. It has evolved with time. But as most forums have died there is no record. I think it started with an older program called cwldec.
tsdec is supposed to have the capability of encryption. But if you try, it does not work. After several days looking at the code this is my conclusion. To encrypt, tsdec seems to expect that the Audio and Video are read as encrypted, even when you are supplying those PIDs in the clear.!!!!

This is what I think is the reason for all this wrong setup. This program was built for old boxes. It was assumed that the boxes did not have the capability to record the original transponder signal. The user will be forced to fake that he knew a key, but a wrong one. The user sets the WRONG key and then records. Sure, bad video will be recorded. My best guess is that the video will be recorded, but because it did not clear, the Audio and Video will end up having the Transport Scrambling Control set as encrypted.

So why did they use it like this? Well, the user will then be allowed to record. Yes, the file will not play. But in the future the user will try to find the correct CW keys on the net. Once he finds the correct keys he will have to take the bad recorded file and re-encrypt with the wrong key he used while recording. Then decrypt with the right keys. Finally the user will be able to watch the video. Do not be fooled, someone may need this program as is these days. If your box can not record a transponder, this is a solution to record a BISS channel.

In contrast, today when Audio and Video are in the clear, Transport Scrambling Control will be clear. As a result tsdec does not encrypt. So we will need to patch the program to accept today's reality.

The original files were at
Code:
https://sourceforge.net/projects/tsdec/

And if you want to clone from there you do
Code:
hg clone http://hg.code.sf.net/p/tsdec/code tsdec-code
or
git clone https://github.com/exrom/tsdec

And now you are going to tell me you do not have Git nor Mercurial installed. HE HE HE

So instead just download and save it to C:\Apps\Home\cryptodir\Labs\005 with this
Code:
> busybox wget --no-check-certificate https://github.com/exrom/tsdec/archive/refs/heads/master.zip
> mv master.zip tsdec_master.zip
> 7z x tsdec_master.zip

Now if you read the tsdec story and you would like to include my patch to improve encryption, download the attachment below called tsdec.patch.zip and do the following. If not, just do make.

So download the attachment to C:\Apps\Home\cryptodir\Labs\005\tsdec-master\src
Code:
> cd tsdec-master\src
> 7z e tsdec.patch.zip
> busybox patch -u tsdec.c -i tsdec.patch
> cd C:\Apps\Home\cryptodir\Labs\005\tsdec-master
> make

The binary, for those that do not want to build, is in the win_tsapps_1_V.01.tar.7z.zip attachment on the previous post.
 

Attachments

  • tsdec.patch.zip
    1.5 KB · Views: 6