Understanding DES

cayoenrique

@dvlajkovic I have always said the same thing. I can help you or anyone else to improve the code.

@ashoknek You are half correct. The mode you described is sometimes called 2TDEA.
From wiki
220px-3des-overall-view.png

Key1 ≠ Key2 are independent, and Key1 = Key3. Sometimes known as 2TDEA or double-length keys.

But there is one extra official mode where:

Key1 ≠ Key2, Key2 ≠ Key3, and Key3 ≠ Key1. All three keys are independent. Sometimes known as 3TDEA or triple-length keys.

And there are other old, deprecated and unofficial ways.

@all
I will be posting my 1st OpenCL code for DES HERE

Just in case, here is the download link

OCLDes_003W.zip (30.12 KB)
Code:
https://workupload.com/file/RbtaQduxssr
 

cayoenrique

Lab004

In Lab004 we will study the Feed Hunting process, a process very common among Sat-Universe (SU) users.

Let's create some definitions:
Stream Signal - Any signal coming from the satellite that has some useful media transmitted that can be played or read. For our purpose, when we say stream signal we will be talking about Video or Audio or Video+Audio.
TS Log - A record of a streaming signal.
Open Stream - People use many terms to name a signal that is NOT encrypted; many say Free To Air (FTA), on the clear (OTC), open or just free. We will say Open to establish that it is not encrypted and watchable.
Feed Hunting - A Sat-Universe (SU) user scans the sky, looking for satellite signals that he could later try to watch. Once he detects a new candidate, he proceeds to record a Full Transponder TS log. The SU user hopes that he can find useful information in the TS log that will allow him to open the stream in the future.
Service ID (SID) - In general a SID represents a Video+Audio Channel. But it can be any number of stream compilations.
Over-the-top media service (OTT) - Today's definition: media content delivered over the Internet. But OTT was in use long before IPTV on the Internet. The OLD definition is just Over-The-Top. And in satellite it means that a PID is NOT used for a single stream media like Video or Audio. Instead multi-stream media is packed in a single PID. Yes, like a FULL transponder inside a single PID. The most common was IP over Satellite Links (IPSAT). But there is T2MI, DTT and others. On the other hand there is Digital Storage Media Command and Control (DSM-CC) - DATA Carousel, which uses MultiStream. Most common is Multi-encapsulation (MPE).
Conditional Access Identification (CAID) - It defines what type of encryption is in use. Method by which one can obfuscate a digital-television stream, with access provided only to those with a valid decryption subscription.
Crypt8 - I have not seen a definition, so here is mine: Crypt8 is the 1st 8-byte sequence in the payload, when the whole or part of the payload of a 188 TS gets repeated several times.

Once the SU user has a TS Log he will use TransEdit to study the various PIDs, Service IDs, and the CAID system used.

In general the process goes from Log => Crypt8 => CSA CW.

To get the Crypt8 the SU user uses colibri's CSA RBT. You do not need to have a GPU to search for crypt8. A GPU is only required to find the CSA CW.
If the crypt8 is from the video PID and uses the h264 codec, then it is the FFh table. If the crypt8 is from the video PID and uses the mpeg2 codec, then it is the 00h table. If there are 3 similar high counting crypt8's, then it may be the 030000h table.

For this LAB004 we will be using example_tandberg_EE.ts
Let's create some working directories.
Code:
[WINKEY]+R  CMD [ENTER]
> mkdir "C:\Apps\Home\cryptodir\Labs\004"
> cd C:\Apps\Home\cryptodir\Labs\004
> copy C:\Apps\Home\ts_examples\example_tandberg_EE.ts example_tandberg_EE.ts

If you are a WIN GUI fanatic, you can use TransEdit to inspect our example_tandberg_EE.ts.
Code:
PID  HexPID  StreamType  Encrypted kbps  Percent ServiceName
0    0x0000  PAT            -      15.14      0.80  N/A
2228 0x08B4  H.264 Video    $     1705.67   90.16  _Service 465
2229 0x08B5  MPEG Audio     $      138.79    7.34  _Service 465
2230 0x08B6  PMT            -      15.14     0.80  _Service 465
3154 0x0C52  ECM/EMM        -      12.15     0.64  _Service 465
3354 0x0D1A  ECM/EMM        -      5.02      0.27  _Service 465


Let's do it in a NON-GUI fashion. 1st we find the SID number of our channel.
Code:
> ffprobe -hide_banner -i example_tandberg_EE.ts > out.txt 2>&1
>  type out.txt | busybox grep Stream -B5
  Program 461 
  Program 462 
  Program 463 
  Program 464 
  Program 465 
  Stream #0:0[0x8b4]: Video: h264 ([27][0][0][0] / 0x001B), none, 90k tbr, 90k tbn
  Stream #0:1[0x8b5](scc): Audio: mp3 ([3][0][0][0] / 0x0003), 0 channels, fltp

Just before the streams we are interested in, we see Program 465. We can see then that our SID is 465. We can also see that we have 2 streams: "[0x8b4]: Video: h264" and "[0x8b5](scc): Audio: mp3"

We can use oetsdec.exe to try to decrypt. In this sample it will decrypt as we have the key stored, so assume the key is unknown and ignore that it did decrypt the file. But we can use it for transponder analysis.
oetsdec.exe will create a log.txt. Then we can inspect log.txt to show us the transponder analysis.
Code:
>oetsdec.exe  example_tandberg_EE.ts 465 out.ts
> type log.txt | busybox grep "stream found"
[Emu] stream found pmt pid: 0x08B6 (2230)
[Emu] stream found pat pid: 0x0000 (0000)
[Emu] stream found ecm pid: 0x0D1A (3354)
[Emu] stream found video pid: 0x08B4 (2228)
[Emu] stream found Audio pid count: 0x0001
[Emu] stream found Audio pid: 0x08B5 (2229)
[Emu] stream found caid: 0x1010 (4112)

From the previous sample we know which PIDs are being used and that CAID=0x1010 is Tandberg, ECMPID=0x0D1A VPID=0x08B4 APID=0x08B5.

Now let's use colibri's CSA RBT to get crypt8. My results show
Code:
9A E1 DC 0F 63 46 2D 53  #[O] PID:08B4h
13 48 57 0B 6A E5 8B E3  #[E] PID:08B4h
00 7D 10 7D 6D 73 94 AB  #[O] PID:08B4h

As you see we have both ODD [O] and EVEN [E] keys. And we can see the [O] and [E] crypt8 keep changing. They are not constant. This is because our sample is a TS that has a CAS, in this case Tandberg.
In general Feed Hunters look for streams whose [O] and [E] do not change, and where no CAID nor ECM are shown, an indication that BISS is in use.

After you run your CSARBT you should find one of these CWs
Code:
9A E1 DC 0F 63 46 2D 53  #[O] PID:08B4h ==> 38 5F 62 F9 4F CA BC D5
13 48 57 0B 6A E5 8B E3  #[E] PID:08B4h ==> 1E E4 4F 51 05 69 CD 3B 
00 7D 10 7D 6D 73 94 AB  #[O] PID:08B4h ==> 8F 8E 4A 67 1C F3 97 A6

Let's summarize. Up to here I have shown the newbie what a feed hunter does to find his BISS CWs. Nothing new here.
 

cayoenrique

Lab004 Part II

In Lab004 we studied the Feed Hunting process, a process very common among Sat-Universe (SU) users.

Now we will try to introduce you to ECMs. As explained, I will start with the Tandberg ECM as it is one of the simplest to understand. Now, we owe the knowledge for this to master colibri. He originally started the following thread.
Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

Yes, I know it has 100 pages. But you should at least read the first. That is your reference book for this LAB. Now the other source of information is Oscam-Emu; thanks again to those who work on that project. Now, I said this once, but here it is again for your information, with corrected line numbers for oetsdec_034W.zip

The original tool sources are around for poc.exe. Nowadays the sources are in Oscam-emu.
The best is to study it in my program oetsdec. Look into oetsdec/oscamfiles/module-emulator-director.c

In line 67 you will find int8_t director_ecm(uint8_t *ecm, uint8_t *dw)
Type EC is broken as there is no solution for decrypting Video.

But we can test type ED and EE. See
Line 110 for case 0xEC
Line 222 for case 0xED

And here is the file, just in case you do not have it
oetsdec_034W.zip (127.05 KB)
Code:
https://workupload.com/file/s6f3Hhx2XMz

Ok, let's start. From the previous step we know how to find out the ECM PID
>oetsdec.exe example_tandberg_EE.ts 465 out.ts
> type log.txt | busybox grep "stream found"
[Emu] stream found pmt pid: 0x08B6 (2230)
[Emu] stream found pat pid: 0x0000 (0000)
[Emu] stream found ecm pid: 0x0D1A (3354)
[Emu] stream found video pid: 0x08B4 (2228)
[Emu] stream found Audio pid count: 0x0001
[Emu] stream found Audio pid: 0x08B5 (2229)
[Emu] stream found caid: 0x1010 (4112)

Now as a reminder, when we use ">" to pipe binary files in Windows it will fail. To make it work we need to use a Linux shell. So we surround the wanted command with busybox sh -c "..."

We are going to tell dvbsnoop to extract PID 0x0D1A. And we will create a new file called example_tandberg_EE_ECMPID_0x0D1A.ts with it
Code:
busybox sh -c "dvbsnoop -if example_tandberg_EE.ts -s ts -b 0x0D1A  > example_tandberg_EE_ECMPID_0x0D1A.ts"

Now we are interested in listing all UNIQUE ECMs. Let's place them in the file ECMs.txt

Code:
busybox od -An -t x1 --width=188 example_tandberg_EE_ECMPID_0x0D1A.ts | busybox head -n -1 | busybox cut -b17-96 | busybox sort | busybox uniq > ECMs.txt
busybox - holds some bash utilities to parse data
od -An -t x1 --width=188 example_tandberg_EE_ECMPID_0x0D1A.ts - output the binary file example_tandberg_EE_ECMPID_0x0D1A.ts to the screen
...-An - do not print address lines
...-t x1 - print in HEX format
...--width=188 - print 188 bytes per line
head -n -1 - drop the last line because it is a text message printed by dvbsnoop that is not part of the ECMs
cut -b17-96 - cut out and print only the selected characters
sort - sort all lines
uniq - after sort, ONLY print out lines that are different, eliminating duplicates

At the end we see the following inside our ECMs.txt file
Code:
>type ECMs.txt
80 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc 82 60 95 a9 71 fc dd d1 eb f6
81 70 18 ee 16 00 00 00 03 49 4c 83 9d d7 e0 f9 e7 82 60 95 a9 71 fc dd d1 87 1a
81 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc b5 66 08 ac 0e 39 aa a0 73 63

So we have 3 ECMs that are unique

As you see, in this Part II I have shown you how to get unique ECMs printed in readable Hex format from your TS file. I hope you like it.
 

cayoenrique

Lab004 Part III

In Lab003 we learned how to get ECMs in readable format.

Let's start by looking at what the original 188-byte TS looks like for 1 ECM
474D1A1A00817018EE1600000003494C839DD7E0F9E7826095A971FCDDD1871AFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

474D1A1A - TS Header
00 - I am not sure, but @Me2019H and I seem to believe this 00 means that the payload has no PES encapsulation
817018EE1600000003494C839DD7E0F9E7826095A971FCDDD1871A - This is the ECM

Let's try to describe the contents of each ECM section.
Code:
80 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc 82 60 95 a9 71 fc dd d1 eb f6

For this we can use oetsdec/oscamfiles/module-emulator-director.c

Code:
Position	Name				Value					Description
00			Table ID 			80 					means 80 EVEN ECM, 81 means ODD ECM
01.04..07	Private Indicator	7
01:00..03 											**see below as this 4 bits are part of ecmLen
02			ecmLen				018					means ECM payload length = 0x18 = 24  bytes
03			nanoType			EE					Tandberg ECM type
04			nanoLength			16					Section length = 0x16 = 22 bytes
05-26		nanoData
05-06		??					0000				??
07-08		entitlementId		0003				entitlementId is used to select what ECM Key should be used
09-17		dw+8				aa22aac1aec51ddc	Encrypted CSA EVEN Key
18-24		dw					826095a971fcddd1	Encrypted CSA ODD Key
25-26 		payloadChecksum		ebf6				checksum

Finally, to decrypt the Encrypted CSA EVEN Key or the Encrypted CSA ODD Key we use DES decrypt
 

cayoenrique

I believe I made a mistake in the table: the odd and even positions are swapped.

Code:
Position	Name				Value					Description
00			Table ID 			80 					means 80 EVEN ECM, 81 means ODD ECM
01.04..07	Private Indicator	7
01:00..03 											**see below as this 4 bits are part of ecmLen
02			ecmLen				018					means ECM payload length = 0x18 = 24  bytes
03			nanoType			EE					Tandberg ECM type
04			nanoLength			16					Section length = 0x16 = 22 bytes
05-26		nanoData
05-06		??					0000				??
07-08		entitlementId		0003				entitlementId is used to select what ECM Key should be used
09-17		dw+8				aa22aac1aec51ddc	Encrypted CSA ODD Key
18-24		dw					826095a971fcddd1	Encrypted CSA Even Key
25-26 		payloadChecksum		ebf6				checksum
 

cayoenrique

Ok, this is not really part of the LAB. But previous versions of oetsdec were showing the even and odd keys wrongly swapped. So for correctness I have to make a little change to oetsdec. This one will correctly label ODD vs Even CSA Keys

Download and save to C:\Apps\Home\cryptodir\Labs\004 as we are going to replace existing binary

oetsdec_035W.zip (196.95 KB)
Code:
https://workupload.com/file/P3VXBYzyZwD
as always pass:www.sat-universe.com

Let's extract and copy the files
Code:
> 7z -pwww.sat-universe.com x oetsdec_035W.zip
> del C:\Apps\home\bin\oetsdec.exe
> copy oetsdec_035W\oetsdec.exe C:\Apps\home\bin\
> rmdir /s /q oetsdec_035W
> move oetsdec_035W.zip C:\Apps\home\zipfiles

Now we can re-do
Code:
> oetsdec.exe example_tandberg_EE.ts 465 out.ts
> type log.txt 
oetsdec - oscam emu ts decrypt v0.35 by Enrique
  Build up from sources of Osemu and Oscam-Emu patch files
  All thanks go to their developers
  No warranties, use at your own risk
***
ecm:
81 70 18 EE 16 00 00 00 03 AA 22 AA C1 AE C5 1D 
DC B5 66 08 AC 0E 39 AA A0 73 63 
nanoType : EE
INFO: Using entitlement id 0003
T 0003 01 33f710

even cw:
8F 8E 4A 67 1C F3 97 A6 
odd cw:
1E E4 4F 51 05 69 CD 3B 

See you guys tomorrow with the continuation of how to brute force the ECM key. ;)
 

K2TSET

Here is an FPGA version for many cores in parallel; I have not tried it myself but it looks pretty well documented
https://github.com/aletempiac/DES-cracker
I did try to use this code on a different, relatively small FPGA and had to do some modifications to get it to work on the board I had here
I managed to get 8 x DES cores in 1 chip running @ 400 MHz = 3.2 Gkeys/s, so a complete range would be about 260 days on 1 chip.

I did try these test data:
Code:
Plaintext:
000001F85D8A7F01
Ciphertext:
3643CDE63F679D20
Found Key:
7ACC40D5BC8980 = 56 bit  
7A67101A5BE52601 =64 bit

Plaintext:
0000000000000003
Ciphertext:
8F 95 2F E8 CE 85 B5 16
Found Key:
00 00 00 01 00 00 00 = 56 bit
Both worked fine

To be useful for any purpose the code has to be optimized to not just be 8x separate cores but to use anything they might have in common to reduce the logic needed, so a chip can have more cores and potentially a higher Fmax.
Sure more chips will decrease the BF time.

I will not do anything further on this for now
 

cayoenrique

K2TSET

I have no knowledge of, nor have I studied, that code. Yes, completely idiot. Now it is interesting. As I said, an extra byte = 256 times more. And if you crack a CSA key in about a DAY on average, then DES is 256 times slower, which gives you, in someone else's experiment, about those 260 days.

HEHEHEHE.

Now do not feel too bad, here is the secret told in colibri's thread https://www.sat-universe.com/index....erg-no-keys-allowed-in-chat-section-s.295303/

That somehow all Tandb3rg ECM keys end up having ##############01, the last 7 bits fixed to 0. This means a Tandb3rg full search for the ECM DES key is 128 times faster. So in the end it should come out that Tandb3rg ECM brute force is just twice the time for a CSA key!! Or about 2 days. So it is reachable. ;) Just as Dale used to do it in the past.
 

Me2019H

Lab004 Part II
80 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc 82 60 95 a9 71 fc dd d1 eb f6
81 70 18 ee 16 00 00 00 03 49 4c 83 9d d7 e0 f9 e7 82 60 95 a9 71 fc dd d1 87 1a
81 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc b5 66 08 ac 0e 39 aa a0 73 63
80 70 18
81 70 18
81 70 18

Always 18, in decimal = 24. I think that means there are 24 bytes encrypted
 

cayoenrique

I got an eye exam that has blinded me for some time. So I have not been able to continue. But instead I am lucky that I am having some chit-chat with my friends. This feels like a classroom.

@Me2019H YESSSS. It makes me happy that you are putting in some effort.

But I guess you have not realized that the info is all in the last table.
Now for learning, better than the table are the sources from oetsdec_035W.zip. Go into:

oetsdec\oscamfiles\module-emulator-director.c:67
int8_t director_ecm(uint8_t *ecm, uint8_t *dw)
{
uint8_t nanoType, nanoLength;
uint8_t *nanoData;
uint32_t pos = 3;
uint32_t entitlementId;
uint32_t ks[32];
uint8_t ecmKey[8];
uint16_t ecmLen = SCT_LEN(ecm);


This is defined at oetsdec\oscamfiles\subs_from_oscam.h:186
Code:
#define SCT_LEN(sct) (3+((sct[1]&0x0f)<<8)+sct[2])

SCT_LEN stands for SeCTion LENgth.
Ignore the 3. 3 is added by Oscam just to use this number to print the whole ECM from start to finish. Again ignore that 3.

Let's look again at how it starts.

80 70 18 ee 16

For all ECMs you are going to see this structure, more or less

Code:
Position	Name				Value					Description
00			Table ID 			80 					means 80 EVEN ECM, 81 means ODD ECM
01.04..07	Private Indicator	7
01:00..03 											**see below as this 4 bits are part of ecmLen
02			ecmLen				018					means ECM payload length = 0x18 = 24  bytes
03			nanoType			EE					Tandb3rg ECM type
04			nanoLength			16					Section length = 0x16 = 22 bytes
80 : Table ID = 80 means 80 EVEN ECM, 81 means ODD ECM
7#: Private Indicator 7 (Note: these are 4 bits that can be set by the provider, so expect this number to change)
0 18 : Means there are 0x018 bytes that follow as part of this section ( ecmLen )
ee : Nano Type, this means Tandb3rg ECM type EE is to follow in this (nano) subsection
16 : subsection length - Means there are 0x16 bytes that follow as part of this subsection ( nanoLength )

And you can see its meaning inside Oscam
oetsdec\oscamfiles\module-emulator-director.c:86
Code:
        nanoType = ecm[pos];
        nanoLength = ecm[pos + 1];

where pos = 3;

SO000ooooo, what is my point in all this? To prove to you ALL that you can find MOST if not ALL the answers inside the Oscam sources. BIG THANKS to all the people that work on that project.
 

Me2019H

Now let's use colibri's CSA RBT to get crypt8. My results show
Code:
9A E1 DC 0F 63 46 2D 53  #[O] PID:08B4h
13 48 57 0B 6A E5 8B E3  #[E] PID:08B4h
00 7D 10 7D 6D 73 94 AB  #[O] PID:08B4h

Sorry, but how did you use colibri's CSA RBT to get crypt8?
 

cayoenrique

So you have no CSA RBT experience yet. This is in fact easy once you have it working. But for a newbie this can be confusing at the same time.
I have not seen a good tutorial. I guess there may have been some in the past, but lost as it is so old.

CSA RBT is at:
Code:
http://colibri.bplaced.net/csa_rainbow_table.htm

For a newbie, I strongly suggest not trying CSA-Rainbow-Table-Tool Rv2; this was colibri's effort to force people to share tables. But it will cause you a headache.
Notice the name seems similar, Rv2 vs old V2? Weird, no?

As a note: when my good AMD GPU was working I did prefer V.1.23 with a small table, just to have the basics. But as you are now like me, with no good GPU, then the best will be v2.05.

I guess the best option for us now is to use V2.
Code:
http://colibri.bplaced.net/CSA-Rainbow-Table-Tool_20141225_package.zip

To search you do not need the RBT tables, which are over 1.5 TB. But you need, I believe, the MS VC2012 Redistributable

Extract CSA-Rainbow-Table-Tool_20141225_package.zip Then Extract CSA-Rainbow-Table-Tool_V2.05.zip You end up with CSA-Rainbow-Table-Tool.exe
Execute CSA-Rainbow-Table-Tool.exe

You will see:
CSARBT2-05.png

Click on C8 Crypt8. Then Browse to your file C:\Apps\home\cryptodir\Labs\004\example_tandberg_EE.ts
You can leave all other fields clear. Then Hit [START]
CSARBT2-05result.png


If you are interested in the tables and you have an 8TB disk for storage, then the tables were uploaded by orangebirds to his cloud at:
Code:
https://csar.birds.web.id/

I guess for this test you need B8hxFFh. Be clear that you may need the 1.5T; notice that this is just for FF and you need at least B8hx00h also!!
Code:
https://csar.birds.web.id/v2/CSA_B8hxFFh/

Now, you do not have that luxury. Then SU is your friend. You can request crypt8 here: Post Crypt8's here inc. Sat & Freq. [Request Or Post] PLEASE DO NOT POST BISS KEYS HERE POST KEYS IN BISS KEY SECTION/PM
 

Me2019H

you have no CSA RBT experience yet. This is in fact easy once you have it working. But for a newbie this can be confusing at the same time.
I have not seen a good tutorial. I guess there may have been some in the past, but lost as it is so old.

But Colibri.DVB is a member of this forum. Why doesn't he explain it for the newbies,
and why didn't he help you with the GPGPU using OpenCL project?


If you are interested in the tables and you have an 8TB disk for storage, then the tables were uploaded by orangebirds to his cloud at:

Why do we need tables!! Is there another way?
 

cayoenrique

1st of all, I have ONLY BIG THANKS for master colibri. Without his help we would have no understanding of PowerVu or Tandb3rg.

In the past he took time to explain it all. So he is one of the GOOD ones.

Helping others is a risky game. What we do by teaching is on the borderline between what is lawful or not. Well, studying crypt, or even testing for faults, should be allowed in all parts of the world. But using crypt knowledge to watch Digital Rights Management (DRM) in media is unlawful in most countries. In America there are heavy fines for doing this.

Now, setting colibri apart, as I said he is one of the good ones. In general people with the knowledge of cryptography are professionals that most likely have a nice university degree. They had to learn the hard way and in general they judge others for not being like them. I, on the other hand, believe that not all people have an opportunity to go to University. But there are smart people that do not have the opportunity of being in University. At least they have the ambition to learn. They just need a little help to get there. Just like you.

Now for some reason I do not understand, many professionals end up meeting on particular forums. There they share between them. But it requires a non-common professional user to take that info from that hidden forum and bring it here where most of us can see it. Now these people show up here but they limit the amount of posts they make. They do not help, not because they are bad, no; it is in their character to reserve their opinions. Now PLEASE do not judge others. You can get judged back and get pushed aside. Just be happy with what we get and always thank others for the help they provide. You will get far if you are this way.

Me2019H said:
Why do we need tables!! Is there another way?

The right question is in fact: What are RBT and why do we use them?

1) But before anything, let's understand the problem.

A CSA key has 48 bits. At the beginning of computers, before GPUs, brute forcing a CSA key took more years than you can live!!!

2) One solution would be to precompute ALL keys for a particular clear value, let's say 00 00 00 00 00 00 00 00, and have a BIG table with all the keys. In that way you ONLY have to look at your table and get the key you need...
Let's see how much memory we need.

Data = 8 bytes long, and the key is 6 bytes long. This means that for each single value you need 14 bytes of storage.
1 TB = 1099511627776 bytes

Let's calculate how many values we need to store, 2^48 = 281474976710656 bytes =

So the total amount of data I need to save for my tables is = 281474976710656 * 14 = 3940649673949184 = 3584 TB.

3584 TB requires a lot of disk. And that calculation was done at the beginning of computers!! So not even the government had that amount of memory space.

Now what we did in the last analysis is called Time Memory Trade Off (TMTO). If we could do it we would have exchanged 100 years of life for a 3584 TB memory table.....

3) What if I can have a table that is somewhat compressed? Now I will trade off some time back decompressing, but my memory is smaller!!! But if the compression ratio is, let's say, 50%, I will still need a 1792 TB memory table

4) Another solution is a Rainbow table.
In this fashion, we compute an encryption of

DATA 0000000000000000 let's say with Key 0000000000000000, and the encrypted is 123456789ABCDEF

Now we can use the last output encryption as the new key for the next value

DATA 0000000000000000 let's say with Key 1234567890A12345, and the encrypted is FDECBA987654321

And we repeat this cycle 0x1000 or 2^12 = 4096 times

This means every time we use a memory we have inside that single storage the knowledge of 4096 values.

So our old 3584 TB memory table / 4096 = 0.875 TB, ahaaaaa, now I can buy a 1 TB disk and fit that table!!!

This is a simplified explanation. There are many other things to consider.

In reverse order, now when you need a key for a crypt8 you need a GPU to compute 0x1000 keys. Remember, the result of an encryption becomes the new key to use. At the end we have 4096 possible end values.
We then proceed to compare our 4096 end values to the ones stored in our RBT tables. If an end value stored in our RBT table equals one of the 4096 we did compute, WALLAAA, most likely our needed key is part of the KNOWLEDGE stored in that string of the RBT end value that matches.

Up to here we have found that one 14-byte entry that is part of our RBT table most likely has the key.
To get our key out of the 14 bytes we then have to recompute the original string for those 14 bytes. Every time we do an encryption we compare its output with the crypt8 we have. If we find that crypt8, then the key previously used for the RBT string is in fact our NEEDED key.

Conclusion: colibri and his helpers took, I guess, around 1 or a few years to put together these tables. Thanks to them, now you do not need 100 years of life; instead you need a nice 8TB SSD disk to have it all at your fingertips.


Reference
Code:
https://en.wikipedia.org/wiki/Space%E2%80%93time_tradeoff
https://en.wikipedia.org/wiki/Rainbow_table
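
The chain idea described in the post above, as an added example that is not part of the original post or of any tool mentioned in the thread. It follows the post's simplified description (each output becomes the next key, no reduction step; a true rainbow table varies the reduction per column). Assumptions: `step()` is a truncated SHA-256 standing in for "encrypt the fixed plaintext", and the 16-bit key space and chain length are constructed toy sizes.

```python
import hashlib

KEY_BYTES = 2          # toy 16-bit key space (constructed for the example)
CHAIN_LEN = 16         # the post uses 0x1000; kept small so this runs instantly
PLAINTEXT = bytes(8)   # the fixed known clear value 00 00 00 00 00 00 00 00


def step(key: int) -> int:
    """Toy one-way step: 'encrypt' PLAINTEXT under key, output is the next key.

    Stand-in only (truncated SHA-256); it is not CSA or DES.
    """
    digest = hashlib.sha256(key.to_bytes(KEY_BYTES, "big") + PLAINTEXT).digest()
    return int.from_bytes(digest[:KEY_BYTES], "big")


def build_table(starts, chain_len=CHAIN_LEN):
    """Store only (end value -> start values); the chain interior is thrown away."""
    table = {}
    for start in starts:
        x = start
        for _ in range(chain_len):
            x = step(x)
        # Chains can merge and share an end value, so keep every start.
        table.setdefault(x, []).append(start)
    return table


def covered_keys(starts, chain_len=CHAIN_LEN):
    """Distinct keys the chains actually pass through (merges make this smaller
    than len(starts) * chain_len, one of the 'other things to consider')."""
    seen = set()
    for start in starts:
        x = start
        for _ in range(chain_len):
            seen.add(x)
            x = step(x)
    return seen


def lookup(table, target, chain_len=CHAIN_LEN):
    """Return a key k with step(k) == target, or None if no chain covers it."""
    x = target
    for _ in range(chain_len):
        # Phase 1: walk forward from the target until we hit a stored end value.
        for start in table.get(x, ()):
            # Phase 2: regenerate that chain from its start and look for the
            # element whose output is the target.
            k = start
            for _ in range(chain_len):
                nxt = step(k)
                if nxt == target:
                    return k
                k = nxt
            # Falling through is a false alarm: the end value matched but the
            # target is not on this chain. Keep searching.
        x = step(x)
    return None


if __name__ == "__main__":
    starts = list(range(0, 4096, 64))          # 64 chains
    table = build_table(starts)
    keys = covered_keys(starts)
    print("stored entries :", sum(len(v) for v in table.values()))
    print("keys covered   :", len(keys), "of", 1 << (8 * KEY_BYTES))
    sample = step(starts[5])
    print("lookup", hex(sample), "->", lookup(table, sample))
```

The storage cost is one entry per chain, while the lookup cost is up to `CHAIN_LEN` steps plus one chain regeneration per matching end value, which is the time-for-memory exchange the post describes.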
 

Me2019H

Now PLEASE do not judge others. You can get judged back and get pushed aside. Just be happy with what we get and always thank others for the help they provide. You will get far if you are this way.

I'm sorry, I didn't mean to judge anyone. I just want everyone to put their hands together to reach a better outcome. I prefer teamwork, that's what I meant.

Helping others is a risky game. What we do by teaching is on the borderline between what is lawful or not. Well, studying crypt, or even testing for faults, should be allowed in all parts of the world. But using crypt knowledge to watch Digital Rights Management (DRM) in media is unlawful in most countries. In America there are heavy fines for doing this.

But master colibri is trying to decrypt Tandb3rg
 

cayoenrique

Lab004 Part IV

IMPORTANT NOTICE:
I need to clarify something.
For most programs, when we see a key labeled 00 we say it is Even. But if we see a single 1 like in 01 it is ODD.
I decided wrongly, without knowing, to use Modysat as a reference. Boy, I made a mistake. Modysat in fact has the keys swapped. I wrongly assumed that Modysat was correct and I decided to change my programs and swap the keys. BOYyyy! I was wrong. It turns out my programs were right. So I am so sorry for the confusion. I will have to resubmit the oetsdec_035W program to return the key values to the correct positions.

Now this can serve as a Special LAB: finding out what key is required to decrypt a stream.

Since I assume this is for newbies, let me explain how the Video decoding process works. The process needs to guarantee that you will be able to extract a new key from the ECM before the encrypted data requiring that particular key shows up.
The process is divided in two. They call it Even and ODD. So at any given time you have 2 keys, one ODD and one Even. One will be the current one to be used, the other will be the NEXT to be used.

Let's look again at colibri's TS Header Chart

skInDJt.png


If the TSC = 00, Audio is not encrypted.
1st bit means encrypted or NOT.
0 Where 0 means not encrypted

2nd bit means what type of encryption, if 1st bit = 1
10 Even Encrypted
11 ODD Encrypted

So to repeat, the second bit in TSC tells us if it is Even or ODD

0 Even Encrypted
1 ODD Encrypted

PLEASE SEE THE POINT. Your Video PID uses these bits in the header to tell a program if it is encrypted and with what key (even/odd). We are going to use this protocol to determine when it is Even or ODD.

Let's use a TS that produces a crypt8. In this way you get the whole picture. Let's look again at the CSA RBT results.
Code:
9A E1 DC 0F 63 46 2D 53  #[O] PID:08B4h ==> 38 5F 62 F9 4F CA BC D5
13 48 57 0B 6A E5 8B E3  #[E] PID:08B4h ==> 1E E4 4F 51 05 69 CD 3B 
00 7D 10 7D 6D 73 94 AB  #[O] PID:08B4h ==> 8F 8E 4A 67 1C F3 97 A6

In the next LAB we are going to see what this crypt8 9A E1 DC 0F 63 46 2D 53 is and how to find it.
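
The header fields discussed in Parts III and IV, and the 12-bit length that SCT_LEN reads, decoded in code. This is an added example, not part of the original posts or of oetsdec/Oscam; the function names are illustrative, and the sample packets are the byte prefixes quoted in the thread with constructed padding. Per ISO/IEC 13818-1, when payload_unit_start_indicator is set on a packet carrying sections, the first payload byte is the pointer_field, which the parser uses to locate the section.

```python
from typing import Optional

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47

# transport_scrambling_control (TSC) values under the DVB convention used in the thread
TSC_MEANING = {
    0b00: "not scrambled",
    0b01: "reserved",
    0b10: "scrambled with even key",
    0b11: "scrambled with odd key",
}


def parse_ts_header(packet: bytes) -> dict:
    """Decode the 4-byte transport stream header of one 188-byte packet."""
    if len(packet) != TS_PACKET_SIZE:
        raise ValueError(f"expected {TS_PACKET_SIZE} bytes, got {len(packet)}")
    if packet[0] != SYNC_BYTE:
        raise ValueError("lost sync: first byte is not 0x47")
    b1, b2, b3 = packet[1], packet[2], packet[3]
    return {
        "transport_error": bool(b1 & 0x80),
        "payload_unit_start": bool(b1 & 0x40),
        "pid": ((b1 & 0x1F) << 8) | b2,          # 13-bit PID
        "tsc": (b3 >> 6) & 0x03,                 # top two bits of byte 3
        "adaptation_field_control": (b3 >> 4) & 0x03,
        "continuity_counter": b3 & 0x0F,
    }


def payload_offset(packet: bytes, header: dict) -> Optional[int]:
    """Offset of the first payload byte, or None if the packet has no payload."""
    afc = header["adaptation_field_control"]
    if afc == 0b01:                              # payload only
        return 4
    if afc == 0b11:                              # adaptation field, then payload
        offset = 5 + packet[4]                   # packet[4] = adaptation_field_length
        return offset if offset < TS_PACKET_SIZE else None
    return None                                  # 00 reserved, 10 adaptation only


def parse_section_start(packet: bytes) -> dict:
    """Locate a section that starts in this packet and read its 3-byte header."""
    header = parse_ts_header(packet)
    offset = payload_offset(packet, header)
    if offset is None or not header["payload_unit_start"]:
        raise ValueError("no section starts in this packet")
    start = offset + 1 + packet[offset]          # skip pointer_field and what it skips
    if start + 3 > TS_PACKET_SIZE:
        raise ValueError("section header runs past the packet")
    # Same 12 bits SCT_LEN reads: low nibble of byte 1, then byte 2.
    section_length = ((packet[start + 1] & 0x0F) << 8) | packet[start + 2]
    end = start + 3 + section_length
    return {
        "pid": header["pid"],
        "pointer_field": packet[offset],
        "table_id": packet[start],
        "section_length": section_length,
        "complete": end <= TS_PACKET_SIZE,       # False if it continues in later packets
        "section": packet[start:min(end, TS_PACKET_SIZE)],
    }


# ECM packet from Part III (FF stuffing as shown there).
ECM_PACKET = bytes.fromhex(
    "474D1A1A00" "817018EE1600000003494C839DD7E0F9E7826095A971FCDDD1871A"
).ljust(TS_PACKET_SIZE, b"\xff")
# First 12 bytes of a video packet from Part V; the zero padding is constructed.
VIDEO_PACKET = bytes.fromhex("4708b4d79ae1dc0f63462d53").ljust(TS_PACKET_SIZE, b"\x00")

if __name__ == "__main__":
    for name, pkt in (("ECM", ECM_PACKET), ("video", VIDEO_PACKET)):
        h = parse_ts_header(pkt)
        print(f"{name}: PID=0x{h['pid']:04X} TSC={h['tsc']:02b} ({TSC_MEANING[h['tsc']]})")
    s = parse_section_start(ECM_PACKET)
    print(f"table_id=0x{s['table_id']:02X} section_length={s['section_length']} "
          f"total={len(s['section'])} bytes")
```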
 

cayoenrique

Lab004 Part V

In this Lab we are going to see what Crypt8 are and how to find them
9A E1 DC 0F 63 46 2D 53 #[O] PID:08B4h ==> 38 5F 62 F9 4F CA BC D5
13 48 57 0B 6A E5 8B E3 #[E] PID:08B4h ==> 1E E4 4F 51 05 69 CD 3B
00 7D 10 7D 6D 73 94 AB #[O] PID:08B4h ==> 8F 8E 4A 67 1C F3 97 A6

CSA RBT told us that crypt8 9A E1 DC 0F 63 46 2D 53 belongs to an [O] encryption and that it belongs to PID:08B4h

Let's first get this PID separated into a single file.


[WINKEY]+R CMD [ENTER]
Code:
> cd C:\Apps\Home\cryptodir\Labs\004
> busybox sh -c "dvbsnoop -if example_tandberg_EE.ts -s ts -b 0x08B4 > example_tandberg_EE_VPID_0x08B4.ts"
> dir example_tandberg_EE* 
Volume in drive C has no label.
Volume Serial Number is 0000-0000

Directory of C:\Apps\Home\cryptodir\Labs\004

10/28/2023   2:09 AM     2,371,620  example_tandberg_EE_decrypted.ts
10/25/2023   4:20 PM             0  example_tandberg_EE_ECMPID
10/25/2023   4:24 PM         9,929  example_tandberg_EE_ECMPID_0x0D1A.ts
10/28/2023   2:40 PM     3,324,933  example_tandberg_EE_VPID_0x08B4.ts
10/25/2023  11:47 AM           330  example_tandberg_EE.csv
10/28/2023   2:18 AM            54  example_tandberg_EE.cwl
10/25/2023   9:53 PM            86  example_tandberg_EE.cwl_000
10/28/2023   2:00 AM           113  example_tandberg_EE.cwl.001
 7/27/2016   9:06 PM     3,687,808  example_tandberg_EE.ts
10/25/2023  11:47 AM         3,899  example_tandberg_EE.xml
      10 files                9,398,772 bytes
       0 directories      4,774,830,080 bytes free


C:\Apps\Home\cryptodir\Labs\004>

So as you can see, it is as big as the original Channel record. Yes, Video has 3.2 MB of the total 3.5 MB. It is nice to know Video consumes most of the bandwidth.

Now I would like to have the binary data in hex so that I can inspect it and see what crypt8 9A E1 DC 0F 63 46 2D 53 is all about.
Let's do it again to have a smaller file. Let's limit lines to 1000; we should end up with 165KB. And finally store it in ASCII so that we can inspect it.

Code:
> del example_tandberg_EE_VPID_0x08B4.ts
> busybox sh -c "dvbsnoop -if example_tandberg_EE.ts -s ts -n 1000 -b 0x08B4 > example_tandberg_EE_VPID_0x08B4.ts"
> busybox od -An -t x1 --width=188 example_tandberg_EE_VPID_0x08B4.ts > VPID_0x08B4_1000lines.txt

Now this is weird: we asked for a file called VPID_0x08B4_1000lines.txt with 1000 TS lines of 188 bytes each. Let's see how many we got. For this we use busybox wc -l, which means: use the word count command but give me the number of lines instead.

Code:
> type VPID_0x08B4_1000lines.txt | busybox wc -l
896

Do not ask me why!! 896 lines are fine for me.

Now let's find uniq and then count lines, ignoring the 1st 4 bytes of header. This will tell us if there are repeated lines.

Code:
C:\Apps\Home\cryptodir\Labs\004>type VPID_0x08B4_1000lines.txt | busybox uniq -f 4 | busybox wc -l
734

Ahaaaaa!!! After sorting and printing unique we get fewer lines. That means 896 - 734 = 162 TS lines that repeat.

Now let's see a few lines that repeat and print the first 3.
>type VPID_0x08B4_1000lines.txt | busybox uniq -f 4 -d | busybox head -n 3
47 08 b4 d7 9a e1 dc 0f 63 46 2d 53 d0 e1 26 73 e3 c9 36 cd f6 a5 94 ed 76 48 a4 a2 e8 f8 e8 a4 39 0d f1 19 4d 63 6c dc d9 15 24 ed f2 a5 9b 62 ed b7 01 f1 3f c3 e5 ba d1 23 2c 59 83 99 92 70 61 b2 fe 94 c5 7c df cb 69 12 d8 bb 5f cc 2e ca d4 e1 7e 5a 8d a3 a7 e2 21 62 7e d0 0c e5 b1 a1 6d 97 27 3b 43 f4 67 79 39 c0 c5 db 84 9f b2 44 5e 49 64 44 0b 0c 56 ab c4 7a 9a 6c f9 95 5d 80 84 6f 98 bd bc a3 a0 44 f3 c9 48 23 04 89 f7 80 3d e6 d5 d9 fc d2 5e d5 dc 90 62 fc 5b 01 3b 61 33 6f 39 aa 86 31 ad 50 70 39 a5 c9 5f c8 f0 b4 4d ac 16 32 5a fb 6d 58 ea 17 2e 13

47 08 b4 d0 9a e1 dc 0f 63 46 2d 53 d0 e1 26 73 e3 c9 36 cd f6 a5 94 ed 76 48 a4 a2 e8 f8 e8 a4 39 0d f1 19 4d 63 6c dc d9 15 24 ed f2 a5 9b 62 ed b7 01 f1 3f c3 e5 ba d1 23 2c 59 83 99 92 70 61 b2 fe 94 c5 7c df cb 69 12 d8 bb 5f cc 2e ca d4 e1 7e 5a 8d a3 a7 e2 21 62 7e d0 0c e5 b1 a1 6d 97 27 3b 43 f4 67 79 39 c0 c5 db 84 9f b2 44 5e 49 64 44 0b 0c 56 ab c4 7a 9a 6c f9 95 5d 80 84 6f 98 bd bc a3 a0 44 f3 c9 48 23 04 89 f7 80 3d e6 d5 d9 fc d2 5e d5 dc 90 62 fc 5b 01 3b 61 33 6f 39 aa 86 31 ad 50 70 39 a5 c9 5f c8 f0 b4 4d ac 16 32 5a fb 6d 58 ea 17 2e 13

47 08 b4 d7 9a e1 dc 0f 63 46 2d 53 d0 e1 26 73 e3 c9 36 cd f6 a5 94 ed 76 48 a4 a2 e8 f8 e8 a4 39 0d f1 19 4d 63 6c dc d9 15 24 ed f2 a5 9b 62 ed b7 01 f1 3f c3 e5 ba d1 23 2c 59 83 99 92 70 61 b2 fe 94 c5 7c df cb 69 12 d8 bb 5f cc 2e ca d4 e1 7e 5a 8d a3 a7 e2 21 62 7e d0 0c e5 b1 a1 6d 97 27 3b 43 f4 67 79 39 c0 c5 db 84 9f b2 44 5e 49 64 44 0b 0c 56 ab c4 7a 9a 6c f9 95 5d 80 84 6f 98 bd bc a3 a0 44 f3 c9 48 23 04 89 f7 80 3d e6 d5 d9 fc d2 5e d5 dc 90 62 fc 5b 01 3b 61 33 6f 39 aa 86 31 ad 50 70 39 a5 c9 5f c8 f0 b4 4d ac 16 32 5a fb 6d 58 ea 17 2e 13

Boy, congrats, you are getting good with this.

As expected, the 4th byte, which is part of the TS header, is the one that changes. Why? Because it is a counter from 0x#0 to 0x#F.

Now let's see what the crypt8 is. A crypt8 is represented by a line that repeats encrypted, and a crypt8 is in fact just the first 8 bytes. So let's print only one repeated TS line and show ONLY the first 8 bytes.


> type VPID_0x08B4_1000lines.txt | busybox uniq -f 4 -d | busybox head -n 1 | busybox cut -c14-37
9a e1 dc 0f 63 46 2d 53

So as you see, we have captured our first crypt8 without the use of CSA RBT, just by using bash commands. Don't you want to learn to use them?

And it just happens to be the same as the one captured by CSA RBT
9A E1 DC 0F 63 46 2D 53 #[O] PID:08B4h ==> 38 5F 62 F9 4F CA BC D5

Now CSA RBT claims that it requires an [O] ODD key

Let's look at the TS header 47 08 b4 d7 9a e1 dc 0f 63 46 2d 53
47 08 b4 d7
Where
47 is Sync
08 b4 is PID
d This is what we are going to look at
7 Counter

Hex number d, transforming the byte into bits, is
1101

Remember colibris TS Header Chart
10 Even Encrypted
11 ODD Encrypted

So our 1101 means that it is in fact an [O] ODD CSA encrypted key.
And CSA RBT Search told us that we are going to need a CSA Key ==> 38 5F 62 F9 4F CA BC D5
to decrypt 9a e1 dc 0f 63 46 2d 53 into 0xFFFFFFFFFFFFFFFF
 
Last edited:
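The header fields read by hand in the post above, decoded in code. This is an added example, not part of the original post or of CSA RBT; the layout is the standard MPEG-TS header, the function names are assumptions, and the sample holds the first 12 bytes of the post's repeated packets plus one constructed packet.

```python
from collections import Counter

# First 12 bytes of the three repeated packets shown in the post
# (4-byte header + first 8 payload bytes); the last line is constructed.
SAMPLE = """\
47 08 b4 d7 9a e1 dc 0f 63 46 2d 53
47 08 b4 d0 9a e1 dc 0f 63 46 2d 53
47 08 b4 d7 9a e1 dc 0f 63 46 2d 53
47 08 b4 91 01 02 03 04 05 06 07 08
"""

SCRAMBLING = {0: "clear", 1: "reserved", 2: "even", 3: "odd"}

def parse_ts_header(packet: bytes) -> dict:
    """Decode the 4-byte MPEG-TS packet header."""
    if len(packet) < 4 or packet[0] != 0x47:
        raise ValueError("not a TS packet: missing 0x47 sync byte")
    return {
        "pid": ((packet[1] & 0x1F) << 8) | packet[2],      # 13 bits
        "payload_unit_start": bool(packet[1] & 0x40),
        "scrambling": SCRAMBLING[packet[3] >> 6],          # top 2 bits of byte 4
        "adaptation_field_control": (packet[3] >> 4) & 0x3,
        "continuity_counter": packet[3] & 0x0F,            # low nibble
    }

def repeated_payloads(hex_dump: str, pid: int) -> Counter:
    """Count scrambled payloads on `pid` seen more than once, header ignored."""
    seen = Counter()
    for line in hex_dump.splitlines():
        if not line.strip():
            continue
        packet = bytes.fromhex(line)
        h = parse_ts_header(packet)
        # Only payload-only packets (adaptation_field_control == 1) start
        # their payload right after the 4-byte header.
        if h["pid"] == pid and h["scrambling"] in ("even", "odd") \
                and h["adaptation_field_control"] == 1:
            seen[(h["scrambling"], packet[4:])] += 1
    return Counter({k: n for k, n in seen.items() if n > 1})
```

For byte `d7` the upper nibble `1101` splits into scrambling control `11` (odd) and adaptation field control `01` (payload only). Unlike `uniq -d`, the counter finds repeats anywhere in the dump, not only on adjacent lines.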

cayoenrique

Member
Messages
475
Lab004 Part VI continued

1) Now let's go back to the ECMs. We took one ECM as a sample.
80 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc 82 60 95 a9 71 fc dd d1 eb f6

The corrected parsed table looks like this:

Code:
Position    Name               Value             Description
00          Table ID           80                80 means EVEN ECM, 81 means ODD ECM
01.04..07   Private Indicator  7
01:00..03                                        **see below, as these 4 bits are part of ecmLen
02          ecmLen             018               means ECM payload length = 0x18 = 24 bytes
03          nanoType           EE                Tandberg ECM type
04          nanoLength         16                Section length = 0x16 = 22 bytes
05-26       nanoData
05-06       ??                 0000              ??
07-08       entitlementId      0003              entitlementId is used to select what ECM Key should be used
09-17       dw+8               aa22aac1aec51ddc  Encrypted CSA EVEN Key
18-24       dw                 826095a971fcddd1  Encrypted CSA ODD Key
25-26       payloadChecksum    ebf6              checksum

As you see, we find ourselves with 2 encrypted keys:
aa22aac1aec51ddc - Encrypted CSA ODD Key
826095a971fcddd1 - Encrypted CSA Even Key

Now, when I say CSA it is because once decrypted the clear bytes are to be used to decrypt CSA Video or Audio.

BUTTTT!!! VERY IMPORTANT: these 8 bytes inside the ECM are encrypted using DES. So to decrypt these 8 bytes we need to use DES.

2) We learned that our test file C:\Apps\Home\cryptodir\Labs\004\example_tandberg_EE.ts has 3 different or unique ECMs. Do not be confused about how many there are, as each ECM may be repeated 20 or 30 times.
Code:
>type ECMs.txt
80 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc 82 60 95 a9 71 fc dd d1 eb f6
81 70 18 ee 16 00 00 00 03 49 4c 83 9d d7 e0 f9 e7 82 60 95 a9 71 fc dd d1 87 1a
81 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc b5 66 08 ac 0e 39 aa a0 73 63

IMPORTANT: ECMs.txt has the ECMs out of order. Why? Because in order to get only the unique ones we sorted first. Getting them back in the correct order is easy. I will show you.
You know that there are always 2 keys. When the ECM starts with 80 the next key will be Even; when it is 81 the next key will be Odd.

80 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc 82 60 95 a9 71 fc dd d1 eb f6
81 70 18 ee 16 00 00 00 03 49 4c 83 9d d7 e0 f9 e7 82 60 95 a9 71 fc dd d1 87 1a
81 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc b5 66 08 ac 0e 39 aa a0 73 63

At first look you know 80 has to be between the two 81s. Why? Because they go in an alternating sequence.

81 70 18 ee 16 00 00 00 03 49 4c 83 9d d7 e0 f9 e7 82 60 95 a9 71 fc dd d1 87 1a
80 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc 82 60 95 a9 71 fc dd d1 eb f6
81 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc b5 66 08 ac 0e 39 aa a0 73 63

Can you see the sequence? Now it seems correct. If we had more we could easily find out by trying to continue the sequence.
The first 81 is saying the next key is ODD (82 60 95 a9 71 fc dd d1). So in the next ECM, 80, the Current Key should be the last ODD repeated (82 60 95 a9 71 fc dd d1). And yes, it is.
Then, as a whole, 80 is saying the next key is Even (aa 22 aa c1 ae c5 1d dc) and, as we said, the key that repeats (Current Key) is the ODD (82 60 95 a9 71 fc dd d1).

And then the sequence repeats over and over. Uff! That in fact was not that hard. Don't you think?

Now let's try to brute-force ECM 81; the new future encrypted key is (82 60 95 a9 71 fc dd d1).

From CSA RBT we got
Code:
9A E1 DC 0F 63 46 2D 53  #[O] PID:08B4h ==> 38 5F 62 F9 4F CA BC D5
13 48 57 0B 6A E5 8B E3  #[E] PID:08B4h ==> 1E E4 4F 51 05 69 CD 3B 
00 7D 10 7D 6D 73 94 AB  #[O] PID:08B4h ==> 8F 8E 4A 67 1C F3 97 A6

Pay attention: this PID:08B4h is the Video stream in H.264.
PLEASE notice that the first and last lines have [O]. This means encryption is ODD.
The one in the middle has [E]. This means encryption is EVEN.

So the first one says that key 38 5F 62 F9 4F CA BC D5 should be ODD.

38 5F 62 F9 4F CA BC D5 represents the CSA Key required to encrypt FFFFFFFFFFFFFFFF into crypt8 9A E1 DC 0F 63 46 2D 53

We decided to use the first ECM 81. So we will then assume that encrypted (82 60 95 a9 71 fc dd d1) will decrypt into 38 5F 62 F9 4F CA BC D5
This will be the DES pair we need to brute-force the ECM key we are required to find. We will then put this inside OCLDes.cfg

PES1:826095A971FCDDD1385F62984FCABCD5
DECTYPE:2 # ECB Tandberg - Type EE
STARTKEY:0052C12900000000

I know, why PES1? To have one single program with minimal changes, I have been forced to put the Crypt/Clear pair in and label it PES1. Yes, it is not a PES but in fact represents a KEY value.
And to select Tandberg EE FAST decryption we are going to type the following also inside OCLDes.cfg

Finally, if we try to brute-force from 0000000000000000 it will take some time. From the ECM data I see 00 03; this is the entitlementId. It happens that I know that the key is
T 0003 00 52614F2CB05D3801.
So to speed up the finding I will start the search at STARTKEY:0052C12900000000. I know I am cheating...
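The ECM layout and the ordering argument from this post, as an added example that is not the poster's or the OCLDes project's code. It parses the three ECMs from ECMs.txt and rebuilds their broadcast order; which slot holds the newly announced word for 0x80 and 0x81 follows the post's reading and is an assumption, as are all names.

```python
from dataclasses import dataclass

# The three unique ECMs from the post's ECMs.txt, in their sorted order.
ECMS = """\
80 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc 82 60 95 a9 71 fc dd d1 eb f6
81 70 18 ee 16 00 00 00 03 49 4c 83 9d d7 e0 f9 e7 82 60 95 a9 71 fc dd d1 87 1a
81 70 18 ee 16 00 00 00 03 aa 22 aa c1 ae c5 1d dc b5 66 08 ac 0e 39 aa a0 73 63
"""

@dataclass(frozen=True)
class Ecm:
    table_id: int
    entitlement_id: int
    first: bytes     # 8 bytes at offsets 9..16
    second: bytes    # 8 bytes at offsets 17..24
    checksum: bytes

    # Slot roles as the post reads them (assumption): 0x80 announces a new
    # word in the first slot, 0x81 in the second; the other slot is current.
    @property
    def new(self) -> bytes:
        return self.first if self.table_id == 0x80 else self.second
    @property
    def current(self) -> bytes:
        return self.second if self.table_id == 0x80 else self.first

def parse_ecm(raw: bytes) -> Ecm:
    if raw[0] not in (0x80, 0x81):
        raise ValueError("table_id is not 0x80/0x81")
    section_len = ((raw[1] & 0x0F) << 8) | raw[2]   # 12-bit ecmLen
    if len(raw) != 3 + section_len:
        raise ValueError("section length does not match the data")
    if raw[3] != 0xEE or raw[4] != len(raw) - 5:
        raise ValueError("not a type EE nano of the stated length")
    return Ecm(raw[0], int.from_bytes(raw[7:9], "big"),
               raw[9:17], raw[17:25], raw[25:27])

def order_ecms(ecms: list) -> list:
    """Chain ECMs so each one's current word is its predecessor's new word."""
    by_current = {e.current: e for e in ecms}
    announced = {e.new for e in ecms}
    starts = [e for e in ecms if e.current not in announced]
    if len(starts) != 1:
        raise ValueError("no unique start: capture is cyclic or has gaps")
    chain = [starts[0]]
    while chain[-1].new in by_current and len(chain) < len(ecms):
        chain.append(by_current[chain[-1].new])
    return chain
```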