Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

JimBizkit

oscam-emu has been updated.
it should work better now.
the problem is/was, that tandberg is only using global emms, and is sending a lot of these.
 

dale_para_bajo

First, I am like you: my signal is poor. I get errors too. But I never saw any 0x83.

...
Maybe there should be a focus on brute forcing the ecm keys; most people have cuda video cards ready to start searching, if a dedicated developer decides to do the leg work.

I had very limited time; the last days I wasted trying to fix a mini bud to 43.1W but failed, only discovery transponder.

Now in another thread I try to ask what is the clear text to be used for ecm brute force. Do you have any idea?

In PVU we used the easy "00". What is to be used here?
 

ViaHussun

40.5 West




record
http://s5.dosya.tc/server2/cdcfnu/40.5W_3923_V_7000.rar.html

for thanks record otokoc :thum:
 

ViaHussun

105 West




record
https://cid-cf57d3d23638226a.users.storage.live.com/downloadfiles/V1/Zip?authKey=!ADz6hQwcxIQ51mQ

for thanks record bigredmachine230 :thum:

log
Code:
poc 1.5
[Emu] info: FFDecsa parallel mode = 32
[Emu] stream found emm_pid: 1F4
[Emu] stream found pmt pid: 109
[Emu] stream found pcr_pid: 205
[Emu] stream found ecm_pid: 7E4
[Emu] stream found video pid: 205
[Emu] stream found audio pid: 28F
[Emu] stream found audio pid: 299
[Emu] stream found audio pid: 2A3
[Emu] got EMM nano tag E0 (EMM_TAG_RECEIVER_ALLOCATION_DESCRIPTOR) for the first time
[Emu] got EMM nano tag E4 (EMM_TAG_SECURITY_TABLE_DESCRIPTOR) for the first time
[Emu] Keys found in EMM: nano E4 ram keys 0 to F
[Emu] Keys found in EMM: nano E4 ram keys 10 to 1F
[Emu] Keys found in EMM: nano E4 ram keys 20 to 2F
 

JimBizkit

if you want to brute force:
(1) brute force the cw with the rainbow table tool (like BISS) -> this gives you the cw
(2) get the E1 nano tag from the 83 table, that was sent during the brute forced cw period -> this will give you the encrypted cw
(3) you now have cw and (des-)encrypted cw, you can assume that the last byte of the des key is 00. now brute force the des key -> this is the ecm key
 

chelo71

BIG THANKS MATE!!!

That's exactly what I've been asking for, it works on Mgcamd on my E2 box, Openpli 4

and it doesn't work in CCcam or OscamEmu as client, only Mgcamd! (at least for me)

I have a dm800 hd with OpenPLi 4, can you tell me how you see it with mgcamd?
 

K2TSET

if you want to brute force:
(1) brute force the cw with the rainbow table tool (like BISS) -> this gives you the cw
(2) get the E1 nano tag from the 83 table, that was sent during the brute forced cw period -> this will give you the encrypted cw
(3) you now have cw and (des-)encrypted cw, you can assume that the last byte of the des key is 00. now brute force the des key -> this is the ecm key

But you should be careful, since the CW from BF does have a correct checksum, which the output of the (des-)encrypted cw might not have :)
So there might be more solutions :confused:
 

JimBizkit

yes you are right, and I made a mistake, correct it should be:

if you want to brute force:
(1) brute force the cw with the rainbow table tool (like BISS) -> this gives you the cw
(2) get the EE nano tag from the ecm, that was sent during the brute forced cw period -> this will give you the encrypted cw
(3) you now have cw and (des-)encrypted cw, you can assume that the last byte of the des key is 00. now brute force the des key -> this is the ecm key
 

kebien

And if they change that ECM key, the assumption is you will see those 0x83 packets start coming in.
 

K2TSET

yes you are right, and I made a mistake, correct it should be:

if you want to brute force:
(1) brute force the cw with the rainbow table tool (like BISS) -> this gives you the cw
(2) get the EE nano tag from the ecm, that was sent during the brute forced cw period -> this will give you the encrypted cw
(3) you now have cw and (des-)encrypted cw, you can assume that the last byte of the des key is 00. now brute force the des key -> this is the ecm key


Hm... not sure

(1) brute force the cw with the rainbow table tool (like BISS) -> this gives you the cw

This is fine, you will get something like "11 22 33 66 44 55 66 FF"

(2) get the EE nano tag from the ecm, that was sent during the brute forced cw period -> this will give you the encrypted cw

Yes, but not with the right checksums. If you BF for the ECM key it might be like 11 22 33 XX 44 55 66 YY; you have no idea what XX and YY would be, and therefore there might be more solutions which fit the BF but are wrong, so you need more CWs to check if the ECM are valid

(3) you now have cw and (des-)encrypted cw, you can assume that the last byte of the des key is 00. now brute force the des key -> this is the ecm key

Are you sure the last bytes always are 00 ?
 

sorrowman

Anyone have freezes on PC as well? Using progdvb to watch, and every so often (it is not periodical) I have a freeze with the error message on vplug "bad checksum"... Is this something normal or a fault of my equipment?
 

dale_para_bajo

Now I do accept and I am grateful for the answer. This is very nice.

But to make it clear, I am a newbie on that tool:

colibri's CSA-Rainbow-Table-Tool comes in two varieties: V1 & V2.

But most important that I know:

1- It is only Cuda, no AMD GPU?
2- It requires download of many gigabytes for the tables?

Am I correct?

That is the part where I am hopeless at the moment. No Cuda, only AMD, and my internet sucks.

Now the process as explained has 3 parts:

1- I can not do it at the moment.
2- Seems simple; I guess it is another printout to be implemented in your wonderful poc.exe program.
3- Is in fact already suggested by colibri: to use the "_www.cryptool.org" offline program or the online version. Plus, last I checked there are a bunch of programs already to brute force DES.

So step 1 is the main objective. Maybe we should open a thread like => Please upload Tandberg EMM/ECM Streams
as we do have for power vu. I guess we need a full TS so that step 1 can be achieved. Now the question is how small?


Oops, I see more posts before mine.

Checksums => "11 22 33 XX 44 55 66 YY"

Is it true or not that those bytes are a defined checksum? Why can we not use the common defined bytes?
 

barney115

Anyone have freezes on PC as well? Using progdvb to watch, and every so often (it is not periodical) I have a freeze with the error message on vplug "bad checksum"... Is this something normal or a fault of my equipment?
I get that as well, maybe a 12-15 sec freeze, then OK, but again more freezes for 12-15 secs; I thought it was just myself :confused:
I'm using ProgDVB and Vplug as well and I see the same "bad checksum" message in the Vplug log.
Strange problem, maybe someone can answer why it is :confused:
 

sorrowman

I get that as well, maybe a 12-15 sec freeze, then OK, but again more freezes for 12-15 secs; I thought it was just myself :confused:
I'm using ProgDVB and Vplug as well and I see the same "bad checksum" message in the Vplug log.
Strange problem, maybe someone can answer why it is :confused:

yours sounds worse than mine
I don't have it very often and it's not periodical... There can be a bad checksum now, then after 10 minutes the next one, then in 1 minute 2 more, then again after 15 minutes etc... It is a bit strange, so if anyone has the answer we will appreciate it :D
 

mrchisholm

yours sounds worse than mine
I don't have it very often and it's not periodical... There can be a bad checksum now, then after 10 minutes the next one, then in 1 minute 2 more, then again after 15 minutes etc... It is a bit strange, so if anyone has the answer we will appreciate it :D

same problem here with dvbdream and vplug :confused:
 

smedias

I got the same problem, and it was not only bad checksum but also bad sector length (20) instead of 22, for example. Freezes were like 2-5 secs, sometimes 30 sec or more. I ran it now for 5 mins and no freezes, but still once(!) a bad checksum message in the log. Running smartdvb and vplug. Maybe it depends on provider attitude.
 

kebien

Dale para abajo
You only need to get the rainbow tool, record the TS, run it through the program, then you post the crypt8 in the appropriate section; somebody will post the CW in minutes.
You do not need to have a cuda setup, unless you want to spend on a cuda video card.
The CW is the least you have to worry about; maybe starting to code for the bruteforce attack makes more sense at this point. You must be familiar with cuda, of course.
 