Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

gotya

Moderator
Messages
7,200
Many CWs were found but we didn't see any progress here

Can anyone explain and describe how we use CW keys when there is no x83 in the ts file?


I attached all the CWs keys here


password will be sent by pm for those who are interested

19 CWs were found :thum: by using V1 and V2 ;) from 20 Crypt8

Regards !!!

here http://www.sat-universe.com/showpost.php?p=2036684544&postcount=531

**********************
**********************

intelsat 20
4064 H 19850
CNBC - Tandberg

PID: 550h Crypt8:A8 BB C3 51 B2 F2 60 FE [E] Count:7267
PID: 550h Crypt8:EA E6 F2 46 8E D0 06 8E [E] Count:6673
PID: 550h Crypt8:AD FD F3 E6 A1 F4 CF 1D [O] Count:4747
PID: 550h Crypt8:07 13 73 E7 B6 ED 4C DB [E] Count:4743

all 4 CWs keys were found and sent to your inbox :thum:

please help us and share with us here ;)

Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*
 

dale_para_bajo

Registered
Messages
646
Could you show us in detail how to use these CW keys, when found from the crypt8 you provided, to get the ECM keys? :confused:...

This was how it was explained to me:

yes you are right, and I made a mistake, correct it should be:

if you want to brute force:
(1) brute force the cw with the rainbow table tool (like BISS) -> this gives you the cw
(2) get the EE nano tag from the ecm, that was sent during the brute forced cw period -> this will give you the encrypted cw
(3) you now have cw and (des-)encrypted cw, you can assume that the last byte of the des key is 00. now brute force the des key -> this is the ecm key

I am only trying to follow those instructions to see where I get. I have no program to provide yet or any details. Just gathering info.

So I guess brute force will be a waste of time, a long long period, as there are no shortcuts.


...so far I sent you 4 CWs of these C8...

I received the first PM but not the password for CWs.rar! I guess I need to send you a PM.

I did re-post as requested in: http://www.sat-universe.com/showpost.php?p=2036684734&postcount=20550

But now I see your post =>
I didn't see your help in this Tandberg thread
Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

so no more Tandberg CWs keys from me anymore :mad:

I am a big admirer of all you masters. Yes, I consider you a master. I see your help here. For that I have only thanks.

But you guys have to slow down. What is this "so no more Tandberg CWs keys from me anymore :mad:"

Now I see why the CWs.rar has a password!

Listen, I am a nice unemployed guy that tries to learn. I am not a BOSS or making any sales. At the moment I have NOTHING to provide as I have NOTHING built. I am trying to see what is needed. Many logs from America have been posted that show that poc.exe does not work. So the only solution I see at the moment is to brute force the ECM. So since nobody is doing it I thought I would give it a try.

But you masters have to slow down. Every time I try to join and help in this forum I get pushed and tossed by many of you. I am a nice guy, not a monster trying to take advantage of all of you.

So, if you guys want me to give it a try, send freely the password or the cw. But no more blackmail.
 

gotya

Moderator
Messages
7,200
you understood me wrong

the message in the C8 thread was not for you

it was for gibsondale see here
http://www.sat-universe.com/showpost.php?p=2036684745&postcount=20554
I gave him CW keys and I thought he might share his knowledge with us here, but he just kept it for himself and he is asking for more CWs; that's why I say no more CWs from me.

the password is sent to you dale_para_bajo :thum:

let us hear from you if there is any progress

good luck
 

gotya

Moderator
Messages
7,200
Could anyone explain this in detail? I would appreciate it :)

(2) get the EE nano tag from the ecm, that was sent during the brute forced cw period -> this will give you the encrypted cw
(3) you now have cw and (des-)encrypted cw, you can assume that the last byte of the des key is 00. now brute force the des key -> this is the ecm key
 

xosef1234

Registered
Messages
107
Could anyone explain this in detail? I would appreciate it :)

just take one crypto period,
use CSA-Rainbow tool to search the crypt8 and to get the plain CW,
in this crypto period look for the ECM pid where the 9th byte in this package is EE,
there you can see the encrypted CWs (see also http://www.sat-universe.com/showpost.php?p=2036680987&postcount=15 ),
depending on whether it is the odd or even crypto period the encrypted cw are the first or second 8 bytes,
now you have encrypted cw and plain cw, so you can bruteforce
 

007.4

VIP
Messages
364
now you have encrypted cw and plain cw, so you can bruteforce

This is made simpler as we know the last byte of the ECM Key is 00 however it is complicated as the checksum bytes in the plain CW are manipulated from the DES decrypted CW. Fortunately, one of those CS bytes is the last one so there is only the fourth byte to allow for.
 

kebien

Registered
Messages
1,329
And to clarify the explanation:

Keep in mind you will have multiple "hits" with the key, in case you find one.
The idea is the checksum (the 4th and 8th byte of the ecm key) are sent by the provider at random, meaning you will have FF options (for each of them) to find the correct ecm key.
Knowing the last byte of the key is always 00 makes it a little simpler (if the case applies to every Tandberg channel) to brute force.


007.4
"Fortunately, one of those CS bytes is the last one so there is only the fourth byte to allow for."

Not really, you are confusing the ECM key last byte with the CW last byte.
In our case, you will have to find the correct 8th byte, since the CW is not using 00, but a random number.
(Or maybe not random, but in any case it is not the correct checksum byte.)
You would have 256*2 different hits.


I think there is a case study here regarding these apparently random checksum bytes in the ecm.
Before starting the brute force attack, I would suggest checking the way these bytes are generated.
Maybe a simple xor, or whatever, but finding this value will speed up the brute force attack on the key exponentially.
 

sat45

Registered
Messages
12
@Anubis_Ir

Are there maybe some chances for separate MDAPI plugin like for PowerVu? Not connected to vPlug? That would be awesome ;)
Or maybe combo: BISS+PowerVu+Tandberg - DXer treasure plug? :D :clapping:
 

K2TSET

Registered
Messages
125
This is made simpler as we know the last byte of the ECM Key is 00 however it is complicated as the checksum bytes in the plain CW are manipulated from the DES decrypted CW. Fortunately, one of those CS bytes is the last one so there is only the fourth byte to allow for.

I agree that there will be 256^2 CWs possible due to random bytes in the checksum bytes, but you can surely search for a fit on only 6 bytes of a CW and then check the next CW to see if that fits as well.

I would say, if you look at some of the public ECM keys ending in 00,
like xx xx xx xx xx xx xx 00, it is not because the keys are 64-bit and use 00 as 1 byte, but due to the fact that DES only uses 56-bit keys (the first 7 XX's).

When you go from a 64-bit DES key to a 56-bit key you remove the 1 parity bit in each byte of the key and end up with 56 bits.

If you try to study some of the 00 keys you will see that if there was a parity bit, it's not correct. This makes me believe the 00 keys are a full 2^56 DES key without parity bit = very long time BF

BTW why on earth should anyone use 00 in all their important keys?
 
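Added example, not part of any post in this thread: a Python audit of the 8-byte DES key format K2TSET describes, checking per-byte odd parity, the 64-to-56-bit reduction, and byte positions that never vary across a key set. The sample keys are constructed values and the function names are this example's own.

```python
# Added example: sanity checks on 8-byte DES keys (FIPS 46-3 key format).
# KEYS are constructed sample values, not keys from this thread.
KEYS = [bytes.fromhex(h) for h in
        ("0123456789ABCD00", "1032547698BADC00", "FEDCBA9876543200")]

def has_odd_parity(byte):
    return bin(byte).count("1") % 2 == 1

def parity_errors(key):
    """1-based positions of bytes that violate DES odd parity."""
    if len(key) != 8:
        raise ValueError("a DES key is exactly 8 bytes")
    return [i + 1 for i, b in enumerate(key) if not has_odd_parity(b)]

def effective_56(key):
    """The 56 bits the key schedule uses: the top 7 bits of each byte."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value

def with_parity(key):
    """Same key material with every low bit rewritten to give odd parity."""
    return bytes((b & 0xFE) | int(not has_odd_parity(b & 0xFE)) for b in key)

def constant_positions(keys):
    """Byte positions whose 7 key bits are identical in every key."""
    return [i + 1 for i in range(8) if len({k[i] >> 1 for k in keys}) == 1]

def max_key_bits(keys):
    """Upper bound on key entropy if the constant positions are fixed by policy."""
    return 56 - 7 * len(constant_positions(keys))

if __name__ == "__main__":
    for k in KEYS:
        print(k.hex(), "bad parity at", parity_errors(k), "->", with_parity(k).hex())
    print("constant byte positions:", constant_positions(KEYS))
    print("entropy upper bound:", max_key_bits(KEYS), "bits")
```

A byte of 00 has an even number of set bits, so it can never satisfy DES odd parity; a key-generation policy that pins a whole byte also gives up that byte's 7 key bits, which is what the last function reports.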

007.4

VIP
Messages
364
Hi Kebien

Thank you for your correction. I'm sure both of us know what we mean but make simple errors in writing it down
eg

The idea is the checksum (the 4th and 8th byte of the ecm key)

I'm sure you meant "the 4th and 8th bytes of the CW"
 

lider

Registered
Messages
78
12468 H
DVB-S2/8PSK
MPEG-4 9580 5/6
Turksat 42e channels tandberg is it work or is it hack keys
 

slogger26

Registered
Messages
901
sometimes Tandberg freezing: no regularity in the time intervals between freezing
_http://prntscr.com/bolz3b
 

barney115

Donating Member
Staff member
Administrator
Messages
24,799
sometimes Tandberg freezing: no regularity in the time intervals between freezing
_http://prntscr.com/bolz3b
You need to totally delete your Vplug Plugins folder and replace it with @ Anubis_IR version, which includes V 1.1 of Tandberg Emu Tool.
You are still using the old version, which gives bad checksum and freezes too much :eek:

You need to take the correct updated version from here
=> http://www.sat-universe.com/showpost.php?p=2036683954&postcount=479

Thanks to @ Anubis_IR and @ ViaHussun for uploading fixed files.
If you delete all your Vplug Plugin folder and files first, then
transfer the new Vplug from that link, you will not get any more problems. I thought I had done this already myself, but all Vplug files must be deleted first or it won't work.
The file on the link contains all working Tandberg keys as well, so you have nothing to worry about.
Good luck : ) :thum:
 

kebien

Registered
Messages
1,329
Hi Kebien

Thank you for your correction. I'm sure both of us know what we mean but make simple errors in writing it down
eg



I'm sure you meant "the 4th and 8th bytes of the CW"

That is correct too, my mistake.
Corrections are good in the sense that those trying to apply the theory must start with the correct statements/affirmations; it would be a complete waste of time to start coding based on wrong input.
Good call.
 

dale_para_bajo

Registered
Messages
646
This is the weirdest of all days! I know the US has its 4th of July. But what happened with the rest of the world!

This post was on a rally, now suddenly 0 posts for many hours, or a day!

If I go to new posts only 3 show up!

Even my FireFox decided to act weird and without explanations, as all updates are disabled. It went from ver 29 to version 43. It even shows the Sync symbol working even when I have no account for that!!! So I went back to a backup copy. I am a few steps from not using Windows any more. Now it seems FireFox will be worthless soon too. This is ridiculous, all programs want to do with MY HARDWARE what they want. I wonder who owns my PC. It seems it is not me!

Going back to business. So here I am more lost than before. Many hours of study and still I cannot match a block of encryption with the proposed crypto8 clear text. Without that nothing can be done.

I guess I was too ambitious and went right to a newly recorded transponder just to fail. I need to go to the basics of the colibri sample on page 1, first post. Since we know all about that ts.

So can you guys look at post 49
http://www.sat-universe.com/showpost.php?p=2036681335&postcount=49

That clearly shows that this ts sample has 12 cws
Code:
00 A8 FD 18 BD 70 71 0C ED 
01 80 D1 00 51 ED 92 AD 2C 
00 07 66 AD 1A 97 78 AB BA
01 58 AC 1D 21 82 56 30 08
00 72 01 37 AA 88 16 7F 1D 
01 B4 29 B5 92 6B CE 9D D6
00 E9 69 C1 13 A3 D8 10 8B
01 7C 44 CC 8C 1C 9F 6D 28
00 ED F6 3C 1F 03 CD 5C 2C
01 30 E4 D7 EB 5C D0 E5 11
00 58 E2 72 AC AE CB EF 68
01 86 FA 8D 0D 0A 85 37 C6

I know nothing of crypto8 but by using ver1.3 I get ONLY
Code:
PID: 515h Crypt8:7C 90 54 33 D2 AB 0D 4E  [E] Count:2

PID: 521h Crypt8:B6 10 6E B4 CF 95 F8 9E  [O] Count:99
PID: 521h Crypt8:05 75 45 F3 7A BD 3F F6  [E] Count:90

1) So you see only 3 crypt8 vs 12 cws! Can anyone explain this to me?

2) How am I supposed to match crypt8 vs any one of the 12 known cw?

3) Do the "Count:2,99,90" mean anything?

4) By the way, I would really appreciate the solution of those 3 crypto8. As I said, it is from the colibri ts sample on page 1, post 1.

Thanks ahead.
 

xosef1234

Registered
Messages
107
I know nothing of crypto8 but by using ver1.3 I get ONLY
I guess you mean ver 1.03, but you should use the newest version 1.23.
You will see that there are more than those 3 crypt8. Anyway, as far as I know the tool just shows the 8 crypt8 with highest count which does not mean that there are no further crypt8. At the end, since you do not know which crypt8 belongs to which crypto period it will not help you at all.

So the first step is to extract the first crypto period and check for the corresponding crypt8.
Post this crypt8 and we will continue.
 