Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

natedogg20050

Donating Member
Messages
409
@JimBizkit
I think you mean multiple EMM keys. The key index of which EMM key to use is contained in EMM table 83h. You use this key to decrypt the ECM key.
The plain ECM key (only one) is used to decrypt the ECM to give the even and odd CWs.
======
@All
I've now determined the EMM key table for Arena Sports on 39°E and assuming they use the same master EMM key it is totally different to the one obtained from Colibri's log. Furthermore, it appears to change on the fly within the space of a few minutes.

eg
encrypted EMMs for the same EMM key block

Code:
Key index block 1x =    82 70 8A 00 51 17 E3 F0 84 E4 82 FF [B]FD[/B]   92 B6 D3 6A 74 ....
and then a minute or so later
Key index block 1x  =   82 70 8A 00 52 C5 DE F0 84 E4 82 FF [B]FD[/B]   FA F2 0E 6C 61 ....

So the EMM key table appears to be different for each provider and furthermore it changes very often.

Is 39E not using Bulcrypt and Irdeto 2?
 

hoffmann

Registered
Messages
313

For me the program does not run! It gives me an error. Does it not work on Windows?
att
hoffmann
 

drhans

Registered
Messages
116
I also checked Arena log to compare and I don't see EMM table 83, it seems the ECM key will also be in table 82?

From Arena's ECMs, it would seem that the entitlement ID is 00 00 00 01

Code:
47 4D 18 16 00 80 70 18 EE 16 00 00 00 01 F3 A2 F3 E9 D2 1B EE FB 8C 21 33 03 18 C8 F0 FF CA 06
47 4D 18 18 00 81 70 18 EE 16 00 00 00 01 F3 A2 F3 E9 D2 1B EE FB DD 4E 75 F5 57 B0 00 AC 8A 22
47 4D 18 1B 00 80 70 18 EE 16 00 00 00 01 25 C5 A3 D4 D0 B2 07 CC DD 4E 75 F5 57 B0 00 AC 47 24

But since the table 83 is not there, the ECM key would be stored somewhere else I guess.

What I'm also not sure about is whether the "master firmware EMM" key which Colibri posted is really universal. That sounds very unlikely, but maybe it is, if it's factory default. So how is it?
 

007.4

VIP
Messages
364
In the short log I made I could not find 83h EMMs either. Perhaps a longer one is needed?

Without finding an encrypted ECM key in a 83h EMM we cannot test the universality of the "master" EMM key.
Perhaps Colibri can confirm it, or not?
 

mauricelugher

_https://mega.nz/#!gpoSnb6T!kneVSL2PtSpEXEfldvPtYNx2rSw7R7rDZOBHHFLNs78

usage: poc <input file> <service id> <output file>
Code:
poc ts_0100_11141H_28500_prg3.ts 3 out.ts

decrypted file will not open with vlc for me, but works fine with dvb players



Code:
[Emu] info: FFDecsa parallel mode = 32
[Emu] stream found pmt pid: 576
[Emu] stream found emm_pid: 1F4
[Emu] stream found ecm_pid: 56F
[Emu] stream found video pid: 515
[Emu] stream found audio pid: 51F
[Emu] stream found audio pid: 520
[Emu] stream found audio pid: 521
[Emu] stream found audio pid: 522
[Emu] stream found audio pid: 523
[Emu] stream found audio pid: 524
[Emu] stream found audio pid: 525
got nano E4 keys (block_index 0)
ecm key for entitlement 16AB found! (using emm_key_index: 0)
7B 4B D5 9B 22 7A 61 00 
 

Offline decrypting works well with modySat, cw log file like this:

Code:
# this is an ModySat cw log file 
#
# type:
# MODYSAT -f ModySat.cwl -i ModySat_crypted.ts -o ModySat_clean.ts
#
 
00 A8 FD 18 BD 70 71 0C ED 
01 80 D1 00 51 ED 92 AD 2C 
00 07 66 AD 1A 97 78 AB BA
01 58 AC 1D 21 82 56 30 08
00 72 01 37 AA 88 16 7F 1D 
01 B4 29 B5 92 6B CE 9D D6
00 E9 69 C1 13 A3 D8 10 8B
01 7C 44 CC 8C 1C 9F 6D 28
00 ED F6 3C 1F 03 CD 5C 2C
01 30 E4 D7 EB 5C D0 E5 11
00 58 E2 72 AC AE CB EF 68
01 86 FA 8D 0D 0A 85 37 C6
 

dale_para_bajo

Registered
Messages
646
I did not know you guys were having some fun. I am sorry to arrive late. I guess I need to learn a lot to catch up.

@Colibri.DVB Thanks, keep this type of project going on. I love to learn from all of you masters. My admiration to all of you coders.

I know there are a lot of good coders that made it here, but my kudos to @JimBizkit for the nice source code.

To the guys that are having trouble with Windows, like @harshy & @hoffmann: it works, it's just that we need to learn the differences between GNU/Linux and Windows. Small issues, do not worry.

I use "TDM-GCC", but you can use any GNU.

The Makefile has to be adjusted:

Code:
poc is not recognized as an internal or external command

This happens because your line 29 should read "BIN = poc.exe"

Code:
poc.c:947:5: error: 'for' loop initial declarations are only allowed in C99 mode
poc.c:947:5: note: use option -std=c99 or -std=gnu99 to compile your code
poc.c:968:7: error: 'for' loop initial declarations are only allowed in C99 mode
Makefile:36: recipe for target `poc.o' failed
make: *** [poc.o] Error 1

The answer is in the message; your line 22 should read:
"CC_WARN=-W -Wall -Wshadow -Wredundant-decls -std=c99"

Now, if after removing the errors you still cannot get a working out.ts:
I found that in my case the optimization flag "-O3" is causing issues. You can try to compile with -O2.

So at the end here is my working Makefile
Code:
UNAME := $(shell uname -s)
CC ?= gcc
STRIP ?= strip
TARGETHELP := $(shell $(CC) --target-help 2>&1)

CFLAGS=-I. -O2
ifneq (,$(findstring sse2,$(TARGETHELP)))
CFLAGS=-I. -O2 -funroll-loops -fomit-frame-pointer -mmmx -msse -msse2 -msse3
else ifneq (,$(findstring mplt,$(TARGETHELP)))
CFLAGS=-I. -O2 -funroll-loops -fomit-frame-pointer -mplt
else ifneq (,$(findstring m4-300,$(TARGETHELP)))
CFLAGS=-I. -O2 -fPIC -funroll-loops -fomit-frame-pointer -m4-300
else
CFLAGS=-I. -O2 -funroll-loops
endif

LFLAGS=-lpthread
#LFLAGS=-L. -lpthread -ldvbcsa

CC_WARN=-W -Wall -Wshadow -Wredundant-decls -std=c99
SRCS = cscrypt/des.c ffdecsa/ffdecsa.c poc.c 

Q = @
SAY = @echo
OBJS = $(SRCS:.c=.o)
DEPS = $(SRCS:.c=.d)
BIN = poc.exe

all: poc

-include $(OBJS:.o=.d)

%.o: %.c
	$(Q)$(CC) $(CC_WARN) -c -o $@ $< $(CFLAGS)
	$(SAY) "CC	$<"
	$(Q)$(CC) $(CC_WARN) -MM $(CFLAGS) $*.c > $*.d

poc: $(OBJS)
	$(Q)$(CC) $(CC_WARN) -o $(BIN) $(OBJS) $(CFLAGS) $(LFLAGS)
	$(STRIP) $(BIN)
	
clean:
	rm -rf $(BIN) $(OBJS) $(DEPS) out.ts
	
.PHONY: poc

So try it, it works. Now I need to learn the basics from you masters.
 

007.4

VIP
Messages
364
@007.4
can you post your emm log? Maybe the E1 nano is in another EMM. Or the E7 nano is used.

Here is a short EMM log (PID 0x81). There are loads of E1 (nanos?) but E1_01 rather than E1_12. I could not find E7 or EE nanos.
 
Messages
44
Thanks for the offline decrypter. So we can continue.

Here is a record from another freq.
ts_0100_12689H_28499_prg19.ts
_https://mega.nz/#!wIpGjZBK!4J0DWbUsOuzkVFeOViEViwHEtshB0lLFPgIX11OVg9k

I guess our offline decrypter is unable to decrypt it yet.
We must implement the handling of a special byte in the EMM tab id 82 first.

Infos of the bytes we know so far:

EMM TabId83:
47 41 F4 18
00
83
70 40
02: Permission type
7E FF 74 C1 FE 87 28 BD 7B E9 C5 F7 73 F7 EF 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00: 26h permission data bytes
31: KeyIdx of the EMM-Key
CF D0: Checksum
F0 14: & 0x0FFF -> remaining length
E1: tag
12: length of the tag
00 00 16 AB: entitlement ID
00: not relevant for us
51 EE FB 6B: not relevant for us
F6 AE C3 3B 77 5D 64 47: crypted data
FF: filler byte

EMM TabId82:
47 41 F4 1B: TS header
00: Offset
82: Table ID
70 8A: & 0x0FFF -> Section length
00: Permission type
5D: *** the handling of this byte is important ***
D1 98: Checksum
F0 84: & 0x0FFF -> remaining length
E4: tag
82: length of the tag
FF: not relevant
FF: & 0x03 -> BlockIdx
<10h * 8 encrypted bytes>


Permission type can have the following values:
00: 0 permission data bytes will follow
01: Ah permission data bytes will follow
02: 26h permission data bytes will follow
For hacking the permission type and data bytes aren't relevant.


If you compare the above EMMs, what do you guess can be the meaning of the green byte?

If we know the meaning I have a download for you (not a TS) that is needed to implement it.
 
Messages
44
@JimBizkit: Yes
The real range of a KeyIdx byte in tab id 82 and 83 is 00..7Fh.

Typically tab id 82 use only range 40h..7Fh.
Typically tab id 83 use only range 0..3Fh.

range 0..3Fh represents the 40h EMM-Keys that are stored in RAM.
range 40h..7Fh represents the 40h EMM-Keys that are stored in ROM/firmware.

In the first post I posted only the (for my first recording) needed EMM key with KeyIdx 58h (D5 B0 49 40 0D FB 83 25).

Typically every few minutes the EMM key index in tab id 82h will increment ( ... 7Dh, 7Eh, 7Fh, 40h, 41h, ...).

So we need the firmware to extract the 40h EMM keys (the firmware isn't encrypted).

firmware_update.zip
_https://mega.nz/#!1Q5zVLrQ!M6MIm2WKcC1Y79BCVT9thy0kt10wMGPFDj7t9gHVKBY

You don't need a disassembler.
There is a single big block present with all 40h keys together and you have already one EMM key that you can use as search pattern to find the block.
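
The section layout and key-index ranges described in the two posts above, written as a bounds-checked parser that an operator could run over captured EMM sections to see whether they select a RAM key or one of the firmware-resident keys; this is an added example, not code from the thread or from poc. The type and function names are hypothetical, the two sample sections are constructed (header bytes as listed above, checksum and payload zero-filled), and treating the byte after the permission data in table 82h as the key index is an assumption taken from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum key_store { KEY_RAM, KEY_ROM, KEY_OUT_OF_RANGE };

typedef struct {
    uint8_t table_id;     /* 0x82 or 0x83 */
    uint8_t key_idx;      /* EMM key index byte */
    uint8_t nano_tag;     /* first nano tag: 0xE4 (table 82h) or 0xE1 (table 83h) */
    int     block_idx;    /* E4 only: second nano byte & 0x03, otherwise -1 */
    int64_t entitlement;  /* E1 only: 32-bit entitlement ID, otherwise -1 */
} emm_info;

/* Constructed samples: header bytes as listed in the thread; checksum and
 * payload bytes are left zero. Sections start at the table ID byte. */
static const uint8_t SAMPLE_82[3 + 0x8A] = {
    0x82, 0x70, 0x8A, 0x00, 0x5D, 0x00, 0x00, 0xF0, 0x84, 0xE4, 0x82, 0xFF, 0xFF };
static const uint8_t SAMPLE_83[3 + 0x40] = {
    0x83, 0x70, 0x40, 0x02, [42] = 0x31, [45] = 0xF0, 0x14, 0xE1, 0x12, 0x00, 0x00, 0x16, 0xAB };

/* Per the thread: 00h..3Fh = keys held in RAM, 40h..7Fh = keys in ROM/firmware. */
enum key_store classify_key_idx(uint8_t idx)
{
    return idx <= 0x3F ? KEY_RAM : idx <= 0x7F ? KEY_ROM : KEY_OUT_OF_RANGE;
}

/* Parse one EMM section; returns 0 on success, negative on truncated or unexpected input. */
int parse_emm(const uint8_t *s, size_t len, emm_info *out)
{
    if (len < 4 || (s[0] != 0x82 && s[0] != 0x83)) return -1;
    size_t end = 3 + (size_t)(((s[1] << 8) | s[2]) & 0x0FFF);
    if (end > len) return -2;
    /* Permission type selects how many permission data bytes follow. */
    size_t perm = s[3] == 0 ? 0 : s[3] == 1 ? 0x0A : s[3] == 2 ? 0x26 : SIZE_MAX;
    if (perm == SIZE_MAX || 4 + perm + 5 > end) return -3;
    size_t p = 4 + perm;
    out->table_id = s[0];
    out->key_idx = s[p];
    size_t remaining = (size_t)(((s[p + 3] << 8) | s[p + 4]) & 0x0FFF);
    p += 5;  /* skip key index, checksum (not verified here), remaining length */
    if (remaining < 2 || p + remaining > end) return -4;
    size_t nano_len = s[p + 1];
    if (nano_len > remaining - 2) return -5;
    out->nano_tag = s[p];
    out->block_idx = -1; out->entitlement = -1;
    p += 2;
    if (out->nano_tag == 0xE4 && nano_len >= 2)
        out->block_idx = s[p + 1] & 0x03;
    else if (out->nano_tag == 0xE1 && nano_len >= 4)
        out->entitlement = (int64_t)(((uint32_t)s[p] << 24) | ((uint32_t)s[p + 1] << 16)
                                     | ((uint32_t)s[p + 2] << 8) | s[p + 3]);
    return 0;
}

int main(void)
{
    emm_info e;
    if (parse_emm(SAMPLE_82, sizeof SAMPLE_82, &e) == 0)
        printf("key_idx %02X: %s\n", e.key_idx,
               classify_key_idx(e.key_idx) == KEY_ROM ? "ROM/firmware" : "RAM");
    return 0;
}
```

A section whose key index falls in 40h..7Fh relies on keys that, per this thread, sit unencrypted in the firmware image and did not change between firmware versions.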
 

JimBizkit

Registered
Messages
128
Did someone already find the 40h keys in the firmware?
I cannot locate the D5 B0 ... key.
Ignoring DES key parity did not help.


Edit:
I found it. :)
 
Messages
44
JimBizkit found it already. For the others:

One of the files contains .gz compressed modules.

After extracting it with the hex editor, rename it to .gz and decompress it. Then you will find the keys.

In the .bat file there is a mapping from the following names to file names:
mainboard only
H264 4:2:2 only (S15148)
mainboard and H264 4:2:2
g.703 cards (S15183)
J2K card (S15955)
IP Input card and IP/S2 Card (S15100)
SKIT descrambler card (S15678)
BSkyB descrambler card (S15441)
upgrade mainboard from 5.6.X
3G HD Output Card (S15145)
Multi Standard Decoder card (S16056)

The RAS and Tandberg decryption is always on board (and not on a separate descrambler card like BSkyB).

So which is the relevant file?

If you have the file you will find a header with the module info (like module length) at the beginning of the file.
 

JimBizkit

Registered
Messages
128
poc 1.2
_https://mega.nz/#!0d5SmLpD!vjQf2a1SsK17inZoR9wFn94v5Ep6FQGsddEgZr6ufl4

Code:
poc ts_0100_12689H_28499_prg19.ts 19 out.ts



Code:
[Emu] info: FFDecsa parallel mode = 32
[Emu] stream found pmt pid: BB6
[Emu] stream found emm_pid: 1F4
[Emu] stream found pcr_pid: BB7
[Emu] stream found ecm_pid: BAF
[Emu] stream found video pid: B55
[Emu] stream found audio pid: B5F
[Emu] stream found audio pid: B60
got nano E4 keys (block_index 3)
got nano E4 keys (block_index 2)
ecm key for entitlement 1773 found! (using emm_key_index: 20)
D6 B6 78 D3 F6 45 3D 00 
 
 
Messages
44
Here are the full TS original files (not only filtered for one program):

ts_0100_11141H_28500.ts
_https://mega.nz/#!REwCTZhJ!A2o-oIhEgYiNmFXaNmGxB14iqtqYkQhftf_qq9Yp0Vk

ts_0100_12689H_28499.ts
_https://mega.nz/#!EcxB2BRD!NFmjxuft3DTzoKeg8yFWm0j50MKHWTEu01oHTyd2IZs
 

JimBizkit

Registered
Messages
128
Some screens of the other channels:



Thanks a lot for the challenge Colibri.DVB! It was a lot of fun doing it.
 

007.4

VIP
Messages
364
Wow, that took some finding!

In main.bin after decompressing. The first two ROM keys (index 0x40 and 0x41).

Code:
0086c04ch: A2 DC C1 2F 2F 26 0B 9E 13 F7 A8 29 F2 34 6D 0B ; ¢ÜÁ//&.ž.÷¨)ò4m.

I've also extracted the keys from a much newer firmware update (7_23_0) and the ROM keys remain the same.
 