PowerVu Chat [only chat, don't post keys here]

dahaka

Registered
Messages
700
@ TheHighLander

Colibri.DVB said:
If you want to build a brute force program, the information about the algo can be taken from the PDF files, only the sboxes are missing and the info which input bits are used for which sboxes.

To get the missing info you need to get the ISE dump. Follow the reference [2] at the end of the PDF to the pvufull.zip.

The sboxes can be found at the following addresses:
EE:09B6 S-Box1 (10h bytes long) 97h...
EE:09C6 S-Box2 (10h bytes long)
EE:09D6 S-Box3 (10h bytes long)
EE:09E6 S-Box4 (10h bytes long)
EE:09F6 S-Box5 (10h bytes long)
EE:0A06 S-Box6 (10h bytes long)
EE:0A16 S-Box7 (10h bytes long)
EE:0A26 S-Box8 (10h bytes long)
EE:0A36 S-Box9 (20h bytes long) ..59h

See also page 6 of
_http://colibri.bplaced.net/Kryptoanalyse%20PowerVu%20TV-Verschluesselung.pdf
Here is a short translation of the text below the S-Box connection picture:
The S-Boxes that convert 7 bits input to 1 bit output need only 16 bytes. 4 input bits are the index of the S-Box and the remaining 3 bits are used to select which bit of the 8 bit output is used.
The S-Box that converts 8 bits input to 1 bit output needs 32 bytes. 5 input bits are the index of the S-Box and the remaining 3 bits are used to select which bit of the 8 bit output is used.


To get the info which bits of the shift register are used for which sboxes you must disassemble only one single function of the ISE firmware.

It's located at EE:07E1

The following RAM bytes are the internal state of the shift register and their bits are used to feed the sboxes:
byte_4F leftmost byte
byte_50
byte_51
byte_52
byte_53
byte_54
byte_55 rightmost byte

RAM bytes byte_5A and byte_5B store the intermediate results of S-Box1 to S-Box8 and are used to feed the final S-Box9.

In the "find EMM keys 84 times faster" PDF there is test data that can be used to verify your own shift register implementation.

Btw. because the key can be found 84 times faster you don't need CUDA anymore to find keys that have huge subscribers like AFN.

Also post 35
 

satellite12

Registered
Messages
2
hi...

I am still trying to code up the powervu sbox function... I do not have the tools or experience to reverse engineer the function from HEX.

I figured out the values in the s1-s9 registers. I just need to know what 7 bits from the shift register go into what s-box? and if they stay in order or are reordered? I read the pdf that highlights the function in eep hex but can't quite figure out the relationships.

bits 0-6 --> sX ???
 

Proximator

Registered
Messages
15
PowerVu Logging Project Update (Jan 12, 2015 Update)
Almost all PowerVu keys for C-band satellite 135W have been found:
CMT HD
MTV HD
Nick HD
Palladia HD
Spike HD
Comedy Central HD
Fusion HD
HGTV HD
Food Network HD
DIY HD
Cooking HD
Travel HD
GAC HD
Epix 1 HD
Epix 2 HD
Epix 3 HD
GolTV

http://satellitetesters.com/


They do not answer email. How can I help this project?
 

Proximator

Registered
Messages
15
PowerVu Logging Project Update (Jan 23, 2015 Update)

The latest rumors of a USA dealer selling a hacked receiver have NOTHING to do with us! Our project will be released as freeware (most likely on latest dreambox platform). We have added the 84x speedup suggested by Colibri, but many transponders still don't have enough EMMs for quick brute force, so we will leave these for last. Keys for satellites 133w and 131w have now been found.
 

mx3000

Registered
Messages
46
Colibri web site closed by federal!

httpcolibribplacednet.jpg
 
ooOO_SORGOS_OOoo

Hey, it isn't closed !!!

Code:
[B][COLOR="Red"][URL="http://colibri.bplaced.net"]Colibri web official web site[/URL][/COLOR][/B]
[B][COLOR="Red"][URL="http://colibri.bplaced.net"][URL="http://colibri.bplaced.net/powervu.htm"]POWERVU [/URL][/URL][/COLOR][/B]
 

drfg

Registered
Messages
1
PowerVu implementation questions

I have several questions regarding the PowerVu implementation and hope someone has answers.
If you know a forum where there are PowerVu experts, I would appreciate if you could post this message on this forum to get back answers.


- I receive alternating DES keys when decrypting one channel. Does anyone know which keys to keep and which to discard? As an example, I receive in this order the following decrypted 10h bytes from the Command 0 (Get Base CW) and the corresponding video DES keys:

A000xxxxxxE8E1xxxxxxxxxxxxxxxxxx gives the video DES key 1111111111111111
A000xxxxxxE137xxxxxxxxxxxxxxxxxx gives the video DES key 2222222222222222
A000xxxxxxE8E1xxxxxxxxxxxxxxxxxx gives the video DES key 1111111111111111
A000xxxxxxE137xxxxxxxxxxxxxxxxxx gives the video DES key 2222222222222222
A000xxxxxx3742xxxxxxxxxxxxxxxxxx gives the video DES key 3333333333333333
A000xxxxxxE137xxxxxxxxxxxxxxxxxx gives the video DES key 2222222222222222

The only documentation I found regarding this is in the pdf 'Kryptoanalyse PowerVu TV-Verschluesselung' from Colibri at page 7:

"In addition, the ISE remembers the ECM[6] byte. When a new command 0 arrives, the current ECM[5] byte is compared with the previous ECM[6] byte. If they are identical, then the order of the ECMs was not changed and no ECM was skipped."

Does anyone understand that?




- The description for processing the command 1 is not clear. Can someone confirm that the following calculation for the DES key from the command 1 is correct? This calculation is described in the pdf 'Kryptoanalyse PowerVu TV-Verschluesselung' from Colibri at page 8.
Particularly, which shift register should be used to decrypt the 'IV | SeedBase'? Should it be the shift register after the command 0 or the shift register produced after decrypting the part of the ECM in command 1?

Example of calculation:

Shift register after command 0: 11 22 33 44 55 66 77
SeedBase: aa bb cc dd
Base CW: 11 22 33 44 55 66 77

Decrypted part 2 of the ECM in Command 1:
aa bb 11 22 33 44 55 66 77 88 99 11 22 33 44 55
66 77 88 99 11 22 33 44 55 66 77 88 99 aa bb

video iv: 0000110000 in binary
Encrypted Video Seed: 000011000010101010101110111100110011011101 in binary

Decrypted Video Seed: 02 71 ae c2
Video DES key: 13 a8 e6 b0 64 b9 5e b3


Is the video DES key correct?



- Colibri says that the Video and Audio are encrypted using DES (ECB). Does anyone know how to decrypt the video stream if you have the video DES key?

To decrypt a 188-byte video packet, do you have to skip the 4-byte header (and mark it as unencrypted) and decrypt 23 blocks of 8 bytes using the same DES key?

Something like:

videoPacket[3] &= 0x3f;

DES_key_schedule desKeySchedule;
DES_key_sched((DES_cblock *)desKey, &desKeySchedule);

for(int blockIndex = 0 ; blockIndex < 23 ; blockIndex++)
{
    DES_ecb_encrypt((DES_cblock *)(videoPacket + 4 + (blockIndex * 8)),
                    (DES_cblock *)(videoPacket + 4 + (blockIndex * 8)),
                    &desKeySchedule, DES_DECRYPT);
}

Is that correct?



- Colibri says in the PDF PowerVu_management_keys_hacked and in the pdf PowerVuSecrets that the last 4 bytes of the EMM are a DVB CRC32 checksum. I can't manage to verify this checksum. Is there a trick? For the ECM there is no problem and the DVB CRC32 is valid.


Thanks
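
The standard MPEG-2/DVB section CRC check that the last question refers to, as an added example that is not part of the original post: it implements the generic CRC-32/MPEG-2 over a whole section and says nothing about any PowerVu-specific EMM layout. It assumes a section with the usual 3-byte header and 12-bit section_length; the names `section_crc_ok` and `demo` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CRC-32/MPEG-2: poly 0x04C11DB7, init 0xFFFFFFFF, MSB first, no final XOR. */
uint32_t crc32_mpeg2(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint32_t)data[i] << 24;
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x80000000u) ? (crc << 1) ^ 0x04C11DB7u : crc << 1;
    }
    return crc;
}

/* 1 = CRC valid, 0 = CRC mismatch, -1 = truncated or malformed section. */
int section_crc_ok(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < 3) return -1;
    size_t section_length = ((size_t)(buf[1] & 0x0F) << 8) | buf[2];
    size_t total = 3 + section_length;          /* header + body + CRC_32 */
    if (section_length < 4 || total > buf_len) return -1;
    /* Running the CRC across the stored CRC_32 as well leaves 0 if intact. */
    return crc32_mpeg2(buf, total) == 0;
}

/* Constructed 16-byte sample section (not captured data); CRC_32 filled in here. */
int demo(int flip_index, size_t visible_len)
{
    uint8_t s[16] = { 0x00, 0xB0, 0x0D, 0x00, 0x01, 0xC1, 0x00, 0x00,
                      0x00, 0x01, 0xE1, 0x00 };
    uint32_t crc = crc32_mpeg2(s, 12);
    s[12] = (uint8_t)(crc >> 24); s[13] = (uint8_t)(crc >> 16);
    s[14] = (uint8_t)(crc >> 8);  s[15] = (uint8_t)crc;
    if (flip_index >= 0) s[flip_index] ^= 0x01;  /* simulate a corrupted byte */
    return section_crc_ok(s, visible_len);
}

int main(void)
{
    printf("intact=%d corrupted=%d truncated=%d\n",
           demo(-1, 16), demo(5, 16), demo(-1, 10));
    return 0;
}
```

A mismatch from this check only means the bytes fed in are not a complete standard section covered by a CRC-32/MPEG-2; the length check matters because a section_length taken from a damaged header would otherwise read past the buffer.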
 

IgorN

Registered
Messages
3
PowerVu Logging Project Update (Feb 03, 2015 Update)
Most channels unlocked on 127W - Galaxy 13.

BBC World HD
NHK HD
Veria HD
TV Japan HD
Caracol
MegaTV
Bloomberg HD
WWE HD
PlayboyTV 1 HD
Playboy TV 2 HD
Crime/Investigation HD
FYI
History 2 HD
History Int HD
NFL 1 HD
NFL 2 HD
NFL 3 HD
NFL 4 HD
NFL 5 HD
NFL 6 HD
http://satellitetesters.com/
 