Smartdtv Cam

pipino

Hello,

Doing some experiments with a Smartdtv cam. Is there any way of extracting the RSA key?

The cam is Nagra based.

CANALREADY_CAM.jpg


Cheers
 

K2TSET

I was looking for the same on a NEOTRON Viaccess cam, used here for DVB-T

I know the firmware is transmitted as an update in the TS as an SSU.

In the NIT I do see a 0x09 "System Software Update" service
OUI: 0x237C => Neotion
Sector length: 0x22
Sector_bytes: 08000001123456780..............

This kind of data is sent as a carousel and I never found a way to capture the firmware, and if it were possible I guess it's encrypted and then it is hard to find the RSA.

Another way could be to open the cam, unsolder the flash, read it and hope the FW is not encrypted.

I was expecting to place a legal card in an OSCAM server and then let different receivers share that card.

But that does not work since the ECM in the TS does have the RSA key flagged, so I expect the RSA is needed.

I did a complete recording of the TS and at the same time I had logging running between the card and the cam on the 2 different TVs.

Both logs on card / cam are exactly the same during e.g. a timeslot of 1 min where the CW changed like every 10 sec.

Since I recorded the whole TS on a USB tuner at the same time, I could now extract the same program and do a BF on the CW and have a clear picture... but the CW is not shown in plain in the return from the card / cam log, so I'm a bit surprised about what part the RSA is actually used for in the CI.

Anyway, I'd like to know how to get the RSA as well :)
 

pelcmichal

In the Smartdtv cam you have more than one RSA. All is visible in the flash dump.
Also, more than one round is used to decrypt blocks.
 

K2TSET

I was looking for the same on a NEOTRON Viaccess cam, used here for DVB-T

Another way could be to open the cam, unsolder the flash, read it and hope the FW is not encrypted.

OK, got the BGA flash unsoldered, wired up and dumped, then uncompressed the 4MB bin image and now I have some files :thum:

Under "ciplus" folder I have:

Code:
01-01-1970  01:00             1.056 brand.der.aes
01-01-1970  01:00                16 clk.aes
01-01-1970  01:00             1.088 device.der.aes
01-01-1970  01:00               256 dh_g.aes
01-01-1970  01:00               256 dh_p.aes
01-01-1970  01:00                32 dh_q.aes
01-01-1970  01:00             1.200 private.der.aes
01-01-1970  01:00                16 random.aes
01-01-1970  01:00             1.024 root.der.aes
01-01-1970  01:00                16 siv.aes
01-01-1970  01:00                16 slk.aes
01-01-1970  01:00                16 usk.aes

The ECM D2 nano for "overencrypt" is D2 02 0D 00
Indicating key 0

I have tried the different 16-byte AES files in Oscam under aeskeys for the reader

multiple 16 bytes AES keys for Viaccess SCs (the used postprocessing AES key is specified through the D2 nano of the ECM)

None have cleared yet.

Any hint on which AES file is the right one to use with respect to the D2 nano and overencrypt?
 