DigiCipher 2 info

Is there a relationship between the 3 seed keys and the Unit ID? are they somehow derived from it? When a provider authorizes a unit all they must know is the unit ID right? Therefore there must exist a method to derive the seed keys from it right? Because when the EMM is sent it's encrypted with those keys right? I have at times in the past seen old Digicipher II encoders for sale on ebay. If one could reverse engineer one of those in a manner similar to what's been done here, it might reveal even more than this. Those encoders probably have the method to derive the seed keys from unit IDs. Then you'd only need find a valid unit ID. Would that make it any easier?

Why would it be the key derived from the Unit ID?
It could be,but can also be a way to generate the packet intended for this unit,and not related to it.

The only way to target units individually is to sign a packet with the unit ID.And being the receiver the one that rejects any packet that doesn't contain its unit ID.

I would say generating keys using the unit id is a week point if used to generate any key.
It could be used to decrypt packets,and/or in conjunction with other elements,but generating keys internally might not be wise.(becomes weaker when you already know one element that's in plain view)

Another mistake you make : in any encryption system,the key used to encrypt the packets is not the same key that decrypts it.

Why would it be the key derived from the Unit ID?
It could be,but can also be a way to generate the packet intended for this unit,and not related to it.

Click to expand...

Perhaps, I'm mistaken and misunderstanding something here. I admit that I'm not an expert in this field like you guys. However, in the video I interpreted him to say that the Unit ID and the three seed keys were programmed in the receiver from the factory and that any attempt to write to those location resulted in the processor resetting itself. If that's the case, doesn't that mean the 3 seed keys are in the receiver when it leaves the factory and remain the same for the entire life of the receiver? I do know that when the battery goes dead in one these receivers the message you get is something about a "bad seed key".

Another mistake you make : in any encryption system,the key used to encrypt the packets is not the same key that decrypts it.

Click to expand...

Yes, but does there have to be a relationship of some sort between the 2 keys?

What I was thinking was that if the 3 seed keys are used to decrypt the keys that are sent down the stream to the particular unit, the providers must somehow know what keys to use to encrypt those keys and they must encrypt it with keys that will allow the 3 seed keys to get the right result. When you subscribe to a Digicipher II service, all you give them is the unit ID number. The seed keys are in the ram and aren't accessible unless you do the kind of glitching this guy did. So, the question is how does the provider know what keys to encrypt the packets they are sending to your receiver which will contain the keys to unlocking their services? That's the reason I was thinking there must exist some relationship between the unit ID and the seed keys. Granted that relationship might be complex and difficult to figure out. Of course, I may be wrong and perhaps completely misunderstanding the process.

Too much thinking,some things right,some things wrong.

I read the same as you : keys and unit ID are in the receiver from factory.
There are different reasons for one to write to those areas,one would be to clone a receiver using the same unit ID and keys,given you extracted those from original IRD.
And in case the keys are the same in all receivers,you could make a clone from any IRD.
As the battery keep the eeprom memory alive,the lost of unit ID when battery fails would also lose the keys too.
Reason why only the provider can reprogram the eeprom,only them have this information

In principle,the provider knows EVERYTHING.
Know all keys in all receivers.
They also know how to generate and encrypt every message for any receiver in their database.
If there is a relation between the master key they use to encrypt their messages with the one that decrypts,you will never know,because the encryption/decyption system is not reversible.
You don't even know which algorithm is used to encrypt,along with the missing master keys
But the principle is simple : use the unit id as a variable to encrypt the message,use the same unit id as a variable to decrypt the message.......why would the unit ID and other keys used be derived one from another when there is no need to?

We would at least need the ROM. But that guy didn't publish it, right?

I think the rom was already public at the time release DCI105 since flash have simplified xc ic algo in it. Does this rom (booloader) could run on 1bit clock 6502 emu (not sure, but probably this bcm cpu is able to)? Anyway, it could be interesting to see emm encrypt/decrypt tool in future for learning on this old system...From what I read, not so weird that cat begin to change seed key around the time this box was known.

This digicipher2 cas hacked?

Usbjtag had a guy in Mexico with an electron scope who started posting pics of rom and ram areas. He etched into the chip and kept 5v I believe on the eeprom to keep the chip active. Some of it can still be seen. Things went quiet soon after he posted the pictures.

Garlinsky wrote a program that analyzed the ram and rom and manually coded the 1 or 0's to build his map and how he attacked dc2. Yes well ahead of my abilities, but he did show how it was done and he was successful.

For North America a DCII hack would be the best hack ever, way better than Powervu, JMHO.

One guy being successful does not mean everyone can be.
And the whole idea of protection is : it might not be unbreakable,but making things really difficult and out of reach of 99% of people would disappoint those that are naive enough to think they can do it too.

Most probably the simplest equation was not thought out by those either.But can be thought and learn simply.
This is not simple.

I'm thinking the guy on mexico and a few others have it figured out. He stopped posting about it and many pictures links etc are now gone of memory areas. If I had the fix I wouldnt make it public either. It would just get killed quickly

If the tree fall in the woods when nobody is around.....does it make a sound?
There is no science in anything that is not tangible.
Believing,thinking,and anything that proves nothing is just no proof.
But we can believe whatever we want.