FOX NETWORKS GROUP (Turksat 4A 42°E East Beam) ** CHAT ONLY NO KEYS **

rustantenna

Banned
Messages
64
Ok so 1st impression on ECM analysis is no good.

So the stream has changed. And just like the EMMs, the ECMs are longer!! Let's see.

Old FOX_CRIME_HD-ECM
47 4A C3 19 00 81 70 18 EE 16 00 00 00 C9 DB 4D 9B D4 D8 89 51 33 C0 DB 87 70 50 E4 B9 39 6C 63
47 4A C3 1A 00 80 70 18 EE 16 00 00 00 C9 E9 B5 7F B4 6D 59 D2 52 C0 DB 87 70 50 E4 B9 39 83 0E
47 4A C3 1C 00 81 70 18 EE 16 00 00 00 C9 E9 B5 7F B4 6D 59 D2 52 41 6D 37 D2 53 88 DC 28 D7 E3

New FOX_CRIME_HD-ECM

Code:
47 4A C3 12 00 81 70 28 ED 26 00 00 00 C9 D0 9A AA 5E 62 7C 99 ED CA 05 C3 19 D2 4D 61 88 4C 26 88 9C 61 20 85 7B 4D F0 79 90 76 DE 16 30 17 E3 
47 4A C3 1A 00 80 70 28 ED 26 00 00 00 C9 F7 4F F2 E4 36 85 92 4F 3B 86 4F AB 5B 25 6A 1D 5C 8E 67 87 B7 53 9B C5 F2 D5 1C 2E 26 66 E5 CB 57 E3 
47 4A C3 15 00 81 70 28 ED 26 00 00 00 C9 2B 02 B0 19 99 91 B3 24 E7 2E F3 32 5E 92 B2 C5 E3 D0 67 4B 52 E8 48 FA 39 C1 DF 61 F5 E4 7C CC 0A 3C

It seems it still uses same Entitlement C9. So maybe fiji is correct and key is the same?

But look at the old data. See how even when the 8 byte data was encrypted you could see the CW1 CW0 pattern?
In the new ECM stream you can not see the repeated pattern!!! This for me shows that the ECM encryption has been changed.

It seems to have changed from 2 (8byte) block DES-ECB to a 1 (32Byte) ???-CBC type of encryption?
 
Last edited:
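The repeated-block observation in the post above can be checked mechanically, since ECB maps equal plaintext blocks to equal ciphertext blocks. This is an added example, not code from the thread or from poc.exe; the 14-byte header offset, the 2-byte trailer and the 8-byte block size are assumptions read off the hex lines as posted.

```python
from collections import Counter

# ECM lines copied from the post above (TS packet bytes as hex).
OLD_ECM = [
    "47 4A C3 19 00 81 70 18 EE 16 00 00 00 C9 DB 4D 9B D4 D8 89 51 33 C0 DB 87 70 50 E4 B9 39 6C 63",
    "47 4A C3 1A 00 80 70 18 EE 16 00 00 00 C9 E9 B5 7F B4 6D 59 D2 52 C0 DB 87 70 50 E4 B9 39 83 0E",
    "47 4A C3 1C 00 81 70 18 EE 16 00 00 00 C9 E9 B5 7F B4 6D 59 D2 52 41 6D 37 D2 53 88 DC 28 D7 E3",
]
NEW_ECM = [
    "47 4A C3 12 00 81 70 28 ED 26 00 00 00 C9 D0 9A AA 5E 62 7C 99 ED CA 05 C3 19 D2 4D 61 88 4C 26 88 9C 61 20 85 7B 4D F0 79 90 76 DE 16 30 17 E3",
    "47 4A C3 1A 00 80 70 28 ED 26 00 00 00 C9 F7 4F F2 E4 36 85 92 4F 3B 86 4F AB 5B 25 6A 1D 5C 8E 67 87 B7 53 9B C5 F2 D5 1C 2E 26 66 E5 CB 57 E3",
    "47 4A C3 15 00 81 70 28 ED 26 00 00 00 C9 2B 02 B0 19 99 91 B3 24 E7 2E F3 32 5E 92 B2 C5 E3 D0 67 4B 52 E8 48 FA 39 C1 DF 61 F5 E4 7C CC 0A 3C",
]

HEADER_LEN = 14   # assumption: bytes up to and including "00 00 00 C9"
TRAILER_LEN = 2   # assumption: last two bytes are outside the encrypted field
BLOCK = 8         # DES block size, as the post suggests


def cipher_blocks(hex_line):
    """Split the encrypted field of one ECM line into BLOCK-sized chunks."""
    raw = bytes.fromhex(hex_line)
    body = raw[HEADER_LEN:len(raw) - TRAILER_LEN]
    if not body or len(body) % BLOCK:
        raise ValueError("encrypted field is not a whole number of blocks")
    return [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)]


def repeated_blocks(lines):
    """Return ciphertext blocks that occur in more than one message."""
    seen = Counter()
    for line in lines:
        for blk in set(cipher_blocks(line)):  # count each block once per message
            seen[blk] += 1
    return sorted(b.hex(" ").upper() for b, n in seen.items() if n > 1)


if __name__ == "__main__":
    print("old:", repeated_blocks(OLD_ECM))
    print("new:", repeated_blocks(NEW_ECM))
```

The old lines share two 8-byte blocks across consecutive messages and the new lines share none. The absence of repeats is consistent with a chained mode or any per-message randomisation; on its own it does not identify the cipher or mode.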

kebien

Registered
Messages
1,329
Can you check the EMM spool and see if they are still sending EMM for the same UAs as before?
I mean to make sure they are using the same IRDs?
 

rustantenna

Banned
Messages
64
To be honest I have not studied the EMM structure in detail.

You see, here easy FREE info ends all nice study! JimBizkit gave us POC.exe and all EMM study was stopped as poc.exe resulted in such a nice tool.

Now I do not recall in any place here a post that shows how to recognize a UA number from an EMM for Tandberg CA. But since you have mentioned it, can you help?

In powervu we find UA at the end of line 82(unencrypted), just before the 80(encrypted)

47405A1400 8230 9B 1099 01 0E00 0000 068F 005169FD 000003
80.....

In Tandberg Old structure was like this
4741F41200 8270 B4
01 DE 1D 82 01 6B 27 91 02 08 00 30 30 00 F0 2C E0 2A FF 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 DE 1D 82 01 20 15 DA 02 08 00 30 B3 7A F0 2C E0 2A FF 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 DE 1D 82 01 86 0A DA 02 08 00 30 37 CC F0 2C E0 2A FF 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

New structure seems same
4741F41500 8270 B4
01 DE 1D 82 01 2A 6A DA 02 08 00 01 57 E3 F0 2C E0 2A FF 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 DE 1D 82 01 BB 75 DA 02 08 00 01 3A 3E F0 2C E0 2A FF 01 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 DE 1D 82 01 5C 2F 91 02 08 00 01 74 26 F0 2C E0 2A FF 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

So can you tell me what you consider the UA number?

To be honest I was under the impression that for this CA EMMs were not sent to a particular UA?
 

rustantenna

Banned
Messages
64
The other EMM size line. Please note they are truncated

old size from 8A
4741F41E00 8270 8A
00 5B 2C 63 F0 84 E4 82 FF FF 3E 2E F3 4B 34 D1 BB 1F A0 94 81 2D E1 A9 54 18 F9 BD 4D 8C B6 ED D8 BB BD B7 B0 C1 84

4741F41D00 8270 8A
00 5B 17 E3 F0 84 E4 82 FF FC 00 84 1B A0 F8 DE D9 43 A4 95 86 D9 F6 E7 63 24 77 48 29 DC 4F 2B C0 3B A9 7F FB C5 7C

New line size from 8A to 92.
4741F41000 8270 92
00 6B 53 63 F0 8C E4 8A 01 FC BA 63 E1 63 BC 24 D6 DC 1E 4C F0 4A 01 F6 38 DA 15 0E F9 E8 0D 41 98 8C 01 FA C2 1E 41

4741F41200 8270 92
00 6B 6D 44 F0 8C E4 8A 01 FD BA 63 E1 63 BC 24 D6 DC 26 7B 8A 77 63 7D 37 C7 45 F8 3C 60 0C 22 97 D1 17 1F 5E 50 F7

I guess this new size line is what poc.exe complains about.

But in terms of UA I still do not recognize that number in the line. In any case, new receiver or new firmware upgrade, what makes the difference?
 
Last edited:

bogyman

Donating Member
Messages
190
basically you are saying that the keys are ok but the algo needs to be fixed?

i recorded the whole ts using cheap sunplus stb :)
 

rustantenna

Banned
Messages
64
Not reallyyyy.

I try to somehow agree with what fiji may have said, key "MAY" be the same and algo needs to be fixed.

But that is a too easy statement.

Now what I do really say is that entitlement still is C9.
And most people here try to believe that those are default keys that NEVER change!! About that I am not sure. So entitlement may be the same but that does not really need to mean that it is still the same key. I hope it is the same too.

Now the big problem is figuring out what the new structure is. I guess there is a new firmware and the same people that did reverse engineer the firmware the 1st time => colibri, could reverse the new structure again. About that, only time will tell.

We can imagine a few skim and try! :)
 

kebien

Registered
Messages
1,329
In Tandberg, the keys are sent globally, this means you won't find any UA in table 0x83, keys are sent to all receivers.
And some of the table 0x82 are keys decryption management.
But going by what you posted there could be a UA in those packets
82 70 92 "00 6B 6D 44" F0................
I may be wrong, though, but I think that's it.

The reason would be tier management, the possibility that other channels in the transponder have a different key.....many reasons to address different receivers using the UA.
You can check by comparing this UA to older logs, and see the repeating pattern.
 

rustantenna

Banned
Messages
64
Posted logs on this transponder were only a few. I believe all posted logs were short. So it will be really hard to look for patterns.

But it is interesting what you are saying as I did think a little on that. Let's take colibri's post #10

...
Here are different EMMs:
47 41 F4 13 00 82 70 8A 00 58 17 E3 F0 84 E4 82 FF FF 90 77 34 86 8D 55 9B 48...
47 41 F4 13 00 82 70 8A 00 58 4D 63 F0 84 E4 82 FF FC 75 22 F8 64 85 B7 9B 05...
47 41 F4 16 00 82 70 8A 00 58 BA 5A F0 84 E4 82 FF FD E5 5C 88 11 5F E1 C7 CB...
47 41 F4 1C 00 82 70 8A 00 58 17 E3 F0 84 E4 82 FF FE 1C 24 A5 AE 21 9B 6D 83...
It seems green values are not crypted.

@antrabe:
This was an old record from a feed @10°E freq:11141 HOR SR:28500

See then

...
70 8A 00 58 17 E3
70 8A 00 58 4D 63
70 8A 00 58 BA 5A
70 8A 00 58 17 E3

So maybe those are and that is why only the last 2 hex bytes are different! Remember that is another Tandberg provider. I guess we need to see what JimBizkit wrote in poc.exe.
 

kebien

Registered
Messages
1,329
00 82 70 8A is the packet header, always 4 bytes.
82........ table
70
8A........ packet length

After this is the UA
00 58 17 E3
00 58 4D 63
00 58 BA 5A
00 58 17 E3

After this there is always an F0
After this F0 until the payload, might need more reading into what Colibri wrote.
But apparently this is the UA

[TS header][Packet head][.....UA......]....
47 41 F4 13 00 82 70 8A [ 00 58 17 E3 ] F0 84 E4 82 FF FF 90 77 34 86 8D 55 9B 48...
 
Last edited:

rustantenna

Banned
Messages
64
I feel shame on what I wrote. I did copy it without looking.
"82 70 8A" you are totally correct not part of anything else.

Also as I said I always disregarded EMMs as after poc fail there is nothing we can do.

This caused me to write a second mistake, I said "I believe all posted logs were short." But I was thinking of full TS. There are a bunch of people that did in fact try LONG EMMs at home. Maybe one can post an old EMM LOG and make you happy. New log is at


Sad that there is controversy on getting NONE BISS crypt8. We could try to study simple ideas in the new ECM style in an attempt to find the new structure. Now please do not involve me in any controversy. That is only an idea.
 
Last edited:

ooOO_SORGOS_OOoo

whose interesting this packet?

pls continue messages here only this channels

thank you?
 

mauricelugher

Ok so 1st impression on ECM analysis is no good.

So the stream has changed. And just like the EMMs, the ECMs are longer!! Let's see.

Old FOX_CRIME_HD-ECM


New FOX_CRIME_HD-ECM

Code:
47 4A C3 12 00 81 70 28 [B]ED[/B] 26 00 00 00 C9 D0 9A AA 5E 62 7C 99 ED CA 05 C3 19 D2 4D 61 88 4C 26 88 9C 61 20 85 7B 4D F0 79 90 76 DE 16 30 17 E3 
47 4A C3 1A 00 80 70 28 [B]ED[/B] 26 00 00 00 C9 F7 4F F2 E4 36 85 92 4F 3B 86 4F AB 5B 25 6A 1D 5C 8E 67 87 B7 53 9B C5 F2 D5 1C 2E 26 66 E5 CB 57 E3 
47 4A C3 15 00 81 70 28 [B]ED[/B] 26 00 00 00 C9 2B 02 B0 19 99 91 B3 24 E7 2E F3 32 5E 92 B2 C5 E3 D0 67 4B 52 E8 48 FA 39 C1 DF 61 F5 E4 7C CC 0A 3C

It seems it still uses same Entitlement C9. So maybe fiji is correct and key is the same?

But look at the old data. See how even when the 8 byte data was encrypted you could see the CW1 CW0 pattern?
In the new ECM stream you can not see the repeated pattern!!! This for me shows that the ECM encryption has been changed.

It seems to have changed from 2 (8byte) block DES-ECB to a 1 (32Byte) ???-CBC type of encryption?

By the way here are the names of all the tags I have found in the firmware:
E0 = EMM_TAG_RECEIVER_ALLOCATION_DESCRIPTOR
E1 = EMM_TAG_EVENT_ENTITLEMENT_DESCRIPTOR
E2 = EMM_TAG_EVENT_DEENTITLEMENT_DESCRIPTOR
E3 = EMM_TAG_OAC_COMMAND_DESCRIPTOR
E4 = EMM_TAG_SECURITY_TABLE_DESCRIPTOR
E6 = EMM_TAG_OVER_AIR_DOWNLOAD_DESCRIPTOR
E7 = EMM_TAG_OVERALL_ENTITLEMENT_DESCRIPTOR
E8 = EMM_TAG_OVER_AIR_DOWNLOAD_SWITCH_DESCRIPTOR
EE = ECM_TAG_CW_DESCRIPTOR
We have to catch the emm
47 4A C3 12 00 81 70 28 EE..................
haven't we?
 

abra26

Registered
Messages
263
no. we have to catch emm with 0x82 AND 0x83 to get ECM key so we need nano E4 in 0x82 AND nano E1 in 0x83.
 

kebien

Registered
Messages
1,329
As for clarification, I am wrong about those EMM having a UA.
What looks to be the UA is actually more descriptors and checksums.
Thanks to a friend for pointing that out.
 

fiji

Member
Messages
1,083
Tigersat T800 HD New Tandberg Fix V2.41 S/W

dqq0so.jpg
 