Nagra Hex block Decryption

Nope, the NAND chip has a different BGA layout from the chip we dump to get the details.

It's also a different chip.

Oh right, my mistake, I haven't dumped it. Thanks for letting me know.

PS: is that a Cisco box???
 
The Cisco and TiVo box
Both have 2 chips
1 chip we dump for RSA details
The other is a NAND chip

Both boxes have the same part no. chips

So I'm guessing the NAND chip stores firmware and the EBGA64 stores the details, like a storage chip
 
Dunno if it is any help, but this was posted on the other forum:

OK, got a VM Cisco box from a boot sale, got the BGA chip off OK, not sure I'll get it back on though, but that doesn't matter cos I only got it to have a play with.

BGA has been dumped and I've found the 01 6C block.

So am I right in thinking that somewhere in the BGA dump is some pre-computed data that, when it is IDEA encrypted (with IRD+CONSTANT) and this result is then XOR'd with the 01 6C block, will give the decrypted block?

Another question: will this pre-computed data be the same as in another box of the same type?

The answer to both was yes.
 
Looking at the Cisco dumps, there seems to be a 128-byte block at 120770-1207EF, and a 256-byte block at 120809-120908, different for both dumps, but the same 25-byte string is between these blocks in both dumps. This whole chunk of data is then repeated at 16052D.

My spidey sense is telling me this data could be used somehow???
 
The RAM chips are BGA
and no, you can't JTAG

If you could, we wouldn't bother lifting chips
 
In this case, with the RAM turned on, what is the best way to read the memory image off the chip and save it off in a HEX file? If this is a noob question, sorry, but I'm trying to do this with the help of a logic analyzer.

 
Lift chip

Reball
Then read it in a programmer that supports it
 
You are talking about flashes and I'm talking about RAMs.
 
Ooh sorry


Lift the RAM chips, then see if you can meter the RAM points to somewhere else on the board (I doubt it)

A data sheet for the RAM chips would help you determine what point you need to connect to
 
Evening chaps, just wondering how people were getting on with this? Got my dump in a hex editor and got my IDEA or constant key, but I'm stuck. Any pointers would be great?
 
Your IDEA / constant key???

Care to share the address it's located at?
 
I could be wrong, but from what I understand (and I'm no expert) the IDEA key is your IRD plus a 12-byte set starting with 10? This number is floating about on various European forums?

 
Look at the last post here --> ___http://viaccessfree.biz/forum/showthread.php?t=28564___ posted by alexey1901
I'm not sure.

A few corrections and additions on how the card is bound to the receiver and on the data exchange protocols
between them.
This information applies only to Nagravision; in other conditional access systems it may work differently.
Two methods are used, independently of each other:

1) the SK method - use of a secondary key.
2) the DT08 method - data type 08.

If a Secondary Key is used, the receiver checks for its presence in the TSOP flash area, and if the SK is present the
DT08 method will not be used. The receiver verifies the validity of the SK by computing a signature using the
IDEA algorithm with the corresponding key, which is also located in the TSOP (it appears to be programmed in from the start and has a mathematical
relationship with IRD# - the receiver number). Example... if IRD# is 00000005 then the IDEA key has the following value
00000005101924314051647990A9C4E2 (the 4 bytes of IRD# are the beginning of the key). The SK consists of the receiver's boxkey,
IRD#, the RSA modulus N from the smart card (in plaintext, at that) and the signature under the IDEA key.
 

Translated Reads :)

A few corrections and additions on how the card is bound to the receiver and the communication protocols
between them.
This information relates only to Nagravision; other conditional access systems may be different.
2 methods are used independently:


1) the SK method - use of a secondary key.
2) the DT08 method - data type 08.


If you are using a Secondary Key, the receiver checks its availability in the TSOP flash region, and if the SK is there the
DT08 method will not be used. The receiver checks the validity of the SK by computing the signature using the
IDEA algorithm with the matching key, which is also in the TSOP (apparently originally sewn in and having a mathematical
connection with the IRD # - the receiver number). Example ... if IRD # is 00000005, the IDEA-key has the following value
00000005101924314051647990A9C4E2 (the 4 bytes of IRD # are the start of the key). SK consists of the receiver's boxkey,
IRD #, the RSA modulus N of the smart card (in the open) and a signature by IDEA-key.

For those of us that are not Russian :)
 
I have been struggling with this for weeks but believe I am very close now, will confirm my results later.

 
Thought I was there but fell at the last hurdle.... gutted..
 
Well, not sure what I can say and can't say, but here goes. Got my 016c block and split the 96 bytes into 12 blocks of 8 (assuming I've got the right ones), applied the IDEA key. Then XOR'd the results with the originals (new 12 with old 11, new 11 with old 10, etc. etc.). My end result wasn't what I expected. Feeling like I've missed something.

 