Nagra Hex block Decryption

Status
Not open for further replies.
Hi guys,
I have a flash dump from M?25L3?55D; it's provid 2111 and box N?100?HD. There is no problem finding block 00000097, as follows:
block header: 00000097
NUID: 8?7?4?D?
0001 Max Number of Provider IDs
provider id: AA70
CWPK active: 05
00 Security Architecture:
CW Key descriptor: 0181 = 0x81 hexa bytes = 129 bytes (containing the cwpk encrypted keys)
Storage table length: 10 = 10 hexadecimal bytes = 16 bytes header CWPK key sizes
but I cannot identify block 0000016C. I've found some similar blocks, 0000016A and 0000017C, and tried to decrypt them ((IDEA(IRD+1019.....E1 as key > 00 - 02C)) XOR orig.data), but without success in finding block size xx08, xx40 for the RSA identifying and the data needed for the Boxkey XOR. This dump is from a non-active receiver and I can send it to anyone for investigation; for that, please contact me by PM. I've also tried some blocks with 009882 with bit swapping to find 016C, also without success. Could anyone help me with this?
 

Your box uses a CPU-encrypted 016c table => game over for extraction
 
I can't edit the post.
I tried to decrypt the Nagra block too.
After 0303 I select 44 block of data and I apply the IDEA key IRD+ 101******** then XOR with the Nagra block, but it doesn't work. What am I doing wrong?
I think that I'm close, but I am making a mistake, but where? A clue?
Redgast
 

You're doing something wrong ...
The method that calhordas posted, works well!
 
@bbzzyyczczeek I have seen some software floating around that will decrypt the block, unsure if it works tho.

Andy
 
Hey guys

I have a Swiss CS*T card (rom 410), caid 1863, Nagra Merlin, prepared to test here, if you need it.
I also have the dump of the Humax receiver (NOR & NAND). Any help will be well rewarded.

Those interested in research, please contact me publicly or privately. Thank you.
 
Hi guys!

I heard somewhere that Merlin CAK7 is using a new negotiation protocol with the card at startup, which uses 3 different keys from block 016c (3588, 3460 and 3310). The problem is that this block (016c) is encrypted with 3DES + CPU Master key, so it is necessary to execute code in the STI CPU to decrypt the flash before extracting those values.

On the other hand, we have block 0097, which has the CWPK set, but all these keys are also encrypted with 3DES + CPU Master key.

It would be good to discuss these 2 things here (perhaps someone already knows them?):

1) The hardware needed for reballing the STI CPU and executing specific code, and which code needs to be executed (I saw some code to get the CWPK from C0n@x at STI7111, but I don't know if it works with a Nagra STB)... then get the CWPK set and decrypt the 016C block
2) Which protocol is used to initialize the card, replacing the old DT08 (CMD$2A) one

What do you think?
 
Hi nicovil, I have some knowledge about your Nagra CAK7 problem and emu programming with 1 CWPK and 2 CWPK.
Send me a PM with your Skype;
we'll talk in more detail. I have some questions about Conax HW pairing, if you can help.
 
Hi friend, I have any tools for Conax. I need help with CAK7, two CWPK and NUID... talk to me.
 
sick, your PM box is full, please send me a PM to exchange Skypes, please
 
Conax uses mod1, mod2, mod3, boxkey 16 bytes, data50 and mod50;
if you know about CAK7 then you must have the base of his! lol
 
Are you all serious, or really brain damaged, to discuss these things in public or on Skype? You will get visited at home sooner than you can count to 3.
 
You talk about old Conax!! The new CAS 7 pairing is more advanced than what you said.
 