0963 ecm length for missing hd channels

eon

A little investigation reveals that the HD channels not clearing now have a new ecm header and length

Normal HD channel - header= 80707A000001,81707A000001 - length 250 characters.
80707A0000010ED0049B58FFFF0081112001000087677E0A40CA9D0164D4CD44D6529059C004424768514F502261B3DFD517E54AF5591F15D97D4440D26D5DCBF53BEB823813A80EFD7B192DF38746E75D1EEB5EFB33AB84E515AD0188AD042BF1A0BECA152DCA168A564CD005D6F27C7B28C49198DDD2ACD77A7B2427

Premium HD (movies+sports) - header=807081000001,807081000001 - length 264 characters.
8070810000010ED0049BDBFFFF008111200100000A6E7E0A483E805964E9F61C597E9060C004C8A0EC79A9A63E91823CC957F673499C65F3C975F8FF6AC09A135281E347E82571540C549C6F5857BE756B8CE3B31B9371BF76E793DFD285BA14C3FF8D94794CDFEB0CB90AC18676C10D5E8CEC7106793079AFBE657BEF47E49B9897BC94

Blocked HD Channels - header=807082000001,817082000001 - length 266 characters.
8170820000010ED0049C63FFFF00811120010000936F7E0A224DBCCB4D5F8BD536399061C00403E556338D635D70CAFF2E188DB7F94FE35AC3C288D5263A643833FE5FD8237CE739CF9FB2011DA8AD777F1D509CFCCF09DD23B4D3B68EDC25655211F4FDCA2D36637E707E1E9E5F7EEF522283B9ED5249700125FDCC99C95F0BF3A24FBE21
 
This is what I have read on another forum which may/may not be of help:-

================================================================================

Sky's new pairing doesn't introduce any significant differences to the existing NDS data, that data is still encrypted so only a genuine card can decrypt it, but what it does do is add an additional layer of encryption between the box/card to prevent their cards from being used in card servers like oscam.

A new HD box running the latest firmware is able to take the incoming NDS data [ECMs/EMMs] from the MPEG stream and further encrypt it before sending it to the card.

An old HD box (or an SD box) just continues as it did before, extracting the NDS data from the MPEG stream and feeding it to the card.

This design allows Sky to alter NOTHING to the existing NDS code, which is essential to (a) prevent loggers/hackers from running comparators over logs from the then/now data streams and (b) allow older boxes to work as before.

Remember, the change has NOT happened at the NDS level, it has happened at the firmware level of both the new HD boxes and the existing cards.

It's the boxes that are instructed to use the pairing algo [or not] for a particular channel(s) [or more accurately, entitlement group/level]

If you place a card in a new HD box, the card will be instructed to accept the newly encrypted data using the box's pairing key...

If you then move the card back to oscam, it will continue to expect that encrypted data for that channel(s) and try to decrypt it...
Of course, as the incoming data is NOT encrypted (coming from oscam for example) you'll get nothing worthwhile back..

So what happens when you put a card back in oscam or put it back in an SD box or an old HD box and leave it..?
If the card is unable to verify it's running in a new HD box [after x amount of time (or cycles) or following a new install/pairing process], it reverts back to the original system we all know and love, which is of course easy for most to share.
[I'm sure their lawyers have reminded Sky not to enforce a blackout on paying customers for fear of prosecution or maybe Sky have acknowledged some people may use their own older boxes in the event of a failure..]

How long Sky allow the card to revert back on the other hand is the question most payservers should be considering..

As it stands now the new system does nothing to prevent c/s, however, once Sky are happy they have updated all the smartcards (all those EMMs you've been seeing...) and have completed most (if not all) of the box upgrades, expect to see some disruption.

When this will be, you'll have to ask the boys over at Sky (and I'm not talking about their installers / customer support agents here lol)

Here's a quick overview of both the old and new data exchange:

Current:
ECM/EMM Data is fed to the box via the MPEG stream, it then passes it to the card for a response.

New:
ECM/EMM Data is fed to the box via the MPEG stream, it then further encrypts the data using a pairing key before passing it on to the card. The card decrypts this in order to then decrypt and process the original ECM/EMM command. The reply is then encrypted [again using the pairing key] and sent back to the box, which then decrypts and executes it.
Both the original ECM/EMM data and the reply have not changed, the only thing that has changed is the way the data was exchanged between the box and the card..

As has been mentioned (and seemingly ignored) in this thread beforehand, it is possible to use a card which has been updated to the new system by dumping the key from a new HD box (pretty much in the same way you dump an RSA key from a Nagra3 UK Cable box) which then allows the use of something like newcs, utilising the receiver ID of course.

This information is not publicly available as this would allow both ViasatHD and Sky (shortly) to be shared and to be honest, many that have worked on this are sick of all the exploitation...

================================================================================
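
The header bytes and character counts reported at the top of the post above are consistent with the standard MPEG-2 private-section header: a table_id byte followed by a 12-bit section_length. The following is an added example, not part of the original post; the function names and the zero-filled sample section are constructed here for illustration.

```python
# Added example: decode the 3-byte MPEG-2 private-section header that
# starts each ECM and check it against the lengths reported in the post.
from dataclasses import dataclass

ECM_TABLE_IDS = {0x80: "even", 0x81: "odd"}  # DVB ECM table_id values


@dataclass(frozen=True)
class SectionHeader:
    table_id: int
    parity: str
    section_syntax_indicator: int
    section_length: int  # bytes that follow the 3-byte header

    @property
    def total_bytes(self) -> int:
        return 3 + self.section_length

    @property
    def hex_chars(self) -> int:
        return 2 * self.total_bytes


def parse_section_header(section_hex: str) -> SectionHeader:
    raw = bytes.fromhex(section_hex)
    if len(raw) < 3:
        raise ValueError("need at least the 3 header bytes")
    table_id = raw[0]
    if table_id not in ECM_TABLE_IDS:
        raise ValueError(f"table_id 0x{table_id:02X} is not an ECM")
    length = ((raw[1] & 0x0F) << 8) | raw[2]  # low 12 bits of bytes 1-2
    return SectionHeader(table_id, ECM_TABLE_IDS[table_id], raw[1] >> 7, length)


def is_complete(section_hex: str) -> bool:
    """True when the capture holds exactly the bytes the header announces."""
    return len(section_hex) == parse_section_header(section_hex).hex_chars


# Header prefixes and character counts as reported in the post above.
REPORTED = {"80707A": 250, "807081": 264, "817082": 266}


def check_reported() -> dict:
    return {h: parse_section_header(h).hex_chars == n for h, n in REPORTED.items()}


# Constructed sample (zero-filled body, not real ECM data) for is_complete().
SAMPLE = "80707A" + "00" * 0x7A
```

All three reported lengths match the header's own length field (0x7A, 0x81 and 0x82 bytes plus the 3 header bytes), so the longer sections announce their size in the usual way.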
 
there's no proof

if they had dumps .etc
then maybe

right now it's all rumors i think

any1 willing to be a guinea pig??? ;)

hd box
dump it before new pairing upgrade

then dump it after new pairing upgrade

if there is a rsa then there will be a big chunk of code near the boxkey that will be rsa
and more than likely it will be encrypted

last time i did a bit of research the whole dump is encrypted

Also whoever posted above post on other forum if it was true he would be able to tell u a bit more about rsa and location or even header

.etc
 
I don't know if this will mean anything but I have been logging EMMs for the last few weeks and managed to catch the EMMs coming through before and at the time of the missing HD channels. Now on the log I have a unique EMM written to my card under a different serial, just the 1 EMM, but it is definitely a different serial for the card.

2014/04/22 17:44:04 036XXXXX00000000
2014/04/22 18:13:14 026XXXXX00000000
2014/04/23 07:14:49 036XXXXX00000000

Obviously the XXX's are to replace my serial, don't want to post it on a forum lol
 
I have got a DRX895 pre update, I could dump it depending on what TSOP it is. However I don't fancy pairing my card with it to do another dump......
 
Could u open it up and take pics of the chips??

And then we need a person who got same type of box but who has taken the hit

Compare both dumps

Box key will b different
MAC address will b different
And new pairing key will b different

But first need to know what chip is in there
 
Here are some pics, tbh i not got the reader to that chip

GL512P10FFCR1

Any way to jtag it or get the dump another way? There are 3 header points that i can see

Attached images: IMG_0027.JPG, IMG_0028.JPG, IMG_0029.JPG, IMG_0031.JPG, IMG_0032.JPG, IMG_0035.JPG, IMG_0042.JPG, IMG_0043.JPG, IMG_0044.JPG, IMG_0045.JPG
 
Missed some pics, can only add 10 at a time.

Attached images: IMG_0048.JPG, IMG_0050.JPG, IMG_0051.JPG, IMG_0053.JPG, IMG_0055.JPG
 
told u sky aint stupid

that chip is a ebga 64 package and 512mb in size

it CAN be protected and most probably is!

u can buy a new blank one for £12

i will check if my programmer supports it

here is the datasheet

Zippyshare.com - S29GL-P_00[1].pdf
 
The chip is protected, but can we JTAG or gain access another way? I remember reading about 2 years ago somewhere that someone was working on porting E2 to a Sky box, apparently they had most of it running but missing a few drivers. Whether it was the DRX890 I don't know but I do know it had a Broadcom chip. I will try to remember where I saw it and search for it, because they must have had access to get that far
 
It was a thomson box

Enigma 2 working on thomson Sky HD box - Technical - Digital Spy Forums

Sky HD Box mod ???? - Techwatch forums
 