cs vm on dbox? need a team

don't need to do that, i can tell you what he does.

he compares two dumps and then gives you the diff bytes ie boxkey ird

now since the rsa keys are going to be the same on every box that uses the dt08 method how the fook is he going to compare them.

as for sending him a box looking for the sk well then if that's what the so called scene has become then maybe it is about time it was over.

nobody wants to try anything these days, it's all give me, give me or i'll pay for it, no wonder why there's so many traders

tr0jan

First you have to get your hands on a dump.
The problem is to remove a chip which is glued to the mainboard on newer boxes, read the content and mount it again without bricking the box.
 
a little harsh i think

I agree, sadly I think with the current mindset that seems to be setting in a bit here, there is a danger of throwing the baby out with the bathwater, or tarring everybody with the same brush.

Of course there are people who want everything on a plate, but not everybody will be capable of getting in depth, whether for time reasons, or lack of commitment, or dare I say even just sheer brain power. (Or somewhere in between on all three counts.) Everybody had to start somewhere, once upon a time.

Myself, I'm more than willing to learn and try things, time and my own brain capabilities permitting. However, I'm tending to get my info elsewhere currently, for fear of being accused of wanting to be spoon fed, or being ranted at.

Just my 2p worth, 'natch. :)
 
I agree, sadly I think with the current mindset that seems to be setting in a bit here, there is a danger of throwing the baby out with the bathwater, or tarring everybody with the same brush.

Of course there are people who want everything on a plate, but not everybody will be capable of getting in depth, whether for time reasons, or lack of commitment, or dare I say even just sheer brain power. (Or somewhere in between on all three counts.) Everybody had to start somewhere, once upon a time.

Myself, I'm more than willing to learn and try things, time and my own brain capabilities permitting. However, I'm tending to get my info elsewhere currently, for fear of being accused of wanting to be spoon fed, or being ranted at.

Just my 2p worth, 'natch. :)

Have you ever considered that the spoon fed comment and rants are to get you to get off your arse and try something? anything????
 
guys there is enough info available here and all over the net, it's just a matter of reading, learning, and then putting it into practice :). since i started this thread i've learnt lots and been experimenting, so why not learn, experiment and then put your ideas forward instead of waiting for someone else to do all the work. And making silly comments ....lol

It's all possible and has been done (not by me "yet") but i'm working hard to get to the bottom of it :proud:
 
guys there is enough info available here and all over the net, it's just a matter of reading, learning, and then putting it into practice :). since i started this thread i've learnt lots and been experimenting, so why not learn, experiment and then put your ideas forward instead of waiting for someone else to do all the work. And making silly comments ....lol

It's all possible and has been done (not by me "yet") but i'm working hard to get to the bottom of it :proud:

What's the current status of you getting the RSA details from the box? Without this everything is useless
 
As an aside...

How big are the control words and how do they relate (I don't just mean "they decrypt it", I mean the algorithm) to the decryption of the whatever stage of the stream that they work on?

A complete datasheet of an MPEG decoder used in any box would be of interest to me.
 
so how many traders do you know that can hack???

well i would be lying if i said a lot so i won't say a lot, but i am a member on other sites that have "traders" on them that are indeed, as you call em, hackers.

why do people get so uptight about traders? do you really think you would have any hacks for cable without them? mosc cards that come out was done for profit not for fun and would you really have the ondigi hack because of a hobbyist in his backroom - come on get real.

most hacks if not all hacks get done for profit then slowly filtered down to the hobbyist to play with.

so nurture the trader coz you are going to need em....

on a personal level i would not bother trying to hack (won't happen) but to utilise what you already have C/S is the way forward - little c/s group for you and your family on a vpn and no one is any wiser.........
 
I see that where I was going had been considered before:

http://en.wikipedia.org/wiki/Common_Scrambling_Algorithm

Reading the paper at the bottom, it looks a bit like work on my screen anyway, for a change.


If CSA is still used?

I thought that parts of the video itself may be predictable. Especially with the way MPEG compression works. I don't know what the decryption is performed on yet, anyone know?

I'll go off and look at this while everyone fiddles with CS ;). Imagine being able to do-away with cards!

I think the AViA GTX and another chip was used in the older Pace units as this overview shows. Can someone confirm what they were? Seems that the MPEG decoding was done by a separate IC, is that after decryption?

What happens if you feed these things bogus CWs?
 
I like this bit:

"Were CSA to be broken, encrypted DVB transmissions would be decipherable, regardless of any proprietary conditional access system used. This could seriously compromise paid digital television services, as DVB has been standardised on for digital terrestrial television in Europe and elsewhere, and is used by many satellite television providers. No attack has yet been published, however."

You seen it here first ;). Attacking the CSA implementation is the way forward!

Some insight into the descrambling provided by Xilinx:

http://www.xilinx.com/publications/3rd_party/products/Helion_DVB_CSA_AllianceCORE_data_sheet.pdf
 
I like this bit:

"Were CSA to be broken, encrypted DVB transmissions would be decipherable, regardless of any proprietary conditional access system used. This could seriously compromise paid digital television services, as DVB has been standardised on for digital terrestrial television in Europe and elsewhere, and is used by many satellite television providers. No attack has yet been published, however."

You seen it here first ;). Attacking the CSA implementation is the way forward!

Some insight into the descrambling provided by Xilinx:

http://www.xilinx.com/publications/3rd_party/products/Helion_DVB_CSA_AllianceCORE_data_sheet.pdf


There have been mumblings for a while about bruteforce attacks on CSA using FPGAs decrypting looking for headers. I don't know of anyone that's actually tried it though.
I think it would be seriously pushing it for time, because let's face it, you wouldn't be using something like that direct in a box, it would be a cardshare server type effort - without the card.

If the TV people got wind that the CSA was broken in that way it wouldn't last long before a new standard was seen.

@the_dvd_guru... Most traders are nobheads. They are the main reason that most of the coders stopped posting interesting things. They're certainly the reason that I stopped playing with cable anyway.
 
I think CSA3 was implemented in 2008 although CSA was still secure.

I've been reading about the brute forcing using multiple hardware threads in FPGAs. I see that finding something recognisable in the stream can narrow the key space.

Train an Artificial Neural Net to look for things in scrambled stream?

The implementation of CSA in the boxes might have holes in it?

"Digital broadcast data
To understand how CA is used, we first need to look at the data it encrypts. Each individual program that a broadcaster provides is composed of many elements, such as video, audio and text. In digital television, these elements are converted into digital form using the MPEG-2 codec. The MPEG-2 data associated with each program are broken up into many packets, and the sum total of these packets for each program is called the program elementary stream (PES). The PES for each program is then multiplexed together with those of other programs. This stream of multiplexed programs is then broken up into 188-byte packets for transmission, at which point it is called the digital video broadcast (DVB) MPEG-2 transport stream (TS). The CA service can scramble the programming data either at the PES level or the TS level. (For digital terrestrial TV, however, the ATSC specifies that scrambling must take place at the TS level.)"


Some more reading:

nagravision.com/online/online02/article_7.html

broadcastengineering.com/mag/broadcasting_conditional_access/
 
well i would be lying if i said a lot so i won't say a lot, but i am a member on other sites that have "traders" on them that are indeed, as you call em, hackers.

why do people get so uptight about traders? do you really think you would have any hacks for cable without them? mosc cards that come out was done for profit not for fun and would you really have the ondigi hack because of a hobbyist in his backroom - come on get real.

most hacks if not all hacks get done for profit then slowly filtered down to the hobbyist to play with.

so nurture the trader coz you are going to need em....

on a personal level i would not bother trying to hack (won't happen) but to utilise what you already have C/S is the way forward - little c/s group for you and your family on a vpn and no one is any wiser.........

the on-digi hack was done by murdoch the same as the n1 hack, this was done not for the traders but to try to make sat companies buy the sky encryption off him
 
Your real problem with brute forcing CSA is the timeframe. You effectively have 8 seconds to break a 48 bit key. While that is possible, it's unlikely to be viable outside of a lab due to the expensive nature of the required hardware. Maybe in a few years but chances are that CSA3 will be in use anyway by then.
 
Need a way of telling the key has been found as well.

I'll order some Virtex boards at work!

They will probably want to phase out older STBs that aren't CSA3 capable.

I wonder what encryption is used on the headend satellite downlink :eek:.
 
Have you ever considered that the spoon fed comment and rants are to get you to get off your arse and try something? anything????

Yes mate, and I have. But if people post and immediately get jumped on, and accused of wanting to be spoon fed, then it has a negative effect IMO. (I'm not talking about people who post bollox simply asking/saying where can I download fix, but people who are looking to get involved and find things for them to utilise on their own gear.)

But anyway, I'm really not looking to fall out, just stating my thoughts on it, rightly or wrongly.
 
Seems that there were a few papers on the brute-force CSA attack but nothing practical.


No one any idea on the downlinks? L-Band? Daft idea but turns cable into satellite.
 
Need a way of telling the key has been found as well.


I'm sure if decrypted with the correct key the data will have a header in a known format.
If it's the wrong key it will be garbage (unless by chance it matches a header, unlikely though), so once you see the header you have won - for the next 8 seconds at least lol.
 
I'm sure if decrypted with the correct key the data will have a header in a known format.
If it's the wrong key it will be garbage (unless by chance it matches a header, unlikely though), so once you see the header you have won - for the next 8 seconds at least lol.

Don't think it's that easy!

The DVB header info on TS packets isn't encrypted, only the actual packet data content. You'd have to retrieve a full encapsulated data packet (more than likely multiple 188 byte TS packets) and then try and decode that. I'm not even sure that would work because of the compressive nature of MPEG stream data where the decompression often relies on previous packets.
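
The point made in the post above, that the 4-byte TS packet header travels in the clear while only the payload is scrambled, can be seen by parsing the header fields. This is an added example, not part of the original thread: the sample packets are constructed, `build_packet` is a hypothetical helper, and the field layout assumed is the ISO/IEC 13818-1 header with the DVB meaning of the two scrambling-control bits.

```python
from dataclasses import dataclass
from typing import Optional

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
# DVB meaning of the 2-bit transport_scrambling_control field
SCRAMBLING = {0: "clear", 1: "reserved", 2: "scrambled (even key)", 3: "scrambled (odd key)"}

@dataclass
class TsHeader:
    pid: int
    payload_unit_start: bool
    scrambling: str
    continuity_counter: int
    payload_offset: Optional[int]  # None when the packet carries no payload

def parse_ts_header(packet: bytes) -> TsHeader:
    """Decode the 4-byte header, which is never scrambled."""
    if len(packet) != TS_PACKET_SIZE:
        raise ValueError("a TS packet is exactly 188 bytes")
    if packet[0] != SYNC_BYTE:
        raise ValueError("missing 0x47 sync byte")
    pusi = bool(packet[1] & 0x40)
    pid = ((packet[1] & 0x1F) << 8) | packet[2]
    tsc = packet[3] >> 6
    afc = (packet[3] >> 4) & 0x03
    offset = 4
    if afc & 0x2:  # adaptation field: one length byte, then that many bytes
        offset += 1 + packet[4]
    if offset > TS_PACKET_SIZE:
        raise ValueError("adaptation field overruns the packet")
    has_payload = bool(afc & 0x1) and offset < TS_PACKET_SIZE
    return TsHeader(pid, pusi, SCRAMBLING[tsc], packet[3] & 0x0F,
                    offset if has_payload else None)

def build_packet(pid, tsc, cc, pusi=False, adaptation=b""):
    """Hypothetical helper: constructs a sample packet with filler payload."""
    afc = 0x3 if adaptation else 0x1
    header = bytes([SYNC_BYTE, (0x40 if pusi else 0) | ((pid >> 8) & 0x1F),
                    pid & 0xFF, (tsc << 6) | (afc << 4) | (cc & 0x0F)])
    field = bytes([len(adaptation)]) + adaptation if adaptation else b""
    return (header + field).ljust(TS_PACKET_SIZE, b"\xAA")

if __name__ == "__main__":
    clear = build_packet(0x100, tsc=0, cc=5, pusi=True)
    scrambled = build_packet(0x101, tsc=2, cc=9, adaptation=b"\x00" + b"\xFF" * 6)
    for pkt in (clear, scrambled):
        print(parse_ts_header(pkt))
```

The PID, continuity counter and payload offset are readable for both packets; only the bytes from `payload_offset` onward differ in whether they are scrambled.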
 
Some good pictures here:

une.edu.ve/~jduran/Dvb.htm


TSReader?
tsreader.com/tsreader/index.html
 
don't wish to piss on ya chips but if ya can brute-force CSA then you're wasting your time on N3, move over to NDS........

N3 will not be hacked for a lonnnnnnnnnnnnnnnng time.........
 