Nagra Hex Block Decryption Research

Unique Mode will only work with extracted keys of the device the card is paired to.
to my knowledge ther is no public information of how to get unique cwpk of the module (cap102)
 
hello
I have a Max card and ci+ modul and it works with the global key but Arena 1, 3 and 5 do not work
What is the method for extracting unique keys

i use this config

[reader]
label = Max_1830
protocol = mouse
device = /dev/ttyUSB22
cacheex = 1
cacheex_allow_request = 1
cacheex_block_fakecws = 1
caid = 1830
mod1 = 9AB78201C1BA2786EEDBAB070FE498305AD6EF49CC5CFCD00352162DAC6E4DAB14B1A64ED76BD185D09468DB6CD1DEEFA6F4C8FD184FE97FF1C59514FF810DF7AE027B9B3B7C6BFD7A8BAF8CE1D2573AB575FFF6B3C69C6AD529EE8D9281BA2C6B2CEF7B8A8868D985F1685B533BB7D7
mod2 = E4C4CEFEAA0E49553FD4E1E3EA584EC8EDBB0C49154E22822C73804A31E4B77AB8EE61EA7B94A5C63F007CDFA877B9EE855433CD54E5897DDF1209340EA2725170C4295A8CDD056BDBD8E37C070C65C611536C25E164A0CF1169AB248FCCD275B3DC79496D168820487C68013F53BA79
key3588 = CC749F9BDC8617EA89D71FCCD7F13EA2D24F12833303108741D182145F07F7B18C548BDD541FF81568D538F8CAB0F4867FE11B1455D5D415994733C487E2589456D18DA580648C6A7701059AB2A011C34F11F68C52715FC2A34882C7E8D86E6EEA0104B6AF58017D6E01397DD3D17CD3756FE6CDA5715188E05D5F3AC266C70644B97AFF4A27A2C6
key3460 = AECF7DB631805A7DE10A7C2EC3CB3EFAD98AAA22ED2A42A8F1DAD8B1D281C8A9275E65BFA7F661FE9DFBF091A0EFC03A917C5900D041F399EDA9FC97C6B794BDAC524092658F5017090D55B71B2BB97027CABF89406B7D84A637EE0B9E24C06D
data50 = B6711C868C3EE72533A4E08C1364B83AEEFDEBE9FB54156A8776D872CBC41FF2E5EA2CBAF4F26A58C521EC53E310FC494354E49ECE6CD0F9631B724FAB0C8BAEC1F66C346AD2DB1CB3871AF44C1E1592
mod50 = DB9E1F1BD23C6153444E444D8E6C471E162EC63C599D44F476E0D40C3840E0FDB7B63D174DD73B575543983F2F2DFB94E3644958AE642C91636A6BE55528478EB7A422479598C68E6F1FC9D647BBC4D5
ecmheader = 0
nuid = 8453746F
cwekey = 9FC88E3318E647E1E5F8B261DC89F6D0
fix07 = 0
detect = cd
nagra_read = 1
detect_seca_nagra_tunneled_card= 2
mhz = 368
cardmhz = 368
group = 1
blockemm-unknown = 1
blockemm-u = 1
blockemm-s = 1
blockemm-g = 1
audisabled = 1
auprovid = 00AA80
read_old_classes = 0

thanks
desolder the flash chip, read it with a programmer and find a way to decrypt block 016c
 
The keys you already have them
you still missing two keys in your config, you need to add key3310 and idird to your config and it's ok.
use the latest attached oscam with it's config:

[reader]
label = Max_1830
protocol = mouse
device = /dev/ttyUSB22
autospeed = 0
caid = 1830
nuid = xxxxxx
cwekey = xxxxxxxxxxxxxxx
mod1 = xxxx
mod2 = xxxx
key3588 = xxxx
key3460 = xxxx
key3310 = 339Dxxxxxxxxxxxxxxxxxxxxxxxxx //search in your doc and you will find it
data50 = xxxxx
mod50 = xxxxx
idird = 67xxxxAC //search in your doc and you will find it
ecmheader = 0
detect = cd
detect_seca_nagra_tunneled_card= 2
mhz = 368
cardmhz = 368
ident = 1830:000000,00AA80,00AA81
group = 1
emmcache = 1,1,2,0
blockemm-unknown = 1
auprovid = 00AA80
Hello
Thank you for your help
I have IRDID For card : 67A--F45
I want key3310 can you send it to me
thanks
 
The keys you already have them
you still missing two keys in your config, you need to add key3310 and idird to your config and it's ok.

key3310 = 339Dxxxxxxxxxxxxxxxxxxxxxxxxx //search in your doc and you will find it
data50 = xxxxx
mod50 = xxxxx
idird = 67xxxxAC //search in your doc and you will find it

Dear copy paste man.. Do you know what this is about? You probably have no idea what the CAP102 module is and how block 016c is encrypted there.
 
The keys you already have them
you still missing two keys in your config, you need to add key3310 and idird to your config and it's ok.
use the latest attached oscam with it's config:

[reader]
label = Max_1830
protocol = mouse
device = /dev/ttyUSB22
autospeed = 0
caid = 1830
nuid = xxxxxx
cwekey = xxxxxxxxxxxxxxx
mod1 = xxxx
mod2 = xxxx
key3588 = xxxx
key3460 = xxxx
key3310 = 339Dxxxxxxxxxxxxxxxxxxxxxxxxx //search in your doc and you will find it
data50 = xxxxx
mod50 = xxxxx
idird = 67xxxxAC //search in your doc and you will find it
ecmheader = 0
detect = cd
detect_seca_nagra_tunneled_card= 2
mhz = 368
cardmhz = 368
ident = 1830:000000,00AA80,00AA81
group = 1
emmcache = 1,1,2,0
blockemm-unknown = 1
auprovid = 00AA80
Hi, could you give me an oscam cak7 unit for caid 1861? The public oscam doesn't work for me.
 
post above and you don't even know how to configure oscam properly and now you're playing an expert on encrypted block 016c in the module and you want a dump.. interesting ...
 
you know how to decrypt the encrypted block 016c of the CAP102?

00020000h: 29 57 86 0F 56 ED 6B E7 51 C2 CD 1D 75 46 03 F9
00020010h: 88 09 90 37 94 AA B5 EB 0F 1A B0 35 15 A4 15 78
00020020h: 90 43 44 08 D4 45 C1 4C B8 5D FD D7 5B AF 50 87
00020030h: D3 B9 F0 D7 20 B0 06 15 C2 95 C6 7E 38 ED A1 67
00020040h: 6B DB D4 AC 47 F0 68 A5 15 57 15 09 87 94 48 27
00020050h: 2A 84 E7 2F 28 C9 9D 29 7D 81 1B C6 A1 C5 FC 9A
00020060h: BB F7 4A AF 3D CF 6F 9F D0 B4 02 A6 2D CE 13 18
.......................................................................................
 
Hello
Thank you for your help
I have IRDID For card : 67A--F45
I want key3310 can you send it to me
thanks
Hello,
why you didn't say that the reader you posted before is not yours ?
i was confusing you with another user (@agatazit) which the DATA are from his module.
and in his config he blured just 'key3310' and 'idird' ... and i have them but i will not send them to you.

Ask, to the clever ones : @_vladovlado.., @fogo..., @_klivoklivo..., @jumbojumbo, ...etc Alias aka: @karlo.e to help you
....🖕💩
 
Last edited:
hello
I have a Max card and ci+ modul and it works with the global key but Arena 1, 3 and 5 do not work
What is the method for extracting unique keys

i use this config

[reader]
label = Max_1830
protocol = mouse
device = /dev/ttyUSB22
cacheex = 1
cacheex_allow_request = 1
cacheex_block_fakecws = 1
caid = 1830
mod1 = 9AB78201C1BA2786EEDBAB070FE498305AD6EF49CC5CFCD00352162DAC6E4DAB14B1A64ED76BD185D09468DB6CD1DEEFA6F4C8FD184FE97FF1C59514FF810DF7AE027B9B3B7C6BFD7A8BAF8CE1D2573AB575FFF6B3C69C6AD529EE8D9281BA2C6B2CEF7B8A8868D985F1685B533BB7D7
mod2 = E4C4CEFEAA0E49553FD4E1E3EA584EC8EDBB0C49154E22822C73804A31E4B77AB8EE61EA7B94A5C63F007CDFA877B9EE855433CD54E5897DDF1209340EA2725170C4295A8CDD056BDBD8E37C070C65C611536C25E164A0CF1169AB248FCCD275B3DC79496D168820487C68013F53BA79
key3588 = CC749F9BDC8617EA89D71FCCD7F13EA2D24F12833303108741D182145F07F7B18C548BDD541FF81568D538F8CAB0F4867FE11B1455D5D415994733C487E2589456D18DA580648C6A7701059AB2A011C34F11F68C52715FC2A34882C7E8D86E6EEA0104B6AF58017D6E01397DD3D17CD3756FE6CDA5715188E05D5F3AC266C70644B97AFF4A27A2C6
key3460 = AECF7DB631805A7DE10A7C2EC3CB3EFAD98AAA22ED2A42A8F1DAD8B1D281C8A9275E65BFA7F661FE9DFBF091A0EFC03A917C5900D041F399EDA9FC97C6B794BDAC524092658F5017090D55B71B2BB97027CABF89406B7D84A637EE0B9E24C06D
data50 = B6711C868C3EE72533A4E08C1364B83AEEFDEBE9FB54156A8776D872CBC41FF2E5EA2CBAF4F26A58C521EC53E310FC494354E49ECE6CD0F9631B724FAB0C8BAEC1F66C346AD2DB1CB3871AF44C1E1592
mod50 = DB9E1F1BD23C6153444E444D8E6C471E162EC63C599D44F476E0D40C3840E0FDB7B63D174DD73B575543983F2F2DFB94E3644958AE642C91636A6BE55528478EB7A422479598C68E6F1FC9D647BBC4D5
ecmheader = 0
nuid = 8453746F
cwekey = 9FC88E3318E647E1E5F8B261DC89F6D0
fix07 = 0
detect = cd
nagra_read = 1
detect_seca_nagra_tunneled_card= 2
mhz = 368
cardmhz = 368
group = 1
blockemm-unknown = 1
blockemm-u = 1
blockemm-s = 1
blockemm-g = 1
audisabled = 1
auprovid = 00AA80
read_old_classes = 0

thanks
You need to extract your own data from the CI+ module that this card is paired to. As @rtznfrtz said there is no known public way to extract the data from the module that your card is paired to yet. So, currently this card is only working with GLOBAL mode.
 
Back
Top