schwarzekatze
Member
- Joined
- May 1, 2021
- Messages
- 25
- Reaction score
- 4
i didnt dig deep how it exactly works but basically from my opinion is just otp key matterHi guys, anybody already know how dCWPK is generated (on receiver or card)?
There is a lot of false or just useless information that goes nowhere, but anyway this is what I discovery and tested for now about CAK6.3 and CWPK.
Need send NUID to CMD2A to can receive CW (crypted by 3DES), without this no CW is received in some or all HD channels.
This is a example of CMD2A:
A0 CA 00 00 1E 2A 1C 00 FF FF FF FF 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 11 42
A0 CA 00 00 => Header
1E => All Size without Header
2A => Command
1C = > Data Size
00 => ?? (not know)
FF FF FF FF => NUID
00 08 => OTP-CSC (maybe?)
00 00 => OTA-CSC (maybe?)
00 00 00 00 00 00 00 00 => ?? (not know)
00 00 00 00 00 00 00 00 => ?? (not know)
00 => ?? (not know)
22 11 => Provider ID
42 => Expected Response Size
After a lot of tests I discovery:
CWPK only change if NUID is changed.
OTP-CSC or OTA-CSC needs to be filled to enable CWPK, if both are 00 not will enable CWPK.
Change Provider ID or fill ?? data with random values not make any differ in CWPK.
All tests were performed on a DNASP142 RevG13
from my opinion provider A have root key AABBFF and its smartcards have same key
now when provider A smartcard receive nuid BBAACCFF it calculate SCK key from BBAACCFF+AABBFF = ECW encrypt dcw with sck calculated from obffuscated BBAACCFF+AABBFF value
in stb side cpu calculate same sck key from BBAACCFF+AABBFF it just does ecw decrypt , whether smartcard does dcw encrypt
now provider B doing exactly same with one exception - with the different otp key:
root key CCBBAA:
FFDDAACC+CCBBAA = ECW encrypt dcw smartcard side and dcw decrypt stb cpu side
it so called global dcw pairing closed to 1 provider
it is tied to 1 provider because obffuscated sck values have been calculated from unique otp key so even if you send provider A nuid to provider B smartcard it would calculate you wrong ecw because otp_key calculated sck would not match