Nagra Hex block Decryption

Hi

Box Dump =ok
CpuKey = ????
RSA =ok
BOX KEY =ok
OSCAM merlin =ok

No one will give the method in public. Hopefully a member will give it to you in private.

shaneem

Forget BOXKEY and RSA_N; now you need to use 3588, 3310 and 3460 of block 016c...
 
I think not. Because this oscam needs the RSA box key to start the card, and the CWPK key.
I think these keys
3588, 3310, 3460 we need to calculate the CWPK key.
 
I think not. Because this oscam needs the RSA box key to start the card, and the CWPK key.
I think these keys
3588, 3310, 3460 we need to calculate the CWPK key.
LOL:Cheers:

You are completely wrong, these keys are used to calculate other things...
 
But in nagra3 these keys are in block 16c. In nagra4 are these in block 000097?
But are these covered by some algorithm?
 
Keys 3588, 3310, 3460 we need to calculate other things. But how can we find these keys in the dump? It's all encrypted.
Is key 3310 the IDEA key????
 
For Nagra, to get your CPWK look in your dump for 00000097.
You will find a lot of occurrences of this!
The one that will help us is a block starting with 00000097 and containing at most 11 lines;
before those lines there must be FFFF, and after them as well.
 
But it is encrypted. I think keys 33 10 ...... must be used to find the key to decrypt block 000097.
 
Hi,

It's said that to decrypt those cpwk we need the cpukey to get them decrypted!

am i wrong ?

Kindly
 
By the way can someone send me the Oscam Merlin ?

Thanks !
 
Wow can we dump 3588,3310 and 3460 of block 016c... From any tivo box yet with this solution and use merlin oscam now? I need 8 dumping if possible please hope someone can PM me. Thank you

 
Can't, bud, your PM box is full :/

 
Can someone tell me if block 00 00 00 97 uses the same trick as the 00 00 01 6C block with 33 10 as the IDEAkey?
 
DOScam v0.26 coolapi2 has blocks 016c and 0097 inside.
I successfully reverse engineered DOSCam and the official sh4 nagra merlin firmware,
and also developed an oscam nagra3 reader that works with merlin cards; I can get the cw, but the flag is 5C, as for you.
Looking at DOSCam I found the author uses blocks 016c and 97 inside and decrypts block 97 before decrypting the cw, but it looks like he uses the NXP crypto core.
 
// Hex-Rays pseudo-C (ARM register annotations r0-r11/sp) of the control-word
// decrypt path lifted from the DOScam binary.  This is NOT compilable C:
// _BYTE, _DWORD, __fastcall and __clz are decompiler types/intrinsics, and
// v8, v9, v10, v11 and v12 are read without ever being assigned in this
// listing (register reuse the decompiler could not resolve).  Treat every
// call that receives one of them as "argument not recoverable from here".
//
// Visible flow:
//  1. Return 0 immediately when n_data->CWPK_cnt is 0.
//  2. hw_crypto_init + hw_crypto_open on n_data->crypto_dma.
//  3. Open a chain of slots (constants 2,2,0,1,0), set key 4 / mode 0, and run
//     two 8-byte hw_crypto_decrypt calls over CWPK_Ptr[0..8) and [8..16).
//  4. Tear the handle down (sub_7F014 must return 1), zero crypto_dma,
//     re-init/re-open it, open a second slot chain (3,3,1,1,0), set key 6 /
//     mode 1, and hw_cbc_decrypt the 8-byte cw buffer in place.
//  5. sub_7F520 on 5 and 6, then a final sub_7F014.
// Every failure after the handle is open funnels into LABEL_22, which calls
// sub_7F014(v7) on the current handle and returns 0.  The only success path
// is the final return, which yields 1 iff sub_7F014 returned exactly 1.
// dword_F12B8 is a file-scope global not shown on this page.
unsigned int __fastcall merlin_decrypt_cw(nagra_data *n_data, _BYTE *cw, int a3)
{
int cwpk_cnt; // r3@1
nagra_data *csystem_data; // r4@1
signed int *fd; // r6@2
bool v6; // zf@4
int v7; // r0@4
signed int v8; // r2@6            -- never assigned in this listing
_BYTE *v9; // r1@12               -- never assigned in this listing
int v10; // r2@12                 -- never assigned in this listing
int v11; // r3@12                 -- never assigned in this listing
signed int v12; // r2@16          -- never assigned in this listing
_BYTE *v14; // [sp+1Ch] [bp-24h]@1   -- stack copy of cw; its address is the
                                      //   one-entry buffer list for hw_cbc_decrypt
int v15; // [sp+24h] [bp-1Ch]@1      -- stack constant 8; its address is the
                                      //   one-entry length list for hw_cbc_decrypt


cwpk_cnt = n_data->CWPK_cnt;
csystem_data = n_data;
v14 = cw;
v15 = 8;
// No CWPK material counted -> nothing to decrypt.
if ( !cwpk_cnt )
return 0;
fd = &n_data->crypto_dma;
// a3 is forwarded to hw_crypto_init untouched; its meaning is not visible here.
if ( hw_crypto_init(&n_data->crypto_dma, cw, a3, cwpk_cnt) != 1
|| hw_crypto_open((_DWORD *)csystem_data->crypto_dma) != 1 )
{
return 0;
}
// First slot chain.  Each step re-reads crypto_dma into v7 so that LABEL_22
// always closes the handle that was just opened.
v6 = crypt_open(csystem_data->crypto_dma, 2) == 0;
v7 = csystem_data->crypto_dma;
if ( v6 )
goto LABEL_22;
v6 = crypt_open_slot2(v7, 2) == 0;
v7 = csystem_data->crypto_dma;
if ( v6 )
goto LABEL_22;
v6 = crypt_open_slot3(v7, 0) == 0;
v7 = csystem_data->crypto_dma;
if ( v6 )
goto LABEL_22;
// v8 is uninitialized here (decompiler artifact).
v6 = crypt_open_slot4(v7, 1, v8) == 0;
v7 = csystem_data->crypto_dma;
if ( v6 )
goto LABEL_22;
v6 = crypt_open_slot5(v7, 0) == 0;
v7 = csystem_data->crypto_dma;
if ( v6 )
goto LABEL_22;
// Key 4, mode 0.  The two 8-byte halves of CWPK_Ptr are decrypted with
// different constant pairs (0xA/0xC then 0xB/0xD); what those constants
// select is not visible in this listing.  A failure here takes LABEL_28,
// which only refreshes v7 before joining LABEL_22.
if ( !crypto_set_key(v7, 4, 0)
|| !hw_crypto_decrypt(
csystem_data->crypto_dma,
(const void *)csystem_data->CWPK_Ptr,
8u,
0xAu,
0xCu,
0,
0,
0,
dword_F12B8) )
{
goto LABEL_28;
}
v6 = hw_crypto_decrypt(
csystem_data->crypto_dma,
(const void *)(csystem_data->CWPK_Ptr + 8),
8u,
0xBu,
0xDu,
0,
0,
0,
dword_F12B8) == 0;
v7 = csystem_data->crypto_dma;
if ( v6 )
goto LABEL_22;
// Tear-down must report 1; note this early return does NOT go through
// LABEL_22, so no second sub_7F014 is attempted on failure.
if ( sub_7F014(v7) != 1 )
return 0;
// Handle is dropped and re-created.  v9/v10/v11 are uninitialized here; the
// real init arguments (presumably the same cw/a3/cwpk_cnt as above — TODO
// confirm against the binary) were lost by the decompiler.
csystem_data->crypto_dma = 0;
if ( hw_crypto_init(fd, v9, v10, v11) != 1 || hw_crypto_open((_DWORD *)csystem_data->crypto_dma) != 1 )
return 0;
// Second slot chain (3,3,1,1,0); same "refresh v7 then test" pattern as the
// first, folded into one condition.  v12 is uninitialized (artifact).
v6 = crypt_open(csystem_data->crypto_dma, 3) == 0;
v7 = csystem_data->crypto_dma;
if ( v6
|| (v6 = crypt_open_slot2(v7, 3) == 0, v7 = csystem_data->crypto_dma, v6)
|| (v6 = crypt_open_slot4(v7, 1, v12) == 0, v7 = csystem_data->crypto_dma, v6)
|| (v6 = crypt_open_slot3(v7, 1) == 0, v7 = csystem_data->crypto_dma, v6)
|| (v6 = crypt_open_slot5(v7, 0) == 0, v7 = csystem_data->crypto_dma, v6) )
{
// Common failure exit: close whatever handle v7 currently holds.
LABEL_22:
sub_7F014(v7);
return 0;
}
// Key 6, mode 1 is the key hw_cbc_decrypt below operates under.
if ( !crypto_set_key(v7, 6, 1) )
{
LABEL_28:
v7 = csystem_data->crypto_dma;
goto LABEL_22;
}
// One-entry scatter list: &v14 is both the input and the output pointer
// array (in-place on cw), &v15 is the length array (8), count 1.
v6 = hw_cbc_decrypt(csystem_data->crypto_dma, (int)&v14, (int)&v14, (int)&v15, 1u, 0, 0, 0, dword_F12B8) == 0;
v7 = csystem_data->crypto_dma;
if ( v6 )
goto LABEL_22;
sub_7F520(v7, 5);
sub_7F520(csystem_data->crypto_dma, 6);
// __clz(x - 1) >> 5 is 1 exactly when x == 1 (ARM CLZ of 0 is 32, and any
// non-zero operand gives < 32), so this reads "return sub_7F014(...) == 1".
return __clz(sub_7F014(csystem_data->crypto_dma) - 1) >> 5;
}
 
// Hex-Rays pseudo-C of the bulk CBC-decrypt wrapper around the cnxt_crypto_*
// (Conexant) driver calls.  Not compilable C (decompiler types/intrinsics).
//
// Parameters as used in this listing:
//   a1  context block, accessed as the dword array v11[]:
//         v11[0]      driver handle (*v11), re-opened when zero
//         byte @+16, v11[7], v11[9]  cached copies of a6, a7, a8
//         v11[2], v11[5], v11[6]     mode fields forced to 1, 3, 3
//         v11[14..21] input buffer pointers, one per list entry
//         v11[22..29] output buffer pointers, one per list entry
//         v11[30]     (== *(a1+120)) pointer to the cached length table, also
//                     handed to cnxt_crypto_request_bulk
//         v11[31]     counter incremented after each successful request
//         v11[97], v11[98..], v11[102]  key/IV bookkeeping, see below
//   a2  array of a5 output pointers (written back to after the request)
//   a3  array of a5 input pointers (copied into v11[14+i])
//   a4  array of a5 lengths; every entry must be non-zero
//   a5  list length; `a5 - 1 <= 7` is an unsigned compare, so 1..8 is
//       accepted and 0 wraps and is rejected
//   a6, a7, a8  mode bytes cached in the context; any change forces a
//       close/re-open and key/IV re-programming
//   a9  opaque value forwarded to cnxt_mem_malloc
// Returns 1 on success, 0 on any failure.
//
// Review notes (all visible in the code below):
//  - a4 (v9) is dereferenced in the first loop before the `!v9` null check
//    at LABEL_8, so the null check can never fire.
//  - `if ( v11[5] != 3 )` after v11[5] has just been forced to 3 is dead;
//    v11[6] is therefore never set here.
//  - When hw_crypto_open fails inside the reconfigure branch, v24 = 0 and
//    control still falls into LABEL_47: the memcpy loop and
//    cnxt_crypto_request_bulk run on a handle that was just closed, and the
//    result is 0 regardless of the request's outcome.
//  - After cnxt_mem_free(a1) the code relies on v11[14], v11[22], v11[30]
//    having been cleared so that cnxt_mem_malloc is called again; if the free
//    routine does not clear them, the memcpy loop writes into freed memory —
//    TODO confirm against cnxt_mem_free.
//  - v36 (= v11[31]) is read and never used (artifact).
int __fastcall hw_cbc_decrypt(int a1, int a2, int a3, int a4, unsigned int a5, unsigned __int8 a6, unsigned __int8 a7, unsigned __int8 a8, int a9)
{
int v9; // r4@1
unsigned int v10; // r6@2
_DWORD *v11; // r9@2
int v12; // r10@2
int v13; // r3@2
int v14; // r2@3
int v15; // r1@4
signed int v16; // r11@10
int v17; // r3@18
bool v18; // zf@20
int v19; // r3@20
int v20; // r3@22
signed int v21; // r0@28
int v22; // r7@28
signed int v23; // r8@29
char v24; // r7@36
int v25; // r11@37
int v26; // r3@37
int v27; // r0@42
int v28; // r8@44
int v29; // r0@44
int result; // r0@45
_DWORD *v31; // r11@47
int v32; // r8@47
void *v33; // r0@48
const void *v34; // r1@48
size_t v35; // r2@48
int v36; // ST08_4@49           -- read, never used
int v37; // r10@49
_DWORD *v38; // r8@50
int v39; // r5@50
size_t v40; // r2@51
void *v41; // r0@51
int v42; // [sp+10h] [bp-40h]@37
int v43; // [sp+14h] [bp-3Ch]@1
char s; // [sp+18h] [bp-38h]@37    -- first byte of a 16-byte stack struct
int v45; // [sp+1Ch] [bp-34h]@37   -- dword at +4 of that same struct


v9 = a4;
v43 = a2;
// Unsigned range check: a5 in [1, 8].
if ( a5 - 1 <= 7 )
{
v10 = 4 * a5;
v11 = (_DWORD *)a1;
v12 = a3;
v13 = 0;
// Validate lengths: any zero length -> fail.  If a cached length table
// exists (v11[30]) and any entry differs, drop the cached buffers.
while ( 1 )
{
v14 = *(_DWORD *)(v9 + v13);
if ( !v14 )
return 0;
v15 = *(_DWORD *)(a1 + 120);
if ( v15 )
{
if ( *(_DWORD *)(v15 + v13) != v14 )
break;
}
v13 += 4;
if ( v13 == v10 )
goto LABEL_8;
}
cnxt_mem_free(a1);
LABEL_8:
// (Re)allocate per-entry buffers only when none are held.  Note v9 was
// already dereferenced above, so the `!v9` test is unreachable as a guard.
if ( !v11[30] && !v11[14] && !v11[22] && (!v9 || !cnxt_mem_malloc((int)v11, a5, v9, a9)) )
return 0;
// v16 becomes 1 whenever any cached mode field changes; that forces the
// close/open + key/IV re-programming below.
if ( *((_BYTE *)v11 + 16) == a6 )
{
v16 = 0;
}
else
{
*((_BYTE *)v11 + 16) = a6;
v16 = 1;
}
v17 = v11[9];
if ( v11[7] != a7 )
{
v16 = 1;
v11[7] = a7;
}
v18 = v17 == a8;
v19 = v11[2];
if ( !v18 )
{
v16 = 1;
v11[9] = a8;
}
v18 = v19 == 1;
v20 = v11[5];
if ( !v18 )
{
v16 = 1;
v11[2] = 1;
}
if ( v20 != 3 )
{
v16 = 1;
v11[5] = 3;
}
// Dead branch: v11[5] is guaranteed to be 3 at this point.
if ( v11[5] != 3 )
{
v16 = 1;
v11[6] = 3;
}
// A 16-byte key doubles v22 and selects bit-mask 3 instead of 1 for the
// vault check further down.
v21 = crypto_key_size((int)v11);
v22 = v11[102];
if ( v21 == 16 )
v23 = 3;
else
v23 = 1;
if ( v21 == 16 )
v22 *= 2;
// Reconfigure when a mode changed or there is no open handle.
if ( v16 || !*v11 )
{
hw_crypto_close(v11);
if ( !hw_crypto_open(v11) )
{
// Falls through to the request with v24 = 0 (see header notes).
v24 = 0;
goto LABEL_47;
}
v25 = v11[102];
v42 = v11[97];
// The "key" handed to cnxt_crypto_set_key is this zeroed 16-byte stack
// struct with v22 stored at offset 4 — presumably a slot/index descriptor
// rather than raw key bytes; verify against the driver header.
memset(&s, 0, 0x10u);
v26 = *v11;
v45 = v22;
if ( !v26 )
{
hw_crypto_close(v11);
if ( !hw_crypto_open(v11) )
return 0;
}
// Driver calls here return non-zero on error (inverse of this function's
// own convention).
if ( cnxt_crypto_set_key(*v11, &s) )
return 0;
v27 = sub_7F568((int)v11);
if ( cnxt_crypto_set_cbc_iv(*v11, v11 + 98, v27) )
return 0;
// If bit (v23 << v11[102]) of v11[97] is set, push the key material at
// v11[4*v11[102] + 33] into the vault.
if ( v42 & (v23 << v25) )
{
v28 = v11[102];
v29 = crypto_key_size((int)v11);
cnxt_crypto_put_key_in_vault(v22, (int)&v11[4 * v28 + 33], v29);
}
}
v24 = 1;
LABEL_47:
// Copy each input buffer a3[i] (length a4[i]) into v11[14 + i].  The
// destination sizes come from the earlier cnxt_mem_malloc(a5, a4) — the
// length-table compare above is what keeps these in sync.
v31 = v11;
v32 = 0;
do
{
v33 = (void *)v31[14];
++v31;
v34 = *(const void **)(v12 + v32);
v35 = *(_DWORD *)(v9 + v32);
v32 += 4;
memcpy(v33, v34, v35);
}
while ( v32 != v10 );
v36 = v11[31];
v37 = cnxt_crypto_request_bulk(*v11, v11 + 14, v11 + 22, v11[30]);
if ( !v37 )
{
// Success: copy each output v11[22 + i] back into a2[i] (length a4[i]).
v38 = v11;
v39 = 0;
do
{
++v38;
v40 = *(_DWORD *)(v9 + v39);
v41 = *(void **)(v43 + v39);
v39 += 4;
memcpy(v41, (const void *)v38[21], v40);
}
while ( v39 != v10 );
++v11[31];
}
// 0 on driver failure; otherwise 1 only if the (re)open succeeded.
if ( v37 )
result = 0;
else
result = v24 & 1;
return result;
}
return 0;
}
 