Nagra Hex block Decryption

Status: Not open for further replies.
Thanks for the reply Trojan,
I may have worded that entirely wrong. In an earlier post Mick said that there are 2 blocks of equal size, so for example let's call them A and B: block A is encrypted with the IDEA key (IRD + constant), the result of which is then XOR'd with the already encrypted block B. This gives us a plaintext block where we can read the cam_n.

Block A <<<<<<< is this block the same in all receivers with the same header 016C/E 9882 ??
Block B 016C/E 9882 (with IRD + bk data)

Thanks Andy
 
There is only one block in VM boxes.

The block begins with 00 01 6C xx xx xx xx 03 03, where the xx xx xx xx is the IRD. That is why every block will be different and, when decrypted, will give a different cam_n: the key used to decrypt/encrypt will begin with your IRD, so the key will be xx xx xx xx ff ff ff ff. The ff is the same on every box, but as you can see the IRD used will be different, so the decrypt/encrypt will be different. The 01 6C is the size of the block.

When it comes to the 9882 block, the header will be 00 98 82, which when bit-swapped will give you 00 01 6C, but this method is not used in VM boxes (yet).

Then you have the 00 00 97 block, which is becoming more common with certain providers (not on VM yet). Sly, for example, are using this method for an extra encrypt/decrypt on the HD channels.

00 00 97 = 151 bytes
xx xx xx xx NUID, something like sly is using with the new receiver ID
00
01
XX XX provider ID, i.e. VM, Dish, etc.
01 number of CWPKs active
00
01
81 = 0x81 hex = 129 bytes (containing the CWPK encrypted keys)
10 = 0x10 hex = 16 bytes header, CWPK key sizes
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx = CWPK0 encrypted
0000000000000000000000000000 = CWPK1 encrypted
1111111111111111111111111111 = CWPK2 encrypted
2222222222222222222222222222 = CWPK3 encrypted
3333333333333333333333333333 = CWPK4 encrypted
4444444444444444444444444444 = CWPK5 encrypted
5555555555555555555555555555 = CWPK6 encrypted
6666666666666666666666666666 = CWPK7 encrypted
bbbbbbbbbbbb

This method is used at the minute for just the HD channels, but I'm sure it can be used for all channels. Going by what I have read about this method, it seems the control word pairing key decrypts the encrypted CW, and the final result is the plain CW key used for audio and video. Same as the sly blank channels on HD.

Then on certain providers they have started encrypting the whole flash, so unless you know the method used to encrypt/decrypt the flash you won't be able to find any block, whether it is 00 00 97, 00 01 6C, etc.

Hope that explains it better for you.

tr
 
Thanks again Trojan,

I did read somewhere recently about the 00 00 97 header (cak_CPU), but there doesn't seem to be a lot of information. Will this bind the card to the hardware? Would the hardware ID have to be spoofed in some way? Getting ahead of myself, still looking at the 016c/e block.

Thanks Andy
 
No spoofing. What you need is to find the CW pairing keys, which, going by what I have heard, are in the CPU. That means, unlike other methods, the keys are not decrypted/encrypted and stored in RAM. They never leave the CPU, so unless you have the right hardware and the know-how to remove them from the CPU (as you can see with max-tv and others, they can be got), c/s will turn into just big servers/dealers.
 
Is this similar to the Xbox 360? Did that not use keys stored on the CPU? This is way above me but very interesting. I'm still stuck on decrypting the 016e/c block: the actual decrypting routine, and which part of the block to apply the IDEA key to, all of it or part of it. Thanks for all the replies anyway.

Andy
 
Do you need more than the IDEA key (IRD + constant) and the 00 01 6C? Is there other information contained within a full flash dump that is needed to be able to decrypt the data?
 
No.
 
Thanks again Trojan. Any hints on breaking the block down for decryption? Could you take a look at this data for me: if I had an IRD number, say "12345678", and an 8-byte data block, for example 96 CF 37 C8 5F 20 74 5E, would encrypting it using the IDEA key (IRD + constant) give a value of ?? (EB258CD2AB87FEF9)
 
Hi Andy

The best hint I can give you without posting the keys or method (you wouldn't want that anyway) is to look at the dump that has been posted, then look at the decrypted keys posted, and see if you can decrypt the dump and end up with the same keys. Since you already know what is used, you will get the right keys.

tr
 
Thanks for your time Trojan, and no, I don't want the method, that would be far too easy. I'll just keep trying. I have a few dumps and I'm already using the method you're suggesting and coming up with different keys, so either my method is wrong, my IDEA constant key is wrong, or I'm encrypting/XORing the wrong data.

Thanks Andy
 
20 08 7dd56df7400b6086
30 08 a37d68e276caa14b
31 40 349ee90aaa6d3c477d7c69b89381bcf9607531b731ce2dce3bdf7bed1fd5a894b453610eb54144d63724dcacdfff368c6fd32d436121740aa5908591438e1550
d0 08 9e8899d297b724aa

rsa=349ee90aaa6d3c477d7c69b89381bcf9607531b731ce2dce3bdf7bed1fd5a894b453610eb54144d63724dcacdfff368c6fd32d436121740aa5908591438e1550

bk=3df5f130e17d85e1

@Trojan, could you enlighten me on the significance of 20 08 / 30 08 / D0 08 / 31 40 / E0 02? If it doesn't give too much away...

Thanks Andy
 
Forget about 20 08.

What you need to know is:

30 08 is XOR'd with D0 08 to get your box key, both 8 bytes.
31 40 is your cam_, 40 bytes hex = 64.
D0 08
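The relation Trojan states above (record 30 XOR record D0 = box key) can be checked directly against the record list and the bk/rsa values Andy posted a few messages earlier, and the 00 01 6C header layout Trojan described in his first reply can be parsed the same way. The following is an added example written for this thread, not code posted by Andy, Trojan or anyone else here. It only does what the thread states: it parses the "tag length hex" records, checks each declared length, XORs the two 8-byte records, and validates the 00 01 6C / IRD / 03 03 header. The IDEA step is deliberately not implemented, since the thread does not give it, and the 00 01 6C sample block at the bottom is constructed for illustration, not a real dump.

```python
# Added example for this thread (not code posted by Andy or Trojan). It parses the
# "tag length hex" key list Andy posted, checks each declared length, derives the box
# key the way Trojan describes (record 30 XOR record D0), and parses the 00 01 6C block
# header as he lays it out. The IDEA step is not implemented: the thread does not give
# it. The 00 01 6C sample block below is constructed, not a real dump.
from dataclasses import dataclass

# Records as posted (tag, length, value), with the line-wrap spaces in the hex removed.
POSTED_RECORDS = """\
20 08 7dd56df7400b6086
30 08 a37d68e276caa14b
31 40 349ee90aaa6d3c477d7c69b89381bcf9607531b731ce2dce3bdf7bed1fd5a894b453610eb54144d63724dcacdfff368c6fd32d436121740aa5908591438e1550
d0 08 9e8899d297b724aa
"""
# The "rsa=" and "bk=" values posted alongside the records, used here as expected results.
POSTED_RSA = ("349ee90aaa6d3c477d7c69b89381bcf9607531b731ce2dce3bdf7bed1fd5a894"
              "b453610eb54144d63724dcacdfff368c6fd32d436121740aa5908591438e1550")
POSTED_BK = "3df5f130e17d85e1"


def parse_records(text: str) -> dict:
    """Parse 'TT LL hex...' lines into {tag: value bytes}.

    All hex pieces after the length are joined, so a value that a forum extraction
    wrapped with spaces still parses. A value whose size disagrees with LL is rejected
    rather than silently truncated, which is the usual sign of a bad copy/paste.
    """
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        tag, length = int(parts[0], 16), int(parts[1], 16)
        value = bytes.fromhex("".join(parts[2:]))
        if len(value) != length:
            raise ValueError(f"record {tag:02x}: declared {length} bytes, got {len(value)}")
        if tag in records:
            raise ValueError(f"record {tag:02x} appears twice")
        records[tag] = value
    return records


def box_key(records: dict) -> bytes:
    """Trojan's rule: record 30 XOR record D0 gives the box key, both 8 bytes."""
    a, b = records[0x30], records[0xD0]
    if len(a) != 8 or len(b) != 8:
        raise ValueError("records 30 and D0 must both be 8 bytes")
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class BlockHeader:
    size: int    # 0x016C, "the size of the block" per Trojan
    ird: bytes   # the 4 IRD bytes, which is why every box's block differs


def parse_016c_header(block: bytes) -> BlockHeader:
    """Check the layout Trojan gives: 00 01 6C | IRD (4 bytes) | 03 03 ..."""
    if len(block) < 9 or block[0] != 0x00:
        raise ValueError("not a 00 01 6C block")
    size = int.from_bytes(block[1:3], "big")
    if size != 0x016C:
        raise ValueError(f"unexpected block size {size:#06x}")
    if block[7:9] != b"\x03\x03":
        raise ValueError("expected 03 03 after the IRD")
    return BlockHeader(size=size, ird=block[3:7])


# Constructed sample block (assumed layout, not a real dump): the header followed by
# zero filler, with the IRD written as the four bytes 12 34 56 78.
SAMPLE_BLOCK = bytes.fromhex("00016c" "12345678" "0303") + b"\x00" * (0x016C - 9)


def check_posted_values() -> bool:
    """Reproduce the posted bk and rsa values from the posted records."""
    recs = parse_records(POSTED_RECORDS)
    return box_key(recs).hex() == POSTED_BK and recs[0x31].hex() == POSTED_RSA


if __name__ == "__main__":
    recs = parse_records(POSTED_RECORDS)
    print("bk  =", box_key(recs).hex())
    print("rsa =", recs[0x31].hex())
    print("ird =", parse_016c_header(SAMPLE_BLOCK).ird.hex())
```

Running it reproduces bk=3df5f130e17d85e1 from the 30 08 and d0 08 records and confirms that the 31 40 record is exactly the 64-byte value Andy labelled rsa, which is the kind of cross-check worth doing on any dump before trusting a key pulled out of it.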
 
Thanks, Trojan. Here the important thing is to learn, and for someone to show us the light. :) It is fun and exciting, this, learning after arriving home from my job. :)
 
Is it possible to reverse the decrypted key back to the encoded block? So reverse 8 bytes, then find those 8 bytes in the original block?
 
Yes, it is the same method to encrypt as it is to decrypt.

But as I said, it would be easier for you to play with the dump posted, as you have both sets, one encrypted and one decrypted, so you know what you should end up with.
 
Thanks for answering my questions Trojan. Can I PM you to check something?

Thanks Andy
 
Did you get the PM Trojan? It's not showing in my sent messages...?
 