Nagra Hex block Decryption

Status
Not open for further replies.
Why are people spending so much time guessing? You have an STB that contains all the stuff and you have a CI+ too. The major problem of any device is that you can do a man in the middle. After the RSA handshake for CI+ you have an encrypted data stream that is covered by AES/3DES. From the chip itself you can grab information with a simple Arduino that can do power analysis, to grab the AES keys. Now you are able to listen to the full decrypted communication on both sides. If you have too much money, spend $250 for a ChipWhisperer. Breaking AES is very easy if an IC handles the crypto in hardware. Same works for smartcards too.... All you need is a grabbing device, a shunt resistor and that's it.
 

Very, very true, CW is a very good tool for breaking AES / 3DES keys. Hat the friend
 
That's not true, ChipWhisperer is not as simple to work with as many people say...
Maybe I don't understand anything about it. :rolleyes: :) ;)
 
Going one step further, for the calculation of RSA60 for cmd03, do we just take the first 0x18 of rsamodulus88 and expand them to get 0x60 bytes??
I have already coded this algorithm; could someone give the first and last bytes of the result for the 3411 provider, just to make sure that everything is right?
 
...we just take the first 0x18 of rsamodulus88 and expand them to get 0x60 bytes ??

Yes, your team is right.

You can verify the result by using it on an RSA example. The result of the expand function is p and q.
With p and q and 65537 as the public exponent, you can calculate the private exponent and the modulus.

Look, that's simple math.
 
And there is also a prime test, but if you have no idea what this is, maybe you should look for another hobby or learn basic programming and math first.
 
The great question is how to access the CPU...
 
...Breaking AES is very easy if an IC handles the crypto in hardware. Same works for smartcards too....

No, it's not very easy like you say.
Smartcards use hardware circuits with implemented countermeasures against currently known power analysis.
We can hope that SMiT or SmarDTV do not use circuits like that...
ChipWhisperer is useful in 99% mainly for hobby microcontrollers, if you mean just power analysis ;)
In an STB CPU they don't care about power analysis, so they don't need to implement all of what I mentioned at the top of this post,
because for a CPU like that you would need a device 10x faster than any ChipWhisperer, with a price range which would probably kill you.
And even if you pay for a device like that, you would need to clean the power line from the STB, which is almost impossible to do on devices as large as that.
You would also need a specific trigger to catch specific events with AES or 3DES, with a crazy price of course, or done by yourself; if you know FPGA you can do it for sure.
 
But for an STB CPU you don't need any power analysis; time has shown us that there is no DVB CPU secured enough against reading pairing keys,
not any STi or BCM or MStar or whatever, because they all share security circuits with the main kernel. These systems can't work correctly without sharing modules between each other, so anything they can do is just blame the STB manufacturers about fake security and play for time until the chipset warranty ends.
Chipset pairing security was popular in 2011 - 2016; now it is almost a fairy tale.
 
Ok, thanks sandy55.

It is out of the question that I buy specific material, and that said, a purchase of this nature is necessarily for profit, which I categorically exclude. My approach is simple: to find a fault with my own means; if there is none, it means the industrialist has done his work well, which I doubt greatly.
 
Anything you want to do with SCA or glitching must all be specific to your work.
No ChipWhisperer would help you without knowing FPGA etc.; this is a total waste of money.
They have enough good triggers with full management for glitching, so you can just buy some kind of FPGA development board, download the ChipWhisperer code and sync this board with your circuit without managing FPGA code, just with an external app talking to this FPGA.
 
Sandy, exactly, a simple dev board can handle it. It was just a hint to those hobby pirates. Even few know what a prime number is or the RND within DES or AES. Chipset pairing isn't real magic. But it's like you get what you paid for in security. The used STBs have so many issues themselves and the middleware is creepy. It's just a jigsaw; if you don't have access to that chip, take another. Like the smart TVs... they give you root access on the FS and you can gamble with it. You don't need to knock with a sledgehammer on an STB :) hehehehehee
 

As for this dump from MEO Portugal, we face new system keys that operate at CPU level; the new length of the block (0x886) may give us an idea of how complex the system is.

Here is another example block for checking....

This new kernel, or whatever this is, was already hacked in a short time by IKS forever; they have meosat 4k working, take a look there ;)
 