Nagra Hex block Decryption

Status
Not open for further replies.
Could someone confirm the following data for 3411 provider for the calculation of RSAN60 :
prime p=ae13.....010f
prime q=e258...a2bd
 
Why are people spending so much time guessing? You have an STB that contains all the stuff and you've got a CI+ too. The major problem of any device is that you can do the man in the middle. After the RSA handshake for CI+ you have an encrypted data stream that is covered by AES/3DES. From the chip itself you can grab information with a simple Arduino that can do power analysis, to grab the AES keys. Now you are able to listen to the full decrypted communication on both sides. If you have too much money, spend 250$ on a ChipWhisperer. Breaking AES is very easy if an IC handels the crypto in hardware. The same works for smartcards too... All you need is a grabbing device and a shunt resistor, and that's it.

Yup sure, ... "it's like extracting data from a Faraday cage, air-gapped, with a scratching needle, right... piece of cake". Sounds like a big pile of ChipWhisperers stuck on a shelf for years, "need to be out by the end of the week" propaganda.

I like the "handels" BTW
 
Sandy, exactly, a simple dev board can handle it. It was just a hint to those hobby pirates. Even a few don't know what a prime number is or the RND within DES or AES. Chipset pairing isn't real magic. But it's like you get what you paid for in security. The STBs used have so many issues themselves and the middleware is creepy. It's just a jigsaw; if you don't have access to that chip, take another. Like the smart TVs... they give you root access on the FS and you can gamble with it. You don't need to knock with a sledgehammer on an STB :) hehehehehee


In the end all you need is the CWs... why waste time on hardware if you can tackle the DVB CSA algorithm straight on, right ;) Although hobby pirates should be playing with the CSA scramblers instead, in order to generate their own signed CWs; that would change the game completely :)
 
Thanks for the reply.

And the CWs are not the purpose, but not in this way; the important thing is to understand the box / board process and reproduce the same.

I see it this way
 
Today I found some time to deal with cmd03. So after finding right result for keyRSAN60 99E9252B4079E3459FD42FCC177FCC9A5B52E1AB1595EF83953FF2866C3A90B7F5868BD32AB27C5AB765A728D24D765CD0B133CF16F32C1E223D1E78DF22E3D6BAB81FF1B8071E44A55773109ADEC08A149E6BC12CE35B23ACF6D043825825EB
I move a little bit forward ...
data1 : F820CB5C data2 : 56438533 stb ird : 64656D6F card serial : 48D6E5A5
I calculate the 1st step cmd03 payload : 000000FFDB9E1F1BD23C6153444E444D8E6C471E162EC63C599D44F476E0D40C3840E0FDB7B63D174DD73B575543983F2F2DFB94E3644958AE642C91636A6BE55528478EB7A422479598C68E6F1FC9D647BBC4D564656D6FF820CB5C56438533
encrypt it with RSAN60 and get
3AA7E84FD136F786CFFCE80779BB5A7ECE8EB5CF8329B4DD24A56488C8943A82F321B56CC62DAC5678A3898C495065AF96CA3986846A5FA18DF3A52A60B0B852F8DFB9B61AFF5B012ABA9BF7B3A514C0BCF20750F71B88175CB57201B9A38DB0
then I calculate 2nd step cmd03 payload
000000FF48D6E5A53AA7E84FD136F786CFFCE80779BB5A7ECE8EB5CF8329B4DD24A56488C8943A82F321B56CC62DAC5678A3898C495065AF96CA3986846A5FA18DF3A52A60B0B852F8DFB9B61AFF5B012ABA9BF7B3A514C0BCF20750F71B88175CB57201B9A38DB0
encrypt it with RSA68 9D2749FF7606E62DEB1A1B12DBB49ED37426C2E389C0FFA1510A6F54420B040ED007505A75D6042865CA847BB2BEF2A4D3A8B50F9A0310F32996C1171E3F725E75C202A93E4312C5202A231255DB217BF71FF9EA745C5B3FFA88D0C427509419354E9D5860EDA7FF
and get
65AE82110498D752E1C925F5063EA92FCBE2015A7D5B13446FA36E04A0FDD4F856D77C68E684E3617BC7563D45FBCFFCDF9D0DB2772DC591AC84E104A05645BD995C3B9053F34515918E8CA40122A6DC3804C041C7FF5D32A3A956B00C7FC76511DE9F065C5B1511
then I calculate 3rd step of cmd03 payload
000000FF65AE82110498D752E1C925F5063EA92FCBE2015A7D5B13446FA36E04A0FDD4F856D77C68E684E3617BC7563D45FBCFFCDF9D0DB2772DC591AC84E104A05645BD995C3B9053F34515918E8CA40122A6DC3804C041C7FF5D32A3A956B00C7FC76511DE9F065C5B1511
encrypt it with rsa6C
AF626E45A45F8AE484DCDB3FF0FBC51B43976F4BFF93E741406CA34622955BE99F6C9C72A32D169423E3EB59D08AF31C2DC06FB16B5DC6BAF23AD4901EBEE6FE9FD145BC706CF43A9556C2B32F1BC5BDA3499B3132A386E14E91B391264B98303DDDA05F2F431D55CBD72235
and get
6FC8480B948339FCDEBD495CC84289BE9231D221421421ABC7B1D166E784FD4002B14040CCABFDA887C22FD47ACD2299BE7FF28DB2BB00E08A2C500493FC0A0CAB8CF85CFB0AD2FB95D73D110F1CCC7C77FAFAA8E3C7160187B12A9296B5ACD43640CD6DF46AF9C8F102B606
then I calculate the payload of cmd03 to send
DA8258FA00000C036C6FC8480B948339FCDEBD495CC84289BE9231D221421421ABC7B1D166E784FD4002B14040CCABFDA887C22FD47ACD2299BE7FF28DB2BB00E08A2C500493FC0A0CAB8CF85CFB0AD2FB95D73D110F1CCC7C77FAFAA8E3C7160187B12A9296B5ACD43640CD6DF46AF9C8F102B606CCCCCCCCCCCCCCCCCCCCCC
and I send the following cmd
21008680CA00008004084E946156891A9D6328866D1806E5C6116791DB2B8AD8D28676736437A05DEEC8E9AFCA9368AE3E208B1B71404F33E1CECF91EA526415EA9CD75C4F4E8979A7C83F2031002174DAE8E4665AD2F2A6BFD06617BFD430602E7E3062A6C93A38722F361194F885CDEB544BD55AAF4D0C43BDD6A974CB88D13EC31FCF616BB10790B2
but I get no response from the card.
Could someone check what goes wrong???
 
you mean this ?? MOD2 86713F416E581727B9D5A1E365876EE6C92CA8D6EC62878BA436A114C8092BFA125189DF6CE1C4BA5D0A6A4F7A96785F5AB95E511C42E6D08894E5257A907DF50314BD3B71751E02E4AA8BD6287937E9019E52D46D417C8E93FBB0EC2222F6C67EE11CCE239DF10ABE01F947AC8FA41B
It's about the 3411 provider. Where is it used??
 
Mod1 = Used for RSA decrypt of data DT05_00 and DT05_10 (these 2 cmds are used in smartcards with global pairing; this means the card can be swapped to another STB from the same provider)

Mod2 = Used for RSA decrypt of CMD dt05_20 (this cmd is only available in smartcards with a unique pairing table). This gets 50% of the DT05_20 process done; the other 50% is to generate the MDC2 signature and also to calculate the Flag58 3DES SW key.
 
OK, these are included in the well-known PDF. What I am asking is: where is RSA mod2 used at the stage of cmd03 payload formation??
 
The following are from a real log HD02 in alphacrypt module found on the net :

data1 : 65EB55EF
stbird : 64656D6F
card serial : 48CD6498
data2 : 53F67799
provider : 3411

rsa88 : FF4D54D984C85F83E0441945FC56B213243ABA7FBC24D05B 9D7EEECE530980AE6B5AEE3A41CE0975EFA6BF1E984FA4116F43CACDD06E69FA25C1F9118E7AD019C0EB00C0572A40B7FF8ABB2521D750E735A185CDA6D3DEB33D16D494768A828C7025D400D0648C26B95F44FF7370AB43F568A2B1B58A8E025F9606A8C34F15CD99C269B83568114C
RSA60 : 99E9252B4079E3459FD42FCC177FCC9A5B52E1AB1595EF83953FF2866C3A90B7F5868BD32AB27C5AB765A728D24D765CD0B133CF16F32C1E223D1E78DF22E3D6BAB81FF1B8071E44A55773109ADEC08A149E6BC12CE35B23ACF6D043825825EB

which is the 0x6c payload of cmd03 unique pairing ???
 
I calculate it totally wrong and I don't know where the mistake is ...
1st step
000000FFDB9E1F1BD23C6153444E444D8E6C471E162EC63C599D44F476E0D40C3840E0FDB7B63D174DD73B575543983F2F2DFB94E3644958AE642C91636A6BE55528478EB7A422479598C68E6F1FC9D647BBC4D5 64656D6F 65EB55EF 53F67799
rsa with 99E9252B4079E3459FD42FCC177FCC9A5B52E1AB1595EF83953FF2866C3A90B7F5868BD32AB27C5AB765A728D24D765CD0B133CF16F32C1E223D1E78DF22E3D6BAB81FF1B8071E44A55773109ADEC08A149E6BC12CE35B23ACF6D043825825EB
I get 516FD5F93EFB43CC49616D65255CE50D642ABB0F8FC7251BB2AA854F4FE01BE9DFAF9D9C5D4C61CF4998FA6F695C55E0BD70788E34258B66F94ADE564AA045815FD58E26706CE10909978B0576555FC0BA94D3F9DC03E0F25E36F2702C435975


2nd step
000000FF48CD6498516FD5F93EFB43CC49616D65255CE50D642ABB0F8FC7251BB2AA854F4FE01BE9DFAF9D9C5D4C61CF4998FA6F695C55E0BD70788E34258B66F94ADE564AA045815FD58E26706CE10909978B0576555FC0BA94D3F9DC03E0F25E36F2702C435975
rsa with 16A8491922021FD330D8BC70D9C0FD5EA17B07B4FAC5A96836E36DB68F8C8AA09891D4C0D27CB066DED51D563780379E3DAAA44EF95D3AB25610B11DBB58F7863730A6BED865FFC227B41512FC1A89DEB01405CED8E423736D16F01C81F40249093B338C1A1BF009
I get 01452A7091DC27286C9DB88771DABE8AC1F2C2DDC9606D0A61A2B10E17BB9F1270358F1B42C1F299C8AA3D7F951C7A467446B1AAA72B4E47776FE8DEF0C50767B2A6CAC8134CE3E53BE8C9C9CD7437984296538FB703AE9209A9B8C057CDC7335073F799E831642A


3rd step
000000FF01452A7091DC27286C9DB88771DABE8AC1F2C2DDC9606D0A61A2B10E17BB9F1270358F1B42C1F299C8AA3D7F951C7A467446B1AAA72B4E47776FE8DEF0C50767B2A6CAC8134CE3E53BE8C9C9CD7437984296538FB703AE9209A9B8C057CDC7335073F799E831642A
rsa with AF626E45A45F8AE484DCDB3FF0FBC51B43976F4BFF93E741406CA34622955BE99F6C9C72A32D169423E3EB59D08AF31C2DC06FB16B5DC6BAF23AD4901EBEE6FE9FD145BC706CF43A9556C2B32F1BC5BDA3499B3132A386E14E91B391264B98303DDDA05F2F431D55CBD72235
I get 02EABA8D5302A4A996588E6864E71C2FAA308A6D0908FC9D698B8A11B1FDE941B671155B54AC37AED6AFEB61EFB11A319D57BFE0A5213B08512CB9385D1663162ADC238F261EE472D3594F8F0792B61B8B0C87C8B30D1D6C60D9DE45D78E400068928664A6EF66C7717F1E35
which is NOOOOOT right.
Please, someone give me some help ...
 