Nagra Hex block Decryption

Status
Not open for further replies.
dognaldo said:
Try flashcatUSB + bga24 socket (find in aliexpres........)


View attachment 123358
Click to expand...
flashcat is clone of blackcat usb and i think is available only in america
i have there another clone blackcat usb ive bought it from ebay they sent from china
but... it has some problems with hardware only spi 3.01 hex file can be loaded to it
so it works only with older firmware flashcat/blackcat
need to find correct schematic of original blackcat usb

as about flashrom for me flashcat/blackat is much better
1. it has nice software and any new flash can be easy added
2. flashrom has problems with M25PX16 macronix flash which was found in certain ci+ , it has problem to identiffy bga format ;)
 
56809 is a 3232CS Series. I guess 58XXX is 6464 or 7272 in CS means it hasn´t the Bug anymore for glitch the regular AT90SC32/64/72/144C
 
bolle2k said:
56809 is a 3232CS Series. I guess 58XXX is 6464 or 7272 in CS means it hasn´t the Bug anymore for glitch the regular AT90SC32/64/72/144C
Click to expand...
you can still "glitching" latest smartcards but not with glitches like you knows from past ;)
clock glitch was fixed up from 7272sc series
 
but in reality even if you glitch you wont knows whats was glitched and especially if eeprom using hardware encryption
whats you can only do there is DFA attack with glitching included
not DPA but differentiall fault analisys
 
Would this be a Rom180???

;-------------------------------------------------------------------------------
; MICROCHIP OVERVIEW
; AT58808 16-bit microcontroller
; 16 Kb ROM
; 164 Kb EEPROM
; 16 Kb FLASH
; STANDARD ATR
; 3B F7 11 00 01 40 96 70 70 0A 0E 6C B6 D6
;
; INSTRUCTION SET: compatible with 8051/52 standard set
;-------------------------------------------------------------------------------
 
Aseal said:
Would this be a Rom180???

;-------------------------------------------------------------------------------
; MICROCHIP OVERVIEW
; AT58808 16-bit microcontroller
; 16 Kb ROM
; 164 Kb EEPROM
; 16 Kb FLASH
; STANDARD ATR
; 3B F7 11 00 01 40 96 70 70 0A 0E 6C B6 D6
;
; INSTRUCTION SET: compatible with 8051/52 standard set
;-------------------------------------------------------------------------------
Click to expand...
no
this informations comming from old seca siemens cpu
siemens has 8051 instruction set
thats not atmel or microchip old fake informations there
 
Spectre said:
I decapped a UK ROM180 die some years ago when they were first issued and I found that the overall die dimensions were different to one which someone in Southern Europe had measured (die is approximately 3.14mm x 3.9mm here).

Some other measurements are here: Interesting info about stripped Nagra smart card chips

Which claim the ROM180 die to be 3.08mm x 3.02mm suggesting it is different.

Here are some micrographs of identification found on it if anyone is interested. These are the only visible markings outside of the tamper mesh.

View attachment 123446

View attachment 123447
Click to expand...

the pdf files are offline, anyone have them?thanks
 
Block 0886?
I read that it decodes in a similar way to block 016c,
using a new cryptographic algorithm other than IDEA


:cool::cool::cool::cool::cool::cool::cool::cool::cool::cool:
 
kinko55 said:
Thanks to everyone who replied to my question about the programmer to use for dumping.
I have a new question and please if someone who can privide just a litte knewledge by answer yes or no it will be a good thing.
I've just take the decesion to open my ci modul to dump for dump and as I'm a nobby in electronic aI'm facing some issue and I'm blocked at the first stage but perhaps I have reason for what I'm thinking about.

so I will attach 2 pics of my ci-modul front and back.
I see there is 3 memroy in front of the ci-modul and at the back there is also 3 places where I think we connect some pins to read the bga memory without desoldering the bga or the cpu or the flash?

so what they think some specialiste here? I have reason yes or no?
Please if anyone could give a little reply or litte help I will be so happy and it will give me more energy to continue to try dumping this modul.

The flash memory is Adesto® AT45DB161E its a BGA 8 PINS.

Kind regards to all.
Click to expand...

Could you tell us, from which provider your CI+ CAM is?

It seem to be from manufacturer SmarDTV. There is a serial number and a product code.

Serial is like this:

Systemcode + Year + Week + Manufacturing site + Serial Number

SSSSYYWWMNNNNN

Product code is like this:

Type of CPU + Provider + Version + Revision

P/N: CI03xx XXXNN RX.X

I would like to know serial but of course without the last 5 digits and the product code.
 
I just had a private conversation with kinko55:

CAM is from UPC Switzerland, P/N: CI0311-CBB01 R1.2

SmarDTV CAP 100 CPU: nagra block 16C is extractable
 
In general: If CAM has SmarDTV CAP 102 - you can see this from P/N starting with CI0355 the is no known way at the moment.

CAMs with P/N starting with CI0315 may be possible, but I don't know which CPU is inside.
 
Status
Not open for further replies.

Similar threads

eon
    • Like
ND$ EMM Breakdown
Replies
0
Views
3K
eon
eon
Mick
New File Added: DreamboxEDIT (dreamedit) 5.2.0.0 without setup
Replies
0
Views
5K
Mick
Mick
Mick
New File Added: DreamboxEDIT (dreamedit) 5.2.0.0 with setup
Replies
3
Views
4K
Mick
Mick
R
Help with DVB-C, Plugins and Nagra 2 decryption.
Replies
1
Views
6K
willin
willin
irlam
Team Xecuter RGH2.0 For CoolRunner Rev A and B
Replies
4
Views
9K
dibbers
dibbers
Back
Top