Nagra Hex block Decryption
- Thread starter fes_786
- Start date
- Status
I extracted with the programmer up2008.Now I do not know what to do, I'm a little lost.
Hi everybody!
I'm trying to learn the old method (016C block) using a bin I have here which already has the extracted bk/rsa from it.
I applied this algorithm, without any success:
1) Create IDEA key concatenating IRD + generic key (101924.....)
2) Get the 45 blocks of 8 byte starting after the 03 03
3) Encrypt this 45 blocks with IDEA algorithm
4) XOR result with original 45 blocks
This method didn't worked and no clue of the extracted RSA on the results. Could someone help me with this?
If you don't want to post this at public forum, just send to me a PM.
Any help will be really appreciated!
I'm trying to learn the old method (016C block) using a bin I have here which already has the extracted bk/rsa from it.
I applied this algorithm, without any success:
1) Create IDEA key concatenating IRD + generic key (101924.....)
2) Get the 45 blocks of 8 byte starting after the 03 03
3) Encrypt this 45 blocks with IDEA algorithm
4) XOR result with original 45 blocks
This method didn't worked and no clue of the extracted RSA on the results. Could someone help me with this?
If you don't want to post this at public forum, just send to me a PM.
Any help will be really appreciated!
It doesn't work for me, that's why I'm asking for someone who can help me to do this...
I understand perfectly, you could teach me how to use this old method, maybe I can get.
thanks
I'm also interested in 016C block CRC/checksum. Any idea?
I have another question. I got almost the 9882 block converted to 016C and decrypted, but some bytes are not ok (I have the good bk&rsa extracted). My question is, could someone tell me if there is some special bit swapping or other operation to do with the 9882 block?
Could someone PM me a 9882 dump in order to know if my dump is corrupted or "my method" is not good, please?
Enviado desde mi D5803 mediante Tapatalk
I have another question. I got almost the 9882 block converted to 016C and decrypted, but some bytes are not ok (I have the good bk&rsa extracted). My question is, could someone tell me if there is some special bit swapping or other operation to do with the 9882 block?
Could someone PM me a 9882 dump in order to know if my dump is corrupted or "my method" is not good, please?
Enviado desde mi D5803 mediante Tapatalk
Hi lads
Been a long time since my visit here and i must admit whilst googling for something else i have stumbled across this old topic....
Ok so first things first...
1- as we all know or most of us do know, there was some features added along the years on the kudos stuff
One of them was the chipset hardware key protection, it means that a new feature on the card and STB cpu side was enabled/activated this feature is mainly used for CW(control word protection) its basically a key stored inside the CPU decrypted that will do the last step decrypt process on the CW returned from the card. After stb side cw decryption with session key, the output cw instead of being forward to the a/v descrambler it still encrypted with 3DES and it needs to be decrypted with 3des key stored inside the CPU. which means the same 3des key stored inside the smartcard was used to encrypt de cw on card side also.
2- as you know there are several types of CPU and each core has its own functionality some old core and some new core..
Normally new core type cpus already contain a new block stored in the STB flash firmware also known as block 0097xxxxxxxxxxxxxxx this block contains the CPUID+cputype architecture+provider id+8 keys encrypted.
this 8 keys are the full key table that will be used on the cpu after decrypted ofcourse on the cpu, the output plain result of this keys will be used to decrypt the control words on the final stage.
3- but on older core versions like sti7105 and few others, there is no 0097block stored on the flash firmware so in this case the CA vendor and provider use a new CAID famously known as CAID 18FE this CAID broadcasts a smaller EMM that contains the encrypted 3DES key inside, this EMM contains the CPUID with bytes inverted ofcourse + encrypted key.
this encrypted keys are then sent to the CPU and decrypted with another Master ROOTKEY inside the CPU. and will output the final 3des CW key and store it on another area of the CPU and there it will be stored to be used on the next incoming ECM from the smartcard side..
as for the new generation with 0097block this keys are not sent via CAID 18FE , but at the CPU STB init the selected key from the block is sent to the CPU and also decrypted with the CPU rootkey, and also the same output decrypted result is then stored on another address of the CPU and will wait for the encrypted CW to be sent from the card also.
So the CAID 18FE is known in the real CAK lib terms as the OTA CSC "Over The Air Chipset Secure Core" and the 0097 block on the flash firmwrae is also known as the OTP CSC "One Time Programmable Chipset Secure Core"
But its allways good to remind of something aldo new core uses the 8 subkeys stored on the block, if provider wishes they can also update new key over OTA CSC meaning they will stop using the keys on the block and use newly update key over the air if they want.
So with that said we know that only options available are 2 options
1- glitch the card , and disassemble the actual code inside the card that generates this 3deskey based on the CPUID+extra data from provider ID stored inside the card
2- Glitch the CPU on the stb and access the CPU to read the plain 3DES key stored inside the CPU and then use it on the EMU side. but again if you do the second option it means u have no access to the card.
but if you are a real geek genious that know how to glitch the smartcard why bother spending time finding how the 3des key for cw overencryption is generation and not move straight into the full ECM , Decrypt keyset to decrypt CW directly on Emulation..
So we know now how to decrypt the 016c block , also how to invert swap bytes of some CPU types sh4 which people call block 9882 , its nothing more then a simple byteswapping BGA programmer machine dump reading.. on the flash which in the end will become also 016c and appply same IDEA algorithm decryption..
again for the 3DES key (nagra generates this key inside the smartcard on boot of the STB/CARD pairing process)thats why they send on new cmd$2a the cpuid of the STB that the card will be running...by receiving from the STB the cpuid on the cmd2a sent to the card.. +provider id and some extra data stored on the card side this will produce the correct plain 3des key.
on the CPU side this key is stored either on the flash block 0097 or sent via EMM but ofcourse this key is encrypted with another secured hw key inside the cpu. so this key will only be decrypted inside the correct CPU with the correct CPUID.
Maybe who knows if some have fully reversed all the map functions on the rom110 maybe... just maybe there could be some hints on how this 3DES key is generated on the RAM side of the smartcard.. and if we send to the card a different CPUID the card will generate a new 3des key on the smartcard RAM that will match the CPUID new sent....
so yeah basically thats what is happening the new secure Hardware chipset feature is nothing more then ......
1- on smartcard init there is some code + input data CPUID +Provider ID sent from STB side on cmd2a to generate the 3des key , this 3des key encrypts the CW extracted previously from the ECM
2- STB side it contains unique master key on each STB cpu that will decrypt the encrypted 3DES key matching to that STB cpuid number, and after decryption of the e3deskey the final result 3des key will be 100% macthing the same key generated on the smartcard side using the same CPUID sent from STB to the card.
ofcourse there is also a new system (not so new around 6 years old) called merlin
its a new complete pairing mechanism used on some providers with new ROM Cards. this does not involve IDEA session key neither IDEA session key instead uses another algorithms and alot more keysets for pairing structure , the ECM structure is also different and EMM also.
and if this was not enough they also applie the Chipset hardware pairing feature enabled which means after doing all new pairing card/stb init, they still have to deal with the same CW 3des key protection mechanism which works exactly the same way
so we have CAK6 and 6.3 aladin which uses normal cmd2a/2b cmd26/27 with idea session key + 3des cpu key pairing cw
and we have new CAK7 and CAK7.5 merlin pairing mechanism that also contains as extra features 3des cpu hw pairing, but one thing they can also share in common the same 016c block which contains extra keys not used on the cak6.3 but might be used on cak7
Hint => So going back to the main conversation of the topic, if you have 1 3deskey+paired cpuid decrypted for one specific provider, you can use this key for all other cards from the same provider companie. because the cards from same provider when u send the same CPUID on CMD2A for all the cards from the same provider this cards will generate the same 3des key inside of all the cards, this key will then encrypt the CW and forward the cw encrypted to the STB, so if the EMU software contains the same CPU+3deskey it will decrypt the cw sent from the card correctly on all the cards from the same provider with the Same CPUid sent on cmd$2a
Benfica200
DW Member ++
- Joined
- Dec 1, 2013
- Messages
- 280
- Reaction score
- 221
Really?!hahahahaha.:hubbahubba:Hi lads
Been a long time since my visit here and i must admit whilst googling for something else i have stumbled across this old topic....
Ok so first things first...
1- as we all know or most of us do know, there was some features added along the years on the kudos stuff
One of them was the chipset hardware key protection, it means that a new feature on the card and STB cpu side was enabled/activated this feature is mainly used for CW(control word protection) its basically a key stored inside the CPU decrypted that will do the last step decrypt process on the CW returned from the card. After stb side cw decryption with session key, the output cw instead of being forward to the a/v descrambler it still encrypted with 3DES and it needs to be decrypted with 3des key stored inside the CPU. which means the same 3des key stored inside the smartcard was used to encrypt de cw on card side also.
2- as you know there are several types of CPU and each core has its own functionality some old core and some new core..
Normally new core type cpus already contain a new block stored in the STB flash firmware also known as block 0097xxxxxxxxxxxxxxx this block contains the CPUID+cputype architecture+provider id+8 keys encrypted.
this 8 keys are the full key table that will be used on the cpu after decrypted ofcourse on the cpu, the output plain result of this keys will be used to decrypt the control words on the final stage.
3- but on older core versions like sti7105 and few others, there is no 0097block stored on the flash firmware so in this case the CA vendor and provider use a new CAID famously known as CAID 18FE this CAID broadcasts a smaller EMM that contains the encrypted 3DES key inside, this EMM contains the CPUID with bytes inverted ofcourse + encrypted key.
this encrypted keys are then sent to the CPU and decrypted with another Master ROOTKEY inside the CPU. and will output the final 3des CW key and store it on another area of the CPU and there it will be stored to be used on the next incoming ECM from the smartcard side..
as for the new generation with 0097block this keys are not sent via CAID 18FE , but at the CPU STB init the selected key from the block is sent to the CPU and also decrypted with the CPU rootkey, and also the same output decrypted result is then stored on another address of the CPU and will wait for the encrypted CW to be sent from the card also.
So the CAID 18FE is known in the real CAK lib terms as the OTA CSC "Over The Air Chipset Secure Core" and the 0097 block on the flash firmwrae is also known as the OTP CSC "One Time Programmable Chipset Secure Core"
But its allways good to remind of something aldo new core uses the 8 subkeys stored on the block, if provider wishes they can also update new key over OTA CSC meaning they will stop using the keys on the block and use newly update key over the air if they want.
So with that said we know that only options available are 2 options
1- glitch the card , and disassemble the actual code inside the card that generates this 3deskey based on the CPUID+extra data from provider ID stored inside the card
2- Glitch the CPU on the stb and access the CPU to read the plain 3DES key stored inside the CPU and then use it on the EMU side. but again if you do the second option it means u have no access to the card.
but if you are a real geek genious that know how to glitch the smartcard why bother spending time finding how the 3des key for cw overencryption is generation and not move straight into the full ECM , Decrypt keyset to decrypt CW directly on Emulation..
So we know now how to decrypt the 016c block , also how to invert swap bytes of some CPU types sh4 which people call block 9882 , its nothing more then a simple byteswapping BGA programmer machine dump reading.. on the flash which in the end will become also 016c and appply same IDEA algorithm decryption..
again for the 3DES key (nagra generates this key inside the smartcard on boot of the STB/CARD pairing process)thats why they send on new cmd$2a the cpuid of the STB that the card will be running...by receiving from the STB the cpuid on the cmd2a sent to the card.. +provider id and some extra data stored on the card side this will produce the correct plain 3des key.
on the CPU side this key is stored either on the flash block 0097 or sent via EMM but ofcourse this key is encrypted with another secured hw key inside the cpu. so this key will only be decrypted inside the correct CPU with the correct CPUID.
Maybe who knows if some have fully reversed all the map functions on the rom110 maybe... just maybe there could be some hints on how this 3DES key is generated on the RAM side of the smartcard.. and if we send to the card a different CPUID the card will generate a new 3des key on the smartcard RAM that will match the CPUID new sent....
so yeah basically thats what is happening the new secure Hardware chipset feature is nothing more then ......
1- on smartcard init there is some code + input data CPUID +Provider ID sent from STB side on cmd2a to generate the 3des key , this 3des key encrypts the CW extracted previously from the ECM
2- STB side it contains unique master key on each STB cpu that will decrypt the encrypted 3DES key matching to that STB cpuid number, and after decryption of the e3deskey the final result 3des key will be 100% macthing the same key generated on the smartcard side using the same CPUID sent from STB to the card.
ofcourse there is also a new system (not so new around 6 years old) called merlin
its a new complete pairing mechanism used on some providers with new ROM Cards. this does not involve IDEA session key neither IDEA session key instead uses another algorithms and alot more keysets for pairing structure , the ECM structure is also different and EMM also.
and if this was not enough they also applie the Chipset hardware pairing feature enabled which means after doing all new pairing card/stb init, they still have to deal with the same CW 3des key protection mechanism which works exactly the same way
so we have CAK6 and 6.3 aladin which uses normal cmd2a/2b cmd26/27 with idea session key + 3des cpu key pairing cw
and we have new CAK7 and CAK7.5 merlin pairing mechanism that also contains as extra features 3des cpu hw pairing, but one thing they can also share in common the same 016c block which contains extra keys not used on the cak6.3 but might be used on cak7
Hint => So going back to the main conversation of the topic, if you have 1 3deskey+paired cpuid decrypted for one specific provider, you can use this key for all other cards from the same provider companie. because the cards from same provider when u send the same CPUID on CMD2A for all the cards from the same provider this cards will generate the same 3des key inside of all the cards, this key will then encrypt the CW and forward the cw encrypted to the STB, so if the EMU software contains the same CPU+3deskey it will decrypt the cw sent from the card correctly on all the cards from the same provider with the Same CPUid sent on cmd$2a
Benfica200
DW Member ++
- Joined
- Dec 1, 2013
- Messages
- 280
- Reaction score
- 221
1-Nagra Unique ID (NUID) – ensures uniquely identified chipsets;
2-Unique device secrets – ensures device secrets are not accessible in memory for secure decryption of secrets,entitlements, content keys and control words;
3-Software authentication – provides software tamper-resistance and secure boot loading via an
embedded RSA key;
4-Debug port protections – prevents observation and modification of software and data in memory during execution; and
5-Persistent Values & Configuration – defines specific secure chipset configurations and values that must set and locked.
Specification and implementation guidelines used by chipset vendor design teams
Nagra certification team and processes to certify chipset implementations
A common cross chipset API to access the NOCS hardware elements
Nagra Black Boxes that are installed in chipset manufacturers around the world for key insertion into the chipsets..
Source-NOCS
2-Unique device secrets – ensures device secrets are not accessible in memory for secure decryption of secrets,entitlements, content keys and control words;
3-Software authentication – provides software tamper-resistance and secure boot loading via an
embedded RSA key;
4-Debug port protections – prevents observation and modification of software and data in memory during execution; and
5-Persistent Values & Configuration – defines specific secure chipset configurations and values that must set and locked.
Specification and implementation guidelines used by chipset vendor design teams
Nagra certification team and processes to certify chipset implementations
A common cross chipset API to access the NOCS hardware elements
Nagra Black Boxes that are installed in chipset manufacturers around the world for key insertion into the chipsets..
Source-NOCS
Benfica200
DW Member ++
- Joined
- Dec 1, 2013
- Messages
- 280
- Reaction score
- 221
ST7111 > help
The following 88 commands are defined:
HELP - <commandname> Displays help string for named commands ans
LIST - <commandname or partial> Lists all strings of command ano
SHOW - <symbolname> Displays symbol values and macro contents
DELETE - <symbolnames> Removes named symbols or macros
IOBASE - <hex/decimal> Sets default I/O radix for input and output
VERIFY - <flag> Sets echo of commands for macro execution
PRINT - Formats and prints variables
SOURCE - <filestring><echoflag> Executes commands from named file
SAVE - <filestring><constflag> Saves macros, var, consts to file
LOG - <filestring><outputflag> Logs all command I/O to named fe
UNSOURCE - <filestring><echoflag> Removes named commands from namede
STATS - <none> Display Symbol Statistics of Testtool
EVAL - <commands> Executes the commands given as argument
GETSTRING - Waits for a string and returns it
CONFIG_TESTTOOL - <num_char_to_match> <return_result> Configure testtool fs
DISPLAY - <Address> <Range> Displays local memory content
DISPLAY_B - <Address> <Range> Displays local memory content in byte t
SEARCH - <String> <Address> <Range> Searchs for local memory conts
FILL - <Address> <Range> <Value> Fill local memory with value
COPY - <Address> <Range> <NewAddress> Copy local memory content
ALLOC - <Size> Allocate some memory in partition
FREE - <Address> Deallocate the memory
LOADMEM - <Filename> <Address> <Maxsize> Loads file at specified as
DUMPMEM - <Filename> <Address> <Size> Dump memory to binary file
PEEK - <Address> Extracts 32 bit memory value
POKE - <Address> <Value> Sets 32 bit memory value
SPEEK - <Address> Extracts 16 bit memory value
SPOKE - <Address> <Value> Sets 16 bit memory value
BPEEK - <Address> Extracts 8 bit memory value
BPOKE - <Address> <Value> Sets 8 bit memory value
GETKEY - Get a key
WAIT - <Milliseconds> Pause operation for a time period
ZAP - Change I/O controls UART/CONSOLE
HISTORY - History of last commands
POLLKEY - Poll a key
QUIT - Quit testtool
cadebug - <module name> <disable print> e: error, w: warning, I: i
FS_DEL - <File Name> Delete a file
nvm_rt - Read persistent memory storage table.
nvm_read - <firstByte> <numByte> read from persistent storage table.
nvm_write - <firstByte> <numByte> write to persistent storage table.
ADP_OSY_TASK - <action> <index/number> : 0 N = delete Nth tasks, 1 N =
ADP_OSY_SEMP - <action> <index/number> : 0 N = delete Nth semaphore, 1 e
ADP_OSY_EVENT - <action> <index/number>: 0 N = free Nth event, 1 N = cret
ADP_OSY_TIMER - <action> <index/number>: 0 N = free Nth timer, 1 N = crer
ADP_OSY_PRINT - <ID> : 0 = task list, 1 = semaphore list, 2 = event listt
ADP_OSY_ABORT - reset CPU
ADP_CA_RESET - <sectionId> <resetMode> reset smart to get ART
ADP_CA_OPEN - open a connection of with a smartcard
ADP_CA_STATUS - get smart card status.
ADP_CA_CLOSE - register to ICC adptation
ADP_CA_LOAD - load test data, used before CAL is integrated
bdcprint - print bdc message
bdcdisplay - <index> the display CAK message 0 and 1
bdcremove - remove the display CAK message
bdcget - <lang index>: get test data: 0 for eng, 1 for ger, 2 forn
sysinfo - get cak info
sysenum - Print alarm enum
sysmsg - Send test alarm to app
sysok - Send test alarm to app
systime - get system time
sysmeta - get system time
syspin - set pin code
checkpin - set pin code
testpin - set pin code
syspc - set parental code
sysnuid - set parental code
setcak - activate/deactivate cak
getcas - get CAK CASID
cakpsi - get svc info
sysird - get IRD data
syszapp - Enable Zapping 1->Create, 2->Enable, 3->disable&Delete
ettlist - Set PP renewable flag
emm - power up/down notification
smartcard - get SMARTCARD display freq for X with Y days left
prod - get PRODUCT display freq for X with Y days left
wkData - set wakeup test data
wkDisable - set wakeup test data - DISABLE
pfData - set profile test data
msgData - set MESSAGE test data
hotline - get HOTLINE no
charge - get phone call charge
fread - read flash content
empty - 1-clean msg data; 2-clean profile data; 3-clean wakeup d
svcid - to get the svcIDs from svcDB
chkids - to get the getDvbIds from svcDB
dvbids - to get the getDvbIds from svcDB
svcindex - to get the svcIndex for given IDs
ST7111 >
and now?
peek cmd?!
The following 88 commands are defined:
HELP - <commandname> Displays help string for named commands ans
LIST - <commandname or partial> Lists all strings of command ano
SHOW - <symbolname> Displays symbol values and macro contents
DELETE - <symbolnames> Removes named symbols or macros
IOBASE - <hex/decimal> Sets default I/O radix for input and output
VERIFY - <flag> Sets echo of commands for macro execution
PRINT - Formats and prints variables
SOURCE - <filestring><echoflag> Executes commands from named file
SAVE - <filestring><constflag> Saves macros, var, consts to file
LOG - <filestring><outputflag> Logs all command I/O to named fe
UNSOURCE - <filestring><echoflag> Removes named commands from namede
STATS - <none> Display Symbol Statistics of Testtool
EVAL - <commands> Executes the commands given as argument
GETSTRING - Waits for a string and returns it
CONFIG_TESTTOOL - <num_char_to_match> <return_result> Configure testtool fs
DISPLAY - <Address> <Range> Displays local memory content
DISPLAY_B - <Address> <Range> Displays local memory content in byte t
SEARCH - <String> <Address> <Range> Searchs for local memory conts
FILL - <Address> <Range> <Value> Fill local memory with value
COPY - <Address> <Range> <NewAddress> Copy local memory content
ALLOC - <Size> Allocate some memory in partition
FREE - <Address> Deallocate the memory
LOADMEM - <Filename> <Address> <Maxsize> Loads file at specified as
DUMPMEM - <Filename> <Address> <Size> Dump memory to binary file
PEEK - <Address> Extracts 32 bit memory value
POKE - <Address> <Value> Sets 32 bit memory value
SPEEK - <Address> Extracts 16 bit memory value
SPOKE - <Address> <Value> Sets 16 bit memory value
BPEEK - <Address> Extracts 8 bit memory value
BPOKE - <Address> <Value> Sets 8 bit memory value
GETKEY - Get a key
WAIT - <Milliseconds> Pause operation for a time period
ZAP - Change I/O controls UART/CONSOLE
HISTORY - History of last commands
POLLKEY - Poll a key
QUIT - Quit testtool
cadebug - <module name> <disable print> e: error, w: warning, I: i
FS_DEL - <File Name> Delete a file
nvm_rt - Read persistent memory storage table.
nvm_read - <firstByte> <numByte> read from persistent storage table.
nvm_write - <firstByte> <numByte> write to persistent storage table.
ADP_OSY_TASK - <action> <index/number> : 0 N = delete Nth tasks, 1 N =
ADP_OSY_SEMP - <action> <index/number> : 0 N = delete Nth semaphore, 1 e
ADP_OSY_EVENT - <action> <index/number>: 0 N = free Nth event, 1 N = cret
ADP_OSY_TIMER - <action> <index/number>: 0 N = free Nth timer, 1 N = crer
ADP_OSY_PRINT - <ID> : 0 = task list, 1 = semaphore list, 2 = event listt
ADP_OSY_ABORT - reset CPU
ADP_CA_RESET - <sectionId> <resetMode> reset smart to get ART
ADP_CA_OPEN - open a connection of with a smartcard
ADP_CA_STATUS - get smart card status.
ADP_CA_CLOSE - register to ICC adptation
ADP_CA_LOAD - load test data, used before CAL is integrated
bdcprint - print bdc message
bdcdisplay - <index> the display CAK message 0 and 1
bdcremove - remove the display CAK message
bdcget - <lang index>: get test data: 0 for eng, 1 for ger, 2 forn
sysinfo - get cak info
sysenum - Print alarm enum
sysmsg - Send test alarm to app
sysok - Send test alarm to app
systime - get system time
sysmeta - get system time
syspin - set pin code
checkpin - set pin code
testpin - set pin code
syspc - set parental code
sysnuid - set parental code
setcak - activate/deactivate cak
getcas - get CAK CASID
cakpsi - get svc info
sysird - get IRD data
syszapp - Enable Zapping 1->Create, 2->Enable, 3->disable&Delete
ettlist - Set PP renewable flag
emm - power up/down notification
smartcard - get SMARTCARD display freq for X with Y days left
prod - get PRODUCT display freq for X with Y days left
wkData - set wakeup test data
wkDisable - set wakeup test data - DISABLE
pfData - set profile test data
msgData - set MESSAGE test data
hotline - get HOTLINE no
charge - get phone call charge
fread - read flash content
empty - 1-clean msg data; 2-clean profile data; 3-clean wakeup d
svcid - to get the svcIDs from svcDB
chkids - to get the getDvbIds from svcDB
dvbids - to get the getDvbIds from svcDB
svcindex - to get the svcIndex for given IDs
ST7111 >
and now?
peek cmd?!
Hi so what does peek and poke have to do with 016c hex block ????????unless you want to read 016c block you can use other cmds for dumping the flash, as for the rest good luck. Spoonfeed is over.
see you all later another day or another year
see you all later another day or another year
Benfica200
DW Member ++
- Joined
- Dec 1, 2013
- Messages
- 280
- Reaction score
- 221
Hex block 016c is no problem!
ST7111 > display_b 0001fd00 24
0001fd00: 00 00 01 6c xx 59 xx 9c 03 03 2f 06 3e 46 b9 a8
ST7111 > display_b 0001fc00
0001fc00: 00 00 00 97 x6 0x a7 xa 00 01 34 11 01 00 01 81
I tried to put the u-boot via minicom / xmodem but no luck! lol
Sending uboo1/u-boot, 8612 blocks: Give your local XMODEM recive command now.
Xmodem sectors/kbytes sent: 0/ 0kRetry 0: Got 45 for sector
ACK ...
Well in simple terms "you don´t decrypt or encrypt the 016C at all with IDEA algorithm..." basicaly all you do is a simple XOR select block after 0303 padding... and apply a XOR on it... but as you know for XOR you need 2 blocks the same size right??? :Cheers: thats where IDEA algorithm kicks in... using IDEA ECB encrypt mode... and the key is the IRD+12byte universal key 1@Qdy = 0x10 byte hex 16decimal idea key...
ok now we need to encrypt this universal block in 8 bytes each from
00 00 00 00 00 00 00 00 all the way up to 00 00 00 00 00 00 00 2C
so its about 45 or 44 rounds of idea encrypt, and the output result will be a full block idea encrypted. This block is used as the 2nd block of the XOR .
This is the unique encrypted block, this block is unique and different for each dump, for a simple fact that each dump has its own IRD which also makes it a unique IDEAkey IRD+101924xxxxxxxxxxxxxx and once unique encrypted block is created, the XOR with original block will result in the unique paired card / stb data...
so you have original block after 0303 xxxxxxxxxxxxx XOR idea_encrypted block = final output result 2008,3008,3310,3140,3460,3588,d008 keys
3140 = RSA_N For CAK5,6,6.3 Pairing...
D008 xor 3008 = Boxkey For cak5,6,6.3 Pairing..
its not rocket science..
Benfica200
DW Member ++
- Joined
- Dec 1, 2013
- Messages
- 280
- Reaction score
- 221
Ird: Cbxxdxxe
2008: xx93cxx129bb0b7a
3008: xx8f9xxa0b131581
3140: Xxa93xxb129bb0b7a3008048f966a0b131581304090e4520e4c27a32106c0aaa191a792b5c5260d7ef351a76959ebe26e87323b693c97e2895786eb19c70ac01
3310: Xx2f5377870ce170xxfd49e2250682xx
3460: Xx7eebxx7dc7f483d521bd276b97dac62ce455d7b34513444563a19966c45d20409eb795821de13258fcbe3ab680f534a5b1d166e75cbbde6091eab851aca7b8ffe6c53ec0d2690938b050a4dcfbb80bfd37bf101d6e6caff4a4e39ffd6de5d7
3588: Xx5843xx94168xx6d0767ab7887e50916bbb0600690130126567f834b99c11397b9d90a6fe3db577a90d4c3d4153c74aa711d5b9248126b05787e8debcfcb623832ef43e11af6f4588fafa51f41c8072039a1cc91bf8bdc54b6510f8fcdd9a2754ed1d61b806c68fc1a4ffde15c0a15f84722e0457cd13f928a2c7cd0e11148c6e57976f5cea85c6
d008: Xxcf10xx4ebf1cxx
e002: 0003
37a7: 87axxceb
boxkey: Xx4086xx45ac0931
rsa key: Xxa93xxb129bb0b7a3008048f966a0b131581304090e4520e4c27a32106c0aaa191a792b5c5260d7ef351a76959ebe26e87323b693c97e2895786eb19c70ac01
37a7: 87AXXCEB?!hehehe
2008: xx93cxx129bb0b7a
3008: xx8f9xxa0b131581
3140: Xxa93xxb129bb0b7a3008048f966a0b131581304090e4520e4c27a32106c0aaa191a792b5c5260d7ef351a76959ebe26e87323b693c97e2895786eb19c70ac01
3310: Xx2f5377870ce170xxfd49e2250682xx
3460: Xx7eebxx7dc7f483d521bd276b97dac62ce455d7b34513444563a19966c45d20409eb795821de13258fcbe3ab680f534a5b1d166e75cbbde6091eab851aca7b8ffe6c53ec0d2690938b050a4dcfbb80bfd37bf101d6e6caff4a4e39ffd6de5d7
3588: Xx5843xx94168xx6d0767ab7887e50916bbb0600690130126567f834b99c11397b9d90a6fe3db577a90d4c3d4153c74aa711d5b9248126b05787e8debcfcb623832ef43e11af6f4588fafa51f41c8072039a1cc91bf8bdc54b6510f8fcdd9a2754ed1d61b806c68fc1a4ffde15c0a15f84722e0457cd13f928a2c7cd0e11148c6e57976f5cea85c6
d008: Xxcf10xx4ebf1cxx
e002: 0003
37a7: 87axxceb
boxkey: Xx4086xx45ac0931
rsa key: Xxa93xxb129bb0b7a3008048f966a0b131581304090e4520e4c27a32106c0aaa191a792b5c5260d7ef351a76959ebe26e87323b693c97e2895786eb19c70ac01
37a7: 87AXXCEB?!hehehe
Last edited:
Benfica200
DW Member ++
- Joined
- Dec 1, 2013
- Messages
- 280
- Reaction score
- 221
Magic_Data-B6711C868C3EE72533A4E08C1364B83AEEFDEBE9FB54156A8776D872CBC41FF2E5EA2CBAF4F26A58C521EC53E310FC494354E49ECE6CD0F9631B724FAB0C8BAEC1F66C346AD2DB1CB3871AF44C1E1592
Magic_Mod-DB9E1F1BD23C6153444E444D8E6C471E162EC63C599D44F476E0D40C3840E0FDB7B63D174DD73B575543983F2F2DFB94E3644958AE642C91636A6BE55528478EB7A422479598C68E6F1FC9D647BBC4D5
Magic_Mod-DB9E1F1BD23C6153444E444D8E6C471E162EC63C599D44F476E0D40C3840E0FDB7B63D174DD73B575543983F2F2DFB94E3644958AE642C91636A6BE55528478EB7A422479598C68E6F1FC9D647BBC4D5
would you care to explain the above data Benfica200 ?
Yeah please explain to us what it does please, we want to learn also i would love to hear what it does.
thanks in advance for you reply me and Andy16v would love to learn from you...
and specially on which firmware or tool you get those keys from..
- Status
