Thanks for the reply Tojan,
I may have worded that entirely wrong. In an earlier post by Mick he posted that there are 2 blocks of equal size, so for example let's call them A and B. Block A is encrypted with the IDEA key (IRD + Constant), the result of which is then xor'd with the already encrypted block B. This gives us a plaintext block where we can read the cam_n.
Block A <<<<<<< is this block the same in all receivers with the same header 016C/E 9882 ??
Block B 016C/E 9882 ( with ird + bk data )
Thanks Andy
There is only one block in vm boxes.
The block begins with 00 01 6C xx xx xx xx 03 03, where the xx xx xx xx is the IRD. That is why every block will be different and, when decrypted, will give a different cam_n, because the key used to decrypt/encrypt will begin with your IRD, so the key will be xx xx xx xx ff ff ff ff. The ff is the same on every box, but as you can see the IRD used will be different, so the decrypt/encrypt will be different. The 01 6C is the size of the block.
When it comes to the 9882 block, the header will be 00 98 82, which when bit swapped will give you 00 01 6C, but this method is not used in vm boxes (yet).
Then you have the 00 00 97 block, which is becoming more common with certain providers (not on vm yet) like sly; they are using this method for an extra encrypt/decrypt for the HD channels.
00 00 97 = 151 bytes
xx xx xx xx NUID SOMETHING LIKE SLY IS USING WITH NEW RECEIVER ID
00
01
XX XX provider id ie vm,dish,etc
01 Number of CWPKs active
00
01
81 = 0x81 hexa bytes = 129 bytes (containing the cwpk encrypted keys)
10 = 10 hexadecimal bytes = 16 bytes header CWPK key sizes
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx = CWPK0 encrypted
0000000000000000000000000000 = CWPK1 encrypted
1111111111111111111111111111 = CWPK2 encrypted
2222222222222222222222222222 = CWPK3 encrypted
3333333333333333333333333333 = CWPK4 encrypted
4444444444444444444444444444 = CWPK5 encrypted
5555555555555555555555555555 = CWPK6 encrypted
6666666666666666666666666666 = CWPK7 encrypted
bbbbbbbbbbbb
This method is used at the minute for just HD channels but sure if can be used for all channels. Going by what I have read about this method, it seems the control word pairing key decrypts the encrypted CW = final result, the plain CW key used for audio and video. Same as sly blank channels on HD.
Then on certain providers they have started encrypting the whole flash, so unless you know the method used to encrypt/decrypt the flash you won't be able to find any block, whether it is 00 00 97, 00 01 6C etc.
Hope that explains it better for you.
tr