Nagra Hex block Decryption

[wasserwaage]

you can set A0A1A2A3 for nuid an 00800000 for optctrl

 

[wasserwaage]

can you init up to cmd 0E?

 

[jor]

I can init up to calculation of RSAN68.

 

[wasserwaage]

great, first fix this step an your init will work up to cmd 0E

 

[jor]

I send the following :

plain DC7E21F600000B0E83F820CB5C0064656D6F34119D7EEECE530980AE6B5AEE3A41CE0975EFA6BF1E984FA4116F43CACDD06E69FA25C1F9118E7AD019C0EB00C0572A40B7FF8ABB2521D750E735A185CDA6D3DEB33D16D494768A828C7025D400D0648C26B95F44FF7370AB43F568A2B1B58A8E025F9606A8C34F15CD99C269B83568114CA0A1A2A300080000CCCCCCCC

cipher
21009680CA000090F04D340691CCBF58763225C68F740DDD3B206169F41CD0B32639BE1A30F1C56D5DBE7D7AF3646A8562363BEF92739B1786F489D20273926494F3CA2BFB22FD03FE0CDA705DFA3D50DB364FADE8911A38EB5EF3C2DD761A925A85D58B0B8DE0A40D81FF8D9710FC6FDA53DA9CC97ADE6548F86943C60866094B617A450E8457B501B461EB05C5475D5FCAE4B5F5568B4020C0

but unfortunately I get 6F01. Any hint ??

 

[blubber83]

dude, there is only dt's until $0e, not much you can do wrong.
so you ask for an example, you have been one given. now you ask again for someone to do the work for you.
whats next? someone needs to craft $03 as well for you?

 

[wasserwaage]

try this cmd 0E example

http://opkg.familienforum.biz/oscam/cas7/cak7-nagra-merlin-pairing-info.txt
it is all there. not everything is correct, but the essence is there.

 

[jor]

I don't think I asked from someone to do the work for me. I just ask from someone who have skills to check what I have done and point where is wrong. Nothing more nothing less. Sorry if that makes you angry. Thanks anyway.

 

[jor]

try this cmd 0E example

I already did it. That's where I started from but there is mistake to the document. At the title it refers cmd02 generic pairing and at the example cmd type is 0E. It also refers that cmd02 sends IRD generic FFFFFFFF+0x70 rsa modulus +diffie hellman byte. At the example I found no such a byte. There must be something little mistake but I cannot find it.

 

[wasserwaage]

i can find cmd 0e unique pairing example.

 

[jor]

Have you tried it successfully to a HD02 card ?? If so, I 'd really appreciate if you could share it via pm hiding sensitive data of course.

 

[wasserwaage]

and you have realy replace the mod block with [9D7E..114C] generic mod

 

[jor]

and you have realy replace the mod block with [9D7E..114C] generic mod

Ok that's the easy part but first I must have the cmd0E unique pairing example for HD02 card DNASP482 RevR24

 

[wasserwaage]

I think you have not really understood the synchronous merlin protocol..

I can init my HD02 with this example authentication data for cmd 0E, in generic mode:

You don't have permission to view the code content. Log in or register now.

If DT05 requenst not include record 20_74, the card not support unique pairing.

 

[jor]

I prepare the following as you advised me :
Plain
42FC232B00000B0E8310D63AF1006B4CA73634119D7EEECE530980AE6B5AEE3A41CE0975EFA6BF1E984FA4116F43CACDD06E69FA25C1F9118E7AD019C0EB00C0572A40B7FF8ABB2521D750E735A185CDA6D3DEB33D16D494768A828C7025D400D0648C26B95F44FF7370AB43F568A2B1B58A8E025F9606A8C34F15CD99C269B83568114CA0A1A2A300080000CCCCCCCC
cipher
21009680CA000090E83E5627B0E2E6145504C56B5C2A25907A688967D9881CC1E4C4BD52DFBEF5C75DBE7D7AF3646A8562363BEF92739B1786F489D20273926494F3CA2BFB22FD03FE0CDA705DFA3D50DB364FADE8911A38EB5EF3C2DD761A925A85D58B0B8DE0A40D81FF8D9710FC6FDA53DA9CC97ADE6548F86943C60866094B617A450E8457B501B461EB05C5475D5FCAE4B5F5568B4020E4
Reply
1200026F017E

How to check about this record 20_74 ???

 

[Benfica200]

I prepare the following as you advised me :
Plain
42FC232B00000B0E8310D63AF1006B4CA73634119D7EEECE530980AE6B5AEE3A41CE0975EFA6BF1E984FA4116F43CACDD06E69FA25C1F9118E7AD019C0EB00C0572A40B7FF8ABB2521D750E735A185CDA6D3DEB33D16D494768A828C7025D400D0648C26B95F44FF7370AB43F568A2B1B58A8E025F9606A8C34F15CD99C269B83568114CA0A1A2A300080000CCCCCCCC
cipher
21009680CA000090E83E5627B0E2E6145504C56B5C2A25907A688967D9881CC1E4C4BD52DFBEF5C75DBE7D7AF3646A8562363BEF92739B1786F489D20273926494F3CA2BFB22FD03FE0CDA705DFA3D50DB364FADE8911A38EB5EF3C2DD761A925A85D58B0B8DE0A40D81FF8D9710FC6FDA53DA9CC97ADE6548F86943C60866094B617A450E8457B501B461EB05C5475D5FCAE4B5F5568B4020E4
Reply
1200026F017E

How to check about this record 20_74 ???

Of course you get error cipher not correct!

KEY: 357E5C68091F37B60B87000B644C9BAD
Data: 42FC232B00000B0E8310D63AF1006B4CA73634119D7EEECE530980AE6B5AEE3A41CE0975EFA6BF1E984FA4116F43CACDD06E69FA25C1F9118E7AD019C0EB00C0572A40B7FF8ABB2521D750E735A185CDA6D3DEB33D16D494768A828C7025D400D0648C26B95F44FF7370AB43F568A2B1B58A8E025F9606A8C34F15CD99C269B83568114CA0A1A2A300080000CCCCCCCC
Resul:
E83E5627B0E2E6145504C56B5C2A259056A0F149FE90BF52750CA90425DA1260A9C6517B015AE64360DC3B1CD9B595123D6EA2673A731E237D1EB77677564ED3A0E6EC8B01E0890BE5C55D1E0F7A32118E568DE3232EF2F57F09EF1CC5550A1484EA3DDBD9097415A212DA10D4CABB1545ED9E7151C4F89B859D472F7185E79261795F6285F73125073DFE9FD8588964

cmd to send:
21009680CA000090E83E5627B0E2E6145504C56B5C2A259056A0F149FE90BF52750CA90425DA1260A9C6517B015AE64360DC3B1CD9B595123D6EA2673A731E237D1EB77677564ED3A0E6EC8B01E0890BE5C55D1E0F7A32118E568DE3232EF2F57F09EF1CC5550A1484EA3DDBD9097415A212DA10D4CABB1545ED9E7151C4F89B859D472F7185E79261795F6285F73125073DFE9FD858896420D3

 

[jor]

Of course you get error cipher not correct!

KEY: 357E5C68091F37B60B87000B644C9BAD
Data: 42FC232B00000B0E8310D63AF1006B4CA73634119D7EEECE530980AE6B5AEE3A41CE0975EFA6BF1E984FA4116F43CACDD06E69FA25C1F9118E7AD019C0EB00C0572A40B7FF8ABB2521D750E735A185CDA6D3DEB33D16D494768A828C7025D400D0648C26B95F44FF7370AB43F568A2B1B58A8E025F9606A8C34F15CD99C269B83568114CA0A1A2A300080000CCCCCCCC
Resul:
E83E5627B0E2E6145504C56B5C2A259056A0F149FE90BF52750CA90425DA1260A9C6517B015AE64360DC3B1CD9B595123D6EA2673A731E237D1EB77677564ED3A0E6EC8B01E0890BE5C55D1E0F7A32118E568DE3232EF2F57F09EF1CC5550A1484EA3DDBD9097415A212DA10D4CABB1545ED9E7151C4F89B859D472F7185E79261795F6285F73125073DFE9FD8588964

cmd to send:
21009680CA000090E83E5627B0E2E6145504C56B5C2A259056A0F149FE90BF52750CA90425DA1260A9C6517B015AE64360DC3B1CD9B595123D6EA2673A731E237D1EB77677564ED3A0E6EC8B01E0890BE5C55D1E0F7A32118E568DE3232EF2F57F09EF1CC5550A1484EA3DDBD9097415A212DA10D4CABB1545ED9E7151C4F89B859D472F7185E79261795F6285F73125073DFE9FD858896420D3

Thank you very much for your time to deal with that silly mistake from my side. The mistake was in the routine for aescbcencrypt after the first 16 bytes. Now it's fixed and everything is ok till DT0E.

 

[little_pob]

7 pages worth of shite, and replies to that shite, deleted.

Any more rule violations will see this thread closed permanently.

 

[jor]

Is it right that for the same provider the RSAN6C value is the same for all cards but the RSAN68 value is NOT the same ??

 

[pachecoso]

Is it right that for the same provider the RSAN6C value is the same for all cards but the RSAN68 value is NOT the same ??

yes it's right