NDS Card / Oscam - classD3 ins54: no cw --> Card needs pin

[rtznfrtz]

this is 09BD

which is boxid ?

C2 B1 A3 14

 

[007.4]

Correct

 

[Benfica200]

42B1A314 ^ 80000000 = boxid

 

[rb951]

Thanks guys,
These parameters are correct!
Now I need k1
Already receiving ECW,soon I can get and DCW - can someone help calculate it cause my hardware does not have such capabilities

 

[007.4]

Are you sure your provider is using DES? IF it is AND you can get a matching eCW/dCW pair, then BF is possible.
However, if your provider is using 3DES or AES for the overcrypt then BF is not possible.

 

[rb951]

How I can check whether DES or 3DES?

 

[007.4]

Looking at tags 55 01 xx and 56 08 xx xx xx xx xx xx xx xx in the decrypted ECM would be a good starting point.

 

[ohmza]

How I can check whether DES or 3DES?

Look at the ATR of the card. If it has a length of 21 and starts with 3F FD, then it is 3DES. If it has a length of 22 and starts with 3F FF, then it is DES.

 

[rb951]

After 100%
Approaching final keyspace - workload adjusted
There's no key as result.
Any idea?

 

[007.4]

If you have done the BF correctly, then it is not using DES.

 

[tedy58]

@batvidinio
for sure you ARE NOT obtained the correct pair DCW/ECW then you will waste time and power to calculate wrong keys.

 

[Atiqur9875]

Hi all,

here is one Mini TUTO for TTV caid 091F

​

- STEP 1 : Find BoxID / you can do it directly with OsCam (i.e. r11581) with option -S ((reader) tTV [internal] serial: 0000XXXX, BoxID: XXXXXXXX, baseyear: 200X)
- STEP 2 : Find ins7e / you can find it via menu and to adapt it in this format 6E736BXXXXXXXXXXXXXXXXXXXXXXXXXX00010202030002020203 ?
- STEP 3 : how to find k1 /
step 3.1 : you need to switch in debug logs 6 via OsCam LiveLog -> Show Settings -> select 2 + 4 (Switch Debug from 6 to) than search for (Search01: crypted CW is: and Search02: ecm hash than check Found Only
step 3.2 : check with someone who has a working card in order to compare the ECM hash in the same time for the same channel
step 3.3 : once you have one working decrypted CW vs your encrypted CW with the same HASH (the most important thing) you can start DES attack to find your unique k1 via hashcat <hashcat -m 14000 eCW:dCW -o /root/tTV.txt -a 3 -1 /usr/share/hashcat/charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1 -w 4 --force> (you can use vast.ai to RENT a several GPU configs)

For info : with 8x RTX 2080 Ti k1 was calculated in 1 day, 6 hours on 46.23 % ))

Many thanks :
- rumas for link to v13 Sky tuto
- rtznfrtz for detailed help and assitance (hvala ti opet kralju)
- Benfica200 for reader-videoguard2.c workaround

Here is the working reader (AU is activated and works very well) :

label = tTV
description = tTV
protocol = internal
device = /dev/sci1
autospeed = 0
caid = 091F
boxid = your 8char boxID as described in STEP 1
ins7e = your 52char ins7e as described in STEP 2
k1_unique = your 16char k1 calculated as described in STEP 3
fix07 = 0
readtiers = 2
detect = cd
mhz = 450
cardmhz = 2700
ident = 091F:000000
group = 1
emmcache = 1,1,3,0
blockemm-unknown = 1
saveemm-unknown = 1
saveemm-u = 1
saveemm-s = 1
disablecrccws = 1

Good luck and have a nice day

How can i get Crypted K1 key ?

 

[intercepter]

I have problem to find eCW/dCW pair.Card is 091F.This is possible this time?If someone can help I will send him my contact.

 

[Benfica200]

I have problem to find eCW/dCW pair.Card is 091F.This is possible this time?If someone can help I will send him my contact.

I think, this card still use DES.

 

[intercepter]

I think, this card still use DES.

Yes,but I can't get same ecm hash.

 

[Benfica200]

Yes,but I can't get same ecm hash.

Strange.

 

[intercepter]

I found.Thanks.

 

[dishnxt]

I found.Thanks.

DCW ?

 

[intercepter]

eCW-dCW pair.

 

[dishnxt]

Can u tell how you get that