ntl dublin nagra 2
- Thread starter velvitjester69
- Start date
beany
Inactive User
- Joined
- Oct 19, 2007
- Messages
- 102
- Reaction score
- 0
Other angle
This thread has got a little bit technical for me, but I see it like this. UPC is in a tight spot here in IRL. The broadcasting commission are near finished testing Free to Air services and by 2010 all broadcasting in Ireland Will be Digital Period.
The majority of Irish households watch RTE1, RTE2, BBC 1 & 2 UTV, Ch4 and 6. This will all be available free as will many of the free channels we currently pay NTHell for.
I don’t think NTL care at the moment about our box’s once you still shell out for you basic cable, your a customer and a customer that can be retained when they have to compete with the Free services.
When FTA goes live, NTL will be glad just to have you pay for the cable into your home and in the future I can see that they and others will provide the signal with the equipment left to the customer just as phoenix relays did in the very early days. The sent the signals out but the receivers like arials and TV sets where the customers own issues.
Their business model is under serious pressure and encryption is a smaller problem then we all might think
This thread has got a little bit technical for me, but I see it like this. UPC is in a tight spot here in IRL. The broadcasting commission are near finished testing Free to Air services and by 2010 all broadcasting in Ireland Will be Digital Period.
The majority of Irish households watch RTE1, RTE2, BBC 1 & 2 UTV, Ch4 and 6. This will all be available free as will many of the free channels we currently pay NTHell for.
I don’t think NTL care at the moment about our box’s once you still shell out for you basic cable, your a customer and a customer that can be retained when they have to compete with the Free services.
When FTA goes live, NTL will be glad just to have you pay for the cable into your home and in the future I can see that they and others will provide the signal with the equipment left to the customer just as phoenix relays did in the very early days. The sent the signals out but the receivers like arials and TV sets where the customers own issues.
Their business model is under serious pressure and encryption is a smaller problem then we all might think
Ginkman
Inactive User
like your thinking beany................seems a more logical outcome.......I have always thaught it would end up that way..........phones and phone lines started out much the same way and are now left to yourself to split and do what you wish with..........
@beany
Free UK channels via irish dtt after 2009 say who?
You find only the irish channels not scrambled at the current irish dtt trial. After 2009 you have the choice to pay UPC or an dtt provider for the uk channels if you are not willing to use satellite.
Free UK channels via irish dtt after 2009 say who?
You find only the irish channels not scrambled at the current irish dtt trial. After 2009 you have the choice to pay UPC or an dtt provider for the uk channels if you are not willing to use satellite.
beany
Inactive User
- Joined
- Oct 19, 2007
- Messages
- 102
- Reaction score
- 0
The Nielsen Television Establishment Reception Survey data (May 2007) estimates that 197,00 (13%) television viewing households in the slate of ireland rely on some form of FTA UK Signal.
Further, Freesat digital satellite spill-over (which now includes all of the BBC Channels and ITV 1. 2. 3 and 4) is available, unencrypted in Ireland to those who have installed satellite receiving equipment.
Based on extracts from the Annual Report British SKY Broadcasting Group Pic. for the year ended 30th June 2007 together with information from the Nielsen Television Reception Establishment Survey (May 2007), They estimate that us much as 39,000 private permanent households may be receiving many of the FTA UK channels through digital means. This amounts to a further circa 2.5% of all permanent private households in the Irish state.
Further, Freesat digital satellite spill-over (which now includes all of the BBC Channels and ITV 1. 2. 3 and 4) is available, unencrypted in Ireland to those who have installed satellite receiving equipment.
Based on extracts from the Annual Report British SKY Broadcasting Group Pic. for the year ended 30th June 2007 together with information from the Nielsen Television Reception Establishment Survey (May 2007), They estimate that us much as 39,000 private permanent households may be receiving many of the FTA UK channels through digital means. This amounts to a further circa 2.5% of all permanent private households in the Irish state.
Fano
Inactive User
DTT is a joke in Ireland.
Its available in very limited areas and has a tiny budget .
It could take eons for it to go National if ever.
Free to air satellite is becoming more popular here but Sky still have too much influence over Astra 2D.
Its available in very limited areas and has a tiny budget .
It could take eons for it to go National if ever.
Free to air satellite is becoming more popular here but Sky still have too much influence over Astra 2D.
velvitjester69
Inactive User
- Joined
- Jul 22, 2007
- Messages
- 836
- Reaction score
- 6
the fact they are already testing it seems like they will be implimenting it this year,fta means nothing becuase i dont know anyone who is happy with 6 channels except my granny.You wont be able to get sports on it so alot of people wont even consider it tbh
Irish dtt is not a joke.
Its expected rte will roll out the irish channels at least via clermont carn, three rock and mt. leinster in autumn 2008. Other transmitters will follow. The irish ddt trial via clermont and 3rock is over in august 2008. Currently rte is testing their channels via dtt at mt. leinster.
The 3 commercial muxes are expected to start in autumn 2009.
beany
Inactive User
- Joined
- Oct 19, 2007
- Messages
- 102
- Reaction score
- 0
Mixed agreement
I agree and disagree - 6 channels is pretty poor :nopity: but they do programme the 10 most watched programmes in this country! There will also be a whole host of Euro DTT channels also available - Sports and Sky channels are a problem if lost, but I cant see UPC investing in Technology for SKY''s benefit ?
We may get the bump :toiletcla at some point but no doubt a new solution
evil: will evolve. If I loose the sports and stuff now. I will def cancel my NTL subscription altogether and move to a sat and freeview mix.
And I will move the older non savvy members (Dad etc) of my family also as will most on this forum I believe.
And don’t think NTL don’t know this. They really need to keep those cables in the homes first and foremost regardless of what the offer. :drink: So lets a relax and ride the wave for now
I agree and disagree - 6 channels is pretty poor :nopity: but they do programme the 10 most watched programmes in this country! There will also be a whole host of Euro DTT channels also available - Sports and Sky channels are a problem if lost, but I cant see UPC investing in Technology for SKY''s benefit ?
We may get the bump :toiletcla at some point but no doubt a new solution
evil: will evolve. If I loose the sports and stuff now. I will def cancel my NTL subscription altogether and move to a sat and freeview mix.And I will move the older non savvy members (Dad etc) of my family also as will most on this forum I believe.
And don’t think NTL don’t know this. They really need to keep those cables in the homes first and foremost regardless of what the offer. :drink: So lets a relax and ride the wave for now
velvitjester69
Inactive User
- Joined
- Jul 22, 2007
- Messages
- 836
- Reaction score
- 6
I agree and disagree - 6 channels is pretty poor :nopity: but they do programme the 10 most watched programmes in this country! There will also be a whole host of Euro DTT channels also available - Sports and Sky channels are a problem if lost, but I cant see UPC investing in Technology for SKY''s benefit ?
We may get the bump :toiletcla at some point but no doubt a new solution
And I will move the older non savvy members (Dad etc) of my family also as will most on this forum I believe.
And don’t think NTL don’t know this. They really need to keep those cables in the homes first and foremost regardless of what the offer. :drink: So lets a relax and ride the wave for now
i dont really understand.dtt is by the irish goverment to broadcast rte,tv3 and a few other over digital terrestrial so they can ditch their analogue service,what has that got to do with sports and cable ntl?ntl will always have sky sports or setanta ,irish dtt has nothing to do with sports and people who want sports and premium channels will either get sky or ntl and wont even look at dtt.think of it this way,how many people know people who dont have sky or ntl and just use the rabbit ears and get rte1+2 etc?not many,so why would this service changing to digital change anyones mind?the only differences is that the channels will now be broadcast in digital and not analogue and a few more will be added.
Last edited:
Fano
Inactive User
Any updates on Nagra 2 implementation ?
velvitjester69
Inactive User
- Joined
- Jul 22, 2007
- Messages
- 836
- Reaction score
- 6
dont know,in the cable tv forum ther was a thread on hacking it,but it has disapeared.dont know why.
n2 system
Hi guys
I normaly do not post in threads like this.....but due to the fact of some reading in this post by mistake..yes mistake.... i have to pronounce myself shortly.......and at the same time spike some curiosity for the young minds.....
Here are the facts and i will have to use some of carwash comments (where are u no see for long time in thise places heheheh sweeping up :Cheers
Anyways.......
1 - As we all know N2 was implanted in other EU countries before it came to UPC and it has been deeply compromised in the past.....which means like any other company would do yeahhh they had to upstake their measure and do a card update like in spain and portugal where they now use R142 and R180 which people say it is the so called N3!!!!
In fact it is nothing compared to N3..... is is the same N2 family system but with a new CPU/chip security measures for Anti Glitch (unloops)
The same N2 cryptographic modules are implemented on this new cards.... the same way as the R110 UPC cards which in reality it will....nevermind
So going back in time and all the great mind here can pretty shure back me up "as i am just a simple servent in this hobbie" that most of the cryptograpic modules used in the old N1 system are still present in the new N2 sytem.....but like anything else in the world, it has suffered from a evolution...
For instance in the N1 cards we can prove that RSA_encryption algorithm is present (if i am not mistakenroud: up to 512bytes encryption)
If my mind does not colapsewe also have DES/3des encryption amongst others....
The only improvement in the N2 system was the bigger lenght of encryption packets maybe due to ist processor core..... for instance i think that the R110 cards support up to 1024bytes encryption algorithm RSA....
Also implemented in N2 System was IDEA encryption algorithm.... and with that a lot of new calculations.....
Please bare in mind that if ntl want's to upgrade firmware in all samsung and pace boxes to support n2 they are pretty well up to standard......
2- As we all know it takes a work team to make this n2 card work ( i mean it need a card + receiver)
One of the big differences in N2 system was the card pairing method which became different... i will explain detailed.
This means that we do not actually need a card eeprom dump to get card information in order to make it work with another receiver, but instead a Flash dump will temporarily fix thing if requested depending upon receivers.....
In europe we have 2 types of receiver for n2 cards this means receiver for DT08_0A card and receiver for DT06_0D cards i will explain their works in a while.....
DT06_0D is a card eeprom 24byte key stored somewhere in $axxx area this key is so famous too for being the key responsible on calculations applied RSA/IDEA algorithm to make card pairing..... in reality all its calculations will generate a 64byte key called RSA_N modulus
This RSA_N modulus is also stored in the receiver firmware from receivers that work with cards DT06_OD... receivers that work with DT08_OA will have this RSA_N modulus sent from card to receiver in another cmd.
So on receivers firmware for DT06_OD cards we have RSA_N key calculated from card DT06_0D key using rsa algorithm this 64byte must match the 64byte key stored in receiver flash.
We also have what we call a BK2 and another 8byte signature key, this BK2= Box key 2 is the old box key used in the N1 old system in our cards r10/r11 etc... this key is also kept in receiver firmware in order to process some calculations with the 8 byte signature key.
The result from this BK2 and 8 byte signature key is what we call card BK..... yes you can actually calculate the BK present in the new N2 card without dumping the card content, just by simply applying a calculation in the old N1 key and this 8 byte signature key.... they would not be dump enough to leave same N1 kye in card... but at the same time used old n1 key to be implemented on extra verification process.
This Bk2 is not important in receiver as 90% of pairing happens with calculations applied on the DT06_OD 24 byte key.
In the N2 system the card activation will occur by the CAM ID number on the card, this means that card will receive from TS Stream Unique CMD$04 emm-u and emm-s to pair card /activate and update subscription status.
Card is sent with the box....but card comes virgin like in the old n1 days.... card comes with IRD/bk/dt06_od 0000's
but the camd id will trigger all the activation process, by simply filtering the emm-s/u correct for that cam id and it will actually write the correct contents in to the card.
So you must assume by saying this all we need to do in order to clone a subscribed card is change cam id in card eeprom dump and here we go ........NO wrong this camd is is written in card eeprom and also in another protected firewalled area in $3000 eeprom content, this is the new things that came implanted in the card..... in order to write in this area you need to be able to calculate all crc and checksums applied.... put it this way if you write in that area without calculating the checksums on the next reset card KAPUT....
So how will we be open to program this cards??? can we use use phoenix programmer to write in to these cards???
Lets say initially NO, we will need to use unlooper with glitch scripts the same way we unloop card.
The only reason why r110 cards were compromised and changed quickly , is the MAP content this means Modular Arithmetic Processor ( we call it the heart of the card, purely because this contains all the algorithm numbers used to calculate alots of info)
This means if you have a MAP dump from R11 with eeprom and rom you will have full control of N1 cards and be able to calculate all functions used in keyroll update routines.....some peeps have some peeps done.
So lets quickly follow the process of N2
the main cmd's used in n2 were also available in N1 but under diff cmd's name
for instance:
CMD$04 = EMM (Entitlement management message) this emm $04 contains all the information used to Update keys in card eeprom and also contains all information used in order to activate cards and etc....
Now you must wonder how can a single cmd do all that......
it is very easy.... this cmd$04 is divided into 3 different groups
EMM-G (Global) this contains all IDEA Key updates and REV updates
EMM-S (Specific card group key) this key is used to a specific card group, this card group contains up to 256 cards normaly with the padron of camd id and this is used to update subscription tier rights etc...
EMM-U (Unique) This emm is normaly sent to a specific cam id number in order to activate card or deactivate.....
Then we have CMD$07 this comand is responsible for our video keys that will open channels.
Basically this cmd is used with IDEA Key to decrypt CW's once CW's are decrypted and a few more checks take place then receiver will open channels
So in order to Decrypt cmd$07 we need 2 keys
IDEA KEY 16 BYTES
and RSA_IDEA
the IDEA KEY =16 bytes is the one that changes constantly they can even change this key every minute if they want.
Basicaly this 16byte idea key is updated in the previou emm$04 and stored in card eeprom
once this is done we need to decrypt incoming CDM$07 ECM = Encrypted Control Message
in order to decrypt ecm$07 we need the folloing IDEA+RSA , once decrypted it will give us the CW's
This cw's are only valid for 15seconds, after that a new ecm will come with new cw's for card to decrypt.
Now you wonder so how does receiver gets CW's ???
Well once card decrypt them the card need to send them to receiver so receiver can open channels.
But unfortunately the card will not send them just like that.
The card will then use RSA calculations to encrypt the CW and then send them to the card, this is related to CMD$1C
So the receiver receives the CW's encrypted and will need to decrypt them....
But how will card do it ???? well the card will use the same RSA_n modulus key stored in receiver flash, the same one responsible for pairing card and will use it for decryption purposes of cw.
Once cw is decrypted in receiver it will open the channels for only 15secs after that is time for more work and with the same method applied a new CW will come for receiver to decrypt and open channels.
Bare in mind this is nothing new this is already used in N1
Card decrypts keys and then send CW's to receiver to open channels
Put it this way
If you find a technique to decrypt CW's instantaneous when sent back to receiver encrypted.... you have the hole world in you hands .... because you do not need to know new idea keys ...once you are capable of decrypting cw's direct you will always have tv open..... and that is all for now as i think i wrote to much information and to some people it will be chinese.
Anyways i recommend people to search on the net for N2 FAQ this will have commented details about all n2 cmds known so far
P.S - This is just a hobbie do not take it seriously or it could permanetly damage your life/family/friends..........
Cheers
Calhordas
what i'm trying to get at is,
If N2 Rom110 A05 has been in use on the continant for a while now, and they still havent cracked it.. we could be waiting a long time.
Its not as if there will suddenly be a break thru, just because a small irish market needs such a crack.
i'm begining to believe that, as soon as N1 is switched off, we could be waiting a long long time before we get to use our box's again
Hi guys
I normaly do not post in threads like this.....but due to the fact of some reading in this post by mistake..yes mistake.... i have to pronounce myself shortly.......and at the same time spike some curiosity for the young minds.....
Here are the facts and i will have to use some of carwash comments (where are u no see for long time in thise places heheheh sweeping up :Cheers
Anyways.......
1 - As we all know N2 was implanted in other EU countries before it came to UPC and it has been deeply compromised in the past.....which means like any other company would do yeahhh they had to upstake their measure and do a card update like in spain and portugal where they now use R142 and R180 which people say it is the so called N3!!!!
In fact it is nothing compared to N3..... is is the same N2 family system but with a new CPU/chip security measures for Anti Glitch (unloops)
The same N2 cryptographic modules are implemented on this new cards.... the same way as the R110 UPC cards which in reality it will....nevermind
So going back in time and all the great mind here can pretty shure back me up "as i am just a simple servent in this hobbie" that most of the cryptograpic modules used in the old N1 system are still present in the new N2 sytem.....but like anything else in the world, it has suffered from a evolution...
For instance in the N1 cards we can prove that RSA_encryption algorithm is present (if i am not mistaken
roud: up to 512bytes encryption)If my mind does not colapsewe also have DES/3des encryption amongst others....
The only improvement in the N2 system was the bigger lenght of encryption packets maybe due to ist processor core..... for instance i think that the R110 cards support up to 1024bytes encryption algorithm RSA....
Also implemented in N2 System was IDEA encryption algorithm.... and with that a lot of new calculations.....
Please bare in mind that if ntl want's to upgrade firmware in all samsung and pace boxes to support n2 they are pretty well up to standard......
2- As we all know it takes a work team to make this n2 card work ( i mean it need a card + receiver)
One of the big differences in N2 system was the card pairing method which became different... i will explain detailed.
This means that we do not actually need a card eeprom dump to get card information in order to make it work with another receiver, but instead a Flash dump will temporarily fix thing if requested depending upon receivers.....
In europe we have 2 types of receiver for n2 cards this means receiver for DT08_0A card and receiver for DT06_0D cards i will explain their works in a while.....
DT06_0D is a card eeprom 24byte key stored somewhere in $axxx area this key is so famous too for being the key responsible on calculations applied RSA/IDEA algorithm to make card pairing..... in reality all its calculations will generate a 64byte key called RSA_N modulus
This RSA_N modulus is also stored in the receiver firmware from receivers that work with cards DT06_OD... receivers that work with DT08_OA will have this RSA_N modulus sent from card to receiver in another cmd.
So on receivers firmware for DT06_OD cards we have RSA_N key calculated from card DT06_0D key using rsa algorithm this 64byte must match the 64byte key stored in receiver flash.
We also have what we call a BK2 and another 8byte signature key, this BK2= Box key 2 is the old box key used in the N1 old system in our cards r10/r11 etc... this key is also kept in receiver firmware in order to process some calculations with the 8 byte signature key.
The result from this BK2 and 8 byte signature key is what we call card BK..... yes you can actually calculate the BK present in the new N2 card without dumping the card content, just by simply applying a calculation in the old N1 key and this 8 byte signature key.... they would not be dump enough to leave same N1 kye in card... but at the same time used old n1 key to be implemented on extra verification process.
This Bk2 is not important in receiver as 90% of pairing happens with calculations applied on the DT06_OD 24 byte key.
In the N2 system the card activation will occur by the CAM ID number on the card, this means that card will receive from TS Stream Unique CMD$04 emm-u and emm-s to pair card /activate and update subscription status.
Card is sent with the box....but card comes virgin like in the old n1 days.... card comes with IRD/bk/dt06_od 0000's
but the camd id will trigger all the activation process, by simply filtering the emm-s/u correct for that cam id and it will actually write the correct contents in to the card.
So you must assume by saying this all we need to do in order to clone a subscribed card is change cam id in card eeprom dump and here we go ........NO wrong this camd is is written in card eeprom and also in another protected firewalled area in $3000 eeprom content, this is the new things that came implanted in the card..... in order to write in this area you need to be able to calculate all crc and checksums applied.... put it this way if you write in that area without calculating the checksums on the next reset card KAPUT....
So how will we be open to program this cards??? can we use use phoenix programmer to write in to these cards???
Lets say initially NO, we will need to use unlooper with glitch scripts the same way we unloop card.
The only reason why r110 cards were compromised and changed quickly , is the MAP content this means Modular Arithmetic Processor ( we call it the heart of the card, purely because this contains all the algorithm numbers used to calculate alots of info)
This means if you have a MAP dump from R11 with eeprom and rom you will have full control of N1 cards and be able to calculate all functions used in keyroll update routines.....some peeps have some peeps done.
So lets quickly follow the process of N2
the main cmd's used in n2 were also available in N1 but under diff cmd's name
for instance:
CMD$04 = EMM (Entitlement management message) this emm $04 contains all the information used to Update keys in card eeprom and also contains all information used in order to activate cards and etc....
Now you must wonder how can a single cmd do all that......
it is very easy.... this cmd$04 is divided into 3 different groups
EMM-G (Global) this contains all IDEA Key updates and REV updates
EMM-S (Specific card group key) this key is used to a specific card group, this card group contains up to 256 cards normaly with the padron of camd id and this is used to update subscription tier rights etc...
EMM-U (Unique) This emm is normaly sent to a specific cam id number in order to activate card or deactivate.....
Then we have CMD$07 this comand is responsible for our video keys that will open channels.
Basically this cmd is used with IDEA Key to decrypt CW's once CW's are decrypted and a few more checks take place then receiver will open channels
So in order to Decrypt cmd$07 we need 2 keys
IDEA KEY 16 BYTES
and RSA_IDEA
the IDEA KEY =16 bytes is the one that changes constantly they can even change this key every minute if they want.
Basicaly this 16byte idea key is updated in the previou emm$04 and stored in card eeprom
once this is done we need to decrypt incoming CDM$07 ECM = Encrypted Control Message
in order to decrypt ecm$07 we need the folloing IDEA+RSA , once decrypted it will give us the CW's
This cw's are only valid for 15seconds, after that a new ecm will come with new cw's for card to decrypt.
Now you wonder so how does receiver gets CW's ???
Well once card decrypt them the card need to send them to receiver so receiver can open channels.
But unfortunately the card will not send them just like that.
The card will then use RSA calculations to encrypt the CW and then send them to the card, this is related to CMD$1C
So the receiver receives the CW's encrypted and will need to decrypt them....
But how will card do it ???? well the card will use the same RSA_n modulus key stored in receiver flash, the same one responsible for pairing card and will use it for decryption purposes of cw.
Once cw is decrypted in receiver it will open the channels for only 15secs after that is time for more work and with the same method applied a new CW will come for receiver to decrypt and open channels.
Bare in mind this is nothing new this is already used in N1
Card decrypts keys and then send CW's to receiver to open channels
Put it this way
If you find a technique to decrypt CW's instantaneous when sent back to receiver encrypted.... you have the hole world in you hands .... because you do not need to know new idea keys ...once you are capable of decrypting cw's direct you will always have tv open..... and that is all for now as i think i wrote to much information and to some people it will be chinese.
Anyways i recommend people to search on the net for N2 FAQ this will have commented details about all n2 cmds known so far
P.S - This is just a hobbie do not take it seriously or it could permanetly damage your life/family/friends..........
Cheers
Calhordas
stig_ohara
Inactive User
- Joined
- Nov 15, 2005
- Messages
- 2
- Reaction score
- 0
definitely, the germans, poles and romanians would piss themselves at a feeble n@gra 1 keyr0ll!!!
beany
Inactive User
- Joined
- Oct 19, 2007
- Messages
- 102
- Reaction score
- 0
Pheeeeew
Great explanation - now im off to lie down ! ! :err:
Great explanation - now im off to lie down ! ! :err:
Hi guys
I normaly do not post in threads like this.....but due to the fact of some reading in this post by mistake..yes mistake.... i have to pronounce myself shortly.......and at the same time spike some curiosity for the young minds.....
Here are the facts and i will have to use some of carwash comments (where are u no see for long time in thise places heheheh sweeping up :Cheers
Anyways.......
1 - As we all know N2 was implanted in other EU countries before it came to UPC and it has been deeply compromised in the past.....which means like any other company would do yeahhh they had to upstake their measure and do a card update like in spain and portugal where they now use R142 and R180 which people say it is the so called N3!!!!
In fact it is nothing compared to N3..... is is the same N2 family system but with a new CPU/chip security measures for Anti Glitch (unloops)
The same N2 cryptographic modules are implemented on this new cards.... the same way as the R110 UPC cards which in reality it will....nevermind
So going back in time and all the great mind here can pretty shure back me up "as i am just a simple servent in this hobbie" that most of the cryptograpic modules used in the old N1 system are still present in the new N2 sytem.....but like anything else in the world, it has suffered from a evolution...
For instance in the N1 cards we can prove that RSA_encryption algorithm is present (if i am not mistaken
If my mind does not colapsewe also have DES/3des encryption amongst others....
The only improvement in the N2 system was the bigger lenght of encryption packets maybe due to ist processor core..... for instance i think that the R110 cards support up to 1024bytes encryption algorithm RSA....
Also implemented in N2 System was IDEA encryption algorithm.... and with that a lot of new calculations.....
Please bare in mind that if ntl want's to upgrade firmware in all samsung and pace boxes to support n2 they are pretty well up to standard......
2- As we all know it takes a work team to make this n2 card work ( i mean it need a card + receiver)
One of the big differences in N2 system was the card pairing method which became different... i will explain detailed.
This means that we do not actually need a card eeprom dump to get card information in order to make it work with another receiver, but instead a Flash dump will temporarily fix thing if requested depending upon receivers.....
In europe we have 2 types of receiver for n2 cards this means receiver for DT08_0A card and receiver for DT06_0D cards i will explain their works in a while.....
DT06_0D is a card eeprom 24byte key stored somewhere in $axxx area this key is so famous too for being the key responsible on calculations applied RSA/IDEA algorithm to make card pairing..... in reality all its calculations will generate a 64byte key called RSA_N modulus
This RSA_N modulus is also stored in the receiver firmware from receivers that work with cards DT06_OD... receivers that work with DT08_OA will have this RSA_N modulus sent from card to receiver in another cmd.
So on receivers firmware for DT06_OD cards we have RSA_N key calculated from card DT06_0D key using rsa algorithm this 64byte must match the 64byte key stored in receiver flash.
We also have what we call a BK2 and another 8byte signature key, this BK2= Box key 2 is the old box key used in the N1 old system in our cards r10/r11 etc... this key is also kept in receiver firmware in order to process some calculations with the 8 byte signature key.
The result from this BK2 and 8 byte signature key is what we call card BK..... yes you can actually calculate the BK present in the new N2 card without dumping the card content, just by simply applying a calculation in the old N1 key and this 8 byte signature key.... they would not be dump enough to leave same N1 kye in card... but at the same time used old n1 key to be implemented on extra verification process.
This Bk2 is not important in receiver as 90% of pairing happens with calculations applied on the DT06_OD 24 byte key.
In the N2 system the card activation will occur by the CAM ID number on the card, this means that card will receive from TS Stream Unique CMD$04 emm-u and emm-s to pair card /activate and update subscription status.
Card is sent with the box....but card comes virgin like in the old n1 days.... card comes with IRD/bk/dt06_od 0000's
but the camd id will trigger all the activation process, by simply filtering the emm-s/u correct for that cam id and it will actually write the correct contents in to the card.
So you must assume by saying this all we need to do in order to clone a subscribed card is change cam id in card eeprom dump and here we go ........NO wrong this camd is is written in card eeprom and also in another protected firewalled area in $3000 eeprom content, this is the new things that came implanted in the card..... in order to write in this area you need to be able to calculate all crc and checksums applied.... put it this way if you write in that area without calculating the checksums on the next reset card KAPUT....
So how will we be open to program this cards??? can we use use phoenix programmer to write in to these cards???
Lets say initially NO, we will need to use unlooper with glitch scripts the same way we unloop card.
The only reason why r110 cards were compromised and changed quickly , is the MAP content this means Modular Arithmetic Processor ( we call it the heart of the card, purely because this contains all the algorithm numbers used to calculate alots of info)
This means if you have a MAP dump from R11 with eeprom and rom you will have full control of N1 cards and be able to calculate all functions used in keyroll update routines.....some peeps have some peeps done.
So lets quickly follow the process of N2
the main cmd's used in n2 were also available in N1 but under diff cmd's name
for instance:
CMD$04 = EMM (Entitlement management message) this emm $04 contains all the information used to Update keys in card eeprom and also contains all information used in order to activate cards and etc....
Now you must wonder how can a single cmd do all that......
it is very easy.... this cmd$04 is divided into 3 different groups
EMM-G (Global) this contains all IDEA Key updates and REV updates
EMM-S (Specific card group key) this key is used to a specific card group, this card group contains up to 256 cards normaly with the padron of camd id and this is used to update subscription tier rights etc...
EMM-U (Unique) This emm is normaly sent to a specific cam id number in order to activate card or deactivate.....
Then we have CMD$07 this comand is responsible for our video keys that will open channels.
Basically this cmd is used with IDEA Key to decrypt CW's once CW's are decrypted and a few more checks take place then receiver will open channels
So in order to Decrypt cmd$07 we need 2 keys
IDEA KEY 16 BYTES
and RSA_IDEA
the IDEA KEY =16 bytes is the one that changes constantly they can even change this key every minute if they want.
Basicaly this 16byte idea key is updated in the previou emm$04 and stored in card eeprom
once this is done we need to decrypt incoming CDM$07 ECM = Encrypted Control Message
in order to decrypt ecm$07 we need the folloing IDEA+RSA , once decrypted it will give us the CW's
This cw's are only valid for 15seconds, after that a new ecm will come with new cw's for card to decrypt.
Now you wonder so how does receiver gets CW's ???
Well once card decrypt them the card need to send them to receiver so receiver can open channels.
But unfortunately the card will not send them just like that.
The card will then use RSA calculations to encrypt the CW and then send them to the card, this is related to CMD$1C
So the receiver receives the CW's encrypted and will need to decrypt them....
But how will card do it ???? well the card will use the same RSA_n modulus key stored in receiver flash, the same one responsible for pairing card and will use it for decryption purposes of cw.
Once cw is decrypted in receiver it will open the channels for only 15secs after that is time for more work and with the same method applied a new CW will come for receiver to decrypt and open channels.
Bare in mind this is nothing new this is already used in N1
Card decrypts keys and then send CW's to receiver to open channels
Put it this way
If you find a technique to decrypt CW's instantaneous when sent back to receiver encrypted.... you have the hole world in you hands .... because you do not need to know new idea keys ...once you are capable of decrypting cw's direct you will always have tv open..... and that is all for now as i think i wrote to much information and to some people it will be chinese.
Anyways i recommend people to search on the net for N2 FAQ this will have commented details about all n2 cmds known so far
P.S - This is just a hobbie do not take it seriously or it could permanetly damage your life/family/friends..........
Cheers
Calhordas
