Nos obligan a molestarte con la obviedad de que este sitio usa cookies OK | Más información
receptor viark

Chincheta Autor Tema: NAGRA 3 CARDS ON LINUX BOXES.Dreamboxes and compables 7000,7020,500s,5620s  (Leído 25365 veces)

14/02/2009, 00:23

Desconectado delgui

e encontrado esto aver si alguien puede investigar

No tienes permiso para ver los enlaces. Regístrate o Autentícate

14/02/2009, 02:17Respuesta #1

Desconectado Sankocho

----------------------------------                                 __  __  __ ___    __  __
The NagraVision3 hacking FAQ                                      /_/ /_/ /_/ | |   /_/ /_/
Revision: 00000000                                                |_|/_/ /_/  |_|  /_/  |_|
                                                                  | || | | |  | |  | |  | |
                                                                  --  --  --   -    --   --
Contents:         

0: Openers
  0.1: Introduction/About me
  0.2: Where to find this FAQ
  0.3: Contributors
  0.4    :D    etractors
1: The T=1 protocol
  1.1: NagraVision2 ATR
  1.2: NagraVision's packet structure I: The ISO-specified portion
  1.2.1: Chained messages
  1.3: NagraVision's packet structure II: The IRD-to-CAM information field
  1.4: NagraVision's packet structure III: The CAM-to-IRD information field
  1.5: The status word
2: Commands
  2.1: Command list
  2.2: Command lengths, expected replies, and reply lengths
  2.3: Command breakdown
     2.3.Rom152.CMD.04: CMD $04/RSP $84 Entitlement Management Message (EMM)
     2.3.Rom152.CMD.07: CMD $07/RSP $87 Entitlement Control Message (ECM)
     2.3.Rom152.CMD.12: CMD $12/RSP $92 Serial Number Request
     2.3.Rom152.CMD.15: CMD $15/RSP $95 Processing cycle request
     2.3.Rom152.CMD.17: CMD $17/RSP $97 Special Entitlement Management Message Cmd17 (EMM)
     2.3.Rom152.CMD.18: CMD $18/RSP $98 Special Entitlement Management Message Cmd18 (EMM)
     2.3.Rom152.CMD.1A: CMD $1A/RSP $9A Control Word Request (video decryption key request)
     2.3.Rom152.CMD.1C: CMD $1C/RSP $1C Control Word Request (video decryption key request)
     2.3.Rom152.CMD.22: CMD $22/RSP $A2 Data item request
     2.3.Rom152.CMD.2A: CMD $2A/RSP $AA MECM key request
     2.3.Rom152.CMD.2B: CMD $2B/RSP $AB MECM key update
     2.3.Rom152.CMD.32: CMD $32/RSP $F2 Request for encryption of data to be sent in callback
     2.3.Rom152.CMD.33: CMD $33/RSP $F3 Request for data encrypted by previous command $32
     2.3.Rom152.CMD.48: CMD $48/RSP $78 Special Entitlement Management Message Cmd48 (EMM)
     2.3.Rom152.CMD.49: CMD $49/RSP $79 Get EMMPlaintext from Cmd48
     2.3.Rom152.CMD.4A: CMD $4A/RSP $7A Special Encrypt Message Cmd4A
     2.3.Rom152.CMD.64: CMD $64/RSP $E4 Write IRD info
     2.3.Rom152.CMD.65: CMD $65/RSP $E5 Get IRD Command from EmmCmd64
     2.3.Rom152.CMD.68: CMD $68/RSP $E8 Process UROM2 Data
     2.3.Rom152.CMD.69: CMD $69/RSP $E9 Process UROM2 Data
     2.3.Rom152.CMD.6A: CMD $6A/RSP $EA Update Provider Filter
     2.3.Rom152.CMD.6B: CMD $6B/RSP $EB Update and play with DecryptKey no 7A and Provider Filter
     2.3.Rom152.CMD.6C: CMD $6C/RSP $EC Update Provider Filter
     2.3.Rom152.CMD.6D: CMD $6D/RSP $ED Update or Create DecryptKeyno24
     2.3.Rom152.CMD.C4: CMD $C4/RSP $84 Special Entitlement Management Message CmdC4 (EMM)
     2.3.Rom152.CMD.C7: CMD $C7/RSP $B7 Request for ID of updated data items
     2.3.Rom152.CMD.C8: CMD $C8/RSP $B8 Request for date/time
         27Rom Total
     2.3.FW.CMD.05:     CMD $05/RSP $85 unknow
     2.3.FW.CMD.08:     CMD $08/RSP $88 unknow
     2.3.FW.CMD.16:     CMD $16/RSP $96 unknow
     2.3.FW.CMD.19:     CMD $19/RSP $99 unknow
     2.3.FW.CMD.27:     CMD $27/RSP $A7 unknow
     2.3.FW.CMD.28:     CMD $28/RSP $A8 unknow
     2.3.FW.CMD.29:     CMD $29/RSP $A9 unknow
     2.3.FW.CMD.2C:     CMD $2C/RSP $AC unknow
     2.3.FW.CMD.2D:     CMD $2D/RSP $AD unknow
     2.3.FW.CMD.63:     CMD $63/RSP $E3 unknow
     2.3.FW.CMD.6E:     CMD $6E/RSP $EE unknow
     2.3.FW.CMD.C9:     CMD $C9/RSP $B9 unknow
         12FW Total
  2.4: Basic command sequences
     2.4.1: Finding out if the card is busy or has new information
     2.4.2: Finding out what data types in the card's database have changed
     2.4.3: Retrieving a specific data item from the card
     2.4.4: Getting the data required to decrypt the video stream
3: EMM commands
  3.1: EMM command list
  3.2: EMM command breakdown
     3.2.01: EMM command $01   Set up for EMM commands
     3.2.10: EMM command $10   Spending limit item create
     3.2.12: EMM command $12   Create subscription tier
     3.2.13: EMM command $13   PPV Service
     3.2.20: EMM command $20   Modify subscription dates
     3.2.46: EMM command $46   Create and update Dt08 ItemId0A
     3.2.47: EMM command $47   DT06 key update for key no 30 (CMD48)
     3.2.48: EMM command $48   Create and update Dt08 ItemId0A
     3.2.49: EMM command $49   Create and update Dt08 ItemId0A
     3.2.42: EMM command $42   DT06 key update
     3.2.4F: EMM command $4F   CW Extra encryption
     3.2.54: EMM command $54   Update blackout bytes
     3.2.81: EMM command $81   Master program provider activation
     3.2.83: EMM command $83   Change EMM system ID
     3.2.64: EMM command $64   Encrypt IRD command
     3.2.90: EMM command $90   Create ItemID0B
     3.2.85: EMM command $85   Create ItemID04
     3.2.9F: EMM command $9F   EmmHeader for nextemmcmd by Cmp UpstatMsb:Lsb
     3.2.A1: EMM command $A1-AF Emm Filter by CamId
     3.2.B1: EMM command $B1   Execute code from RAM
       3.2.B1.0801 List: Emm Command $B1 List of packet 41 42 43 44 45 46 47
     3.2.C4: EMM command $C4   EmmCmdXX with Extra encryption Layer
     3.2.C5: EMM command $C5   WriteEEp at 311E and 311F and Update Date_Copy
     3.2.E0: EMM command $E0   ItemID Update
     3.2.E3: EMM command $E3   Write eeprom
       3.2.E3: EMM command $E3   Write eeprom, Sub section all EmmcmdE3 packet for Rom102Rev241 to Rom102Rev242
   3.2.E3: EMM Command $E3   write eeprom,   Sub Section Understand EmmcmdE3 by dasm
     3.2.F3: EMM command $F3   
4: 21-xx data types
  4.1    :D    ata type list
  4.2    :D    ata type breakdown
   4.2.00    :D    ata Type$00   Mapped ItemID[01] - IRD INFO
   4.2.01    :D    ata Type$01   Mapped ItemID[02] - System Type
   4.2.02    :D    ata Type$02   Mapped ItemId[03] -
   4.2.03    :D    ata Type$03   Mapped ItemID[04] -
   4.2.04    :D    ata Type$04   Mapped ItemID[05] - Provider Info
   4.2.--    :D    ata Type$--   Mapped ItemID[06] - Decrypt Keys
   4.2.05    :D    ata Type$05   Mapped ItemID[07] - Tier
   4.2.06    :D    ata Type$06   Mapped ItemID[08] - Provider Filter
   4.2.07    :D    ata Type$07   Mapped ItemID[09] - Spending Limit
   4.2.08    :D    ata Type$08   Mapped ItemID[0A] - DT08+C8
   4.2.      :D    ata Type$   Mapped ItemID[0B] -
   4.2.      :D    ata Type$   Mapped ItemID[0C] -
   4.2.      :D    ata Type$   Mapped ItemID[FF] - DTMatchany
5: The backdoors
  5.1: The backdoor passwords
  5.2: The backdoor commands
6: Inside NagraVision cards
  6.1: The MCU core
  6.2: AA-06 vs AA-07
7: Glossary
  7.1: Glossary
8: Encryption
  8.1: ECM encryption
     8.1.1: The encryption algorithm
  8.2: EMM encryption
  8.3: The valid hash
9: Hacks
10: Firmware versions of the various E* cards
  10.102: ROM152 firmware versions
11: Writing code for NagraVision cards
  11.3: ROM152 cards
     11.3.1: Bug-catcher modules
     11.3.2: Hooking in a bug-catcher
     11.3.3: Useful routines and memory locations
        11.3.3.1: Utility routines
        11.3.3.2    :D    atabase routines
        11.3.3.3: Low-level routines
        11.3.3.4: Encryption/decryption routines
     11.3.4: Memory usage
        11.3.4.1: ZP RAM
        11.3.4.2: Other RAM
        11.3.4.3: Tables in ROM and EEPROM
    11.3.5: MAPROM
13: Stream
  13.1:   Bootup sequence 0101
  13.2:   Bootup sequence 0101 cut
  13.3:   Bootup sequence 0801
  13.4:   Bootup sequence 0801 cut
  13.8:   Nagra_3_config1.1.cfg for T-Rex Nagra-Tool
  13.9:   DASM ROM152_ND13_A0FF-INTERCEPT-autoVCC_20.XVB   
   Blockerv7 Backdoor dasm
   Blockerv7 emmhandler dasm
        22sk dasm
   _______________________________________ _______________________________________ _______________________
  /|                                                                                                   /|
 / |                                                                                                  / |
/__|_________________________________________________________________________________________________/  |
|  |                                                                                                 |  |
|  |     Special thanks to Stunteam, Stuntguy, No1b4me,Bobigboys,IDAPRO,Dbdan,                       |  |
|  |_________________________________________________________________________________________________|__|
|  /                                                                                                 |  /
| /                                                                                                  | /
|/___________________________________________________________________________________________________|/

#####################################################################################################
#####################################################################################################


#####################################################################################################
#####################################################################################################
#section00: Openers
#0: Openers
#####################################################################################################
hello

#####################################################################################################
#####################################################################################################
#  1.1: NagraVision2 ATR
#
#####################################################################################################

  3F ...                                              Convention
   |
   |_____________ Inverse convention (data is inverted)

  FF 95 00 FF 91 ...                                  Initial parm setup
   |  |  |  |  |
   |  |  |  |  |_ Td1=91 (Ta2 and Td2 will be sent, Protocol is async
   |  |  |  |              half duplex block format)
   |  |  |  |____ Tc1=FF (Guard time=257 bits)
   |  |  |_______ Tb1=00 (No Vpp)
   |  |__________ Ta1=95 (F=512, D=16; Bit period=(512/16) (32) clocks)
   |_____________  T0=FF (Ta1, Tb1, Tc1, and Td1 will be sent, 15
                           historical characters will be sent)

  81 71 ...                                           Secondary parameters
   |  |
   |  |__________ Td2=71 (Ta3, Tb3, and Tc3 will be sent, protocol is async
   |                       half duplex block format)
   |_____________ Ta2=81 (Mode change not allowed, Protocol is async half
                           duplex block format)

  FF 47 00 ...                                        T=1 specific parameters
   |  |  |
   |  |  |_______ Tc3=00 (LRC (XOR-type) error checking to be used)
   |  |__________ Tb3=47 (Char wait time is 25 bit times, block wait time
   |                       is 634.9 mSec + 11 bit times) (1 bit time=7.111
   |                       uSec)
   |_____________ Ta3=FF (Receive block size=0xFF bytes (255 bytes decimal)

  44 4E 41 53 50 53 30 31 20 52 65 76 36 34 30 ...    Historical bytes
   |                                         |
   |_____ ___________________________________|
         |
         |_______ ASCII text: "DNASPS01 Rev640". 

  05
   |_____________ Checksum (all other bytes XORed together except the First "3F"byte)

#####################################################################################################
#####################################################################################################
#  1.2: NagraVision's packet structure I: The ISO-specified portion
#
#####################################################################################################

Bit convention note (C/P from wapo source) , and meltro correction
      ------------------------------------------------------------
       NOTE: For RS-232, the output is normally low.
       We must drive it high for start, stop, or data bits.
       Using 115,200 baud, 1 start bit, 1 stop bit, no parity bit.
       Order of bits sent is:
       Start, LSB.....MSB, Stop


       NOTE: For ATR message (from CAM to IRD at ~12,097 baud):
      
       Bits are inverted (1 vs 0), i.e. if you want to send
       a 1 then you drive the pin low.
       1 start bit (always 1, which is 0 volts),
       8 data bits,
       3 stop bits (always 0, which is 5 volts),
       no parity bits.
       Order of bits sent is:
       Start, MSB.....LSB, Stop
       This is backwards from the way RS-232 does it.
       Bit duration is 82.7 uS
       Byte duration is 992 uS




       Data rate specified for IRD/CAN normal comms is 140,625.
       Bits are inverted (1 vs 0), i.e. if you want to send
       a 1 then you drive the pin low.
       1 start bit (always 1, which is 0 volts),
       8 data bits,
       2 stop bits (always 0, which is 5 volts),
       no parity bits.

       Or is it 1 parity and 1 stop?
      
       Order of bits sent is:
       Start, MSB.....LSB, Stop
       This is backwards from the way RS-232 does it.
       Bit duration is 7.11 uS
       Byte duration is 78.2 uS
      ------------------------------------------------------------
#####################################################################################################
#####################################################################################################
#section1.5
#The status word
#####################################################################################################
N1 + N2 status word

        SW1     SW2     Meaning
        ------  ------  -----------------------------------------------
        63      00      Password(s) incorrect
        69      82      Need password for access to backdoor commands
        69      85      EEPROM data area pointer no good (Doesn't point to
                         an address in the $Exxx range)
        69      86      Bad address in backdoor read/write memory command
        6A      00      P1 and/or P2 byte incorrect
        6B      00      Incorrect reference
        6C      FF      Requested too few data bytes in $21 command
        6D      00      Instruction not supported
        6E      00      CLA not supported
        6E      00      P1 and/or P2 byte incorrect (note: This is a bug in
                         the ROM3 code...in theory, this situation should
                         produce an SW1/SW2 of 6A 00, but it doesn't (in fact,
                         nothing does))
        6F      00      Command not supported
        90      00      Command completed successfully

   90   01   ???



#####################################################################################################
#####################################################################################################
#section2.1 commands
#Nagra1 and Nagra2 Command list From Rom and Firmware
#####################################################################################################
A0 CA 00 00 HEADER Command list, ROM2-3-10-11-101(007)-102(103)-S01(640)
(always need correction somewhere in table)
-----   ------  ------  -----   ------  -----   ------------------------------------------------------------
                 Data      RSP   
CMD #FW Length  Length  RSP #   Length  Type     Description
-----   ------  ------  -----   ------  -----   ------------------------------------------------------------
00  Y     00     Varies  00     00     N1     Entitlement Management Message (EMM)
00  Y     4D     53     80     05     N1     Entitlement Management Message (EMM)
01  Y     4D     53     81     05     N1     PPV Entitlement Management Message
02  Y     4D     53     82     05     N1     MECM key update
03  Y     00     Varies  83     05     N1     Entitlement Control Message
04  Y     00     Varies  84     02     N2     Entitlement Management Message (EMM)
04  Y     00     Varies  84     02     N2     Entitlement Management Message (EMM)
05  Y     00     Varies  85     05     ??
07  Y     00     Varies  87     02     N2     Entitlement Control Message
08  Y     00     Varies  88     04     ??
12  Y     02     08     92     06     N1/N2   Serial Number Request
13  Y     03     09     93     00     N1     Control Word Request (video decryption key request)
14  Y     02     08     94     06     N1     Processing cycle request
15  Y     02     08     95     08     N2     Processing cycle request
16  Y     00     Varies  96     04     ??
17  Y     00     Varies  97     02     N2     Special Entitlement Management Message Cmd17 (EMM)
18  Y     00     Varies  98     02     N2     Special Entitlement Management Message Cmd18 (EMM)
19  Y     00     Varies  99     04     ??
1A  Y     02     08     9A     00     N2     Control Word Request (video decryption key request)
1C  Y     02     08     9C     36     N2     Control Word Request (video decryption key request)
20  Y     06     0C     A0     03     N1     Data items available request
21  Y     00     Varies  A1     00     N1     Data item request
22  Y     03     09     A2     00     N2     Data item request
26  Y     07/02     0D/08     A6/86     42/00     N2
27  Y     47     4D     A7     02     ??
28  Y     03     09     A8     1A     ??
29  Y     02     08     A9     04     ??
2A  Y     02     08     AA     42     N2     MECM key request
2B  Y     42     48     AB     02     N2     MECM key update
2C  Y     02     08     AC     42     ??
2D  Y     42     48     AD     02     ??
30  Y     05     0B     F0     05     N1     Request for encryption of data to be sent in callback
31  Y     02     08     F1     52     N1     Request for data encrypted by previous command $30
32  Y     05     0B     F2     03     N2     Request for encryption of data to be sent in callback
33  Y     02     08     F3     00     N2     Request for data encrypted by previous command $32
40  Y     02     08     70     04     N1     EEPROM data space available request
41  Y     00/02     Varies  71/C1     03/00     N1/N2     PPV buy write
42  Y     09     0F     72     03     N1     PPV buy link
48     02     08     78     02?     N2     Special Entitlement Management Message Cmd48 (EMM)   
49     02     08     79     56?     N2     Get EMMPlaintext from Cmd48
4A     XX     XX     7A     xx     N2     Special Encrypt Message Cmd4A
55     05     0B     D5     06     N1     Mail Read
56     05     0B     D6     06     N1     Delete Mail
60  Y     02     08     E0     42     N1     Get IRD command
61  Y     16     1C     E1     03     N1     Write IRD info
63  Y     12     18     E3     03     ??
64  Y     12     18     E4     03     N2     Write IRD info
65  Y     02     08     E5     52     N2     Get IRD Command from EmmCmd64
68  Y     00     Varies  E8     03     N2     Process UROM2 Data
69  Y     00     Varies  E9     02     N2     Process UROM2 Data
6A  Y     04     0A     EA     02     N2     Update Provider Filter
6B  Y     07     0D     EB     02     N2     Update and play with DecryptKey no 7A and Provider Filter
6C  Y     03     09     EC     02     N2     Update Provider Filter
6D           ED              N2     Update or Create DecryptKeyno24
6E  Y     00     Varies  EE     04     N2
99  Y     1A     20     99     1A     N1     Anti-piracy message
C0  Y     02     08     B0     06     N1/N2   CAM status request
C1  Y     02     08     B1     04     N1     Request for ID of updated data items
C4  Y     00     Varies  B4     02     N2     Special Entitlement Management Message CmdC4 (EMM)
C7  Y     02     08     B7     04     N2     Request for ID of updated data items
C8  Y     02     08     B8     06     N2     Request for date/time
C9  Y     00     Varies  B9     04     ??
-----   ------  ------  -----   ------  -----   ------------------------------------------------------------
      Data      RSP         RSP    Cmd
CMD #FW Length  Length  RSP #   Length  Type   Description
-----   ------  ------  -----   ------  -----   ------------------------------------------------------------
Y in table = Include in firmware list see below

From FW, Firmware 2700-2800
CMD
C0 12 99 60 40 14 C1 20-21 03 13 02 00 01 30 31
41 42 61 2C 2D 05 65 15-C8 22 C7 07 08 1C 1A 2A
2B 26 27 28 29 04 04 17-16 18 19 32 33 C4 C9 64
63 68 6E 69 6A 6B 6C 00

Length
02 02 1A 02 02 02 02 06-00 00 03 4D 4D 4D 05 02
00 09 16 02 42 00 02 02-02 03 02 00 00 02 02 02
42 07 47 03 02 00 00 00-00 00 00 05 02 00 00 12
12 00 00 00 04 07 03 00

RSP #
B0 92 99 E0 70 94 B1 A0-A1 83 93 82 80 81 F0 F1
71 72 E1 AC AD 85 E5 95-B8 A2 B7 87 88 9C 9A AA
AB A6 A7 A8 A9 84 84 97-96 98 99 F2 F3 B4 B9 E4
E3 E8 EE E9 EA EB EC 00

Rsp lengths:
06 06 1A 42 04 06 04 03-00 05 00 05 05 05 05 52
03 03 03 42 02 05 52 08-06 00 04 02 04 36 00 42
02 42 02 1A 04 02 02 02-04 02 04 03 00 02 04 03
03 03 04 02 02 02 02 00




#####################################################################################################
#####################################################################################################
#section2.2 commands
#Command Breakdown
#####################################################################################################

initial test was on virgin rom.
rom101 was 007
rom102 was 103
romS01 was 640

N3Rom Command and Firmware Command

#####################################################################################################
#####################################################################################################
#Cmd.04
#Rom:101-102-S01
#      Data               RSP    Cmd
#CMD #   Length  Length  RSP #   Length  Type   Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#04     00     Varies  84     02     N2     Entitlement Management Message (EMM)
#04     00     Varies  84     02     N2     Entitlement Management Message (EMM)
#####################################################################################################
S01 accept more big packet
each ecm or emm packet need more recent date than eeprom

768 bit

CD 5C 06                    call    CmpZPtoZP3P               ; Compare ZP RAM to ZP RAM
                                                              ; (Params: Start1, Start2, Length)
             ; ---------------------------------------------------------------------------
8A                          dc.b {EMMBUFF+$A}                 ; Valid Date IF lower or equal
82                          dc.b {EMMBUFF+2}                  ; EEprom Date(2HL)Time(1H) from 30DD, 30DE,30DF,
03                          dc.b 3
             ; ---------------------------------------------------------------------------
23 1A                       jrule   DecodeECM_EMM_CompareDate_BADDATE ; Jump if (C + Z = 1)


  21 00 6D ; A0 CA 00 00                ;Standard header
             67                         ;Instruction length
             04                         ;Command
             65                         ;Command data length
             09 01                      ;Providor
             81 00 10                   ;Key select byte
             F5 F9 5D DE 10 A6 5D FB    ;Signature
             28 9D 78 5C 10 E1 CA 38    ;Encrypted Package #0
             1B A6 45 7E 9E 28 2C C6    ;Encrypted Package #1
             3F E2 90 1A 8F 64 DF EA    ;Encrypted Package #2
             20 34 E5 AD BB 94 E5 05    ;Encrypted Package #3
             8B A0 7B 22 51 20 47 98    ;Encrypted Package #4
             52 43 64 9E 55 7B 4E B6    ;Encrypted Package #5
             93 F5 45 1F 09 2D C7 FD    ;Encrypted Package #6
             5D A4 C0 87 1B E3 B1 1E    ;Encrypted Package #7
             8B B7 74 BC 90 C9 00 42    ;Encrypted Package #8
             A1 09 BF D0 76 EF 7D 10    ;Encrypted Package #9
             58 AB 77 FE 71 61 9B BB    ;Encrypted Package #A
             02                         ;Expected response length
             CA                         ;Checksum

  12 00 04 ; 84                         ;Response code
             00                         ;Response data length
             90 00                      ;SW1/SW2: Successful completion
             02                         ;Checksum

Key select byte
81 00 10 or 81 00 90 Single CAM
82 00 10 or 82 00 90 All CAMs


  21 40 6D ; A0 CA 00 00
             67
             04
             65
             09 01
             82 00 90
             EE 73 55 9F B9 D5 02 7A
             64 1E 72 0E 3F 61 11 26
             D2 5C F2 AB DF 20 8D 89
             75 CB A5 23 2C C3 E6 52
             FD 60 F8 53 34 4B 28 6F
             64 1D 6D 94 FD 5E D9 D9
             47 80 5C AA 73 F1 4C 06
             7A 88 35 58 E8 5A 8F 37
             BA 18 EC 94 C5 40 58 7C
             59 46 4B DD FC B7 D3 BB
             4C A8 57 C7 43 11 8C D3
             6B 4F 87 07 DC D9 D9 4E
             02
             C4


             09 01                  ;Emmbuff+00, Provider
             13 E5 63 EA D8 B6               ;Signature
             09 01                  ;PROVIDER 
             13 DB 00 01               ;Date VALID EMMBUFF8A
             14 34 03 84               ;Date2 Always compare with eepromDate30DD
             42 00 10 06 08 00 10 10   F2 6F 9D 76 A8 03 DF C7  ;Emmcmd42
             71 B1 BD F2 EA A1 D1 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00   00 00 00 00 00 00 07 DC
             D9 D9 4E 02 00 00 00 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00
             00 00 00 00 00 00 00




IDEA Keys in eeprom

00 --> Unknown
01 --> for EMM-S
02 --> for EMM-G
03 --> for EMM signing
06 --> for ECM
07 --> for ECM signing
09 --> for cmd 32/33
0B --> unknown
 



Ready to send packet:

21 00 6D A0 CA 00 00 67 04 65 09 01 81 00 10 F5 F9 5D DE 10 A6 5D FB 28 9D 78 5C 10 E1 CA 38 1B A6 45 7E 9E 28 2C C6 3F E2 90 1A 8F 64 DF EA 20 34 E5 AD BB 94 E5 05 8B A0 7B 22 51 20 47 98 52 43 64 9E 55 7B 4E B6 93 F5 45 1F 09 2D C7 FD 5D A4 C0 87 1B E3 B1 1E 8B B7 74 BC 90 C9 00 42 A1 09 BF D0 76 EF 7D 10 58 AB 77 FE 71 61 9B BB 02 CA

12 00 04 84 00 90 00 02
#####################################################################################################
#####################################################################################################
#Cmd.05
#Rom:FWOnly
#      Data               RSP    Cmd
#CMD #   Length  Length  RSP #   Length  Type   Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#05     00     Varies  85     05     ??
#####################################################################################################


Ready to send packet:
21 00 08 A0 CA 00 00 00 05 00 05 43

12 00 02 6F 00 7F            Rom 101-102-S01 command not supported



#####################################################################################################
#####################################################################################################
#Cmd.07
#Rom:101-102-S01
#      Data               RSP    Cmd
#CMD #   Length  Length  RSP #   Length  Type   Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#07     00     Varies  87     02     N2     Entitlement Control Message
#####################################################################################################
   This command is used to prime the card to return video decryption keys to
the IRD.  Contained within this command's encrypted packets are information
pertaining to the program tier the user is attempting to view, the correct
audio and video decryption keys for the channel, current date and time, and so
forth.  When a card receives a $1C command, it will re-encrypt the decryption
keys using the IRD's 8-byte key and return them to the IRD if it (the card)
believes that the program tier that the user is attempting to watch is one for
which they are authorized.
   In addition to information about the program that the user is attempting to
watch, the $07 command contains information about the encryption method used,
how many encrypted video keys are present, and so forth.

   Example of a $07 command and its response:

  21 00 4D ; A0 CA 00 00                ;Standard header
             47                         ;Instruction length
             07                         ;Command
             45                         ;Command data length
             01 01                      ;System ID
             86 00         ;key select?
             88                         ;values = 08 or 88
             46 FE 13 E9 56 82 74 E1    ;Data Package #0
             6A 25 B4 75 9A 11 {D3} B2    ;Data Package #1
             {52 EC 50 6A} 5C 19 83 E7    ;Data Package #2
             48 B4 65 4C A5 47 2F 84    ;Data Package #3
             E6 C3 0B 16 A4 9A 4E AE    ;Data Package #4
             B7 01 41 0E E6 54 D8 2C    ;Data Package #5
             BC 9E 9B 5E 24 E6 48 CF    ;Data Package #6
             96 A9 E1 76 1A 2D F0 89    ;Data Package #7
             02                         ;Expected response length
             4C                         ;Checksum

  12 00 04 ; 87                         ;Response code
             00                         ;Response data length
             90 00                      ;SW1/SW2: Successful completion
             01                         ;Checksum

Ready to send packet:
21 00 4D A0 CA 00 00 47 07 45 01 01 86 00 88 46 FE 13 E9 56 82 74 E1 6A 25 B4 75 9A 11 D3 B2 52 EC 50 6A 5C 19 83 E7 48 B4 65 4C A5 47 2F 84 E6 C3 0B 16 A4 9A 4E AE B7 01 41 0E E6 54 D8 2C BC 9E 9B 5E 24 E6 48 CF 96 A9 E1 76 1A 2D F0 89 02 4C

12 00 04 87 00 90 00 01
#####################################################################################################
#####################################################################################################
#Cmd.08
#Rom:FWOnly
#      Data               RSP    Cmd
#CMD #   Length  Length  RSP #   Length  Type   Description
#-----   ------  ------  -----   ------  -----   ----------------------------------------------------
#08     00     Varies  88     04     ??
#####################################################################################################

Ready to send packet:
21 00 08 A0 CA 00 00 00 08 00 04 4F

12 00 02 6F 00 7F            Rom 101-102-S01 command not supported


###########################################################

14/02/2009, 13:59Respuesta #2

Desconectado delgui

y eso significa???

14/02/2009, 17:41Respuesta #3

Conectado duke

  • Administrador Global
  • ****
  • Gracias
  • -Dada: 732
  • -Recibida: 5295
  • Mensajes: 123947
  • __d u k e__
No tienes permiso para ver los enlaces. Regístrate o Autentícate
y eso significa???

¿? esta en la web que tu indicas.....

14/02/2009, 18:03Respuesta #4

Desconectado delgui

jejeje lo se jeje pero por si alguien entiende k si significa k ya esta abierto o no esta abierto o con eso se puede

14/02/2009, 18:43Respuesta #5

Conectado elgeneral

  • El del VietNan
  • Administrador Global
  • ****
  • Gracias
  • -Dada: 120
  • -Recibida: 1875
  • Mensajes: 20905
abierto no esta nada aun que se sepa

pero mira esta info en la que dicen que la siguiente version de CCcam 3.0 lo abre todo no se si sera cierto pienso que es la ansiedad del personal


Cccam 3.0 new info
coming soon
for a perfect CCcam 3.0


AUTOMATIC K eyupdate for following providers
Premiere, Premiere Star, Digital+ ( Nagra 3 )
SSR SRG ( Schweizer Fernsehen ) ( Viaccess )

Cryptoworks hardencoded bug on CAID 0d22 ( Arena / Tividi )
Only ok with version Version 2.0.1
Channels : AXN, RTL Crime, History Channel, Kinowelt TV don't work because of parental control ( PIN )

NAGRA 2/3 new ROM 142 support
TV Cabo on Hispisat 30 degrees
( Polsat in future )

IRDETO card support improovement
and IIRDETO 2 Version 2 card support

Entitlements corrections
some cards are showing entitlements in HEX form
Chid 7D2B - date 0xcb5 valid 0xfe
Chid 00E1 - date 0xcb5 valid 0xf1

KATHREIN UFS 910 receiver support

TRIPLE DRAGON receiver support

REELBOX receiver support

FRITZBOX ROUTER support
( executable in FRITZBOX router )

NSLU2 support Debianslug
( LSB executable )

Multi EMU
CCcam should be able to run in one session with an other EMU
( CCcam with MGCAMD or CCcam with CAMD3 or CCcam with NP )

NEWCS card's -> LOAD BALANCE
CCCam should be able to identify identical cards connected by newccamd protocol to balance load onto these cards

CAID remapping
CCcam should request ECM under a different CAID
( for example : TV Cabo CAID remap 1802 -> 1801)

LOG output via UDP Port

Shares expiration for clients ( DATE )
F: user password 2 0 0 { 0:0:3 ) 15.05.2008
Client will get shares until 15.05.2008 ( defined date behind F: line ) Then the shares will expires

Remote AU ( ***update ) support
**** on server ( Internet CS or Local CS will update **** on client box )
Update Softcam.*** via server for client box

0 Hop filtering
All 0 HOP servers should be filtered/deleted for better CS performance
( Example : In CCcam.cfg : ZERO HOP FILTERING : YES )

More than 1 client access per F: line
( Clients who have more than one receiver. Not like yet : 1 line for 1 client )
( Example : In CCcam.cfg: F: user password x.x.x. { x } 2
= 2 accesses with one F: line

EMM on decode failed switchable
( for CPU speed improovement )

EMU / CARDREADER / CS -> PRIORITY SETTING
( Define in CCcam.cfg which priority should have : CS / EMU / CARDREADERS )

Emded cardreaders -> ENABLE / DISABLE function

NP EMU ( G: lines ) improvement
( error connections & errors in peers )

REMM/AU to CAMD3 and NEWCS servers

EMM PARSING
on different providers

Understanding of griffin encryption : Bulsatcom & Athina Sat cards

More options for the local cards used at anytime on the server (DM or PC)
Use only these SID`s or ECM PID`s for this card on sci reader or ****** reader.
Also to add a parameter to force CCcam to access only these readers.
For
now if you start newcs before and occuppies the readers then its ok
otherwise no other option to force CCcam not to use them.

Change the parameters for SID`s on F: line and C: line
They should make it to ALLOW only these sids and BLOCK all the others.
For now is ALLOW all and BLOCK these,which it doesnt work ok with Irdeto cards and a lot of load is hammering identical cards
( CAID 0604 - N***, Showtime, ART )
What a mess if you have 3 cards like them ...

One "open" protocol as server
( for example NEWCS ) for use in heterogene EMU networks

More than one CA/ID per L    :(    CAMD3) line
( Wildcards )

Possibility to use the postinit in mode auto not only when CCcam start
Like the NP EMU, where you can place a file on tmp and he send directly to slot.

Dbox2 Multicam cardreader support
Examples : COM2 = /dev/tts/1 and/or COM1 = /dev/tts/2

Support of pure NAGRA cards
Kabel Deutschland - K09 card
ENTAVIO smartcard

Support improvement of SC8in1 cardreader
Problem : Often loosing cards
SC8in1 recognizing in all different CCcam versions ( CCcam.x86 )

Load On Demand (LOD) feature
Load On Demand ( LOD ) for different modules ( functions )
Load On Demand for WebIf / NewCS / G**X / ...

Support of feynman protocol from "new" NEWCS

Possibility to add a card coming from a local server as local card to CCcam instead of HOP1 card.
( L: , N: , R: lines )

PID logging file ( PID.INFO )
like MGCAMD does -> easier way to create a CCcam.prio
ECM: CaID: 0x1801 -> CaPID: 0x1672 ProvID: 000000
ECM: CaID: 0x1702 -> CaPID: 0x100E ProvID: 000000

VIASAT Nordic card initialize failure
Since CCcam version 1.2.0 -> Failure to initialize these cards - NDS - CAID 090F
( With CCcam 1.1.1 work fine )

Gl***l limit list feature
GL***LLIMITS: { 0:0:0, 100:2f:2, 1002, 100:36:2, .... } and on C: line if you want to use this list :
C    :(     { caid:id(:uphops), caid:id(:uphops), ... } )
Note
: if {} limits are added, you can make changes to the settings from
gl***l - the one from C: line has higher priority than the gl***l list

15/02/2009, 17:01Respuesta #6

Desconectado gumito

pero vamos a ver, y esto que significa

 

GoogleTagged





PadreDeFamilia
!! ADVERTENCIAS !!: Las informaciones aquí publicadas NO CONTIENEN KEYS para la decodificación de ningún sistema: NO SON OPERATIVOS en sistemas SAT que precisen de su correspondiente suscripción. ESTA TOTALMENTE PROHIBIDO EL USO DE ESTAS INFORMACIONES PARA LA MODIFICACIÓN O DEFRAUDACIÓN DE SISTEMAS DE ACCESO CONDICIONAL. ESTOS FOROS SON MODERADOS Y NO SE PERMITE LA PUBLICACIÓN DE INFORMACIONES ILEGALES POR PARTE DE LOS USUARIOS. EN CASO DE DETECTARSE ESTE TIPO DE INFORMACIONES, LOS USUARIOS SERÁN EXCLUIDOS DE ESTAS PÁGINAS.
PROHIBIDA LA PUBLICACIÓN DE ENLACES A FIRMWARES ILEGALES