BK&RSA
Programmers
Page 25 of 32 First

13-03-2015, 20:33

#241
Join Date: Sep 2014
Posts: 27
Thanks: 11
Thanked 0 Times in 0 Posts
Country:

majorge
Member

If I get the dump I can decode the block and give you the BK and RSA, from Pace and Thomson.
15-03-2015, 04:38


R.e.L.o.A.D.e.D

#242
Join Date: Dec 2011
Posts: 22
Thanks: 17
Thanked 32 Times in 11 Posts
Country:

Member

~!testing/educational purposes!~
~!Greetings ALL!~
#########################################################
@bubumt
@yvry
@funiy
@x_mann
Guys please understand... the HW pairing stuff is a very new type of pairing... So the ground around this stuff is very hot.. no one who has fallen on his head is going to publish any fastidious information... It's really rare and dangerous... please try to handle it discreetly and don't ask about it in public... because no one will help You... No one wants to get busted for helping in a case like this.... time will solve everything, just need to wait a bit... after the operators and big companies have earned enough and calmed down... after that they begin to leak private information through 3rd hands, because they need to develop a newer type of encryption..... it's all about marketing...
#########################################################
@Salvat0re please clarify Your question and let us know which info You need: type of decoder or packet? D+ Spain? Classic N3 CAK_V6? or GolTV? maybe other?...
#########################################################
@bmohsen Very briefly.. When the boot-loader has blocked the connections then You cannot connect over any connection type (TTL_UART_DEBUG/BBS/JTAG.... etc..). First let's unlock that connection... please check the u-boot.. it is your medicine... u-Boot
#########################################################
@Dcroft : Here is the answer for Your questions!
1. No, it is not possible to pair any N3 card with anything other than the factory receiver, which is certified by the Kudelski group! Where the original cam manager is classic CAK_V6 or new CAK_CPU!
2. Yes Sir, it is possible to extract the IRD plain data from Your receiver for testing/educational purposes, when that receiver still uses CAK_V6 and when You are talking about the classic card_rom with [ ATR: 3F FF 95 00 FF 91 81 71 FE 47 00 44 4E 41 53 50 31 34 32 20 52 65 76 47 30 34 10 = ?......q.G.DNASP142 RevG04. ] check the example photo which was taken from oscam, so it is the evidence that it works!!!
3. You need to have good tools which aren't so cheap... and knowledge of reflowing/dumping of the NOR BGA chipset!!! Or you need to find some specialist who will help You for testing/educational purposes at Your own responsibility!!!
~!Regards!~

Last edited by R.e.L.o.A.D.e.D; 15-03-2015 at 05:02.. Reason: ~!testing/educational purposes!~

The Following 5 Users Say Thank You to R.e.L.o.A.D.e.D For This Useful Post:
Albert-M (19-03-2015), Dani270 (28-10-2015), freon (15-03-2015), funiy (15-03-2015), njunwa wamavoko (15-03-2015)
15-03-2015, 05:47

R.e.L.o.A.D.e.D

#243
Join Date: Dec 2011
Posts: 22
Thanks: 17
Thanked 32 Times in 11 Posts
Country:

Member

!testing/educational purposes!not for 3.party persons!

Dear @fr3n2y:
Yes Sir, it is possible to extract the plain IRD data from the (Canal+ [D+] Spain Cisco iPlus C20) receiver for testing/educational purposes!!!
I can recommend for You the same as for the member @Dcroft ... Very briefly: "need to have good tools which aren't so cheap... and knowledge of reflowing/dumping of the NOR BGA chipset / cryptographic knowledge...!!! Or need to find some specialist who will help You for testing/educational purposes at Your own responsibility!!!"
Contact me or I will contact You soon, and I will explain "everything" You need to know about it, but only over PM; this forum was set to public access for this topic, everyone can read everything without login credentials...... not secure to talk publicly about too fastidious things... it causes an encryption change or card system change...!!! Please understand it's just a hobby... I/We do not want problems...

~!God bless all normal friendly members of this site!~


~!Let's rise the knowledge and learn at rest and at peace!~
By3

Last edited by R.e.L.o.A.D.e.D; 15-03-2015 at 05:59.. Reason: !testing/educational purposes!not for 3.party persons!

The Following 4 Users Say Thank You to R.e.L.o.A.D.e.D For This Useful Post:
Albert-M (19-03-2015), Dani270 (28-10-2015), freon (15-03-2015), funiy (15-03-2015)
15-03-2015, 12:25

#244
Join Date: Sep 2014
Posts: 27
Thanks: 11
Thanked 0 Times in 0 Posts
Country:

majorge
Member

Quote:

Originally Posted by R.e.L.o.A.D.e.D


3. You need to have good tools which aren't so cheap... and knowledge of reflowing/dumping of the NOR BGA chipset!!! Or need to find some specialist who will help You for testing/educational purposes at Your own responsibility!!!
There is an easier way to get the dump
15-03-2015, 13:14

#245
Join Date: Dec 2011
Posts: 75
Thanks: 5
Thanked 28 Times in 25 Posts
Country:

fun7
Senior Member

Can you please stop talking this giant bullshit?

The real reason why providers are rolling out chipset security is because people like you exist who make a living on pairing data extraction, and in addition you're doing it for EVERYBODY who can pay you, no matter what his or her intention is.
Just to give you an IDEA 1@dy: you're helping to push chipset security, and for NOCS your BGA programmers and rework stations are going to look like equipment of the last century
Last edited by fun7; 15-03-2015 at 13:17..
15-03-2015, 15:58

#246
Join Date: Sep 2014
Posts: 27
Thanks: 11
Thanked 0 Times in 0 Posts
Country:

majorge
Member

Quote:

Originally Posted by fun7


Can you please stop talking this giant bullshit?

The real reason why providers are rolling out chipset security is because people like you exist who make a living on pairing data extraction, and in addition you're doing it for EVERYBODY who can pay you, no matter what his or her intention is.
Just to give you an IDEA 1@dy: you're helping to push chipset security, and for NOCS your BGA programmers and rework stations are going to look like equipment of the last century
Just add some xor on it and it will be fine
16-03-2015, 01:10

R.e.L.o.A.D.e.D
Member

#247
Join Date: Dec 2011
Posts: 22
Thanks: 17
Thanked 32 Times in 11 Posts
Country:

!testing/educational purposes!not for 3.party persons!

~!Greetings To All!~
Forgot to mention the method about "EEPROM over HDMI"...
But it's also complicated for those who have never worked with things like this...
So I will recommend staying near the old classic ordinary solution, it is the best way for classic memory pairing!!!
EEPROM over HDMI Video
############################################################
Anyway I'm not interested in phlegmatic taunts, "keep it for Yourself", when "u" are not able to help, just only taunt, then please STFU... "Klivo and their retarded band"...
Go and register a lot of different nicknames, on various forums also, but do not be surprised after u get banned for Your attitude...
Again.. Again.. And Always Against.. like an infinite reset loop cycle in a CPU... really like a virus... more than funny...
When You are not able to control Yourself and behave like a normal person, then please first learn this privilege, after that u can speak about any technical things...
This topic was created for exchanging discrete information, learning something new... and posting some useful news/info... not for taunting...
I will make this/these posts for those who need the basics, and my helping hand, who appreciate these posts of mine with their modesty!!!
#######################################################
Good forums about JTAG / Tuts for Bootloader, for newbies!
Link-1
Link-2
Link-3
Link-4
**************************************
Link-5

***************************************
Bootloader definition and basics, very briefly:
Bootloader operation is basically the following:
The bootloader is located at 'XY' offset, for example A00000....
This memory space is write-protected to prevent any accidental modification or corruption of the original NOR Flash!
The reset vector is modified so that when the processor is reset, the bootloader executes first.
The bootloader carries out the following operations, very briefly:
Upon reset, the bootloader calculates a checksum for the user code and verifies it against a checksum written to the last two bytes of the Flash.
If the two checksums match, it means that the previous bootloading attempt was successful, and the bootloader branches to the beginning of the user code so the user code can execute.
If the checksums do not match, the bootloader executes customizable user code to perform system-critical tasks, such as turning on a fan, or an infinite reset cycle and so forth, and then enters the bootloading mode and repeats the process because the checksum/signature is not valid....
#######################################################
Some other useful websites about the basics of reverse engineering, to learn something about it in the first wave; please use them for testing/educational purposes only!!!
Link-1
Link-2
Link-3
Link-4
#######################################################
Learn coding at online school!:

Link-1
Link-2
Link-3
Link-4
Link-5
Link-6
Link-7

#######################################################

Also very good to have at home in the drawer: a TTL cable and BBS panel...
RS232_Diagram_explanation: (in most cases only 3 pins TX/RX/GND are enough)_(The USB version is the same, only going through FTDI_VCP)

Quick_Look_USB_TTL/BBS:

Serial Connection and Terminal Basics: (Good to know the basics for future,when You begin to use TTL cable)
Link-1
Link-2
Link-3
Link-4
Link-5
Link-6
#######################################################
Please every beginner learn the following Morphy wolf rulez!!!
RuleZ:
Link-1=README

1. No easy ways, every way is full of work and valuable/costly, because u need to get accessories, and need to learn how to use them.. These how-tos don't fall from a fruit tree... They are behind bloody work... Guys who begin talking about "how easy" "just one xor" "just 5 min" are talking about b*llsh1t... they just lie or wanna take You down and get Your money for a zero solution...
2. Everything which looks too good to be true isn't true and isn't usable... it's just a fake or scam..... rumor... ballad of the liars...
3. There are no full freebies... Please everyone understand, behind every solution is the bloody work of some person, every usable "crumb of free information / stuff" is garnished with a lot of rumor and unusable things...
#######################################################

Btw. Some words from me, for this new type of hardware pairing... All is about securing the CW = Control Word, because there is a lot of massive IKS.. and broadcast providers must protect themselves from attack... So for this case, security developers make things ever harder and harder... cwpk_3des_aes/nuid/nocs_sttkdma/bootloaders/cryptocore_cpu_cpuid_signature/selfdestructing_cpu/unique_emm_ecm_combination_fakenano_.. etc.. etc.. etc..
Of course for this you need to prepare for the next generation of penetration test... In the first wave it's good to have a CPU and NOR socket in the drawer.. the best way for testing, when you don't need to solder every time, it speeds up the process...
For the NOR/NAND flashes BGA/TSOP You can use a simple EBGA64/TSOP56 socket + copper wire soldered to the motherboard....
Looks something like this:
Link-1
Link-2
Link-3
Link-4
By the way the most known method for getting the eCWPK key set is dumping the NOR flash or catching the activation/pairing EMM nano...
One of the known block headers for n@gr@v1s1on cak_CPU is 00 00 00 97... Just check Your NEW_RECEIVER dump for this header...

The eCWPK encrypted key-set in that block looks something like this structure....
00 00 00 97 = Block Header
XY XY XY XY = NUID unique Number
00 = padding/checksum bytes...
01 = padding/checksum bytes...
XY XY XY = provider id ? But I'm not sure about this fact....
00 = padding/checksum bytes...
01 = padding/checksum bytes..
81 = converted from HEX to DEC gives value 129_in_DEC, it means the size of the block which stores the eCWPK keysets)
10 = converted from HEX to DEC gives value 16_in_DEC, it means the size of the eCWPK key)
(129=128byte + 1byte padding/chksm = 256+2 characters)
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA = CWPK0 encrypted
BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB BB = CWPK1 encrypted
CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC = CWPK2 encrypted
DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD DD = CWPK3 encrypted
EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE = CWPK4 encrypted
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF = CWPK5 encrypted
GG GG GG GG GG GG GG GG GG GG GG GG GG GG GG GG = CWPK6 encrypted
HH HH HH HH HH HH HH HH HH HH HH HH HH HH HH HH = CWPK7 encrypted
The missing rest of the key (8 byte + 2 byte = 10 byte padding/checksum), it's maybe a xor key or something like that...
I don't have an idea... 11 22 33 44 55 66 77 88 99 10 ... need to clarify it... and also whether the position is counted from the beginning of the block or from the end..

The new STBs certified by the Kudelski Group came with more eCWPK keysets... Maybe for future usage.. when they plan to change something.. So maybe it's just a reserve... and it's in an encrypted state of course, it's basic....
Conax uses only 1 CWPK keyset and two types of algorithm... 3DES ABA-ECB Digitalb + 4byte Box ID from which something extra is calculated, like nuid for n@gr@.... VIP Sat Croatia uses AES_ECB... 4W T-System 3DES ABA-ECB... TNK_HD 3DES ABA-ECB... Hello_HD_9E_Slave_BOX 3DES ABA-ECB etc.. etc.. etc...
Some example,and explanation..
Link-1
Link-2
##########################################################
Anyway there is some rumor and business speculation behind this... My opinion is that's why Kudelski bought c0nax from Norway, because they stole the technology first... and later they got in trouble from this... And at the final point the punishment was worse + the shame, like buying the complete company....
Story about the sale Link-1

##########################################################
As last words for the N@gr@vision Encryption...
"!Very Briefly!
CAK_V6_XY_revision is pure memory pairing n@gra, mostly used in old ST20 decoders, and for some ATMEL cards!
It works with non-chipset pairing mode: a normal CMD$2a is issued by the box to the card, requesting the card to generate random 64 bytes with the card's ASIC and encrypt these 64 bytes with RSA_D on the card side, then forward these 64 bytes encrypted with RSA_D to the STB. The STB receives these 64 bytes encrypted with RSA_D and decrypts the same block with RSA_N stored on the STB, then extracts the original 64 bytes generated by the card ASIC and applies the necessary steps which I will not pronounce here in detail (in fact it is public already and can be found somewhere), until it calculates the final 16-byte session key also known as SK. Once this is done the cmd changes the necessary data in the 64 bytes initially sent from the card, and will prepare it to send the modified information back to the card, but before that it encrypts the newly modified data with the RSA_N stored on the STB side, then sends the information back to the card on CMD$2B, which in return will be decrypted on the card side with RSA_D, then the modified final result is extracted and the card side also stores the new 16-byte SK generated for the next 5 hours until a new SK pairing session starts!!!

Just try the RSA mechanism with simple calculator/key generator:


Link-1
Link-2
Link-3
Link-4
********************************************************
Now about the new chipset pairing mechanism. Yes, you will need to forward the nuid inserted in the initial CMD$2a from the STB. This will trigger the card, stating it will need the new overcrypt (mechanism for the HD channels), and it will generate the session key in the normal form using the RSA+IDEA mechanism for the SD digital channels, but at the same time it will generate the new chipset pairing key control word used on the HD package channels.
As you know by now, since you have probably studied it, this new CWPK is not sent in any form or way to the STB, as they know from the standard pairing session key mechanism that it would surely be discovered more easily.... so in return the new algo is implemented in the STB to generate, using the keyladder mechanism, the exact same key on the STB CPU core!!! and the actual same key will be derived from the NUID on the card side and will be stored on the card.
And as you probably know by now from my previous posts on other forums... this key uses the 3DES ABA-ECB mechanism, so it needs to be the exact same key to encrypt and decrypt data!!!!!
What makes this key unique is the NUID; after applying the correct calculation each STB will contain a unique key.. and that will be it for now..
Going back to the card merlin ATMEL Rom4xxx, they use a newer INIT mechanism, so the cmds shown on its STB/Card log are all encrypted using a 16-byte key, which could in fact be a NUID-generated 16-byte key also from the chipset, or maybe not!!! and I state that because all STBs using the same version have the same initial boot cmds, only the 16-byte data reply on the cmds changes with the unique card data requested...
so it could also be a universal or specific provider key used for all STBs from the same provider...
now on pure nagra cards, even if the card uses specific chipset pairing, the card will always reply to the old cmd$2a/$2b normally; the nuid is just to trigger the card and generate the 16-byte key used on requests incoming from the STB on the HD package channels.
If the NUID is not sent on cmd$2a and $2b the card simply won't reply back to the $1c requested from the STB..........
if the NUID is sent on cmd$2a the card will always reply back to requests of $1c to the STB
So if we put it in layman's terms we can simply say for example that the new chipset pairing algo is nothing more than a 2nd fixed SK for the HD channels, but instead of using IDEA they use other flavours like AES or 3DES depending on the CA system!!!
1st step SK decrypt mode
2nd step allocate CA slot for 3DES decrypt mechanism.... using keyladder mechanism or direct chipset key derivation level..

Why Chipset Pairing? Simple Quick explanation!!!


There is an OTP area in the chipset that contains unique data

1- this unique data, using some other extra data and an algorithm, will generate a 16-byte key also known as SCK
2- the SCK key in addition with an OTP derivation key from the NUID will generate a ROOTKEY, also using an algorithm calculation.
3- the ROOT key or R2R-Root128 is the TOP key of the keyladder used to encrypt or decrypt all other keys below!!!! using the 3DES mechanism or AES depending on the CA vendor
4- The root key is used to encrypt and decrypt the RAM2RAM crypto engine key
5- the RAM2RAM crypto engine key is used to encrypt or decrypt the keys below in the keyladder mechanism (this key is also used to encrypt or decrypt the Control Word Pairing Keys); this key is also used to encrypt and decrypt other blocks containing data on the RAM side....
6- the control word pairing keys, after being decrypted, are also used to encrypt or decrypt the Control Words encrypted with 3DES on the card side)
So it's a keychain mechanism used worldwide by all encryption systems at the moment; they can use the AES or 3DES algo depending on the CA vendor system!!!!
This is why things are done inside the chipset.
Now the Control Word pairing keys or CWPK used to decrypt the CWs can be updated by the CA vendor or provider via OTA firmware update to the STB (these keys will be stored in the firmware update but of course encrypted), or they can be updated via the EMM stream direct to the STB.
Hint = NUID is the secret as it's the only thing sent to the card on CMD$2a (and the card will generate the correct key to encrypt the data on the card side; this key will also match the result of the decryption used in the keyladder mechanism on the STB side, as it will need to contain the same key in the end to decrypt the eCW on the STB side......

!!!SO THERE ARE TWO WAYS, WE NEED TO DECRYPT eCWPK, OR NEED TO REFURBISH THE FACTORY DECODER FOR CUSTOM LINUX FIRMWARE, AND EMULATE THE CURRENT CHIPSET KEYLADDER MECHANISM!!! (DON'T ASK HOW, BECAUSE IT'S REALLY SECRET, NOT FOR PUBLIC EXPLANATION, THIS IS WHY I EXPLAINED BOOTLOADERS AND ALL OTHER CRAP, AND I DON'T KNOW THIS SECRET TOO...)

!Very Briefly!"

#######################################################
Another story is the knowledge/possibility of finding a vulnerability of the CPU and understanding how the factory code works.. a simple keyset is not enough for the magic.. everything is protected with the next level of keyset or signature... Also good to know about STTKDMA and NOCS... Nothing is impossible, just need to try/try/try/try and never give up...
#######################################################
About the card init procedure... need to build or buy a season logger interface... and clone the factory cam code... for this work the existing oscam source is very good.. because it's better to modify, saves a lot of time... no need to build up from zero code.... Please understand, actual public emulators DO NOT SUPPORT HARDWARE PAIRING/CONTROL WORD PAIRING, KEYS etc.. etc...!!!
Useful websites for getting hardware/info for modifying the emu for your own card init / pairing procedure... also very good for this stuff when you extract a FOTA dump from an existing transponder... they contain very interesting/fastidious information!!!
Link-1
Link-2
Link-3
Link-4
Link-5

#######################################################
!!!Please understand, everyone who reads this topic... these things are for learning the basics and are strictly for testing/educational purposes!!!
!!!Every member/person must decide what to use it for in future... I don't take any responsibility for this material, because it's just study material!!!
!!!As in the first wave, I'm not offering any service or solution for HW pairing or anything else, it's just a bit of help / a boot kick for understanding the basic things and forgetting about the rumors!!! Actually when someone needs real helping hands, I'm able to help under limited conditions only in case of memory pairing, like all other GSM/Console engineers!!!
#######################################################

He is my exemplar and hero, without him we could not penetration test "anything else" than our computer games...
Respect Stefan Kudelski, rest in full calm and in God blessed peace:
Biography

#######################################################
Some historical things / reading material for tonight...
Link-1
Link-2
Link-3
Link-4
#######################################################
~!Btw. Any correction/fix for my material is welcome, I will not be offended when someone corrects me, it's normal, I'm just a human with fail factors!!!
~!God bless all normal friendly members of this site!~
~!Let's rise the knowledge and learn at rest and at peace!~
~!Also many thanks and RESPECT for all the intelligent/clever dudes who don't forget about normal human behaviour and give their helping hand with much patience for others who really need it!!!~
~!Best Regards!~
By3

Last edited by R.e.L.o.A.D.e.D; 16-03-2015 at 01:26..

The Following 9 Users Say Thank You to R.e.L.o.A.D.e.D For This Useful Post:
asad khan (27-03-2015), chicoze (19-03-2015), Dani270 (28-10-2015), devloper (24-03-2015), kakero (17-07-2015), malagas (29-05-2015), newcslover (16-03-2015), razor123 (13-12-2015), reblin (10-04-2015)
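The bootloader check described in the post above (checksum over the user code, compared with the value in the last two bytes of flash, jump or fall back to bootloading mode), as an added example that is not part of the post or of any vendor's bootloader. The flash size, trailer layout, user code and key are all constructed for the demo. It also shows the caveat the post's "checksum/signature" wording glosses over: an additive checksum catches accidental corruption but not a modification that preserves the byte sum, which is why a verified boot uses a keyed check (here HMAC-SHA256 stands in for a real signature):

```python
"""Added example (not from the post): toy checksum bootloader plus an authenticated variant.
Flash layout, sizes, user code and key are all constructed for this demo."""
import hashlib
import hmac
import struct

FLASH_SIZE = 256      # assumed toy flash size in bytes
CHECKSUM_SIZE = 2     # the post: checksum stored in the last two bytes of flash
TAG_SIZE = 32         # HMAC-SHA256 tag for the authenticated variant


def checksum16(region: bytes) -> int:
    """16-bit additive checksum over the user-code region."""
    return sum(region) & 0xFFFF


def build_flash_image(user_code: bytes) -> bytes:
    """User code padded with 0xFF (erased NOR), checksum appended as the trailer."""
    region = user_code.ljust(FLASH_SIZE - CHECKSUM_SIZE, b"\xff")
    return region + struct.pack(">H", checksum16(region))


def bootloader(flash: bytes) -> str:
    """Checksum bootloader: jump to user code on match, else stay in recovery/bootloading mode."""
    region, trailer = flash[:-CHECKSUM_SIZE], flash[-CHECKSUM_SIZE:]
    (stored,) = struct.unpack(">H", trailer)
    return "jump" if checksum16(region) == stored else "recovery"


def build_signed_image(user_code: bytes, key: bytes) -> bytes:
    """Same layout, but the trailer is an HMAC-SHA256 tag (stand-in for a real signature)."""
    region = user_code.ljust(FLASH_SIZE - TAG_SIZE, b"\xff")
    return region + hmac.new(key, region, hashlib.sha256).digest()


def bootloader_signed(flash: bytes, key: bytes) -> str:
    """Authenticated bootloader: constant-time tag comparison before jumping."""
    region, tag = flash[:-TAG_SIZE], flash[-TAG_SIZE:]
    expected = hmac.new(key, region, hashlib.sha256).digest()
    return "jump" if hmac.compare_digest(expected, tag) else "recovery"


def flip_bit(image: bytes, offset: int) -> bytes:
    """Simulate a single-bit flash error."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


def swap_bytes(image: bytes, i: int, j: int) -> bytes:
    """Simulate a modification that keeps the byte sum unchanged."""
    buf = bytearray(image)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


USER_CODE = bytes(range(1, 33))                 # constructed stand-in for user code
KEY = b"constructed-demo-verification-key"      # constructed; a real device keeps it in OTP


def demo() -> dict:
    """Run the five cases; returns which branch the bootloader takes for each."""
    plain = build_flash_image(USER_CODE)
    signed = build_signed_image(USER_CODE, KEY)
    return {
        "intact": bootloader(plain),                                       # jump
        "bit_flip": bootloader(flip_bit(plain, 5)),                        # recovery
        "swap_checksum": bootloader(swap_bytes(plain, 0, 1)),              # jump: sum unchanged, change missed
        "intact_signed": bootloader_signed(signed, KEY),                   # jump
        "swap_signed": bootloader_signed(swap_bytes(signed, 0, 1), KEY),   # recovery
    }


if __name__ == "__main__":
    for case, branch in demo().items():
        print(f"{case:15s} -> {branch}")
```

The "swap_checksum" case is the one to notice: the user code was changed, the stored checksum still matches, and the checksum bootloader jumps into it anyway; the keyed variant refuses the same image.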
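The six-step keyladder in the "Why Chipset Pairing?" part of the post (OTP data -> SCK -> root key -> RAM2RAM key -> CWPK -> CW), as an added toy model that is not part of the post and does not reproduce any vendor's algorithm. SHA-256 in counter mode stands in for the 3DES/AES block cipher of a real ladder, the derivation formulas are invented for the demo, and every OTP value, NUID, key and control word is constructed. What it shows is the design property the post is getting at: the same encrypted ladder blobs and the same encrypted CW only unwrap to the right control word on the chip whose OTP secret they were provisioned for, so the plain keys never need to leave the chipset:

```python
"""Added example (not from the post): toy chipset keyladder model with constructed values."""
import hashlib

KEY_LEN = 16  # 128-bit keys and control words, as in the post


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Hash-based keystream: stand-in for a block cipher, one label per ladder level."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def crypt(key: bytes, data: bytes, label: bytes) -> bytes:
    """Encrypt or decrypt one ladder level (XOR with the keystream is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, label, len(data))))


def derive_sck(otp_secret: bytes) -> bytes:
    """Step 1: chip-unique OTP data -> SCK (derivation formula is invented for the demo)."""
    return hashlib.sha256(b"SCK" + otp_secret).digest()[:KEY_LEN]


def derive_root(otp_secret: bytes, nuid: bytes) -> bytes:
    """Step 2: SCK plus a NUID-derived value -> root key (R2R-Root128)."""
    return hashlib.sha256(b"ROOT" + derive_sck(otp_secret) + nuid).digest()[:KEY_LEN]


class Chipset:
    """The secure chipset: the OTP secret never leaves it, only the final CW comes out."""

    def __init__(self, otp_secret: bytes, nuid: bytes):
        self._otp = otp_secret
        self.nuid = nuid

    def decrypt_cw(self, e_ram2ram: bytes, e_cwpk: bytes, e_cw: bytes) -> bytes:
        root = derive_root(self._otp, self.nuid)        # steps 1-2
        ram2ram = crypt(root, e_ram2ram, b"R2R")         # step 4
        cwpk = crypt(ram2ram, e_cwpk, b"CWPK")           # step 5
        return crypt(cwpk, e_cw, b"CW")                  # step 6


def provision(root_key: bytes, ram2ram: bytes, cwpk: bytes):
    """Assumed head-end side: wraps the ladder keys for one chip whose root key it knows."""
    return crypt(root_key, ram2ram, b"R2R"), crypt(ram2ram, cwpk, b"CWPK")


# Constructed demo values.
OTP_A, NUID_A = b"otp-secret-chip-A", bytes.fromhex("11223344")
OTP_B, NUID_B = b"otp-secret-chip-B", bytes.fromhex("55667788")
RAM2RAM = b"constructed-r2r!"   # 16 bytes
CWPK = b"constructed-cwpk"      # 16 bytes
CW = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> dict:
    """Provision chip A, encrypt a CW under CWPK on the card side, then try both chips."""
    chip_a, chip_b = Chipset(OTP_A, NUID_A), Chipset(OTP_B, NUID_B)
    e_ram2ram, e_cwpk = provision(derive_root(OTP_A, NUID_A), RAM2RAM, CWPK)
    e_cw = crypt(CWPK, CW, b"CW")
    return {
        "cw": CW,
        "paired_chip": chip_a.decrypt_cw(e_ram2ram, e_cwpk, e_cw),   # equals CW
        "other_chip": chip_b.decrypt_cw(e_ram2ram, e_cwpk, e_cw),    # garbage: different root key
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value.hex()}")
```

Each level is decrypted with the key from the level above and the result stays inside the chip, so an encrypted CWPK copied out of a dump is only useful together with the root that the OTP data on that one chip produces.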
16-03-2015, 15:51

#248
Join Date: Mar 2012
Posts: 13
Thanks: 14
Thanked 16 Times in 7 Posts
Country:

newcslover
Member

Good info, thanks for sharing, no one dares to share such info in public
16-03-2015, 21:35

#249
Join Date: Aug 2009
Posts: 12
Thanks: 0
Thanked 32 Times in 10 Posts
Country:

Onsitbin
Member
usb-uboot

You'd have been better off at the beach hehehehe there in Brazil, instead of coming here to talk bytes and nonsense

PT manual: Create u-boot:


Link-1
Download Key = MXFnknPAC_EP5hr4bP35o9MWjTiJUYroBqX2hqkfnS0
usb u-boot:
Link-2
Download Key = W6iIJrDvKmxGxb-ABd9Sm4G5vU6mQtaPLJ3b77_Cd4g
Best Regards
by The_Onsitbin
The Following 3 Users Say Thank You to Onsitbin For This Useful Post:
andy16v (22-03-2015), chicoze (19-03-2015), devloper (24-03-2015)
18-03-2015, 19:41

#250
Join Date: Oct 2009

Albert-M

Posts: 4
Thanks: 2
Thanked 0 Times in 0 Posts
Country:

Junior Member

hello, is it possible to help me with how I can extract from a dump of hs-3169na.


Powered by vBulletin
Copyright 2006-2016 - Sat Universe
