  1. #1
    bme
    Guest
    What's so Special with Ir**to 2 that makes it different?


    Why is it so difficult to decrypt ir**to 2?

  2. #2
    Platinum member Expert
    Join Date
    Jun 2004
    Location
    29°20'N 47°59'E
    Posts
    5,711
    Re: What's so Special with Ir**to 2 that makes it different?

    Quote Originally Posted by bme
    Why is it so difficult to decrypt ir**to 2?
    Dunno about the technicalities about the encryption myself, but of course, they make it a point to seal the system in such a way that it's almost impossible to crack. But it's only a matter of time before somebody gets a hold of how this encryption (and all others) will be opened.
    HP-Compaq DC5000 MT 1.5GB RAM
    Debian Squeeze with Smargos
    CCcam 2.1.4

  3. #3
    bme
    Guest

    When TFC used Nagravision there was somebody who claimed to have hacked TFC thru his PC. Being in the technical field myself, I was tempted to follow suit by shopping around for a PC card that could accept Nagra. Found out that the local cards available in Oman were sold at astronomical prices, so my plan did not push thru. I would not be surprised if this is also true for the case of ir**to 2 at the moment. There is a rumor that somebody has already hacked Showtime, which uses ir**to 2. This I have to see.
    The route for Nagra was that receivers have come out with features that enabled hacking. And these receivers have become so cheap. I do hope this also happens with ir**to 2.

  4. #4
    Junior Member Master
    Join Date
    Jan 2004
    Location
    Pakistan
    Posts
    80

    Dear Bme,
    The hallmark of the Irdeto2 cryptosystem is the ECM/CW (Electronic Control Measures)/(Control Words) techniques that are a pain in the neck. Now you know that these are also present in systems like Viaccess, and sometimes you see providers like TPS changing them, but once in a while, say after two months. Two months is a reasonable time, but what if the ECMs are changed every second! Emulating that is the real problem with Irdeto2; otherwise it's more like ****** 1.
    For example Nova, an Irdeto2 crypted provider, uses 6 ECM changes every two seconds for the validation of its plain keys and op keys. Now you can't just go upgrading your receiver or CAM every two seconds! So some sort of an autoupdate card is needed that first updates the ECMs and then changes them every two seconds.
    For your information, a card of this nature is being worked upon and will be available in the near future, so don't worry, it's basically this rapid change of ECMs that we are getting to grips with.
    I am not a master of DVb encryption, but I will try my level best to help you. If I know something, I'll share it, If I don't, I'll say sorry.

  5. #5
    canine consultant Expert
    Join Date
    Feb 2004
    Location
    over the Hill, and down the road
    Posts
    1,318

    Before you go into the ECM, EMM data stream, it might be an idea if you could read the card, which you can't. If a series 2 card could be read it's a simple matter to set up an emulator; this will auto log the ECM / EMM updates, and also supply the Plain Key sequence. It goes without saying that signature checking will also be in the equation.

    But while the cards remain unreadable, you have zip, and it's highly unlikely that this problem will be solved any time soon.

    For the record, Ir**to one was never cracked, it was compromised, big difference.
    regards from OZ bassett

  6. #6
    Junior Member Master
    Join Date
    Jan 2004
    Location
    Pakistan
    Posts
    80

    Dear Bassett,
    The fact provided by you that an ****** card cannot be read is very true, rather it was true. ****** cards can now be READ! I will now explain.
    The reason an ****** card could not be read previously was because it was encrypted first in the normal crypt, then its formatting was changed to that of higher ASCII versions, so that the assembly language took it to a level where even the best Phoenix programmer would be unable to read it, simply because it would not understand what had been written. Here is an extract from the assembly language used by Ird***2:
    rd_005 MOVWF 0x0023
    Ird_006 MOVLW 0x001f
    GOTO Ird_00d
    Instead of going to the normal 0x0001, which any normal card reader would easily identify, it uses normal CSA subroutine nullification, and nullifies the first 0x0001 routine to jump to 0x0023. This is only available for base compilation under any language supporting a higher ASCII assembly language format.
    Secondly, there is a problem of key extraction and signature verification. A method has also been worked out for it. Take a look at the following piece of code that may prove to be useful. I am only posting EXTRACTS for secrecy purposes.
    1. For signature verification:

    BOOL CheckSignature(unsigned int *CryptKey, unsigned int *Buffer, int laenge)
    {
        unsigned int Signatur[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
        unsigned int SigBuffer[128];
        unsigned int FillerStart=0x61;

    and the other bit of information as

        KeyCrypt(Signatur,CryptKey,Loop,0);
        if (( Buffer[laenge]==Signatur[0] ) &&
            ( Buffer[laenge+1]==Signatur[1] ) &&
            ( Buffer[laenge+2]==Signatur[2] ) &&
            ( Buffer[laenge+3]==Signatur[3] ) &&
            ( Buffer[laenge+4]==Signatur[4] )) return(TRUE);
        for ( j=0; j < 4; j++ ) RotateRight10(CryptKey);
        KeyCrypt(Signatur,CryptKey,64,0);
        if (( Buffer[laenge]==Signatur[0] ) &&
            ( Buffer[laenge+1]==Signatur[1] ) &&
            ( Buffer[laenge+2]==Signatur[2] ) &&
            ( Buffer[laenge+3]==Signatur[3] ) &&
            ( Buffer[laenge+4]==Signatur[4] )) return(TRUE);
        return(FALSE);
    this piece is for EMM/ECM autoupdating
    Update_******_Keys(Current_EMM,Provider, IrdetoUpdate.Key_Id[j] ,&******_Ptr->CmdBuffer[IrdetoUpdate.KeyPos[j]], IrdetoUpdate.ChIdH,IrdetoUpdate.ChIdL);
    if ( ******_Information.OWNPKLOG == TRUE ) {
    sprintf(LogZeile,"[Eigen-PlainKey] Provider:%02X Group:%02X %02X XX mit PMK %02X%02X%02X%02X%02X%02X%02X%02X neuer Key :%02X %02X%02X%02X%02X%02X%02X%02X%02X Date:%02X%02X CHId:%02X%02X",Provider,******_Ptr->Extend[0],******_Ptr->Extend[1],IrdetoKarten[i].PlainMasterKey[0],IrdetoKarten[i].PlainMasterKey[1],IrdetoKarten[i].PlainMasterKey[2],IrdetoKarten[i].PlainMasterKey[3],IrdetoKarten[i].PlainMasterKey[4],IrdetoKarten[i].PlainMasterKey[5],IrdetoKarten[i].PlainMasterKey[6],IrdetoKarten[i].PlainMasterKey[7],IrdetoUpdate.Key_Id[j],******_Ptr->CmdBuffer[IrdetoUpdate.KeyPos[j]],******_Ptr->CmdBuffer[IrdetoUpdate.KeyPos[j]+1],******_Ptr->CmdBuffer[IrdetoUpdate.KeyPos[j]+2],******_Ptr->CmdBuffer[IrdetoUpdate.KeyPos[j]+3],******_Ptr->CmdBuffer[IrdetoUpdate.KeyPos[j]+4],******_Ptr->CmdBuffer[IrdetoUpdate.KeyPos[j]+5],******_Ptr->CmdBuffer[IrdetoUpdate.KeyPos[j]+6],******_Ptr->CmdBuffer[IrdetoUpdate.KeyPos[j]+7],IrdetoUpdate.DateIdH,IrdetoUpdate.DateIdL,IrdetoUpdate.ChIdH,IrdetoUpdate.ChIdL);


    Well, PIECES of this code will help you better understand what is going on. I don't have the time right now to explain it to you, but when I do get it, I shall explain it to you in great detail as to how to read a card, and how to write your own Ird***2 card. What I can guarantee is that a pirate card will soon be on the market for the purpose, don't lose hope.
    Ok friends, I hope that you have a nice time and enjoy the best of life.
    Bye.
    Leynos
    I am not a master of DVb encryption, but I will try my level best to help you. If I know something, I'll share it, If I don't, I'll say sorry.

  7. #7
    Member Mentor
    Join Date
    Mar 2004
    Posts
    919

    thanks for the nice info


    check PM please

    bye

  8. #8
    Junior Member Master
    Join Date
    Nov 2002
    Location
    Thailand
    Posts
    77

    @ leynos_2010

    Thanks for the information.
    But I still believe the attack on EMM would give a quicker breakthrough than on ECM.
    The process of implementing decryption on PIC or Fun would be more difficult than writing on MOSC.
    Don't you think writing an EMM string to have the following parameters as required on MOSC would be easier?

    ChannelID {known 2 bytes}, ActivationDate {known 2 bytes}, Timer {required 2 bytes}

    The string would be..

    StandardHeader {known 5 bytes}, FirstLength {known 1 byte}, Provider Nano {known 1 byte}, ProviderID {known 3 bytes}, Filler & SecondLength {known 2 bytes}, EncryptedData {required 16 bytes}, EncryptedSignature {8 bytes}.

    such as

    01010000001E 03 {Provider 3bytes} 0018 001122334455667788AABBCCDDEEFF00 S1,S2,S3,S4,S5,S6,S7,S8

    At least for the time being, we don't have to worry about MK updates & key updates.

    Please correct me if I am wrong & advise as required.

    Thanks & Regards.

  9. #9
    SATELLITE GURU Expert
    Join Date
    Mar 2004
    Location
    Bletchley Park Code Breaking Lab
    Posts
    2,521

    Quote Originally Posted by leynos_2010
    Dear Bassett, What I can guarantee is that a pirate card will soon be on the market for the purpose, don't lose hope.

    Ok friends, I hope that you have a nice time and enjoy the best of life.
    Bye. Leynos
    Well, let's all hope you crack Multichoice Africa PAS10 C-band first, as that covers so many countries...
    If Evolution works, why so many idiots?


  10. #10
    canine consultant Expert
    Join Date
    Feb 2004
    Location
    over the Hill, and down the road
    Posts
    1,318

    Right, thanks for that.

    And I always thought it would be hard to crack, stupid me. But one little question: since when did a Phoenix programmer read the EPROM? I always thought you needed an Elvis programmer for that.

    As I said before, you do need subscriber details to set up an emulator, and you neglected to speak about that in your post.

    So how do I extract the sub details from an ir***do card? Because, put simply, that's ALL you need.
    regards from OZ bassett
