Digital+ Spain is inderdaad open op emu


spirit

Op de galaxis ontvanger is deze idd te zien op emu..
Men heeft de flash dump (ROM) al uitgesplitst. Men is nu bezig om de RAM dump te ontrafelen.
Men is bezig voor de Pioneer en Philips ontvangers...

Hier een gedeelte van de dump:

Code:
 ROM:7FE83E4B ; ---------------------------------------------------------------------------
ROM:7FE83E4B
ROM:7FE83E4B loc_7FE83E4B:                           ; CODE XREF: CA_CHOICE+79j
ROM:7FE83E4B                 ldl     0               ; Ar = sub_7FE09B2D();
ROM:7FE83E4C                 ldc     1800h
ROM:7FE83E50                 diff
ROM:7FE83E51                 cj      loc_7FE83E5A    ; ifn( sub_7FE09B2D() - 1800h ) jmp loc_7FE83E5A;
ROM:7FE83E52                 ldl     0               ; Ar = sub_7FE09B2D();
ROM:7FE83E53                 eqc     1801h
ROM:7FE83E57                 cj      loc_7FE84449    ; ifn( (sub_7FE09B2D() == 1801h) ) jmp loc_7FE84449;
ROM:7FE83E5A
ROM:7FE83E5A loc_7FE83E5A:                           ; CODE XREF: CA_CHOICE+ECj
ROM:7FE83E5A                 ldc     1
ROM:7FE83E5B                 ldl     39h ; '9'       ; Ar = 0xC0480000;
ROM:7FE83E5D                 stnl    19BCh           ; *(int *)(0xC0480000 + 066F0h) = 1;
ROM:7FE83E61                 ldc     1
ROM:7FE83E62                 ldl     39h ; '9'       ; Ar = 0xC0480000;
ROM:7FE83E64                 stnl    19BBh           ; *(int *)(0xC0480000 + 066ECh) = 1;
ROM:7FE83E68                 ldl     3Bh ; ';'       ; Ar = Param_02;
ROM:7FE83E6A                 ldnlp   1               ; Ar = Param_02 + 04h;
ROM:7FE83E6B                 lb
ROM:7FE83E6C                 ldc     603h
ROM:7FE83E6F                 ldpi    ref_7FE84474    ; "Nagra system! Length is %02X\n"
ROM:7FE83E71                 ldl     39h ; '9'       ; Ar = 0xC0480000;
ROM:7FE83E73                 call    loc_7FEBB874    ; (0x7FE84474, *(char *)(Param_02 + 04h), Local_-57, ...)
ROM:7FE83E78                 ldc     617h
ROM:7FE83E7B                 ldpi    ref_7FE84494    ; "ecm is:\n"
ROM:7FE83E7D                 ldl     39h ; '9'       ; Ar = 0xC0480000;
ROM:7FE83E7F                 call    loc_7FEBB874    ; (0x7FE84494, loc_7FEBB874(), Local_-57, ...)
ROM:7FE83E84                 ldl     3Ah ; ':'       ; Ar = Param_01;
ROM:7FE83E86                 ldl     3Bh ; ';'       ; Ar = Param_02;
ROM:7FE83E88                 ldl     39h ; '9'       ; Ar = 0xC0480000;
ROM:7FE83E8A                 call    nullsub_38      ; (Param_02, Param_01, Local_-57, ...)
ROM:7FE83E8D                 ldl     0               ; Ar = sub_7FE09B2D();
ROM:7FE83E8E                 eqc     1800h
ROM:7FE83E92                 cj      loc_7FE83EEB    ; ifn( (sub_7FE09B2D() == 1800h) ) jmp loc_7FE83EEB;
ROM:7FE83E94                 ldl     3Bh ; ';'       ; Ar = Param_02;
ROM:7FE83E96                 adc     3
ROM:7FE83E97                 lb
ROM:7FE83E98                 ldc     3
ROM:7FE83E99                 diff
ROM:7FE83E9A                 cj      loc_7FE83EAC    ; ifn( *(char *)(Param_02 + 3) - 3 ) jmp loc_7FE83EAC;
ROM:7FE83E9C                 ldc     5FFh
ROM:7FE83E9F                 ldpi    ref_7FE844A0    ; "system-nagra: invalid ECM\n"
ROM:7FE83EA1                 ldl     39h ; '9'       ; Ar = 0xC0480000;
ROM:7FE83EA3                 call    loc_7FEBB874    ; (0x7FE844A0, *(char *)(Param_02 + 3) - 3, Local_-57, ...)
ROM:7FE83EA8                 ajw     38h
ROM:7FE83EAA                 ret                     ; return loc_7FEBB874();
ROM:7FE83EAC ; ---------------------------------------------------------------------------
dus nog ff wachten :biggrin:
 
Allemaal positieve ontwikkelingen de laatste tijd.
Wordt weer gezellig in de wintermaanden.


gr gogo
 
Ben niet zo Nagra achtig .. zou het kunnen dat Premiere ook een deukje krijgt ? .. Haaaaaaaaaahahahahaha .. Hij is fijn !

Cya..
 
ze gaan beginnen met een ram dump..
ze gebruiken daarvoor Jkeys en dan heb je gegevens nodig vanaf c0000000 - 800000..
wordt vervolgd...
 
Ja, het is open op Galaxis, maar de foto's zijn gemaakt op een Topfield. Dus rara: hoe is het open op een Topfield, of zijn het oude foto's?

GR
 
Laatste nieuws :

Ze zijn erg druk mee bezig..
Er zijn tot nu toe nog geen tegenvallers.

Ramdump is dus nu bekend :

Code:
RAM:C0103CA8 CAID_1801:                              ; CODE XREF: EMU_CA_CHOICE+1A9j
RAM:C0103CA8                 ldc     0
RAM:C0103CA9                 ldl     3Bh ; ';'       ; Ar = Param_02;
RAM:C0103CAB                 ldl     39h ; '9'       ; Ar = 0xC013EC58;
RAM:C0103CAD                 call    nagra2_routine_0 ; (Param_02, 0, Local_-57, ...)
RAM:C0103CB2                 stl     1               ; Local_-56 = sub_C011CCBE();

En er zijn al 6 van de 9 routines bekend; hier is een van die routines:
Code:
/* Sample data for the CAID 0x1801 / provider 0x4101 (D+) path of
 * nagra2_routine_0 below.  Everything here is mutable file-scope data as
 * written (nothing is const-qualified). */

/* One captured 0x4C-byte ECM section.  Byte 2 (0x47) is the length field the
 * C version further down reads as ecm[2]; 0x47 + 3 == 0x4C, so the array
 * holds exactly one complete section.  The last two bytes are zero. */
byte nagra2_4101_ecm[0x4C]={
	0x81,0x70,0x47,0x07,0x45,0x41,0x01,0x86,0x00,0x88,  0x71,0xCC,0x7F,0x2B,0x1E,0x98,
	0x00,0x51,0x1F,0xA3,0xF4,0xE2,0x5E,0x78,0xE8,0x1D,  0x1E,0x38,0x33,0xE2,0x90,0x8C,
	0x78,0x0C,0x0D,0x6A,0x21,0x92,0x1F,0x92,0xF0,0x56,  0x4C,0x02,0x78,0xC4,0x8D,0x2E,
	0x68,0x5C,0x84,0x4C,0x51,0x7A,0xDA,0xFB,0x89,0xD5,  0xFE,0xE3,0x4A,0xE4,0x4E,0xDA,
	0x34,0x94,0x2F,0x12,0xBB,0x17,0xD7,0x0A,0xD5,0x32,  0x00,0x00
};

/* 64-byte table handed to sub_C0108AA5 together with the ECM payload.  It is
 * byte-for-byte the same table the C listing further down this page names
 * d_plus_ECMmod and passes to DecryptRSA as its `mod` argument. */
byte data_64bytes[0x40]={
	0xD9,0x1F,0xB4,0x82,0xF5,0x4C,0x45,0x35,0x62,0x1D,  0x84,0x5F,0x7E,0xC4,0xAB,0x4D,
	0xC9,0x30,0x9D,0xED,0x26,0xB5,0x40,0x30,0x84,0x8E,  0xB6,0x39,0x68,0x97,0x75,0x29,
	0xFE,0x8F,0xF1,0x86,0x13,0x27,0x61,0x71,0xE5,0x7B,  0xDA,0x8A,0x47,0xAC,0x99,0x37,
	0x03,0xCC,0xE2,0xA1,0xCB,0x07,0x19,0x98,0xEC,0xCB,  0x32,0x7E,0xF6,0x3C,0xCE,0xA7
};

/* 16-byte table handed to sub_C0108F78 with the ECM payload; identical to
 * d_plus_Ikey in the C listing, which passes it to ideaExpandKey. */
byte data_16bytes[0x10]={
	0xF5,0x36,0x55,0x68,0xF5,0x46,0x63,0x32,0x52,0xEE,  0xD5,0x00,0x88,0x1E,0x5A,0x37
};

/* Output slots for the two 8-byte control words.  The values are whatever
 * the dump held at capture time; nagra2_routine_0 overwrites them by memcpy. */
byte EVEN_CW[8]={
	0x5C,0x6C,0x98,0x60,0xA7,0x88,0x74,0xA3
};

byte ODD_CW[8]={
	0xAD,0x12,0x1C,0xDB,0x71,0xBC,0x83,0xB0
};


/*
 * Decompiler output for the routine at RAM:C011CCBE, which the CAID_1801
 * path in the RAM listing above calls with Param_02.  This is a sketch, not
 * compilable C: the decompiler renders byte stores as `byte[&var4] = 3` and
 * `ecm+0x49 = ...`, the locals ecm/data64/data16/var0x19 have no visible
 * declaration or size, several _printf__ calls have lost their arguments,
 * and every `while(1)` below is written without a break (as given, the two
 * inner copy loops never terminate).  The hand-written nagra2_ecm() further
 * down this page is the readable equivalent; the STEP numbers printed here
 * map onto it as noted inline.
 *
 * arg_01: the incoming ECM.  0x50 bytes are copied from it -- four more than
 *         the 0x4C-byte sample copied into the same buffer just before, and
 *         the buffer's size is not visible here.
 * Returns 1 when var5 was set (a CW record was copied out), else 0.
 */
int nagra2_routine_0(byte arg_01) {	// RAM:C011CCBE
     var4 = 0;
     var5 = 0;
     /* Load the captured sample ECM and the two tables into locals. */
     memcpy(0x4C, &ecm, nagra2_4101_ecm);	//length, dest_address, src_address
     memcpy(0x40, &data64, data_64bytes);	//length, dest_address, src_address
     memcpy(0x10, &data16, data_16bytes);	//length, dest_address, src_address
     byte[&var4] = 3;	// a single byte 3 at var4; its address is passed below
     /* The real ECM overwrites the sample that was just loaded. */
     memcpy(0x50, &ecm, arg_01);	//length, dest_address, src_address
     _printf__("\nSTEP 1 & 2 :\n");
     /* var0..var2 look like extra arguments handed over through locals:
      * (&var4 -> 3, 0x40, 1).  Same shape as DecryptRSA(ecm+0xA, mod,
      * nagraExp, 0x40, 1) in nagra2_ecm(); whether sub_C0108AA5 is that
      * routine is not established here. */
     var0 = &var4;
     var1 = 0x40;
     var2 = 1;
     sub_C0108AA5(&ecm+0xA, &data64);
     /* OR bit 7 of ecm[9] into the last section byte (0x49 == ecm[2]+2 for
      * the 0x47-length sample); nagra2_ecm() does this via ecmLastByte. */
     ecm+0x49 = (((ecm+9) & 0x80) | (ecm+0x49));
     _printf__("\nSTEP 3 :\n");
     /* (&ecm+0xA, 1, 8) with the 16-byte table: corresponds to the IDEA
      * pass over 8-byte blocks in nagra2_ecm(). */
     var0 = &ecm+0xA;
     var1 = 1;
     var2 = 8;
     sub_C0108F78(&data16, &ecm+0xA);
     _printf__("\nSTEP 4 :\n");
     /* Second sub_C0108AA5 pass, same arguments as STEP 1 & 2. */
     var0 = &var4;
     var1 = 0x40;
     var2 = 1;
     sub_C0108AA5(&ecm+0xA, &data64);
     _printf__("\nSTEP 5 :\n");
     var0 = 0;
     /* Reverse the payload: var0x19[n] = ecm[0x49 - n] for n = 0..0x40 (one
      * byte more than the 0x40 copied back), then write it over ecm+0xA.
      * This is swapbytes(ecm, CryptLen) in nagra2_ecm(). */
     while(1) {
          var0+&var0x19 = &ecm+(0x49 - var0);
          var0 = var0 + 1;
          if((0x40 < var0)) {
			  memcpy(0x40, &ecm+0xA, &var0x19);	//length, dest_address, src_address
		     _printf__("\nSTEP 6 :\n");
		     var0 = ecm+0x13;
		     _printf__("\nProvider : %02X %02X\n", ecm+0x12);
		     _printf__("\nCW even : %02X\n", (ecm+7 & 0xF));
		     /* Start one past the section end (ecm[2] + 3) and walk
		      * backwards looking for a CW record -- the bytes
		      * 0x10/0x11, 0x09, 0x00 tested below in reverse order.
		      * The decompiler has lost the loop structure from here
		      * on; nagra2_ecm() shows the intended forward scan. */
		     var0 = ((ecm+2)+3);
			 if((var0 < -1)) {
				 _printf__("\nCW odd : %02X\n");	// format argument not recovered
			     if((var5 == 1)) {
					 return(1);
				 }
			     return(0);
			 }
		     while(1) {
		          /* Not a 0x10 record at var0? */
		          if((((ecm+var0) != 0) || ((ecm+var0 - 1) != 9) || ((ecm+var0 - 2) != 0x10))) {
					  /* Not a 0x11 record either: step back one byte; give up
					   * once the index has run off the front. */
					  if((((var0+&ecm) != 0) || ((ecm+var0 - 1) != 9) || ((ecm+var0 - 2) != 0x11))) {
					  var0 = var0 - 1;
				      if((var0 < -1)) {
						  _printf__("\nCW odd : %02X\n");	// format argument not recovered
							  if((var5 == 1)) {
								 return(1);
						 	  }
							  return(0);
						  }
					  }	
				      _printf__("\nProvider: %02X %02X\n");	// format arguments not recovered
			          var1 = 0;
			          var2 = var0 + 1;
			          /* Copies 8 bytes from ecm+var0+1 into EVEN_CW once var1
			           * passes 8; there is no break, so as written this never
			           * leaves the loop. */
			          while(1) {
			               var1 = var1 + 1;
			               if((8 < var1)) {
							  memcpy(8, EVEN_CW, ((var0+&ecm)+1));	//length, dest_address, src_address
					          var5 = 1;
						   }
			          };
				  }
		          _printf__("\nKey in use is: %x\n");	// format argument not recovered
		          var1 = 0;
		          var2 = var0 + 1;
		          /* Same copy into ODD_CW, same missing exit. */
		          while(1) {
		               var1 = var1 + 1;
		               if((8 < var1)) {
						   memcpy(8, ODD_CW, ((var0+&ecm)+1));	//length, dest_address, src_address
				           var5 = 1;
					   }
		          };	// End while
		     };	// End while
		  }
	 }
}

mensen nog even geduld ;)

ps staat ook onder coderingen... maar hier moet hij staan...

excuus
Spirit
 
Hij is er tussen uit @Spirit. ;)

Let trouwens wel een beetje op in hoeverre je de logs plaatst @Spirit...
 
Goh ik ga ook een weekje met vakantie... Maar, Hij is fijn!

GR Fred.
 
Ja twilight je bent weer te laat hopelijk heb je een fijne vakantie gehad...lol
 
Alle stappen zijn ze mee klaar..
ze moeten nu uitzoeken wat er in "do_ecm" gebeurt na het aanroepen van "nagra2_ecm"

Code:
loc_C0103C73:
	sub_C0101D66(var_ext_0);
	sub_C01030F4(var_ext_0);
	sub_C0102143(var_ext_0);
	sub_C01024AD(var_ext_0);
	init_nagrarom_dat(var_ext_0);
	if(!( (var0 == 0x1801) == 0)) goto CAID_1801;
	var1 = nagra_decode(ecm + 5, (byte[(&ecm[1])]));
	goto CAID_1800;
CAID_1801:
	var1 = nagra2_routine_0(ecm);
CAID_1800:
	if(!var1) goto loc_C0103CF1;
	sub_C01267A6 (1, (&var_ext_0[NAGRA_CW]), 0);
	sub_C008994C(); // null
	var_ext_0[0x19BB] = 0;	//index is word offset	// 00000000
	printf("cw is:\n");
	nullsub_4(var_ext_0, (&var_ext_0[NAGRA_CW]), 8);
	goto CAID_NOT_FOUND;
loc_C0103CF1:
	var_ext_0[0x19BB] = 1;	//index is word offset	// 00000000
	printf("turn on autoroll!\n");
	goto CAID_NOT_FOUND;...
 
De volgende is ook open :
DISH Network 61.5°W (ID 0101) Nagra-2 ;)

Code:
// -- Nagra2 -------------------------------------------------------------------

// DISH Network 61.5°W (ID 0101)
// ECM material selected by nagra2_ecm() when ecm[5] == 0x01: dish_ECMmod is
// passed to DecryptRSA as `mod`, dish_Ikey to ideaExpandKey as the key.
static byte dish_ECMmod[0x40]={
	0xAB,0xC5,0x7C,0xFA,0x14,0xC4,0x14,0xA8,0x4C,0x3E,  0xB1,0x96,0x9F,0x5F,0x99,0x93,
	0x62,0x19,0xB4,0x85,0xE9,0xB9,0x6A,0x20,0xC3,0x31,  0x95,0x63,0xC8,0x0D,0x13,0x74,
	0x3C,0xCD,0xDE,0xDF,0x67,0x1B,0xBE,0xDC,0x9C,0x5D,  0x31,0xEB,0xA5,0xBA,0xE2,0x60,
	0x42,0x39,0xC6,0xE7,0x07,0x29,0xE9,0x99,0x91,0x71,  0xBD,0x0F,0xFE,0x37,0x5F,0xBA
};
static byte dish_Ikey[0x10]={
	0xC3,0xAE,0x57,0x16,0x02,0x9E,0xD0,0x00,0x5F,0x24,  0xB1,0xE9,0x9C,0xD3,0xEA,0xDC
};
// EMM material for the same provider.  Both tables are all zero -- presumably
// placeholders rather than recovered values.  nagra2_emm() nevertheless
// accepts emm[5] == 0x01 and runs DecryptRSA/IDEA with this zero material,
// so whatever it produces for DISH EMMs is not a decryption of anything.
static byte dish_EMMmod[0x60]={
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,  0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,  0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,  0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,  0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,  0x00,0x00,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,  0x00,0x00,0x00,0x00,0x00,0x00
};
static byte dish_IkeyEMM[0x10]={
	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,  0x00,0x00,0x00,0x00,0x00,0x00
};

// D+ 30°W (ID 4101)
// ECM material selected by nagra2_ecm() when ecm[5] == 0x41.  d_plus_ECMmod
// and d_plus_Ikey are byte-for-byte the data_64bytes / data_16bytes tables
// from the RAM-dump listing earlier on this page.  None of these tables is
// const-qualified; nothing in this listing writes to them, but code outside
// it could.
static byte d_plus_ECMmod[0x40]={
	0xD9,0x1F,0xB4,0x82,0xF5,0x4C,0x45,0x35,0x62,0x1D,  0x84,0x5F,0x7E,0xC4,0xAB,0x4D,
	0xC9,0x30,0x9D,0xED,0x26,0xB5,0x40,0x30,0x84,0x8E,  0xB6,0x39,0x68,0x97,0x75,0x29,
	0xFE,0x8F,0xF1,0x86,0x13,0x27,0x61,0x71,0xE5,0x7B,  0xDA,0x8A,0x47,0xAC,0x99,0x37,
	0x03,0xCC,0xE2,0xA1,0xCB,0x07,0x19,0x98,0xEC,0xCB,  0x32,0x7E,0xF6,0x3C,0xCE,0xA7
};
static byte d_plus_Ikey[0x10]={
	0xF5,0x36,0x55,0x68,0xF5,0x46,0x63,0x32,0x52,0xEE,  0xD5,0x00,0x88,0x1E,0x5A,0x37
};
// EMM material for the same provider, used by nagra2_emm() (0x60-byte `mod`,
// 16-byte IDEA key).
static byte d_plus_EMMmod[0x60]={
	0xD1,0x66,0xF8,0x85,0xE9,0x71,0x9A,0xCC,0x6A,0xE9,  0xA3,0x39,0x7E,0xB5,0xB5,0x0E,
	0x31,0x8B,0xBE,0xFD,0xE4,0x56,0x5B,0xFD,0x9B,0xC1,  0x09,0x48,0x46,0x0D,0xD7,0x55,
	0x78,0xB4,0x08,0x06,0x6A,0xB0,0xC3,0x63,0x04,0x1A,  0x8F,0x89,0xB2,0x17,0x61,0xF1,
	0xE3,0xA0,0x7F,0xBA,0xCE,0xD5,0xEF,0x48,0x5A,0x86,  0x08,0xCB,0x28,0xEF,0xD2,0x69,
	0xB8,0xA2,0x80,0x76,0x8D,0xA8,0x36,0xC6,0xC6,0x10,  0xF5,0x01,0x01,0x66,0x21,0x88,
	0x80,0x54,0x25,0x30,0x9C,0xAE,0x7C,0x2B,0x92,0xD5,  0x22,0x41,0xEC,0xC1,0xC5,0xB2
};
static byte d_plus_IkeyEMM[0x10]={
	0x44,0xA5,0x58,0x04,0x2C,0xBF,0x04,0x6A,0x23,0x02,  0xBF,0x3B,0x5A,0x9D,0xEA,0x53
};

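/* Reverse `len` bytes of `data` in place.
 *
 * nagra2_ecm()/nagra2_emm() call this on the CryptLen (0x40 / 0x60) byte
 * payload after the second DecryptRSA pass.  The previous version went
 * through a fixed 256-byte stack scratch buffer and overran it for any
 * len > 256; swapping pairs from both ends needs no scratch space and has
 * no such limit.  len <= 0 is a no-op. */
void swapbytes (byte *data, int len) {
	int lo, hi;

	for (lo = 0, hi = len - 1; lo < hi; lo++, hi--) {
		byte t = data[lo];
		data[lo] = data[hi];
		data[hi] = t;
	}
}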

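/* Decrypt one Nagra2 ECM section in place and extract the control words.
 *
 * ecm: complete ECM section.  ecm[2] is the length of the part after the
 *      3-byte header (so ecm[2]+3 bytes must be readable and writable),
 *      ecm[5] selects the provider, and the CryptLen (0x40) byte payload
 *      starts at ecm + ecmParm (0xA).  The buffer is rewritten with the
 *      decrypted payload; the caller's copy is destroyed.
 * dw:  16-byte output.  A tag-0x11 record fills dw[0..7], a tag-0x10
 *      record dw[8..15]; a slot whose record is absent is left untouched.
 * Returns true when at least one CW record was found, else false.
 *
 * Compared with the earlier version: an unknown provider byte used to leave
 * `key` and `mod` uninitialised and carry on; a section too short to hold
 * the 0x40-byte payload was still processed (every access below assumes
 * it); and the record scan ran to ecmLen on the already-shifted pointer and
 * so read beyond the decrypted area.  All three now return false.
 */
int nagra2_ecm(byte *ecm, byte *dw) {
	byte tmpBuff[0x10], key[0x10], mod[0x40];
	int i,j,k;
	unsigned short EK[IDEAKEYLEN];

	const int ecmParm = 0xA;
	const int ecmLen = ecm[2];
	const int ecmLastByte = ecmLen+2;
	const int bProviderIdHigh = ecm[0x05];
	const int CryptLen = 0x40;
	const int cwRecLen = 11;	/* tag, 0x09, 0x00, then 8 CW bytes */

	/* The code below touches ecm[ecmParm .. ecmParm+CryptLen-1] and
	 * ecm[ecmLastByte] unconditionally; the 0x4C-byte sample ECM on this
	 * page (ecm[2] == 0x47) is exactly the minimum that fits. */
	if (ecmParm + CryptLen - 1 > ecmLastByte) return false;

	switch (bProviderIdHigh) {
	case 0x01:	// DISH Network 61.5°W
		memcpy (key,dish_Ikey,16);
		memcpy (mod,dish_ECMmod,CryptLen);
		break;
	case 0x41:	// D+ 30°W
		memcpy (key,d_plus_Ikey,16);
		memcpy (mod,d_plus_ECMmod,CryptLen);
		break;
	default:	// no key material for this provider
		return false;
	}	

	DecryptRSA (ecm+ecmParm, mod, nagraExp, CryptLen, 1);
	/* Carry bit 7 of ecm[9] into the last section byte before the IDEA pass. */
	ecm[ecmLastByte] = ((ecm[9] & 0x80) | (ecm[ecmLastByte]));
	ecm = ecm+ecmParm; // parse ECM

	/* IDEA over 8-byte blocks, last block first, each decrypted block XORed
	 * with the still-encrypted block before it. */
	ideaExpandKey(key, EK);
	for ( i=(CryptLen/8)-1; i>-1; i-- ) {
		ideaCipher(ecm+(i*8), ecm+(i*8), EK);
		if (i>0) for (j=0; j<8; j++) ecm[(i*8)+j] ^= ecm[(i-1)*8+j];
	}
	DecryptRSA (ecm, mod, nagraExp, CryptLen, 1);

	swapbytes (ecm, CryptLen);
	k = 0; // cw found
	/* Only the CryptLen decrypted bytes are meaningful, and a record needs
	 * cwRecLen bytes starting at i.  After a hit, skip the record; the
	 * loop's own i++ supplies the last byte of that step, so an immediately
	 * following record is examined rather than skipped. */
	for (i=0; i + cwRecLen <= CryptLen; i++) {
		if (ecm[i+1] != 0x09 || ecm[i+2] != 0) continue;
		if (ecm[i] == 0x10) {
			memcpy(dw+8, ecm+i+3, 8);
			i += cwRecLen - 1;
			k++;
		}
		else if (ecm[i] == 0x11) {
			memcpy(dw, ecm+i+3, 8);
			i += cwRecLen - 1;
			k++;
		}
	}

	#ifdef DEBUG
		/* This prints the control words in clear; keep DEBUG off in any
		 * build whose output is shared. */
		printf("\necm decrypted: \n");
		dump (ecm, CryptLen);
	#endif

	if(k) {
		if( ecm[0x0e]==0x10 && ecm[0x0f]==0x80 ) {	// DCWs inversed
			memcpy(tmpBuff, dw, 16);
			memcpy(dw+8, tmpBuff, 8);
			memcpy(dw, tmpBuff+8, 8);
		}
		return true;
	}
	else return false;	// system-nagra2: failed to get CW
}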

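/* Decrypt one Nagra2 EMM section in place.
 *
 * emm: complete EMM section with the same layout nagra2_ecm() assumes:
 *      emm[2] is the length after the 3-byte header, emm[5] the provider,
 *      and the CryptLen (0x60) byte payload starts at emm + emmParm (0xA).
 *      The payload is overwritten with its decryption.
 * Returns true when the payload was processed, false for an unknown
 * provider or a section too short to hold the payload.
 *
 * Nothing in the decrypted payload is checked or parsed here: "true" means
 * the arithmetic ran, not that the EMM was genuine or carried anything.
 * The DISH (0x01) EMM tables above are all zero, so for that provider the
 * result is not a decryption of anything.
 *
 * Compared with the earlier version: an unknown provider no longer runs
 * with uninitialised `key`/`mod`, a too-short section is rejected instead
 * of being read and written past its end, the block count is derived from
 * CryptLen instead of the hard-coded 11, and the unused `k` is gone.
 */
int nagra2_emm(byte *emm) {
	byte mod[0x60], key[0x10];
	int i,j;
	unsigned short EK[IDEAKEYLEN];

	const int emmParm = 0xA;
	const int emmLen = emm[2];
	const int emmLastByte = emmLen+2;
	const int bProviderIdHigh = emm[0x05];
	const int CryptLen = 0x60;

	/* Everything below touches emm[emmParm .. emmParm+CryptLen-1] and
	 * emm[emmLastByte] unconditionally. */
	if (emmParm + CryptLen - 1 > emmLastByte) return false;

	switch (bProviderIdHigh) {
	case 0x01:	// DISH Network 61.5°W
		memcpy (key,dish_IkeyEMM,16);
		memcpy (mod,dish_EMMmod,CryptLen);
		break;
	case 0x41:	// D+ 30°W
		memcpy (key,d_plus_IkeyEMM,16);
		memcpy (mod,d_plus_EMMmod,CryptLen);
		break;
	default:	// no key material for this provider
		return false;
	}

	DecryptRSA (emm+emmParm, mod, nagraExp, CryptLen, 1);
	/* Carry bit 7 of emm[9] into the last section byte before the IDEA pass. */
	emm[emmLastByte] = ((emm[9] & 0x80) | (emm[emmLastByte]));
	emm = emm+emmParm; // parse EMM

	/* Same block walk as nagra2_ecm(): (CryptLen/8)-1 == 11 for 0x60 bytes. */
	ideaExpandKey(key, EK); 
	for (i=(CryptLen/8)-1; i>-1; i--) {
		ideaCipher(emm+(i*8), emm+(i*8), EK);
		if (i>0) for (j=0; j<8; j++) emm[(i*8)+j] ^= emm[(i-1)*8+j];
	}

	DecryptRSA (emm, mod, nagraExp, CryptLen, 1);

	swapbytes (emm, CryptLen);

	#ifdef DEBUG
		/* Prints the decrypted payload in clear. */
		printf("\nemm decrypted: \n");
		dump (emm, CryptLen);
	#endif

	return true;
}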

Gaat lekker nu...
 
ik zal eens een ontvangstpoging doen hier op de Holterberg, 101 meter NAP... 61.5°W... hehehe
 
Ja, leuk!
Schoteltje van 10 meter neer zetten...
 


