It has been through a translation machine, but it is still reasonably easy to follow. Originally posted by Lagos on the Huts.
Not in perfect English, but made readable by the translation machine:
To emulate S*ca2 without the aid of an original card, the following tools are used:
- The hash table Bx used in the SuperEncryption algorithm
- The RSA key and the decryption exponent for ECM table 1001
- The operating key 0D (the key in use in March)
First of all, you should know that there are 3 hash tables in our S*ca2 cards. The tables are: 9x, Bx and Fx.
Tables Bx and Fx are located in the EEPROM of the card. The EEPROM was certainly dumped using an unlooper or a glitcher, but its content is not in the public domain (whoever extracted it did not publish it).
Table 9x, unlike the others, is not found in the EEPROM but directly in the ROM of the card, and there is no valid information affirming that the ROM has been dumped. If it has been dumped, its content is likewise not in the public domain at present.
Even though, as I said, the dump of the EEPROM is not in the public domain, it is clear that some unscrupulous dealers used it at the beginning of the year to produce pirate cards called Titanium or KnotCards, whose files are not in the public domain and are used by people who treat this not as a hobby but as quite well-paid work.
I believe that the Bx tables used in the emulators for Dragon Cam and for DreamBox were actually dumped from these pirate cards, or that someone came into possession of the files and set about extracting from them the tables needed to build these emulators.
The nice thing is that the tables are not in the public domain at present, but they are easy to identify in the binary file "Scam" inside the 5 MB IMG file used by the emulator for DreamBox.
The less nice thing is that if S_K_Y wanted to (and why ever should it not want to?), it could switch all of the ECMs and EMMs to a different table. For example, it could switch everything to hash table Fx just to begin with, which would put all of the emulators out of action for a little while, but sooner or later table Fx too would be exposed, since, as I said a little earlier, it was dumped together with the whole EEPROM. At this point S_K_Y could well switch everything to hash table 9x, which would deliver the hardest blow against all of the users interested in pirate solutions (emulators, waf*r, titanium, etc...)
For those who are asking how table Bx is used in the various emulators, here are a couple of strings with which I will try to clarify the ideas:
This is an example of an ECM as we receive it:
C14001Bx5C1001236382606FAB41DCEBD40B034F59D0CD090A 0196D42642E2FF 2FF399741920FA956DD1C06314F6F2099989C66653347162D6 E8D063A3051F2A653C4FB751CEBCD6D887EE70CEE11CF3DA61 F434603F01BDF95FBF593D665BEB4A
and this is an example of an EMM as we receive it:
C14001B0631003E7C2019B9870CD01D2A01CE5FBF66304DB0B 1CB8DB2DE4832E 4D6BCDEC87106A6E3F6D76294730583355BB4E4AAAB52AEFEE C74DC369D488D47E756394C715FBB1D2C1F76AEDE39DEFBD50 C9795A45840EFEEC75FBF6630367822F9AA952804681
We look at the initial part of each string; it tells us that:
- C1 = class of the command
- 40 or 3C = indicates the ins used in the command; ins 40 is used by the EMM, ins 3C is used by the ECM
- 01 = indicates the service provider (the Italian service provider 01 is -> S_k_y (0070), in Spain prov 01 is -> C@nal+ (0064), and so on...)
- B0 or B1 = the low nibble indicates the key that is signing the command, so that 0 is for MK 00 and 1 is for MK 01; the high nibble indicates the hash table used to encrypt the whole command. From the beginning of S*ca2-encoded transmissions until today, hash table Bx has been used, but as I said above: "Why ever should S_K_Y continue to use it now?"
- 5C or 63 or another value = indicates the length (LEN) of the remaining part of the string.
- 1001 or 1003 = indicate the tables used in the ECM or in the EMM.

We have three tables that can potentially be activated for the ECM and the EMM: table 1001, 1003 and 1005. There is also the possibility of activating a useless table: table 1007 (which does not work like the previous ones and which I therefore consider... "weird" and useless). Every table works with its own RSA key and with the public exponent. Every table is different between ECM and EMM, so that if we knew the RSA key for ECM table 1001 of service provider 0070, we could not use it to decrypt EMM 1001 of the same service provider. If we had the RSA key for EMM table 1003 of service provider 0070, we would not be able to use it to decrypt EMM 1003 of service provider 0071. And so on...
For those to whom the concept is still not clear, here is a diagram of how the RSA keys are distributed (every key has to be 90 bytes); all the keys included in the diagram are DIFFERENT from one another:

ECM 1001 - Service Provider 01 ----> This is used in the emulators
ECM 1003 - Service Provider 01
ECM 1005 - Service Provider 01
EMM 1001 - Service Provider 01
EMM 1003 - Service Provider 01 ----> This is used ALSO in the titanium
EMM 1005 - Service Provider 01

ECM 1001 - Service Provider 02
ECM 1003 - Service Provider 02
ECM 1005 - Service Provider 02
EMM 1001 - Service Provider 02
EMM 1003 - Service Provider 02
EMM 1005 - Service Provider 02

ECM 1001 - Service Provider 03
ECM 1003 - Service Provider 03
ECM 1005 - Service Provider 03
EMM 1001 - Service Provider 03
EMM 1003 - Service Provider 03
EMM 1005 - Service Provider 03

(I omit the part relating to service providers 00 and 04 because it is not of interest for the purposes of this discussion.)
Whoever built the emulators for Dragon Cam and DreamBox uses, of all these keys, ONLY the one needed to decrypt the SSE of the ECM based on table 1001.
The control words (or crypted words) are in fact currently encrypted with ECM table 1001. The first thing the emulator does as soon as it receives an ECM is to remove the SSE from the last 90 bytes so as to find the 8 bytes that constitute the Crypted Word (the argument of nano D1 supplies 16 bytes that form CW1 and CW2). The CW arrives with a command C13C01Bx5C1001 where, as you will have understood:
- C1 = is the class of the command
- 3C = is the ins used to send the Crypted Word of the DVB stream
- 01 = is the service provider
- Bx = by now it is quite clear that B represents the hash table used to encrypt the command in SuperEncryption, while x represents the operating key C or D or E that will sign the command
- 5C = is the length of the command that will follow (LEN)
- 1001 = represents ECM table 1001, used AT PRESENT!
Here are the operations performed by the emulator:
- it receives the ECM, which is encrypted with ECM table 1001 of service provider 01, signed with the operating key currently in use (the 0D of March), everything encrypted in SE with hash table Bx
- it decrypts the command and takes the 8 bytes of the crypted word of the DVB
- it answers with a C1 3A containing the decrypted value of the CW, and therefore returns the Decrypted Word (it does not require any kind of encryption)
All this gives us viewing of the channels.
But for how long will it last? In my opinion, very little..
The following examples show us how S_K_Y can safeguard its own interests, putting the emulators out of action:
1) It could change the operating key (the emulator uses the key of March and is not self-updating for a simple reason: it includes only ECM table 1001 and not EMM table 1003, which is used to encrypt the updates C1400xB15C)
2) It could switch the ECM table from 1001 to 1003 or to 1005 (seeing that the latter use RSA keys that are not in the public domain or in any case
3) It could switch all of the commands (activations, updates, ECM, everything...) from hash table Bx to table Fx, which is simply still not very secure, given that it was dumped but is not yet in the public domain. Or it could use a more drastic solution: the total move to hash table 9x, which sits nicely in the ROM!!
I hope that this explanation is of help to whoever has wondered how the recently released emulators work, and if someone is still asking why these emulators do not also work on other service providers, that someone should remember that:
- The hash tables of the other service providers are not in the public domain
- The ECM or EMM tables of the other service providers use RSA keys that are not in the public domain
- many service providers in Europe use cards that are more "resistant" than those used in Italy (we use Version 7.0_A and Version 7.0_B in Italy and in Spain; other countries use card versions with fewer bugs or in any case not currently considered buggy).
Avensis
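
Added example (not part of the original post): a Python sketch that splits the command header into the fields the post lists and reports which of the three operator countermeasures a header change corresponds to. The sample commands are constructed with zero-filled bodies, and all function and field names are assumptions of this example.

```python
from dataclasses import dataclass

INS_KIND = {0x40: "EMM", 0x3C: "ECM"}  # ins values as given in the post

@dataclass(frozen=True)
class Header:
    cla: int          # command class (C1)
    ins: int          # 40 or 3C
    provider: int     # service provider index
    hash_table: str   # high nibble, e.g. "Bx"
    key_index: int    # low nibble: signing key
    length: int       # LEN byte
    table_id: int     # 1001 / 1003 / 1005
    body_len: int     # bytes actually present after LEN

    @property
    def kind(self) -> str:
        return INS_KIND.get(self.ins, "unknown")

    @property
    def length_ok(self) -> bool:
        # LEN counts everything after itself, table id included
        return self.length == self.body_len

def parse_header(hex_string: str) -> Header:
    raw = bytes.fromhex("".join(hex_string.split()))
    if len(raw) < 7:
        raise ValueError("need at least 7 header bytes")
    cla, ins, provider, p2, length = raw[:5]
    return Header(cla, ins, provider, f"{p2 >> 4:X}x", p2 & 0x0F,
                  length, int.from_bytes(raw[5:7], "big"), len(raw) - 5)

def countermeasures(before: Header, after: Header) -> list:
    """Map header differences to the three changes listed in the post."""
    found = []
    if after.key_index != before.key_index:
        found.append("operating key changed")
    if after.table_id != before.table_id:
        found.append("ECM/EMM table switched")
    if after.hash_table != before.hash_table:
        found.append("hash table switched")
    return found

# Constructed samples: real header layout, zero-filled 90-byte bodies.
SAMPLE_A = "C13C01BD5C1001" + "00" * 90
SAMPLE_B = "C13C01FD5C1003" + "00" * 90
TRUNCATED = "C13C01BD5C1001" + "00" * 10

if __name__ == "__main__":
    print(parse_header(SAMPLE_A))
    print(countermeasures(parse_header(SAMPLE_A), parse_header(SAMPLE_B)))
```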