Crow
03-04-2005, 01:50 AM
Here is some more information I found on the German forums. It might help shed some light on their advancements with Aladin/Nagra2. I personally don't think they're much ahead of North America. Remember this has been roughly translated so bear with me.
Post #1
I copied this from @xor16; it is an interesting starting point for the Aladdin card. [quote] It concerns "pure Nagra", which was only extended by two Betacrypt features. Those are: 1. the Betacrypt Class 2 and Class 5 handling, 2. the handling of the Betacrypt transport protocol. The Nagra core handles every incoming and outgoing message through its IO routines. However, after receiving and/or before sending data, a SWI handler is started in each case (see Bugcatcher), which parses the data in the IO buffer and treats it according to the direction of communication. That runs roughly like this: - after receipt of a complete message, the first SWI handler checks whether it is 1. Class 2 or 2. Class 5 (Beta); if so, the appropriate Betacrypt handler is started. Otherwise the message, more precisely the transport protocol, is converted to Nagra-conformant form and handled by the message handler of the Nagra core, which is called later in the idle loop. - after the answer to the command has been written by the respective core into the IO buffer, and before IO-SEND is called, the second SWI handler is called, which converts the message in the IO buffer back into Betacrypt-conformant form if it comes from the Nagra core. In this SWI handler, after the RESET, the Nagra ATR in the IO buffer is also overwritten with the Beta ATR. Since the original Nagra ATR is, however, longer than the Beta ATR, remainders of it can still be picked out of the IO buffer afterwards. As you see, compared with ROM10x not that much had to be changed in the concept for Aladdin. The difference actually lies only in how already existing possibilities are used, since the two SWIs that are called before sending and after receipt were already used in older ROM versions for Bugcatcher. The communication parameters changed compared to Nagra (byte convention, etc.) were also already handled in earlier ROM versions via appropriate flags, which are stored in the EEPROM.
So the Nagra core notices nothing of the additional Betacrypt surroundings. To that extent the ROM120 is actually a Nagra ROM103 with some EPROM extensions for the Betacrypt handling. [/quote] What does that mean for us? We are not at all so far away from the Aladdin versions in Spain and probably also in Poland (in future). Tools to work on the ROM 10x are there, and what is much more important, "our" hackers are as far along as we keep thinking. Kofler greets you warmly, the year is over. Regards, qu __________________
Post #2
Let us turn to the class 2 and class 5 commands of bc. The class 2 command serves for querying the data stored on the card. In bc those are: ASCII serial number, hex serial number, country code, ProvID 00 and 01 (directly 00 and 10), the CHIDs, DBoxpin, card files. The class 5 command serves for querying the keys. In bc those are: CHIDs, Prov key number 00, length, nanos, sig. From this we see that the currently known card programs such as KL, nms, NC, etc. can read the bc portion on the card very well. By the way, naturally also the "old" card programs. Therefore one could also still use cb or qc when processing commands, and parts of the card are thereby still selected with Dx; not all bc parts, however, but some. What nanos look like can be seen from this example: card file1 selects 01 02 0E 02 00. Unfortunately the answers of the card no longer look like "in former times". Back then one could infer something about the command or the card from the answers; today that perhaps works again, only............ I thought that could be interesting for one or the other. Regards, qu
Post #3
Hello people, @Qualita: what is ProVG? Why does the ProvID have 4 bytes, why so long? And DATE so short, only 2 bytes? And CHID 8 bytes, so long? Where do you know that from? For weeks I have been XORing the nanos without success. Would be grateful for every tip. Do the nanos have a date block at all? Then the write nanos would always have to write the same date. All nanos I tested always write start 07BB = 1 Jan 2003 = 1979 days, expiration 1700 = 23 Jan 2003 = 023 days (inactive). Active would have to be FE00 = 254 days. So I have my doubts whether the date block is present at all. And where does the CHID sit, which byte? If I knew that exactly, I would already be a step further. Here is an example of how I do it:
01 01 00 00 00 6B D3 00 00 00 04 65 05 01 82 00 98 0C C3 5B 64 56 E9 4D 65 7E C9 6A CA C2 69 F0 C0 48 06 6E F1 84 CE D9 AE 95 F4 6E DF 20 B5 F2 03 81 93 B8 7B 14 B2 BD 48 42 1A 4B 57 5F 4E D5 CA F8 FC D5 BA CD F9 A5 E7 D9 CF 46 A8 23 EA B5 88 D0 39 5F FD FC AC 39 5A BA 30 BC 58 28 28 C1 BD 95 C1 F4 5D F3 75 10 D0 08 7B 26 0A 09 7A 37 76
CHID 03DE, START 07BB (01 Jan 2003 = 1979 days), EXPIRATION 1700 (23 Jan 2003 = 23 days, inactive) (FE00 = 254 days would be active)
XORed starting from the 18th byte: block 1 byte 1 with block 2 byte 1, block 1 byte 2 with block 2 byte 2, etc. Block 1 with block 2/3/4/5/6/7/8/9/10/11/12:
72 0A 31 AE 94 80 BD A5 44 C5 35 95 D2 27 94 CB 99 37 35 BB 76 5C BF 66 8D 50 E3 1F 42 5B F0 2D 4E D9 10 33 09 A7 98 AF F4 3F 8E DE 9B 10 E8 82 D5 0C 1D CC 75 03 F8 0D DC FA 04 99 AA 45 74 3F B6 F3 E7 3C 7E C1 8C D8 99 02 AF 39 A5 9C 5D B5 04 B8 7D 6E 5F 93 7A 13
Conclusion: there are 88 actions, 03 ED are there, but F8 sits between them. Possibly the date block does not participate. Why are the strings actually so long?
That brings me to a new idea with 48 actions: byte 1 with byte 2, byte 3 with byte 4, byte 5 with byte 6, byte 7 with byte 8, etc.:
CF 3F BF 28 B7 A0 AB 30 4E 9F 4A 77 61 B1 95 F1 12 C3 A6 F5 58 1C 11 1F 04 6F 34 42 16 EE C9 3D E9 A2 50 63 8A E4 00 7C 54 A9 86 C0 73 2C 73 41
Conclusion: 48 actions, dead end. Would be grateful for every tip out of this hopeless situation, without technical jargon. Have fun
Post #4
Why one still holds back strongly with publications about the Aladdin decryption is also because of the possibility of hiding executable code in the EMM, which changes the keys or other commands again before they are stored, checked or processed. Here is a post by @nanobot on the matter: [quote] EMM decoding with Nagravision up to ROM11 is quite a nice thing, but one can look at the whole thing on the basis of various programs by Zacky. Recommendable in this connection are also "EMM Studio 3.0" as well as the smartcard emulator "Sosia 2.20", besides the Stuntguy FAQ. In type 7, a total of 5 keys/groups of bytes that are or can be relevant for EMM decoding are recorded on a Nagra card: the parity keys 0, 1 and 2 with 15 bytes each, whereby PK2 is mostly used; the Verify key with 8 bytes; as well as the EMM decrypt key with 64 bytes. Nagra EMMs are doubly RSA encoded, whereby another permutation element is also in play, so as not to make the thing too easy. The EMM decrypt key from the EEPROM is the modulus for the first RSA operation; the exponent for it is not located in the EEPROM, since it is always the same (it is the smallest possible value ;-). This modulus is mostly called N2 in the relevant programs. In contrast, the modulus and the exponent for the second RSA operation are not stored in plain form in the EEPROM of the card. Rather, the prime factors P1 and P2 are produced from the selected parity key (mostly PK2), from which the modulus N1 and the exponent E1 for decoding are then produced by a combination of XOR linkage and addition. The second key pair is thus only produced dynamically at run-time. The Verify key then serves "only" to ensure the correct transmission of the EMMs by means of a signature. Whoever would like to know more exactly should look at it with "Sosia" in single-step mode; it is really fun to look at what the people at Kudelski have invented there.
It remains to be said that with Nagra it is possible to accommodate in an EMM, behind the key update, executable machine code which further modifies the just-transferred keys before they are stored in the EEPROM. Thus it becomes clear why it is so difficult to program a durably functioning external emulation, because it must simulate the card practically perfectly. [/quote] I.e. if "only" 99% of the card is known from a dump, that is not sufficient to accomplish an emulation in such a way that the encrypted channel stays up longer than 10s. This 1% makes it possible to kill off hacks by varying the executable code. That is still more flexible than the nano-turners of the seca2 providers. Regards, qu