C/P from Cardcoders - clones


tbelisle
08-04-2005, 08:50 PM
Interesting but Not Encouraging Read.........

--------------------------------------------------------------------------------

This is a c/p from Fordman, he is on the staff @ Card Coders.

I recently had the opportunity to talk to a respected person in this hobby. What transpired in this conversation was that there is some truth to these rumours although some have been grossly exaggerated. I myself was given the opportunity to see it at work and it does indeed work. With that being said I'd like to say this:

This announcement is written hopefully to serve many purposes. The first is to address the rumors currently running rampant about a nagra2 hack. The second topic is to inform the public what to expect from a nagra2 hack, which will help discern future rumors from fiction, and to hopefully just all around give a better understanding of the futile nature of hacking this generation of smart cards, commercially or publicly.

Both of the above topics tie in very closely due to one word seen tossed around the internet in the most recent rumor, "clone". Please be aware that if and when a nagra 2 hack becomes available, the only way to get around the new card <-> Ird encryption for control words will be to clone the camid on the cards, and to clone every ird with the boxkey and ird from that sub. Before I get into the numerous problems this raises, I would first like to state that method is one of the only 2 methods available. The second method requires firmware modding, and is less secure in a public environment than cloning cam/ird/box. At least with cloning those, along with the dt08, and however the private key is stored for the cmd 2a/2b agreement, some variety of different id's will be in receivers vs. all the same firmware mods which is easily detectable. Now before anyone calls me out on how I would know this, or calls BS, please note in these very forums are partial disassemblies of the ird with the pertinent info as well as good overviews of how the dt08 is decrypted and session keys are established. Nagravision has done an excellent job with the latest round of ecm encryption. It has made things like camsharing more difficult, and things like stable plastic hacks virtually impossible. There likely will be no way around cloning since RSA is involved and we will not be able to create the dt08, or the private key on the card since we do not have required keys.

Therein lies the futility of hacking nagra2: should you actually hack it, it would be child's play for them to attack the cloned ird's. Should you mod the firmware, they can easily detect the keys inside the ird have been modified. Let us not forget that this is only one method of security as well. Some Nagra2 cards do not have a dt08. A key lies inside the ird. Little is known about this so far, other than cloning would not work with such an ird, and since only certain receivers utilize this key, a one for all hack is no longer within easy grasp. Should nagra2 be compromised, there is no future for public hacking. Privately it can be hacked, but know that pirating TV as you all know and love it is dead.

On to these rumors. There are things about these particular rumors that have an air of truth about them, don't go all crazy about it. The fact that two things in particular are mentioned, one cloning, and two that a certain 301 model doesn't work with it, would certainly be correct of any hack from nagra2 that came from a non certain 301 model. In that there rings truth. However, people have been cloning ird's to move cards around, and it is easy to get duped into seeing what you wish to see.

Be very wary of purchasing any cards if the current rumors hold true. I believe there will be a good amount of time before they attack, but once they do, it's pretty much over. This of course is only based upon the fact of how much more secure session keys have made things with the combination of rsa and IDEA. This doesn't even scratch the surface on what could be inside the card. I would imagine the control words aren't the only thing that uses IDEA and rsa for added security. It also appears that nagra may have not made the same mistake of public keys shared across multiple rom revisions. It would be easy for them to update the ecm handling of newer roms without revealing the process and swap out all older roms. Strap yourselves in for a ride, because whether the hack is out or not, testing is over as you know it.

bobcat2001
08-04-2005, 10:08 PM
This Goes up there with ROM 10's are unglitchable, ROM11's unglitchable, HU cards unprogrammable, HU cards unloopable, and a bunch of other BS.

LOL,

Bobcat

vmod32
08-04-2005, 11:35 PM
FYI - That post has nothing to do with the activator 2. It has to do with the clone cards rumors that have been floating around...

Gracie
08-05-2005, 02:01 AM
Vmod32 this post is in the N2 Hacks and Exploits section, not the Activator 2 thread ...

thanks TB Good Read!!

tbelisle
08-05-2005, 03:22 PM
Correct... N2 hacks and exploits takes you to Activator2. Not my fault the thread is screwy

vmod32
08-05-2005, 06:48 PM
Oh I see... seems ok now... just wanted to avoid confusion