View Full Version : Gossip/Leak?


alsouthster
01-13-2007, 04:22 AM
This was posted at another forum which had posted it from another forum ....claiming to be a leak...interesting...but no guarantee whatsoever to its authenticity

C&P

"The gist of some interesting policies and directions that I want to share with everyone. It looks like we might well be towing the end of the line as far as N2 testing goes. Nagravision is getting aggressive now. As of early 2007, DISH Network and Bell ExpressVu have been confronting very serious issues with satellite signal piracy. (see wikipedia.org article on Nagravision).
Anyway, here is what the Nagrastar people are working on. First off, as you all know, Nagra looped a lot of ROM102 cards last month using an EMM packet called B1. The way they did it is by performing key changes using dynamic code embedded in a B1 EMM. Since the key change code is now dynamic, it cannot be anticipated anymore. The only way to roll the keys is to "execute" the code embedded in a B1 EMM and "see" what happens. The problem with this approach is that the next key roll could be a Trojan horse loop command. This is exactly what happened last month. Not only were all ROM102 cards looped, but as a further precaution to unlooping, the executed B1 command also erased the maprom which is needed to perform all the Nagra encryption/decryption routines.
Lately (as of Jan 03, 2007), Nagra's B1 EMM commands used to roll the keys are using practically every opcode and jumping to every random executable ROM location to perform a simple key roll. This is serious business. These EMM commands have to be thought out by programmers ahead of time and then tested before being used in the data stream.
Furthermore, they are not only using a couple of these commands, but different ones on a daily or twice daily basis. Not a single keyroll packet has been repeated yet. Nagra now has the plastic testers by the balls. If you let through any B1 EMM, your card will eventually get looped. If you block all the B1 EMMs, you will have to manually change the keys 2-3 times daily. I guess something is better than nothing, but widespread plastic testing without any downtime is a thing of the past.
But why are they going after plastic testers so aggressively? Isn't FTA a more serious piracy problem for them? The answer is yes and FTA will be next. The noose for FTA stbs is being prepared as you read this. The noose is known as EMM 64. Although there are no global EMM 64 packets in the stream right now, several coders have confirmed that EMM 64 is indeed being used in private packets being addressed by IRD #. An EMM 64 command is simply a command that sends encrypted executable code to the IRD. If this code is not sent by the cam to the IRD or not executed properly by the IRD, then something bad usually happens. For those that remember the Nagra 1 days, that "something bad" was location ID 01. Yup, EMM 64 was being used to do that.
This time, I doubt it will be something as simple as location ID 01. After all, there are hardly any plastic testers left using E*hostar IRDs. Instead, EMM 64 will be used to alter the control words in a way only an actual E*hostar IRD can perform. Since an FTA stb is not an E*hostar IRD, getting the correct control words will be problematic.
Some of the Kudelsky people also discussed the possibility of a new map call coming down the pipes, but in the end, it was agreed that an original dump of maprom is quietly circulating among most of the elite coders and that reversing any unknown calls could be done within days. The possibility of using something called MECM80 was also mentioned. This is similar to the Nagra 1 scenario where proper assembly of the control words requires correct EMM decryption and correct ECM decryption. It was concluded that this would not deter most testing methods that can perform 768 bit RSA in under 1 second.
Finally, the possibility of using EMM-S packets instead of EMM-G packets to deliver the IDEA keys was discussed. This is in fact already being done by ExpressVU quite successfully to deter signal pirates from viewing the NFL ticket. They may adopt this approach to other lucrative programming packages like adult/ppv and ethnic programming. An EMM-S packet is a private packet that can only be decrypted by the card it has been sent to. In other words, the updates would come down card specific. If you are not subscribed, you don't get any of the card updates.
Since the latest card revisions have now been unlocked, this approach would not work very well until all cards are locked down again. Quick, everyone make a dump of your subbed cards while you still can. Expect a new revision locking you out again very soon.

Things are sure going to get interesting.

PS to SI:
Your witch hunt is useless. I own you assholes and yes you DO have a leak."
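The EMM-G versus EMM-S distinction in the quoted post is the difference between a key update wrapped under a key every issued card shares and one wrapped under a key only the addressed card holds. The toy model below is an added illustration, not code from the post, from Nagravision/NagraStar, or from any DISH or ExpressVu product: the packet field names, the `Card`/`Headend` classes and the SHA-256 counter-mode wrap with an HMAC tag are all assumptions chosen for the demo, standing in for whatever the real cards use. It shows that a card holding the shared group key recovers a globally delivered service key whether or not it is subscribed, while addressed delivery leaves an unsubscribed card with nothing, even if it tries to re-address a captured packet to itself.

```python
"""Toy model of global (EMM-G) vs card-addressed (EMM-S) key delivery.

Added example; names, packet layout and the wrapping cipher are assumptions,
not the real Nagravision format.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stand-in for the card's real wrapping cipher."""
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return blocks[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify under this key."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Card:
    """A receiver card: a unique per-card key plus the group key all cards share."""

    def __init__(self, card_id: int, card_key: bytes, group_key: bytes):
        self.card_id, self.card_key, self.group_key = card_id, card_key, group_key
        self.service_keys = {}

    def process(self, packet: dict) -> bool:
        if packet["type"] == "EMM-G":
            key = self.group_key                 # anyone with the group key can open it
        elif packet["type"] == "EMM-S":
            if packet["card_id"] != self.card_id:
                return False                     # addressed to another card: ignore
            key = self.card_key
        else:
            return False
        plaintext = unwrap(key, packet["payload"])
        if plaintext is None:
            return False                         # wrong key for this packet
        self.service_keys[packet["service"]] = plaintext
        return True


class Headend:
    """Holds the group key and the per-card key of every card it issued."""

    def __init__(self, group_key: bytes, card_keys: dict):
        self.group_key, self.card_keys = group_key, card_keys

    def emm_g(self, service: str, service_key: bytes) -> dict:
        return {"type": "EMM-G", "service": service,
                "payload": wrap(self.group_key, service_key)}

    def emm_s(self, service: str, service_key: bytes, card_id: int) -> dict:
        return {"type": "EMM-S", "service": service, "card_id": card_id,
                "payload": wrap(self.card_keys[card_id], service_key)}


def run_demo() -> dict:
    group_key = os.urandom(16)
    card_keys = {1: os.urandom(16), 2: os.urandom(16)}   # constructed: two subscribed cards
    headend = Headend(group_key, card_keys)
    subscribed = [Card(1, card_keys[1], group_key), Card(2, card_keys[2], group_key)]
    # Constructed: a card that holds the leaked group key but is not a subscriber.
    unsubscribed = Card(99, os.urandom(16), group_key)
    everyone = subscribed + [unsubscribed]

    # Global delivery: every holder of the group key recovers the service key.
    movie_key = os.urandom(16)
    global_ok = [c.process(headend.emm_g("movies", movie_key)) for c in everyone]

    # Addressed delivery: one packet per subscribed card; the other card has no
    # packet for its ID and no key that opens anyone else's.
    sports_key = os.urandom(16)
    addressed = [headend.emm_s("sports", sports_key, cid) for cid in card_keys]
    addressed_ok = [any(c.process(p) for p in addressed) for c in everyone]

    # Re-addressing a captured EMM-S to itself still fails: the tag does not verify.
    forged = dict(addressed[0], card_id=unsubscribed.card_id)
    return {
        "global": global_ok,                      # [True, True, True]
        "addressed": addressed_ok,                # [True, True, False]
        "forged": unsubscribed.process(forged),   # False
        "unsubscribed_has_sports": "sports" in unsubscribed.service_keys,  # False
    }


if __name__ == "__main__":
    print(run_demo())
```

The cost the post alludes to is visible in `run_demo`: global delivery is one packet for the whole population, addressed delivery is one packet per subscriber, which is why an operator would reserve it for a few high-value packages rather than every service.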

badger6
01-13-2007, 04:41 AM
Shit, I thought that the fancy new N2 was supposed to shut us all down a year and a half ago.

bud02
01-13-2007, 05:01 AM
You know there is a department that discusses this all the time, maybe just a look at what is being proposed lately. Bottom line the fix and break testing goes on.

seaboard18
01-13-2007, 08:29 AM
Since the key change code is now dynamic, it cannot be anticipated anymore. The only way to roll the keys is to "execute" the code embedded in a B1 EMM and "see" what happens. The problem with this approach is that the next key roll could be a Trojan horse loop command. This is exactly what happened last month. Not only were all ROM102 cards looped, but as a further precaution to unlooping, the executed B1 command also erased the maprom which is needed to perform all the Nagra encryption/decryption routines.
I remember telling Ohms about that a few months ago... I posted quite a bit about that Trojan Horse.