Kudelski N3 bits and pieces, plus thoughts on key \/ rsa extraction from flash.
\nN3 Notes mostly from forum posts by TheCoder<\/p>\n
These are notes for future reference more than anything else, so please no excited emails about how its wrong, or right, or can I hack your box.<\/font><\/p>\n — The DT06 method transfers a compressed form of an rsa pq keyset from which the CAM public\/private rsa keyset and its associated modulus can be derived.<\/p>\n The DT08 method transfers the cam modulus along with the IRD number of the married box. The public rsa key is not transferred but it is implied that the box already knows this value.<\/p>\n The Secondary key method does not involve a transfer. It imples that the box already knows the cards matching CAM modulus and rsa public key value.<\/p>\n Various boxes, depending on make\/model, may use any of the above pre-pair key transfer methods but it could be useful to know which box uses which method.<\/p>\n http:\/\/www.digital-kaos.co.uk\/forums\/f10\/people-n3-cards-82421\/<\/p>\n Instructions: rs If the responses vary significantly from the above, with the 00’s replaced with some varying data, then its likely your card had the specified tier and is probably using the corresponding pairing method.<\/p>\n If the DT06 response contains lots of 00’s then its NOT DT06 pairing For non DT08 cards (mostly the newer boxes) each box has a unique cam_n already built into its firmware – this can only be extracted from the actual box itself.<\/p>\n About the Algorithm,<\/p>\n N2 encrytion was based on the following algorithm -> If Using DT08 (0a) on the card : DT08 (0A) = IdeaEncrypt(CamN\/Ird#\/Boxkey\/Idea Signature,Ird_Ideakey) ^ D mod Ird N.<\/p>\n Ird requests DT08. If Using Secondary Key (SK) on the Ird. Later, establish session key (0C datatype on the card): This all happens as ird boots. ——–<\/p>\n and pay special attention on CMD$2A ??<\/p>\n it should reply the CAMID serial number + 64 bytes random key generated and then shortly after encrypted with the CAM(AKA Conditional Access Module or SmartCard) RSA primary 96 bytes from the card… the so famous RSA modulus keys 96bytes at eeprom $8xxx on the ROM110 days.. From the card (this cmd is also the first step of the SessionKey negotiation)<\/p>\n shortly after the receiver receives this card reply.. and will decrypt it using the Secondary Key which is also 96bytes, this key is build up by using the following information stored in the receivers flash..<\/p>\n IR IR IR IR ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ 00 03 F1 F1 total 96 bytes..<\/p>\n IR = Receiver serial number once we decrypt the cmd2A we extract from inside the original 64byte random key generated in the card, then we will apply the IDEA encryption algo on the first 32bytes from the 64 byte random key to hash out the session key.<\/p>\n So this first 32 bytes are extracted from the 64byte random key and will be encryted using the IDEA SIGNATURE key… this key will be generated by the following information<\/p>\n IdeaKey generation BBBBBBBBBBBBBBBB = Boxkey result from F1 xor F2 so the IDEA signature key for encrypting the first 32bytes extracted from the 64 random seek key is<\/p>\n BBBBBBBBBBBBBBBBCCCCCAMIDCAM<\/p>\n once applied the IDEA encryption we will have the result 16 byte sessionkey.. which will be stored in the receiver flash for a few hours… to be more precise around 5 hours..<\/p>\n Now going back to the calculation done before, the receiver decrypted the cmd$2Aencrypted by the card with the RSA primary 96 stored in the card. but, before the 32byte keys was taken for the idea signature encryption.. the receiver.. re-encrypted the 64byte random key using the SECONDARY KEY RSA 96 stored in the receiver flash, which i just stated above how to get this key… the card will receive the cmd$2b and will decrypt it using the PRIMARY RSA modulus key 96. in orde to make the card pairing , u need to know the RSA_N+BOXKEY+IRD NUMBER+CARD SERIAL number or CAMID…<\/p>\n then with them all together we can start comunication between the card.. and on the CMD$2A and $2B we will have the SessionKey negotiation which i just explained previously.<\/p>\n if for example on one side or the other we have different BKand RSA… we will a session key failure.. and without this Sessionkey we will not be able to decrypt the CM$1C or $9C related stuff<\/p>\n this means that if negotiation of session key succeds, then the receiver will send the ECM$07 to the card, which will then be decrypted by simply just using the ECM RSA modulus key and the ECM IdeaKey to decrypt the Control Words \/ CWs.<\/p>\n once they are decrypted the card will send them to the RECEIVER.. this is normally done via CMD$1C obviously this CMD is encrypted with the Sessionkey 16 BYTES described above.. once it arrives at the Receiver end, you will use the same Sessionkey 16byte to decrypt that CMD$1C and extract the REAL DCWs Decrypted Control Words to open up the Video and Audio stream related for that XX amount of seconds…<\/p>\n Now this Session key is refreshed every 5 hours.. this means that every 5 hours a new session key is produced.. so every 5 hours the card generates another 64byte random seed key using other RSA algo inside the card.., and will then send this 64 byte seed key to the receiver again.<\/p>\n Shortly followed by all the procedure described above to extract the new session key again.<\/p>\n —————-<\/p>\n Given that ================================================== Pop flash back onto something else, read, dump. eg Get box key, rsa key (if req. based on a check of DT type from the actual subbed card) Been there, done that for data recovery on faulty flash drives, plus most of the places I know down at QJlu have SMD \/ BGA desoldering capability or better.<\/p>\n Bunnies blog is fairly good at explaining the basics (albeit for xbox) – http:\/\/www.xenatera.com\/bunnie\/proj\/anatak\/xboxmod.html<\/a><\/p>\n Most boxes use ARM based SoC’s for things. Also possible to just throw up a dev board, and interface to that.<\/p>\n Although most boxes also have some form of OS running, so just as feasible to dump flash that way also assuming serial or jtag access and a bootloader is available.<\/p>\n
\nThere are three different pairing methods used N3 boxes presently. These are DT06, DT08 and Secondary key.<\/p>\n
\n1 Stick your N2\/N3 card in your card reader
\n2 Run NagraEdit – DO NOT ATTEMPT TO READ YOUR CARD !!!
\n3 Select the Comm Tab. This should give you an upper and lower text pane
\n4 Cut\/Paste the scriptt below into the top pane
\n5 Press the “Send D2C” button\/icon
\n6 Results should appear in bottom pane
\n7 Interpret your results based on info below.
\nScript – Read DT06\/DT08
\nCode:<\/p>\n
\ntx 21 C1 01 FE 1F
\nrx
\ntx 21 00 08 A0 CA 00 00 02 12 00 06 55
\ndl 02 00
\nrx
\ndl 02 00
\ntx 21 00 09 A0 CA 00 00 03 22 01 00 1C 7E
\ndl 02 00
\nrx
\ndl 02 00
\nmg *
\nmg *** DT06 info ***
\ntx 21 00 09 A0 CA 00 00 03 22 01 06 13 **
\ndl 02 00
\nrx
\nmg DT06 response1
\ndl 02 00
\ntx 21 40 09 A0 CA 00 00 03 22 01 86 13 **
\ndl 02 00
\nrx
\ndl 02 00
\nmg DT06 response2
\nmg *** End DT06 info ***
\nmg *
\nmg *** DT08 info ***
\ntx 21 40 09 A0 CA 00 00 03 22 01 08 13 **
\ndl 02 00
\nrx
\nmg DT08 response1
\ndl 02 00
\ntx 21 00 09 A0 CA 00 00 03 22 01 C8 55 **
\ndl 02 00
\nrx
\ndl 02 00
\nmg DT08 response2
\ntx 21 40 09 A0 CA 00 00 03 22 01 88 55 **
\ndl 02 00
\nrx
\nmg DT08 response3
\ndl 02 00
\nmg *** End DT08 info ***
\n*******
\nJust to clarify :
\nThe important bits your looking at are the DT06\/DT08 responses (the bits that start with Rx: )
\nie RX: 12 00 15 A2 11 08 E0 00 00 00 5E 01 20 00 00 00
\n00 00 00 00 00 00 90 00 B3
\nRX: 12 40 15 A2 11 00 00 00 00 00 00 00 00 00 00 00
\n00 00 00 00 00 00 90 00 64
\nRX: 12 00 15 A2 11 00 00 00 00 00 00 00 00 00 00 00
\n00 00 00 00 00 00 90 00 24
\nand
\nRX: 12 40 57 A2 53 00 00 00 00 00 00 00 00 00 00 00
\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\n00 00 00 00 00 00 00 00 90 00 64<\/p>\n
\nIf the DT08 response contains lots of 00’s then its NOT DT08 pairing
\nIf its not DT06 or DT08 then its probably secondary key.<\/p>\n
\ndecrypted message = ( (IDEA( ( (EncryptedMsg ^ 3)Mod N1) ,IdeaKey) ) ^3) Mod N1
\nThats 2 distinct algorithms. An RSA algorithm (performed twice) and an IDEA algorithm.
\nThe key for the RSA algorithm is something like –
\nRSA EMM-G=15A811B2065DF39CD48C9C958E7B406345295B09D0E9A18A 9B92C5FD7761CAAFAB830880F1F06B4E4477F157EA10D0AFC3 FDDB1ED2E7E83E89F03FF81237047DB76F79D6A2CFD75A7255 D72E52E7F47B96C2DFBDEBFC80CE927F6AD351FDF0BF8DA13F F62295BFBAF29035A230136D0B4AA99D38DD8B0465F2C709FC 8818173C
\nWhich, as you can see, is a 128 byte (1024 bit) number. This is the main encryption key for EMM decryption.
\nThe IDEA algorithm, which acts as an inner layer to the RSA has a standard 16 byte (128 bit) IDEA key.
\nThere is no algorithm in N2 (or N3) that only uses an 8 byte (64 bit) key although some providers have opted to use 3DES rather than IDEA as an inner layer. This uses three separate 8 bye (64 bit – only 56 bits used) keys to form an amalgam 168 bit DES algorithm.<\/p>\n
\nThe Dt08 (0a datatype on card) is created by the provider and sent to the card at sub time.
\nThe dt08 contains the Cam N public rsa key along with ird\/boxkey.
\nThe dt08 is IDEA encrypted with the Idea Key made from ird\/boxkey\/inverted ird.
\nThe dt08 is RSA encrypted using Ird N (public rsa key) and Ird D (private key and uknown by anyone but provider).
\nIrd N = N1 xored N2
\nIrd N1= A4E9B585932F90282FD70C908176E8605E6B2CE629335A0FC1 5B31DAB0BFC6FEEB88CFC69649994CD3FE039C9965C620C4D5 828E9153998EE4AE0E8C25644DF3 xor
\nIrd N1= 237280AAB36BE4B21FC71FBF08218E532A545E744D7B007FF8 69BA426831C4AC653F3825ADE9358FCD1F0239EC447CBC2765 CC0AEBE437AF2270FC461C2FA042
\nIrd N = 879B352F2044749A3010132F89576633743F729264485A7039 328B98D88E02528EB7F7E33BA0ACC31EE101A57521BA9CE3B0 4E847AB7AE21C6DEF2CA394BEDB1
\nThe Ird N1,N2,Ideakey exist in the tsop.
\nIrd E = 3
\nIrd D = UKNOWN, this is the reason you can’t create your own dt08 without changing the N1\/N2 on the tsop, you must know Ird D.<\/p>\n
\nCard sends back the dt08 (0a)
\nIrd decrypts the dt08.
\nDecrypted dt08 = IdeaDecrypt(DT08,Ird_IdeaKey) ^ 3 mod Ird N.
\nIt checks the ird # and boxkeys in the Decrypted 08 if they match what is on ird,
\nit stores the Cam N in the decrypted 08 in ird memmory.<\/p>\n
\nIrd checks for SK exists on the ird, if it does, the dt08 will never be requested\/ignored from the card.
\nIrd validates the SK with idea signature in the SK (using IIIIIIII01924314051647990A9C4E1 where I = irdnumber).
\nIrd takes the Cam N in the SK and puts it in ird memmory
\nNote : Cam N is not even encrypted in the sk, very weak method compared to dt08.<\/p>\n
\nIrd requests 2a data from card.
\nRandom 2a is sent from card to ird.
\nIrd performs some Idea signing (leave it to you to look up 2a\/2b routines)
\nIrd comes up with session key from the 2a message sent from Cam.
\nIrd encrypts the session key with rsa.
\nEncrypted 2B = (2B data with 16 byte session idea key) ^ 3 mod Cam N.
\nSends encrypted data back to card in 2b message.
\nCam decrypts 2B with Cam N, Cam D. Decrypted 2B = (Encrypted 2B) ^ Cam D mod Cam N.
\nIf valid, store session key in ram and on card for later use.<\/p>\n
\nWhen you select a channel.
\nIrd sends Cmd 07 ECM message with control words encrypted.
\nCam decrypts the control words rencrypts them with Idea encryption using the session key established above.
\nThe ird then requests the control words.
\nThe Cam sends them back in the 1C response.
\nThe ird decrypts the control words with with Idea encryption using the session key established above.
\nSends the control words to the mpeg decoder.
\n8 seconds of video.
\nRepeat 07\/1C process over and over.<\/p>\n
\nF1 F1 F1 F1 F1 F1 SK SK SK SK SK SK SK SK SK SK
\nSK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
\nSK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
\nSK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
\nSK SK SK SK SK SK F2 F2 F2 F2 F2 F2 F2 F2 CR CR<\/p>\n
\nXX = Unimportant
\nEE = RSA public exponent for STB
\nF1 = SK signature 1 used to calculate the box key
\nF2 = SK signature 2 used to calculate the box key
\nSK = RSA public modulus N
\nCR = CRC Checksum
\nBB = BoxKey result from xoring F1 with F2 keys stored in the flash firmware from the receiver<\/p>\n
\nBB BB BB BB BB BB BB BB + CC CC CC CC + CA MI DC AM<\/p>\n
\nCCCCCCCC = IRD number from receiver stored in Flash firmware
\nCA MI DC AM = CAM ID or Smart Card serial number converted in HEX, which can also be extracted by simply sending INS CMD$12 to the card..<\/p>\n
\nonce decrypted it simply just extracted the first 32bytes of the 64 byte seed key generated by the card. this 32 bytes were used for calculation of the 16byte sessionkey..<\/p>\n
\nand will send it back to the card on cmd$2B<\/p>\n
\nand will extract just the first 32bytes.. and by using the BOXKEY+IRD+CAMID stored in the card, the card will also calculate the same 16 byte session key.<\/p>\n
\nSK 96 BYTES
\n==================================================
\n11111111<----------------------------FIRST 4 BYTES---- IRD\nXXXXXXXXXXXXXXXXXXXX<--NEXT 10 BYTES---- unknown\n1111111111111111<--------8 BYTES---- Y1---WRITE DOWN\n==================================================\n11111111111111111111111111111111-_\n11111111111111111111111111111111-_-_\"N\" 64 Bytes\n11111111111111111111111111111111-_-\n11111111111111111111111111111111-\n==================================================\n1111111111111111<-------8 BYTES--- Y2-----WRITE DOWN\nXXXX<-------------------2 BYTES--- CHECKSUM\n==================================================\nY2 Xor Y1 = BOXKEY\n==================================================\n\n006e convert from hex gives you 110 bytes block cipher\n\nird 4 bytes\nbk 8 bytes\nsk 96 bytes\n\nleaving us with 02bytes used to encrypt, decrypt above.\n\n\neg:\n\n00 00 00 6e 34 0d 20 1c 03 03 70 80 5a 8e dd 24\nac cc a4 a6 e2 da 86 91 29 18 0b a6 23 6d fa c4\n05 7f 1b 20 97 eb 0c 19 b3 39 2f 1e cb 9b 67 4d\ned 10 f5 65 ec 0d c7 35 ac f0 b8 89 b0 51 59 22\n69 85 d5 f1 93 48 7a 84 6e 1f b4 24 83 79 db 02\n4d b0 9c 5e 8b df 89 57 9c 5a 7f 9a cc 87 51 3b\n15 6b 15 cc c4 2f 66 e7 e6 75 4f 24 f2 07 85 0d\ndb b0 3d e2 64 dd e9 54 ad 77 60 e7 8f a6 cd a6\n46 c3 b8 fa e4 e7 51 2d 6a 2f 95 68 56 b5 78 34\n17 6b b8 48 38 87 c4 95 e5 b0 41 2c 95 e1 24 aa\n4b 2a 6f 8c 90 53 29 a9 6b 3d 0a b5 92 1c 95 ec\n72 b9 54 a9 99 f5 f3 dd f4 0f 60 c3 25 5b 5b 81\n22 e8 79 c5 be 8f 3c 89 2b 8a ad ba 27 b0 c2 f7\nb1 4f 08 d5 37 2a 97 c5 f0 07 9d 99 be c7 8a a9\ncf 5a c5 45 ce 1e 25 43 81 95 7a 22 33 ed 93 74\n\nGives:\n\n00 00 00 63 (length)\n\n0d 20 1c 03 03 70 80 5a 8e dd (unknown)\n\n24 ac cc a4 a6 e2 da 86 (y1)\n\n91 29 18 0b a6 23 6d fa c4\n05 7f 1b 20 97 eb 0c 19 b3 39 2f 1e cb 9b 67 4d\ned 10 f5 65 ec 0d c7 35 ac f0 b8 89 b0 51 59 22\n69 85 d5 f1 93 48 7a 84 6e 1f b4 24 83 79 db 02\n4d b0 9c 5e 8b df 89 (64 bytes)\n\n57 9c 5a 7f 9a cc 87 51 (y2)\n\nY2 XOR Y1 = 0x579c5a7f9acc8751 xor 0x24accca4a6e2da86 = 42 12 8C F2 39 39 55 FA\n\nSo, a flash dump would be helpful..\n\nPossible Scenario's - \nBGA, TSOP, TLGA etc.. desoldering for Flash. \nPut in a socket. eg from \nhttp:\/\/shop37051047.taobao.com\/<\/a> or http:\/\/shop34694309.taobao.com\/?search=y<\/a><\/p>\n
\nhttp:\/\/item.taobao.com\/item.htm?id=7422440993<\/a><\/p>\n
\nPop flash back in socket.<\/p>\n