is this a bit of hope or more bulls**t
cragis187
Newbie
9. March 2010 @ 12:32
this is not my own work but thought it may be interesting

How Nagra3 Cams Were Hacked & Cracked.
This was posted on another site by Carddoctor. Is it just the usual crap?

c/p:

Hello hack satellite pirates.

You will find this an interesting read.

Credit goes to Packin18 & Edmonton Guy for original concepts and n3 roms and eeproms
dumps from dish and bell providers currently making way around irc and private
underground forums around the net. Thank Packin18 for your N3 fix and no other.

A virgin non sub card was inserted into a modified blue T911 mod loader with 4053 muxs.
The virgin non sub card was reset and the atr was sent as usual.
A packet containing nops with a bclr instruction at the end was sent to the n3 cam.
When the last bit of the checksum was sent to the cam 16 additional clocks followed.
The cam was soft reset by sending the RST cam pin low from high.
As the cam rst pin swung low a bunch of glitching followed.
This glitching carried on until the RST cam pin came high again.
This glitching carried on for the first clock.
200+ additional clocks were sent to the card.
The cam i/o line was monitored for a full cycle low i/o pin result of the bclr instruction.
The cam was quickly reset, glitched, & clocked a few hundred times again, repeatedly.
When the full cycle low i/o pin signal was seen N3 cams were hacked.
The bclr instructions were removed and replaced with more bsets and bclr instructions
that ROR'd rom and eeprom a bit at a time out of the cam i/o pin without need for the
rom routines that usually handle I/O output.

What Happened?

The packet was stored in the I/O buffer and the card reset before packet processing.
The reset caused the program counter and the stack pointer to reset but not ram values.
The packet full of nops that pulled the i/o line low stayed resident in ram on soft reset.
The card was reset and the addressbus latching of the reset vector was glitched until
the new reset vector became the i/o buffer where NOPS and BCLR code opened N3.

N3 roms/eeproms (142/206/240) for all providers have successfully been dumped.
(interestingly enough this attack works on all N1/N2 cams/icams as well)
(I don't have any dave cams do you?)


so anyway if you're like me and most of this is just gobbledygook then here's a simpler way .. they took a new card, let the provider hammer it with their info and then took the card and dumped the info after it opened up n3 .. i think that's it

now whether this is true who knows .. but it would be great, that means in about a week or 2 there would be an emulation for pc card users and then the code could be put into a bin ..

but i really won't believe it until i am watching bev again on cardless and iks less system. Make up your own mind but here's hoping.

craig bell

This message has been edited since posting. Last time this message was edited on 10. March 2010 @ 05:41

jackoooh
Member
9. March 2010 @ 16:07
nagra 3 has been in europe for over 3 years and still hasn't been hacked or doesn't look likely in the near future

j casey
Senior Member
9. March 2010 @ 18:06
the guys at digital kaos have been running some interesting threads on this. let's just wait and see where it leads. ultimately there will or won't be a CAM distributed but lots of people are trying and that's good.
Senior Member
9. March 2010 @ 18:16
Why does it mention Bell, Dish and Dave and then talk about a virgin card?? One's US and one's UK?!
jackoooh
Member
9. March 2010 @ 19:17
Originally posted by fintannl:
the guys at digital kaos have been running some interesting threads on this. let's just wait and see where it leads. ultimately there will or won't be a CAM distributed but lots of people are trying and that's good.
we are all believers but?

j casey
Senior Member
9. March 2010 @ 19:34
But lots. Just reading the threads the options are wide and varying. As pointed out in the starview thread why does the box die after a year. How can this be dealt with. In the dreambox realm, what are the challenges up and coming. What has happened to the Eurovox and how can this system be made to work. It's just a ball of fun and lots of people are sharing their experience. So it is not a glass half empty but very much a glass half full and needing further replenishment
cragis187
Newbie
10. March 2010 @ 05:40
Originally posted by Mooley:
Why does it mention Bell, Dish and Dave and then talk about a virgin card?? One's US and one's UK?!
as i said at the top of it all this is not my work and really and truly it's like trying to read it in stereo. I came across it and thought to myself there may be some hope. I was hoping the likes of yourself and maybe scouse would understand it a bit better than me. Or any of the senior members for that fact.

craig bell
Senior Member
10. March 2010 @ 12:29
Originally posted by cragis187:
this is not my own work but thought it may be interesting
In my opinion it's garbage as they can't seem to decide what system it's on but also what side of the Atlantic they are on! They say can't wait to see Bev and they're using a virgin non sub card?? Doesn't make any sense.

This message has been edited since posting. Last time this message was edited on 10. March 2010 @ 12:30

Senior Member
10. March 2010 @ 14:46
could be right mooley. if it does come to something we will know in due course. what strikes me as strange with all this nagra and particularly the starview stuff is what is the big deal about throwing the box in a bin after a year. fine the share provider cuts you off after a year. but isn't it clear that what the share provider has managed to read a nagra3 card and share it. so then clearly this knowledge is available somewhere. so by the end of the year most likely all this information will be public in which case people can set up their own shares with the sv6 on nagra3. so i wouldn't be binning any sv6
Senior Member
10. March 2010 @ 18:14
Absolutely fintan they have managed to share the N3 card and I do believe you'll see a lot more sharing over the next while. I'm not even binning my DM500c's as I believe they are running on a share already on the N3 system. Not mine mind you. Don't ask me where though people it's all private share between others not me.
HMS2448
Newbie
10. March 2010 @ 19:26
This is old and BS. Also, just so you know, when you see virgin in an article about NA providers they are referring to a never glitched, subbed, or programmed card. Not to be confused with the Virgin you guys are familiar with.
Senior Member
11. March 2010 @ 05:43
absolutely no idea what you mean. why is this old and bs. is there some information source that proves this
Senior Member
11. March 2010 @ 08:39
Ah so that's what the 'virgin' was referring to, cheers!
HMS2448
Newbie
11. March 2010 @ 15:02
Originally posted by fintannl:
absolutely no idea what you mean. why is this old and bs. is there some information source that proves this
Exact same C&P posted at NA sat sites. Edmonton Guy used to be pretty infamous in NA for BS and money grabbing scams. BTW Packin18 and ED are the same person. New here so I'm not sure on link rules but if you Google Packin18 you'll find the original post from Carddoctor on FTAbins back in 2008.
AfterDawn Addict

11. March 2010 @ 15:07
yet more N3 rubbish, hearsay and conjecture by the sounds of it...........

rodmc
Suspended due to non-functional email address
11. March 2010 @ 15:27
Hey guys

I don't profess to be an expert in cryptography, but I do have a bit of basic knowledge, so here's my take.

I've seen it posted on here and heard it from elsewhere that N3 will employ RSA. If this is the case then I do believe we are truly shafted.

From what I know, the algorithm employs the use of extremely large prime numbers, this makes reverse engineering the algorithm extremely difficult if not near impossible.

I may be wrong and maybe someone else will correct me, but like I say if it is RSA then we're goosed.
Senior Member
11. March 2010 @ 17:59
I believe it does indeed employ RSA. But it is being shared and does work on IKS so it's a start. The standalone bin is probably not going to happen for a long long time but there are always workarounds and I have a feeling that IKS will be the next thing over here in UK and Ireland. Can't see it being anything else for quite a while unfortunately.

Oh and c/s will always continue to exist unfortunately (and I mean that from a standalone bin stance by the way).

This message has been edited since posting. Last time this message was edited on 11. March 2010 @ 18:01

Senior Member
12. March 2010 @ 01:49
Sorry, i picked up the comments the wrong way. what i was saying is that cs has already been proven on nagra3 with the sv6 so it does seem that this will be an alternative for some time to come. as of yet i haven't seen the ins and outs of how this has been achieved but i have no doubt that it will become public knowledge in due course. as for the cracking of nagra3, well i suspect that like NDS this will be an improbability and while there is conjecture there is no working CAM currently available
HMS2448
Newbie
13. March 2010 @ 13:04
No problem. CS is very achievable with N3 and has been running in NA since before N3 was even fully implemented and the swap to N3 had very little effect. Using the provider's boxes, there was no down time from N2 to N3 on CS when using freeware and small network sharing. All it takes is a dump of the subbed box or of the N2 card that was subbed in said box previously. RSA isn't even that big of a hurdle if you have a married box and cam. It was used in NA for N2, and was able to be faked once the cams were compromised. All RSA, IDEA, or anything else implemented in N3 can do is most likely force the use of married cams and IRDs, if the cards get dumped. Speculation here is the swap focused on mostly hardware security upgrades and not software. So they are banking on Nagra and ST getting it right this time. Bad move I think, judging from Nagra's past track record.
Senior Member
13. March 2010 @ 13:21
HMS, good reply. My primary experience is in the sat cs area. To this end I have detailed all that is necessary within current threads. I wonder could you be so kind as to put what you say in layman's terms to the afterdawn users. From the sat side there are the following issues
- using a paired card in a dreambox
- emulator to allow card share
and that's it. Now the info has been supplied to read the sly card in the dreambox. Also CCCAM 2.1.4 is ready to provide the cs option.

Can you explain how this is achieved from the Nagra3 card point of view. From my understanding there is boxkey and rsakey issues. How are these overcome. And what emulator is recommended
Member
13. March 2010 @ 19:59
When they refer to "virgin", they're not referring to the provider........VIRGIN, as in unused....as in a brand new card, never inserted in a receiver.
Sounds like they're on about american providers and are hacking a brand new unused card.

Just my 2 cents worth.
pac2000
Junior Member
14. March 2010 @ 15:20
Just So You Know What HMS Is On About Here's A Quote On RSA

"In cryptography, RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) is an algorithm for public-key cryptography. It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations."

Is Nagravision 3 hacked?
YES, but not fully. Some boxes are able to view some channels encrypted using Nagravision 3 through a technique called "card sharing" whereby the encryption status of an existing paid subscriber card is disseminated to other receivers through the use of a networked connection. Many hackers in the underground FTA testing community are working hard to further crack this security implementation as they have done in the recent past with Nagravision 2. Current underground projects are limited to channels which can be subscribed to. Channels that are not available for subscription such as Special Events and Pay-Per-View programming have so far remained unavailable.

PAC2000
HMS2448
Newbie
20. March 2010 @ 20:40
Originally posted by fintannl:
HMS, good reply. My primary experience is in the sat cs area. To this end I have detailed all that is necessary within current threads. I wonder could you be so kind as to put what you say in layman's terms to the afterdawn users. From the sat side there are the following issues
- using a paired card in a dreambox
- emulator to allow card share
and that's it. Now the info has been supplied to read the sly card in the dreambox. Also CCCAM 2.1.4 is ready to provide the cs option.

Can you explain how this is achieved from the Nagra3 card point of view. From my understanding there is boxkey and rsakey issues. How are these overcome. And what emulator is recommended
For NA sat you must have a subbed box and cam. The box must be jtaggable or you need a dump from the N2 cam that was previously subbed to the box. This is to work around the RSA. There are 2 programs available to use to CS, one is rqcs (or something like that) and the other is NKShare. Both require having Boxkeys and RSA info (here it is the Secondary Key or DT08 from the cam or IRD flash) entered in the config files. The subbed card then goes in an ISO (or PowerSync type unlocker can also be used for NKShare) on a PC running the Server software. The same PC also runs the Client software with a EMU interface connected to the sub IRD. The cs Server program is usually passing all EMMs through to keep channel tiers updated. Other clients are connected to the Server PC through the net, or LAN with a EMU device and PC running only the Client program. The config file for the client must include the tiers the sub has paid for, most run wide open tiers including a wide open PPV tier. This allows the clients to receive any PPV the sub orders, or any new channels added to the sub package. I haven't read much on rqcs, but I know it will share to FTA receivers like the Dreambox as well as others. NKShare is for Echostar NA IRDs only and the clients need to have a N2 cam image, but is a lot more stable. The way it works is the Client tunes to a channel, the IRD requests the CW (control word) for authorization from the sub card, instead of a card we have an emulator set up, the Client SW forwards the request to the Server PC, the Server PC requests the CW from the card in the ISO, the card thinks it is the subbed box requesting the CW so it calculates the CW using the RSA keys and sends it back to the client, opening the channel for viewing. All of the public/commercial IKS or CS servers work with the same basic principle, hence the reason all of the currently working solutions need internet connections and are missing PPV and Sports.
There is no hacking of the N3 card being done at all. They are exploiting a flaw from N2 that wasn't cleaned up in N3. So nobody should buy into the claims "more channels are coming soon" or "we are getting close". Also connecting to a public server is a VERY bad idea. NA providers have already shut down and sued the pants off of a few here and it wouldn't be too difficult to track end users. I hope this is the info you were interested in, if not I'll try and clarify more for you.
Senior Member
21. March 2010 @ 15:55
Originally posted by Mooley:
Absolutely fintan they have managed to share the N3 card and I do believe you'll see a lot more sharing over the next while. I'm not even binning my DM500c's as I believe they are running on a share already on the N3 system. Not mine mind you. Don't ask me where though people it's all private share between others not me.
only little bit of problem with this is to extract the RSA key from the legit box, can be done but until then that is what is stopping card sharing a legit VM subscription.
Senior Member
21. March 2010 @ 17:01
Have heard of a couple of people capable of getting this information if you send them your box. One is in Poland. If they are already doing it for people I'm sure the method will become public soon enough, I would imagine.

Please, please, please use the search box at top right of site before asking a question that has already been answered.

This message has been edited since posting. Last time this message was edited on 21. March 2010 @ 17:02

 