NDS CW is crypted, trying to decrypt unique pairing mode 0x8B (CAID 0987)

[emmiko]

Spoiler

Here another example of a decrypted payload, same CAID/card

• Spoiler

  2020/03/17 16:34:37 0C25C09B r (reader) Decrypted payload
  [*]2020/03/17 16:34:37 0C25C09B r (reader) 3B 20 4F 0D B1 64 43 A5 00 00 03 23 03 01 22 02
  [*]2020/03/17 16:34:37 0C25C09B r (reader) 00 80 0E 02 03 00 0F 06 00 00 00 00 00 00 20 04
  [*]2020/03/17 16:34:37 0C25C09B r (reader) 00 00 00 00 25 11 00 00 00 00 00 00 00 00 00 00
  [*]2020/03/17 16:34:37 0C25C09B r (reader) 00 00 00 00 00 00 00 2A 04 03 23 00 00 55 01 8B
  [*]2020/03/17 16:34:37 0C25C09B r (reader) 56 08 00 00 00 00 00 00 00 00 45 03 40 00 80 2B
  [*]2020/03/17 16:34:37 0C25C09B r (reader) 02 00 00

And the card just goes in this mode with correct ins7e/boxid, you don't really have a choice..

What that mode means compared to x81 or x83...no Idea...but it gives a ECW, probably 3DES encrypted.

yes

 

[DarkStarXxX]

Yes, no Chance.

 

[emmiko]

Yes, no Chance.

:coldsweat:

 

[Alex2018]

too big address space, It will take much more time to find than you alive.

 

[clemenss]

Because:

DES -> 56 bit -> few days
3DES -> 112 bit -> few days x 2^56 = a few trillion days

There are so much more possibilities that a bruteforce is not feasable with current hardware.

 

[jordansv]

Hello everybody

und ich versuche, 24 Positionen zu setzen. Ich muss versuchen, 0987 Caid NDS-Karte mit Oscam zu betreiben. Außerdem gibt es eine Ins7E-Nutzlast ab 6E 73 6B 20
und ich versuche 24 Position zu setzen und fügte hinzu "0000000000010202030002020203" (6E736B202F47AC57XXXXXXXX0000000000010202030002020203 )
aber "classD3 ins54: no cw --> Card needs pairing/extra data" auf oscam log anzeigen
and i chnage that ins7E payload to (6E736B202F47AC57XXXXXXXX08CB7D8600010202030002020203)
dann zeige wie unten oscam log

Spoiler

2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] classD3 ins54: Tag55_01 = 8B, CW-overcrypt may not required
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] classD3 ins54: CW is crypted, trying to decrypt unique pairing mode 0x8B
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] crypted CW is: 0000000000000000DF355BD6E398CC59
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] k1 for unique pairing mode is not set
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] cardreader_do_ecm: after csystem->do_ecm rc=0
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] cardreader_do_ecm: ret rc=0
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] cardreader_process_ecm: cardreader_do_ecm returned rc=0 (ERROR=0)
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] Error processing ecm for caid 0987, provid 000000, srvid 0002, servicename: 0987@000000:0002 unknown
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] ecm hash: 77C85B02BD63C4629C5BECE6DF89716D real time: 102 ms
2020/03/01 16:38:03 488EA4EA c (ecm) local (0987 & / 044E / 1215 / 0002 / I: 77C85B02BD63C4629C5BECE6DF89716D # CW = 00000000000000000000000000000000): not found (133 ms) by v13
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] write to cardreader
2020/03/01 16:38:03 1E19BEB9 r (reader) D1 5C 00 00 04
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] Answer from cardreader:
2020/03/01 16:38:03 1E19BEB9 r (reader) 00 00 00 00 90 20
2020/03/01 16:38:03 488EA4EA c (dvbapi) Demuxer 0 restarting decoding requests after 1 ms with 1 enabled and 4 disabled ecmpids!
2020/03/01 16:38:03 488EA4EA c (dvbapi) Demuxer 0 trying to descramble PID 2 CAID 0987 PROVID 000000 ECMPID 1215 ANY CHID PMTPID 120C VPID 120D
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] local emm reader
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] cardreader_do_checkhealth: reader->card_status = 2, ret = 1
2020/03/01 16:38:03 1E19BEB9 r (reader) v13 [videoguard2] write to cardreader
2020/03/01 16:38:03 1E19BEB9 r (reader) D1 42 00 00 92 90 90 60 01 5F 23 B6 57 A9 6C E7
2020/03/01 16:38:03 1E19BEB9 r (reader) 4A 1D ED 21 E8 BD 68 4A 6A 75 94 2B CE 5B BE 54
2020/03/01 16:38:03 1E19BEB9 r (reader) 92 BE 00 6A AA 76 34 14 8C 30 2B 05 F2 FA 87 0D
2020/03/01 16:38:03 1E19BEB9 r (reader) C9 14 F5 8B 4C 65 28 6D 43 29 EF E4 B5 49 AC E4
2020/03/01 16:38:03 1E19BEB9 r (reader) 8E 48 BB 6A A6 F0 E5 AE 30 BE 03 AC E7 C6 52 C4
2020/03/01 16:38:03 1E19BEB9 r (reader) 4F 16 80 83 89 82 C4 A3 D0 6E 59 46 72 62 45 D2
2020/03/01 16:38:03 1E19BEB9 r (reader) 58 9F 3B B5 02 39 A3 9F 05 79 82 24 74 D2 51 51
2020/03/01 16:38:03 1E19BEB9 r (reader) 61 95 27 72 63 C7 80 FF 1C CA 3C 61 86 2E 9D 5B
2020/03/01 16:38:03 1E19BEB9 r (reader) 6E 78 96 FB 12 38 60 EA 43 14 CA 99 8D A6 D1 6D
2020/03/01 16:38:03 1E19BEB9 r (reader) 28 D2 2F 2A 71 DB 1E
2020/03/01 16:38:04 1E19BEB9 r (reader) v13 [videoguard2] Answer from cardreader:
2020/03/01 16:38:04 1E19BEB9 r (reader) 90 20
2020/03/01 16:38:04 1E19BEB9 r (reader) v13 [videoguard2] local emm reader
2020/03/01 16:38:04 1E19BEB9 r (reader) v13 [videoguard2] cardreader_do_checkhealth: reader->card_status = 2, ret = 1
2020/03/01 16:38:04 1E19BEB9 r (reader) v13 [videoguard2] write to cardreader
2020/03/01 16:38:04 1E19BEB9 r (reader) D1 42 00 00 92 90 90 60 01 23 33 FB 50 D9 D7 52
2020/03/01 16:38:04 1E19BEB9 r (reader) 75 F1 8D F3 78 B2 2F 30 E9 E5 18 49 76 92 6F BB
2020/03/01 16:38:04 1E19BEB9 r (reader) 6F 90 7A 18 F3 0F 7A DD 6D E0 7F AD 8E D9 6B 5D
2020/03/01 16:38:04 1E19BEB9 r (reader) 00 68 4A 94 5A D9 43 29 6B 4E E5 87 84 FA 2E 9F
2020/03/01 16:38:04 1E19BEB9 r (reader) AE 5B 78 C9 13 94 77 B1 06 C3 DB 8A 8D A6 02 BB
2020/03/01 16:38:04 1E19BEB9 r (reader) F9 EF C3 59 FB 8F 14 AF A7 45 17 2A FB C2 B7 94
2020/03/01 16:38:04 1E19BEB9 r (reader) 0B 3A 5C 2A 92 3F EF 1A CA CA 86 53 76 67 A8 04
2020/03/01 16:38:04 1E19BEB9 r (reader) F2 4B 96 42 48 09 FD 05 A5 F2 CD 8F 41 2C 25 8A
2020/03/01 16:38:04 1E19BEB9 r (reader) 32 99 69 19 E1 10 EC 67 ED 2A D7 B1 47 47 BC C5
2020/03/01 16:38:04 1E19BEB9 r (reader) 73 69 18 91 43 B1 87
2020/03/01 16:38:04 1E19BEB9 r (reader) v13 [videoguard2] Answer from cardreader:
2020/03/01 16:38:04 1E19BEB9 r (reader) 90 20
2020/03/01 16:38:04 488EA4EA c (ecm) local (0987 & / 044E / 1215 / 0002 / I: 77C85B02BD63C4629C5BECE6DF89716D # CW = 00000000000000000000000000000000): not found (82 ms) by v13
2020/03/01 16:38:04 1E19BEB9 r (reader) v13 [videoguard2] cardreader_do_checkhealth: reader->card_status = 2, ret = 1
2020/03/01 16:38:04 488EA4EA c (dvbapi) Demuxer 0 restarting decoding requests after 1 ms with 1 enabled and 4 disabled ecmpids!
2020/03/01 16:38:04 488EA4EA c (dvbapi) Demuxer 0 trying to descramble PID 2 CAID 0987 PROVID 000000 ECMPID 1215 ANY CHID PMTPID 120C VPID 120D
2020/03/01 16:38:05 488EA4EA c (ecm) local (0987 & / 044E / 1215 / 0002 / I: 77C85B02BD63C4629C5BECE6DF89716D # CW = 00000000000000000000000000000000): not found (5 ms) by v13
2020/03/01 16:38:05 488EA4EA c (dvbapi) Demuxer 0 restarting decoding requests after 1 ms with 1 enabled and 4 disabled ecmpids!
2020/03/01 16:38:05 488EA4EA c (dvbapi) Demuxer 0 trying to descramble PID 2 CAID 0987 PROVID 000000 ECMPID 1215 ANY CHID PMTPID 120C VPID 120D
2020/03/01 16:38:05 1E19BEB9 r (reader) v13 [videoguard2] local emm reader
2020/03/01 16:38:05 1E19BEB9 r (reader) v13 [videoguard2] cardreader_do_checkhealth: reader->card_status = 2, ret = 1
2020/03/01 16:38:05 1E19BEB9 r (reader) v13 [videoguard2] write to cardreader
2020/03/01 16:38:05 1E19BEB9 r (reader) D1 42 00 00 1E 90 1C 40 01 3A 49 4D 85 4D CD 9F
2020/03/01 16:38:05 1E19BEB9 r (reader) AC 65 CB 5C 24 06 91 FC 96 B6 51 7B 21 78 64 A1
2020/03/01 16:38:05 1E19BEB9 r (reader) CE 15 C5
2020/03/01 16:38:05 1E19BEB9 r (reader) v13 [videoguard2] Answer from cardreader:
2020/03/01 16:38:05 1E19BEB9 r (reader) 90 20

Ist es möglich, einen k1_unique-Piaring-Schlüssel mit Brute-Force-Angriff zu erhalten?
Außerdem kann ich DCW nicht finden und ist es möglich, mit STB zu kommen?


Vielen Dank

Try it this way.
ins7E "0000000000010202030000000000" (6E736B202F47AC57XXXXXXXX0000000000010202030000000000 )
And show Tag55_01 =???

 

[sasika]

[QUOTE = "jordansv, post: 3761316, member: 329460"]
Try it this way.
ins7E "0000000000010202030000000000" (6E736B202F47AC57XXXXXXXX0000000000010202030000000000)
And show Tag55_01 = ???
[/ QUOTE]

I change that like as you told and now day 55_01_0B

• 2020/03/24 09:04:56 382E2974 r (reader) D8 7B EE 0D 91 23 92 55 00 00 03 23 03 01 22 02
• 2020/03/24 09:04:56 382E2974 r (reader) 00 80 0E 02 03 00 0F 06 00 00 00 00 00 00 20 04
• 2020/03/24 09:04:56 382E2974 r (reader) 00 00 00 00 25 11 00 00 00 00 00 00 00 00 00 00 00
• 2020/03/24 09:04:56 382E2974 r (reader) 00 00 00 00 00 00 00 2A 04 03 23 00 00 55 01 0B
• 2020/03/24 09:04:56 382E2974 r (reader) 56 08 00 00 00 00 00 00 00 00 45 03 40 00 80 2B

Any idea?

Thanks

also after restart oscam it's look line

• D2H_NDS [videoguard2] Decrypted payload
• 2020/03/24 10:23:57 05C171CB r (reader) 00 00 00 00 00 00 00 00 00 00 03 23 03 00 22 02
• 2020/03/24 10:23:57 05C171CB r (reader) 00 80 0E 02 00 00 0F 06 00 10 00 00 00 00 20 04
• 2020/03/24 10:23:57 05C171CB r (reader) 00 00 00 00 25 11 00 00 00 00 00 00 00 00 00 00
• 2020/03/24 10:23:57 05C171CB r (reader) 00 00 00 00 00 00 00 2A 04 03 23 00 00 55 01 88
• 2020/03/24 10:23:57 05C171CB r (reader) 56 08 00 00 00 00 00 00 00 00 45 03 40 00 80 2B
• 2020/03/24 10:23:57 05C171CB r (reader) 02 00 00

 

[clemenss]

I don't know what you are all trying...
It does not matter which mode the card is in (All those mode numbers we don't know what they mean only Cisco knows), as long as you get an ECW.
In the last payload (x88) there is no ECW, in the other (x8B) there is one.

If you have an ECW, the question is how is this ECW encrypted.
If 3DES (or AES or whatever not bruteforceable standard anno 2020) -> no possibilities
If DES -> Possible, if you are able to get a DCW somewhere from (you could also bruteforce it for a given stream, especially if 48 bit CWs are used, for 64bit CWs it's hard)

But my guess is: it's 3DES so just give up.
If you are able to get a DCW somehow try tro bruteforce the ECW/DCW...if not it's very likely 3DES.

 

[sasika]

6E736B202F47AC571xxxxxxxx8CB7D8600010202030000000000

also i put like this and same

• D2H_NDS [videoguard2] Decrypted payload
• 2020/03/24 10:32:36 05C171CB r (reader) 58 6F 96 F6 79 60 19 19 00 00 03 23 03 01 22 02
• 2020/03/24 10:32:36 05C171CB r (reader) 00 80 0E 02 03 00 0F 06 00 00 00 00 00 00 20 04
• 2020/03/24 10:32:36 05C171CB r (reader) 00 00 00 00 25 11 00 00 00 00 00 00 00 00 00 00
• 2020/03/24 10:32:36 05C171CB r (reader) 00 00 00 00 00 00 00 2A 04 03 23 00 00 55 01 8B
• 2020/03/24 10:32:36 05C171CB r (reader) 56 08 00 00 00 00 00 00 00 00 45 03 40 00 80 2B
• 2020/03/24 10:32:36 05C171CB r (reader) 02 00 00

Thanks for your explain

 

[jordansv]

7E is not correct for this card...

 

[Ghafar]

Spoiler

I don't know what you are all trying...
It does not matter which mode the card is in (All those mode numbers we don't know what they mean only Cisco knows), as long as you get an ECW.
In the last payload (x88) there is no ECW, in the other (x8B) there is one.

If you have an ECW, the question is how is this ECW encrypted.
If 3DES (or AES or whatever not bruteforceable standard anno 2020) -> no possibilities
If DES -> Possible, if you are able to get a DCW somewhere from (you could also bruteforce it for a given stream, especially if 48 bit CWs are used, for 64bit CWs it's hard)

But my guess is: it's 3DES so just give up.
If you are able to get a DCW somehow try tro bruteforce the ECW/DCW...if not it's very likely 3DES.

Spoiler

DCW key anyone Please Help ......

• HD [videoguard2] Decrypted payload
• 2020/03/26 00:31:32 1D1F94C1 r (reader) 98 72 8F 8F 79 DE A6 8D 00 00 00 4F 00 01 22 02
• 2020/03/26 00:31:32 1D1F94C1 r (reader) 00 00 0E 02 01 00 0F 04 00 00 00 00 20 04 00 00
• 2020/03/26 00:31:32 1D1F94C1 r (reader) 00 00 25 11 00 00 00 00 00 00 00 00 00 00 00 00
• 2020/03/26 00:31:32 1D1F94C1 r (reader) 00 00 00 00 00 2A 04 00 4F 00 00 55 01 83 56 08
• 2020/03/26 00:31:32 1D1F94C1 r (reader) 00 00 00 00 00 00 00 00
• 2020/03/26 00:31:32 1D1F94C1 r (reader) HD [videoguard2] classD3 ins54: CW is crypted, trying to decrypt unique pairing mode 0x83
• 2020/03/26 00:31:32 1D1F94C1 r (reader) HD [videoguard2] crypted CW is: 98728F8F79DEA68D0000000000000000
• 2020/03/26 00:31:32 1D1F94C1 r (reader) HD [videoguard2] use k1(DES) for CW decryption in unique pairing mode
• 2020/03/26 00:31:32 1D1F94C1 r (reader) HD [videoguard2] decrypted CW is: D6A92361201EB35F0000000000000000
• 2020/03/26 00:31:32 1D1F94C1 r (reader) HD [videoguard2] cardreader_do_ecm: after csystem->do_ecm rc=1
• 2020/03/26 00:31:32 1D1F94C1 r (reader) HD [videoguard2] cardreader_do_ecm: ret rc=1
• 2020/03/26 00:31:32 1D1F94C1 r (reader) HD [videoguard2] cardreader_process_ecm: cardreader_do_ecm returned rc=1 (ERROR=0)
• 2020/03/26 00:31:32 1D1F94C1 r (reader) HD [videoguard2] ecm hash: CA596CF10B87117504E4E114D2569040 real time: 140 ms
• 2020/03/26 00:31:32 78F4257B c (ecm) ABC (09AA@000000/02BC/0CFD/63:CA596CF10B87117504E4E114D2569040:0F06000000000000:smile:: found (140 ms) by HD - TLC @ Rs 2
• 2020/03/26 00:31:32 78F4257B c (ecm) cw:
• 2020/03/26 00:31:32 78F4257B c (ecm) D6 A9 23 61 20 1E B3 5F 00 00 00 00 00 00 00 00

 

[fun7]

We write all about german providers here and not about indian. Nobody here from germany
a) knows your provider
b) can give you dcw
c) can give you your unqiue key

 

[Ghafar]

[QUOTE = "fun7, post: 3762688, member: 560877"]
We write all about german providers here and not about indian. Nobody here from germany
a) knows your provider
b) can give you dcw
c) can give you your unique key

Sir Thank u For Repley
Sir please guid me how can i get unique key

 

[Betatester_2000]

Because:

DES -> 56 bit -> few days
3DES -> 112 bit -> few days x 2^56 = a few trillion days

There are so much more possibilities that a bruteforce is not feasable with current hardware.

@Ghafar : You've already gotten the correct answer. There is no way possible to bruteforce or calculate your unique Key.

 

[vladtimmy]

[videoguard2] classD3 ins54: Tag55_01 = 8B, ONLY 3DES PARING K1=K2 K3