Digital Eliteboard - The Digital Technology Forum


New EMMs

  • Thread starter: Deleted member 488570
2022/03/11 12:54:19 36DDFE40 r (reader) CARD2 [mouse] Decrypted payload
2022/03/11 12:54:19 36DDFE40 r (reader) 54 14 00 02 00 01 0A 61 DB 7E D7 6B D9 D1 F4 63
2022/03/11 12:54:19 36DDFE40 r (reader) 75 6C 33 FB 00 01

After writing the EMM, EK2 got changed, so there are only 14 bytes (0A 61 DB 7E D7 6B D9 D1 F4 63 75 6C 33 FB).
So, is there any way to find the 16-byte EK2?
 
I may be wrong, but I think the leading "00 01" is part of the 16-byte EK.
So in your case it would be "00 01 0A 61 DB 7E D7 6B D9 D1 F4 63 75 6C 33 FB".

Somebody please correct me if I am mistaken.
 
Hi,

but I checked with a few cards:

54 14 00 02 00 01 XX XX XX XX XX XX XX XX XX XX XX XX XX XX 00 01

Those 14 bytes are changed; all other bytes are the same.

Thanks.
 
It looks like a 56-bit ecw dcw brute force for the K1 determination is possible.
 
Now there is no chance with brute force (before, we got keys via brute force).

The provider changed something, and when they changed it only EK2 got changed; all others are the same.

Also, I can't see any single-byte change in the "Decrypted payload".

This is an old decrypted payload, with channels working:
2020/07/15 09:55:01 4A449EE7 r (reader) Card1 [videoguard2] Decrypted payload
2020/07/15 09:55:01 4A449EE7 r (reader) 8A DF 6B 13 0B D3 39 82 00 00 06 A0 06 01 22 02
2020/07/15 09:55:01 4A449EE7 r (reader) 00 00 0E 02 01 00 0F 04 00 00 00 00 20 04 00 00
2020/07/15 09:55:01 4A449EE7 r (reader) 00 00 25 11 00 00 00 00 00 00 00 00 00 00 00 00
2020/07/15 09:55:01 4A449EE7 r (reader) 00 00 00 00 00 2A 04 06 A0 00 00 55 01 83 56 08
2020/07/15 09:55:01 4A449EE7 r (reader) 00 00 00 00 00 00 00 00

After the change, I saw in the oscam log all channels getting "classD3 ins54: no CW --> Card needs pairing/extra data".

Also, I updated my card; then EK2 got changed, that error is gone, and all channels are dark (and trying again to brute-force, K1 is not found).

And this is the new one, also with channels dark:
2022/03/15 07:00:33 46D48D1E r (reader) CARD2 [videoguard2] Decrypted payload
2022/03/15 07:00:33 46D48D1E r (reader) 48 97 11 87 21 FC 10 91 00 00 06 A0 06 01 22 02
2022/03/15 07:00:33 46D48D1E r (reader) 00 00 0E 02 01 00 0F 04 00 00 00 00 20 04 00 00
2022/03/15 07:00:33 46D48D1E r (reader) 00 00 25 11 00 00 00 00 00 00 00 00 00 00 00 00
2022/03/15 07:00:33 46D48D1E r (reader) 00 00 00 00 00 2A 04 06 A0 00 00 55 01 83 56 08
2022/03/15 07:00:33 46D48D1E r (reader) 00 00 00 00 00 00 00 00

Thanks.

ins 7423 from Total TV 091F, after refreshing the card on the original STB.
ins 7423 is the same as before the card stopped working on oscam:
54 14 00 02 00 01 xx xx xx xx xx xx xx xx xx xx xx xx xx xx 00 01

after tag 55 01 03 no zeros

(reader) totaltv [videoguard2] Decrypted payload
5D 5F 11 AF ED B5 E9 8F 00 00 00 D3 00 01 22 02
00 00 0E 02 01 00 0F 04 00 00 00 00 20 04 00 00
00 00 25 09 00 00 00 00 00 00 00 00 00 55 01 03

I made a card-STB log with a Saleae logic analyzer, and see a change in the last 10 bytes of ins7e:
before 00010202030002020203
now 00010002030000000000

What is this: DES, 3DES or AES?

Hi @mileta5

Can you tell me how you made the log via the Saleae logic analyzer to look at the new ins7E key, and also what the baud rate is?

Thanks.
 
Hi,

Can anyone explain this EMM?

When I wrote this EMM to the card, EK2 got changed.

82 30 - EMM Marker
6E - EMM Length - 110 - OK (110)
40 - Type - unique EMM For Smartcard (1 Sub EMMs)
01 16 8E 6C - Serial Number (Smartcard)
00 - EMM-Type - unknown
00 - IRD EMM Length - 0 - OK (103)
F3 - Card EMM Length - 243 - FAIL (102)
02 - Card Nano Type - unknown
00 - Data
62 - Card Nano Type - unknown
90 - Card Nano Length - 144 - FAIL (98)
60
44 01
CB 54 51 EA 3B 19 1A DD B7 B5 36 5B 44 90 0E E7 - is this EK1 ?
50 C4 4C D9 C5 25 7E F3 6D D6 9E 81 00
DC 93 80 77 15 39 D2 20 73 AC C8 1E 9C 52 80 8E
F4 9E 41 51 6A F9 22 46 C5 1A 2C ED 62 BC 2C 45
5A 13 E0 69 8C 09 F9 40 1B 9E 1B 7F EF 96 90 92
79 30 4C 11 94 71 58 8B 29 65 FC 47 15 87 D8 1F
ED 00


old

Decrypted payload
54 14 00 02 00 01 10 A5 7A 0B ED 66 53 3F D5 F7
74 A9 0B FD 00 01


new

Decrypted payload
54 14 00 02 00 01 30 3C 27 E0 AA 3C 64 80 A6 4A
38 AC F8 95 00 01
 
This is a single unique EMM without any extras. The content is hidden inside the nano 90 aka the encrypted part for the card.
When I wrote this EMM to the card, EK2 got changed.
Maybe.

82 30 - EMM Marker
6E - EMM Length - 110 - OK (110)
40 - Type - unique EMM For Smartcard (1 Sub EMMs)
01 16 8E 6C - Serial Number (Smartcard)
ok

00 - EMM-Type - unknown

00 - IRD EMM Length - 0 - OK (103)
F3 - Card EMM Length - 243 - FAIL (102)
This is a filler. I don't know what this is for.

02 - Card Nano Type - unknown
No nano! Here we start with the "EMM type".

...and the following is what you expected to see without the filler.
00 - Data
62 - Card Nano Type - unknown
90 - Card Nano Length - 144 - FAIL (98)
60
44 01
CB 54 51 EA 3B 19 1A DD B7 B5 36 5B 44 90 0E E7 - is this EK1 ?
50 C4 4C D9 C5 25 7E F3 6D D6 9E 81 00
DC 93 80 77 15 39 D2 20 73 AC C8 1E 9C 52 80 8E
F4 9E 41 51 6A F9 22 46 C5 1A 2C ED 62 BC 2C 45
5A 13 E0 69 8C 09 F9 40 1B 9E 1B 7F EF 96 90 92
79 30 4C 11 94 71 58 8B 29 65 FC 47 15 87 D8 1F
ED 00
"is this EK1 ?": No, it's not. This is just encrypted.