sorgente oscam

[alfredo1]

ragazzi e che ne dite tanto se fixamo questo emu visto che unica sorgente che mi trovo a disposizione .




Line
1 #include "globals.h"
2 #include "reader-common.h"
3
4 #ifdef HAVE_AES
5 typedef unsigned long u32;
6 #endif
7
8 extern uchar cta_cmd[], cta_res[];
9 extern ushort cta_lr;
10
11 #define CMD_LEN 5
12
13 static unsigned char nds_Seed[] = {
14 0x56, 0x01, 0x40, 0x00, 0x20, 0x00,
15 0xB9, 0xD5, 0xEF, 0xD5, 0xF5, 0xD5, 0xFB, 0xD5, 0x31, 0xD6, 0x43, 0xD6, 0x55, 0xD6, 0x61, 0xD6, 0x85, 0xD6, 0x9D,
16 0xD6, 0xAF, 0xD6, 0xC7, 0xD6, 0xD9, 0xD6, 0x09, 0xD7, 0x15, 0xD7, 0x21, 0xD7, 0x27, 0xD7, 0x3F, 0xD7, 0x45, 0xD7,
17 0xB1, 0xD7, 0xBD, 0xD7, 0xDB, 0xD7, 0x11, 0xD8, 0x23, 0xD8, 0x29, 0xD8, 0x2F, 0xD8, 0x4D, 0xD8, 0x8F, 0xD8, 0xA1,
18 0xD8, 0xAD, 0xD8, 0xBF, 0xD8, 0xD7, 0xD8,
19 0x01, 0x00, 0xCF, 0x13, 0xE0, 0x60, 0x54, 0xAC, 0xAB, 0x99, 0xE6, 0x0C, 0x9F, 0x5B, 0x91, 0xB9, 0x72, 0x72, 0x4D,
20 0x5B, 0x5F, 0xD3, 0xB7, 0x5B, 0x01, 0x4D, 0xEF, 0x9E, 0x6B, 0x8A, 0xB9, 0xD1, 0xC9, 0x9F, 0xA1, 0x2A, 0x8D, 0x86,
21 0xB6, 0xD6, 0x39, 0xB4, 0x64, 0x65, 0x13, 0x77, 0xA1, 0x0A, 0x0C, 0xCF, 0xB4, 0x2B, 0x3A, 0x2F, 0xD2, 0x09, 0x92,
22 0x15, 0x40, 0x47, 0x66, 0x5C, 0xDA, 0xC9
23 };
24
25 static const u32 Te4[256] = {
26 0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
27 0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
28 0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
29 0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
30 0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
31 0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
32 0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
33 0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
34 0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
35 0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
36 0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
37 0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
38 0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
39 0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
40 0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
41 0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
42 0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
43 0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
44 0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
45 0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
46 0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
47 0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
48 0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
49 0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
50 0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
51 0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
52 0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
53 0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
54 0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
55 0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
56 0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
57 0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
58 0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
59 0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
60 0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
61 0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
62 0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
63 0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
64 0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
65 0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
66 0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
67 0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
68 0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
69 0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
70 0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
71 0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
72 0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
73 0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
74 0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
75 0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
76 0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
77 0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
78 0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
79 0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
80 0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
81 0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
82 0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
83 0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
84 0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
85 0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
86 0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
87 0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
88 0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
89 0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
90 };
91
92 static unsigned char d0_b4_00_00_40_Value[0x40];
93 static unsigned char oldHBuffer[0x10];
94 static unsigned char d0BCKey[0x10];
95 static unsigned char d3BEKey[0x10];
96
97
98 static void nSwap (unsigned char i_key[16], unsigned char o_key[16]);
99 static void eSwap (unsigned char i_key[16], unsigned char o_key[16]);
100 static void nLookup (unsigned char i_key[16], unsigned char o_key[16]);
101
102 static void xor16 (unsigned char i_val1[16], unsigned char i_val2[16], unsigned char o_val[16]);
103
104 static void do_d0b4 (unsigned char *msgBody);
105 static void extractModule (unsigned char seedBuffer[0x86], unsigned char *outBuffer);
106 static void processD0BC (unsigned char exp_seedBuffer[0x86], unsigned char *outbuffer);
107 static void handle_d0_Class (unsigned char *msgFrmCard, unsigned char *msgBody, unsigned char *msgStatus);
108 static void handle_d1_Class (unsigned char *msgFrmCard, unsigned char *msgBody, unsigned char *msgStatus);
109 static void handle_d3_Class (unsigned char *msgFrmCard, unsigned char *msgBody, unsigned char *msgStatus);
110
111 static unsigned char cw1[0x8];
112 static unsigned char cw2[0x8];
113
114 static int ndsRouteClass (unsigned char *msgFrmCard, int msgFrmCardsize, unsigned char *cw1, unsigned char *cw2);
115 static void get_D0_B4_PublicModule (unsigned char *module);
116
117 static int CommandSendCardCAM (unsigned char *command, char *answer);
118 static int CommandSendCAMCard (unsigned char *command, char *status, unsigned char *payload);
119
120 static unsigned char nds_SC_UA[4] = { 0, 0, 0, 0 };
121
122 static unsigned int nds_SC_CAID = 0x0900;
123 static unsigned char nds_IRD_BoxID[4] = { 0, 0, 0, 0 };
124
125 static unsigned char nds_supportedIns[0xFF];
126 static unsigned char ndsCommand[0xFF];
127
128 static unsigned char CardAnswer[0xFF];
129 static unsigned char d3BEKey[0x10];
130 static char DCW1[19];
131
132 ///====================================================================================================
133 /*
134 static int card_write(uchar *cmd, const uchar *data, int wflag)
135 {
136 int l;
137 uchar buf[MAX_LEN];
138 memcpy(buf, cmd, CMD_LEN);
139 l=wflag ? cmd[4] : 0;
140 if (l && data) memcpy(buf+CMD_LEN, data, l);
141 //cs_log("EMM: %s",cs_hexdump(1,buf,CMD_LEN+l));
142 l=reader_cmd2icc(buf, CMD_LEN+l);
143 return(l);
144 }
145
146 #define write_cmd(cmd, data) \
147 { \
148 if (card_write(cmd, data, 1)) return(0); \
149 }
150
151 #define read_cmd(cmd) \
152 { \
153 if (card_write(cmd, NULL, 0)) return(0); \
154 }
155 */
156 //==============================================================
157
158 static AES_KEY aeskey;
159
160 static void nds_aes_set_key (char *key)
161 {
162 AES_set_encrypt_key ((unsigned char *)key, 128, &aeskey);
163 }
164
165 static int CommandSendCardCAM(unsigned char *command, char *answer_payload)
166 {
167 int insLenData = command[4];
168
169 if (!reader_cmd2icc (command, CMD_LEN)) {
170 answer_payload[0] = command[1];
171 memcpy (&answer_payload[1], cta_res, insLenData);
172 return 0; //success
173 }
174 else
175 return -1;//error
176
177 }
178
179 static int CommandSendCAMCard (unsigned char *command, char *status, unsigned char *answer_payload)
180 {
181 int insLenData = command[4];
182 unsigned char tmpPayLoad[0xFF];
183
184 memcpy (tmpPayLoad, command, 5);
185 memcpy (tmpPayLoad + 5, answer_payload, insLenData);
186
187 if (!reader_cmd2icc (tmpPayLoad, CMD_LEN + insLenData)) {
188 memcpy (status, &cta_res[cta_lr - 2], 2);
189 }
190 else
191 return -1;
192
193 return 0;
194 }
195
196 static void nSwap (unsigned char i_val[16], unsigned char o_val[16])
197 {
198 int i, y, a = 0;
199 for (i = 0; i < 0x4; i++) {
200 for (y = 0; y < 0x4; y++) {
201 o_val[a] = i_val[(y * 4) + i];
202 a++;
203 }
204 }
205 }
206
207 static void nLookup (unsigned char i_key[16], unsigned char o_key[16])
208 {
209 int i;
210 unsigned char flg, lastVal;
211
212 flg = (i_key[0xF] % 2) << 7;
213 for (i = 0; i < 0x10; i++) {
214 lastVal = i_key;
215 o_key = Te4[(i_key >> 1) | flg] & 0xFF;
216 flg = (lastVal % 2) << 7;
217 }
218 }
219
220
221 static void xor16 (unsigned char i_val1[16], unsigned char i_val2[16], unsigned char o_val[16])
222 {
223 int i;
224 for (i = 0; i < 0x10; i++) {
225 o_val = i_val1 ^ i_val2;
226 }
227 }
228
229
230
231 static int ndsRouteClass (unsigned char *msgFrmCard, int msgFrmCardsize, unsigned char *cw1, unsigned char *cw2)
232 {
233 unsigned char *msgBody;
234 unsigned char *msgStatus;
235 int i;
236 msgBody = msgFrmCard + 5;
237 msgStatus = msgFrmCard + msgFrmCardsize - 2;
238 switch (msgFrmCard[0]) {
239 case 0xD0:
240 handle_d0_Class (msgFrmCard, msgBody, msgStatus);
241 break;
242 case 0xD1:
243 handle_d1_Class (msgFrmCard, msgBody, msgStatus);
244 break;
245 case 0xD3:
246 handle_d3_Class (msgFrmCard, msgBody, msgStatus);
247 if (msgFrmCard[1] == 0x54) {
248 for (i = 0; i < 8; i++) {
249 cw1 = msgBody;
250 cw2 = msgBody[0x24 + i];
251 }
252 }
253 break;
254 }
255 return 0;
256 }
257
258
259 static void get_D0_B4_PublicModule (unsigned char *module)
260 {
261 extractModule (nds_Seed, module);
262 }
263
264 static void handle_d0_Class (unsigned char *msgFrmCard, unsigned char *msgBody, unsigned char *msgStatus)
265 {
266 switch (msgFrmCard[1]) {
267 case 0xB4:
268 do_d0b4 (msgBody);
269 break;
270 case 0xBC:
271 processD0BC (nds_Seed, msgBody);
272 break;
273 }
274 }
275
276 static void do_d0b4 (unsigned char *msgBody)
277 {
278 int i;
279 for (i = 0; i < 0x40; i++) {
280 d0_b4_00_00_40_Value = msgBody;
281 }
282 }
283
284
285
286 static void recalc_Module (unsigned short *buffer, unsigned short *index, unsigned short value, unsigned int sumValue)
287 {
288 int i = 0, a = 0;
289 unsigned int tmpBuff;
290 if (*index != 0) {
291 do {
292 tmpBuff = buffer[a];
293 tmpBuff = tmpBuff * value;
294 tmpBuff = tmpBuff + sumValue;
295 buffer[a] = tmpBuff;
296 sumValue = tmpBuff >> 16;
297 i++;
298 a++;
299 } while (i < *index);
300 }
301 if (sumValue != 0) {
302 buffer[*index] = sumValue;
303 *index = *index + 1;
304 }
305 }
306
307 static void extractModule (unsigned char seedBuffer[0x86], unsigned char *outBuffer)
308 {
309 int i, a;
310 unsigned short index[1], tmpVal;
311 unsigned short tmpSeedBuffer[0x20];
312 unsigned short tmpSeedBufferOut[0x20];
313 a = 0;
314 for (i = 0; i < 0x20; i++) {
315 tmpVal = seedBuffer[a + 6];
316 tmpSeedBuffer = seedBuffer[a + 1 + 6] << 8 | tmpVal;
317 a = a + 2;
318 }
319 index[0] = 0x1;
320 tmpSeedBufferOut[0] = 1;
321 for (i = 0; i < 0x20; i++) {
322 recalc_Module (tmpSeedBufferOut, index, tmpSeedBuffer, 0);
323 }
324 for (i = 0; i < 0x20; i++) {
325 outBuffer[(i * 2)] = tmpSeedBufferOut & 0xFF;
326 outBuffer[(i * 2) + 1] = (tmpSeedBufferOut >> 8) & 0xFF;
327 }
328
329 }
330
331 static void extractExponent (unsigned char seedBuffer[0x86], unsigned char *outBuffer)
332 {
333 int i;
334 for (i = 0; i < 0x40 {
335 outBuffer = seedBuffer[i + 0x46 + 1];
336 outBuffer[i + 1] = seedBuffer[i + 0x46];
337 i = i + 2;
338 }
339 }
340
341 static unsigned short lmul (unsigned short value)
342 {
343 unsigned int var1;
344 var1 = ((value * 4) + value);
345 var1 = (var1 << 4) + var1;
346 var1 = (var1 << 8) + var1;
347 var1 = (((var1 * 2) + value) >> 16) & 0xFFFF;
348 return var1;
349
350 }
351
352 static void recalc_BC_Expo (unsigned short value, unsigned int index, unsigned short *expoBuffer,
353 unsigned short *seedBuffer)
354 {
355 unsigned int i, a, val3;
356 unsigned short val1, val2, tmpExp, tmpSed;
357 if (index != 0) {
358 tmpExp = expoBuffer[index - 1];
359 tmpSed = seedBuffer[index];
360 val1 = tmpSed - tmpExp;
361 a = index - 2;
362 for (i = 0; (signed) i < index - 1; i++) {
363 val3 = seedBuffer[a] * val1;
364 val3 = val3 % seedBuffer[index];
365 val1 = val3 - expoBuffer[a];
366 if (val1 > val3) {
367 val1 = val1 + tmpSed;
368 }
369 a--;
370 }
371 val2 = val1 + value;
372 if (value > val2 || val2 > seedBuffer[index]) {
373 val2 = val2 - seedBuffer[index];
374 }
375 val3 = expoBuffer[index] * val2;
376 expoBuffer[index] = val3 % seedBuffer[index];
377
378 }
379 else {
380 expoBuffer[index] = value;
381 }
382 }
383
384 static void processD0BC (unsigned char exp_seedBuffer[0x86], unsigned char *outbuffer)
385 {
386 unsigned short seedBuffer[0x20];
387 unsigned short expoBuffer[0x20];
388 unsigned short dataBuffer[0x20];
389 unsigned int i, a, x, value, tmpVal;
390 unsigned short seedVal;
391 unsigned short index[1];
392
393 a = 0;
394 for (i = 0; i < 0x20; i++) {
395 expoBuffer = exp_seedBuffer[a + 0x46 + 1] << 8 | exp_seedBuffer[a + 0x46];
396 a = a + 2;
397 }
398
399 a = 0;
400 for (i = 0; i < 0x20; i++) {
401 seedBuffer = exp_seedBuffer[a + 0x6 + 1] << 8 | exp_seedBuffer[a + 0x6];
402 a = a + 2;
403 }
404
405 a = 0;
406 for (i = 0; i < 0x20; i++) {
407 dataBuffer = outbuffer[a + 1] << 8 | outbuffer[a];
408 a = a + 2;
409 }
410 for (x = 0; x < 0x20; x++) {
411 seedVal = seedBuffer[x] & 0xFFFF;
412 value = 0;
413 for (i = 0x20; i > 0; i--) {
414 tmpVal = value << 16 | dataBuffer[i - 1];
415 tmpVal = tmpVal / seedVal;
416 value = dataBuffer[i - 1] - (tmpVal * seedVal) & 0xFFFF;
417 }
418
419 tmpVal = lmul (seedVal) | 1;
420 a = 1;
421 while (tmpVal != 0) {
422 if (tmpVal % 2 == 1) {
423 a = a * value % seedVal & 0xFFFF;
424 }
425 value = value * value % seedVal & 0xFFFF;
426 tmpVal = tmpVal / 2;
427 }
428 recalc_BC_Expo ((unsigned short) a, x, expoBuffer, seedBuffer);
429 }
430 a = 0x1F;
431 index[0] = 0;
432 for (i = 0; i < 0x20; i++) {
433 recalc_Module (dataBuffer, index, seedBuffer[a], expoBuffer[a]);
434 a = a - 1;
435 }
436 for (i = 0; i < 0x20; i++) {
437 outbuffer[(i * 2)] = dataBuffer & 0xFF;
438 outbuffer[(i * 2) + 1] = (dataBuffer >> 8) & 0xFF;
439 }
440 nSwap (outbuffer, d0BCKey);
441 nds_aes_set_key ((char *)d0BCKey);
442 }
443
444
445
446 static void handle_d1_Class (unsigned char *msgFrmCard, unsigned char *msgBody, unsigned char *msgStatus)
447 {
448 int msgLen, a, rounds, roundIndex = 0;
449 unsigned char insHeader[0x10];
450 unsigned char insBody[0x10];
451 unsigned char buffer[0x10];
452 unsigned char tmpbuff1[0x10];
453 unsigned char tmpbuff2[0x10];
454
455 msgLen = msgStatus - msgBody;
456 rounds = msgLen / 0x10;
457
458 memset (tmpbuff1, 0, 0x10);
459 memset (tmpbuff2, 0, 0x10);
460 memset (buffer, 0, 0x10);
461
462 memset (insBody, 0, 0x10);
463 memset (insHeader, 0, 0x10);
464
465 memcpy (insHeader, msgFrmCard, 0x5);
466
467
468 xor16 (insHeader, oldHBuffer, tmpbuff1);
469 memcpy (oldHBuffer, tmpbuff1, 0x10);
470
471 for (a = 0; a < rounds + 2; a++) {
472 if (a == rounds) {
473 memset (insBody, 0, 0x10);
474 memcpy (insBody, msgBody + roundIndex, (msgLen) % 0x10);
475 }
476 else if (a == rounds + 1) {
477 memset (insBody, 0, 0x10);
478 memcpy (insBody + 5, msgStatus, 0x2);
479 }
480 else {
481 memcpy (insBody, msgBody + roundIndex, 0x10);
482 }
483 xor16 (tmpbuff1, insBody, tmpbuff2);
484
485 nSwap (tmpbuff2, buffer);
486 AES_encrypt (buffer, buffer, &aeskey);
487 nSwap (buffer, tmpbuff2);
488 roundIndex = roundIndex + 0x10;
489 xor16 (tmpbuff2, oldHBuffer, tmpbuff1);
490
491 }
492 memcpy (oldHBuffer, tmpbuff2, 0x10);
493 }
494
495
496
497
498
499 static void handle_d3_Class (unsigned char *msgFrmCard, unsigned char *msgBody, unsigned char *msgStatus)
500 {
501 int i, msgLen, rounds, roundIndex = 0;
502 unsigned char insHeader[0x10];
503 unsigned char insBody[0x10];
504 unsigned char insStatus[0x10];
505 unsigned char tmpbuff1[0x10];
506 unsigned char tmpbuff2[0x10];
507 unsigned char wBuffer[0x10];
508 unsigned char dispBuffer[0x100];
509
510 //aes_context ctx;
511
512 if (msgFrmCard[4] > 0x10) {
513 msgFrmCard[4] = msgFrmCard[4] - 0x10;
514 }
515
516 if (msgFrmCard[1] == 0xBE) {
517 memset (oldHBuffer, 0, 0x10);
518 }
519 memcpy (tmpbuff1, oldHBuffer, 0x10); // Get from oldHbuffer
520
521
522 memset (wBuffer, 0, 0x10);
523 memset (insHeader, 0, 0x10);
524 memcpy (insHeader, msgFrmCard, 0x5);
525
526 memset (insStatus, 0, 0x10);
527 memcpy (insStatus + 5, msgStatus, 0x2);
528
529 memset (insBody, 0, 0x10);
530 memcpy (insBody, msgBody, 0x10);
531
532 xor16 (insHeader, oldHBuffer, oldHBuffer);
533
534 msgLen = msgFrmCard[4];
535 rounds = msgLen / 0x10;
536 /*Rounds */
537 if (msgFrmCard[1] != 0xBE) {
538 rounds++;
539 }
540 for (i = 0; i < rounds; i++) {
541 wBuffer[0] = wBuffer[0] + i;
542 xor16 (wBuffer, oldHBuffer, wBuffer);
543
544 nSwap (wBuffer, tmpbuff2);
545 AES_encrypt (tmpbuff2, tmpbuff2, &aeskey);
546 nSwap (tmpbuff2, wBuffer);
547 memcpy (tmpbuff1, msgBody + roundIndex, 0x10);
548
549 xor16 (wBuffer, tmpbuff1, dispBuffer + roundIndex);
550 if (i == msgLen / 0x10) {
551 memset (dispBuffer + roundIndex + (msgLen - roundIndex), 0, 0x10 - (msgLen - roundIndex));
552 }
553 xor16 (dispBuffer + roundIndex, oldHBuffer, oldHBuffer);
554 nLookup (oldHBuffer, oldHBuffer);
555
556 roundIndex = roundIndex + 0x10;
557 }
558 xor16 (oldHBuffer, insStatus, oldHBuffer);
559 nSwap (oldHBuffer, tmpbuff2);
560 AES_encrypt (tmpbuff2, tmpbuff2, &aeskey);
561 nSwap (tmpbuff2, oldHBuffer);
562
563 /*Get Phase from Last 16 Bytes */
564 memcpy (oldHBuffer, msgStatus - 0x10, 0x10);
565
566 nSwap (oldHBuffer, tmpbuff2);
567 AES_encrypt (tmpbuff2, tmpbuff2, &aeskey);
568 nSwap (tmpbuff2, oldHBuffer);
569
570 memcpy (msgBody, dispBuffer, msgLen);
571
572 if (msgFrmCard[1] == 0xBE) {
573 nSwap (dispBuffer, d3BEKey);
574 nds_aes_set_key ((char *)d3BEKey);
575 }
576
577 }
578
579
580 static int nds_getInsParams (unsigned char *insHeader, unsigned char *dir, unsigned char *len)
581 {
582 int i, a, retval;
583 retval = 1;
584 a = 4;
585 for (i = 0; i < nds_supportedIns[2]; i++) {
586 if (insHeader[1] == nds_supportedIns[a + 1]) {
587 *len = nds_supportedIns[a + 2];
588 *dir = nds_supportedIns[a + 3];
589 retval = 0;
590 }
591 a = a + 4;
592 }
593 return retval;
594 }
595
596 static void nds_createEcmInsFromRawEcm (unsigned char *rawEcm, unsigned char *ecmIns)
597 {
598 unsigned char ecmINSHeader[5] = { 0xD1, 0x40, 0x40, 0x80, 0xFF };
599 int insLen;
600 insLen = rawEcm[2] - 0xF;
601 ecmINSHeader[4] = insLen;
602 memset (ecmIns, 0, 0xFF);
603 memcpy (ecmIns, ecmINSHeader, 5);
604 memcpy (ecmIns + 6, rawEcm + 19, insLen + 0x12);
605 //cs_log("ECM: %s",cs_hexdump(0,ecmIns,ecmINSHeader[4]+5));
606 }
607
608 static int nds_AskInsLen (unsigned char ins[5])
609 {
610 unsigned char oldP2;
611 int error = 0;
612 oldP2 = ins[3];
613 ins[3] = 0x80; // getLengh
614 ins[4] = 0x01; // getLengh
615 error = CommandSendCardCAM (ins, (char *) CardAnswer);
616 ins[3] = oldP2; // getLengh
617 if (error) {
618 return -1;
619 }
620 else {
621 ins[4] = CardAnswer[1]; // update lenght
622 }
623 return 0;
624 }
625
626 static int nds_buildIncomingCommandWSB (unsigned char *isoHeader, unsigned char *commandPayload,
627 unsigned char *statusBytes, unsigned char *outCommand)
628 {
629 unsigned int len;
630 memcpy(outCommand, isoHeader, 5);
631 len = 5;
632 memcpy(outCommand + len, commandPayload, isoHeader[4]);
633 len += isoHeader[4];
634 memcpy(outCommand + len, statusBytes,2);
635 len += 2;
636 return len;
637 }
638
639 static int nds_buildIncomingCommand (unsigned char *isoHeader, unsigned char *cardResponse, unsigned char *outCommand)
640 {
641 unsigned int len;
642 memcpy(outCommand, isoHeader, 5);
643 len = 5;
644 memcpy(outCommand + len, cardResponse + 1, isoHeader[4] + 2);
645 len += isoHeader[4] + 2;
646 return len;
647 }
648
649 static void nds_parseUAInfo (unsigned char *uaInsData)
650 {
651 nds_SC_UA[0] = uaInsData[8];
652 nds_SC_UA[1] = uaInsData[9];
653 nds_SC_UA[2] = uaInsData[10];
654 nds_SC_UA[3] = uaInsData[11];
655
656 nds_SC_CAID = (uaInsData[0x1D] << 8) | (uaInsData[0x1E]);
657 }
658
659 static void nds_parseBoxIDInfo (unsigned char *boxIDData)
660 {
661 if (reader[ridx].pincode[0])
662 return;
663
664 int i;
665 //int index=0;
666 for (i = 0; i < 0x8F; i++) {
667 if ((boxIDData == 0x00) && (boxIDData[i + 1] == 0xF3)) {
668 //index=i+1;
669 memcpy (&nds_IRD_BoxID, &boxIDData[i + 2], sizeof (nds_IRD_BoxID));
670 }
671 }
672
673 //nds_IRD_BoxID[0]=boxIDData[index+1];
674 //nds_IRD_BoxID[1]=boxIDData[index+2];
675 //nds_IRD_BoxID[2]=boxIDData[index+3];
676 //nds_IRD_BoxID[3]=boxIDData[index+4];
677 }
678
679
680 static unsigned int nds_getSupportedIns (void)
681 {
682 unsigned int retval = 0;
683 static unsigned char ndsBoot_GetSupportedIns[] = { 0xd0, 0x74, 0x01, 0x00, 0xFF };
684 nds_AskInsLen (ndsBoot_GetSupportedIns);
685 CommandSendCardCAM (ndsBoot_GetSupportedIns, (char *) CardAnswer);
686 memcpy (nds_supportedIns, CardAnswer + 1, ndsBoot_GetSupportedIns[4]);
687 return retval;
688 }
689
690 static unsigned int nds_sendCommandToCard (unsigned char *insHeader, unsigned char *cmdPayload, unsigned char *cmdOut)
691 {
692 unsigned char dir, len, cmdLen;
693 nds_getInsParams (insHeader, &dir, &len);
694 if ((len == 0xFF) & (dir == 2)) {
695 nds_AskInsLen (insHeader);
696 }
697 if (len != 0xFF) {
698 insHeader[4] = len;
699 }
700 if (insHeader[0] == 0xD3) {
701 insHeader[4] = len + 0x10;
702 }
703 if (dir >= 2) { //Card -> Cam
704 CommandSendCardCAM (insHeader, (char *) CardAnswer);
705 cmdLen = nds_buildIncomingCommand (insHeader, CardAnswer, cmdOut);
706 }
707 if (dir <= 1) { //Cam -> Card
708 CommandSendCAMCard (insHeader, (char *) CardAnswer, cmdPayload);
709 cmdLen = nds_buildIncomingCommandWSB (insHeader, cmdPayload, CardAnswer, cmdOut);
710 }
711
712 ndsRouteClass (cmdOut, cmdLen, cw1, cw2);
713 return 0;
714 }
715
716 static unsigned int nds_getUAandBoxId ()
717 {
718 static unsigned char ndsBoot_GetPhoneInfo[] = { 0xd0, 0x36, 0x00, 0x00, 0x00 };
719 static unsigned char ndsBoot_SendBoxid[] = { 0xd0, 0x4C, 0x00, 0x00, 0x00 };
720 static unsigned char ndsBoxID_Payload[] = { 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x02, 0x04 };
721 static unsigned char ndsBoot_GetUAInfo[] = { 0xd0, 0x58, 0x00, 0x00, 0x00 };
722 nds_sendCommandToCard (ndsBoot_GetPhoneInfo, NULL, ndsCommand);
723 nds_parseBoxIDInfo (ndsCommand);
724 memcpy (ndsBoxID_Payload, nds_IRD_BoxID, 4);
725 nds_sendCommandToCard (ndsBoot_SendBoxid, ndsBoxID_Payload, ndsCommand);
726 cs_log ("BoxID: %02X%02X%02X%02X (%02X %02X)", ndsBoxID_Payload[0], ndsBoxID_Payload[1], ndsBoxID_Payload[2],
727 ndsBoxID_Payload[3], cta_res[cta_lr - 2], cta_res[cta_lr - 1]);
728 nds_sendCommandToCard (ndsBoot_GetUAInfo, NULL, ndsCommand);
729 nds_parseUAInfo (ndsCommand);
730 return 0;
731 }
732
733 static unsigned int nds_getUAandBoxId_D1 ()
734 {
735 static unsigned char ndsBoot_SendBoxid[] = { 0xd1, 0x4C, 0x00, 0x00, 0x00 };
736 static unsigned char ndsBoxID_Payload[] = { 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x02, 0x04 };
737 static unsigned char ndsBoot_GetUAInfo[] = { 0xd1, 0x58, 0x00, 0x00, 0x00 };
738 memcpy (ndsBoxID_Payload, nds_IRD_BoxID, 4);
739 nds_sendCommandToCard (ndsBoot_GetUAInfo, NULL, ndsCommand);
740 nds_sendCommandToCard (ndsBoot_SendBoxid, ndsBoxID_Payload, ndsCommand);
741 cs_log ("BoxID: %02X%02X%02X%02X (%02X %02X)", ndsBoxID_Payload[0], ndsBoxID_Payload[1], ndsBoxID_Payload[2],
742 ndsBoxID_Payload[3], cta_res[cta_lr - 2], cta_res[cta_lr - 1]);
743 return 0;
744 }
745
746
747 static unsigned int nds_getCamCryptKeys ()
748 {
749 static unsigned char ndsBoot_SendModul[] = { 0xd0, 0xb4, 0x00, 0x00, 0x00 };
750 static unsigned char ndsBoot_AskD0Key[] = { 0xd0, 0xbc, 0x00, 0x00, 0x00 };
751 static unsigned char ndsBoot_AskD3Key[] = { 0xd3, 0xbe, 0x00, 0x00, 0x00 };
752
753 static unsigned char ndsModul_Payload[0x40];
754 get_D0_B4_PublicModule (ndsModul_Payload);
755 nds_sendCommandToCard (ndsBoot_SendModul, ndsModul_Payload, ndsCommand);
756 nds_sendCommandToCard (ndsBoot_AskD0Key, NULL, ndsCommand);
757
758 nds_sendCommandToCard (ndsBoot_AskD3Key, NULL, ndsCommand);
759
760 return 0;
761 }
762
763
764 static int ndsBoot (void)
765 {
766 static unsigned char ndsBoot_Get7416[] = { 0xd0, 0x74, 0x16, 0x00, 0x00 };
767
768 nds_getSupportedIns ();
769 nds_sendCommandToCard (ndsBoot_Get7416, NULL, ndsCommand);
770 nds_getUAandBoxId ();
771 nds_getCamCryptKeys ();
772 nds_getUAandBoxId_D1 ();
773
774 return 1;
775 }
776
777
778 ///====================================================================================================
779 int nds_card_init (uchar * atr, int atrsize)
780 {
781 if (atrsize < 14 || (atr[10] != 0x69 && atr[11] != 0xFF && atr[12] != 0x4A && atr[13] != 0x50))
782 return (0);
783
784 if (reader[ridx].pincode[0]) {
785 nds_IRD_BoxID[0] = (gethexval (reader[ridx].pincode[0]) << 4) | gethexval (reader[ridx].pincode[1]);
786 nds_IRD_BoxID[1] = (gethexval (reader[ridx].pincode[2]) << 4) | gethexval (reader[ridx].pincode[3]);
787 nds_IRD_BoxID[2] = (gethexval (reader[ridx].pincode[4]) << 4) | gethexval (reader[ridx].pincode[5]);
788 nds_IRD_BoxID[3] = (gethexval (reader[ridx].pincode[6]) << 4) | gethexval (reader[ridx].pincode[7]);
789 }
790
791 ndsBoot ();
792 reader[ridx].caid[0] = nds_SC_CAID;
793 reader[ridx].hexserial[0] = nds_SC_UA[0];
794 reader[ridx].hexserial[1] = nds_SC_UA[1];
795 reader[ridx].hexserial[2] = nds_SC_UA[2];
796 reader[ridx].hexserial[3] = nds_SC_UA[3];
797
798 cs_ri_log ("type: nds, card: %c%c.%d, boxID: %02X%02X%02X%02X, caid: %04X, ascii serial: %ld, hex serial: %s",
799 atr[17], atr[18], atr[19],
800 nds_IRD_BoxID[0], nds_IRD_BoxID[1], nds_IRD_BoxID[2], nds_IRD_BoxID[3], reader[ridx].caid[0],
801 (reader[ridx].hexserial[0] << 24 | reader[ridx].hexserial[1] << 16 | reader[ridx].
802 hexserial[2] << 8 | reader[ridx].hexserial[3]), cs_hexdump (0, reader[ridx].hexserial, 4));
803
804 reader[ridx].nprov = 1;
805 memset (reader[ridx].prid, 0, sizeof (reader[ridx].prid));
806 memset (reader[ridx].sa, 0xFF, sizeof (reader[ridx].sa));
807 memcpy (reader[ridx].sa, reader[ridx].hexserial, 3);
808 reader[ridx].sa[0][3] = 0;
809
810 cs_ri_log ("NDS-Provider:%d", reader[ridx].nprov);
811
812 int j;
813 for (j = 0; j < reader[ridx].nprov; j++) {
814 cs_ri_log ("Provider:%d Provider-Id:%06X", j + 1, b2ll (4, reader[ridx].prid[j]));
815 cs_ri_log ("Provider:%d SharedAddress:%08X", j + 1, b2ll (4, reader[ridx].sa[j]));
816 }
817
818 cs_log ("ready for requests");
819 return (1);
820 }
821
822 int nds_do_ecm (ECM_REQUEST * er)
823 {
824 static unsigned char ndsEcm_GetDW[] = { 0xd3, 0x54, 0x00, 0x00, 0x00 };
825
826 unsigned char insHeader[5];
827 nds_createEcmInsFromRawEcm (er->ecm, CardAnswer);
828 memcpy (insHeader, CardAnswer, 5);
829 memcpy (ndsCommand, CardAnswer + 5, insHeader[4]);
830
831 nds_sendCommandToCard (insHeader, ndsCommand, CardAnswer);
832 nds_sendCommandToCard (ndsEcm_GetDW, NULL, CardAnswer);
833
834 if (er->ecm[0] == 0x80)
835 memcpy (er->cw, cw1, 8);
836
837 if (er->ecm[0] == 0x81)
838 memcpy (er->cw + 8, cw1, 8);
839
840 if (er->cw[0] == 0 && er->cw[8] == 0)
841 return 0;
842 return 1;
843 }
844
845 static int nds_AddrMode (unsigned char *data)
846 {
847 switch (data[3] & 0xC0) {
848 case 0x40:
849 return 3;
850 case 0x80:
851 return 2;
852 default:
853 return 0;
854 }
855 }
856
857 static unsigned int nds_NumAddr (unsigned char *data)
858 {
859 return ((data[3] & 0x30) >> 4) + 1;
860 }
861
862 static unsigned char *nds_PayloadStart (unsigned char *data)
863 {
864 //return &data[4 + NumAddr(data)*4 + 2];
865 if (nds_AddrMode (data) == 0)
866 return &data[4];
867 else
868 return &data[4 + nds_NumAddr (data) * 4];
869 }
870
871 int nds_do_emm (EMM_PACKET * ep)
872 {
873 unsigned char insEMM[] = { 0xD1, 0x42, 0x00, 0x00, 0x00 };
874
875 int lenEMM, rc = 0;
876
877 unsigned char *payloaddata = nds_PayloadStart (ep->emm);
878 switch (payloaddata[0]) {
879 case 2:
880 lenEMM = payloaddata[payloaddata[1] + 2];
881 payloaddata += 3 + payloaddata[1]; // skip len specifier
882 break;
883 default:
884 //EMM: bad payload type byte
885 return 0;
886 }
887
888 if (lenEMM <= 8 || lenEMM > 188) {
889 return 0;
890 }
891
892 insEMM[4] = lenEMM;
893 nds_sendCommandToCard (insEMM, payloaddata, ndsCommand);
894 //cs_log("EMM A: %s",cs_hexdump(1,cta_res,cta_lr));
895 rc = ((cta_res[cta_lr - 2] == 0x90) && (cta_res[cta_lr - 1] == 0x00));
896
897 return (rc);
898 }
899
900 static void nds_RevDateCalc (const unsigned char *Date, int *year, int *mon, int *day, int *hh, int *mm, int *ss)
901 {
902 *year = (Date[0] / 12) + 2000;
903 *mon = (Date[0] % 12) + 1;
904 *day = Date[1];
905 *hh = Date[2] / 8;
906 *mm = (0x100 * (Date[2] - *hh * 8) + Date[3]) / 32;
907 *ss = (Date[3] - *mm * 32) * 2;
908 }
909
910 int nds_card_info (void)
911 {
912 int i = 0;
913
914 unsigned char ins2a[] = { 0xd0, 0x2a, 0x00, 0x00, 0x00 };
915 nds_sendCommandToCard (ins2a, NULL, ndsCommand);
916
917 unsigned char ins76[] = { 0xd0, 0x76, 0x00, 0x00, 0x00 };
918 ins76[3] = 0x7f;
919 ins76[4] = 2;
920
921 nds_sendCommandToCard (ins76, NULL, ndsCommand);
922 //cs_log("A: %s...",cs_hexdump(1,cta_res,cta_lr));
923 //cs_log("A: %s...",cs_hexdump(1,ndsCommand,cta_lr));
924 ins76[3] = 0;
925 ins76[4] = 0;
926 int num = cta_res[1];
927
928 for (i = 0; i < num; i++) {
929 ins76[2] = i;
930 nds_sendCommandToCard (ins76, NULL, ndsCommand);
931 //cs_log("A: %s...",cs_hexdump(1,cta_res,cta_lr));
932 if (cta_res[5 + 2] == 0 && cta_res[5 + 3] == 0)
933 break;
934 int y, m, d, H, M, S;
935 nds_RevDateCalc (&cta_res[5 + 4], &y, &m, &d, &H, &M, &S);
936 cs_ri_log ("chid: %02x%02x, date: %04d-%02d-%02d %02d:%02d:%02d", cta_res[5 + 2], cta_res[5 + 3], y, m, d, H, M, S);
937 }
938
939 return (1);
940 }

 

[delle1982]

AW: sorgente oscam

ciao ragazzi mi potete spiegarmi come faccio ad far caminare la Oscam con il Debian 5 e con il Smargo USB.

Grazie non so dove iniziare. mi serverebbe un HOWTO.

 

[Dj Amon]

AW: sorgente oscam

Alfredo mi sa che hai ragione. Da qualche giorno si parla sempre piu' di questa Oscam. Sembrerebbe che con essa (naturalmente modificata e riprogrammata) tornerebbe la luce.

 

[didim]

AW: sorgente oscam

Mah...... fino adesso la oscam riesce a leggere le carte nostre ma ha lo stesso problema delle altre emu..... almeno cosi sta nel forum ufficiale, poi se hanno scoperto altro ninso

 

[felice2202]

AW: sorgente oscam

adesso funziona sky?

 

[qpalym]

AW: sorgente oscam

NO se non viene la nuova CCcam non funziona niente.

 

[alfredo1]

AW: sorgente oscam

Du musst dich Anmelden oder Registrieren um den Inhalt der Angebote zu sehen!

ma la nuova cccam chi la dovrebbe portare ? Babbo natale o la befana?
io lo detto su un altro 3d allora meglio la befana , perche con il babbo natale si rischia di trovarsi con un caxxo nel sedere. comunque i fatti non ti stanno danto ragione. la oscam credo che ha fatto un bel passo avanti

 

[Dj Amon]

AW: sorgente oscam

Du musst dich Anmelden oder Registrieren um den Inhalt der Angebote zu sehen!

Sono d' accordo con te.

 

[qpalym]

AW: sorgente oscam

Du musst dich Anmelden oder Registrieren um den Inhalt der Angebote zu sehen!

Che passo a fatto avanti la Oscam ? Io non vedo niente , tu si ? Perfavore e inutile di continuare a discudere - tanto non si cambia niente.

 

[Dj Amon]

AW: sorgente oscam

Du musst dich Anmelden oder Registrieren um den Inhalt der Angebote zu sehen!

In giro si legge che la oscam funzioni bene, ma alcuni scrivono anche che funziona per 30 secondi e poi si blocca per 5 min e cosi' via. Il fatto e' che la oscam funziona si, ma l' algoritmo non e' ancora stato azzeccato e se non si azzecca allora rimaniamo al buio. Dobbiamo lavorare su un algoritmo diverso, ma e' molto difficile.

 

[alfredo1]

AW: sorgente oscam

Du musst dich Anmelden oder Registrieren um den Inhalt der Angebote zu sehen!

vi do un grande indizio. se volete la pista giusta da battere e informarvi su un certo ciarlatano . costui E´stato battezato ciarlatano dal sotto scritto hai grandi tempi dfs . in seguito se ribattezato da solo con lo stesso nome. quindi una bella ricerca su gogle su ciarlatano .
costui vede come cliente . ma solo perche`ha un grande giro .
non esiste cccam fixata esiste una gbox r con questa hanno risolto i poblemi gia 2 giorni dopo attacco . oscam gira propio grazie a questa fixa .
quindi accopiata germania piamonte pista da battere server tedesco cliente leccaculo piamontese . E mi prendo tutte le respüonsabilita`di quel che ho detto .
dite ma come fai a dirlo . lo dico perche`lo so e con me sono daccordo tutti i vecchi amici che come me si trovano ancora a vacillare nel buio .
un altra nota fate attenzione su hotmail girano truffatori non fatevi prendere in giro con la storia del emu
ciao

 

[maxmax]

AW: sorgente oscam

Quelli si che erano tempi Digitalfreesat :dfingers::diablo: