Digital TV Forums - THE BULGARIAN FORUM FOR DIGITAL TELEVISION > Sharing and emulators > Modules > Irdeto CAM
#1  01-06-2012
demmlik (mega forum member, joined Feb 2011, location: Силистра/Nadlac)

Irdeto V5 epsilon Card

Hello friends, I posted this on another forum but I also post it here to share.
Irdeto V5 epsilon Card explained - part 1
There is lots of bad information and theory about Irdeto, how it works and what keys it uses, so I will clear this up and reset people to think in the right way.

The best way to show this is an example from a real Irdeto epsilon (Irdeto V5) card. It can easily be verified by people, as the dump of the card has been public for many years.

Irdeto supports 6 classes of message. Everyone sees class 1 for EMM and class 5 for ECM in the stream. In today's lesson I show a class 1 message for a unique address EMM (message to hen) for a provId group key update (nano 0x28/0x68).

First some basic information about the epsilon V5 card. This card is a Philips model P5CC036 smartcard and is based on the Intel C51 instruction set, but with special extensions added by Philips to give flexibility, better memory management and a 24-bit program counter. Philips calls this SmartMX.

The P5CC036 datasheet is very hard to find (you need an NDA with Philips to get it), but many datasheets are available for SmartMX that have the instruction set for all functions and special registers. It is easy to find with Google; look for 80C51MX or SmartMX.

The P5CC036 memory address space is broken into 2 segments: HDATA from 0x000000 to 0x7FFFFF and ECODE from 0x800000 to 0xFFFFFF, in a single 16MB address region. HDATA is used for special registers, ports and RAM, and ECODE is for code.

So when looking at the epsilon card dump, the application code is loaded at start address 0x800000. For the P5CC036 the ECODE region also contains the EEPROM, starting at address 0xC00000.

Now we have the basic information on the P5CC036, so we can look at the epsilon dump.

When epsilon receives a class 1 message with a unique address EMM, the function at 0x80855B is called.

Here is the hex code from the dump for the unique address EMM function:
0x80855B 90 FF FF A5 12 80 0E 15 74 03 F0 7B C0 7A 03 79
0x80856B 05 A5 12 80 54 F7 7A 00 79 0F 7B 00 C0 03 C0 02
0x80857B C0 01 7A 07 79 0E A5 12 80 54 D0 D0 01 D0 02 D0
0x80858B 03 A5 12 80 0D DC EF 64 AA 60 03 02 86 78 90 00
0x80859B 13 E0 FF 7E 00 A5 12 80 55 33 A5 12 80 86 81 A5
0x8085AB 12 80 54 F7 7E 00 7F 14 A5 12 80 55 33 A5 12 80
0x8085BB 55 CC C0 03 C0 02 C0 01 A5 12 80 55 F3 A5 12 80
0x8085CB 54 D2 D0 01 D0 02 D0 03 A5 12 80 0D DC 7B C0 7A
0x8085DB 06 79 15 A5 96 C0 03 C0 02 C0 01 7B C0 7A 06 79
0x8085EB 42 A5 12 80 54 D2 D0 01 D0 02 D0 03 A5 12 80 0D
0x8085FB DC EF 64 AA 70 6A 90 00 0D E0 24 F8 FF E4 34 FF
0x80860B FE A5 12 80 55 33 A5 12 80 86 81 A5 12 80 54 F7
0x80861B 7A 00 7B 0E C0 02 C0 03 AD 76 7F 23 7B C0 7A 06
0x80862B 79 3C A5 12 80 54 D2 D0 03 D0 02 A5 12 80 0D DC
0x80863B BF AA 26 7B C0 7A 06 79 15 A5 96 C0 03 C0 02 C0
0x80864B 01 7F FF 7B C0 7A 06 79 48 A5 12 80 54 D2 D0 01
0x80865B D0 02 D0 03 A5 02 80 0D DC 90 01 07 74 7C 80 12
0x80866B 90 01 07 E0 B4 7C 03 74 7C F0 7F 55 22 90 01 07
0x80867B 74 81 F0 7F 55 22 EF A5 0E 7B C0 7A 05 79 0A 22
0x80868B 90 00 0A A5 12 80 0E 3C E0 FD A5 9C 72 E0 75 F0
0x80869B 03 A4 FF AE F0 90 00 04 A5 12 80 0E 3C A5 04 22

If we look at the first line:
0x80855B 90 FF FF A5 12 80 0E 15 74 03 F0 7B C0 7A 03 79

we see the opcode 90. We look at the instruction set for C51 SmartMX and see it means "mov", or move an immediate value to the data pointer (DPTR), and it takes the two following bytes as immediate data, in our example FF FF.

So the mnemonic for "90 FF FF" -> "mov DPTR, #0xFFFF"

The result we have is:
0x80855B 90 FF FF mov DPTR, #0xFFFF

Now the next opcode is A5. From the instruction set for C51 SmartMX we learn that opcode "A5" is a special marker used to identify a Philips extension opcode (MX), so to look up the opcode we use the two bytes A5 and 12 and find that this opcode is "ecall", or extended subroutine call, and it takes 3 bytes of operand, in our example 80 0E 15.

So the mnemonic for "A5 12 80 0E 15" -> "ecall 0x800E15"

The result we have is:
0x80855E A5 12 80 0E 15 ecall 0x800E15

Using this technique, slowly work through all the opcodes to get this:

0x80855B mov DPTR, #0xFFFF
0x80855E ecall 0x800E15

0x808563 mov A, #3
0x808565 movx @DPTR, A
0x808566 mov R3, #0xC0 ; '+'
0x808568 mov R2, #03
0x80856A mov R1, #05

Here we see registers R3, R2, R1 are loaded with C0 03 05. I said before that the EEPROM location of the P5CC036 is at 0xC00000. If you look here you see this location contains the HSN of this epsilon card.

0x80856C ecall 0x8054F7
0x808571 mov R2, #0
0x808573 mov R1, #0xF
0x808575 mov R3, #0

0x808577 push RAM_3
0x808579 push RAM_2
0x80857B push RAM_1

Here we see registers R2, R1 are loaded with 07 0E:

0x80857D mov R2, #7
0x80857F mov R1, #0xE

Then the subroutine at 0x8054D0 is called:
0x808581 ecall 0x8054D0

When we look at 0x8054D0 we see it sets R3 to C0 (not shown here, but use this technique to see it).

So we have registers R3, R2, R1 loaded with C0 07 0E. We look at the EEPROM at this location and we see it contains the address of the function "memcmp" (this is like the C programming function memory compare).

0x808586 pop RAM_1
0x808588 pop RAM_2
0x80858A pop RAM_3

Here the subroutine is called using the address stored at EEPROM location C0 07 0E, which is 0x80CD68:
0x80858C ecall DPTR (R3R2R1) C0 07 0E -> 0x80CD68

The Irdeto function memcmp returns 0xAA if the match is successful. This is stored in register 7 when the subroutine returns.

0x808591 mov A, R7

The return code is XORed:
0x808592 xrl A, #0xAA

Here we jump to 0x808599 if the match is good - a unique address EMM message for this card was received:
0x808594 jz 0x808599

….

0x808599 mov DPTR, #0x13
0x80859C movx A, @DPTR
0x80859D mov R7, A
0x80859E mov R6, #0
0x8085A0 ecall 0x805533

Here we see a call to the subroutine at 0x808681:
0x8085A5 ecall 0x808681


When we look at this subroutine 0x808681 we see this function retrieves the axe key from the EEPROM.

---> 0x808681 mov A, R7
---> 0x808682 inc R6

Registers R3, R2, R1 are loaded with C0 05 0A. We look at the EEPROM at this location and we see it contains the axi key for this epsilon card:
---> 0x808684 mov R3, #0xC0 ; '+'
---> 0x808686 mov R2, #5
---> 0x808688 mov R1, #0xA
---> 0x80868A ret


Back to the normal flow:

0x8085AA ecall 0x8054F7
0x8085AF mov R6, #0
0x8085B1 mov R7, #0x14
0x8085B3 ecall 0x805533

Here we see a call to the subroutine at 0x8055CC:
0x8085B8 ecall 0x8055CC

When we look at this subroutine 0x8055CC we see this function retrieves the ivpad from the EEPROM.

--->0x8055CC mov A, R7
--->0x8055CD inc R6

Registers R3, R2, R1 are loaded with C0 04 EA. We look at the EEPROM at this location and we see it contains the ivpad for this epsilon card:
--->0x8055CF mov R3, #0xC0 ; '+'
--->0x8055D1 mov R2, #4
--->0x8055D3 mov R1, #0xEA
--->0x8055D5 ret


Back to the normal flow:

0x8085BD push RAM_3
0x8085BF push RAM_2
0x8085C1 push RAM_1

Here we see a call to the subroutine at 0x8055F3:
0x8085C3 ecall 0x8055F3


When we look at this subroutine 0x8055F3 we see this function retrieves from the EEPROM the address of Irdeto's DES decryptCBC function.

--->0x8055F3 mov R5, RAM_76
--->0x8055F5 mov R7, #0x23 ; '#'

Registers R2, R1 are loaded with 06 60:
--->0x8055F7 mov R2, #6
--->0x8055F9 mov R1, #0x60

But we know R3 from the previous function is still set to C3. We look at EEPROM location 0xC00660 and we see it contains the address of Irdeto's DES decryptCBC function, located at 0x80BA02.

--->0x8055FB ret


Back to the normal flow:

0x8085C8 ecall 0x8054D2
0x8085CD pop RAM_1
0x8085CF pop RAM_2
0x8085D1 pop RAM_3

Here the decrypt CBC string function is called:
0x8085D3 ecall DPTR (R3R2R1) C0 06 60 -> 0x80BA02 = decryptCBC


The function decryptCBC works like in the gamma source code and returns the result.

…..

The function for reading the exi key is the same as for the ivpad and axe key; look at the function at 0x8055C4:

--->0x8055C4 movx @DPTR, A

Registers R3, R2, R1 are loaded with C0 04 FA. We look at the EEPROM at this location and we see it contains the exi key for this epsilon card:

--->0x8055C5 mov R3, #0xC0 ; '+'
--->0x8055C7 mov R2, #4
--->0x8055C9 mov R1, #0xFA ; '·'
--->0x8055CB ret



So what we learned in our lesson:
1. The standard epsilon card has ONE set of axi & exi keys.
2. The standard epsilon card uses ONE ivpad for class 1.
3. There is no testing of 1030 in the standard epsilon code.
4. Basic SmartMX understanding.

5. Do NOT waste time bruteforcing when epsilon can help find the answer to 1030.

More lessons to come.
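The opcode-by-opcode decoding walked through in the post (0x90 followed by a 16-bit immediate, the A5 12 SmartMX prefix followed by a 24-bit ecall target, and so on) can be checked mechanically. The decoder below is an added example written for this page; it is not demmlik's code and not part of any Irdeto or Philips tooling. It assumes the standard 80C51 encodings for the opcodes that appear in the listing, plus the "A5 12 addr24" ecall form exactly as the post describes it; any other byte is emitted as a db pseudo-op so the reader can see where a real 80C51MX reference would be needed. The sample input is the first 59 bytes of the hex dump from the post, from 0x80855B up to the jz at 0x808594, and the decoder reproduces the addresses and mnemonics the post lists for that range (immediates are always printed as 0x.. here, where the post sometimes writes #3 or #03). Note that at 0x80858C the decoder prints the literal target 0x800DDC that the bytes A5 12 80 0D DC encode; the post annotates that call by what it does (an indirect call through R3R2R1).

```python
"""Tiny decoder for the 80C51 / SmartMX opcodes used in the listing above.

Added example: assumes standard 80C51 encodings plus the 'A5 12 addr24'
ecall form described in the post. Anything else is emitted as 'db'.
"""
from typing import List, Tuple

# Sample input: the first 59 bytes of the hex dump shown in the post, from the
# unique address EMM function at 0x80855B up to the 'jz' after the memcmp check.
SAMPLE_BASE = 0x80855B
SAMPLE_HEX = (
    "90 FF FF A5 12 80 0E 15 74 03 F0 7B C0 7A 03 79 "
    "05 A5 12 80 54 F7 7A 00 79 0F 7B 00 C0 03 C0 02 "
    "C0 01 7A 07 79 0E A5 12 80 54 D0 D0 01 D0 02 D0 "
    "03 A5 12 80 0D DC EF 64 AA 60 03"
)

# Single-byte opcodes that appear in the listing (standard 80C51).
ONE_BYTE = {0xF0: "movx @DPTR, A", 0xE0: "movx A, @DPTR", 0x22: "ret"}


def decode_one(code: bytes, pc: int, base: int) -> Tuple[int, str]:
    """Decode the instruction at code[pc]; return (size in bytes, mnemonic).

    `base` is the address of code[0], needed to resolve relative jumps.
    Truncated or unknown instructions come back as 'db' pseudo-ops so the
    caller never reads past the end of the buffer.
    """
    op = code[pc]
    avail = len(code) - pc                  # bytes left, including the opcode
    imm = code[pc + 1] if avail >= 2 else None

    if op == 0x90 and avail >= 3:           # mov DPTR, #imm16 (high byte first)
        return 3, f"mov DPTR, #0x{code[pc + 1]:02X}{code[pc + 2]:02X}"
    if op == 0xA5 and avail >= 2:           # SmartMX extension prefix
        if imm == 0x12 and avail >= 5:      # ecall addr24
            target = int.from_bytes(code[pc + 2:pc + 5], "big")
            return 5, f"ecall 0x{target:06X}"
        return 2, f"db 0xA5, 0x{imm:02X}   ; SmartMX extension not decoded here"
    if op == 0x74 and avail >= 2:           # mov A, #imm8
        return 2, f"mov A, #0x{imm:02X}"
    if op == 0x64 and avail >= 2:           # xrl A, #imm8
        return 2, f"xrl A, #0x{imm:02X}"
    if 0x78 <= op <= 0x7F and avail >= 2:   # mov Rn, #imm8
        return 2, f"mov R{op - 0x78}, #0x{imm:02X}"
    if 0xA8 <= op <= 0xAF and avail >= 2:   # mov Rn, direct
        return 2, f"mov R{op - 0xA8}, 0x{imm:02X}"
    if op == 0xC0 and avail >= 2:           # push direct
        return 2, f"push 0x{imm:02X}"
    if op == 0xD0 and avail >= 2:           # pop direct
        return 2, f"pop 0x{imm:02X}"
    if op == 0x60 and avail >= 2:           # jz rel8, relative to next instruction
        rel = imm - 256 if imm > 0x7F else imm
        return 2, f"jz 0x{base + pc + 2 + rel:06X}"
    if 0xE8 <= op <= 0xEF:                  # mov A, Rn
        return 1, f"mov A, R{op - 0xE8}"
    if 0x08 <= op <= 0x0F:                  # inc Rn
        return 1, f"inc R{op - 0x08}"
    if op in ONE_BYTE:
        return 1, ONE_BYTE[op]
    return 1, f"db 0x{op:02X}   ; opcode not in this decoder"


def disassemble(code: bytes, base: int) -> List[Tuple[int, str]]:
    """Linear sweep over `code`, returning (address, mnemonic) pairs."""
    out, pc = [], 0
    while pc < len(code):
        size, text = decode_one(code, pc, base)
        out.append((base + pc, text))
        pc += size
    return out


def disassemble_hex(hex_dump: str, base: int) -> List[Tuple[int, str]]:
    """Convenience wrapper for whitespace-separated hex as pasted in the post."""
    return disassemble(bytes.fromhex(hex_dump), base)


if __name__ == "__main__":
    for addr, text in disassemble_hex(SAMPLE_HEX, SAMPLE_BASE):
        print(f"0x{addr:06X} {text}")
```

Running the block prints 24 instructions whose addresses line up with the post's listing (0x80855B mov DPTR, 0x80855E ecall 0x800E15, ..., 0x808594 jz 0x808599). Keeping the linear sweep separate from the single-instruction decoder makes it easy to extend the table with further 80C51MX opcodes as they are confirmed from a datasheet.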