mardock2009/oscam-2.26.01-11942-802-with-Advanced-fake-dcw-detection
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3181f94e28
oscam-2.26.01-11942-802-wit.../reader-nagra.c
mardock2009 3181f94e28 cacheex-fix
2026-02-17 09:41:05 +00:00

1559 lines
42 KiB
C
Executable File
Raw Blame History

#include "globals.h"
#ifdef READER_NAGRA
#include "cscrypt/bn.h"
#include "cscrypt/idea.h"
#include "cscrypt/des.h"
#include "oscam-time.h"
#include "reader-common.h"
#include "reader-nagra-common.h"
#include "oscam-work.h"
#include "oscam-chk.h"
int8_t ins7e11_state = 0;
struct nagra_data
{
IDEA_KEY_SCHEDULE ksSession;
int8_t is_pure_nagra;
int8_t is_tiger;
int8_t is_n3_na;
int8_t has_dt08;
int8_t swapCW;
uint8_t ExpiryDate[2];
uint8_t ActivationDate[2];
uint8_t plainDT08RSA[64];
uint8_t IdeaCamKey[16];
uint8_t sessi[16];
uint8_t signature[8];
uint8_t ird_info;
uint8_t cam_state[3];
};
// Card Status checks
#define HAS_CW() ((csystem_data->cam_state[2]&6)==6)
#define RENEW_SESSIONKEY() ((csystem_data->cam_state[0]&128)==128 || (csystem_data->cam_state[0]&64)==64 || (csystem_data->cam_state[0]&32)==32 || (csystem_data->cam_state[2]&8)==8)
#define SENDDATETIME() (csystem_data->cam_state[0]&8)
// IRD Info
#define CW_NEEDS_3DES() ((csystem_data->ird_info&0x18)==0x18)
// Datatypes
#define DT01 0x01
#define IRDINFO 0x00
#define TIERS 0x05
#define DT06 0x06
#define CAMDATA 0x08
static time_t tier_date(uint32_t date, char *buf, int32_t l)
{
time_t ut = 870393600L + date * (24 * 3600);
if(buf)
{
struct tm t;
t.tm_isdst = -1;
cs_gmtime_r(&ut, &t);
l = 27;
snprintf(buf, l, "%04d/%02d/%02d", t.tm_year + 1900, t.tm_mon + 1, t.tm_mday);
}
return ut;
}
static char *nagra_datetime(struct s_reader *rdr, uint8_t *ndays, int32_t offset, char *result, time_t *t)
{
struct nagra_data *csystem_data = rdr->csystem_data;
struct tm tms;
memset(&tms, 0, sizeof(tms));
int32_t days = (ndays[0] << 8 | ndays[1]) + offset;
int32_t sec = 0;
if(!csystem_data->is_tiger)
{
sec = (ndays[2] << 8 | ndays[3]);
}
if(days > 0x41B4 && sizeof(time_t) < 8) // to overcome 32-bit systems limitations
{
days = 0x41A2; // 01-01-2038
}
tms.tm_year = 92;
tms.tm_mday = days + 1;
tms.tm_sec = sec;
time_t ut = mktime(&tms);
if(t)
{
*t = ut;
}
if(csystem_data->is_tiger)
{
snprintf(result, 27, "%02d/%02d/%04d", tms.tm_mday, tms.tm_mon + 1, tms.tm_year + 1900);
}
else
{
snprintf(result, 33, "%04d/%02d/%02d %02d:%02d", tms.tm_year + 1900, tms.tm_mon + 1, tms.tm_mday, tms.tm_hour, tms.tm_min);
}
return result;
}
static int32_t do_cmd(struct s_reader *reader, uint8_t cmd, int32_t ilen, uint8_t res, int32_t rlen, const uint8_t *data, uint8_t *cta_res, uint16_t *p_cta_lr)
{
/*
here we build the command related to the protocol T1 for ROM142 or T14 for ROM181
the only different that i know is the command length byte msg[4], this msg[4]+=1 by a ROM181 smartcard (_nighti_)
one example for the cmd$C0
T14 protocol: 01 A0 CA 00 00 03 C0 00 06 91
T1 protocol: 21 00 08 A0 CA 00 00 02 C0 00 06 87
*/
int32_t msglen = ilen + 6;
uint8_t msg[msglen];
static const char nagra_head[] = {0xA0, 0xCA, 0x00, 0x00};
struct nagra_data *csystem_data = reader->csystem_data;
memset(msg, 0, msglen);
memcpy(msg, nagra_head, 4);
msg[4] = ilen;
msg[5] = cmd;
int32_t dlen = ilen - 2;
msg[6] = dlen;
if(data && dlen > 0)
{
memcpy(msg + 7, data, dlen);
}
msg[dlen + 7] = rlen;
if(dlen < 0)
{
rdr_log_dbg(reader, D_READER, "invalid data length encountered");
return ERROR;
}
if(csystem_data->is_pure_nagra == 1)
{
msg[4] += 1;
}
if(!reader_cmd2icc(reader, msg, msglen, cta_res, p_cta_lr))
{
cs_sleepms(5);
if(cta_res[0] != res)
{
rdr_log_dbg(reader, D_READER, "result not expected (%02x != %02x)", cta_res[0], res);
return ERROR;
}
if((*p_cta_lr - 2) != rlen)
{
rdr_log_dbg(reader, D_READER, "result length expected (%d != %d)", (*p_cta_lr - 2), rlen);
return ERROR;
}
return *p_cta_lr;
}
return ERROR;
}
static void ReverseMem(uint8_t *vIn, int32_t len)
{
uint8_t temp;
int32_t i;
for(i = 0; i < (len / 2); i++)
{
temp = vIn[i];
vIn[i] = vIn[len - i - 1];
vIn[len - i - 1] = temp;
}
}
static void Signature(uint8_t *sig, const uint8_t *vkey, const uint8_t *msg, int32_t len)
{
IDEA_KEY_SCHEDULE ks;
uint8_t v[8];
uint8_t b200[16];
uint8_t b0f0[8];
memcpy(b200, vkey, sizeof(b200));
int32_t i;
int32_t j;
for(i = 0; i < len; i += 8)
{
idea_set_encrypt_key(b200, &ks);
memset(v, 0, sizeof(v));
idea_cbc_encrypt(msg + i, b0f0, 8, &ks, v, IDEA_DECRYPT);
for(j = 7; j >= 0; j--)
{
b0f0[j] ^= msg[i + j];
}
memcpy(b200 + 0, b0f0, 8);
memcpy(b200 + 8, b0f0, 8);
}
memcpy(sig, b0f0, 8);
return;
}
static int32_t CamStateRequest(struct s_reader *reader)
{
def_resp;
struct nagra_data *csystem_data = reader->csystem_data;
char tmp_dbg[10];
if(do_cmd(reader, 0xC0, 0x02, 0xB0, 0x06, NULL, cta_res, &cta_lr))
{
csystem_data->ird_info = cta_res[2];
rdr_log_dbg(reader, D_READER, "Irdinfo: %02X", csystem_data->ird_info);
memcpy(csystem_data->cam_state, cta_res + 3, 3);
rdr_log_dbg(reader, D_READER, "Camstate: %s", cs_hexdump(1, csystem_data->cam_state, 3, tmp_dbg, sizeof(tmp_dbg)));
}
else
{
rdr_log_dbg(reader, D_READER, "CamStateRequest failed");
return ERROR;
}
return OK;
}
static void DateTimeCMD(struct s_reader *reader)
{
def_resp;
if(!do_cmd(reader, 0xC8, 0x02, 0xB8, 0x06, NULL, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "DateTimeCMD failed!");
}
}
static int32_t NegotiateSessionKey_Tiger(struct s_reader *reader)
{
def_resp;
uint8_t exponent = 0x11;
uint8_t parte_fija[120];
uint8_t parte_variable[88];
uint8_t d1_rsa_modulo[88];
uint8_t d2_data[88];
uint8_t sign1[8];
uint8_t sk[16];
uint8_t tmp[104];
uint8_t idea_key[16];
uint8_t rnd[88];
char tmp2[17];
struct nagra_data *csystem_data = reader->csystem_data;
if(!do_cmd(reader, 0xd1, 0x02, 0x51, 0xd2, NULL, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "CMD$D1 failed");
return ERROR;
}
BN_CTX *ctx = BN_CTX_new();
#ifdef WITH_LIBCRYPTO
BN_CTX_start(ctx);
#endif
BIGNUM *bnN = BN_CTX_get(ctx);
BIGNUM *bnE = BN_CTX_get(ctx);
BIGNUM *bnCT = BN_CTX_get(ctx);
BIGNUM *bnPT = BN_CTX_get(ctx);
BN_bin2bn(reader->rsa_mod, 120, bnN);
BN_bin2bn(&exponent, 1, bnE);
BN_bin2bn(&cta_res[90], 120, bnCT);
BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
memset(parte_fija, 0, 120);
BN_bn2bin(bnPT, parte_fija + (120 - BN_num_bytes(bnPT)));
BN_CTX_end(ctx);
BN_CTX_free(ctx);
rdr_log_dbg(reader, D_READER, "---------- SIG CHECK ---------------------");
memset(tmp, 0, 104);
memcpy(tmp + 4, parte_fija + 11, 100);
memset(idea_key, 0x37, 16);
Signature(sign1, idea_key, tmp, 104);
rdr_log_dbg(reader, D_READER, "sign1: %s", cs_hexdump(0, sign1, 8, tmp2, sizeof(tmp2)));
rdr_log_dbg(reader, D_READER, "sign2: %s", cs_hexdump(0, parte_fija + 111, 8, tmp2, sizeof(tmp2)));
if((!memcmp(parte_fija + 111, sign1, 8)) == 0)
{
rdr_log_dbg(reader, D_READER, "signature check nok");
rdr_log_dbg(reader, D_READER, "------------------------------------------");
return ERROR;
}
rdr_log_dbg(reader, D_READER, "signature check ok");
rdr_log_dbg(reader, D_READER, "------------------------------------------");
memcpy(reader->hexserial + 2, parte_fija + 15, 4);
memcpy(reader->sa[0], parte_fija + 15, 3);
memcpy(reader->irdId, parte_fija + 19, 4);
memcpy(d1_rsa_modulo, parte_fija + 23, 88);
ReverseMem(cta_res + 2, 88);
BN_CTX *ctx1 = BN_CTX_new();
#ifdef WITH_LIBCRYPTO
BN_CTX_start(ctx1);
#endif
BIGNUM *bnN1 = BN_CTX_get(ctx1);
BIGNUM *bnE1 = BN_CTX_get(ctx1);
BIGNUM *bnCT1 = BN_CTX_get(ctx1);
BIGNUM *bnPT1 = BN_CTX_get(ctx1);
BN_bin2bn(d1_rsa_modulo, 88, bnN1);
BN_bin2bn(&exponent, 1, bnE1);
BN_bin2bn(cta_res + 2, 88, bnCT1);
BN_mod_exp(bnPT1, bnCT1, bnE1, bnN1, ctx1);
memset(parte_variable, 0, 88);
BN_bn2bin(bnPT1, parte_variable + (88 - BN_num_bytes(bnPT1)));
BN_CTX_end(ctx1);
BN_CTX_free(ctx1);
csystem_data->ActivationDate[0] = parte_variable[65];
csystem_data->ActivationDate[1] = parte_variable[66];
csystem_data->ExpiryDate[0] = parte_variable[69];
csystem_data->ExpiryDate[1] = parte_variable[70];
reader->prid[0][0] = 0x00;
reader->prid[0][1] = 0x00;
reader->prid[0][2] = parte_variable[73];
reader->prid[0][3] = parte_variable[74];
reader->caid = (SYSTEM_NAGRA | parte_variable[76]);
memcpy(sk, &parte_variable[79], 8);
memset(sk + 8, 0xBB, 8);
rdr_log_sensitive(reader, "type: NAGRA, caid: %04X, IRD ID: {%s}", reader->caid, cs_hexdump(1, reader->irdId, 4, tmp2, sizeof(tmp2)));
rdr_log(reader, "ProviderID: %s", cs_hexdump(1, reader->prid[0], 4, tmp2, sizeof(tmp2)));
memcpy(rnd, sk, 8);
memset(&rnd[8], 0xBB, 79);
rnd[87] = 0x6B;
ReverseMem(rnd, 88);
BN_CTX *ctx3 = BN_CTX_new();
#ifdef WITH_LIBCRYPTO
BN_CTX_start(ctx3);
#endif
BIGNUM *bnN3 = BN_CTX_get(ctx3);
BIGNUM *bnE3 = BN_CTX_get(ctx3);
BIGNUM *bnCT3 = BN_CTX_get(ctx3);
BIGNUM *bnPT3 = BN_CTX_get(ctx3);
BN_bin2bn(d1_rsa_modulo, 88, bnN3);
BN_bin2bn(&exponent, 1, bnE3);
BN_bin2bn(rnd, 88, bnCT3);
BN_mod_exp(bnPT3, bnCT3, bnE3, bnN3, ctx3);
memset(d2_data, 0, 88);
BN_bn2bin(bnPT3, d2_data + (88 - BN_num_bytes(bnPT3)));
BN_CTX_end(ctx3);
BN_CTX_free(ctx3);
ReverseMem(d2_data, 88);
if(!do_cmd(reader, 0xd2, 0x5a, 0x52, 0x03, d2_data, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "CMD$D2 failed");
return ERROR;
}
if(cta_res[2] == 0x00)
{
memcpy(csystem_data->sessi, sk, 16);
IDEA_KEY_SCHEDULE ks;
idea_set_encrypt_key(csystem_data->sessi, &ks);
idea_set_decrypt_key(&ks, &csystem_data->ksSession);
rdr_log_dbg(reader, D_READER, "Tiger session key negotiated");
return OK;
}
rdr_log(reader, "Negotiate sessionkey was not successful! Please check tivusat rsa key");
return ERROR;
}
static int32_t NegotiateSessionKey(struct s_reader *reader)
{
def_resp;
uint8_t negot[64];
uint8_t cmd2b[] = {
0x21, 0x40, 0x4D, 0xA0, 0xCA, 0x00, 0x00, 0x47, 0x27, 0x45,
0x1C, 0x54, 0xd1, 0x26, 0xe7, 0xe2, 0x40, 0x20,
0xd1, 0x66, 0xf4, 0x18, 0x97, 0x9d, 0x5f, 0x16,
0x8f, 0x7f, 0x7a, 0x55, 0x15, 0x82, 0x31, 0x14,
0x06, 0x57, 0x1a, 0x3f, 0xf0, 0x75, 0x62, 0x41,
0xc2, 0x84, 0xda, 0x4c, 0x2e, 0x84, 0xe9, 0x29,
0x13, 0x81, 0xee, 0xd6, 0xa9, 0xf5, 0xe9, 0xdb,
0xaf, 0x22, 0x51, 0x3d, 0x44, 0xb3, 0x20, 0x83,
0xde, 0xcb, 0x5f, 0x35, 0x2b, 0xb0, 0xce, 0x70,
0x01, 0x02, 0x03, 0x04, //IRD nr
0x00 };//keynr
uint8_t cmd2a[] = {
0x00,
0xA5, 0xFB, 0x02, 0x76, //NUID
0x00, 0x08, //OTP-CSC
0x00, 0x00, //OTA-CSC
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00,
0x22, 0x11 }; //Provider ID
uint8_t tmp[64];
uint8_t idea1[16];
uint8_t idea2[16];
uint8_t sign1[8];
uint8_t sign2[8];
struct nagra_data *csystem_data = reader->csystem_data;
if(csystem_data->is_tiger)
{
if(!NegotiateSessionKey_Tiger(reader))
{
rdr_log_dbg(reader, D_READER, "NegotiateSessionKey_Tiger failed");
return ERROR;
}
return OK;
}
if(!csystem_data->has_dt08) // if we have no valid dt08 calc then we use rsa from config and hexserial for calc of sessionkey
{
rdr_log_dbg(reader, D_READER, "No valid DT08 calc using rsa from config and serial from card");
memcpy(csystem_data->plainDT08RSA, reader->rsa_mod, 64);
memcpy(csystem_data->signature, reader->boxkey, 8);
}
if((csystem_data->is_n3_na) && (!do_cmd(reader, 0x29, 0x02, 0xA9, 0x04, NULL, cta_res, &cta_lr)))
{
rdr_log_dbg(reader, D_READER, "Nagra3: CMD$29 failed");
return ERROR;
}
memcpy(tmp, reader->irdId, 4);
tmp[4] = 0; //keynr 0
if(!csystem_data->is_n3_na)
{
if (reader->cak63nuid_length == 4) //nuid is set
{
// inject provid
cmd2a[26] = reader->prid[0][2];
cmd2a[27] = reader->prid[0][3];
memcpy(&cmd2a[1], reader->cak63nuid, 4); // inject NUID
if (!do_cmd(reader, 0x2a,0x1E,0xAA,0x42, cmd2a, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "CMD$2A failed");
return ERROR;
}
}
else
{
if(!do_cmd(reader, 0x2a, 0x02, 0xaa, 0x42, NULL, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "CMD$2A failed");
return ERROR;
}
}
}
else if(!do_cmd(reader, 0x26, 0x07, 0xa6, 0x42, tmp, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "CMD$26 failed");
return ERROR;
}
// RSA decrypt of cmd$2a data, result is stored in "negot"
ReverseMem(cta_res + 2, 64);
uint8_t vFixed[] = {0, 1, 2, 3};
BN_CTX *ctx = BN_CTX_new();
#ifdef WITH_LIBCRYPTO
BN_CTX_start(ctx);
#endif
BIGNUM *bnN = BN_CTX_get(ctx);
BIGNUM *bnE = BN_CTX_get(ctx);
BIGNUM *bnCT = BN_CTX_get(ctx);
BIGNUM *bnPT = BN_CTX_get(ctx);
BN_bin2bn(csystem_data->plainDT08RSA, 64, bnN);
BN_bin2bn(vFixed + 3, 1, bnE);
BN_bin2bn(cta_res + 2, 64, bnCT);
BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
memset(negot, 0, 64);
BN_bn2bin(bnPT, negot + (64 - BN_num_bytes(bnPT)));
memcpy(tmp, negot, 64);
ReverseMem(tmp, 64);
// build sessionkey
// first halve is IDEA Hashed in chuncs of 8 bytes using the Signature1 from dt08 calc, CamID-Inv.CamID(16 bytes key) the results are the First 8 bytes of the Session key
memcpy(idea1, csystem_data->signature, 8);
memcpy(idea1 + 8, reader->hexserial + 2, 4);
idea1[12] = ~reader->hexserial[2];
idea1[13] = ~reader->hexserial[3];
idea1[14] = ~reader->hexserial[4];
idea1[15] = ~reader->hexserial[5];
Signature(sign1, idea1, tmp, 32);
memcpy(idea2, sign1, 8);
memcpy(idea2 + 8, sign1, 8);
Signature(sign2, idea2, tmp, 32);
memcpy(csystem_data->sessi, sign1, 8);
memcpy(csystem_data->sessi + 8, sign2, 8);
// prepare cmd$2b data
BN_bin2bn(negot, 64, bnCT);
BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
memset(cmd2b + 10, 0, 64);
BN_bn2bin(bnPT, cmd2b + 10 + (64 - BN_num_bytes(bnPT)));
BN_CTX_end(ctx);
BN_CTX_free(ctx);
ReverseMem(cmd2b + 10, 64);
IDEA_KEY_SCHEDULE ks;
idea_set_encrypt_key(csystem_data->sessi, &ks);
idea_set_decrypt_key(&ks, &csystem_data->ksSession);
memcpy(cmd2b + 74, reader->irdId, 4);
cmd2b[78] = 0; //keynr
if(!csystem_data->is_n3_na)
{
if(!do_cmd(reader, 0x2b, 0x42, 0xab, 0x02, cmd2b + 10, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "CMD$2B failed");
return ERROR;
}
}
else if(!do_cmd(reader, 0x27, 0x47, 0xa7, 0x02, cmd2b + 10, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "CMD$27 failed");
return ERROR;
}
rdr_log_dbg(reader, D_READER, "session key negotiated");
DateTimeCMD(reader);
if(!CamStateRequest(reader))
{
rdr_log_dbg(reader, D_READER, "CamStateRequest failed");
return ERROR;
}
if RENEW_SESSIONKEY()
{
rdr_log(reader, "Negotiate sessionkey was not successful! Please check rsa key and boxkey");
return ERROR;
}
return OK;
}
static void decryptDT08(struct s_reader *reader, uint8_t *cta_res)
{
uint8_t vFixed[] = {0, 1, 2, 3};
uint8_t v[72];
uint8_t buf[72];
uint8_t sign2[8];
uint8_t static_dt08[73];
uint8_t camid[4];
char tmp_dbg[13];
int32_t i, n;
BN_CTX *ctx;
BIGNUM *bn_mod, *bn_exp, *bn_data, *bn_res;
struct nagra_data *csystem_data = reader->csystem_data;
memcpy(static_dt08, &cta_res[12], 73);
// decrypt RSA Part of dt08
bn_mod = BN_new();
bn_exp = BN_new();
bn_data = BN_new();
bn_res = BN_new();
ctx = BN_CTX_new();
if(ctx == NULL)
{
rdr_log_dbg(reader, D_READER, "RSA Error in dt08 decrypt");
}
ReverseMem(static_dt08 + 1, 64);
BN_bin2bn(reader->rsa_mod, 64, bn_mod); // rsa modulus
BN_bin2bn(vFixed + 3, 1, bn_exp); // exponent
BN_bin2bn(static_dt08 + 1, 64, bn_data);
BN_mod_exp(bn_res, bn_data, bn_exp, bn_mod, ctx);
memset(static_dt08 + 1, 0, 64);
n = BN_bn2bin(bn_res, static_dt08 + 1);
BN_CTX_free(ctx);
ReverseMem(static_dt08 + 1, n);
// RSA data can never be bigger than the modulo
static_dt08[64] |= static_dt08[0] & 0x80;
// IdeaCamKey
memcpy(&csystem_data->IdeaCamKey[0], reader->boxkey, 8);
memcpy(&csystem_data->IdeaCamKey[8], reader->irdId, 4);
for(i = 0; i < 4; i++)
{
csystem_data->IdeaCamKey[12 + i] = ~reader->irdId[i];
}
// now IDEA decrypt
IDEA_KEY_SCHEDULE ks;
idea_set_encrypt_key(csystem_data->IdeaCamKey, &ks);
idea_set_decrypt_key(&ks, &csystem_data->ksSession);
memcpy(&buf[0], static_dt08 + 1, 64);
memcpy(&buf[64], static_dt08 + 65, 8);
memset(v, 0, sizeof(v));
memset(static_dt08, 0, sizeof(static_dt08));
idea_cbc_encrypt(buf, static_dt08, 72, &csystem_data->ksSession, v, IDEA_DECRYPT);
if(csystem_data->swapCW == 1)
{
memset(camid, 0xff, 4);
}
else
{
memcpy(camid, reader->hexserial + 2, 4);
}
rdr_log_dbg(reader, D_READER, "using camid %s for dt08 calc", cs_hexdump(1, camid, 4, tmp_dbg, sizeof(tmp_dbg)));
// Calculate csystem_data->signature
memcpy(csystem_data->signature, static_dt08, 8);
memset(static_dt08 + 0, 0, 4);
memcpy(static_dt08 + 4, camid, 4);
Signature(sign2, csystem_data->IdeaCamKey, static_dt08, 72);
if(memcmp(csystem_data->signature, sign2, 8) == 0)
{
csystem_data->has_dt08 = 1;
memcpy(csystem_data->plainDT08RSA, static_dt08 + 8, 64);
rdr_log_dbg(reader, D_READER, "DT08 signature check ok");
}
else
{
csystem_data->has_dt08 = 0;
rdr_log_dbg(reader, D_READER, "DT08 signature check nok");
}
BN_free(bn_mod);
BN_free(bn_exp);
BN_free(bn_data);
BN_free(bn_res);
}
static void addProvider(struct s_reader *reader, uint8_t *cta_res)
{
int32_t i;
int32_t toadd = 1;
for(i = 0; i < reader->nprov; i++)
{
if((cta_res[7] == reader->prid[i][2]) && (cta_res[8] == reader->prid[i][3]))
{
toadd = 0;
}
}
if(toadd)
{
reader->prid[reader->nprov][0] = 0;
reader->prid[reader->nprov][1] = 0;
reader->prid[reader->nprov][2] = cta_res[7];
reader->prid[reader->nprov][3] = cta_res[8];
memcpy(reader->sa[reader->nprov], reader->sa[0], 4);
reader->nprov += 1;
}
}
static int32_t ParseDataType(struct s_reader *reader, uint8_t dt, uint8_t *cta_res, uint16_t cta_lr)
{
struct nagra_data *csystem_data = reader->csystem_data;
char ds[20], de[16];
uint16_t chid;
switch(dt)
{
case IRDINFO:
{
reader->prid[0][0] = 0;
reader->prid[0][1] = 0;
reader->prid[0][2] = cta_res[7];
reader->prid[0][3] = cta_res[8];
// provider 3411, 0401 needs cw swap
if(((cta_res[7] == 0x34) && (cta_res[8] == 0x11)) || ((cta_res[7] == 0x04) && (cta_res[8] == 0x01)))
{
rdr_log_dbg(reader, D_READER, "detect provider with swap cw!");
csystem_data->swapCW = 1;
}
reader->prid[1][0] = 0x00;
reader->prid[1][1] = 0x00;
reader->prid[1][2] = 0x00;
reader->prid[1][3] = 0x00;
memcpy(reader->sa[1], reader->sa[0], 4);
reader->nprov += 1;
reader->caid = (SYSTEM_NAGRA | cta_res[11]);
memcpy(reader->irdId, cta_res + 14, 4);
// do not output on init but only afterwards in card_info
if(reader->csystem_active)
{
rdr_log_sensitive(reader, "IRD ID: {%s}", cs_hexdump(1, reader->irdId, 4, ds, sizeof(ds)));
nagra_datetime(reader, cta_res + 24, 0, ds, &reader->card_valid_to);
rdr_log(reader, "active to: %s", ds);
}
return OK;
}
case TIERS:
if((cta_lr > 33) && (chid = b2i(2, cta_res + 11)))
{
int32_t id = (cta_res[7] * 256) | cta_res[8];
int32_t expire_date1 = b2i(2, cta_res + 13);
int32_t expire_date2 = b2i(2, cta_res + 24);
int32_t sooner_expire_date = expire_date1 <= expire_date2 ? expire_date1 : expire_date2;
// todo: add entitlements to list
cs_add_entitlement(reader, reader->caid, id, chid, 0, tier_date(b2i(2, cta_res + 20) - 0x7f7, ds, 15), tier_date(sooner_expire_date - 0x7f7, de, 15), 4, 1);
rdr_log(reader, "|%04X|%04X |%s |%s |", id, chid, ds, de);
addProvider(reader, cta_res);
}
return OK;
case 0x08:
case 0x88:
if(cta_res[11] == 0x49)
{
decryptDT08(reader, cta_res);
}
return OK;
default:
return OK;
}
return ERROR;
}
static int32_t GetDataType(struct s_reader *reader, uint8_t dt, int32_t len)
{
def_resp;
int32_t result = OK;
while(result == OK)
{
if(!do_cmd(reader, 0x22, 0x03, 0xA2, len, &dt, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "failed to get datatype %02X", dt);
result = ERROR;
break;
}
if((cta_res[2] == 0) && ((dt&0x80) == 0x80))
{
result = OK;
break;
}
if(!ParseDataType(reader, dt & 0x0F, cta_res, cta_lr))
{
result = ERROR;
break;
}
if(((dt&0x0F) != TIERS) && (cta_res[11] == 0x49) && ((dt&0x80) == 0x80))
{
result = OK;
break;
}
dt |= 0x80; // get next item
}
return result;
}
static int32_t nagra2_card_init(struct s_reader *reader, ATR *newatr)
{
get_atr;
def_resp;
memset(reader->rom, 0, 15);
static const uint8_t ins80[] = { 0x80, 0xCA, 0x00, 0x00, 0x11 }; // switch to nagra layer
static const uint8_t handshake[] = { 0xEE, 0x51, 0xDC, 0xB8, 0x4A, 0x1C, 0x15, 0x05, 0xB5, 0xA6, 0x9B, 0x91, 0xBA, 0x33, 0x19, 0xC4, 0x10 }; // nagra handshake
int8_t is_pure_nagra = 0;
int8_t is_tiger = 0;
int8_t is_n3_na = 0;
memset(reader->irdId, 0xff, 4);
memset(reader->hexserial, 0, 8);
cs_clear_entitlement(reader); // reset the entitlements
if(memcmp(atr + 11, "DNASP240", 8) == 0 || memcmp(atr + 11, "DNASP241", 8) == 0)
{
rdr_log(reader, "detect nagra 3 NA card");
memcpy(reader->rom, atr + 11, 15);
is_n3_na = 1;
}
else if((memcmp(atr + 11, "DNASP", 5) == 0) && (memcmp(atr + 11, "DNASP4", 6) != 0))
{
rdr_log(reader, "detect native nagra card");
memcpy(reader->rom, atr + 11, 15);
}
else if(memcmp(atr + 11, "TIGER", 5) == 0 || (memcmp(atr + 11, "NCMED", 5) == 0))
{
rdr_log(reader, "detect nagra tiger card");
memcpy(reader->rom, atr + 11, 15);
is_tiger = 1;
}
else if((!memcmp(atr + 4, "IRDETO", 6)) && ((atr[14] == 0x03) && (atr[15] == 0x84) && (atr[16] == 0x55)))
{
rdr_log(reader, "detect irdeto tunneled nagra card");
if(!array_has_nonzero_byte(reader->rsa_mod, 64))
{
rdr_log(reader, "no rsa key configured -> using irdeto mode");
return ERROR;
}
#ifdef READER_IRDETO
if(reader->force_irdeto)
{
rdr_log(reader, "rsa key configured but irdeto mode forced -> using irdeto mode");
return ERROR;
}
#endif
rdr_log(reader, "rsa key configured -> using nagra mode");
is_pure_nagra = 1;
if(!cs_malloc(&reader->csystem_data, sizeof(struct nagra_data)))
{
return ERROR;
}
struct nagra_data *csystem_data = reader->csystem_data;
csystem_data->is_pure_nagra = is_pure_nagra;
if(!do_cmd(reader, 0x10, 0x02, 0x90, 0x11, 0, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "get rom version failed");
return ERROR;
}
memcpy(reader->rom, cta_res + 2, 15);
}
else if(
#ifdef READER_NAGRA_MERLIN
!reader->cak7_mode &&
#endif
reader->detect_seca_nagra_tunneled_card && memcmp(atr + 7, "pp", 2) == 0 && ((atr[9]&0x0F) >= 10))
{
rdr_log(reader, "detect seca/nagra tunneled card");
if(!cs_malloc(&reader->csystem_data, sizeof(struct nagra_data)))
{
rdr_log(reader,"mem alloc error"); return ERROR;
}
if(!card_write(reader, ins80, handshake, cta_res, &cta_lr)) // try to init nagra layer
{
if(cta_res[0] == 0x61 && cta_res[1] == 0x10)
{
reader->seca_nagra_card = 1;
if ((reader->typ == R_SMART || reader->typ == R_INTERNAL || is_smargo_reader(reader)) && !reader->ins7e11_fast_reset)
{
ins7e11_state = 1;
reader->ins7e11_fast_reset = 1;
}
reader->card_atr_length = 23;
const struct s_cardreader *crdr_ops = reader->crdr;
if (!crdr_ops)
{
return ERROR;
}
call(crdr_ops->activate(reader, newatr)); // read nagra atr
get_atr2;
memcpy(reader->rom, atr2 + 8, 15); // get historical bytes containing romrev from nagra atr
rdr_log(reader,"Nagra layer found");
rdr_log(reader,"Rom revision: %.15s", reader->rom);
reader->card_atr_length = 14;
reader->seca_nagra_card = 2;
call(crdr_ops->activate(reader, newatr)); // read seca atr to switch back
if ((reader->typ == R_SMART || reader->typ == R_INTERNAL || is_smargo_reader(reader)) && ins7e11_state == 1)
{
ins7e11_state = 0;
reader->ins7e11_fast_reset = 0;
}
}
else
{
rdr_log(reader," Nagra atr not ok");
return ERROR;
}
}
return ERROR; // quitting csystem still not having needed commands to run on nagra layer
}
else
{
return ERROR;
}
// Private data may be already allocated, see above (the irdeto check).
if(!reader->csystem_data)
{
if(!cs_malloc(&reader->csystem_data, sizeof(struct nagra_data)))
{
return ERROR;
}
}
struct nagra_data *csystem_data = reader->csystem_data;
csystem_data->is_pure_nagra = is_pure_nagra;
csystem_data->is_tiger = is_tiger;
csystem_data->is_n3_na = is_n3_na;
reader->nprov = 1;
if(!csystem_data->is_tiger)
{
CamStateRequest(reader);
if(!do_cmd(reader, 0x12, 0x02, 0x92, 0x06, 0, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "get serial failed");
return ERROR;
}
memcpy(reader->hexserial + 2, cta_res + 2, 4);
memcpy(reader->sa[0], cta_res + 2, 3);
if(!GetDataType(reader, DT01, 0x0E))
{
return ERROR;
}
rdr_log_dbg(reader, D_READER, "DT01 DONE");
CamStateRequest(reader);
if(!GetDataType(reader, IRDINFO, 0x39))
{
return ERROR;
}
rdr_log_dbg(reader, D_READER, "IRDINFO DONE");
CamStateRequest(reader);
if(!GetDataType(reader, CAMDATA, 0x55))
{
return ERROR;
}
rdr_log_dbg(reader, D_READER, "CAMDATA Done");
if(!GetDataType(reader, 0x04, 0x44))
{
return ERROR;
}
rdr_log_dbg(reader, D_READER, "DT04 DONE");
CamStateRequest(reader);
if(!GetDataType(reader, DT06, 0x16))
{
return ERROR;
}
rdr_log_dbg(reader, D_READER, "DT06 DONE");
CamStateRequest(reader);
}
if(!NegotiateSessionKey(reader))
{
rdr_log_dbg(reader, D_READER, "NegotiateSessionKey failed");
return ERROR;
}
rdr_log(reader, "ready for requests");
return OK;
}
typedef struct
{
char date1[11];
char date2[11];
uint8_t type;
uint16_t value;
uint16_t price;
} ncmed_rec;
static time_t tiger_date2time(const char *date)
{
struct tm timeinfo;
int32_t y, m, d;
sscanf(date, "%02d/%02d/%04d", &d, &m, &y);
memset(&timeinfo, 0, sizeof(struct tm));
timeinfo.tm_year = y - 1900;
timeinfo.tm_mon = m - 1;
timeinfo.tm_mday = d;
return mktime(&timeinfo);
}
static int32_t reccmp(const void *r1, const void *r2)
{
int32_t v1, v2, y, m, d;
sscanf(((ncmed_rec *)r1)->date1, "%02d/%02d/%04d", &d, &m, &y);
v1 = y * 372 + 1 + m * 31 + d;
sscanf(((ncmed_rec *)r2)->date1, "%02d/%02d/%04d", &d, &m, &y);
v2 = y * 372 + 1 + m * 31 + d;
return (v1 == v2) ? 0 : (v1 < v2) ? -1 : 1;
}
static int32_t reccmp2(const void *r1, const void *r2)
{
char rec1[13], rec2[13];
snprintf(rec1, sizeof(rec1), "%04X", ((ncmed_rec *)r1)->value);
memcpy(rec1 + 4, ((ncmed_rec *)r1)->date2 + 6, 4);
memcpy(rec1 + 8, ((ncmed_rec *)r1)->date2 + 3, 2);
memcpy(rec1 + 10, ((ncmed_rec *)r1)->date2, 2);
snprintf(rec2, sizeof(rec2), "%04X", ((ncmed_rec *)r2)->value);
memcpy(rec2 + 4, ((ncmed_rec *)r2)->date2 + 6, 4);
memcpy(rec2 + 8, ((ncmed_rec *)r2)->date2 + 3, 2);
memcpy(rec2 + 10, ((ncmed_rec *)r2)->date2, 2);
rec1[12] = rec2[12] = 0;
return strcmp(rec2, rec1);
}
static int32_t nagra2_card_info(struct s_reader *reader)
{
int32_t i;
char currdate[27], tmp[64];
struct nagra_data *csystem_data = reader->csystem_data;
rdr_log(reader, "ROM: %c %c %c %c %c %c %c %c", reader->rom[0], reader->rom[1], reader->rom[2], reader->rom[3], reader->rom[4], reader->rom[5], reader->rom[6], reader->rom[7]);
rdr_log(reader, "REV: %c %c %c %c %c %c", reader->rom[9], reader->rom[10], reader->rom[11], reader->rom[12], reader->rom[13], reader->rom[14]);
rdr_log_sensitive(reader, "SER: {%s}", cs_hexdump(1, reader->hexserial + 2, 4, tmp, sizeof(tmp)));
rdr_log(reader, "CAID: %04X", reader->caid);
rdr_log(reader, "Prv.ID: %s(sysid)", cs_hexdump(1, reader->prid[0], 4, tmp, sizeof(tmp)));
for(i = 1; i < reader->nprov; i++)
{
rdr_log(reader, "Prv.ID: %s", cs_hexdump(1, reader->prid[i], 4, tmp, sizeof(tmp)));
}
cs_clear_entitlement(reader); // reset the entitlements
if(csystem_data->is_tiger)
{
rdr_log(reader, "Activation Date : %s", nagra_datetime(reader, csystem_data->ActivationDate, 0, currdate, 0));
rdr_log(reader, "Expiry Date : %s", nagra_datetime(reader, csystem_data->ExpiryDate, 0, currdate, &reader->card_valid_to));
}
if(reader->nagra_read && csystem_data->is_tiger && (memcmp(reader->rom, "NCMED", 5) == 0 || memcmp(reader->rom, "TIGER", 5) == 0))
{
ncmed_rec records[255];
int32_t num_records = 0;
uint8_t tier_cmd1[] = { 0x00, 0x00 };
uint8_t tier_cmd2[] = { 0x01, 0x00 };
def_resp;
int32_t j;
do_cmd(reader, 0xD0, 0x04, 0x50, 0x0A, tier_cmd1, cta_res, &cta_lr);
if(cta_lr == 0x0C)
{
int32_t prepaid = 0;
int32_t credit = 0;
int32_t balance = 0;
uint16_t credit_in = cta_res[8] << 8 | cta_res[9];
uint16_t credit_out = cta_res[5] << 8 | cta_res[6];
balance = (credit_in - credit_out) / 100;
for(i = 0; i < 13; ++i)
{
tier_cmd2[1] = i;
do_cmd(reader, 0xD0, 0x04, 0x50, 0xAA, tier_cmd2, cta_res, &cta_lr);
if(cta_lr == 0xAC)
{
//rdr_log_dump(reader, cta_res, cta_lr, "NCMED Card Record %d", i+1);
for(j = 2; j < cta_res[1] - 14; ++j)
{
if(cta_res[j] == 0x80 && cta_res[j + 6] != 0x00)
{
int32_t val_offs = 0;
nagra_datetime(reader, &cta_res[j + 6], 0, records[num_records].date2, 0);
switch(cta_res[j + 1])
{
case 0x00:
case 0x01:
case 0x20:
case 0x21:
case 0x29:
nagra_datetime(reader, &cta_res[j + 8], 0, records[num_records].date1, 0);
val_offs = 1;
break;
case 0x80:
nagra_datetime(reader, &cta_res[j + 6], 0, records[num_records].date1, 0);
val_offs = 1;
break;
default:
rdr_log(reader, "Unknown record : %s", cs_hexdump(1, &cta_res[j], 17, tmp, sizeof(tmp)));
}
if(val_offs > 0)
{
records[num_records].type = cta_res[j + 1];
records[num_records].value = cta_res[j + 4] << 8 | cta_res[j + 5];
records[num_records++].price = cta_res[j + 11] << 8 | cta_res[j + 12];
}
j += 16;
}
}
}
}
if(reader->nagra_read == 1)
{
qsort(records, num_records, sizeof(ncmed_rec), reccmp);
}
else
{
qsort(records, num_records, sizeof(ncmed_rec), reccmp2);
}
int32_t euro = 0;
char tiername[83];
time_t rawtime;
struct tm timeinfo;
time(&rawtime);
localtime_r(&rawtime, &timeinfo);
snprintf(currdate, sizeof(currdate), "%02d/%02d/%04d", timeinfo.tm_mday, timeinfo.tm_mon + 1, timeinfo.tm_year + 1900);
for(i = 0; i < num_records; ++i)
{
switch(records[i].type)
{
case 0x00:
case 0x01:
if(reccmp(records[i].date2, currdate) >= 0)
{
if(reader->nagra_read == 2)
{
rdr_log(reader, "Tier : %04X, expiry date: %s %s",
records[i].value, records[i].date2, get_tiername(records[i].value, reader->caid, tiername));
}
else if(reader->nagra_read == 1)
{
euro = (records[i].price / 100);
rdr_log(reader, "Activation : ( %04X ) from %s to %s (%3d euro) %s",
records[i].value, records[i].date1, records[i].date2, euro, get_tiername(records[i].value, reader->caid, tiername));
}
cs_add_entitlement(
reader,
reader->caid,
b2ll(4, reader->prid[0]),
records[i].value,
0,
tiger_date2time(records[i].date1),
tiger_date2time(records[i].date2)+ 0x1517F,
4,
1);
} break;
case 0x20:
case 0x21:
if(reccmp(records[i].date2, currdate) >= 0)
{
if(reader->nagra_read == 2)
{
rdr_log(reader, "Tier : %04X, expiry date: %s %s", records[i].value, records[i].date2, get_tiername(records[i].value, reader->caid, tiername));
}
cs_add_entitlement(
reader,
reader->caid,
b2ll(4, reader->prid[0]),
records[i].value,
0,
tiger_date2time(records[i].date1),
tiger_date2time(records[i].date2)+ 0x1517F,
4,
1);
} break;
}
if(reader->nagra_read == 2)
{
while(i < num_records - 1 && records[i].value == records[i + 1].value)
{
++i;
}
}
}
for(i = 0; i < num_records; ++i)
{
switch(records[i].type)
{
case 0x80:
if(reader->nagra_read == 1)
{
euro = (records[i].price / 100) - prepaid;
credit += euro;
prepaid += euro;
if(euro)
{
rdr_log(reader, "Recharge : %s (%3d euro)", records[i].date2, euro);
}
} break;
case 0x20:
case 0x21:
if(reader->nagra_read == 1)
{
euro = records[i].price / 100;
credit -= euro;
rdr_log(reader, "Subscription : ( %04X ) from %s to %s (%3d euro) %s",
records[i].value, records[i].date1, records[i].date2, euro, get_tiername(records[i].value, reader->caid, tiername));
} break;
case 0x29:
euro = records[i].price / 100;
if(reader->nagra_read == 1) { credit -= euro; }
rdr_log(reader, "Event purchase : ( %04X ) from %s to %s (%3d euro)", records[i].value, records[i].date1, records[i].date2, euro);
break;
}
}
if(reader->nagra_read == 1)
{
rdr_log(reader, "Credit : %3d euro", credit);
}
else
{
rdr_log(reader, "Credit : %3d euro", balance);
}
}
}
else
{
def_resp;
char tmp_dbg[13];
CamStateRequest(reader);
if(!do_cmd(reader, 0x12, 0x02, 0x92, 0x06, 0, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "get serial failed");
return ERROR;
}
memcpy(reader->hexserial + 2, cta_res + 2, 4);
rdr_log_dbg_sensitive(reader, D_READER, "SER: {%s}", cs_hexdump(1, reader->hexserial + 2, 4, tmp_dbg, sizeof(tmp_dbg)));
memcpy(reader->sa[0], cta_res + 2, 3);
reader->nprov = 1;
if(!GetDataType(reader, IRDINFO, 0x39))
{
return ERROR;
}
rdr_log_dbg(reader, D_READER, "IRDINFO DONE");
CamStateRequest(reader);
if((!memcmp(reader->rom + 5, "181", 3)) == 0) // dt05 is not supported by rom181
{
rdr_log(reader, "-----------------------------------------");
rdr_log(reader, "|id |tier |valid from |valid to |");
rdr_log(reader, "+----+--------+------------+------------+");
if(!GetDataType(reader, TIERS, 0x57))
{
return ERROR;
}
rdr_log(reader, "-----------------------------------------");
CamStateRequest(reader);
}
}
return OK;
}
void nagra2_post_process(struct s_reader *reader)
{
struct nagra_data *csystem_data = reader->csystem_data;
if(!csystem_data->is_tiger)
{
CamStateRequest(reader);
if RENEW_SESSIONKEY()
{
NegotiateSessionKey(reader);
}
if SENDDATETIME()
{
DateTimeCMD(reader);
}
}
}
static int32_t nagra2_do_ecm(struct s_reader *reader, const ECM_REQUEST *er, struct s_ecm_answer *ea)
{
def_resp;
struct nagra_data *csystem_data = reader->csystem_data;
if(!csystem_data->is_tiger)
{
int32_t retry = 0;
if(csystem_data->is_n3_na)
{
uint8_t ecm_pkt[256 + 16];
memset(ecm_pkt, 0, sizeof(ecm_pkt));
memcpy(ecm_pkt, er->ecm + 3 + 2, er->ecm[4]);
while(!do_cmd(reader, er->ecm[3] + 1, er->ecm[4] + 5 + 2, 0x88, 0x04, ecm_pkt, cta_res, &cta_lr))
{
if(retry == 0)
{
rdr_log_dbg(reader, D_READER, "nagra2_do_ecm (N3_NA) failed, retry");
}
else
{
rdr_log_dbg(reader, D_READER, "nagra2_do_ecm (N3_NA) failed, retry failed!");
return ERROR;
}
retry++;
cs_sleepms(10);
}
}
else
{
if(reader->ecmcommand < 5) // cache ecm commands until ecmcommand cache is full
{
reader->ecmcommandcache[reader->ecmcommand] = er->ecm[3];
reader->ecmcommand++;
if(reader->ecmcommand == 5) // cache is full, comparing!
{
int32_t t = 0;
int32_t matchfound = 0;
reader->ecmcommand++; // No more caching of ecm commands, next ecms will be compared!
while(t < 5)
{
if(reader->ecmcommandcache[t] == er->ecm[3])
{
matchfound++;
}
t++;
}
if(matchfound != 5)
{
reader->ecmcommand = 0; // reset ecm filter, start a new auto filter attempt
rdr_log_dbg(reader, D_READER, "Auto ecm command filter caid %04X failed!", reader->caid);
}
else
{
reader->ecmcommandcache[0] = er->ecm[3]; // Passed the filter, store the normal ecm command for this reader!
rdr_log_dbg(reader, D_READER, "Auto ecm command filter caid %04X set to command %02X", reader->caid, er->ecm[3]);
}
}
}
else if(reader->ecmcommandcache[0] != er->ecm[3])
{
rdr_log_dbg(reader, D_READER, "Warning: received an abnominal ecm command %02X for caid: %04X, ignoring!", er->ecm[3], reader->caid);
memset(ea, 0, sizeof(struct s_ecm_answer)); // give it back 00000000 to not disturb the loadbalancer for valid ecm requests on this channel.
return OK;
}
while(!do_cmd(reader, er->ecm[3], er->ecm[4] + 2, 0x87, 0x02, er->ecm + 3 + 2, cta_res, &cta_lr))
{
if(retry == 0)
{
rdr_log_dbg(reader, D_READER, "nagra2_do_ecm failed, retry");
}
else
{
rdr_log_dbg(reader, D_READER, "nagra2_do_ecm failed, retry failed!");
return ERROR;
}
retry++;
cs_sleepms(10);
}
}
cs_sleepms(10);
retry = 0;
while(!CamStateRequest(reader) && retry < 3)
{
rdr_log_dbg(reader, D_READER, "CamStateRequest failed, try: %d", retry);
retry++;
cs_sleepms(10);
}
if(HAS_CW() && (do_cmd(reader, 0x1C, 0x02, 0x9C, 0x36, NULL, cta_res, &cta_lr)))
{
uint8_t v[8];
memset(v, 0, sizeof(v));
uint8_t _cwe0[8];
uint8_t _cwe1[8];
char tmp_dbg[25];
if(csystem_data->swapCW == 1)
{
rdr_log_dbg(reader, D_READER, "swap cws");
idea_cbc_encrypt(&cta_res[30], &_cwe1[0], 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
memset(v, 0, sizeof(v));
idea_cbc_encrypt(&cta_res[4], &_cwe0[0], 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
}
else
{
idea_cbc_encrypt(&cta_res[30], &_cwe0[0], 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
memset(v, 0, sizeof(v));
idea_cbc_encrypt(&cta_res[4], &_cwe1[0], 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
}
rdr_log_dbg(reader, D_READER, "CW0 after IDEA decrypt: %s", cs_hexdump(1, _cwe0, 8, tmp_dbg, sizeof(tmp_dbg)));
rdr_log_dbg(reader, D_READER, "CW1 after IDEA decrypt: %s", cs_hexdump(1, _cwe1, 8, tmp_dbg, sizeof(tmp_dbg)));
if(CW_NEEDS_3DES())
{
rdr_log_dbg(reader, D_READER, "3DES encryption of CWs detected. Using CWPK index:%02X", (csystem_data->ird_info & 7));
if(reader->cak63cwekey_length != 16)
{
rdr_log_dbg(reader, D_READER, "ERROR: Invalid CWPK, can not decrypt CW");
return ERROR;
}
des_ecb3_decrypt(_cwe0, reader->cak63cwekey);
des_ecb3_decrypt(_cwe1, reader->cak63cwekey);
rdr_log_dbg(reader, D_READER, "CW0 after 3DES decrypt: %s", cs_hexdump(1, _cwe0, 8, tmp_dbg, sizeof(tmp_dbg)));
rdr_log_dbg(reader, D_READER, "CW1 after 3DES decrypt: %s", cs_hexdump(1, _cwe1, 8, tmp_dbg, sizeof(tmp_dbg)));
if (!cfg.disablecrccws && !reader->disablecrccws && !chk_if_ignore_checksum((ECM_REQUEST*) er, &cfg.disablecrccws_only_for) && !chk_if_ignore_checksum((ECM_REQUEST*) er, &reader->disablecrccws_only_for))
{
int chkok = 1;
if(((_cwe0[0] + _cwe0[1] + _cwe0[2]) & 0xFF) != _cwe0[3])
{
chkok = 0;
rdr_log_dbg(reader, D_READER, "CW0 checksum error [0]");
}
if(((_cwe0[4] + _cwe0[5] + _cwe0[6]) & 0xFF) != _cwe0[7])
{
chkok = 0;
rdr_log_dbg(reader, D_READER, "CW0 checksum error [1]");
}
if(((_cwe1[0] + _cwe1[1] + _cwe1[2]) & 0xFF) != _cwe1[3])
{
chkok = 0;
rdr_log_dbg(reader, D_READER, "CW1 checksum error [0]");
}
if(((_cwe1[4] + _cwe1[5] + _cwe1[6]) & 0xFF) != _cwe1[7])
{
chkok = 0;
rdr_log_dbg(reader, D_READER, "CW1 checksum error [1]");
}
if(chkok == 0)
{
rdr_log_dbg(reader, D_READER, "CW Decrypt failed");
return ERROR;
}
}
else
{
rdr_log_dbg(reader, D_READER, "checksum test skipped");
}
}
memcpy(ea->cw, _cwe0, 0x08);
memcpy(ea->cw + 8, _cwe1, 0x08);
return OK;
}
}
else
{
// check ECM prov id
if(memcmp(&reader->prid[0][2], er->ecm + 5, 2))
{
return ERROR;
}
// ecm_data: 80 30 89 D3 87 54 11 10 DA A6 0F 4B 92 05 34 00
// serial_data: A0 CA 00 00 8C D3 8A 00 00 00 00 00 10 DA A6 0F
uint8_t ecm_trim[150];
memset(ecm_trim, 0, 150);
memcpy(&ecm_trim[5], er->ecm + 3 + 2 + 2, er->ecm[4] + 2);
if(do_cmd(reader, er->ecm[3], er->ecm[4] + 5, 0x53, 0x16, ecm_trim, cta_res, &cta_lr))
{
if(cta_res[2] == 0x01)
{
uint8_t v[8];
memset(v, 0, sizeof(v));
idea_cbc_encrypt(&cta_res[14], ea->cw, 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
memset(v, 0, sizeof(v));
idea_cbc_encrypt(&cta_res[6], ea->cw + 8, 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
return OK;
}
rdr_log_dbg(reader, D_READER, "can't decode ecm");
return ERROR;
}
}
return ERROR;
}
static int32_t nagra2_do_emm(struct s_reader *reader, EMM_PACKET *ep)
{
def_resp;
struct nagra_data *csystem_data = reader->csystem_data;
if(!csystem_data->is_tiger)
{
if(!do_cmd(reader, ep->emm[8], ep->emm[9] + 2, 0x84, 0x02, ep->emm + 8 + 2, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "nagra2_do_emm failed");
return ERROR;
}
// for slow t14 nagra cards, we must do additional timeout
if(csystem_data->is_pure_nagra == 1)
{
cs_sleepms(300);
}
cs_sleepms(250);
nagra2_post_process(reader);
}
else
{
//check EMM prov id
if(memcmp(&reader->prid[0][2], ep->emm + 10, 2))
{
rdr_log_dbg(reader, D_READER, "EMM skipped since provider doesnt match!");
return SKIPPED;
}
// emm_data: 82 70 8E 00 00 00 00 00 D3 87 8D 11 C0 F4 B1 27 2C 3D 25 94 ...
//serial_data: A0 CA 00 00 8C D3 8A 01 00 00 00 00 C0 F4 B1 27 2C 3D 25 94 ...
uint8_t emm_trim[150] = { 0x01, 0x00, 0x00, 0x00, 0x00 };
memcpy(&emm_trim[5], ep->emm + 3 + 5 + 2 + 2, ep->emm[9] + 2);
if(!do_cmd(reader, ep->emm[8], ep->emm[9] + 5, 0x53, 0x16, emm_trim, cta_res, &cta_lr))
{
rdr_log_dbg(reader, D_READER, "nagra2_do_emm failed");
return ERROR;
}
cs_sleepms(300);
}
if(ep->type != GLOBAL)
{
struct timeb now;
cs_ftime(&now);
int64_t gone = comp_timeb(&now, &reader->emm_last);
if(gone > 3600*1000)
{
add_job(reader->client, ACTION_READER_CARDINFO, NULL, 0); // refresh entitlement since it might have been changed!
}
}
return OK;
}
const struct s_cardsystem reader_nagra =
{
.desc = "nagra",
.caids = (uint16_t[]){ 0x18, 0 },
.do_emm = nagra2_do_emm,
.do_ecm = nagra2_do_ecm,
.post_process = nagra2_post_process,
.card_info = nagra2_card_info,
.card_init = nagra2_card_init,
.get_emm_type = nagra_get_emm_type,
.get_emm_filter = nagra_get_emm_filter,
};
#endif
Reference in New Issue View Git Blame Copy Permalink