search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
revert breaks some stupid old compilers
[oscam.git] / reader-bulcrypt.c
blob32c840b1cc8358ad85063cb8db41d479b2d3449d
1 /*
2 * Bulcrypt card reader for OSCAM
3 * Copyright (C) 2012 Unix Solutions Ltd.
4 *
5 * Authors: Anton Tinchev (atl@unixsol.org)
6 * Georgi Chorbadzhiyski (gf@unixsol.org)
7 *
8 * This program is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 *
21 * =========================================================================
22 *
23 * For more information read the code and the comments. We have tried to
24 * write clear code with lots of comments so it is easy for others to
25 * understand what is going on. There are some things marked *FIXME*,
26 * that are mostly unknown or not fully understand.
27 *
28 * WHAT WAS TESTED AND WAS WORKING:
29 * - Cards with bulcrypt v1 ("cherga"/carpet) are working (we have cards
30 * that report CardType: 0x4c and 0x75.
31 * - Cards return valid code words for subscribed channels.
32 * - Tested with channels encrypted with CAID 0x5581 and 0x4aee on
33 * Hellas 39E. Both MPEG2 (SD) and H.264 (SD and HD) channels were
34 * decrypted.
35 * - Brand new cards were inited without ever being put into providers STBs.
36 * as long the protocol you are using is sending EMMs to the card.
37 * - AU was working (subscription dates and packages were updated)
38 * as long the protocol you are using is sending EMMs to the card.
39 *
40 * WHAT WE DON'T KNOW (YET!):
41 * - How to deobfuscate v2 codewords.
42 *
43 * PERSONAL MESSAGES:
44 * - Many thanks to ilian_71 @ satfriends forum for the protocol info.
45 * - Shouts to yuriks for oscam-ymod, pity it is violating the GPL.
46 *
47 */
48
49 #include "globals.h"
50
51 #ifdef READER_BULCRYPT
52 #include "oscam-work.h"
53 #include "reader-common.h"
54
55 static const uchar atr_carpet[] = { 0x3b, 0x20, 0x00 };
56
57 // *FIXME* We do not know how every 4th byte of the sess_key is calculated.
58 // Currently they are correct thou and code words checksums are correct are
59 // the deobfuscation.
60 static const uchar sess_key[] = { 0xF2, 0x21, 0xC5, 0x69,
61 0x28, 0x86, 0xFB, 0x9E,
62 0xC0, 0x20, 0x28, 0x06,
63 0xD2, 0x23, 0x72, 0x31
64 };
65
66 static const uchar cmd_set_key[] = { 0xDE, 0x1C, 0x00, 0x00, 0x0A,
67 0x12, 0x08,
68 0x56, 0x47, 0x38, 0x29,
69 0x10, 0xAF, 0xBE, 0xCD
70 };
71
72 static const uchar cmd_set_key_v2[] = { 0xDE, 0x1C, 0x00, 0x00, 0x0A,
73 0x12, 0x08,
74 0x00, 0x00, 0x00, 0x00,
75 0x00, 0x00, 0x00, 0x00
76 };
77 // Response: 90 00
78
79 // V2
80 static const uchar cmd_card_v2_key1[] = { 0xDE, 0x12, 0x00, 0x00, 0x00, 0x00 };
81 static const uchar cmd_card_v2_key2[] = { 0xDE, 0x1E, 0x00, 0x00, 0x12, 0x00 };
82
83 static const uchar cmd_cardtype1[] = { 0xDE, 0x16, 0x00, 0x00, 0x00, 0x00 };
84 static const uchar cmd_cardtype2[] = { 0xDE, 0x1E, 0x00, 0x00, 0x03, 0x00 };
85 // Response1: 90 03
86 // Response2: 01 01 4C 90 00 or 01 01 xx 90 00
87 // xx - 4C or 75 (Card type)
88
89 static const uchar cmd_unkn_0a1[] = { 0xDE, 0x0A, 0x00, 0x00, 0x00, 0x00 };
90 static const uchar cmd_unkn_0a2[] = { 0xDE, 0x1E, 0x00, 0x00, 0x03, 0x00 };
91 // Response1: 90 03
92 // Response2: 08 01 00 90 00
93
94 static const uchar cmd_cardsn1[] = { 0xDE, 0x18, 0x00, 0x00, 0x00, 0x00 };
95 static const uchar cmd_cardsn2[] = { 0xDE, 0x1E, 0x00, 0x00, 0x06, 0x00 };
96 // Response1: 90 06
97 // Response2: 02 04 xx xx xx xy 90 00
98 // xx - Card HEX serial
99 // y - Unknown *FIXME*
100
101 static const uchar cmd_ascsn1[] = { 0xDE, 0x1A, 0x00, 0x00, 0x00, 0x00 };
102 static const uchar cmd_ascsn2[] = { 0xDE, 0x1E, 0x00, 0x00, 0x0F, 0x00 };
103 // Response1: 90 0F
104 // Response2: 05 0D xx xx 20 xx xx xx xx xx xx 20 xx xx xx 90 00
105 // xx - Card ASCII serial
106
107 static const uchar cmd_ecm_empty[] = { 0xDE, 0x20, 0x00, 0x00, 0x00, 0x00 };
108 // Response: 90 00
109
110 static const uchar cmd_ecm[] = { 0xDE, 0x20, 0x00, 0x00, 0x4c };
111 // The last byte is ECM length
112
113 static const uchar cmd_ecm_get_cw[] = { 0xDE, 0x1E, 0x00, 0x00, 0x13, 0x00 };
114 // Response: 0A 11 80 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 90 00
115 // 80 - Returned codeword type? *FIXME*
116 // xx - Obfuscated CW
117
118 static const uchar cmd_emm1[] = { 0xDE, 0x02, 0x82, 0x00, 0xb0 };
119 // Response: 90 00 (EMM written OK) or
120 // Response: 90 0A (Subscription data was updated)
121 // The last byte is EMM length (0xb0)
122
123 static const uchar cmd_emm2[] = { 0xDE, 0x04, 0x00, 0x00, 0xb0 };
124 // Response: 90 00 (EMM written OK)
125 // cmd_emm[2] = emm_cmd1
126 // cmd_emm[3] = emm_cmd2
127 // The last byte is EMM length (0xb0)
128
129 static const uchar cmd_sub_info1[] = { 0xDE, 0x06, 0x00, 0x00, 0x00, 0x00 };
130 static const uchar cmd_sub_info2[] = { 0xDE, 0x1E, 0x00, 0x00, 0x2B, 0x00 };
131 // See bulcrypt_card_info() for reponse description
132
133 struct bulcrypt_data
134 {
135 uint8_t bulcrypt_version;
136 };
137
138 static int32_t bulcrypt_card_init(struct s_reader *reader, ATR *newatr)
139 {
140 int i;
141 char tmp[1024];
142 char card_serial[16];
143 const uchar *set_key_command;
144 uchar card_type;
145
146 get_atr
147 def_resp
148
149 if(memcmp(atr, atr_carpet, MIN(sizeof(atr_carpet), atr_size)) != 0)
150 {
151 if(atr_size == 3)
152 {
153 rdr_log(reader, "ATR_len=3 but ATR is unknown: %s",
154 cs_hexdump(1, atr, atr_size, tmp, sizeof(tmp)));
155 }
156 return ERROR;
157 }
158
159 if(!cs_malloc(&reader->csystem_data, sizeof(struct bulcrypt_data)))
160 { return ERROR; }
161 struct bulcrypt_data *csystem_data = reader->csystem_data;
162
163 reader->nprov = 1;
164 memset(reader->prid, 0, sizeof(reader->prid));
165 memset(reader->hexserial, 0, sizeof(reader->hexserial));
166 memset(card_serial, 0, sizeof(card_serial));
167
168 rdr_log(reader, "Bulcrypt card detected, checking card version.");
169
170 // Do we have Bulcrypt V2 card?
171 write_cmd(cmd_card_v2_key1, NULL);
172 write_cmd(cmd_card_v2_key2, NULL);
173 if(cta_lr < 18 || (cta_res[0] != 0x11 && cta_res[1] != 0x10))
174 {
175 // The card is v1
176 csystem_data->bulcrypt_version = 1;
177 set_key_command = cmd_set_key;
178 }
179 else
180 {
181 // The card is v2
182 csystem_data->bulcrypt_version = 2;
183 set_key_command = cmd_set_key_v2;
184 }
185
186 // Set CW obfuscation key
187 write_cmd(set_key_command, set_key_command + 5);
188 if(cta_lr < 2 || (cta_res[0] != 0x90 && cta_res[1] != 0x00))
189 {
190 rdr_log(reader, "(cmd_set_key) Unexpected card answer: %s",
191 cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
192 return ERROR;
193 }
194
195 rdr_log(reader, "Bulcrypt v%d card detected.%s", csystem_data->bulcrypt_version,
196 csystem_data->bulcrypt_version != 1 ? " *UNSUPPORTED CARD VERSION*" : "");
197
198 // Read card type
199 write_cmd(cmd_cardtype1, NULL);
200 write_cmd(cmd_cardtype2, NULL);
201 if(cta_lr < 5 || (cta_res[0] != 0x01 && cta_res[1] != 0x01))
202 {
203 rdr_log(reader, "(cmd_cardtype) Unexpected card answer: %s",
204 cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
205 return ERROR;
206 }
207 card_type = cta_res[2]; // We have seen 0x4c and 0x75
208
209 // *FIXME* Unknown command
210 write_cmd(cmd_unkn_0a1, NULL);
211 write_cmd(cmd_unkn_0a2, NULL);
212
213 // Read card HEX serial
214 write_cmd(cmd_cardsn1, NULL);
215 write_cmd(cmd_cardsn2, NULL);
216 if(cta_lr < 6 || (cta_res[0] != 0x02 && cta_res[1] != 0x04))
217 {
218 rdr_log(reader, "(card_sn) Unexpected card answer: %s",
219 cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
220 return ERROR;
221 }
222 memcpy(reader->hexserial, cta_res + 2, 4);
223 // Skip bottom four bits (they are 0x0b on our cards)
224 reader->hexserial[3] = reader->hexserial[3] & 0xF0;
225
226 // Read card ASCII serial
227 write_cmd(cmd_ascsn1, NULL);
228 write_cmd(cmd_ascsn2, NULL);
229 if(cta_lr < 15 || (cta_res[0] != 0x05 && cta_res[1] != 0x0d))
230 {
231 rdr_log(reader, "(asc_sn) Unexpected card answer: %s",
232 cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
233 return ERROR;
234 }
235 memcpy(card_serial, cta_res + 2, 13);
236 cta_lr = strlen(card_serial);
237 for(i = 0; i < cta_lr; i++)
238 {
239 if(card_serial[i] == ' ')
240 { continue; }
241 // Sanity check
242 if(!isdigit((uchar)card_serial[i]))
243 { card_serial[i] = '*'; }
244 }
245
246 // Write empty ECM, *FIXME* why are we doing this? To prepare the card somehow?
247 write_cmd(cmd_ecm_empty, NULL);
248
249 // The HEX serial have nothing to do with Serial (they do not match)
250 rdr_log_sensitive(reader, "CAID: 0x4AEE|0x5581, CardType: 0x%02x, Serial: {%s}, HexSerial: {%02X %02X %02X %02X}",
251 card_type,
252 card_serial,
253 reader->hexserial[0], reader->hexserial[1], reader->hexserial[2], reader->hexserial[3]);
254
255 rdr_log(reader, "Ready for requests.");
256
257 return OK;
258 }
259
260 static int cw_is_valid(struct s_reader *reader, unsigned char *cw)
261 {
262 unsigned int i = 0, cnt = 0;
263 do
264 {
265 if(cw[i++] == 0)
266 { cnt++; }
267 }
268 while(i < 8);
269
270 if(cnt == 8)
271 {
272 rdr_log(reader, "Invalid CW (all zeroes)");
273 return ERROR;
274 }
275
276 uchar cksum1 = cw[0] + cw[1] + cw[2];
277 uchar cksum2 = cw[4] + cw[5] + cw[6];
278 if(cksum1 != cw[3] || cksum2 != cw[7])
279 {
280 if(cksum1 != cw[3])
281 { rdr_log(reader, "Invalid CW (cksum1 mismatch expected 0x%02x got 0x%02x)", cksum1, cw[3]); }
282 if(cksum2 != cw[7])
283 { rdr_log(reader, "Invalid CW (cksum2 mismatch expected 0x%02x got 0x%02x)", cksum2, cw[7]); }
284 return ERROR;
285 }
286
287 return OK;
288 }
289
290 /*
291 Bulcrypt ECM structure:
292
293 80 70 - ECM header (80 | 81)
294 4c - ECM length after this field (0x4c == 76 bytes)
295 4f 8d 87 0b - unixts == 1334675211 == Tue Apr 17 18:06:51 EEST 2012
296 00 66 - *FIXME* Program number?
297 00 7d - *FIXME*
298 ce 70 - ECM counter
299 0b 88 - ECM type
300 xx yy zz .. - Encrypted ECM payload (64 bytes)
301
302 */
303 static int32_t bulcrypt_do_ecm(struct s_reader *reader, const ECM_REQUEST *er, struct s_ecm_answer *ea)
304 {
305 char tmp[512];
306 uchar ecm_cmd[256];
307 struct bulcrypt_data *csystem_data = reader->csystem_data;
308
309 def_resp
310
311 int32_t ecm_len = check_sct_len(er->ecm, 3);
312 if(ecm_len < 64 || ecm_len > 188)
313 {
314 rdr_log(reader, "Wrong ECM length: %d", ecm_len);
315 return ERROR;
316 }
317
318 // CMD: DE 20 00 00 4C
319 memcpy(ecm_cmd, cmd_ecm, sizeof(cmd_ecm));
320 ecm_cmd[4] = er->ecm[2]; // Set ECM length
321 memcpy(ecm_cmd + sizeof(cmd_ecm), er->ecm + 3, ecm_cmd[4]);
322
323 // Send ECM
324 write_cmd(ecm_cmd, ecm_cmd + 5);
325 if(cta_lr != 2)
326 {
327 rdr_log(reader, "(ecm_cmd) Unexpected card answer: %s",
328 cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
329 return ERROR;
330 }
331
332 if(cta_res[0] == 0x90 && cta_res[1] == 0x03)
333 {
334 rdr_log(reader, "No active subscription.");
335 return ERROR;
336 }
337
338 if(!(cta_res[0] == 0x90 && cta_res[1] == 0x13))
339 {
340 rdr_log(reader, "(ecm_cmd) Unexpected card answer: %s",
341 cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
342 return ERROR;
343 }
344
345 // Call get_cw
346 write_cmd(cmd_ecm_get_cw, NULL);
347
348 // rdr_log(reader, "CW_LOG: %s", cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
349 if(cta_lr < 20 || (cta_res[0] != 0x0a && cta_res[1] != 0x11))
350 {
351 rdr_log(reader, "(get_cw) Unexpected card answer: %s",
352 cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
353 return ERROR;
354 }
355
356 // *FIXME* is the bellow info true?
357 // 0x80 (ver 1) is supported
358 // 0xc0 (ver 2) is *NOT* supported currently
359 if(cta_res[2] == 0xc0)
360 {
361 rdr_log(reader, "Possibly unsupported codeword (bulcrypt v2): %s",
362 cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
363 // *FIXME* commented for testing, this really should be an error
364 //return ERROR;
365 }
366
367 // Remove code word obfuscation
368 uchar *cw = cta_res + 3;
369 if(csystem_data->bulcrypt_version == 1)
370 {
371 int i;
372 for(i = 0 ; i < 16; i++)
373 {
374 cw[i] = cw[i] ^ sess_key[i];
375 }
376 }
377
378 if(er->ecm[0] == 0x81)
379 {
380 // Even/Odd CWs should be exchanged
381 memcpy(ea->cw, cw + 8, 8);
382 memcpy(ea->cw + 8, cw, 8);
383 }
384 else
385 {
386 memcpy(ea->cw, cw, 8);
387 memcpy(ea->cw + 8, cw + 8, 8);
388 }
389
390 // Check if DCW is valid
391 if(!cw_is_valid(reader, ea->cw) || !cw_is_valid(reader, ea->cw + 8))
392 { return ERROR; }
393
394 return OK;
395 }
396
397 /*
398 Bulcrypt EMMs structure
399
400 All EMMs are with section length 183 (0xb7)
401 3 bytes section header
402 7 bytes EMM header
403 173 bytes payload
404
405 82 70 - UNUQUE_EMM_82|8a
406 b4 - Payload length (0xb4 == 180)
407 xx xx xx xy - Card HEX SN (the last 4 bits (y) must be masked)
408 payload
409
410 85 70 - GLOBAL_EMM_85|8b
411 b4 - Payload length (0xb4 == 180)
412 xx xx yy yy - Card HEX SN (the last 16 bits (y) must be masked)
413 payload
414
415 84 70 - SHARED_EMM_84
416 b4 - Payload length (0xb4 == 180)
417 xx xx - Card HEX SN Prefix
418 yy -
419 zz -
420 payload
421
422 Padding EMM:
423 8f 70 b4 ff ff ff ff ff ff ff ff ff .. .. (ff to the end)
424
425 Stats for EMMs collected for a period of 1 hours and 24 minutes
426
427 2279742 - 82 70 b4 - unique_82
428 19051 - 8a 70 b4 - unique_8a (polaris equivallent of 0x82)
429 199949 - 84 70 b4 - shared_84
430 595309 - 85 70 b4 - global_85
431 6417 - 8b 70 b4 - global_8b (polaris equivallent of 0x85)
432 74850 - 8f 70 b4 - filler
433
434 Total EMMs for the period: 3175317
435 */
436
437 #define BULCRYPT_EMM_UNIQUE_82 0x82 // Addressed at single card (updates subscription info)
438 #define BULCRYPT_EMM_UNIQUE_8a 0x8a // Addressed at single card (like 0x82) used for Polaris
439 #define BULCRYPT_EMM_SHARED_84 0x84 // Addressed to 4096 cards (updates keys)
440 #define BULCRYPT_EMM_GLOBAL_85 0x85 // Addressed at 4096 cards (updates packages)
441 #define BULCRYPT_EMM_GLOBAL_8b 0x8b // Addressed at 4096 cards (like 0x85) used for Polaris
442 #define BULCRYPT_EMM_FILLER 0x8f // Filler to pad the EMM stream
443
444 static int32_t bulcrypt_get_emm_type(EMM_PACKET *ep, struct s_reader *reader)
445 {
446 char dump_emm_sn[64];
447 int32_t emm_len = check_sct_len(ep->emm, 3);
448
449 memset(ep->hexserial, 0, 8);
450
451 if(emm_len < 176)
452 {
453 rdr_log_dbg(reader, D_TRACE | D_EMM, "emm_len < 176 (%u): %s",
454 emm_len, cs_hexdump(1, ep->emm, 12, dump_emm_sn, sizeof(dump_emm_sn)));
455 ep->type = UNKNOWN;
456 return 0;
457 }
458
459 ep->type = UNKNOWN;
460 switch(ep->emm[0])
461 {
462 case BULCRYPT_EMM_UNIQUE_82:
463 ep->type = UNIQUE;
464 break; // Bulsatcom
465 case BULCRYPT_EMM_UNIQUE_8a:
466 ep->type = UNIQUE;
467 break; // Polaris
468 case BULCRYPT_EMM_SHARED_84:
469 ep->type = SHARED;
470 break;
471 case BULCRYPT_EMM_GLOBAL_85:
472 ep->type = GLOBAL;
473 break; // Bulsatcom
474 case BULCRYPT_EMM_GLOBAL_8b:
475 ep->type = GLOBAL;
476 break; // Polaris
477 }
478
479 bool ret = false;
480 if(ep->type == UNIQUE)
481 {
482 // The serial numbers looks like this:
483 // aa bb cc dd
484 memcpy(ep->hexserial, ep->emm + 3, 4);
485 ret = reader->hexserial[0] == ep->hexserial[0] &&
486 reader->hexserial[1] == ep->hexserial[1] &&
487 reader->hexserial[2] == ep->hexserial[2] &&
488 ((reader->hexserial[3] & 0xF0) == (ep->hexserial[3] & 0xF0));
489 }
490 else
491 {
492 // To match EMM_84, EMM_85, EMM_8b
493 // aa bb -- --
494 memcpy(ep->hexserial, ep->emm + 3, 2);
495 ret = reader->hexserial[0] == ep->hexserial[0] &&
496 reader->hexserial[1] == ep->hexserial[1];
497 }
498
499 if(ret)
500 {
501 char dump_card_sn[64];
502 cs_hexdump(1, reader->hexserial, 4, dump_card_sn, sizeof(dump_card_sn));
503 cs_hexdump(1, ep->hexserial, 4, dump_emm_sn, sizeof(dump_emm_sn));
504 rdr_log_sensitive(reader, "EMM_%s-%02x, emm_sn = {%s}, card_sn = {%s}",
505 ep->type == UNIQUE ? "UNIQUE" :
506 ep->type == SHARED ? "SHARED" :
507 ep->type == GLOBAL ? "GLOBAL" : "??????",
508 ep->emm[0],
509 dump_emm_sn,
510 dump_card_sn);
511 }
512
513 return ret;
514 }
515
516 static int32_t bulcrypt_get_emm_filter(struct s_reader *rdr, struct s_csystem_emm_filter **emm_filters, unsigned int *filter_count)
517 {
518 if(*emm_filters == NULL)
519 {
520 const unsigned int max_filter_count = 5;
521 if(!cs_malloc(emm_filters, max_filter_count * sizeof(struct s_csystem_emm_filter)))
522 { return ERROR; }
523
524 struct s_csystem_emm_filter *filters = *emm_filters;
525 *filter_count = 0;
526
527 int32_t idx = 0;
528
529 filters[idx].type = EMM_UNIQUE;
530 filters[idx].enabled = 1;
531 filters[idx].filter[0] = 0x82;
532 filters[idx].filter[1] = rdr->hexserial[0];
533 filters[idx].filter[2] = rdr->hexserial[1];
534 filters[idx].filter[3] = rdr->hexserial[2];
535 filters[idx].filter[4] = rdr->hexserial[3];
536 filters[idx].mask[0] = 0xFF;
537 filters[idx].mask[1] = 0xFF;
538 filters[idx].mask[2] = 0xFF;
539 filters[idx].mask[3] = 0xFF;
540 filters[idx].mask[4] = 0xF0;
541 idx++;
542
543 filters[idx].type = EMM_UNIQUE;
544 filters[idx].enabled = 1;
545 filters[idx].filter[0] = 0x8a;
546 filters[idx].filter[1] = rdr->hexserial[0];
547 filters[idx].filter[2] = rdr->hexserial[1];
548 filters[idx].filter[3] = rdr->hexserial[2];
549 filters[idx].filter[4] = rdr->hexserial[3];
550 filters[idx].mask[0] = 0xFF;
551 filters[idx].mask[1] = 0xFF;
552 filters[idx].mask[2] = 0xFF;
553 filters[idx].mask[3] = 0xFF;
554 filters[idx].mask[4] = 0xF0;
555 idx++;
556
557 filters[idx].type = EMM_SHARED;
558 filters[idx].enabled = 1;
559 filters[idx].filter[0] = 0x84;
560 filters[idx].filter[1] = rdr->hexserial[0];
561 filters[idx].filter[2] = rdr->hexserial[1];
562 filters[idx].mask[0] = 0xFF;
563 filters[idx].mask[1] = 0xFF;
564 filters[idx].mask[2] = 0xFF;
565 idx++;
566
567 filters[idx].type = EMM_GLOBAL;
568 filters[idx].enabled = 1;
569 filters[idx].filter[0] = 0x85;
570 filters[idx].filter[1] = rdr->hexserial[0];
571 filters[idx].filter[2] = rdr->hexserial[1];
572 filters[idx].mask[0] = 0xFF;
573 filters[idx].mask[1] = 0xFF;
574 filters[idx].mask[2] = 0xFF;
575 idx++;
576
577 filters[idx].type = EMM_GLOBAL;
578 filters[idx].enabled = 1;
579 filters[idx].filter[0] = 0x8b;
580 filters[idx].filter[1] = rdr->hexserial[0];
581 filters[idx].filter[2] = rdr->hexserial[1];
582 filters[idx].mask[0] = 0xFF;
583 filters[idx].mask[1] = 0xFF;
584 filters[idx].mask[2] = 0xFF;
585 idx++;
586
587 *filter_count = idx;
588 }
589
590 return OK;
591 }
592
593 static int32_t bulcrypt_do_emm(struct s_reader *reader, EMM_PACKET *ep)
594 {
595 char tmp[512];
596 uchar emm_cmd[1024];
597
598 def_resp
599
600 // DE 04 xx yy B0
601 // xx == EMM type (emm[0])
602 // yy == EMM type2 (emm[5])
603 // B0 == EMM len (176)
604 memcpy(emm_cmd, cmd_emm1, sizeof(cmd_emm1));
605 memcpy(emm_cmd + sizeof(cmd_emm1), ep->emm + 7, 176);
606
607 switch(ep->emm[0])
608 {
609 case BULCRYPT_EMM_UNIQUE_82:
610 emm_cmd[2] = ep->emm[0]; // 0x82
611 break;
612 case BULCRYPT_EMM_UNIQUE_8a: // Polaris equivallent of 0x82
613 emm_cmd[2] = 0x82;
614 emm_cmd[3] = 0x0b;
615 break;
616 case BULCRYPT_EMM_SHARED_84:
617 emm_cmd[2] = ep->emm[0]; // 0x84
618 emm_cmd[3] = ep->emm[5]; // 0x0b
619 break;
620 case BULCRYPT_EMM_GLOBAL_85:
621 case BULCRYPT_EMM_GLOBAL_8b: // Polaris 0x85 equivallent of 0x85
622 memcpy(emm_cmd, cmd_emm2, sizeof(cmd_emm2));
623 emm_cmd[2] = ep->emm[5]; // 0xXX (Last bytes of the serial)
624 emm_cmd[3] = ep->emm[6]; // 0x0b
625 break;
626 }
627
628 // Write emm
629 write_cmd(emm_cmd, emm_cmd + 5);
630 if(cta_lr != 2 || cta_res[0] != 0x90 || (cta_res[1] != 0x00 && cta_res[1] != 0x0a && cta_res[1] != 0x12))
631 {
632 rdr_log(reader, "(emm_cmd) Unexpected card answer: %s",
633 cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
634 return ERROR;
635 }
636
637 // V2 answers of 82 EMM
638 if(cta_res[0] == 0x90 && cta_res[1] == 0x12)
639 {
640 write_cmd(cmd_card_v2_key2, NULL);
641 if(cta_res[18] == 0x90 && cta_res[19] == 0x12)
642 {
643 write_cmd(cmd_card_v2_key2, NULL);
644 }
645 }
646
647 if(ep->emm[0] == BULCRYPT_EMM_UNIQUE_82 && cta_res[0] == 0x90 && (cta_res[1] == 0x0a || cta_res[1] == 0x00))
648 {
649 rdr_log(reader, "Your subscription data was updated.");
650 add_job(reader->client, ACTION_READER_CARDINFO, NULL, 0);
651 }
652
653 return OK;
654 }
655
656 static char *dec2bin_str(unsigned int d, char *s)
657 {
658 unsigned int i, r = 8;
659 memset(s, 0, 9);
660 for(i = 1; i < 256; i <<= 1)
661 { s[--r] = (d & i) == i ? '+' : '-'; }
662 return s;
663 }
664
665 static int32_t bulcrypt_card_info(struct s_reader *reader)
666 {
667 char tmp[512];
668 time_t last_upd_ts, subs_end_ts;
669 struct tm tm;
670 def_resp
671
672 rdr_log(reader, "Reading subscription info.");
673
674 cs_clear_entitlement(reader);
675
676 write_cmd(cmd_sub_info1, NULL);
677 write_cmd(cmd_sub_info2, NULL);
678
679 if(cta_lr < 45)
680 {
681 rdr_log(reader, "(info_cmd) Unexpected card answer: %s",
682 cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
683 return ERROR;
684 }
685
686 // Response contains:
687 // 13 29 0B
688 // 4F 8F 00 E9 - Unix ts set by UNIQUE_EMM_82
689 // 3C 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BF
690 // 3C 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BF
691 // 90 2B
692
693 last_upd_ts = b2i(4, cta_res + 3);
694 subs_end_ts = last_upd_ts + (31 * 86400); // *FIXME* this is just a guess
695
696 reader->card_valid_to = subs_end_ts;
697
698 gmtime_r(&last_upd_ts, &tm);
699 memset(tmp, 0, sizeof(tmp));
700 strftime(tmp, sizeof(tmp), "%Y-%m-%d %H:%M:%S %Z", &tm);
701 rdr_log(reader, "Subscription data last update : %s", tmp);
702
703 gmtime_r(&subs_end_ts, &tm);
704 memset(tmp, 0, sizeof(tmp));
705 strftime(tmp, sizeof(tmp), "%Y-%m-%d %H:%M:%S %Z", &tm);
706 rdr_log(reader, "Subscription should be active to : %s", tmp);
707
708 unsigned int subs1 = b2i(2, cta_res + 3 + 4 + 16);
709 unsigned int subs2 = b2i(2, cta_res + 3 + 4 + 16 + 18);
710
711 if(subs1 == 0xffff)
712 {
713 rdr_log(reader, "No active subscriptions (0x%04x, 0x%04x)", subs1, subs2);
714 }
715 else
716 {
717 unsigned int i;
718 rdr_log(reader, "Subscription data 1 (0x%04x): %s",
719 subs1, dec2bin_str(subs1, tmp));
720 rdr_log(reader, "Subscription data 2 (0x%04x): %s",
721 subs2, dec2bin_str(subs2, tmp));
722
723 // Configure your tiers to get subscription packets name resolution
724 // # Example oscam.tiers file
725 // 5581:0001|Economic
726 // 5581:0002|Standard
727 // 5581:0004|Premium
728 // 5581:0008|HBO
729 // 5581:0010|Cinemax
730 // 5581:0020|Unknown Package 20
731 // 5581:0040|Film Plus - Sport Plus HD & Hobby TV HD
732 // 5581:0080|Unknown Package 80
733 for(i = 1; i < 256; i <<= 1)
734 {
735 if((subs1 & i) == i)
736 {
737 cs_add_entitlement(reader, 0x4AEE,
738 0, /* provid */
739 i, /* id */
740 0, /* class */
741 last_upd_ts, /* start_ts */
742 subs_end_ts, /* end_ts */
743 4, /* type: Tier */
744 1 /* add */
745 );
746 cs_add_entitlement(reader, 0x5581,
747 0, /* provid */
748 i, /* id */
749 0, /* class */
750 last_upd_ts, /* start_ts */
751 subs_end_ts, /* end_ts */
752 4, /* type: Tier */
753 1 /* add */
754 );
755 get_tiername(i, 0x4aee, tmp);
756 if(tmp[0] == 0x00)
757 { get_tiername(i, 0x5581, tmp); }
758 rdr_log(reader, " Package %02x is active: %s", i, tmp);
759 }
760 }
761 }
762
763 rdr_log(reader, "End subscription info.");
764 return OK;
765 }
766
767 const struct s_cardsystem reader_bulcrypt =
768 {
769 .desc = "bulcrypt",
770 .caids = (uint16_t[]){ 0x5581, 0x4AEE, 0 },
771 .do_emm = bulcrypt_do_emm,
772 .do_ecm = bulcrypt_do_ecm,
773 .card_info = bulcrypt_card_info,
774 .card_init = bulcrypt_card_init,
775 .get_emm_type = bulcrypt_get_emm_type,
776 .get_emm_filter = bulcrypt_get_emm_filter,
777 };
778
779 #endif
Open Source Conditional Access Modul