2 * Bulcrypt card reader for OSCAM
3 * Copyright (C) 2012 Unix Solutions Ltd.
5 * Authors: Anton Tinchev (atl@unixsol.org)
6 * Georgi Chorbadzhiyski (gf@unixsol.org)
8 * This program is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
21 * =========================================================================
23 * For more information read the code and the comments. We have tried to
24 * write clear code with lots of comments so it is easy for others to
25 * understand what is going on. There are some things marked *FIXME*,
26 * that are mostly unknown or not fully understand.
28 * WHAT WAS TESTED AND WAS WORKING:
29 * - Cards with bulcrypt v1 ("cherga"/carpet) are working (we have cards
30 * that report CardType: 0x4c and 0x75.
31 * - Cards return valid code words for subscribed channels.
32 * - Tested with channels encrypted with CAID 0x5581 and 0x4aee on
33 * Hellas 39E. Both MPEG2 (SD) and H.264 (SD and HD) channels were
35 * - Brand new cards were inited without ever being put into providers STBs.
36 * as long the protocol you are using is sending EMMs to the card.
37 * - AU was working (subscription dates and packages were updated)
38 * as long the protocol you are using is sending EMMs to the card.
40 * WHAT WE DON'T KNOW (YET!):
41 * - How to deobfuscate v2 codewords.
44 * - Many thanks to ilian_71 @ satfriends forum for the protocol info.
45 * - Shouts to yuriks for oscam-ymod, pity it is violating the GPL.
51 #ifdef READER_BULCRYPT
52 #include "oscam-work.h"
53 #include "reader-common.h"
55 static const uchar atr_carpet
[] = { 0x3b, 0x20, 0x00 };
57 // *FIXME* We do not know how every 4th byte of the sess_key is calculated.
58 // Currently they are correct thou and code words checksums are correct are
60 static const uchar sess_key
[] = { 0xF2, 0x21, 0xC5, 0x69,
61 0x28, 0x86, 0xFB, 0x9E,
62 0xC0, 0x20, 0x28, 0x06,
63 0xD2, 0x23, 0x72, 0x31
66 static const uchar cmd_set_key
[] = { 0xDE, 0x1C, 0x00, 0x00, 0x0A,
68 0x56, 0x47, 0x38, 0x29,
69 0x10, 0xAF, 0xBE, 0xCD
72 static const uchar cmd_set_key_v2
[] = { 0xDE, 0x1C, 0x00, 0x00, 0x0A,
74 0x00, 0x00, 0x00, 0x00,
75 0x00, 0x00, 0x00, 0x00
80 static const uchar cmd_card_v2_key1
[] = { 0xDE, 0x12, 0x00, 0x00, 0x00, 0x00 };
81 static const uchar cmd_card_v2_key2
[] = { 0xDE, 0x1E, 0x00, 0x00, 0x12, 0x00 };
83 static const uchar cmd_cardtype1
[] = { 0xDE, 0x16, 0x00, 0x00, 0x00, 0x00 };
84 static const uchar cmd_cardtype2
[] = { 0xDE, 0x1E, 0x00, 0x00, 0x03, 0x00 };
86 // Response2: 01 01 4C 90 00 or 01 01 xx 90 00
87 // xx - 4C or 75 (Card type)
89 static const uchar cmd_unkn_0a1
[] = { 0xDE, 0x0A, 0x00, 0x00, 0x00, 0x00 };
90 static const uchar cmd_unkn_0a2
[] = { 0xDE, 0x1E, 0x00, 0x00, 0x03, 0x00 };
92 // Response2: 08 01 00 90 00
94 static const uchar cmd_cardsn1
[] = { 0xDE, 0x18, 0x00, 0x00, 0x00, 0x00 };
95 static const uchar cmd_cardsn2
[] = { 0xDE, 0x1E, 0x00, 0x00, 0x06, 0x00 };
97 // Response2: 02 04 xx xx xx xy 90 00
98 // xx - Card HEX serial
99 // y - Unknown *FIXME*
101 static const uchar cmd_ascsn1
[] = { 0xDE, 0x1A, 0x00, 0x00, 0x00, 0x00 };
102 static const uchar cmd_ascsn2
[] = { 0xDE, 0x1E, 0x00, 0x00, 0x0F, 0x00 };
104 // Response2: 05 0D xx xx 20 xx xx xx xx xx xx 20 xx xx xx 90 00
105 // xx - Card ASCII serial
107 static const uchar cmd_ecm_empty
[] = { 0xDE, 0x20, 0x00, 0x00, 0x00, 0x00 };
110 static const uchar cmd_ecm
[] = { 0xDE, 0x20, 0x00, 0x00, 0x4c };
111 // The last byte is ECM length
113 static const uchar cmd_ecm_get_cw
[] = { 0xDE, 0x1E, 0x00, 0x00, 0x13, 0x00 };
114 // Response: 0A 11 80 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 90 00
115 // 80 - Returned codeword type? *FIXME*
116 // xx - Obfuscated CW
118 static const uchar cmd_emm1
[] = { 0xDE, 0x02, 0x82, 0x00, 0xb0 };
119 // Response: 90 00 (EMM written OK) or
120 // Response: 90 0A (Subscription data was updated)
121 // The last byte is EMM length (0xb0)
123 static const uchar cmd_emm2
[] = { 0xDE, 0x04, 0x00, 0x00, 0xb0 };
124 // Response: 90 00 (EMM written OK)
125 // cmd_emm[2] = emm_cmd1
126 // cmd_emm[3] = emm_cmd2
127 // The last byte is EMM length (0xb0)
129 static const uchar cmd_sub_info1
[] = { 0xDE, 0x06, 0x00, 0x00, 0x00, 0x00 };
130 static const uchar cmd_sub_info2
[] = { 0xDE, 0x1E, 0x00, 0x00, 0x2B, 0x00 };
131 // See bulcrypt_card_info() for reponse description
135 uint8_t bulcrypt_version
;
138 static int32_t bulcrypt_card_init(struct s_reader
*reader
, ATR
*newatr
)
142 char card_serial
[16];
143 const uchar
*set_key_command
;
149 if(memcmp(atr
, atr_carpet
, MIN(sizeof(atr_carpet
), atr_size
)) != 0)
153 rdr_log(reader
, "ATR_len=3 but ATR is unknown: %s",
154 cs_hexdump(1, atr
, atr_size
, tmp
, sizeof(tmp
)));
159 if(!cs_malloc(&reader
->csystem_data
, sizeof(struct bulcrypt_data
)))
161 struct bulcrypt_data
*csystem_data
= reader
->csystem_data
;
164 memset(reader
->prid
, 0, sizeof(reader
->prid
));
165 memset(reader
->hexserial
, 0, sizeof(reader
->hexserial
));
166 memset(card_serial
, 0, sizeof(card_serial
));
168 rdr_log(reader
, "Bulcrypt card detected, checking card version.");
170 // Do we have Bulcrypt V2 card?
171 write_cmd(cmd_card_v2_key1
, NULL
);
172 write_cmd(cmd_card_v2_key2
, NULL
);
173 if(cta_lr
< 18 || (cta_res
[0] != 0x11 && cta_res
[1] != 0x10))
176 csystem_data
->bulcrypt_version
= 1;
177 set_key_command
= cmd_set_key
;
182 csystem_data
->bulcrypt_version
= 2;
183 set_key_command
= cmd_set_key_v2
;
186 // Set CW obfuscation key
187 write_cmd(set_key_command
, set_key_command
+ 5);
188 if(cta_lr
< 2 || (cta_res
[0] != 0x90 && cta_res
[1] != 0x00))
190 rdr_log(reader
, "(cmd_set_key) Unexpected card answer: %s",
191 cs_hexdump(1, cta_res
, cta_lr
, tmp
, sizeof(tmp
)));
195 rdr_log(reader
, "Bulcrypt v%d card detected.%s", csystem_data
->bulcrypt_version
,
196 csystem_data
->bulcrypt_version
!= 1 ? " *UNSUPPORTED CARD VERSION*" : "");
199 write_cmd(cmd_cardtype1
, NULL
);
200 write_cmd(cmd_cardtype2
, NULL
);
201 if(cta_lr
< 5 || (cta_res
[0] != 0x01 && cta_res
[1] != 0x01))
203 rdr_log(reader
, "(cmd_cardtype) Unexpected card answer: %s",
204 cs_hexdump(1, cta_res
, cta_lr
, tmp
, sizeof(tmp
)));
207 card_type
= cta_res
[2]; // We have seen 0x4c and 0x75
209 // *FIXME* Unknown command
210 write_cmd(cmd_unkn_0a1
, NULL
);
211 write_cmd(cmd_unkn_0a2
, NULL
);
213 // Read card HEX serial
214 write_cmd(cmd_cardsn1
, NULL
);
215 write_cmd(cmd_cardsn2
, NULL
);
216 if(cta_lr
< 6 || (cta_res
[0] != 0x02 && cta_res
[1] != 0x04))
218 rdr_log(reader
, "(card_sn) Unexpected card answer: %s",
219 cs_hexdump(1, cta_res
, cta_lr
, tmp
, sizeof(tmp
)));
222 memcpy(reader
->hexserial
, cta_res
+ 2, 4);
223 // Skip bottom four bits (they are 0x0b on our cards)
224 reader
->hexserial
[3] = reader
->hexserial
[3] & 0xF0;
226 // Read card ASCII serial
227 write_cmd(cmd_ascsn1
, NULL
);
228 write_cmd(cmd_ascsn2
, NULL
);
229 if(cta_lr
< 15 || (cta_res
[0] != 0x05 && cta_res
[1] != 0x0d))
231 rdr_log(reader
, "(asc_sn) Unexpected card answer: %s",
232 cs_hexdump(1, cta_res
, cta_lr
, tmp
, sizeof(tmp
)));
235 memcpy(card_serial
, cta_res
+ 2, 13);
236 cta_lr
= strlen(card_serial
);
237 for(i
= 0; i
< cta_lr
; i
++)
239 if(card_serial
[i
] == ' ')
242 if(!isdigit((uchar
)card_serial
[i
]))
243 { card_serial
[i
] = '*'; }
246 // Write empty ECM, *FIXME* why are we doing this? To prepare the card somehow?
247 write_cmd(cmd_ecm_empty
, NULL
);
249 // The HEX serial have nothing to do with Serial (they do not match)
250 rdr_log_sensitive(reader
, "CAID: 0x4AEE|0x5581, CardType: 0x%02x, Serial: {%s}, HexSerial: {%02X %02X %02X %02X}",
253 reader
->hexserial
[0], reader
->hexserial
[1], reader
->hexserial
[2], reader
->hexserial
[3]);
255 rdr_log(reader
, "Ready for requests.");
260 static int cw_is_valid(struct s_reader
*reader
, unsigned char *cw
)
262 unsigned int i
= 0, cnt
= 0;
272 rdr_log(reader
, "Invalid CW (all zeroes)");
276 uchar cksum1
= cw
[0] + cw
[1] + cw
[2];
277 uchar cksum2
= cw
[4] + cw
[5] + cw
[6];
278 if(cksum1
!= cw
[3] || cksum2
!= cw
[7])
281 { rdr_log(reader
, "Invalid CW (cksum1 mismatch expected 0x%02x got 0x%02x)", cksum1
, cw
[3]); }
283 { rdr_log(reader
, "Invalid CW (cksum2 mismatch expected 0x%02x got 0x%02x)", cksum2
, cw
[7]); }
291 Bulcrypt ECM structure:
293 80 70 - ECM header (80 | 81)
294 4c - ECM length after this field (0x4c == 76 bytes)
295 4f 8d 87 0b - unixts == 1334675211 == Tue Apr 17 18:06:51 EEST 2012
296 00 66 - *FIXME* Program number?
300 xx yy zz .. - Encrypted ECM payload (64 bytes)
303 static int32_t bulcrypt_do_ecm(struct s_reader
*reader
, const ECM_REQUEST
*er
, struct s_ecm_answer
*ea
)
307 struct bulcrypt_data
*csystem_data
= reader
->csystem_data
;
311 int32_t ecm_len
= check_sct_len(er
->ecm
, 3);
312 if(ecm_len
< 64 || ecm_len
> 188)
314 rdr_log(reader
, "Wrong ECM length: %d", ecm_len
);
318 // CMD: DE 20 00 00 4C
319 memcpy(ecm_cmd
, cmd_ecm
, sizeof(cmd_ecm
));
320 ecm_cmd
[4] = er
->ecm
[2]; // Set ECM length
321 memcpy(ecm_cmd
+ sizeof(cmd_ecm
), er
->ecm
+ 3, ecm_cmd
[4]);
324 write_cmd(ecm_cmd
, ecm_cmd
+ 5);
327 rdr_log(reader
, "(ecm_cmd) Unexpected card answer: %s",
328 cs_hexdump(1, cta_res
, cta_lr
, tmp
, sizeof(tmp
)));
332 if(cta_res
[0] == 0x90 && cta_res
[1] == 0x03)
334 rdr_log(reader
, "No active subscription.");
338 if(!(cta_res
[0] == 0x90 && cta_res
[1] == 0x13))
340 rdr_log(reader
, "(ecm_cmd) Unexpected card answer: %s",
341 cs_hexdump(1, cta_res
, cta_lr
, tmp
, sizeof(tmp
)));
346 write_cmd(cmd_ecm_get_cw
, NULL
);
348 // rdr_log(reader, "CW_LOG: %s", cs_hexdump(1, cta_res, cta_lr, tmp, sizeof(tmp)));
349 if(cta_lr
< 20 || (cta_res
[0] != 0x0a && cta_res
[1] != 0x11))
351 rdr_log(reader
, "(get_cw) Unexpected card answer: %s",
352 cs_hexdump(1, cta_res
, cta_lr
, tmp
, sizeof(tmp
)));
356 // *FIXME* is the bellow info true?
357 // 0x80 (ver 1) is supported
358 // 0xc0 (ver 2) is *NOT* supported currently
359 if(cta_res
[2] == 0xc0)
361 rdr_log(reader
, "Possibly unsupported codeword (bulcrypt v2): %s",
362 cs_hexdump(1, cta_res
, cta_lr
, tmp
, sizeof(tmp
)));
363 // *FIXME* commented for testing, this really should be an error
367 // Remove code word obfuscation
368 uchar
*cw
= cta_res
+ 3;
369 if(csystem_data
->bulcrypt_version
== 1)
372 for(i
= 0 ; i
< 16; i
++)
374 cw
[i
] = cw
[i
] ^ sess_key
[i
];
378 if(er
->ecm
[0] == 0x81)
380 // Even/Odd CWs should be exchanged
381 memcpy(ea
->cw
, cw
+ 8, 8);
382 memcpy(ea
->cw
+ 8, cw
, 8);
386 memcpy(ea
->cw
, cw
, 8);
387 memcpy(ea
->cw
+ 8, cw
+ 8, 8);
390 // Check if DCW is valid
391 if(!cw_is_valid(reader
, ea
->cw
) || !cw_is_valid(reader
, ea
->cw
+ 8))
398 Bulcrypt EMMs structure
400 All EMMs are with section length 183 (0xb7)
401 3 bytes section header
405 82 70 - UNUQUE_EMM_82|8a
406 b4 - Payload length (0xb4 == 180)
407 xx xx xx xy - Card HEX SN (the last 4 bits (y) must be masked)
410 85 70 - GLOBAL_EMM_85|8b
411 b4 - Payload length (0xb4 == 180)
412 xx xx yy yy - Card HEX SN (the last 16 bits (y) must be masked)
415 84 70 - SHARED_EMM_84
416 b4 - Payload length (0xb4 == 180)
417 xx xx - Card HEX SN Prefix
423 8f 70 b4 ff ff ff ff ff ff ff ff ff .. .. (ff to the end)
425 Stats for EMMs collected for a period of 1 hours and 24 minutes
427 2279742 - 82 70 b4 - unique_82
428 19051 - 8a 70 b4 - unique_8a (polaris equivallent of 0x82)
429 199949 - 84 70 b4 - shared_84
430 595309 - 85 70 b4 - global_85
431 6417 - 8b 70 b4 - global_8b (polaris equivallent of 0x85)
432 74850 - 8f 70 b4 - filler
434 Total EMMs for the period: 3175317
437 #define BULCRYPT_EMM_UNIQUE_82 0x82 // Addressed at single card (updates subscription info)
438 #define BULCRYPT_EMM_UNIQUE_8a 0x8a // Addressed at single card (like 0x82) used for Polaris
439 #define BULCRYPT_EMM_SHARED_84 0x84 // Addressed to 4096 cards (updates keys)
440 #define BULCRYPT_EMM_GLOBAL_85 0x85 // Addressed at 4096 cards (updates packages)
441 #define BULCRYPT_EMM_GLOBAL_8b 0x8b // Addressed at 4096 cards (like 0x85) used for Polaris
442 #define BULCRYPT_EMM_FILLER 0x8f // Filler to pad the EMM stream
444 static int32_t bulcrypt_get_emm_type(EMM_PACKET
*ep
, struct s_reader
*reader
)
446 char dump_emm_sn
[64];
447 int32_t emm_len
= check_sct_len(ep
->emm
, 3);
449 memset(ep
->hexserial
, 0, 8);
453 rdr_log_dbg(reader
, D_TRACE
| D_EMM
, "emm_len < 176 (%u): %s",
454 emm_len
, cs_hexdump(1, ep
->emm
, 12, dump_emm_sn
, sizeof(dump_emm_sn
)));
462 case BULCRYPT_EMM_UNIQUE_82
:
465 case BULCRYPT_EMM_UNIQUE_8a
:
468 case BULCRYPT_EMM_SHARED_84
:
471 case BULCRYPT_EMM_GLOBAL_85
:
474 case BULCRYPT_EMM_GLOBAL_8b
:
480 if(ep
->type
== UNIQUE
)
482 // The serial numbers looks like this:
484 memcpy(ep
->hexserial
, ep
->emm
+ 3, 4);
485 ret
= reader
->hexserial
[0] == ep
->hexserial
[0] &&
486 reader
->hexserial
[1] == ep
->hexserial
[1] &&
487 reader
->hexserial
[2] == ep
->hexserial
[2] &&
488 ((reader
->hexserial
[3] & 0xF0) == (ep
->hexserial
[3] & 0xF0));
492 // To match EMM_84, EMM_85, EMM_8b
494 memcpy(ep
->hexserial
, ep
->emm
+ 3, 2);
495 ret
= reader
->hexserial
[0] == ep
->hexserial
[0] &&
496 reader
->hexserial
[1] == ep
->hexserial
[1];
501 char dump_card_sn
[64];
502 cs_hexdump(1, reader
->hexserial
, 4, dump_card_sn
, sizeof(dump_card_sn
));
503 cs_hexdump(1, ep
->hexserial
, 4, dump_emm_sn
, sizeof(dump_emm_sn
));
504 rdr_log_sensitive(reader
, "EMM_%s-%02x, emm_sn = {%s}, card_sn = {%s}",
505 ep
->type
== UNIQUE
? "UNIQUE" :
506 ep
->type
== SHARED
? "SHARED" :
507 ep
->type
== GLOBAL
? "GLOBAL" : "??????",
516 static int32_t bulcrypt_get_emm_filter(struct s_reader
*rdr
, struct s_csystem_emm_filter
**emm_filters
, unsigned int *filter_count
)
518 if(*emm_filters
== NULL
)
520 const unsigned int max_filter_count
= 5;
521 if(!cs_malloc(emm_filters
, max_filter_count
* sizeof(struct s_csystem_emm_filter
)))
524 struct s_csystem_emm_filter
*filters
= *emm_filters
;
529 filters
[idx
].type
= EMM_UNIQUE
;
530 filters
[idx
].enabled
= 1;
531 filters
[idx
].filter
[0] = 0x82;
532 filters
[idx
].filter
[1] = rdr
->hexserial
[0];
533 filters
[idx
].filter
[2] = rdr
->hexserial
[1];
534 filters
[idx
].filter
[3] = rdr
->hexserial
[2];
535 filters
[idx
].filter
[4] = rdr
->hexserial
[3];
536 filters
[idx
].mask
[0] = 0xFF;
537 filters
[idx
].mask
[1] = 0xFF;
538 filters
[idx
].mask
[2] = 0xFF;
539 filters
[idx
].mask
[3] = 0xFF;
540 filters
[idx
].mask
[4] = 0xF0;
543 filters
[idx
].type
= EMM_UNIQUE
;
544 filters
[idx
].enabled
= 1;
545 filters
[idx
].filter
[0] = 0x8a;
546 filters
[idx
].filter
[1] = rdr
->hexserial
[0];
547 filters
[idx
].filter
[2] = rdr
->hexserial
[1];
548 filters
[idx
].filter
[3] = rdr
->hexserial
[2];
549 filters
[idx
].filter
[4] = rdr
->hexserial
[3];
550 filters
[idx
].mask
[0] = 0xFF;
551 filters
[idx
].mask
[1] = 0xFF;
552 filters
[idx
].mask
[2] = 0xFF;
553 filters
[idx
].mask
[3] = 0xFF;
554 filters
[idx
].mask
[4] = 0xF0;
557 filters
[idx
].type
= EMM_SHARED
;
558 filters
[idx
].enabled
= 1;
559 filters
[idx
].filter
[0] = 0x84;
560 filters
[idx
].filter
[1] = rdr
->hexserial
[0];
561 filters
[idx
].filter
[2] = rdr
->hexserial
[1];
562 filters
[idx
].mask
[0] = 0xFF;
563 filters
[idx
].mask
[1] = 0xFF;
564 filters
[idx
].mask
[2] = 0xFF;
567 filters
[idx
].type
= EMM_GLOBAL
;
568 filters
[idx
].enabled
= 1;
569 filters
[idx
].filter
[0] = 0x85;
570 filters
[idx
].filter
[1] = rdr
->hexserial
[0];
571 filters
[idx
].filter
[2] = rdr
->hexserial
[1];
572 filters
[idx
].mask
[0] = 0xFF;
573 filters
[idx
].mask
[1] = 0xFF;
574 filters
[idx
].mask
[2] = 0xFF;
577 filters
[idx
].type
= EMM_GLOBAL
;
578 filters
[idx
].enabled
= 1;
579 filters
[idx
].filter
[0] = 0x8b;
580 filters
[idx
].filter
[1] = rdr
->hexserial
[0];
581 filters
[idx
].filter
[2] = rdr
->hexserial
[1];
582 filters
[idx
].mask
[0] = 0xFF;
583 filters
[idx
].mask
[1] = 0xFF;
584 filters
[idx
].mask
[2] = 0xFF;
593 static int32_t bulcrypt_do_emm(struct s_reader
*reader
, EMM_PACKET
*ep
)
601 // xx == EMM type (emm[0])
602 // yy == EMM type2 (emm[5])
603 // B0 == EMM len (176)
604 memcpy(emm_cmd
, cmd_emm1
, sizeof(cmd_emm1
));
605 memcpy(emm_cmd
+ sizeof(cmd_emm1
), ep
->emm
+ 7, 176);
609 case BULCRYPT_EMM_UNIQUE_82
:
610 emm_cmd
[2] = ep
->emm
[0]; // 0x82
612 case BULCRYPT_EMM_UNIQUE_8a
: // Polaris equivallent of 0x82
616 case BULCRYPT_EMM_SHARED_84
:
617 emm_cmd
[2] = ep
->emm
[0]; // 0x84
618 emm_cmd
[3] = ep
->emm
[5]; // 0x0b
620 case BULCRYPT_EMM_GLOBAL_85
:
621 case BULCRYPT_EMM_GLOBAL_8b
: // Polaris 0x85 equivallent of 0x85
622 memcpy(emm_cmd
, cmd_emm2
, sizeof(cmd_emm2
));
623 emm_cmd
[2] = ep
->emm
[5]; // 0xXX (Last bytes of the serial)
624 emm_cmd
[3] = ep
->emm
[6]; // 0x0b
629 write_cmd(emm_cmd
, emm_cmd
+ 5);
630 if(cta_lr
!= 2 || cta_res
[0] != 0x90 || (cta_res
[1] != 0x00 && cta_res
[1] != 0x0a && cta_res
[1] != 0x12))
632 rdr_log(reader
, "(emm_cmd) Unexpected card answer: %s",
633 cs_hexdump(1, cta_res
, cta_lr
, tmp
, sizeof(tmp
)));
637 // V2 answers of 82 EMM
638 if(cta_res
[0] == 0x90 && cta_res
[1] == 0x12)
640 write_cmd(cmd_card_v2_key2
, NULL
);
641 if(cta_res
[18] == 0x90 && cta_res
[19] == 0x12)
643 write_cmd(cmd_card_v2_key2
, NULL
);
647 if(ep
->emm
[0] == BULCRYPT_EMM_UNIQUE_82
&& cta_res
[0] == 0x90 && (cta_res
[1] == 0x0a || cta_res
[1] == 0x00))
649 rdr_log(reader
, "Your subscription data was updated.");
650 add_job(reader
->client
, ACTION_READER_CARDINFO
, NULL
, 0);
656 static char *dec2bin_str(unsigned int d
, char *s
)
658 unsigned int i
, r
= 8;
660 for(i
= 1; i
< 256; i
<<= 1)
661 { s
[--r
] = (d
& i
) == i
? '+' : '-'; }
665 static int32_t bulcrypt_card_info(struct s_reader
*reader
)
668 time_t last_upd_ts
, subs_end_ts
;
672 rdr_log(reader
, "Reading subscription info.");
674 cs_clear_entitlement(reader
);
676 write_cmd(cmd_sub_info1
, NULL
);
677 write_cmd(cmd_sub_info2
, NULL
);
681 rdr_log(reader
, "(info_cmd) Unexpected card answer: %s",
682 cs_hexdump(1, cta_res
, cta_lr
, tmp
, sizeof(tmp
)));
686 // Response contains:
688 // 4F 8F 00 E9 - Unix ts set by UNIQUE_EMM_82
689 // 3C 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BF
690 // 3C 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BF
693 last_upd_ts
= b2i(4, cta_res
+ 3);
694 subs_end_ts
= last_upd_ts
+ (31 * 86400); // *FIXME* this is just a guess
696 reader
->card_valid_to
= subs_end_ts
;
698 gmtime_r(&last_upd_ts
, &tm
);
699 memset(tmp
, 0, sizeof(tmp
));
700 strftime(tmp
, sizeof(tmp
), "%Y-%m-%d %H:%M:%S %Z", &tm
);
701 rdr_log(reader
, "Subscription data last update : %s", tmp
);
703 gmtime_r(&subs_end_ts
, &tm
);
704 memset(tmp
, 0, sizeof(tmp
));
705 strftime(tmp
, sizeof(tmp
), "%Y-%m-%d %H:%M:%S %Z", &tm
);
706 rdr_log(reader
, "Subscription should be active to : %s", tmp
);
708 unsigned int subs1
= b2i(2, cta_res
+ 3 + 4 + 16);
709 unsigned int subs2
= b2i(2, cta_res
+ 3 + 4 + 16 + 18);
713 rdr_log(reader
, "No active subscriptions (0x%04x, 0x%04x)", subs1
, subs2
);
718 rdr_log(reader
, "Subscription data 1 (0x%04x): %s",
719 subs1
, dec2bin_str(subs1
, tmp
));
720 rdr_log(reader
, "Subscription data 2 (0x%04x): %s",
721 subs2
, dec2bin_str(subs2
, tmp
));
723 // Configure your tiers to get subscription packets name resolution
724 // # Example oscam.tiers file
725 // 5581:0001|Economic
726 // 5581:0002|Standard
730 // 5581:0020|Unknown Package 20
731 // 5581:0040|Film Plus - Sport Plus HD & Hobby TV HD
732 // 5581:0080|Unknown Package 80
733 for(i
= 1; i
< 256; i
<<= 1)
737 cs_add_entitlement(reader
, 0x4AEE,
741 last_upd_ts
, /* start_ts */
742 subs_end_ts
, /* end_ts */
746 cs_add_entitlement(reader
, 0x5581,
750 last_upd_ts
, /* start_ts */
751 subs_end_ts
, /* end_ts */
755 get_tiername(i
, 0x4aee, tmp
);
757 { get_tiername(i
, 0x5581, tmp
); }
758 rdr_log(reader
, " Package %02x is active: %s", i
, tmp
);
763 rdr_log(reader
, "End subscription info.");
767 const struct s_cardsystem reader_bulcrypt
=
770 .caids
= (uint16_t[]){ 0x5581, 0x4AEE, 0 },
771 .do_emm
= bulcrypt_do_emm
,
772 .do_ecm
= bulcrypt_do_ecm
,
773 .card_info
= bulcrypt_card_info
,
774 .card_init
= bulcrypt_card_init
,
775 .get_emm_type
= bulcrypt_get_emm_type
,
776 .get_emm_filter
= bulcrypt_get_emm_filter
,