search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
revert breaks some stupid old compilers
[oscam.git] / reader-cryptoworks.c
blob9bbc5ae9a8576dc4ccdadf62c0b295d04854e3dd
1 #include "globals.h"
2 #ifdef READER_CRYPTOWORKS
3 #include "cscrypt/bn.h"
4 #include "oscam-config.h"
5 #include "oscam-emm.h"
6 #include "reader-common.h"
7
8 struct bignum_st;
9 struct cryptoworks_data
10 {
11 BIGNUM *exp;
12 BIGNUM *ucpk;
13 int32_t ucpk_valid;
14 };
15
16 #define CMD_LEN 5
17
18 static const char *cs_cert = "oscam.cert";
19
20 static int search_boxkey(struct s_reader *rdr, uint16_t caid, char *key)
21 {
22 int i, rc = 0;
23 FILE *fp;
24 char c_caid[512];
25
26 fp = fopen(get_config_filename(c_caid, sizeof(c_caid), cs_cert), "r");
27 if(fp)
28 {
29 for(; (!rc) && fgets(c_caid, sizeof(c_caid), fp);)
30 {
31 char *c_provid, *c_key;
32
33 c_provid = strchr(c_caid, '#');
34 if(c_provid)
35 { *c_provid = '\0'; }
36 if(!(c_provid = strchr(c_caid, ':')))
37 { continue; }
38 *c_provid++ = '\0';
39 if(!(c_key = strchr(c_provid, ':')))
40 { continue; }
41 *c_key++ = '\0';
42 if(word_atob(trim(c_caid)) != caid)
43 { continue; }
44 if((i = (strlen(trim(c_key)) >> 1)) > 256)
45 { continue; }
46 if(cs_atob((uchar *)key, c_key, i) < 0)
47 {
48 rdr_log(rdr, "ERROR: wrong key in \"%s\"", cs_cert);
49 continue;
50 }
51 rc = 1;
52 }
53 fclose(fp);
54 }
55 return rc;
56 }
57
58 static void RotateBytes1(unsigned char *out, unsigned char *in, int32_t n)
59 {
60 // loop is executed atleast once, so it's not a good idea to
61 // call with n=0 !!
62 out += n;
63 do
64 {
65 *(--out) = *(in++);
66 }
67 while(--n);
68 }
69
70 static void RotateBytes2(unsigned char *in, int32_t n)
71 {
72 // loop is executed atleast once, so it's not a good idea to
73 // call with n=0 !!
74 unsigned char *e = in + n - 1;
75 do
76 {
77 unsigned char temp = *in;
78 *in++ = *e;
79 *e-- = temp;
80 }
81 while(in < e);
82 }
83
84 static int32_t Input(BIGNUM *d, unsigned char *in, int32_t n, int32_t LE)
85 {
86 if(LE)
87 {
88 unsigned char tmp[n];
89 RotateBytes1(tmp, in, n);
90 return (BN_bin2bn(tmp, n, d) != 0);
91 }
92 else
93 { return (BN_bin2bn(in, n, d) != 0); }
94 }
95
96 static int32_t Output(struct s_reader *reader, unsigned char *out, int32_t n, BIGNUM *r, int32_t LE)
97 {
98 int32_t s = BN_num_bytes(r);
99 if(s > n)
100 {
101 unsigned char buff[s];
102 rdr_log_dbg(reader, D_READER, "rsa: RSA len %d > %d, truncating", s, n);
103 BN_bn2bin(r, buff);
104 memcpy(out, buff + s - n, n);
105 }
106 else if(s < n)
107 {
108 int32_t l = n - s;
109 rdr_log_dbg(reader, D_READER, "rsa: RSA len %d < %d, padding", s, n);
110 memset(out, 0, l);
111 BN_bn2bin(r, out + l);
112 }
113 else
114 { BN_bn2bin(r, out); }
115 if(LE)
116 { RotateBytes2(out, n); }
117 return (s);
118 }
119
120 static int32_t cw_RSA(struct s_reader *reader, unsigned char *out, unsigned char *in, int32_t n, BIGNUM *exp, BIGNUM *mod, int32_t LE)
121 {
122 int32_t rc = 0;
123 BN_CTX *ctx;
124 BIGNUM *r, *d;
125 ctx = BN_CTX_new();
126 r = BN_new();
127 d = BN_new();
128 if(Input(d, in, n, LE))
129 {
130 if(BN_mod_exp(r, d, exp, mod, ctx))
131 { rc = Output(reader, out, n, r, LE); }
132 else
133 { rdr_log(reader, "rsa: mod-exp failed"); }
134 }
135 BN_CTX_free(ctx);
136 BN_free(d);
137 BN_free(r);
138 return (rc);
139 }
140
141 static time_t chid_date(uchar *ptr, char *buf, int32_t l)
142 {
143 time_t rc = 0;
144 struct tm timeinfo;
145 memset(&timeinfo, 0, sizeof(struct tm));
146 if(buf)
147 {
148 timeinfo.tm_year = 90 + (ptr[0] >> 1);
149 timeinfo.tm_mon = (((ptr[0] & 1) << 3) | (ptr[1] >> 5)) - 1;
150 timeinfo.tm_mday = ptr[1] & 0x1f;
151 rc = mktime(&timeinfo);
152 strftime(buf, l, "%Y/%m/%d", &timeinfo);
153 }
154 return (rc);
155 }
156
157
158 static int32_t select_file(struct s_reader *reader, uchar f1, uchar f2, uchar *cta_res, uint16_t *p_cta_lr)
159 {
160 uint16_t cta_lr;
161 uchar insA4[] = {0xA4, 0xA4, 0x00, 0x00, 0x02, 0x00, 0x00};
162 insA4[5] = f1;
163 insA4[6] = f2;
164 write_cmd(insA4, insA4 + 5); // select file
165 *p_cta_lr = cta_lr;
166 return ((cta_res[0] == 0x9f) && (cta_res[1] == 0x11));
167 }
168
169 static int32_t read_record(struct s_reader *reader, uchar rec, uchar *cta_res)
170 {
171 uint16_t cta_lr;
172 uchar insA2[] = {0xA4, 0xA2, 0x00, 0x00, 0x01, 0x00};
173 uchar insB2[] = {0xA4, 0xB2, 0x00, 0x00, 0x00};
174
175 insA2[5] = rec;
176 write_cmd(insA2, insA2 + 5); // select record
177 if(cta_res[0] != 0x9f)
178 { return (-1); }
179 insB2[4] = cta_res[1]; // get len
180 write_cmd(insB2, NULL); // read record
181 if((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1]))
182 { return (-1); }
183 return (cta_lr - 2);
184 }
185
186 /*
187 int32_t cryptoworks_send_pin(struct s_reader * reader)
188 {
189 unsigned char insPIN[] = { 0xA4, 0x20, 0x00, 0x00, 0x04, 0x00,0x00,0x00,0x00 }; //Verify PIN
190
191 if(reader->pincode[0] && (reader->pincode[0]&0xF0)==0x30)
192 {
193 memcpy(insPIN+5,reader->pincode,4);
194
195 write_cmd(insPIN, insPIN+5);
196 rdr_log_dbg(reader, D_READER, "Sent pincode to card.");
197 if((cta_res[0]==0x98)&&(cta_res[1]==0x04)) rdr_log(reader, "bad pincode");
198
199 return OK;
200 }
201
202 return(0);
203 }
204 */
205
206 static int32_t cryptoworks_disable_pin(struct s_reader *reader)
207 {
208 def_resp;
209 unsigned char insPIN[] = { 0xA4, 0x26, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00 }; //disable PIN
210
211 if(reader->pincode[0] && (reader->pincode[0] & 0xF0) == 0x30)
212 {
213 memcpy(insPIN + 5, reader->pincode, 4);
214
215 write_cmd(insPIN, insPIN + 5);
216 rdr_log(reader, "disable pincode to card");
217 if((cta_res[0] == 0x98) && (cta_res[1] == 0x04)) { rdr_log(reader, "bad pincode"); }
218 return ERROR;
219 }
220 return OK;
221 }
222
223 static int32_t cryptoworks_card_init(struct s_reader *reader, ATR *newatr)
224 {
225 get_atr;
226 def_resp;
227 int32_t i;
228 uint32_t mfid = 0x3F20;
229 static const uchar cwexp[] = { 1, 0 , 1};
230 uchar insA4C[] = {0xA4, 0xC0, 0x00, 0x00, 0x11};
231 uchar insB8[] = {0xA4, 0xB8, 0x00, 0x00, 0x0c};
232 uchar issuerid = 0;
233 char issuer[20] = {0}, tmp[11];
234 char *unknown = "unknown", *pin = unknown, ptxt[CS_MAXPROV << 2] = {0};
235
236 if((atr[6] != 0xC4) || (atr[9] != 0x8F) || (atr[10] != 0xF1)) { return ERROR; }
237
238 if(!cs_malloc(&reader->csystem_data, sizeof(struct cryptoworks_data)))
239 { return ERROR; }
240 struct cryptoworks_data *csystem_data = reader->csystem_data;
241
242 rdr_log(reader, "card detected");
243 rdr_log(reader, "type: CryptoWorks");
244
245 reader->caid = 0xD00;
246 reader->nprov = 0;
247 memset(reader->prid, 0, sizeof(reader->prid));
248
249 write_cmd(insA4C, NULL); // read masterfile-ID
250 if((cta_res[0] == 0xDF) && (cta_res[1] >= 6))
251 { mfid = (cta_res[6] << 8) | cta_res[7]; }
252
253 select_file(reader, 0x3f, 0x20, cta_res, &cta_lr);
254 insB8[2] = insB8[3] = 0; // first
255 for(cta_res[0] = 0xdf; cta_res[0] == 0xdf;)
256 {
257 write_cmd(insB8, NULL); // read provider id's
258 if(cta_res[0] != 0xdf) { break; }
259 if(((cta_res[4] & 0x1f) == 0x1f) && (reader->nprov < CS_MAXPROV))
260 {
261 snprintf(ptxt + strlen(ptxt), sizeof(ptxt) - strlen(ptxt), ",%02X", cta_res[5]);
262 reader->prid[reader->nprov++][3] = cta_res[5];
263 }
264 insB8[2] = insB8[3] = 0xff; // next
265 }
266 for(i = reader->nprov; i < CS_MAXPROV; i++)
267 { memset(&reader->prid[i][0], 0xff, 4); }
268
269 select_file(reader, 0x2f, 0x01, cta_res, &cta_lr); // read caid
270 if(read_record(reader, 0xD1, cta_res) >= 4)
271 { reader->caid = (cta_res[2] << 8) | cta_res[3]; }
272
273 if(read_record(reader, 0x80, cta_res) >= 7) // read serial
274 { memcpy(reader->hexserial, cta_res + 2, 5); }
275 rdr_log_sensitive(reader, "type: CryptoWorks, caid: %04X, ascii serial: {%llu}, hex serial: {%s}",
276 reader->caid, (unsigned long long) b2ll(5, reader->hexserial), cs_hexdump(0, reader->hexserial, 5, tmp, sizeof(tmp)));
277
278 if(read_record(reader, 0x9E, cta_res) >= 66) // read ISK
279 {
280 uchar keybuf[256];
281 BIGNUM *ipk;
282 if(search_boxkey(reader, reader->caid, (char *)keybuf))
283 {
284 ipk = BN_new();
285 BN_bin2bn(cwexp, sizeof(cwexp), csystem_data->exp);
286 BN_bin2bn(keybuf, 64, ipk);
287 cw_RSA(reader, cta_res + 2, cta_res + 2, 0x40, csystem_data->exp, ipk, 0);
288 BN_free(ipk);
289 csystem_data->ucpk_valid = (cta_res[2] == ((mfid & 0xFF) >> 1));
290 if(csystem_data->ucpk_valid)
291 {
292 cta_res[2] |= 0x80;
293 BN_bin2bn(cta_res + 2, 0x40, csystem_data->ucpk);
294 rdr_log_dump_dbg(reader, D_READER, cta_res + 2, 0x40, "IPK available -> session-key:");
295 }
296 else
297 {
298 csystem_data->ucpk_valid = (keybuf[0] == (((mfid & 0xFF) >> 1) | 0x80));
299 if(csystem_data->ucpk_valid)
300 {
301 BN_bin2bn(keybuf, 0x40, csystem_data->ucpk);
302 rdr_log_dump_dbg(reader, D_READER, keybuf, 0x40, "session-key found:");
303 }
304 else
305 { rdr_log(reader, "invalid IPK or session-key for CAID %04X !", reader->caid); }
306 }
307 }
308 }
309 if(read_record(reader, 0x9F, cta_res) >= 3)
310 { issuerid = cta_res[2]; }
311 if(read_record(reader, 0xC0, cta_res) >= 16)
312 {
313 cs_strncpy(issuer, (const char *)cta_res + 2, sizeof(issuer));
314 trim(issuer);
315 }
316 else
317 { cs_strncpy(issuer, unknown, sizeof(issuer)); }
318
319 select_file(reader, 0x3f, 0x20, cta_res, &cta_lr);
320 select_file(reader, 0x2f, 0x11, cta_res, &cta_lr); // read pin
321 if(read_record(reader, atr[8], cta_res) >= 7)
322 {
323 cta_res[6] = 0;
324 pin = (char *)cta_res + 2;
325 }
326 rdr_log(reader, "issuer: %s, id: %02X, bios: v%d, pin: %s, mfid: %04X", issuer, issuerid, atr[7], pin, mfid);
327 rdr_log(reader, "providers: %d (%s)", reader->nprov, ptxt + 1);
328
329 cryptoworks_disable_pin(reader);
330
331 return OK;
332 }
333
334 static int32_t cryptoworks_do_ecm(struct s_reader *reader, const ECM_REQUEST *er, struct s_ecm_answer *ea)
335 {
336 def_resp;
337 int32_t r = 0;
338 unsigned char ins4C[] = { 0xA4, 0x4C, 0x00, 0x00, 0x00 };
339 unsigned char insC0[] = { 0xA4, 0xC0, 0x00, 0x00, 0x1C };
340 unsigned char nanoD4[10];
341 struct cryptoworks_data *csystem_data = reader->csystem_data;
342 int32_t secLen = check_sct_len(er->ecm, -5 + (csystem_data->ucpk_valid ? sizeof(nanoD4) : 0));
343
344 if(secLen > 5)
345 {
346 int32_t i;
347 const uchar *ecm = er->ecm;
348 uchar buff[MAX_LEN];
349
350 if(csystem_data->ucpk_valid)
351 {
352 memcpy(buff, er->ecm, secLen);
353 nanoD4[0] = 0xD4;
354 nanoD4[1] = 0x08;
355 for(i = 2; i < (int)sizeof(nanoD4); i++)
356 { nanoD4[i] = rand(); }
357 memcpy(&buff[secLen], nanoD4, sizeof(nanoD4));
358 ecm = buff;
359 secLen += sizeof(nanoD4);
360 }
361
362 ins4C[3] = csystem_data->ucpk_valid ? 2 : 0;
363 ins4C[4] = secLen - 5;
364 write_cmd(ins4C, ecm + 5);
365 if(cta_res[cta_lr - 2] == 0x9f)
366 {
367 insC0[4] = cta_res[cta_lr - 1];
368 write_cmd(insC0, NULL);
369 for(i = 0; i < secLen && r < 2;)
370 {
371 int32_t n = cta_res[i + 1];
372 switch(cta_res[i])
373 {
374 case 0x80:
375 rdr_log_dbg(reader, D_READER, "nano 80 (serial)");
376 break;
377 case 0xD4:
378 rdr_log_dbg(reader, D_READER, "nano D4 (rand)");
379 if(n < 8 || memcmp(&cta_res[i], nanoD4, sizeof(nanoD4)))
380 {
381 rdr_log_dbg(reader, D_READER, "random data check failed after decrypt");
382 }
383 break;
384 case 0xDB: // CW
385 rdr_log_dbg(reader, D_READER, "nano DB (cw)");
386 if(n == 0x10)
387 {
388 memcpy(ea->cw, &cta_res[i + 2], 16);
389 r |= 1;
390 }
391 break;
392 case 0xDF: // signature
393 rdr_log_dbg(reader, D_READER, "nano DF %02x (sig)", n);
394 if(n == 0x08)
395 {
396 if((cta_res[i + 2] & 0x50) == 0x50 && !(cta_res[i + 3] & 0x01) && (cta_res[i + 5] & 0x80))
397 { r |= 2; }
398 }
399 else if(n == 0x40) // camcrypt
400 {
401 if(csystem_data->ucpk_valid)
402 {
403 cw_RSA(reader, &cta_res[i + 2], &cta_res[i + 2], n, csystem_data->exp, csystem_data->ucpk, 0);
404 rdr_log_dbg(reader, D_READER, "after camcrypt");
405 r = 0;
406 secLen = n - 4;
407 n = 4;
408 }
409 else
410 {
411 rdr_log(reader, "valid UCPK needed for camcrypt!");
412 return ERROR;
413 }
414 }
415 break;
416 default:
417 rdr_log_dbg(reader, D_READER, "nano %02x (unhandled)", cta_res[i]);
418 break;
419 }
420 i += n + 2;
421 }
422 }
423
424 /*
425 #ifdef LALL
426 if ((cta_res[cta_lr-2]==0x9f)&&(cta_res[cta_lr-1]==0x1c))
427 {
428 write_cmd(insC0, NULL);
429 if ((cta_lr>26)&&(cta_res[cta_lr-2]==0x90)&&(cta_res[cta_lr-1]==0))
430 {
431 if (rc=(((cta_res[20]&0x50)==0x50) &&
432 (!(cta_res[21]&0x01)) &&
433 (cta_res[23]&0x80)))
434 memcpy(ea->cw, cta_res+2, 16);
435 }
436 }
437 #endif
438 */
439 }
440 //return(rc ? 1 : 0);
441 return ((r == 3) ? 1 : 0);
442 }
443
444 static uint32_t cryptoworks_get_emm_provid(unsigned char *buffer, int32_t len)
445 {
446 uint32_t provid = 0;
447 int32_t i = 0;
448
449 for(i = 0; i < len;)
450 {
451 switch(buffer[i])
452 {
453 case 0x83:
454 provid = buffer[i + 2] & 0xfc;
455 return provid;
456 break;
457 default:
458 i += buffer[i + 1] + 2;
459 break;
460 }
461
462 }
463 return provid;
464 }
465
466 static int32_t cryptoworks_get_emm_type(EMM_PACKET *ep, struct s_reader *rdr)
467 {
468 char dumprdrserial[16], dumpemmserial[16];
469
470 rdr_log_dbg(rdr, D_EMM, "Entered cryptoworks_get_emm_type ep->emm[0]=%02x", ep->emm[0]);
471 switch(ep->emm[0])
472 {
473 case 0x82:
474 if(ep->emm[3] == 0xA9 && ep->emm[4] == 0xFF && ep->emm[13] == 0x80 && ep->emm[14] == 0x05)
475 {
476 ep->type = UNIQUE;
477 memset(ep->hexserial, 0, 8);
478 memcpy(ep->hexserial, ep->emm + 5, 5);
479 cs_hexdump(1, rdr->hexserial, 5, dumprdrserial, sizeof(dumprdrserial));
480 cs_hexdump(1, ep->hexserial, 5, dumpemmserial, sizeof(dumpemmserial));
481 i2b_buf(4, cryptoworks_get_emm_provid(ep->emm + 12, ep->emmlen - 12), ep->provid);
482 rdr_log_dbg_sensitive(rdr, D_EMM, "UNIQUE, ep = {%s} rdr = {%s}", dumpemmserial, dumprdrserial);
483 return (!memcmp(ep->emm + 5, rdr->hexserial, 5)); // check for serial
484 }
485 break;
486 case 0x84:
487 if(ep->emm[3] == 0xA9 && ep->emm[4] == 0xFF && ep->emm[12] == 0x80 && ep->emm[13] == 0x04)
488 {
489 ep->type = SHARED;
490 memset(ep->hexserial, 0, 8);
491 memcpy(ep->hexserial, ep->emm + 5, 4);
492 cs_hexdump(1, rdr->hexserial, 4, dumprdrserial, sizeof(dumprdrserial));
493 cs_hexdump(1, ep->hexserial, 4, dumpemmserial, sizeof(dumpemmserial));
494 i2b_buf(4, cryptoworks_get_emm_provid(ep->emm + 12, ep->emmlen - 12), ep->provid);
495 rdr_log_dbg_sensitive(rdr, D_EMM, "SHARED, ep = {%s} rdr = {%s}", dumpemmserial, dumprdrserial);
496 return (!memcmp(ep->emm + 5, rdr->hexserial, 4)); // check for SA
497 }
498 break;
499 case 0x86:
500 if(ep->emm[3] == 0xA9 && ep->emm[4] == 0xFF && ep->emm[5] == 0x83
501 && ep->emm[6] == 0x01 && (ep->emm[8] == 0x85 || ep->emm[8] == 0x84 || ep->emm[8] == 0x8C))
502 {
503 rdr_log_dbg(rdr, D_EMM, "SHARED (Header)");
504 ep->type = SHARED;
505 i2b_buf(4, cryptoworks_get_emm_provid(ep->emm + 8, ep->emmlen - 8), ep->provid);
506 // We need those packets to pass otherwise we would never
507 // be able to complete EMM reassembly
508 return 1;
509 }
510 break;
511 case 0x88:
512 case 0x89:
513 if(ep->emm[3] == 0xA9 && ep->emm[4] == 0xFF && ep->emm[8] == 0x83 && ep->emm[9] == 0x01)
514 {
515 rdr_log_dbg(rdr, D_EMM, "GLOBAL");
516 ep->type = GLOBAL;
517 i2b_buf(4, cryptoworks_get_emm_provid(ep->emm + 8, ep->emmlen - 8), ep->provid);
518 return 1;
519 }
520 break;
521 case 0x8F:
522 ep->type = UNKNOWN;
523 rdr_log_dbg(rdr, D_EMM, "0x8F via camd3");
524
525 switch(ep->emm[4])
526 {
527 case 0x44:
528 i2b_buf(4, cryptoworks_get_emm_provid(ep->emm + 8, ep->emmlen - 8), ep->provid);
529 ep->type = GLOBAL;
530 break;
531 case 0x48:
532 i2b_buf(4, cryptoworks_get_emm_provid(ep->emm + 12, ep->emmlen - 12), ep->provid);
533 ep->type = SHARED;
534 break;
535 case 0x42:
536 i2b_buf(4, cryptoworks_get_emm_provid(ep->emm + 12, ep->emmlen - 12), ep->provid);
537 ep->type = UNIQUE;
538 break;
539 }
540 return 1;
541
542 /* FIXME: Seems to be that all other EMM types are rejected by the card */
543 default:
544 ep->type = UNKNOWN;
545 rdr_log_dbg(rdr, D_EMM, "UNKNOWN");
546 return 0; // skip emm
547 }
548
549 rdr_log_dbg(rdr, D_EMM, "invalid");
550 return 0;
551 }
552
553 static int32_t cryptoworks_get_emm_filter(struct s_reader *rdr, struct s_csystem_emm_filter **emm_filters, unsigned int *filter_count)
554 {
555 if(*emm_filters == NULL)
556 {
557 const unsigned int max_filter_count = 4;
558 if(!cs_malloc(emm_filters, max_filter_count * sizeof(struct s_csystem_emm_filter)))
559 { return ERROR; }
560
561 struct s_csystem_emm_filter *filters = *emm_filters;
562 *filter_count = 0;
563
564 int32_t idx = 0;
565
566 filters[idx].type = EMM_GLOBAL;
567 filters[idx].enabled = 1;
568 filters[idx].filter[0] = 0x88;
569 filters[idx].mask[0] = 0xFE;
570 filters[idx].filter[1] = 0xA9;
571 filters[idx].mask[1] = 0xFF;
572 filters[idx].filter[2] = 0xFF;
573 filters[idx].mask[2] = 0xFF;
574 idx++;
575
576 filters[idx].type = EMM_SHARED;
577 filters[idx].enabled = 1;
578 filters[idx].filter[0] = 0x86;
579 filters[idx].mask[0] = 0xFF;
580 filters[idx].filter[1] = 0xA9;
581 filters[idx].mask[1] = 0xFF;
582 filters[idx].filter[2] = 0xFF;
583 filters[idx].mask[2] = 0xFF;
584 idx++;
585
586 filters[idx].type = EMM_SHARED;
587 filters[idx].enabled = 1;
588 filters[idx].filter[0] = 0x84;
589 filters[idx].mask[0] = 0xFF;
590 filters[idx].filter[1] = 0xA9;
591 filters[idx].mask[1] = 0xFF;
592 filters[idx].filter[2] = 0xFF;
593 filters[idx].mask[2] = 0xFF;
594 memcpy(&filters[idx].filter[3], rdr->hexserial, 4);
595 memset(&filters[idx].mask[3], 0xFF, 4);
596 idx++;
597
598 filters[idx].type = EMM_UNIQUE;
599 filters[idx].enabled = 1;
600 filters[idx].filter[0] = 0x82;
601 filters[idx].mask[0] = 0xFF;
602 filters[idx].filter[1] = 0xA9;
603 filters[idx].mask[1] = 0xFF;
604 filters[idx].filter[2] = 0xFF;
605 filters[idx].mask[2] = 0xFF;
606 memcpy(&filters[idx].filter[3], rdr->hexserial, 5);
607 memset(&filters[idx].mask[3], 0xFF, 5);
608 idx++;
609
610 *filter_count = idx;
611 }
612
613 return OK;
614 }
615
616 static int32_t cryptoworks_do_emm(struct s_reader *reader, EMM_PACKET *ep)
617 {
618 def_resp;
619 uchar insEMM_GA[] = {0xA4, 0x44, 0x00, 0x00, 0x00};
620 uchar insEMM_SA[] = {0xA4, 0x48, 0x00, 0x00, 0x00};
621 uchar insEMM_UA[] = {0xA4, 0x42, 0x00, 0x00, 0x00};
622 uchar *emm = ep->emm;
623
624 if(emm[0] == 0x8f && emm[3] == 0xA4)
625 {
626 //camd3 emm
627 write_cmd(emm + 3, emm + 3 + CMD_LEN);
628 }
629 else
630 {
631 switch(ep->type)
632 {
633 //GA
634 case GLOBAL:
635 insEMM_GA[4] = ep->emm[2] - 2;
636 if(emm[7] == insEMM_GA[4] - 3)
637 {
638 write_cmd(insEMM_GA, emm + 5);
639 }
640 break;
641
642 //SA
643 case SHARED:
644 insEMM_SA[4] = ep->emm[2] - 6;
645 if(emm[11] == insEMM_SA[4] - 3)
646 {
647 write_cmd(insEMM_SA, emm + 9);
648 }
649 break;
650
651 //UA
652 case UNIQUE:
653 insEMM_UA[4] = ep->emm[2] - 7;
654 if(emm[12] == insEMM_UA[4] - 3)
655 {
656 //cryptoworks_send_pin(); //?? may be
657 write_cmd(insEMM_UA, emm + 10);
658 }
659 break;
660 }
661 }
662
663 if((cta_res[0] == 0x90) && (cta_res[1] == 0x00))
664 {
665 return OK;
666 }
667 if((cta_res[0] == 0x94) && (cta_res[1] == 0x04)) // emm already written before, entitlement / key is already up to date -> skipped
668 {
669 return SKIPPED;
670 }
671
672 rdr_log_dbg(reader, D_EMM, "%s(): type %d - response %02X %02X", __func__, ep->type, cta_res[0], cta_res[1]);
673 return ERROR;
674 }
675
676 static int32_t cryptoworks_card_info(struct s_reader *reader)
677 {
678 def_resp;
679 int32_t i;
680 uchar insA21[] = {0xA4, 0xA2, 0x01, 0x00, 0x05, 0x8C, 0x00, 0x00, 0x00, 0x00};
681 uchar insB2[] = {0xA4, 0xB2, 0x00, 0x00, 0x00};
682 char l_name[20 + 8] = ", name: ";
683
684 cs_clear_entitlement(reader); // reset the entitlements
685
686 for(i = 0; i < reader->nprov; i++)
687 {
688 l_name[8] = 0;
689 select_file(reader, 0x1f, reader->prid[i][3], cta_res, &cta_lr); // select provider
690 select_file(reader, 0x0e, 0x11, cta_res, &cta_lr); // read provider name
691 if(read_record(reader, 0xD6, cta_res) >= 16)
692 {
693 cs_strncpy(l_name + 8, (const char *)cta_res + 2, sizeof(l_name) - 9);
694 l_name[sizeof(l_name) - 1] = 0;
695 trim(l_name + 8);
696 }
697 l_name[0] = (l_name[8]) ? ',' : 0;
698 rdr_log(reader, "provider: %d, id: %02X%s", i + 1, reader->prid[i][3], l_name);
699 select_file(reader, 0x0f, 0x20, cta_res, &cta_lr); // select provider class
700 write_cmd(insA21, insA21 + 5);
701 if(cta_res[0] == 0x9f)
702 {
703 insB2[4] = cta_res[1];
704 for(insB2[3] = 0; (cta_res[0] != 0x94) || (cta_res[1] != 0x2); insB2[3] = 1)
705 {
706 write_cmd(insB2, NULL); // read chid
707 if(cta_res[0] != 0x94)
708 {
709 char ds[16], de[16];
710
711 // todo: add entitlements to list but produces a warning related to date variable
712 cs_add_entitlement(reader, reader->caid, reader->prid[i][3], b2i(2, cta_res + 6), 0,
713 chid_date(cta_res + 28, ds, sizeof(ds) - 1),
714 chid_date(cta_res + 30, de, sizeof(de) - 1), 3, 1);
715
716 rdr_log(reader, "chid: %02X%02X, date: %s - %s, name: %s",
717 cta_res[6], cta_res[7], ds, de, trim((char *) cta_res + 10));
718 }
719 }
720 }
721
722 select_file(reader, 0x0f, 0x00, cta_res, &cta_lr); // select provider channel
723 write_cmd(insA21, insA21 + 5);
724 if(cta_res[0] == 0x9f)
725 {
726 insB2[4] = cta_res[1];
727 for(insB2[3] = 0; (cta_res[0] != 0x94) || (cta_res[1] != 0x2); insB2[3] = 1)
728 {
729 write_cmd(insB2, NULL); // read chid
730 if(cta_res[0] != 0x94)
731 {
732 char ds[16], de[16];
733
734 // todo: add entitlements to list but produces a warning related to date variable
735 cs_add_entitlement(reader, reader->caid, reader->prid[i][3], b2i(2, cta_res + 6), 0,
736 chid_date(cta_res + 28, ds, sizeof(ds) - 1),
737 chid_date(cta_res + 30, de, sizeof(de) - 1), 3, 1);
738
739 cta_res[27] = 0;
740 rdr_log(reader, "chid: %02X%02X, date: %s - %s, name: %s",
741 cta_res[6], cta_res[7], ds, de, trim((char *)cta_res + 10));
742 }
743 }
744 }
745 }
746 rdr_log(reader, "ready for requests");
747 return OK;
748 }
749
750 static int32_t cryptoworks_reassemble_emm(struct s_reader *rdr, struct s_client *client, EMM_PACKET *ep)
751 {
752 uchar *buffer = ep->emm;
753 int16_t *len = &ep->emmlen;
754 int16_t emm_len = 0;
755
756 // Cryptoworks
757 // Cryptoworks EMM-S have to be assembled by the client from an EMM-SH with table
758 // id 0x84 and a corresponding EMM-SB (body) with table id 0x86. A pseudo EMM-S
759 // with table id 0x84 has to be build containing all nano commands from both the
760 // original EMM-SH and EMM-SB in ascending order.
761 //
762 if(*len > 500) { return 0; }
763
764 if (!client->cw_rass && !cs_malloc(&client->cw_rass, sizeof(*client->cw_rass)))
765 {
766 cs_log("[cryptoworks] ERROR: Can't allocate EMM reassembly buffer.");
767 return 0;
768 }
769 struct emm_rass *r_emm = client->cw_rass;
770
771 switch(buffer[0])
772 {
773 case 0x82 : // emm-u
774 rdr_log_dbg(rdr, D_EMM, "unique emm (EMM-U)");
775 break;
776
777 case 0x84: // emm-sh
778 rdr_log_dbg(rdr, D_EMM, "shared emm (EMM-SH)");
779 if(!memcmp(r_emm->emm, buffer, *len))
780 { return 0; }
781
782 if(ep->emm[11] == ep->emm[2] - 9)
783 {
784 rdr_log_dbg(rdr, D_EMM, "received assembled EMM-S");
785 return 1;
786 }
787
788 memcpy(r_emm->emm, buffer, *len);
789 r_emm->emmlen = *len;
790 rdr_log_dbg(rdr, D_EMM, "EMM-SH only in memcpy");
791 return 0;
792
793 case 0x86: // emm-sb
794 rdr_log_dbg(rdr, D_EMM, "shared emm (EMM-SB)");
795 if(!r_emm->emmlen)
796 { return 0; }
797
798 // we keep the first 12 bytes of the 0x84 emm (EMM-SH)
799 // now we need to append the payload of the 0x86 emm (EMM-SB)
800 // starting after the header (&buffer[5])
801 // then the rest of the payload from EMM-SH
802 // so we should have :
803 // EMM-SH[0:12] + EMM-SB[5:len_EMM-SB] + EMM-SH[12:EMM-SH_len]
804 // then sort the nano in ascending order
805 // update the emm len (emmBuf[1:2])
806 //
807
808 emm_len = *len - 5 + r_emm->emmlen - 12;
809 unsigned char *tmp, *assembled;
810 if(!cs_malloc(&tmp, emm_len))
811 { return 0; }
812 if(!cs_malloc(&assembled, emm_len + 12))
813 {
814 free(tmp);
815 return 0;
816 }
817 unsigned char *assembled_EMM;
818 if(!cs_malloc(&assembled_EMM, emm_len + 12))
819 {
820 free(assembled);
821 free(tmp);
822 return 0;
823 }
824 memcpy(tmp, &buffer[5], *len - 5);
825 memcpy(tmp + *len - 5, &r_emm->emm[12], r_emm->emmlen - 12);
826 memcpy(assembled_EMM, r_emm->emm, 12);
827 emm_sort_nanos(assembled_EMM + 12, tmp, emm_len);
828
829 assembled_EMM[1] = ((emm_len + 9) >> 8) | 0x70;
830 assembled_EMM[2] = (emm_len + 9) & 0xFF;
831
832 if(assembled_EMM[11] != emm_len) // sanity check
833 {
834 // error in emm assembly
835 rdr_log_dbg(rdr, D_EMM, "Error assembling EMM-S");
836 free(assembled_EMM);
837 return 0;
838 }
839
840 //copy back the assembled emm in the working buffer
841 memcpy(buffer, assembled_EMM, emm_len + 12);
842 *len = emm_len + 12;
843
844 free(tmp);
845 free(assembled);
846
847 r_emm->emmlen = 0;
848
849 rdr_log_dump_dbg(rdr, D_EMM, buffer, *len, "shared emm (assembled):");
850 free(assembled_EMM);
851 break;
852
853 case 0x88: // emm-g
854 case 0x89: // emm-g
855 rdr_log_dbg(rdr, D_EMM, "global emm (EMM-G)");
856 break;
857 }
858 return 1;
859 }
860
861 const struct s_cardsystem reader_cryptoworks =
862 {
863 .desc = "cryptoworks",
864 .caids = (uint16_t[]){ 0x0D, 0 },
865 .do_emm_reassembly = cryptoworks_reassemble_emm,
866 .do_emm = cryptoworks_do_emm,
867 .do_ecm = cryptoworks_do_ecm,
868 .card_info = cryptoworks_card_info,
869 .card_init = cryptoworks_card_init,
870 .get_emm_type = cryptoworks_get_emm_type,
871 .get_emm_filter = cryptoworks_get_emm_filter,
872 };
873
874 #endif
Open Source Conditional Access Modul