search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
- Add support of ORF P4 Irdeto mode
[oscam.git] / reader-nagra.c
blob742ffd325a9d62ee56b1245415e935ad7783e48f
1 #include "globals.h"
2 #ifdef READER_NAGRA
3 #include "cscrypt/bn.h"
4 #include "cscrypt/idea.h"
5 #include "oscam-time.h"
6 #include "reader-common.h"
7 #include "oscam-work.h"
8
9 struct nagra_data
10 {
11 IDEA_KEY_SCHEDULE ksSession;
12 int8_t is_pure_nagra;
13 int8_t is_tiger;
14 int8_t is_n3_na;
15 int8_t has_dt08;
16 int8_t swapCW;
17 uint8_t ExpiryDate[2];
18 uint8_t ActivationDate[2];
19 uint8_t plainDT08RSA[64];
20 uint8_t IdeaCamKey[16];
21 uint8_t sessi[16];
22 uint8_t signature[8];
23 uint8_t cam_state[3];
24 };
25
26 // Card Status checks
27 #define HAS_CW() ((csystem_data->cam_state[2]&6)==6)
28 #define RENEW_SESSIONKEY() ((csystem_data->cam_state[0]&128)==128 || (csystem_data->cam_state[0]&64)==64 || (csystem_data->cam_state[0]&32)==32 || (csystem_data->cam_state[2]&8)==8)
29 #define SENDDATETIME() (csystem_data->cam_state[0]&8)
30 // Datatypes
31 #define DT01 0x01
32 #define IRDINFO 0x00
33 #define TIERS 0x05
34 #define DT06 0x06
35 #define CAMDATA 0x08
36
37 #define SYSTEM_NAGRA 0x1800
38 #define SYSTEM_MASK 0xFF00
39
40
41 static time_t tier_date(uint32_t date, char *buf, int32_t l)
42 {
43 time_t ut = 870393600L + date * (24 * 3600);
44 if(buf)
45 {
46 struct tm t;
47 t.tm_isdst = -1;
48 cs_gmtime_r(&ut, &t);
49 snprintf(buf, l, "%04d/%02d/%02d", t.tm_year + 1900, t.tm_mon + 1, t.tm_mday);
50 }
51 return ut;
52 }
53
54 static char *nagra_datetime(struct s_reader *rdr, uint8_t *ndays, int32_t offset, char *result, time_t *t)
55 {
56 struct nagra_data *csystem_data = rdr->csystem_data;
57 struct tm tms;
58 memset(&tms, 0, sizeof(tms));
59 int32_t days = (ndays[0] << 8 | ndays[1]) + offset;
60 int32_t sec = 0;
61 if(!csystem_data->is_tiger)
62 { sec = (ndays[2] << 8 | ndays[3]); }
63 if(days > 0x41B4 && sizeof(time_t) < 8) // to overcome 32-bit systems limitations
64 { days = 0x41A2; } // 01-01-2038
65 tms.tm_year = 92;
66 tms.tm_mday = days + 1;
67 tms.tm_sec = sec;
68 time_t ut = mktime(&tms);
69 if(t)
70 { *t = ut; }
71 if(csystem_data->is_tiger)
72 { snprintf(result, 11, "%02d/%02d/%04d", tms.tm_mday, tms.tm_mon + 1, tms.tm_year + 1900); }
73 else
74 { snprintf(result, 17, "%04d/%02d/%02d %02d:%02d", tms.tm_year + 1900, tms.tm_mon + 1, tms.tm_mday, tms.tm_hour, tms.tm_min); }
75 return result;
76 }
77
78 static int32_t do_cmd(struct s_reader *reader, unsigned char cmd, int32_t ilen, unsigned char res, int32_t rlen, const unsigned char *data, unsigned char *cta_res, uint16_t *p_cta_lr)
79 {
80 /*
81 here we build the command related to the protocol T1 for ROM142 or T14 for ROM181
82 the only different that i know is the command length byte msg[4], this msg[4]+=1 by a ROM181 smartcard (_nighti_)
83 one example for the cmd$C0
84 T14 protocol: 01 A0 CA 00 00 03 C0 00 06 91
85 T1 protocol: 21 00 08 A0 CA 00 00 02 C0 00 06 87
86 */
87 int32_t msglen = ilen + 6;
88 unsigned char msg[msglen];
89 static const char nagra_head[] = {0xA0, 0xCA, 0x00, 0x00};
90 struct nagra_data *csystem_data = reader->csystem_data;
91
92 memset(msg, 0, msglen);
93 memcpy(msg, nagra_head, 4);
94 msg[4] = ilen;
95 msg[5] = cmd;
96 int32_t dlen = ilen - 2;
97 msg[6] = dlen;
98 if(data && dlen > 0) { memcpy(msg + 7, data, dlen); }
99 msg[dlen + 7] = rlen;
100 if(dlen < 0)
101 {
102 rdr_log_dbg(reader, D_READER, "invalid data length encountered");
103 return ERROR;
104 }
105 if(csystem_data->is_pure_nagra == 1)
106 {
107 msg[4] += 1;
108 }
109 if(!reader_cmd2icc(reader, msg, msglen, cta_res, p_cta_lr))
110 {
111 cs_sleepms(5);
112 if(cta_res[0] != res)
113 {
114 rdr_log_dbg(reader, D_READER, "result not expected (%02x != %02x)", cta_res[0], res);
115 return ERROR;
116 }
117 if((*p_cta_lr - 2) != rlen)
118 {
119 rdr_log_dbg(reader, D_READER, "result length expected (%d != %d)", (*p_cta_lr - 2), rlen);
120 return ERROR;
121 }
122 return *p_cta_lr;
123 }
124 return ERROR;
125 }
126
127 static void ReverseMem(unsigned char *vIn, int32_t len)
128 {
129 unsigned char temp;
130 int32_t i;
131 for(i = 0; i < (len / 2); i++)
132 {
133 temp = vIn[i];
134 vIn[i] = vIn[len - i - 1];
135 vIn[len - i - 1] = temp;
136 }
137 }
138
139 static void Signature(unsigned char *sig, const unsigned char *vkey, const unsigned char *msg, int32_t len)
140 {
141 IDEA_KEY_SCHEDULE ks;
142 unsigned char v[8];
143 unsigned char b200[16];
144 unsigned char b0f0[8];
145 memcpy(b200, vkey, sizeof(b200));
146 int32_t i;
147 int32_t j;
148 for(i = 0; i < len; i += 8)
149 {
150 idea_set_encrypt_key(b200, &ks);
151 memset(v, 0, sizeof(v));
152 idea_cbc_encrypt(msg + i, b0f0, 8, &ks, v, IDEA_DECRYPT);
153 for(j = 7; j >= 0; j--) { b0f0[j] ^= msg[i + j]; }
154 memcpy(b200 + 0, b0f0, 8);
155 memcpy(b200 + 8, b0f0, 8);
156 }
157 memcpy(sig, b0f0, 8);
158 return;
159 }
160
161 static int32_t CamStateRequest(struct s_reader *reader)
162 {
163 def_resp;
164 struct nagra_data *csystem_data = reader->csystem_data;
165 char tmp_dbg[10];
166 if(do_cmd(reader, 0xC0, 0x02, 0xB0, 0x06, NULL, cta_res, &cta_lr))
167 {
168 memcpy(csystem_data->cam_state, cta_res + 3, 3);
169 rdr_log_dbg(reader, D_READER, "Camstate: %s", cs_hexdump(1, csystem_data->cam_state, 3, tmp_dbg, sizeof(tmp_dbg)));
170 }
171 else
172 {
173 rdr_log_dbg(reader, D_READER, "CamStateRequest failed");
174 return ERROR;
175 }
176 return OK;
177 }
178
179 static void DateTimeCMD(struct s_reader *reader)
180 {
181 def_resp;
182 if(!do_cmd(reader, 0xC8, 0x02, 0xB8, 0x06, NULL, cta_res, &cta_lr))
183 {
184 rdr_log_dbg(reader, D_READER, "DateTimeCMD failed!");
185 }
186
187 }
188
189 static int32_t NegotiateSessionKey_Tiger(struct s_reader *reader)
190 {
191 def_resp;
192 unsigned char exponent = 0x11;
193 unsigned char parte_fija[120];
194 unsigned char parte_variable[88];
195 unsigned char d1_rsa_modulo[88];
196 unsigned char d2_data[88];
197 unsigned char sign1[8];
198 unsigned char sk[16];
199 unsigned char tmp[104];
200 unsigned char idea_key[16];
201 unsigned char rnd[88];
202 char tmp2[17];
203 struct nagra_data *csystem_data = reader->csystem_data;
204
205 if(!do_cmd(reader, 0xd1, 0x02, 0x51, 0xd2, NULL, cta_res, &cta_lr))
206 {
207 rdr_log_dbg(reader, D_READER, "CMD$D1 failed");
208 return ERROR;
209 }
210
211 BN_CTX *ctx = BN_CTX_new();
212 #ifdef WITH_LIBCRYPTO
213 BN_CTX_start(ctx);
214 #endif
215 BIGNUM *bnN = BN_CTX_get(ctx);
216 BIGNUM *bnE = BN_CTX_get(ctx);
217 BIGNUM *bnCT = BN_CTX_get(ctx);
218 BIGNUM *bnPT = BN_CTX_get(ctx);
219 BN_bin2bn(reader->rsa_mod, 120, bnN);
220 BN_bin2bn(&exponent, 1, bnE);
221 BN_bin2bn(&cta_res[90], 120, bnCT);
222 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
223 memset(parte_fija, 0, 120);
224 BN_bn2bin(bnPT, parte_fija + (120 - BN_num_bytes(bnPT)));
225 BN_CTX_end(ctx);
226 BN_CTX_free(ctx);
227
228 rdr_log_dbg(reader, D_READER, "---------- SIG CHECK ---------------------");
229 memset(tmp, 0, 104);
230 memcpy(tmp + 4, parte_fija + 11, 100);
231 memset(idea_key, 0x37, 16);
232 Signature(sign1, idea_key, tmp, 104);
233 rdr_log_dbg(reader, D_READER, "sign1: %s", cs_hexdump(0, sign1, 8, tmp2, sizeof(tmp2)));
234 rdr_log_dbg(reader, D_READER, "sign2: %s", cs_hexdump(0, parte_fija + 111, 8, tmp2, sizeof(tmp2)));
235 if(!memcmp(parte_fija + 111, sign1, 8) == 0)
236 {
237 rdr_log_dbg(reader, D_READER, "signature check nok");
238 rdr_log_dbg(reader, D_READER, "------------------------------------------");
239 return ERROR;
240 }
241 rdr_log_dbg(reader, D_READER, "signature check ok");
242 rdr_log_dbg(reader, D_READER, "------------------------------------------");
243
244 memcpy(reader->hexserial + 2, parte_fija + 15, 4);
245 memcpy(reader->sa[0], parte_fija + 15, 2);
246
247 memcpy(reader->irdId, parte_fija + 19, 4);
248 memcpy(d1_rsa_modulo, parte_fija + 23, 88);
249
250 ReverseMem(cta_res + 2, 88);
251 BN_CTX *ctx1 = BN_CTX_new();
252 #ifdef WITH_LIBCRYPTO
253 BN_CTX_start(ctx1);
254 #endif
255 BIGNUM *bnN1 = BN_CTX_get(ctx1);
256 BIGNUM *bnE1 = BN_CTX_get(ctx1);
257 BIGNUM *bnCT1 = BN_CTX_get(ctx1);
258 BIGNUM *bnPT1 = BN_CTX_get(ctx1);
259 BN_bin2bn(d1_rsa_modulo, 88, bnN1);
260 BN_bin2bn(&exponent, 1, bnE1);
261 BN_bin2bn(cta_res + 2, 88, bnCT1);
262 BN_mod_exp(bnPT1, bnCT1, bnE1, bnN1, ctx1);
263 memset(parte_variable, 0, 88);
264 BN_bn2bin(bnPT1, parte_variable + (88 - BN_num_bytes(bnPT1)));
265 BN_CTX_end(ctx1);
266 BN_CTX_free(ctx1);
267
268 csystem_data->ActivationDate[0] = parte_variable[65];
269 csystem_data->ActivationDate[1] = parte_variable[66];
270 csystem_data->ExpiryDate[0] = parte_variable[69];
271 csystem_data->ExpiryDate[1] = parte_variable[70];
272
273 reader->prid[0][0] = 0x00;
274 reader->prid[0][1] = 0x00;
275 reader->prid[0][2] = parte_variable[73];
276 reader->prid[0][3] = parte_variable[74];
277 reader->caid = (SYSTEM_NAGRA | parte_variable[76]);
278 memcpy(sk, &parte_variable[79], 8);
279 memset(sk + 8, 0xBB, 8);
280 rdr_log_sensitive(reader, "type: NAGRA, caid: %04X, IRD ID: {%s}", reader->caid, cs_hexdump(1, reader->irdId, 4, tmp2, sizeof(tmp2)));
281 rdr_log(reader, "ProviderID: %s", cs_hexdump(1, reader->prid[0], 4, tmp2, sizeof(tmp2)));
282
283 memcpy(rnd, sk, 8);
284 memset(&rnd[8], 0xBB, 79);
285 rnd[87] = 0x6B;
286 ReverseMem(rnd, 88);
287
288
289 BN_CTX *ctx3 = BN_CTX_new();
290 #ifdef WITH_LIBCRYPTO
291 BN_CTX_start(ctx3);
292 #endif
293 BIGNUM *bnN3 = BN_CTX_get(ctx3);
294 BIGNUM *bnE3 = BN_CTX_get(ctx3);
295 BIGNUM *bnCT3 = BN_CTX_get(ctx3);
296 BIGNUM *bnPT3 = BN_CTX_get(ctx3);
297 BN_bin2bn(d1_rsa_modulo, 88, bnN3);
298 BN_bin2bn(&exponent, 1, bnE3);
299 BN_bin2bn(rnd, 88, bnCT3);
300 BN_mod_exp(bnPT3, bnCT3, bnE3, bnN3, ctx3);
301 memset(d2_data, 0, 88);
302 BN_bn2bin(bnPT3, d2_data + (88 - BN_num_bytes(bnPT3)));
303 BN_CTX_end(ctx3);
304 BN_CTX_free(ctx3);
305 ReverseMem(d2_data, 88);
306
307 if(!do_cmd(reader, 0xd2, 0x5a, 0x52, 0x03, d2_data, cta_res, &cta_lr))
308 {
309 rdr_log_dbg(reader, D_READER, "CMD$D2 failed");
310 return ERROR;
311 }
312 if(cta_res[2] == 0x00)
313 {
314 memcpy(csystem_data->sessi, sk, 16);
315 IDEA_KEY_SCHEDULE ks;
316 idea_set_encrypt_key(csystem_data->sessi, &ks);
317 idea_set_decrypt_key(&ks, &csystem_data->ksSession);
318 rdr_log_dbg(reader, D_READER, "Tiger session key negotiated");
319 return OK;
320 }
321 rdr_log(reader, "Negotiate sessionkey was not successful! Please check tivusat rsa key");
322 return ERROR;
323
324 }
325
326 static int32_t NegotiateSessionKey(struct s_reader *reader)
327 {
328 def_resp;
329 unsigned char negot[64];
330 unsigned char cmd2b[] = {0x21, 0x40, 0x4D, 0xA0, 0xCA, 0x00, 0x00, 0x47, 0x27, 0x45,
331 0x1C, 0x54, 0xd1, 0x26, 0xe7, 0xe2, 0x40, 0x20,
332 0xd1, 0x66, 0xf4, 0x18, 0x97, 0x9d, 0x5f, 0x16,
333 0x8f, 0x7f, 0x7a, 0x55, 0x15, 0x82, 0x31, 0x14,
334 0x06, 0x57, 0x1a, 0x3f, 0xf0, 0x75, 0x62, 0x41,
335 0xc2, 0x84, 0xda, 0x4c, 0x2e, 0x84, 0xe9, 0x29,
336 0x13, 0x81, 0xee, 0xd6, 0xa9, 0xf5, 0xe9, 0xdb,
337 0xaf, 0x22, 0x51, 0x3d, 0x44, 0xb3, 0x20, 0x83,
338 0xde, 0xcb, 0x5f, 0x35, 0x2b, 0xb0, 0xce, 0x70,
339 0x01, 0x02, 0x03, 0x04, //IRD nr
340 0x00
341 };//keynr
342 unsigned char tmp[64];
343 unsigned char idea1[16];
344 unsigned char idea2[16];
345 unsigned char sign1[8];
346 unsigned char sign2[8];
347 struct nagra_data *csystem_data = reader->csystem_data;
348
349 if(csystem_data->is_tiger)
350 {
351 if(!NegotiateSessionKey_Tiger(reader))
352 {
353 rdr_log_dbg(reader, D_READER, "NegotiateSessionKey_Tiger failed");
354 return ERROR;
355 }
356 return OK;
357 }
358
359 if(!csystem_data->has_dt08) // if we have no valid dt08 calc then we use rsa from config and hexserial for calc of sessionkey
360 {
361 rdr_log_dbg(reader, D_READER, "No valid DT08 calc using rsa from config and serial from card");
362 memcpy(csystem_data->plainDT08RSA, reader->rsa_mod, 64);
363 memcpy(csystem_data->signature, reader->boxkey, 8);
364 }
365
366 if((csystem_data->is_n3_na) && (!do_cmd(reader, 0x29, 0x02, 0xA9, 0x04, NULL, cta_res, &cta_lr)))
367 {
368 rdr_log_dbg(reader, D_READER, "Nagra3: CMD$29 failed");
369 return ERROR;
370 }
371
372 memcpy(tmp, reader->irdId, 4);
373 tmp[4] = 0; //keynr 0
374
375 if(!csystem_data->is_n3_na)
376 {
377 if(!do_cmd(reader, 0x2a, 0x02, 0xaa, 0x42, NULL, cta_res, &cta_lr))
378 {
379 rdr_log_dbg(reader, D_READER, "CMD$2A failed");
380 return ERROR;
381 }
382 }
383 else if(!do_cmd(reader, 0x26, 0x07, 0xa6, 0x42, tmp, cta_res, &cta_lr))
384 {
385 rdr_log_dbg(reader, D_READER, "CMD$26 failed");
386 return ERROR;
387 }
388
389 // RSA decrypt of cmd$2a data, result is stored in "negot"
390 ReverseMem(cta_res + 2, 64);
391 unsigned char vFixed[] = {0, 1, 2, 3};
392 BN_CTX *ctx = BN_CTX_new();
393 #ifdef WITH_LIBCRYPTO
394 BN_CTX_start(ctx);
395 #endif
396 BIGNUM *bnN = BN_CTX_get(ctx);
397 BIGNUM *bnE = BN_CTX_get(ctx);
398 BIGNUM *bnCT = BN_CTX_get(ctx);
399 BIGNUM *bnPT = BN_CTX_get(ctx);
400 BN_bin2bn(csystem_data->plainDT08RSA, 64, bnN);
401 BN_bin2bn(vFixed + 3, 1, bnE);
402 BN_bin2bn(cta_res + 2, 64, bnCT);
403 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
404 memset(negot, 0, 64);
405 BN_bn2bin(bnPT, negot + (64 - BN_num_bytes(bnPT)));
406
407 memcpy(tmp, negot, 64);
408 ReverseMem(tmp, 64);
409
410 // build sessionkey
411 // first halve is IDEA Hashed in chuncs of 8 bytes using the Signature1 from dt08 calc, CamID-Inv.CamID(16 bytes key) the results are the First 8 bytes of the Session key
412 memcpy(idea1, csystem_data->signature, 8);
413 memcpy(idea1 + 8, reader->hexserial + 2, 4);
414 idea1[12] = ~reader->hexserial[2];
415 idea1[13] = ~reader->hexserial[3];
416 idea1[14] = ~reader->hexserial[4];
417 idea1[15] = ~reader->hexserial[5];
418
419 Signature(sign1, idea1, tmp, 32);
420 memcpy(idea2, sign1, 8);
421 memcpy(idea2 + 8, sign1, 8);
422 Signature(sign2, idea2, tmp, 32);
423 memcpy(csystem_data->sessi, sign1, 8);
424 memcpy(csystem_data->sessi + 8, sign2, 8);
425
426 // prepare cmd$2b data
427 BN_bin2bn(negot, 64, bnCT);
428 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
429 memset(cmd2b + 10, 0, 64);
430 BN_bn2bin(bnPT, cmd2b + 10 + (64 - BN_num_bytes(bnPT)));
431 BN_CTX_end(ctx);
432 BN_CTX_free(ctx);
433 ReverseMem(cmd2b + 10, 64);
434
435 IDEA_KEY_SCHEDULE ks;
436 idea_set_encrypt_key(csystem_data->sessi, &ks);
437 idea_set_decrypt_key(&ks, &csystem_data->ksSession);
438
439 memcpy(cmd2b + 74, reader->irdId, 4);
440 cmd2b[78] = 0; //keynr
441
442 if(!csystem_data->is_n3_na)
443 {
444 if(!do_cmd(reader, 0x2b, 0x42, 0xab, 0x02, cmd2b + 10, cta_res, &cta_lr))
445 {
446 rdr_log_dbg(reader, D_READER, "CMD$2B failed");
447 return ERROR;
448 }
449 }
450 else if(!do_cmd(reader, 0x27, 0x47, 0xa7, 0x02, cmd2b + 10, cta_res, &cta_lr))
451 {
452 rdr_log_dbg(reader, D_READER, "CMD$27 failed");
453 return ERROR;
454 }
455
456 rdr_log_dbg(reader, D_READER, "session key negotiated");
457
458 DateTimeCMD(reader);
459
460 if(!CamStateRequest(reader))
461 {
462 rdr_log_dbg(reader, D_READER, "CamStateRequest failed");
463 return ERROR;
464 }
465 if RENEW_SESSIONKEY()
466 {
467 rdr_log(reader, "Negotiate sessionkey was not successful! Please check rsa key and boxkey");
468 return ERROR;
469 }
470
471 return OK;
472 }
473
474 static void decryptDT08(struct s_reader *reader, unsigned char *cta_res)
475 {
476 unsigned char vFixed[] = {0, 1, 2, 3};
477 unsigned char v[72];
478 unsigned char buf[72];
479 unsigned char sign2[8];
480 unsigned char static_dt08[73];
481 unsigned char camid[4];
482 char tmp_dbg[13];
483 int32_t i, n;
484 BN_CTX *ctx;
485 BIGNUM *bn_mod, *bn_exp, *bn_data, *bn_res;
486 struct nagra_data *csystem_data = reader->csystem_data;
487
488 memcpy(static_dt08, &cta_res[12], 73);
489 // decrypt RSA Part of dt08
490 bn_mod = BN_new();
491 bn_exp = BN_new();
492 bn_data = BN_new();
493 bn_res = BN_new();
494 ctx = BN_CTX_new();
495 if(ctx == NULL)
496 {
497 rdr_log_dbg(reader, D_READER, "RSA Error in dt08 decrypt");
498 }
499 ReverseMem(static_dt08 + 1, 64);
500 BN_bin2bn(reader->rsa_mod, 64, bn_mod); // rsa modulus
501 BN_bin2bn(vFixed + 3, 1, bn_exp); // exponent
502 BN_bin2bn(static_dt08 + 1, 64, bn_data);
503 BN_mod_exp(bn_res, bn_data, bn_exp, bn_mod, ctx);
504 memset(static_dt08 + 1, 0, 64);
505 n = BN_bn2bin(bn_res, static_dt08 + 1);
506 BN_CTX_free(ctx);
507 ReverseMem(static_dt08 + 1, n);
508
509 // RSA data can never be bigger than the modulo
510 static_dt08[64] |= static_dt08[0] & 0x80;
511
512 // IdeaCamKey
513 memcpy(&csystem_data->IdeaCamKey[0], reader->boxkey, 8);
514 memcpy(&csystem_data->IdeaCamKey[8], reader->irdId, 4);
515 for(i = 0; i < 4; i++)
516 { csystem_data->IdeaCamKey[12 + i] = ~reader->irdId[i]; }
517
518 // now IDEA decrypt
519 IDEA_KEY_SCHEDULE ks;
520 idea_set_encrypt_key(csystem_data->IdeaCamKey, &ks);
521 idea_set_decrypt_key(&ks, &csystem_data->ksSession);
522 memcpy(&buf[0], static_dt08 + 1, 64);
523 memcpy(&buf[64], static_dt08 + 65, 8);
524 memset(v, 0, sizeof(v));
525 memset(static_dt08, 0, sizeof(static_dt08));
526 idea_cbc_encrypt(buf, static_dt08, 72, &csystem_data->ksSession, v, IDEA_DECRYPT);
527
528 if(csystem_data->swapCW == 1)
529 {
530 memset(camid, 0xff, 4);
531 }
532 else
533 {
534 memcpy(camid, reader->hexserial + 2, 4);
535 }
536 rdr_log_dbg(reader, D_READER, "using camid %s for dt08 calc", cs_hexdump(1, camid, 4, tmp_dbg, sizeof(tmp_dbg)));
537
538 // Calculate csystem_data->signature
539 memcpy(csystem_data->signature, static_dt08, 8);
540 memset(static_dt08 + 0, 0, 4);
541 memcpy(static_dt08 + 4, camid, 4);
542 Signature(sign2, csystem_data->IdeaCamKey, static_dt08, 72);
543
544 if(memcmp(csystem_data->signature, sign2, 8) == 0)
545 {
546 csystem_data->has_dt08 = 1;
547 memcpy(csystem_data->plainDT08RSA, static_dt08 + 8, 64);
548 rdr_log_dbg(reader, D_READER, "DT08 signature check ok");
549 }
550 else
551 {
552 csystem_data->has_dt08 = 0;
553 rdr_log_dbg(reader, D_READER, "DT08 signature check nok");
554 }
555
556 BN_free(bn_mod);
557 BN_free(bn_exp);
558 BN_free(bn_data);
559 BN_free(bn_res);
560 }
561
562 static void addProvider(struct s_reader *reader, unsigned char *cta_res)
563 {
564 int32_t i;
565 int32_t toadd = 1;
566 for(i = 0; i < reader->nprov; i++)
567 {
568 if((cta_res[7] == reader->prid[i][2]) && (cta_res[8] == reader->prid[i][3]))
569 {
570 toadd = 0;
571 }
572 }
573 if(toadd)
574 {
575 reader->prid[reader->nprov][0] = 0;
576 reader->prid[reader->nprov][1] = 0;
577 reader->prid[reader->nprov][2] = cta_res[7];
578 reader->prid[reader->nprov][3] = cta_res[8];
579 memcpy(reader->sa[reader->nprov], reader->sa[0], 4);
580 reader->nprov += 1;
581 }
582 }
583
584 static int32_t ParseDataType(struct s_reader *reader, unsigned char dt, unsigned char *cta_res, uint16_t cta_lr)
585 {
586 struct nagra_data *csystem_data = reader->csystem_data;
587 char ds[20], de[16];
588 uint16_t chid;
589 switch(dt)
590 {
591 case IRDINFO:
592 {
593 reader->prid[0][0] = 0;
594 reader->prid[0][1] = 0;
595 reader->prid[0][2] = cta_res[7];
596 reader->prid[0][3] = cta_res[8];
597 if(((cta_res[7] == 0x34) && (cta_res[8] == 0x11)) || ((cta_res[7] == 0x04) && (cta_res[8] == 0x01))) //provider 3411, 0401 needs cw swap
598 {
599 rdr_log_dbg(reader, D_READER, "detect provider with swap cw!");
600 csystem_data->swapCW = 1;
601 }
602
603 reader->prid[1][0] = 0x00;
604 reader->prid[1][1] = 0x00;
605 reader->prid[1][2] = 0x00;
606 reader->prid[1][3] = 0x00;
607 memcpy(reader->sa[1], reader->sa[0], 4);
608 reader->nprov += 1;
609
610 reader->caid = (SYSTEM_NAGRA | cta_res[11]);
611 memcpy(reader->irdId, cta_res + 14, 4);
612 if(reader->csystem_active) // do not output on init but only afterwards in card_info
613 {
614 rdr_log_sensitive(reader, "IRD ID: {%s}", cs_hexdump(1, reader->irdId, 4, ds, sizeof(ds)));
615 nagra_datetime(reader, cta_res + 24, 0, ds, &reader->card_valid_to);
616 rdr_log(reader, "active to: %s", ds);
617 }
618 return OK;
619 }
620 case TIERS:
621 if((cta_lr > 33) && (chid = b2i(2, cta_res + 11)))
622 {
623 int32_t id = (cta_res[7] * 256) | cta_res[8];
624 int32_t offset = ((reader->caid == 0x1830 || reader->caid == 0x1843)
625 && chid == 0x0BEA) ? -21 : 0;
626
627 // todo: add entitlements to list
628 cs_add_entitlement(reader,
629 reader->caid,
630 id,
631 chid,
632 0,
633 tier_date(b2i(2, cta_res + 20) - 0x7f7, ds, 15),
634 tier_date(b2i(2, cta_res + 13) - 0x7f7 + offset, de, 15),
635 4,
636 1);
637
638
639 // tier_date(b2i(2, cta_res+20)-0x7f7, ds, 15);
640 // tier_date(b2i(2, cta_res+13)-0x7f7, de, 15);
641 rdr_log(reader, "|%04X|%04X |%s |%s |", id, chid, ds, de);
642 addProvider(reader, cta_res);
643 }
644 case 0x08:
645 case 0x88:
646 if(cta_res[11] == 0x49) { decryptDT08(reader, cta_res); }
647 default:
648 return OK;
649 }
650 return ERROR;
651 }
652
653 static int32_t GetDataType(struct s_reader *reader, unsigned char dt, int32_t len)
654 {
655 def_resp;
656 int32_t result = OK;
657 while(result == OK)
658 {
659 if(!do_cmd(reader, 0x22, 0x03, 0xA2, len, &dt, cta_res, &cta_lr))
660 {
661 rdr_log_dbg(reader, D_READER, "failed to get datatype %02X", dt);
662 result = ERROR;
663 break;
664 }
665
666 if((cta_res[2] == 0) && ((dt&0x80) == 0x80))
667 {
668 result = OK;
669 break;
670 }
671
672 if(!ParseDataType(reader, dt & 0x0F, cta_res, cta_lr))
673 {
674 result = ERROR;
675 break;
676 }
677
678 if((cta_res[11] == 0x49) && ((dt&0x80) == 0x80))
679 {
680 result = OK;
681 break;
682 }
683 dt |= 0x80; // get next item
684 }
685 return result;
686 }
687
688 static int32_t nagra2_card_init(struct s_reader *reader, ATR *newatr)
689 {
690 get_atr;
691 def_resp;
692 memset(reader->rom, 0, 15);
693 static const uchar ins80[] = { 0x80, 0xCA, 0x00, 0x00, 0x11 }; // switch to nagra layer
694 static const uchar handshake[] = { 0xEE, 0x51, 0xDC, 0xB8, 0x4A, 0x1C, 0x15, 0x05, 0xB5, 0xA6, 0x9B, 0x91, 0xBA, 0x33, 0x19, 0xC4, 0x10 }; // nagra handshake
695 int8_t ins7e11_state = 0;
696
697 int8_t is_pure_nagra = 0;
698 int8_t is_tiger = 0;
699 int8_t is_n3_na = 0;
700 memset(reader->irdId, 0xff, 4);
701 memset(reader->hexserial, 0, 8);
702
703 cs_clear_entitlement(reader); // reset the entitlements
704
705 if(memcmp(atr + 11, "DNASP240", 8) == 0 || memcmp(atr + 11, "DNASP241", 8) == 0)
706 {
707 rdr_log(reader, "detect nagra 3 NA card");
708 memcpy(reader->rom, atr + 11, 15);
709 is_n3_na = 1;
710 }
711 else if(memcmp(atr + 11, "DNASP", 5) == 0)
712 {
713 rdr_log(reader, "detect native nagra card");
714 memcpy(reader->rom, atr + 11, 15);
715 }
716 else if(memcmp(atr + 11, "TIGER", 5) == 0 || (memcmp(atr + 11, "NCMED", 5) == 0))
717 {
718 rdr_log(reader, "detect nagra tiger card");
719 memcpy(reader->rom, atr + 11, 15);
720 is_tiger = 1;
721 }
722 else if((!memcmp(atr + 4, "IRDETO", 6)) && ((atr[14] == 0x03) && (atr[15] == 0x84) && (atr[16] == 0x55)))
723 {
724 rdr_log(reader, "detect irdeto tunneled nagra card");
725 if(!array_has_nonzero_byte(reader->rsa_mod, 64))
726 {
727 rdr_log(reader, "no rsa key configured -> using irdeto mode");
728 return ERROR;
729 }
730 if(reader->force_irdeto)
731 {
732 rdr_log(reader, "rsa key configured but irdeto mode forced -> using irdeto mode");
733 return ERROR;
734 }
735 rdr_log(reader, "rsa key configured -> using nagra mode");
736 is_pure_nagra = 1;
737 if(!cs_malloc(&reader->csystem_data, sizeof(struct nagra_data)))
738 { return ERROR; }
739 struct nagra_data *csystem_data = reader->csystem_data;
740 csystem_data->is_pure_nagra = is_pure_nagra;
741 if(!do_cmd(reader, 0x10, 0x02, 0x90, 0x11, 0, cta_res, &cta_lr))
742 {
743 rdr_log_dbg(reader, D_READER, "get rom version failed");
744 return ERROR;
745 }
746 memcpy(reader->rom, cta_res + 2, 15);
747 }
748 else if(reader->detect_seca_nagra_tunneled_card && memcmp(atr + 7, "pp", 2) == 0 && ((atr[9]&0x0F) >= 10))
749 {
750 rdr_log(reader, "detect seca/nagra tunneled card");
751
752 if(!cs_malloc(&reader->csystem_data, sizeof(struct nagra_data)))
753 { rdr_log(reader,"mem alloc error"); return ERROR; }
754 if(!card_write(reader, ins80, handshake, cta_res, &cta_lr)) // try to init nagra layer
755 {
756 if(cta_res[0] == 0x61 && cta_res[1] == 0x10)
757 {
758 reader->seca_nagra_card = 1;
759 if ((reader->typ == R_SMART || reader->typ == R_INTERNAL || is_smargo_reader(reader)) && !reader->ins7e11_fast_reset)
760 {
761 ins7e11_state = 1;
762 reader->ins7e11_fast_reset = 1;
763 }
764 reader->card_atr_length = 23;
765 const struct s_cardreader *crdr_ops = reader->crdr;
766 if (!crdr_ops) return ERROR;
767 call(crdr_ops->activate(reader, newatr)); //read nagra atr
768 get_atr2;
769 memcpy(reader->rom, atr2 + 8, 15);// get historical bytes containing romrev from nagra atr
770 rdr_log(reader,"Nagra layer found");
771 rdr_log(reader,"Rom revision: %.15s", reader->rom);
772 reader->card_atr_length = 14;
773 reader->seca_nagra_card = 2;
774 call(crdr_ops->activate(reader, newatr));// read seca atr to switch back
775 if ((reader->typ == R_SMART || reader->typ == R_INTERNAL || is_smargo_reader(reader)) && ins7e11_state == 1)
776 {
777 ins7e11_state = 0;
778 reader->ins7e11_fast_reset = 0;
779 }
780 }
781 else
782 {
783 rdr_log(reader," Nagra atr not ok");
784 return ERROR;
785 }
786 }
787 NULLFREE(reader->csystem_data);
788 return ERROR; // quitting csystem still not having needed commands to run on nagra layer
789 }
790 else { return ERROR; }
791
792 // Private data may be already allocated, see above (the irdeto check).
793 if(!reader->csystem_data)
794 {
795 if(!cs_malloc(&reader->csystem_data, sizeof(struct nagra_data)))
796 { return ERROR; }
797 }
798 struct nagra_data *csystem_data = reader->csystem_data;
799 csystem_data->is_pure_nagra = is_pure_nagra;
800 csystem_data->is_tiger = is_tiger;
801 csystem_data->is_n3_na = is_n3_na;
802
803 reader->nprov = 1;
804
805 if(!csystem_data->is_tiger)
806 {
807 CamStateRequest(reader);
808 if(!do_cmd(reader, 0x12, 0x02, 0x92, 0x06, 0, cta_res, &cta_lr))
809 {
810 rdr_log_dbg(reader, D_READER, "get serial failed");
811 return ERROR;
812 }
813 memcpy(reader->hexserial + 2, cta_res + 2, 4);
814 memcpy(reader->sa[0], cta_res + 2, 2);
815
816 if(!GetDataType(reader, DT01, 0x0E)) { return ERROR; }
817 rdr_log_dbg(reader, D_READER, "DT01 DONE");
818 CamStateRequest(reader);
819 if(!GetDataType(reader, IRDINFO, 0x39)) { return ERROR; }
820 rdr_log_dbg(reader, D_READER, "IRDINFO DONE");
821 CamStateRequest(reader);
822 if(!GetDataType(reader, CAMDATA, 0x55)) { return ERROR; }
823 rdr_log_dbg(reader, D_READER, "CAMDATA Done");
824 if(!GetDataType(reader, 0x04, 0x44)) { return ERROR; }
825 rdr_log_dbg(reader, D_READER, "DT04 DONE");
826 CamStateRequest(reader);
827 if(!GetDataType(reader, DT06, 0x16)) { return ERROR; }
828 rdr_log_dbg(reader, D_READER, "DT06 DONE");
829 CamStateRequest(reader);
830 }
831 if(!NegotiateSessionKey(reader))
832 {
833 rdr_log_dbg(reader, D_READER, "NegotiateSessionKey failed");
834 return ERROR;
835 }
836 rdr_log(reader, "ready for requests");
837 return OK;
838 }
839
840 typedef struct
841 {
842 char date1[11];
843 char date2[11];
844 uint8_t type;
845 uint16_t value;
846 uint16_t price;
847 } ncmed_rec;
848
849 static time_t tiger_date2time(const char *date)
850 {
851 struct tm timeinfo;
852 int32_t y, m, d;
853
854 sscanf(date, "%02d/%02d/%04d", &d, &m, &y);
855 memset(&timeinfo, 0, sizeof(struct tm));
856 timeinfo.tm_year = y - 1900;
857 timeinfo.tm_mon = m - 1;
858 timeinfo.tm_mday = d;
859
860 return mktime(&timeinfo);
861 }
862
863 static int32_t reccmp(const void *r1, const void *r2)
864 {
865 int32_t v1, v2, y, m, d;
866 sscanf(((ncmed_rec *)r1)->date1, "%02d/%02d/%04d", &d, &m, &y);
867 v1 = y * 372 + 1 + m * 31 + d;
868 sscanf(((ncmed_rec *)r2)->date1, "%02d/%02d/%04d", &d, &m, &y);
869 v2 = y * 372 + 1 + m * 31 + d;
870 return (v1 == v2) ? 0 : (v1 < v2) ? -1 : 1;
871 }
872
873 static int32_t reccmp2(const void *r1, const void *r2)
874 {
875 char rec1[13], rec2[13];
876 snprintf(rec1, sizeof(rec1), "%04X", ((ncmed_rec *)r1)->value);
877 memcpy(rec1 + 4, ((ncmed_rec *)r1)->date2 + 6, 4);
878 memcpy(rec1 + 8, ((ncmed_rec *)r1)->date2 + 3, 2);
879 memcpy(rec1 + 10, ((ncmed_rec *)r1)->date2, 2);
880 snprintf(rec2, sizeof(rec2), "%04X", ((ncmed_rec *)r2)->value);
881 memcpy(rec2 + 4, ((ncmed_rec *)r2)->date2 + 6, 4);
882 memcpy(rec2 + 8, ((ncmed_rec *)r2)->date2 + 3, 2);
883 memcpy(rec2 + 10, ((ncmed_rec *)r2)->date2, 2);
884 rec1[12] = rec2[12] = 0;
885 return strcmp(rec2, rec1);
886 }
887
888 static int32_t nagra2_card_info(struct s_reader *reader)
889 {
890 int32_t i;
891 char currdate[11], tmp[64];
892 struct nagra_data *csystem_data = reader->csystem_data;
893 rdr_log(reader, "ROM: %c %c %c %c %c %c %c %c", reader->rom[0], reader->rom[1], reader->rom[2], reader->rom[3], reader->rom[4], reader->rom[5], reader->rom[6], reader->rom[7]);
894 rdr_log(reader, "REV: %c %c %c %c %c %c", reader->rom[9], reader->rom[10], reader->rom[11], reader->rom[12], reader->rom[13], reader->rom[14]);
895 rdr_log_sensitive(reader, "SER: {%s}", cs_hexdump(1, reader->hexserial + 2, 4, tmp, sizeof(tmp)));
896 rdr_log(reader, "CAID: %04X", reader->caid);
897 rdr_log(reader, "Prv.ID: %s(sysid)", cs_hexdump(1, reader->prid[0], 4, tmp, sizeof(tmp)));
898 for(i = 1; i < reader->nprov; i++)
899 {
900 rdr_log(reader, "Prv.ID: %s", cs_hexdump(1, reader->prid[i], 4, tmp, sizeof(tmp)));
901 }
902 cs_clear_entitlement(reader); //reset the entitlements
903 if(csystem_data->is_tiger)
904 {
905 rdr_log(reader, "Activation Date : %s", nagra_datetime(reader, csystem_data->ActivationDate, 0, currdate, 0));
906 rdr_log(reader, "Expiry Date : %s", nagra_datetime(reader, csystem_data->ExpiryDate, 0, currdate, &reader->card_valid_to));
907 }
908 if(reader->nagra_read && csystem_data->is_tiger && memcmp(reader->rom, "NCMED", 5) == 0)
909 {
910 ncmed_rec records[255];
911 int32_t num_records = 0;
912 uint8_t tier_cmd1[] = { 0x00, 0x00 };
913 uint8_t tier_cmd2[] = { 0x01, 0x00 };
914 def_resp;
915 int32_t j;
916 do_cmd(reader, 0xD0, 0x04, 0x50, 0x0A, tier_cmd1, cta_res, &cta_lr);
917 if(cta_lr == 0x0C)
918 {
919 int32_t prepaid = 0;
920 int32_t credit = 0;
921 int32_t balance = 0;
922
923 uint16_t credit_in = cta_res[8] << 8 | cta_res[9];
924 uint16_t credit_out = cta_res[5] << 8 | cta_res[6];
925 balance = (credit_in - credit_out) / 100;
926
927 for(i = 0; i < 13; ++i)
928 {
929 tier_cmd2[1] = i;
930 do_cmd(reader, 0xD0, 0x04, 0x50, 0xAA, tier_cmd2, cta_res, &cta_lr);
931 if(cta_lr == 0xAC)
932 {
933 //rdr_log_dump(reader, cta_res, cta_lr, "NCMED Card Record %d", i+1);
934 for(j = 2; j < cta_res[1] - 14; ++j)
935 {
936 if(cta_res[j] == 0x80 && cta_res[j + 6] != 0x00)
937 {
938 int32_t val_offs = 0;
939 nagra_datetime(reader, &cta_res[j + 6], 0, records[num_records].date2, 0);
940
941 switch(cta_res[j + 1])
942 {
943 case 0x00:
944 case 0x01:
945 case 0x20:
946 case 0x21:
947 case 0x29:
948 nagra_datetime(reader, &cta_res[j + 8], 0, records[num_records].date1, 0);
949 val_offs = 1;
950 break;
951
952 case 0x80:
953 nagra_datetime(reader, &cta_res[j + 6], 0, records[num_records].date1, 0);
954 val_offs = 1;
955 break;
956
957 default:
958 rdr_log(reader, "Unknown record : %s", cs_hexdump(1, &cta_res[j], 17, tmp, sizeof(tmp)));
959 }
960 if(val_offs > 0)
961 {
962 records[num_records].type = cta_res[j + 1];
963 records[num_records].value = cta_res[j + 4] << 8 | cta_res[j + 5];
964 records[num_records++].price = cta_res[j + 11] << 8 | cta_res[j + 12];
965 }
966 j += 16;
967 }
968 }
969 }
970 }
971 if(reader->nagra_read == 1)
972 { qsort(records, num_records, sizeof(ncmed_rec), reccmp); }
973 else
974 { qsort(records, num_records, sizeof(ncmed_rec), reccmp2); }
975
976 int32_t euro = 0;
977 char tiername[83];
978 time_t rawtime;
979 struct tm timeinfo;
980 time(&rawtime);
981 localtime_r(&rawtime, &timeinfo);
982 snprintf(currdate, sizeof(currdate), "%02d/%02d/%04d", timeinfo.tm_mday, timeinfo.tm_mon + 1, timeinfo.tm_year + 1900);
983
984 for(i = 0; i < num_records; ++i)
985 {
986 switch(records[i].type)
987 {
988 case 0x00:
989 case 0x01:
990 if(reccmp(records[i].date2, currdate) >= 0)
991 {
992 if(reader->nagra_read == 2)
993 rdr_log(reader, "Tier : %04X, expiry date: %s %s",
994 records[i].value, records[i].date2, get_tiername(records[i].value, reader->caid, tiername));
995 else if(reader->nagra_read == 1)
996 {
997 euro = (records[i].price / 100);
998 rdr_log(reader, "Activation : ( %04X ) from %s to %s (%3d euro) %s",
999 records[i].value, records[i].date1, records[i].date2, euro, get_tiername(records[i].value, reader->caid, tiername));
1000 }
1001 cs_add_entitlement(reader, reader->caid, b2ll(4, reader->prid[0]), records[i].value, 0, tiger_date2time(records[i].date1), tiger_date2time(records[i].date2)+ 0x1517F, 4, 1);
1002 }
1003 break;
1004
1005 case 0x20:
1006 case 0x21:
1007 if(reccmp(records[i].date2, currdate) >= 0)
1008 {
1009 if(reader->nagra_read == 2)
1010 {
1011 rdr_log(reader, "Tier : %04X, expiry date: %s %s",
1012 records[i].value, records[i].date2, get_tiername(records[i].value, reader->caid, tiername));
1013 }
1014 cs_add_entitlement(reader, reader->caid, b2ll(4, reader->prid[0]), records[i].value, 0, tiger_date2time(records[i].date1), tiger_date2time(records[i].date2)+ 0x1517F, 4, 1);
1015 }
1016 break;
1017 }
1018 if(reader->nagra_read == 2)
1019 {
1020 while(i < num_records - 1 && records[i].value == records[i + 1].value)
1021 { ++i; }
1022 }
1023 }
1024
1025 for(i = 0; i < num_records; ++i)
1026 {
1027 switch(records[i].type)
1028 {
1029 case 0x80:
1030 if(reader->nagra_read == 1)
1031 {
1032 euro = (records[i].price / 100) - prepaid;
1033 credit += euro;
1034 prepaid += euro;
1035 if(euro)
1036 rdr_log(reader, "Recharge : %s (%3d euro)",
1037 records[i].date2, euro);
1038 }
1039 break;
1040
1041 case 0x20:
1042 case 0x21:
1043 if(reader->nagra_read == 1)
1044 {
1045 euro = records[i].price / 100;
1046 credit -= euro;
1047 rdr_log(reader, "Subscription : ( %04X ) from %s to %s (%3d euro) %s",
1048 records[i].value, records[i].date1, records[i].date2, euro, get_tiername(records[i].value, reader->caid, tiername));
1049 }
1050 break;
1051
1052 case 0x29:
1053 euro = records[i].price / 100;
1054 if(reader->nagra_read == 1) { credit -= euro; }
1055 rdr_log(reader, "Event purchase : ( %04X ) from %s to %s (%3d euro)",
1056 records[i].value, records[i].date1, records[i].date2, euro);
1057 break;
1058 }
1059 }
1060 if(reader->nagra_read == 1)
1061 { rdr_log(reader, "Credit : %3d euro", credit); }
1062 else
1063 { rdr_log(reader, "Credit : %3d euro", balance); }
1064 }
1065 }
1066 else
1067 {
1068 def_resp;
1069 char tmp_dbg[13];
1070 CamStateRequest(reader);
1071 if(!do_cmd(reader, 0x12, 0x02, 0x92, 0x06, 0, cta_res, &cta_lr))
1072 {
1073 rdr_log_dbg(reader, D_READER, "get serial failed");
1074 return ERROR;
1075 }
1076 memcpy(reader->hexserial + 2, cta_res + 2, 4);
1077 rdr_log_dbg_sensitive(reader, D_READER, "SER: {%s}", cs_hexdump(1, reader->hexserial + 2, 4, tmp_dbg, sizeof(tmp_dbg)));
1078 memcpy(reader->sa[0], cta_res + 2, 2);
1079 reader->nprov = 1;
1080 if(!GetDataType(reader, IRDINFO, 0x39)) { return ERROR; }
1081 rdr_log_dbg(reader, D_READER, "IRDINFO DONE");
1082 CamStateRequest(reader);
1083
1084 if(!memcmp(reader->rom + 5, "181", 3) == 0) //dt05 is not supported by rom181
1085 {
1086 rdr_log(reader, "-----------------------------------------");
1087 rdr_log(reader, "|id |tier |valid from |valid to |");
1088 rdr_log(reader, "+----+--------+------------+------------+");
1089 if(!GetDataType(reader, TIERS, 0x57)) { return ERROR; }
1090 rdr_log(reader, "-----------------------------------------");
1091 CamStateRequest(reader);
1092 }
1093 }
1094 return OK;
1095 }
1096
1097 void nagra2_post_process(struct s_reader *reader)
1098 {
1099 struct nagra_data *csystem_data = reader->csystem_data;
1100 if(!csystem_data->is_tiger)
1101 {
1102 CamStateRequest(reader);
1103 if RENEW_SESSIONKEY() { NegotiateSessionKey(reader); }
1104 if SENDDATETIME() { DateTimeCMD(reader); }
1105 }
1106 }
1107
1108 static int32_t nagra2_do_ecm(struct s_reader *reader, const ECM_REQUEST *er, struct s_ecm_answer *ea)
1109 {
1110 def_resp;
1111 struct nagra_data *csystem_data = reader->csystem_data;
1112 if(!csystem_data->is_tiger)
1113 {
1114 int32_t retry = 0;
1115 if(csystem_data->is_n3_na)
1116 {
1117 unsigned char ecm_pkt[256 + 16];
1118 memset(ecm_pkt, 0, sizeof(ecm_pkt));
1119 memcpy(ecm_pkt, er->ecm + 3 + 2, er->ecm[4]);
1120
1121 while(!do_cmd(reader, er->ecm[3] + 1, er->ecm[4] + 5 + 2, 0x88, 0x04, ecm_pkt, cta_res, &cta_lr))
1122 {
1123 if(retry == 0)
1124 { rdr_log_dbg(reader, D_READER, "nagra2_do_ecm (N3_NA) failed, retry"); }
1125 else
1126 {
1127 rdr_log_dbg(reader, D_READER, "nagra2_do_ecm (N3_NA) failed, retry failed!");
1128 return ERROR;
1129 }
1130 retry++;
1131 cs_sleepms(10);
1132 }
1133 }
1134 else
1135 {
1136 if(reader->ecmcommand < 5) // cache ecm commands until ecmcommand cache is full
1137 {
1138 reader->ecmcommandcache[reader->ecmcommand] = er->ecm[3];
1139 reader->ecmcommand++;
1140 if(reader->ecmcommand == 5) // cache is full, comparing!
1141 {
1142 int32_t t = 0;
1143 int32_t matchfound = 0;
1144 reader->ecmcommand++; // No more caching of ecm commands, next ecms will be compared!
1145 while(t < 5)
1146 {
1147 if(reader->ecmcommandcache[t] == er->ecm[3]) { matchfound++; }
1148 t++;
1149 }
1150 if(matchfound != 5)
1151 {
1152 reader->ecmcommand = 0; // reset ecm filter, start a new auto filter attempt
1153 rdr_log_dbg(reader, D_READER, "Auto ecm command filter caid %04X failed!", reader->caid);
1154 }
1155 else
1156 {
1157 reader->ecmcommandcache[0] = er->ecm[3]; // Passed the filter, store the normal ecm command for this reader!
1158 rdr_log_dbg(reader, D_READER, "Auto ecm command filter caid %04X set to command %02X", reader->caid, er->ecm[3]);
1159 }
1160 }
1161 }
1162 else if(reader->ecmcommandcache[0] != er->ecm[3])
1163 {
1164 rdr_log_dbg(reader, D_READER, "Warning: received an abnominal ecm command %02X for caid: %04X, ignoring!", er->ecm[3], reader->caid);
1165 memset(ea, 0, sizeof(struct s_ecm_answer)); // give it back 00000000 to not disturb the loadbalancer for valid ecm requests on this channel.
1166 return OK;
1167 }
1168
1169 while(!do_cmd(reader, er->ecm[3], er->ecm[4] + 2, 0x87, 0x02, er->ecm + 3 + 2, cta_res, &cta_lr))
1170 {
1171 if(retry == 0)
1172 { rdr_log_dbg(reader, D_READER, "nagra2_do_ecm failed, retry"); }
1173 else
1174 {
1175 rdr_log_dbg(reader, D_READER, "nagra2_do_ecm failed, retry failed!");
1176 return ERROR;
1177 }
1178 retry++;
1179 cs_sleepms(10);
1180 }
1181 }
1182 cs_sleepms(10);
1183
1184 retry = 0;
1185 while(!CamStateRequest(reader) && retry < 3)
1186 {
1187 rdr_log_dbg(reader, D_READER, "CamStateRequest failed, try: %d", retry);
1188 retry++;
1189 cs_sleepms(10);
1190 }
1191 if(HAS_CW() && (do_cmd(reader, 0x1C, 0x02, 0x9C, 0x36, NULL, cta_res, &cta_lr)))
1192 {
1193 unsigned char v[8];
1194 memset(v, 0, sizeof(v));
1195 idea_cbc_encrypt(&cta_res[30], ea->cw, 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
1196 memset(v, 0, sizeof(v));
1197 idea_cbc_encrypt(&cta_res[4], ea->cw + 8, 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
1198 if(csystem_data->swapCW == 1)
1199 {
1200 rdr_log_dbg(reader, D_READER, "swap cws");
1201 unsigned char tt[8];
1202 memcpy(&tt[0], &ea->cw[0], 8);
1203 memcpy(&ea->cw[0], &ea->cw[8], 8);
1204 memcpy(&ea->cw[8], &tt[0], 8);
1205 }
1206 return OK;
1207 }
1208 }
1209 else
1210 {
1211 //check ECM prov id
1212 if(memcmp(&reader->prid[0][2], er->ecm + 5, 2))
1213 { return ERROR; }
1214
1215 // ecm_data: 80 30 89 D3 87 54 11 10 DA A6 0F 4B 92 05 34 00 ...
1216 //serial_data: A0 CA 00 00 8C D3 8A 00 00 00 00 00 10 DA A6 0F .
1217 unsigned char ecm_trim[150];
1218 memset(ecm_trim, 0, 150);
1219 memcpy(&ecm_trim[5], er->ecm + 3 + 2 + 2, er->ecm[4] + 2);
1220 if(do_cmd(reader, er->ecm[3], er->ecm[4] + 5, 0x53, 0x16, ecm_trim, cta_res, &cta_lr))
1221 {
1222 if(cta_res[2] == 0x01)
1223 {
1224
1225 unsigned char v[8];
1226 memset(v, 0, sizeof(v));
1227 idea_cbc_encrypt(&cta_res[14], ea->cw, 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
1228 memset(v, 0, sizeof(v));
1229 idea_cbc_encrypt(&cta_res[6], ea->cw + 8, 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
1230 return OK;
1231 }
1232 rdr_log_dbg(reader, D_READER, "can't decode ecm");
1233 return ERROR;
1234 }
1235 }
1236 return ERROR;
1237 }
1238
1239 int32_t nagra2_get_emm_type(EMM_PACKET *ep, struct s_reader *rdr) //returns 1 if shared emm matches SA, unique emm matches serial, or global or unknown
1240 {
1241 switch(ep->emm[0])
1242 {
1243 case 0x83:
1244 case 0x87:
1245 memset(ep->hexserial, 0, 8);
1246 ep->hexserial[0] = ep->emm[5];
1247 ep->hexserial[1] = ep->emm[4];
1248 ep->hexserial[2] = ep->emm[3];
1249 if(ep->emm[7] == 0x10)
1250 {
1251 ep->type = SHARED;
1252 return (!memcmp(rdr->hexserial + 2, ep->hexserial, 3));
1253 }
1254 else
1255 {
1256 ep->hexserial[3] = ep->emm[6];
1257 ep->type = UNIQUE;
1258 return (!memcmp(rdr->hexserial + 2, ep->hexserial, 4));
1259 }
1260 case 0x82:
1261 case 0x84:
1262 ep->type = GLOBAL;
1263 return 1;
1264 default:
1265 ep->type = UNKNOWN;
1266 return 1;
1267 }
1268 }
1269
1270 static int32_t nagra2_get_emm_filter(struct s_reader *rdr, struct s_csystem_emm_filter **emm_filters, unsigned int *filter_count)
1271 {
1272 if(*emm_filters == NULL)
1273 {
1274 const unsigned int max_filter_count = 3;
1275 if(!cs_malloc(emm_filters, max_filter_count * sizeof(struct s_csystem_emm_filter)))
1276 { return ERROR; }
1277
1278 struct s_csystem_emm_filter *filters = *emm_filters;
1279 *filter_count = 0;
1280
1281 int32_t idx = 0;
1282
1283 filters[idx].type = EMM_GLOBAL;
1284 filters[idx].enabled = 1;
1285 filters[idx].filter[0] = 0x86;
1286 filters[idx].mask[0] = 0xF9; // 0x82, 0x84 and 0x86
1287 idx++;
1288
1289 filters[idx].type = EMM_SHARED;
1290 filters[idx].enabled = 1;
1291 filters[idx].filter[0] = 0x87;
1292 filters[idx].filter[1] = rdr->hexserial[4];
1293 filters[idx].filter[2] = rdr->hexserial[3];
1294 filters[idx].filter[3] = rdr->hexserial[2];
1295 filters[idx].filter[4] = 0x00;
1296 filters[idx].filter[5] = 0x10;
1297 filters[idx].mask[0] = 0xFB; // 0x83 and 0x87
1298 memset(&filters[idx].mask[1], 0xFF, 5);
1299 idx++;
1300
1301 filters[idx].type = EMM_UNIQUE;
1302 filters[idx].enabled = 1;
1303 filters[idx].filter[0] = 0x87;
1304 filters[idx].filter[1] = rdr->hexserial[4];
1305 filters[idx].filter[2] = rdr->hexserial[3];
1306 filters[idx].filter[3] = rdr->hexserial[2];
1307 filters[idx].filter[4] = rdr->hexserial[5];
1308 filters[idx].filter[5] = 0x00;
1309 filters[idx].mask[0] = 0xFB; // 0x83 and 0x87
1310 memset(&filters[idx].mask[1], 0xFF, 5);
1311 idx++;
1312
1313 *filter_count = idx;
1314 }
1315
1316 return OK;
1317 }
1318
1319 static int32_t nagra2_do_emm(struct s_reader *reader, EMM_PACKET *ep)
1320 {
1321 def_resp;
1322 struct nagra_data *csystem_data = reader->csystem_data;
1323 if(!csystem_data->is_tiger)
1324 {
1325 if(!do_cmd(reader, ep->emm[8], ep->emm[9] + 2, 0x84, 0x02, ep->emm + 8 + 2, cta_res, &cta_lr))
1326 {
1327 rdr_log_dbg(reader, D_READER, "nagra2_do_emm failed");
1328 return ERROR;
1329 }
1330 // for slow t14 nagra cards, we must do additional timeout
1331 if(csystem_data->is_pure_nagra == 1)
1332 {
1333 cs_sleepms(300);
1334 }
1335 cs_sleepms(250);
1336 nagra2_post_process(reader);
1337 }
1338 else
1339 {
1340 //check EMM prov id
1341 if(memcmp(&reader->prid[0][2], ep->emm + 10, 2))
1342 {
1343 rdr_log_dbg(reader, D_READER, "EMM skipped since provider doesnt match!");
1344 return SKIPPED;
1345 }
1346 // emm_data: 82 70 8E 00 00 00 00 00 D3 87 8D 11 C0 F4 B1 27 2C 3D 25 94 ...
1347 //serial_data: A0 CA 00 00 8C D3 8A 01 00 00 00 00 C0 F4 B1 27 2C 3D 25 94 ...
1348 unsigned char emm_trim[150] = { 0x01, 0x00, 0x00, 0x00, 0x00 };
1349 memcpy(&emm_trim[5], ep->emm + 3 + 5 + 2 + 2, ep->emm[9] + 2);
1350 if(!do_cmd(reader, ep->emm[8], ep->emm[9] + 5, 0x53, 0x16, emm_trim, cta_res, &cta_lr))
1351 {
1352 rdr_log_dbg(reader, D_READER, "nagra2_do_emm failed");
1353 return ERROR;
1354 }
1355 cs_sleepms(300);
1356 }
1357 if(ep->type != GLOBAL)
1358 {
1359 struct timeb now;
1360 cs_ftime(&now);
1361 int64_t gone = comp_timeb(&now, &reader->emm_last);
1362 if(gone > 3600*1000)
1363 {
1364 add_job(reader->client, ACTION_READER_CARDINFO, NULL, 0); // refresh entitlement since it might have been changed!
1365 }
1366 }
1367 return OK;
1368 }
1369
1370 const struct s_cardsystem reader_nagra =
1371 {
1372 .desc = "nagra",
1373 .caids = (uint16_t[]){ 0x18, 0 },
1374 .do_emm = nagra2_do_emm,
1375 .do_ecm = nagra2_do_ecm,
1376 .post_process = nagra2_post_process,
1377 .card_info = nagra2_card_info,
1378 .card_init = nagra2_card_init,
1379 .get_emm_type = nagra2_get_emm_type,
1380 .get_emm_filter = nagra2_get_emm_filter,
1381 };
1382
1383 #endif
Open Source Conditional Access Modul