3 #include "cscrypt/bn.h"
4 #include "cscrypt/idea.h"
5 #include "cscrypt/des.h"
6 #include "oscam-time.h"
7 #include "reader-common.h"
8 #include "reader-nagra-common.h"
9 #include "oscam-work.h"
10 #include "oscam-chk.h"
12 int8_t ins7e11_state
= 0;
16 IDEA_KEY_SCHEDULE ksSession
;
22 uint8_t ExpiryDate
[2];
23 uint8_t ActivationDate
[2];
24 uint8_t plainDT08RSA
[64];
25 uint8_t IdeaCamKey
[16];
33 #define HAS_CW() ((csystem_data->cam_state[2]&6)==6)
34 #define RENEW_SESSIONKEY() ((csystem_data->cam_state[0]&128)==128 || (csystem_data->cam_state[0]&64)==64 || (csystem_data->cam_state[0]&32)==32 || (csystem_data->cam_state[2]&8)==8)
35 #define SENDDATETIME() (csystem_data->cam_state[0]&8)
37 #define CW_NEEDS_3DES() ((csystem_data->ird_info&0x18)==0x18)
45 static time_t tier_date(uint32_t date
, char *buf
, int32_t l
)
47 time_t ut
= 870393600L + date
* (24 * 3600);
54 snprintf(buf
, l
, "%04d/%02d/%02d", t
.tm_year
+ 1900, t
.tm_mon
+ 1, t
.tm_mday
);
59 static char *nagra_datetime(struct s_reader
*rdr
, uint8_t *ndays
, int32_t offset
, char *result
, time_t *t
)
61 struct nagra_data
*csystem_data
= rdr
->csystem_data
;
63 memset(&tms
, 0, sizeof(tms
));
64 int32_t days
= (ndays
[0] << 8 | ndays
[1]) + offset
;
67 if(!csystem_data
->is_tiger
)
69 sec
= (ndays
[2] << 8 | ndays
[3]);
72 if(days
> 0x41B4 && sizeof(time_t) < 8) // to overcome 32-bit systems limitations
74 days
= 0x41A2; // 01-01-2038
78 tms
.tm_mday
= days
+ 1;
80 time_t ut
= mktime(&tms
);
87 if(csystem_data
->is_tiger
)
89 snprintf(result
, 27, "%02d/%02d/%04d", tms
.tm_mday
, tms
.tm_mon
+ 1, tms
.tm_year
+ 1900);
93 snprintf(result
, 33, "%04d/%02d/%02d %02d:%02d", tms
.tm_year
+ 1900, tms
.tm_mon
+ 1, tms
.tm_mday
, tms
.tm_hour
, tms
.tm_min
);
98 static int32_t do_cmd(struct s_reader
*reader
, uint8_t cmd
, int32_t ilen
, uint8_t res
, int32_t rlen
, const uint8_t *data
, uint8_t *cta_res
, uint16_t *p_cta_lr
)
101 here we build the command related to the protocol T1 for ROM142 or T14 for ROM181
102 the only different that i know is the command length byte msg[4], this msg[4]+=1 by a ROM181 smartcard (_nighti_)
103 one example for the cmd$C0
104 T14 protocol: 01 A0 CA 00 00 03 C0 00 06 91
105 T1 protocol: 21 00 08 A0 CA 00 00 02 C0 00 06 87
107 int32_t msglen
= ilen
+ 6;
109 static const char nagra_head
[] = {0xA0, 0xCA, 0x00, 0x00};
110 struct nagra_data
*csystem_data
= reader
->csystem_data
;
112 memset(msg
, 0, msglen
);
113 memcpy(msg
, nagra_head
, 4);
116 int32_t dlen
= ilen
- 2;
121 memcpy(msg
+ 7, data
, dlen
);
124 msg
[dlen
+ 7] = rlen
;
127 rdr_log_dbg(reader
, D_READER
, "invalid data length encountered");
131 if(csystem_data
->is_pure_nagra
== 1)
136 if(!reader_cmd2icc(reader
, msg
, msglen
, cta_res
, p_cta_lr
))
140 if(cta_res
[0] != res
)
142 rdr_log_dbg(reader
, D_READER
, "result not expected (%02x != %02x)", cta_res
[0], res
);
146 if((*p_cta_lr
- 2) != rlen
)
148 rdr_log_dbg(reader
, D_READER
, "result length expected (%d != %d)", (*p_cta_lr
- 2), rlen
);
156 static void ReverseMem(uint8_t *vIn
, int32_t len
)
161 for(i
= 0; i
< (len
/ 2); i
++)
164 vIn
[i
] = vIn
[len
- i
- 1];
165 vIn
[len
- i
- 1] = temp
;
169 static void Signature(uint8_t *sig
, const uint8_t *vkey
, const uint8_t *msg
, int32_t len
)
171 IDEA_KEY_SCHEDULE ks
;
175 memcpy(b200
, vkey
, sizeof(b200
));
179 for(i
= 0; i
< len
; i
+= 8)
181 idea_set_encrypt_key(b200
, &ks
);
182 memset(v
, 0, sizeof(v
));
183 idea_cbc_encrypt(msg
+ i
, b0f0
, 8, &ks
, v
, IDEA_DECRYPT
);
185 for(j
= 7; j
>= 0; j
--)
187 b0f0
[j
] ^= msg
[i
+ j
];
189 memcpy(b200
+ 0, b0f0
, 8);
190 memcpy(b200
+ 8, b0f0
, 8);
192 memcpy(sig
, b0f0
, 8);
196 static int32_t CamStateRequest(struct s_reader
*reader
)
199 struct nagra_data
*csystem_data
= reader
->csystem_data
;
202 if(do_cmd(reader
, 0xC0, 0x02, 0xB0, 0x06, NULL
, cta_res
, &cta_lr
))
204 csystem_data
->ird_info
= cta_res
[2];
205 rdr_log_dbg(reader
, D_READER
, "Irdinfo: %02X", csystem_data
->ird_info
);
206 memcpy(csystem_data
->cam_state
, cta_res
+ 3, 3);
207 rdr_log_dbg(reader
, D_READER
, "Camstate: %s", cs_hexdump(1, csystem_data
->cam_state
, 3, tmp_dbg
, sizeof(tmp_dbg
)));
211 rdr_log_dbg(reader
, D_READER
, "CamStateRequest failed");
217 static void DateTimeCMD(struct s_reader
*reader
)
220 if(!do_cmd(reader
, 0xC8, 0x02, 0xB8, 0x06, NULL
, cta_res
, &cta_lr
))
222 rdr_log_dbg(reader
, D_READER
, "DateTimeCMD failed!");
227 static int32_t NegotiateSessionKey_Tiger(struct s_reader
*reader
)
230 uint8_t exponent
= 0x11;
231 uint8_t parte_fija
[120];
232 uint8_t parte_variable
[88];
233 uint8_t d1_rsa_modulo
[88];
238 uint8_t idea_key
[16];
241 struct nagra_data
*csystem_data
= reader
->csystem_data
;
243 if(!do_cmd(reader
, 0xd1, 0x02, 0x51, 0xd2, NULL
, cta_res
, &cta_lr
))
245 rdr_log_dbg(reader
, D_READER
, "CMD$D1 failed");
249 BN_CTX
*ctx
= BN_CTX_new();
250 #ifdef WITH_LIBCRYPTO
253 BIGNUM
*bnN
= BN_CTX_get(ctx
);
254 BIGNUM
*bnE
= BN_CTX_get(ctx
);
255 BIGNUM
*bnCT
= BN_CTX_get(ctx
);
256 BIGNUM
*bnPT
= BN_CTX_get(ctx
);
257 BN_bin2bn(reader
->rsa_mod
, 120, bnN
);
258 BN_bin2bn(&exponent
, 1, bnE
);
259 BN_bin2bn(&cta_res
[90], 120, bnCT
);
260 BN_mod_exp(bnPT
, bnCT
, bnE
, bnN
, ctx
);
261 memset(parte_fija
, 0, 120);
262 BN_bn2bin(bnPT
, parte_fija
+ (120 - BN_num_bytes(bnPT
)));
266 rdr_log_dbg(reader
, D_READER
, "---------- SIG CHECK ---------------------");
268 memcpy(tmp
+ 4, parte_fija
+ 11, 100);
269 memset(idea_key
, 0x37, 16);
270 Signature(sign1
, idea_key
, tmp
, 104);
271 rdr_log_dbg(reader
, D_READER
, "sign1: %s", cs_hexdump(0, sign1
, 8, tmp2
, sizeof(tmp2
)));
272 rdr_log_dbg(reader
, D_READER
, "sign2: %s", cs_hexdump(0, parte_fija
+ 111, 8, tmp2
, sizeof(tmp2
)));
274 if((!memcmp(parte_fija
+ 111, sign1
, 8)) == 0)
276 rdr_log_dbg(reader
, D_READER
, "signature check nok");
277 rdr_log_dbg(reader
, D_READER
, "------------------------------------------");
280 rdr_log_dbg(reader
, D_READER
, "signature check ok");
281 rdr_log_dbg(reader
, D_READER
, "------------------------------------------");
283 memcpy(reader
->hexserial
+ 2, parte_fija
+ 15, 4);
284 memcpy(reader
->sa
[0], parte_fija
+ 15, 3);
286 memcpy(reader
->irdId
, parte_fija
+ 19, 4);
287 memcpy(d1_rsa_modulo
, parte_fija
+ 23, 88);
289 ReverseMem(cta_res
+ 2, 88);
290 BN_CTX
*ctx1
= BN_CTX_new();
291 #ifdef WITH_LIBCRYPTO
294 BIGNUM
*bnN1
= BN_CTX_get(ctx1
);
295 BIGNUM
*bnE1
= BN_CTX_get(ctx1
);
296 BIGNUM
*bnCT1
= BN_CTX_get(ctx1
);
297 BIGNUM
*bnPT1
= BN_CTX_get(ctx1
);
298 BN_bin2bn(d1_rsa_modulo
, 88, bnN1
);
299 BN_bin2bn(&exponent
, 1, bnE1
);
300 BN_bin2bn(cta_res
+ 2, 88, bnCT1
);
301 BN_mod_exp(bnPT1
, bnCT1
, bnE1
, bnN1
, ctx1
);
302 memset(parte_variable
, 0, 88);
303 BN_bn2bin(bnPT1
, parte_variable
+ (88 - BN_num_bytes(bnPT1
)));
307 csystem_data
->ActivationDate
[0] = parte_variable
[65];
308 csystem_data
->ActivationDate
[1] = parte_variable
[66];
309 csystem_data
->ExpiryDate
[0] = parte_variable
[69];
310 csystem_data
->ExpiryDate
[1] = parte_variable
[70];
312 reader
->prid
[0][0] = 0x00;
313 reader
->prid
[0][1] = 0x00;
314 reader
->prid
[0][2] = parte_variable
[73];
315 reader
->prid
[0][3] = parte_variable
[74];
316 reader
->caid
= (SYSTEM_NAGRA
| parte_variable
[76]);
317 memcpy(sk
, &parte_variable
[79], 8);
318 memset(sk
+ 8, 0xBB, 8);
319 rdr_log_sensitive(reader
, "type: NAGRA, caid: %04X, IRD ID: {%s}", reader
->caid
, cs_hexdump(1, reader
->irdId
, 4, tmp2
, sizeof(tmp2
)));
320 rdr_log(reader
, "ProviderID: %s", cs_hexdump(1, reader
->prid
[0], 4, tmp2
, sizeof(tmp2
)));
323 memset(&rnd
[8], 0xBB, 79);
328 BN_CTX
*ctx3
= BN_CTX_new();
329 #ifdef WITH_LIBCRYPTO
332 BIGNUM
*bnN3
= BN_CTX_get(ctx3
);
333 BIGNUM
*bnE3
= BN_CTX_get(ctx3
);
334 BIGNUM
*bnCT3
= BN_CTX_get(ctx3
);
335 BIGNUM
*bnPT3
= BN_CTX_get(ctx3
);
336 BN_bin2bn(d1_rsa_modulo
, 88, bnN3
);
337 BN_bin2bn(&exponent
, 1, bnE3
);
338 BN_bin2bn(rnd
, 88, bnCT3
);
339 BN_mod_exp(bnPT3
, bnCT3
, bnE3
, bnN3
, ctx3
);
340 memset(d2_data
, 0, 88);
341 BN_bn2bin(bnPT3
, d2_data
+ (88 - BN_num_bytes(bnPT3
)));
344 ReverseMem(d2_data
, 88);
346 if(!do_cmd(reader
, 0xd2, 0x5a, 0x52, 0x03, d2_data
, cta_res
, &cta_lr
))
348 rdr_log_dbg(reader
, D_READER
, "CMD$D2 failed");
352 if(cta_res
[2] == 0x00)
354 memcpy(csystem_data
->sessi
, sk
, 16);
355 IDEA_KEY_SCHEDULE ks
;
356 idea_set_encrypt_key(csystem_data
->sessi
, &ks
);
357 idea_set_decrypt_key(&ks
, &csystem_data
->ksSession
);
358 rdr_log_dbg(reader
, D_READER
, "Tiger session key negotiated");
362 rdr_log(reader
, "Negotiate sessionkey was not successful! Please check tivusat rsa key");
366 static int32_t NegotiateSessionKey(struct s_reader
*reader
)
371 0x21, 0x40, 0x4D, 0xA0, 0xCA, 0x00, 0x00, 0x47, 0x27, 0x45,
372 0x1C, 0x54, 0xd1, 0x26, 0xe7, 0xe2, 0x40, 0x20,
373 0xd1, 0x66, 0xf4, 0x18, 0x97, 0x9d, 0x5f, 0x16,
374 0x8f, 0x7f, 0x7a, 0x55, 0x15, 0x82, 0x31, 0x14,
375 0x06, 0x57, 0x1a, 0x3f, 0xf0, 0x75, 0x62, 0x41,
376 0xc2, 0x84, 0xda, 0x4c, 0x2e, 0x84, 0xe9, 0x29,
377 0x13, 0x81, 0xee, 0xd6, 0xa9, 0xf5, 0xe9, 0xdb,
378 0xaf, 0x22, 0x51, 0x3d, 0x44, 0xb3, 0x20, 0x83,
379 0xde, 0xcb, 0x5f, 0x35, 0x2b, 0xb0, 0xce, 0x70,
380 0x01, 0x02, 0x03, 0x04, //IRD nr
385 0xA5, 0xFB, 0x02, 0x76, //NUID
386 0x00, 0x08, //OTP-CSC
387 0x00, 0x00, //OTA-CSC
388 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
389 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
391 0x22, 0x11 }; //Provider ID
398 struct nagra_data
*csystem_data
= reader
->csystem_data
;
400 if(csystem_data
->is_tiger
)
402 if(!NegotiateSessionKey_Tiger(reader
))
404 rdr_log_dbg(reader
, D_READER
, "NegotiateSessionKey_Tiger failed");
410 if(!csystem_data
->has_dt08
) // if we have no valid dt08 calc then we use rsa from config and hexserial for calc of sessionkey
412 rdr_log_dbg(reader
, D_READER
, "No valid DT08 calc using rsa from config and serial from card");
413 memcpy(csystem_data
->plainDT08RSA
, reader
->rsa_mod
, 64);
414 memcpy(csystem_data
->signature
, reader
->boxkey
, 8);
417 if((csystem_data
->is_n3_na
) && (!do_cmd(reader
, 0x29, 0x02, 0xA9, 0x04, NULL
, cta_res
, &cta_lr
)))
419 rdr_log_dbg(reader
, D_READER
, "Nagra3: CMD$29 failed");
423 memcpy(tmp
, reader
->irdId
, 4);
424 tmp
[4] = 0; //keynr 0
426 if(!csystem_data
->is_n3_na
)
428 if (reader
->cak63nuid_length
== 4) //nuid is set
431 cmd2a
[26] = reader
->prid
[0][2];
432 cmd2a
[27] = reader
->prid
[0][3];
434 memcpy(&cmd2a
[1], reader
->cak63nuid
, 4); // inject NUID
436 if (!do_cmd(reader
, 0x2a,0x1E,0xAA,0x42, cmd2a
, cta_res
, &cta_lr
))
438 rdr_log_dbg(reader
, D_READER
, "CMD$2A failed");
444 if(!do_cmd(reader
, 0x2a, 0x02, 0xaa, 0x42, NULL
, cta_res
, &cta_lr
))
446 rdr_log_dbg(reader
, D_READER
, "CMD$2A failed");
452 else if(!do_cmd(reader
, 0x26, 0x07, 0xa6, 0x42, tmp
, cta_res
, &cta_lr
))
454 rdr_log_dbg(reader
, D_READER
, "CMD$26 failed");
458 // RSA decrypt of cmd$2a data, result is stored in "negot"
459 ReverseMem(cta_res
+ 2, 64);
460 uint8_t vFixed
[] = {0, 1, 2, 3};
461 BN_CTX
*ctx
= BN_CTX_new();
462 #ifdef WITH_LIBCRYPTO
465 BIGNUM
*bnN
= BN_CTX_get(ctx
);
466 BIGNUM
*bnE
= BN_CTX_get(ctx
);
467 BIGNUM
*bnCT
= BN_CTX_get(ctx
);
468 BIGNUM
*bnPT
= BN_CTX_get(ctx
);
469 BN_bin2bn(csystem_data
->plainDT08RSA
, 64, bnN
);
470 BN_bin2bn(vFixed
+ 3, 1, bnE
);
471 BN_bin2bn(cta_res
+ 2, 64, bnCT
);
472 BN_mod_exp(bnPT
, bnCT
, bnE
, bnN
, ctx
);
473 memset(negot
, 0, 64);
474 BN_bn2bin(bnPT
, negot
+ (64 - BN_num_bytes(bnPT
)));
476 memcpy(tmp
, negot
, 64);
480 // first halve is IDEA Hashed in chuncs of 8 bytes using the Signature1 from dt08 calc, CamID-Inv.CamID(16 bytes key) the results are the First 8 bytes of the Session key
481 memcpy(idea1
, csystem_data
->signature
, 8);
482 memcpy(idea1
+ 8, reader
->hexserial
+ 2, 4);
483 idea1
[12] = ~reader
->hexserial
[2];
484 idea1
[13] = ~reader
->hexserial
[3];
485 idea1
[14] = ~reader
->hexserial
[4];
486 idea1
[15] = ~reader
->hexserial
[5];
488 Signature(sign1
, idea1
, tmp
, 32);
489 memcpy(idea2
, sign1
, 8);
490 memcpy(idea2
+ 8, sign1
, 8);
491 Signature(sign2
, idea2
, tmp
, 32);
492 memcpy(csystem_data
->sessi
, sign1
, 8);
493 memcpy(csystem_data
->sessi
+ 8, sign2
, 8);
495 // prepare cmd$2b data
496 BN_bin2bn(negot
, 64, bnCT
);
497 BN_mod_exp(bnPT
, bnCT
, bnE
, bnN
, ctx
);
498 memset(cmd2b
+ 10, 0, 64);
499 BN_bn2bin(bnPT
, cmd2b
+ 10 + (64 - BN_num_bytes(bnPT
)));
502 ReverseMem(cmd2b
+ 10, 64);
504 IDEA_KEY_SCHEDULE ks
;
505 idea_set_encrypt_key(csystem_data
->sessi
, &ks
);
506 idea_set_decrypt_key(&ks
, &csystem_data
->ksSession
);
508 memcpy(cmd2b
+ 74, reader
->irdId
, 4);
509 cmd2b
[78] = 0; //keynr
511 if(!csystem_data
->is_n3_na
)
513 if(!do_cmd(reader
, 0x2b, 0x42, 0xab, 0x02, cmd2b
+ 10, cta_res
, &cta_lr
))
515 rdr_log_dbg(reader
, D_READER
, "CMD$2B failed");
519 else if(!do_cmd(reader
, 0x27, 0x47, 0xa7, 0x02, cmd2b
+ 10, cta_res
, &cta_lr
))
521 rdr_log_dbg(reader
, D_READER
, "CMD$27 failed");
525 rdr_log_dbg(reader
, D_READER
, "session key negotiated");
529 if(!CamStateRequest(reader
))
531 rdr_log_dbg(reader
, D_READER
, "CamStateRequest failed");
535 if RENEW_SESSIONKEY()
537 rdr_log(reader
, "Negotiate sessionkey was not successful! Please check rsa key and boxkey");
544 static void decryptDT08(struct s_reader
*reader
, uint8_t *cta_res
)
546 uint8_t vFixed
[] = {0, 1, 2, 3};
550 uint8_t static_dt08
[73];
555 BIGNUM
*bn_mod
, *bn_exp
, *bn_data
, *bn_res
;
556 struct nagra_data
*csystem_data
= reader
->csystem_data
;
558 memcpy(static_dt08
, &cta_res
[12], 73);
559 // decrypt RSA Part of dt08
568 rdr_log_dbg(reader
, D_READER
, "RSA Error in dt08 decrypt");
570 ReverseMem(static_dt08
+ 1, 64);
571 BN_bin2bn(reader
->rsa_mod
, 64, bn_mod
); // rsa modulus
572 BN_bin2bn(vFixed
+ 3, 1, bn_exp
); // exponent
573 BN_bin2bn(static_dt08
+ 1, 64, bn_data
);
574 BN_mod_exp(bn_res
, bn_data
, bn_exp
, bn_mod
, ctx
);
575 memset(static_dt08
+ 1, 0, 64);
576 n
= BN_bn2bin(bn_res
, static_dt08
+ 1);
578 ReverseMem(static_dt08
+ 1, n
);
580 // RSA data can never be bigger than the modulo
581 static_dt08
[64] |= static_dt08
[0] & 0x80;
584 memcpy(&csystem_data
->IdeaCamKey
[0], reader
->boxkey
, 8);
585 memcpy(&csystem_data
->IdeaCamKey
[8], reader
->irdId
, 4);
587 for(i
= 0; i
< 4; i
++)
589 csystem_data
->IdeaCamKey
[12 + i
] = ~reader
->irdId
[i
];
593 IDEA_KEY_SCHEDULE ks
;
594 idea_set_encrypt_key(csystem_data
->IdeaCamKey
, &ks
);
595 idea_set_decrypt_key(&ks
, &csystem_data
->ksSession
);
596 memcpy(&buf
[0], static_dt08
+ 1, 64);
597 memcpy(&buf
[64], static_dt08
+ 65, 8);
598 memset(v
, 0, sizeof(v
));
599 memset(static_dt08
, 0, sizeof(static_dt08
));
600 idea_cbc_encrypt(buf
, static_dt08
, 72, &csystem_data
->ksSession
, v
, IDEA_DECRYPT
);
602 if(csystem_data
->swapCW
== 1)
604 memset(camid
, 0xff, 4);
608 memcpy(camid
, reader
->hexserial
+ 2, 4);
610 rdr_log_dbg(reader
, D_READER
, "using camid %s for dt08 calc", cs_hexdump(1, camid
, 4, tmp_dbg
, sizeof(tmp_dbg
)));
612 // Calculate csystem_data->signature
613 memcpy(csystem_data
->signature
, static_dt08
, 8);
614 memset(static_dt08
+ 0, 0, 4);
615 memcpy(static_dt08
+ 4, camid
, 4);
616 Signature(sign2
, csystem_data
->IdeaCamKey
, static_dt08
, 72);
618 if(memcmp(csystem_data
->signature
, sign2
, 8) == 0)
620 csystem_data
->has_dt08
= 1;
621 memcpy(csystem_data
->plainDT08RSA
, static_dt08
+ 8, 64);
622 rdr_log_dbg(reader
, D_READER
, "DT08 signature check ok");
626 csystem_data
->has_dt08
= 0;
627 rdr_log_dbg(reader
, D_READER
, "DT08 signature check nok");
636 static void addProvider(struct s_reader
*reader
, uint8_t *cta_res
)
640 for(i
= 0; i
< reader
->nprov
; i
++)
642 if((cta_res
[7] == reader
->prid
[i
][2]) && (cta_res
[8] == reader
->prid
[i
][3]))
650 reader
->prid
[reader
->nprov
][0] = 0;
651 reader
->prid
[reader
->nprov
][1] = 0;
652 reader
->prid
[reader
->nprov
][2] = cta_res
[7];
653 reader
->prid
[reader
->nprov
][3] = cta_res
[8];
654 memcpy(reader
->sa
[reader
->nprov
], reader
->sa
[0], 4);
659 static int32_t ParseDataType(struct s_reader
*reader
, uint8_t dt
, uint8_t *cta_res
, uint16_t cta_lr
)
661 struct nagra_data
*csystem_data
= reader
->csystem_data
;
669 reader
->prid
[0][0] = 0;
670 reader
->prid
[0][1] = 0;
671 reader
->prid
[0][2] = cta_res
[7];
672 reader
->prid
[0][3] = cta_res
[8];
674 // provider 3411, 0401 needs cw swap
675 if(((cta_res
[7] == 0x34) && (cta_res
[8] == 0x11)) || ((cta_res
[7] == 0x04) && (cta_res
[8] == 0x01)))
677 rdr_log_dbg(reader
, D_READER
, "detect provider with swap cw!");
678 csystem_data
->swapCW
= 1;
681 reader
->prid
[1][0] = 0x00;
682 reader
->prid
[1][1] = 0x00;
683 reader
->prid
[1][2] = 0x00;
684 reader
->prid
[1][3] = 0x00;
685 memcpy(reader
->sa
[1], reader
->sa
[0], 4);
688 reader
->caid
= (SYSTEM_NAGRA
| cta_res
[11]);
689 memcpy(reader
->irdId
, cta_res
+ 14, 4);
691 // do not output on init but only afterwards in card_info
692 if(reader
->csystem_active
)
694 rdr_log_sensitive(reader
, "IRD ID: {%s}", cs_hexdump(1, reader
->irdId
, 4, ds
, sizeof(ds
)));
695 nagra_datetime(reader
, cta_res
+ 24, 0, ds
, &reader
->card_valid_to
);
696 rdr_log(reader
, "active to: %s", ds
);
702 if((cta_lr
> 33) && (chid
= b2i(2, cta_res
+ 11)))
704 int32_t id
= (cta_res
[7] * 256) | cta_res
[8];
705 int32_t expire_date1
= b2i(2, cta_res
+ 13);
706 int32_t expire_date2
= b2i(2, cta_res
+ 24);
707 int32_t sooner_expire_date
= expire_date1
<= expire_date2
? expire_date1
: expire_date2
;
708 // todo: add entitlements to list
709 cs_add_entitlement(reader
, reader
->caid
, id
, chid
, 0, tier_date(b2i(2, cta_res
+ 20) - 0x7f7, ds
, 15), tier_date(sooner_expire_date
- 0x7f7, de
, 15), 4, 1);
710 rdr_log(reader
, "|%04X|%04X |%s |%s |", id
, chid
, ds
, de
);
711 addProvider(reader
, cta_res
);
717 if(cta_res
[11] == 0x49)
719 decryptDT08(reader
, cta_res
);
729 static int32_t GetDataType(struct s_reader
*reader
, uint8_t dt
, int32_t len
)
736 if(!do_cmd(reader
, 0x22, 0x03, 0xA2, len
, &dt
, cta_res
, &cta_lr
))
738 rdr_log_dbg(reader
, D_READER
, "failed to get datatype %02X", dt
);
743 if((cta_res
[2] == 0) && ((dt
&0x80) == 0x80))
749 if(!ParseDataType(reader
, dt
& 0x0F, cta_res
, cta_lr
))
755 if(((dt
&0x0F) != TIERS
) && (cta_res
[11] == 0x49) && ((dt
&0x80) == 0x80))
760 dt
|= 0x80; // get next item
765 static int32_t nagra2_card_init(struct s_reader
*reader
, ATR
*newatr
)
769 memset(reader
->rom
, 0, 15);
770 static const uint8_t ins80
[] = { 0x80, 0xCA, 0x00, 0x00, 0x11 }; // switch to nagra layer
771 static const uint8_t handshake
[] = { 0xEE, 0x51, 0xDC, 0xB8, 0x4A, 0x1C, 0x15, 0x05, 0xB5, 0xA6, 0x9B, 0x91, 0xBA, 0x33, 0x19, 0xC4, 0x10 }; // nagra handshake
773 int8_t is_pure_nagra
= 0;
776 memset(reader
->irdId
, 0xff, 4);
777 memset(reader
->hexserial
, 0, 8);
779 cs_clear_entitlement(reader
); // reset the entitlements
781 if(memcmp(atr
+ 11, "DNASP240", 8) == 0 || memcmp(atr
+ 11, "DNASP241", 8) == 0)
783 rdr_log(reader
, "detect nagra 3 NA card");
784 memcpy(reader
->rom
, atr
+ 11, 15);
787 else if((memcmp(atr
+ 11, "DNASP", 5) == 0) && (memcmp(atr
+ 11, "DNASP4", 6) != 0))
789 rdr_log(reader
, "detect native nagra card");
790 memcpy(reader
->rom
, atr
+ 11, 15);
792 else if(memcmp(atr
+ 11, "TIGER", 5) == 0 || (memcmp(atr
+ 11, "NCMED", 5) == 0))
794 rdr_log(reader
, "detect nagra tiger card");
795 memcpy(reader
->rom
, atr
+ 11, 15);
798 else if((!memcmp(atr
+ 4, "IRDETO", 6)) && ((atr
[14] == 0x03) && (atr
[15] == 0x84) && (atr
[16] == 0x55)))
800 rdr_log(reader
, "detect irdeto tunneled nagra card");
801 if(!array_has_nonzero_byte(reader
->rsa_mod
, 64))
803 rdr_log(reader
, "no rsa key configured -> using irdeto mode");
807 if(reader
->force_irdeto
)
809 rdr_log(reader
, "rsa key configured but irdeto mode forced -> using irdeto mode");
813 rdr_log(reader
, "rsa key configured -> using nagra mode");
816 if(!cs_malloc(&reader
->csystem_data
, sizeof(struct nagra_data
)))
821 struct nagra_data
*csystem_data
= reader
->csystem_data
;
822 csystem_data
->is_pure_nagra
= is_pure_nagra
;
824 if(!do_cmd(reader
, 0x10, 0x02, 0x90, 0x11, 0, cta_res
, &cta_lr
))
826 rdr_log_dbg(reader
, D_READER
, "get rom version failed");
829 memcpy(reader
->rom
, cta_res
+ 2, 15);
831 else if(!reader
->cak7_mode
&& reader
->detect_seca_nagra_tunneled_card
&& memcmp(atr
+ 7, "pp", 2) == 0 && ((atr
[9]&0x0F) >= 10))
833 rdr_log(reader
, "detect seca/nagra tunneled card");
835 if(!cs_malloc(&reader
->csystem_data
, sizeof(struct nagra_data
)))
837 rdr_log(reader
,"mem alloc error"); return ERROR
;
840 if(!card_write(reader
, ins80
, handshake
, cta_res
, &cta_lr
)) // try to init nagra layer
842 if(cta_res
[0] == 0x61 && cta_res
[1] == 0x10)
844 reader
->seca_nagra_card
= 1;
845 if ((reader
->typ
== R_SMART
|| reader
->typ
== R_INTERNAL
|| is_smargo_reader(reader
)) && !reader
->ins7e11_fast_reset
)
848 reader
->ins7e11_fast_reset
= 1;
851 reader
->card_atr_length
= 23;
852 const struct s_cardreader
*crdr_ops
= reader
->crdr
;
859 call(crdr_ops
->activate(reader
, newatr
)); // read nagra atr
861 memcpy(reader
->rom
, atr2
+ 8, 15); // get historical bytes containing romrev from nagra atr
862 rdr_log(reader
,"Nagra layer found");
863 rdr_log(reader
,"Rom revision: %.15s", reader
->rom
);
864 reader
->card_atr_length
= 14;
865 reader
->seca_nagra_card
= 2;
866 call(crdr_ops
->activate(reader
, newatr
)); // read seca atr to switch back
868 if ((reader
->typ
== R_SMART
|| reader
->typ
== R_INTERNAL
|| is_smargo_reader(reader
)) && ins7e11_state
== 1)
871 reader
->ins7e11_fast_reset
= 0;
876 rdr_log(reader
," Nagra atr not ok");
880 NULLFREE(reader
->csystem_data
);
881 return ERROR
; // quitting csystem still not having needed commands to run on nagra layer
888 // Private data may be already allocated, see above (the irdeto check).
889 if(!reader
->csystem_data
)
891 if(!cs_malloc(&reader
->csystem_data
, sizeof(struct nagra_data
)))
897 struct nagra_data
*csystem_data
= reader
->csystem_data
;
898 csystem_data
->is_pure_nagra
= is_pure_nagra
;
899 csystem_data
->is_tiger
= is_tiger
;
900 csystem_data
->is_n3_na
= is_n3_na
;
904 if(!csystem_data
->is_tiger
)
906 CamStateRequest(reader
);
907 if(!do_cmd(reader
, 0x12, 0x02, 0x92, 0x06, 0, cta_res
, &cta_lr
))
909 rdr_log_dbg(reader
, D_READER
, "get serial failed");
912 memcpy(reader
->hexserial
+ 2, cta_res
+ 2, 4);
913 memcpy(reader
->sa
[0], cta_res
+ 2, 3);
915 if(!GetDataType(reader
, DT01
, 0x0E))
919 rdr_log_dbg(reader
, D_READER
, "DT01 DONE");
920 CamStateRequest(reader
);
921 if(!GetDataType(reader
, IRDINFO
, 0x39))
925 rdr_log_dbg(reader
, D_READER
, "IRDINFO DONE");
926 CamStateRequest(reader
);
927 if(!GetDataType(reader
, CAMDATA
, 0x55))
931 rdr_log_dbg(reader
, D_READER
, "CAMDATA Done");
932 if(!GetDataType(reader
, 0x04, 0x44))
936 rdr_log_dbg(reader
, D_READER
, "DT04 DONE");
937 CamStateRequest(reader
);
938 if(!GetDataType(reader
, DT06
, 0x16))
942 rdr_log_dbg(reader
, D_READER
, "DT06 DONE");
943 CamStateRequest(reader
);
946 if(!NegotiateSessionKey(reader
))
948 rdr_log_dbg(reader
, D_READER
, "NegotiateSessionKey failed");
951 rdr_log(reader
, "ready for requests");
964 static time_t tiger_date2time(const char *date
)
969 sscanf(date
, "%02d/%02d/%04d", &d
, &m
, &y
);
970 memset(&timeinfo
, 0, sizeof(struct tm
));
971 timeinfo
.tm_year
= y
- 1900;
972 timeinfo
.tm_mon
= m
- 1;
973 timeinfo
.tm_mday
= d
;
975 return mktime(&timeinfo
);
978 static int32_t reccmp(const void *r1
, const void *r2
)
980 int32_t v1
, v2
, y
, m
, d
;
981 sscanf(((ncmed_rec
*)r1
)->date1
, "%02d/%02d/%04d", &d
, &m
, &y
);
982 v1
= y
* 372 + 1 + m
* 31 + d
;
983 sscanf(((ncmed_rec
*)r2
)->date1
, "%02d/%02d/%04d", &d
, &m
, &y
);
984 v2
= y
* 372 + 1 + m
* 31 + d
;
985 return (v1
== v2
) ? 0 : (v1
< v2
) ? -1 : 1;
988 static int32_t reccmp2(const void *r1
, const void *r2
)
990 char rec1
[13], rec2
[13];
991 snprintf(rec1
, sizeof(rec1
), "%04X", ((ncmed_rec
*)r1
)->value
);
992 memcpy(rec1
+ 4, ((ncmed_rec
*)r1
)->date2
+ 6, 4);
993 memcpy(rec1
+ 8, ((ncmed_rec
*)r1
)->date2
+ 3, 2);
994 memcpy(rec1
+ 10, ((ncmed_rec
*)r1
)->date2
, 2);
995 snprintf(rec2
, sizeof(rec2
), "%04X", ((ncmed_rec
*)r2
)->value
);
996 memcpy(rec2
+ 4, ((ncmed_rec
*)r2
)->date2
+ 6, 4);
997 memcpy(rec2
+ 8, ((ncmed_rec
*)r2
)->date2
+ 3, 2);
998 memcpy(rec2
+ 10, ((ncmed_rec
*)r2
)->date2
, 2);
999 rec1
[12] = rec2
[12] = 0;
1000 return strcmp(rec2
, rec1
);
1003 static int32_t nagra2_card_info(struct s_reader
*reader
)
1006 char currdate
[27], tmp
[64];
1007 struct nagra_data
*csystem_data
= reader
->csystem_data
;
1008 rdr_log(reader
, "ROM: %c %c %c %c %c %c %c %c", reader
->rom
[0], reader
->rom
[1], reader
->rom
[2], reader
->rom
[3], reader
->rom
[4], reader
->rom
[5], reader
->rom
[6], reader
->rom
[7]);
1009 rdr_log(reader
, "REV: %c %c %c %c %c %c", reader
->rom
[9], reader
->rom
[10], reader
->rom
[11], reader
->rom
[12], reader
->rom
[13], reader
->rom
[14]);
1010 rdr_log_sensitive(reader
, "SER: {%s}", cs_hexdump(1, reader
->hexserial
+ 2, 4, tmp
, sizeof(tmp
)));
1011 rdr_log(reader
, "CAID: %04X", reader
->caid
);
1012 rdr_log(reader
, "Prv.ID: %s(sysid)", cs_hexdump(1, reader
->prid
[0], 4, tmp
, sizeof(tmp
)));
1014 for(i
= 1; i
< reader
->nprov
; i
++)
1016 rdr_log(reader
, "Prv.ID: %s", cs_hexdump(1, reader
->prid
[i
], 4, tmp
, sizeof(tmp
)));
1018 cs_clear_entitlement(reader
); // reset the entitlements
1020 if(csystem_data
->is_tiger
)
1022 rdr_log(reader
, "Activation Date : %s", nagra_datetime(reader
, csystem_data
->ActivationDate
, 0, currdate
, 0));
1023 rdr_log(reader
, "Expiry Date : %s", nagra_datetime(reader
, csystem_data
->ExpiryDate
, 0, currdate
, &reader
->card_valid_to
));
1026 if(reader
->nagra_read
&& csystem_data
->is_tiger
&& (memcmp(reader
->rom
, "NCMED", 5) == 0 || memcmp(reader
->rom
, "TIGER", 5) == 0))
1028 ncmed_rec records
[255];
1029 int32_t num_records
= 0;
1030 uint8_t tier_cmd1
[] = { 0x00, 0x00 };
1031 uint8_t tier_cmd2
[] = { 0x01, 0x00 };
1034 do_cmd(reader
, 0xD0, 0x04, 0x50, 0x0A, tier_cmd1
, cta_res
, &cta_lr
);
1038 int32_t prepaid
= 0;
1040 int32_t balance
= 0;
1042 uint16_t credit_in
= cta_res
[8] << 8 | cta_res
[9];
1043 uint16_t credit_out
= cta_res
[5] << 8 | cta_res
[6];
1044 balance
= (credit_in
- credit_out
) / 100;
1046 for(i
= 0; i
< 13; ++i
)
1049 do_cmd(reader
, 0xD0, 0x04, 0x50, 0xAA, tier_cmd2
, cta_res
, &cta_lr
);
1052 //rdr_log_dump(reader, cta_res, cta_lr, "NCMED Card Record %d", i+1);
1053 for(j
= 2; j
< cta_res
[1] - 14; ++j
)
1055 if(cta_res
[j
] == 0x80 && cta_res
[j
+ 6] != 0x00)
1057 int32_t val_offs
= 0;
1058 nagra_datetime(reader
, &cta_res
[j
+ 6], 0, records
[num_records
].date2
, 0);
1060 switch(cta_res
[j
+ 1])
1067 nagra_datetime(reader
, &cta_res
[j
+ 8], 0, records
[num_records
].date1
, 0);
1072 nagra_datetime(reader
, &cta_res
[j
+ 6], 0, records
[num_records
].date1
, 0);
1077 rdr_log(reader
, "Unknown record : %s", cs_hexdump(1, &cta_res
[j
], 17, tmp
, sizeof(tmp
)));
1082 records
[num_records
].type
= cta_res
[j
+ 1];
1083 records
[num_records
].value
= cta_res
[j
+ 4] << 8 | cta_res
[j
+ 5];
1084 records
[num_records
++].price
= cta_res
[j
+ 11] << 8 | cta_res
[j
+ 12];
1092 if(reader
->nagra_read
== 1)
1094 qsort(records
, num_records
, sizeof(ncmed_rec
), reccmp
);
1098 qsort(records
, num_records
, sizeof(ncmed_rec
), reccmp2
);
1106 localtime_r(&rawtime
, &timeinfo
);
1107 snprintf(currdate
, sizeof(currdate
), "%02d/%02d/%04d", timeinfo
.tm_mday
, timeinfo
.tm_mon
+ 1, timeinfo
.tm_year
+ 1900);
1109 for(i
= 0; i
< num_records
; ++i
)
1111 switch(records
[i
].type
)
1115 if(reccmp(records
[i
].date2
, currdate
) >= 0)
1117 if(reader
->nagra_read
== 2)
1119 rdr_log(reader
, "Tier : %04X, expiry date: %s %s",
1120 records
[i
].value
, records
[i
].date2
, get_tiername(records
[i
].value
, reader
->caid
, tiername
));
1122 else if(reader
->nagra_read
== 1)
1124 euro
= (records
[i
].price
/ 100);
1125 rdr_log(reader
, "Activation : ( %04X ) from %s to %s (%3d euro) %s",
1126 records
[i
].value
, records
[i
].date1
, records
[i
].date2
, euro
, get_tiername(records
[i
].value
, reader
->caid
, tiername
));
1131 b2ll(4, reader
->prid
[0]),
1134 tiger_date2time(records
[i
].date1
),
1135 tiger_date2time(records
[i
].date2
)+ 0x1517F,
1142 if(reccmp(records
[i
].date2
, currdate
) >= 0)
1144 if(reader
->nagra_read
== 2)
1146 rdr_log(reader
, "Tier : %04X, expiry date: %s %s", records
[i
].value
, records
[i
].date2
, get_tiername(records
[i
].value
, reader
->caid
, tiername
));
1151 b2ll(4, reader
->prid
[0]),
1154 tiger_date2time(records
[i
].date1
),
1155 tiger_date2time(records
[i
].date2
)+ 0x1517F,
1161 if(reader
->nagra_read
== 2)
1163 while(i
< num_records
- 1 && records
[i
].value
== records
[i
+ 1].value
)
1170 for(i
= 0; i
< num_records
; ++i
)
1172 switch(records
[i
].type
)
1175 if(reader
->nagra_read
== 1)
1177 euro
= (records
[i
].price
/ 100) - prepaid
;
1182 rdr_log(reader
, "Recharge : %s (%3d euro)", records
[i
].date2
, euro
);
1188 if(reader
->nagra_read
== 1)
1190 euro
= records
[i
].price
/ 100;
1192 rdr_log(reader
, "Subscription : ( %04X ) from %s to %s (%3d euro) %s",
1193 records
[i
].value
, records
[i
].date1
, records
[i
].date2
, euro
, get_tiername(records
[i
].value
, reader
->caid
, tiername
));
1197 euro
= records
[i
].price
/ 100;
1198 if(reader
->nagra_read
== 1) { credit
-= euro
; }
1199 rdr_log(reader
, "Event purchase : ( %04X ) from %s to %s (%3d euro)", records
[i
].value
, records
[i
].date1
, records
[i
].date2
, euro
);
1204 if(reader
->nagra_read
== 1)
1206 rdr_log(reader
, "Credit : %3d euro", credit
);
1210 rdr_log(reader
, "Credit : %3d euro", balance
);
1218 CamStateRequest(reader
);
1220 if(!do_cmd(reader
, 0x12, 0x02, 0x92, 0x06, 0, cta_res
, &cta_lr
))
1222 rdr_log_dbg(reader
, D_READER
, "get serial failed");
1226 memcpy(reader
->hexserial
+ 2, cta_res
+ 2, 4);
1227 rdr_log_dbg_sensitive(reader
, D_READER
, "SER: {%s}", cs_hexdump(1, reader
->hexserial
+ 2, 4, tmp_dbg
, sizeof(tmp_dbg
)));
1228 memcpy(reader
->sa
[0], cta_res
+ 2, 3);
1231 if(!GetDataType(reader
, IRDINFO
, 0x39))
1236 rdr_log_dbg(reader
, D_READER
, "IRDINFO DONE");
1237 CamStateRequest(reader
);
1239 if((!memcmp(reader
->rom
+ 5, "181", 3)) == 0) // dt05 is not supported by rom181
1241 rdr_log(reader
, "-----------------------------------------");
1242 rdr_log(reader
, "|id |tier |valid from |valid to |");
1243 rdr_log(reader
, "+----+--------+------------+------------+");
1245 if(!GetDataType(reader
, TIERS
, 0x57))
1250 rdr_log(reader
, "-----------------------------------------");
1251 CamStateRequest(reader
);
1257 void nagra2_post_process(struct s_reader
*reader
)
1259 struct nagra_data
*csystem_data
= reader
->csystem_data
;
1260 if(!csystem_data
->is_tiger
)
1262 CamStateRequest(reader
);
1263 if RENEW_SESSIONKEY()
1265 NegotiateSessionKey(reader
);
1270 DateTimeCMD(reader
);
1275 static int32_t nagra2_do_ecm(struct s_reader
*reader
, const ECM_REQUEST
*er
, struct s_ecm_answer
*ea
)
1278 struct nagra_data
*csystem_data
= reader
->csystem_data
;
1279 if(!csystem_data
->is_tiger
)
1282 if(csystem_data
->is_n3_na
)
1284 uint8_t ecm_pkt
[256 + 16];
1285 memset(ecm_pkt
, 0, sizeof(ecm_pkt
));
1286 memcpy(ecm_pkt
, er
->ecm
+ 3 + 2, er
->ecm
[4]);
1288 while(!do_cmd(reader
, er
->ecm
[3] + 1, er
->ecm
[4] + 5 + 2, 0x88, 0x04, ecm_pkt
, cta_res
, &cta_lr
))
1292 rdr_log_dbg(reader
, D_READER
, "nagra2_do_ecm (N3_NA) failed, retry");
1296 rdr_log_dbg(reader
, D_READER
, "nagra2_do_ecm (N3_NA) failed, retry failed!");
1305 if(reader
->ecmcommand
< 5) // cache ecm commands until ecmcommand cache is full
1307 reader
->ecmcommandcache
[reader
->ecmcommand
] = er
->ecm
[3];
1308 reader
->ecmcommand
++;
1310 if(reader
->ecmcommand
== 5) // cache is full, comparing!
1313 int32_t matchfound
= 0;
1314 reader
->ecmcommand
++; // No more caching of ecm commands, next ecms will be compared!
1318 if(reader
->ecmcommandcache
[t
] == er
->ecm
[3])
1327 reader
->ecmcommand
= 0; // reset ecm filter, start a new auto filter attempt
1328 rdr_log_dbg(reader
, D_READER
, "Auto ecm command filter caid %04X failed!", reader
->caid
);
1332 reader
->ecmcommandcache
[0] = er
->ecm
[3]; // Passed the filter, store the normal ecm command for this reader!
1333 rdr_log_dbg(reader
, D_READER
, "Auto ecm command filter caid %04X set to command %02X", reader
->caid
, er
->ecm
[3]);
1337 else if(reader
->ecmcommandcache
[0] != er
->ecm
[3])
1339 rdr_log_dbg(reader
, D_READER
, "Warning: received an abnominal ecm command %02X for caid: %04X, ignoring!", er
->ecm
[3], reader
->caid
);
1340 memset(ea
, 0, sizeof(struct s_ecm_answer
)); // give it back 00000000 to not disturb the loadbalancer for valid ecm requests on this channel.
1344 while(!do_cmd(reader
, er
->ecm
[3], er
->ecm
[4] + 2, 0x87, 0x02, er
->ecm
+ 3 + 2, cta_res
, &cta_lr
))
1348 rdr_log_dbg(reader
, D_READER
, "nagra2_do_ecm failed, retry");
1352 rdr_log_dbg(reader
, D_READER
, "nagra2_do_ecm failed, retry failed!");
1362 while(!CamStateRequest(reader
) && retry
< 3)
1364 rdr_log_dbg(reader
, D_READER
, "CamStateRequest failed, try: %d", retry
);
1369 if(HAS_CW() && (do_cmd(reader
, 0x1C, 0x02, 0x9C, 0x36, NULL
, cta_res
, &cta_lr
)))
1372 memset(v
, 0, sizeof(v
));
1377 if(csystem_data
->swapCW
== 1)
1379 rdr_log_dbg(reader
, D_READER
, "swap cws");
1380 idea_cbc_encrypt(&cta_res
[30], &_cwe1
[0], 8, &csystem_data
->ksSession
, v
, IDEA_DECRYPT
);
1381 memset(v
, 0, sizeof(v
));
1382 idea_cbc_encrypt(&cta_res
[4], &_cwe0
[0], 8, &csystem_data
->ksSession
, v
, IDEA_DECRYPT
);
1386 idea_cbc_encrypt(&cta_res
[30], &_cwe0
[0], 8, &csystem_data
->ksSession
, v
, IDEA_DECRYPT
);
1387 memset(v
, 0, sizeof(v
));
1388 idea_cbc_encrypt(&cta_res
[4], &_cwe1
[0], 8, &csystem_data
->ksSession
, v
, IDEA_DECRYPT
);
1390 rdr_log_dbg(reader
, D_READER
, "CW0 after IDEA decrypt: %s", cs_hexdump(1, _cwe0
, 8, tmp_dbg
, sizeof(tmp_dbg
)));
1391 rdr_log_dbg(reader
, D_READER
, "CW1 after IDEA decrypt: %s", cs_hexdump(1, _cwe1
, 8, tmp_dbg
, sizeof(tmp_dbg
)));
1395 rdr_log_dbg(reader
, D_READER
, "3DES encryption of CWs detected. Using CWPK index:%02X", (csystem_data
->ird_info
& 7));
1397 if(reader
->cak63cwekey_length
!= 16)
1399 rdr_log_dbg(reader
, D_READER
, "ERROR: Invalid CWPK, can not decrypt CW");
1403 des_ecb3_decrypt(_cwe0
, reader
->cak63cwekey
);
1404 des_ecb3_decrypt(_cwe1
, reader
->cak63cwekey
);
1405 rdr_log_dbg(reader
, D_READER
, "CW0 after 3DES decrypt: %s", cs_hexdump(1, _cwe0
, 8, tmp_dbg
, sizeof(tmp_dbg
)));
1406 rdr_log_dbg(reader
, D_READER
, "CW1 after 3DES decrypt: %s", cs_hexdump(1, _cwe1
, 8, tmp_dbg
, sizeof(tmp_dbg
)));
1408 if (!cfg
.disablecrccws
&& !reader
->disablecrccws
&& !chk_if_ignore_checksum((ECM_REQUEST
*) er
, &cfg
.disablecrccws_only_for
) && !chk_if_ignore_checksum((ECM_REQUEST
*) er
, &reader
->disablecrccws_only_for
))
1411 if(((_cwe0
[0] + _cwe0
[1] + _cwe0
[2]) & 0xFF) != _cwe0
[3])
1414 rdr_log_dbg(reader
, D_READER
, "CW0 checksum error [0]");
1417 if(((_cwe0
[4] + _cwe0
[5] + _cwe0
[6]) & 0xFF) != _cwe0
[7])
1420 rdr_log_dbg(reader
, D_READER
, "CW0 checksum error [1]");
1423 if(((_cwe1
[0] + _cwe1
[1] + _cwe1
[2]) & 0xFF) != _cwe1
[3])
1426 rdr_log_dbg(reader
, D_READER
, "CW1 checksum error [0]");
1429 if(((_cwe1
[4] + _cwe1
[5] + _cwe1
[6]) & 0xFF) != _cwe1
[7])
1432 rdr_log_dbg(reader
, D_READER
, "CW1 checksum error [1]");
1437 rdr_log_dbg(reader
, D_READER
, "CW Decrypt failed");
1443 rdr_log_dbg(reader
, D_READER
, "checksum test skipped");
1447 memcpy(ea
->cw
, _cwe0
, 0x08);
1448 memcpy(ea
->cw
+ 8, _cwe1
, 0x08);
1455 // check ECM prov id
1456 if(memcmp(&reader
->prid
[0][2], er
->ecm
+ 5, 2))
1461 // ecm_data: 80 30 89 D3 87 54 11 10 DA A6 0F 4B 92 05 34 00
1462 // serial_data: A0 CA 00 00 8C D3 8A 00 00 00 00 00 10 DA A6 0F
1463 uint8_t ecm_trim
[150];
1464 memset(ecm_trim
, 0, 150);
1465 memcpy(&ecm_trim
[5], er
->ecm
+ 3 + 2 + 2, er
->ecm
[4] + 2);
1467 if(do_cmd(reader
, er
->ecm
[3], er
->ecm
[4] + 5, 0x53, 0x16, ecm_trim
, cta_res
, &cta_lr
))
1469 if(cta_res
[2] == 0x01)
1472 memset(v
, 0, sizeof(v
));
1473 idea_cbc_encrypt(&cta_res
[14], ea
->cw
, 8, &csystem_data
->ksSession
, v
, IDEA_DECRYPT
);
1474 memset(v
, 0, sizeof(v
));
1475 idea_cbc_encrypt(&cta_res
[6], ea
->cw
+ 8, 8, &csystem_data
->ksSession
, v
, IDEA_DECRYPT
);
1478 rdr_log_dbg(reader
, D_READER
, "can't decode ecm");
1485 static int32_t nagra2_do_emm(struct s_reader
*reader
, EMM_PACKET
*ep
)
1488 struct nagra_data
*csystem_data
= reader
->csystem_data
;
1489 if(!csystem_data
->is_tiger
)
1491 if(!do_cmd(reader
, ep
->emm
[8], ep
->emm
[9] + 2, 0x84, 0x02, ep
->emm
+ 8 + 2, cta_res
, &cta_lr
))
1493 rdr_log_dbg(reader
, D_READER
, "nagra2_do_emm failed");
1497 // for slow t14 nagra cards, we must do additional timeout
1498 if(csystem_data
->is_pure_nagra
== 1)
1503 nagra2_post_process(reader
);
1508 if(memcmp(&reader
->prid
[0][2], ep
->emm
+ 10, 2))
1510 rdr_log_dbg(reader
, D_READER
, "EMM skipped since provider doesnt match!");
1514 // emm_data: 82 70 8E 00 00 00 00 00 D3 87 8D 11 C0 F4 B1 27 2C 3D 25 94 ...
1515 //serial_data: A0 CA 00 00 8C D3 8A 01 00 00 00 00 C0 F4 B1 27 2C 3D 25 94 ...
1516 uint8_t emm_trim
[150] = { 0x01, 0x00, 0x00, 0x00, 0x00 };
1517 memcpy(&emm_trim
[5], ep
->emm
+ 3 + 5 + 2 + 2, ep
->emm
[9] + 2);
1519 if(!do_cmd(reader
, ep
->emm
[8], ep
->emm
[9] + 5, 0x53, 0x16, emm_trim
, cta_res
, &cta_lr
))
1521 rdr_log_dbg(reader
, D_READER
, "nagra2_do_emm failed");
1527 if(ep
->type
!= GLOBAL
)
1531 int64_t gone
= comp_timeb(&now
, &reader
->emm_last
);
1532 if(gone
> 3600*1000)
1534 add_job(reader
->client
, ACTION_READER_CARDINFO
, NULL
, 0); // refresh entitlement since it might have been changed!
1540 const struct s_cardsystem reader_nagra
=
1543 .caids
= (uint16_t[]){ 0x18, 0 },
1544 .do_emm
= nagra2_do_emm
,
1545 .do_ecm
= nagra2_do_ecm
,
1546 .post_process
= nagra2_post_process
,
1547 .card_info
= nagra2_card_info
,
1548 .card_init
= nagra2_card_init
,
1549 .get_emm_type
= nagra_get_emm_type
,
1550 .get_emm_filter
= nagra_get_emm_filter
,