search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
- fix Building without Nagra not possible at Nagra_Merlin https://trac.streamboard...
[oscam.git] / reader-nagra.c
blob3e67b77d3910be7feb194202a952dca7859d7465
1 #include "globals.h"
2 #ifdef READER_NAGRA
3 #include "cscrypt/bn.h"
4 #include "cscrypt/idea.h"
5 #include "cscrypt/des.h"
6 #include "oscam-time.h"
7 #include "reader-common.h"
8 #include "reader-nagra-common.h"
9 #include "oscam-work.h"
10 #include "oscam-chk.h"
11
12 int8_t ins7e11_state = 0;
13
14 struct nagra_data
15 {
16 IDEA_KEY_SCHEDULE ksSession;
17 int8_t is_pure_nagra;
18 int8_t is_tiger;
19 int8_t is_n3_na;
20 int8_t has_dt08;
21 int8_t swapCW;
22 uint8_t ExpiryDate[2];
23 uint8_t ActivationDate[2];
24 uint8_t plainDT08RSA[64];
25 uint8_t IdeaCamKey[16];
26 uint8_t sessi[16];
27 uint8_t signature[8];
28 uint8_t ird_info;
29 uint8_t cam_state[3];
30 };
31
32 // Card Status checks
33 #define HAS_CW() ((csystem_data->cam_state[2]&6)==6)
34 #define RENEW_SESSIONKEY() ((csystem_data->cam_state[0]&128)==128 || (csystem_data->cam_state[0]&64)==64 || (csystem_data->cam_state[0]&32)==32 || (csystem_data->cam_state[2]&8)==8)
35 #define SENDDATETIME() (csystem_data->cam_state[0]&8)
36 // IRD Info
37 #define CW_NEEDS_3DES() ((csystem_data->ird_info&0x18)==0x18)
38 // Datatypes
39 #define DT01 0x01
40 #define IRDINFO 0x00
41 #define TIERS 0x05
42 #define DT06 0x06
43 #define CAMDATA 0x08
44
45 static time_t tier_date(uint32_t date, char *buf, int32_t l)
46 {
47 time_t ut = 870393600L + date * (24 * 3600);
48 if(buf)
49 {
50 struct tm t;
51 t.tm_isdst = -1;
52 cs_gmtime_r(&ut, &t);
53 l = 27;
54 snprintf(buf, l, "%04d/%02d/%02d", t.tm_year + 1900, t.tm_mon + 1, t.tm_mday);
55 }
56 return ut;
57 }
58
59 static char *nagra_datetime(struct s_reader *rdr, uint8_t *ndays, int32_t offset, char *result, time_t *t)
60 {
61 struct nagra_data *csystem_data = rdr->csystem_data;
62 struct tm tms;
63 memset(&tms, 0, sizeof(tms));
64 int32_t days = (ndays[0] << 8 | ndays[1]) + offset;
65 int32_t sec = 0;
66
67 if(!csystem_data->is_tiger)
68 {
69 sec = (ndays[2] << 8 | ndays[3]);
70 }
71
72 if(days > 0x41B4 && sizeof(time_t) < 8) // to overcome 32-bit systems limitations
73 {
74 days = 0x41A2; // 01-01-2038
75 }
76
77 tms.tm_year = 92;
78 tms.tm_mday = days + 1;
79 tms.tm_sec = sec;
80 time_t ut = mktime(&tms);
81
82 if(t)
83 {
84 *t = ut;
85 }
86
87 if(csystem_data->is_tiger)
88 {
89 snprintf(result, 27, "%02d/%02d/%04d", tms.tm_mday, tms.tm_mon + 1, tms.tm_year + 1900);
90 }
91 else
92 {
93 snprintf(result, 33, "%04d/%02d/%02d %02d:%02d", tms.tm_year + 1900, tms.tm_mon + 1, tms.tm_mday, tms.tm_hour, tms.tm_min);
94 }
95 return result;
96 }
97
98 static int32_t do_cmd(struct s_reader *reader, uint8_t cmd, int32_t ilen, uint8_t res, int32_t rlen, const uint8_t *data, uint8_t *cta_res, uint16_t *p_cta_lr)
99 {
100 /*
101 here we build the command related to the protocol T1 for ROM142 or T14 for ROM181
102 the only different that i know is the command length byte msg[4], this msg[4]+=1 by a ROM181 smartcard (_nighti_)
103 one example for the cmd$C0
104 T14 protocol: 01 A0 CA 00 00 03 C0 00 06 91
105 T1 protocol: 21 00 08 A0 CA 00 00 02 C0 00 06 87
106 */
107 int32_t msglen = ilen + 6;
108 uint8_t msg[msglen];
109 static const char nagra_head[] = {0xA0, 0xCA, 0x00, 0x00};
110 struct nagra_data *csystem_data = reader->csystem_data;
111
112 memset(msg, 0, msglen);
113 memcpy(msg, nagra_head, 4);
114 msg[4] = ilen;
115 msg[5] = cmd;
116 int32_t dlen = ilen - 2;
117 msg[6] = dlen;
118
119 if(data && dlen > 0)
120 {
121 memcpy(msg + 7, data, dlen);
122 }
123
124 msg[dlen + 7] = rlen;
125 if(dlen < 0)
126 {
127 rdr_log_dbg(reader, D_READER, "invalid data length encountered");
128 return ERROR;
129 }
130
131 if(csystem_data->is_pure_nagra == 1)
132 {
133 msg[4] += 1;
134 }
135
136 if(!reader_cmd2icc(reader, msg, msglen, cta_res, p_cta_lr))
137 {
138 cs_sleepms(5);
139
140 if(cta_res[0] != res)
141 {
142 rdr_log_dbg(reader, D_READER, "result not expected (%02x != %02x)", cta_res[0], res);
143 return ERROR;
144 }
145
146 if((*p_cta_lr - 2) != rlen)
147 {
148 rdr_log_dbg(reader, D_READER, "result length expected (%d != %d)", (*p_cta_lr - 2), rlen);
149 return ERROR;
150 }
151 return *p_cta_lr;
152 }
153 return ERROR;
154 }
155
156 static void ReverseMem(uint8_t *vIn, int32_t len)
157 {
158 uint8_t temp;
159 int32_t i;
160
161 for(i = 0; i < (len / 2); i++)
162 {
163 temp = vIn[i];
164 vIn[i] = vIn[len - i - 1];
165 vIn[len - i - 1] = temp;
166 }
167 }
168
169 static void Signature(uint8_t *sig, const uint8_t *vkey, const uint8_t *msg, int32_t len)
170 {
171 IDEA_KEY_SCHEDULE ks;
172 uint8_t v[8];
173 uint8_t b200[16];
174 uint8_t b0f0[8];
175 memcpy(b200, vkey, sizeof(b200));
176 int32_t i;
177 int32_t j;
178
179 for(i = 0; i < len; i += 8)
180 {
181 idea_set_encrypt_key(b200, &ks);
182 memset(v, 0, sizeof(v));
183 idea_cbc_encrypt(msg + i, b0f0, 8, &ks, v, IDEA_DECRYPT);
184
185 for(j = 7; j >= 0; j--)
186 {
187 b0f0[j] ^= msg[i + j];
188 }
189 memcpy(b200 + 0, b0f0, 8);
190 memcpy(b200 + 8, b0f0, 8);
191 }
192 memcpy(sig, b0f0, 8);
193 return;
194 }
195
196 static int32_t CamStateRequest(struct s_reader *reader)
197 {
198 def_resp;
199 struct nagra_data *csystem_data = reader->csystem_data;
200 char tmp_dbg[10];
201
202 if(do_cmd(reader, 0xC0, 0x02, 0xB0, 0x06, NULL, cta_res, &cta_lr))
203 {
204 csystem_data->ird_info = cta_res[2];
205 rdr_log_dbg(reader, D_READER, "Irdinfo: %02X", csystem_data->ird_info);
206 memcpy(csystem_data->cam_state, cta_res + 3, 3);
207 rdr_log_dbg(reader, D_READER, "Camstate: %s", cs_hexdump(1, csystem_data->cam_state, 3, tmp_dbg, sizeof(tmp_dbg)));
208 }
209 else
210 {
211 rdr_log_dbg(reader, D_READER, "CamStateRequest failed");
212 return ERROR;
213 }
214 return OK;
215 }
216
217 static void DateTimeCMD(struct s_reader *reader)
218 {
219 def_resp;
220 if(!do_cmd(reader, 0xC8, 0x02, 0xB8, 0x06, NULL, cta_res, &cta_lr))
221 {
222 rdr_log_dbg(reader, D_READER, "DateTimeCMD failed!");
223 }
224
225 }
226
227 static int32_t NegotiateSessionKey_Tiger(struct s_reader *reader)
228 {
229 def_resp;
230 uint8_t exponent = 0x11;
231 uint8_t parte_fija[120];
232 uint8_t parte_variable[88];
233 uint8_t d1_rsa_modulo[88];
234 uint8_t d2_data[88];
235 uint8_t sign1[8];
236 uint8_t sk[16];
237 uint8_t tmp[104];
238 uint8_t idea_key[16];
239 uint8_t rnd[88];
240 char tmp2[17];
241 struct nagra_data *csystem_data = reader->csystem_data;
242
243 if(!do_cmd(reader, 0xd1, 0x02, 0x51, 0xd2, NULL, cta_res, &cta_lr))
244 {
245 rdr_log_dbg(reader, D_READER, "CMD$D1 failed");
246 return ERROR;
247 }
248
249 BN_CTX *ctx = BN_CTX_new();
250 #ifdef WITH_LIBCRYPTO
251 BN_CTX_start(ctx);
252 #endif
253 BIGNUM *bnN = BN_CTX_get(ctx);
254 BIGNUM *bnE = BN_CTX_get(ctx);
255 BIGNUM *bnCT = BN_CTX_get(ctx);
256 BIGNUM *bnPT = BN_CTX_get(ctx);
257 BN_bin2bn(reader->rsa_mod, 120, bnN);
258 BN_bin2bn(&exponent, 1, bnE);
259 BN_bin2bn(&cta_res[90], 120, bnCT);
260 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
261 memset(parte_fija, 0, 120);
262 BN_bn2bin(bnPT, parte_fija + (120 - BN_num_bytes(bnPT)));
263 BN_CTX_end(ctx);
264 BN_CTX_free(ctx);
265
266 rdr_log_dbg(reader, D_READER, "---------- SIG CHECK ---------------------");
267 memset(tmp, 0, 104);
268 memcpy(tmp + 4, parte_fija + 11, 100);
269 memset(idea_key, 0x37, 16);
270 Signature(sign1, idea_key, tmp, 104);
271 rdr_log_dbg(reader, D_READER, "sign1: %s", cs_hexdump(0, sign1, 8, tmp2, sizeof(tmp2)));
272 rdr_log_dbg(reader, D_READER, "sign2: %s", cs_hexdump(0, parte_fija + 111, 8, tmp2, sizeof(tmp2)));
273
274 if((!memcmp(parte_fija + 111, sign1, 8)) == 0)
275 {
276 rdr_log_dbg(reader, D_READER, "signature check nok");
277 rdr_log_dbg(reader, D_READER, "------------------------------------------");
278 return ERROR;
279 }
280 rdr_log_dbg(reader, D_READER, "signature check ok");
281 rdr_log_dbg(reader, D_READER, "------------------------------------------");
282
283 memcpy(reader->hexserial + 2, parte_fija + 15, 4);
284 memcpy(reader->sa[0], parte_fija + 15, 3);
285
286 memcpy(reader->irdId, parte_fija + 19, 4);
287 memcpy(d1_rsa_modulo, parte_fija + 23, 88);
288
289 ReverseMem(cta_res + 2, 88);
290 BN_CTX *ctx1 = BN_CTX_new();
291 #ifdef WITH_LIBCRYPTO
292 BN_CTX_start(ctx1);
293 #endif
294 BIGNUM *bnN1 = BN_CTX_get(ctx1);
295 BIGNUM *bnE1 = BN_CTX_get(ctx1);
296 BIGNUM *bnCT1 = BN_CTX_get(ctx1);
297 BIGNUM *bnPT1 = BN_CTX_get(ctx1);
298 BN_bin2bn(d1_rsa_modulo, 88, bnN1);
299 BN_bin2bn(&exponent, 1, bnE1);
300 BN_bin2bn(cta_res + 2, 88, bnCT1);
301 BN_mod_exp(bnPT1, bnCT1, bnE1, bnN1, ctx1);
302 memset(parte_variable, 0, 88);
303 BN_bn2bin(bnPT1, parte_variable + (88 - BN_num_bytes(bnPT1)));
304 BN_CTX_end(ctx1);
305 BN_CTX_free(ctx1);
306
307 csystem_data->ActivationDate[0] = parte_variable[65];
308 csystem_data->ActivationDate[1] = parte_variable[66];
309 csystem_data->ExpiryDate[0] = parte_variable[69];
310 csystem_data->ExpiryDate[1] = parte_variable[70];
311
312 reader->prid[0][0] = 0x00;
313 reader->prid[0][1] = 0x00;
314 reader->prid[0][2] = parte_variable[73];
315 reader->prid[0][3] = parte_variable[74];
316 reader->caid = (SYSTEM_NAGRA | parte_variable[76]);
317 memcpy(sk, &parte_variable[79], 8);
318 memset(sk + 8, 0xBB, 8);
319 rdr_log_sensitive(reader, "type: NAGRA, caid: %04X, IRD ID: {%s}", reader->caid, cs_hexdump(1, reader->irdId, 4, tmp2, sizeof(tmp2)));
320 rdr_log(reader, "ProviderID: %s", cs_hexdump(1, reader->prid[0], 4, tmp2, sizeof(tmp2)));
321
322 memcpy(rnd, sk, 8);
323 memset(&rnd[8], 0xBB, 79);
324 rnd[87] = 0x6B;
325 ReverseMem(rnd, 88);
326
327
328 BN_CTX *ctx3 = BN_CTX_new();
329 #ifdef WITH_LIBCRYPTO
330 BN_CTX_start(ctx3);
331 #endif
332 BIGNUM *bnN3 = BN_CTX_get(ctx3);
333 BIGNUM *bnE3 = BN_CTX_get(ctx3);
334 BIGNUM *bnCT3 = BN_CTX_get(ctx3);
335 BIGNUM *bnPT3 = BN_CTX_get(ctx3);
336 BN_bin2bn(d1_rsa_modulo, 88, bnN3);
337 BN_bin2bn(&exponent, 1, bnE3);
338 BN_bin2bn(rnd, 88, bnCT3);
339 BN_mod_exp(bnPT3, bnCT3, bnE3, bnN3, ctx3);
340 memset(d2_data, 0, 88);
341 BN_bn2bin(bnPT3, d2_data + (88 - BN_num_bytes(bnPT3)));
342 BN_CTX_end(ctx3);
343 BN_CTX_free(ctx3);
344 ReverseMem(d2_data, 88);
345
346 if(!do_cmd(reader, 0xd2, 0x5a, 0x52, 0x03, d2_data, cta_res, &cta_lr))
347 {
348 rdr_log_dbg(reader, D_READER, "CMD$D2 failed");
349 return ERROR;
350 }
351
352 if(cta_res[2] == 0x00)
353 {
354 memcpy(csystem_data->sessi, sk, 16);
355 IDEA_KEY_SCHEDULE ks;
356 idea_set_encrypt_key(csystem_data->sessi, &ks);
357 idea_set_decrypt_key(&ks, &csystem_data->ksSession);
358 rdr_log_dbg(reader, D_READER, "Tiger session key negotiated");
359 return OK;
360 }
361
362 rdr_log(reader, "Negotiate sessionkey was not successful! Please check tivusat rsa key");
363 return ERROR;
364 }
365
366 static int32_t NegotiateSessionKey(struct s_reader *reader)
367 {
368 def_resp;
369 uint8_t negot[64];
370 uint8_t cmd2b[] = {
371 0x21, 0x40, 0x4D, 0xA0, 0xCA, 0x00, 0x00, 0x47, 0x27, 0x45,
372 0x1C, 0x54, 0xd1, 0x26, 0xe7, 0xe2, 0x40, 0x20,
373 0xd1, 0x66, 0xf4, 0x18, 0x97, 0x9d, 0x5f, 0x16,
374 0x8f, 0x7f, 0x7a, 0x55, 0x15, 0x82, 0x31, 0x14,
375 0x06, 0x57, 0x1a, 0x3f, 0xf0, 0x75, 0x62, 0x41,
376 0xc2, 0x84, 0xda, 0x4c, 0x2e, 0x84, 0xe9, 0x29,
377 0x13, 0x81, 0xee, 0xd6, 0xa9, 0xf5, 0xe9, 0xdb,
378 0xaf, 0x22, 0x51, 0x3d, 0x44, 0xb3, 0x20, 0x83,
379 0xde, 0xcb, 0x5f, 0x35, 0x2b, 0xb0, 0xce, 0x70,
380 0x01, 0x02, 0x03, 0x04, //IRD nr
381 0x00 };//keynr
382
383 uint8_t cmd2a[] = {
384 0x00,
385 0xA5, 0xFB, 0x02, 0x76, //NUID
386 0x00, 0x08, //OTP-CSC
387 0x00, 0x00, //OTA-CSC
388 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
389 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
390 0x00,
391 0x22, 0x11 }; //Provider ID
392
393 uint8_t tmp[64];
394 uint8_t idea1[16];
395 uint8_t idea2[16];
396 uint8_t sign1[8];
397 uint8_t sign2[8];
398 struct nagra_data *csystem_data = reader->csystem_data;
399
400 if(csystem_data->is_tiger)
401 {
402 if(!NegotiateSessionKey_Tiger(reader))
403 {
404 rdr_log_dbg(reader, D_READER, "NegotiateSessionKey_Tiger failed");
405 return ERROR;
406 }
407 return OK;
408 }
409
410 if(!csystem_data->has_dt08) // if we have no valid dt08 calc then we use rsa from config and hexserial for calc of sessionkey
411 {
412 rdr_log_dbg(reader, D_READER, "No valid DT08 calc using rsa from config and serial from card");
413 memcpy(csystem_data->plainDT08RSA, reader->rsa_mod, 64);
414 memcpy(csystem_data->signature, reader->boxkey, 8);
415 }
416
417 if((csystem_data->is_n3_na) && (!do_cmd(reader, 0x29, 0x02, 0xA9, 0x04, NULL, cta_res, &cta_lr)))
418 {
419 rdr_log_dbg(reader, D_READER, "Nagra3: CMD$29 failed");
420 return ERROR;
421 }
422
423 memcpy(tmp, reader->irdId, 4);
424 tmp[4] = 0; //keynr 0
425
426 if(!csystem_data->is_n3_na)
427 {
428 if (reader->cak63nuid_length == 4) //nuid is set
429 {
430 // inject provid
431 cmd2a[26] = reader->prid[0][2];
432 cmd2a[27] = reader->prid[0][3];
433
434 memcpy(&cmd2a[1], reader->cak63nuid, 4); // inject NUID
435
436 if (!do_cmd(reader, 0x2a,0x1E,0xAA,0x42, cmd2a, cta_res, &cta_lr))
437 {
438 rdr_log_dbg(reader, D_READER, "CMD$2A failed");
439 return ERROR;
440 }
441 }
442 else
443 {
444 if(!do_cmd(reader, 0x2a, 0x02, 0xaa, 0x42, NULL, cta_res, &cta_lr))
445 {
446 rdr_log_dbg(reader, D_READER, "CMD$2A failed");
447 return ERROR;
448 }
449
450 }
451 }
452 else if(!do_cmd(reader, 0x26, 0x07, 0xa6, 0x42, tmp, cta_res, &cta_lr))
453 {
454 rdr_log_dbg(reader, D_READER, "CMD$26 failed");
455 return ERROR;
456 }
457
458 // RSA decrypt of cmd$2a data, result is stored in "negot"
459 ReverseMem(cta_res + 2, 64);
460 uint8_t vFixed[] = {0, 1, 2, 3};
461 BN_CTX *ctx = BN_CTX_new();
462 #ifdef WITH_LIBCRYPTO
463 BN_CTX_start(ctx);
464 #endif
465 BIGNUM *bnN = BN_CTX_get(ctx);
466 BIGNUM *bnE = BN_CTX_get(ctx);
467 BIGNUM *bnCT = BN_CTX_get(ctx);
468 BIGNUM *bnPT = BN_CTX_get(ctx);
469 BN_bin2bn(csystem_data->plainDT08RSA, 64, bnN);
470 BN_bin2bn(vFixed + 3, 1, bnE);
471 BN_bin2bn(cta_res + 2, 64, bnCT);
472 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
473 memset(negot, 0, 64);
474 BN_bn2bin(bnPT, negot + (64 - BN_num_bytes(bnPT)));
475
476 memcpy(tmp, negot, 64);
477 ReverseMem(tmp, 64);
478
479 // build sessionkey
480 // first halve is IDEA Hashed in chuncs of 8 bytes using the Signature1 from dt08 calc, CamID-Inv.CamID(16 bytes key) the results are the First 8 bytes of the Session key
481 memcpy(idea1, csystem_data->signature, 8);
482 memcpy(idea1 + 8, reader->hexserial + 2, 4);
483 idea1[12] = ~reader->hexserial[2];
484 idea1[13] = ~reader->hexserial[3];
485 idea1[14] = ~reader->hexserial[4];
486 idea1[15] = ~reader->hexserial[5];
487
488 Signature(sign1, idea1, tmp, 32);
489 memcpy(idea2, sign1, 8);
490 memcpy(idea2 + 8, sign1, 8);
491 Signature(sign2, idea2, tmp, 32);
492 memcpy(csystem_data->sessi, sign1, 8);
493 memcpy(csystem_data->sessi + 8, sign2, 8);
494
495 // prepare cmd$2b data
496 BN_bin2bn(negot, 64, bnCT);
497 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
498 memset(cmd2b + 10, 0, 64);
499 BN_bn2bin(bnPT, cmd2b + 10 + (64 - BN_num_bytes(bnPT)));
500 BN_CTX_end(ctx);
501 BN_CTX_free(ctx);
502 ReverseMem(cmd2b + 10, 64);
503
504 IDEA_KEY_SCHEDULE ks;
505 idea_set_encrypt_key(csystem_data->sessi, &ks);
506 idea_set_decrypt_key(&ks, &csystem_data->ksSession);
507
508 memcpy(cmd2b + 74, reader->irdId, 4);
509 cmd2b[78] = 0; //keynr
510
511 if(!csystem_data->is_n3_na)
512 {
513 if(!do_cmd(reader, 0x2b, 0x42, 0xab, 0x02, cmd2b + 10, cta_res, &cta_lr))
514 {
515 rdr_log_dbg(reader, D_READER, "CMD$2B failed");
516 return ERROR;
517 }
518 }
519 else if(!do_cmd(reader, 0x27, 0x47, 0xa7, 0x02, cmd2b + 10, cta_res, &cta_lr))
520 {
521 rdr_log_dbg(reader, D_READER, "CMD$27 failed");
522 return ERROR;
523 }
524
525 rdr_log_dbg(reader, D_READER, "session key negotiated");
526
527 DateTimeCMD(reader);
528
529 if(!CamStateRequest(reader))
530 {
531 rdr_log_dbg(reader, D_READER, "CamStateRequest failed");
532 return ERROR;
533 }
534
535 if RENEW_SESSIONKEY()
536 {
537 rdr_log(reader, "Negotiate sessionkey was not successful! Please check rsa key and boxkey");
538 return ERROR;
539 }
540
541 return OK;
542 }
543
544 static void decryptDT08(struct s_reader *reader, uint8_t *cta_res)
545 {
546 uint8_t vFixed[] = {0, 1, 2, 3};
547 uint8_t v[72];
548 uint8_t buf[72];
549 uint8_t sign2[8];
550 uint8_t static_dt08[73];
551 uint8_t camid[4];
552 char tmp_dbg[13];
553 int32_t i, n;
554 BN_CTX *ctx;
555 BIGNUM *bn_mod, *bn_exp, *bn_data, *bn_res;
556 struct nagra_data *csystem_data = reader->csystem_data;
557
558 memcpy(static_dt08, &cta_res[12], 73);
559 // decrypt RSA Part of dt08
560 bn_mod = BN_new();
561 bn_exp = BN_new();
562 bn_data = BN_new();
563 bn_res = BN_new();
564 ctx = BN_CTX_new();
565
566 if(ctx == NULL)
567 {
568 rdr_log_dbg(reader, D_READER, "RSA Error in dt08 decrypt");
569 }
570 ReverseMem(static_dt08 + 1, 64);
571 BN_bin2bn(reader->rsa_mod, 64, bn_mod); // rsa modulus
572 BN_bin2bn(vFixed + 3, 1, bn_exp); // exponent
573 BN_bin2bn(static_dt08 + 1, 64, bn_data);
574 BN_mod_exp(bn_res, bn_data, bn_exp, bn_mod, ctx);
575 memset(static_dt08 + 1, 0, 64);
576 n = BN_bn2bin(bn_res, static_dt08 + 1);
577 BN_CTX_free(ctx);
578 ReverseMem(static_dt08 + 1, n);
579
580 // RSA data can never be bigger than the modulo
581 static_dt08[64] |= static_dt08[0] & 0x80;
582
583 // IdeaCamKey
584 memcpy(&csystem_data->IdeaCamKey[0], reader->boxkey, 8);
585 memcpy(&csystem_data->IdeaCamKey[8], reader->irdId, 4);
586
587 for(i = 0; i < 4; i++)
588 {
589 csystem_data->IdeaCamKey[12 + i] = ~reader->irdId[i];
590 }
591
592 // now IDEA decrypt
593 IDEA_KEY_SCHEDULE ks;
594 idea_set_encrypt_key(csystem_data->IdeaCamKey, &ks);
595 idea_set_decrypt_key(&ks, &csystem_data->ksSession);
596 memcpy(&buf[0], static_dt08 + 1, 64);
597 memcpy(&buf[64], static_dt08 + 65, 8);
598 memset(v, 0, sizeof(v));
599 memset(static_dt08, 0, sizeof(static_dt08));
600 idea_cbc_encrypt(buf, static_dt08, 72, &csystem_data->ksSession, v, IDEA_DECRYPT);
601
602 if(csystem_data->swapCW == 1)
603 {
604 memset(camid, 0xff, 4);
605 }
606 else
607 {
608 memcpy(camid, reader->hexserial + 2, 4);
609 }
610 rdr_log_dbg(reader, D_READER, "using camid %s for dt08 calc", cs_hexdump(1, camid, 4, tmp_dbg, sizeof(tmp_dbg)));
611
612 // Calculate csystem_data->signature
613 memcpy(csystem_data->signature, static_dt08, 8);
614 memset(static_dt08 + 0, 0, 4);
615 memcpy(static_dt08 + 4, camid, 4);
616 Signature(sign2, csystem_data->IdeaCamKey, static_dt08, 72);
617
618 if(memcmp(csystem_data->signature, sign2, 8) == 0)
619 {
620 csystem_data->has_dt08 = 1;
621 memcpy(csystem_data->plainDT08RSA, static_dt08 + 8, 64);
622 rdr_log_dbg(reader, D_READER, "DT08 signature check ok");
623 }
624 else
625 {
626 csystem_data->has_dt08 = 0;
627 rdr_log_dbg(reader, D_READER, "DT08 signature check nok");
628 }
629
630 BN_free(bn_mod);
631 BN_free(bn_exp);
632 BN_free(bn_data);
633 BN_free(bn_res);
634 }
635
636 static void addProvider(struct s_reader *reader, uint8_t *cta_res)
637 {
638 int32_t i;
639 int32_t toadd = 1;
640 for(i = 0; i < reader->nprov; i++)
641 {
642 if((cta_res[7] == reader->prid[i][2]) && (cta_res[8] == reader->prid[i][3]))
643 {
644 toadd = 0;
645 }
646 }
647
648 if(toadd)
649 {
650 reader->prid[reader->nprov][0] = 0;
651 reader->prid[reader->nprov][1] = 0;
652 reader->prid[reader->nprov][2] = cta_res[7];
653 reader->prid[reader->nprov][3] = cta_res[8];
654 memcpy(reader->sa[reader->nprov], reader->sa[0], 4);
655 reader->nprov += 1;
656 }
657 }
658
659 static int32_t ParseDataType(struct s_reader *reader, uint8_t dt, uint8_t *cta_res, uint16_t cta_lr)
660 {
661 struct nagra_data *csystem_data = reader->csystem_data;
662 char ds[20], de[16];
663 uint16_t chid;
664
665 switch(dt)
666 {
667 case IRDINFO:
668 {
669 reader->prid[0][0] = 0;
670 reader->prid[0][1] = 0;
671 reader->prid[0][2] = cta_res[7];
672 reader->prid[0][3] = cta_res[8];
673
674 // provider 3411, 0401 needs cw swap
675 if(((cta_res[7] == 0x34) && (cta_res[8] == 0x11)) || ((cta_res[7] == 0x04) && (cta_res[8] == 0x01)))
676 {
677 rdr_log_dbg(reader, D_READER, "detect provider with swap cw!");
678 csystem_data->swapCW = 1;
679 }
680
681 reader->prid[1][0] = 0x00;
682 reader->prid[1][1] = 0x00;
683 reader->prid[1][2] = 0x00;
684 reader->prid[1][3] = 0x00;
685 memcpy(reader->sa[1], reader->sa[0], 4);
686 reader->nprov += 1;
687
688 reader->caid = (SYSTEM_NAGRA | cta_res[11]);
689 memcpy(reader->irdId, cta_res + 14, 4);
690
691 // do not output on init but only afterwards in card_info
692 if(reader->csystem_active)
693 {
694 rdr_log_sensitive(reader, "IRD ID: {%s}", cs_hexdump(1, reader->irdId, 4, ds, sizeof(ds)));
695 nagra_datetime(reader, cta_res + 24, 0, ds, &reader->card_valid_to);
696 rdr_log(reader, "active to: %s", ds);
697 }
698 return OK;
699 }
700
701 case TIERS:
702 if((cta_lr > 33) && (chid = b2i(2, cta_res + 11)))
703 {
704 int32_t id = (cta_res[7] * 256) | cta_res[8];
705 int32_t expire_date1 = b2i(2, cta_res + 13);
706 int32_t expire_date2 = b2i(2, cta_res + 24);
707 int32_t sooner_expire_date = expire_date1 <= expire_date2 ? expire_date1 : expire_date2;
708 // todo: add entitlements to list
709 cs_add_entitlement(reader, reader->caid, id, chid, 0, tier_date(b2i(2, cta_res + 20) - 0x7f7, ds, 15), tier_date(sooner_expire_date - 0x7f7, de, 15), 4, 1);
710 rdr_log(reader, "|%04X|%04X |%s |%s |", id, chid, ds, de);
711 addProvider(reader, cta_res);
712 }
713 return OK;
714
715 case 0x08:
716 case 0x88:
717 if(cta_res[11] == 0x49)
718 {
719 decryptDT08(reader, cta_res);
720 }
721 return OK;
722
723 default:
724 return OK;
725 }
726 return ERROR;
727 }
728
729 static int32_t GetDataType(struct s_reader *reader, uint8_t dt, int32_t len)
730 {
731 def_resp;
732 int32_t result = OK;
733
734 while(result == OK)
735 {
736 if(!do_cmd(reader, 0x22, 0x03, 0xA2, len, &dt, cta_res, &cta_lr))
737 {
738 rdr_log_dbg(reader, D_READER, "failed to get datatype %02X", dt);
739 result = ERROR;
740 break;
741 }
742
743 if((cta_res[2] == 0) && ((dt&0x80) == 0x80))
744 {
745 result = OK;
746 break;
747 }
748
749 if(!ParseDataType(reader, dt & 0x0F, cta_res, cta_lr))
750 {
751 result = ERROR;
752 break;
753 }
754
755 if(((dt&0x0F) != TIERS) && (cta_res[11] == 0x49) && ((dt&0x80) == 0x80))
756 {
757 result = OK;
758 break;
759 }
760 dt |= 0x80; // get next item
761 }
762 return result;
763 }
764
765 static int32_t nagra2_card_init(struct s_reader *reader, ATR *newatr)
766 {
767 get_atr;
768 def_resp;
769 memset(reader->rom, 0, 15);
770 static const uint8_t ins80[] = { 0x80, 0xCA, 0x00, 0x00, 0x11 }; // switch to nagra layer
771 static const uint8_t handshake[] = { 0xEE, 0x51, 0xDC, 0xB8, 0x4A, 0x1C, 0x15, 0x05, 0xB5, 0xA6, 0x9B, 0x91, 0xBA, 0x33, 0x19, 0xC4, 0x10 }; // nagra handshake
772
773 int8_t is_pure_nagra = 0;
774 int8_t is_tiger = 0;
775 int8_t is_n3_na = 0;
776 memset(reader->irdId, 0xff, 4);
777 memset(reader->hexserial, 0, 8);
778
779 cs_clear_entitlement(reader); // reset the entitlements
780
781 if(memcmp(atr + 11, "DNASP240", 8) == 0 || memcmp(atr + 11, "DNASP241", 8) == 0)
782 {
783 rdr_log(reader, "detect nagra 3 NA card");
784 memcpy(reader->rom, atr + 11, 15);
785 is_n3_na = 1;
786 }
787 else if((memcmp(atr + 11, "DNASP", 5) == 0) && (memcmp(atr + 11, "DNASP4", 6) != 0))
788 {
789 rdr_log(reader, "detect native nagra card");
790 memcpy(reader->rom, atr + 11, 15);
791 }
792 else if(memcmp(atr + 11, "TIGER", 5) == 0 || (memcmp(atr + 11, "NCMED", 5) == 0))
793 {
794 rdr_log(reader, "detect nagra tiger card");
795 memcpy(reader->rom, atr + 11, 15);
796 is_tiger = 1;
797 }
798 else if((!memcmp(atr + 4, "IRDETO", 6)) && ((atr[14] == 0x03) && (atr[15] == 0x84) && (atr[16] == 0x55)))
799 {
800 rdr_log(reader, "detect irdeto tunneled nagra card");
801 if(!array_has_nonzero_byte(reader->rsa_mod, 64))
802 {
803 rdr_log(reader, "no rsa key configured -> using irdeto mode");
804 return ERROR;
805 }
806
807 if(reader->force_irdeto)
808 {
809 rdr_log(reader, "rsa key configured but irdeto mode forced -> using irdeto mode");
810 return ERROR;
811 }
812
813 rdr_log(reader, "rsa key configured -> using nagra mode");
814 is_pure_nagra = 1;
815
816 if(!cs_malloc(&reader->csystem_data, sizeof(struct nagra_data)))
817 {
818 return ERROR;
819 }
820
821 struct nagra_data *csystem_data = reader->csystem_data;
822 csystem_data->is_pure_nagra = is_pure_nagra;
823
824 if(!do_cmd(reader, 0x10, 0x02, 0x90, 0x11, 0, cta_res, &cta_lr))
825 {
826 rdr_log_dbg(reader, D_READER, "get rom version failed");
827 return ERROR;
828 }
829 memcpy(reader->rom, cta_res + 2, 15);
830 }
831 else if(!reader->cak7_mode && reader->detect_seca_nagra_tunneled_card && memcmp(atr + 7, "pp", 2) == 0 && ((atr[9]&0x0F) >= 10))
832 {
833 rdr_log(reader, "detect seca/nagra tunneled card");
834
835 if(!cs_malloc(&reader->csystem_data, sizeof(struct nagra_data)))
836 {
837 rdr_log(reader,"mem alloc error"); return ERROR;
838 }
839
840 if(!card_write(reader, ins80, handshake, cta_res, &cta_lr)) // try to init nagra layer
841 {
842 if(cta_res[0] == 0x61 && cta_res[1] == 0x10)
843 {
844 reader->seca_nagra_card = 1;
845 if ((reader->typ == R_SMART || reader->typ == R_INTERNAL || is_smargo_reader(reader)) && !reader->ins7e11_fast_reset)
846 {
847 ins7e11_state = 1;
848 reader->ins7e11_fast_reset = 1;
849 }
850
851 reader->card_atr_length = 23;
852 const struct s_cardreader *crdr_ops = reader->crdr;
853
854 if (!crdr_ops)
855 {
856 return ERROR;
857 }
858
859 call(crdr_ops->activate(reader, newatr)); // read nagra atr
860 get_atr2;
861 memcpy(reader->rom, atr2 + 8, 15); // get historical bytes containing romrev from nagra atr
862 rdr_log(reader,"Nagra layer found");
863 rdr_log(reader,"Rom revision: %.15s", reader->rom);
864 reader->card_atr_length = 14;
865 reader->seca_nagra_card = 2;
866 call(crdr_ops->activate(reader, newatr)); // read seca atr to switch back
867
868 if ((reader->typ == R_SMART || reader->typ == R_INTERNAL || is_smargo_reader(reader)) && ins7e11_state == 1)
869 {
870 ins7e11_state = 0;
871 reader->ins7e11_fast_reset = 0;
872 }
873 }
874 else
875 {
876 rdr_log(reader," Nagra atr not ok");
877 return ERROR;
878 }
879 }
880 NULLFREE(reader->csystem_data);
881 return ERROR; // quitting csystem still not having needed commands to run on nagra layer
882 }
883 else
884 {
885 return ERROR;
886 }
887
888 // Private data may be already allocated, see above (the irdeto check).
889 if(!reader->csystem_data)
890 {
891 if(!cs_malloc(&reader->csystem_data, sizeof(struct nagra_data)))
892 {
893 return ERROR;
894 }
895 }
896
897 struct nagra_data *csystem_data = reader->csystem_data;
898 csystem_data->is_pure_nagra = is_pure_nagra;
899 csystem_data->is_tiger = is_tiger;
900 csystem_data->is_n3_na = is_n3_na;
901
902 reader->nprov = 1;
903
904 if(!csystem_data->is_tiger)
905 {
906 CamStateRequest(reader);
907 if(!do_cmd(reader, 0x12, 0x02, 0x92, 0x06, 0, cta_res, &cta_lr))
908 {
909 rdr_log_dbg(reader, D_READER, "get serial failed");
910 return ERROR;
911 }
912 memcpy(reader->hexserial + 2, cta_res + 2, 4);
913 memcpy(reader->sa[0], cta_res + 2, 3);
914
915 if(!GetDataType(reader, DT01, 0x0E))
916 {
917 return ERROR;
918 }
919 rdr_log_dbg(reader, D_READER, "DT01 DONE");
920 CamStateRequest(reader);
921 if(!GetDataType(reader, IRDINFO, 0x39))
922 {
923 return ERROR;
924 }
925 rdr_log_dbg(reader, D_READER, "IRDINFO DONE");
926 CamStateRequest(reader);
927 if(!GetDataType(reader, CAMDATA, 0x55))
928 {
929 return ERROR;
930 }
931 rdr_log_dbg(reader, D_READER, "CAMDATA Done");
932 if(!GetDataType(reader, 0x04, 0x44))
933 {
934 return ERROR;
935 }
936 rdr_log_dbg(reader, D_READER, "DT04 DONE");
937 CamStateRequest(reader);
938 if(!GetDataType(reader, DT06, 0x16))
939 {
940 return ERROR;
941 }
942 rdr_log_dbg(reader, D_READER, "DT06 DONE");
943 CamStateRequest(reader);
944 }
945
946 if(!NegotiateSessionKey(reader))
947 {
948 rdr_log_dbg(reader, D_READER, "NegotiateSessionKey failed");
949 return ERROR;
950 }
951 rdr_log(reader, "ready for requests");
952 return OK;
953 }
954
955 typedef struct
956 {
957 char date1[11];
958 char date2[11];
959 uint8_t type;
960 uint16_t value;
961 uint16_t price;
962 } ncmed_rec;
963
964 static time_t tiger_date2time(const char *date)
965 {
966 struct tm timeinfo;
967 int32_t y, m, d;
968
969 sscanf(date, "%02d/%02d/%04d", &d, &m, &y);
970 memset(&timeinfo, 0, sizeof(struct tm));
971 timeinfo.tm_year = y - 1900;
972 timeinfo.tm_mon = m - 1;
973 timeinfo.tm_mday = d;
974
975 return mktime(&timeinfo);
976 }
977
978 static int32_t reccmp(const void *r1, const void *r2)
979 {
980 int32_t v1, v2, y, m, d;
981 sscanf(((ncmed_rec *)r1)->date1, "%02d/%02d/%04d", &d, &m, &y);
982 v1 = y * 372 + 1 + m * 31 + d;
983 sscanf(((ncmed_rec *)r2)->date1, "%02d/%02d/%04d", &d, &m, &y);
984 v2 = y * 372 + 1 + m * 31 + d;
985 return (v1 == v2) ? 0 : (v1 < v2) ? -1 : 1;
986 }
987
988 static int32_t reccmp2(const void *r1, const void *r2)
989 {
990 char rec1[13], rec2[13];
991 snprintf(rec1, sizeof(rec1), "%04X", ((ncmed_rec *)r1)->value);
992 memcpy(rec1 + 4, ((ncmed_rec *)r1)->date2 + 6, 4);
993 memcpy(rec1 + 8, ((ncmed_rec *)r1)->date2 + 3, 2);
994 memcpy(rec1 + 10, ((ncmed_rec *)r1)->date2, 2);
995 snprintf(rec2, sizeof(rec2), "%04X", ((ncmed_rec *)r2)->value);
996 memcpy(rec2 + 4, ((ncmed_rec *)r2)->date2 + 6, 4);
997 memcpy(rec2 + 8, ((ncmed_rec *)r2)->date2 + 3, 2);
998 memcpy(rec2 + 10, ((ncmed_rec *)r2)->date2, 2);
999 rec1[12] = rec2[12] = 0;
1000 return strcmp(rec2, rec1);
1001 }
1002
1003 static int32_t nagra2_card_info(struct s_reader *reader)
1004 {
1005 int32_t i;
1006 char currdate[27], tmp[64];
1007 struct nagra_data *csystem_data = reader->csystem_data;
1008 rdr_log(reader, "ROM: %c %c %c %c %c %c %c %c", reader->rom[0], reader->rom[1], reader->rom[2], reader->rom[3], reader->rom[4], reader->rom[5], reader->rom[6], reader->rom[7]);
1009 rdr_log(reader, "REV: %c %c %c %c %c %c", reader->rom[9], reader->rom[10], reader->rom[11], reader->rom[12], reader->rom[13], reader->rom[14]);
1010 rdr_log_sensitive(reader, "SER: {%s}", cs_hexdump(1, reader->hexserial + 2, 4, tmp, sizeof(tmp)));
1011 rdr_log(reader, "CAID: %04X", reader->caid);
1012 rdr_log(reader, "Prv.ID: %s(sysid)", cs_hexdump(1, reader->prid[0], 4, tmp, sizeof(tmp)));
1013
1014 for(i = 1; i < reader->nprov; i++)
1015 {
1016 rdr_log(reader, "Prv.ID: %s", cs_hexdump(1, reader->prid[i], 4, tmp, sizeof(tmp)));
1017 }
1018 cs_clear_entitlement(reader); // reset the entitlements
1019
1020 if(csystem_data->is_tiger)
1021 {
1022 rdr_log(reader, "Activation Date : %s", nagra_datetime(reader, csystem_data->ActivationDate, 0, currdate, 0));
1023 rdr_log(reader, "Expiry Date : %s", nagra_datetime(reader, csystem_data->ExpiryDate, 0, currdate, &reader->card_valid_to));
1024 }
1025
1026 if(reader->nagra_read && csystem_data->is_tiger && (memcmp(reader->rom, "NCMED", 5) == 0 || memcmp(reader->rom, "TIGER", 5) == 0))
1027 {
1028 ncmed_rec records[255];
1029 int32_t num_records = 0;
1030 uint8_t tier_cmd1[] = { 0x00, 0x00 };
1031 uint8_t tier_cmd2[] = { 0x01, 0x00 };
1032 def_resp;
1033 int32_t j;
1034 do_cmd(reader, 0xD0, 0x04, 0x50, 0x0A, tier_cmd1, cta_res, &cta_lr);
1035
1036 if(cta_lr == 0x0C)
1037 {
1038 int32_t prepaid = 0;
1039 int32_t credit = 0;
1040 int32_t balance = 0;
1041
1042 uint16_t credit_in = cta_res[8] << 8 | cta_res[9];
1043 uint16_t credit_out = cta_res[5] << 8 | cta_res[6];
1044 balance = (credit_in - credit_out) / 100;
1045
1046 for(i = 0; i < 13; ++i)
1047 {
1048 tier_cmd2[1] = i;
1049 do_cmd(reader, 0xD0, 0x04, 0x50, 0xAA, tier_cmd2, cta_res, &cta_lr);
1050 if(cta_lr == 0xAC)
1051 {
1052 //rdr_log_dump(reader, cta_res, cta_lr, "NCMED Card Record %d", i+1);
1053 for(j = 2; j < cta_res[1] - 14; ++j)
1054 {
1055 if(cta_res[j] == 0x80 && cta_res[j + 6] != 0x00)
1056 {
1057 int32_t val_offs = 0;
1058 nagra_datetime(reader, &cta_res[j + 6], 0, records[num_records].date2, 0);
1059
1060 switch(cta_res[j + 1])
1061 {
1062 case 0x00:
1063 case 0x01:
1064 case 0x20:
1065 case 0x21:
1066 case 0x29:
1067 nagra_datetime(reader, &cta_res[j + 8], 0, records[num_records].date1, 0);
1068 val_offs = 1;
1069 break;
1070
1071 case 0x80:
1072 nagra_datetime(reader, &cta_res[j + 6], 0, records[num_records].date1, 0);
1073 val_offs = 1;
1074 break;
1075
1076 default:
1077 rdr_log(reader, "Unknown record : %s", cs_hexdump(1, &cta_res[j], 17, tmp, sizeof(tmp)));
1078 }
1079
1080 if(val_offs > 0)
1081 {
1082 records[num_records].type = cta_res[j + 1];
1083 records[num_records].value = cta_res[j + 4] << 8 | cta_res[j + 5];
1084 records[num_records++].price = cta_res[j + 11] << 8 | cta_res[j + 12];
1085 }
1086 j += 16;
1087 }
1088 }
1089 }
1090 }
1091
1092 if(reader->nagra_read == 1)
1093 {
1094 qsort(records, num_records, sizeof(ncmed_rec), reccmp);
1095 }
1096 else
1097 {
1098 qsort(records, num_records, sizeof(ncmed_rec), reccmp2);
1099 }
1100
1101 int32_t euro = 0;
1102 char tiername[83];
1103 time_t rawtime;
1104 struct tm timeinfo;
1105 time(&rawtime);
1106 localtime_r(&rawtime, &timeinfo);
1107 snprintf(currdate, sizeof(currdate), "%02d/%02d/%04d", timeinfo.tm_mday, timeinfo.tm_mon + 1, timeinfo.tm_year + 1900);
1108
1109 for(i = 0; i < num_records; ++i)
1110 {
1111 switch(records[i].type)
1112 {
1113 case 0x00:
1114 case 0x01:
1115 if(reccmp(records[i].date2, currdate) >= 0)
1116 {
1117 if(reader->nagra_read == 2)
1118 {
1119 rdr_log(reader, "Tier : %04X, expiry date: %s %s",
1120 records[i].value, records[i].date2, get_tiername(records[i].value, reader->caid, tiername));
1121 }
1122 else if(reader->nagra_read == 1)
1123 {
1124 euro = (records[i].price / 100);
1125 rdr_log(reader, "Activation : ( %04X ) from %s to %s (%3d euro) %s",
1126 records[i].value, records[i].date1, records[i].date2, euro, get_tiername(records[i].value, reader->caid, tiername));
1127 }
1128 cs_add_entitlement(
1129 reader,
1130 reader->caid,
1131 b2ll(4, reader->prid[0]),
1132 records[i].value,
1133 0,
1134 tiger_date2time(records[i].date1),
1135 tiger_date2time(records[i].date2)+ 0x1517F,
1136 4,
1137 1);
1138 } break;
1139
1140 case 0x20:
1141 case 0x21:
1142 if(reccmp(records[i].date2, currdate) >= 0)
1143 {
1144 if(reader->nagra_read == 2)
1145 {
1146 rdr_log(reader, "Tier : %04X, expiry date: %s %s", records[i].value, records[i].date2, get_tiername(records[i].value, reader->caid, tiername));
1147 }
1148 cs_add_entitlement(
1149 reader,
1150 reader->caid,
1151 b2ll(4, reader->prid[0]),
1152 records[i].value,
1153 0,
1154 tiger_date2time(records[i].date1),
1155 tiger_date2time(records[i].date2)+ 0x1517F,
1156 4,
1157 1);
1158 } break;
1159 }
1160
1161 if(reader->nagra_read == 2)
1162 {
1163 while(i < num_records - 1 && records[i].value == records[i + 1].value)
1164 {
1165 ++i;
1166 }
1167 }
1168 }
1169
1170 for(i = 0; i < num_records; ++i)
1171 {
1172 switch(records[i].type)
1173 {
1174 case 0x80:
1175 if(reader->nagra_read == 1)
1176 {
1177 euro = (records[i].price / 100) - prepaid;
1178 credit += euro;
1179 prepaid += euro;
1180 if(euro)
1181 {
1182 rdr_log(reader, "Recharge : %s (%3d euro)", records[i].date2, euro);
1183 }
1184 } break;
1185
1186 case 0x20:
1187 case 0x21:
1188 if(reader->nagra_read == 1)
1189 {
1190 euro = records[i].price / 100;
1191 credit -= euro;
1192 rdr_log(reader, "Subscription : ( %04X ) from %s to %s (%3d euro) %s",
1193 records[i].value, records[i].date1, records[i].date2, euro, get_tiername(records[i].value, reader->caid, tiername));
1194 } break;
1195
1196 case 0x29:
1197 euro = records[i].price / 100;
1198 if(reader->nagra_read == 1) { credit -= euro; }
1199 rdr_log(reader, "Event purchase : ( %04X ) from %s to %s (%3d euro)", records[i].value, records[i].date1, records[i].date2, euro);
1200 break;
1201 }
1202 }
1203
1204 if(reader->nagra_read == 1)
1205 {
1206 rdr_log(reader, "Credit : %3d euro", credit);
1207 }
1208 else
1209 {
1210 rdr_log(reader, "Credit : %3d euro", balance);
1211 }
1212 }
1213 }
1214 else
1215 {
1216 def_resp;
1217 char tmp_dbg[13];
1218 CamStateRequest(reader);
1219
1220 if(!do_cmd(reader, 0x12, 0x02, 0x92, 0x06, 0, cta_res, &cta_lr))
1221 {
1222 rdr_log_dbg(reader, D_READER, "get serial failed");
1223 return ERROR;
1224 }
1225
1226 memcpy(reader->hexserial + 2, cta_res + 2, 4);
1227 rdr_log_dbg_sensitive(reader, D_READER, "SER: {%s}", cs_hexdump(1, reader->hexserial + 2, 4, tmp_dbg, sizeof(tmp_dbg)));
1228 memcpy(reader->sa[0], cta_res + 2, 3);
1229 reader->nprov = 1;
1230
1231 if(!GetDataType(reader, IRDINFO, 0x39))
1232 {
1233 return ERROR;
1234 }
1235
1236 rdr_log_dbg(reader, D_READER, "IRDINFO DONE");
1237 CamStateRequest(reader);
1238
1239 if((!memcmp(reader->rom + 5, "181", 3)) == 0) // dt05 is not supported by rom181
1240 {
1241 rdr_log(reader, "-----------------------------------------");
1242 rdr_log(reader, "|id |tier |valid from |valid to |");
1243 rdr_log(reader, "+----+--------+------------+------------+");
1244
1245 if(!GetDataType(reader, TIERS, 0x57))
1246 {
1247 return ERROR;
1248 }
1249
1250 rdr_log(reader, "-----------------------------------------");
1251 CamStateRequest(reader);
1252 }
1253 }
1254 return OK;
1255 }
1256
1257 void nagra2_post_process(struct s_reader *reader)
1258 {
1259 struct nagra_data *csystem_data = reader->csystem_data;
1260 if(!csystem_data->is_tiger)
1261 {
1262 CamStateRequest(reader);
1263 if RENEW_SESSIONKEY()
1264 {
1265 NegotiateSessionKey(reader);
1266 }
1267
1268 if SENDDATETIME()
1269 {
1270 DateTimeCMD(reader);
1271 }
1272 }
1273 }
1274
1275 static int32_t nagra2_do_ecm(struct s_reader *reader, const ECM_REQUEST *er, struct s_ecm_answer *ea)
1276 {
1277 def_resp;
1278 struct nagra_data *csystem_data = reader->csystem_data;
1279 if(!csystem_data->is_tiger)
1280 {
1281 int32_t retry = 0;
1282 if(csystem_data->is_n3_na)
1283 {
1284 uint8_t ecm_pkt[256 + 16];
1285 memset(ecm_pkt, 0, sizeof(ecm_pkt));
1286 memcpy(ecm_pkt, er->ecm + 3 + 2, er->ecm[4]);
1287
1288 while(!do_cmd(reader, er->ecm[3] + 1, er->ecm[4] + 5 + 2, 0x88, 0x04, ecm_pkt, cta_res, &cta_lr))
1289 {
1290 if(retry == 0)
1291 {
1292 rdr_log_dbg(reader, D_READER, "nagra2_do_ecm (N3_NA) failed, retry");
1293 }
1294 else
1295 {
1296 rdr_log_dbg(reader, D_READER, "nagra2_do_ecm (N3_NA) failed, retry failed!");
1297 return ERROR;
1298 }
1299 retry++;
1300 cs_sleepms(10);
1301 }
1302 }
1303 else
1304 {
1305 if(reader->ecmcommand < 5) // cache ecm commands until ecmcommand cache is full
1306 {
1307 reader->ecmcommandcache[reader->ecmcommand] = er->ecm[3];
1308 reader->ecmcommand++;
1309
1310 if(reader->ecmcommand == 5) // cache is full, comparing!
1311 {
1312 int32_t t = 0;
1313 int32_t matchfound = 0;
1314 reader->ecmcommand++; // No more caching of ecm commands, next ecms will be compared!
1315
1316 while(t < 5)
1317 {
1318 if(reader->ecmcommandcache[t] == er->ecm[3])
1319 {
1320 matchfound++;
1321 }
1322 t++;
1323 }
1324
1325 if(matchfound != 5)
1326 {
1327 reader->ecmcommand = 0; // reset ecm filter, start a new auto filter attempt
1328 rdr_log_dbg(reader, D_READER, "Auto ecm command filter caid %04X failed!", reader->caid);
1329 }
1330 else
1331 {
1332 reader->ecmcommandcache[0] = er->ecm[3]; // Passed the filter, store the normal ecm command for this reader!
1333 rdr_log_dbg(reader, D_READER, "Auto ecm command filter caid %04X set to command %02X", reader->caid, er->ecm[3]);
1334 }
1335 }
1336 }
1337 else if(reader->ecmcommandcache[0] != er->ecm[3])
1338 {
1339 rdr_log_dbg(reader, D_READER, "Warning: received an abnominal ecm command %02X for caid: %04X, ignoring!", er->ecm[3], reader->caid);
1340 memset(ea, 0, sizeof(struct s_ecm_answer)); // give it back 00000000 to not disturb the loadbalancer for valid ecm requests on this channel.
1341 return OK;
1342 }
1343
1344 while(!do_cmd(reader, er->ecm[3], er->ecm[4] + 2, 0x87, 0x02, er->ecm + 3 + 2, cta_res, &cta_lr))
1345 {
1346 if(retry == 0)
1347 {
1348 rdr_log_dbg(reader, D_READER, "nagra2_do_ecm failed, retry");
1349 }
1350 else
1351 {
1352 rdr_log_dbg(reader, D_READER, "nagra2_do_ecm failed, retry failed!");
1353 return ERROR;
1354 }
1355 retry++;
1356 cs_sleepms(10);
1357 }
1358 }
1359 cs_sleepms(10);
1360
1361 retry = 0;
1362 while(!CamStateRequest(reader) && retry < 3)
1363 {
1364 rdr_log_dbg(reader, D_READER, "CamStateRequest failed, try: %d", retry);
1365 retry++;
1366 cs_sleepms(10);
1367 }
1368
1369 if(HAS_CW() && (do_cmd(reader, 0x1C, 0x02, 0x9C, 0x36, NULL, cta_res, &cta_lr)))
1370 {
1371 uint8_t v[8];
1372 memset(v, 0, sizeof(v));
1373 uint8_t _cwe0[8];
1374 uint8_t _cwe1[8];
1375 char tmp_dbg[25];
1376
1377 if(csystem_data->swapCW == 1)
1378 {
1379 rdr_log_dbg(reader, D_READER, "swap cws");
1380 idea_cbc_encrypt(&cta_res[30], &_cwe1[0], 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
1381 memset(v, 0, sizeof(v));
1382 idea_cbc_encrypt(&cta_res[4], &_cwe0[0], 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
1383 }
1384 else
1385 {
1386 idea_cbc_encrypt(&cta_res[30], &_cwe0[0], 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
1387 memset(v, 0, sizeof(v));
1388 idea_cbc_encrypt(&cta_res[4], &_cwe1[0], 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
1389 }
1390 rdr_log_dbg(reader, D_READER, "CW0 after IDEA decrypt: %s", cs_hexdump(1, _cwe0, 8, tmp_dbg, sizeof(tmp_dbg)));
1391 rdr_log_dbg(reader, D_READER, "CW1 after IDEA decrypt: %s", cs_hexdump(1, _cwe1, 8, tmp_dbg, sizeof(tmp_dbg)));
1392
1393 if(CW_NEEDS_3DES())
1394 {
1395 rdr_log_dbg(reader, D_READER, "3DES encryption of CWs detected. Using CWPK index:%02X", (csystem_data->ird_info & 7));
1396
1397 if(reader->cak63cwekey_length != 16)
1398 {
1399 rdr_log_dbg(reader, D_READER, "ERROR: Invalid CWPK, can not decrypt CW");
1400 return ERROR;
1401 }
1402
1403 des_ecb3_decrypt(_cwe0, reader->cak63cwekey);
1404 des_ecb3_decrypt(_cwe1, reader->cak63cwekey);
1405 rdr_log_dbg(reader, D_READER, "CW0 after 3DES decrypt: %s", cs_hexdump(1, _cwe0, 8, tmp_dbg, sizeof(tmp_dbg)));
1406 rdr_log_dbg(reader, D_READER, "CW1 after 3DES decrypt: %s", cs_hexdump(1, _cwe1, 8, tmp_dbg, sizeof(tmp_dbg)));
1407
1408 if (!cfg.disablecrccws && !reader->disablecrccws && !chk_if_ignore_checksum((ECM_REQUEST*) er, &cfg.disablecrccws_only_for) && !chk_if_ignore_checksum((ECM_REQUEST*) er, &reader->disablecrccws_only_for))
1409 {
1410 int chkok = 1;
1411 if(((_cwe0[0] + _cwe0[1] + _cwe0[2]) & 0xFF) != _cwe0[3])
1412 {
1413 chkok = 0;
1414 rdr_log_dbg(reader, D_READER, "CW0 checksum error [0]");
1415 }
1416
1417 if(((_cwe0[4] + _cwe0[5] + _cwe0[6]) & 0xFF) != _cwe0[7])
1418 {
1419 chkok = 0;
1420 rdr_log_dbg(reader, D_READER, "CW0 checksum error [1]");
1421 }
1422
1423 if(((_cwe1[0] + _cwe1[1] + _cwe1[2]) & 0xFF) != _cwe1[3])
1424 {
1425 chkok = 0;
1426 rdr_log_dbg(reader, D_READER, "CW1 checksum error [0]");
1427 }
1428
1429 if(((_cwe1[4] + _cwe1[5] + _cwe1[6]) & 0xFF) != _cwe1[7])
1430 {
1431 chkok = 0;
1432 rdr_log_dbg(reader, D_READER, "CW1 checksum error [1]");
1433 }
1434
1435 if(chkok == 0)
1436 {
1437 rdr_log_dbg(reader, D_READER, "CW Decrypt failed");
1438 return ERROR;
1439 }
1440 }
1441 else
1442 {
1443 rdr_log_dbg(reader, D_READER, "checksum test skipped");
1444 }
1445 }
1446
1447 memcpy(ea->cw, _cwe0, 0x08);
1448 memcpy(ea->cw + 8, _cwe1, 0x08);
1449
1450 return OK;
1451 }
1452 }
1453 else
1454 {
1455 // check ECM prov id
1456 if(memcmp(&reader->prid[0][2], er->ecm + 5, 2))
1457 {
1458 return ERROR;
1459 }
1460
1461 // ecm_data: 80 30 89 D3 87 54 11 10 DA A6 0F 4B 92 05 34 00
1462 // serial_data: A0 CA 00 00 8C D3 8A 00 00 00 00 00 10 DA A6 0F
1463 uint8_t ecm_trim[150];
1464 memset(ecm_trim, 0, 150);
1465 memcpy(&ecm_trim[5], er->ecm + 3 + 2 + 2, er->ecm[4] + 2);
1466
1467 if(do_cmd(reader, er->ecm[3], er->ecm[4] + 5, 0x53, 0x16, ecm_trim, cta_res, &cta_lr))
1468 {
1469 if(cta_res[2] == 0x01)
1470 {
1471 uint8_t v[8];
1472 memset(v, 0, sizeof(v));
1473 idea_cbc_encrypt(&cta_res[14], ea->cw, 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
1474 memset(v, 0, sizeof(v));
1475 idea_cbc_encrypt(&cta_res[6], ea->cw + 8, 8, &csystem_data->ksSession, v, IDEA_DECRYPT);
1476 return OK;
1477 }
1478 rdr_log_dbg(reader, D_READER, "can't decode ecm");
1479 return ERROR;
1480 }
1481 }
1482 return ERROR;
1483 }
1484
1485 static int32_t nagra2_do_emm(struct s_reader *reader, EMM_PACKET *ep)
1486 {
1487 def_resp;
1488 struct nagra_data *csystem_data = reader->csystem_data;
1489 if(!csystem_data->is_tiger)
1490 {
1491 if(!do_cmd(reader, ep->emm[8], ep->emm[9] + 2, 0x84, 0x02, ep->emm + 8 + 2, cta_res, &cta_lr))
1492 {
1493 rdr_log_dbg(reader, D_READER, "nagra2_do_emm failed");
1494 return ERROR;
1495 }
1496
1497 // for slow t14 nagra cards, we must do additional timeout
1498 if(csystem_data->is_pure_nagra == 1)
1499 {
1500 cs_sleepms(300);
1501 }
1502 cs_sleepms(250);
1503 nagra2_post_process(reader);
1504 }
1505 else
1506 {
1507 //check EMM prov id
1508 if(memcmp(&reader->prid[0][2], ep->emm + 10, 2))
1509 {
1510 rdr_log_dbg(reader, D_READER, "EMM skipped since provider doesnt match!");
1511 return SKIPPED;
1512 }
1513
1514 // emm_data: 82 70 8E 00 00 00 00 00 D3 87 8D 11 C0 F4 B1 27 2C 3D 25 94 ...
1515 //serial_data: A0 CA 00 00 8C D3 8A 01 00 00 00 00 C0 F4 B1 27 2C 3D 25 94 ...
1516 uint8_t emm_trim[150] = { 0x01, 0x00, 0x00, 0x00, 0x00 };
1517 memcpy(&emm_trim[5], ep->emm + 3 + 5 + 2 + 2, ep->emm[9] + 2);
1518
1519 if(!do_cmd(reader, ep->emm[8], ep->emm[9] + 5, 0x53, 0x16, emm_trim, cta_res, &cta_lr))
1520 {
1521 rdr_log_dbg(reader, D_READER, "nagra2_do_emm failed");
1522 return ERROR;
1523 }
1524 cs_sleepms(300);
1525 }
1526
1527 if(ep->type != GLOBAL)
1528 {
1529 struct timeb now;
1530 cs_ftime(&now);
1531 int64_t gone = comp_timeb(&now, &reader->emm_last);
1532 if(gone > 3600*1000)
1533 {
1534 add_job(reader->client, ACTION_READER_CARDINFO, NULL, 0); // refresh entitlement since it might have been changed!
1535 }
1536 }
1537 return OK;
1538 }
1539
1540 const struct s_cardsystem reader_nagra =
1541 {
1542 .desc = "nagra",
1543 .caids = (uint16_t[]){ 0x18, 0 },
1544 .do_emm = nagra2_do_emm,
1545 .do_ecm = nagra2_do_ecm,
1546 .post_process = nagra2_post_process,
1547 .card_info = nagra2_card_info,
1548 .card_init = nagra2_card_init,
1549 .get_emm_type = nagra_get_emm_type,
1550 .get_emm_filter = nagra_get_emm_filter,
1551 };
1552
1553 #endif
Open Source Conditional Access Modul