search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Attempt to count descramblers used properly
[oscam.git] / reader-conax.c
blob00317be77139303edde42b1dbdaddbb4425662aa
1 #include "globals.h"
2 #ifdef READER_CONAX
3 #include "cscrypt/bn.h"
4 #include "reader-common.h"
5
6 static int32_t RSA_CNX(struct s_reader *reader, uint8_t *msg, uint8_t *mod, uint8_t *exp, uint32_t cta_lr, uint32_t modbytes, uint32_t expbytes)
7 {
8 int32_t ret = 0;
9 uint32_t n = 0, pre_size = 0, size = 0;
10 BN_CTX *ctx;
11 BIGNUM *bn_mod, *bn_exp, *bn_data, *bn_res;
12 uint8_t data[64];
13
14 /*prefix size*/
15 pre_size = 2 + 4 + msg[5];
16
17 /*size of data to decryption*/
18 if(msg[1] > (pre_size - 2))
19 { size = msg[1] - pre_size + 2; }
20
21 if(cta_lr > (pre_size + size) && size >= modbytes && size < 128)
22 {
23 ctx = BN_CTX_new();
24
25 if(ctx == NULL)
26 {
27 rdr_log_dbg(reader, D_READER, "RSA Error in RSA_CNX");
28 }
29
30 BN_CTX_start(ctx);
31 bn_mod = BN_CTX_get(ctx);
32 bn_exp = BN_CTX_get(ctx);
33 bn_data = BN_CTX_get(ctx);
34 bn_res = BN_CTX_get(ctx);
35
36 /*RSA first round*/
37 BN_bin2bn(mod, modbytes, bn_mod); // rsa modulus
38 BN_bin2bn(exp, expbytes, bn_exp); // exponent
39 BN_bin2bn(msg + pre_size, modbytes, bn_data);
40 BN_mod_exp(bn_res, bn_data, bn_exp, bn_mod, ctx);
41
42 n = BN_bn2bin(bn_res, data);
43
44 size -= modbytes; // 3
45 pre_size += modbytes;
46
47 /*Check if second round is needed*/
48 if(0 < size)
49 {
50 /*check if length of data from first RSA round will be enough to padding rest of data*/
51 if((n + size) >= modbytes)
52 {
53 /*RSA second round*/
54 /*move the remaining data at the beginning of the buffer*/
55 memcpy(msg, msg + pre_size, size);
56 /*padding buffer with data from first round*/
57 memcpy(msg + size, data + (n - (modbytes - size)), modbytes - size);
58
59 BN_bin2bn(msg, modbytes, bn_data);
60 BN_mod_exp(bn_res, bn_data, bn_exp, bn_mod, ctx);
61 n = BN_bn2bin(bn_res, data);
62 if(0x25 != data[0])
63 { ret = -1; } /*RSA key is probably wrong*/
64 }
65 else
66 { ret = -3; } /*wrong size of data for second round*/
67 }
68
69 if(0 == ret)
70 { memcpy(msg, data, n); }
71
72 BN_CTX_end(ctx);
73 BN_CTX_free(ctx);
74 }
75 else
76 { ret = -2; } /*wrong size of data*/
77
78 return ret;
79 }
80
81 static time_t chid_date(const uint8_t *ptr, char *buf, int32_t l)
82 {
83 time_t rc = 0;
84 struct tm timeinfo;
85 memset(&timeinfo, 0, sizeof(struct tm));
86
87 if(buf)
88 {
89 timeinfo.tm_year = 90 + (ptr[1] >> 4) + (((ptr[0] >> 5) & 7) * 10);
90 timeinfo.tm_mon = (ptr[1] & 0xf) - 1;
91 timeinfo.tm_mday = ptr[0] & 0x1f;
92 timeinfo.tm_isdst = -1;
93 rc = mktime(&timeinfo);
94 strftime(buf, l, "%Y/%m/%d", &timeinfo);
95 }
96 return (rc);
97 }
98
99 static int32_t read_record(struct s_reader *reader, const uint8_t *cmd, const uint8_t *data, uint8_t *cta_res)
100 {
101 uint16_t cta_lr;
102 uint8_t insCA[] = { 0xDD, 0xCA, 0x00, 0x00, 0x00 };
103
104 write_cmd(cmd, data); // select record
105 if(cta_res[0] != 0x98)
106 { return (-1); }
107
108 insCA[4] = cta_res[1]; // get len
109 write_cmd(insCA, NULL); // read record
110
111 if((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1]))
112 { return (-1); }
113
114 return (cta_lr - 2);
115 }
116
117 static uint8_t PairingECMRotation(struct s_reader *reader, const ECM_REQUEST *er, int32_t n)
118 {
119 uint8_t cta_res[CTA_RES_LEN] = { 0x00 };
120 uint8_t ins26[] = { 0xDD, 0x26, 0x00, 0x00, 0x03, 0x10, 0x01, 0x00 };
121 uint8_t cnxcurrecm = 0;
122
123 if(0x0 != reader->rsa_mod[0] && n > 3 &&
124 0x54 == er->ecm[n - 3] &&
125 0x02 == er->ecm[n - 2] &&
126 0x00 == er->ecm[n - 1])
127 {
128 cnxcurrecm = 1;
129 }
130
131 if((0 == reader->cnxlastecm) != (0 == cnxcurrecm))
132 {
133 if(0 == cnxcurrecm) // not paired
134 { ins26[7] = 0x30; }
135 else
136 { ins26[7] = 0x40; }
137
138 if(read_record(reader, ins26, ins26 + 5, cta_res) <= 0)
139 { rdr_log(reader, "PairingECMRotation - ERROR"); }
140 }
141 reader->cnxlastecm = cnxcurrecm;
142 return cnxcurrecm;
143 }
144
145 static int32_t conax_card_init(struct s_reader *reader, ATR *newatr)
146 {
147 uint8_t cta_res[CTA_RES_LEN];
148 int32_t i, j, n;
149 static const uint8_t ins26[] = { 0xDD, 0x26, 0x00, 0x00, 0x03, 0x10, 0x01, 0x40 };
150 uint8_t ins82[] = { 0xDD, 0x82, 0x00, 0x00, 0x11, 0x11, 0x0f, 0x01, 0xb0, 0x0f, 0xff,
151 0xff, 0xfb, 0x00, 0x00, 0x09, 0x04, 0x0b, 0x00, 0xe0, 0x30, 0x2b };
152
153 uint8_t cardver = 0;
154
155 get_hist;
156 if((hist_size < 4) || (memcmp(hist, "0B00", 4)))
157 { return ERROR; }
158
159 reader->caid = 0xB00;
160
161 if((n = read_record(reader, ins26, ins26 + 5, cta_res)) <= 0) { return ERROR; } // read caid, card-version
162
163 for(i = 0; i < n; i += cta_res[i + 1] + 2)
164 {
165 switch(cta_res[i])
166 {
167 case 0x20:
168 cardver = cta_res[i + 2];
169 break;
170
171 case 0x28:
172 reader->caid = (cta_res[i + 2] << 8) | cta_res[i + 3];
173 }
174 }
175
176 // Ins82 command needs to use the correct CAID reported in nano 0x28
177 ins82[17] = (reader->caid >> 8) & 0xFF;
178 ins82[18] = (reader->caid) & 0xFF;
179
180 if((n = read_record(reader, ins82, ins82 + 5, cta_res)) <= 0) { return ERROR; } // read serial
181
182 reader->nprov = 0;
183
184 for(j = 0, i = 2; i < n; i += cta_res[i + 1] + 2)
185 {
186 switch(cta_res[i])
187 {
188 case 0x23:
189 if(cta_res[i + 5] != 0x00)
190 {
191 memcpy(reader->hexserial, &cta_res[i + 3], 6);
192 }
193 else
194 {
195 memcpy(reader->sa[j], &cta_res[i + 5], 4);
196 j++;
197 reader->nprov++;
198 }
199 break;
200 }
201 }
202
203 memset(reader->prid, 0x00, sizeof(reader->prid));
204
205 rdr_log_sensitive(reader, "type: Conax, caid: %04X, serial: {%llu}, hex serial: {%02x%02x%02x%02x}, card: v%d",
206 reader->caid, (unsigned long long) b2ll(6, reader->hexserial), reader->hexserial[2],
207 reader->hexserial[3], reader->hexserial[4], reader->hexserial[5], cardver);
208
209 rdr_log(reader, "Providers: %d", reader->nprov);
210
211 for(j = 0; j < reader->nprov; j++)
212 {
213 rdr_log(reader, "Provider: %d Provider-Id: %06X", j + 1, b2i(4, reader->prid[j]));
214 rdr_log_sensitive(reader, "Provider: %d SharedAddress: {%08X}", j + 1, b2i(4, reader->sa[j]));
215 }
216
217 return OK;
218 }
219
220 static int32_t conax_send_pin(struct s_reader *reader)
221 {
222 def_resp;
223 uint8_t insPIN[] = { 0xDD, 0xC8, 0x00, 0x00, 0x07, 0x1D, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00 }; // Last four are the Pin-Code
224 memcpy(insPIN + 8, reader->pincode, 4);
225
226 write_cmd(insPIN, insPIN + 5);
227 rdr_log_dbg(reader, D_READER, "Sent pincode to card.");
228
229 return OK;
230 }
231
232 static int32_t conax_do_ecm(struct s_reader *reader, const ECM_REQUEST *er, struct s_ecm_answer *ea)
233 {
234 def_resp;
235 int32_t i, j, n, num_dw = 0, rc = 0;
236 uint8_t insA2[] = { 0xDD, 0xA2, 0x00, 0x00, 0x00 };
237 uint8_t insCA[] = { 0xDD, 0xCA, 0x00, 0x00, 0x00 };
238
239 uint8_t exp[] = { 0x01, 0x00, 0x01 };
240 uint8_t buf[256];
241
242 if((n = check_sct_len(er->ecm, 3)) < 0)
243 { return ERROR; }
244
245 buf[0] = 0x14;
246 buf[1] = n + 1;
247
248 if(0x0 != PairingECMRotation(reader, er, n))
249 { buf[2] = 2; } // card will answer with encrypted dw
250 else
251 { buf[2] = 0; }
252
253 memcpy(buf + 3, er->ecm, n);
254 insA2[4] = n + 3;
255
256 write_cmd(insA2, buf); // write Header + ECM
257
258 while((cta_res[cta_lr - 2] == 0x98) && // Antwort
259 ((insCA[4] = cta_res[cta_lr - 1]) > 0) && (insCA[4] != 0xFF))
260 {
261 write_cmd(insCA, NULL); // Codeword auslesen
262
263 if((cta_res[cta_lr - 2] == 0x98) || ((cta_res[cta_lr - 2] == 0x90)))
264 {
265 /*checks if answer is encrypted with RSA algo and decrypts it if needed*/
266 if(0x81 == cta_res[0] && 2 == cta_res[2] >> 5) /*81 XX 5X*/
267 {
268 if(0x00 == cta_res[cta_lr - 1])
269 { rc = RSA_CNX(reader, cta_res, reader->rsa_mod, exp, cta_lr, 64u, 3u); }
270 else
271 { rc = -4; } /*card has no right to decode this channel*/
272 }
273
274 if(0 == rc)
275 {
276 for(i = 0; i < cta_lr - 2 && num_dw < 2; i += cta_res[i + 1] + 2)
277 {
278 switch(cta_res[i])
279 {
280 case 0x25:
281 if((cta_res[i + 1] >= 0xD) && !((n = cta_res[i + 4]) & 0xFE))
282 {
283 rc |= (1 << n);
284 memcpy(ea->cw + (n << 3), cta_res + i + 7, 8);
285 ++num_dw;
286 }
287 break;
288
289 case 0x31:
290 if((cta_res[i + 1] == 0x02 && cta_res[i + 2] == 0x00 && cta_res[i + 3] == 0x00) || \
291 (cta_res[i + 1] == 0x02 && cta_res[i + 2] == 0x40 && cta_res[i + 3] == 0x00))
292 { break; }
293 else if(strcmp(reader->pincode, "none"))
294 {
295 conax_send_pin(reader);
296 write_cmd(insA2, buf); // write Header + ECM
297
298 while((cta_res[cta_lr - 2] == 0x98) && // Antwort
299 ((insCA[4] = cta_res[cta_lr - 1]) > 0) && (insCA[4] != 0xFF))
300 {
301 write_cmd(insCA, NULL); // Codeword auslesen
302
303 if((cta_res[cta_lr - 2] == 0x98) ||
304 ((cta_res[cta_lr - 2] == 0x90) && (!cta_res[cta_lr - 1])))
305 {
306 for(j = 0; j < cta_lr - 2; j += cta_res[j + 1] + 2)
307 {
308 if((cta_res[j] == 0x25) && // access: is cw
309 (cta_res[j + 1] >= 0xD) && // 0xD: 5 header + 8 cw
310 !((n = cta_res[j + 4]) & 0xFE)) // cw idx must be 0 or 1
311 {
312 rc |= (1 << n);
313 memcpy(ea->cw + (n << 3), cta_res + j + 7, 8);
314 ++num_dw;
315 }
316 }
317 }
318 }
319 }
320 break;
321 }
322 }
323 }
324 }
325 }
326
327 switch(rc)
328 {
329 case -1:
330 rdr_log(reader, "conax decode ECM problem - RSA key is probably faulty");
331 break;
332
333 case -2:
334 rdr_log(reader, "conax RSA pairing - wrong size of data");
335 break;
336
337 case -3:
338 rdr_log(reader, "conax RSA pairing- wrong size of data for second round");
339 /* fallthrough */
340
341 case -4:
342 rdr_log(reader, "card has no right to decode this channel");
343 break;
344 }
345
346 /* answer 9011 - conax smart card need reset */
347 if(2 <= cta_lr && 0x90 == cta_res[cta_lr - 2] && 0x11 == cta_res[cta_lr - 1])
348 {
349 rdr_log(reader, "conax card hangs - reset is required");
350 reader->card_status = UNKNOWN;
351 }
352
353 if(rc == 3)
354 { return OK; }
355 else
356 { return ERROR; }
357 }
358
359 static int32_t conax_get_emm_type(EMM_PACKET *ep, struct s_reader *rdr)
360 {
361 int32_t i, ok = 0;
362 char tmp_dbg[17];
363
364 rdr_log_dbg(rdr, D_EMM, "Entered conax_get_emm_type ep->emm[2]=%02x", ep->emm[2]);
365
366 for(i = 0; i < rdr->nprov; i++)
367 {
368 ok = (!memcmp(&ep->emm[6], rdr->sa[i], 4));
369 if(ok) { break; }
370 }
371
372 if(ok)
373 {
374 ep->type = SHARED;
375 memset(ep->hexserial, 0, 8);
376 memcpy(ep->hexserial, &ep->emm[6], 4);
377 rdr_log_dbg_sensitive(rdr, D_EMM, "SHARED, ep->hexserial = {%s}",
378 cs_hexdump(1, ep->hexserial, 8, tmp_dbg, sizeof(tmp_dbg)));
379 return 1;
380 }
381 else
382 {
383 if(!memcmp(&ep->emm[6], rdr->hexserial + 2, 4))
384 {
385 ep->type = UNIQUE;
386 memset(ep->hexserial, 0, 8);
387 memcpy(ep->hexserial + 2, &ep->emm[6], 4);
388 rdr_log_dbg_sensitive(rdr, D_EMM, "UNIQUE, ep->hexserial = {%s}",
389 cs_hexdump(1, ep->hexserial, 8, tmp_dbg, sizeof(tmp_dbg)));
390 return 1;
391 }
392 else
393 {
394 ep->type = GLOBAL;
395 rdr_log_dbg(rdr, D_EMM, "GLOBAL");
396 memset(ep->hexserial, 0, 8);
397 return 1;
398 }
399 }
400 }
401
402 static int32_t conax_get_emm_filter(struct s_reader *rdr, struct s_csystem_emm_filter **emm_filters, unsigned int *filter_count)
403 {
404 if(*emm_filters == NULL)
405 {
406 const unsigned int max_filter_count = 2 + rdr->nprov;
407 if(!cs_malloc(emm_filters, max_filter_count * sizeof(struct s_csystem_emm_filter)))
408 { return ERROR; }
409
410 struct s_csystem_emm_filter *filters = *emm_filters;
411 *filter_count = 0;
412
413 int idx = 0, prov;
414
415 filters[idx].type = EMM_GLOBAL;
416 filters[idx].enabled = 0; // FIXME: dont see any conax global EMM yet
417 filters[idx].filter[0] = 0x82;
418 filters[idx].mask[0] = 0xFF;
419 filters[idx].filter[8] = 0x70;
420 filters[idx].mask[8] = 0xFF;
421 idx++;
422
423 for(prov = 0; prov < rdr->nprov; prov++)
424 {
425 filters[idx].type = EMM_SHARED;
426 filters[idx].enabled = 1;
427 filters[idx].filter[0] = 0x82;
428 filters[idx].mask[0] = 0xFF;
429 memcpy(&filters[idx].filter[4], rdr->sa[prov], 4);
430 memset(&filters[idx].mask[4], 0xFF, 4);
431 idx++;
432 }
433
434 filters[idx].type = EMM_UNIQUE;
435 filters[idx].enabled = 1;
436 filters[idx].filter[0] = 0x82;
437 filters[idx].mask[0] = 0xFF;
438 memcpy(&filters[idx].filter[4], rdr->hexserial + 2, 4);
439 memset(&filters[idx].mask[4], 0xFF, 4);
440 idx++;
441
442 *filter_count = idx;
443 }
444
445 return OK;
446 }
447
448 static int32_t conax_do_emm(struct s_reader *reader, EMM_PACKET *ep)
449 {
450 def_resp;
451 uint8_t insCA[] = { 0xDD, 0xCA, 0x00, 0x00, 0x00 };
452 uint8_t insEMM[] = { 0xDD, 0x84, 0x00, 0x00, 0x00 };
453 uint8_t buf[255];
454 int32_t rc = 0;
455
456 const int32_t l = ep->emm[2];
457
458 insEMM[4] = l + 5;
459 buf[0] = 0x12;
460 buf[1] = l + 3;
461 memcpy(buf + 2, ep->emm, buf[1]);
462 write_cmd(insEMM, buf);
463
464 if(cta_res[0] == 0x98)
465 {
466 insCA[4] = cta_res[1];
467 write_cmd(insCA, NULL);
468 }
469
470 rc = ((cta_res[0] == 0x90) && (cta_res[1] == 0x00));
471
472 if(rc)
473 { return OK; }
474 else
475 { return ERROR; }
476 }
477
478 static int32_t conax_card_info(struct s_reader *reader)
479 {
480 def_resp;
481 int32_t type, i, j, k = 0, n = 0, l;
482 uint16_t provid = 0;
483 char provname[32], pdate[32], chid[32];
484 static const uint8_t insC6[] = { 0xDD, 0xC6, 0x00, 0x00, 0x03, 0x1C, 0x01, 0x00 };
485 static const uint8_t ins26[] = { 0xDD, 0x26, 0x00, 0x00, 0x03, 0x1C, 0x01, 0x01 };
486 uint8_t insCA[] = { 0xDD, 0xCA, 0x00, 0x00, 0x00 };
487 char *txt[] = { "Package", "PPV-Event" };
488 static const uint8_t *cmd[] = { insC6, ins26 };
489 time_t start_t = 0, end_t = 0;
490 uint32_t cxclass = 0;
491
492 cs_clear_entitlement(reader); // reset the entitlements
493
494 for(type = 0; type < 2; type++)
495 {
496 n = 0;
497 write_cmd(cmd[type], cmd[type] + 5);
498 while(cta_res[cta_lr - 2] == 0x98)
499 {
500 insCA[4] = cta_res[cta_lr - 1]; // get len
501 write_cmd(insCA, NULL); // read
502
503 if((cta_res[cta_lr - 2] == 0x90) || (cta_res[cta_lr - 2] == 0x98))
504 {
505 for(j = 0; j < cta_lr - 2; j += cta_res[j + 1] + 2)
506 {
507 provid = (cta_res[j + 2 + type] << 8) | cta_res[j + 3 + type];
508 chid[0] = '\0';
509
510 for(k = 0, i = j + 4 + type; (i < j + cta_res[j + 1]); i += cta_res[i + 1] + 2)
511 {
512 switch(cta_res[i])
513 {
514 case 0x01:
515 l = (cta_res[i + 1] < (sizeof(provname) - 1)) ? cta_res[i + 1] : sizeof(provname) - 1;
516 memcpy(provname, cta_res + i + 2, l);
517 provname[l] = '\0';
518 break;
519
520 case 0x30:
521 if(k > 1)
522 {
523 rdr_log(reader, "%s: %d, id: %04X%s, date: %s - %s, name: %s",
524 txt[type], ++n, provid, chid, pdate, pdate + 16, trim(provname));
525
526 // add entitlements to list
527 cs_add_entitlement(reader, reader->caid, b2ll(4, reader->prid[0]),
528 provid, cxclass, start_t, end_t, type + 1, 1);
529
530 k = 0;
531 chid[0] = '\0';
532 }
533 if(k == 0) { start_t = chid_date(cta_res + i + 2, pdate, 15); }
534 else { end_t = chid_date(cta_res + i + 2, pdate + 16, 15) /* add 23:59:59 here: */ + 0x1517F; }
535 ++k;
536 break;
537
538 case 0x20: // Provider classes
539 case 0x90: // (?) not sure what this is, saw it once in log
540 snprintf(chid, sizeof(chid), ", classes: %02X%02X%02X%02X",
541 cta_res[i + 2], cta_res[i + 3], cta_res[i + 4] , cta_res[i + 5]);
542 cxclass = b2ll(4, &cta_res[i + 2]);
543 break;
544 }
545 }
546 rdr_log(reader, "%s: %d, id: %04X%s, date: %s - %s, name: %s",
547 txt[type], ++n, provid, chid, pdate, pdate + 16, trim(provname));
548
549 // add entitlements to list
550 cs_add_entitlement(reader, reader->caid, b2ll(4, reader->prid[0]),
551 provid, cxclass, start_t, end_t, type + 1, 1);
552 }
553 }
554 }
555 }
556 rdr_log(reader, "ready for requests");
557 return OK;
558 }
559
560 const struct s_cardsystem reader_conax =
561 {
562 .desc = "conax",
563 .caids = (uint16_t[]){ 0x0B, 0 },
564 .do_emm = conax_do_emm,
565 .do_ecm = conax_do_ecm,
566 .card_info = conax_card_info,
567 .card_init = conax_card_init,
568 .get_emm_type = conax_get_emm_type,
569 .get_emm_filter = conax_get_emm_filter,
570 };
571
572 #endif
Open Source Conditional Access Modul