3 #include "cscrypt/bn.h"
4 #include "reader-common.h"
6 static int32_t RSA_CNX(struct s_reader
*reader
, uint8_t *msg
, uint8_t *mod
, uint8_t *exp
, uint32_t cta_lr
, uint32_t modbytes
, uint32_t expbytes
)
9 uint32_t n
= 0, pre_size
= 0, size
= 0;
11 BIGNUM
*bn_mod
, *bn_exp
, *bn_data
, *bn_res
;
15 pre_size
= 2 + 4 + msg
[5];
17 /*size of data to decryption*/
18 if(msg
[1] > (pre_size
- 2))
19 { size
= msg
[1] - pre_size
+ 2; }
21 if(cta_lr
> (pre_size
+ size
) && size
>= modbytes
&& size
< 128)
27 rdr_log_dbg(reader
, D_READER
, "RSA Error in RSA_CNX");
31 bn_mod
= BN_CTX_get(ctx
);
32 bn_exp
= BN_CTX_get(ctx
);
33 bn_data
= BN_CTX_get(ctx
);
34 bn_res
= BN_CTX_get(ctx
);
37 BN_bin2bn(mod
, modbytes
, bn_mod
); // rsa modulus
38 BN_bin2bn(exp
, expbytes
, bn_exp
); // exponent
39 BN_bin2bn(msg
+ pre_size
, modbytes
, bn_data
);
40 BN_mod_exp(bn_res
, bn_data
, bn_exp
, bn_mod
, ctx
);
42 n
= BN_bn2bin(bn_res
, data
);
44 size
-= modbytes
; // 3
47 /*Check if second round is needed*/
50 /*check if length of data from first RSA round will be enough to padding rest of data*/
51 if((n
+ size
) >= modbytes
)
54 /*move the remaining data at the beginning of the buffer*/
55 memcpy(msg
, msg
+ pre_size
, size
);
56 /*padding buffer with data from first round*/
57 memcpy(msg
+ size
, data
+ (n
- (modbytes
- size
)), modbytes
- size
);
59 BN_bin2bn(msg
, modbytes
, bn_data
);
60 BN_mod_exp(bn_res
, bn_data
, bn_exp
, bn_mod
, ctx
);
61 n
= BN_bn2bin(bn_res
, data
);
63 { ret
= -1; } /*RSA key is probably wrong*/
66 { ret
= -3; } /*wrong size of data for second round*/
70 { memcpy(msg
, data
, n
); }
76 { ret
= -2; } /*wrong size of data*/
81 static time_t chid_date(const uint8_t *ptr
, char *buf
, int32_t l
)
85 memset(&timeinfo
, 0, sizeof(struct tm
));
89 timeinfo
.tm_year
= 90 + (ptr
[1] >> 4) + (((ptr
[0] >> 5) & 7) * 10);
90 timeinfo
.tm_mon
= (ptr
[1] & 0xf) - 1;
91 timeinfo
.tm_mday
= ptr
[0] & 0x1f;
92 timeinfo
.tm_isdst
= -1;
93 rc
= mktime(&timeinfo
);
94 strftime(buf
, l
, "%Y/%m/%d", &timeinfo
);
99 static int32_t read_record(struct s_reader
*reader
, const uint8_t *cmd
, const uint8_t *data
, uint8_t *cta_res
)
102 uint8_t insCA
[] = { 0xDD, 0xCA, 0x00, 0x00, 0x00 };
104 write_cmd(cmd
, data
); // select record
105 if(cta_res
[0] != 0x98)
108 insCA
[4] = cta_res
[1]; // get len
109 write_cmd(insCA
, NULL
); // read record
111 if((cta_res
[cta_lr
- 2] != 0x90) || (cta_res
[cta_lr
- 1]))
117 static uint8_t PairingECMRotation(struct s_reader
*reader
, const ECM_REQUEST
*er
, int32_t n
)
119 uint8_t cta_res
[CTA_RES_LEN
] = { 0x00 };
120 uint8_t ins26
[] = { 0xDD, 0x26, 0x00, 0x00, 0x03, 0x10, 0x01, 0x00 };
121 uint8_t cnxcurrecm
= 0;
123 if(0x0 != reader
->rsa_mod
[0] && n
> 3 &&
124 0x54 == er
->ecm
[n
- 3] &&
125 0x02 == er
->ecm
[n
- 2] &&
126 0x00 == er
->ecm
[n
- 1])
131 if((0 == reader
->cnxlastecm
) != (0 == cnxcurrecm
))
133 if(0 == cnxcurrecm
) // not paired
138 if(read_record(reader
, ins26
, ins26
+ 5, cta_res
) <= 0)
139 { rdr_log(reader
, "PairingECMRotation - ERROR"); }
141 reader
->cnxlastecm
= cnxcurrecm
;
145 static int32_t conax_card_init(struct s_reader
*reader
, ATR
*newatr
)
147 uint8_t cta_res
[CTA_RES_LEN
];
149 static const uint8_t ins26
[] = { 0xDD, 0x26, 0x00, 0x00, 0x03, 0x10, 0x01, 0x40 };
150 uint8_t ins82
[] = { 0xDD, 0x82, 0x00, 0x00, 0x11, 0x11, 0x0f, 0x01, 0xb0, 0x0f, 0xff,
151 0xff, 0xfb, 0x00, 0x00, 0x09, 0x04, 0x0b, 0x00, 0xe0, 0x30, 0x2b };
156 if((hist_size
< 4) || (memcmp(hist
, "0B00", 4)))
159 reader
->caid
= 0xB00;
161 if((n
= read_record(reader
, ins26
, ins26
+ 5, cta_res
)) <= 0) { return ERROR
; } // read caid, card-version
163 for(i
= 0; i
< n
; i
+= cta_res
[i
+ 1] + 2)
168 cardver
= cta_res
[i
+ 2];
172 reader
->caid
= (cta_res
[i
+ 2] << 8) | cta_res
[i
+ 3];
176 // Ins82 command needs to use the correct CAID reported in nano 0x28
177 ins82
[17] = (reader
->caid
>> 8) & 0xFF;
178 ins82
[18] = (reader
->caid
) & 0xFF;
180 if((n
= read_record(reader
, ins82
, ins82
+ 5, cta_res
)) <= 0) { return ERROR
; } // read serial
184 for(j
= 0, i
= 2; i
< n
; i
+= cta_res
[i
+ 1] + 2)
189 if(cta_res
[i
+ 5] != 0x00)
191 memcpy(reader
->hexserial
, &cta_res
[i
+ 3], 6);
195 memcpy(reader
->sa
[j
], &cta_res
[i
+ 5], 4);
203 memset(reader
->prid
, 0x00, sizeof(reader
->prid
));
205 rdr_log_sensitive(reader
, "type: Conax, caid: %04X, serial: {%llu}, hex serial: {%02x%02x%02x%02x}, card: v%d",
206 reader
->caid
, (unsigned long long) b2ll(6, reader
->hexserial
), reader
->hexserial
[2],
207 reader
->hexserial
[3], reader
->hexserial
[4], reader
->hexserial
[5], cardver
);
209 rdr_log(reader
, "Providers: %d", reader
->nprov
);
211 for(j
= 0; j
< reader
->nprov
; j
++)
213 rdr_log(reader
, "Provider: %d Provider-Id: %06X", j
+ 1, b2i(4, reader
->prid
[j
]));
214 rdr_log_sensitive(reader
, "Provider: %d SharedAddress: {%08X}", j
+ 1, b2i(4, reader
->sa
[j
]));
220 static int32_t conax_send_pin(struct s_reader
*reader
)
223 uint8_t insPIN
[] = { 0xDD, 0xC8, 0x00, 0x00, 0x07, 0x1D, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00 }; // Last four are the Pin-Code
224 memcpy(insPIN
+ 8, reader
->pincode
, 4);
226 write_cmd(insPIN
, insPIN
+ 5);
227 rdr_log_dbg(reader
, D_READER
, "Sent pincode to card.");
232 static int32_t conax_do_ecm(struct s_reader
*reader
, const ECM_REQUEST
*er
, struct s_ecm_answer
*ea
)
235 int32_t i
, j
, n
, num_dw
= 0, rc
= 0;
236 uint8_t insA2
[] = { 0xDD, 0xA2, 0x00, 0x00, 0x00 };
237 uint8_t insCA
[] = { 0xDD, 0xCA, 0x00, 0x00, 0x00 };
239 uint8_t exp
[] = { 0x01, 0x00, 0x01 };
242 if((n
= check_sct_len(er
->ecm
, 3)) < 0)
248 if(0x0 != PairingECMRotation(reader
, er
, n
))
249 { buf
[2] = 2; } // card will answer with encrypted dw
253 memcpy(buf
+ 3, er
->ecm
, n
);
256 write_cmd(insA2
, buf
); // write Header + ECM
258 while((cta_res
[cta_lr
- 2] == 0x98) && // Antwort
259 ((insCA
[4] = cta_res
[cta_lr
- 1]) > 0) && (insCA
[4] != 0xFF))
261 write_cmd(insCA
, NULL
); // Codeword auslesen
263 if((cta_res
[cta_lr
- 2] == 0x98) || ((cta_res
[cta_lr
- 2] == 0x90)))
265 /*checks if answer is encrypted with RSA algo and decrypts it if needed*/
266 if(0x81 == cta_res
[0] && 2 == cta_res
[2] >> 5) /*81 XX 5X*/
268 if(0x00 == cta_res
[cta_lr
- 1])
269 { rc
= RSA_CNX(reader
, cta_res
, reader
->rsa_mod
, exp
, cta_lr
, 64u, 3u); }
271 { rc
= -4; } /*card has no right to decode this channel*/
276 for(i
= 0; i
< cta_lr
- 2 && num_dw
< 2; i
+= cta_res
[i
+ 1] + 2)
281 if((cta_res
[i
+ 1] >= 0xD) && !((n
= cta_res
[i
+ 4]) & 0xFE))
284 memcpy(ea
->cw
+ (n
<< 3), cta_res
+ i
+ 7, 8);
290 if((cta_res
[i
+ 1] == 0x02 && cta_res
[i
+ 2] == 0x00 && cta_res
[i
+ 3] == 0x00) || \
291 (cta_res
[i
+ 1] == 0x02 && cta_res
[i
+ 2] == 0x40 && cta_res
[i
+ 3] == 0x00))
293 else if(strcmp(reader
->pincode
, "none"))
295 conax_send_pin(reader
);
296 write_cmd(insA2
, buf
); // write Header + ECM
298 while((cta_res
[cta_lr
- 2] == 0x98) && // Antwort
299 ((insCA
[4] = cta_res
[cta_lr
- 1]) > 0) && (insCA
[4] != 0xFF))
301 write_cmd(insCA
, NULL
); // Codeword auslesen
303 if((cta_res
[cta_lr
- 2] == 0x98) ||
304 ((cta_res
[cta_lr
- 2] == 0x90) && (!cta_res
[cta_lr
- 1])))
306 for(j
= 0; j
< cta_lr
- 2; j
+= cta_res
[j
+ 1] + 2)
308 if((cta_res
[j
] == 0x25) && // access: is cw
309 (cta_res
[j
+ 1] >= 0xD) && // 0xD: 5 header + 8 cw
310 !((n
= cta_res
[j
+ 4]) & 0xFE)) // cw idx must be 0 or 1
313 memcpy(ea
->cw
+ (n
<< 3), cta_res
+ j
+ 7, 8);
330 rdr_log(reader
, "conax decode ECM problem - RSA key is probably faulty");
334 rdr_log(reader
, "conax RSA pairing - wrong size of data");
338 rdr_log(reader
, "conax RSA pairing- wrong size of data for second round");
342 rdr_log(reader
, "card has no right to decode this channel");
346 /* answer 9011 - conax smart card need reset */
347 if(2 <= cta_lr
&& 0x90 == cta_res
[cta_lr
- 2] && 0x11 == cta_res
[cta_lr
- 1])
349 rdr_log(reader
, "conax card hangs - reset is required");
350 reader
->card_status
= UNKNOWN
;
359 static int32_t conax_get_emm_type(EMM_PACKET
*ep
, struct s_reader
*rdr
)
364 rdr_log_dbg(rdr
, D_EMM
, "Entered conax_get_emm_type ep->emm[2]=%02x", ep
->emm
[2]);
366 for(i
= 0; i
< rdr
->nprov
; i
++)
368 ok
= (!memcmp(&ep
->emm
[6], rdr
->sa
[i
], 4));
375 memset(ep
->hexserial
, 0, 8);
376 memcpy(ep
->hexserial
, &ep
->emm
[6], 4);
377 rdr_log_dbg_sensitive(rdr
, D_EMM
, "SHARED, ep->hexserial = {%s}",
378 cs_hexdump(1, ep
->hexserial
, 8, tmp_dbg
, sizeof(tmp_dbg
)));
383 if(!memcmp(&ep
->emm
[6], rdr
->hexserial
+ 2, 4))
386 memset(ep
->hexserial
, 0, 8);
387 memcpy(ep
->hexserial
+ 2, &ep
->emm
[6], 4);
388 rdr_log_dbg_sensitive(rdr
, D_EMM
, "UNIQUE, ep->hexserial = {%s}",
389 cs_hexdump(1, ep
->hexserial
, 8, tmp_dbg
, sizeof(tmp_dbg
)));
395 rdr_log_dbg(rdr
, D_EMM
, "GLOBAL");
396 memset(ep
->hexserial
, 0, 8);
402 static int32_t conax_get_emm_filter(struct s_reader
*rdr
, struct s_csystem_emm_filter
**emm_filters
, unsigned int *filter_count
)
404 if(*emm_filters
== NULL
)
406 const unsigned int max_filter_count
= 2 + rdr
->nprov
;
407 if(!cs_malloc(emm_filters
, max_filter_count
* sizeof(struct s_csystem_emm_filter
)))
410 struct s_csystem_emm_filter
*filters
= *emm_filters
;
415 filters
[idx
].type
= EMM_GLOBAL
;
416 filters
[idx
].enabled
= 0; // FIXME: dont see any conax global EMM yet
417 filters
[idx
].filter
[0] = 0x82;
418 filters
[idx
].mask
[0] = 0xFF;
419 filters
[idx
].filter
[8] = 0x70;
420 filters
[idx
].mask
[8] = 0xFF;
423 for(prov
= 0; prov
< rdr
->nprov
; prov
++)
425 filters
[idx
].type
= EMM_SHARED
;
426 filters
[idx
].enabled
= 1;
427 filters
[idx
].filter
[0] = 0x82;
428 filters
[idx
].mask
[0] = 0xFF;
429 memcpy(&filters
[idx
].filter
[4], rdr
->sa
[prov
], 4);
430 memset(&filters
[idx
].mask
[4], 0xFF, 4);
434 filters
[idx
].type
= EMM_UNIQUE
;
435 filters
[idx
].enabled
= 1;
436 filters
[idx
].filter
[0] = 0x82;
437 filters
[idx
].mask
[0] = 0xFF;
438 memcpy(&filters
[idx
].filter
[4], rdr
->hexserial
+ 2, 4);
439 memset(&filters
[idx
].mask
[4], 0xFF, 4);
448 static int32_t conax_do_emm(struct s_reader
*reader
, EMM_PACKET
*ep
)
451 uint8_t insCA
[] = { 0xDD, 0xCA, 0x00, 0x00, 0x00 };
452 uint8_t insEMM
[] = { 0xDD, 0x84, 0x00, 0x00, 0x00 };
456 const int32_t l
= ep
->emm
[2];
461 memcpy(buf
+ 2, ep
->emm
, buf
[1]);
462 write_cmd(insEMM
, buf
);
464 if(cta_res
[0] == 0x98)
466 insCA
[4] = cta_res
[1];
467 write_cmd(insCA
, NULL
);
470 rc
= ((cta_res
[0] == 0x90) && (cta_res
[1] == 0x00));
478 static int32_t conax_card_info(struct s_reader
*reader
)
481 int32_t type
, i
, j
, k
= 0, n
= 0, l
;
483 char provname
[32], pdate
[32], chid
[32];
484 static const uint8_t insC6
[] = { 0xDD, 0xC6, 0x00, 0x00, 0x03, 0x1C, 0x01, 0x00 };
485 static const uint8_t ins26
[] = { 0xDD, 0x26, 0x00, 0x00, 0x03, 0x1C, 0x01, 0x01 };
486 uint8_t insCA
[] = { 0xDD, 0xCA, 0x00, 0x00, 0x00 };
487 char *txt
[] = { "Package", "PPV-Event" };
488 static const uint8_t *cmd
[] = { insC6
, ins26
};
489 time_t start_t
= 0, end_t
= 0;
490 uint32_t cxclass
= 0;
492 cs_clear_entitlement(reader
); // reset the entitlements
494 for(type
= 0; type
< 2; type
++)
497 write_cmd(cmd
[type
], cmd
[type
] + 5);
498 while(cta_res
[cta_lr
- 2] == 0x98)
500 insCA
[4] = cta_res
[cta_lr
- 1]; // get len
501 write_cmd(insCA
, NULL
); // read
503 if((cta_res
[cta_lr
- 2] == 0x90) || (cta_res
[cta_lr
- 2] == 0x98))
505 for(j
= 0; j
< cta_lr
- 2; j
+= cta_res
[j
+ 1] + 2)
507 provid
= (cta_res
[j
+ 2 + type
] << 8) | cta_res
[j
+ 3 + type
];
510 for(k
= 0, i
= j
+ 4 + type
; (i
< j
+ cta_res
[j
+ 1]); i
+= cta_res
[i
+ 1] + 2)
515 l
= (cta_res
[i
+ 1] < (sizeof(provname
) - 1)) ? cta_res
[i
+ 1] : sizeof(provname
) - 1;
516 memcpy(provname
, cta_res
+ i
+ 2, l
);
523 rdr_log(reader
, "%s: %d, id: %04X%s, date: %s - %s, name: %s",
524 txt
[type
], ++n
, provid
, chid
, pdate
, pdate
+ 16, trim(provname
));
526 // add entitlements to list
527 cs_add_entitlement(reader
, reader
->caid
, b2ll(4, reader
->prid
[0]),
528 provid
, cxclass
, start_t
, end_t
, type
+ 1, 1);
533 if(k
== 0) { start_t
= chid_date(cta_res
+ i
+ 2, pdate
, 15); }
534 else { end_t
= chid_date(cta_res
+ i
+ 2, pdate
+ 16, 15) /* add 23:59:59 here: */ + 0x1517F; }
538 case 0x20: // Provider classes
539 case 0x90: // (?) not sure what this is, saw it once in log
540 snprintf(chid
, sizeof(chid
), ", classes: %02X%02X%02X%02X",
541 cta_res
[i
+ 2], cta_res
[i
+ 3], cta_res
[i
+ 4] , cta_res
[i
+ 5]);
542 cxclass
= b2ll(4, &cta_res
[i
+ 2]);
546 rdr_log(reader
, "%s: %d, id: %04X%s, date: %s - %s, name: %s",
547 txt
[type
], ++n
, provid
, chid
, pdate
, pdate
+ 16, trim(provname
));
549 // add entitlements to list
550 cs_add_entitlement(reader
, reader
->caid
, b2ll(4, reader
->prid
[0]),
551 provid
, cxclass
, start_t
, end_t
, type
+ 1, 1);
556 rdr_log(reader
, "ready for requests");
560 const struct s_cardsystem reader_conax
=
563 .caids
= (uint16_t[]){ 0x0B, 0 },
564 .do_emm
= conax_do_emm
,
565 .do_ecm
= conax_do_ecm
,
566 .card_info
= conax_card_info
,
567 .card_init
= conax_card_init
,
568 .get_emm_type
= conax_get_emm_type
,
569 .get_emm_filter
= conax_get_emm_filter
,