search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Attempt to count descramblers used properly
[oscam.git] / reader-irdeto.c
blob3ed3047cddb9ab163ba33f529f1f2dd4e99ee5d4
1 #include "globals.h"
2 #ifdef READER_IRDETO
3 #include "oscam-time.h"
4 #include "reader-common.h"
5 #include "reader-irdeto.h"
6
7 static const uint8_t CryptTable[256] =
8 {
9 0xDA, 0x26, 0xE8, 0x72, 0x11, 0x52, 0x3E, 0x46,
10 0x32, 0xFF, 0x8C, 0x1E, 0xA7, 0xBE, 0x2C, 0x29,
11 0x5F, 0x86, 0x7E, 0x75, 0x0A, 0x08, 0xA5, 0x21,
12 0x61, 0xFB, 0x7A, 0x58, 0x60, 0xF7, 0x81, 0x4F,
13 0xE4, 0xFC, 0xDF, 0xB1, 0xBB, 0x6A, 0x02, 0xB3,
14 0x0B, 0x6E, 0x5D, 0x5C, 0xD5, 0xCF, 0xCA, 0x2A,
15 0x14, 0xB7, 0x90, 0xF3, 0xD9, 0x37, 0x3A, 0x59,
16 0x44, 0x69, 0xC9, 0x78, 0x30, 0x16, 0x39, 0x9A,
17 0x0D, 0x05, 0x1F, 0x8B, 0x5E, 0xEE, 0x1B, 0xC4,
18 0x76, 0x43, 0xBD, 0xEB, 0x42, 0xEF, 0xF9, 0xD0,
19 0x4D, 0xE3, 0xF4, 0x57, 0x56, 0xA3, 0x0F, 0xA6,
20 0x50, 0xFD, 0xDE, 0xD2, 0x80, 0x4C, 0xD3, 0xCB,
21 0xF8, 0x49, 0x8F, 0x22, 0x71, 0x84, 0x33, 0xE0,
22 0x47, 0xC2, 0x93, 0xBC, 0x7C, 0x3B, 0x9C, 0x7D,
23 0xEC, 0xC3, 0xF1, 0x89, 0xCE, 0x98, 0xA2, 0xE1,
24 0xC1, 0xF2, 0x27, 0x12, 0x01, 0xEA, 0xE5, 0x9B,
25 0x25, 0x87, 0x96, 0x7B, 0x34, 0x45, 0xAD, 0xD1,
26 0xB5, 0xDB, 0x83, 0x55, 0xB0, 0x9E, 0x19, 0xD7,
27 0x17, 0xC6, 0x35, 0xD8, 0xF0, 0xAE, 0xD4, 0x2B,
28 0x1D, 0xA0, 0x99, 0x8A, 0x15, 0x00, 0xAF, 0x2D,
29 0x09, 0xA8, 0xF5, 0x6C, 0xA1, 0x63, 0x67, 0x51,
30 0x3C, 0xB2, 0xC0, 0xED, 0x94, 0x03, 0x6F, 0xBA,
31 0x3F, 0x4E, 0x62, 0x92, 0x85, 0xDD, 0xAB, 0xFE,
32 0x10, 0x2E, 0x68, 0x65, 0xE7, 0x04, 0xF6, 0x0C,
33 0x20, 0x1C, 0xA9, 0x53, 0x40, 0x77, 0x2F, 0xA4,
34 0xFA, 0x6D, 0x73, 0x28, 0xE2, 0xCD, 0x79, 0xC8,
35 0x97, 0x66, 0x8E, 0x82, 0x74, 0x06, 0xC7, 0x88,
36 0x1A, 0x4A, 0x6B, 0xCC, 0x41, 0xE9, 0x9D, 0xB8,
37 0x23, 0x9F, 0x3D, 0xBF, 0x8D, 0x95, 0xC5, 0x13,
38 0xB9, 0x24, 0x5A, 0xDC, 0x64, 0x18, 0x38, 0x91,
39 0x7F, 0x5B, 0x70, 0x54, 0x07, 0xB6, 0x4B, 0x0E,
40 0x36, 0xAC, 0x31, 0xE6, 0xD6, 0x48, 0xAA, 0xB4
41 };
42
43 static const uint8_t sc_GetCountryCode[] = { 0x02, 0x02, 0x03, 0x00, 0x00 };
44 static const uint8_t sc_GetCountryCode2[] = { 0x02, 0x0B, 0x00, 0x00, 0x00 };
45
46 static const uint8_t sc_GetCamKey384CZ[] =
47 {
48 0x02, 0x09, 0x03, 0x00, 0x40,
49 0x18, 0xD7, 0x55, 0x14, 0xC0, 0x83, 0xF1, 0x38,
50 0x39, 0x6F, 0xF2, 0xEC, 0x4F, 0xE3, 0xF1, 0x85,
51 0x01, 0x46, 0x06, 0xCE, 0x7D, 0x08, 0x2C, 0x74,
52 0x46, 0x8F, 0x72, 0xC4, 0xEA, 0xD7, 0x9C, 0xE0,
53 0xE1, 0xFF, 0x58, 0xE7, 0x70, 0x0C, 0x92, 0x45,
54 0x26, 0x18, 0x4F, 0xA0, 0xE2, 0xF5, 0x9E, 0x46,
55 0x6F, 0xAE, 0x95, 0x35, 0xB0, 0x49, 0xB2, 0x0E,
56 0xA4, 0x1F, 0x8E, 0x47, 0xD0, 0x24, 0x11, 0xD0
57 };
58
59 static const uint8_t sc_GetCamKey384DZ[] =
60 {
61 0x02, 0x09, 0x03, 0x00, 0x40,
62 0x27, 0xF2, 0xD6, 0xCD, 0xE6, 0x88, 0x62, 0x46,
63 0x81, 0xB0, 0xF5, 0x3E, 0x6F, 0x13, 0x4D, 0xCC,
64 0xFE, 0xD0, 0x67, 0xB1, 0x93, 0xDD, 0xF4, 0xDE,
65 0xEF, 0xF5, 0x3B, 0x04, 0x1D, 0xE5, 0xC3, 0xB2,
66 0x54, 0x38, 0x57, 0x7E, 0xC8, 0x39, 0x07, 0x2E,
67 0xD2, 0xF4, 0x05, 0xAA, 0x15, 0xB5, 0x55, 0x24,
68 0x90, 0xBB, 0x9B, 0x00, 0x96, 0xF0, 0xCB, 0xF1,
69 0x8A, 0x08, 0x7F, 0x0B, 0xB8, 0x79, 0xC3, 0x5D
70 };
71
72 static const uint8_t sc_GetCamKey384FZ[] =
73 {
74 0x02, 0x09, 0x03, 0x00, 0x40,
75 0x62, 0xFE, 0xD8, 0x4F, 0x44, 0x86, 0x2C, 0x21,
76 0x50, 0x9A, 0xBE, 0x27, 0x15, 0x9E, 0xC4, 0x48,
77 0xF3, 0x73, 0x5C, 0xBD, 0x08, 0x64, 0x6D, 0x13,
78 0x64, 0x90, 0x14, 0xDB, 0xFF, 0xC3, 0xFE, 0x03,
79 0x97, 0xFA, 0x75, 0x08, 0x12, 0xF9, 0x8F, 0x84,
80 0x83, 0x17, 0xAA, 0x6F, 0xEF, 0x2C, 0x10, 0x1B,
81 0xBF, 0x31, 0x41, 0xC3, 0x54, 0x2F, 0x65, 0x50,
82 0x95, 0xA9, 0x64, 0x22, 0x5E, 0xA4, 0xAF, 0xA9
83 };
84
85 /* some variables for acs57 (Dahlia for ITA dvb-t) */
86 #define ACS57EMM 0xD1
87 #define ACS57ECM 0xD5
88 #define ACS57GET 0xD2
89 /* end define */
90
91 typedef struct chid_base_date
92 {
93 uint16_t caid;
94 uint16_t acs;
95 char c_code[4];
96 uint32_t base;
97 } CHID_BASE_DATE;
98
99 struct irdeto_data
100 {
101 int32_t acs57; // A flag for the ACS57 ITA DVB-T
102 uint16_t acs;
103 char country_code[3]; // irdeto country code.
104 };
105
106 static void XRotateLeft8Byte(uint8_t *buf)
107 {
108 int32_t k;
109 uint8_t t1 = buf[7];
110 uint8_t t2 = 0;
111
112 for(k = 0; k <= 7; k++)
113 {
114 t2 = t1;
115 t1 = buf[k];
116 buf[k] = (buf[k] << 1) | (t2 >> 7);
117 }
118 }
119
120 static void ReverseSessionKeyCrypt(const uint8_t *camkey, uint8_t *key)
121 {
122 uint8_t localkey[8], tmp1, tmp2;
123 int32_t idx1, idx2;
124
125 memcpy(localkey, camkey, 8);
126
127 for(idx1 = 0; idx1 < 8; idx1++)
128 {
129 for(idx2 = 0; idx2 < 8; idx2++)
130 {
131 tmp1 = CryptTable[key[7] ^ localkey[idx2] ^ idx1];
132 tmp2 = key[0];
133 key[0] = key[1];
134 key[1] = key[2];
135 key[2] = key[3];
136 key[3] = key[4];
137 key[4] = key[5];
138 key[5] = key[6] ^ tmp1;
139 key[6] = key[7];
140 key[7] = tmp1 ^ tmp2;
141 }
142 XRotateLeft8Byte(localkey);
143 }
144 }
145
146 static uint8_t XorSum(const uint8_t *mem, int len)
147 {
148 uint8_t cs = 0;
149 while(len > 0)
150 {
151 cs ^= *mem++;
152 len--;
153 }
154 return cs;
155 }
156
157 static time_t chid_date(struct s_reader *reader, uint32_t date, char *buf, int32_t l)
158 {
159 // Irdeto date starts 01.08.1997 which is
160 // 870393600 seconds in unix calendar time
161 //
162 // The above might not be true for all Irdeto card
163 // we need to find a way to identify cards to set the base date
164 // like we did for NDS
165 //
166 // this is the known default value.
167
168 uint32_t date_base;
169
170 if((reader->caid >> 8) == 0x06)
171 {
172 date_base = 946598400L; // this is actually 31.12.1999, 00:00 default for irdeto card
173 }
174 else
175 {
176 date_base = 870393600L; // this is actually 01.08.1997, 00:00 default for betacrypt cards
177 }
178
179 // CAID, ACS, Country, base date D. M. Y, h : m
180 CHID_BASE_DATE table[] = {
181 {0x0662, 0x0608, "ITA", 944110500L}, // 01.12.1999, 23.55
182 {0x0616, 0x0608, "ITA", 944110500L}, // 01.12.1999, 23.55 //nitegate
183 {0x0647, 0x0005, "ITA", 946598400L}, // 31.12.1999, 00:00 //Redlight irdeto
184 {0x0664, 0x0608, "TUR", 946598400L}, // 31.12.1999, 00:00
185 {0x0624, 0x0006, "CZE", 946598400L}, // 30.12.1999, 16:00 //skyklink irdeto
186 {0x0624, 0x0006, "SVK", 946598400L}, // 30.12.1999, 16:00 //skyklink irdeto
187 {0x0666, 0x0006, "SVK", 946598400L}, // 30.12.1999, 16:00 //cslink irdeto
188 {0x0668, 0x0006, "SVK", 946598400L}, // 30.12.1999, 00:00 //Towercom Irdeto
189 {0x0666, 0x0006, "CZE", 946598400L}, // 30.12.1999, 16:00 //cslink irdeto
190 {0x0653, 0x0608, "HUN", 946598400L}, // 31.12.1999, 00:00 //upc ice irdeto
191 {0x0653, 0x0005, "HUN", 946598400L}, // 31.12.1999, 00:00 //upc ice irdeto
192 {0x0650, 0x0608, "AUT", 946598400L}, // 31.12.1999, 00:00 //orf P410 irdeto
193 {0x0650, 0x0005, "AUT", 946598400L}, // 31.12.1999, 00:00 //orf P410 irdeto
194 {0x0648, 0x0608, "AUT", 946598400L}, // 31.12.1999, 00:00 //orf ice irdeto
195 {0x0648, 0x0005, "AUT", 946598400L}, // 31.12.1999, 00:00 //orf ice irdeto
196 {0x0627, 0x0608, "EGY", 946598400L}, // 30.12.1999, 16:00
197 {0x0602, 0x0606, "NLD", 946598400L}, // 31.12.1999, 08:00 //Ziggo irdeto caid: 0602, acs: 6.06
198 {0x0602, 0x0505, "NLD", 946598400L}, // 31.12.1999, 00:00 //Ziggo irdeto caid: 0602, acs: 5.05
199 {0x0606, 0x0005, "NLD", 946598400L}, // 31.12.1999, 00:00 //Caiway irdeto card caid: 0606, acs: 0.05
200 {0x0606, 0x0605, "NLD", 946598400L}, // 31.12.1999, 00:00 //Caiway irdeto card caid: 0606, acs: 6.05
201 {0x0606, 0x0606, "NLD", 946598400L}, // 31.12.1999, 00:00 //Caiway irdeto card caid: 0606, acs: 6.06
202 {0x0606, 0x0006, "ZAF", 946598400L}, // 31.12.1999, 00:00 //dstv irdeto
203 {0x0604, 0x1541, "GRC", 977817600L}, // 26.12.2000, 00:00
204 {0x0604, 0x1542, "GRC", 977817600L}, // 26.12.2000, 00:00
205 {0x0604, 0x1543, "GRC", 977817600L}, // 26.12.2000, 00:00
206 {0x0604, 0x1544, "GRC", 977817600L}, // 26.12.2000, 17:00
207 {0x0604, 0x0608, "EGY", 999993600L}, // 08.09.2001, 17:00
208 {0x0604, 0x0606, "EGY", 1003276800L}, // 16.10.2001, 17:00
209 {0x0604, 0x0605, "GRC", 1011052800L}, // 15.01.2002, 00:00 //nova irdeto
210 {0x0604, 0x0606, "GRC", 1011052800L}, // 15.01.2002, 00:00 //nova irdeto
211 {0x0604, 0x0607, "GRC", 1011052800L}, // 15.01.2002, 00:00 //nova irdeto
212 {0x0604, 0x0608, "GRC", 1011052800L}, // 15.01.2002, 00:00 //nova irdeto
213 {0x0604, 0x0005, "GRC", 1011052800L}, // 15.01.2002, 00:00 //mova irdeto
214 {0x0604, 0x0606, "NLD", 1066089600L}, // 14.10.2003, 00:00
215 {0x0610, 0x0608, "NLD", 1066089600L}, // 14.10.2003, 00:00 //Ziggo irdeto caid: 0610, acs: 6.08
216 {0x0604, 0x0608, "NLD", 1066089600L}, // 14.10.2003, 00:00 //Ziggo irdeto caid: 0604, acs: 6.08
217 {0x0604, 0x0605, "NLD", 1066089600L}, // 14.10.2003, 00:00 //Ziggo irdeto caid: 0604, acs: 6.05
218 {0x0604, 0x0005, "NLD", 1066089600L}, // 14.10.2003, 00:00 //Ziggo irdeto caid: 0604, acs: 0.05
219 {0x0628, 0x0606, "MCR", 1159574400L}, // 29.09.2006, 00:00
220 {0x0652, 0x0005, "MCR", 1206662400L}, // 28.03.2008, 00:00 //Raduga caid:0652, acs: 0.05
221 {0x0652, 0x0608, "MCR", 1206662400L}, // 28.03.2008, 00:00 //Raduga caid:0652, acs: 6.08
222 {0x0, 0x0, "", 0L}
223 };
224
225 // now check for specific providers base date
226 int32_t i = 0;
227 struct irdeto_data *csystem_data = reader->csystem_data;
228
229 while(table[i].caid)
230 {
231 if((reader->caid == table[i].caid) && (csystem_data->acs == table[i].acs)
232 && (!memcmp(csystem_data->country_code, table[i].c_code, 3)))
233 {
234 date_base = table[i].base;
235 break;
236 }
237 i++;
238 }
239
240 time_t ut = date_base + date * (24 * 3600);
241 if(buf)
242 {
243 struct tm t;
244 cs_gmtime_r(&ut, &t);
245 l = 27;
246 snprintf(buf, l, "%04d/%02d/%02d", t.tm_year + 1900, t.tm_mon + 1, t.tm_mday);
247 }
248 return (ut);
249 }
250
251 static int32_t irdeto_do_cmd(struct s_reader *reader, uint8_t *buf, uint16_t good, uint8_t *cta_res, uint16_t *p_cta_lr)
252 {
253 int32_t rc;
254 if((rc = reader_cmd2icc(reader, buf, buf[4] + 5, cta_res, p_cta_lr)))
255 {
256 return (rc); // result may be 0 (success) or negative
257 }
258
259 if(*p_cta_lr < 2)
260 {
261 return (0x7F7F); // this should never happen
262 }
263
264 return (good != b2i(2, cta_res + *p_cta_lr - 2));
265 }
266
267 #define reader_chk_cmd(cmd, l) { if (reader_cmd2icc(reader, cmd, sizeof(cmd), cta_res, &cta_lr)) return ERROR; if (l && (cta_lr!=l)) return ERROR; }
268
269 static int32_t irdeto_card_init_provider(struct s_reader *reader)
270 {
271 def_resp;
272 int32_t i, p;
273 uint8_t buf[256] = {0};
274 struct irdeto_data *csystem_data = reader->csystem_data;
275
276 uint8_t sc_GetProvider[] = { 0x02, 0x03, 0x03, 0x00, 0x00 };
277 uint8_t sc_Acs57Prov[] = { 0xD2, 0x06, 0x03, 0x00, 0x01, 0x3C };
278 uint8_t sc_Acs57_Cmd[] = { ACS57GET, 0xFE, 0x00, 0x00, 0x00 };
279
280 /*
281 * Provider
282 */
283 memset(reader->prid, 0xff, sizeof(reader->prid));
284
285 for(buf[0] = i = p = 0; i < reader->nprov; i++)
286 {
287 int32_t acspadd = 0;
288 if(csystem_data->acs57 == 1)
289 {
290 acspadd = 8;
291 sc_Acs57Prov[3] = i;
292 irdeto_do_cmd(reader, sc_Acs57Prov, 0x9021, cta_res, &cta_lr);
293 int32_t acslength = cta_res[cta_lr - 1];
294 sc_Acs57_Cmd[4] = acslength;
295 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
296 sc_Acs57Prov[5]++;
297 sc_Acs57_Cmd[3]++;
298 }
299 else
300 {
301 sc_GetProvider[3] = i;
302 reader_chk_cmd(sc_GetProvider, 0);
303 }
304
305 if(((cta_lr == 26) && ((!(i & 1)) || (cta_res[0] != 0xf))) || (csystem_data->acs57 == 1))
306 {
307 reader->prid[i][4] = p++;
308
309 // maps the provider id for Betacrypt from FFFFFF to 000000,
310 // fixes problems with cascading CCcam and OSCam
311 if(caid_is_betacrypt(reader->caid))
312 {
313 memset(&reader->prid[i][0], 0, 4);
314 }
315 else
316 {
317 memcpy(&reader->prid[i][0], cta_res + acspadd, 4);
318 }
319
320 if(!memcmp(cta_res + acspadd + 1, &reader->hexserial, 3))
321 {
322 reader->prid[i][3] = 0xFF;
323 }
324
325 snprintf((char *) buf + strlen((char *)buf), sizeof(buf) - strlen((char *)buf), ",%06x", b2i(3, &reader->prid[i][1]));
326 }
327 else
328 {
329 reader->prid[i][0] = 0xf;
330 }
331 }
332
333 if(p)
334 {
335 rdr_log(reader, "active providers: %d (%s)", p, buf + 1);
336 }
337
338 return OK;
339 }
340
341 static int32_t irdeto_card_init(struct s_reader *reader, ATR *newatr)
342 {
343 def_resp;
344 get_atr;
345 int32_t camkey = 0;
346 uint8_t buf[256] = { 0 };
347 uint8_t sc_GetCamKey383C[] = {
348 0x02, 0x09, 0x03, 0x00, 0x40,
349 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
350 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
351 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
352 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
353 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
354 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
355 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
356 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
357
358 uint8_t sc_GetASCIISerial[] = { 0x02, 0x00, 0x03, 0x00, 0x00 };
359 uint8_t sc_GetHEXSerial[] = { 0x02, 0x01, 0x00, 0x00, 0x00 };
360 uint8_t sc_GetSCDetails[] = { 0x02, 0x1E, 0x00, 0x00, 0x00 };
361 uint8_t sc_GetCardFile[] = { 0x02, 0x0E, 0x02, 0x00, 0x00 };
362
363 uint8_t sc_Acs57CamKey[70] = { 0xD2, 0x12, 0x03, 0x00, 0x41};
364 uint8_t sc_Acs57Country[] = { 0xD2, 0x04, 0x00, 0x00, 0x01, 0x3E };
365 uint8_t sc_Acs57Ascii[] = { 0xD2, 0x00, 0x03, 0x00, 0x01, 0x3F };
366 uint8_t sc_Acs57Hex[] = { 0xD2, 0x02, 0x03, 0x00, 0x01, 0x3E };
367 uint8_t sc_Acs57CFile[] = { 0xD2, 0x1C, 0x02, 0x00, 0x01, 0x30 };
368 uint8_t sc_Acs57_Cmd[] = { ACS57GET, 0xFE, 0x00, 0x00, 0x00 };
369
370 int32_t acspadd = 0;
371 int32_t acs57 = 0;
372
373 if(!memcmp(atr + 4, "IRDETO", 6))
374 {
375 acs57 = 0;
376 }
377 else
378 {
379 if((!memcmp(atr + 5, "IRDETO", 6)) || (((atr[6] == 0xC4) && (atr[9] == 0x8F) && (atr[10] == 0xF1)) && reader->force_irdeto))
380 {
381 acs57 = 1;
382 acspadd = 8;
383 rdr_log(reader, "Hist. Bytes: %s", atr + 5);
384 }
385 else
386 {
387 return ERROR;
388 }
389 }
390
391 if(!cs_malloc(&reader->csystem_data, sizeof(struct irdeto_data)))
392 {
393 return ERROR;
394 }
395 struct irdeto_data *csystem_data = reader->csystem_data;
396 csystem_data->acs57 = acs57;
397
398 rdr_log(reader, "detect irdeto card");
399 if((array_has_nonzero_byte(reader->rsa_mod, 64) > 0) && (!reader->force_irdeto || csystem_data->acs57)) // we use rsa from config as camkey
400 {
401 char tmp_dbg[65];
402 rdr_log_dbg(reader, D_READER, "using camkey data from config");
403 rdr_log_dbg(reader, D_READER, " camkey: %s", cs_hexdump(0, reader->boxkey, sizeof(reader->boxkey), tmp_dbg, sizeof(tmp_dbg)));
404 if(csystem_data->acs57 == 1)
405 {
406 memcpy(&sc_Acs57CamKey[5], reader->rsa_mod, 0x40);
407 rdr_log_dbg(reader, D_READER, "camkey-data: %s", cs_hexdump(0, &sc_Acs57CamKey[5], 32, tmp_dbg, sizeof(tmp_dbg)));
408 rdr_log_dbg(reader, D_READER, "camkey-data: %s", cs_hexdump(0, &sc_Acs57CamKey[37], 32, tmp_dbg, sizeof(tmp_dbg)));
409 }
410 else
411 {
412 memcpy(&sc_GetCamKey383C[5], reader->rsa_mod, 0x40);
413 rdr_log_dbg(reader, D_READER, "camkey-data: %s", cs_hexdump(0, &sc_GetCamKey383C[5], 32, tmp_dbg, sizeof(tmp_dbg)));
414 rdr_log_dbg(reader, D_READER, "camkey-data: %s", cs_hexdump(0, &sc_GetCamKey383C[37], 32, tmp_dbg, sizeof(tmp_dbg)));
415 }
416 }
417 else
418 {
419 if(csystem_data->acs57 == 1)
420 {
421 rdr_log(reader, "WARNING: ACS57 card can require the CamKey from config");
422 }
423 else
424 {
425 memcpy(reader->boxkey, "\x11\x22\x33\x44\x55\x66\x77\x88", 8);
426 }
427 }
428
429 /*
430 * Get Irdeto Smartcard Details - version - patch level etc
431 */
432 if(csystem_data->acs57 == 0)
433 {
434 if(!irdeto_do_cmd(reader, sc_GetSCDetails, 0, cta_res, &cta_lr))
435 {
436 rdr_log(reader, "Irdeto SC %0x version %0x revision %0x, patch level %0x", cta_res[0 + acspadd], cta_res[1 + acspadd], cta_res[2 + acspadd], cta_res[5 + acspadd]);
437 }
438 }
439
440 /*
441 * CountryCode
442 */
443 if(csystem_data->acs57 == 1)
444 {
445 irdeto_do_cmd(reader, sc_Acs57Country, 0x9019, cta_res, &cta_lr);
446 int32_t acslength = cta_res[cta_lr - 1];
447 sc_Acs57_Cmd[4] = acslength;
448 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
449 }
450 else
451 {
452 reader_chk_cmd(sc_GetCountryCode, 18);
453 }
454 csystem_data->acs = (cta_res[0 + acspadd] << 8) | cta_res[1 + acspadd];
455 reader->caid = (cta_res[5 + acspadd] << 8) | cta_res[6 + acspadd];
456 memcpy(csystem_data->country_code, cta_res + 13 + acspadd, 3);
457 rdr_log(reader, "caid: %04X, acs: %x.%02x, country code: %c%c%c",
458 reader->caid, cta_res[0 + acspadd], cta_res[1 + acspadd], cta_res[13 + acspadd], cta_res[14 + acspadd], cta_res[15 + acspadd]);
459
460 /*
461 * Ascii/Hex-Serial
462 */
463 if(csystem_data->acs57 == 1)
464 {
465 irdeto_do_cmd(reader, sc_Acs57Ascii, 0x901D, cta_res, &cta_lr);
466 int32_t acslength = cta_res[cta_lr - 1];
467 sc_Acs57_Cmd[4] = acslength;
468 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
469 }
470 else
471 {
472 reader_chk_cmd(sc_GetASCIISerial, 22);
473 }
474 memcpy(buf, cta_res + acspadd, 10);
475 buf[10] = 0;
476 if(csystem_data->acs57 == 1)
477 {
478 irdeto_do_cmd(reader, sc_Acs57Hex, 0x903E, cta_res, &cta_lr);
479 int32_t acslength = cta_res[cta_lr - 1];
480 sc_Acs57_Cmd[4] = acslength;
481 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
482 }
483 else
484 {
485 reader_chk_cmd(sc_GetHEXSerial, 18);
486 }
487 reader->nprov = cta_res[10 + acspadd];
488 memcpy(reader->hexserial, cta_res + 12 + acspadd, 4);
489
490 rdr_log_sensitive(reader, "providers: %d, ascii serial: {%s}, hex serial: {%02X%02X%02X}, hex base: {%02X}",
491 reader->nprov, buf, reader->hexserial[0], reader->hexserial[1], reader->hexserial[2], reader->hexserial[3]);
492
493 /*
494 * CardFile
495 */
496 if(csystem_data->acs57 == 1)
497 {
498 irdeto_do_cmd(reader, sc_Acs57CFile, 0x9049, cta_res, &cta_lr);
499 int32_t acslength = cta_res[cta_lr - 1];
500 sc_Acs57_Cmd[4] = acslength;
501 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
502 sc_Acs57CFile[2] = 0x03;
503 sc_Acs57CFile[5]++;
504 irdeto_do_cmd(reader, sc_Acs57CFile, 0x9049, cta_res, &cta_lr);
505 acslength = cta_res[cta_lr - 1];
506 sc_Acs57_Cmd[4] = acslength;
507 sc_Acs57_Cmd[2] = 0x03;
508 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
509 sc_Acs57_Cmd[2] = 0x00;
510 }
511 else
512 {
513 for(sc_GetCardFile[2] = 2; sc_GetCardFile[2] < 4; sc_GetCardFile[2]++)
514 {
515 reader_chk_cmd(sc_GetCardFile, 0);
516 }
517 }
518
519 /*
520 * CamKey
521 */
522 if(((atr[14] == 0x03) && (atr[15] == 0x84) && (atr[16] == 0x55)) || (((atr[14] == 0x53) && (atr[15] == 0x20) && (atr[16] == 0x56))))
523 {
524 switch(reader->caid)
525 {
526 case 0x1702:
527 camkey = 1;
528 break;
529
530 case 0x1722:
531 camkey = 2;
532 break;
533
534 case 0x1762:
535 camkey = 3;
536 break;
537
538 // case 0x0624: camkey = 4; break; //ice 0D96/0624 has short ATR
539 default:
540 camkey = 5;
541 break;
542 }
543 }
544
545 if(((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666)) // acs 6.08 and ice 0D96/0624 and 0D97/0653
546 {
547 camkey = 4;
548 sc_Acs57CamKey[2] = 0;
549 }
550
551 // Dirthy hack for Ziggo will be removed when optimum values are find on these T14 cards for v2 and triple
552 // There are also other readers suffering from simmilar issue for those cards.
553 if(((reader->caid == 0x0604) || (reader->caid == 0x1722)) && (reader->typ == R_SMART) && (reader->smart_type >= 2))
554 {
555 // Quick and dirty containment for the SmargoV2,Triple and Ziggo irdeto caid: 0604 using smartreader protocol
556 camkey = 999;
557 }
558 // end dirthy hack
559
560 rdr_log_dbg(reader, D_READER, "set camkey for type=%d", camkey);
561
562 switch(camkey)
563 {
564 case 1:
565 reader_chk_cmd(sc_GetCamKey384CZ, 10);
566 break;
567
568 case 2:
569 reader_chk_cmd(sc_GetCamKey384DZ, 10);
570 break;
571
572 case 3:
573 reader_chk_cmd(sc_GetCamKey384FZ, 10);
574 break;
575
576 case 4:
577 {
578 int32_t i, crc = 61;
579 crc ^= 0x01, crc ^= 0x02, crc ^= 0x09;
580 crc ^= sc_Acs57CamKey[2], crc ^= sc_Acs57CamKey[3], crc ^= (sc_Acs57CamKey[4] + 1);
581
582 for(i = 5; i < (int)sizeof(sc_Acs57CamKey) - 1; i++)
583 {
584 crc ^= sc_Acs57CamKey[i];
585 }
586 sc_Acs57CamKey[69] = crc;
587
588 if(((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666))
589 {
590 sc_Acs57CamKey[69] = XorSum(sc_Acs57CamKey, 69) ^ 0x3f ^(sc_Acs57CamKey[0] & 0xf0) ^ 0x1b;
591 if(irdeto_do_cmd(reader, sc_Acs57CamKey, 0x9011, cta_res, &cta_lr))
592 {
593 rdr_log(reader, "You have a bad Cam Key set");
594 return ERROR;
595 }
596 }
597 else
598 {
599 irdeto_do_cmd(reader, sc_Acs57CamKey, 0x9012, cta_res, &cta_lr);
600 }
601
602 int32_t acslength = cta_res[cta_lr - 1];
603 sc_Acs57_Cmd[4] = acslength;
604 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
605 } break;
606
607 // dirthy hack ziggo nl card smartredaer v2 and triple will be removed after findings optimum T14 values for v2 and triple
608 case 999:
609 {
610 // For some reason only 4 to 5 bytes are received, while 8 bytes are expected.
611 int32_t rc;
612 rc = reader_cmd2icc(reader, sc_GetCamKey383C, sizeof(sc_GetCamKey383C), cta_res, &cta_lr);
613 rdr_log_dbg(reader, D_READER, "SmargoV2 camkey exchange containment: Ignoring returncode (%d), should have been 0.", rc);
614 rdr_log_dbg(reader, D_READER, "In case cardinit NOK and/or no entitlements, retry by restarting oscam.");
615 } break; // end dirthy hack
616
617 default:
618 if(csystem_data->acs57 == 1)
619 {
620 int32_t i, crc = 0x76;
621
622 for(i = 6; i < (int)sizeof(sc_Acs57CamKey) - 1; i++)
623 {
624 crc ^= sc_Acs57CamKey[i];
625 }
626
627 sc_Acs57CamKey[69] = crc;
628 irdeto_do_cmd(reader, sc_Acs57CamKey, 0x9012, cta_res, &cta_lr);
629 int32_t acslength = cta_res[cta_lr - 1];
630 sc_Acs57_Cmd[4] = acslength;
631 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
632 }
633 else
634 {
635 reader_chk_cmd(sc_GetCamKey383C, 0);
636 } break;
637 }
638
639 if(((reader->cardmhz != 600) && (reader->typ != R_INTERNAL)) || ((reader->typ == R_INTERNAL) && ((reader->mhz < 510) || (reader->cardmhz > 690))))
640 {
641 rdr_log(reader, "WARNING: For Irdeto cards you will have to set '%s= 600' in oscam.server", (reader->typ == R_INTERNAL ? "mhz" : "cardmhz") );
642 }
643
644 return irdeto_card_init_provider(reader);
645 }
646
647 int32_t irdeto_do_ecm(struct s_reader *reader, const ECM_REQUEST *er, struct s_ecm_answer *ea)
648 {
649 def_resp;
650 cta_lr = 0; // suppress compiler error
651 static const uint8_t sc_EcmCmd[] = { 0x05, 0x00, 0x00, 0x02, 0x00 };
652 uint8_t sc_Acs57Ecm[] = { 0xD5, 0x00, 0x00, 0x02, 0x00 };
653 uint8_t sc_Acs57_Cmd[] = { ACS57ECM, 0xFE, 0x00, 0x00, 0x00 };
654 uint8_t cta_cmd[MAX_ECM_SIZE];
655 struct irdeto_data *csystem_data = reader->csystem_data;
656
657 int32_t i = 0, acspadd = 0;
658 if(csystem_data->acs57 == 1)
659 {
660 int32_t crc = 63;
661 sc_Acs57Ecm[4] = er->ecm[2] - 2;
662 if(((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666)) //crc for orf, cslink, skylink, upcdirect
663 {
664 sc_Acs57Ecm[2] = 0;
665 crc ^= 0x01;
666 crc ^= 0x05;
667 crc ^= sc_Acs57Ecm[2];
668 crc ^= sc_Acs57Ecm[3];
669 crc ^= (sc_Acs57Ecm[4] - 1);
670
671 for(i = 6; i < er->ecm[2] + 4; i++)
672 {
673 crc ^= er->ecm[i];
674 }
675 }
676 else
677 {
678 sc_Acs57Ecm[2] = er->ecm[6];
679 crc ^= 0x01;
680 crc ^= 0x05;
681 crc ^= sc_Acs57Ecm[2];
682 crc ^= sc_Acs57Ecm[3];
683 crc ^= (sc_Acs57Ecm[4] - 1);
684
685 for(i = 6; i < er->ecm[3] - 5; i++)
686 {
687 crc ^= er->ecm[i];
688 }
689 }
690
691 memcpy(cta_cmd, sc_Acs57Ecm, sizeof(sc_Acs57Ecm));
692 memcpy(cta_cmd + 5, er->ecm + 6, er->ecm[2] - 1);
693 cta_cmd[er->ecm[2] + 2] = crc;
694
695 irdeto_do_cmd(reader, cta_cmd, 0, cta_res, &cta_lr);
696 int32_t acslength = cta_res[cta_lr - 1];
697
698 // If acslength != 0x1F you don't have the entitlements or you camkey is bad
699 if(acslength != 0x1F)
700 {
701 switch(acslength)
702 {
703 case 0x09:
704 rdr_log(reader, "Maybe you don't have the entitlements for this channel");
705 break;
706
707 default:
708 rdr_log(reader, "Maybe you have a bad Cam Key set it from config file");
709 break;
710 }
711 return ERROR;
712 }
713 sc_Acs57_Cmd[4] = acslength;
714 cta_lr = 0;
715 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
716 acspadd = 8;
717 }
718 else
719 {
720 memcpy(cta_cmd, sc_EcmCmd, sizeof(sc_EcmCmd));
721 cta_cmd[4] = (er->ecm[2]) - 3;
722 memcpy(cta_cmd + sizeof(sc_EcmCmd), &er->ecm[6], cta_cmd[4]);
723
724 int32_t try = 1;
725 int32_t ret;
726 do
727 {
728 if(try > 1)
729 {
730 snprintf(ea->msglog, MSGLOGSIZE, "%.22s irdeto_do_cmd try nr %i", reader->label, try);
731 }
732
733 ret = (irdeto_do_cmd(reader, cta_cmd, 0x9D00, cta_res, &cta_lr));
734 ret = ret || (cta_lr < 24);
735 if(ret)
736 {
737 switch(cta_res[cta_lr - 2])
738 {
739 case 0x26: // valid for V6 and V7 cards *26 rare case card gets locked if bad EMM being written
740 {
741 snprintf(ea->msglog, MSGLOGSIZE, "%.19s cardstatus: LOCKED", reader->label);
742 return E_CORRUPT;
743 }
744
745 case 0x27: // valid for V6 and V7 cards Time sync EMMs
746 {
747 snprintf(ea->msglog, MSGLOGSIZE, "%.23s need global EMMs first", reader->label);
748 return E_CORRUPT;
749 }
750
751 case 0x33: // valid for all cards *33 comes in 2 cases Either Card Requires to be init with Dynamic RSA AKA cmd28/A0 or Pairing Enabled
752 {
753 snprintf(ea->msglog, MSGLOGSIZE, "%.26s dynamic RSA init or pairing enabled", reader->label);
754 return ERROR;
755 }
756
757 case 0x35: // valid for V6 and V7 cards Time sync EMMs
758 {
759 snprintf(ea->msglog, MSGLOGSIZE, "%.23s need global EMMs first", reader->label);
760 return E_CORRUPT;
761 }
762
763 case 0x90: // valid for all cards
764 {
765 snprintf(ea->msglog, MSGLOGSIZE,"%.26s unsubscribed channel or chid missing", reader->label);
766 return ERROR;
767 }
768
769 case 0x92: // valid for all cards
770 {
771 snprintf(ea->msglog, MSGLOGSIZE,"%.22s regional chid missing", reader->label);
772 return ERROR;
773 }
774
775 case 0x9E: // valid for all cards *9E comes in 2 cases if card not fully updated OR if pairing Enabled
776 {
777 if(cta_res[cta_lr - 1] == 0x65)
778 {
779 snprintf(ea->msglog, MSGLOGSIZE,"%.24s chipset pairing enabled", reader->label);
780 return ERROR;
781 }
782 else
783 {
784 snprintf(ea->msglog, MSGLOGSIZE,"%.11s needs EMMs", reader->label);
785 return E_CORRUPT;
786 }
787 }
788
789 case 0xA0: // valid for all cards
790 {
791 snprintf(ea->msglog, MSGLOGSIZE,"%.17s surflock enabled", reader->label);
792 return E_CORRUPT;
793 }
794
795 default: // all other error status
796 {
797 snprintf(ea->msglog, MSGLOGSIZE, "%.16s irdeto_do_cmd [%d] %02x %02x", reader->label, cta_lr, cta_res[cta_lr - 2], cta_res[cta_lr - 1]);
798 break;
799 }
800 }
801 }
802 try++;
803 }
804 while((try < 3) && (ret));
805
806 if(ret)
807 {
808 return ERROR;
809 }
810 }
811
812 if((cta_res[5]== 0x36) || (cta_res[5]== 0x37) || (cta_res[5]== 0x24) || (cta_res[5]== 0x25))
813 {
814 snprintf(ea->msglog, MSGLOGSIZE, "cw needs tweaking");
815 }
816
817 ReverseSessionKeyCrypt(reader->boxkey, cta_res + 6 + acspadd);
818 ReverseSessionKeyCrypt(reader->boxkey, cta_res + 14 + acspadd);
819 memcpy(ea->cw, cta_res + 6 + acspadd, 16);
820 return OK;
821 }
822
823 static int32_t irdeto_get_emm_type(EMM_PACKET *ep, struct s_reader *rdr)
824 {
825 int32_t i, l = (ep->emm[3] & 0x07);
826 int32_t base = (ep->emm[3] >> 3);
827 char dumprdrserial[l * 3], dumpemmserial[l * 3];
828
829 rdr_log_dbg(rdr, D_EMM, "Entered irdeto_get_emm_type ep->emm[3]=%02x", ep->emm[3]);
830
831 switch(l)
832 {
833 case 0:
834 // global emm, 0 bytes addressed
835 ep->type = GLOBAL;
836 rdr_log_dbg(rdr, D_EMM, "GLOBAL base = %02x", base);
837
838 if(base & 0x10) // hex serial based?
839 {
840 if(base == rdr->hexserial[3]) // does base match?
841 {
842 return 1;
843 }
844 else
845 {
846 return 0; // base doesnt match!
847 }
848 }
849 else
850 {
851 return 1;
852 } // provider based, match all!
853
854 case 2:
855 // shared emm, 2 bytes addressed
856 ep->type = SHARED;
857 memset(ep->hexserial, 0, 8);
858 memcpy(ep->hexserial, ep->emm + 4, l);
859 cs_hexdump(1, rdr->hexserial, l, dumprdrserial, sizeof(dumprdrserial));
860 cs_hexdump(1, ep->hexserial, l, dumpemmserial, sizeof(dumpemmserial));
861 rdr_log_dbg_sensitive(rdr, D_EMM, "SHARED l = %d ep = {%s} rdr = {%s} base = %02x",
862 l, dumpemmserial, dumprdrserial, base);
863
864 if(base & 0x10)
865 {
866 // hex addressed
867 return ((base == rdr->hexserial[3]) && (!memcmp(ep->emm + 4, rdr->hexserial, l)));
868 }
869 else
870 {
871 if(!memcmp(ep->emm + 4, rdr->hexserial, l))
872 {
873 return 1;
874 }
875
876 // provider addressed
877 for(i = 0; i < rdr->nprov; i++)
878 {
879 if((base == rdr->prid[i][0]) && (!memcmp(ep->emm + 4, &rdr->prid[i][1], l)))
880 {
881 return 1;
882 }
883 }
884 }
885 rdr_log_dbg(rdr, D_EMM, "neither hex nor provider addressed or unknown provider id");
886 return 0;
887
888 case 3:
889 // unique emm, 3 bytes addressed
890 ep->type = UNIQUE;
891 memset(ep->hexserial, 0, 8);
892 memcpy(ep->hexserial, ep->emm + 4, l);
893 cs_hexdump(1, rdr->hexserial, l, dumprdrserial, sizeof(dumprdrserial));
894 cs_hexdump(1, ep->hexserial, l, dumpemmserial, sizeof(dumpemmserial));
895 rdr_log_dbg_sensitive(rdr, D_EMM, "UNIQUE l = %d ep = {%s} rdr = {%s} base = %02x",
896 l, dumpemmserial, dumprdrserial, base);
897
898 if(base & 0x10) // unique hex addressed
899 {
900 return ((base == rdr->hexserial[3]) && (!memcmp(ep->emm + 4, rdr->hexserial, l)));
901 }
902 else
903 {
904 if(!memcmp(ep->emm + 4, rdr->hexserial, l))
905 {
906 return 1;
907 }
908
909 // unique provider addressed
910 for(i = 0; i < rdr->nprov; i++)
911 {
912 if((base == rdr->prid[i][0]) && (!memcmp(ep->emm + 4, &rdr->prid[i][1], l)))
913 {
914 return 1;
915 }
916 }
917 }
918 rdr_log_dbg(rdr, D_EMM, "neither hex nor provider addressed or unknown provider id");
919 return 0;
920
921 default:
922 ep->type = UNKNOWN;
923 rdr_log_dbg(rdr, D_EMM, "UNKNOWN");
924 return 1;
925 }
926 }
927
928 static int32_t irdeto_get_emm_filter(struct s_reader *rdr, struct s_csystem_emm_filter **emm_filters, unsigned int *filter_count)
929 {
930 if(*emm_filters == NULL)
931 {
932 const unsigned int max_filter_count = 3 + (rdr->nprov * 2);
933 if(!cs_malloc(emm_filters, max_filter_count * sizeof(struct s_csystem_emm_filter)))
934 {
935 return ERROR;
936 }
937
938 struct s_csystem_emm_filter *filters = *emm_filters;
939 *filter_count = 0;
940
941 unsigned int idx = 0;
942
943 filters[idx].type = EMM_GLOBAL;
944 filters[idx].enabled = 1;
945 filters[idx].filter[0] = 0x82;
946 filters[idx].mask[0] = 0xFF;
947 filters[idx].filter[1] = 0xF8;
948 filters[idx].mask[1] = 0x07;
949 idx++;
950
951 filters[idx].type = EMM_UNIQUE;
952 filters[idx].enabled = 1;
953 filters[idx].filter[0] = 0x82;
954 filters[idx].mask[0] = 0xFF;
955 filters[idx].filter[1] = 0xFB;
956 filters[idx].mask[1] = 0x07;
957 memcpy(&filters[idx].filter[2], rdr->hexserial, 3);
958 memset(&filters[idx].mask[2], 0xFF, 3);
959 idx++;
960
961 // Shared on Hex Serial only for Betacrypt
962 if(caid_is_betacrypt(rdr->caid))
963 {
964 filters[idx].type = EMM_SHARED;
965 filters[idx].enabled = 1;
966 filters[idx].filter[0] = 0x82;
967 filters[idx].mask[0] = 0xFF;
968 filters[idx].filter[1] = 0xFA;
969 filters[idx].mask[1] = 0x07;
970 memcpy(&filters[idx].filter[2], rdr->hexserial, 2);
971 memset(&filters[idx].mask[2], 0xFF, 2);
972 idx++;
973 }
974
975 int32_t i;
976 for(i = 0; i < rdr->nprov; i++)
977 {
978 // 00XX00 provider is a not initialised not used provider
979 if((rdr->prid[i][1] == 0xFF) || ((rdr->prid[i][1] == 0x00) && (rdr->prid[i][3] == 0x00) && (rdr->caid != 0x0647)))
980 {
981 continue;
982 }
983
984 filters[idx].type = EMM_UNIQUE;
985 filters[idx].enabled = 1;
986 filters[idx].filter[0] = 0x82;
987 filters[idx].mask[0] = 0xFF;
988 filters[idx].filter[1] = 0xFB;
989 filters[idx].mask[1] = 0x07;
990 memcpy(&filters[idx].filter[2], &rdr->prid[i][1], 3);
991 memset(&filters[idx].mask[2], 0xFF, 3);
992 idx++;
993
994 filters[idx].type = EMM_SHARED;
995 filters[idx].enabled = 1;
996 filters[idx].filter[0] = 0x82;
997 filters[idx].mask[0] = 0xFF;
998 filters[idx].filter[1] = 0xFA;
999 filters[idx].mask[1] = 0x07;
1000 memcpy(&filters[idx].filter[2], &rdr->prid[i][1], 2);
1001 memset(&filters[idx].mask[2], 0xFF, 2);
1002 idx++;
1003 }
1004
1005 *filter_count = idx;
1006 }
1007
1008 return OK;
1009 }
1010
1011 static int32_t irdeto_get_tunemm_filter(struct s_reader *rdr, struct s_csystem_emm_filter **emm_filters, unsigned int *filter_count)
1012 {
1013 if(*emm_filters == NULL)
1014 {
1015 const unsigned int max_filter_count = 3;
1016 if(!cs_malloc(emm_filters, max_filter_count * sizeof(struct s_csystem_emm_filter)))
1017 {
1018 return ERROR;
1019 }
1020
1021 struct s_csystem_emm_filter *filters = *emm_filters;
1022 *filter_count = 0;
1023
1024 unsigned int idx = 0;
1025
1026 filters[idx].type = EMM_GLOBAL;
1027 filters[idx].enabled = 1;
1028 filters[idx].filter[0] = 0x82;
1029 filters[idx].mask[0] = 0xFF;
1030 idx++;
1031
1032 filters[idx].type = EMM_SHARED;
1033 filters[idx].enabled = 1;
1034 filters[idx].filter[0] = 0x83;
1035 filters[idx].filter[1] = rdr->hexserial[1];
1036 filters[idx].filter[2] = rdr->hexserial[0];
1037 filters[idx].filter[3] = 0x10;
1038 filters[idx].filter[4] = 0x00;
1039 filters[idx].filter[5] = 0x10;
1040 memset(&filters[idx].mask[0], 0xFF, 6);
1041 idx++;
1042
1043 filters[idx].type = EMM_UNIQUE;
1044 filters[idx].enabled = 1;
1045 filters[idx].filter[0] = 0x83;
1046 filters[idx].filter[1] = rdr->hexserial[1];
1047 filters[idx].filter[2] = rdr->hexserial[0];
1048 filters[idx].filter[3] = 0x10;
1049 filters[idx].filter[4] = rdr->hexserial[2];
1050 filters[idx].filter[5] = 0x00;
1051 memset(&filters[idx].mask[0], 0xFF, 6);
1052 idx++;
1053
1054 *filter_count = idx;
1055 }
1056
1057 return OK;
1058 }
1059
1060 void irdeto_add_emm_header(EMM_PACKET *ep)
1061 {
1062 uint8_t bt_emm[MAX_EMM_SIZE];
1063 static const char *typtext[] = { "unknown", "unique", "shared", "global" };
1064 memset(bt_emm, 0, sizeof(bt_emm));
1065
1066 ep->type = UNKNOWN;
1067 if((ep->emm[0] == 0x83) && (ep->emm[5] == 0x10))
1068 {
1069 if(ep->emm[7] == 0x00)
1070 {
1071 ep->type = UNIQUE;
1072 }
1073 else
1074 {
1075 ep->type = SHARED;
1076 }
1077 }
1078 else
1079 {
1080 if(ep->emm[0] == 0x82)
1081 {
1082 ep->type = GLOBAL;
1083 }
1084 }
1085
1086 if((ep->type != UNKNOWN) && (ep->emmlen == 142))
1087 {
1088 cs_log_dbg(D_EMM, "[TUN_EMM] Type: %s - rewriting header", typtext[ep->type]);
1089 }
1090 else
1091 {
1092 return;
1093 }
1094
1095 // BETACRYPT/IRDETO EMM HEADER:
1096 static uint8_t headerD0[6] = { 0x82, 0x70, 0x89, 0xd0, 0x01, 0x00 }; // GLOBAL
1097 static uint8_t headerD2[8] = { 0x82, 0x70, 0x8b, 0xd2, 0x00, 0x00, 0x01, 0x00 }; // SHARED
1098 static uint8_t headerD3[9] = { 0x82, 0x70, 0x8c, 0xd3, 0x00, 0x00, 0x00, 0x01, 0x00 }; // UNIQUE
1099
1100 switch(ep->type)
1101 {
1102 case UNIQUE:
1103 memcpy(bt_emm, headerD3, sizeof(headerD3));
1104 memcpy(bt_emm + sizeof(headerD3), ep->emm + 8, ep->emmlen - 8);
1105 bt_emm[4] = ep->emm[4];
1106 bt_emm[5] = ep->emm[3];
1107 bt_emm[6] = ep->emm[6];
1108 ep->emmlen = 143;
1109 break;
1110
1111 case SHARED:
1112 memcpy(bt_emm, headerD2, sizeof(headerD2));
1113 memcpy(bt_emm + sizeof(headerD2), ep->emm + 8, ep->emmlen - 8);
1114 bt_emm[4] = ep->emm[4];
1115 bt_emm[5] = ep->emm[3];
1116 ep->emmlen = 142;
1117 break;
1118
1119 case GLOBAL:
1120 memcpy(bt_emm, headerD0, sizeof(headerD0));
1121 memcpy(bt_emm + sizeof(headerD0), ep->emm + 8, ep->emmlen - 8);
1122 ep->emmlen = 140;
1123 break;
1124 }
1125 memcpy(ep->emm, bt_emm, sizeof(bt_emm));
1126 }
1127
1128 #define ADDRLEN 4 // Address length in EMM commands
1129
1130 static int32_t irdeto_do_emm(struct s_reader *reader, EMM_PACKET *ep)
1131 {
1132 def_resp;
1133 static const uint8_t sc_EmmCmd[] = { 0x01, 0x00, 0x00, 0x00, 0x00 };
1134 static uint8_t sc_Acs57Emm[] = { 0xD1, 0x00, 0x00, 0x00, 0x00 };
1135 uint8_t sc_Acs57_Cmd[] = { ACS57EMM, 0xFE, 0x00, 0x00, 0x00 };
1136 struct irdeto_data *csystem_data = reader->csystem_data;
1137 uint8_t cta_cmd[272];
1138
1139 if(ep->emm[0] != 0x82)
1140 {
1141 rdr_log_dbg(reader, D_EMM, "Invalid EMM: Has to start with 0x82, but starts with %02x!", ep->emm[0]);
1142 return ERROR;
1143 }
1144
1145 int32_t i, l = (ep->emm[3] & 0x07), ok = 0;
1146 int32_t mode = (ep->emm[3] >> 3);
1147 uint8_t *emm = ep->emm;
1148
1149 if(mode & 0x10)
1150 {
1151 // hex addressed
1152 ok = ((mode == reader->hexserial[3]) && ((!l) || (!memcmp(&emm[4], reader->hexserial, l))));
1153 }
1154 else
1155 {
1156 ok = !memcmp(&emm[4], reader->hexserial, l);
1157
1158 // provider addressed
1159 for(i = 0; i < reader->nprov && !ok; i++)
1160 {
1161 ok = ((mode == reader->prid[i][0]) && ((!l) || (!memcmp(&emm[4], &reader->prid[i][1], l))));
1162 }
1163 }
1164
1165 if(ok)
1166 {
1167 l++;
1168 if(l <= ADDRLEN)
1169 {
1170 if(csystem_data->acs57 == 1)
1171 {
1172 int32_t dataLen = 0;
1173
1174 if(ep->type == UNIQUE)
1175 {
1176 dataLen = ep->emm[2] - 1;
1177 }
1178 else
1179 {
1180 dataLen = ep->emm[2];
1181 }
1182
1183 if((dataLen < 7) || (dataLen > ((int32_t)sizeof(ep->emm) - 6)) || (dataLen > ((int32_t)sizeof(cta_cmd) - 9)))
1184 {
1185 rdr_log_dbg(reader, D_EMM, "dataLen %d seems wrong, faulty EMM?", dataLen);
1186 return ERROR;
1187 }
1188
1189 if((ep->type == GLOBAL) && (((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666)))
1190 {
1191 dataLen += 2;
1192 }
1193
1194 int32_t crc = 63;
1195 sc_Acs57Emm[4] = dataLen;
1196 memcpy(&cta_cmd, sc_Acs57Emm, sizeof(sc_Acs57Emm));
1197 crc ^= 0x01;
1198 crc ^= 0x01;
1199 crc ^= 0x00;
1200 crc ^= 0x00;
1201 crc ^= 0x00;
1202 crc ^= (dataLen - 1);
1203 memcpy(&cta_cmd[5], &ep->emm[3], 10);
1204
1205 if(ep->type == UNIQUE)
1206 {
1207 memcpy(&cta_cmd[9], &ep->emm[9], dataLen - 4);
1208 }
1209 else
1210 {
1211 if((ep->type == GLOBAL) && (((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666)))
1212 {
1213 memcpy(&cta_cmd[9], &ep->emm[6], 1);
1214 memcpy(&cta_cmd[10], &ep->emm[7], dataLen - 6);
1215 // cta_cmd[9]=0x00;
1216 }
1217 else if(((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666)) //only orf, cslink, skylink, upcdirect
1218 {
1219 memcpy(&cta_cmd[9], &ep->emm[8], dataLen - 4);
1220 }
1221 else
1222 {
1223 memcpy(&cta_cmd[10], &ep->emm[9], dataLen - 6);
1224 }
1225 }
1226
1227 for(i = 5; i < dataLen + 4; i++)
1228 {
1229 crc ^= cta_cmd[i];
1230 }
1231
1232 cta_cmd[dataLen - 1 + 5] = crc;
1233 irdeto_do_cmd(reader, cta_cmd, 0, cta_res, &cta_lr);
1234 int32_t acslength = cta_res[cta_lr - 1];
1235 sc_Acs57_Cmd[4] = acslength;
1236 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
1237
1238 rdr_log_dbg(reader, D_EMM,"response %02X %02X %02X %02X %02X (%s)",
1239 cta_res[0], cta_res[1], cta_res[2], cta_res[3], cta_res[4],
1240 (((cta_res[2] == 0) || (cta_res[2] == 0x7B) || (cta_res[2] == 0x7C)) ? "OK" : "ERROR"));
1241
1242 if((cta_res[2] == 0x7B) || (cta_res[2] == 0x7C)) // chid already written or chid already up to date
1243 {
1244 return SKIPPED;
1245 }
1246
1247 if(cta_res[2] == 0x00)
1248 {
1249 return OK;
1250 }
1251 return ERROR; // all other
1252 }
1253 else // non acs57 based cards
1254 {
1255 const int32_t dataLen = SCT_LEN(emm) - 5 - l; // sizeof of emm bytes (nanos)
1256
1257 if((dataLen < 1) || (dataLen > ((int32_t)sizeof(ep->emm) - 5 - l))
1258 || (dataLen > ((int32_t)sizeof(cta_cmd) - (int32_t)sizeof(sc_EmmCmd) - ADDRLEN)))
1259 {
1260 rdr_log_dbg(reader, D_EMM, "dataLen %d seems wrong, faulty EMM?", dataLen);
1261 return ERROR;
1262 }
1263
1264 uint8_t *ptr = cta_cmd;
1265 memcpy(ptr, sc_EmmCmd, sizeof(sc_EmmCmd)); // copy card command
1266 ptr[4] = dataLen + ADDRLEN; // set card command emm size
1267 ptr += sizeof(sc_EmmCmd);
1268 emm += 3;
1269 memset(ptr, 0, ADDRLEN); // clear addr range
1270 memcpy(ptr, emm, l); // copy addr bytes
1271 ptr += ADDRLEN;
1272 emm += l;
1273 memcpy(ptr, &emm[2], dataLen); // copy emm bytes]
1274 irdeto_do_cmd(reader, cta_cmd, 0, cta_res, &cta_lr);
1275
1276 rdr_log_dbg(reader, D_EMM,"response %02X %02X %02X %02X %02X (%s)",
1277 cta_res[0], cta_res[1], cta_res[2], cta_res[3], cta_res[4],
1278 (((cta_res[cta_lr-2] == 0) || (cta_res[cta_lr-2] == 0x7B) || (cta_res[cta_lr-2] == 0x7C)) ? "OK" : "ERROR"));
1279
1280 if((cta_res[cta_lr-2] == 0x7B) || (cta_res[cta_lr-2] == 0x7C)) // chid already written or chid already up to date
1281 {
1282 return SKIPPED;
1283 }
1284
1285 if(cta_res[cta_lr-2] == 0x00)
1286 {
1287 return OK;
1288 }
1289
1290 return ERROR; // all other
1291 }
1292 }
1293 else
1294 {
1295 rdr_log_dbg(reader, D_EMM, "addrlen %d > %d", l, ADDRLEN);
1296 return ERROR;
1297 }
1298 }
1299 else
1300 {
1301 rdr_log_dbg(reader, D_EMM, "EMM skipped since its hexserial or base doesnt match with this card!");
1302 return SKIPPED;
1303 }
1304 }
1305
1306 static int32_t irdeto_card_info(struct s_reader *reader)
1307 {
1308 def_resp;
1309 int32_t i, p;
1310 struct irdeto_data *csystem_data = reader->csystem_data;
1311
1312 cs_clear_entitlement(reader); // reset the entitlements
1313
1314 uint8_t sc_GetChanelIds[] = { 0x02, 0x04, 0x00, 0x00, 0x01, 0x00 };
1315 uint8_t sc_Acs57Code[] = { 0xD2, 0x16, 0x00, 0x00, 0x01 , 0x37 };
1316 uint8_t sc_Acs57Prid[] = { 0xD2, 0x08, 0x00, 0x00, 0x02, 0x00, 0x00 };
1317 uint8_t sc_Acs57_Cmd[] = { ACS57GET, 0xFE, 0x00, 0x00, 0x00 };
1318
1319 /*
1320 * ContryCode2
1321 */
1322 int32_t acspadd = 0;
1323 if(csystem_data->acs57 == 1)
1324 {
1325 acspadd = 8;
1326 reader_chk_cmd(sc_Acs57Code, 0);
1327 int32_t acslength = cta_res[cta_lr - 1];
1328 sc_Acs57_Cmd[4] = acslength;
1329 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
1330 }
1331 else
1332 {
1333 reader_chk_cmd(sc_GetCountryCode2, 0);
1334 }
1335
1336 if(((cta_lr > 9) && !(cta_res[cta_lr - 2] | cta_res[cta_lr - 1])) || (csystem_data->acs57 == 1))
1337 {
1338 rdr_log_dbg(reader, D_READER, "max chids: %d, %d, %d, %d",
1339 cta_res[6 + acspadd], cta_res[7 + acspadd], cta_res[8 + acspadd], cta_res[9 + acspadd]);
1340
1341 /*
1342 * Provider 2
1343 */
1344 for(i = p = 0; i < reader->nprov; i++)
1345 {
1346 int32_t j, k, chid, first = 1;
1347 char t[32];
1348
1349 if(reader->prid[i][4] != 0xff)
1350 {
1351 p++;
1352 sc_Acs57Prid[3] = i;
1353 sc_GetChanelIds[3] = i; // provider at index i
1354 j = 0;
1355
1356 // for (j=0; j<10; j++) => why 10 .. do we know for sure the there are only 10 chids !!!
1357 // shouldn't it me the max chid value we read above ?!
1358
1359 while(1) // will exit if cta_lr < 61 .. which is the correct break condition.
1360 {
1361 if(csystem_data->acs57 == 1)
1362 {
1363 int32_t crc = 63;
1364 sc_Acs57Prid[5] = j;
1365 crc ^= 0x01;
1366 crc ^= 0x02;
1367 crc ^= 0x04;
1368 crc ^= sc_Acs57Prid[2];
1369 crc ^= sc_Acs57Prid[3];
1370 crc ^= (sc_Acs57Prid[4] - 1);
1371 crc ^= sc_Acs57Prid[5];
1372 sc_Acs57Prid[6] = crc;
1373 irdeto_do_cmd(reader, sc_Acs57Prid, 0x903C, cta_res, &cta_lr);
1374 int32_t acslength = cta_res[cta_lr - 1];
1375
1376 if(acslength == 0x09)
1377 {
1378 break;
1379 }
1380
1381 sc_Acs57_Cmd[4] = acslength;
1382 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
1383
1384 if(cta_res[10] == 0xFF)
1385 {
1386 break;
1387 }
1388
1389 cta_res[cta_lr - 3] = 0xff;
1390 cta_res[cta_lr - 2] = 0xff;
1391 cta_res[cta_lr - 1] = 0xff;
1392 acspadd = 8;
1393 }
1394 else
1395 {
1396 sc_GetChanelIds[5] = j; // chid at index j for provider at index i
1397 reader_chk_cmd(sc_GetChanelIds, 0);
1398 }
1399
1400 // if (cta_lr<61) break; // why 61 (0 to 60 in steps of 6 .. is it 10*6 from the 10 in the for loop ?
1401 // what happen if the card only send back.. 9 chids (or less)... we don't see them
1402 // so we should check whether or not we have at least 6 bytes (1 chid).
1403 if(cta_lr < 6)
1404 {
1405 break;
1406 }
1407
1408 for(k = 0 + acspadd; k < cta_lr; k += 6)
1409 {
1410 chid = b2i(2, cta_res + k);
1411 if(chid && chid != 0xFFFF)
1412 {
1413 time_t date, start_t, end_t;
1414
1415 start_t = chid_date(reader, date = b2i(2, cta_res + k + 2), t, 16);
1416 end_t = chid_date(reader, date + cta_res[k + 4], t + 16, 16);
1417
1418 // todo: add entitlements to list but produces a warning related to date variable
1419 cs_add_entitlement(reader, reader->caid, b2i(3, &reader->prid[i][1]), chid, 0, start_t, end_t, 3, 1);
1420
1421 if(first)
1422 {
1423 rdr_log(reader, "entitlements for provider: %d, id: %06X", p, b2i(3, &reader->prid[i][1]));
1424 first = 0;
1425 }
1426 rdr_log(reader, "chid: %04X, date: %s - %s", chid, t, t + 16);
1427 }
1428 }
1429 j++;
1430 }
1431 }
1432 }
1433 }
1434 rdr_log(reader, "ready for requests");
1435 return OK;
1436 }
1437
1438 const struct s_cardsystem reader_irdeto =
1439 {
1440 .desc = "irdeto",
1441 .caids = (uint16_t[]){ 0x06, 0x17, 0 },
1442 .do_emm = irdeto_do_emm,
1443 .do_ecm = irdeto_do_ecm,
1444 .card_info = irdeto_card_info,
1445 .card_init = irdeto_card_init,
1446 .get_emm_type = irdeto_get_emm_type,
1447 .get_emm_filter = irdeto_get_emm_filter,
1448 .get_tunemm_filter = irdeto_get_tunemm_filter,
1449 };
1450
1451 #endif
Open Source Conditional Access Modul