1 | #include "globals.h"
|
---|
2 | #include "reader-common.h"
|
---|
3 |
|
---|
4 | #include <termios.h>
|
---|
5 | #include <unistd.h>
|
---|
6 | #ifdef OS_LINUX
|
---|
7 | #include <linux/serial.h>
|
---|
8 | #endif
|
---|
9 |
|
---|
10 | #define MAX_ATR_LEN 33 // max. ATR length
|
---|
11 | #define MAX_HIST 15 // max. number of historical characters
|
---|
12 |
|
---|
13 | ////// ====================================================================================
|
---|
14 |
|
---|
15 | int aes_active=0;
|
---|
16 | AES_KEY dkey, ekey;
|
---|
17 | int BASEYEAR = 1997;
|
---|
18 | static void cAES_SetKey(const unsigned char *key)
|
---|
19 | {
|
---|
20 | AES_set_decrypt_key(key,128,&dkey);
|
---|
21 | AES_set_encrypt_key(key,128,&ekey);
|
---|
22 | aes_active=1;
|
---|
23 | }
|
---|
24 |
|
---|
25 | static int cAES_Encrypt(const unsigned char *data, int len, unsigned char *crypt)
|
---|
26 | {
|
---|
27 | if(aes_active) {
|
---|
28 | len=(len+15)&(~15); // pad up to a multiple of 16
|
---|
29 | int i;
|
---|
30 | for(i=0; i<len; i+=16) AES_encrypt(data+i,crypt+i,(const AES_KEY *)&ekey);
|
---|
31 | return len;
|
---|
32 | }
|
---|
33 | return -1;
|
---|
34 | }
|
---|
35 |
|
---|
36 | static int cw_is_valid(unsigned char *cw) //returns 1 if cw_is_valid, returns 0 if cw is all zeros
|
---|
37 | {
|
---|
38 | int i;
|
---|
39 | for (i = 0; i < 8; i++)
|
---|
40 | if (cw[i] != 0) {//test if cw = 00
|
---|
41 | return OK;
|
---|
42 | }
|
---|
43 | return ERROR;
|
---|
44 | }
|
---|
45 | /*
|
---|
46 | unsigned short NdTabB001[0x4][0x20]= {
|
---|
47 | { 0xEAF1,0x0237,0x29D0,0xBAD2,0xE9D3,0x8BAE,0x2D6D,0xCD1B,
|
---|
48 | 0x538D,0xDE6B,0xA634,0xF81A,0x18B5,0x5087,0x14EA,0x672E,
|
---|
49 | 0xF0FC,0x055E,0x62E5,0xB78F,0x5D09,0x0003,0xE4E8,0x2DCE,
|
---|
50 | 0x6BE0,0xAC4E,0xF485,0x6967,0xF28C,0x97A0,0x01EF,0x0100, },
|
---|
51 | { 0xC539,0xF5B9,0x9099,0x013A,0xD4B9,0x6AB5,0xEA67,0x7EB4,
|
---|
52 | 0x6C30,0x4BF0,0xB810,0xB0B5,0xB76D,0xA751,0x1AE7,0x14CA,
|
---|
53 | 0x4F4F,0x1586,0x2608,0x10B1,0xE7E1,0x48BE,0x7DDD,0x5ECB,
|
---|
54 | 0xCFBF,0x323B,0x8B31,0xB131,0x0F1A,0x664B,0x0140,0x0100, },
|
---|
55 | { 0x3C7D,0xBDC4,0xFEC7,0x26A6,0xB0A0,0x6E55,0xF710,0xF9BF,
|
---|
56 | 0x0023,0xE81F,0x41CA,0xBE32,0xB461,0xE92D,0xF1AF,0x409F,
|
---|
57 | 0xFC85,0xFE5B,0x7FCE,0x17F5,0x01AB,0x4A46,0xEB05,0xA251,
|
---|
58 | 0xDC6F,0xF0C0,0x10F0,0x1D51,0xEFAA,0xE9BF,0x0100,0x0100, },
|
---|
59 | { 0x1819,0x0CAA,0x9067,0x607A,0x7576,0x1CBC,0xE51D,0xBF77,
|
---|
60 | 0x7EC6,0x839E,0xB695,0xF096,0xDC10,0xCB69,0x4654,0x8E68,
|
---|
61 | 0xD62D,0x4F1A,0x4227,0x92AC,0x9064,0x6BD1,0x1E75,0x2747,
|
---|
62 | 0x00DA,0xA6A6,0x6CF1,0xD151,0xBE56,0x3E33,0x0128,0x0100, },
|
---|
63 | };
|
---|
64 |
|
---|
65 | unsigned short Hash3[] = {0x0123,0x4567,0x89AB,0xCDEF,0xF861,0xCB52};
|
---|
66 | unsigned char Hash4[] = {0x0B,0x04,0x07,0x08,0x05,0x09,0x0B,0x0A,0x07,0x02,0x0A,0x05,0x04,0x08,0x0D,0x0F};
|
---|
67 |
|
---|
68 | static void postprocess_cw(unsigned char *cw, int nTableIdx)
|
---|
69 | {
|
---|
70 | if (!cw_is_valid(cw)) //if cw is all zero, keep it that way
|
---|
71 | return;
|
---|
72 | unsigned short hk[8],i,j,m=0;
|
---|
73 | for (i = 0; i < 6; i++) hk[2+i]=Hash3[i];
|
---|
74 | for (i = 0; i < 2; i++) {
|
---|
75 | for (j = 0; j < 0x48; j+=2) {
|
---|
76 | if (i)
|
---|
77 | hk[0]=((hk[3] & hk[5]) | ((~hk[5]) & hk[4]));
|
---|
78 | else
|
---|
79 | hk[0]=((hk[3] & hk[4]) | ((~hk[3]) & hk[5]));
|
---|
80 | if (j<8)
|
---|
81 | hk[0]=(hk[0]+((cw[j +1]<<8) | cw[j]));
|
---|
82 | if(j==8) hk[0]=(hk[0]+0x80);
|
---|
83 | hk[0]=(hk[0]+hk[2] + (0xFF & NdTabB001[nTableIdx][m>>1] >> ((m&1)<<3))) ;
|
---|
84 | hk[1] = hk[2];
|
---|
85 | hk[2] = hk[3];
|
---|
86 | hk[3] = hk[4];
|
---|
87 | hk[4] = hk[5];
|
---|
88 | hk[5] = hk[6];
|
---|
89 | hk[6] = hk[7];
|
---|
90 | hk[7] = hk[2]+
|
---|
91 | (((hk[0] << Hash4[m&0xF]) | (hk[0] >> (0x10 - Hash4[m&0xF]))));
|
---|
92 | m=(m+1)&0x3F;
|
---|
93 | }
|
---|
94 | }
|
---|
95 | for (i = 0; i < 6; i++)
|
---|
96 | hk[2+i]+=Hash3[i];
|
---|
97 | for (i = 0; i < 7; i++)
|
---|
98 | cw[i]=hk[2+(i>>1)]>>((i&1)<<3);
|
---|
99 | cw[3] = (cw[0] + cw[1] + cw[2]) & 0xFF;
|
---|
100 | cw[7] = (cw[4] + cw[5] + cw[6]) & 0xFF;
|
---|
101 | cs_ddump (cw, 8, "Postprocessed2 DW:");
|
---|
102 | }
|
---|
103 | */
|
---|
104 |
|
---|
105 | static void swap_lb (unsigned char *buff, int len)
|
---|
106 | {
|
---|
107 |
|
---|
108 | #if __BYTE_ORDER != __BIG_ENDIAN
|
---|
109 | return;
|
---|
110 |
|
---|
111 | #endif /* */
|
---|
112 | int i;
|
---|
113 | unsigned short *tmp;
|
---|
114 | for (i = 0; i < len / 2; i++) {
|
---|
115 | tmp = (unsigned short *) buff + i;
|
---|
116 | *tmp = ((*tmp << 8) & 0xff00) | ((*tmp >> 8) & 0x00ff);
|
---|
117 | }
|
---|
118 | }
|
---|
119 |
|
---|
120 | static inline void __xxor(unsigned char *data, int len, const unsigned char *v1, const unsigned char *v2)
|
---|
121 | {
|
---|
122 | switch(len) { // looks ugly, but the compiler can optimize it very well ;)
|
---|
123 | case 16:
|
---|
124 | *((unsigned int *)data+3) = *((unsigned int *)v1+3) ^ *((unsigned int *)v2+3);
|
---|
125 | *((unsigned int *)data+2) = *((unsigned int *)v1+2) ^ *((unsigned int *)v2+2);
|
---|
126 | case 8:
|
---|
127 | *((unsigned int *)data+1) = *((unsigned int *)v1+1) ^ *((unsigned int *)v2+1);
|
---|
128 | case 4:
|
---|
129 | *((unsigned int *)data+0) = *((unsigned int *)v1+0) ^ *((unsigned int *)v2+0);
|
---|
130 | break;
|
---|
131 | default:
|
---|
132 | while(len--) *data++ = *v1++ ^ *v2++;
|
---|
133 | break;
|
---|
134 | }
|
---|
135 | }
|
---|
136 | #define xor16(v1,v2,d) __xxor((d),16,(v1),(v2))
|
---|
137 | #define val_by2on3(x) ((0xaaab*(x))>>16) //fixed point *2/3
|
---|
138 |
|
---|
139 | unsigned short cardkeys[3][32];
|
---|
140 | unsigned char stateD3A[16];
|
---|
141 |
|
---|
142 | static void cCamCryptVG2_LongMult(unsigned short *pData, unsigned short *pLen, unsigned int mult, unsigned int carry);
|
---|
143 | static void cCamCryptVG2_PartialMod(unsigned short val, unsigned int count, unsigned short *outkey, const unsigned short *inkey);
|
---|
144 | static void cCamCryptVG2_RotateRightAndHash(unsigned char *p);
|
---|
145 | static void cCamCryptVG2_Reorder16A(unsigned char *dest, const unsigned char *src);
|
---|
146 | static void cCamCryptVG2_ReorderAndEncrypt(unsigned char *p);
|
---|
147 | static void cCamCryptVG2_Process_D0(const unsigned char *ins, unsigned char *data);
|
---|
148 | static void cCamCryptVG2_Process_D1(const unsigned char *ins, unsigned char *data, const unsigned char *status);
|
---|
149 | static void cCamCryptVG2_Decrypt_D3(unsigned char *ins, unsigned char *data, const unsigned char *status);
|
---|
150 | static void cCamCryptVG2_PostProcess_Decrypt(unsigned char *buff, int len, unsigned char *cw1, unsigned char *cw2);
|
---|
151 | static void cCamCryptVG2_SetSeed(unsigned char *Key1, unsigned char *Key2);
|
---|
152 | static void cCamCryptVG2_GetCamKey(unsigned char *buff);
|
---|
153 |
|
---|
154 | static void cCamCryptVG2_SetSeed(unsigned char *Key1, unsigned char *Key2)
|
---|
155 | {
|
---|
156 | swap_lb (Key1, 64);
|
---|
157 | swap_lb (Key2, 64);
|
---|
158 | memcpy(cardkeys[1],Key1,sizeof(cardkeys[1]));
|
---|
159 | memcpy(cardkeys[2],Key2,sizeof(cardkeys[2]));
|
---|
160 | swap_lb (Key1, 64);
|
---|
161 | swap_lb (Key2, 64);
|
---|
162 | }
|
---|
163 |
|
---|
164 | static void cCamCryptVG2_GetCamKey(unsigned char *buff)
|
---|
165 | {
|
---|
166 | unsigned short *tb2=(unsigned short *)buff, c=1;
|
---|
167 | memset(tb2,0,64);
|
---|
168 | tb2[0]=1;
|
---|
169 | int i;
|
---|
170 | for(i=0; i<32; i++) cCamCryptVG2_LongMult(tb2,&c,cardkeys[1][i],0);
|
---|
171 | swap_lb (buff, 64);
|
---|
172 | }
|
---|
173 |
|
---|
174 | static void cCamCryptVG2_PostProcess_Decrypt(unsigned char *buff, int len, unsigned char *cw1, unsigned char *cw2)
|
---|
175 | {
|
---|
176 | switch(buff[0]) {
|
---|
177 | case 0xD0:
|
---|
178 | cCamCryptVG2_Process_D0(buff,buff+5);
|
---|
179 | break;
|
---|
180 | case 0xD1:
|
---|
181 | cCamCryptVG2_Process_D1(buff,buff+5,buff+buff[4]+5);
|
---|
182 | break;
|
---|
183 | case 0xD3:
|
---|
184 | cCamCryptVG2_Decrypt_D3(buff,buff+5,buff+buff[4]+5);
|
---|
185 | if(buff[1]==0x54) {
|
---|
186 | memcpy(cw1,buff+5,8);
|
---|
187 | memset(cw2,0,8); //set to 0 so client will know it is not valid if not overwritten with valid cw
|
---|
188 | int ind;
|
---|
189 | for(ind=13; ind<len+13-8; ind++) {
|
---|
190 | if(buff[ind]==0x25) {
|
---|
191 | //memcpy(cw2,buff+5+ind+2,8);
|
---|
192 | memcpy(cw2,buff+ind+3,8); //tested on viasat 093E, sky uk 0963, sky it 919 //don't care whether cw is 0 or not
|
---|
193 | break;
|
---|
194 | }
|
---|
195 | /* if(buff[ind+1]==0) break;
|
---|
196 | ind+=buff[ind+1];*/
|
---|
197 | }
|
---|
198 | }
|
---|
199 | break;
|
---|
200 | }
|
---|
201 | }
|
---|
202 |
|
---|
203 | static void cCamCryptVG2_Process_D0(const unsigned char *ins, unsigned char *data)
|
---|
204 | {
|
---|
205 | switch(ins[1]) {
|
---|
206 | case 0xb4:
|
---|
207 | swap_lb (data, 64);
|
---|
208 | memcpy(cardkeys[0],data,sizeof(cardkeys[0]));
|
---|
209 | break;
|
---|
210 | case 0xbc:
|
---|
211 | {
|
---|
212 | swap_lb (data, 64);
|
---|
213 | unsigned short *idata=(unsigned short *)data;
|
---|
214 | const unsigned short *key1=(const unsigned short *)cardkeys[1];
|
---|
215 | unsigned short key2[32];
|
---|
216 | memcpy(key2,cardkeys[2],sizeof(key2));
|
---|
217 | int count2;
|
---|
218 | for(count2=0; count2<32; count2++) {
|
---|
219 | unsigned int rem=0, div=key1[count2];
|
---|
220 | int i;
|
---|
221 | for(i=31; i>=0; i--) {
|
---|
222 | unsigned int x=idata[i] | (rem<<16);
|
---|
223 | rem=(x%div)&0xffff;
|
---|
224 | }
|
---|
225 | unsigned int carry=1, t=val_by2on3(div) | 1;
|
---|
226 | while(t) {
|
---|
227 | if(t&1) carry=((carry*rem)%div)&0xffff;
|
---|
228 | rem=((rem*rem)%div)&0xffff;
|
---|
229 | t>>=1;
|
---|
230 | }
|
---|
231 | cCamCryptVG2_PartialMod(carry,count2,key2,key1);
|
---|
232 | }
|
---|
233 | unsigned short idatacount=0;
|
---|
234 | int i;
|
---|
235 | for(i=31; i>=0; i--) cCamCryptVG2_LongMult(idata,&idatacount,key1[i],key2[i]);
|
---|
236 | swap_lb (data, 64);
|
---|
237 | unsigned char stateD1[16];
|
---|
238 | cCamCryptVG2_Reorder16A(stateD1,data);
|
---|
239 | cAES_SetKey(stateD1);
|
---|
240 | break;
|
---|
241 | }
|
---|
242 | }
|
---|
243 | }
|
---|
244 |
|
---|
245 | static void cCamCryptVG2_Process_D1(const unsigned char *ins, unsigned char *data, const unsigned char *status)
|
---|
246 | {
|
---|
247 | unsigned char iter[16], tmp[16];
|
---|
248 | memset(iter,0,sizeof(iter));
|
---|
249 | memcpy(iter,ins,5);
|
---|
250 | xor16(iter,stateD3A,iter);
|
---|
251 | memcpy(stateD3A,iter,sizeof(iter));
|
---|
252 |
|
---|
253 | int datalen=status-data;
|
---|
254 | int datalen1=datalen;
|
---|
255 | if(datalen<0) datalen1+=15;
|
---|
256 | int blocklen=datalen1>>4;
|
---|
257 | int i;
|
---|
258 | int iblock;
|
---|
259 | for(i=0,iblock=0; i<blocklen+2; i++,iblock+=16) {
|
---|
260 | unsigned char in[16];
|
---|
261 | int docalc=1;
|
---|
262 | if(blocklen==i && (docalc=datalen&0xf)) {
|
---|
263 | memset(in,0,sizeof(in));
|
---|
264 | memcpy(in,&data[iblock],datalen-(datalen1&~0xf));
|
---|
265 | }
|
---|
266 | else if(blocklen+1==i) {
|
---|
267 | memset(in,0,sizeof(in));
|
---|
268 | memcpy(&in[5],status,2);
|
---|
269 | }
|
---|
270 | else
|
---|
271 | memcpy(in,&data[iblock],sizeof(in));
|
---|
272 |
|
---|
273 | if(docalc) {
|
---|
274 | xor16(iter,in,tmp);
|
---|
275 | cCamCryptVG2_ReorderAndEncrypt(tmp);
|
---|
276 | xor16(tmp,stateD3A,iter);
|
---|
277 | }
|
---|
278 | }
|
---|
279 | memcpy(stateD3A,tmp,16);
|
---|
280 | }
|
---|
281 |
|
---|
282 | static void cCamCryptVG2_Decrypt_D3(unsigned char *ins, unsigned char *data, const unsigned char *status)
|
---|
283 | {
|
---|
284 | if(ins[4]>16) ins[4]-=16;
|
---|
285 | if(ins[1]==0xbe) memset(stateD3A,0,sizeof(stateD3A));
|
---|
286 |
|
---|
287 | unsigned char tmp[16];
|
---|
288 | memset(tmp,0,sizeof(tmp));
|
---|
289 | memcpy(tmp,ins,5);
|
---|
290 | xor16(tmp,stateD3A,stateD3A);
|
---|
291 |
|
---|
292 | int len1=ins[4];
|
---|
293 | int blocklen=len1>>4;
|
---|
294 | if(ins[1]!=0xbe) blocklen++;
|
---|
295 |
|
---|
296 | unsigned char iter[16], states[16][16];
|
---|
297 | memset(iter,0,sizeof(iter));
|
---|
298 | int blockindex;
|
---|
299 | for(blockindex=0; blockindex<blocklen; blockindex++) {
|
---|
300 | iter[0]+=blockindex;
|
---|
301 | xor16(iter,stateD3A,iter);
|
---|
302 | cCamCryptVG2_ReorderAndEncrypt(iter);
|
---|
303 | xor16(iter,&data[blockindex*16],states[blockindex]);
|
---|
304 | if(blockindex==(len1>>4)) {
|
---|
305 | int c=len1-(blockindex*16);
|
---|
306 | if(c<16) memset(&states[blockindex][c],0,16-c);
|
---|
307 | }
|
---|
308 | xor16(states[blockindex],stateD3A,stateD3A);
|
---|
309 | cCamCryptVG2_RotateRightAndHash(stateD3A);
|
---|
310 | }
|
---|
311 | memset(tmp,0,sizeof(tmp));
|
---|
312 | memcpy(tmp+5,status,2);
|
---|
313 | xor16(tmp,stateD3A,stateD3A);
|
---|
314 | cCamCryptVG2_ReorderAndEncrypt(stateD3A);
|
---|
315 |
|
---|
316 | memcpy(stateD3A,status-16,sizeof(stateD3A));
|
---|
317 | cCamCryptVG2_ReorderAndEncrypt(stateD3A);
|
---|
318 |
|
---|
319 | memcpy(data,states[0],len1);
|
---|
320 | if(ins[1]==0xbe) {
|
---|
321 | cCamCryptVG2_Reorder16A(tmp,states[0]);
|
---|
322 | cAES_SetKey(tmp);
|
---|
323 | }
|
---|
324 | }
|
---|
325 |
|
---|
326 | static void cCamCryptVG2_ReorderAndEncrypt(unsigned char *p)
|
---|
327 | {
|
---|
328 | unsigned char tmp[16];
|
---|
329 | cCamCryptVG2_Reorder16A(tmp,p);
|
---|
330 | cAES_Encrypt(tmp,16,tmp);
|
---|
331 | cCamCryptVG2_Reorder16A(p,tmp);
|
---|
332 | }
|
---|
333 |
|
---|
334 | // reorder AAAABBBBCCCCDDDD to ABCDABCDABCDABCD
|
---|
335 |
|
---|
336 | static void cCamCryptVG2_Reorder16A(unsigned char *dest, const unsigned char *src)
|
---|
337 | {
|
---|
338 | int i;
|
---|
339 | int j;
|
---|
340 | int k;
|
---|
341 | for(i=0,k=0; i<4; i++)
|
---|
342 | for(j=i; j<16; j+=4,k++)
|
---|
343 | dest[k]=src[j];
|
---|
344 | }
|
---|
345 |
|
---|
346 | static void cCamCryptVG2_LongMult(unsigned short *pData, unsigned short *pLen, unsigned int mult, unsigned int carry)
|
---|
347 | {
|
---|
348 | int i;
|
---|
349 | for(i=0; i<*pLen; i++) {
|
---|
350 | carry+=pData[i]*mult;
|
---|
351 | pData[i]=(unsigned short)carry;
|
---|
352 | carry>>=16;
|
---|
353 | }
|
---|
354 | if(carry) pData[(*pLen)++]=carry;
|
---|
355 | }
|
---|
356 |
|
---|
357 | static void cCamCryptVG2_PartialMod(unsigned short val, unsigned int count, unsigned short *outkey, const unsigned short *inkey)
|
---|
358 | {
|
---|
359 | if(count) {
|
---|
360 | unsigned int mod=inkey[count];
|
---|
361 | unsigned short mult=(inkey[count]-outkey[count-1])&0xffff;
|
---|
362 | unsigned int i;
|
---|
363 | unsigned int ib1;
|
---|
364 | for(i=0,ib1=count-2; i<count-1; i++,ib1--) {
|
---|
365 | unsigned int t=(inkey[ib1]*mult)%mod;
|
---|
366 | mult=t-outkey[ib1];
|
---|
367 | if(mult>t) mult+=mod;
|
---|
368 | }
|
---|
369 | mult+=val;
|
---|
370 | if((val>mult) || (mod<mult)) mult-=mod;
|
---|
371 | outkey[count]=(outkey[count]*mult)%mod;
|
---|
372 | }
|
---|
373 | else
|
---|
374 | outkey[0]=val;
|
---|
375 | }
|
---|
376 |
|
---|
377 | static const unsigned char table1[256] = {
|
---|
378 | 0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5, 0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76,
|
---|
379 | 0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0, 0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0,
|
---|
380 | 0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc, 0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15,
|
---|
381 | 0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a, 0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75,
|
---|
382 | 0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0, 0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84,
|
---|
383 | 0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b, 0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf,
|
---|
384 | 0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85, 0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8,
|
---|
385 | 0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5, 0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2,
|
---|
386 | 0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17, 0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73,
|
---|
387 | 0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88, 0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb,
|
---|
388 | 0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c, 0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79,
|
---|
389 | 0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9, 0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08,
|
---|
390 | 0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6, 0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a,
|
---|
391 | 0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e, 0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e,
|
---|
392 | 0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94, 0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf,
|
---|
393 | 0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68, 0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16,
|
---|
394 | };
|
---|
395 |
|
---|
396 | static void cCamCryptVG2_RotateRightAndHash(unsigned char *p)
|
---|
397 | {
|
---|
398 | unsigned char t1=p[15];
|
---|
399 | int i;
|
---|
400 | for(i=0; i<16; i++) {
|
---|
401 | unsigned char t2=t1;
|
---|
402 | t1=p[i]; p[i]=table1[(t1>>1)|((t2&1)<<7)];
|
---|
403 | }
|
---|
404 | }
|
---|
405 |
|
---|
406 | ////// ====================================================================================
|
---|
407 |
|
---|
408 | unsigned char CW1[8], CW2[8];
|
---|
409 |
|
---|
410 | extern uchar cta_res[];
|
---|
411 | extern ushort cta_lr;
|
---|
412 |
|
---|
413 | extern int io_serial_need_dummy_char;
|
---|
414 |
|
---|
415 | struct CmdTabEntry {
|
---|
416 | unsigned char cla;
|
---|
417 | unsigned char cmd;
|
---|
418 | unsigned char len;
|
---|
419 | unsigned char mode;
|
---|
420 | };
|
---|
421 |
|
---|
422 | struct CmdTab {
|
---|
423 | unsigned char index;
|
---|
424 | unsigned char size;
|
---|
425 | unsigned char Nentries;
|
---|
426 | unsigned char dummy;
|
---|
427 | struct CmdTabEntry e[1];
|
---|
428 | };
|
---|
429 |
|
---|
430 | struct CmdTab *cmd_table=NULL;
|
---|
431 | static void memorize_cmd_table (const unsigned char *mem, int size){
|
---|
432 | cmd_table=(struct CmdTab *)malloc(sizeof(unsigned char) * size);
|
---|
433 | memcpy(cmd_table,mem,size);
|
---|
434 | }
|
---|
435 |
|
---|
436 | static int cmd_table_get_info(const unsigned char *cmd, unsigned char *rlen, unsigned char *rmode)
|
---|
437 | {
|
---|
438 | struct CmdTabEntry *pcte=cmd_table->e;
|
---|
439 | int i;
|
---|
440 | for(i=0; i<cmd_table->Nentries; i++,pcte++)
|
---|
441 | if(cmd[1]==pcte->cmd) {
|
---|
442 | *rlen=pcte->len;
|
---|
443 | *rmode=pcte->mode;
|
---|
444 | return 1;
|
---|
445 | }
|
---|
446 | return 0;
|
---|
447 | }
|
---|
448 |
|
---|
449 | static int status_ok(const unsigned char *status){
|
---|
450 | //cs_log("[videoguard2-reader] check status %02x%02x", status[0],status[1]);
|
---|
451 | return (status[0] == 0x90 || status[0] == 0x91)
|
---|
452 | && (status[1] == 0x00 || status[1] == 0x01
|
---|
453 | || status[1] == 0x20 || status[1] == 0x21
|
---|
454 | || status[1] == 0x80 || status[1] == 0x81
|
---|
455 | || status[1] == 0xa0 || status[1] == 0xa1);
|
---|
456 | }
|
---|
457 |
|
---|
458 | #define write_cmd(cmd, data) (card_write(cmd, data) == 0)
|
---|
459 | #define read_cmd(cmd, data) (card_write(cmd, NULL) == 0)
|
---|
460 |
|
---|
461 | static int read_cmd_len(const unsigned char *cmd)
|
---|
462 | {
|
---|
463 | unsigned char cmd2[5];
|
---|
464 | memcpy(cmd2,cmd,5);
|
---|
465 | cmd2[3]=0x80;
|
---|
466 | cmd2[4]=1;
|
---|
467 | if(!read_cmd(cmd2,NULL) || cta_res[1] != 0x90 || cta_res[2] != 0x00) {
|
---|
468 | cs_debug("[videoguard2-reader] failed to read %02x%02x cmd length (%02x %02x)",cmd[1],cmd[2],cta_res[1],cta_res[2]);
|
---|
469 | return -1;
|
---|
470 | }
|
---|
471 | return cta_res[0];
|
---|
472 | }
|
---|
473 |
|
---|
474 | static int do_cmd(const unsigned char *ins, const unsigned char *txbuff, unsigned char *rxbuff)
|
---|
475 | {
|
---|
476 | unsigned char ins2[5];
|
---|
477 | memcpy(ins2,ins,5);
|
---|
478 | unsigned char len=0, mode=0;
|
---|
479 | if(cmd_table_get_info(ins2,&len,&mode)) {
|
---|
480 | if(len==0xFF && mode==2) {
|
---|
481 | if(ins2[4]==0) ins2[4]=len=read_cmd_len(ins2);
|
---|
482 | }
|
---|
483 | else if(mode!=0) ins2[4]=len;
|
---|
484 | }
|
---|
485 | if(ins2[0]==0xd3) ins2[4]=len+16;
|
---|
486 | len=ins2[4];
|
---|
487 |
|
---|
488 | unsigned char tmp[264];
|
---|
489 | if(!rxbuff) rxbuff=tmp;
|
---|
490 | if(mode>1) {
|
---|
491 | if(!read_cmd(ins2,NULL) || !status_ok(cta_res+len)) return -1;
|
---|
492 | memcpy(rxbuff,ins2,5);
|
---|
493 | memcpy(rxbuff+5,cta_res,len);
|
---|
494 | memcpy(rxbuff+5+len,cta_res+len,2);
|
---|
495 | }
|
---|
496 | else {
|
---|
497 | if(!write_cmd(ins2,(uchar *)txbuff) || !status_ok(cta_res)) return -2;
|
---|
498 | memcpy(rxbuff,ins2,5);
|
---|
499 | memcpy(rxbuff+5,txbuff,len);
|
---|
500 | memcpy(rxbuff+5+len,cta_res,2);
|
---|
501 | }
|
---|
502 |
|
---|
503 | cCamCryptVG2_PostProcess_Decrypt(rxbuff,len,CW1,CW2);
|
---|
504 |
|
---|
505 | // Log decrypted INS54
|
---|
506 | ///if (rxbuff[1] == 0x54) {
|
---|
507 | /// cs_dump (rxbuff, 5, "Decrypted INS54:");
|
---|
508 | /// cs_dump (rxbuff + 5, rxbuff[4], "");
|
---|
509 | ///}
|
---|
510 |
|
---|
511 | return len;
|
---|
512 | }
|
---|
513 |
|
---|
514 | static void rev_date_calc(const unsigned char *Date, int *year, int *mon, int *day, int *hh, int *mm, int *ss)
|
---|
515 | {
|
---|
516 | *year=(Date[0]/12)+BASEYEAR;
|
---|
517 | *mon=(Date[0]%12)+1;
|
---|
518 | *day=Date[1];
|
---|
519 | *hh=Date[2]/8;
|
---|
520 | *mm=(0x100*(Date[2]-*hh*8)+Date[3])/32;
|
---|
521 | *ss=(Date[3]-*mm*32)*2;
|
---|
522 | }
|
---|
523 |
|
---|
524 | typedef struct{
|
---|
525 | unsigned short id;
|
---|
526 | char name[32];
|
---|
527 | } GCC_PACK tier_t;
|
---|
528 |
|
---|
529 | static tier_t skyit_tiers[] =
|
---|
530 | {
|
---|
531 | { 0x0320, "Promo" },
|
---|
532 | { 0x000B, "Service" },
|
---|
533 | { 0x0219, "Mondo HD" },
|
---|
534 | { 0x021A, "Cinema HD" },
|
---|
535 | { 0x021B, "Cinema" },
|
---|
536 | { 0x0222, "Sport HD" },
|
---|
537 | { 0x0224, "Sky Play IT" },
|
---|
538 | { 0x0226, "Mondo" },
|
---|
539 | { 0x0228, "Sport" },
|
---|
540 | { 0x0229, "Disney Channel" },
|
---|
541 | { 0x022A, "Inter Channel" },
|
---|
542 | { 0x022B, "Milan Channel" },
|
---|
543 | { 0x022C, "Roma Channel" },
|
---|
544 | { 0x022D, "Classica" },
|
---|
545 | { 0x022E, "Music & News" },
|
---|
546 | { 0x022F, "Caccia e Pesca" },
|
---|
547 | { 0x023D, "Juventus Channel" },
|
---|
548 | { 0x023E, "Moto TV" },
|
---|
549 | { 0x026B, "Calcio HD" },
|
---|
550 | { 0x0275, "Promo" },
|
---|
551 | { 0x0295, "Calcio" },
|
---|
552 | { 0x0296, "Serie B" },
|
---|
553 | { 0x02FE, "PPV" }
|
---|
554 | };
|
---|
555 |
|
---|
556 | static char *get_tier_name(unsigned short tier_id){
|
---|
557 | static char *empty = "";
|
---|
558 | unsigned int i;
|
---|
559 |
|
---|
560 | switch (reader[ridx].caid[0])
|
---|
561 | {
|
---|
562 | case 0x919:
|
---|
563 | case 0x93b:
|
---|
564 | for (i = 0; i < sizeof(skyit_tiers) / sizeof(tier_t); ++i)
|
---|
565 | if (skyit_tiers[i].id == tier_id)
|
---|
566 | return skyit_tiers[i].name;
|
---|
567 | break;
|
---|
568 | }
|
---|
569 | return empty;
|
---|
570 | }
|
---|
571 |
|
---|
572 | static void read_tiers(void)
|
---|
573 | {
|
---|
574 | static const unsigned char ins2a[5] = { 0xd0,0x2a,0x00,0x00,0x00 };
|
---|
575 | int l;
|
---|
576 | l=do_cmd(ins2a,NULL,NULL);
|
---|
577 | if(l<0 || !status_ok(cta_res+l)) return;
|
---|
578 | static unsigned char ins76[5] = { 0xd0,0x76,0x00,0x00,0x00 };
|
---|
579 | ins76[3]=0x7f; ins76[4]=2;
|
---|
580 | if(!read_cmd(ins76,NULL) || !status_ok(cta_res+2)) return;
|
---|
581 | ins76[3]=0; ins76[4]=0;
|
---|
582 | int num=cta_res[1];
|
---|
583 | int i;
|
---|
584 | reader[ridx].init_history_pos = 0; //reset for re-read
|
---|
585 | memset(reader[ridx].init_history, 0, sizeof(reader[ridx].init_history));
|
---|
586 | for(i=0; i<num; i++) {
|
---|
587 | ins76[2]=i;
|
---|
588 | l=do_cmd(ins76,NULL,NULL);
|
---|
589 | if(l<0 || !status_ok(cta_res+l)) return;
|
---|
590 | if(cta_res[2]==0 && cta_res[3]==0) break;
|
---|
591 | int y,m,d,H,M,S;
|
---|
592 | rev_date_calc(&cta_res[4],&y,&m,&d,&H,&M,&S);
|
---|
593 | unsigned short tier_id = (cta_res[2] << 8) | cta_res[3];
|
---|
594 | char *tier_name = get_tier_name(tier_id);
|
---|
595 | cs_ri_log("[videoguard2-reader] tier: %04x, expiry date: %04d/%02d/%02d-%02d:%02d:%02d %s",tier_id,y,m,d,H,M,S,tier_name);
|
---|
596 | }
|
---|
597 | }
|
---|
598 |
|
---|
599 | int videoguard_card_init(ATR newatr)
|
---|
600 | {
|
---|
601 | get_hist;
|
---|
602 | if ((hist_size < 7) || (hist[1] != 0xB0) || (hist[4] != 0xFF) || (hist[5] != 0x4A) || (hist[6] != 0x50))
|
---|
603 | return ERROR;
|
---|
604 | get_atr;
|
---|
605 | /* known atrs */
|
---|
606 | unsigned char atr_bskyb[] = { 0x3F, 0x7F, 0x13, 0x25, 0x03, 0x33, 0xB0, 0x06, 0x69, 0xFF, 0x4A, 0x50, 0xD0, 0x00, 0x00, 0x53, 0x59, 0x00, 0x00, 0x00 };
|
---|
607 | unsigned char atr_bskyb_new[] = { 0x3F, 0xFD, 0x13, 0x25, 0x02, 0x50, 0x00, 0x0F, 0x33, 0xB0, 0x0F, 0x69, 0xFF, 0x4A, 0x50, 0xD0, 0x00, 0x00, 0x53, 0x59, 0x02 };
|
---|
608 | unsigned char atr_skyitalia[] = { 0x3F, 0xFF, 0x13, 0x25, 0x03, 0x10, 0x80, 0x33, 0xB0, 0x0E, 0x69, 0xFF, 0x4A, 0x50, 0x70, 0x00, 0x00, 0x49, 0x54, 0x02, 0x00, 0x00 };
|
---|
609 | unsigned char atr_skyitalia93b[] = { 0x3F, 0xFD, 0x13, 0x25, 0x02, 0x50, 0x80, 0x0F, 0x33, 0xB0, 0x13, 0x69, 0xFF, 0x4A, 0x50, 0xD0, 0x80, 0x00, 0x49, 0x54, 0x03 };
|
---|
610 | unsigned char atr_directv[] = { 0x3F, 0x78, 0x13, 0x25, 0x03, 0x40, 0xB0, 0x20, 0xFF, 0xFF, 0x4A, 0x50, 0x00 };
|
---|
611 | unsigned char atr_yes[] = { 0x3F, 0xFF, 0x13, 0x25, 0x03, 0x10, 0x80, 0x33, 0xB0, 0x11, 0x69, 0xFF, 0x4A, 0x50, 0x50, 0x00, 0x00, 0x47, 0x54, 0x01, 0x00, 0x00 };
|
---|
612 | unsigned char atr_viasat_new[] = { 0x3F, 0x7D, 0x11, 0x25, 0x02, 0x41, 0xB0, 0x03, 0x69, 0xFF, 0x4A, 0x50, 0xF0, 0x80, 0x00, 0x56, 0x54, 0x03};
|
---|
613 | unsigned char atr_viasat_scandinavia[] = { 0x3F, 0x7F, 0x11, 0x25, 0x03, 0x33, 0xB0, 0x09, 0x69, 0xFF, 0x4A, 0x50, 0x70, 0x00, 0x00, 0x56, 0x54, 0x01, 0x00, 0x00 };
|
---|
614 | unsigned char atr_premiere[] = { 0x3F, 0xFF, 0x11, 0x25, 0x03, 0x10, 0x80, 0x41, 0xB0, 0x07, 0x69, 0xFF, 0x4A, 0x50, 0x70, 0x00, 0x00, 0x50, 0x31, 0x01, 0x00, 0x11 };
|
---|
615 | unsigned char atr_kbw[] = { 0x3F, 0xFF, 0x14, 0x25, 0x03, 0x10, 0x80, 0x54, 0xB0, 0x01, 0x69, 0xFF, 0x4A, 0x50, 0x70, 0x00, 0x00, 0x4B, 0x57, 0x01, 0x00, 0x00};
|
---|
616 | unsigned char atr_get[] = { 0x3F, 0xFF, 0x14, 0x25, 0x03, 0x10, 0x80, 0x33, 0xB0, 0x10, 0x69, 0xFF, 0x4A, 0x50, 0x70, 0x00, 0x00, 0x5A, 0x45, 0x01, 0x00, 0x00};
|
---|
617 | unsigned char atr_foxtel_90b[] = { 0x3F, 0x7F, 0x11, 0x25, 0x03, 0x33, 0xB0, 0x09, 0x69, 0xFF, 0x4A, 0x50, 0x70, 0x00, 0x00, 0x46, 0x44, 0x01, 0x00, 0x00};
|
---|
618 |
|
---|
619 | if ((atr_size == sizeof (atr_bskyb)) && (memcmp (atr, atr_bskyb, atr_size) == 0))
|
---|
620 | {
|
---|
621 | cs_ri_log("[videoguard2-reader] type: VideoGuard BSkyB");
|
---|
622 | /* BSkyB seems to need one additionnal byte in the serial communication... */
|
---|
623 | io_serial_need_dummy_char = 1;
|
---|
624 | BASEYEAR = 2000;
|
---|
625 | }
|
---|
626 | else if ((atr_size == sizeof (atr_bskyb_new)) && (memcmp (atr, atr_bskyb_new, atr_size) == 0))
|
---|
627 | {
|
---|
628 | cs_ri_log("[videoguard2-reader] type: VideoGuard BSkyB - New");
|
---|
629 | }
|
---|
630 | else if ((atr_size == sizeof (atr_skyitalia)) && (memcmp (atr, atr_skyitalia, atr_size) == 0))
|
---|
631 | {
|
---|
632 | cs_ri_log("[videoguard2-reader] type: VideoGuard Sky Italia");
|
---|
633 | }
|
---|
634 | else if ((atr_size == sizeof (atr_directv)) && (memcmp (atr, atr_directv, atr_size) == 0))
|
---|
635 | {
|
---|
636 | cs_ri_log("[videoguard2-reader] type: VideoGuard DirecTV");
|
---|
637 | }
|
---|
638 | else if ((atr_size == sizeof (atr_yes)) && (memcmp (atr, atr_yes, atr_size) == 0))
|
---|
639 | {
|
---|
640 | cs_ri_log("[videoguard2-reader] type: VideoGuard YES DBS Israel");
|
---|
641 | }
|
---|
642 | else if ((atr_size == sizeof (atr_viasat_new)) && (memcmp (atr, atr_viasat_new, atr_size) == 0))
|
---|
643 | {
|
---|
644 | cs_ri_log("[videoguard2-reader] type: VideoGuard Viasat new (093E)");
|
---|
645 | BASEYEAR = 2000;
|
---|
646 | }
|
---|
647 | else if ((atr_size == sizeof (atr_viasat_scandinavia)) && (memcmp (atr, atr_viasat_scandinavia, atr_size) == 0))
|
---|
648 | {
|
---|
649 | cs_ri_log("[videoguard2-reader] type: VideoGuard Viasat Scandinavia");
|
---|
650 | BASEYEAR = 2000;
|
---|
651 | }
|
---|
652 | else if ((atr_size == sizeof (atr_skyitalia93b)) && (memcmp (atr, atr_skyitalia93b, atr_size) == 0))
|
---|
653 | {
|
---|
654 | cs_ri_log("[videoguard2-reader] type: VideoGuard Sky Italia new (093B)");
|
---|
655 | }
|
---|
656 | else if ((atr_size == sizeof (atr_premiere)) && (memcmp (atr, atr_premiere, atr_size) == 0))
|
---|
657 | {
|
---|
658 | cs_ri_log("[videoguard2-reader] type: VideoGuard Sky Germany");
|
---|
659 | }
|
---|
660 | else if ((atr_size == sizeof (atr_kbw)) && (memcmp (atr, atr_kbw, atr_size) == 0))
|
---|
661 | {
|
---|
662 | cs_ri_log("[videoguard2-reader] type: VideoGuard Kabel BW");
|
---|
663 | }
|
---|
664 | else if ((atr_size == sizeof (atr_get)) && (memcmp (atr, atr_get, atr_size) == 0))
|
---|
665 | {
|
---|
666 | cs_ri_log("[videoguard2-reader] type: VideoGuard Get Kabel Norway");
|
---|
667 | BASEYEAR = 2004;
|
---|
668 | }
|
---|
669 | else if ((atr_size == sizeof (atr_foxtel_90b)) && (memcmp (atr, atr_foxtel_90b, atr_size) == 0))
|
---|
670 | {
|
---|
671 | cs_ri_log("[videoguard2-reader] type: VideoGuard Foxtel Australia (090b)");
|
---|
672 | BASEYEAR = 2000;
|
---|
673 | }
|
---|
674 | /* else
|
---|
675 | {
|
---|
676 | // not a known videoguard
|
---|
677 | return (0);
|
---|
678 | }*/
|
---|
679 | //a non videoguard2/NDS card will fail on read_cmd_len(ins7401)
|
---|
680 | //this way also unknown videoguard2/NDS cards will work
|
---|
681 |
|
---|
682 | unsigned char ins7401[5] = { 0xD0,0x74,0x01,0x00,0x00 };
|
---|
683 | int l;
|
---|
684 | if((l=read_cmd_len(ins7401))<0) return ERROR; //not a videoguard2/NDS card or communication error
|
---|
685 | ins7401[4]=l;
|
---|
686 | if(!read_cmd(ins7401,NULL) || !status_ok(cta_res+l)) {
|
---|
687 | cs_log ("[videoguard2-reader] failed to read cmd list");
|
---|
688 | return ERROR;
|
---|
689 | }
|
---|
690 | memorize_cmd_table (cta_res,l);
|
---|
691 |
|
---|
692 | unsigned char buff[256];
|
---|
693 |
|
---|
694 | unsigned char ins7416[5] = { 0xD0,0x74,0x16,0x00,0x00 };
|
---|
695 | if(do_cmd(ins7416, NULL, NULL)<0) {
|
---|
696 | cs_log ("[videoguard2-reader] cmd 7416 failed");
|
---|
697 | return ERROR;
|
---|
698 | }
|
---|
699 |
|
---|
700 | unsigned char ins36[5] = { 0xD0,0x36,0x00,0x00,0x00 };
|
---|
701 | unsigned char boxID [4];
|
---|
702 |
|
---|
703 | if (reader[ridx].boxid > 0) {
|
---|
704 | /* the boxid is specified in the config */
|
---|
705 | int i;
|
---|
706 | for (i=0; i < 4; i++) {
|
---|
707 | boxID[i] = (reader[ridx].boxid >> (8 * (3 - i))) % 0x100;
|
---|
708 | }
|
---|
709 | } else {
|
---|
710 | /* we can try to get the boxid from the card */
|
---|
711 | int boxidOK=0;
|
---|
712 | l=do_cmd(ins36, NULL, buff);
|
---|
713 | if(l>=0) {
|
---|
714 | int i;
|
---|
715 | for(i=0; i<l ;i++) {
|
---|
716 | if(buff[i+1]==0xF3 && (buff[i]==0x00 || buff[i]==0x0A)) {
|
---|
717 | memcpy(&boxID,&buff[i+2],sizeof(boxID));
|
---|
718 | boxidOK=1;
|
---|
719 | break;
|
---|
720 | }
|
---|
721 | }
|
---|
722 | }
|
---|
723 |
|
---|
724 | if(!boxidOK) {
|
---|
725 | cs_log ("[videoguard2-reader] no boxID available");
|
---|
726 | return ERROR;
|
---|
727 | }
|
---|
728 | }
|
---|
729 |
|
---|
730 | unsigned char ins4C[5] = { 0xD0,0x4C,0x00,0x00,0x09 };
|
---|
731 | unsigned char payload4C[9] = { 0,0,0,0, 3,0,0,0,4 };
|
---|
732 | memcpy(payload4C,boxID,4);
|
---|
733 | if(!write_cmd(ins4C,payload4C) || !status_ok(cta_res+l)) {
|
---|
734 | cs_log("[videoguard2-reader] sending boxid failed");
|
---|
735 | return ERROR;
|
---|
736 | }
|
---|
737 |
|
---|
738 | //short int SWIRDstatus = cta_res[1];
|
---|
739 | unsigned char ins58[5] = { 0xD0,0x58,0x00,0x00,0x00 };
|
---|
740 | l=do_cmd(ins58, NULL, buff);
|
---|
741 | if(l<0) {
|
---|
742 | cs_log("[videoguard2-reader] cmd ins58 failed");
|
---|
743 | return ERROR;
|
---|
744 | }
|
---|
745 | memset(reader[ridx].hexserial, 0, 8);
|
---|
746 | memcpy(reader[ridx].hexserial+2, cta_res+3, 4);
|
---|
747 | reader[ridx].caid[0] = cta_res[24]*0x100+cta_res[25];
|
---|
748 |
|
---|
749 | /* we have one provider, 0x0000 */
|
---|
750 | reader[ridx].nprov = 1;
|
---|
751 | memset(reader[ridx].prid, 0x00, sizeof(reader[ridx].prid));
|
---|
752 |
|
---|
753 | /*
|
---|
754 | cs_log ("[videoguard2-reader] INS58 : Fuse byte=0x%02X, IRDStatus=0x%02X", cta_res[2],SWIRDstatus);
|
---|
755 | if (SWIRDstatus==4) {
|
---|
756 | // If swMarriage=4, not married then exchange for BC Key
|
---|
757 | cs_log ("[videoguard2-reader] Card not married, exchange for BC Keys");
|
---|
758 | */
|
---|
759 |
|
---|
760 | unsigned char seed1[] = {
|
---|
761 | 0xb9, 0xd5, 0xef, 0xd5, 0xf5, 0xd5, 0xfb, 0xd5, 0x31, 0xd6, 0x43, 0xd6, 0x55, 0xd6, 0x61, 0xd6,
|
---|
762 | 0x85, 0xd6, 0x9d, 0xd6, 0xaf, 0xd6, 0xc7, 0xd6, 0xd9, 0xd6, 0x09, 0xd7, 0x15, 0xd7, 0x21, 0xd7,
|
---|
763 | 0x27, 0xd7, 0x3f, 0xd7, 0x45, 0xd7, 0xb1, 0xd7, 0xbd, 0xd7, 0xdb, 0xd7, 0x11, 0xd8, 0x23, 0xd8,
|
---|
764 | 0x29, 0xd8, 0x2f, 0xd8, 0x4d, 0xd8, 0x8f, 0xd8, 0xa1, 0xd8, 0xad, 0xd8, 0xbf, 0xd8, 0xd7, 0xd8
|
---|
765 | };
|
---|
766 | unsigned char seed2[] = {
|
---|
767 | 0x01, 0x00, 0xcf, 0x13, 0xe0, 0x60, 0x54, 0xac, 0xab, 0x99, 0xe6, 0x0c, 0x9f, 0x5b, 0x91, 0xb9,
|
---|
768 | 0x72, 0x72, 0x4d, 0x5b, 0x5f, 0xd3, 0xb7, 0x5b, 0x01, 0x4d, 0xef, 0x9e, 0x6b, 0x8a, 0xb9, 0xd1,
|
---|
769 | 0xc9, 0x9f, 0xa1, 0x2a, 0x8d, 0x86, 0xb6, 0xd6, 0x39, 0xb4, 0x64, 0x65, 0x13, 0x77, 0xa1, 0x0a,
|
---|
770 | 0x0c, 0xcf, 0xb4, 0x2b, 0x3a, 0x2f, 0xd2, 0x09, 0x92, 0x15, 0x40, 0x47, 0x66, 0x5c, 0xda, 0xc9
|
---|
771 | };
|
---|
772 | cCamCryptVG2_SetSeed(seed1,seed2);
|
---|
773 |
|
---|
774 | unsigned char insB4[5] = { 0xD0,0xB4,0x00,0x00,0x40 };
|
---|
775 | unsigned char tbuff[64];
|
---|
776 | cCamCryptVG2_GetCamKey(tbuff);
|
---|
777 | l=do_cmd(insB4, tbuff, NULL);
|
---|
778 | if(l<0 || !status_ok(cta_res)) {
|
---|
779 | cs_log ("[videoguard2-reader] cmd D0B4 failed (%02X%02X)", cta_res[0], cta_res[1]);
|
---|
780 | return ERROR;
|
---|
781 | }
|
---|
782 |
|
---|
783 | unsigned char insBC[5] = { 0xD0,0xBC,0x00,0x00,0x00 };
|
---|
784 | l=do_cmd(insBC, NULL, NULL);
|
---|
785 | if(l<0) {
|
---|
786 | cs_log("[videoguard2-reader] cmd D0BC failed");
|
---|
787 | return ERROR;
|
---|
788 | }
|
---|
789 |
|
---|
790 | unsigned char insBE[5] = { 0xD3,0xBE,0x00,0x00,0x00 };
|
---|
791 | l=do_cmd(insBE, NULL, NULL);
|
---|
792 | if(l<0) {
|
---|
793 | cs_log("[videoguard2-reader] cmd D3BE failed");
|
---|
794 | return ERROR;
|
---|
795 | }
|
---|
796 |
|
---|
797 | unsigned char ins58a[5] = { 0xD1,0x58,0x00,0x00,0x00 };
|
---|
798 | l=do_cmd(ins58a, NULL, NULL);
|
---|
799 | if(l<0) {
|
---|
800 | cs_log("[videoguard2-reader] cmd D158 failed");
|
---|
801 | return ERROR;
|
---|
802 | }
|
---|
803 |
|
---|
804 | unsigned char ins4Ca[5] = { 0xD1,0x4C,0x00,0x00,0x00 };
|
---|
805 | l=do_cmd(ins4Ca,payload4C, NULL);
|
---|
806 | if(l<0 || !status_ok(cta_res)) {
|
---|
807 | cs_log("[videoguard2-reader] cmd D14Ca failed");
|
---|
808 | return ERROR;
|
---|
809 | }
|
---|
810 |
|
---|
811 | cs_ri_log("[videoguard2-reader] type: VideoGuard, caid: %04X, serial: %02X%02X%02X%02X, BoxID: %02X%02X%02X%02X",
|
---|
812 | reader[ridx].caid[0],
|
---|
813 | reader[ridx].hexserial[2],reader[ridx].hexserial[3],reader[ridx].hexserial[4],reader[ridx].hexserial[5],
|
---|
814 | boxID[0],boxID[1],boxID[2],boxID[3]);
|
---|
815 |
|
---|
816 | ///read_tiers();
|
---|
817 |
|
---|
818 | cs_log("[videoguard2-reader] ready for requests");
|
---|
819 |
|
---|
820 | return OK;
|
---|
821 | }
|
---|
822 |
|
---|
823 |
|
---|
824 | //Tables for B0 01 xx (00 to 14)
|
---|
825 |
|
---|
826 | unsigned short mem10C1E0[672]={
|
---|
827 | 0xEAF1, 0x237, 0x29D0, 0xBAD2, 0xE9D3, 0x8BAE, 0x2D6D, 0xCD1B, 0x538D, 0xDE6B, 0xA634,
|
---|
828 | 0xF81A, 0x18B5, 0x5087, 0x14EA, 0x672E, 0xF0FC, 0x55E, 0x62E5, 0xB78F, 0x5D09, 0x03,
|
---|
829 | 0xE4E8, 0x2DCE, 0x6BE0, 0xAC4E, 0xF485, 0x6967, 0xF28C, 0x97A0, 0x1EF, 0x100, 0xC539,
|
---|
830 | 0xF5B9, 0x9099, 0x13A, 0xD4B9, 0x6AB5, 0xEA67, 0x7EB4, 0x6C30, 0x4BF0, 0xB810, 0xB0B5,
|
---|
831 | 0xB76D, 0xA751, 0x1AE7, 0x14CA, 0x4F4F, 0x1586, 0x2608, 0x10B1, 0xE7E1, 0x48BE, 0x7DDD,
|
---|
832 | 0x5ECB, 0xCFBF, 0x323B, 0x8B31, 0xB131, 0xF1A, 0x664B, 0x140, 0x100, 0x3C7D, 0xBDC4,
|
---|
833 | 0xFEC7, 0x26A6, 0xB0A0, 0x6E55, 0xF710, 0xF9BF, 0x23, 0xE81F, 0x41CA, 0xBE32, 0xB461,
|
---|
834 | 0xE92D, 0xF1AF, 0x409F, 0xFC85, 0xFE5B, 0x7FCE, 0x17F5, 0x1AB, 0x4A46, 0xEB05, 0xA251,
|
---|
835 | 0xDC6F, 0xF0C0, 0x10F0, 0x1D51, 0xEFAA, 0xE9BF, 0x100, 0x100, 0x1819, 0xCAA, 0x9067,
|
---|
836 | 0x607A, 0x7576, 0x1CBC, 0xE51D, 0xBF77, 0x7EC6, 0x839E, 0xB695, 0xF096, 0xDC10, 0xCB69,
|
---|
837 | 0x4654, 0x8E68, 0xD62D, 0x4F1A, 0x4227, 0x92AC, 0x9064, 0x6BD1, 0x1E75, 0x2747, 0xDA,
|
---|
838 | 0xA6A6, 0x6CF1, 0xD151, 0xBE56, 0x3E33, 0x128, 0x100, 0x4091, 0x9ED, 0xD494, 0x6054,
|
---|
839 | 0x1869, 0x71D5, 0xB572, 0x7BF1, 0xE925, 0xEE2D, 0xEEDE, 0xA13C, 0x6613, 0x9BAB, 0x122D,
|
---|
840 | 0x7AE4, 0x5268, 0xE6C9, 0x50CB, 0x79A1, 0xF212, 0xA062, 0x6B48, 0x70B3, 0xF6B0, 0x6D5,
|
---|
841 | 0xF8AB, 0xECF5, 0x6255, 0xEDD8, 0x79D2, 0x290A, 0xD3CF, 0x14E, 0xACB3, 0x8F6B, 0xF2C,
|
---|
842 | 0xA5D8, 0xE8E0, 0x863D, 0x80D5, 0x5705, 0x658A, 0x8BC2, 0xEE46, 0xD3AE, 0x199, 0x100,
|
---|
843 | 0x4A35, 0xABE4, 0xF976, 0x935A, 0xA8A5, 0xBAE9, 0x24D0, 0x71AA, 0xB3FE, 0x95E, 0xAB06,
|
---|
844 | 0x4CD5, 0x2F0D, 0x1ACB, 0x59F3, 0x4C50, 0xFD27, 0xF8E, 0x191A, 0xEEE7, 0x2F49, 0x3A05,
|
---|
845 | 0x3267, 0x4F88, 0x38AE, 0xFCE9, 0x9476, 0x18C6, 0xF961, 0x4EF0, 0x39D0, 0x42E6, 0xB747,
|
---|
846 | 0xE625, 0xB68E, 0x5100, 0xF92A, 0x86FE, 0xE79B, 0xEE91, 0x21D5, 0x4C3C, 0x683D, 0x5AD1,
|
---|
847 | 0x1B49, 0xF407, 0x194, 0x100, 0x4BF9, 0xDC0D, 0x9478, 0x5174, 0xCB4A, 0x8A89, 0x4D6A,
|
---|
848 | 0xFED8, 0xF123, 0xA8CD, 0xEEE7, 0xA6D1, 0xB763, 0xF5E2, 0xE085, 0x1EF, 0xE466, 0x9FA3,
|
---|
849 | 0x2F68, 0x2190, 0x423F, 0x287F, 0x7F3F, 0x9F6, 0x2111, 0xA963, 0xD0BB, 0x674A, 0xBA72,
|
---|
850 | 0x45F9, 0xF186, 0xB8F5, 0x10, 0xD1B9, 0xB164, 0x9E87, 0x1F49, 0x6950, 0x2DBF, 0x38D3,
|
---|
851 | 0x2EB0, 0x3E8E, 0x91E6, 0xF688, 0x7E41, 0x566E, 0x1B0, 0x100, 0x24A1, 0x73D8, 0xA0C3,
|
---|
852 | 0xF71B, 0xA0A5, 0x2A06, 0xBA46, 0xFEC3, 0xDD4C, 0x52CC, 0xF9BC, 0x3B7E, 0x3812, 0x666,
|
---|
853 | 0xB74B, 0x40F8, 0x28F2, 0x7C81, 0xFC92, 0x6FBD, 0x53D6, 0x72A3, 0xBBDF, 0xB6FC, 0x9CE5,
|
---|
854 | 0x2331, 0xD4F6, 0xC5BB, 0xE8BB, 0x6676, 0x2D9, 0x2F0E, 0xD009, 0xD136, 0xCD09, 0x7551,
|
---|
855 | 0x1826, 0x9D9B, 0x63EA, 0xFC63, 0x68CD, 0x3672, 0xCB95, 0xD28E, 0xF1CD, 0x20CA, 0x14C,
|
---|
856 | 0x100, 0xE539, 0x55B7, 0x989D, 0x21C4, 0x463A, 0xE68F, 0xF8B5, 0xE5C5, 0x662B, 0x35BF,
|
---|
857 | 0x3C50, 0x131, 0xF4BF, 0x38B2, 0x41BC, 0xB829, 0x2B7, 0x6B8F, 0xA25C, 0xAFD2, 0xD84A,
|
---|
858 | 0x2243, 0x53EB, 0xC6C9, 0x2E14, 0x181F, 0x8F96, 0xDF0E, 0xD4C, 0x30F6, 0xFFE1, 0x9DDA,
|
---|
859 | 0x30B6, 0x777E, 0xDA3D, 0xAF77, 0x205E, 0xC90B, 0x856B, 0xB451, 0x3BCC, 0x76C2, 0x8ACF,
|
---|
860 | 0xDCB1, 0xA5E5, 0xDD64, 0x197, 0x100, 0xE751, 0xB661, 0x404, 0xDB4A, 0xE9DD, 0xA400,
|
---|
861 | 0xAF26, 0x3F5E, 0x904B, 0xA924, 0x9E0, 0xE72B, 0x825B, 0x2C50, 0x6FD0, 0xD52, 0x2730,
|
---|
862 | 0xC2BA, 0x9E44, 0x5815, 0xFC47, 0xB21D, 0x67B8, 0xF8B9, 0x47D, 0xB0AF, 0x9F14, 0x741B,
|
---|
863 | 0x4668, 0xBE54, 0xDE16, 0xDB14, 0x7CB7, 0xF2B8, 0x683, 0x762C, 0x9A0, 0x9507, 0x7F92,
|
---|
864 | 0x22C, 0xBA6A, 0x7D52, 0xAF4, 0x1BC3, 0xB46A, 0xC4FD, 0x1C2, 0x100, 0x7611, 0x66F3,
|
---|
865 | 0xEE87, 0xEDD3, 0xC559, 0xEFD4, 0xDC59, 0xF86B, 0x6D1C, 0x1C85, 0x9BB1, 0x3373, 0x763F,
|
---|
866 | 0x4EBE, 0x1BF3, 0x99B5, 0xD721, 0x978F, 0xCF5C, 0xAC51, 0x984, 0x7462, 0x8F0C, 0x2817,
|
---|
867 | 0x4AD9, 0xFD41, 0x6678, 0x7C85, 0xD330, 0xC9F8, 0x1D9A, 0xC622, 0x5AE4, 0xE16A, 0x60F6,
|
---|
868 | 0xFD45, 0x668C, 0x29D6, 0x285, 0x6B92, 0x92C2, 0x21DE, 0x45E0, 0xEF3D, 0x8B0D, 0x2CD,
|
---|
869 | 0x198, 0x100, 0x9E6D, 0x4D38, 0xDEF9, 0xE6F2, 0xF72E, 0xB313, 0x14F2, 0x390A, 0x2D67,
|
---|
870 | 0xC71E, 0xCB69, 0x7F66, 0xD3CF, 0x7F8A, 0x81D9, 0x9DDE, 0x85E3, 0x8F29, 0x36EB, 0xC968,
|
---|
871 | 0x3696, 0x59F6, 0x7832, 0xA78B, 0xA1D8, 0xF5CF, 0xAB64, 0x646D, 0x7A2A, 0xBAF8, 0xAA87,
|
---|
872 | 0x41C7, 0x5120, 0xDE78, 0x738D, 0xDC1A, 0x268D, 0x5DF8, 0xED69, 0x1C8A, 0xBC85, 0x3DCD,
|
---|
873 | 0xAE30, 0xF8D, 0xEC89, 0x3ABD, 0x166, 0x100, 0xB8BD, 0x643B, 0x748E, 0xBD63, 0xEC6F,
|
---|
874 | 0xE23A, 0x9493, 0xDD76, 0xA62, 0x774F, 0xCD68, 0xA67A, 0x9A23, 0xC8A8, 0xBDE5, 0x9D1B,
|
---|
875 | 0x2B86, 0x8B36, 0x5428, 0x1DFB, 0xCD1D, 0x713, 0x29C2, 0x8E8E, 0x5207, 0xA13F, 0x6005,
|
---|
876 | 0x4F5E, 0x52E0, 0xE7C8, 0x6D1C, 0x3E34, 0x581D, 0x2BFA, 0x5E1D, 0xA891, 0x1069, 0x1DA4,
|
---|
877 | 0x39A0, 0xBE45, 0x5B9A, 0x7333, 0x6F3E, 0x8637, 0xA550, 0xC9E9, 0x5C6C, 0x42BA, 0xA712,
|
---|
878 | 0xC3EA, 0x3808, 0x910, 0xAA4D, 0x5B25, 0xABCD, 0xE680, 0x96AD, 0x2CEC, 0x8EBB, 0xA47D,
|
---|
879 | 0x1690, 0xE8FB, 0x1C8, 0x100, 0x73B9, 0x82BC, 0x9EBC, 0xB130, 0xDA5, 0x8617, 0x9F7B,
|
---|
880 | 0x9766, 0x205D, 0x752D, 0xB05C, 0x2A17, 0xA75C, 0x18EF, 0x8339, 0xFD34, 0x8DA2, 0x7970,
|
---|
881 | 0xD0B4, 0x70F1, 0x3765, 0x7380, 0x7CAF, 0x570E, 0x6440, 0xBC44, 0x743, 0x2D02, 0x419,
|
---|
882 | 0xA240, 0x2113, 0x1AD4, 0x1EB5, 0xBBFF, 0x39B1, 0x3209, 0x705F, 0x15F4, 0xD7AD, 0x340B,
|
---|
883 | 0xC2A6, 0x25CA, 0xF412, 0x9570, 0xF4F, 0xE4D5, 0x1614, 0xE464, 0x911A, 0xF0E, 0x7DA,
|
---|
884 | 0xA929, 0x2379, 0xD988, 0xAA6, 0x3B57, 0xBF63, 0x71FB, 0x72D5, 0x26CE, 0xB0AF, 0xCF45,
|
---|
885 | 0x11B, 0x100, 0x9999, 0x98FE, 0xA108, 0x6588, 0xF90B, 0x4554, 0xFF38, 0x4642, 0x8F5F,
|
---|
886 | 0x6CC3, 0x4E8E, 0xFF7E, 0x64C2, 0x50CA, 0xE7F, 0xAD7D, 0x6AAB, 0x33C1, 0xE1F4, 0x6165,
|
---|
887 | 0x7894, 0x83B9, 0xA0C, 0x38AF, 0x5803, 0x18C0, 0xFA36, 0x592C, 0x4548, 0xABB8, 0x1527,
|
---|
888 | 0xAEE9 };
|
---|
889 |
|
---|
890 | typedef struct Attack_data { //dim 0x6C bytes
|
---|
891 | char Unused0[0x10];
|
---|
892 | unsigned char val4[0x40];
|
---|
893 | char Unused1[0x08];
|
---|
894 | unsigned short Val7[0x14];
|
---|
895 | } GCC_PACK MyData;
|
---|
896 |
|
---|
897 |
|
---|
898 | static void PrepareData1(MyData *P1) {
|
---|
899 | unsigned short Tb1[0x6]={0x0123,0x4567,0x89AB,0xCDEF,0xF861,0xCB52};
|
---|
900 | int i;
|
---|
901 | for(i = 0; i < 6; i++) P1->Val7[i] = Tb1[i];
|
---|
902 | }
|
---|
903 |
|
---|
904 | static void PrepareData4(MyData *P1) {
|
---|
905 | int Tb[4]={0x67452301,0xefcdab89,0x98badcfe,0x10325476};
|
---|
906 | int *mybuf = (int*) P1->Val7;
|
---|
907 | int i;
|
---|
908 | for(i = 0; i < 4; i++) mybuf[i] = Tb[i];
|
---|
909 | }
|
---|
910 |
|
---|
911 | static unsigned char AdditionalFunc1(MyData *P1, int P2) {
|
---|
912 | short res;
|
---|
913 | short *buf = (short*) P1->Val7;
|
---|
914 |
|
---|
915 | if(P2&1)
|
---|
916 | res=((buf[(P2>>1)])>>8); //Return HIGH byte
|
---|
917 | else
|
---|
918 | res=(buf[(P2>>1)]); //Return LOW byte
|
---|
919 |
|
---|
920 | return (res & 0xFF);
|
---|
921 | }
|
---|
922 |
|
---|
923 | static unsigned char AdditionalFunc4(MyData *P1, int P2) {
|
---|
924 | int res = 0;
|
---|
925 | int *buf = (int*) P1->Val7;
|
---|
926 |
|
---|
927 | switch (P2&3) {
|
---|
928 | case 0: res=((buf[(P2>>2)])>>0); break;
|
---|
929 | case 1: res=((buf[(P2>>2)])>>8); break;
|
---|
930 | case 2: res=((buf[(P2>>2)])>>16); break;
|
---|
931 | case 3: res=((buf[(P2>>2)])>>24); break;
|
---|
932 | };
|
---|
933 |
|
---|
934 | return (res & 0xFF);
|
---|
935 | }
|
---|
936 |
|
---|
937 | static void Process_1(MyData *Data, int TableIdx) {
|
---|
938 | unsigned char var0=0,var3=0;
|
---|
939 | int var1;
|
---|
940 | short *Tmp=(short*)Data->Val7;
|
---|
941 | int var8 = Tmp[0];//(sword[(var_ext_1 + 4*0x16)]);
|
---|
942 | int var2 = Tmp[1];//(sword[var_ext_1 + 0x5A]);
|
---|
943 | int var5 = Tmp[2];//(sword[(var_ext_1 + 4*0x17)]);
|
---|
944 | int var4 = Tmp[3];//(sword[var_ext_1 + 0x5E]);
|
---|
945 | int var9 = Tmp[4];//(sword[(var_ext_1 + 4*0x18)]);
|
---|
946 | int var6 = Tmp[5];//(sword[var_ext_1 + 0x62]);
|
---|
947 | int var7;
|
---|
948 | int var0xB;
|
---|
949 | int var0xD;
|
---|
950 | int var0xC;
|
---|
951 | int var0xE;
|
---|
952 | int var0xF = 0;
|
---|
953 | short *var0x10 = (short*) mem10C1E0+(TableIdx*0x20);
|
---|
954 | unsigned char var0x11[0x10] = {0x0B,0x04,0x07,0x08,0x05,0x09,0x0B,0x0A,0x07,0x02,0x0A,0x05,0x04,0x08,0x0D,0x0F}; //byte array
|
---|
955 | unsigned char *var0xA = Data->val4;
|
---|
956 | do{
|
---|
957 | var1=0;
|
---|
958 | do{
|
---|
959 | var0xB=((var0xA[(var1*2) +1]<<8)+var0xA[var1*2])&0xFFFF;
|
---|
960 |
|
---|
961 | if(var0xF)
|
---|
962 | var7 = (((var2 & var4) | ((~var4) & var5)) & 0xFFFF);
|
---|
963 | else
|
---|
964 | var7 = (((var2 & var5) | ((~var2) & var4)) & 0xFFFF);
|
---|
965 | if((var0 & 1))
|
---|
966 | var0xC = (var0x10[(var0>>1)])>>8;
|
---|
967 | else
|
---|
968 | var0xC = (var0x10[(var0>>1)]);
|
---|
969 | var0xE = var8;
|
---|
970 | var8 = var2;
|
---|
971 | var0xD = var2;
|
---|
972 | var2 = var5;
|
---|
973 | var5 = var4;
|
---|
974 | var4 = var9;
|
---|
975 | var9 = var6;
|
---|
976 | var6 = ((((var7 + var0xE) + var0xB) + (var0xC & 0xFF)) & 0xFFFF);
|
---|
977 | var7 = var0x11[var3];
|
---|
978 | var6 = ((((var6 << var7) | (var6 >> (0x10 - var7))) + var0xD) & 0xFFFF);
|
---|
979 | var3++;
|
---|
980 | if(var3 == 0x10)
|
---|
981 | var3 = 0;
|
---|
982 | var0 = (var0 + 1) & 0xFF;
|
---|
983 | if(var0 == 0x40)
|
---|
984 | var0 = 0;
|
---|
985 |
|
---|
986 | var1++;
|
---|
987 | }while(var1<0x24);
|
---|
988 | var0xF++;
|
---|
989 | }while(var0xF<2);
|
---|
990 | Tmp[0] = (var8 + Tmp[0]);
|
---|
991 | Tmp[1] = (var2 + Tmp[1]);
|
---|
992 | Tmp[2] = (var5 + Tmp[2]);
|
---|
993 | Tmp[3] = (var4 + Tmp[3]);
|
---|
994 | Tmp[4] = (var9 + Tmp[4]);
|
---|
995 | Tmp[5] = (var6 + Tmp[5]);
|
---|
996 | return;
|
---|
997 | }
|
---|
998 |
|
---|
999 |
|
---|
1000 |
|
---|
1001 | #define I(x, y, z) ((y) ^ ((x) | ~(z)))
|
---|
1002 | #define H(x, y, z) ((x) ^ (y) ^ (z))
|
---|
1003 | #define G(x, y, z) (((x) & (z)) | ((y) & ~(z)))
|
---|
1004 | #define F(x, y, z) (((x) & (y)) | (~(x) & (z)))
|
---|
1005 | #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
|
---|
1006 |
|
---|
1007 | static int Transform_MD5_C069B411(MyData *Data){ // ROM:C069B411
|
---|
1008 | short var0;
|
---|
1009 | short var5;
|
---|
1010 | short var9;
|
---|
1011 |
|
---|
1012 | unsigned int var1;
|
---|
1013 | unsigned int var2;
|
---|
1014 | unsigned char var4;
|
---|
1015 |
|
---|
1016 | unsigned int var6;
|
---|
1017 | unsigned int var7;
|
---|
1018 | unsigned int var8;
|
---|
1019 |
|
---|
1020 | unsigned int var0xA;
|
---|
1021 | unsigned int var0xB;
|
---|
1022 | unsigned int var0xC = 0;
|
---|
1023 | unsigned char *var0xD;
|
---|
1024 | unsigned int var0xE;
|
---|
1025 | unsigned int *mybuf = (unsigned int*) Data->Val7;
|
---|
1026 | unsigned char mem08C0[] = {0x00, 0x01, 0x05, 0x00, 0x01, 0x05, 0x03, 0x07};
|
---|
1027 |
|
---|
1028 |
|
---|
1029 | /*
|
---|
1030 |
|
---|
1031 | int MD5_C[] = {
|
---|
1032 | // round 1
|
---|
1033 | 0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
|
---|
1034 | 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
|
---|
1035 | 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
|
---|
1036 | 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
|
---|
1037 | // round 2
|
---|
1038 | 0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
|
---|
1039 | 0xd62f105d, 0x2441453, 0xd8a1e681, 0xe7d3fbc8,
|
---|
1040 | 0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
|
---|
1041 | 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
|
---|
1042 | // round 3
|
---|
1043 | 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
|
---|
1044 | 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
|
---|
1045 | 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x4881d05,
|
---|
1046 | 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
|
---|
1047 | // round 4
|
---|
1048 | 0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
|
---|
1049 | 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
|
---|
1050 | 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
|
---|
1051 | 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391
|
---|
1052 | };
|
---|
1053 |
|
---|
1054 | */
|
---|
1055 |
|
---|
1056 | unsigned char S[] = {7, 12, 17, 22,
|
---|
1057 | 5, 9, 14, 20,
|
---|
1058 | 4, 11, 16, 23,
|
---|
1059 | 6, 10, 15, 21
|
---|
1060 | };
|
---|
1061 |
|
---|
1062 | var7 = mybuf[0];
|
---|
1063 | var2 = mybuf[1];
|
---|
1064 | var8 = mybuf[2];
|
---|
1065 | var6 = mybuf[3];
|
---|
1066 | var5 = 0;
|
---|
1067 | var9 = 0;
|
---|
1068 |
|
---|
1069 |
|
---|
1070 |
|
---|
1071 | while(var9 < 4) {
|
---|
1072 | var1 = mem08C0[var9+0]; //OK
|
---|
1073 | var0xE = mem08C0[var9+4]; //OK
|
---|
1074 | var0 = 0;
|
---|
1075 |
|
---|
1076 | var0xD = &S[var9*4];
|
---|
1077 |
|
---|
1078 |
|
---|
1079 | while(var0 < 16) {
|
---|
1080 | var4=var1*4;
|
---|
1081 | var0xB = (Data->val4[var4+3] << 24) | (Data->val4[var4+2] << 16) | (Data->val4[var4+1] << 8) | (Data->val4[var4]);
|
---|
1082 | var4 = var9;
|
---|
1083 |
|
---|
1084 | switch (var4) {
|
---|
1085 | case 0: var0xC=F(var2,var8,var6);
|
---|
1086 | break;
|
---|
1087 | case 1: var0xC=G(var2,var8,var6);
|
---|
1088 | break;
|
---|
1089 | case 2: var0xC=H(var2,var8,var6);
|
---|
1090 | break;
|
---|
1091 | case 3: var0xC=I(var2,var8,var6);
|
---|
1092 | break;
|
---|
1093 | }
|
---|
1094 |
|
---|
1095 | var0xA = var6;
|
---|
1096 | var6 = var8;
|
---|
1097 | var8 = var2;
|
---|
1098 | var7 = (((var0xC + var7) + var0xB) + MD5_C[var5]);
|
---|
1099 | var4 = var0xD[var0 & 3];
|
---|
1100 | var2=var2+ROTATE_LEFT(var7,var4);
|
---|
1101 |
|
---|
1102 | var7 = var0xA;
|
---|
1103 | var1 = ((var1 + var0xE) & 0xF);
|
---|
1104 | var0++;
|
---|
1105 | var5++;
|
---|
1106 | };
|
---|
1107 | var9++;
|
---|
1108 | };
|
---|
1109 |
|
---|
1110 |
|
---|
1111 | mybuf[0] = (var7 + mybuf[0]);
|
---|
1112 | mybuf[1] = (var2 + mybuf[1]);
|
---|
1113 | mybuf[2] = (var8 + mybuf[2]);
|
---|
1114 | mybuf[3] = (var6 + mybuf[3]);
|
---|
1115 |
|
---|
1116 | return(0);
|
---|
1117 | }
|
---|
1118 |
|
---|
1119 | /*
|
---|
1120 | 80 70 8E 00 00 01
|
---|
1121 | 28 9E 10 7C 19 04 5B AA 55 81 21 84 01 00 01 01 02 FF FF 80
|
---|
1122 | 01 12 B0 03 0A 00 87 F4 0B 98 99 FF DD 0C 10 C0 80 C2 20 03 17 61 7E 0A A0 7F 9B 14 05 66 3E CD 00 00 90 53 C0 02 94 33 75 1C 54 32 3C E9 21 B4 23 9E A2 D2 2E 85 AE 75 24 2D 71 16 DA 39 88 65 AE C3 0F 10 B2 2A 93 A8 53 00 AD 93 B6 8D C4 30 B1 DE 75 1F A8 3E EF A9 DC AC F1 5F AE B4 8A E9 60 E3 27 FC 64 29 8B ED 5C AA 06 D5 42 D8 2A 6D 48 FA D6 65 A3 F8 C4
|
---|
1123 | */
|
---|
1124 |
|
---|
1125 | static void do_post_dw_hash(unsigned char *DW_INPUT, unsigned char *DW_OUTPUT, unsigned char *ecm_header_data) {
|
---|
1126 | MyData Data;
|
---|
1127 | int a,i,j,ecmi,ecm_header_count;
|
---|
1128 |
|
---|
1129 | //ecm_header_data = 01 03 b0 01 01
|
---|
1130 |
|
---|
1131 | if (!cw_is_valid(DW_INPUT)) //if cw is all zero, keep it that way
|
---|
1132 | return;
|
---|
1133 |
|
---|
1134 | ecm_header_count=ecm_header_data[0];
|
---|
1135 |
|
---|
1136 | for(i=0, ecmi = 1; i<ecm_header_count; i++) {
|
---|
1137 | if(ecm_header_data[ecmi+1] != 0xb0) {
|
---|
1138 | ecmi += ecm_header_data[ecmi]+1;
|
---|
1139 | } else {
|
---|
1140 | switch(ecm_header_data[ecmi+2]) { //b0 01
|
---|
1141 | case 1:
|
---|
1142 | {
|
---|
1143 | memset(Data.val4, 0, sizeof(Data.val4));
|
---|
1144 | memcpy(Data.val4,DW_INPUT,8);
|
---|
1145 | Data.val4[0x8]=0x80;
|
---|
1146 | PrepareData1(&Data);
|
---|
1147 | Process_1(&Data, ecm_header_data[ecmi+3]);
|
---|
1148 | for(a=0;a<8;a++) DW_OUTPUT[a]=AdditionalFunc1(&Data,a);
|
---|
1149 |
|
---|
1150 | break;
|
---|
1151 | }
|
---|
1152 | case 3:
|
---|
1153 | {
|
---|
1154 | memset(Data.val4, 0, sizeof(Data.val4));
|
---|
1155 | memcpy(Data.val4,DW_INPUT,8);
|
---|
1156 | memcpy(Data.val4+8,&ecm_header_data[ecmi+3],ecm_header_data[ecmi]-2);
|
---|
1157 | Data.val4[8+(ecm_header_data[ecmi]-2)]=0x80;
|
---|
1158 | a=(ecm_header_data[ecmi]-2+8);
|
---|
1159 | Data.val4[0x38] = (a << 3);
|
---|
1160 | a = (a >> 5);
|
---|
1161 | for (j=1; j<8; j++)
|
---|
1162 | {
|
---|
1163 | Data.val4[0x38+j] = a;
|
---|
1164 | a = a >> 8;
|
---|
1165 | }
|
---|
1166 | PrepareData4(&Data);
|
---|
1167 | Transform_MD5_C069B411(&Data);
|
---|
1168 | for(a=0;a<8;a++) DW_OUTPUT[a]=AdditionalFunc4(&Data,a);
|
---|
1169 |
|
---|
1170 | break;
|
---|
1171 | }
|
---|
1172 |
|
---|
1173 | case 2:
|
---|
1174 | { /* Method 2 left out */
|
---|
1175 | memcpy(DW_OUTPUT, DW_INPUT, 8);
|
---|
1176 | break;
|
---|
1177 | }
|
---|
1178 | }
|
---|
1179 | }
|
---|
1180 | }
|
---|
1181 | cs_ddump (DW_OUTPUT, 8, "Postprocessed DW:");
|
---|
1182 | }
|
---|
1183 |
|
---|
1184 | int videoguard_do_ecm(ECM_REQUEST *er)
|
---|
1185 | {
|
---|
1186 | unsigned char cw[16];
|
---|
1187 | static unsigned char ins40[5] = { 0xD1,0x40,0x00,0x80,0xFF };
|
---|
1188 | static const unsigned char ins54[5] = { 0xD3,0x54,0x00,0x00,0x00};
|
---|
1189 | int posECMpart2=er->ecm[6]+7;
|
---|
1190 | int lenECMpart2=er->ecm[posECMpart2]+1;
|
---|
1191 | unsigned char tbuff[264];
|
---|
1192 | tbuff[0]=0;
|
---|
1193 | memcpy(&tbuff[1],&(er->ecm[posECMpart2+1]),lenECMpart2-1);
|
---|
1194 | ins40[4]=lenECMpart2;
|
---|
1195 | int l;
|
---|
1196 | l = do_cmd(ins40,tbuff,NULL);
|
---|
1197 | if(l>0 && status_ok(cta_res)) {
|
---|
1198 | l = do_cmd(ins54,NULL,NULL);
|
---|
1199 | if(l>0 && status_ok(cta_res+l)) {
|
---|
1200 | if (!cw_is_valid(CW1)) //sky cards report 90 00 = ok but send cw = 00 when channel not subscribed
|
---|
1201 | return ERROR;
|
---|
1202 | if(er->ecm[0]&1) {
|
---|
1203 | memcpy(er->cw+8,CW1,8);
|
---|
1204 | memcpy(er->cw+0,CW2,8);
|
---|
1205 | }
|
---|
1206 | else {
|
---|
1207 | memcpy(er->cw+0,CW1,8);
|
---|
1208 | memcpy(er->cw+8,CW2,8);
|
---|
1209 | }
|
---|
1210 |
|
---|
1211 |
|
---|
1212 | //test for postprocessing marker
|
---|
1213 | int posB0 = -1;
|
---|
1214 | int i;
|
---|
1215 | for (i = 6; i < posECMpart2; i++)
|
---|
1216 | {
|
---|
1217 | if (er->ecm[i-3] == 0x80 && er->ecm[i] == 0xB0 && ((er->ecm[i+1] == 0x01) ||(er->ecm[i+1] == 0x02)||(er->ecm[i+1] == 0x03) ) ) {
|
---|
1218 | posB0 = i;
|
---|
1219 | break;
|
---|
1220 | }
|
---|
1221 | }
|
---|
1222 |
|
---|
1223 | if (posB0 != -1) {
|
---|
1224 | memcpy(cw, er->cw+0, 16);
|
---|
1225 | do_post_dw_hash(&cw[0], er->cw+0, &er->ecm[posB0-2]);
|
---|
1226 | do_post_dw_hash(&cw[8], er->cw+8, &er->ecm[posB0-2]);
|
---|
1227 | }
|
---|
1228 |
|
---|
1229 | /*
|
---|
1230 | if (posB0 != -1) {
|
---|
1231 | postprocess_cw(er->cw+0, er->ecm[posB0+2]);
|
---|
1232 | postprocess_cw(er->cw+8, er->ecm[posB0+2]);
|
---|
1233 | }
|
---|
1234 |
|
---|
1235 | */
|
---|
1236 |
|
---|
1237 | return OK;
|
---|
1238 | }
|
---|
1239 | }
|
---|
1240 | return ERROR;
|
---|
1241 | }
|
---|
1242 |
|
---|
1243 | static int num_addr(const unsigned char *data)
|
---|
1244 | {
|
---|
1245 | return ((data[3]&0x30)>>4)+1;
|
---|
1246 | }
|
---|
1247 |
|
---|
1248 | static int addr_mode(const unsigned char *data)
|
---|
1249 | {
|
---|
1250 | switch(data[3]&0xC0) {
|
---|
1251 | case 0x40: return 3;
|
---|
1252 | case 0x80: return 2;
|
---|
1253 | default: return 0;
|
---|
1254 | }
|
---|
1255 | }
|
---|
1256 |
|
---|
1257 | static const unsigned char * payload_addr(const unsigned char *data, const unsigned char *a)
|
---|
1258 | {
|
---|
1259 | int s;
|
---|
1260 | int l;
|
---|
1261 | const unsigned char *ptr = NULL;
|
---|
1262 |
|
---|
1263 | switch(addr_mode(data)) {
|
---|
1264 | case 2: s=3; break;
|
---|
1265 | case 3: case 0: s=4; break;
|
---|
1266 | default: return NULL;
|
---|
1267 | }
|
---|
1268 |
|
---|
1269 | int position=-1;
|
---|
1270 | for(l=0;l<num_addr(data);l++) {
|
---|
1271 | if(!memcmp(&data[l*4+4],a+2,s)) {
|
---|
1272 | position=l;
|
---|
1273 | break;
|
---|
1274 | }
|
---|
1275 | }
|
---|
1276 |
|
---|
1277 | /* skip EMM-G but not EMM from cccam */
|
---|
1278 | if (position == -1 && data[1] != 0x00) return NULL;
|
---|
1279 |
|
---|
1280 | int num_ua = (position == -1) ? 0 : num_addr(data);
|
---|
1281 |
|
---|
1282 | /* skip header and the list of addresses */
|
---|
1283 | ptr = data+4+4*num_ua;
|
---|
1284 |
|
---|
1285 | if (*ptr != 0x02) // some clients omit 00 00 separator */
|
---|
1286 | {
|
---|
1287 | ptr += 2; // skip 00 00 separator
|
---|
1288 | if (*ptr == 0x00) ptr++; // skip optional 00
|
---|
1289 | ptr++; // skip the 1st bitmap len
|
---|
1290 | }
|
---|
1291 |
|
---|
1292 | /* check */
|
---|
1293 | if (*ptr != 0x02) return NULL;
|
---|
1294 |
|
---|
1295 | /* skip the 1st timestamp 02 00 or 02 06 xx aabbccdd yy */
|
---|
1296 | ptr += 2 + ptr[1];
|
---|
1297 |
|
---|
1298 | for(l=0;l<position;l++) {
|
---|
1299 |
|
---|
1300 | /* skip the payload of the previous SA */
|
---|
1301 | ptr += 1 + ptr [0];
|
---|
1302 |
|
---|
1303 | /* skip optional 00 */
|
---|
1304 | if (*ptr == 0x00) ptr++;
|
---|
1305 |
|
---|
1306 | /* skip the bitmap len */
|
---|
1307 | ptr++;
|
---|
1308 |
|
---|
1309 | /* check */
|
---|
1310 | if (*ptr != 0x02) return NULL;
|
---|
1311 |
|
---|
1312 | /* skip the timestamp 02 00 or 02 06 xx aabbccdd yy */
|
---|
1313 | ptr += 2 + ptr[1];
|
---|
1314 | }
|
---|
1315 |
|
---|
1316 | return ptr;
|
---|
1317 | }
|
---|
1318 |
|
---|
1319 | int videoguard_get_emm_type(EMM_PACKET *ep, struct s_reader * rdr) //returns TRUE if shared emm matches SA, unique emm matches serial, or global or unknown
|
---|
1320 | {
|
---|
1321 | rdr=rdr;
|
---|
1322 | ep->type=UNKNOWN; //FIXME not sure how this maps onto global, unique and shared!
|
---|
1323 | return TRUE; //FIXME let it all pass without checking serial or SA, without filling ep->hexserial
|
---|
1324 | }
|
---|
1325 |
|
---|
1326 | int videoguard_do_emm(EMM_PACKET *ep)
|
---|
1327 | {
|
---|
1328 | unsigned char ins42[5] = { 0xD1,0x42,0x00,0x00,0xFF };
|
---|
1329 | int rc=ERROR;
|
---|
1330 |
|
---|
1331 | const unsigned char *payload = payload_addr(ep->emm, reader[ridx].hexserial);
|
---|
1332 | while (payload) {
|
---|
1333 | ins42[4]=*payload;
|
---|
1334 | int l = do_cmd(ins42,payload+1,NULL);
|
---|
1335 | if(l>0 && status_ok(cta_res)) {
|
---|
1336 | rc=OK;
|
---|
1337 | }
|
---|
1338 |
|
---|
1339 | cs_log("[videoguard2-reader] EMM request return code : %02X%02X", cta_res[0], cta_res[1]);
|
---|
1340 | //cs_dump(ep->emm, 64, "EMM:");
|
---|
1341 | if (status_ok (cta_res) && (cta_res[1] & 0x01)) {
|
---|
1342 | read_tiers();
|
---|
1343 | }
|
---|
1344 |
|
---|
1345 | if (num_addr(ep->emm) == 1 && (int)(&payload[1] - &ep->emm[0]) + *payload + 1 < ep->l) {
|
---|
1346 | payload += *payload + 1;
|
---|
1347 | if (*payload == 0x00) ++payload;
|
---|
1348 | ++payload;
|
---|
1349 | if (*payload != 0x02) break;
|
---|
1350 | payload += 2 + payload[1];
|
---|
1351 | }
|
---|
1352 | else
|
---|
1353 | payload = 0;
|
---|
1354 |
|
---|
1355 | }
|
---|
1356 |
|
---|
1357 | return(rc);
|
---|
1358 | }
|
---|
1359 |
|
---|
1360 | int videoguard_card_info(void)
|
---|
1361 | {
|
---|
1362 | /* info is displayed in init, or when processing info */
|
---|
1363 | cs_log("[videoguard2-reader] card detected");
|
---|
1364 | cs_log("[videoguard2-reader] type: VideoGuard" );
|
---|
1365 | read_tiers ();
|
---|
1366 | return OK;
|
---|
1367 | }
|
---|
1368 |
|
---|
1369 | void reader_videoguard(struct s_cardsystem *ph)
|
---|
1370 | {
|
---|
1371 | ph->do_emm=videoguard_do_emm;
|
---|
1372 | ph->do_ecm=videoguard_do_ecm;
|
---|
1373 | ph->card_info=videoguard_card_info;
|
---|
1374 | ph->card_init=videoguard_card_init;
|
---|
1375 | ph->get_emm_type=videoguard_get_emm_type;
|
---|
1376 | }
|
---|