source: branches/smartreader/reader-nagra.c@ 1049

Last change on this file since 1049 was 1049, checked in by rorothetroll, 13 years ago

resync with trunk
File size: 20.8 KB
Line 
1#include "globals.h"
2#include "reader-common.h"
3#include "cscrypt/idea.h"
4#include <termios.h>
5#include <unistd.h>
6
7IDEA_KEY_SCHEDULE ksSession;
8extern uchar cta_res[];
9extern ushort cta_lr;
10int is_pure_nagra=0;
11int is_tiger=0;
12int has_dt08=0;
13unsigned char rom[15];
14unsigned char plainDT08RSA[64];
15unsigned char IdeaCamKey[16];
16unsigned char irdId[] = {0xff,0xff,0xff,0xff};
17unsigned char camid[] = {0xff,0xff,0xff,0xff};
18unsigned char sessi[16];
19unsigned char signature[8];
20unsigned char cam_state[3];
21unsigned char static_dt08[73];
22unsigned char prv0401[] = {0x00, 0x00, 0x04, 0x01};
23unsigned char prv3411[] = {0x00, 0x00, 0x34, 0x11};
24
25// Card Status checks
26#define HAS_CW ((cam_state[2]&6)==6)
27#define RENEW_SESSIONKEY ((cam_state[0]&128)==128 || (cam_state[0]&64)==64 || (cam_state[0]&32)==32)
28#define SENDDATETIME ((cam_state[0]&16)==16)
29// Datatypes
30#define DT01 0x01
31#define IRDINFO 0x00
32#define TIERS 0x05
33#define DT06 0x06
34#define CAMDATA 0x08
35
36#define MAX_REC 20
37#define SYSTEM_NAGRA 0x1800
38#define SYSTEM_MASK 0xFF00
39
40unsigned char XorSum(const unsigned char *mem, int len)
41{
42 unsigned char cs;
43 cs=0x00;
44 while(len>0)
45 {
46 cs ^= *mem++;
47 len--;
48 }
49 return cs;
50}
51
52static time_t tier_date(ulong date, char *buf, int l)
53{
54 time_t ut=870393600L+date*(24*3600);
55 if (buf)
56 {
57 struct tm *t;
58 t=gmtime(&ut);
59 snprintf(buf, l, "%04d/%02d/%02d", t->tm_year+1900, t->tm_mon+1, t->tm_mday);
60 }
61 return(ut);
62}
63
64int do_cmd(unsigned char cmd, int ilen, unsigned char res, int rlen, unsigned char *data)
65{
66 /*
67 here we build the command related to the protocol T1 for ROM142 or T14 for ROM181
68 the only different that i know is the command length byte msg[4], this msg[4]+=1 by a ROM181 smartcard (_nighti_)
69 one example for the cmd$C0
70 T14 protocol: 01 A0 CA 00 00 03 C0 00 06 91
71 T1 protocol: 21 00 08 A0 CA 00 00 02 C0 00 06 87
72 */
73 int msglen=ilen+6;
74 unsigned char msg[msglen];
75 static char nagra_head[] = {0xA0, 0xCA, 0x00, 0x00};
76
77 memset(msg, 0, msglen);
78 memcpy(msg,nagra_head,4);
79 msg[4] = ilen;
80 msg[5] = cmd;
81 int dlen=ilen-2;
82 msg[6] = dlen;
83 if(data && dlen>0) memcpy(msg+7,data,dlen);
84 msg[dlen+7] = rlen;
85 if (dlen<0)
86 {
87 cs_debug("[nagra-reader] invalid data length encountered");
88 return 0;
89 }
90 if (is_pure_nagra==1)
91 {
92 msg[4]+=1;
93 }
94 if(!reader_cmd2icc(msg,msglen))
95 {
96 cs_sleepms(20);
97 if(cta_res[0]!=res)
98 {
99 cs_debug("[nagra-reader] result not expected (%02x != %02x)",cta_res[0],res);
100 return 0;
101 }
102 if((cta_lr-2)!=rlen)
103 {
104 cs_debug("[nagra-reader] result length expected (%d != %d)",(cta_lr-2),rlen);
105 return 0;
106 }
107 return cta_lr;
108 }
109 return 0;
110}
111
112int SetIFS(unsigned char size)
113{
114 unsigned char buf[5];
115 int ret;
116 // NAD, PCB, LEN
117 buf[0] = 0x21;
118 buf[1] = 0xC1; // IFS Request cmd
119 buf[2] = 0x01; // cmd length
120 buf[3] = size; // Information Field size
121 buf[4] = XorSum(buf,4); //lrc byte
122
123 cs_debug("[nagra-reader] IFS cmd: %s", cs_hexdump (1, buf, 5));
124 ret = reader_cmd2api(buf, 5);
125 if (ret < 0)
126 {
127 cs_debug("[nagra-reader] setting IFS to %02x failed", size);
128 return 0;
129 }
130 cs_debug("[nagra-reader] IFS is now %02x", size);
131 return 1;
132}
133
134void ReverseMem(unsigned char *vIn, int len)
135{
136 unsigned char temp;
137 int i;
138 for(i=0; i < (len/2); i++)
139 {
140 temp = vIn[i];
141 vIn[i] = vIn[len-i-1];
142 vIn[len-i-1] = temp;
143 }
144}
145
146void Signature(unsigned char *sig, const unsigned char *vkey,const unsigned char *msg, int len)
147{
148 IDEA_KEY_SCHEDULE ks;
149 unsigned char v[8];
150 unsigned char b200[16];
151 unsigned char b0f0[8];
152 memcpy(b200,vkey,sizeof(b200));
153 int i;
154 int j;
155 for(i=0; i<len; i+=8)
156 {
157 idea_set_encrypt_key(b200,&ks);
158 memset(v,0,sizeof(v));
159 idea_cbc_encrypt(msg+i,b0f0,8,&ks,v,IDEA_DECRYPT);
160 for(j=7; j>=0; j--) b0f0[j]^=msg[i+j];
161 memcpy(b200+0,b0f0,8);
162 memcpy(b200+8,b0f0,8);
163 }
164 memcpy(sig,b0f0,8);
165 return;
166}
167
168int CamStateRequest(void)
169{
170 if(do_cmd(0xC0,0x02,0xB0,0x06,NULL))
171 {
172 memcpy(cam_state,cta_res+3,3);
173 cs_debug("[nagra-reader] Camstate: %s",cs_hexdump (1, cam_state, 3));
174 }
175 else
176 {
177 cs_debug("[nagra-reader] CamStateRequest failed");
178 return 0;
179 }
180 return (1);
181}
182
183void DateTimeCMD(void)
184{
185 do_cmd(0xC8,0x02,0xB8,0x06,NULL);
186}
187
188void getCamID(void)
189{
190 /*
191 Hack:
192 Get camid. For provider 0401/3411 camid is 0xff,0xff,0xff,0xff.
193 for other provider we will take them from hexserial
194 */
195 if ((memcmp(prv3411,&reader[ridx].prid[0],4)==0) || (memcmp(prv0401,&reader[ridx].prid[0],4)==0))
196 {
197 memset(camid,0xff,4);
198 }
199 else
200 {
201 memcpy(camid,reader[ridx].hexserial,4);
202 }
203}
204
205int NegotiateSessionKey_Tiger(void)
206{
207 unsigned char rsa_modulo[120];
208 unsigned char idea_sig[16];
209 unsigned char vFixed[] = {0,1,2,3,0x11};
210 unsigned char parte_fija[120];
211 unsigned char parte_variable[88];
212 unsigned char d1_rsa_modulo[88];
213 unsigned char rand[88];
214 unsigned char d2_data[88];
215 unsigned char sign1[8];
216 unsigned char sessi1[8];
217 unsigned char sessi2[8];
218 unsigned char tmp[104];
219 unsigned char tmp1[8];
220
221 if(!do_cmd(0xd1,0x02,0x51,0xd2,NULL))
222 {
223 cs_debug("[nagra-reader] CMD$D1 failed");
224 return 0;
225 }
226
227 ReverseMem(rsa_modulo, 120);
228 ReverseMem(&cta_res[90], 120);
229
230 cs_debug("[nagra-reader] crypted parte_fija: %s", cs_hexdump (0, &cta_res[90], 32));
231 cs_debug("[nagra-reader] crypted parte_fija: %s", cs_hexdump (0, &cta_res[122], 32));
232 cs_debug("[nagra-reader] crypted parte_fija: %s", cs_hexdump (0, &cta_res[154], 32));
233 cs_debug("[nagra-reader] crypted parte_fija: %s", cs_hexdump (0, &cta_res[186], 24));
234
235 BN_CTX *ctx = BN_CTX_new();
236 BIGNUM *bnN = BN_CTX_get(ctx);
237 BIGNUM *bnE = BN_CTX_get(ctx);
238 BIGNUM *bnCT = BN_CTX_get(ctx);
239 BIGNUM *bnPT = BN_CTX_get(ctx);
240 BN_bin2bn(rsa_modulo, 120, bnN);
241 BN_bin2bn(vFixed+4, 1, bnE);
242 BN_bin2bn(&cta_res[90], 120, bnCT);
243 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
244 memset(parte_fija, 0, 120);
245 BN_bn2bin(bnPT, parte_fija + (120-BN_num_bytes(bnPT)));
246 BN_CTX_end(ctx);
247 BN_CTX_free (ctx);
248
249 ReverseMem(parte_fija, 120);
250 cs_debug("[nagra-reader] decrypted parte_fija: %s", cs_hexdump (0, parte_fija, 32));
251 cs_debug("[nagra-reader] decrypted parte_fija: %s", cs_hexdump (0, &parte_fija[32], 32));
252 cs_debug("[nagra-reader] decrypted parte_fija: %s", cs_hexdump (0, &parte_fija[64], 32));
253 cs_debug("[nagra-reader] decrypted parte_fija: %s", cs_hexdump (0, &parte_fija[96], 24));
254
255 cs_debug("[nagra-reader] ---------- SIG CHECK ---------------------");
256 memset(tmp,0, 104);
257 memcpy(tmp+4, parte_fija+11, 100); //104
258 Signature(sign1, idea_sig, tmp, 112);
259 cs_debug("[nagra-reader] foo: %s", cs_hexdump (0, tmp, 32));
260 cs_debug("[nagra-reader] foo: %s", cs_hexdump (0, &tmp[32], 32));
261 cs_debug("[nagra-reader] foo: %s", cs_hexdump (0, &tmp[64], 32));
262 cs_debug("[nagra-reader] foo: %s", cs_hexdump (0, &tmp[96], 8));
263 cs_debug("[nagra-reader] sign1: %s", cs_hexdump (0, sign1, 8));
264 cs_debug("[nagra-reader] sign2: %s", cs_hexdump (0, parte_fija+111, 8));
265 if (!memcmp (parte_fija+111, sign1, 8)==0)
266 {
267 cs_debug("[nagra-reader] signature check nok");
268 return 0;
269 }
270 cs_debug("[nagra-reader] ------------------------------------------");
271 cs_debug("[nagra-reader] signature check ok");
272 cs_debug("[nagra-reader] part2 of algo not implemented yet.");
273
274 /*
275 A lot of todo here.
276 Second part of algo removed due it fails
277 */
278
279 if(!do_cmd(0xd2,0x5a,0x52,0x03, d2_data))
280 {
281 cs_debug("[nagra-reader] CMD$D2 failed");
282 return 0;
283 }
284 if (cta_res+2 == 0x00)
285 {
286 memcpy(sessi,sessi1,8); memcpy(sessi+8,sessi2,8);
287 cs_ri_log("[nagra-reader] session key: %s", cs_hexdump(1, sessi, 16));
288 return 1;
289 }
290 cs_ri_log("Negotiate sessionkey was not successfull! Please check rsa key and boxkey");
291 return 0;
292
293}
294
295int NegotiateSessionKey(void)
296{
297 unsigned char cmd2b[] = {0x21, 0x40, 0x48, 0xA0, 0xCA, 0x00, 0x00, 0x43, 0x2B, 0x40, 0x1C, 0x54, 0xd1, 0x26, 0xe7, 0xe2, 0x40, 0x20, 0xd1, 0x66, 0xf4, 0x18, 0x97, 0x9d, 0x5f, 0x16, 0x8f, 0x7f, 0x7a, 0x55, 0x15, 0x82, 0x31, 0x14, 0x06, 0x57, 0x1a, 0x3f, 0xf0, 0x75, 0x62, 0x41, 0xc2, 0x84, 0xda, 0x4c, 0x2e, 0x84, 0xe9, 0x29, 0x13, 0x81, 0xee, 0xd6, 0xa9, 0xf5, 0xe9, 0xdb, 0xaf, 0x22, 0x51, 0x3d, 0x44, 0xb3, 0x20, 0x83, 0xde, 0xcb, 0x5f, 0x35, 0x2b, 0xb0, 0xce, 0x70, 0x02, 0x00};
298 unsigned char negot[64];
299 unsigned char tmp[64];
300 unsigned char idea1[16];
301 unsigned char idea2[16];
302 unsigned char sign1[8];
303 unsigned char sign2[8];
304
305 if (!has_dt08) // if we have no valid dt08 calc then we use rsa from config and hexserial for calc of sessionkey
306 {
307 memcpy(plainDT08RSA, reader[ridx].rsa_mod, 64);
308 memcpy(signature,reader[ridx].nagra_boxkey, 8);
309 }
310 if (is_tiger)
311 {
312 if (!NegotiateSessionKey_Tiger())
313 {
314 cs_debug("[nagra-reader] NegotiateSessionKey_Tiger failed");
315 return 0;
316 }
317 return 1;
318 }
319 if(!do_cmd(0x2a,0x02,0xaa,0x42,NULL))
320 {
321 cs_debug("[nagra-reader] CMD$2A failed");
322 return 0;
323 }
324
325 // RSA decrypt of cmd$2a data, result is stored in "negot"
326 ReverseMem(cta_res+2, 64);
327 //cs_debug("[nagra-reader] plainDT08RSA: %s", cs_hexdump (1, plainDT08RSA, 32));
328 //cs_debug("[nagra-reader] plainDT08RSA: %s", cs_hexdump (1, &plainDT08RSA[32], 32));
329 unsigned char vFixed[] = {0,1,2,3};
330 BN_CTX *ctx = BN_CTX_new();
331 BIGNUM *bnN = BN_CTX_get(ctx);
332 BIGNUM *bnE = BN_CTX_get(ctx);
333 BIGNUM *bnCT = BN_CTX_get(ctx);
334 BIGNUM *bnPT = BN_CTX_get(ctx);
335 BN_bin2bn(plainDT08RSA, 64, bnN);
336 BN_bin2bn(vFixed+3, 1, bnE);
337 BN_bin2bn(cta_res+2, 64, bnCT);
338 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
339 memset(negot, 0, 64);
340 BN_bn2bin(bnPT, negot + (64-BN_num_bytes(bnPT)));
341 //cs_debug("[nagra-reader] DT08 decrypted $2a data: %s", cs_hexdump (1, negot, 32));
342 //cs_debug("[nagra-reader] DT08 decrypted $2a data: %s", cs_hexdump (1, &negot[32], 32));
343
344 memcpy(tmp, negot, 64);
345 ReverseMem(tmp, 64);
346
347 // build sessionkey
348 // first halve is IDEA Hashed in chuncs of 8 bytes using the Signature1 from dt08 calc, CamID-Inv.CamID(16 bytes key) the results are the First 8 bytes of the Session key
349 memcpy(idea1, signature, 8);
350 memcpy(idea1+8, reader[ridx].hexserial, 4);
351 idea1[12] = ~reader[ridx].hexserial[0]; idea1[13] = ~reader[ridx].hexserial[1]; idea1[14] = ~reader[ridx].hexserial[2]; idea1[15] = ~reader[ridx].hexserial[3];
352
353 Signature(sign1, idea1, tmp, 32);
354 memcpy(idea2,sign1,8); memcpy(idea2+8,sign1,8);
355 Signature(sign2, idea2, tmp, 32);
356 memcpy(sessi,sign1,8); memcpy(sessi+8,sign2,8);
357
358 // prepare cmd$2b data
359 BN_bin2bn(negot, 64, bnCT);
360 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
361 memset(cmd2b+10, 0, 64);
362 BN_bn2bin(bnPT, cmd2b+10 + (64-BN_num_bytes(bnPT)));
363 BN_CTX_end(ctx);
364 BN_CTX_free (ctx);
365 ReverseMem(cmd2b+10, 64);
366
367 IDEA_KEY_SCHEDULE ks;
368 idea_set_encrypt_key(sessi,&ks);
369 idea_set_decrypt_key(&ks,&ksSession);
370
371 if(!do_cmd(0x2b,0x42,0xab,0x02, cmd2b+10))
372 {
373 cs_debug("[nagra-reader] CMD$2B failed");
374 return 0;
375 }
376
377 cs_debug("[nagra-reader] session key: %s", cs_hexdump(1, sessi, 16));
378
379 if (!CamStateRequest())
380 {
381 cs_debug("[nagra-reader] CamStateRequest failed");
382 return 0;
383 }
384 if SENDDATETIME
385 {
386 DateTimeCMD();
387 }
388 if RENEW_SESSIONKEY
389 {
390 cs_ri_log("Negotiate sessionkey was not successfull! Please check rsa key and boxkey");
391 return 0;
392 }
393
394 return 1;
395}
396
397void decryptDT08(void)
398{
399
400 unsigned char vFixed[] = {0,1,2,3};
401 unsigned char v[72];
402 unsigned char buf[72];
403 unsigned char sign2[8];
404 int i, n;
405 BN_CTX *ctx;
406 BIGNUM *bn_mod, *bn_exp, *bn_data, *bn_res;
407
408 memcpy(static_dt08, &cta_res[12], 73);
409 // decrypt RSA Part of dt08
410 bn_mod = BN_new ();
411 bn_exp = BN_new ();
412 bn_data = BN_new ();
413 bn_res = BN_new ();
414 ctx= BN_CTX_new();
415 if (ctx == NULL) cs_debug("[nagra-reader] RSA Error in dt08 decrypt");
416 //cs_debug("[nagra-reader] DT08 RSA modulus: %s", cs_hexdump (1, reader[ridx].rsa_mod, 32));
417 //cs_debug("[nagra-reader] DT08 RSA modulus: %s", cs_hexdump (1, &reader[ridx].rsa_mod[32], 32));
418 ReverseMem(static_dt08+1, 64);
419 BN_bin2bn (reader[ridx].rsa_mod, 64, bn_mod); // rsa modulus
420 BN_bin2bn (vFixed+3, 1, bn_exp); // exponent
421 BN_bin2bn (static_dt08+1, 64, bn_data);
422 //cs_debug("[nagra-reader] DT08 crypted rsa: %s", cs_hexdump (1, static_dt08+1, 32));
423 //cs_debug("[nagra-reader] DT08 crypted rsa: %s", cs_hexdump (1, static_dt08+33, 32));
424 BN_mod_exp (bn_res, bn_data, bn_exp, bn_mod, ctx);
425 memset (static_dt08+1, 0, 64);
426 n = BN_bn2bin (bn_res, static_dt08+1);
427 ReverseMem(static_dt08+1, n);
428 //cs_debug("[nagra-reader] DT08 decrypted rsa: %s", cs_hexdump (1, static_dt08+1, 32));
429 //cs_debug("[nagra-reader] DT08 decrypted rsa: %s", cs_hexdump (1, static_dt08+33, 32));
430
431 // RSA data can never be bigger than the modulo
432 static_dt08[64] |= static_dt08[0] & 0x80;
433
434 // IdeaCamKey
435 memcpy (&IdeaCamKey[0], reader[ridx].nagra_boxkey, 8);
436 memcpy (&IdeaCamKey[8], irdId, 4);
437 for (i = 0; i < 4; i++)
438 IdeaCamKey[12 + i] = ~irdId[i];
439 //cs_debug("[nagra-reader] DT08 Plainkey: %s", cs_hexdump (1, IdeaCamKey, 16));
440
441 // now IDEA decrypt
442 IDEA_KEY_SCHEDULE ks;
443 idea_set_encrypt_key(IdeaCamKey,&ks);
444 idea_set_decrypt_key(&ks,&ksSession);
445 //cs_debug("[nagra-reader] dt08 idea part: %s", cs_hexdump (1, static_dt08+65, 8));
446 memcpy (&buf[0], static_dt08+1, 64);
447 memcpy (&buf[64], static_dt08+65, 8);
448 //cs_debug("[nagra-reader] dt08 64byte rsa decrypted + 8last byte: %s", cs_hexdump (1, buf, 64));
449 //cs_debug("[nagra-reader] dt08 64byte rsa decrypted + 8last byte: %s", cs_hexdump (1, &buf[64], 8));
450 memset(v,0,sizeof(v));
451 memset(static_dt08,0,sizeof(static_dt08));
452 idea_cbc_encrypt(buf,static_dt08,72,&ksSession,v,IDEA_DECRYPT);
453 //cs_debug("[nagra-reader] dt08 72byte idea decrypted: %s", cs_hexdump (1, &static_dt08[0], 36));
454 //cs_debug("[nagra-reader] dt08 72byte idea decrypted: %s", cs_hexdump (1, &static_dt08[35], 37));
455
456 getCamID();
457 cs_debug("[nagra-reader] using camid %sfor dt08 calc",cs_hexdump (1,camid,4));
458
459 // Calculate signature
460 memcpy (signature, static_dt08, 8);
461 memset (static_dt08 + 0, 0, 4);
462 memcpy (static_dt08 + 4, camid, 4);
463 Signature(sign2,IdeaCamKey,static_dt08,72);
464
465 BN_CTX_free (ctx);
466 //cs_debug("[nagra-reader] dt08 sign1: %s", cs_hexdump (0, signature, 8));
467 //cs_debug("[nagra-reader] dt08 sign2: %s", cs_hexdump (0, sign2, 8));
468
469 if (memcmp (signature, sign2, 8)==0)
470 {
471 has_dt08=1;
472 memcpy (plainDT08RSA, static_dt08+8, 64);
473 cs_debug("[nagra-reader] DT08 signature check ok");
474 }
475 else
476 {
477 has_dt08=0;
478 cs_debug("[nagra-reader] DT08 signature check nok");
479 }
480}
481
482void addProvider(int id)
483{
484 int i;
485 int toadd=1;
486 for (i=0; i<reader[ridx].nprov; i++)
487 {
488 if ((cta_res[7]==reader[ridx].prid[i][2]) && (cta_res[8]==reader[ridx].prid[i][3]))
489 {
490 toadd = 0;
491 }
492 }
493 if (toadd)
494 {
495 reader[ridx].prid[reader[ridx].nprov][0]=0;
496 reader[ridx].prid[reader[ridx].nprov][1]=0;
497 reader[ridx].prid[reader[ridx].nprov][2]=cta_res[7];
498 reader[ridx].prid[reader[ridx].nprov][3]=cta_res[8];
499 memcpy(reader[ridx].sa[reader[ridx].nprov], reader[ridx].sa[0], 4);
500 reader[ridx].nprov+=1;
501 }
502}
503
504int ParseDataType(unsigned char dt)
505{
506 char ds[16], de[16];
507 ushort chid;
508 switch(dt)
509 {
510 case IRDINFO:
511 {
512 reader[ridx].prid[0][0]=0x00;
513 reader[ridx].prid[0][1]=0x00;
514 reader[ridx].prid[0][2]=cta_res[7];
515 reader[ridx].prid[0][3]=cta_res[8];
516 reader[ridx].caid[0] =(SYSTEM_NAGRA|cta_res[11]);
517 memcpy(irdId,cta_res+14,4);
518 cs_debug("[nagra-reader] CAID: %04X, IRD ID: %s",reader[ridx].caid[0], cs_hexdump (1,irdId,4));
519 cs_debug("[nagra-reader] ProviderID: %s",cs_hexdump (1,reader[ridx].prid[0],4));
520 return 1;
521 }
522 case TIERS:
523 if ((cta_lr>33) && (chid=b2i(2, cta_res+11)))
524 {
525 int id=(cta_res[7]*256)|cta_res[8];
526 tier_date(b2i(2, cta_res+20)-0x7f7, ds, 15);
527 tier_date(b2i(2, cta_res+13)-0x7f7, de, 15);
528 cs_ri_log("|%04X|%04X |%s |%s |", id,chid, ds, de);
529 addProvider(id);
530 }
531 case 0x08:
532 case 0x88: if (cta_res[11] == 0x49) decryptDT08();
533 default:
534 return 1;
535 }
536 return 0;
537}
538
539int GetDataType(unsigned char dt, int len, int shots)
540{
541 int i;
542 for(i=0; i<shots; i++)
543 {
544 if(!do_cmd(0x22,0x03,0xA2,len,&dt))
545 {
546 cs_debug("[nagra-reader] failed to get datatype %02X",dt);
547 return 0;
548 }
549 if((cta_res[2]==0) && (dt != 0x08 || dt != 0x88)) return 1;
550 if(!ParseDataType(dt&0x0F)) return 0;
551 if ((dt != 0x08 || dt != 0x88) && (cta_res[11] == 0x49)) return 1; //got dt08 data
552 dt|=0x80; // get next item
553 }
554 return 1;
555}
556
557int nagra2_card_init(uchar *atr, int atrlen)
558{
559 memset(rom, 0, 15);
560 reader[ridx].nprov = 1;
561 memset (reader[ridx].sa, 0xff, sizeof (reader[ridx].sa));
562 reader[ridx].caid[0]=SYSTEM_NAGRA;
563
564 if (memcmp(atr+11, "DNASP", 5)==0)
565 {
566 if(SetIFS(0xFE) != 1) return 0;
567 cs_debug("[nagra-reader] detect native nagra card T1 protocol");
568 memcpy(rom,atr+11,15);
569 }
570 else if (memcmp(atr+11, "TIGER", 5)==0)
571 {
572 if(SetIFS(0xFE) != 1) return 0;
573 cs_debug("[nagra-reader] detect nagra tiger card");
574 memcpy(rom,atr+11,15);
575 memset(reader[ridx].hexserial, 0xff, 4); // take 0xff as cardserial?
576 is_tiger=1;
577 }
578 else if (!memcmp(atr+4, "IRDETO", 6))
579 {
580 cs_debug("[nagra-reader] detect Irdeto tunneled nagra card");
581 if(!reader[ridx].nagra_native) return 0;
582 cs_debug("[nagra-reader] using nagra mode");
583 is_pure_nagra=1;
584 if(!do_cmd(0x10,0x02,0x90,0x11,0))
585 {
586 cs_debug("[nagra-reader] get rom version failed");
587 return 0;
588 }
589 memcpy(rom,cta_res+2,15);
590 }
591 else return 0;
592
593 if (!is_tiger)
594 {
595 CamStateRequest();
596 if(!do_cmd(0x12,0x02,0x92,0x06,0))
597 {
598 cs_debug("[nagra-reader] get Serial failed");
599 return 0;
600 }
601 memcpy(reader[ridx].hexserial, cta_res+2, 4);
602 cs_debug("[nagra-reader] SER: %s", cs_hexdump (1, reader[ridx].hexserial, 4));
603 memcpy(reader[ridx].sa[0], cta_res+2, 4);
604
605 if(!GetDataType(DT01,0x0E,MAX_REC)) return 0;
606 cs_debug("[nagra-reader] DT01 DONE");
607 CamStateRequest();
608 if(!GetDataType(IRDINFO,0x39,MAX_REC)) return 0;
609 cs_debug("[nagra-reader] IRDINFO DONE");
610 CamStateRequest();
611 if(!GetDataType(CAMDATA,0x55,10)) return 0;
612 cs_debug("[nagra-reader] CAMDATA Done");
613 if(!GetDataType(0x04,0x44,MAX_REC)) return 0;
614 cs_debug("[nagra-reader] DT04 DONE");
615 CamStateRequest();
616
617 if (!memcmp(rom+5, "181", 3)==0) //dt05 is not supported by rom181
618 {
619 cs_ri_log("-----------------------------------------");
620 cs_ri_log("|id |tier |valid from |valid to |");
621 cs_ri_log("+----+--------+------------+------------+");
622 if(!GetDataType(TIERS,0x57,MAX_REC)) return 0;
623 cs_ri_log("-----------------------------------------");
624 CamStateRequest();
625 }
626
627 if(!GetDataType(DT06,0x16,MAX_REC)) return 0;
628 cs_debug("[nagra-reader] DT06 DONE");
629 CamStateRequest();
630 }
631 if (!NegotiateSessionKey())
632 {
633 cs_debug("[nagra-reader] NegotiateSessionKey failed");
634 return 0;
635 }
636
637 return 1;
638}
639
640int nagra2_card_info(void)
641{
642 int i;
643 cs_ri_log("ROM: %c %c %c %c %c %c %c %c", rom[0], rom[1], rom[2],rom[3], rom[4], rom[5], rom[6], rom[7]);
644 cs_ri_log("REV: %c %c %c %c %c %c", rom[9], rom[10], rom[11], rom[12], rom[13], rom[14]);
645 cs_ri_log("SER: %s", cs_hexdump (1, reader[ridx].hexserial, 4));
646 cs_ri_log("CAID: %04X",reader[ridx].caid[0]);
647 cs_ri_log("Prv.ID: %s(sysid)",cs_hexdump (1,reader[ridx].prid[0],4));
648 for (i=1; i<reader[ridx].nprov; i++)
649 {
650 cs_ri_log("Prv.ID: %s",cs_hexdump (1,reader[ridx].prid[i],4));
651 }
652 cs_log("ready for requests");
653 return 1;
654}
655
656void nagra2_post_process(void)
657{
658 CamStateRequest();
659 cs_sleepms(10);
660 if RENEW_SESSIONKEY NegotiateSessionKey();
661 if SENDDATETIME DateTimeCMD();
662}
663
664int nagra2_do_ecm(ECM_REQUEST *er)
665{
666 if (!is_tiger)
667 {
668 int retry=0;
669 if(!do_cmd(er->ecm[3],er->ecm[4]+2,0x87,0x02, er->ecm+3+2))
670 {
671 cs_debug("[nagra-reader] nagra2_do_ecm failed, retry");
672 if(!do_cmd(er->ecm[3],er->ecm[4]+2,0x87,0x02, er->ecm+3+2))
673 {
674 cs_debug("[nagra-reader] nagra2_do_ecm failed");
675 return (0);
676 }
677
678 }
679 cs_sleepms(15);
680 while(!CamStateRequest() && retry < 5)
681 {
682 retry++;
683 cs_sleepms(15);
684 }
685 cs_sleepms(10);
686 if (HAS_CW && do_cmd(0x1C,0x02,0x9C,0x36,NULL))
687 {
688 unsigned char v[8];
689 memset(v,0,sizeof(v));
690 idea_cbc_encrypt(&cta_res[30],er->cw,8,&ksSession,v,IDEA_DECRYPT);
691 memset(v,0,sizeof(v));
692 idea_cbc_encrypt(&cta_res[4],er->cw+8,8,&ksSession,v,IDEA_DECRYPT);
693 if ((memcmp(prv3411,&reader[ridx].prid[0],4)==0) || (memcmp(prv0401,&reader[ridx].prid[0],4)==0))
694 {
695 unsigned char tt[8];
696 memcpy(&tt[0],&er->cw[0],8);
697 memcpy(&er->cw[0],&er->cw[8],8);
698 memcpy(&er->cw[8],&tt[0],8);
699 }
700 return (1);
701 }
702 }
703 else
704 {
705 if(!do_cmd(0xd3,er->ecm[4]+2,0x53,0x16, er->ecm+3+2))
706 {
707 if(cta_res[2] == 0x01)
708 {
709 unsigned char v[8];
710 memset(v,0,sizeof(v));
711 idea_cbc_encrypt(&cta_res[14],er->cw,8,&ksSession,v,IDEA_DECRYPT);
712 memset(v,0,sizeof(v));
713 idea_cbc_encrypt(&cta_res[6],er->cw+8,8,&ksSession,v,IDEA_DECRYPT);
714 return (1);
715 }
716 cs_debug("[nagra-reader] can't decode ecm");
717 return (0);
718 }
719 }
720
721 return(0);
722}
723
724int nagra2_do_emm(EMM_PACKET *ep)
725{
726 if(!do_cmd(ep->emm[8],ep->emm[9]+2,0x84,0x02,ep->emm+8+2))
727 {
728 cs_debug("[nagra-reader] nagra2_do_emm failed");
729 return (0);
730 }
731 cs_sleepms(300);
732 nagra2_post_process();
733 return 1;
734}
Note: See TracBrowser for help on using the repository browser.