source: branches/smartreader/reader-nagra.c@ 821

Last change on this file since 821 was 821, checked in by rorothetroll, 13 years ago

resyn with trunk

File size: 18.4 KB
Line 
1#include "globals.h"
2#include "reader-common.h"
3#include "cscrypt/idea.h"
4#include <termios.h>
5#include <unistd.h>
6#ifdef OS_LINUX
7#include <linux/serial.h>
8#endif
9
10IDEA_KEY_SCHEDULE ksSession;
11extern uchar cta_res[];
12extern ushort cta_lr;
13int is_pure_nagra=0;
14int is_tiger=0;
15int has_dt08=0;
16unsigned char rom[15];
17unsigned char plainDT08RSA[64];
18unsigned char IdeaCamKey[16];
19unsigned char irdId[] = {0xff,0xff,0xff,0xff};
20unsigned char camid[] = {0xff,0xff,0xff,0xff};
21unsigned char sessi[16];
22unsigned char signature[8];
23unsigned char cam_state[3];
24unsigned char static_dt08[73];
25unsigned char prv0401[] = {0x00, 0x00, 0x04, 0x01};
26unsigned char prv3411[] = {0x00, 0x00, 0x34, 0x11};
27
28// Card Status checks
29#define HAS_CW ((cam_state[2]&6)==6)
30#define RENEW_SESSIONKEY ((cam_state[0]&128)==128 || (cam_state[0]&64)==64 || (cam_state[0]&32)==32)
31#define SENDDATETIME ((cam_state[0]&16)==16)
32// Datatypes
33#define DT01 0x01
34#define IRDINFO 0x00
35#define TIERS 0x05
36#define DT06 0x06
37#define CAMDATA 0x08
38
39#define MAX_REC 20
40#define SYSTEM_NAGRA 0x1800
41#define SYSTEM_MASK 0xFF00
42
43unsigned char XorSum(const unsigned char *mem, int len)
44{
45 unsigned char cs;
46 cs=0x00;
47 while(len>0)
48 {
49 cs ^= *mem++;
50 len--;
51 }
52 return cs;
53}
54
55static time_t tier_date(ulong date, char *buf, int l)
56{
57 time_t ut=870393600L+date*(24*3600);
58 if (buf)
59 {
60 struct tm *t;
61 t=gmtime(&ut);
62 snprintf(buf, l, "%04d/%02d/%02d", t->tm_year+1900, t->tm_mon+1, t->tm_mday);
63 }
64 return(ut);
65}
66
67int do_cmd(unsigned char cmd, int ilen, unsigned char res, int rlen, unsigned char *data)
68{
69 /*
70 here we build the command related to the protocol T1 for ROM142 or T14 for ROM181
71 the only different that i know is the command length byte msg[4], this msg[4]+=1 by a ROM181 smartcard (_nighti_)
72 one example for the cmd$C0
73 T14 protocol: 01 A0 CA 00 00 03 C0 00 06 91
74 T1 protocol: 21 00 08 A0 CA 00 00 02 C0 00 06 87
75 */
76 int msglen=ilen+6;
77 unsigned char msg[msglen];
78 static char nagra_head[] = {0xA0, 0xCA, 0x00, 0x00};
79
80 memset(msg, 0, msglen);
81 memcpy(msg,nagra_head,4);
82 msg[4] = ilen;
83 msg[5] = cmd;
84 int dlen=ilen-2;
85 msg[6] = dlen;
86 if(data && dlen>0) memcpy(msg+7,data,dlen);
87 msg[dlen+7] = rlen;
88 if (dlen<0)
89 {
90 cs_debug("[nagra-reader] invalid data length encountered");
91 return 0;
92 }
93 if (is_pure_nagra==1) msg[4]+=1;
94 if (is_tiger)
95 {
96 msg[4]--;
97 msg[6]--;
98 }
99 if(!reader_cmd2icc(msg,msglen))
100 {
101 cs_sleepms(10);
102 if(cta_res[0]!=res)
103 {
104 cs_debug("[nagra-reader] result not expected (%02x != %02x)",cta_res[0],res);
105 return 0;
106 }
107 if((cta_lr-2)!=rlen)
108 {
109 cs_debug("[nagra-reader] result length expected (%d != %d)",(cta_lr-2),rlen);
110 return 0;
111 }
112 return cta_lr;
113 }
114 return 0;
115}
116
117int SetIFS(unsigned char size)
118{
119 unsigned char buf[5];
120 int ret;
121 // NAD, PCB, LEN
122 buf[0] = 0x21;
123 buf[1] = 0xC1; // IFS Request cmd
124 buf[2] = 0x01; // cmd length
125 buf[3] = size; // Information Field size
126 buf[4] = XorSum(buf,4); //lrc byte
127
128 cs_debug("[nagra-reader] IFS cmd: %s", cs_hexdump (1, buf, 5));
129 ret = reader_cmd2api(buf, 5);
130 cs_debug("[nagra-reader] IFS response: %s", cs_hexdump (1, cta_res, cta_lr));
131 if ((cta_lr!=5) || (ret!=OK))
132 {
133 cs_debug("[nagra-reader] setting IFS to %02x failed", size);
134 return 0;
135 }
136 cs_debug("[nagra-reader] IFS is now %02x", size);
137 return 1;
138}
139
140void ReverseMem(unsigned char *vIn, int len)
141{
142 unsigned char temp;
143 int i;
144 for(i=0; i < (len/2); i++)
145 {
146 temp = vIn[i];
147 vIn[i] = vIn[len-i-1];
148 vIn[len-i-1] = temp;
149 }
150}
151
152void Signature(unsigned char *sig, const unsigned char *vkey,const unsigned char *msg, int len)
153{
154 IDEA_KEY_SCHEDULE ks;
155 unsigned char v[8];
156 unsigned char b200[16];
157 unsigned char b0f0[8];
158 memcpy(b200,vkey,sizeof(b200));
159 int i;
160 int j;
161 for(i=0; i<len; i+=8)
162 {
163 idea_set_encrypt_key(b200,&ks);
164 memset(v,0,sizeof(v));
165 idea_cbc_encrypt(msg+i,b0f0,8,&ks,v,IDEA_DECRYPT);
166 for(j=7; j>=0; j--) b0f0[j]^=msg[i+j];
167 memcpy(b200+0,b0f0,8);
168 memcpy(b200+8,b0f0,8);
169 }
170 memcpy(sig,b0f0,8);
171 return;
172}
173
174int CamStateRequest(void)
175{
176 if(do_cmd(0xC0,0x02,0xB0,0x06,NULL))
177 {
178 memcpy(cam_state,cta_res+3,3);
179 cs_debug("[nagra-reader] Camstate: %s",cs_hexdump (1, cam_state, 3));
180 }
181 else
182 {
183 cs_debug("[nagra-reader] CamStateRequest failed");
184 return 0;
185 }
186 return (1);
187}
188
189void DateTimeCMD(void)
190{
191 do_cmd(0xC8,0x02,0xB8,0x06,NULL);
192
193 /*
194 [sci0] <- 21 00 08 a0 ca 00 00 02 c8 00 06 8f
195 [sci0] -> 12 00 08
196 [sci0] -> b8 04 19 90 7b f4 90 00
197 */
198}
199
200void getCamID(void)
201{
202 /*
203 Hack:
204 Get camid. For provider 0401/3411 camid is 0xff,0xff,0xff,0xff.
205 for other provider we will take them from hexserial
206 */
207 if ((memcmp(prv3411,&reader[ridx].prid[0],4)==0) || (memcmp(prv0401,&reader[ridx].prid[0],4)==0))
208 {
209 memset(camid,0xff,4);
210 }
211 else
212 {
213 memcpy(camid,reader[ridx].hexserial,4);
214 }
215}
216
217int NegotiateSessionKey(void)
218{
219 unsigned char cmd2b[] = {0x21, 0x40, 0x48, 0xA0, 0xCA, 0x00, 0x00, 0x43, 0x2B, 0x40, 0x1C, 0x54, 0xd1, 0x26, 0xe7, 0xe2, 0x40, 0x20, 0xd1, 0x66, 0xf4, 0x18, 0x97, 0x9d, 0x5f, 0x16, 0x8f, 0x7f, 0x7a, 0x55, 0x15, 0x82, 0x31, 0x14, 0x06, 0x57, 0x1a, 0x3f, 0xf0, 0x75, 0x62, 0x41, 0xc2, 0x84, 0xda, 0x4c, 0x2e, 0x84, 0xe9, 0x29, 0x13, 0x81, 0xee, 0xd6, 0xa9, 0xf5, 0xe9, 0xdb, 0xaf, 0x22, 0x51, 0x3d, 0x44, 0xb3, 0x20, 0x83, 0xde, 0xcb, 0x5f, 0x35, 0x2b, 0xb0, 0xce, 0x70, 0x02, 0x00};
220 unsigned char negot[64];
221 unsigned char tmp[64];
222 unsigned char idea1[16];
223 unsigned char idea2[16];
224 unsigned char sign1[8];
225 unsigned char sign2[8];
226
227 if (!has_dt08) // if we have no valid dt08 calc then we use rsa from config and hexserial for calc of sessionkey
228 {
229 memcpy(plainDT08RSA, reader[ridx].rsa_mod, 64);
230 memcpy(signature,reader[ridx].nagra_boxkey, 8);
231 }
232 if (is_tiger)
233 {
234 unsigned char d1[] = {0xd2};
235 if(!do_cmd(0xd1,0x03,0x51,0x42,d1))
236 {
237 cs_debug("[nagra-reader] CMD$D1 failed");
238 return 0;
239 }
240 }
241 else
242 {
243 if(!do_cmd(0x2a,0x02,0xaa,0x42,NULL))
244 {
245 cs_debug("[nagra-reader] CMD$2A failed");
246 return 0;
247 }
248 }
249
250 // RSA decrypt of cmd$2a data, result is stored in "negot"
251 ReverseMem(cta_res+2, 64);
252 //cs_debug("[nagra-reader] plainDT08RSA: %s", cs_hexdump (1, plainDT08RSA, 32));
253 //cs_debug("[nagra-reader] plainDT08RSA: %s", cs_hexdump (1, &plainDT08RSA[32], 32));
254 unsigned char vFixed[] = {0,1,2,3};
255 BN_CTX *ctx = BN_CTX_new();
256 BIGNUM *bnN = BN_CTX_get(ctx);
257 BIGNUM *bnE = BN_CTX_get(ctx);
258 BIGNUM *bnCT = BN_CTX_get(ctx);
259 BIGNUM *bnPT = BN_CTX_get(ctx);
260 BN_bin2bn(plainDT08RSA, 64, bnN);
261 BN_bin2bn(vFixed+3, 1, bnE);
262 BN_bin2bn(cta_res+2, 64, bnCT);
263 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
264 memset(negot, 0, 64);
265 BN_bn2bin(bnPT, negot + (64-BN_num_bytes(bnPT)));
266 //cs_debug("[nagra-reader] DT08 decrypted $2a data: %s", cs_hexdump (1, negot, 32));
267 //cs_debug("[nagra-reader] DT08 decrypted $2a data: %s", cs_hexdump (1, &negot[32], 32));
268
269 memcpy(tmp, negot, 64);
270 ReverseMem(tmp, 64);
271
272 // build sessionkey
273 // first halve is IDEA Hashed in chuncs of 8 bytes using the Signature1 from dt08 calc, CamID-Inv.CamID(16 bytes key) the results are the First 8 bytes of the Session key
274 memcpy(idea1, signature, 8);
275 memcpy(idea1+8, reader[ridx].hexserial, 4);
276 idea1[12] = ~reader[ridx].hexserial[0]; idea1[13] = ~reader[ridx].hexserial[1]; idea1[14] = ~reader[ridx].hexserial[2]; idea1[15] = ~reader[ridx].hexserial[3];
277
278 Signature(sign1, idea1, tmp, 32);
279 memcpy(idea2,sign1,8); memcpy(idea2+8,sign1,8);
280 Signature(sign2, idea2, tmp, 32);
281 memcpy(sessi,sign1,8); memcpy(sessi+8,sign2,8);
282
283 // prepare cmd$2b data
284 BN_bin2bn(negot, 64, bnCT);
285 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
286 memset(cmd2b+10, 0, 64);
287 BN_bn2bin(bnPT, cmd2b+10 + (64-BN_num_bytes(bnPT)));
288 BN_CTX_end(ctx);
289 BN_CTX_free (ctx);
290 ReverseMem(cmd2b+10, 64);
291
292 IDEA_KEY_SCHEDULE ks;
293 idea_set_encrypt_key(sessi,&ks);
294 idea_set_decrypt_key(&ks,&ksSession);
295
296 if (!is_tiger)
297 {
298 if(!do_cmd(0x2b,0x42,0xab,0x02, cmd2b+10))
299 {
300 cs_debug("[nagra-reader] CMD$2B failed");
301 return 0;
302 }
303 }
304 else
305 {
306 if(!do_cmd(0xd2,0x42,0x52,0x03, cmd2b+10))
307 {
308 cs_debug("[nagra-reader] CMD$D2 failed");
309 return 0;
310 }
311 }
312
313 cs_debug("[nagra-reader] session key: %s", cs_hexdump(1, sessi, 16));
314
315 if (!is_tiger)
316 {
317 if (!CamStateRequest())
318 {
319 cs_debug("[nagra-reader] CamStateRequest failed");
320 return 0;
321 }
322 if SENDDATETIME
323 {
324 DateTimeCMD();
325 }
326 if RENEW_SESSIONKEY
327 {
328 cs_ri_log("Negotiate sessionkey was not successfull! Please check rsa key and boxkey");
329 return 0;
330 }
331 }
332 return 1;
333}
334
335void decryptDT08(void)
336{
337
338 unsigned char vFixed[] = {0,1,2,3};
339 unsigned char v[72];
340 unsigned char buf[72];
341 unsigned char sign2[8];
342 int i, n;
343 BN_CTX *ctx;
344 BIGNUM *bn_mod, *bn_exp, *bn_data, *bn_res;
345
346 memcpy(static_dt08, &cta_res[12], 73);
347 // decrypt RSA Part of dt08
348 bn_mod = BN_new ();
349 bn_exp = BN_new ();
350 bn_data = BN_new ();
351 bn_res = BN_new ();
352 ctx= BN_CTX_new();
353 if (ctx == NULL) cs_debug("[nagra-reader] RSA Error in dt08 decrypt");
354 //cs_debug("[nagra-reader] DT08 RSA modulus: %s", cs_hexdump (1, reader[ridx].rsa_mod, 32));
355 //cs_debug("[nagra-reader] DT08 RSA modulus: %s", cs_hexdump (1, &reader[ridx].rsa_mod[32], 32));
356 ReverseMem(static_dt08+1, 64);
357 BN_bin2bn (reader[ridx].rsa_mod, 64, bn_mod); // rsa modulus
358 BN_bin2bn (vFixed+3, 1, bn_exp); // exponent
359 BN_bin2bn (static_dt08+1, 64, bn_data);
360 //cs_debug("[nagra-reader] DT08 crypted rsa: %s", cs_hexdump (1, static_dt08+1, 32));
361 //cs_debug("[nagra-reader] DT08 crypted rsa: %s", cs_hexdump (1, static_dt08+33, 32));
362 BN_mod_exp (bn_res, bn_data, bn_exp, bn_mod, ctx);
363 memset (static_dt08+1, 0, 64);
364 n = BN_bn2bin (bn_res, static_dt08+1);
365 ReverseMem(static_dt08+1, n);
366 //cs_debug("[nagra-reader] DT08 decrypted rsa: %s", cs_hexdump (1, static_dt08+1, 32));
367 //cs_debug("[nagra-reader] DT08 decrypted rsa: %s", cs_hexdump (1, static_dt08+33, 32));
368
369 // RSA data can never be bigger than the modulo
370 static_dt08[64] |= static_dt08[0] & 0x80;
371
372 // IdeaCamKey
373 memcpy (&IdeaCamKey[0], reader[ridx].nagra_boxkey, 8);
374 memcpy (&IdeaCamKey[8], irdId, 4);
375 for (i = 0; i < 4; i++)
376 IdeaCamKey[12 + i] = ~irdId[i];
377 //cs_debug("[nagra-reader] DT08 Plainkey: %s", cs_hexdump (1, IdeaCamKey, 16));
378
379 // now IDEA decrypt
380 IDEA_KEY_SCHEDULE ks;
381 idea_set_encrypt_key(IdeaCamKey,&ks);
382 idea_set_decrypt_key(&ks,&ksSession);
383 //cs_debug("[nagra-reader] dt08 idea part: %s", cs_hexdump (1, static_dt08+65, 8));
384 memcpy (&buf[0], static_dt08+1, 64);
385 memcpy (&buf[64], static_dt08+65, 8);
386 //cs_debug("[nagra-reader] dt08 64byte rsa decrypted + 8last byte: %s", cs_hexdump (1, buf, 64));
387 //cs_debug("[nagra-reader] dt08 64byte rsa decrypted + 8last byte: %s", cs_hexdump (1, &buf[64], 8));
388 memset(v,0,sizeof(v));
389 memset(static_dt08,0,sizeof(static_dt08));
390 idea_cbc_encrypt(buf,static_dt08,72,&ksSession,v,IDEA_DECRYPT);
391 //cs_debug("[nagra-reader] dt08 72byte idea decrypted: %s", cs_hexdump (1, &static_dt08[0], 36));
392 //cs_debug("[nagra-reader] dt08 72byte idea decrypted: %s", cs_hexdump (1, &static_dt08[35], 37));
393
394 getCamID();
395 cs_debug("[nagra-reader] using camid %sfor dt08 calc",cs_hexdump (1,camid,4));
396
397 // Calculate signature
398 memcpy (signature, static_dt08, 8);
399 memset (static_dt08 + 0, 0, 4);
400 memcpy (static_dt08 + 4, camid, 4);
401 Signature(sign2,IdeaCamKey,static_dt08,72);
402
403 BN_CTX_free (ctx);
404 //cs_debug("[nagra-reader] dt08 sign1: %s", cs_hexdump (0, signature, 8));
405 //cs_debug("[nagra-reader] dt08 sign2: %s", cs_hexdump (0, sign2, 8));
406
407 if (memcmp (signature, sign2, 8)==0)
408 {
409 has_dt08=1;
410 memcpy (plainDT08RSA, static_dt08+8, 64);
411 cs_debug("[nagra-reader] DT08 signature check ok");
412 }
413 else
414 {
415 has_dt08=0;
416 cs_debug("[nagra-reader] DT08 signature check nok");
417 }
418}
419
420void addProvider(int id)
421{
422 int i;
423 int toadd=1;
424 for (i=0; i<reader[ridx].nprov; i++)
425 {
426 if ((cta_res[7]==reader[ridx].prid[i][2]) && (cta_res[8]==reader[ridx].prid[i][3]))
427 {
428 toadd = 0;
429 }
430 }
431 if (toadd)
432 {
433 reader[ridx].prid[reader[ridx].nprov][0]=0;
434 reader[ridx].prid[reader[ridx].nprov][1]=0;
435 reader[ridx].prid[reader[ridx].nprov][2]=cta_res[7];
436 reader[ridx].prid[reader[ridx].nprov][3]=cta_res[8];
437 memcpy(reader[ridx].sa[reader[ridx].nprov], reader[ridx].sa[0], 4);
438 reader[ridx].nprov+=1;
439 }
440}
441
442int ParseDataType(unsigned char dt)
443{
444 char ds[16], de[16];
445 ushort chid;
446 switch(dt)
447 {
448 case IRDINFO:
449 {
450 reader[ridx].prid[0][0]=0x00;
451 reader[ridx].prid[0][1]=0x00;
452 reader[ridx].prid[0][2]=cta_res[7];
453 reader[ridx].prid[0][3]=cta_res[8];
454 reader[ridx].caid[0] =(SYSTEM_NAGRA|cta_res[11]);
455 memcpy(irdId,cta_res+14,4);
456 cs_debug("[nagra-reader] CAID: %04X, IRD ID: %s",reader[ridx].caid[0], cs_hexdump (1,irdId,4));
457 cs_debug("[nagra-reader] ProviderID: %s",cs_hexdump (1,reader[ridx].prid[0],4));
458 return 1;
459 }
460 case TIERS:
461 if ((cta_lr>33) && (chid=b2i(2, cta_res+11)))
462 {
463 int id=(cta_res[7]*256)|cta_res[8];
464 tier_date(b2i(2, cta_res+20)-0x7f7, ds, 15);
465 tier_date(b2i(2, cta_res+13)-0x7f7, de, 15);
466 cs_ri_log("|%04X|%04X |%s |%s |", id,chid, ds, de);
467 addProvider(id);
468 }
469 case 0x08:
470 case 0x88: if (cta_res[11] == 0x49) decryptDT08();
471 default:
472 return 1;
473 }
474 return 0;
475}
476
477int GetDataType(unsigned char dt, int len, int shots)
478{
479 int i;
480 for(i=0; i<shots; i++)
481 {
482 if(!do_cmd(0x22,0x03,0xA2,len,&dt))
483 {
484 cs_debug("[nagra-reader] failed to get datatype %02X",dt);
485 return 0;
486 }
487 if((cta_res[2]==0) && (dt != 0x08 || dt != 0x88)) return 1;
488 if(!ParseDataType(dt&0x0F)) return 0;
489 if ((dt != 0x08 || dt != 0x88) && (cta_res[11] == 0x49)) return 1; //got dt08 data
490 dt|=0x80; // get next item
491 }
492 return 1;
493}
494
495int nagra2_card_init(uchar *atr, int atrlen)
496{
497 memset(rom, 0, 15);
498 reader[ridx].nprov = 1;
499 memset (reader[ridx].sa, 0xff, sizeof (reader[ridx].sa));
500 reader[ridx].caid[0]=SYSTEM_NAGRA;
501
502 if (memcmp(atr+11, "DNASP", 5)==0)
503 {
504 //if(SetIFS(0xFE) != 1) return 0;
505 cs_debug("[nagra-reader] detect native nagra card T1 protocol");
506 memcpy(rom,atr+11,15);
507 }
508 else if (memcmp(atr+11, "TIGER", 5)==0)
509 {
510 //if(SetIFS(0xFE) != 1) return 0;
511 cs_debug("[nagra-reader] detect nagra tiger card");
512 memcpy(rom,atr+11,15);
513 memset(reader[ridx].hexserial, 0xff, 4); // take 0xff as cardserial?
514 is_tiger=1;
515 }
516 else if (!memcmp(atr+4, "IRDETO", 6))
517 {
518 cs_debug("[nagra-reader] detect Irdeto tunneled nagra card");
519 if(!reader[ridx].nagra_native) return 0;
520 cs_debug("[nagra-reader] using nagra mode");
521 is_pure_nagra=1;
522 if(!do_cmd(0x10,0x02,0x90,0x11,0))
523 {
524 cs_debug("[nagra-reader] get rom version failed");
525 return 0;
526 }
527 memcpy(rom,cta_res+2,15);
528 }
529 else return 0;
530
531 if (!is_tiger)
532 {
533 CamStateRequest();
534 if(!do_cmd(0x12,0x02,0x92,0x06,0))
535 {
536 cs_debug("[nagra-reader] get Serial failed");
537 return 0;
538 }
539 memcpy(reader[ridx].hexserial, cta_res+2, 4);
540 cs_debug("[nagra-reader] SER: %s", cs_hexdump (1, reader[ridx].hexserial, 4));
541 memcpy(reader[ridx].sa[0], cta_res+2, 4);
542
543 if(!GetDataType(DT01,0x0E,MAX_REC)) return 0;
544 cs_debug("[nagra-reader] DT01 DONE");
545 CamStateRequest();
546 if(!GetDataType(IRDINFO,0x39,MAX_REC)) return 0;
547 cs_debug("[nagra-reader] IRDINFO DONE");
548 CamStateRequest();
549 if(!GetDataType(CAMDATA,0x55,10)) return 0;
550 cs_debug("[nagra-reader] CAMDATA Done");
551 if(!GetDataType(0x04,0x44,MAX_REC)) return 0;
552 cs_debug("[nagra-reader] DT04 DONE");
553 CamStateRequest();
554
555 if (!memcmp(rom+5, "181", 3)==0) //dt05 is not supported by rom181
556 {
557 cs_ri_log("-----------------------------------------");
558 cs_ri_log("|id |tier |valid from |valid to |");
559 cs_ri_log("+----+--------+------------+------------+");
560 if(!GetDataType(TIERS,0x57,MAX_REC)) return 0;
561 cs_ri_log("-----------------------------------------");
562 CamStateRequest();
563 }
564
565 if(!GetDataType(DT06,0x16,MAX_REC)) return 0;
566 cs_debug("[nagra-reader] DT06 DONE");
567 CamStateRequest();
568 }
569 if (!NegotiateSessionKey())
570 {
571 cs_debug("[nagra-reader] NegotiateSessionKey failed");
572 return 0;
573 }
574
575 return 1;
576}
577
578int nagra2_card_info(void)
579{
580 int i;
581 cs_ri_log("ROM: %c %c %c %c %c %c %c %c", rom[0], rom[1], rom[2],rom[3], rom[4], rom[5], rom[6], rom[7]);
582 cs_ri_log("REV: %c %c %c %c %c %c", rom[9], rom[10], rom[11], rom[12], rom[13], rom[14]);
583 cs_ri_log("SER: %s", cs_hexdump (1, reader[ridx].hexserial, 4));
584 cs_ri_log("CAID: %04X",reader[ridx].caid[0]);
585 cs_ri_log("Prv.ID: %s(sysid)",cs_hexdump (1,reader[ridx].prid[0],4));
586 for (i=1; i<reader[ridx].nprov; i++)
587 {
588 cs_ri_log("Prv.ID: %s",cs_hexdump (1,reader[ridx].prid[i],4));
589 }
590 cs_log("ready for requests");
591 return 1;
592}
593
594void nagra2_post_process(void)
595{
596 //Todo: Do not block!//
597 CamStateRequest();
598 cs_sleepms(10);
599 if RENEW_SESSIONKEY NegotiateSessionKey();
600 if SENDDATETIME DateTimeCMD();
601}
602
603int nagra2_do_ecm(ECM_REQUEST *er)
604{
605 if (!is_tiger)
606 {
607 int retry=0;
608 if(!do_cmd(er->ecm[3],er->ecm[4]+2,0x87,0x02, er->ecm+3+2))
609 {
610 cs_debug("[nagra-reader] nagra2_do_ecm failed, retry");
611 if(!do_cmd(er->ecm[3],er->ecm[4]+2,0x87,0x02, er->ecm+3+2))
612 {
613 cs_debug("[nagra-reader] nagra2_do_ecm failed");
614 return (0);
615 }
616
617 }
618 cs_sleepms(5);
619 while(!CamStateRequest() && retry < 5)
620 {
621 retry++;
622 cs_sleepms(15);
623 }
624 cs_sleepms(5);
625 if (HAS_CW && do_cmd(0x1C,0x02,0x9C,0x36,NULL))
626 {
627 unsigned char v[8];
628 memset(v,0,sizeof(v));
629 idea_cbc_encrypt(&cta_res[30],er->cw,8,&ksSession,v,IDEA_DECRYPT);
630 memset(v,0,sizeof(v));
631 idea_cbc_encrypt(&cta_res[4],er->cw+8,8,&ksSession,v,IDEA_DECRYPT);
632 if ((memcmp(prv3411,&reader[ridx].prid[0],4)==0) || (memcmp(prv0401,&reader[ridx].prid[0],4)==0))
633 {
634 unsigned char tt[8];
635 memcpy(&tt[0],&er->cw[0],8);
636 memcpy(&er->cw[0],&er->cw[8],8);
637 memcpy(&er->cw[8],&tt[0],8);
638 }
639 return (1);
640 }
641 }
642 else
643 {
644 if(!do_cmd(0xd3,er->ecm[4]+2,0x53,0x16, er->ecm+3+2))
645 {
646 //53 14 01 00 00 00
647 //94 8c 3e f7 49 a8 c7 23 //cw1?
648 //9a 67 e3 e1 d4 c1 c7 83 //cw0?
649 //90 0
650 unsigned char v[8];
651 memset(v,0,sizeof(v));
652 idea_cbc_encrypt(&cta_res[14],er->cw,8,&ksSession,v,IDEA_DECRYPT);
653 memset(v,0,sizeof(v));
654 idea_cbc_encrypt(&cta_res[6],er->cw+8,8,&ksSession,v,IDEA_DECRYPT);
655 return (1);
656 }
657 }
658
659 return(0);
660}
661
662int nagra2_do_emm(EMM_PACKET *ep)
663{
664 if(!do_cmd(ep->emm[8],ep->emm[9]+2,0x84,0x02,ep->emm+8+2))
665 {
666 cs_debug("[nagra-reader] nagra2_do_emm failed");
667 return (0);
668 }
669 cs_sleepms(300);
670 nagra2_post_process();
671 return 1;
672}
Note: See TracBrowser for help on using the repository browser.