source: trunk/reader-irdeto.c

Last change on this file was 11646, checked in by gorgone, 8 months ago

fix typos
move debug logoutput to debug
  • Property svn:eol-style set to LF
File size: 41.7 KB
Line 
1#include "globals.h"
2#ifdef READER_IRDETO
3#include "oscam-time.h"
4#include "reader-common.h"
5#include "reader-irdeto.h"
6
7static const uint8_t CryptTable[256] =
8{
9 0xDA, 0x26, 0xE8, 0x72, 0x11, 0x52, 0x3E, 0x46,
10 0x32, 0xFF, 0x8C, 0x1E, 0xA7, 0xBE, 0x2C, 0x29,
11 0x5F, 0x86, 0x7E, 0x75, 0x0A, 0x08, 0xA5, 0x21,
12 0x61, 0xFB, 0x7A, 0x58, 0x60, 0xF7, 0x81, 0x4F,
13 0xE4, 0xFC, 0xDF, 0xB1, 0xBB, 0x6A, 0x02, 0xB3,
14 0x0B, 0x6E, 0x5D, 0x5C, 0xD5, 0xCF, 0xCA, 0x2A,
15 0x14, 0xB7, 0x90, 0xF3, 0xD9, 0x37, 0x3A, 0x59,
16 0x44, 0x69, 0xC9, 0x78, 0x30, 0x16, 0x39, 0x9A,
17 0x0D, 0x05, 0x1F, 0x8B, 0x5E, 0xEE, 0x1B, 0xC4,
18 0x76, 0x43, 0xBD, 0xEB, 0x42, 0xEF, 0xF9, 0xD0,
19 0x4D, 0xE3, 0xF4, 0x57, 0x56, 0xA3, 0x0F, 0xA6,
20 0x50, 0xFD, 0xDE, 0xD2, 0x80, 0x4C, 0xD3, 0xCB,
21 0xF8, 0x49, 0x8F, 0x22, 0x71, 0x84, 0x33, 0xE0,
22 0x47, 0xC2, 0x93, 0xBC, 0x7C, 0x3B, 0x9C, 0x7D,
23 0xEC, 0xC3, 0xF1, 0x89, 0xCE, 0x98, 0xA2, 0xE1,
24 0xC1, 0xF2, 0x27, 0x12, 0x01, 0xEA, 0xE5, 0x9B,
25 0x25, 0x87, 0x96, 0x7B, 0x34, 0x45, 0xAD, 0xD1,
26 0xB5, 0xDB, 0x83, 0x55, 0xB0, 0x9E, 0x19, 0xD7,
27 0x17, 0xC6, 0x35, 0xD8, 0xF0, 0xAE, 0xD4, 0x2B,
28 0x1D, 0xA0, 0x99, 0x8A, 0x15, 0x00, 0xAF, 0x2D,
29 0x09, 0xA8, 0xF5, 0x6C, 0xA1, 0x63, 0x67, 0x51,
30 0x3C, 0xB2, 0xC0, 0xED, 0x94, 0x03, 0x6F, 0xBA,
31 0x3F, 0x4E, 0x62, 0x92, 0x85, 0xDD, 0xAB, 0xFE,
32 0x10, 0x2E, 0x68, 0x65, 0xE7, 0x04, 0xF6, 0x0C,
33 0x20, 0x1C, 0xA9, 0x53, 0x40, 0x77, 0x2F, 0xA4,
34 0xFA, 0x6D, 0x73, 0x28, 0xE2, 0xCD, 0x79, 0xC8,
35 0x97, 0x66, 0x8E, 0x82, 0x74, 0x06, 0xC7, 0x88,
36 0x1A, 0x4A, 0x6B, 0xCC, 0x41, 0xE9, 0x9D, 0xB8,
37 0x23, 0x9F, 0x3D, 0xBF, 0x8D, 0x95, 0xC5, 0x13,
38 0xB9, 0x24, 0x5A, 0xDC, 0x64, 0x18, 0x38, 0x91,
39 0x7F, 0x5B, 0x70, 0x54, 0x07, 0xB6, 0x4B, 0x0E,
40 0x36, 0xAC, 0x31, 0xE6, 0xD6, 0x48, 0xAA, 0xB4
41};
42
43static const uint8_t sc_GetCountryCode[] = { 0x02, 0x02, 0x03, 0x00, 0x00 };
44static const uint8_t sc_GetCountryCode2[] = { 0x02, 0x0B, 0x00, 0x00, 0x00 };
45
46static const uint8_t sc_GetCamKey384CZ[] =
47{
48 0x02, 0x09, 0x03, 0x00, 0x40,
49 0x18, 0xD7, 0x55, 0x14, 0xC0, 0x83, 0xF1, 0x38,
50 0x39, 0x6F, 0xF2, 0xEC, 0x4F, 0xE3, 0xF1, 0x85,
51 0x01, 0x46, 0x06, 0xCE, 0x7D, 0x08, 0x2C, 0x74,
52 0x46, 0x8F, 0x72, 0xC4, 0xEA, 0xD7, 0x9C, 0xE0,
53 0xE1, 0xFF, 0x58, 0xE7, 0x70, 0x0C, 0x92, 0x45,
54 0x26, 0x18, 0x4F, 0xA0, 0xE2, 0xF5, 0x9E, 0x46,
55 0x6F, 0xAE, 0x95, 0x35, 0xB0, 0x49, 0xB2, 0x0E,
56 0xA4, 0x1F, 0x8E, 0x47, 0xD0, 0x24, 0x11, 0xD0
57};
58
59static const uint8_t sc_GetCamKey384DZ[] =
60{
61 0x02, 0x09, 0x03, 0x00, 0x40,
62 0x27, 0xF2, 0xD6, 0xCD, 0xE6, 0x88, 0x62, 0x46,
63 0x81, 0xB0, 0xF5, 0x3E, 0x6F, 0x13, 0x4D, 0xCC,
64 0xFE, 0xD0, 0x67, 0xB1, 0x93, 0xDD, 0xF4, 0xDE,
65 0xEF, 0xF5, 0x3B, 0x04, 0x1D, 0xE5, 0xC3, 0xB2,
66 0x54, 0x38, 0x57, 0x7E, 0xC8, 0x39, 0x07, 0x2E,
67 0xD2, 0xF4, 0x05, 0xAA, 0x15, 0xB5, 0x55, 0x24,
68 0x90, 0xBB, 0x9B, 0x00, 0x96, 0xF0, 0xCB, 0xF1,
69 0x8A, 0x08, 0x7F, 0x0B, 0xB8, 0x79, 0xC3, 0x5D
70};
71
72static const uint8_t sc_GetCamKey384FZ[] =
73{
74 0x02, 0x09, 0x03, 0x00, 0x40,
75 0x62, 0xFE, 0xD8, 0x4F, 0x44, 0x86, 0x2C, 0x21,
76 0x50, 0x9A, 0xBE, 0x27, 0x15, 0x9E, 0xC4, 0x48,
77 0xF3, 0x73, 0x5C, 0xBD, 0x08, 0x64, 0x6D, 0x13,
78 0x64, 0x90, 0x14, 0xDB, 0xFF, 0xC3, 0xFE, 0x03,
79 0x97, 0xFA, 0x75, 0x08, 0x12, 0xF9, 0x8F, 0x84,
80 0x83, 0x17, 0xAA, 0x6F, 0xEF, 0x2C, 0x10, 0x1B,
81 0xBF, 0x31, 0x41, 0xC3, 0x54, 0x2F, 0x65, 0x50,
82 0x95, 0xA9, 0x64, 0x22, 0x5E, 0xA4, 0xAF, 0xA9
83};
84
85/* some variables for acs57 (Dahlia for ITA dvb-t) */
86#define ACS57EMM 0xD1
87#define ACS57ECM 0xD5
88#define ACS57GET 0xD2
89/* end define */
90
91typedef struct chid_base_date
92{
93 uint16_t caid;
94 uint16_t acs;
95 char c_code[4];
96 uint32_t base;
97} CHID_BASE_DATE;
98
99struct irdeto_data
100{
101 int32_t acs57; // A flag for the ACS57 ITA DVB-T
102 uint16_t acs;
103 char country_code[3]; // irdeto country code.
104};
105
106static void XRotateLeft8Byte(uint8_t *buf)
107{
108 int32_t k;
109 uint8_t t1 = buf[7];
110 uint8_t t2 = 0;
111
112 for(k = 0; k <= 7; k++)
113 {
114 t2 = t1;
115 t1 = buf[k];
116 buf[k] = (buf[k] << 1) | (t2 >> 7);
117 }
118}
119
120static void ReverseSessionKeyCrypt(const uint8_t *camkey, uint8_t *key)
121{
122 uint8_t localkey[8], tmp1, tmp2;
123 int32_t idx1, idx2;
124
125 memcpy(localkey, camkey, 8);
126
127 for(idx1 = 0; idx1 < 8; idx1++)
128 {
129 for(idx2 = 0; idx2 < 8; idx2++)
130 {
131 tmp1 = CryptTable[key[7] ^ localkey[idx2] ^ idx1];
132 tmp2 = key[0];
133 key[0] = key[1];
134 key[1] = key[2];
135 key[2] = key[3];
136 key[3] = key[4];
137 key[4] = key[5];
138 key[5] = key[6] ^ tmp1;
139 key[6] = key[7];
140 key[7] = tmp1 ^ tmp2;
141 }
142 XRotateLeft8Byte(localkey);
143 }
144}
145
146static uint8_t XorSum(const uint8_t *mem, int len)
147{
148 uint8_t cs = 0;
149 while(len > 0)
150 {
151 cs ^= *mem++;
152 len--;
153 }
154 return cs;
155}
156
157static time_t chid_date(struct s_reader *reader, uint32_t date, char *buf, int32_t l)
158{
159 // Irdeto date starts 01.08.1997 which is
160 // 870393600 seconds in unix calendar time
161 //
162 // The above might not be true for all Irdeto card
163 // we need to find a way to identify cards to set the base date
164 // like we did for NDS
165 //
166 // this is the known default value.
167
168 uint32_t date_base;
169
170 if((reader->caid >> 8) == 0x06)
171 {
172 date_base = 946598400L; // this is actually 31.12.1999, 00:00 default for irdeto card
173 }
174 else
175 {
176 date_base = 870393600L; // this is actually 01.08.1997, 00:00 default for betacrypt cards
177 }
178
179 // CAID, ACS, Country, base date D. M. Y, h : m
180 CHID_BASE_DATE table[] = {
181 {0x0662, 0x0608, "ITA", 944110500L}, // 01.12.1999, 23.55
182 {0x0616, 0x0608, "ITA", 944110500L}, // 01.12.1999, 23.55 //nitegate
183 {0x0647, 0x0005, "ITA", 946598400L}, // 31.12.1999, 00:00 //Redlight irdeto
184 {0x0664, 0x0608, "TUR", 946598400L}, // 31.12.1999, 00:00
185 {0x0624, 0x0006, "CZE", 946598400L}, // 30.12.1999, 16:00 //skyklink irdeto
186 {0x0624, 0x0006, "SVK", 946598400L}, // 30.12.1999, 16:00 //skyklink irdeto
187 {0x0666, 0x0006, "SVK", 946598400L}, // 30.12.1999, 16:00 //cslink irdeto
188 {0x0668, 0x0006, "SVK", 946598400L}, // 30.12.1999, 00:00 //Towercom Irdeto
189 {0x0666, 0x0006, "CZE", 946598400L}, // 30.12.1999, 16:00 //cslink irdeto
190 {0x0653, 0x0608, "HUN", 946598400L}, // 31.12.1999, 00:00 //upc ice irdeto
191 {0x0653, 0x0005, "HUN", 946598400L}, // 31.12.1999, 00:00 //upc ice irdeto
192 {0x0650, 0x0608, "AUT", 946598400L}, // 31.12.1999, 00:00 //orf P410 irdeto
193 {0x0650, 0x0005, "AUT", 946598400L}, // 31.12.1999, 00:00 //orf P410 irdeto
194 {0x0648, 0x0608, "AUT", 946598400L}, // 31.12.1999, 00:00 //orf ice irdeto
195 {0x0648, 0x0005, "AUT", 946598400L}, // 31.12.1999, 00:00 //orf ice irdeto
196 {0x0627, 0x0608, "EGY", 946598400L}, // 30.12.1999, 16:00
197 {0x0602, 0x0606, "NLD", 946598400L}, // 31.12.1999, 08:00 //Ziggo irdeto caid: 0602, acs: 6.06
198 {0x0602, 0x0505, "NLD", 946598400L}, // 31.12.1999, 00:00 //Ziggo irdeto caid: 0602, acs: 5.05
199 {0x0606, 0x0005, "NLD", 946598400L}, // 31.12.1999, 00:00 //Caiway irdeto card caid: 0606, acs: 0.05
200 {0x0606, 0x0605, "NLD", 946598400L}, // 31.12.1999, 00:00 //Caiway irdeto card caid: 0606, acs: 6.05
201 {0x0606, 0x0606, "NLD", 946598400L}, // 31.12.1999, 00:00 //Caiway irdeto card caid: 0606, acs: 6.06
202 {0x0606, 0x0006, "ZAF", 946598400L}, // 31.12.1999, 00:00 //dstv irdeto
203 {0x0604, 0x1541, "GRC", 977817600L}, // 26.12.2000, 00:00
204 {0x0604, 0x1542, "GRC", 977817600L}, // 26.12.2000, 00:00
205 {0x0604, 0x1543, "GRC", 977817600L}, // 26.12.2000, 00:00
206 {0x0604, 0x1544, "GRC", 977817600L}, // 26.12.2000, 17:00
207 {0x0604, 0x0608, "EGY", 999993600L}, // 08.09.2001, 17:00
208 {0x0604, 0x0606, "EGY", 1003276800L}, // 16.10.2001, 17:00
209 {0x0604, 0x0605, "GRC", 1011052800L}, // 15.01.2002, 00:00 //nova irdeto
210 {0x0604, 0x0606, "GRC", 1011052800L}, // 15.01.2002, 00:00 //nova irdeto
211 {0x0604, 0x0607, "GRC", 1011052800L}, // 15.01.2002, 00:00 //nova irdeto
212 {0x0604, 0x0608, "GRC", 1011052800L}, // 15.01.2002, 00:00 //nova irdeto
213 {0x0604, 0x0005, "GRC", 1011052800L}, // 15.01.2002, 00:00 //mova irdeto
214 {0x0604, 0x0606, "NLD", 1066089600L}, // 14.10.2003, 00:00
215 {0x0610, 0x0608, "NLD", 1066089600L}, // 14.10.2003, 00:00 //Ziggo irdeto caid: 0610, acs: 6.08
216 {0x0604, 0x0608, "NLD", 1066089600L}, // 14.10.2003, 00:00 //Ziggo irdeto caid: 0604, acs: 6.08
217 {0x0604, 0x0605, "NLD", 1066089600L}, // 14.10.2003, 00:00 //Ziggo irdeto caid: 0604, acs: 6.05
218 {0x0604, 0x0005, "NLD", 1066089600L}, // 14.10.2003, 00:00 //Ziggo irdeto caid: 0604, acs: 0.05
219 {0x0628, 0x0606, "MCR", 1159574400L}, // 29.09.2006, 00:00
220 {0x0652, 0x0005, "MCR", 1206662400L}, // 28.03.2008, 00:00 //Raduga caid:0652, acs: 0.05
221 {0x0652, 0x0608, "MCR", 1206662400L}, // 28.03.2008, 00:00 //Raduga caid:0652, acs: 6.08
222 {0x0, 0x0, "", 0L}
223 };
224
225 // now check for specific providers base date
226 int32_t i = 0;
227 struct irdeto_data *csystem_data = reader->csystem_data;
228
229 while(table[i].caid)
230 {
231 if((reader->caid == table[i].caid) && (csystem_data->acs == table[i].acs)
232 && (!memcmp(csystem_data->country_code, table[i].c_code, 3)))
233 {
234 date_base = table[i].base;
235 break;
236 }
237 i++;
238 }
239
240 time_t ut = date_base + date * (24 * 3600);
241 if(buf)
242 {
243 struct tm t;
244 cs_gmtime_r(&ut, &t);
245 l = 27;
246 snprintf(buf, l, "%04d/%02d/%02d", t.tm_year + 1900, t.tm_mon + 1, t.tm_mday);
247 }
248 return (ut);
249}
250
251static int32_t irdeto_do_cmd(struct s_reader *reader, uint8_t *buf, uint16_t good, uint8_t *cta_res, uint16_t *p_cta_lr)
252{
253 int32_t rc;
254 if((rc = reader_cmd2icc(reader, buf, buf[4] + 5, cta_res, p_cta_lr)))
255 {
256 return (rc); // result may be 0 (success) or negative
257 }
258
259 if(*p_cta_lr < 2)
260 {
261 return (0x7F7F); // this should never happen
262 }
263
264 return (good != b2i(2, cta_res + *p_cta_lr - 2));
265}
266
267#define reader_chk_cmd(cmd, l) { if (reader_cmd2icc(reader, cmd, sizeof(cmd), cta_res, &cta_lr)) return ERROR; if (l && (cta_lr!=l)) return ERROR; }
268
269static int32_t irdeto_card_init_provider(struct s_reader *reader)
270{
271 def_resp;
272 int32_t i, p;
273 uint8_t buf[256] = {0};
274 struct irdeto_data *csystem_data = reader->csystem_data;
275
276 uint8_t sc_GetProvider[] = { 0x02, 0x03, 0x03, 0x00, 0x00 };
277 uint8_t sc_Acs57Prov[] = { 0xD2, 0x06, 0x03, 0x00, 0x01, 0x3C };
278 uint8_t sc_Acs57_Cmd[] = { ACS57GET, 0xFE, 0x00, 0x00, 0x00 };
279
280 /*
281 * Provider
282 */
283 memset(reader->prid, 0xff, sizeof(reader->prid));
284
285 for(buf[0] = i = p = 0; i < reader->nprov; i++)
286 {
287 int32_t acspadd = 0;
288 if(csystem_data->acs57 == 1)
289 {
290 acspadd = 8;
291 sc_Acs57Prov[3] = i;
292 irdeto_do_cmd(reader, sc_Acs57Prov, 0x9021, cta_res, &cta_lr);
293 int32_t acslength = cta_res[cta_lr - 1];
294 sc_Acs57_Cmd[4] = acslength;
295 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
296 sc_Acs57Prov[5]++;
297 sc_Acs57_Cmd[3]++;
298 }
299 else
300 {
301 sc_GetProvider[3] = i;
302 reader_chk_cmd(sc_GetProvider, 0);
303 }
304
305 if(((cta_lr == 26) && ((!(i & 1)) || (cta_res[0] != 0xf))) || (csystem_data->acs57 == 1))
306 {
307 reader->prid[i][4] = p++;
308
309 // maps the provider id for Betacrypt from FFFFFF to 000000,
310 // fixes problems with cascading CCcam and OSCam
311 if(caid_is_betacrypt(reader->caid))
312 {
313 memset(&reader->prid[i][0], 0, 4);
314 }
315 else
316 {
317 memcpy(&reader->prid[i][0], cta_res + acspadd, 4);
318 }
319
320 if(!memcmp(cta_res + acspadd + 1, &reader->hexserial, 3))
321 {
322 reader->prid[i][3] = 0xFF;
323 }
324
325 snprintf((char *) buf + cs_strlen((char *)buf), sizeof(buf) - cs_strlen((char *)buf), ",%06x", b2i(3, &reader->prid[i][1]));
326 }
327 else
328 {
329 reader->prid[i][0] = 0xf;
330 }
331 }
332
333 if(p)
334 {
335 rdr_log(reader, "active providers: %d (%s)", p, buf + 1);
336 }
337
338 return OK;
339}
340
341static int32_t irdeto_card_init(struct s_reader *reader, ATR *newatr)
342{
343 def_resp;
344 get_atr;
345 int32_t camkey = 0;
346 uint8_t buf[256] = { 0 };
347 uint8_t sc_GetCamKey383C[] = {
348 0x02, 0x09, 0x03, 0x00, 0x40,
349 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
350 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
351 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
352 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
353 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
354 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
355 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
356 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
357
358 uint8_t sc_GetASCIISerial[] = { 0x02, 0x00, 0x03, 0x00, 0x00 };
359 uint8_t sc_GetHEXSerial[] = { 0x02, 0x01, 0x00, 0x00, 0x00 };
360 uint8_t sc_GetSCDetails[] = { 0x02, 0x1E, 0x00, 0x00, 0x00 };
361 uint8_t sc_GetCardFile[] = { 0x02, 0x0E, 0x02, 0x00, 0x00 };
362
363 uint8_t sc_Acs57CamKey[70] = { 0xD2, 0x12, 0x03, 0x00, 0x41};
364 uint8_t sc_Acs57Country[] = { 0xD2, 0x04, 0x00, 0x00, 0x01, 0x3E };
365 uint8_t sc_Acs57Ascii[] = { 0xD2, 0x00, 0x03, 0x00, 0x01, 0x3F };
366 uint8_t sc_Acs57Hex[] = { 0xD2, 0x02, 0x03, 0x00, 0x01, 0x3E };
367 uint8_t sc_Acs57CFile[] = { 0xD2, 0x1C, 0x02, 0x00, 0x01, 0x30 };
368 uint8_t sc_Acs57_Cmd[] = { ACS57GET, 0xFE, 0x00, 0x00, 0x00 };
369
370 int32_t acspadd = 0;
371 int32_t acs57 = 0;
372
373 if(!memcmp(atr + 4, "IRDETO", 6))
374 {
375 acs57 = 0;
376 }
377 else
378 {
379 if((!memcmp(atr + 5, "IRDETO", 6)) || (((atr[6] == 0xC4) && (atr[9] == 0x8F) && (atr[10] == 0xF1)) && reader->force_irdeto))
380 {
381 acs57 = 1;
382 acspadd = 8;
383 rdr_log(reader, "Hist. Bytes: %s", atr + 5);
384 }
385 else
386 {
387 return ERROR;
388 }
389 }
390
391 if(!cs_malloc(&reader->csystem_data, sizeof(struct irdeto_data)))
392 {
393 return ERROR;
394 }
395 struct irdeto_data *csystem_data = reader->csystem_data;
396 csystem_data->acs57 = acs57;
397
398 rdr_log(reader, "detect irdeto card");
399 if((array_has_nonzero_byte(reader->rsa_mod, 64) > 0) && (!reader->force_irdeto || csystem_data->acs57)) // we use rsa from config as camkey
400 {
401 char tmp_dbg[65];
402 rdr_log_dbg(reader, D_READER, "using camkey data from config");
403 rdr_log_dbg(reader, D_READER, " camkey: %s", cs_hexdump(0, reader->boxkey, sizeof(reader->boxkey), tmp_dbg, sizeof(tmp_dbg)));
404 if(csystem_data->acs57 == 1)
405 {
406 memcpy(&sc_Acs57CamKey[5], reader->rsa_mod, 0x40);
407 rdr_log_dbg(reader, D_READER, "camkey-data: %s", cs_hexdump(0, &sc_Acs57CamKey[5], 32, tmp_dbg, sizeof(tmp_dbg)));
408 rdr_log_dbg(reader, D_READER, "camkey-data: %s", cs_hexdump(0, &sc_Acs57CamKey[37], 32, tmp_dbg, sizeof(tmp_dbg)));
409 }
410 else
411 {
412 memcpy(&sc_GetCamKey383C[5], reader->rsa_mod, 0x40);
413 rdr_log_dbg(reader, D_READER, "camkey-data: %s", cs_hexdump(0, &sc_GetCamKey383C[5], 32, tmp_dbg, sizeof(tmp_dbg)));
414 rdr_log_dbg(reader, D_READER, "camkey-data: %s", cs_hexdump(0, &sc_GetCamKey383C[37], 32, tmp_dbg, sizeof(tmp_dbg)));
415 }
416 }
417 else
418 {
419 if(csystem_data->acs57 == 1)
420 {
421 rdr_log(reader, "WARNING: ACS57 card can require the CamKey from config");
422 }
423 else
424 {
425 memcpy(reader->boxkey, "\x11\x22\x33\x44\x55\x66\x77\x88", 8);
426 }
427 }
428
429 /*
430 * Get Irdeto Smartcard Details - version - patch level etc
431 */
432 if(csystem_data->acs57 == 0)
433 {
434 if(!irdeto_do_cmd(reader, sc_GetSCDetails, 0, cta_res, &cta_lr))
435 {
436 rdr_log(reader, "Irdeto SC %0x version %0x revision %0x, patch level %0x", cta_res[0 + acspadd], cta_res[1 + acspadd], cta_res[2 + acspadd], cta_res[5 + acspadd]);
437 }
438 }
439
440 /*
441 * CountryCode
442 */
443 if(csystem_data->acs57 == 1)
444 {
445 irdeto_do_cmd(reader, sc_Acs57Country, 0x9019, cta_res, &cta_lr);
446 int32_t acslength = cta_res[cta_lr - 1];
447 sc_Acs57_Cmd[4] = acslength;
448 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
449 }
450 else
451 {
452 reader_chk_cmd(sc_GetCountryCode, 18);
453 }
454 csystem_data->acs = (cta_res[0 + acspadd] << 8) | cta_res[1 + acspadd];
455 reader->caid = (cta_res[5 + acspadd] << 8) | cta_res[6 + acspadd];
456 memcpy(csystem_data->country_code, cta_res + 13 + acspadd, 3);
457 rdr_log(reader, "caid: %04X, acs: %x.%02x, country code: %c%c%c",
458 reader->caid, cta_res[0 + acspadd], cta_res[1 + acspadd], cta_res[13 + acspadd], cta_res[14 + acspadd], cta_res[15 + acspadd]);
459
460 /*
461 * Ascii/Hex-Serial
462 */
463 if(csystem_data->acs57 == 1)
464 {
465 irdeto_do_cmd(reader, sc_Acs57Ascii, 0x901D, cta_res, &cta_lr);
466 int32_t acslength = cta_res[cta_lr - 1];
467 sc_Acs57_Cmd[4] = acslength;
468 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
469 }
470 else
471 {
472 reader_chk_cmd(sc_GetASCIISerial, 22);
473 }
474 memcpy(buf, cta_res + acspadd, 10);
475 buf[10] = 0;
476 if(csystem_data->acs57 == 1)
477 {
478 irdeto_do_cmd(reader, sc_Acs57Hex, 0x903E, cta_res, &cta_lr);
479 int32_t acslength = cta_res[cta_lr - 1];
480 sc_Acs57_Cmd[4] = acslength;
481 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
482 }
483 else
484 {
485 reader_chk_cmd(sc_GetHEXSerial, 18);
486 }
487 reader->nprov = cta_res[10 + acspadd];
488 memcpy(reader->hexserial, cta_res + 12 + acspadd, 4);
489
490 rdr_log_sensitive(reader, "providers: %d, ascii serial: {%s}, hex serial: {%02X%02X%02X}, hex base: {%02X}",
491 reader->nprov, buf, reader->hexserial[0], reader->hexserial[1], reader->hexserial[2], reader->hexserial[3]);
492
493 /*
494 * CardFile
495 */
496 if(csystem_data->acs57 == 1)
497 {
498 irdeto_do_cmd(reader, sc_Acs57CFile, 0x9049, cta_res, &cta_lr);
499 int32_t acslength = cta_res[cta_lr - 1];
500 sc_Acs57_Cmd[4] = acslength;
501 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
502 sc_Acs57CFile[2] = 0x03;
503 sc_Acs57CFile[5]++;
504 irdeto_do_cmd(reader, sc_Acs57CFile, 0x9049, cta_res, &cta_lr);
505 acslength = cta_res[cta_lr - 1];
506 sc_Acs57_Cmd[4] = acslength;
507 sc_Acs57_Cmd[2] = 0x03;
508 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
509 sc_Acs57_Cmd[2] = 0x00;
510 }
511 else
512 {
513 for(sc_GetCardFile[2] = 2; sc_GetCardFile[2] < 4; sc_GetCardFile[2]++)
514 {
515 reader_chk_cmd(sc_GetCardFile, 0);
516 }
517 }
518
519 /*
520 * CamKey
521 */
522 if(((atr[14] == 0x03) && (atr[15] == 0x84) && (atr[16] == 0x55)) || (((atr[14] == 0x53) && (atr[15] == 0x20) && (atr[16] == 0x56))))
523 {
524 switch(reader->caid)
525 {
526 case 0x1702:
527 camkey = 1;
528 break;
529
530 case 0x1722:
531 camkey = 2;
532 break;
533
534 case 0x1762:
535 camkey = 3;
536 break;
537
538 // case 0x0624: camkey = 4; break; //ice 0D96/0624 has short ATR
539 default:
540 camkey = 5;
541 break;
542 }
543 }
544
545 if(((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666)) // acs 6.08 and ice 0D96/0624 and 0D97/0653
546 {
547 camkey = 4;
548 sc_Acs57CamKey[2] = 0;
549 }
550
551 // Dirthy hack for Ziggo will be removed when optimum values are find on these T14 cards for v2 and triple
552 // There are also other readers suffering from simmilar issue for those cards.
553 if(((reader->caid == 0x0604) || (reader->caid == 0x1722)) && (reader->typ == R_SMART) && (reader->smart_type >= 2))
554 {
555 // Quick and dirty containment for the SmargoV2,Triple and Ziggo irdeto caid: 0604 using smartreader protocol
556 camkey = 999;
557 }
558 // end dirthy hack
559
560 rdr_log_dbg(reader, D_READER, "set camkey for type=%d", camkey);
561
562 switch(camkey)
563 {
564 case 1:
565 reader_chk_cmd(sc_GetCamKey384CZ, 10);
566 break;
567
568 case 2:
569 reader_chk_cmd(sc_GetCamKey384DZ, 10);
570 break;
571
572 case 3:
573 reader_chk_cmd(sc_GetCamKey384FZ, 10);
574 break;
575
576 case 4:
577 {
578 int32_t i, crc = 61;
579 crc ^= 0x01, crc ^= 0x02, crc ^= 0x09;
580 crc ^= sc_Acs57CamKey[2], crc ^= sc_Acs57CamKey[3], crc ^= (sc_Acs57CamKey[4] + 1);
581
582 for(i = 5; i < (int)sizeof(sc_Acs57CamKey) - 1; i++)
583 {
584 crc ^= sc_Acs57CamKey[i];
585 }
586 sc_Acs57CamKey[69] = crc;
587
588 if(((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666))
589 {
590 sc_Acs57CamKey[69] = XorSum(sc_Acs57CamKey, 69) ^ 0x3f ^(sc_Acs57CamKey[0] & 0xf0) ^ 0x1b;
591 if(irdeto_do_cmd(reader, sc_Acs57CamKey, 0x9011, cta_res, &cta_lr))
592 {
593 rdr_log(reader, "You have a bad Cam Key set");
594 return ERROR;
595 }
596 }
597 else
598 {
599 irdeto_do_cmd(reader, sc_Acs57CamKey, 0x9012, cta_res, &cta_lr);
600 }
601
602 int32_t acslength = cta_res[cta_lr - 1];
603 sc_Acs57_Cmd[4] = acslength;
604 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
605 } break;
606
607 // dirthy hack ziggo nl card smartredaer v2 and triple will be removed after findings optimum T14 values for v2 and triple
608 case 999:
609 {
610 // For some reason only 4 to 5 bytes are received, while 8 bytes are expected.
611 int32_t rc;
612 rc = reader_cmd2icc(reader, sc_GetCamKey383C, sizeof(sc_GetCamKey383C), cta_res, &cta_lr);
613 rdr_log_dbg(reader, D_READER, "SmargoV2 camkey exchange containment: Ignoring returncode (%d), should have been 0.", rc);
614 rdr_log_dbg(reader, D_READER, "In case cardinit NOK and/or no entitlements, retry by restarting oscam.");
615 } break; // end dirthy hack
616
617 default:
618 if(csystem_data->acs57 == 1)
619 {
620 int32_t i, crc = 0x76;
621
622 for(i = 6; i < (int)sizeof(sc_Acs57CamKey) - 1; i++)
623 {
624 crc ^= sc_Acs57CamKey[i];
625 }
626
627 sc_Acs57CamKey[69] = crc;
628 irdeto_do_cmd(reader, sc_Acs57CamKey, 0x9012, cta_res, &cta_lr);
629 int32_t acslength = cta_res[cta_lr - 1];
630 sc_Acs57_Cmd[4] = acslength;
631 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
632 }
633 else
634 {
635 reader_chk_cmd(sc_GetCamKey383C, 0);
636 } break;
637 }
638
639 if(((reader->cardmhz != 600) && (reader->typ != R_INTERNAL)) || ((reader->typ == R_INTERNAL) && ((reader->mhz < 510) || (reader->cardmhz > 690))))
640 {
641 rdr_log(reader, "WARNING: For Irdeto cards you will have to set '%s= 600' in oscam.server", (reader->typ == R_INTERNAL ? "mhz" : "cardmhz") );
642 }
643
644 return irdeto_card_init_provider(reader);
645}
646
647int32_t irdeto_do_ecm(struct s_reader *reader, const ECM_REQUEST *er, struct s_ecm_answer *ea)
648{
649 def_resp;
650 cta_lr = 0; // suppress compiler error
651 static const uint8_t sc_EcmCmd[] = { 0x05, 0x00, 0x00, 0x02, 0x00 };
652 uint8_t sc_Acs57Ecm[] = { 0xD5, 0x00, 0x00, 0x02, 0x00 };
653 uint8_t sc_Acs57_Cmd[] = { ACS57ECM, 0xFE, 0x00, 0x00, 0x00 };
654 uint8_t cta_cmd[MAX_ECM_SIZE];
655 struct irdeto_data *csystem_data = reader->csystem_data;
656
657 int32_t i = 0, acspadd = 0;
658 if(csystem_data->acs57 == 1)
659 {
660 int32_t crc = 63;
661 sc_Acs57Ecm[4] = er->ecm[2] - 2;
662 if(((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666)) //crc for orf, cslink, skylink, upcdirect
663 {
664 sc_Acs57Ecm[2] = 0;
665 crc ^= 0x01;
666 crc ^= 0x05;
667 crc ^= sc_Acs57Ecm[2];
668 crc ^= sc_Acs57Ecm[3];
669 crc ^= (sc_Acs57Ecm[4] - 1);
670
671 for(i = 6; i < er->ecm[2] + 4; i++)
672 {
673 crc ^= er->ecm[i];
674 }
675 }
676 else
677 {
678 sc_Acs57Ecm[2] = er->ecm[6];
679 crc ^= 0x01;
680 crc ^= 0x05;
681 crc ^= sc_Acs57Ecm[2];
682 crc ^= sc_Acs57Ecm[3];
683 crc ^= (sc_Acs57Ecm[4] - 1);
684
685 for(i = 6; i < er->ecm[3] - 5; i++)
686 {
687 crc ^= er->ecm[i];
688 }
689 }
690
691 memcpy(cta_cmd, sc_Acs57Ecm, sizeof(sc_Acs57Ecm));
692 memcpy(cta_cmd + 5, er->ecm + 6, er->ecm[2] - 1);
693 cta_cmd[er->ecm[2] + 2] = crc;
694
695 irdeto_do_cmd(reader, cta_cmd, 0, cta_res, &cta_lr);
696 int32_t acslength = cta_res[cta_lr - 1];
697
698 // If acslength != 0x1F you don't have the entitlements or you camkey is bad
699 if(acslength != 0x1F)
700 {
701 switch(acslength)
702 {
703 case 0x09:
704 rdr_log(reader, "Maybe you don't have the entitlements for this channel");
705 break;
706
707 default:
708 rdr_log(reader, "Maybe you have a bad Cam Key set it from config file");
709 break;
710 }
711 return ERROR;
712 }
713 sc_Acs57_Cmd[4] = acslength;
714 cta_lr = 0;
715 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
716 acspadd = 8;
717 }
718 else
719 {
720 memcpy(cta_cmd, sc_EcmCmd, sizeof(sc_EcmCmd));
721 cta_cmd[4] = (er->ecm[2]) - 3;
722 memcpy(cta_cmd + sizeof(sc_EcmCmd), &er->ecm[6], cta_cmd[4]);
723
724 int32_t try = 1;
725 int32_t ret;
726 do
727 {
728 if(try > 1)
729 {
730 snprintf(ea->msglog, MSGLOGSIZE, "%.22s irdeto_do_cmd try nr %i", reader->label, try);
731 }
732
733 ret = (irdeto_do_cmd(reader, cta_cmd, 0x9D00, cta_res, &cta_lr));
734 ret = ret || (cta_lr < 24);
735 if(ret)
736 {
737 switch(cta_res[cta_lr - 2])
738 {
739 case 0x26: // valid for V6 and V7 cards *26 rare case card gets locked if bad EMM being written
740 {
741 snprintf(ea->msglog, MSGLOGSIZE, "%.19s cardstatus: LOCKED", reader->label);
742 return E_CORRUPT;
743 }
744
745 case 0x27: // valid for V6 and V7 cards Time sync EMMs
746 {
747 snprintf(ea->msglog, MSGLOGSIZE, "%.23s need global EMMs first", reader->label);
748 return E_CORRUPT;
749 }
750
751 case 0x33: // valid for all cards *33 comes in 2 cases Either Card Requires to be init with Dynamic RSA AKA cmd28/A0 or Pairing Enabled
752 {
753 snprintf(ea->msglog, MSGLOGSIZE, "%.26s dynamic RSA init or pairing enabled", reader->label);
754 return ERROR;
755 }
756
757 case 0x35: // valid for V6 and V7 cards Time sync EMMs
758 {
759 snprintf(ea->msglog, MSGLOGSIZE, "%.23s need global EMMs first", reader->label);
760 return E_CORRUPT;
761 }
762
763 case 0x90: // valid for all cards
764 {
765 snprintf(ea->msglog, MSGLOGSIZE,"%.26s unsubscribed channel or chid missing", reader->label);
766 return ERROR;
767 }
768
769 case 0x92: // valid for all cards
770 {
771 snprintf(ea->msglog, MSGLOGSIZE,"%.22s regional chid missing", reader->label);
772 return ERROR;
773 }
774
775 case 0x9E: // valid for all cards *9E comes in 2 cases if card not fully updated OR if pairing Enabled
776 {
777 if(cta_res[cta_lr - 1] == 0x65)
778 {
779 snprintf(ea->msglog, MSGLOGSIZE,"%.24s chipset pairing enabled", reader->label);
780 return ERROR;
781 }
782 else
783 {
784 snprintf(ea->msglog, MSGLOGSIZE,"%.11s needs EMMs", reader->label);
785 return E_CORRUPT;
786 }
787 }
788
789 case 0xA0: // valid for all cards
790 {
791 snprintf(ea->msglog, MSGLOGSIZE,"%.17s surflock enabled", reader->label);
792 return E_CORRUPT;
793 }
794
795 default: // all other error status
796 {
797 snprintf(ea->msglog, MSGLOGSIZE, "%.16s irdeto_do_cmd [%d] %02x %02x", reader->label, cta_lr, cta_res[cta_lr - 2], cta_res[cta_lr - 1]);
798 break;
799 }
800 }
801 }
802 try++;
803 }
804 while((try < 3) && (ret));
805
806 if(ret)
807 {
808 return ERROR;
809 }
810 }
811
812 if((cta_res[5]== 0x36) || (cta_res[5]== 0x37) || (cta_res[5]== 0x24) || (cta_res[5]== 0x25))
813 {
814 snprintf(ea->msglog, MSGLOGSIZE, "cw needs tweaking");
815 }
816
817 ReverseSessionKeyCrypt(reader->boxkey, cta_res + 6 + acspadd);
818 ReverseSessionKeyCrypt(reader->boxkey, cta_res + 14 + acspadd);
819 memcpy(ea->cw, cta_res + 6 + acspadd, 16);
820 return OK;
821}
822
823static int32_t irdeto_get_emm_type(EMM_PACKET *ep, struct s_reader *rdr)
824{
825 int32_t i, l = (ep->emm[3] & 0x07);
826 int32_t base = (ep->emm[3] >> 3);
827 char dumprdrserial[l * 3], dumpemmserial[l * 3];
828
829 rdr_log_dbg(rdr, D_EMM, "Entered irdeto_get_emm_type ep->emm[3]=%02x", ep->emm[3]);
830
831 switch(l)
832 {
833 case 0:
834 // global emm, 0 bytes addressed
835 ep->type = GLOBAL;
836 rdr_log_dbg(rdr, D_EMM, "GLOBAL base = %02x", base);
837
838 if(base & 0x10) // hex serial based?
839 {
840 if(base == rdr->hexserial[3]) // does base match?
841 {
842 return 1;
843 }
844 else
845 {
846 return 0; // base doesnt match!
847 }
848 }
849 else
850 {
851 return 1;
852 } // provider based, match all!
853
854 case 2:
855 // shared emm, 2 bytes addressed
856 ep->type = SHARED;
857 memset(ep->hexserial, 0, 8);
858 memcpy(ep->hexserial, ep->emm + 4, l);
859#ifdef WITH_DEBUG
860 if(cs_dblevel & D_EMM)
861 {
862 cs_hexdump(1, rdr->hexserial, l, dumprdrserial, sizeof(dumprdrserial));
863 cs_hexdump(1, ep->hexserial, l, dumpemmserial, sizeof(dumpemmserial));
864 }
865#endif
866 rdr_log_dbg_sensitive(rdr, D_EMM, "SHARED l = %d ep = {%s} rdr = {%s} base = %02x",
867 l, dumpemmserial, dumprdrserial, base);
868
869 if(base & 0x10)
870 {
871 // hex addressed
872 return ((base == rdr->hexserial[3]) && (!memcmp(ep->emm + 4, rdr->hexserial, l)));
873 }
874 else
875 {
876 if(!memcmp(ep->emm + 4, rdr->hexserial, l))
877 {
878 return 1;
879 }
880
881 // provider addressed
882 for(i = 0; i < rdr->nprov; i++)
883 {
884 if((base == rdr->prid[i][0]) && (!memcmp(ep->emm + 4, &rdr->prid[i][1], l)))
885 {
886 return 1;
887 }
888 }
889 }
890 rdr_log_dbg(rdr, D_EMM, "neither hex nor provider addressed or unknown provider id");
891 return 0;
892
893 case 3:
894 // unique emm, 3 bytes addressed
895 ep->type = UNIQUE;
896 memset(ep->hexserial, 0, 8);
897 memcpy(ep->hexserial, ep->emm + 4, l);
898
899#ifdef WITH_DEBUG
900 if(cs_dblevel & D_EMM)
901 {
902 cs_hexdump(1, rdr->hexserial, l, dumprdrserial, sizeof(dumprdrserial));
903 cs_hexdump(1, ep->hexserial, l, dumpemmserial, sizeof(dumpemmserial));
904 rdr_log_dbg_sensitive(rdr, D_EMM, "UNIQUE l = %d ep = {%s} rdr = {%s} base = %02x",
905 l, dumpemmserial, dumprdrserial, base);
906 }
907#endif
908 if(base & 0x10) // unique hex addressed
909 {
910 return ((base == rdr->hexserial[3]) && (!memcmp(ep->emm + 4, rdr->hexserial, l)));
911 }
912 else
913 {
914 if(!memcmp(ep->emm + 4, rdr->hexserial, l))
915 {
916 return 1;
917 }
918
919 // unique provider addressed
920 for(i = 0; i < rdr->nprov; i++)
921 {
922 if((base == rdr->prid[i][0]) && (!memcmp(ep->emm + 4, &rdr->prid[i][1], l)))
923 {
924 return 1;
925 }
926 }
927 }
928 rdr_log_dbg(rdr, D_EMM, "neither hex nor provider addressed or unknown provider id");
929 return 0;
930
931 default:
932 ep->type = UNKNOWN;
933 rdr_log_dbg(rdr, D_EMM, "UNKNOWN");
934 return 1;
935 }
936}
937
938static int32_t irdeto_get_emm_filter(struct s_reader *rdr, struct s_csystem_emm_filter **emm_filters, unsigned int *filter_count)
939{
940 if(*emm_filters == NULL)
941 {
942 const unsigned int max_filter_count = 3 + (rdr->nprov * 2);
943 if(!cs_malloc(emm_filters, max_filter_count * sizeof(struct s_csystem_emm_filter)))
944 {
945 return ERROR;
946 }
947
948 struct s_csystem_emm_filter *filters = *emm_filters;
949 *filter_count = 0;
950
951 unsigned int idx = 0;
952
953 filters[idx].type = EMM_GLOBAL;
954 filters[idx].enabled = 1;
955 filters[idx].filter[0] = 0x82;
956 filters[idx].mask[0] = 0xFF;
957 filters[idx].filter[1] = 0xF8;
958 filters[idx].mask[1] = 0x07;
959 idx++;
960
961 filters[idx].type = EMM_UNIQUE;
962 filters[idx].enabled = 1;
963 filters[idx].filter[0] = 0x82;
964 filters[idx].mask[0] = 0xFF;
965 filters[idx].filter[1] = 0xFB;
966 filters[idx].mask[1] = 0x07;
967 memcpy(&filters[idx].filter[2], rdr->hexserial, 3);
968 memset(&filters[idx].mask[2], 0xFF, 3);
969 idx++;
970
971 // Shared on Hex Serial only for Betacrypt
972 if(caid_is_betacrypt(rdr->caid))
973 {
974 filters[idx].type = EMM_SHARED;
975 filters[idx].enabled = 1;
976 filters[idx].filter[0] = 0x82;
977 filters[idx].mask[0] = 0xFF;
978 filters[idx].filter[1] = 0xFA;
979 filters[idx].mask[1] = 0x07;
980 memcpy(&filters[idx].filter[2], rdr->hexserial, 2);
981 memset(&filters[idx].mask[2], 0xFF, 2);
982 idx++;
983 }
984
985 int32_t i;
986 for(i = 0; i < rdr->nprov; i++)
987 {
988 // 00XX00 provider is a not initialised not used provider
989 if((rdr->prid[i][1] == 0xFF) || ((rdr->prid[i][1] == 0x00) && (rdr->prid[i][3] == 0x00) && (rdr->caid != 0x0647)))
990 {
991 continue;
992 }
993
994 filters[idx].type = EMM_UNIQUE;
995 filters[idx].enabled = 1;
996 filters[idx].filter[0] = 0x82;
997 filters[idx].mask[0] = 0xFF;
998 filters[idx].filter[1] = 0xFB;
999 filters[idx].mask[1] = 0x07;
1000 memcpy(&filters[idx].filter[2], &rdr->prid[i][1], 3);
1001 memset(&filters[idx].mask[2], 0xFF, 3);
1002 idx++;
1003
1004 filters[idx].type = EMM_SHARED;
1005 filters[idx].enabled = 1;
1006 filters[idx].filter[0] = 0x82;
1007 filters[idx].mask[0] = 0xFF;
1008 filters[idx].filter[1] = 0xFA;
1009 filters[idx].mask[1] = 0x07;
1010 memcpy(&filters[idx].filter[2], &rdr->prid[i][1], 2);
1011 memset(&filters[idx].mask[2], 0xFF, 2);
1012 idx++;
1013 }
1014
1015 *filter_count = idx;
1016 }
1017
1018 return OK;
1019}
1020
1021static int32_t irdeto_get_tunemm_filter(struct s_reader *rdr, struct s_csystem_emm_filter **emm_filters, unsigned int *filter_count)
1022{
1023 if(*emm_filters == NULL)
1024 {
1025 const unsigned int max_filter_count = 3;
1026 if(!cs_malloc(emm_filters, max_filter_count * sizeof(struct s_csystem_emm_filter)))
1027 {
1028 return ERROR;
1029 }
1030
1031 struct s_csystem_emm_filter *filters = *emm_filters;
1032 *filter_count = 0;
1033
1034 unsigned int idx = 0;
1035
1036 filters[idx].type = EMM_GLOBAL;
1037 filters[idx].enabled = 1;
1038 filters[idx].filter[0] = 0x82;
1039 filters[idx].mask[0] = 0xFF;
1040 idx++;
1041
1042 filters[idx].type = EMM_SHARED;
1043 filters[idx].enabled = 1;
1044 filters[idx].filter[0] = 0x83;
1045 filters[idx].filter[1] = rdr->hexserial[1];
1046 filters[idx].filter[2] = rdr->hexserial[0];
1047 filters[idx].filter[3] = 0x10;
1048 filters[idx].filter[4] = 0x00;
1049 filters[idx].filter[5] = 0x10;
1050 memset(&filters[idx].mask[0], 0xFF, 6);
1051 idx++;
1052
1053 filters[idx].type = EMM_UNIQUE;
1054 filters[idx].enabled = 1;
1055 filters[idx].filter[0] = 0x83;
1056 filters[idx].filter[1] = rdr->hexserial[1];
1057 filters[idx].filter[2] = rdr->hexserial[0];
1058 filters[idx].filter[3] = 0x10;
1059 filters[idx].filter[4] = rdr->hexserial[2];
1060 filters[idx].filter[5] = 0x00;
1061 memset(&filters[idx].mask[0], 0xFF, 6);
1062 idx++;
1063
1064 *filter_count = idx;
1065 }
1066
1067 return OK;
1068}
1069
1070void irdeto_add_emm_header(EMM_PACKET *ep)
1071{
1072 uint8_t bt_emm[MAX_EMM_SIZE];
1073 static const char *typtext[] = { "unknown", "unique", "shared", "global" };
1074 memset(bt_emm, 0, sizeof(bt_emm));
1075
1076 ep->type = UNKNOWN;
1077 if((ep->emm[0] == 0x83) && (ep->emm[5] == 0x10))
1078 {
1079 if(ep->emm[7] == 0x00)
1080 {
1081 ep->type = UNIQUE;
1082 }
1083 else
1084 {
1085 ep->type = SHARED;
1086 }
1087 }
1088 else
1089 {
1090 if(ep->emm[0] == 0x82)
1091 {
1092 ep->type = GLOBAL;
1093 }
1094 }
1095
1096 if((ep->type != UNKNOWN) && (ep->emmlen == 142))
1097 {
1098 cs_log_dbg(D_EMM, "[TUN_EMM] Type: %s - rewriting header", typtext[ep->type]);
1099 }
1100 else
1101 {
1102 return;
1103 }
1104
1105 // BETACRYPT/IRDETO EMM HEADER:
1106 static uint8_t headerD0[6] = { 0x82, 0x70, 0x89, 0xd0, 0x01, 0x00 }; // GLOBAL
1107 static uint8_t headerD2[8] = { 0x82, 0x70, 0x8b, 0xd2, 0x00, 0x00, 0x01, 0x00 }; // SHARED
1108 static uint8_t headerD3[9] = { 0x82, 0x70, 0x8c, 0xd3, 0x00, 0x00, 0x00, 0x01, 0x00 }; // UNIQUE
1109
1110 switch(ep->type)
1111 {
1112 case UNIQUE:
1113 memcpy(bt_emm, headerD3, sizeof(headerD3));
1114 memcpy(bt_emm + sizeof(headerD3), ep->emm + 8, ep->emmlen - 8);
1115 bt_emm[4] = ep->emm[4];
1116 bt_emm[5] = ep->emm[3];
1117 bt_emm[6] = ep->emm[6];
1118 ep->emmlen = 143;
1119 break;
1120
1121 case SHARED:
1122 memcpy(bt_emm, headerD2, sizeof(headerD2));
1123 memcpy(bt_emm + sizeof(headerD2), ep->emm + 8, ep->emmlen - 8);
1124 bt_emm[4] = ep->emm[4];
1125 bt_emm[5] = ep->emm[3];
1126 ep->emmlen = 142;
1127 break;
1128
1129 case GLOBAL:
1130 memcpy(bt_emm, headerD0, sizeof(headerD0));
1131 memcpy(bt_emm + sizeof(headerD0), ep->emm + 8, ep->emmlen - 8);
1132 ep->emmlen = 140;
1133 break;
1134 }
1135 memcpy(ep->emm, bt_emm, sizeof(bt_emm));
1136}
1137
1138#define ADDRLEN 4 // Address length in EMM commands
1139
1140static int32_t irdeto_do_emm(struct s_reader *reader, EMM_PACKET *ep)
1141{
1142 def_resp;
1143 static const uint8_t sc_EmmCmd[] = { 0x01, 0x00, 0x00, 0x00, 0x00 };
1144 static uint8_t sc_Acs57Emm[] = { 0xD1, 0x00, 0x00, 0x00, 0x00 };
1145 uint8_t sc_Acs57_Cmd[] = { ACS57EMM, 0xFE, 0x00, 0x00, 0x00 };
1146 struct irdeto_data *csystem_data = reader->csystem_data;
1147 uint8_t cta_cmd[272];
1148
1149 if(ep->emm[0] != 0x82)
1150 {
1151 rdr_log_dbg(reader, D_EMM, "Invalid EMM: Has to start with 0x82, but starts with %02x!", ep->emm[0]);
1152 return ERROR;
1153 }
1154
1155 int32_t i, l = (ep->emm[3] & 0x07), ok = 0;
1156 int32_t mode = (ep->emm[3] >> 3);
1157 uint8_t *emm = ep->emm;
1158
1159 if(mode & 0x10)
1160 {
1161 // hex addressed
1162 ok = ((mode == reader->hexserial[3]) && ((!l) || (!memcmp(&emm[4], reader->hexserial, l))));
1163 }
1164 else
1165 {
1166 ok = !memcmp(&emm[4], reader->hexserial, l);
1167
1168 // provider addressed
1169 for(i = 0; i < reader->nprov && !ok; i++)
1170 {
1171 ok = ((mode == reader->prid[i][0]) && ((!l) || (!memcmp(&emm[4], &reader->prid[i][1], l))));
1172 }
1173 }
1174
1175 if(ok)
1176 {
1177 l++;
1178 if(l <= ADDRLEN)
1179 {
1180 if(csystem_data->acs57 == 1)
1181 {
1182 int32_t dataLen = 0;
1183
1184 if(ep->type == UNIQUE)
1185 {
1186 dataLen = ep->emm[2] - 1;
1187 }
1188 else
1189 {
1190 dataLen = ep->emm[2];
1191 }
1192
1193 if((dataLen < 7) || (dataLen > ((int32_t)sizeof(ep->emm) - 6)) || (dataLen > ((int32_t)sizeof(cta_cmd) - 9)))
1194 {
1195 rdr_log_dbg(reader, D_EMM, "dataLen %d seems wrong, faulty EMM?", dataLen);
1196 return ERROR;
1197 }
1198
1199 if((ep->type == GLOBAL) && (((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666)))
1200 {
1201 dataLen += 2;
1202 }
1203
1204 int32_t crc = 63;
1205 sc_Acs57Emm[4] = dataLen;
1206 memcpy(&cta_cmd, sc_Acs57Emm, sizeof(sc_Acs57Emm));
1207 crc ^= 0x01;
1208 crc ^= 0x01;
1209 crc ^= 0x00;
1210 crc ^= 0x00;
1211 crc ^= 0x00;
1212 crc ^= (dataLen - 1);
1213 memcpy(&cta_cmd[5], &ep->emm[3], 10);
1214
1215 if(ep->type == UNIQUE)
1216 {
1217 memcpy(&cta_cmd[9], &ep->emm[9], dataLen - 4);
1218 }
1219 else
1220 {
1221 if((ep->type == GLOBAL) && (((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666)))
1222 {
1223 memcpy(&cta_cmd[9], &ep->emm[6], 1);
1224 memcpy(&cta_cmd[10], &ep->emm[7], dataLen - 6);
1225 // cta_cmd[9]=0x00;
1226 }
1227 else if(((reader->caid == 0x0624) && (csystem_data->acs57 == 1)) || (reader->caid == 0x0648) || (reader->caid == 0x0650) || (reader->caid == 0x0653) || (reader->caid == 0x0666)) //only orf, cslink, skylink, upcdirect
1228 {
1229 memcpy(&cta_cmd[9], &ep->emm[8], dataLen - 4);
1230 }
1231 else
1232 {
1233 memcpy(&cta_cmd[10], &ep->emm[9], dataLen - 6);
1234 }
1235 }
1236
1237 for(i = 5; i < dataLen + 4; i++)
1238 {
1239 crc ^= cta_cmd[i];
1240 }
1241
1242 cta_cmd[dataLen - 1 + 5] = crc;
1243 irdeto_do_cmd(reader, cta_cmd, 0, cta_res, &cta_lr);
1244 int32_t acslength = cta_res[cta_lr - 1];
1245 sc_Acs57_Cmd[4] = acslength;
1246 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
1247
1248 rdr_log_dbg(reader, D_EMM,"response %02X %02X %02X %02X %02X (%s)",
1249 cta_res[0], cta_res[1], cta_res[2], cta_res[3], cta_res[4],
1250 (((cta_res[2] == 0) || (cta_res[2] == 0x7B) || (cta_res[2] == 0x7C)) ? "OK" : "ERROR"));
1251
1252 if((cta_res[2] == 0x7B) || (cta_res[2] == 0x7C)) // chid already written or chid already up to date
1253 {
1254 return SKIPPED;
1255 }
1256
1257 if(cta_res[2] == 0x00)
1258 {
1259 return OK;
1260 }
1261 return ERROR; // all other
1262 }
1263 else // non acs57 based cards
1264 {
1265 const int32_t dataLen = SCT_LEN(emm) - 5 - l; // sizeof of emm bytes (nanos)
1266
1267 if((dataLen < 1) || (dataLen > ((int32_t)sizeof(ep->emm) - 5 - l))
1268 || (dataLen > ((int32_t)sizeof(cta_cmd) - (int32_t)sizeof(sc_EmmCmd) - ADDRLEN)))
1269 {
1270 rdr_log_dbg(reader, D_EMM, "dataLen %d seems wrong, faulty EMM?", dataLen);
1271 return ERROR;
1272 }
1273
1274 uint8_t *ptr = cta_cmd;
1275 memcpy(ptr, sc_EmmCmd, sizeof(sc_EmmCmd)); // copy card command
1276 ptr[4] = dataLen + ADDRLEN; // set card command emm size
1277 ptr += sizeof(sc_EmmCmd);
1278 emm += 3;
1279 memset(ptr, 0, ADDRLEN); // clear addr range
1280 memcpy(ptr, emm, l); // copy addr bytes
1281 ptr += ADDRLEN;
1282 emm += l;
1283 memcpy(ptr, &emm[2], dataLen); // copy emm bytes]
1284 irdeto_do_cmd(reader, cta_cmd, 0, cta_res, &cta_lr);
1285
1286 rdr_log_dbg(reader, D_EMM,"response %02X %02X %02X %02X %02X (%s)",
1287 cta_res[0], cta_res[1], cta_res[2], cta_res[3], cta_res[4],
1288 (((cta_res[cta_lr-2] == 0) || (cta_res[cta_lr-2] == 0x7B) || (cta_res[cta_lr-2] == 0x7C)) ? "OK" : "ERROR"));
1289
1290 if((cta_res[cta_lr-2] == 0x7B) || (cta_res[cta_lr-2] == 0x7C)) // chid already written or chid already up to date
1291 {
1292 return SKIPPED;
1293 }
1294
1295 if(cta_res[cta_lr-2] == 0x00)
1296 {
1297 return OK;
1298 }
1299
1300 return ERROR; // all other
1301 }
1302 }
1303 else
1304 {
1305 rdr_log_dbg(reader, D_EMM, "addrlen %d > %d", l, ADDRLEN);
1306 return ERROR;
1307 }
1308 }
1309 else
1310 {
1311 rdr_log_dbg(reader, D_EMM, "EMM skipped since its hexserial or base doesnt match with this card!");
1312 return SKIPPED;
1313 }
1314}
1315
1316static int32_t irdeto_card_info(struct s_reader *reader)
1317{
1318 def_resp;
1319 int32_t i, p;
1320 struct irdeto_data *csystem_data = reader->csystem_data;
1321
1322 cs_clear_entitlement(reader); // reset the entitlements
1323
1324 uint8_t sc_GetChanelIds[] = { 0x02, 0x04, 0x00, 0x00, 0x01, 0x00 };
1325 uint8_t sc_Acs57Code[] = { 0xD2, 0x16, 0x00, 0x00, 0x01 , 0x37 };
1326 uint8_t sc_Acs57Prid[] = { 0xD2, 0x08, 0x00, 0x00, 0x02, 0x00, 0x00 };
1327 uint8_t sc_Acs57_Cmd[] = { ACS57GET, 0xFE, 0x00, 0x00, 0x00 };
1328
1329 /*
1330 * ContryCode2
1331 */
1332 int32_t acspadd = 0;
1333 if(csystem_data->acs57 == 1)
1334 {
1335 acspadd = 8;
1336 reader_chk_cmd(sc_Acs57Code, 0);
1337 int32_t acslength = cta_res[cta_lr - 1];
1338 sc_Acs57_Cmd[4] = acslength;
1339 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
1340 }
1341 else
1342 {
1343 reader_chk_cmd(sc_GetCountryCode2, 0);
1344 }
1345
1346 if(((cta_lr > 9) && !(cta_res[cta_lr - 2] | cta_res[cta_lr - 1])) || (csystem_data->acs57 == 1))
1347 {
1348 rdr_log_dbg(reader, D_READER, "max chids: %d, %d, %d, %d",
1349 cta_res[6 + acspadd], cta_res[7 + acspadd], cta_res[8 + acspadd], cta_res[9 + acspadd]);
1350
1351 /*
1352 * Provider 2
1353 */
1354 for(i = p = 0; i < reader->nprov; i++)
1355 {
1356 int32_t j, k, chid, first = 1;
1357 char t[32];
1358
1359 if(reader->prid[i][4] != 0xff)
1360 {
1361 p++;
1362 sc_Acs57Prid[3] = i;
1363 sc_GetChanelIds[3] = i; // provider at index i
1364 j = 0;
1365
1366 // for (j=0; j<10; j++) => why 10 .. do we know for sure the there are only 10 chids !!!
1367 // shouldn't it me the max chid value we read above ?!
1368
1369 while(1) // will exit if cta_lr < 61 .. which is the correct break condition.
1370 {
1371 if(csystem_data->acs57 == 1)
1372 {
1373 int32_t crc = 63;
1374 sc_Acs57Prid[5] = j;
1375 crc ^= 0x01;
1376 crc ^= 0x02;
1377 crc ^= 0x04;
1378 crc ^= sc_Acs57Prid[2];
1379 crc ^= sc_Acs57Prid[3];
1380 crc ^= (sc_Acs57Prid[4] - 1);
1381 crc ^= sc_Acs57Prid[5];
1382 sc_Acs57Prid[6] = crc;
1383 irdeto_do_cmd(reader, sc_Acs57Prid, 0x903C, cta_res, &cta_lr);
1384 int32_t acslength = cta_res[cta_lr - 1];
1385
1386 if(acslength == 0x09)
1387 {
1388 break;
1389 }
1390
1391 sc_Acs57_Cmd[4] = acslength;
1392 reader_chk_cmd(sc_Acs57_Cmd, acslength + 2);
1393
1394 if(cta_res[10] == 0xFF)
1395 {
1396 break;
1397 }
1398
1399 cta_res[cta_lr - 3] = 0xff;
1400 cta_res[cta_lr - 2] = 0xff;
1401 cta_res[cta_lr - 1] = 0xff;
1402 acspadd = 8;
1403 }
1404 else
1405 {
1406 sc_GetChanelIds[5] = j; // chid at index j for provider at index i
1407 reader_chk_cmd(sc_GetChanelIds, 0);
1408 }
1409
1410 // if (cta_lr<61) break; // why 61 (0 to 60 in steps of 6 .. is it 10*6 from the 10 in the for loop ?
1411 // what happen if the card only send back.. 9 chids (or less)... we don't see them
1412 // so we should check whether or not we have at least 6 bytes (1 chid).
1413 if(cta_lr < 6)
1414 {
1415 break;
1416 }
1417
1418 for(k = 0 + acspadd; k < cta_lr; k += 6)
1419 {
1420 chid = b2i(2, cta_res + k);
1421 if(chid && chid != 0xFFFF)
1422 {
1423 time_t date, start_t, end_t;
1424
1425 start_t = chid_date(reader, date = b2i(2, cta_res + k + 2), t, 16);
1426 end_t = chid_date(reader, date + cta_res[k + 4], t + 16, 16);
1427
1428 // todo: add entitlements to list but produces a warning related to date variable
1429 cs_add_entitlement(reader, reader->caid, b2i(3, &reader->prid[i][1]), chid, 0, start_t, end_t, 3, 1);
1430
1431 if(first)
1432 {
1433 rdr_log(reader, "entitlements for provider: %d, id: %06X", p, b2i(3, &reader->prid[i][1]));
1434 first = 0;
1435 }
1436 rdr_log(reader, "chid: %04X, date: %s - %s", chid, t, t + 16);
1437 }
1438 }
1439 j++;
1440 }
1441 }
1442 }
1443 }
1444 rdr_log(reader, "ready for requests");
1445 return OK;
1446}
1447
1448const struct s_cardsystem reader_irdeto =
1449{
1450 .desc = "irdeto",
1451 .caids = (uint16_t[]){ 0x06, 0x17, 0 },
1452 .do_emm = irdeto_do_emm,
1453 .do_ecm = irdeto_do_ecm,
1454 .card_info = irdeto_card_info,
1455 .card_init = irdeto_card_init,
1456 .get_emm_type = irdeto_get_emm_type,
1457 .get_emm_filter = irdeto_get_emm_filter,
1458 .get_tunemm_filter = irdeto_get_tunemm_filter,
1459};
1460
1461#endif
Note: See TracBrowser for help on using the repository browser.