source: trunk/reader-nagra.c@ 3181

Last change on this file since 3181 was 3181, checked in by dingo35, 10 years ago

Adding threadsafety FIXMEs, feel free to join checking..

File size: 27.9 KB
Line 
1//FIXME Not checked on threadsafety yet; after checking please remove this line
2#include "globals.h"
3#include "reader-common.h"
4#include "cscrypt/idea.h"
5#include <termios.h>
6#include <unistd.h>
7
8// Card Status checks
9#define HAS_CW() ((reader->cam_state[2]&6)==6)
10#define RENEW_SESSIONKEY() ((reader->cam_state[0]&128)==128 || (reader->cam_state[0]&64)==64 || (reader->cam_state[0]&32)==32 || (reader->cam_state[2]&8)==8)
11#define SENDDATETIME() (reader->cam_state[0]&8)
12// Datatypes
13#define DT01 0x01
14#define IRDINFO 0x00
15#define TIERS 0x05
16#define DT06 0x06
17#define CAMDATA 0x08
18
19#define MAX_REC 20
20#define SYSTEM_NAGRA 0x1800
21#define SYSTEM_MASK 0xFF00
22
23
24static time_t tier_date(ulong date, char *buf, int l)
25{
26 time_t ut=870393600L+date*(24*3600);
27 if (buf)
28 {
29 struct tm *t;
30 t=gmtime(&ut);
31 snprintf(buf, l, "%04d/%02d/%02d", t->tm_year+1900, t->tm_mon+1, t->tm_mday);
32 }
33 return(ut);
34}
35
36static int do_cmd(struct s_reader * reader, unsigned char cmd, int ilen, unsigned char res, int rlen, unsigned char *data, unsigned char * cta_res, unsigned short * p_cta_lr)
37{
38 /*
39 here we build the command related to the protocol T1 for ROM142 or T14 for ROM181
40 the only different that i know is the command length byte msg[4], this msg[4]+=1 by a ROM181 smartcard (_nighti_)
41 one example for the cmd$C0
42 T14 protocol: 01 A0 CA 00 00 03 C0 00 06 91
43 T1 protocol: 21 00 08 A0 CA 00 00 02 C0 00 06 87
44 */
45 int msglen=ilen+6;
46 unsigned char msg[msglen];
47 static const char nagra_head[] = {0xA0, 0xCA, 0x00, 0x00};
48
49 memset(msg, 0, msglen);
50 memcpy(msg,nagra_head,4);
51 msg[4] = ilen;
52 msg[5] = cmd;
53 int dlen=ilen-2;
54 msg[6] = dlen;
55 if(data && dlen>0) memcpy(msg+7,data,dlen);
56 msg[dlen+7] = rlen;
57 if (dlen<0)
58 {
59 cs_debug("[nagra-reader] invalid data length encountered");
60 return ERROR;
61 }
62 if (reader->is_pure_nagra==1)
63 {
64 msg[4]+=1;
65 }
66 if(!reader_cmd2icc(reader, msg,msglen, cta_res, p_cta_lr))
67 {
68 cs_sleepms(5);
69 if(cta_res[0]!=res)
70 {
71 cs_debug("[nagra-reader] result not expected (%02x != %02x)",cta_res[0],res);
72 return ERROR;
73 }
74 if((*p_cta_lr-2)!=rlen)
75 {
76 cs_debug("[nagra-reader] result length expected (%d != %d)",(*p_cta_lr-2),rlen);
77 return ERROR;
78 }
79 return *p_cta_lr;
80 }
81 return ERROR;
82}
83
84static void ReverseMem(unsigned char *vIn, int len)
85{
86 unsigned char temp;
87 int i;
88 for(i=0; i < (len/2); i++)
89 {
90 temp = vIn[i];
91 vIn[i] = vIn[len-i-1];
92 vIn[len-i-1] = temp;
93 }
94}
95
96static void Signature(unsigned char *sig, const unsigned char *vkey,const unsigned char *msg, int len)
97{
98 IDEA_KEY_SCHEDULE ks;
99 unsigned char v[8];
100 unsigned char b200[16];
101 unsigned char b0f0[8];
102 memcpy(b200,vkey,sizeof(b200));
103 int i;
104 int j;
105 for(i=0; i<len; i+=8)
106 {
107 idea_set_encrypt_key(b200,&ks);
108 memset(v,0,sizeof(v));
109 idea_cbc_encrypt(msg+i,b0f0,8,&ks,v,IDEA_DECRYPT);
110 for(j=7; j>=0; j--) b0f0[j]^=msg[i+j];
111 memcpy(b200+0,b0f0,8);
112 memcpy(b200+8,b0f0,8);
113 }
114 memcpy(sig,b0f0,8);
115 return;
116}
117
118static int CamStateRequest(struct s_reader * reader)
119{
120 def_resp;
121 if(do_cmd(reader, 0xC0,0x02,0xB0,0x06,NULL,cta_res,&cta_lr))
122 {
123 memcpy(reader->cam_state,cta_res+3,3);
124 cs_debug("[nagra-reader] Camstate: %s",cs_hexdump (1, reader->cam_state, 3));
125 }
126 else
127 {
128 cs_debug("[nagra-reader] CamStateRequest failed");
129 return ERROR;
130 }
131 return OK;
132}
133
134static void DateTimeCMD(struct s_reader * reader)
135{
136 def_resp;
137 if (!do_cmd(reader, 0xC8,0x02,0xB8,0x06,NULL,cta_res,&cta_lr))
138 {
139 cs_debug("[nagra-reader] DateTimeCMD failed!");
140 }
141
142}
143
144static int NegotiateSessionKey_Tiger(struct s_reader * reader)
145{
146 def_resp;
147 unsigned char vFixed[] = {0,1,2,3,0x11};
148 unsigned char parte_fija[120];
149 unsigned char parte_variable[88];
150 unsigned char d1_rsa_modulo[88];
151 unsigned char d2_data[88];
152 unsigned char sign1[8];
153 unsigned char sk[16];
154 unsigned char tmp[104];
155 unsigned char idea_sig[16];
156 unsigned char random[88];
157
158 if(!do_cmd(reader, 0xd1,0x02,0x51,0xd2,NULL,cta_res,&cta_lr))
159 {
160 cs_debug("[nagra-reader] CMD$D1 failed");
161 return ERROR;
162 }
163
164 BN_CTX *ctx = BN_CTX_new();
165 BIGNUM *bnN = BN_CTX_get(ctx);
166 BIGNUM *bnE = BN_CTX_get(ctx);
167 BIGNUM *bnCT = BN_CTX_get(ctx);
168 BIGNUM *bnPT = BN_CTX_get(ctx);
169 BN_bin2bn(reader->rsa_mod, 120, bnN);
170 BN_bin2bn(vFixed+4, 1, bnE);
171 BN_bin2bn(&cta_res[90], 120, bnCT);
172 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
173 memset(parte_fija, 0, 120);
174 BN_bn2bin(bnPT, parte_fija + (120-BN_num_bytes(bnPT)));
175 BN_CTX_end(ctx);
176 BN_CTX_free (ctx);
177
178 cs_debug("[nagra-reader] ---------- SIG CHECK ---------------------");
179 memset(tmp,0, 104);
180 memcpy(tmp+4, parte_fija+11, 100);
181 memset(idea_sig, 0x37, 16);
182 Signature(sign1, idea_sig, tmp, 104);
183 cs_debug("[nagra-reader] sign1: %s", cs_hexdump (0, sign1, 8));
184 cs_debug("[nagra-reader] sign2: %s", cs_hexdump (0, parte_fija+111, 8));
185 if (!memcmp (parte_fija+111, sign1, 8)==0)
186 {
187 cs_debug("[nagra-reader] signature check nok");
188 cs_debug("[nagra-reader] ------------------------------------------");
189 return ERROR;
190 }
191 cs_debug("[nagra-reader] signature check ok");
192 cs_debug("[nagra-reader] ------------------------------------------");
193
194 memcpy(reader->hexserial+2, parte_fija+15, 4);
195 memcpy(reader->sa[0], parte_fija+15, 2);
196
197 memcpy(reader->irdId, parte_fija+19, 4);
198 memcpy(d1_rsa_modulo,parte_fija+23,88);
199
200 ReverseMem(cta_res+2, 88);
201 BN_CTX *ctx1 = BN_CTX_new();
202 BIGNUM *bnN1 = BN_CTX_get(ctx1);
203 BIGNUM *bnE1 = BN_CTX_get(ctx1);
204 BIGNUM *bnCT1 = BN_CTX_get(ctx1);
205 BIGNUM *bnPT1 = BN_CTX_get(ctx1);
206 BN_bin2bn(d1_rsa_modulo, 88, bnN1);
207 BN_bin2bn(vFixed+4, 1, bnE1);
208 BN_bin2bn(cta_res+2, 88, bnCT1);
209 BN_mod_exp(bnPT1, bnCT1, bnE1, bnN1, ctx1);
210 memset(parte_variable, 0, 88);
211 BN_bn2bin(bnPT1, parte_variable + (88-BN_num_bytes(bnPT1)));
212 BN_CTX_end(ctx1);
213 BN_CTX_free (ctx1);
214
215 reader->prid[0][0]=0x00;
216 reader->prid[0][1]=0x00;
217 reader->prid[0][2]=parte_variable[73];
218 reader->prid[0][3]=parte_variable[74];
219 reader->caid[0] =(SYSTEM_NAGRA|parte_variable[76]);
220 memcpy(sk,&parte_variable[79],8);
221 memcpy(sk+8,&parte_variable[79],8);
222 cs_ri_log(reader, "type: NAGRA, caid: %04X, IRD ID: %s",reader->caid[0], cs_hexdump (1,reader->irdId,4));
223 cs_ri_log(reader, "ProviderID: %s",cs_hexdump (1,reader->prid[0],4));
224
225 memset(random, 0, 88);
226 memcpy(random, sk,16);
227 ReverseMem(random, 88);
228
229
230 BN_CTX *ctx3 = BN_CTX_new();
231 BIGNUM *bnN3 = BN_CTX_get(ctx3);
232 BIGNUM *bnE3 = BN_CTX_get(ctx3);
233 BIGNUM *bnCT3 = BN_CTX_get(ctx3);
234 BIGNUM *bnPT3 = BN_CTX_get(ctx3);
235 BN_bin2bn(d1_rsa_modulo, 88, bnN3);
236 BN_bin2bn(vFixed+4, 1, bnE3);
237 BN_bin2bn(random, 88, bnCT3);
238 BN_mod_exp(bnPT3, bnCT3, bnE3, bnN3, ctx3);
239 memset(d2_data, 0, 88);
240 BN_bn2bin(bnPT3, d2_data + (88-BN_num_bytes(bnPT3)));
241 BN_CTX_end(ctx3);
242 BN_CTX_free (ctx3);
243 ReverseMem(d2_data, 88);
244
245 if(!do_cmd(reader, 0xd2,0x5a,0x52,0x03, d2_data,cta_res,&cta_lr))
246 {
247 cs_debug("[nagra-reader] CMD$D2 failed");
248 return ERROR;
249 }
250 if (cta_res[2] == 0x00)
251 {
252 memcpy(reader->sessi,sk,16);
253 IDEA_KEY_SCHEDULE ks;
254 idea_set_encrypt_key(reader->sessi,&ks);
255 idea_set_decrypt_key(&ks,&reader->ksSession);
256 cs_debug("[nagra-reader] session key negotiated");
257 return OK;
258 }
259 cs_ri_log(reader, "Negotiate sessionkey was not successfull! Please check tivusat rsa key");
260 return ERROR;
261
262}
263
264static int NegotiateSessionKey_N3_NA(struct s_reader * reader, int keynr)
265{
266 def_resp;
267 unsigned char cmd2b[] = {0x21, 0x40, 0x4D, 0xA0, 0xCA, 0x00, 0x00, 0x47, 0x27, 0x45,
268 0x1C, 0x54, 0xd1, 0x26, 0xe7, 0xe2, 0x40, 0x20,
269 0xd1, 0x66, 0xf4, 0x18, 0x97, 0x9d, 0x5f, 0x16,
270 0x8f, 0x7f, 0x7a, 0x55, 0x15, 0x82, 0x31, 0x14,
271 0x06, 0x57, 0x1a, 0x3f, 0xf0, 0x75, 0x62, 0x41,
272 0xc2, 0x84, 0xda, 0x4c, 0x2e, 0x84, 0xe9, 0x29,
273 0x13, 0x81, 0xee, 0xd6, 0xa9, 0xf5, 0xe9, 0xdb,
274 0xaf, 0x22, 0x51, 0x3d, 0x44, 0xb3, 0x20, 0x83,
275 0xde, 0xcb, 0x5f, 0x35, 0x2b, 0xb0, 0xce, 0x70,
276 0x01, 0x02, 0x03, 0x04, //IRD nr
277 0x00};//keynr
278
279 unsigned char negot[64];
280 unsigned char tmp[64];
281 unsigned char idea1[16];
282 unsigned char idea2[16];
283 unsigned char sign1[8];
284 unsigned char sign2[8];
285
286 if (!reader->has_dt08) // if we have no valid dt08 calc then we use rsa from config and hexserial for calc of sessionkey
287 {
288 memcpy(reader->plainDT08RSA, reader->rsa_mod, 64);
289 memcpy(reader->signature,reader->nagra_boxkey, 8);
290 }
291
292 memcpy(tmp, reader->irdId, 4);
293 tmp[4]=keynr;
294 if(!do_cmd(reader, 0x26,0x07,0xa6, 0x42, tmp,cta_res,&cta_lr)) {
295 cs_debug("[nagra-reader] CMD$26 failed");
296 return ERROR;
297 }
298
299 // RSA decrypt of cmd$2a data, result is stored in "negot"
300 ReverseMem(cta_res+2, 64);
301 unsigned char vFixed[] = {0,1,2,3};
302 BN_CTX *ctx = BN_CTX_new();
303 BIGNUM *bnN = BN_CTX_get(ctx);
304 BIGNUM *bnE = BN_CTX_get(ctx);
305 BIGNUM *bnCT = BN_CTX_get(ctx);
306 BIGNUM *bnPT = BN_CTX_get(ctx);
307 BN_bin2bn(reader->plainDT08RSA, 64, bnN);
308 BN_bin2bn(vFixed+3, 1, bnE);
309 BN_bin2bn(cta_res+2, 64, bnCT);
310 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
311 memset(negot, 0, 64);
312 BN_bn2bin(bnPT, negot + (64-BN_num_bytes(bnPT)));
313
314 memcpy(tmp, negot, 64);
315 ReverseMem(tmp, 64);
316
317 // build sessionkey
318 // first halve is IDEA Hashed in chuncs of 8 bytes using the Signature1 from dt08 calc, CamID-Inv.CamID(16 bytes key) the results are the First 8 bytes of the Session key
319 memcpy(idea1, reader->signature, 8);
320 memcpy(idea1+8, reader->hexserial+2, 4);
321 idea1[12] = ~reader->hexserial[2]; idea1[13] = ~reader->hexserial[3]; idea1[14] = ~reader->hexserial[4]; idea1[15] = ~reader->hexserial[5];
322
323 Signature(sign1, idea1, tmp, 32);
324 memcpy(idea2,sign1,8); memcpy(idea2+8,sign1,8);
325 Signature(sign2, idea2, tmp, 32);
326 memcpy(reader->sessi,sign1,8); memcpy(reader->sessi+8,sign2,8);
327
328 // prepare cmd$2b data
329 BN_bin2bn(negot, 64, bnCT);
330 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
331 memset(cmd2b+10, 0, 64);
332 BN_bn2bin(bnPT, cmd2b+10 + (64-BN_num_bytes(bnPT)));
333 BN_CTX_end(ctx);
334 BN_CTX_free (ctx);
335 ReverseMem(cmd2b+10, 64);
336
337 IDEA_KEY_SCHEDULE ks;
338 idea_set_encrypt_key(reader->sessi,&ks);
339 idea_set_decrypt_key(&ks,&reader->ksSession);
340
341 memcpy(cmd2b+74, reader->irdId, 4);
342 cmd2b[78] = keynr;
343 if(!do_cmd(reader, 0x27,0x47,0xa7,0x02,cmd2b+10,cta_res,&cta_lr)) {
344 cs_debug("[nagra-reader] CMD$27 failed");
345 return ERROR;
346 }
347
348 cs_debug("[nagra-reader] session key negotiated");
349
350 DateTimeCMD(reader);
351
352 if (!CamStateRequest(reader))
353 {
354 cs_debug("[nagra-reader] CamStateRequest failed");
355 return ERROR;
356 }
357 if RENEW_SESSIONKEY()
358 {
359 cs_ri_log(reader, "Negotiate sessionkey was not successfull! Please check rsa key and boxkey");
360 return ERROR;
361 }
362
363 return OK;
364}
365
366static int NegotiateSessionKey(struct s_reader * reader)
367{
368 def_resp;
369 unsigned char cmd2b[] = {0x21, 0x40, 0x48, 0xA0, 0xCA, 0x00, 0x00, 0x43, 0x2B, 0x40, 0x1C, 0x54, 0xd1, 0x26, 0xe7, 0xe2, 0x40, 0x20, 0xd1, 0x66, 0xf4, 0x18, 0x97, 0x9d, 0x5f, 0x16, 0x8f, 0x7f, 0x7a, 0x55, 0x15, 0x82, 0x31, 0x14, 0x06, 0x57, 0x1a, 0x3f, 0xf0, 0x75, 0x62, 0x41, 0xc2, 0x84, 0xda, 0x4c, 0x2e, 0x84, 0xe9, 0x29, 0x13, 0x81, 0xee, 0xd6, 0xa9, 0xf5, 0xe9, 0xdb, 0xaf, 0x22, 0x51, 0x3d, 0x44, 0xb3, 0x20, 0x83, 0xde, 0xcb, 0x5f, 0x35, 0x2b, 0xb0, 0xce, 0x70, 0x02, 0x00};
370 unsigned char negot[64];
371 unsigned char tmp[64];
372 unsigned char idea1[16];
373 unsigned char idea2[16];
374 unsigned char sign1[8];
375 unsigned char sign2[8];
376
377 if (reader->is_tiger)
378 {
379 if (!NegotiateSessionKey_Tiger(reader))
380 {
381 cs_debug("[nagra-reader] NegotiateSessionKey_Tiger failed");
382 return ERROR;
383 }
384 return OK;
385 }
386
387 if (reader->is_n3_na)
388 {
389 if (!NegotiateSessionKey_N3_NA(reader, 1))
390 {
391 cs_debug("[nagra-reader] NegotiateSessionKey_N3_NA first time failed");
392 return ERROR;
393 }
394 if (!NegotiateSessionKey_N3_NA(reader, 0))
395 {
396 cs_debug("[nagra-reader] NegotiateSessionKey_N3_NA second time failed");
397 return ERROR;
398 }
399 return OK;
400 }
401
402 if (!reader->has_dt08) // if we have no valid dt08 calc then we use rsa from config and hexserial for calc of sessionkey
403 {
404 memcpy(reader->plainDT08RSA, reader->rsa_mod, 64);
405 memcpy(reader->signature,reader->nagra_boxkey, 8);
406 }
407 if(!do_cmd(reader, 0x2a,0x02,0xaa,0x42,NULL,cta_res,&cta_lr))
408 {
409 cs_debug("[nagra-reader] CMD$2A failed");
410 return ERROR;
411 }
412
413 // RSA decrypt of cmd$2a data, result is stored in "negot"
414 ReverseMem(cta_res+2, 64);
415 unsigned char vFixed[] = {0,1,2,3};
416 BN_CTX *ctx = BN_CTX_new();
417 BIGNUM *bnN = BN_CTX_get(ctx);
418 BIGNUM *bnE = BN_CTX_get(ctx);
419 BIGNUM *bnCT = BN_CTX_get(ctx);
420 BIGNUM *bnPT = BN_CTX_get(ctx);
421 BN_bin2bn(reader->plainDT08RSA, 64, bnN);
422 BN_bin2bn(vFixed+3, 1, bnE);
423 BN_bin2bn(cta_res+2, 64, bnCT);
424 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
425 memset(negot, 0, 64);
426 BN_bn2bin(bnPT, negot + (64-BN_num_bytes(bnPT)));
427
428 memcpy(tmp, negot, 64);
429 ReverseMem(tmp, 64);
430
431 // build sessionkey
432 // first halve is IDEA Hashed in chuncs of 8 bytes using the Signature1 from dt08 calc, CamID-Inv.CamID(16 bytes key) the results are the First 8 bytes of the Session key
433 memcpy(idea1, reader->signature, 8);
434 memcpy(idea1+8, reader->hexserial+2, 4);
435 idea1[12] = ~reader->hexserial[2]; idea1[13] = ~reader->hexserial[3]; idea1[14] = ~reader->hexserial[4]; idea1[15] = ~reader->hexserial[5];
436
437 Signature(sign1, idea1, tmp, 32);
438 memcpy(idea2,sign1,8); memcpy(idea2+8,sign1,8);
439 Signature(sign2, idea2, tmp, 32);
440 memcpy(reader->sessi,sign1,8); memcpy(reader->sessi+8,sign2,8);
441
442 // prepare cmd$2b data
443 BN_bin2bn(negot, 64, bnCT);
444 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx);
445 memset(cmd2b+10, 0, 64);
446 BN_bn2bin(bnPT, cmd2b+10 + (64-BN_num_bytes(bnPT)));
447 BN_CTX_end(ctx);
448 BN_CTX_free (ctx);
449 ReverseMem(cmd2b+10, 64);
450
451 IDEA_KEY_SCHEDULE ks;
452 idea_set_encrypt_key(reader->sessi,&ks);
453 idea_set_decrypt_key(&ks,&reader->ksSession);
454
455 if(!do_cmd(reader, 0x2b,0x42,0xab,0x02, cmd2b+10,cta_res,&cta_lr))
456 {
457 cs_debug("[nagra-reader] CMD$2B failed");
458 return ERROR;
459 }
460
461 cs_debug("[nagra-reader] session key negotiated");
462
463 DateTimeCMD(reader);
464
465 if (!CamStateRequest(reader))
466 {
467 cs_debug("[nagra-reader] CamStateRequest failed");
468 return ERROR;
469 }
470 if RENEW_SESSIONKEY()
471 {
472 cs_ri_log(reader, "Negotiate sessionkey was not successfull! Please check rsa key and boxkey");
473 return ERROR;
474 }
475
476 return OK;
477}
478
479static void decryptDT08(struct s_reader * reader, unsigned char * cta_res)
480{
481 unsigned char vFixed[] = {0,1,2,3};
482 unsigned char v[72];
483 unsigned char buf[72];
484 unsigned char sign2[8];
485 unsigned char static_dt08[73];
486 unsigned char camid[4];
487 int i, n;
488 BN_CTX *ctx;
489 BIGNUM *bn_mod, *bn_exp, *bn_data, *bn_res;
490
491 memcpy(static_dt08, &cta_res[12], 73);
492 // decrypt RSA Part of dt08
493 bn_mod = BN_new ();
494 bn_exp = BN_new ();
495 bn_data = BN_new ();
496 bn_res = BN_new ();
497 ctx= BN_CTX_new();
498 if (ctx == NULL) cs_debug("[nagra-reader] RSA Error in dt08 decrypt");
499 ReverseMem(static_dt08+1, 64);
500 BN_bin2bn (reader->rsa_mod, 64, bn_mod); // rsa modulus
501 BN_bin2bn (vFixed+3, 1, bn_exp); // exponent
502 BN_bin2bn (static_dt08+1, 64, bn_data);
503 BN_mod_exp (bn_res, bn_data, bn_exp, bn_mod, ctx);
504 memset (static_dt08+1, 0, 64);
505 n = BN_bn2bin (bn_res, static_dt08+1);
506 BN_CTX_free (ctx);
507 ReverseMem(static_dt08+1, n);
508
509 // RSA data can never be bigger than the modulo
510 static_dt08[64] |= static_dt08[0] & 0x80;
511
512 // IdeaCamKey
513 memcpy (&reader->IdeaCamKey[0], reader->nagra_boxkey, 8);
514 memcpy (&reader->IdeaCamKey[8], reader->irdId, 4);
515 for (i = 0; i < 4; i++)
516 reader->IdeaCamKey[12 + i] = ~reader->irdId[i];
517
518 // now IDEA decrypt
519 IDEA_KEY_SCHEDULE ks;
520 idea_set_encrypt_key(reader->IdeaCamKey,&ks);
521 idea_set_decrypt_key(&ks,&reader->ksSession);
522 memcpy (&buf[0], static_dt08+1, 64);
523 memcpy (&buf[64], static_dt08+65, 8);
524 memset(v,0,sizeof(v));
525 memset(static_dt08,0,sizeof(static_dt08));
526 idea_cbc_encrypt(buf,static_dt08,72,&reader->ksSession,v,IDEA_DECRYPT);
527
528 if (reader->swapCW==1)
529 {
530 memset(camid,0xff,4);
531 }
532 else
533 {
534 memcpy(camid, reader->hexserial+2,4);
535 }
536 cs_debug("[nagra-reader] using camid %s for dt08 calc",cs_hexdump (1,camid,4));
537
538 // Calculate reader->signature
539 memcpy (reader->signature, static_dt08, 8);
540 memset (static_dt08 + 0, 0, 4);
541 memcpy (static_dt08 + 4, camid, 4);
542 Signature(sign2,reader->IdeaCamKey,static_dt08,72);
543
544 if (memcmp (reader->signature, sign2, 8)==0)
545 {
546 reader->has_dt08=1;
547 memcpy (reader->plainDT08RSA, static_dt08+8, 64);
548 cs_debug("[nagra-reader] DT08 signature check ok");
549 }
550 else
551 {
552 reader->has_dt08=0;
553 cs_debug("[nagra-reader] DT08 signature check nok");
554 }
555}
556
557static void addProvider(struct s_reader * reader, unsigned char * cta_res)
558{
559 int i;
560 int toadd=1;
561 for (i=0; i<reader->nprov; i++)
562 {
563 if ((cta_res[7]==reader->prid[i][2]) && (cta_res[8]==reader->prid[i][3]))
564 {
565 toadd = 0;
566 }
567 }
568 if (toadd)
569 {
570 reader->prid[reader->nprov][0]=0;
571 reader->prid[reader->nprov][1]=0;
572 reader->prid[reader->nprov][2]=cta_res[7];
573 reader->prid[reader->nprov][3]=cta_res[8];
574 memcpy(reader->sa[reader->nprov], reader->sa[0], 4);
575 reader->nprov+=1;
576 }
577}
578
579static int ParseDataType(struct s_reader * reader, unsigned char dt, unsigned char * cta_res, unsigned short cta_lr)
580{
581 char ds[16], de[16];
582 ushort chid;
583 switch(dt)
584 {
585 case IRDINFO:
586 {
587 reader->prid[0][0]=0;
588 reader->prid[0][1]=0;
589 reader->prid[0][2]=cta_res[7];
590 reader->prid[0][3]=cta_res[8];
591 if ( ((cta_res[7] == 0x34) && (cta_res[8] == 0x11)) || ((cta_res[7] == 0x04) && (cta_res[8] == 0x01))) //provider 3411, 0401 needs cw swap
592 {
593 cs_debug("[nagra-reader] detect provider with swap cw!");
594 reader->swapCW=1;
595 }
596
597 reader->prid[1][0]=0x00;
598 reader->prid[1][1]=0x00;
599 reader->prid[1][2]=0x00;
600 reader->prid[1][3]=0x00;
601 memcpy(reader->sa[1], reader->sa[0], 4);
602 reader->nprov+=1;
603
604 reader->caid[0] =(SYSTEM_NAGRA|cta_res[11]);
605 memcpy(reader->irdId,cta_res+14,4);
606 cs_debug("[nagra-reader] type: NAGRA, caid: %04X, IRD ID: %s",reader->caid[0], cs_hexdump (1,reader->irdId,4));
607 cs_debug("[nagra-reader] ProviderID: %s",cs_hexdump (1,reader->prid[0],4));
608 return OK;
609 }
610 case TIERS:
611 if ((cta_lr>33) && (chid=b2i(2, cta_res+11)))
612 {
613 int id=(cta_res[7]*256)|cta_res[8];
614 tier_date(b2i(2, cta_res+20)-0x7f7, ds, 15);
615 tier_date(b2i(2, cta_res+13)-0x7f7, de, 15);
616 cs_ri_log(reader, "|%04X|%04X |%s |%s |", id,chid, ds, de);
617 addProvider(reader, cta_res);
618 }
619 case 0x08:
620 case 0x88: if (cta_res[11] == 0x49) decryptDT08(reader, cta_res);
621 default:
622 return OK;
623 }
624 return ERROR;
625}
626
627static int GetDataType(struct s_reader * reader, unsigned char dt, int len, int shots)
628{
629 def_resp;
630 int i;
631 for(i=0; i<shots; i++)
632 {
633 if(!do_cmd(reader, 0x22,0x03,0xA2,len,&dt,cta_res,&cta_lr))
634 {
635 cs_debug("[nagra-reader] failed to get datatype %02X",dt);
636 return ERROR;
637 }
638 if((cta_res[2]==0) && (dt != 0x08 || dt != 0x88)) return OK;
639 if(!ParseDataType(reader, dt&0x0F, cta_res, cta_lr)) return ERROR;
640 if ((dt != 0x08 || dt != 0x88) && (cta_res[11] == 0x49)) return OK; //got dt08 data
641 dt|=0x80; // get next item
642 }
643 return OK;
644}
645
646int nagra2_card_init(struct s_reader * reader, ATR newatr)
647{
648 get_atr;
649 def_resp;
650 memset(reader->rom, 0, 15);
651 reader->nprov = 1;
652 reader->is_pure_nagra = 0;
653 reader->is_tiger = 0;
654 reader->is_n3_na = 0;
655 reader->has_dt08 = 0;
656 reader->swapCW = 0;
657 memset(reader->irdId, 0xff, 4);
658 memset(reader->hexserial, 0, 8);
659 reader->caid[0]=SYSTEM_NAGRA;
660
661 if(memcmp(atr+11,"DNASP240 Rev906m",16)==0) {
662 cs_ri_log(reader, "detect nagra 3 NA card");
663 memcpy(reader->rom,atr+11,15);
664 reader->is_n3_na=1;
665 }
666 else if (memcmp(atr+11, "DNASP", 5)==0)
667 {
668 cs_ri_log(reader, "detect native nagra card");
669 memcpy(reader->rom,atr+11,15);
670 }
671 else if (memcmp(atr+11, "TIGER", 5)==0 || (memcmp(atr+11, "NCMED", 5)==0))
672 {
673 cs_ri_log(reader, "detect nagra tiger card");
674 memcpy(reader->rom,atr+11,15);
675 reader->is_tiger=1;
676 }
677 else if ((!memcmp(atr+4, "IRDETO", 6)) && ((atr[14]==0x03) && (atr[15]==0x84) && (atr[16]==0x55)))
678 {
679 cs_ri_log(reader, "detect irdeto tunneled nagra card");
680 if(!reader->has_rsa)
681 {
682 cs_ri_log(reader, "no rsa key configured -> using irdeto mode");
683 return ERROR;
684 }
685 if(reader->force_irdeto)
686 {
687 cs_ri_log(reader, "rsa key configured but irdeto mode forced -> using irdeto mode");
688 return ERROR;
689 }
690 cs_ri_log(reader, "rsa key configured -> using nagra mode");
691 reader->is_pure_nagra=1;
692 if(!do_cmd(reader, 0x10,0x02,0x90,0x11,0,cta_res,&cta_lr))
693 {
694 cs_debug("[nagra-reader] get rom version failed");
695 return ERROR;
696 }
697 memcpy(reader->rom,cta_res+2,15);
698 }
699 else return ERROR;
700
701 if (!reader->is_tiger)
702 {
703 CamStateRequest(reader);
704 if(!do_cmd(reader, 0x12,0x02,0x92,0x06,0,cta_res,&cta_lr))
705 {
706 cs_debug("[nagra-reader] get serial failed");
707 return ERROR;
708 }
709 memcpy(reader->hexserial+2, cta_res+2, 4);
710 cs_debug("[nagra-reader] SER: %s", cs_hexdump (1, reader->hexserial+2, 4));
711 memcpy(reader->sa[0], cta_res+2, 2);
712
713 if(!GetDataType(reader, DT01,0x0E,MAX_REC)) return ERROR;
714 cs_debug("[nagra-reader] DT01 DONE");
715 CamStateRequest(reader);
716 if(!GetDataType(reader, IRDINFO,0x39,MAX_REC)) return ERROR;
717 cs_debug("[nagra-reader] IRDINFO DONE");
718 CamStateRequest(reader);
719 if(!GetDataType(reader, CAMDATA,0x55,10)) return ERROR;
720 cs_debug("[nagra-reader] CAMDATA Done");
721 if(!GetDataType(reader, 0x04,0x44,MAX_REC)) return ERROR;
722 cs_debug("[nagra-reader] DT04 DONE");
723 CamStateRequest(reader);
724
725 if (!memcmp(reader->rom+5, "181", 3)==0) //dt05 is not supported by rom181
726 {
727 cs_ri_log(reader, "-----------------------------------------");
728 cs_ri_log(reader, "|id |tier |valid from |valid to |");
729 cs_ri_log(reader, "+----+--------+------------+------------+");
730 if(!GetDataType(reader, TIERS,0x57,MAX_REC)) return ERROR;
731 cs_ri_log(reader, "-----------------------------------------");
732 CamStateRequest(reader);
733 }
734
735 if(!GetDataType(reader, DT06,0x16,MAX_REC)) return ERROR;
736 cs_debug("[nagra-reader] DT06 DONE");
737 CamStateRequest(reader);
738 }
739 if (!NegotiateSessionKey(reader))
740 {
741 cs_debug("[nagra-reader] NegotiateSessionKey failed");
742 return ERROR;
743 }
744 if ((reader->cardmhz != 368) && (reader->is_pure_nagra==0))
745 cs_log("WARNING: For NAGRA2 cards you will have to set 'cardmhz = 368' in oscam.server");
746
747 return OK;
748}
749
750int nagra2_card_info(struct s_reader * reader)
751{
752 int i;
753 cs_ri_log(reader, "ROM: %c %c %c %c %c %c %c %c", reader->rom[0], reader->rom[1], reader->rom[2],reader->rom[3], reader->rom[4], reader->rom[5], reader->rom[6], reader->rom[7]);
754 cs_ri_log(reader, "REV: %c %c %c %c %c %c", reader->rom[9], reader->rom[10], reader->rom[11], reader->rom[12], reader->rom[13], reader->rom[14]);
755 cs_ri_log(reader, "SER: %s", cs_hexdump (1, reader->hexserial+2, 4));
756 cs_ri_log(reader, "CAID: %04X",reader->caid[0]);
757 cs_ri_log(reader, "Prv.ID: %s(sysid)",cs_hexdump (1,reader->prid[0],4));
758 for (i=1; i<reader->nprov; i++)
759 {
760 cs_ri_log(reader, "Prv.ID: %s",cs_hexdump (1,reader->prid[i],4));
761 }
762 cs_log("[nagra-reader] ready for requests");
763 return OK;
764}
765
766void nagra2_post_process(struct s_reader * reader)
767{
768 if (!reader->is_tiger)
769 {
770 CamStateRequest(reader);
771 if RENEW_SESSIONKEY() NegotiateSessionKey(reader);
772 if SENDDATETIME() DateTimeCMD(reader);
773 }
774}
775
776int nagra2_do_ecm(struct s_reader * reader, ECM_REQUEST *er)
777{
778 def_resp;
779 if (!reader->is_tiger)
780 {
781 int retry=0;
782 if(!do_cmd(reader, er->ecm[3],er->ecm[4]+2,0x87,0x02, er->ecm+3+2,cta_res,&cta_lr))
783 {
784 cs_debug("[nagra-reader] nagra2_do_ecm failed, retry");
785 cs_sleepms(10);
786 if(!do_cmd(reader, er->ecm[3],er->ecm[4]+2,0x87,0x02, er->ecm+3+2,cta_res,&cta_lr))
787 {
788 cs_debug("[nagra-reader] nagra2_do_ecm failed, retry failed!");
789 return ERROR;
790 }
791
792 }
793 cs_sleepms(10);
794 while(!CamStateRequest(reader) && retry < 3)
795 {
796 cs_debug("[nagra-reader] CamStateRequest failed, try: %d", retry);
797 retry++;
798 cs_sleepms(10);
799 }
800 if (HAS_CW() && (do_cmd(reader, 0x1C,0x02,0x9C,0x36,NULL,cta_res,&cta_lr)))
801 {
802 unsigned char v[8];
803 memset(v,0,sizeof(v));
804 idea_cbc_encrypt(&cta_res[30],er->cw,8,&reader->ksSession,v,IDEA_DECRYPT);
805 memset(v,0,sizeof(v));
806 idea_cbc_encrypt(&cta_res[4],er->cw+8,8,&reader->ksSession,v,IDEA_DECRYPT);
807 if (reader->swapCW==1)
808 {
809 cs_debug("[nagra-reader] swap cws");
810 unsigned char tt[8];
811 memcpy(&tt[0],&er->cw[0],8);
812 memcpy(&er->cw[0],&er->cw[8],8);
813 memcpy(&er->cw[8],&tt[0],8);
814 }
815 return OK;
816 }
817 }
818 else
819 {
820 //check ECM prov id
821 if (memcmp(&reader->prid[0][2], er->ecm+5, 2))
822 return ERROR;
823
824 // ecm_data: 80 30 89 D3 87 54 11 10 DA A6 0F 4B 92 05 34 00 ...
825 //serial_data: A0 CA 00 00 8C D3 8A 00 00 00 00 00 10 DA A6 0F .
826 unsigned char ecm_trim[150];
827 memset(ecm_trim, 0, 150);
828 memcpy(&ecm_trim[5], er->ecm+3+2+2, er->ecm[4]+2);
829 if(do_cmd(reader, er->ecm[3],er->ecm[4]+5,0x53,0x16, ecm_trim,cta_res,&cta_lr))
830 {
831 if(cta_res[2] == 0x01)
832 {
833
834 unsigned char v[8];
835 memset(v,0,sizeof(v));
836 idea_cbc_encrypt(&cta_res[14],er->cw,8,&reader->ksSession,v,IDEA_DECRYPT);
837 memset(v,0,sizeof(v));
838 idea_cbc_encrypt(&cta_res[6],er->cw+8,8,&reader->ksSession,v,IDEA_DECRYPT);
839 return OK;
840 }
841 cs_debug("[nagra-reader] can't decode ecm");
842 return ERROR;
843 }
844 }
845 return ERROR;
846}
847
848int nagra2_get_emm_type(EMM_PACKET *ep, struct s_reader * rdr) //returns TRUE if shared emm matches SA, unique emm matches serial, or global or unknown
849{
850 switch (ep->emm[0]) {
851 case 0x83:
852 memset(ep->hexserial,0,8);
853 ep->hexserial[0] = ep->emm[5];
854 ep->hexserial[1] = ep->emm[4];
855 ep->hexserial[2] = ep->emm[3];
856 if (ep->emm[7] == 0x10) {
857 ep->type = SHARED;
858 return (!memcmp (rdr->hexserial+2, ep->hexserial, 3));
859 }
860 else {
861 ep->hexserial[3] = ep->emm[6];
862 ep->type = UNIQUE;
863 return (!memcmp (rdr->hexserial+2, ep->hexserial, 4));
864 }
865 case 0x82:
866 ep->type = GLOBAL;
867 return TRUE;
868 default:
869 ep->type = UNKNOWN;
870 return TRUE;
871 }
872}
873
874void nagra2_get_emm_filter(struct s_reader * rdr, uchar *filter)
875{
876 filter[0]=0xFF;
877 filter[1]=3;
878
879
880 filter[2]=GLOBAL;
881 filter[3]=0;
882
883 filter[4+0] = 0x82;
884 filter[4+0+16] = 0xFF;
885
886
887 filter[36]=SHARED;
888 filter[37]=0;
889
890 filter[38+0] = 0x83;
891 filter[38+1] = rdr->hexserial[4];
892 filter[38+2] = rdr->hexserial[3];
893 filter[38+3] = rdr->hexserial[2];
894 filter[38+4] = 0x00;
895 filter[38+5] = 0x10;
896 memset(filter+38+0+16, 0xFF, 6);
897
898
899 filter[70]=UNIQUE;
900 filter[71]=0;
901
902 filter[72+0] = 0x83;
903 filter[72+1] = rdr->hexserial[4];
904 filter[72+2] = rdr->hexserial[3];
905 filter[72+3] = rdr->hexserial[2];
906 filter[72+4] = rdr->hexserial[5];
907 filter[72+5] = 0x00;
908 memset(filter+72+0+16, 0xFF, 6);
909
910 return;
911}
912int nagra2_do_emm(struct s_reader * reader, EMM_PACKET *ep)
913{
914 def_resp;
915 if (!reader->is_tiger)
916 {
917 if(!do_cmd(reader, ep->emm[8],ep->emm[9]+2,0x84,0x02,ep->emm+8+2,cta_res,&cta_lr))
918 {
919 cs_debug("[nagra-reader] nagra2_do_emm failed");
920 return ERROR;
921 }
922 // for slow t14 nagra cards, we must do additional timeout
923 if (reader->is_pure_nagra==1)
924 {
925 cs_sleepms(300);
926 }
927 cs_sleepms(250);
928 nagra2_post_process(reader);
929 }
930 else
931 {
932 //check EMM prov id
933 if (memcmp(&reader->prid[0][2], ep->emm+10, 2))
934 return ERROR;
935
936 // emm_data: 82 70 8E 00 00 00 00 00 D3 87 8D 11 C0 F4 B1 27 2C 3D 25 94 ...
937 //serial_data: A0 CA 00 00 8C D3 8A 01 00 00 00 00 C0 F4 B1 27 2C 3D 25 94 ...
938 unsigned char emm_trim[150];
939 memset(emm_trim, 0, 150);
940 memcpy(&emm_trim[5], ep->emm+3+5+2+2, ep->emm[9]+2);
941 if(!do_cmd(reader, ep->emm[8],ep->emm[9]+5,0x53,0x16, emm_trim,cta_res,&cta_lr))
942 {
943 cs_debug("[nagra-reader] nagra2_do_emm failed");
944 return ERROR;
945 }
946 cs_sleepms(300);
947 }
948 return OK;
949}
950
951void reader_nagra(struct s_cardsystem *ph)
952{
953 ph->do_emm=nagra2_do_emm;
954 ph->do_ecm=nagra2_do_ecm;
955 ph->post_process=nagra2_post_process;
956 ph->card_info=nagra2_card_info;
957 ph->card_init=nagra2_card_init;
958 ph->get_emm_type=nagra2_get_emm_type;
959 ph->get_emm_filter=nagra2_get_emm_filter;
960 ph->caids[0]=0x18;
961}
Note: See TracBrowser for help on using the repository browser.