1 | #include "globals.h"
|
---|
2 | #include "reader-common.h"
|
---|
3 | #include <stdlib.h>
|
---|
4 |
|
---|
5 | //02102009 Dingo35 (=original author of this module):
|
---|
6 | //-added detection of EMM-GA; this kind of EMM has not been documented yet, no update takes place (yet)
|
---|
7 | //-solved bug in validity date
|
---|
8 | //-eliminated unnecessary buffers
|
---|
9 | //-added printing of PBM info
|
---|
10 |
|
---|
/* Buffers and length owned by the reader core (declared extern here).
 * cta_res is what this file inspects after each card command. */
extern uchar cta_cmd[];
extern uchar cta_res[];
extern ushort cta_lr;

/* Provider bitmap read from the card in seca_card_init(); bit i set means
 * provider slot i is queried with set_provider_info(i). */
static unsigned short pmap = 0;

/* Card serial, decoded in seca_card_init() and used there for logging. */
unsigned long long serial;

/* Card type label selected from ATR bytes 7..8 in seca_card_init(). */
char *card;

/* Size of the fixed command header that precedes any payload bytes. */
#define CMD_LEN 5
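/*
 * Assemble one command in a local buffer and pass it to reader_cmd2icc().
 *
 * cmd   - CMD_LEN-byte command header; cmd[4] is the payload length.
 * data  - payload bytes, or NULL when there is nothing to append.
 * wflag - non-zero: append cmd[4] bytes of data after the header;
 *         zero: send the header only.
 *
 * Returns the value of reader_cmd2icc(); the write_cmd/read_cmd macros in
 * this file treat any non-zero result as failure.
 */
static int card_write(uchar *cmd, uchar *data, int wflag)
{
  /* cmd[4] may be as large as 0xFF, so the buffer must hold the header plus
   * 255 payload bytes; a 256-byte buffer would be up to 4 bytes too small.
   * It is zero-filled so that a NULL data pointer combined with a non-zero
   * length never sends stale stack contents to the card. */
  uchar buf[CMD_LEN + 0xFF] = { 0 };
  int l = wflag ? cmd[4] : 0;

  memcpy(buf, cmd, CMD_LEN);
  if (l && data)
    memcpy(buf + CMD_LEN, data, l);
  /* NOTE(review): data must provide at least cmd[4] readable bytes; that is
   * the caller's responsibility and is not checked here. */
  return reader_cmd2icc(buf, CMD_LEN + l);
}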
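/*
 * write_cmd: send the header `cmd` followed by cmd[4] bytes of `data`.
 * read_cmd:  send the header `cmd` only (data is ignored by card_write).
 *
 * Both macros contain a hidden `return(0)` that leaves the CALLING function
 * when card_write() reports failure. They are therefore only usable inside
 * functions returning int, and any state changed before the call stays
 * changed on that early exit.
 *
 * The body is wrapped in do { } while (0) so that `write_cmd(a, b);` is a
 * single statement and stays correct inside an unbraced if/else.
 */
#define write_cmd(cmd, data) \
  do { \
    if (card_write(cmd, data, 1)) return(0); \
  } while (0)

#define read_cmd(cmd, data) \
  do { \
    if (card_write(cmd, data, 0)) return(0); \
  } while (0)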
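/*
 * Query the card for provider slot i and record the answer in reader[ridx].
 *
 * Layout of the reply as used below (cta_res):
 *   [0..1]   provider id      -> prid[i][2..3] (prid[i][0..1] are zeroed)
 *   [2..17]  provider name    -> logged only
 *   [18..21] shared address   -> sa[i]
 *   [22..23] packed expiry date (7 bits year-1990, 4 bits month, 5 bits day)
 *   [25..26] status, must be 90 00
 *
 * Returns 1 on success, 0 when the card command fails or the status is not
 * 90 00.
 *
 * NOTE(review): i indexes prid/sa/availkeys without a range check; the
 * callers in this file pass 0..15 or a get_prov_index() result. Confirm the
 * arrays in reader[] are large enough for that.
 */
int set_provider_info(int i)
{
  static uchar ins12[] = { 0xc1, 0x12, 0x00, 0x00, 0x19 }; // get provider info
  int year, month, day;
  struct tm *lt;
  time_t t;
  int valid = 0; // 0 = expired (or local time unavailable), 1 = not expired
  char l_name[16 + 8 + 1] = ", name: ";

  ins12[2] = i; // select provider
  read_cmd(ins12, NULL); // leaves this function with 0 if the command fails
  cs_debug("hexdump:%s", cs_hexdump(0, cta_res, 27));

  if ((cta_res[25] != 0x90) || (cta_res[26] != 0x00))
    return (0);

  reader[ridx].prid[i][0] = 0;
  reader[ridx].prid[i][1] = 0; // blank the high bytes of the provider code
  memcpy(&reader[ridx].prid[i][2], cta_res, 2);

  year = (cta_res[22] >> 1) + 1990;
  month = ((cta_res[22] & 0x1) << 3) | (cta_res[23] >> 5);
  day = (cta_res[23] & 0x1f);

  // Compare today's date with the expiry date, most significant field first.
  // An expiry date equal to today leaves valid at 0.
  t = time(NULL);
  lt = localtime(&t);
  if (lt) { // localtime() may return NULL; treat that as "not valid"
    int now_year = lt->tm_year + 1900;
    int now_month = lt->tm_mon + 1;

    if (now_year != year)
      valid = (now_year < year);
    else if (now_month != month)
      valid = (now_month < month);
    else if (lt->tm_mday != day)
      valid = (lt->tm_mday < day);
  }

  memcpy(l_name + 8, cta_res + 2, 16);
  // Terminate at the last element; index sizeof(l_name) is one past the array.
  l_name[sizeof(l_name) - 1] = 0;
  trim(l_name + 8);
  l_name[0] = (l_name[8]) ? ',' : 0; // drop the ", name: " prefix if the name is empty

  reader[ridx].availkeys[i][0] = valid; // availkeys is reused to record provider validity
  cs_log("provider: %d, valid: %i%s, expiry date: %4d/%02d/%02d",
         i + 1, valid, l_name, year, month, day);
  memcpy(&reader[ridx].sa[i][0], cta_res + 18, 4);
  if (valid == 1) // only log the shared address of a provider that has not expired
    cs_log("SA: %s", cs_hexdump(0, cta_res + 18, 4));
  return (1);
}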
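/*
 * Recognise a SECA card from its ATR and read its identity and providers.
 *
 * atr     - answer-to-reset bytes; bytes 7..13 are inspected.
 * atrsize - number of valid bytes in atr.
 *
 * Returns 1 when the card was initialised, 0 when the ATR is too short or
 * does not match, when a card command fails (hidden return inside
 * read_cmd/write_cmd) or when set_provider_info() fails.
 */
int seca_card_init(uchar *atr, int atrsize)
{
  // Zero-filled: with an empty provider bitmap the log below still prints a
  // valid (empty) string instead of uninitialised stack bytes.
  uchar buf[256] = { 0 };
  size_t used = 0; // bytes of buf already holding provider ids
  static uchar ins0e[] = { 0xc1, 0x0e, 0x00, 0x00, 0x08 }; // get serial number (UA)
  static uchar ins16[] = { 0xc1, 0x16, 0x00, 0x00, 0x07 }; // get nr. of providers
  int i;

  // Unlock parental control
  // c1 30 00 01 09
  // 00 00 00 00 00 00 00 00 ff
  static uchar ins30[] = { 0xc1, 0x30, 0x00, 0x01, 0x09 };
  static uchar ins30data[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff };

  // atr[13] is the highest index read below; refuse anything shorter.
  if (atrsize < 14)
    return (0);
  if ((atr[10] != 0x0e) || (atr[11] != 0x6c) || (atr[12] != 0xb6) || (atr[13] != 0xd6))
    return (0);

  switch (atr[7] << 8 | atr[8])
  {
    case 0x5084: card = "Generic"; break;
    case 0x5384: card = "Philips"; break;
    case 0x5130:
    case 0x5430:
    case 0x5760: card = "Thompson"; break;
    case 0x5284:
    case 0x5842:
    case 0x6060: card = "Siemens"; break;
    case 0x7070: card = "Canal+ NL"; break;
    default:     card = "Unknown"; break;
  }

  reader[ridx].caid[0] = 0x0100;
  memset(reader[ridx].prid, 0xff, sizeof(reader[ridx].prid));

  read_cmd(ins0e, NULL); // read unique id
  reader[ridx].hexserial[0] = 0;
  reader[ridx].hexserial[1] = 0;
  memcpy(reader[ridx].hexserial + 2, cta_res + 2, 6);
  serial = b2ll(5, cta_res + 3);
  cs_ri_log("type: seca, caid: %04X, serial: %llu, card: %s v%d.%d",
            reader[ridx].caid[0], serial, card, atr[9] & 0x0F, atr[9] >> 4);

  read_cmd(ins16, NULL); // read nr of providers
  pmap = cta_res[2] << 8 | cta_res[3];

  // nprov = number of bits set in the provider bitmap.
  // NOTE(review): provider data is stored at the bit position i, while
  // get_prov_index() and seca_card_info() walk slots 0..nprov-1. That only
  // covers every provider if the set bits are contiguous from bit 0 - confirm.
  for (reader[ridx].nprov = 0, i = pmap; i; i >>= 1)
    reader[ridx].nprov += i & 1;

  for (i = 0; i < 16; i++)
  {
    int n;

    if (!(pmap & (1 << i)))
      continue;
    if (!set_provider_info(i))
      return (0);

    // Append ",XXXX" with an explicit bound instead of an unbounded sprintf.
    n = snprintf((char *) buf + used, sizeof(buf) - used, ",%04lX",
                 b2i(2, &reader[ridx].prid[i][2]));
    if (n > 0 && (size_t) n < sizeof(buf) - used)
      used += (size_t) n;
    else
      buf[used] = 0; // entry did not fit: drop it, keep the list terminated
  }

  cs_ri_log("providers: %d (%s)", reader[ridx].nprov, buf + 1); // +1 skips the leading comma

  // Unlock parental control
  if (cfg->ulparent != 0) {
    write_cmd(ins30, ins30data);
    cs_log("ins30_answer: %02x%02x", cta_res[0], cta_res[1]);
  } else {
    cs_log("parental locked");
  }
  cs_log("ready for requests");
  return (1);
}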
/*
 * Find the provider slot whose stored two-byte id (prid[slot][2..3]) equals
 * provid[0..1].
 *
 * Returns the slot index, or -1 when none of the slots 0..nprov-1 matches.
 * provid must point at two or more readable bytes.
 */
static int get_prov_index(char *provid)
{
  int slot = 0;

  while (slot < reader[ridx].nprov) {
    if (memcmp(provid, &reader[ridx].prid[slot][2], 2) == 0)
      return (slot);
    slot++;
  }
  return (-1);
}
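/*
 * Send one ECM to the card and fetch the control words.
 *
 * er->ecm layout as used here: [1..2] section length (12 bits),
 * [3..4] provider id, [7] key number, [8..] payload sent to the card.
 * On success 16 bytes of control words are copied into er->cw.
 *
 * Returns 1 on success; 0 when the length field is unusable, the provider is
 * unknown or expired, a card command fails (hidden return inside
 * write_cmd/read_cmd) or the card answers with a status other than 90 00.
 *
 * The command templates are static and patched in place, so this function
 * is not reentrant.
 */
int seca_do_ecm(ECM_REQUEST *er)
{
  static unsigned char ins3c[] = { 0xc1,0x3c,0x00,0x00,0x00 }; // coding cw
  static unsigned char ins3a[] = { 0xc1,0x3a,0x00,0x00,0x10 }; // decoding cw
  static unsigned char ins30[] = { 0xC1, 0x30, 0x00, 0x02, 0x09 };
  static unsigned char ins30data[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF };
  int i;
  int ecm_length = ((er->ecm[1] & 0x0f) << 8) | er->ecm[2];
  int payload_len = ecm_length - 0x05;

  // The length comes from the ECM itself. It has to fit the one-byte length
  // field of the command; a value below 5 would otherwise wrap to a large
  // payload size and a value above 0x104 would be silently truncated.
  // NOTE(review): er->ecm + 8 + payload_len must also stay inside the ECM
  // buffer; its size is not visible here - confirm against ECM_REQUEST.
  if (payload_len < 0 || payload_len > 0xFF)
    return (0);

  i = get_prov_index((char *) er->ecm + 3);
  if ((i == -1) || (reader[ridx].availkeys[i][0] == 0)) // provider not found or expired
    return (0);

  ins3c[2] = i;
  ins3c[3] = er->ecm[7]; // key nr
  ins3c[4] = payload_len;

  // Dump exactly the header: ins3c holds 5 bytes, not 10.
  cs_debug("do_ecm:ins3c=%s", cs_hexdump(0, ins3c, sizeof(ins3c)));
  write_cmd(ins3c, er->ecm + 8); // ecm request
  cs_debug("do_ecm_answer:%02x%02x", cta_res[0], cta_res[1]);

  /* We need to use a token */
  if (cta_res[0] == 0x90 && cta_res[1] == 0x1a) {
    write_cmd(ins30, ins30data);
    cs_debug("do_ins30_answer:%02x%02x", cta_res[0], cta_res[1]);
    write_cmd(ins3c, er->ecm + 8); // ecm request, second attempt
    cs_debug("do_ecm_answer2:%02x%02x", cta_res[0], cta_res[1]);
  }

  if ((cta_res[0] != 0x90) || (cta_res[1] != 0x00))
    return (0);

  read_cmd(ins3a, NULL); // get cw's
  cs_debug("cwdump:%s", cs_hexdump(0, cta_res, 18));
  // exit if response is not 90 00 //TODO: if response is 9027 ppv mode is possible!
  if ((cta_res[16] != 0x90) || (cta_res[17] != 0x00))
    return (0);

  memcpy(er->cw, cta_res, 16);
  return (1);
}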
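/*
 * Filter one EMM and, when it is addressed to this card, send it.
 *
 * ep->emm[0] selects the kind of EMM:
 *   0x84 shared: provider id at [3..4], shared address at [5..7],
 *                payload from offset 10
 *   0x82 unique: card serial at [3..8], provider id at [9..10],
 *                payload from offset 13
 *   0x88/0x89:   logged only, never sent
 * ep->type is set to ep->emm[0].
 *
 * Returns 1 when the card accepted the update (or reported that none was
 * needed) and the provider info could be re-read; 0 in every other case,
 * including the hidden return inside write_cmd.
 *
 * The command template is static and patched in place, so this function is
 * not reentrant.
 */
int seca_do_emm(EMM_PACKET *ep)
{
  static unsigned char ins40[] = { 0xc1,0x40,0x00,0x00,0x00 };
  int i, ins40data_offset;
  int payload_len;
  int emm_length = ((ep->emm[1] & 0x0f) << 8) + ep->emm[2];

  // NOTE(review): emm_length is taken from the packet (up to 0xFFF) and is
  // used as a dump length before anything is validated; the size of ep->emm
  // and of cs_hexdump's output buffer are not visible here - confirm both
  // can take emm_length + 3 bytes, or clamp the dump.
  cs_debug("EMM:%s", cs_hexdump(0, ep->emm, emm_length + 3));
  ep->type = ep->emm[0];
  switch (ep->type) {
    case 0x84: // shared EMM
    {
      // first find out prov id
      i = get_prov_index((char *) ep->emm + 3);
      if (i == -1)
        return (0);
      // prov id found, now test for SA (only first 3 bytes, custom byte does not count)
      if (memcmp(ep->emm + 5, reader[ridx].sa[i], 3)) {
        cs_log("EMM: Shared update did not match; EMM SA:%02X%02X%02X, provider %i, Reader SA:%s.", ep->emm[5], ep->emm[6], ep->emm[7], i + 1, cs_hexdump (0, reader[ridx].sa[i], 3));
        return (0);
      }
      cs_log("EMM: Shared update matched for EMM SA %02X%02X%02X, provider %i.", ep->emm[5], ep->emm[6], ep->emm[7], i + 1);
      payload_len = emm_length - 0x07;
      ins40[3] = ep->emm[9];
      ins40data_offset = 10;
      break;
    } // end shared EMM
    case 0x82: // unique EMM
    {
      // first test if UA matches
      if (memcmp(reader[ridx].hexserial + 2, ep->emm + 3, 6)) {
        cs_log("EMM: Unique update did not match; EMM Serial:%02X%02X%02X%02X%02X%02X, Reader Serial:%s.", ep->emm[3], ep->emm[4], ep->emm[5], ep->emm[6], ep->emm[7], ep->emm[8], cs_hexdump (0, reader[ridx].hexserial + 2, 6));
        return (0);
      }
      // then find out prov id
      i = get_prov_index((char *) ep->emm + 9);
      // Six serial bytes need six %02X; with five, emm[8] was printed as the
      // provider number and the real provider index was dropped.
      cs_log("EMM: Unique update matched EMM Serial:%02X%02X%02X%02X%02X%02X, provider %i.", ep->emm[3], ep->emm[4], ep->emm[5], ep->emm[6], ep->emm[7], ep->emm[8], i + 1);

      if (i == -1)
        return (0);
      payload_len = emm_length - 0x0A;
      ins40[3] = ep->emm[12];
      ins40data_offset = 13;
      break;
    } // end unique EMM
    case 0x88: // GA???
    case 0x89: // GA???
      cs_log("EMM: Congratulations, you have discovered a Global EMM on SECA. This has not been decoded yet, so send this output to authors:");
      cs_log("EMM: %s", cs_hexdump (0, ep->emm, emm_length));
      return 0; // no update took place
    default:
      return 0; // unknown
  } // end of switch

  // The payload length goes into a one-byte field. A length shorter than the
  // fixed part would wrap to a large value, a longer one would be truncated;
  // both would make card_write() copy the wrong number of bytes.
  if (payload_len < 0 || payload_len > 0xFF) {
    cs_log("EMM: invalid length %i, update ignored.", emm_length);
    return (0);
  }
  ins40[4] = payload_len;

  ins40[2] = i;
  cs_debug("do_emm:ins40=%02x%02x%02x%02x%02x first 16 bytes of ins40data=%s", ins40[0], ins40[1], ins40[2], ins40[3], ins40[4], cs_hexdump (0, ep->emm + ins40data_offset, 16));
  write_cmd(ins40, ep->emm + ins40data_offset); // emm request
  cs_debug("emmdump:%s", cs_hexdump(0, cta_res, 18));
//TODO  if ((cta_res[16] != 0x90) || (cta_res[17] != 0x00)) return (0);
//  if ((cta_res[16] != 0x90) || (cta_res[17] != 0x19))
//    seca_card_init(); //if return code = 90 19 then PPUA changed. //untested!!
//  else
  if (cta_res[0] == 0x97) {
    cs_log("EMM: Update not necessary.");
    return (1); // Update not necessary
  }
  if ((cta_res[0] == 0x90) && ((cta_res[1] == 0x00) || (cta_res[1] == 0x19))) {
    if (set_provider_info(i) != 0) // after successful EMM, print new provider info
      return (1);
  }
  return (0);
}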
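/*
 * Read and log the Package BitMap (PBM) record of every provider slot.
 *
 * Seca PBM records can be used to determine whether a channel is part of a
 * package the card can decrypt. They cannot be used here to check the
 * channel, because that information seems to reside in the CA descriptor,
 * which seems not to be passed on through servers like camd, newcamd,
 * radegast etc. The result is therefore only logged, never acted upon.
 *
 * Returns 1 after all slots 0..nprov-1 were queried and sets
 * reader[ridx].online; returns 0 (through the hidden return inside
 * write_cmd/read_cmd) as soon as a card command fails, in which case the
 * online flag is not set.
 */
int seca_card_info (void)
{
  static unsigned char ins34[] = {
    0xc1, 0x34, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00
  }; // bytes 5..7 are the payload: provider Package Bitmap Records
  static unsigned char ins32[] = {
    0xc1, 0x32, 0x00, 0x00, 0x20
  }; // get PBM
  int prov;

  for (prov = 0; prov < reader[ridx].nprov; prov++) {
    uchar pbm[8]; // TODO should be arrayed per prov

    ins32[2] = prov;
    write_cmd(ins34, ins34 + 5); // prepare card for pbm request
    read_cmd(ins32, NULL);       // pbm request

    switch (cta_res[0]) {
      case 0x04:
        cs_log("No PBM for provider %i", prov + 1);
        break;
      case 0x83:
        cs_debug("PBM dump for provider%i: %s", prov + 1, cs_hexdump (0, cta_res, 32));
        memcpy(pbm, cta_res + 1, 8);
        cs_log("PBM for provider %i: %s", prov + 1, cs_hexdump (0, pbm, 8));
        break;
      default:
        cs_log("ERROR: PBM returns unknown byte %02x", cta_res[0]);
        break;
    }
  }

  reader[ridx].online = 1; // by okmikel
  return (1);
}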