Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: trunk/reader-viaccess.c

Last change on this file was 11492, checked in by Gorgone Impertinence, 17 months ago

eliminate build warnings by using the integrated function

cs_strncpy instead of strncpy

Property svn:eol-style set to LF

File size: 75.0 KB

Line
1	#include "globals.h"
2	#ifdef READER_VIACCESS
3	#include "oscam-aes.h"
4	#include "oscam-time.h"
5	#include "oscam-emm.h"
6	#include "reader-common.h"
7	#include "cscrypt/des.h"
8	#include "oscam-work.h"
9
10	struct geo_cache
11	{
12	uint32_t provid;
13	uint8_t geo[256];
14	uint8_t geo_len;
15	int32_t number_ecm;
16	};
17
18	struct viaccess_data
19	{
20	struct geo_cache last_geo;
21	uint8_t availkeys[CS_MAXPROV][16];
22	};
23
24	struct via_date
25	{
26	uint16_t day_s : 5;
27	uint16_t month_s : 4;
28	uint16_t year_s : 7;
29
30	uint16_t day_e : 5;
31	uint16_t month_e : 4;
32	uint16_t year_e : 7;
33	};
34
35	static void parse_via_date(const uint8_t buf, struct via_date vd, int32_t fend)
36	{
37	uint16_t date;
38
39	date = (buf[0] << 8) \| buf[1];
40	vd->day_s = date & 0x1f;
41	vd->month_s = (date >> 5) & 0x0f;
42	vd->year_s = (date >> 9) & 0x7f;
43
44	if(fend)
45	{
46	date = (buf[2] << 8) \| buf[3];
47	vd->day_e = date & 0x1f;
48	vd->month_e = (date >> 5) & 0x0f;
49	vd->year_e = (date >> 9) & 0x7f;
50	}
51	}
52
53	struct emm_rass find_rabuf(struct s_client client, int32_t provid, uint8_t nano, int8_t add)
54	{
55	struct emm_rass *e;
56	LL_ITER it;
57
58	if(!client->ra_buf)
59	{
60	client->ra_buf = ll_create("client->ra_buf");
61	}
62
63	it = ll_iter_create(client->ra_buf);
64
65	while((e = ll_iter_next(&it)) != NULL)
66	{
67	if(!add && e->provid == provid && e->emmlen != 0)
68	{
69	return e;
70	}
71
72	if(add && e->provid == provid && e->emm[0] == nano)
73	{
74	return e;
75	}
76	}
77
78	if(!add)
79	{
80	return NULL;
81	}
82
83	if(!cs_malloc(&e, sizeof(struct emm_rass)))
84	{
85	return NULL;
86	}
87
88	e->provid = provid;
89	ll_append(client->ra_buf, e);
90	return e;
91	}
92
93	static void show_class(struct s_reader reader, const char p, uint32_t provid, const uint8_t *b, int32_t l)
94	{
95	int32_t i, j;
96
97	// b -> via date (4 uint8_ts)
98	b += 4;
99	l -= 4;
100
101	j = l - 1;
102	for(; j >= 0; j--)
103	{
104	for(i = 0; i < 8; i++)
105	{
106	if(b[j] & (1 << (i & 7)))
107	{
108	uint8_t cls;
109	struct via_date vd;
110	parse_via_date(b - 4, &vd, 1);
111	cls = (l - (j + 1)) * 8 + i;
112
113	if(p) // just show class info, dont add entitlement!
114	{
115	rdr_log(reader, "%sclass: %02X, expiry date: %04d/%02d/%02d - %04d/%02d/%02d", p, cls,
116	vd.year_s + 1980, vd.month_s, vd.day_s,
117	vd.year_e + 1980, vd.month_e, vd.day_e);
118	}
119	else
120	{
121	rdr_log(reader, "class: %02X, expiry date: %04d/%02d/%02d - %04d/%02d/%02d", cls,
122	vd.year_s + 1980, vd.month_s, vd.day_s,
123	vd.year_e + 1980, vd.month_e, vd.day_e);
124
125	//convert time:
126	time_t start_t, end_t;
127	struct tm tm;
128	memset(&tm, 0, sizeof(tm));
129	tm.tm_year = vd.year_s + 80; //via year starts in 1980, tm_year starts in 1900
130	tm.tm_mon = vd.month_s - 1; // january is 0 in tm_mon
131	tm.tm_mday = vd.day_s;
132	start_t = cs_timegm(&tm);
133
134	tm.tm_year = vd.year_e + 80; //via year starts in 1980, tm_year starts in 1900
135	tm.tm_mon = vd.month_e - 1; // january is 0 in tm_mon
136	tm.tm_mday = vd.day_e;
137	end_t = cs_timegm(&tm);
138	cs_add_entitlement(reader, reader->caid, provid, cls, cls, start_t, end_t, 5, 1);
139	}
140	}
141	}
142	}
143	}
144
145	static int8_t add_find_class(struct s_reader reader, uint32_t provid, const uint8_t b, int32_t l, int8_t add)
146	{
147	int32_t i, j, freshdate = 0;
148
149	// b -> via date (4 uint8_ts)
150	b += 4;
151	l -= 4;
152
153	j = l - 1;
154	for(; j >= 0; j--)
155	{
156	for(i = 0; i < 8; i++)
157	{
158	if(b[j] & (1 << (i & 7)))
159	{
160	uint8_t cls;
161	cls = (l - (j + 1)) * 8 + i;
162	if(cs_add_entitlement(reader, reader->caid, provid, cls, cls, 0, 0, 5, 0) == NULL && !add)
163	{
164	rdr_log(reader, "provid %06X class %02X not found", provid, cls);
165	freshdate = 1;
166	}
167	else
168	{
169	if(!add)
170	{
171	rdr_log(reader, "provid %06X has matching class %02X", provid, cls);
172	}
173	struct via_date vd;
174	parse_via_date(b - 4, &vd, 1);
175	time_t start_t, end_t;
176	struct tm tm;
177
178	//convert time:
179	memset(&tm, 0, sizeof(tm));
180	tm.tm_year = vd.year_s + 80; // via year starts in 1980, tm_year starts in 1900
181	tm.tm_mon = vd.month_s - 1; // january is 0 in tm_mon
182	tm.tm_mday = vd.day_s;
183	start_t = cs_timegm(&tm);
184
185	tm.tm_year = vd.year_e + 80; // via year starts in 1980, tm_year starts in 1900
186	tm.tm_mon = vd.month_e - 1; // january is 0 in tm_mon
187	tm.tm_mday = vd.day_e;
188	end_t = cs_timegm(&tm);
189
190	if(cs_add_entitlement(reader, reader->caid, provid, cls, cls, start_t, end_t, 5, add) != NULL)
191	{
192	if(!add)
193	{
194	rdr_log(reader, "class %02X provid %06X has already this daterange or newer entitled", cls, provid);
195	}
196	}
197	else
198	{
199	freshdate = 1;
200	}
201	}
202	}
203	}
204	}
205
206	if(freshdate == 0)
207	{
208	return -2;
209	}
210
211	return 1; // emmdate is fresh!
212	}
213
214	static void show_subs(struct s_reader reader, const uint8_t emm)
215	{
216	switch(emm[0])
217	{
218	case 0xA9:
219	{
220	show_class(reader, "nano A9: ", 1, emm + 2, emm[1]);
221	break;
222	}
223
224	case 0xA6:
225	{
226	char szGeo[256];
227
228	memset(szGeo, 0, 256);
229	cs_strncpy(szGeo, (char *)emm + 2, emm[1]);
230	rdr_log(reader, "nano A6: geo %s", szGeo);
231	break;
232	}
233
234	case 0xB6:
235	{
236	uint8_t m; // modexp
237	struct via_date vd;
238
239	m = emm[emm[1] + 1];
240	parse_via_date(emm + 2, &vd, 0);
241	rdr_log(reader, "nano B6: modexp %d%d%d%d%d%d: %02d/%02d/%04d",
242	(m & 0x20) ? 1 : 0,
243	(m & 0x10) ? 1 : 0,
244	(m & 0x08) ? 1 : 0,
245	(m & 0x04) ? 1 : 0,
246	(m & 0x02) ? 1 : 0,
247	(m & 0x01) ? 1 : 0,
248	vd.day_s, vd.month_s, vd.year_s + 1980);
249	break;
250	}
251	}
252	}
253
254	static int32_t chk_prov(struct s_reader reader, uint8_t id, uint8_t keynr)
255	{
256	struct viaccess_data *csystem_data = reader->csystem_data;
257	int32_t i, j, rc;
258
259	for(rc = i = 0; (!rc) && (i < reader->nprov); i++)
260	{
261	if(!memcmp(&reader->prid[i][1], id, 3))
262	{
263	for(j = 0; (!rc) && (j < 16); j++)
264	{
265	if(csystem_data->availkeys[i][j] == keynr)
266	{
267	rc = 1;
268	}
269	}
270	}
271	}
272	return (rc);
273	}
274
275	static int32_t get_maturity(struct s_reader *reader)
276	{
277	/* retrieve maturity rating on the card */
278
279	def_resp;
280
281	uint8_t insac[] = { 0xca, 0xac, 0x00, 0x00, 0x00 }; // select data
282	uint8_t insb8[] = { 0xca, 0xb8, 0x00, 0x00, 0x00 }; // read selected data
283
284	insac[2] = 0x06;
285	write_cmd(insac, NULL); // request maturity rating
286
287	insb8[4] = 0x02;
288	write_cmd(insb8, NULL); // read maturity rating nano + len
289
290	insb8[4] = cta_res[1];
291	write_cmd(insb8, NULL); // read maturity rating
292
293	reader->maturity = cta_res[cta_lr - 3] & 0x0F;
294	if (reader->maturity < 0xF)
295	{
296	rdr_log(reader, "Maturity level [%X]= older than %i years", reader->maturity, reader->maturity);
297	}
298	else
299	{
300	rdr_log(reader, "Maturity level [%X]=no age limit", reader->maturity);
301	}
302	return 0;
303	}
304
305	static int32_t unlock_parental(struct s_reader *reader)
306	{
307	/* disabling parental lock. assuming pin "0000" if no pin code is provided in the config */
308
309	static const uint8_t inDPL[] = { 0xca, 0x24, 0x02, 0x00, 0x09 };
310	uint8_t cmDPL[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F };
311	def_resp;
312
313	if(strcmp(reader->pincode, "none"))
314	{
315	rdr_log(reader, "Using PIN %s", reader->pincode);
316	// the pin need to be coded in bcd, so we need to convert from ascii to bcd, so '1234' -> 0x12 0x34
317	cmDPL[6] = ((reader->pincode[0] - 0x30) << 4) \| ((reader->pincode[1] - 0x30) & 0x0f);
318	cmDPL[7] = ((reader->pincode[2] - 0x30) << 4) \| ((reader->pincode[3] - 0x30) & 0x0f);
319	}
320	else
321	{
322	rdr_log(reader, "Using PIN 0000!");
323	}
324	write_cmd(inDPL, cmDPL);
325
326	if(!(cta_res[cta_lr - 2] == 0x90 && cta_res[cta_lr - 1] == 0))
327	{
328	if(strcmp(reader->pincode, "none"))
329	{
330	rdr_log(reader, "Can't disable parental lock. Wrong PIN? OSCam used %s!", reader->pincode);
331	}
332	else
333	{
334	rdr_log(reader, "Can't disable parental lock. Wrong PIN? OSCam used 0000!");
335	}
336	}
337	else
338	{
339	rdr_log(reader, "Parental lock disabled");
340	get_maturity(reader);
341	}
342
343	return 0;
344	}
345
346	int32_t hdSurEncBasicCrypt_D2_0F_11(int32_t Value, int32_t XorVal)
347	{
348	int32_t i = (Value << 13) - Value + 0x1B59;
349	i = (i * Value) + 0x07CF;
350	return (i ^ XorVal);
351	}
352
353	int32_t hdSurEncCryptLookup_D2_0F_11(uint8_t Value, uint8_t AddrInd)
354	{
355	static const uint8_t lookup[] =
356	{
357	0x94, 0xB2, 0xA9, 0x79, 0xC4, 0xC7, 0x0D, 0x36, 0x6F, 0x24, 0x11, 0xD1, 0xDB, 0x59, 0xD2, 0xA5,
358	0xE1, 0x00, 0xD4, 0x97, 0xA3, 0x2B, 0x11, 0xFA, 0x5F, 0xF1, 0xC1, 0x44, 0xBF, 0x9B, 0x5A, 0xC8,
359	0xF1, 0xE1, 0x99, 0x82, 0x0E, 0xB2, 0x01, 0x09, 0x0C, 0xC8, 0xB3, 0x3B, 0xD1, 0x80, 0x50, 0xE8,
360	0xF5, 0x52, 0x4C, 0xE6, 0x82, 0xAC, 0x58, 0x40, 0xD4, 0x71, 0x87, 0x52, 0x06, 0xEA, 0xA6, 0x27,
361	0xB7, 0xFE, 0x6C, 0x49, 0x47, 0x3B, 0x70, 0x6C, 0xEB, 0xCD, 0xC5, 0x0B, 0x8C, 0x31, 0x29, 0x42,
362	0x4E, 0x10, 0x2B, 0x2D, 0x46, 0xEC, 0x39, 0xA3, 0x90, 0x4B, 0x25, 0x60, 0x9C, 0x62, 0xD4, 0x20,
363	0xF6, 0x16, 0xA8, 0x9C, 0xE4, 0x20, 0xED, 0xC7, 0xBA, 0x5E, 0xB6, 0x4E, 0x03, 0x15, 0xA6, 0xF6,
364	0x23, 0x98, 0x32, 0xC0, 0xAE, 0xA3, 0xFD, 0xD3, 0x7F, 0xF8, 0xED, 0xF0, 0x29, 0x29, 0x12, 0xB3,
365	0xB7, 0x58, 0xAD, 0xA2, 0x58, 0x2C, 0x70, 0x1B, 0xA4, 0x25, 0xE8, 0xA5, 0x43, 0xF1, 0xB9, 0x8F,
366	0x1E, 0x3B, 0x10, 0xDF, 0x52, 0xFE, 0x58, 0x29, 0xAD, 0x3F, 0x99, 0x4D, 0xDF, 0xD2, 0x08, 0x06,
367	0xA1, 0x1C, 0x66, 0x29, 0x26, 0x80, 0x52, 0x8A, 0x5A, 0x73, 0xE7, 0xDF, 0xC1, 0xC4, 0x47, 0x82,
368	0xAB, 0x5C, 0x32, 0xAE, 0x96, 0x04, 0x2B, 0xC3, 0x2D, 0x5A, 0xD2, 0xB0, 0x64, 0x88, 0x97, 0xBF,
369	0x7E, 0x99, 0x60, 0xCC, 0x63, 0x76, 0x66, 0xE9, 0x9A, 0x3D, 0xBB, 0xF7, 0x7F, 0xE4, 0x7C, 0x3F,
370	0xB8, 0x4D, 0x10, 0x8D, 0x2A, 0xEA, 0x3C, 0xD3, 0x03, 0x74, 0xE6, 0x46, 0xC0, 0x29, 0xAE, 0xB0,
371	0x79, 0xBE, 0xCB, 0x18, 0x34, 0xBE, 0x5A, 0xE9, 0x19, 0x8F, 0xA3, 0x8F, 0xD6, 0x6A, 0x6C, 0x88,
372	0x1E, 0x21, 0x08, 0x15, 0xC4, 0xE7, 0xE6, 0xBA, 0x97, 0x9C, 0x4F, 0x89, 0x9F, 0x1A, 0x67, 0x4F,
373	0xC0, 0xD5, 0x72, 0x51, 0x16, 0xB4, 0xD3, 0x8A, 0x1F, 0xE3, 0x92, 0x02, 0x7F, 0x59, 0x56, 0x8F,
374	0x07, 0x8D, 0xC1, 0xC2, 0x42, 0x69, 0x3C, 0xA6, 0xBF, 0x3D, 0xDF, 0x0D, 0xAA, 0x4F, 0x7E, 0x80,
375	0x07, 0x11, 0xE2, 0x94, 0x19, 0x9B, 0x16, 0x26, 0x1A, 0x46, 0x09, 0x0D, 0xB5, 0xB8, 0x8E, 0x01,
376	0x9C, 0xFE, 0x09, 0xB3, 0x60, 0xC2, 0xAE, 0x50, 0x3C, 0x68, 0x75, 0x4A, 0x57, 0xD8, 0x4F, 0xD7,
377	0xA2, 0x76, 0x2C, 0xC1, 0xA2, 0x23, 0xBC, 0x54, 0x2A, 0xDD, 0xF3, 0xDD, 0xA7, 0x34, 0xF7, 0x5C,
378	0xF4, 0x86, 0x23, 0x48, 0x7C, 0x3F, 0x05, 0x40, 0x0E, 0xB0, 0xE5, 0xEB, 0x3E, 0xDF, 0x6A, 0x83,
379	0x65, 0xA0, 0xB2, 0x06, 0xD1, 0x40, 0x79, 0x0D, 0xDE, 0x95, 0x84, 0x96, 0x87, 0x6F, 0xCE, 0x48,
380	0x24, 0x13, 0x0B, 0xF5, 0xC7, 0xF5, 0xA8, 0x7F, 0x2E, 0xC7, 0xE1, 0xBA, 0xAE, 0x2B, 0xF7, 0xF0,
381	0x8E, 0xF7, 0x54, 0x0B, 0xF0, 0xD2, 0x41, 0x81, 0x68, 0x3B, 0x1E, 0x35, 0xAB, 0xD9, 0x2B, 0x46,
382	0x57, 0xE8, 0x53, 0xDF, 0xDE, 0x10, 0xEF, 0xCB, 0x4C, 0xE0, 0x52, 0x18, 0x2C, 0x4E, 0xB9, 0x20,
383	0xE9, 0x7E, 0x85, 0xDF, 0x75, 0x32, 0xE6, 0x10, 0xE9, 0x9C, 0x7B, 0x2E, 0x4C, 0xDA, 0x46, 0xE6,
384	0xCC, 0x77, 0x36, 0x1D, 0x4A, 0x15, 0xF5, 0x32, 0x18, 0x6B, 0x7E, 0xAA, 0xCC, 0x97, 0xCC, 0xD1,
385	0x2F, 0xE5, 0x58, 0x03, 0x35, 0x35, 0x3D, 0xA0, 0x2B, 0x13, 0x3A, 0x65, 0xFF, 0x24, 0x72, 0xCF,
386	0xA7, 0x6D, 0x52, 0x55, 0xF6, 0xC2, 0x30, 0x23, 0x7D, 0x9B, 0x9E, 0xB0, 0x94, 0x02, 0xAD, 0x60,
387	0x8A, 0x9F, 0xBC, 0xC8, 0xE4, 0x2B, 0x92, 0x96, 0xF5, 0xAE, 0x04, 0xA4, 0x33, 0x0C, 0x90, 0x67,
388	0xF0, 0xB9, 0x1E, 0x7E, 0xBE, 0x02, 0x18, 0xB2, 0x03, 0xB6, 0x40, 0xBF, 0x05, 0xE3, 0x76, 0x98,
389	0x21, 0x38, 0xC9, 0x5F, 0xD3, 0x51, 0x8B, 0x43, 0x0B, 0x1A, 0x0B, 0xF9, 0x3C, 0x21, 0x6C, 0x3D,
390	0xB8, 0xA0, 0x57, 0xCA, 0x68, 0xCD, 0x1E, 0xD2, 0x2C, 0x50, 0xEE, 0xC0, 0xDF, 0x25, 0x88, 0x52,
391	0x37, 0xE1, 0x44, 0xC6, 0x76, 0x3B, 0x91, 0x95, 0x86, 0x76, 0x87, 0x49, 0x21, 0x93, 0x44, 0x0A,
392	0x52, 0xB9, 0x2D, 0x2B, 0xE3, 0x1D, 0xB0, 0xE4, 0x98, 0xC6, 0xEE, 0x3D, 0x96, 0x53, 0x4B, 0xFF,
393	0x39, 0x00, 0xD5, 0x42, 0x7E, 0xE1, 0x4C, 0x6F, 0xD5, 0xB7, 0xE6, 0x99, 0x2A, 0x5B, 0x67, 0xEE,
394	0x3E, 0xBA, 0xF7, 0xEC, 0x43, 0x2A, 0x1C, 0xB6, 0xB5, 0x04, 0x26, 0x59, 0xB1, 0x4C, 0x17, 0xCC,
395	0x83, 0xB9, 0x00, 0x3E, 0x36, 0x91, 0x90, 0xF7, 0x5E, 0x38, 0xDC, 0xE4, 0x15, 0xC7, 0x67, 0xF0,
396	0xCA, 0xC8, 0xD2, 0x91, 0x5D, 0x74, 0xAC, 0x97, 0x56, 0x36, 0x1A, 0x82, 0x0A, 0xAA, 0xB4, 0x4E,
397	0xBF, 0x29, 0x5C, 0xBF, 0x58, 0xB3, 0x97, 0xF9, 0xEB, 0x7C, 0x85, 0xB4, 0xA5, 0x13, 0x2F, 0xD1,
398	0xDE, 0x1C, 0xEC, 0x97, 0xDD, 0xE2, 0x39, 0xE4, 0xFB, 0x0A, 0x02, 0xE0, 0xC3, 0xBA, 0x39, 0x79,
399	0xAA, 0x1C, 0x37, 0x75, 0x25, 0x54, 0xBE, 0x85, 0x74, 0x2C, 0xFA, 0x0C, 0xFA, 0x50, 0xF6, 0xBE,
400	0x9F, 0x2A, 0x53, 0x7C, 0x27, 0x46, 0x68, 0x2D, 0x74, 0x2B, 0x46, 0xDA, 0xF5, 0x07, 0x95, 0x09,
401	0x6A, 0x91, 0xB7, 0xB1, 0x34, 0x07, 0x5F, 0xEA, 0xBE, 0x0F, 0x87, 0x28, 0x68, 0x97, 0x43, 0x77,
402	0xD5, 0x38, 0x2B, 0x11, 0x11, 0x4F, 0xD9, 0x75, 0x5E, 0xE1, 0x06, 0xA0, 0x3B, 0xAC, 0x32, 0xFE,
403	0xBF, 0x73, 0x59, 0x5B, 0xA2, 0xA8, 0x7E, 0x10, 0x4C, 0x6E, 0x78, 0xF0, 0x4A, 0x4E, 0x95, 0xD6,
404	0xDD, 0x05, 0x7A, 0xBB, 0xF1, 0xEB, 0xA8, 0xA4, 0x5D, 0x91, 0xF0, 0xED, 0xDB, 0xB8, 0x01, 0x41,
405	0xF8, 0x97, 0x7F, 0xC3, 0x91, 0x53, 0xBF, 0xE9, 0xEA, 0x33, 0x1F, 0xDC, 0xA6, 0xE6, 0x8D, 0xCB,
406	0x75, 0xD0, 0x69, 0xD0, 0xA4, 0x59, 0xA5, 0x02, 0xFC, 0x60, 0x0D, 0x6A, 0xA0, 0x05, 0x1A, 0x54,
407	0x8A, 0xA7, 0x57, 0xA3, 0xF0, 0x90, 0x8A, 0xD5, 0x6F, 0x1E, 0x2E, 0x10, 0x9A, 0x93, 0x2B, 0x51,
408	0x2C, 0xFD, 0x99, 0xE5, 0x9B, 0x5D, 0xB2, 0xA7, 0x37, 0x99, 0x26, 0x35, 0xCA, 0xDD, 0x22, 0x19,
409	0x59, 0x2A, 0xB0, 0x99, 0x23, 0xDF, 0xA7, 0xA9, 0x85, 0x12, 0xCF, 0xBF, 0xFC, 0x74, 0x80, 0x87,
410	0xE1, 0x97, 0xD0, 0xF9, 0xEF, 0x5F, 0x1B, 0x45, 0xF7, 0x76, 0xDB, 0x66, 0x39, 0x05, 0x43, 0x06,
411	0xA9, 0x9F, 0x2E, 0x14, 0x9F, 0x1C, 0x0C, 0x1F, 0xD5, 0xD9, 0xA4, 0x8D, 0x18, 0x6F, 0x08, 0x53,
412	0x0B, 0x92, 0x9A, 0x0C, 0xEA, 0x4C, 0xE4, 0x1D, 0x9E, 0x9A, 0x51, 0xB8, 0x7E, 0x2D, 0xE7, 0x3C,
413	0xFF, 0x84, 0x5C, 0xBF, 0x8F, 0x8C, 0x89, 0x09, 0x1B, 0x7E, 0x4B, 0xE7, 0x85, 0xEC, 0x04, 0xB5,
414	0x20, 0x18, 0x1E, 0x55, 0xD5, 0x5B, 0xAC, 0xC6, 0x25, 0x5A, 0xA1, 0x81, 0xC1, 0x31, 0x9C, 0xF5,
415	0xB5, 0x54, 0x07, 0x65, 0x0A, 0x5B, 0x90, 0x06, 0x4F, 0x84, 0xB2, 0x7F, 0xD1, 0xAD, 0x16, 0x81,
416	0x25, 0xAF, 0xAF, 0xE2, 0x03, 0xA9, 0x1F, 0x13, 0x02, 0x5D, 0x54, 0x89, 0xCD, 0x44, 0x51, 0xEB,
417	0xA4, 0x2B, 0xBD, 0x47, 0xB0, 0xB6, 0x27, 0x1D, 0x9B, 0x14, 0x6F, 0xBF, 0xCD, 0x59, 0xBC, 0x0A,
418	0x37, 0xA8, 0x74, 0x7D, 0x16, 0x90, 0x28, 0xD5, 0x94, 0xC3, 0xE4, 0x23, 0xC4, 0x98, 0x91, 0xCE,
419	0x55, 0xBD, 0x21, 0x3B, 0x84, 0xBD, 0x44, 0x3C, 0xF9, 0xCD, 0x37, 0x43, 0x4A, 0xC6, 0x8C, 0x23,
420	0x04, 0x28, 0x63, 0x7A, 0x03, 0x85, 0xD2, 0x46, 0x93, 0xCA, 0xFE, 0xC3, 0x83, 0x0B, 0x13, 0xCC,
421	0x5D, 0xCB, 0xBA, 0xCA, 0x68, 0xAB, 0x05, 0xF7, 0xEC, 0x4A, 0x9C, 0x0F, 0xD5, 0xC4, 0x5A, 0xA5,
422	0xA0, 0x04, 0x41, 0x6A, 0xF6, 0xEF, 0x16, 0x9B, 0x69, 0x38, 0xF6, 0x2D, 0xAA, 0xEB, 0x2D, 0xE2,
423	0x82, 0xA2, 0x9F, 0x6F, 0xBD, 0x2A, 0xE3, 0x66, 0x6B, 0x21, 0xDA, 0x56, 0xAD, 0x82, 0x2B, 0x93,
424	0xF3, 0x25, 0xEA, 0xFC, 0xFD, 0xFD, 0x1B, 0xA9, 0xFC, 0xB8, 0xC6, 0x98, 0x45, 0xF2, 0x70, 0x03,
425	0x4A, 0x9C, 0x60, 0x82, 0x65, 0xB6, 0x68, 0x4C, 0xE7, 0x41, 0x10, 0x9D, 0x59, 0x40, 0x03, 0x02,
426	0x07, 0x12, 0x33, 0xAF, 0x79, 0xE1, 0xC4, 0xEB, 0xB8, 0xCE, 0x6A, 0x90, 0x72, 0x61, 0x5D, 0x56,
427	0xC7, 0x59, 0x31, 0xCB, 0x45, 0x2D, 0x42, 0x9F, 0x10, 0x1D, 0x09, 0x63, 0x59, 0x8C, 0x6C, 0xDB,
428	0x11, 0xCF, 0xA1, 0xDF, 0x5F, 0x4D, 0xDF, 0xB4, 0xC3, 0x82, 0xEE, 0x58, 0x16, 0xB4, 0x74, 0xFA,
429	0xBE, 0x11, 0x9C, 0x1E, 0x98, 0x29, 0xDE, 0xE3, 0xE5, 0x9E, 0xCF, 0xD7, 0x91, 0x0A, 0xA3, 0xA4,
430	0x42, 0xA1, 0x95, 0x09, 0x9E, 0x16, 0xD5, 0xA8, 0x24, 0x56, 0x5B, 0x23, 0xC8, 0x56, 0x4C, 0xCB,
431	0x89, 0x18, 0x69, 0xEB, 0x0C, 0x1F, 0xC0, 0x41, 0x5C, 0x63, 0x04, 0x68, 0xB2, 0x0F, 0x3F, 0x88,
432	0x36, 0xDD, 0x23, 0x4D, 0x4C, 0xC0, 0x81, 0xE3, 0xE9, 0xAD, 0xE0, 0x27, 0xD5, 0xE5, 0x46, 0xEB,
433	0xFF, 0x32, 0xA2, 0xB7, 0x14, 0x64, 0x0B, 0x6D, 0x1B, 0xE5, 0xD8, 0xAE, 0x9D, 0xE8, 0x55, 0xB9,
434	0x52, 0x70, 0x59, 0xB8, 0x72, 0x92, 0x69, 0x37, 0x95, 0x61, 0x0A, 0xE5, 0xF6, 0x55, 0x97, 0x1D,
435	0xBF, 0xF7, 0x29, 0x77, 0x0F, 0x72, 0x80, 0xB2, 0x7E, 0x56, 0xBF, 0xFD, 0xE9, 0xF5, 0x9B, 0x62,
436	0xE9, 0xBD, 0x0B, 0xC2, 0x07, 0x55, 0x31, 0x4C, 0x57, 0x3A, 0x05, 0xB9, 0x27, 0x41, 0x4A, 0xC3,
437	0xEC, 0x72, 0x20, 0xB3, 0x0C, 0xF9, 0xD9, 0x3A, 0x14, 0x6A, 0x03, 0x44, 0x6A, 0xF1, 0x41, 0x55,
438	0x7F, 0x81, 0xC2, 0x04, 0xA8, 0x05, 0xB9, 0x49, 0x2E, 0x43, 0xC4, 0x00, 0x87, 0x86, 0x04, 0xAC,
439	0xAF, 0x73, 0x78, 0x0E, 0xA4, 0x43, 0x5B, 0x36, 0xA2, 0x8F, 0x9C, 0xF7, 0x66, 0x4A, 0x5A, 0x09,
440	0x6B, 0xAA, 0x69, 0x6F, 0xB1, 0x20, 0x0D, 0x56, 0x85, 0x0A, 0x5E, 0x06, 0xBF, 0xE2, 0x32, 0xB4,
441	0x5C, 0x46, 0x33, 0x0D, 0x27, 0xA3, 0x6B, 0xE1, 0xB2, 0x6A, 0x7D, 0x4A, 0xA7, 0x81, 0x0F, 0x2B,
442	0x16, 0x7C, 0x51, 0xD6, 0xC0, 0x3D, 0xB9, 0xFE, 0xB4, 0x66, 0xC4, 0xB6, 0x54, 0x53, 0x67, 0xDA,
443	0x70, 0x96, 0x9A, 0x0A, 0x07, 0x1A, 0x26, 0xBA, 0x85, 0x50, 0xF5, 0x27, 0x53, 0x9C, 0x3A, 0x94,
444	0x0A, 0x7D, 0xDB, 0xE1, 0xC3, 0xE3, 0x6A, 0x3E, 0x9E, 0xD5, 0x13, 0x0A, 0xA3, 0xD2, 0x21, 0x75,
445	0x79, 0x17, 0x26, 0xAC, 0x48, 0x5F, 0x3D, 0xE1, 0x7D, 0xA4, 0xB1, 0x56, 0x0F, 0x92, 0x2C, 0x60,
446	0xE6, 0xCB, 0x87, 0x35, 0xB8, 0x75, 0xC3, 0xA2, 0x03, 0x50, 0x4B, 0xA2, 0x6E, 0x01, 0xE1, 0xDD,
447	0x87, 0xA5, 0x33, 0xC6, 0x2F, 0xA2, 0x41, 0xFC, 0x72, 0x98, 0xA2, 0x69, 0x4C, 0x3F, 0xF0, 0x53,
448	0xF5, 0x41, 0x2B, 0x23, 0x24, 0x3B, 0xCE, 0x9D, 0x39, 0x31, 0x17, 0x08, 0xE1, 0x3F, 0x5F, 0xFB,
449	0x00, 0xFA, 0xF1, 0xE3, 0xE1, 0x7B, 0x0C, 0xDF, 0x8D, 0xA2, 0xC4, 0xCD, 0x62, 0x3D, 0xAE, 0xC7,
450	0x48, 0x09, 0x1C, 0x66, 0xCB, 0x0E, 0x23, 0xE8, 0x1B, 0x9F, 0x1B, 0xCB, 0xF8, 0x14, 0xC3, 0x34,
451	0x91, 0x32, 0x2B, 0x39, 0x1C, 0xBA, 0x1C, 0xA0, 0x19, 0xF2, 0x57, 0x9D, 0x78, 0x00, 0x55, 0x1F,
452	0x15, 0x12, 0x9A, 0xA2, 0xF2, 0xC2, 0xB7, 0x4E, 0xEA, 0x46, 0x01, 0xC2, 0xE9, 0x76, 0xBF, 0xDE,
453	0xCF, 0x8B, 0xC7, 0x50, 0x80, 0xEE, 0x46, 0x91, 0x93, 0x1E, 0x5C, 0x48, 0x5D, 0xC8, 0xC8, 0x63,
454	0xD1, 0x89, 0x02, 0x29, 0xE9, 0x90, 0x9F, 0x0B, 0x0A, 0x1A, 0x44, 0x17, 0xE7, 0x4E, 0xAD, 0x58,
455	0x55, 0xF8, 0x38, 0xF6, 0x4F, 0xD8, 0x1C, 0x7E, 0x25, 0x9B, 0x59, 0x16, 0xBC, 0x65, 0x24, 0xC5,
456	0xA7, 0x56, 0xE5, 0x20, 0x3F, 0xD9, 0x27, 0xE0, 0x32, 0x24, 0xE1, 0x7B, 0xE1, 0x32, 0xEA, 0xF4,
457	0xFE, 0xD9, 0xA5, 0xFF, 0x35, 0xAE, 0xA9, 0x1B, 0x38, 0x28, 0x6A, 0xC0, 0x1A, 0x42, 0xD9, 0x5E,
458	0x14, 0x2C, 0xC2, 0x2D, 0x9B, 0x94, 0x5B, 0xCF, 0x83, 0x30, 0xB9, 0x06, 0xAF, 0x4B, 0xD7, 0xF6,
459	0x38, 0x7C, 0xFF, 0xB4, 0xA5, 0x1A, 0xA0, 0xE9, 0xF3, 0x01, 0xE3, 0x97, 0xC4, 0xA9, 0x57, 0xF5,
460	0xB9, 0x96, 0xA7, 0xA3, 0xB8, 0x10, 0x0E, 0xFB, 0x1D, 0x39, 0x44, 0x16, 0x97, 0x94, 0x3E, 0x5F,
461	0xAF, 0x0F, 0xE3, 0x99, 0xDC, 0xA0, 0xE9, 0x8D, 0x26, 0x2B, 0xD9, 0xAE, 0xEC, 0x4C, 0x4F, 0x09,
462	0x86, 0x7E, 0x7B, 0xC3, 0xE3, 0xC6, 0x17, 0xAE, 0x30, 0x9C, 0x31, 0xD1, 0x84, 0x47, 0xAF, 0xCB,
463	0xEA, 0x69, 0x2A, 0x08, 0x3E, 0x13, 0x00, 0xDE, 0xF6, 0x4A, 0x42, 0xD3, 0xBE, 0x33, 0xD9, 0x50,
464	0x6B, 0x8D, 0x59, 0x12, 0x1A, 0xD3, 0xA7, 0x7C, 0x0A, 0xE7, 0x87, 0x47, 0xCA, 0xAA, 0x33, 0xFD,
465	0xC1, 0xF6, 0x28, 0xC1, 0x62, 0xA2, 0x4C, 0x79, 0x83, 0x48, 0x86, 0x0E, 0xA4, 0x67, 0x34, 0x95,
466	0xAE, 0x7D, 0xD6, 0xEE, 0x91, 0x05, 0x35, 0x91, 0xE8, 0x34, 0x39, 0xA3, 0xE5, 0xE6, 0x80, 0x53,
467	0x76, 0x1F, 0x94, 0xA0, 0xF6, 0xA5, 0x41, 0x79, 0x82, 0xD3, 0xB0, 0x1F, 0xCE, 0xE1, 0x86, 0x64,
468	0x65, 0x0C, 0x8D, 0xD6, 0xFA, 0xC1, 0x10, 0x6C, 0x07, 0xD5, 0xF0, 0x77, 0x65, 0xB9, 0x0C, 0xBD,
469	0xAE, 0x2D, 0x62, 0x6C, 0x42, 0x7E, 0x2A, 0xBE, 0x5F, 0xC1, 0x17, 0x3B, 0x07, 0xFF, 0x5E, 0xD7,
470	0x31, 0x52, 0x26, 0x2F, 0x9F, 0x12, 0xD8, 0x2E, 0xA3, 0xF5, 0xB5, 0xD2, 0xFC, 0x6E, 0x08, 0x1F,
471	0xC8, 0x93, 0xA1, 0xEB, 0xF9, 0x13, 0x1D, 0x1F, 0x98, 0x5E, 0xB0, 0x0C, 0x65, 0x6C, 0xAE, 0x07,
472	0x78, 0xF8, 0x12, 0xD2, 0xD1, 0x1E, 0x77, 0x5C, 0x24, 0x62, 0xE5, 0x94, 0xD6, 0x6A, 0x8E, 0xD0,
473	0x72, 0x59, 0xDA, 0x48, 0x38, 0x2F, 0x31, 0x75, 0x0C, 0x52, 0xF0, 0x0C, 0x8F, 0x5C, 0xE9, 0x5E,
474	0x5A, 0x94, 0xE8, 0xD2, 0x80, 0xF8, 0x4F, 0xE7, 0xAA, 0x6C, 0xBE, 0x47, 0xFB, 0xDD, 0x57, 0x0A,
475	0xD8, 0x5E, 0xCC, 0x0D, 0x8F, 0x42, 0x5E, 0xDC, 0x5D, 0x95, 0x95, 0x60, 0x9B, 0x6F, 0x05, 0x5E,
476	0x08, 0x45, 0x91, 0xE4, 0xB8, 0x06, 0xB1, 0xF2, 0xC0, 0xD7, 0xE3, 0x47, 0xB7, 0x38, 0x08, 0xA8,
477	0x58, 0xE4, 0x55, 0xFC, 0xE2, 0x37, 0x1F, 0x38, 0xA2, 0x18, 0x9E, 0xC2, 0x0F, 0x90, 0x14, 0x20,
478	0x50, 0xD1, 0xD0, 0xAB, 0x36, 0x7F, 0xAA, 0x03, 0x1C, 0xE6, 0x0A, 0xF9, 0x8E, 0x41, 0xDB, 0x32,
479	0x1C, 0x68, 0xA0, 0xA0, 0xED, 0x4A, 0xF4, 0x4B, 0x09, 0xD0, 0xF0, 0x01, 0x8B, 0x17, 0x44, 0xE1,
480	0xEA, 0xC5, 0x9D, 0x3B, 0x37, 0x7A, 0x68, 0xF1, 0x78, 0x46, 0xCF, 0xB6, 0x57, 0xDB, 0x4B, 0x5C,
481	0x03, 0xE1, 0x9D, 0xC0, 0x37, 0x55, 0x8D, 0x03, 0xFB, 0x6A, 0x00, 0x82, 0x19, 0xD1, 0xC0, 0x76,
482	0x97, 0xEE, 0xC9, 0xAD, 0x0D, 0x72, 0x0B, 0xE9, 0xA8, 0x09, 0x92, 0x03, 0xA4, 0xAA, 0x2C, 0xCF,
483	0xFD, 0xDE, 0x86, 0xD0, 0x06, 0x4A, 0xAE, 0x7E, 0xC1, 0xB8, 0x2A, 0x4E, 0x9F, 0xA3, 0x5E, 0x8C,
484	0x12, 0x40, 0x74, 0x38, 0xE7, 0xEA, 0xB0, 0x51, 0xC2, 0xB9, 0x6D, 0x4A, 0x50, 0xBF, 0x59, 0x9C,
485	0x05, 0xB2, 0x42, 0xE2, 0x0F, 0x71, 0x44, 0xDB, 0x97, 0x0B, 0xD0, 0xDB, 0x44, 0x1F, 0x9A, 0x3B,
486	0x18, 0x2A, 0x7B, 0xD9, 0x03, 0x83, 0x0B, 0xCF, 0x27, 0x20, 0x43, 0xA6, 0x42, 0xED, 0x89, 0x63,
487	0xDB, 0x2D, 0x27, 0xC2, 0x3B, 0xE6, 0x0D, 0x3E, 0xB6, 0x96, 0x33, 0x70, 0xA6, 0xF3, 0xF5, 0x56,
488	0xEA, 0xEB, 0xF1, 0xE7, 0xD8, 0xCB, 0x04, 0x48, 0x99, 0x4C, 0x00, 0xA4, 0x2A, 0xA5, 0x8A, 0xF1,
489	0x58, 0xD5, 0x17, 0x4C, 0xC5, 0x88, 0x06, 0x8F, 0xA6, 0x67, 0xA6, 0x14, 0xC7, 0xB9, 0xE0, 0x86,
490	0xAC, 0x67, 0xFD, 0xB3, 0x5B, 0x3E, 0xDF, 0x03, 0xFD, 0xC8, 0xC4, 0x4A, 0x32, 0x78, 0x6B, 0xD1,
491	0xC1, 0xE2, 0x36, 0x9D, 0x0B, 0xF2, 0x54, 0x25, 0xB8, 0xB7, 0xB2, 0x10, 0x7A, 0xA6, 0x79, 0x52,
492	0xC2, 0xEE, 0x98, 0xA5, 0x3D, 0xF0, 0x07, 0x8D, 0x25, 0xC3, 0xAC, 0xFD, 0xCF, 0x83, 0x98, 0x80,
493	0x56, 0x95, 0xC4, 0x14, 0xA2, 0xA5, 0x93, 0xFE, 0x24, 0x59, 0x44, 0x73, 0xDF, 0xD6, 0x47, 0xDA,
494	0x22, 0x3A, 0x82, 0xC5, 0xD1, 0x59, 0x40, 0x9D, 0x0C, 0x1A, 0xB7, 0x79, 0x45, 0x9A, 0xF8, 0x6D,
495	0x5A, 0x5C, 0xC2, 0x80, 0xFC, 0xAA, 0x8A, 0xA4, 0xFE, 0x68, 0x61, 0x7D, 0xFE, 0x2C, 0x36, 0xE3,
496	0xE0, 0x59, 0x28, 0x40, 0x79, 0xAD, 0x2D, 0x28, 0x12, 0x30, 0xFC, 0x56, 0x2E, 0x1D, 0xEC, 0x48,
497	0x3A, 0xF0, 0xC5, 0x6C, 0x31, 0xE0, 0x2E, 0xB3, 0x91, 0x70, 0xB9, 0x9E, 0xBD, 0xE7, 0x96, 0x58,
498	0xCB, 0xBC, 0x1C, 0xE4, 0xC7, 0x78, 0xC7, 0x1E, 0x39, 0xDB, 0xB8, 0x77, 0x50, 0xB7, 0x65, 0x20,
499	0x04, 0x16, 0x8B, 0xFC, 0x66, 0xC4, 0x6D, 0x05, 0x8C, 0x3C, 0xB6, 0x32, 0x2F, 0xDE, 0xC3, 0x6F,
500	0xFC, 0x82, 0x06, 0x02, 0x87, 0x47, 0xFD, 0xD8, 0xDA, 0x75, 0xE0, 0x4E, 0x8C, 0x40, 0x00, 0xB2,
501	0x9B, 0x35, 0x78, 0xA4, 0x61, 0x64, 0x96, 0x62, 0x37, 0xF6, 0x3E, 0x39, 0xFA, 0x14, 0x5B, 0xC4,
502	0x70, 0x17, 0xDC, 0x0C, 0x9E, 0x31, 0x82, 0x2C, 0x63, 0xCC, 0x8A, 0x43, 0x7C, 0x69, 0x12, 0x05,
503	0x18, 0xA3, 0x62, 0xCC, 0xA2, 0x13, 0x96, 0x25, 0xA6, 0x1B, 0xF2, 0x10, 0xC8, 0x73, 0x4F, 0xCB,
504	0x80, 0xCA, 0xAF, 0x73, 0xC9, 0x78, 0xB1, 0xAE, 0x87, 0xB8, 0xDF, 0x50, 0xD3, 0x55, 0x1E, 0x3A,
505	0x81, 0xF6, 0x84, 0xD6, 0x57, 0x36, 0xCF, 0x38, 0xB7, 0xBC, 0xBC, 0x1E, 0x48, 0x62, 0x9F, 0x0F,
506	0x0C, 0xE5, 0xF0, 0x63, 0x33, 0xE6, 0x59, 0x6B, 0x1E, 0xE6, 0x1C, 0x8A, 0xF9, 0xDD, 0x6B, 0xA3,
507	0xDC, 0x02, 0x4A, 0x2F, 0x8C, 0x6A, 0x8D, 0x16, 0x7E, 0x2F, 0xF1, 0x75, 0xD5, 0x15, 0x93, 0x07,
508	0x27, 0xD9, 0x6F, 0x1A, 0x5D, 0x43, 0xF3, 0x47, 0xC4, 0xED, 0xAD, 0x05, 0x9F, 0xEC, 0x8F, 0xD0,
509	0xBE, 0xB5, 0x58, 0xF4, 0xF6, 0xBE, 0x08, 0x73, 0x96, 0x19, 0x05, 0x25, 0xEC, 0x3D, 0x26, 0xF4,
510	0x93, 0xDB, 0x9F, 0x56, 0x48, 0x4C, 0xBC, 0xD0, 0x02, 0x59, 0xD1, 0x40, 0x4C, 0xA6, 0x06, 0x41,
511	0xE8, 0x7D, 0x47, 0xAE, 0x3A, 0x9E, 0x1A, 0x71, 0x52, 0xD4, 0x67, 0xC1, 0x14, 0x7E, 0x40, 0x6F,
512	0x1C, 0x75, 0x30, 0x7B, 0x70, 0x3A, 0xE0, 0x37, 0xB7, 0x41, 0x7F, 0xCB, 0x4A, 0xBA, 0xA7, 0xCE,
513	0x56, 0x54, 0xC5, 0x46, 0x65, 0x6F, 0xB4, 0xB6, 0xF0, 0x57, 0xCE, 0x2E, 0x4F, 0xA9, 0xF0, 0x14,
514	0x50, 0xC3, 0x30, 0xC5, 0xBA, 0xE1, 0x5E, 0xD6, 0xDC, 0xC5, 0x78, 0x55, 0x32, 0xAA, 0xCB, 0x29,
515	0x35, 0x81, 0x46, 0x5E, 0x92, 0xE7, 0xDE, 0xCC, 0x92, 0x29, 0x86, 0xE0, 0x8F, 0x91, 0x3C, 0x74,
516	0x97, 0x79, 0x63, 0x97, 0x4A, 0xCC, 0x88, 0xB5, 0xA3, 0x7A, 0xF0, 0xF0, 0x33, 0x87, 0xCD, 0xBD
517	};
518	uint8_t b = Value ^ hdSurEncBasicCrypt_D2_0F_11(Value, lookup[(((AddrInd * 2) + 0) * 256) + Value]);
519	return (Value ^ hdSurEncBasicCrypt_D2_0F_11(b, lookup[(((AddrInd * 2) + 1) * 256) + b]));
520	}
521
522	void hdSurEncPhase1_D2_0F_11(uint8_t *CWs)
523	{
524	static const uint8_t lookup1[] =
525	{
526	0x16, 0x71, 0xCA, 0x14, 0xC4, 0xF4, 0xA3, 0x5A, 0x9D, 0x5F, 0x85, 0x8B, 0xA6, 0x77, 0xFD, 0x3C,
527	0x5F, 0x13, 0x2A, 0x5F, 0x61, 0x36, 0xE4, 0xDC, 0x0D, 0x82, 0x92, 0xC5, 0x25, 0xE1, 0x7A, 0x1C,
528	0x29, 0x19, 0x94, 0x2F, 0xC5, 0xD2, 0xDC, 0xBA, 0x86, 0x60, 0x64, 0x60, 0x86, 0x92, 0xA3, 0x4E,
529	0x3D, 0x9B, 0xCC, 0x16, 0xBB, 0xBA, 0xD2, 0xF0, 0x6A, 0xD3, 0x2F, 0x07, 0x75, 0xBD, 0x28, 0xDB
530	};
531	static const int8_t lookup2[] = { 1, -1, -1, 1, -1, 2, 1, -2, -1, 1, 2, -2, 1, -2, -2, 4 };
532	static const int8_t CAddrIndex[] = { 0, 1, 3, 4 };
533	int32_t i, j, i1, i2, i3;
534
535	for(i = 3; i >= 0; --i)
536	{
537	for(j = 0; j <= 15; ++j)
538	{
539	CWs[j] = CWs[j] ^ hdSurEncBasicCrypt_D2_0F_11(j , lookup1 [(16 * i) + j]);
540	}
541
542	uint8_t Buffer[16];
543	uint32_t k;
544	for(i1 = 0; i1 <= 3; ++i1)
545	{
546	for(i2 = 0; i2 <= 3; ++i2)
547	{
548	k = 0;
549	for(i3 = 0; i3 <= 3; ++i3)
550	{
551	k = k + (CWs[(i2 * 4) + i3] * lookup2[(i3 * 4) + i1]);
552	Buffer[(i2 * 4) + i1] = (uint8_t)k;
553	}
554	}
555	}
556	memcpy(CWs, Buffer, 16);
557
558	// CW positions are mixed around here
559	uint8_t a4[4];
560	for(i1 = 1; i1 <= 3; ++i1)
561	{
562	for(i2 = 0; i2 <= 3; ++i2)
563	{
564	a4[i2] = i1 + (i2 * 4);
565	}
566
567	for(i2 = 0; i2 <= i1 - 1; ++i2) // the given code in Func1_3 seems to be wrong here(3 instead of i1-1)!
568	{
569	uint8_t tmp = CWs[a4[0]];
570
571	for(i3 = 1; i3 <= 3; ++i3)
572	{
573	CWs[a4[i3 - 1]] = CWs[a4[i3]];
574	}
575	CWs[a4[3]] = tmp;
576	}
577	}
578
579	for(i1 = 0; i1 <= 15; ++i1)
580	{
581	CWs[i1] = hdSurEncCryptLookup_D2_0F_11(CWs[i1], CAddrIndex[i1 & 3]);
582	}
583	}
584	}
585
586	void hdSurEncPhase2_D2_0F_11_sub(uint8_t CWa, uint8_t CWb, uint8_t AddrInd)
587	{
588	uint8_t Buffer[8];
589	uint8_t tmp, i;
590
591	for(i = 0; i <= 7; ++i)
592	{
593	Buffer[i] = hdSurEncCryptLookup_D2_0F_11(CWb[i], AddrInd);
594	}
595
596	// some bitshifting
597	tmp = Buffer[7];
598	for(i = 7; i >= 1; --i)
599	{
600	Buffer[i] = ((Buffer[1] >> 4) & 0xFF) \| ((Buffer[i - 1] << 4) & 0xFF);
601	}
602	Buffer[0] = ((Buffer[0] >> 4) & 0xFF) \| ((tmp << 4) & 0xFF);
603
604	// saving the result
605	for(i = 0; i <= 7; ++i)
606	{
607	CWa[i] = CWa[i] ^ Buffer[i];
608	}
609	}
610
611	void hdSurEncPhase2_D2_0F_11(uint8_t *CWs)
612	{
613	hdSurEncPhase2_D2_0F_11_sub(CWs, CWs + 8, 0);
614	hdSurEncPhase2_D2_0F_11_sub(CWs + 8, CWs, 1);
615	hdSurEncPhase2_D2_0F_11_sub(CWs, CWs + 8, 2);
616	hdSurEncPhase2_D2_0F_11_sub(CWs + 8, CWs, 3);
617	hdSurEncPhase2_D2_0F_11_sub(CWs, CWs + 8, 4);
618	}
619
620	void CommonMain_1_D2_13_15(const uint8_t datain, uint8_t dataout)
621	{
622	const uint8_t Tab3[88] = {
623	0x1B, 0x12, 0x12, 0x0C, 0x12, 0x0C, 0x0C, 0x08, 0x09, 0x09, 0x06, 0x06, 0x06, 0x06, 0x04, 0x04,
624	0x08, 0x04, 0x04, 0x02, 0x04, 0x02, 0x02, 0x01, 0x09, 0x06, 0x09, 0x06, 0x06, 0x04, 0x06, 0x04,
625	0x03, 0x03, 0x03, 0x03, 0x02, 0x02, 0x02, 0x02, 0x04, 0x04, 0x02, 0x02, 0x02, 0x02, 0x01, 0x01,
626	0x09, 0x06, 0x06, 0x04, 0x09, 0x06, 0x06, 0x04, 0x03, 0x03, 0x02, 0x02, 0x03, 0x03, 0x02, 0x02,
627	0x04, 0x02, 0x04, 0x02, 0x02, 0x01, 0x02, 0x01, 0x03, 0x02, 0x03, 0x02, 0x03, 0x02, 0x03, 0x02,
628	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
629
630	int i1,i2;
631	unsigned long bb;
632
633	for (i1 = 0; i1 < 11; i1++)
634	{
635	bb = 0;
636	for (i2 = 0; i2 < 8; i2++)
637	{
638	bb += (Tab3[(i1 * 8) + i2] * datain[i2]);
639	}
640	dataout[i1] = (bb & 0xFF);
641	}
642	}
643
644
645	unsigned short CommonMain_2_D2_13_15(const uint8_t *data, const unsigned long num)
646	{
647	unsigned long bb1, bb2;
648
649	bb1 = num >> 3;
650	bb2 = (data[bb1] << 24) + (data[bb1 + 1] << 16) + (data[bb1 + 2] << 8);
651
652	return ((bb2 >> (21 - (num & 7))) & 0x7FF);
653	}
654
655	void CommonMain_3_D2_13_15(uint8_t data0, uint8_t data1, int nbrloop)
656	{
657	int i;
658	unsigned long bb1, bb2;
659
660	bb1 = 0;
661	bb2 = 0;
662	for (i = nbrloop - 1; i >= 0; i--)
663	{
664	bb1 += (data0[i] * 2) + data1[i];
665	bb2 += data0[i] + data1[i];
666	data0[i] = (bb1 & 0xFF);
667	data1[i] = (bb2 & 0xFF);
668	bb1 >>= 8;
669	bb2 >>= 8;
670	}
671	}
672
673	void CommonMain_D2_13_15(const uint8_t datain, uint8_t dataout, int loopval)
674	{
675
676	const uint8_t Tab0_Comp[0x800] = {
677	0x54,0x75,0x01,0x0C,0x7C,0xE2,0xC3,0xC2,0x5E,0x13,0x26,0xCA,0xB2,0xCD,0xB8,0x3D,
678	0x02,0x2C,0xE4,0x19,0x41,0x3D,0xE4,0x0F,0xEC,0xF1,0x45,0x83,0xE2,0xE2,0x72,0xF9,
679	0xCD,0x75,0x1E,0x41,0xCC,0x0C,0x1F,0x39,0x87,0x9B,0x46,0xFF,0x68,0x1F,0x00,0xD8,
680	0x41,0x82,0xCA,0xC6,0xEF,0x87,0x90,0xA2,0x7E,0xD9,0xDE,0xC8,0x25,0xEA,0xC9,0x75,
681	0x6E,0x18,0x81,0xD8,0x5A,0xA6,0x74,0x05,0xAF,0xAE,0xE0,0x4F,0x85,0xAD,0x94,0xF6,
682	0x45,0xF4,0xF5,0x55,0xA8,0xEB,0xEC,0xDB,0x6C,0xFF,0x2F,0xC2,0xC3,0x7D,0x93,0xE6,
683	0xF5,0x31,0x96,0xB7,0x9A,0xDB,0xE5,0x76,0x66,0xFB,0xDD,0xBC,0x19,0x18,0x42,0xC6,
684	0x36,0xCD,0x46,0x33,0xEA,0xF1,0x4C,0xC0,0x72,0x07,0xCD,0x61,0xCE,0x0E,0x08,0x01,
685	0xA3,0xFA,0x84,0x21,0xF2,0x43,0x37,0x1C,0xDE,0x25,0x8A,0x1A,0xF4,0xBB,0x40,0xF3,
686	0x53,0xFE,0x17,0x60,0x91,0x6D,0x7B,0x6D,0x5F,0x1C,0x15,0x73,0xCC,0x6E,0x73,0x46,
687	0x27,0x73,0xA3,0x10,0x16,0x32,0xB3,0x39,0x45,0xA6,0x55,0xE7,0x91,0x32,0x24,0xC8,
688	0xAE,0xAF,0x1B,0x28,0x69,0x22,0x2F,0xE9,0x77,0x72,0xBF,0x4B,0x8B,0x07,0x82,0x31,
689	0xB0,0x95,0x10,0x78,0x9F,0xC5,0xF3,0x73,0xE1,0xF8,0x36,0x84,0xFE,0x1B,0x92,0xB2,
690	0xE6,0xA5,0xCE,0xDA,0x56,0x48,0x52,0x77,0x9D,0x9D,0x8E,0x37,0x4B,0xC8,0x35,0x7E,
691	0xB9,0x5D,0xA4,0xAE,0x3F,0xD0,0xAA,0x60,0xA8,0x4C,0x85,0x49,0xF6,0x0C,0x27,0xE8,
692	0x94,0x84,0xA0,0xAA,0x06,0x4D,0xAC,0x58,0x8B,0x61,0x29,0x3D,0x68,0x25,0xD3,0xD3,
693	0x8E,0xA1,0xE0,0x71,0xBF,0x21,0x0C,0xC7,0x18,0x19,0xF1,0x25,0x98,0x5F,0x79,0x5E,
694	0x51,0xBA,0x8C,0x2F,0x52,0x43,0xF3,0x5A,0xE3,0x58,0x97,0x64,0x23,0xE0,0x44,0x4F,
695	0x30,0x2A,0xE0,0x16,0x8D,0x4D,0xD1,0x1F,0x7B,0xC9,0xC5,0x74,0x11,0x23,0x5D,0x95,
696	0xAC,0x7F,0x2E,0x30,0xBE,0x2D,0xE3,0xB5,0xC6,0xA7,0x69,0x99,0x1F,0x18,0x3C,0x96,
697	0x30,0x45,0x99,0x71,0x28,0x08,0x3C,0xF7,0x37,0x4F,0x6A,0xD6,0xAE,0x9B,0x57,0xC1,
698	0xCC,0x2C,0xE2,0x0F,0x7D,0x66,0xF4,0x36,0x0C,0x3B,0x35,0xF6,0x28,0x03,0xA3,0x7A,
699	0x83,0x15,0xF5,0x61,0x5E,0xE8,0xB7,0xD8,0x54,0x33,0x93,0x63,0x80,0x40,0x43,0xD0,
700	0x9C,0xAA,0x3A,0x98,0x50,0xD2,0xB8,0x80,0x5D,0x16,0xDF,0x1C,0x03,0xAA,0x87,0xC7,
701	0x63,0xA5,0x8D,0xA9,0x2E,0xFB,0x4F,0x7C,0x2B,0xF5,0xF9,0x57,0xB5,0x90,0xD8,0x75,
702	0xAB,0x81,0x4C,0x1B,0xAF,0x6C,0x0E,0xCB,0xB1,0x4F,0xD3,0xE3,0x69,0x18,0x8C,0x7A,
703	0x3C,0xE1,0x11,0x86,0x47,0x78,0x11,0xA0,0xD4,0x28,0xC3,0x0D,0xAC,0xC6,0x17,0xA1,
704	0x32,0x9F,0x8F,0x42,0xD9,0x3F,0x66,0xD7,0x2D,0x87,0x7B,0x65,0xD3,0xD6,0x90,0x83,
705	0xA2,0x75,0xE8,0x98,0x90,0x9D,0xDE,0x81,0x9E,0x3D,0xE4,0xA9,0xE4,0x0B,0xBC,0xBA,
706	0x96,0xDD,0x05,0xCA,0xAE,0x78,0x69,0x24,0xDB,0xA7,0x3E,0x7A,0x3B,0xB4,0xC4,0x59,
707	0x61,0xD2,0xF2,0xE3,0x99,0x8F,0x8F,0x8A,0x82,0x33,0xB8,0x17,0x5E,0x7A,0x32,0x41,
708	0x10,0x8D,0xC2,0xEF,0xAA,0xF8,0x5A,0xF7,0xD2,0x1D,0xC0,0xCB,0x5E,0xB7,0x8A,0x78,
709	0x49,0x42,0xEB,0x19,0x1B,0x61,0xA0,0x77,0x5A,0xF4,0x6D,0x55,0xDA,0xEB,0xCE,0x4E,
710	0xB8,0xE6,0x32,0xD7,0x51,0x3F,0x73,0x14,0x34,0x6E,0x38,0xD6,0xA7,0x28,0x87,0x4A,
711	0x59,0xCA,0x1C,0x80,0xB5,0x8C,0x9D,0x94,0xCB,0xFE,0x29,0x41,0xE5,0x69,0xCF,0xFD,
712	0x0B,0xE1,0x7C,0xA1,0x70,0x12,0x76,0x43,0xDA,0xB9,0xD4,0xC3,0x31,0xBC,0x94,0x77,
713	0x04,0xB4,0x1C,0xAA,0xEC,0x6F,0xA5,0x12,0x9D,0x6F,0x34,0x65,0x77,0xA0,0xD2,0x6F,
714	0x60,0xC6,0x47,0xC2,0xDF,0x6A,0x10,0x53,0xD4,0xBA,0xF3,0xB7,0x38,0x79,0x63,0xC9,
715	0xD4,0x77,0xBC,0x54,0xE9,0x79,0x42,0xD5,0xE0,0x71,0xE7,0x9E,0x5A,0x62,0x0C,0xAD,
716	0x01,0x09,0xA8,0x9F,0x8E,0x67,0x4A,0x30,0xA4,0xB1,0x08,0xFC,0x0A,0xEA,0x7A,0x1D,
717	0x4C,0x4A,0x21,0xDE,0x00,0xD7,0x41,0x98,0x6B,0x38,0x50,0x3E,0x1F,0x25,0x06,0xE3,
718	0x6C,0xA3,0x84,0x5B,0xC1,0xED,0x47,0xDD,0xB3,0x83,0x46,0x72,0x69,0xCE,0x72,0x04,
719	0x43,0x67,0x3A,0x19,0xD9,0x0A,0xF7,0x43,0x88,0xCA,0xC7,0x31,0x34,0x21,0x4E,0x4C,
720	0xE8,0xD1,0x70,0x00,0xBD,0xB1,0xB6,0x76,0x6F,0x5B,0xF9,0xF5,0xF4,0x19,0x20,0x21,
721	0xC1,0xF0,0x11,0x36,0x66,0xAB,0x15,0xBD,0x69,0x92,0xC6,0x46,0xDE,0xDC,0xE9,0x9A,
722	0xF8,0x6C,0x15,0x29,0x15,0xA6,0x35,0x3E,0x08,0xE5,0x90,0x62,0x9F,0x86,0x56,0x83,
723	0x5D,0x60,0x0D,0x22,0x77,0xA7,0x60,0x9B,0x26,0x80,0x16,0x67,0xB4,0x46,0xBF,0x74,
724	0x55,0x92,0x5B,0x34,0xFF,0xC8,0x28,0x37,0xFF,0x14,0x62,0xFA,0xBD,0x03,0x78,0x04,
725	0x1B,0x65,0x7F,0x99,0x05,0x27,0x14,0xC0,0x06,0x4D,0x4B,0x0E,0x98,0x34,0x6A,0xB3,
726	0xA1,0xFE,0xBC,0x45,0x7D,0x52,0x50,0x0E,0x2C,0xFB,0x91,0xF5,0xFB,0x2A,0xB7,0xD9,
727	0xB8,0xB8,0x54,0x31,0x81,0x03,0x93,0x2C,0xE1,0x5C,0xB9,0x2C,0xE8,0x38,0xC0,0xA7,
728	0x58,0x18,0x92,0xC5,0x8B,0xEF,0x1E,0x33,0xA4,0xBA,0x86,0x2B,0xE9,0xEE,0xB1,0xDF,
729	0xAB,0xB8,0x48,0xDA,0x84,0xF1,0x68,0x05,0x4E,0xDE,0xB5,0x9E,0x88,0x12,0xC9,0x60,
730	0x50,0x58,0x56,0x9D,0x26,0x84,0xB6,0x1A,0xE6,0x4B,0x40,0x94,0x6D,0xE9,0x1D,0x0D,
731	0x8A,0xF9,0x2A,0xB5,0xBC,0xDB,0x06,0x8F,0x13,0x7E,0x1D,0x1C,0xC7,0xFD,0x8F,0x78,
732	0x55,0x3F,0x16,0x84,0x48,0xDA,0x1A,0xD1,0x93,0x95,0x20,0x58,0x92,0x39,0xF6,0x73,
733	0x4E,0x9E,0x7B,0x70,0xFC,0x1E,0x5B,0x20,0x48,0x96,0xB3,0x7C,0x50,0x09,0x5B,0x61,
734	0x57,0x97,0x36,0x04,0x29,0x2C,0x32,0x8E,0x93,0x4A,0x45,0xFA,0xD5,0x24,0x14,0x1A,
735	0x28,0x9C,0x1A,0x71,0xAE,0x85,0x4B,0x26,0x79,0x99,0x65,0xD0,0x07,0x98,0xED,0xC9,
736	0x1B,0x39,0x57,0x5B,0xDB,0x3D,0x87,0x69,0x66,0x9B,0x03,0x23,0x54,0x6B,0x4B,0xAC,
737	0x6E,0x7A,0x25,0x1E,0xB6,0x97,0xCF,0x1D,0x07,0xCB,0x2A,0x3E,0x85,0x02,0x93,0x31,
738	0x12,0x27,0xF0,0xA6,0x6D,0x0F,0x9A,0xB6,0xFC,0x22,0x79,0x6C,0x77,0xFD,0x3F,0xDC,
739	0x19,0xD0,0xDF,0xBD,0x9E,0xE0,0xBE,0x20,0x13,0xA3,0x0A,0x0B,0x22,0xF2,0xC8,0x6B,
740	0xA1,0xDD,0x6C,0x67,0xB3,0xFD,0x71,0xC2,0x7B,0x08,0x3B,0xF1,0x37,0xB5,0x0F,0x86,
741	0xFA,0xA9,0xE9,0x42,0xD1,0xE8,0xCD,0x05,0xEF,0xD3,0xCC,0x0B,0x70,0x51,0x5B,0x97,
742	0x06,0xC4,0x9D,0x88,0x11,0x3E,0x99,0x9F,0xBE,0x76,0x8C,0x8D,0xE6,0xBA,0xDA,0x48,
743	0xD0,0x04,0x86,0x4F,0xA9,0xC6,0xB0,0xED,0xA4,0x94,0x46,0x96,0x27,0xEE,0x9F,0xBD,
744	0xDA,0x9B,0x3D,0x11,0x80,0xD3,0x7B,0x5A,0x48,0x94,0xE5,0xCC,0x48,0xEA,0xE4,0x18,
745	0xDF,0x51,0xB3,0x02,0x57,0x20,0x4B,0x0F,0x07,0xFF,0x41,0x33,0x0F,0x6B,0x2E,0xAA,
746	0xDE,0xB2,0x56,0xF7,0xFB,0xA2,0x48,0x3C,0x97,0x1A,0x64,0x2C,0xD1,0x74,0x40,0xCF,
747	0x65,0x7F,0x14,0x08,0x59,0xC4,0x35,0xD3,0x8A,0x0F,0xFD,0x71,0x7A,0x71,0xAC,0x2D,
748	0xF3,0xFD,0x7B,0x12,0x5F,0xC0,0xBC,0x4E,0x96,0x12,0xF2,0x8E,0x41,0x84,0x01,0x0F,
749	0xED,0x7B,0xC1,0xB9,0x39,0x03,0x35,0x40,0x49,0x53,0xB8,0xB4,0x6B,0xA6,0xE7,0x0A,
750	0x14,0xBB,0x29,0x16,0xEC,0x2A,0x3A,0xD6,0x09,0xBB,0x5C,0x20,0xF8,0x09,0xFD,0x86,
751	0xC4,0x25,0x09,0x85,0x0B,0xD5,0xD8,0x51,0xB1,0xA2,0xCB,0xDC,0xC4,0xDD,0x34,0xDF,
752	0xE2,0x85,0xA9,0xCC,0x4E,0x66,0x51,0xFA,0x9C,0x4D,0xB7,0x1E,0x3E,0x49,0x34,0x9C,
753	0x21,0x66,0x07,0x44,0xB2,0xEC,0x73,0xC5,0xBB,0x27,0x9A,0xA5,0x91,0x5A,0xB9,0x9F,
754	0xBE,0xC8,0xA2,0x27,0x89,0x21,0xA7,0xEE,0x50,0x4D,0x43,0x50,0x67,0xC2,0x3B,0x7C,
755	0x20,0x0B,0x95,0x40,0xBE,0xEA,0xB5,0xD9,0x82,0xD7,0x9C,0xB5,0x21,0xAD,0xA6,0xF9,
756	0x70,0xEA,0xCD,0x04,0xDD,0x58,0x91,0x89,0xB2,0xA9,0xF9,0xB4,0x12,0xA2,0x63,0x89,
757	0x40,0x8E,0xEA,0x62,0xEE,0x0B,0x01,0x82,0x6F,0xB3,0x5E,0x5C,0x36,0xBE,0xF4,0x97,
758	0x2C,0xCF,0x96,0x7C,0x0D,0xAD,0x62,0xCE,0xD4,0x38,0xC5,0x32,0x02,0x24,0x57,0x27,
759	0xE0,0xCF,0x56,0xA5,0x72,0x6D,0x90,0x89,0x2D,0x4C,0x34,0xF6,0x1D,0xDD,0x88,0x5E,
760	0x7A,0x23,0xE3,0x6F,0x42,0xA3,0xD9,0x58,0x7E,0xE3,0x52,0x74,0x57,0x63,0xB7,0xB2,
761	0xC1,0xA3,0x30,0x92,0x2E,0xB0,0x91,0x01,0x13,0x36,0x9A,0x6A,0xA7,0x5B,0x3C,0x07,
762	0xFB,0xD8,0x1E,0x7E,0xCF,0x49,0xAB,0x3F,0xCA,0xCE,0x74,0x40,0x54,0x8D,0x83,0x61,
763	0xCA,0xC3,0x76,0x59,0x5C,0x9F,0x49,0x8A,0x7D,0xD1,0x17,0x9C,0xA4,0xDB,0xB9,0x16,
764	0x4D,0x64,0xF7,0xC7,0xF0,0x24,0xE7,0x00,0xB6,0x98,0xD5,0x8B,0x54,0xCB,0x1E,0x8B,
765	0xA2,0x2B,0x7D,0x50,0x51,0x8A,0xF0,0xEF,0x47,0xAE,0xD0,0xD6,0xA0,0x42,0x8A,0xD8,
766	0x22,0xAF,0x02,0x99,0x4A,0xE0,0x8D,0x8D,0xBF,0x11,0x05,0xA4,0xC4,0x9D,0xB3,0x89,
767	0xB4,0x4C,0xC9,0xF7,0x4D,0xC5,0x2A,0x35,0x95,0x30,0xF3,0x0E,0x2F,0xEC,0x6E,0x3A,
768	0x8B,0x05,0x76,0xED,0x1A,0x7C,0xC0,0xE7,0x22,0xCB,0x59,0xFF,0xE6,0x37,0x78,0x44,
769	0xD4,0xEE,0xAD,0xD7,0xBD,0x2E,0xB7,0x6A,0xA4,0x4E,0x0E,0xFB,0xB0,0xF5,0xCB,0x87,
770	0xCF,0xC3,0x18,0x64,0x6F,0x26,0x5C,0xD7,0x16,0xC8,0x7F,0xAB,0x29,0xC4,0xBA,0xFF,
771	0xCD,0x1C,0xE4,0x3A,0xF2,0xEB,0x6A,0x38,0xE4,0x65,0xC2,0x33,0x03,0x26,0x7D,0x9B,
772	0x7E,0x1D,0x83,0x00,0x04,0x2D,0x2B,0x5F,0xFE,0x39,0x7E,0xF1,0x3C,0xA2,0x8C,0x52,
773	0x95,0xBF,0x46,0x81,0x24,0x44,0xF8,0x10,0xC3,0x87,0x8E,0x64,0x80,0x17,0x44,0xE2,
774	0x8B,0xD1,0x3C,0x4A,0xE2,0x1F,0xA9,0xDE,0x75,0x13,0xFC,0x2E,0x86,0x0A,0x5C,0x5F,
775	0x92,0x2B,0x92,0x2D,0x2A,0xEC,0xD2,0x5C,0x82,0x6B,0x76,0x1E,0xED,0xE6,0x56,0xF7,
776	0xD2,0xDB,0x96,0x68,0x02,0x68,0x99,0x49,0xEE,0x88,0x66,0xCE,0x5D,0x08,0x88,0xA8,
777	0xB9,0x24,0xB0,0xB4,0xDC,0xA6,0xC9,0xD8,0x68,0x80,0xBF,0x6B,0x32,0x57,0x7F,0x91,
778	0x0E,0x37,0x59,0xF6,0x76,0xD2,0xC5,0x0B,0xF3,0x23,0xBF,0x38,0x52,0x0D,0x97,0x81,
779	0x17,0xBB,0x9A,0xC2,0x55,0x44,0x72,0xCE,0xEE,0xFA,0xBB,0xDA,0xAB,0xB0,0x09,0xEA,
780	0xDB,0xBF,0x45,0x95,0x07,0x88,0xD4,0xD2,0x0D,0x2E,0x15,0x31,0xBE,0x6A,0xF4,0xEF,
781	0xA3,0x7D,0x22,0x81,0x3B,0xA8,0x83,0xF9,0x42,0xE5,0x9B,0x79,0x01,0xF5,0xDC,0x19,
782	0x64,0xEB,0x47,0x67,0xAF,0xA4,0xB2,0xAE,0xF8,0xF9,0x4D,0x63,0xAD,0x54,0xE1,0x02,
783	0x56,0x89,0x4E,0x0A,0xE8,0x3E,0x03,0xFA,0x33,0x61,0x58,0x80,0x64,0x55,0x3C,0x8C,
784	0x2A,0x3D,0x70,0x3E,0xE5,0xC1,0xA7,0x75,0xFC,0x91,0x75,0x05,0x8C,0x6E,0x3A,0x74,
785	0x10,0xF1,0x30,0xE6,0xF6,0xF7,0xAB,0x6C,0xB1,0x2B,0xF0,0x2F,0x13,0x6E,0xD4,0x0A,
786	0x64,0x29,0xF8,0xBB,0xA1,0xAA,0x55,0x09,0x93,0x47,0x2F,0x8C,0x7D,0xF1,0x2D,0x81,
787	0xFE,0x78,0xFC,0xEE,0x3F,0xDD,0x49,0xDC,0x0D,0x52,0x5C,0x3B,0x8F,0x08,0xB0,0xDF,
788	0xDC,0xFC,0xBE,0x5F,0x3B,0x53,0x82,0xE2,0xBD,0x6D,0x5D,0xF2,0x8D,0xFB,0x5A,0x1D,
789	0x15,0x1B,0xE4,0xB1,0x56,0x06,0x1A,0xF8,0x9C,0xB9,0x44,0xF2,0xD9,0xF4,0xB2,0x00,
790	0x9A,0x94,0x62,0x33,0x7E,0x0A,0xB0,0x0C,0xD5,0xEF,0x8E,0xA8,0xEB,0x47,0xE9,0x20,
791	0xA8,0x68,0xEF,0x53,0xA0,0x59,0x1B,0xA0,0x2B,0xC5,0x2B,0x30,0xB6,0x5D,0xAB,0xB4,
792	0x5F,0x86,0x71,0x95,0x89,0xFC,0xC7,0x9A,0xC3,0xED,0x82,0xA0,0x3D,0x73,0xC1,0x36,
793	0x01,0x5F,0x9E,0xD7,0xE3,0xC0,0x62,0x74,0xED,0x13,0xB6,0xD6,0xD5,0x37,0x17,0xE1,
794	0x39,0xC7,0x6D,0x31,0xBA,0x02,0xAF,0xD5,0xCC,0x51,0xA8,0x09,0x3F,0x00,0x4A,0x8F,
795	0xA6,0x23,0x13,0x88,0xCD,0x1F,0x38,0x60,0xE7,0xE7,0x53,0xDC,0x65,0xE8,0x53,0x26,
796	0xBB,0xE1,0x1F,0x65,0xF0,0xAD,0x53,0x3B,0xBD,0xAD,0x97,0xAC,0xD1,0xA5,0xD0,0xE9,
797	0xEB,0xD6,0x11,0xD5,0x00,0xDF,0x72,0x9C,0xCC,0x7F,0xD3,0x67,0xA1,0x3A,0x79,0xE1,
798	0x85,0x70,0xE5,0x43,0xC9,0x28,0xA5,0x2F,0x9E,0xE7,0xFE,0xEB,0x14,0x10,0x23,0xC7,
799	0xAF,0xB1,0x24,0xC8,0xE5,0x44,0x6F,0x4C,0x04,0xEC,0xC1,0xF0,0x23,0x1C,0xF6,0xAC,
800	0xAF,0xC4,0x0E,0x2D,0x59,0x39,0x47,0xA9,0x9E,0xD9,0x2E,0x79,0xBA,0xFE,0x4F,0x12,
801	0x7F,0x63,0x7F,0x62,0x67,0x7C,0x52,0x2F,0xCA,0x8B,0x6B,0x4F,0x10,0x8F,0x14,0xC6,
802	0xA1,0x9B,0x45,0x15,0x90,0x63,0x22,0x5D,0x68,0x4B,0xCF,0xFA,0x6A,0x06,0xF0,0x26,
803	0xAC,0x6C,0x3A,0x89,0x25,0xF3,0x5E,0x90,0x06,0x93,0xB6,0x35,0x0D,0x85,0x60,0x98,
804	0xBC,0x6E,0xF2,0xA5,0x17,0x29,0x70,0xD6,0xFF,0x0C,0xD0,0xC0,0x35,0xD7,0x4A,0xFD };
805
806
807	const uint8_t Tab1_Comp[11*8] = {
808	0x70,0x49,0xD7,0xE3,0xDF,0x3C,0x96,0x03,0x2A,0x70,0x82,0xA6,0x5F,0xDE,0xCC,0x0C,
809	0x2A,0x62,0x2A,0x3E,0xA4,0x0C,0x0A,0xAB,0x4F,0x06,0x5D,0xD4,0x14,0xAA,0xE1,0xC3,
810	0x96,0xDA,0x16,0x36,0x45,0x3C,0x63,0xC2,0x97,0x71,0x87,0xAB,0xFA,0xB2,0xFC,0xD6,
811	0x8F,0x85,0xC9,0x04,0x56,0xBA,0xEB,0x3F,0x42,0x9F,0xCB,0x66,0x55,0x45,0x1C,0x96,
812	0xFF,0x4D,0x35,0xDF,0x88,0x0E,0xDC,0xC8,0x4E,0x3F,0x81,0x74,0xD8,0x77,0x4C,0x8E,
813	0x00,0xC0,0x64,0x83,0x4E,0xBB,0xF0,0xB1 };
814
815	unsigned short buff8[8];
816	uint8_t buff11[11 + 1]; // +1 to avoid func2 bug
817	int i1, i2;
818	buff11[11] = 0;
819
820	CommonMain_1_D2_13_15(datain, buff11);
821	for (i1 = 0; i1 < 11; i1++)
822	{
823	buff11[i1] ^= Tab1_Comp[(loopval * 11) + i1];
824	}
825
826	for (i1 = 0; i1 < 8; i1++)
827	{
828	buff8[i1] = CommonMain_2_D2_13_15(buff11, i1 * 11);
829	}
830
831	for (i1 = 0; i1 < 8; i1++)
832	{
833	dataout[i1] = Tab0_Comp[buff8[i1]];
834	}
835
836	i1 = 1;
837	while (i1 < 8)
838	{
839	i2 = 0 ;
840	while (i2 < 8)
841	{
842	CommonMain_3_D2_13_15(&dataout[i2], &dataout[i1 + i2], i1);
843	i2 += (i1 * 2);
844	}
845	i1 *= 2;
846	}
847	}
848
849	void Common_D2_13_15(uint8_t cw0, const uint8_t cw1, int loopval)
850	{
851	int i;
852	uint8_t buff8[8];
853
854	CommonMain_D2_13_15(cw1, buff8, loopval);
855	for (i = 0; i < 8; i++)
856	{
857	cw0[i] ^= buff8[i];
858	}
859	}
860
861	void ExchangeCWs(uint8_t cw0, uint8_t cw1)
862	{
863	int i;
864	uint8_t b;
865
866	for (i = 0; i < 8; i++)
867	{
868	b = cw1[i];
869	cw1[i] = cw0[i];
870	cw0[i] = b;
871	}
872	}
873
874
875	void hdSurEncPhase1_D2_13_15(uint8_t *cws)
876	{
877	int i;
878
879	for (i = 0; i <= 7; i++)
880	{
881	// Possible code
882	if ((i & 1) == 0)
883	{
884	Common_D2_13_15((uint8_t ) &cws[0], (uint8_t ) &cws[8], i);
885	}
886	else
887	{
888	Common_D2_13_15((uint8_t ) &cws[8], (uint8_t ) &cws[0], i);
889	}
890	}
891	ExchangeCWs((uint8_t ) &cws[0], (uint8_t ) &cws[8]);
892	}
893
894	void hdSurEncPhase2_D2_13_15(uint8_t *cws)
895	{
896	int i;
897
898	for (i = 7; i >= 0; i--)
899	{
900	// Possible code
901	if ((i & 1) == 0)
902	{
903	Common_D2_13_15((uint8_t ) &cws[8], (uint8_t ) &cws[0], i);
904	}
905	else
906	{
907	Common_D2_13_15((uint8_t ) &cws[0], (uint8_t ) &cws[8], i);
908	}
909	}
910	ExchangeCWs((uint8_t ) &cws[8], (uint8_t ) &cws[0]);
911	}
912
913
914	static int32_t viaccess_card_init(struct s_reader reader, ATR newatr)
915	{
916	get_atr;
917	def_resp;
918	int32_t i;
919	uint8_t buf[256];
920	uint8_t insac[] = { 0xca, 0xac, 0x00, 0x00, 0x00 }; // select data
921	uint8_t insb8[] = { 0xca, 0xb8, 0x00, 0x00, 0x00 }; // read selected data
922	uint8_t insa4[] = { 0xca, 0xa4, 0x00, 0x00, 0x00 }; // select issuer
923	uint8_t insc0[] = { 0xca, 0xc0, 0x00, 0x00, 0x00 }; // read data item
924	static const uint8_t insFAC[] = { 0x87, 0x02, 0x00, 0x00, 0x03 }; // init FAC
925	static const uint8_t FacDat[] = { 0x00, 0x00, 0x28 };
926	static uint8_t ins8702_data[] = { 0x00, 0x00, 0x11};
927	static uint8_t ins8704[] = { 0x87, 0x04, 0x00, 0x00, 0x07 };
928	static uint8_t ins8706[] = { 0x87, 0x06, 0x00, 0x00, 0x04 };
929
930	if((atr[1] != 0x77) \|\| ((atr[2] != 0x18) && (atr[2] != 0x11) && (atr[2] != 0x19)) \|\| ((atr[9] != 0x68) && (atr[9] != 0x6C) && (atr[9] != 0x64)))
931	{
932	return ERROR;
933	}
934
935	write_cmd(insFAC, FacDat);
936	if(!(cta_res[cta_lr - 2] == 0x90 && cta_res[cta_lr - 1] == 0))
937	{
938	return ERROR;
939	}
940
941	if(!cs_malloc(&reader->csystem_data, sizeof(struct viaccess_data)))
942	{
943	return ERROR;
944	}
945
946	struct viaccess_data *csystem_data = reader->csystem_data;
947
948	write_cmd(insFAC, ins8702_data);
949	if((cta_res[cta_lr - 2] == 0x90) && (cta_res[cta_lr - 1] == 0x00))
950	{
951	write_cmd(ins8704, NULL);
952	if((cta_res[cta_lr - 2] == 0x90) && (cta_res[cta_lr - 1] == 0x00))
953	{
954	write_cmd(ins8706, NULL);
955	if((cta_res[cta_lr - 2] == 0x90) && (cta_res[cta_lr - 1] == 0x00))
956	{
957	csystem_data->last_geo.number_ecm = (cta_res[2] << 8) \| (cta_res[3]);
958	rdr_log(reader, "using ecm #%x for long viaccess ecm", csystem_data->last_geo.number_ecm);
959	}
960	}
961	}
962
963	reader->caid = 0x500;
964	memset(reader->prid, 0xff, sizeof(reader->prid));
965	insac[2] = 0xa4;
966	write_cmd(insac, NULL); // request unique id
967	insb8[4] = 0x07;
968	write_cmd(insb8, NULL); // read unique id
969	memcpy(reader->hexserial, cta_res + 2, 5);
970	// rdr_log(reader, "[viaccess-reader] type: Viaccess, ver: %s serial: %llu", ver, b2ll(5, cta_res+2));
971	rdr_log_sensitive(reader, "type: Viaccess (%sstandard atr), caid: %04X, serial: {%llu}",
972	atr[9] == 0x68 ? "" : "non-", reader->caid, (unsigned long long) b2ll(5, cta_res + 2));
973
974	i = 0;
975	insa4[2] = 0x00;
976	write_cmd(insa4, NULL); // select issuer 0
977	buf[0] = 0;
978	while((cta_res[cta_lr - 2] == 0x90) && (cta_res[cta_lr - 1] == 0))
979	{
980	insc0[4] = 0x1a;
981	write_cmd(insc0, NULL); // show provider properties
982	cta_res[2] &= 0xF0;
983	reader->prid[i][0] = 0;
984	memcpy(&reader->prid[i][1], cta_res, 3);
985	memcpy(&csystem_data->availkeys[i][0], cta_res + 10, 16);
986	snprintf((char )buf + strlen((char )buf), sizeof(buf) - strlen((char *)buf), ",%06X", b2i(3, &reader->prid[i][1]));
987	// rdr_log(reader, "[viaccess-reader] buf: %s", buf);
988
989	insac[2] = 0xa5;
990	write_cmd(insac, NULL); // request sa
991	insb8[4] = 0x06;
992	write_cmd(insb8, NULL); // read sa
993	memcpy(&reader->sa[i][0], cta_res + 2, 4);
994
995	insa4[2] = 0x02;
996	write_cmd(insa4, NULL); // select next issuer
997	i++;
998	}
999	reader->nprov = i;
1000	rdr_log(reader, "providers: %d (%s)", reader->nprov, buf + 1);
1001
1002	get_maturity(reader);
1003	if(cfg.ulparent)
1004	{
1005	unlock_parental(reader);
1006	}
1007
1008	rdr_log(reader, "ready for requests");
1009	return OK;
1010	}
1011
1012	bool dcw_crc(uint8_t *dw)
1013	{
1014	int8_t i;
1015	for(i = 0; i < 16; i += 4) if(dw[i + 3] != ((dw[i] + dw[i + 1] + dw[i + 2]) & 0xFF)) { return 0; }
1016	return 1;
1017	}
1018
1019	static int32_t viaccess_do_ecm(struct s_reader reader, const ECM_REQUEST er, struct s_ecm_answer *ea)
1020	{
1021	def_resp;
1022	static const uint8_t insa4[] = { 0xca, 0xa4, 0x04, 0x00, 0x03 }; // set provider id
1023	uint8_t ins88[] = { 0xca, 0x88, 0x00, 0x00, 0x00 }; // set ecm
1024	uint8_t insf8[] = { 0xca, 0xf8, 0x00, 0x00, 0x00 }; // set geographic info
1025	static const uint8_t insc0[] = { 0xca, 0xc0, 0x00, 0x00, 0x12 }; // read dcw
1026	struct viaccess_data *csystem_data = reader->csystem_data;
1027
1028	// //XXX what is the 4th uint8_t for ??
1029	int32_t ecm88Len = MIN(MAX_ECM_SIZE - 4, SCT_LEN(er->ecm) - 4);
1030	if(ecm88Len < 1)
1031	{
1032	rdr_log(reader, "ECM: Size of ECM couldn't be correctly calculated.");
1033	return ERROR;
1034	}
1035	uint8_t ecmData[ecm88Len];
1036	memset(ecmData, 0, ecm88Len);
1037	memcpy(ecmData, er->ecm + 4, ecm88Len);
1038	uint8_t *ecm88Data = &ecmData[0];
1039	uint32_t provid = 0;
1040	int32_t rc = 0;
1041	int32_t hasD2 = 0;
1042	uint8_t hasE0 = 0;
1043	int32_t curEcm88len = 0;
1044	int32_t nanoLen = 0;
1045	uint8_t *nextEcm;
1046	uint8_t DE04[MAX_ECM_SIZE];
1047	int32_t D2KeyID = 0;
1048	int32_t curnumber_ecm = 0;
1049	// nanoD2 d2 02 0d 02 -> D2 nano, len 2
1050	// 0b, 0f, 13 -> pre AES decrypt CW
1051	// 0d, 11, 15 -> post AES decrypt CW
1052
1053	int32_t nanoD2 = 0; // knowns D2 nanos: 0x0b ,0x0d ,0x0f ,0x11, 0x13, 0x15
1054
1055	memset(DE04, 0, sizeof(DE04)); //fix dorcel de04 bug
1056
1057	nextEcm = ecm88Data;
1058
1059	while(ecm88Len > 0 && !rc)
1060	{
1061
1062	if(ecm88Data[0] == 0x00 && ecm88Data[1] == 0x00)
1063	{
1064	// nano 0x00 and len 0x00 aren't valid... something is obviously wrong with this ecm.
1065	rdr_log(reader, "ECM: Invalid ECM structure. Rejecting");
1066	return ERROR;
1067	}
1068
1069	// 80 33 nano 80 (ecm) + len (33)
1070	if(ecm88Data[0] == 0x80) // nano 80, give ecm len
1071	{
1072	curEcm88len = ecm88Data[1];
1073	nextEcm = ecm88Data + curEcm88len + 2;
1074	ecm88Data += 2;
1075	ecm88Len -= 2;
1076	}
1077
1078	if(!curEcm88len) // there was no nano 80 -> simple ecm
1079	{
1080	curEcm88len = ecm88Len;
1081	}
1082
1083	// d2 02 0d 02 -> D2 nano, len 2, select the AES key to be used
1084	if(ecm88Data[0] == 0xd2)
1085	{
1086	// test if it needs AES decrypt
1087	if(ecm88Data[2] == 0x0b)
1088	{
1089	nanoD2 = 0x0b;
1090	rdr_log_dbg(reader, D_READER, "ECM: nano D2 0x0b");
1091	}
1092
1093	if(ecm88Data[2] == 0x0d)
1094	{
1095	nanoD2 = 0x0d;
1096	rdr_log_dbg(reader, D_READER, "ECM: nano D2 0x0d");
1097	}
1098
1099	if(ecm88Data[2] == 0x0f)
1100	{
1101	nanoD2 = 0x0f;
1102	rdr_log_dbg(reader, D_READER, "ECM: nano D2 0x0f");
1103	}
1104
1105	if(ecm88Data[2] == 0x11)
1106	{
1107	nanoD2 = 0x11;
1108	rdr_log_dbg(reader, D_READER, "ECM: nano D2 0x11");
1109	}
1110
1111	if(ecm88Data[2] == 0x13)
1112	{
1113	nanoD2 = 0x13;
1114	rdr_log_dbg(reader, D_READER, "ECM: nano D2 0x13");
1115	}
1116
1117	if(ecm88Data[2] == 0x15)
1118	{
1119	nanoD2 = 0x15;
1120	rdr_log_dbg(reader, D_READER, "ECM: nano D2 0x15");
1121	}
1122
1123	// use the d2 arguments to get the key # to be used
1124	int32_t len = ecm88Data[1] + 2;
1125	D2KeyID = ecm88Data[3];
1126	ecm88Data += len;
1127	ecm88Len -= len;
1128	curEcm88len -= len;
1129	hasD2 = 1;
1130	}
1131	else
1132	{
1133	hasD2 = 0;
1134	}
1135
1136	// 40 07 03 0b 00 -> nano 40, len =7 ident 030B00 (tntsat), key #0 <== we're pointing here
1137	// 09 -> use key #9
1138	// 05 67 00
1139	if((ecm88Data[0] == 0x90 \|\| ecm88Data[0] == 0x40) && (ecm88Data[1] == 0x03 \|\| ecm88Data[1] == 0x07))
1140	{
1141	uint8_t ident[3], keynr;
1142	uint8_t *ecmf8Data = 0;
1143	int32_t ecmf8Len = 0;
1144
1145	nanoLen = ecm88Data[1] + 2;
1146	keynr = ecm88Data[4] & 0x0F;
1147
1148	// 40 07 03 0b 00 -> nano 40, len =7 ident 030B00 (tntsat), key #0 <== we're pointing here
1149	// 09 -> use key #9
1150	if(nanoLen > 5)
1151	{
1152	curnumber_ecm = (ecm88Data[6] << 8) \| (ecm88Data[7]);
1153	rdr_log_dbg(reader, D_READER, "checking if the ecm number (%x) match the card one (%x)", curnumber_ecm, csystem_data->last_geo.number_ecm);
1154	// if we have an ecm number we check it.
1155	// we can't assume that if the nano len is 5 or more we have an ecm number
1156	// as some card don't support this
1157	if(csystem_data->last_geo.number_ecm > 0)
1158	{
1159	if(csystem_data->last_geo.number_ecm == curnumber_ecm && !(ecm88Data[nanoLen - 1] == 0x01))
1160	{
1161	keynr = ecm88Data[5];
1162	rdr_log_dbg(reader, D_READER, "keyToUse = %02x, ECM ending with %02x", ecm88Data[5], ecm88Data[nanoLen - 1]);
1163	}
1164	else
1165	{
1166	if(ecm88Data[nanoLen - 1] == 0x01)
1167	{
1168	rdr_log_dbg(reader, D_READER, "Skip ECM ending with = %02x for ecm number (%x) for provider %02x%02x%02x",
1169	ecm88Data[nanoLen - 1], curnumber_ecm, ecm88Data[2], ecm88Data[3], ecm88Data[4]);
1170	}
1171	rdr_log_dbg(reader, D_READER, "Skip ECM ending with = %02x for ecm number (%x)", ecm88Data[nanoLen - 1], curnumber_ecm);
1172	ecm88Data = nextEcm;
1173	ecm88Len -= curEcm88len;
1174	continue; // loop to next ecm
1175	}
1176	}
1177	else // long ecm but we don't have an ecm number so we have to try them all.
1178	{
1179	keynr = ecm88Data[5];
1180	rdr_log_dbg(reader, D_READER, "keyToUse = %02x", ecm88Data[5]);
1181	}
1182	}
1183
1184	memcpy(ident, &ecm88Data[2], sizeof(ident));
1185	provid = b2i(3, ident);
1186	ident[2] &= 0xF0;
1187
1188	if(hasD2 && reader->aes_list)
1189	{
1190	// check that we have the AES key to decode the CW
1191	// if not there is no need to send the ecm to the card
1192	if(!aes_present(reader->aes_list, 0x500, (uint32_t)(provid & 0xFFFFF0) , D2KeyID))
1193	{
1194	return ERROR;
1195	}
1196	}
1197
1198	if(!chk_prov(reader, ident, keynr))
1199	{
1200	rdr_log_dbg(reader, D_READER, "ECM: provider or key not found on card");
1201	snprintf(ea->msglog, MSGLOGSIZE, "provider(%02x%02x%02x) or key(%d) not found on card", ident[0], ident[1], ident[2], keynr);
1202	return ERROR;
1203	}
1204
1205	ecm88Data += nanoLen;
1206	ecm88Len -= nanoLen;
1207	curEcm88len -= nanoLen;
1208
1209	// DE04
1210	if(ecm88Data[0] == 0xDE && ecm88Data[1] == 0x04)
1211	{
1212	memcpy(DE04, &ecm88Data[0], 6);
1213	ecm88Data += 6;
1214	}
1215
1216	// E0 (seen so far in logs: E0020002 or E0022002, but not in all cases delivers invalid cw so just detect!)
1217	if(ecm88Data[0] == 0xE0 && ecm88Data[1] == 0x02)
1218	{
1219	rdr_log_dbg(reader, D_READER,"[viaccess-reader] nano E0 ECM detected!");
1220	hasE0=1;
1221	}
1222
1223	if(csystem_data->last_geo.provid != provid)
1224	{
1225	csystem_data->last_geo.provid = provid;
1226	csystem_data->last_geo.geo_len = 0;
1227	csystem_data->last_geo.geo[0] = 0;
1228	write_cmd(insa4, ident); // set provider
1229	}
1230
1231	// Nano D2 0x0b, 0x0f, 0x13 -> pre AES decrypt CW
1232	if(hasD2 && (nanoD2 == 0x0b\|\| nanoD2 == 0x0f\|\| nanoD2 == 0x13))
1233	{
1234	uint8_t *ecm88DataCW = ecm88Data;
1235	int32_t cwStart = 0;
1236	//int32_t cwStartRes = 0;
1237	int32_t must_exit = 0;
1238	// find CW start
1239	while(cwStart < curEcm88len - 1 && !must_exit)
1240	{
1241	if(ecm88Data[cwStart] == 0xEA && ecm88Data[cwStart + 1] == 0x10)
1242	{
1243	ecm88DataCW = ecm88DataCW + cwStart + 2;
1244	must_exit = 1;
1245	}
1246	cwStart++;
1247	}
1248
1249	if(nanoD2 == 0x0f)
1250	{
1251	hdSurEncPhase1_D2_0F_11(ecm88DataCW);
1252	hdSurEncPhase2_D2_0F_11(ecm88DataCW);
1253	}
1254
1255	if(nanoD2 == 0x13)
1256	{
1257	hdSurEncPhase1_D2_13_15(ecm88DataCW);
1258	}
1259
1260	// use AES from list to decrypt CW
1261	rdr_log_dbg(reader, D_READER, "Decoding CW : using AES key id %d for provider %06x", D2KeyID, (provid & 0xFFFFF0));
1262	if(aes_decrypt_from_list(reader->aes_list, 0x500, (uint32_t)(provid & 0xFFFFF0), D2KeyID, &ecm88DataCW[0], 16) == 0)
1263	{
1264	snprintf(ea->msglog, MSGLOGSIZE, "Missing AES key(%d)[aka E%X]",D2KeyID, D2KeyID);
1265	}
1266
1267	if(nanoD2 == 0x0f)
1268	{
1269	hdSurEncPhase1_D2_0F_11(ecm88DataCW);
1270	}
1271
1272	if(nanoD2 == 0x13)
1273	{
1274	hdSurEncPhase2_D2_13_15(ecm88DataCW);
1275	}
1276	}
1277
1278	while(ecm88Len > 1 && ecm88Data[0] < 0xA0)
1279	{
1280	nanoLen = ecm88Data[1] + 2;
1281	if(!ecmf8Data)
1282	{
1283	ecmf8Data = (uint8_t *)ecm88Data;
1284	}
1285	ecmf8Len += nanoLen;
1286	ecm88Len -= nanoLen;
1287	curEcm88len -= nanoLen;
1288	ecm88Data += nanoLen;
1289	}
1290
1291	if(ecmf8Len)
1292	{
1293	if(csystem_data->last_geo.geo_len != ecmf8Len \|\| memcmp(csystem_data->last_geo.geo, ecmf8Data, csystem_data->last_geo.geo_len))
1294	{
1295	memcpy(csystem_data->last_geo.geo, ecmf8Data, ecmf8Len);
1296	csystem_data->last_geo.geo_len = ecmf8Len;
1297	insf8[3] = keynr;
1298	insf8[4] = ecmf8Len;
1299	write_cmd(insf8, ecmf8Data);
1300	}
1301	}
1302	ins88[2] = ecmf8Len ? 1 : 0;
1303	ins88[3] = keynr;
1304	ins88[4] = (curEcm88len > 0xFF) ? 0x00 : curEcm88len;
1305	//
1306	// we should check the nano to make sure the ecm is valid
1307	// we should look for at least 1 E3 nano, 1 EA nano and the F0 signature nano
1308	//
1309	// DE04
1310	if(DE04[0] == 0xDE)
1311	{
1312	uint32_t l = curEcm88len - 6;
1313	if(l > MAX_ECM_SIZE \|\| curEcm88len <= 6) //don't known if this is ok...
1314	{
1315	rdr_log(reader, "ecm invalid/too long! len=%d", curEcm88len);
1316	return ERROR;
1317	}
1318	memcpy(DE04 + 6, (uint8_t *)ecm88Data, l);
1319	write_cmd(ins88, DE04); // request dcw
1320	}
1321	else
1322	{
1323	write_cmd(ins88, (uint8_t *)ecm88Data); // request dcw
1324	}
1325
1326	write_cmd(insc0, NULL); // read dcw
1327	switch(cta_res[0])
1328	{
1329	case 0xe8: // even
1330	if(cta_res[1] == 8)
1331	{
1332	memcpy(ea->cw, cta_res + 2, 8);
1333	rc = 1;
1334	} break;
1335
1336	case 0xe9: // odd
1337	if(cta_res[1] == 8)
1338	{
1339	memcpy(ea->cw + 8, cta_res + 2, 8);
1340	rc = 1;
1341	} break;
1342
1343	case 0xea: // complete
1344	if(cta_res[1] == 16)
1345	{
1346	memcpy(ea->cw, cta_res + 2, 16);
1347	rc = 1;
1348	} break;
1349
1350	default :
1351	ecm88Data = nextEcm;
1352	ecm88Len -= curEcm88len;
1353	rdr_log_dbg(reader, D_READER, "Error: card respondend %02X %02X, trying next ECM", cta_res[0], cta_res[1]);
1354	snprintf(ea->msglog, MSGLOGSIZE, "key to use is not the current one, trying next ECM");
1355	}
1356	}
1357	else
1358	{
1359	//ecm88Data=nextEcm;
1360	//ecm88Len-=curEcm88len;
1361	rdr_log_dbg(reader, D_READER, "ECM: Unknown ECM type");
1362	snprintf(ea->msglog, MSGLOGSIZE, "Unknown ECM type");
1363	return ERROR; /Lets interupt the loop and exit, because we don't know this ECM type./
1364	}
1365	}
1366
1367	// Nano D2 0d, 11, 15 -> post AES decrypt CW
1368
1369	if(hasD2 && !dcw_crc(ea->cw) && (nanoD2 == 0x0d \|\| nanoD2 == 0x11 \|\| nanoD2 == 0x15))
1370	{
1371	if(nanoD2 == 0x11)
1372	{
1373	hdSurEncPhase1_D2_0F_11(ea->cw);
1374	hdSurEncPhase2_D2_0F_11(ea->cw);
1375	}
1376
1377	if(nanoD2 == 0x15)
1378	{
1379	hdSurEncPhase1_D2_13_15(ea->cw);
1380	}
1381	rdr_log_dbg(reader, D_READER, "Decoding CW : using AES key id %d for provider %06x", D2KeyID, (provid & 0xFFFFF0));
1382	rc = aes_decrypt_from_list(reader->aes_list, 0x500, (uint32_t)(provid & 0xFFFFF0), D2KeyID, ea->cw, 16);
1383
1384	if(rc == 0)
1385	{
1386	snprintf(ea->msglog, MSGLOGSIZE, "Missing AES key(%d)[aka E%X]",D2KeyID, D2KeyID);
1387	}
1388
1389	if(nanoD2 == 0x11)
1390	{
1391	hdSurEncPhase1_D2_0F_11(ea->cw);
1392	}
1393
1394	if(nanoD2 == 0x15)
1395	{
1396	hdSurEncPhase2_D2_13_15(ea->cw);
1397	}
1398	}
1399
1400	if (hasE0)
1401	{
1402	if (reader->initCA28)
1403	{
1404	rdr_log_dbg(reader, D_READER, "Decrypting nano E0 encrypted cw.");
1405	uint8_t returnedcw[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1406	memcpy(returnedcw,ea->cw,16);
1407
1408	// Processing 3DES
1409	// Processing even cw
1410	des(returnedcw, reader->key_schedule1, 0); // decrypt
1411	des(returnedcw, reader->key_schedule2, 1); // crypt
1412	des(returnedcw, reader->key_schedule1, 0); // decrypt
1413
1414	// Processing odd cw
1415	des(returnedcw + 8, reader->key_schedule1, 0); // decrypt
1416	des(returnedcw + 8, reader->key_schedule2, 1); // crypt
1417	des(returnedcw + 8, reader->key_schedule1, 0); // decrypt
1418
1419	// returning value
1420	memcpy(ea->cw,returnedcw, 16);
1421	}
1422	else
1423	{
1424	snprintf(ea->msglog, MSGLOGSIZE, "nano E0 detected, no valid boxkey / deskey defined: no decoding");
1425	}
1426	}
1427	return (rc ? OK : ERROR);
1428	}
1429
1430	static int32_t viaccess_get_emm_type(EMM_PACKET ep, struct s_reader rdr)
1431	{
1432	uint32_t provid = 0;
1433	rdr_log_dbg(rdr, D_EMM, "Entered viaccess_get_emm_type ep->emm[0]=%02x", ep->emm[0]);
1434
1435	if(ep->emm[3] == 0x90 && ep->emm[4] == 0x03)
1436	{
1437	provid = b2i(3, ep->emm + 5);
1438	provid &= 0xFFFFF0;
1439	i2b_buf(4, provid, ep->provid);
1440	}
1441
1442	switch(ep->emm[0])
1443	{
1444	case 0x88:
1445	ep->type = UNIQUE;
1446	memset(ep->hexserial, 0, 8);
1447	memcpy(ep->hexserial, ep->emm + 4, 4);
1448	rdr_log_dbg(rdr, D_EMM, "UNIQUE");
1449	if(!is_network_reader(rdr))
1450	{
1451	return (!memcmp(rdr->hexserial + 1, ep->hexserial, 4)); // local reader
1452	}
1453	else
1454	{
1455	return 1; // let server decide!
1456	}
1457
1458	case 0x8A:
1459	case 0x8B:
1460	ep->type = GLOBAL;
1461	rdr_log_dbg(rdr, D_EMM, "GLOBAL");
1462	return 1;
1463
1464	case 0x8C:
1465	case 0x8D:
1466	ep->type = SHARED;
1467	rdr_log_dbg(rdr, D_EMM, "SHARED (part)");
1468	// We need those packets to pass otherwise we would never
1469	// be able to complete EMM reassembly
1470	return 1;
1471
1472	case 0x8E:
1473	ep->type = SHARED;
1474	rdr_log_dbg(rdr, D_EMM, "SHARED");
1475	memset(ep->hexserial, 0, 8);
1476	memcpy(ep->hexserial, ep->emm + 3, 3);
1477
1478	// local reader
1479	int8_t i;
1480	for(i = 0; i < rdr->nprov; i++)
1481	{
1482	if(!memcmp(&rdr->prid[i][2], ep->hexserial+1, 2))
1483	{
1484	return 1;
1485	}
1486	return (!memcmp(&rdr->sa[0][0], ep->hexserial, 3));
1487	} /* fallthrough */
1488
1489	default:
1490	ep->type = UNKNOWN;
1491	rdr_log_dbg(rdr, D_EMM, "UNKNOWN");
1492	return 1;
1493	}
1494	}
1495
1496	static int32_t viaccess_get_emm_filter(struct s_reader rdr, struct s_csystem_emm_filter emm_filters, unsigned int filter_count)
1497	{
1498	if(*emm_filters == NULL)
1499	{
1500	bool network = is_network_reader(rdr);
1501	int8_t device_emm = ((rdr->deviceemm > 0) ? 1 : 0); // set to 1 if device specific emms should be catched too
1502	const unsigned int max_filter_count = 4 + ((device_emm != 0 && rdr->nprov > 0) ? 1:0) + (3 * ((rdr->nprov > 0) ? (rdr->nprov - 1) : 0));
1503
1504	if(!cs_malloc(emm_filters, max_filter_count * sizeof(struct s_csystem_emm_filter)))
1505	{
1506	return ERROR;
1507	}
1508
1509	struct s_csystem_emm_filter filters = emm_filters;
1510	*filter_count = 0;
1511
1512	int32_t idx = 0;
1513	int32_t prov;
1514
1515	if(rdr->nprov > 0 && device_emm == 1)
1516	{
1517	filters[idx].type = EMM_GLOBAL; // 8A or 8B no reassembly needed!
1518	filters[idx].enabled = 1;
1519	filters[idx].filter[0] = 0x8A;
1520	filters[idx].mask[0] = 0xFE;
1521	filters[idx].filter[3] = 0x80; // device specific emms
1522	filters[idx].mask[3] = 0x80;
1523	idx++;
1524	}
1525
1526	// shared are most important put them on top, define first since viaccess produces a lot of filters!
1527	for(prov = 0; (prov < rdr->nprov); prov++)
1528	{
1529	if((rdr->prid[prov][2] &0xF0) == 0xF0) // skip this not useful provider
1530	{
1531	continue;
1532	}
1533
1534	filters[idx].type = EMM_SHARED; // 8C or 8D always first part of shared, second part delivered by 8E!
1535	filters[idx].enabled = 1;
1536	filters[idx].filter[0] = 0x8C;
1537	filters[idx].mask[0] = 0xFE;
1538	if(rdr->nprov > 0)
1539	{
1540	memcpy(&filters[idx].filter[4], &rdr->prid[prov][2], 2);
1541	filters[idx].mask[4] = 0xFF;
1542	filters[idx].mask[5] = 0xF0; // ignore last digit since this is key on card indicator!
1543	}
1544	idx++;
1545
1546	filters[idx].type = EMM_SHARED; // 8E second part reassembly with 8c/8d needed!
1547	filters[idx].enabled = 1;
1548	filters[idx].filter[0] = 0x8E;
1549	filters[idx].mask[0] = 0xFF;
1550	if(rdr->nprov > 0)
1551	{
1552	memcpy(&filters[idx].filter[1], &rdr->sa[prov][0], 3);
1553	memset(&filters[idx].mask[1], 0xFF, 3);
1554	}
1555	idx++;
1556	}
1557
1558	// globals are less important, define last since viaccess produces a lot of filters!
1559	for(prov = 0; (prov < rdr->nprov); prov++)
1560	{
1561	if((rdr->prid[prov][2] &0xF0) == 0xF0) // skip this not useful provider
1562	{
1563	continue;
1564	}
1565
1566	filters[idx].type = EMM_GLOBAL; // 8A or 8B no reassembly needed!
1567	filters[idx].enabled = 1;
1568	filters[idx].filter[0] = 0x8A;
1569	filters[idx].mask[0] = 0xFE;
1570	if(rdr->nprov > 0)
1571	{
1572	memcpy(&filters[idx].filter[4], &rdr->prid[prov][2], 2);
1573	filters[idx].mask[4] = 0xFF;
1574	filters[idx].mask[5] = 0xF0; // ignore last digit since this is key on card indicator!
1575	}
1576	else if (device_emm == 0)
1577	{
1578	filters[idx].filter[3] = 0x00; // additional filter to cancel device specific emms
1579	filters[idx].mask[3] = 0x80;
1580	}
1581	idx++;
1582	}
1583
1584	filters[idx].type = EMM_UNIQUE;
1585	filters[idx].enabled = 1;
1586	filters[idx].filter[0] = 0x88;
1587	filters[idx].mask[0] = 0xFF;
1588	if(!network) // network has only 3 digits out of 4
1589	{
1590	memcpy(&filters[idx].filter[1], rdr->hexserial + 1, 4);
1591	memset(&filters[idx].mask[1], 0xFF, 4);
1592	}
1593	else
1594	{
1595	memcpy(&filters[idx].filter[1], rdr->hexserial + 1, 3);
1596	memset(&filters[idx].mask[1], 0xFF, 3);
1597	}
1598	idx++;
1599
1600	*filter_count = idx;
1601	}
1602
1603	return OK;
1604	}
1605
1606	static int32_t viaccess_do_emm(struct s_reader reader, EMM_PACKET ep)
1607	{
1608	def_resp;
1609	static const uint8_t insa4[] = { 0xca, 0xa4, 0x04, 0x00, 0x03 }; // set provider id
1610	uint8_t insf0[] = { 0xca, 0xf0, 0x00, 0x01, 0x22 }; // set adf
1611	uint8_t insf4[] = { 0xca, 0xf4, 0x00, 0x01, 0x00 }; // set adf, encrypted
1612	uint8_t ins18[] = { 0xca, 0x18, 0x01, 0x01, 0x00 }; // set subscription
1613	uint8_t ins1c[] = { 0xca, 0x1c, 0x01, 0x01, 0x00 }; // set subscription, encrypted
1614	struct viaccess_data *csystem_data = reader->csystem_data;
1615
1616	int32_t emmdatastart = 7;
1617
1618	if (ep->emm[1] == 0x01) // emm from cccam
1619	{
1620	emmdatastart = 12;
1621	ep->emm[1] = 0x70; // (& 0x0f) of this byte is length, so 0x01 would increase the length by 256
1622	ep->emm[2] -= 1;
1623	if (ep->type == SHARED \|\| ep->type == GLOBAL) // build missing 0x90 nano from provider at serial position
1624	{
1625	memcpy(ep->emm + 7, ep->emm + 3, 3);
1626	ep->emm[5] = 0x90;
1627	ep->emm[6] = 0x03;
1628	ep->emm[9] \|= 0x01;
1629	ep->emm[10] = 0x9E;
1630	ep->emm[11] = 0x20;
1631	emmdatastart = 5;
1632	}
1633	}
1634
1635	if(ep->type == UNIQUE)
1636	{
1637	emmdatastart++;
1638	}
1639
1640	if(ep->type == GLOBAL && emmdatastart == 7)
1641	{
1642	emmdatastart -= 4;
1643	}
1644
1645	int32_t emmLen = SCT_LEN(ep->emm) - emmdatastart;
1646	int32_t rc = 0;
1647
1648	rdr_log_dump(reader, ep->emm, emmLen + emmdatastart, "RECEIVED EMM VIACCESS");
1649
1650	int32_t emmUpToEnd;
1651	uint8_t *emmParsed = ep->emm + emmdatastart;
1652	int32_t provider_ok = 0;
1653	uint32_t emm_provid = 0;
1654	uint8_t keynr = 0;
1655	int32_t ins18Len = 0;
1656	uint8_t ins18Data[512];
1657	uint8_t insData[512];
1658	uint8_t *nano81Data = 0;
1659	uint8_t *nano91Data = 0;
1660	uint8_t *nano92Data = 0;
1661	uint8_t *nano9EData = 0;
1662	uint8_t *nanoF0Data = 0;
1663	uint8_t *nanoA9Data = 0;
1664
1665	for(emmUpToEnd = emmLen; (emmParsed[1] != 0) && (emmUpToEnd > 0); emmUpToEnd -= (2 + emmParsed[1]), emmParsed += (2 + emmParsed[1]))
1666	{
1667	rdr_log_dump(reader, emmParsed, emmParsed[1] + 2, "NANO");
1668
1669	if(emmParsed[0] == 0x90 && emmParsed[1] == 0x03)
1670	{
1671	/* identification of the service operator */
1672
1673	uint8_t soid[3], ident[3], i;
1674
1675	for(i = 0; i < 3; i++)
1676	{
1677	soid[i] = ident[i] = emmParsed[2 + i];
1678	}
1679	ident[2] &= 0xF0;
1680	emm_provid = b2i(3, ident);
1681	keynr = soid[2] & 0x0F;
1682
1683	if(chk_prov(reader, ident, keynr))
1684	{
1685	provider_ok = 1;
1686	}
1687	else
1688	{
1689	rdr_log(reader, "EMM: ignored since provider or key not present on card (%x, %x)", emm_provid, keynr);
1690	return SKIPPED;
1691	}
1692
1693	// check if the provider changes. If yes, set the new one. If not, don't... card will return an error if we do.
1694	if(csystem_data->last_geo.provid != emm_provid)
1695	{
1696	write_cmd(insa4, ident);
1697	if(cta_res[cta_lr - 2] != 0x90 \|\| cta_res[cta_lr - 1] != 0x00)
1698	{
1699	rdr_log_dump(reader, insa4, 5, "set provider cmd:");
1700	rdr_log_dump(reader, soid, 3, "set provider data:");
1701	rdr_log(reader, "update error: %02X %02X", cta_res[cta_lr - 2], cta_res[cta_lr - 1]);
1702	return ERROR;
1703	}
1704	}
1705	// as we are maybe changing the used provider, clear the cache, so the next ecm will re-select the correct one
1706	csystem_data->last_geo.provid = 0;
1707	csystem_data->last_geo.geo_len = 0;
1708	csystem_data->last_geo.geo[0] = 0;
1709
1710	}
1711	else if(emmParsed[0] == 0x9e && emmParsed[1] == 0x20)
1712	{
1713	/* adf */
1714
1715	if(!nano91Data)
1716	{
1717	/* adf is not crypted, so test it */
1718
1719	uint8_t custwp;
1720	uint8_t *afd;
1721
1722	custwp = reader->sa[0][3];
1723	afd = (uint8_t *)emmParsed + 2;
1724
1725	if(afd[31 - custwp / 8] & (1 << (custwp & 7)))
1726	{
1727	rdr_log_dbg(reader, D_READER, "emm for our card %08X", b2i(4, &reader->sa[0][0]));
1728	}
1729	else
1730	{
1731	rdr_log_dbg(reader, D_READER, "emm not suitable for our card %08X", b2i(4, &reader->sa[0][0]));
1732	return SKIPPED;
1733	}
1734	}
1735
1736	// memorize
1737	nano9EData = emmParsed;
1738
1739	}
1740	else if(emmParsed[0] == 0x81)
1741	{
1742	nano81Data = emmParsed;
1743	}
1744	else if(emmParsed[0] == 0x91 && emmParsed[1] == 0x08)
1745	{
1746	nano91Data = emmParsed;
1747	}
1748	else if(emmParsed[0] == 0x92 && emmParsed[1] == 0x08)
1749	{
1750	nano92Data = emmParsed;
1751	}
1752	else if(emmParsed[0] == 0xF0 && emmParsed[1] == 0x08)
1753	{
1754	nanoF0Data = emmParsed;
1755	}
1756	else if(emmParsed[0] == 0xD8 && emmParsed[2] == 0x45)
1757	{
1758	uint8_t pos = 4 + emmParsed[3];
1759	char *tmpbuf;
1760	if(emmParsed[pos] == 0x46 && ((emmParsed[pos+1] - emmParsed[1]) == pos))
1761	{
1762	if(cs_malloc(&tmpbuf, emmParsed[pos + 1]))
1763	{
1764	cs_strncpy(tmpbuf, (char *)emmParsed + pos + 2, emmParsed[pos + 1]);
1765	rdr_log(reader, "Viaccess EMM-text: %s", tmpbuf);
1766	NULLFREE(tmpbuf);
1767	}
1768	}
1769	}
1770	else
1771	{
1772	/* other nanos */
1773	show_subs(reader, emmParsed);
1774	if(emmParsed[0] == 0xA9 && ep->type == SHARED) // check on shared (reassembled) emm if all classes are present and up to date on card: error 90 40
1775	{
1776	if(!emm_provid)
1777	{
1778	rdr_log(reader, "no provid in shared emm -> skipped!");
1779	return SKIPPED;
1780	}
1781	int8_t match = add_find_class(reader, emm_provid, emmParsed + 2, emmParsed[1], 0);
1782
1783	if(match == -2)
1784	{
1785	rdr_log(reader, "shared emm provid %06X all classes have entitlementdate already same or newer -> skipped!", emm_provid);
1786	return SKIPPED;
1787	}
1788	nanoA9Data = emmParsed;
1789	}
1790
1791	memcpy(ins18Data + ins18Len, emmParsed, emmParsed[1] + 2);
1792	ins18Len += emmParsed [1] + 2;
1793	}
1794	}
1795
1796	if(!provider_ok)
1797	{
1798	rdr_log_dbg(reader, D_READER, "provider not found in emm, continue anyway");
1799	// force key to 1...
1800	keynr = 1;
1801	///return ERROR;
1802	}
1803
1804	if(!nanoF0Data)
1805	{
1806	rdr_log_dump(reader, ep->emm, ep->emmlen, "can't find 0xf0 in emm...");
1807	return ERROR; // error
1808	}
1809
1810	if(nano9EData)
1811	{
1812	if(!nano91Data)
1813	{
1814	// set adf
1815	insf0[3] = keynr; // key
1816	insf0[4] = nano9EData[1] + 2;
1817	write_cmd(insf0, nano9EData);
1818	if(cta_res[cta_lr - 2] != 0x90 \|\| cta_res[cta_lr - 1] != 0x00)
1819	{
1820	rdr_log_dump(reader, insf0, 5, "set adf cmd:");
1821	rdr_log_dump(reader, nano9EData, insf0[4] , "set adf data:");
1822	rdr_log(reader, "update error: %02X %02X", cta_res[cta_lr - 2], cta_res[cta_lr - 1]);
1823	return ERROR;
1824	}
1825	}
1826	else
1827	{
1828	// set adf crypte
1829	insf4[3] = keynr; // key
1830	insf4[4] = nano91Data[1] + 2 + nano9EData[1] + 2;
1831	memcpy(insData, nano91Data, nano91Data[1] + 2);
1832	memcpy(insData + nano91Data[1] + 2, nano9EData, nano9EData[1] + 2);
1833	write_cmd(insf4, insData);
1834
1835	if((cta_res[cta_lr - 2] != 0x90 && cta_res[cta_lr - 2] != 0x91) \|\| cta_res[cta_lr - 1] != 0x00)
1836	{
1837	rdr_log_dump(reader, insf4, 5, "set adf encrypted cmd:");
1838	rdr_log_dump(reader, insData, insf4[4], "set adf encrypted data:");
1839	rdr_log(reader, "update error: %02X %02X", cta_res[cta_lr - 2], cta_res[cta_lr - 1]);
1840	return ERROR;
1841	}
1842	}
1843	}
1844
1845	if(!nano92Data)
1846	{
1847	// send subscription
1848	ins18[2] = nano9EData ? 0x01 : 0x00; // found 9E nano ?
1849	ins18[3] = keynr; // key
1850	ins18[4] = ins18Len + nanoF0Data[1] + 2;
1851	memcpy(insData, ins18Data, ins18Len);
1852	memcpy(insData + ins18Len, nanoF0Data, nanoF0Data[1] + 2);
1853	write_cmd(ins18, insData);
1854
1855	if((cta_res[cta_lr - 2] == 0x90 \|\| cta_res[cta_lr - 2] == 0x91) && cta_res[cta_lr - 1] == 0x00)
1856	{
1857	if(nanoA9Data)
1858	{
1859	add_find_class(reader, emm_provid, nanoA9Data + 2, nanoA9Data[1], 1);
1860	rdr_log(reader, "Your subscription data was updated.");
1861	}
1862	rc = 1; // written
1863	}
1864	else
1865	{
1866	rdr_log_dump(reader, ins18, 5, "set subscription cmd:");
1867	rdr_log_dump(reader, insData, ins18[4], "set subscription data:");
1868
1869	if(!(cta_res[cta_lr -2] == 0x90 && cta_res[cta_lr - 1] == 0x40)) // dont throw softerror 9040 in log!
1870	{
1871	rdr_log(reader, "update error: %02X %02X", cta_res[cta_lr - 2], cta_res[cta_lr - 1]);
1872	}
1873	else
1874	{
1875	rc = 2; // skipped
1876	}
1877	}
1878
1879	}
1880	else
1881	{
1882	// send subscription encrypted
1883
1884	if(!nano81Data)
1885	{
1886	rdr_log_dump(reader, ep->emm, ep->emmlen, "0x92 found, but can't find 0x81 in emm...");
1887	return ERROR; // error
1888	}
1889
1890	ins1c[2] = nano9EData ? 0x01 : 0x00; // found 9E nano ?
1891	if(ep->type == UNIQUE)
1892	{
1893	ins1c[2] = 0x02;
1894	}
1895
1896	ins1c[3] = keynr; // key
1897	ins1c[4] = nano92Data[1] + 2 + nano81Data[1] + 2 + nanoF0Data[1] + 2;
1898	memcpy(insData, nano92Data, nano92Data[1] + 2);
1899	memcpy(insData + nano92Data[1] + 2, nano81Data, nano81Data[1] + 2);
1900	memcpy(insData + nano92Data[1] + 2 + nano81Data[1] + 2, nanoF0Data, nanoF0Data[1] + 2);
1901	write_cmd(ins1c, insData);
1902
1903	if((cta_res[cta_lr - 2] == 0x90 \|\| cta_res[cta_lr - 2] == 0x91) && (cta_res[cta_lr - 1] == 0x00 \|\| cta_res[cta_lr - 1] == 0x08))
1904	{
1905	rdr_log(reader, "update successfully written");
1906	rc = 1; // written
1907	}
1908	rc = 1;
1909	}
1910
1911	return rc;
1912	}
1913
1914	static int32_t viaccess_card_info(struct s_reader *reader)
1915	{
1916	def_resp;
1917	int32_t i, l;
1918	time_t now;
1919	struct tm timeinfo;
1920	uint16_t tmpdate;
1921	uint8_t insac[] = { 0xca, 0xac, 0x00, 0x00, 0x00 }; // select data
1922	uint8_t insb8[] = { 0xca, 0xb8, 0x00, 0x00, 0x00 }; // read selected data
1923	uint8_t insa4[] = { 0xca, 0xa4, 0x00, 0x00, 0x00 }; // select issuer
1924	uint8_t insc0[] = { 0xca, 0xc0, 0x00, 0x00, 0x00 }; // read data item
1925	static const uint8_t ins24[] = { 0xca, 0x24, 0x00, 0x00, 0x09 }; // set pin
1926
1927	uint8_t cls[] = { 0x00, 0x21, 0xff, 0x9f};
1928	static const uint8_t pin[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04};
1929	struct viaccess_data *csystem_data = reader->csystem_data;
1930
1931	csystem_data->last_geo.provid = 0;
1932	csystem_data->last_geo.geo_len = 0;
1933	csystem_data->last_geo.geo[0] = 0;
1934
1935	rdr_log(reader, "card detected");
1936
1937	cs_clear_entitlement(reader); //reset the entitlements
1938
1939	// set pin
1940	write_cmd(ins24, pin);
1941
1942	insac[2] = 0xa4;
1943	write_cmd(insac, NULL); // request unique id
1944	insb8[4] = 0x07;
1945	write_cmd(insb8, NULL); // read unique id
1946	rdr_log_sensitive(reader, "serial: {%llu}", (unsigned long long) b2ll(5, cta_res + 2));
1947
1948	insa4[2] = 0x00;
1949	write_cmd(insa4, NULL); // select issuer 0
1950
1951	for(i = 1; (cta_res[cta_lr - 2] == 0x90) && (cta_res[cta_lr - 1] == 0); i++)
1952	{
1953	bool added = false;
1954	uint32_t l_provid, l_sa;
1955	uint8_t l_name[64];
1956	insc0[4] = 0x1a;
1957	write_cmd(insc0, NULL); // show provider properties
1958	cta_res[2] &= 0xF0;
1959	l_provid = b2i(3, cta_res);
1960
1961	insac[2] = 0xa5;
1962	write_cmd(insac, NULL); // request sa
1963	insb8[4] = 0x06;
1964	write_cmd(insb8, NULL); // read sa
1965	l_sa = b2i(4, cta_res + 2);
1966
1967	insac[2] = 0xa7;
1968	write_cmd(insac, NULL); // request name
1969	insb8[4] = 0x02;
1970	write_cmd(insb8, NULL); // read name nano + len
1971	l = cta_res[1];
1972	insb8[4] = l;
1973	write_cmd(insb8, NULL); // read name
1974	cta_res[l] = 0;
1975	trim((char *)cta_res);
1976
1977	if(cta_res[0])
1978	{
1979	snprintf((char *)l_name, sizeof(l_name), ", name: %.55s", cta_res);
1980	}
1981	else
1982	{
1983	l_name[0] = 0;
1984	}
1985
1986	// read GEO
1987	insac[2] = 0xa6;
1988	write_cmd(insac, NULL); // request GEO
1989	insb8[4] = 0x02;
1990	write_cmd(insb8, NULL); // read GEO nano + len
1991	l = cta_res[1];
1992	char tmp[l * 3 + 1];
1993	insb8[4] = l;
1994	write_cmd(insb8, NULL); // read geo
1995	rdr_log_sensitive(reader, "provider: %d, id: {%06X%s}, sa: {%08X}, geo: %s", i, l_provid, l_name, l_sa, (l < 4) ? "empty" : cs_hexdump(1, cta_res, l, tmp, sizeof(tmp)));
1996
1997	// read classes subscription
1998	insac[2] = 0xa9;
1999	insac[4] = 4;
2000	if(!reader->read_old_classes)
2001	{
2002	now = time(NULL) - (246060);
2003	cs_gmtime_r(&now, &timeinfo);
2004	tmpdate = timeinfo.tm_mday \| ((timeinfo.tm_mon + 1) << 5) \| ((timeinfo.tm_year - 80) << 9);
2005	cls[0] = tmpdate >> 8;
2006	cls[1] = tmpdate & 0xff;
2007	}
2008	write_cmd(insac, cls); // request class subs
2009
2010	while((cta_res[cta_lr - 2] == 0x90) && (cta_res[cta_lr - 1] == 0))
2011	{
2012	insb8[4] = 0x02;
2013	write_cmd(insb8, NULL); // read class subs nano + len
2014	if((cta_res[cta_lr - 2] == 0x90) && (cta_res[cta_lr - 1] == 0))
2015	{
2016	l = cta_res[1];
2017	insb8[4] = l;
2018	write_cmd(insb8, NULL); // read class subs
2019	if((cta_res[cta_lr - 2] == 0x90) && (cta_res[cta_lr - 1] == 0x00 \|\| cta_res[cta_lr - 1] == 0x08))
2020	{
2021	show_class(reader, NULL, l_provid, cta_res, cta_lr - 2);
2022	added = true;
2023	}
2024	}
2025	}
2026
2027	if(!added)
2028	{
2029	// add entitlement info for provid without class
2030	cs_add_entitlement(reader, reader->caid, l_provid, 0, 0, 0, 0, 5, 1);
2031	}
2032
2033	insac[4] = 0;
2034	insa4[2] = 0x02;
2035	write_cmd(insa4, NULL); // select next provider
2036	}
2037	//return ERROR;
2038	// Start process init CA 28
2039	reader->initCA28=0;
2040	int32_t lenboxkey = reader->boxkey_length;
2041	int32_t lendeskey = reader->des_key_length;
2042	if ((lenboxkey >= 4) && (lendeskey > 0))
2043	{
2044	uint8_t ins28[] = { 0xCA, 0x28, 0x00, 0x00, 0x04 }; //Init for nanoE0 ca28
2045	ins28[4] = (uint8_t) lenboxkey;
2046	uint8_t ins28_data[4];
2047	memcpy(ins28_data, reader->boxkey, 4);
2048	write_cmd(ins28, ins28_data); // unlock card to reply on E002xxyy
2049
2050	if((cta_res[cta_lr - 2] == 0x90) && (cta_res[cta_lr - 1] == 0))
2051	{
2052	rdr_log(reader, "CA 28 initialisation successful!");
2053	// init 3DES key
2054	des_set_key(reader->des_key, reader->key_schedule1);
2055	des_set_key(reader->des_key+8, reader->key_schedule2);
2056	reader->initCA28=1;
2057	}
2058	else
2059	{
2060	rdr_log(reader, "CA 28 initialisation failed! CA 28 refused");
2061	}
2062	}
2063	//end process init CA 28
2064	return OK;
2065	}
2066
2067	static int32_t viaccess_reassemble_emm(struct s_reader rdr, struct s_client client, EMM_PACKET *ep)
2068	{
2069	uint8_t *buffer = ep->emm;
2070	int16_t *len = &ep->emmlen;
2071	int32_t pos = 0, i;
2072	int16_t k;
2073	int32_t prov, provid = 0;
2074	struct emm_rass *r_emm = NULL;
2075
2076	// Viaccess
2077	if(*len > 500)
2078	{
2079	return 0;
2080	}
2081
2082	switch(buffer[0])
2083	{
2084	case 0x8c:
2085	case 0x8d:
2086	// emm-s part 1
2087	provid = b2i(3, ep->emm + 5); // extract provid from emm
2088	provid &= 0xFFFFF0; // last digit is dont care
2089	r_emm = find_rabuf(client, provid, (uint8_t) buffer[0], 1);
2090
2091	if(!r_emm)
2092	{
2093	cs_log("[viaccess] ERROR: Can't allocate EMM reassembly buffer.");
2094	return 0;
2095	}
2096
2097	if(!memcmp(&r_emm->emm, &buffer[0], *len)) // skip same shared emm, this make sure emmlen isnt replaced. emmlen = 0 means this shared emm has been used for reassembly
2098	{
2099	return 0;
2100	}
2101
2102	memset(&r_emm->emm[0], 0, sizeof(r_emm->emm)); // zero it!
2103	memcpy(&r_emm->emm[0], &buffer[0], *len); // put the fresh new shared emm
2104	r_emm->emmlen = *len; // put the emmlen indicating that this shared emm isnt being reassembled
2105	rdr_log_dump_dbg(rdr, D_EMM, r_emm->emm, r_emm->emmlen, "%s: received fresh emm-gh for provid %06X", __func__, provid);
2106	return 0;
2107
2108	case 0x8e:
2109	// emm-s part 2
2110	for(prov = 0; prov < rdr->nprov ; prov++)
2111	{
2112	if(!memcmp(&buffer[3], &rdr->sa[prov][0], 3))
2113	{
2114	//matching sa found!
2115	if(is_network_reader(rdr))
2116	{
2117	provid = b2i(4, ep->provid); // use provid from emm since we have nothing better!
2118	provid &= 0xFFFFF0; // last digit is dont care
2119	}
2120
2121	else
2122	{
2123	provid = b2i(4, rdr->prid[prov]); // get corresponding provid from reader since there is no provid in emm payload!
2124	provid &= 0xFFFFF0; // last digit is dont care
2125	}
2126	r_emm = find_rabuf(client, provid, 0, 0); // nano = don't care, the shared 8c or 8d not been written gets returned!
2127
2128	if(!r_emm \|\| !r_emm->emmlen)
2129	{
2130	continue; // match but no emm-gh found for this provider
2131	}
2132	else
2133	{
2134	break; // stop searching-> emm-gh found!
2135	}
2136	}
2137	}
2138
2139	if(!r_emm \|\| !r_emm->emmlen)
2140	{
2141	return 0; // stop -> no emm-gh found!
2142	}
2143	//extract nanos from emm-gh and emm-s
2144	uint8_t emmbuf[512];
2145
2146	rdr_log_dbg(rdr, D_EMM, "%s: start extracting nanos", __func__);
2147	//extract from emm-gh
2148	for(i = 3; i < r_emm->emmlen; i += r_emm->emm[i + 1] + 2)
2149	{
2150	//copy nano (length determined by i+1)
2151	memcpy(emmbuf + pos, r_emm->emm + i, r_emm->emm[i + 1] + 2);
2152	pos += r_emm->emm[i + 1] + 2;
2153	}
2154
2155	if(buffer[2] == 0x2c)
2156	{
2157	//add 9E 20 nano + first 32 uint8_ts of emm content
2158	memcpy(emmbuf + pos, "\x9E\x20", 2);
2159	memcpy(emmbuf + pos + 2, buffer + 7, 32);
2160	pos += 34;
2161
2162	//add F0 08 nano + 8 subsequent uint8_ts of emm content
2163	memcpy(emmbuf + pos, "\xF0\x08", 2);
2164	memcpy(emmbuf + pos + 2, buffer + 39, 8);
2165	pos += 10;
2166	}
2167	else
2168	{
2169	//extract from variable emm-s
2170	for(k = 7; k < (*len); k += buffer[k + 1] + 2)
2171	{
2172	//copy nano (length determined by k+1)
2173	memcpy(emmbuf + pos, buffer + k, buffer[k + 1] + 2);
2174	pos += buffer[k + 1] + 2;
2175	}
2176	}
2177
2178	rdr_log_dump_dbg(rdr, D_EMM, buffer, *len, "%s: %s emm-s", __func__, (buffer[2] == 0x2c) ? "fixed" : "variable");
2179
2180	emm_sort_nanos(buffer + 7, emmbuf, pos);
2181	pos += 7;
2182
2183	//calculate emm length and set it on position 2
2184	buffer[2] = pos - 3;
2185
2186	rdr_log_dump_dbg(rdr, D_EMM, r_emm->emm, r_emm->emmlen, "%s: emm-gh provid %06X", __func__, provid);
2187	rdr_log_dump_dbg(rdr, D_EMM, buffer, pos, "%s: assembled emm", __func__);
2188
2189	*len = pos;
2190	r_emm->emmlen = 0; // mark this shared 8c or 8d as being used for reassembly and send to reader!
2191	break;
2192	}
2193	return 1;
2194	}
2195
2196	const struct s_cardsystem reader_viaccess =
2197	{
2198	.desc = "viaccess",
2199	.caids = (uint16_t[]){ 0x05, 0 },
2200	.do_emm_reassembly = viaccess_reassemble_emm,
2201	.do_emm = viaccess_do_emm,
2202	.do_ecm = viaccess_do_ecm,
2203	.card_info = viaccess_card_info,
2204	.card_init = viaccess_card_init,
2205	.get_emm_type = viaccess_get_emm_type,
2206	.get_emm_filter = viaccess_get_emm_filter,
2207	};
2208
2209	#endif

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/reader-viaccess.c

Download in other formats: