Changeset 11575
- Timestamp:
- 02/26/20 21:30:12 (3 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 4 edited
-
globals.h (modified) (2 diffs)
-
oscam-work.c (modified) (2 diffs)
-
oscam-work.h (modified) (1 diff)
-
reader-nagracak7.c (modified) (14 diffs)
-
reader-nagracak7.h (added)
Legend:
- Unmodified
- Added
- Removed
-
trunk/globals.h
r11574 r11575 1500 1500 #endif 1501 1501 #ifdef READER_NAGRA_MERLIN 1502 uint8_t irdid[4]; 1503 uint8_t irdid_length; 1504 uint8_t public_exponent[3]; 1505 uint8_t public_exponent_length; 1502 1506 uint8_t mod1[112]; 1503 1507 uint8_t mod1_length; … … 1524 1528 uint8_t v[8]; 1525 1529 uint8_t iout[8]; 1526 uint32_t dword_83DBC;1527 1530 uint8_t data2[4]; 1528 uint8_t cak7expo[0x11];1529 1531 uint8_t data[0x80]; 1530 1532 uint8_t step1[0x60]; -
trunk/oscam-work.c
r11495 r11575 12 12 #include "oscam-work.h" 13 13 #include "reader-common.h" 14 #ifdef READER_NAGRA_MERLIN 15 #include "reader-nagracak7.h" 16 #endif 14 17 #include "module-cccam.h" 15 18 #include "module-cccam-data.h" … … 305 308 break; 306 309 310 #ifdef READER_NAGRA_MERLIN 311 case ACTION_READER_RENEW_SK: 312 CAK7_getCamKey(reader); 313 break; 314 #endif 315 307 316 case ACTION_READER_INIT: 308 317 if(!cl->init_done) -
trunk/oscam-work.h
r11487 r11575 17 17 ACTION_READER_CAPMT_NOTIFY = 12, // wr12 18 18 ACTION_READER_POLL_STATUS = 13, // wr13 19 #ifdef READER_NAGRA_MERLIN 20 ACTION_READER_RENEW_SK = 14, // wr14 21 #endif 19 22 // Client actions 20 23 ACTION_CLIENT_UDP = 22, // wc22 -
trunk/reader-nagracak7.c
r11566 r11575 8 8 #include "reader-common.h" 9 9 #include "reader-nagra-common.h" 10 #include "reader-nagracak7.h" 10 11 #include "oscam-work.h" 11 12 #include "cscrypt/des.h" 12 13 #include "cscrypt/mdc2.h" 13 14 14 static const uint8_t public_exponent[] = { 0x01, 0x00, 0x01 };15 15 static const uint8_t d00ff[] = { 0x00, 0xFF, 0xFF, 0xFF }; 16 static const uint8_t irdid[] = { 0x64, 0x65, 0x6D, 0x6F }; // fake -> ASCII HEX-bytes of "demo" 17 static const uint8_t data1[] = { 0x00, 0x00, 0x00, 0x01 }; 16 static uint8_t data1[] = { 0x00, 0x00, 0x00, 0x01 }; 18 17 19 18 // Datatypes 20 #define IRDINFO 0x03 21 #define TIERS 0x0C 22 #define SYSID 0x05 19 #define SYSID_CAID 0x02 20 #define IRDINFO 0x03 21 #define DT05 0x05 22 #define TIERS 0x0C 23 23 24 24 static time_t tier_date(uint64_t date, char *buf, int32_t l) … … 35 35 } 36 36 37 void rsa_decrypt(uint8_t *edata50, int len, uint8_t *out, uint8_t *key, int keylen )37 void rsa_decrypt(uint8_t *edata50, int len, uint8_t *out, uint8_t *key, int keylen, uint8_t *expo, uint8_t expolen) 38 38 { 39 39 BN_CTX *ctx0 = BN_CTX_new(); … … 46 46 BIGNUM *bnPT0 = BN_CTX_get(ctx0); 47 47 BN_bin2bn(&key[0], keylen, bnN0); 48 BN_bin2bn( public_exponent, 0x03, bnE0);48 BN_bin2bn(&expo[0], expolen, bnE0); 49 49 BN_bin2bn(&edata50[0], len, bnCT0); 50 50 BN_mod_exp(bnPT0, bnCT0, bnE0, bnN0, ctx0); … … 85 85 switch(dt) 86 86 { 87 case 0x02:87 case SYSID_CAID: 88 88 { 89 89 reader->prid[0][0] = 0x00; … … 114 114 } 115 115 116 case SYSID: // case 0x05116 case DT05: // case 0x05 117 117 { 118 118 IDEA_KEY_SCHEDULE ks; 119 119 memcpy(reader->edata,cta_res + 26, 0x70); 120 120 reader->dt5num = cta_res[20]; 121 rsa_decrypt(reader->edata, 0x70, reader->out, reader->mod1, reader->mod1_length );121 rsa_decrypt(reader->edata, 0x70, reader->out, reader->mod1, reader->mod1_length, reader->public_exponent, reader->public_exponent_length); 122 122 123 123 if(reader->dt5num == 0x00) … … 263 263 } 264 264 265 void sub_6AD78(uint32_t *dinit) // gbox function266 {267 uint32_t v0 = (uint32_t) * dinit;268 double f0;269 f0 = v0;270 double f12 = 16807;271 double f15 = 2147483647;272 f12 = f0 * f12;273 double v12;274 v12 = fmod(f12, f15);275 *dinit = v12;276 }277 278 void calc_cak7_exponent(uint32_t *dinit, uint8_t *out, uint8_t len)279 {280 memset(out, 0x00, len);281 282 sub_6AD78(dinit);283 284 int nR4 = 0;285 int nR5 = 0;286 while(true)287 {288 uint32_t nR0 = (uint32_t)* dinit;289 int nR3 = nR4 + 3;290 nR5 += 4;291 292 if(nR3 > len)293 {294 break;295 }296 297 out[nR5 - 1] = ((nR0 ) & 0xFF);298 out[nR5 - 2] = ((nR0 >> 8) & 0xFF);299 out[nR5 - 3] = ((nR0 >> 16) & 0xFF);300 out[nR5 - 4] = ((nR0 >> 24) & 0xFF);301 nR4 += 4;302 sub_6AD78(dinit);303 304 }305 306 uint32_t nR0 = (uint32_t)* dinit;307 while(nR4 < len)308 {309 out[nR4] = nR0 & 0xFF;310 nR4++;311 nR0 >>= 8;312 }313 314 out[0] &= 0x03;315 out[0x10] |= 0x01;316 317 }318 319 265 void CAK7_getCamKey(struct s_reader *reader) 320 266 { … … 328 274 0x69,0xB8,0x35,0x68,0x11,0x4C,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x00,0xCC,0xCC,0xCC,0xCC}; 329 275 276 get_random_bytes(data1, 0x04); 277 if (data1[3] == 0xFF) 278 { 279 data1[3]--; 280 } 281 memcpy(cmd0e + 9, data1, 0x04); 282 data1[3]++; 283 284 if (reader->irdid_length == 4) 285 { 286 memcpy(&cmd0e[14], reader->irdid, reader->irdid_length); // inject irdid 287 } 288 289 // inject provid 290 cmd0e[18] = reader->prid[0][2]; 291 cmd0e[19] = reader->prid[0][3]; 292 330 293 if (reader->nuid_length == 4) 331 294 { 332 memcpy( cmd0e + 132, reader->nuid, reader->nuid_length); // inject NUID295 memcpy(&cmd0e[132], reader->nuid, reader->nuid_length); // inject NUID 333 296 } 334 297 335 298 do_cak7_cmd(reader,cta_res, &cta_lr, cmd0e, sizeof(cmd0e), 0x20); 336 reader->dword_83DBC = (cta_res[18] << 24); 337 reader->dword_83DBC += (cta_res[19] << 16); 338 reader->dword_83DBC += (cta_res[20] << 8); 339 reader->dword_83DBC += (cta_res[21] ); 340 calc_cak7_exponent(&reader->dword_83DBC, reader->cak7expo, 0x11); 299 341 300 memcpy(reader->cardid,cta_res + 14, 4); 342 301 rdr_log_dump_dbg(reader, D_READER, reader->cardid, 0x04, "CardSerial: "); 302 343 303 memcpy(reader->hexserial + 2, reader->cardid, 4); 344 304 memcpy(reader->sa[0], reader->cardid, 3); 345 305 memcpy(reader->sa[1], reader->sa[0], 4); 306 346 307 unsigned long datal = (cta_res[9] << 24) + (cta_res[10] << 16) + (cta_res[11] << 8) + (cta_res[12]); 347 308 datal++; … … 351 312 reader->data2[3] = (datal ) & 0xFF; 352 313 353 BN_CTX *ctx0 = BN_CTX_new(); 354 #ifdef WITH_LIBCRYPTO 355 BN_CTX_start(ctx0); 356 #endif 357 BIGNUM *bnN0 = BN_CTX_get(ctx0); 358 BIGNUM *bnE0 = BN_CTX_get(ctx0); 359 BIGNUM *bnCT0 = BN_CTX_get(ctx0); 360 BIGNUM *bnPT0 = BN_CTX_get(ctx0); 361 BN_bin2bn(&reader->mod50[0], 0x50, bnN0); 362 BN_bin2bn(&reader->cak7expo[0], 0x11, bnE0); 363 BN_bin2bn(&reader->data50[0], 0x50, bnCT0); 364 BN_mod_exp(bnPT0, bnCT0, bnE0, bnN0, ctx0); 365 memset(reader->data, 0x00, sizeof(reader->data)); 366 BN_bn2bin(bnPT0, reader->data + (0x50 - BN_num_bytes(bnPT0))); 367 BN_CTX_end(ctx0); 368 BN_CTX_free(ctx0); 314 rsa_decrypt(reader->data50, reader->data50_length, reader->data, reader->mod50, reader->mod50_length, reader->public_exponent, reader->public_exponent_length); 369 315 370 316 memcpy(&reader->step1[0], d00ff, 4); 371 317 memcpy(&reader->step1[4], reader->data, 0x50); 372 memcpy(&reader->step1[4 + 0x50], irdid, 0x04);318 memcpy(&reader->step1[4 + 0x50], reader->irdid, reader->irdid_length); 373 319 memcpy(&reader->step1[4 + 4 + 0x50], data1, 0x04); 374 320 memcpy(&reader->step1[4 + 4 + 4 + 0x50], reader->data2, 0x04); 375 376 BN_CTX *ctx1 = BN_CTX_new(); 377 #ifdef WITH_LIBCRYPTO 378 BN_CTX_start(ctx1); 379 #endif 380 BIGNUM *bnN1 = BN_CTX_get(ctx1); 381 BIGNUM *bnE1 = BN_CTX_get(ctx1); 382 BIGNUM *bnCT1 = BN_CTX_get(ctx1); 383 BIGNUM *bnPT1 = BN_CTX_get(ctx1); 384 BN_bin2bn(&reader->key60[0], 0x60, bnN1); 385 BN_bin2bn(&reader->exp60[0], 0x60, bnE1); 386 BN_bin2bn(&reader->step1[0], 0x60, bnCT1); 387 BN_mod_exp(bnPT1, bnCT1, bnE1, bnN1, ctx1); 388 BN_bn2bin(bnPT1, reader->data + (0x60 - BN_num_bytes(bnPT1))); 389 BN_CTX_end(ctx1); 390 BN_CTX_free(ctx1); 321 rsa_decrypt(reader->step1, 0x60, reader->data, reader->key60, reader->key60_length, reader->exp60, reader->exp60_length); 391 322 392 323 memcpy(&reader->step2[0], d00ff, 4); 393 324 memcpy(&reader->step2[4], reader->cardid, 4); 394 325 memcpy(&reader->step2[8], reader->data, 0x60); 395 396 BN_CTX *ctx2 = BN_CTX_new(); 397 #ifdef WITH_LIBCRYPTO 398 BN_CTX_start(ctx2); 399 #endif 400 BIGNUM *bnN2 = BN_CTX_get(ctx2); 401 BIGNUM *bnE2 = BN_CTX_get(ctx2); 402 BIGNUM *bnCT2 = BN_CTX_get(ctx2); 403 BIGNUM *bnPT2 = BN_CTX_get(ctx2); 404 BN_bin2bn(&reader->kdt05_10[0], 0x68, bnN2); 405 BN_bin2bn(public_exponent, 3, bnE2); 406 BN_bin2bn(&reader->step2[0], 0x68, bnCT2); 407 BN_mod_exp(bnPT2, bnCT2, bnE2, bnN2, ctx2); 408 BN_bn2bin(bnPT2, reader->data + (0x68 - BN_num_bytes(bnPT2))); 409 BN_CTX_end(ctx2); 410 BN_CTX_free(ctx2); 326 rsa_decrypt(reader->step2, 0x68, reader->data, reader->kdt05_10, 0x68, reader->public_exponent, reader->public_exponent_length); 411 327 412 328 memcpy(&reader->step3[0], d00ff, 4); 413 329 memcpy(&reader->step3[4], reader->data, 0x68); 414 415 BN_CTX *ctx3 = BN_CTX_new(); 416 #ifdef WITH_LIBCRYPTO 417 BN_CTX_start(ctx3); 418 #endif 419 BIGNUM *bnN3 = BN_CTX_get(ctx3); 420 BIGNUM *bnE3 = BN_CTX_get(ctx3); 421 BIGNUM *bnCT3 = BN_CTX_get(ctx3); 422 BIGNUM *bnPT3 = BN_CTX_get(ctx3); 423 BN_bin2bn(&reader->kdt05_00[0], 0x6c, bnN3); 424 BN_bin2bn(public_exponent, 3, bnE3); 425 BN_bin2bn(&reader->step3[0], 0x6c, bnCT3); 426 BN_mod_exp(bnPT3, bnCT3, bnE3, bnN3, ctx3); 427 BN_bn2bin(bnPT3, reader->data + (0x6c - BN_num_bytes(bnPT3))); 428 BN_CTX_end(ctx3); 429 BN_CTX_free(ctx3); 430 431 uint8_t cmd03[] = {0xCC,0xCC,0xCC,0xCC, 0x00,0x00,0x0A,0x03,0x6C, 432 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 433 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 434 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 435 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 436 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 437 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 438 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 439 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC }; 330 rsa_decrypt(reader->step3, 0x6c, reader->data, reader->kdt05_00, 0x6c, reader->public_exponent, reader->public_exponent_length); 331 332 uint8_t cmd03[] = {0xCC,0xCC,0xCC,0xCC,0x00,0x00,0x0A,0x03,0x6C, 333 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 334 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 335 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 336 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 337 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 338 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 339 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 340 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC}; 440 341 441 342 memcpy(&cmd03[9],reader->data,0x6c); 442 343 do_cak7_cmd(reader,cta_res,&cta_lr,cmd03,sizeof(cmd03),0x90); 344 443 345 memcpy(reader->encrypted,&cta_res[10],0x68); 444 445 BN_CTX *ctx = BN_CTX_new(); 446 #ifdef WITH_LIBCRYPTO 447 BN_CTX_start(ctx); 448 #endif 449 BIGNUM *bnN = BN_CTX_get(ctx); 450 BIGNUM *bnE = BN_CTX_get(ctx); 451 BIGNUM *bnCT = BN_CTX_get(ctx); 452 BIGNUM *bnPT = BN_CTX_get(ctx); 453 BN_bin2bn(&reader->kdt05_10[0], 104, bnN); 454 BN_bin2bn(public_exponent, 3, bnE); 455 BN_bin2bn(&reader->encrypted[0], 104, bnCT); 456 BN_mod_exp(bnPT, bnCT, bnE, bnN, ctx); 457 memset(reader->result, 0, 104); 458 BN_bn2bin(bnPT, reader->result + (104 - BN_num_bytes(bnPT))); 459 BN_CTX_end(ctx); 460 BN_CTX_free(ctx); 461 462 //uint8_t stillencrypted[0x50]; 346 rsa_decrypt(reader->encrypted, 0x68, reader->result, reader->kdt05_10, 0x68, reader->public_exponent, reader->public_exponent_length); 347 463 348 memcpy(reader->stillencrypted,&reader->result[12],0x50); 464 465 //uint8_t resultrsa[0x50]; 466 BN_CTX *ctxs = BN_CTX_new(); 467 #ifdef WITH_LIBCRYPTO 468 BN_CTX_start(ctxs); 469 #endif 470 BIGNUM *bnNs = BN_CTX_get(ctxs); 471 BIGNUM *bnEs = BN_CTX_get(ctxs); 472 BIGNUM *bnCTs = BN_CTX_get(ctxs); 473 BIGNUM *bnPTs = BN_CTX_get(ctxs); 474 BN_bin2bn(&reader->mod50[0], reader->mod50_length, bnNs); 475 BN_bin2bn(&reader->cak7expo[0], 0x11, bnEs); 476 BN_bin2bn(&reader->stillencrypted[0], 0x50, bnCTs); 477 BN_mod_exp(bnPTs, bnCTs, bnEs, bnNs, ctxs); 478 BN_bn2bin(bnPTs, reader->resultrsa + (0x50 - BN_num_bytes(bnPTs))); 479 BN_CTX_end(ctxs); 480 BN_CTX_free(ctxs); 349 rsa_decrypt(reader->stillencrypted, 0x50, reader->resultrsa, reader->mod50, reader->mod50_length, reader->public_exponent, reader->public_exponent_length); 481 350 482 351 uint8_t mdc_hash[MDC2_DIGEST_LENGTH]; … … 496 365 497 366 memset(reader->hexserial, 0x00, 0x08); 367 368 reader->public_exponent[0] = 0x01; 369 reader->public_exponent[1] = 0x00; 370 reader->public_exponent[2] = 0x01; 371 reader->public_exponent_length = 3; 372 373 reader->irdid[0] = 0x64; 374 reader->irdid[1] = 0x65; 375 reader->irdid[2] = 0x6D; 376 reader->irdid[3] = 0x6F; 377 reader->irdid_length = 4; 378 498 379 reader->cak7_seq = 0; 499 380 cs_clear_entitlement(reader); … … 510 391 511 392 // check the completeness of the required CAK7 keys 512 if(reader->mod1_length && reader-> data50_length && reader->mod50_length && reader->key60_length && reader->exp60_length && reader->nuid_length)513 { 514 rdr_log_dbg(reader, D_READER, "All parameters are set.");393 if(reader->mod1_length && reader->irdid_length && reader->data50_length && reader->mod50_length && reader->key60_length && reader->exp60_length && reader->nuid_length) 394 { 395 rdr_log_dbg(reader, D_READER, "All parameters for CAK7 global pairing are set."); 515 396 } 516 397 else 517 398 { 518 rdr_log(reader, "ERROR: Not all required parameters are set!");399 rdr_log(reader, "ERROR: Not all required CAK7 parameters are set!"); 519 400 reader->card_status = CARD_FAILURE; 520 401 return ERROR; … … 523 404 reader->nprov = 1; 524 405 525 //CAK7GetDataType(reader, 0x09);526 CAK7GetDataType(reader, 0x05);406 CAK7GetDataType(reader, DT05); 407 CAK7GetDataType(reader, SYSID_CAID); // sysid+caid 527 408 CAK7_getCamKey(reader); 528 //CAK7GetDataType(reader, 0x09); 529 CAK7GetDataType(reader, 0x02); // sysid+caid 409 530 410 531 411 rdr_log(reader, "ready for requests"); … … 541 421 rdr_log(reader, "CAID: %04X", reader->caid); 542 422 rdr_log(reader, "Prv.ID: %s(sysid)", cs_hexdump(1, reader->prid[0], 4, tmp, sizeof(tmp))); 543 CAK7GetDataType(reader, 0x03);423 CAK7GetDataType(reader, IRDINFO); 544 424 cs_clear_entitlement(reader); // reset the entitlements 545 425 rdr_log(reader, "-----------------------------------------"); 546 426 rdr_log(reader, "|id |tier |valid from |valid to |"); 547 427 rdr_log(reader, "+----+--------+------------+------------+"); 548 CAK7GetDataType(reader, 0x0C);428 CAK7GetDataType(reader, TIERS); 549 429 rdr_log(reader, "-----------------------------------------"); 550 430 uint8_t i; … … 561 441 if((reader->cak7_camstate & 64) == 64) 562 442 { 563 rdr_log (reader, "renew Session Key: CAK7");564 CAK7_getCamKey(reader);443 rdr_log_dbg(reader, D_READER, "renew Session Key: CAK7"); 444 add_job(reader->client, ACTION_READER_RENEW_SK, NULL, 0); //CAK7_getCamKey 565 445 } 566 446 } … … 669 549 do_cak7_cmd(reader, cta_res, &cta_lr, emmreq, sizeof(emmreq), 0xB0); 670 550 671 if(cta_res[cta_lr -2] != 0x90 && cta_res[cta_lr-1] != 0x00)551 if(cta_res[cta_lr - 2] != 0x90 && cta_res[cta_lr - 1] != 0x00) 672 552 { 673 553 rdr_log(reader, "(EMM) Reader will be restart now cause: %02X %02X card answer!!!", cta_res[cta_lr - 2], cta_res[cta_lr - 1]);
Note:
See TracChangeset
for help on using the changeset viewer.
