Changeset 497
- Timestamp:
- 11/06/09 19:16:07 (11 years ago)
- Location:
- trunk
- Files:
-
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/csctapi/config.h.dbg
r8 r497 2 2 /* config.h.in. Generated from configure.ac by autoheader. */ 3 3 4 #include "../ config.h"4 #include "../oscam-config.h" 5 5 6 6 /* Debug CT-API */ -
trunk/csctapi/config.h.std
r8 r497 2 2 /* config.h.in. Generated from configure.ac by autoheader. */ 3 3 4 #include "../ config.h"4 #include "../oscam-config.h" 5 5 6 6 /* Debug CT-API */ 7 7 /* #undef DEBUG_CTAPI */ 8 // #define DEBUG_CTAPI 18 // #define DEBUG_CTAPI 1 9 9 10 10 /* Debug Integrated Circuit Card */ 11 11 /* #undef DEBUG_ICC */ 12 // #define DEBUG_ICC 112 // #define DEBUG_ICC 1 13 13 14 14 /* Debug Interface Device */ … … 22 22 /* Debug Input/Output */ 23 23 /* #undef DEBUG_IO */ 24 // #define DEBUG_IO 124 // #define DEBUG_IO 1 25 25 26 26 /* Debug Protocol */ -
trunk/reader-dre.c
r492 r497 5 5 extern uchar cta_cmd[], cta_res[]; 6 6 extern ushort cta_lr; 7 static unsigned short pmap = 0; // provider-maptable8 7 unsigned long long serial; 9 8 char *card; … … 181 180 } 182 181 183 memset (reader[ridx].prid, 0xff, sizeof (reader[ridx].prid));184 182 memset (reader[ridx].prid, 0x00, 8); 185 183 … … 217 215 dre_cmd (ua); //error would not be fatal 218 216 219 for (i = 0; i < 8; i++)220 reader[ridx].hexserial[i] = 0; 221 int hexlength = cta_res[1] - 2; //discard first and last byte, last byte is always checksum, first is always rubbish?222 223 memcpy (reader[ridx].hexserial + 8 - hexlength, cta_res + 3, hexlength);217 int hexlength = cta_res[1] - 2; //discard first and last byte, last byte is always checksum, first is answer code 218 219 reader[ridx].hexserial[0] = 0; 220 reader[ridx].hexserial[1] = 0; 221 memcpy (reader[ridx].hexserial + 2, cta_res + 3, hexlength); 224 222 225 223 int low_dre_id = ((cta_res[4] << 16) | (cta_res[5] << 8) | cta_res[6]) - 48608; … … 235 233 //cs_ri_log("type: DRECrypt, caid: %04X, serial: %llu, card: v%x", 236 234 cs_log ("type: DRECrypt, caid: %04X, serial: %s, dre id: %i%i%i%08i, geocode %i, card: %s v%i.%i", 237 reader[ridx].caid[0], cs_hexdump (0, reader[ridx].hexserial , 8), dre_chksum, provider - 16, major_version + 1,238 low_dre_id, geocode, card, major_version, minor_version);235 reader[ridx].caid[0], cs_hexdump (0, reader[ridx].hexserial + 2, 4), dre_chksum, provider - 16, 236 major_version + 1, low_dre_id, geocode, card, major_version, minor_version); 239 237 cs_log ("Provider name:%s.", provname); 240 238 241 239 242 memcpy (&reader[ridx].sa[0][0], &reader[ridx].hexserial + 4, 4); //copy unique address also in shared address, because we dont know what it is... 240 memset (reader[ridx].sa, 0, sizeof (reader[ridx].sa)); 241 memcpy (reader[ridx].sa[0], reader[ridx].hexserial + 2, 1); //copy first byte of unique address also in shared address, because we dont know what it is... 242 243 cs_log ("DEBUG: SA = %02X%02X%02X%02X, UA = %s", reader[ridx].sa[0][0], reader[ridx].sa[0][1], reader[ridx].sa[0][2], 244 reader[ridx].sa[0][3], cs_hexdump (0, reader[ridx].hexserial + 2, 4)); 245 246 //reader[ridx].nprov = 1; TODO doesnt seem necessary 243 247 244 248 if (!dre_set_provider_info ()) … … 304 308 //} 305 309 310 EMM_PACKET *eptmp; 311 eptmp = malloc (sizeof (EMM_PACKET)); 312 // static unsigned char tempser[] = { 0, 0, 0xC8, 0x4D, 0x25, 0x5A }; 313 // memcpy (reader[ridx].hexserial, tempser, 8); 314 dre_do_emm (eptmp); 315 free (eptmp); 306 316 //############### PLAYGROUND //// 307 317 cs_log ("ready for requests"); … … 309 319 } 310 320 321 /* 311 322 static int get_prov_index (char *provid) //returns provider id or -1 if not found 312 323 { … … 317 328 return (-1); 318 329 } 319 330 */ 320 331 321 332 int dre_do_ecm (ECM_REQUEST * er) … … 333 344 memcpy (ecmcmd41 + 4, er->ecm + 8, 16); 334 345 ecmcmd41[20] = er->ecm[6]; //keynumber 335 ecmcmd41[21] = 0x58 + er->ecm[25]; 346 ecmcmd41[21] = 0x58 + er->ecm[25]; //package number 336 347 cs_debug ("DEBUG: unused ECM info front:%s", cs_hexdump (0, er->ecm, 8)); 337 cs_debug ("DEBUG: unused ECM info back:%s", cs_hexdump (0, er->ecm + 24, er->ecm[2] +2-24));348 cs_debug ("DEBUG: unused ECM info back:%s", cs_hexdump (0, er->ecm + 24, er->ecm[2] + 2 - 24)); 338 349 if ((dre_cmd (ecmcmd41))) { //ecm request 339 350 if ((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1] != 0x00)) … … 380 391 int dre_do_emm (EMM_PACKET * ep) 381 392 { 382 return 0; //FIXME STUB 393 //return 0; //FIXME STUB 394 /* 395 uchar emmtest[] = { 0x87, 0x00, 0x8C, 0xC8, 0x4D, 0x25, 0x5A, 0x02, 0xA9, 0xA5, 0x34, 0x31, 0xAB, 0x9C, 0x9B, 0x59, 396 0x5D, 0x47, 0x95, 0xB3, 0xB1, 0x61, 0x47, 0xE6, 0x85, 0xE0, 0x17, 0xC8, 0x25, 0x70, 0x59, 0x73, 397 0x12, 0x1F, 0x2B, 0x9B, 0x02, 0x5A, 0x9D, 0x3A, 0x05, 0x56, 0x85, 0x58, 0x00, 0xC8, 0x4D, 0x25, 398 0x5A, 0x06, 0x02, 0x23, 0xB4, 0x37, 0x1E, 0xE0, 0x7E, 0x59, 0xFC, 0x38, 0xCA, 0x13, 0x21, 0x0D, 399 0x3E, 0x09, 0xDF, 0xB4, 0x45, 0x6C, 0x99, 0x7E, 0x3E, 0xDA, 0xA4, 0xC7, 0xB9, 0x7B, 0xAB, 0x4A, 400 0xB5, 0xE2, 0x1D, 0xA3, 0xCD, 0x03, 0xAF, 0xDA, 0xBA, 0xEA, 0x3B, 0x85, 0x58, 0x00, 0xC8, 0x4D, 401 0x25, 0x5A, 0x05, 0xF4, 0xAF, 0x8B, 0x8F, 0x2F, 0x6C, 0xF2, 0x43, 0x8C, 0x86, 0x03, 0xFD, 0x1C, 402 0xDF, 0x7A, 0xE4, 0xB6, 0x0B, 0xF9, 0x70, 0x72, 0xFC, 0x2A, 0xEC, 0x0F, 0x6D, 0x8D, 0x82, 0xC6, 403 0x4C, 0x16, 0x81, 0xDC, 0xC9, 0x3C, 0x34, 0x84, 0x35, 0x9A, 0xA7, 0xED, 0xB1, 0x39, 0xBC 404 }; //UNIQE EMM 405 */ 406 407 uchar emmtest[] = { 0x89, 0x00, 0x68, 0x00, 0x4D, 0x56, 0x85, 0x58, 0x01, 0x00, 0x00, 0x00, 0x00, 0x06, 0x29, 0x58, 408 0x89, 0x04, 0x3A, 0xEE, 0x15, 0xB1, 0x38, 0x4A, 0x75, 0x5A, 0x21, 0xEE, 0x4D, 0x37, 0xF3, 0x53, 409 0xF8, 0xAC, 0x1F, 0x8D, 0xEA, 0xDF, 0x12, 0x73, 0x00, 0x69, 0xBB, 0x67, 0x5D, 0x8A, 0x96, 0x2D, 410 0x1C, 0x08, 0xEB, 0xF1, 0xCA, 0x40, 0x3B, 0x85, 0x58, 0x01, 0x00, 0x00, 0x00, 0x00, 0x05, 0x85, 411 0xF2, 0xE1, 0xD9, 0x86, 0xEA, 0x19, 0x6A, 0xEF, 0x3B, 0x9D, 0x0C, 0xEA, 0xF3, 0x7B, 0x74, 0xE5, 412 0xF7, 0x4F, 0xD6, 0x9C, 0x85, 0x6C, 0x7E, 0x79, 0xDF, 0x18, 0xD1, 0xC3, 0x54, 0xA9, 0x47, 0xCB, 413 0xAC, 0xB6, 0x18, 0x71, 0xC8, 0x69, 0x6B, 0x10, 0xFF, 0x9D, 0x11 }; //GLOBAL EMM 414 415 memcpy (ep->emm, emmtest, 0x8f); 416 417 int emm_length = ((ep->emm[1] & 0x0f) << 8) + ep->emm[2]; 418 419 cs_ddump (ep->emm, emm_length + 3, "EMM:"); 420 ep->type = ep->emm[0]; 421 cs_debug ("ep->type%x", ep->type); 422 423 if (mode != 41) { 424 cs_log ("EMM Mode not implemented yet"); 425 return 0; 426 } 427 428 static uchar emmcmd42[] = 429 { 0x42, 0x85, 0x58, 0x01, 0xC8, 0x00, 0x00, 0x00, 0x05, 0xB8, 0x0C, 0xBD, 0x7B, 0x07, 0x04, 0xC8, 430 0x77, 0x31, 0x95, 0xF2, 0x30, 0xB7, 0xE9, 0xEE, 0x0F, 0x81, 0x39, 0x1C, 0x1F, 0xA9, 0x11, 0x3E, 431 0xE5, 0x0E, 0x8E, 0x50, 0xA4, 0x31, 0xBB, 0x01, 0x00, 0xD6, 0xAF, 0x69, 0x60, 0x04, 0x70, 0x3A, 432 0x91, 433 0x56, 0x58, 0x11 434 }; 435 436 switch (ep->type) { 437 case 0x88: //shared EMM 438 { 439 cs_debug ("HANS: checkpoint 1"); 440 if (memcmp (ep->emm + 9, reader[ridx].sa[0], 1)) { //in case of SHARED EMM, only first byte has to match? 441 cs_log ("EMM: Shared update did not match; EMM SA:%02X%02X%02X%02X, Reader SA:%s.", ep->emm[9], ep->emm[10], 442 ep->emm[11], ep->emm[12], cs_hexdump (0, reader[ridx].sa[0], 4)); 443 return (0); 444 } 445 else { 446 cs_log ("EMM: Shared update matched for EMM SA %02X%02X%02X%02X.", ep->emm[9], ep->emm[19], ep->emm[11], 447 ep->emm[12]); 448 } 449 /* 450 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 451 88 00 68 C8 4D 56 85 58 01 C8 00 00 00 05 B8 0C 452 453 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 -- 454 BD 7B 07 04 C8 77 31 95 F2 30 B7 E9 EE 0F 81 39 455 456 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 -- 457 1C 1F A9 11 3E E5 0E 8E 50 A4 31 BB 01 00 D6 AF 458 459 49 50 51 52 53 54X55 56 57 58 59 60 61 62 63 64 -- 460 69 60 04 70 3A 91 3B 85 58 01 C8 00 00 00 05 B1 461 462 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 -- 463 3F BF A0 05 6E BD AB 0A 70 77 30 C2 AC EC 06 C2 464 465 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 -- 466 3D 47 50 8D B1 77 68 62 6B 26 6B CE A9 EF 1B 6A 467 468 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 -- 469 DF 7B 39 52 A4 5A 0E B0 A6 ED 7B DC 82 3C AE A3 470 471 Here we have: 472 473 Bytes ... 474 01 (88) - EMM filter can be a value 87 475 03 (68) - length of data EMM 476 04 (C8) - the number of SA for the filter (C8 - is a map) 477 06 (56) - index kriptodannyh (56/3B alternate) are likely key number 478 479 07 (85) - choice of algorithm (8x - MSP / 4x - Atmel), in the cards until only 85 480 08 (01) - the type of EMM (00 - EMM_U, solo / 01 - EMM_S, group) 481 10 - 13 (C8 00 00 00) - here only for SA EMM_S 482 14 (05) - additional flags 483 15 - 54 (V8. .. 91) own body EMM, information about the key. 484 55 (3B) may be a checksum. 485 486 Bytes 56 - 104 - for the second key. 487 Appointment of the remaining bytes is unknown. 488 */ 489 } // end shared EMM NO BREAK so rest happens in global EMM 490 case 0x89: //global EMM ?? 491 { 492 if (ep->type == 0x89) 493 cs_log ("EMM: Global update"); 494 /* 89 00 68 00 4D 56 85 58 01 00 00 00 00 06 29 58 495 * 89 04 3A EE 15 B1 38 4A 75 5A 21 EE 4D 37 F3 53 496 * F8 AC 1F 8D EA DF 12 73 00 69 BB 67 5D 8A 96 2D 497 * 1C 08 EB F1 CA 40X3BX85 58 01 00 00 00 00 05 85 498 * F2 E1 D9 86 EA 19 6A EF 3B 9D 0C EA F3 7B 74 E5 499 * F7 4F D6 9C 85 6C 7E 79 DF 18 D1 C3 54 A9 47 CB 500 * AC B6 18 71 C8 69 6B 10 FF 9D 11 501 */ 502 memcpy (emmcmd42 + 1, ep->emm + 6, 48); 503 emmcmd42[51] = provider; 504 //emmcmd42[50] = ecmcmd42[2]; //TODO package nr could also be fixed 0x58 505 emmcmd42[49] = ep->emm[5]; //keynr 506 /* response: 507 59 05 A2 02 05 01 5B 508 90 00 */ 509 cs_debug ("HANS: checkpoint 5"); 510 if ((dre_cmd (emmcmd42))) { //first emm request 511 if ((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1] != 0x00)) 512 return (0); //exit if response is not 90 00 513 514 cs_debug ("HANS: checkpoint 6"); 515 memcpy (emmcmd42 + 1, ep->emm + 55, 7); 516 memcpy (emmcmd42 + 8, ep->emm + 67, 41); 517 emmcmd42[51] = provider; 518 //emmcmd42[50] = ecmcmd42[2]; //TODO package nr could also be fixed 0x58 519 emmcmd42[49] = ep->emm[54]; //keynr 520 if ((dre_cmd (emmcmd42))) { //second emm request 521 if ((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1] != 0x00)) 522 return (0); //exit if response is not 90 00 523 return 1; //success 524 } 525 } 526 527 break; 528 } //end global EMM 529 case 0x87: //unique EMM 530 { 531 /* 532 0x87, 0x00, 0x8C, ser1, ser2, ser3, ser4, 0x02, 0xA9, 0xA5, 0x34, 0x31, 0xAB, 0x9C, 0x9B, 0x59, 533 0x5D, 0x47, 0x95, 0xB3, 0xB1, 0x61, 0x47, 0xE6, 0x85, 0xE0, 0x17, 0xC8, 0x25, 0x70, 0x59, 0x73, 534 0x12, 0x1F, 0x2B, 0x9B, 0x02, 0x5A, 0x9D, 0x3A, 0x05, 0x56, 0x85, 0x58, 0x00, 0xC8, 0x4D, 0x25, 535 0x5A, 0x06, 0x02, 0x23, 0xB4, 0x37, 0x1E, 0xE0, 0x7E, 0x59, 0xFC, 0x38, 0xCA, 0x13, 0x21, 0x0D, 536 0x3E, 0x09, 0xDF, 0xB4, 0x45, 0x6C, 0x99, 0x7E, 0x3E, 0xDA, 0xA4, 0xC7, 0xB9, 0x7B, 0xAB, 0x4A, 537 0xB5, 0xE2, 0x1D, 0xA3, 0xCD, 0x03, 0xAF, 0xDA, 0xBA, 0xEA, 0x3B, 0x85, 0x58, 0x00, 0xC8, 0x4D, 538 0x25, 0x5A, 0x05, 0xF4, 0xAF, 0x8B, 0x8F, 0x2F, 0x6C, 0xF2, 0x43, 0x8C, 0x86, 0x03, 0xFD, 0x1C, 539 0xDF, 0x7A, 0xE4, 0xB6, 0x0B, 0xF9, 0x70, 0x72, 0xFC, 0x2A, 0xEC, 0x0F, 0x6D, 0x8D, 0x82, 0xC6, 540 0x4C, 0x16, 0x81, 0xDC, 0xC9, 0x3C, 0x34, 0x84, 0x35, 0x9A, 0xA7, 0xED, 0xB1, 0x39, 0xBC 541 */ 542 cs_debug ("HANS: checkpoint 2"); 543 //first test if UA matches 544 if (memcmp (reader[ridx].hexserial + 2, ep->emm + 3, 4)) { 545 cs_log ("EMM: Unique update did not match; EMM Serial:%02X%02X%02X%02X, Reader Serial:%s.", ep->emm[3], 546 ep->emm[4], ep->emm[5], ep->emm[6], cs_hexdump (0, reader[ridx].hexserial + 2, 4)); 547 return (0); 548 } 549 else { 550 cs_log ("EMM: Unique update matched EMM Serial:%02X%02X%02X%02X.", ep->emm[3], ep->emm[4], ep->emm[5], 551 ep->emm[6]); 552 cs_log ("EMM: layout of EMM 0x87 unknown, cannot be processed yet."); 553 } 554 break; 555 } //end unique EMM 556 default: 557 cs_log 558 ("EMM: Congratulations, you have discovered a new EMM type on DRECRYPT. This has not been decoded yet, so send this output to authors:"); 559 cs_dump (ep->emm, emm_length + 3, "EMM:"); 560 return 0; //unknown 561 } //end of switch 562 563 564 cs_debug ("HANS: checkpoint 3"); 565 return 0; 383 566 } 384 567
Note:
See TracChangeset
for help on using the changeset viewer.