Opened 11 years ago

Closed 11 years ago

#26 closed task (fixed)

Add DreCrypt card support

Reported by: sergis Owned by: dingo35
Priority: major Component: General
Severity: medium Keywords:
Cc: Sensitive: no

Description

Log from card:

ATR: 3B 15 11 12 CA 07 15 CE

80 FF 10 01 05 
FF 
59 03 43 15 A9 //UA
61 08 
00 C0 00 00 08 
C0 
59 06 C2 xx xx xx xx F6 //xxxxxxxx - UA
90 00 
80 FF 10 01 05 
FF 
59 03 49 15 A3 //provider info
61 17 
00 C0 00 00 17 
C0 
59 15 82 02 04 15 50 6C 61 74 66 6F 72 6D 20 48 
44 00 FF FF FF FF 7D //Platform HD
90 00
80 FF 10 01 05 
FF 
59 03 54 15 BE //geocode
61 05 
00 C0 00 00 05 
C0 
59 03 62 00 9D //00
90 00 
80 FF 10 01 05 
FF
59 03 59 15 B3 //subs
61 24 
00 C0 00 00 24 
C0 
59 22 72 00 04 04 04 FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF 89 
90 00 
80 FF 10 01 05 
FF 
59 03 5A 15 B0 //???
61 07
00 C0 00 00 07 
C0 
59 05 A2 xx xx xx 5B 
90 00 
80 FF 10 01 05 
FF 
59 03 59 15 B3 //subs
61 24 
00 C0 00 00 24 
C0 
59 22 72 00 04 04 04 FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF 89 
90 00 
80 FF 10 01 25 //ECM
FF 
59 23 51 
02 3B 00 00 4A A9 4C 80 8A EC D9 0A 6A A5 62 F8 
B7 9B 34 90 51 F8 CA 84 61 FE 21 2B 28 E5 BB BD 
15 7C 
61 14 
00 C0 00 00 14 
C0 
59 12 D2 
47 0E E6 3B 13 EB D6 D4 AC 06 C8 7A AF D3 D6 58 
A9 
90 00 

80 FF 10 01 3D //EMM
FF
59 3B 52 82 00 01 12 00 00 00 01 C3 74 00 56 4A
9B 8C A7 70 03 72 51 FA 2D FE CF 7A 6B 0A F1 CB
13 A8 81 2B 4A EB 40 92 8C 12 3B 99 76 F1 91 F7
CC 76 5B 4C 84 69 10 F3 B8 55 1E 15 4B
61 07 
00 C0 00 00 07 
C0 
59 05 A2 02 05 01 5B 
90 00

Change History (5)

comment:1 by sergis, 11 years ago

Found this in net, about dre

EMM encoding DRE 

From the flow ... 
EMM contains information about two master keys, current and next. 

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 - Room B 
88 00 68 C8 4D 56 85 58 01 C8 00 00 00 05 B8 0C 

17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 -- 
BD 7B 07 04 C8 77 31 95 F2 30 B7 E9 EE 0F 81 39 

33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 -- 
1C 1F A9 11 3E E5 0E 8E 50 A4 31 BB 01 00 D6 AF 

49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 -- 
69 60 04 70 3A 91 3B 85 58 01 C8 00 00 00 05 B1 

65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 -- 
3F BF A0 05 6E BD AB 0A 70 77 30 C2 AC EC 06 C2 

81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 -- 
3D 47 50 8D B1 77 68 62 6B 26 6B CE A9 EF 1B 6A 

97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 -- 
DF 7B 39 52 A4 5A 0E B0 A6 ED 7B DC 82 3C AE A3 

Here we have: 

Bytes ... 
01 (88) - EMM filter can be a value 87 
03 (68) - length of data EMM 
04 (C8) - the number of SA for the filter (C8 - is a map) 
06 (56) - index of crypto data (56/3B alternate), likely the key number 

07 (85) - choice of algorithm (8x - MSP / 4x - Atmel), in the cards until only 85 
08 (01) - the type of EMM (00 - EMM_U, solo / 01 - EMM_S, group) 
10 - 13 (C8 00 00 00) - here only for SA EMM_S 
14 (05) - additional flags 
15 - 54 (B8 ... 91) own body EMM, information about the key.
55 (3B) may be a checksum. 

Bytes 56 - 104 - for the second key. 
Appointment of the remaining bytes is unknown. 

Exchange with decoder. 

Decoding devices are known 4 types. 
Two of them are used in receivers DRE, conditionally Atmel and MSP (type 
of used chips). Third - map DRECript, the actual exchange is fully 
coincides with the type of MSP, distinguished by the presence of "card frame" on 
standard ISO. 4-th device - dongle DRECript on Comport tuner. 

*************** 
Working with the card. 
From the above EMM will be formed two "card" EMM. 

80 FF 10 01 37 
FF 
59 35 42 85 58 01 C8 00 00 00 05 B8 0C BD 7B 07 
04 C8 77 31 95 F2 30 B7 E9 EE 0F 81 39 1C 1F A9 
11 3E E5 0E 8E 50 A4 31 BB 01 00 D6 AF 69 60 04 
70 3A 91 56 58 11 2C 
61 07 
00 C0 00 00 07 
C0 
59 05 A2 02 05 01 5B 
90 00 

80 FF 10 01 37 
FF 
59 35 42 85 58 01 C8 00 00 00 05 6E BD AB 0A 70 
77 30 C2 AC EC 06 C2 3D 47 50 8D B1 77 68 62 6B 
26 6B CE A9 EF 1B 6A DF 7B 39 52 A4 5A 0E B0 A6 
ED 7B DC 3B 58 11 0A 
61 07 
00 C0 00 00 07 
C0 
59 05 A2 02 05 01 5B 
90 00 

Here we have: 
80 FF 10 01 37 - card team to take information, 37 - number of bytes 
FF - response cards, acknowledgment command. 

<59> <35> <42> <85 58> <01> <C8> <00 00 00> <05> <6E BD AB 0A 70 
77 30 C2 AC EC 06 C2 3D 47 50 8D B1 77 68 62 6B 
26 6B CE A9 EF 1B 6A DF 7B 39 52> <A4 5A 0E B0 A6 
ED 7B DC> <3B> <58> <11> <0A> - the body of the team, he will look further: 

******************* 
Team DRE 

59 - heading the team, such as MSP (for the type of Atmel will be 74) 
35 - number of bytes 
42 - the actual type of EMM commands - see below. 
85 58 - unknown 
01 - type EMMb in this case the group, 0 - individual 
C8 - byte UA, group number 
00 00 00 - lower three bytes of the UA, are present in the individual EMM 
05 - ID of the current key in block keys, key corresponds 3B, the value 6 corresponds to the key 56 
6E ... 52 - 32 byte encryption key. 
A4 ... DC - 8-byte signature 
3B - key number, but rather address the key in memory, another value 56 
58 - Number of package manages the deployment of a key block in the memory, and other Data Value 59 ... 5F 
11 - Number decoding device, but with the cards are always 11. 
0A - Checksum 
******************** 

61 07 - response cards, 61 - a sign, 07 - length of information to the tuner 

Now the tuner can read this information 

00 C0 00 00 07 - card team to provide information 
C0 - response cards, acknowledgment command 
59 05 A2 02 05 01 5B - Information DRE, look closer 

************* 
Information on the admission of DRE EMM 

59 - Home of information such as MSP (for the type of Atmel will be 47) 
05 - number of bytes in response 
A2 - the type of information, see below 
02 05 01 - the actual information 
5B - checksum 
************* 

90 00 - response card, type I graduated. 

ECM encoding DRE 

ECM carries information about the two keys, which in this and subsequent time 
be decoded image. Observed three types of ECM for 
encoding - for different ways of decoding. 

Type 1 - ECM carries the body of the keys in unencoded form while a receiver will not 
addresses to devices for decoding keys. 

Type Atmel: 
81 00 19 56 0A 68 3B D1 6F EF 5F 96 05 04 27 63 82 84 6D FB D6 FE 19 A0 B3 EC 12 6C 

Type of MSP: 
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 - number of bytes to order 
80 00 1B 56 0D 68 56 D1 84 1E 95 2A A8 7C D0 1D 

17 18 19 20 21 22 23 24 25 26 27 28 29 30 - the same. 
05 BB B9 82 0D FC B1 70 2A 00 9B F4 82 AA 

As a more general case we consider the type of MSP: 

01 (80 or 81) - ECM filter sign 
03 (1B or 19) - length of data ECM. It should always be this value. 
05 (0A and 0D or 0B) - type of decoding (Atmel or MSP, or type 1) 
07 (56) - key number, can be important 3B 
08 (D1) - sign of the beginning of the body ECM? 
09 ... 24 - the actual information about the keys, the current key is the last. If 
type 1 are not encrypted. 
25 (2A) - Flag Room Package 
26 (00) - number of packages can be found the value 00 (base), 01 (charged), 07 (porn) 
30 (AA) - checksum. 

Appointment of the remaining bytes unknown. 

From the above ECM type MSP card team formed ECM: 

Porn package 
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 
80 00 1B 56 0D 68 3B D1 EE 4B DE E0 42 B3 07 91 33 1B 21 FB 71 47 CD 05 2A 06 BE 3A BC D8 
09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 07 26 
59 18 41 58 1F 00 EE 4B DE E0 42 B3 07 91 33 1B 21 FB 71 47 CD 05 3B (58 +06) 11 KS 



I appeal to the card (another ECM) 

80 FF 10 01 1A 
FF 
59 18 41 58 1F 00 03 B7 A0 52 E1 19 07 64 CB FF 
90 60 4F 32 BA AA 3B 59 11 FE 
61 14 
00 C0 00 00 14 
C0 
59 12 D2 CB FF 90 60 4F 32 BA AA 03 B7 A0 52 E1 
19 07 64 59 
90 00 

Here we have: 
80 FF 10 01 1A - card team to take the information, 1A - number of bytes 
FF - response cards, acknowledgment command. 

59 18 41 58 1F 00 03 B7 A0 52 E1 19 07 64 CB FF 
90 60 4F 32 BA AA 3B 59 11 FE - the body of the team, he will look further: 

******************* 
Team DRE 

59 - heading the team, such as MSP (for the type of Atmel will be 74) 
18 - number of bytes 
41 - the actual type of command ECM - see below. 
58 1F 00 - do not change, the appointment is unknown, but determines the position of the key in the memory decodes. device. 
03 ... BA AA - the body of the team, information about the keys 16 
3B - key number, can be a value 56 
59 - Number of package = 58 +1 - Pay Package 
11 - Appointment of unknown, always 11 
FE - Checksum 
******************** 

61 14 - response cards, 61 - a sign, 14 - length of information to the tuner 

Now the tuner can read this information 

00 C0 00 00 07 - card team to provide information 
C0 - response cards, acknowledgment command 
59 12 D2 CB FF 90 60 4F 32 BA AA 03 B7 A0 52 E1 
19 07 64 59 - Information DRE, look closer 

************* 
Information DRE when receiving ECM 

59 - Home of information such as MSP (for the type of Atmel will be 47) 
12 - number of bytes in response 
D2 - the type of information is DW 
CB FF 90 60 4F 32 BA AA - the next key 
03 B7 A0 52 E1 19 07 64 - the current key 
59 - Checksum 
************* 

90 00 - response card, type I graduated. 

Teams DRE 

Own team DRE and the answers to them have the structure: 

<sign of the command / response> <number of bytes> <command type> <body command> <checksum> 

Symptom bedded room - one byte for the type of MSP is always 59, for the type of Atmel always 74 
Symptom response - for the type of MSP is always 59, for the type of Atmel always 47 
The number of bytes-all following the checksum. 

Command Type MSP: 

41 - ECM 
42 - EMM 
43 - read the unique address 
example: 59 02 43 BC 
answer 59 06 C2 xx xx xx xx xx 

44 - to repeat what has (Echo) 
example: 59 07 44 09 F3 06 7D 37 0D 
answer 59 07 44 09 F3 06 7D 37 0D 
45 - presumably off the decoder, has not yet been applied 
49 - read the name of the provider 

Type command Atmel: 

33 - ECM 
34 - EMM 
35 - read the unique address 
example: 74 02 35 CA 
answer 47 06 C2 xx xx xx xx AB 
36 - presumably off the decoder, has not yet been applied. 
37 - to repeat what has (Echo) 
Example: Team 74 0A 37 8D B4 A7 F7 5A AA FA BB 10 
answer 47 0A 37 8D B4 A7 F7 5A AA FA BB 10 

Other teams DRE has not lit. 

Rule calculate the checksum in the team DRE 

Checksums are only available in the commands and responses DRE, in the card 
frame they are absent. Calculated as the XOR of all bytes from 
type of team with inversion result (NOT). 

Example: 59 03 49 11 A7! 


Log DRECript Cards 

By the inclusion map shows ATR 

3B 15 11 12 CA 07 11 CA - ATR Cards 

80 FF 10 01 05 
FF 
59 03 49 11 A7 
61 17 
00 C0 00 00 17 
C0 
59 15 82 01 02 11 54 52 49 43 4F 4C 4F 52 20 54 - name tricolor in ASCII 
56 00 FF FF FF FF 5F 
90 00 

Reading a unique card number 

80 FF 10 01 05 
FF 
59 03 43 11 AD 
61 08 
00 C0 00 00 08 
C0 
59 06 C2 C8 XX XX XX BF - C8 XX XX XX a unique card number. 
90 00 

ECM 

80 FF 10 01 1A 
FF 
59 18 41 58 1F 00 3C CE 35 E7 91 71 D7 67 5D AB 
27 DF 17 6F 1C 54 3B 58 11 C5 
61 14 
00 C0 00 00 14 
C0 
59 12 D2 5D AB 27 DF 17 6F 1C 54 3C CE 35 E7 91 
71 D7 67 63 
90 00 

EMM 

80 FF 10 01 37 
FF 
59 35 42 85 58 01 C8 00 00 00 05 6E BD AB 0A 70 
77 30 C2 AC EC 06 C2 3D 47 50 8D B1 77 68 62 6B 
26 6B CE A9 EF 1B 6A DF 7B 39 52 A4 5A 0E B0 A6 
ED 7B DC 3B 58 11 0A 
61 07 
00 C0 00 00 07 
C0 
59 05 A2 02 05 01 5B 
90 00 

*********************************** 
Feedback error 

E2 E1 - checksum error 
E2 E2 - wrong team 
E2 EC - Error Signature 
************************************** 

Working with tuner dongle DRECript GS7001 

To incorporate a tuner in the network is the following exchange of information via the COM port: 

Information about the tuner to 115200 
RX Data: 00 00 A2 EA 57 C2 - was read in 9600 

Further exchange with the dongle at 9600 
team for the dongle code starts with 74, byte length of the second team, third 
bytes - the type of coding - 5A-type MSP, 34 types of Atmel.

1. Team repeat - echoes for MSP - Code 44 
RX Data: 74 09 5A 59 07 44 09 F3 06 7D 11 2B 
TX Data: 59 07 44 09 F3 06 7D 11 2B 

2. Also for Atmel - Code 37 
RX Data: 74 0C 34 74 0A 37 8D B4 A7 F7 5A AA FA 11 BA 
TX Data: 47 0A 37 8D B4 A7 F7 5A AA FA 11 BA 

3. Team SA to give Atmel - code 35, is a fictional SA = C8 01 02 03, with 
of the address space for cards, and a tuner is swallowed. 
RX Data: 74 05 34 74 03 35 11 DB 
TX Data: 47 06 C2 C8 01 02 03 F5 

4. Also for the MSP - Code 43 
RX Data: 74 05 5A 59 03 43 11 AD 
TX Data: 59 06 C2 C8 01 02 03 F5 

5. MSP issue a command to the provider - code 49 
RX Data: 74 05 5A 59 03 49 11 A7 
TX Data: 59 15 82 01 02 11 54 52 49 43 4F 4C 4F 52 20 54 
56 00 FF FF FF FF 5F 

Further, these commands are repeated 5 more times, with different penultimate 
byte. (11, 12, etc.) can be assumed that this is the address, the number of different dongle 
that can be connected to the tuner. 

RX Data: 74 09 5A 59 07 44 09 F3 06 7D 12 28 
TX Data: 59 07 44 09 F3 06 7D 12 28 
RX Data: 74 0C 34 74 0A 37 8D B4 A7 F7 5A AA FA 12 B9 
TX Data: 47 0A 37 8D B4 A7 F7 5A AA FA 12 B9 
RX Data: 74 05 34 74 03 35 12 D8 
TX Data: 47 06 C2 C8 01 02 03 F5 
RX Data: 74 05 5A 59 03 43 12 AE 
TX Data: 59 06 C2 C8 01 02 03 F5 
RX Data: 74 05 5A 59 03 49 12 A4 
TX Data: 59 15 82 01 02 11 54 52 49 43 4F 4C 4F 52 20 54 
56 00 FF FF FF FF 5F 

RX Data: 74 09 5A 59 07 44 09 F3 06 7D 13 29 
TX Data: 59 07 44 09 F3 06 7D 13 29 
RX Data: 74 0C 34 74 0A 37 8D B4 A7 F7 5A AA FA 13 B8 
TX Data: 47 0A 37 8D B4 A7 F7 5A AA FA 13 B8 
RX Data: 74 05 34 74 03 35 13 D9 
TX Data: 47 06 C2 C8 01 02 03 F5 
RX Data: 74 05 5A 59 03 43 13 AF 
TX Data: 59 06 C2 C8 01 02 03 F5 
RX Data: 74 05 5A 59 03 49 13 A5 
TX Data: 59 15 82 01 02 11 54 52 49 43 4F 4C 4F 52 20 54 
56 00 FF FF FF FF 5F 

RX Data: 74 09 5A 59 07 44 09 F3 06 7D 14 2E 
TX Data: 59 07 44 09 F3 06 7D 14 2E 
RX Data: 74 0C 34 74 0A 37 8D B4 A7 F7 5A AA FA 14 BF 
TX Data: 47 0A 37 8D B4 A7 F7 5A AA FA 14 BF 
RX Data: 74 05 34 74 03 35 14 DE 
TX Data: 47 06 C2 C8 01 02 03 F5 
RX Data: 74 05 5A 59 03 43 14 A8 
TX Data: 59 06 C2 C8 01 02 03 F5 
RX Data: 74 05 5A 59 03 49 14 A2 
TX Data: 59 15 82 01 02 11 54 52 49 43 4F 4C 4F 52 20 54 
56 00 FF FF FF FF 5F 

RX Data: 74 09 5A 59 07 44 09 F3 06 7D 15 2F 
TX Data: 59 07 44 09 F3 06 7D 15 2F 
RX Data: 74 0C 34 74 0A 37 8D B4 A7 F7 5A AA FA 15 BE 
TX Data: 47 0A 37 8D B4 A7 F7 5A AA FA 15 BE 
RX Data: 74 05 34 74 03 35 15 DF 
TX Data: 47 06 C2 C8 01 02 03 F5 
RX Data: 74 05 5A 59 03 43 15 A9 
TX Data: 59 06 C2 C8 01 02 03 F5 
RX Data: 74 05 5A 59 03 49 15 A3 
TX Data: 59 15 82 01 02 11 54 52 49 43 4F 4C 4F 52 20 54 
56 00 FF FF FF FF 5F 

RX Data: 74 09 5A 59 07 44 09 F3 06 7D 16 2C 
TX Data: 59 07 44 09 F3 06 7D 16 2C 
RX Data: 74 0C 34 74 0A 37 8D B4 A7 F7 5A AA FA 16 BD 
TX Data: 47 0A 37 8D B4 A7 F7 5A AA FA 16 BD 
RX Data: 74 05 34 74 03 35 16 DC 
TX Data: 47 06 C2 C8 01 02 03 F5 
RX Data: 74 05 5A 59 03 43 16 AA 
TX Data: 59 06 C2 C8 01 02 03 F5 
RX Data: 74 05 5A 59 03 49 16 A0 
TX Data: 59 15 82 01 02 11 54 52 49 43 4F 4C 4F 52 20 54 
56 00 FF FF FF FF 5F 

The tuner then finds that he has even installed two modules DRE, as reported 
in the Status menu. 

If you then switch the power from the console or the front panel, then go ECM and EMM: 
Answers dongle is not simulated, but it can be assumed as they look. 

ECM type MSP: 
RX Data: 74 18 5A 59 16 41 58 1F 00 9E 4A 86 FC 69 27 04 
2B B7 E7 EF 3D 85 2C 06 63 11 69 
Tx Data: 59 12 D2 FC 99 FC 91 90 6F CC CB 03 BC 3F FE 06 
32 78 B0 5F 

EMM types of MSP: 
RX Data: 74 35 5A 59 33 42 85 58 01 34 00 00 00 06 33 76 
8B EB 50 A4 3A AC D9 86 C2 09 ED 9B 18 50 0E 5A 
42 D0 BE F8 A4 DB 6A 16 77 B2 85 79 B8 4A 20 87 
71 64 D5 86 7E 3D 11 45 
Tx Data: 59 05 A2 04 05 06 5A
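
The frame layout and checksum rule quoted in comment:1 (header, length, type, body, checksum, with the checksum being the inverted XOR of every byte from the type byte on), applied to lines from the logs above. This is an added example, not part of the ticket or of the project's code. The names `parse_frame`, `audit`, `DreFrame` and `FrameError` are illustrative assumptions, and the last sample line is a constructed corruption.

```python
from dataclasses import dataclass

HEADERS = {0x59: "MSP", 0x74: "Atmel command", 0x47: "Atmel response"}  # per the ticket text
MSP_TYPES = {0x41: "ECM", 0x42: "EMM", 0x43: "read UA", 0x44: "echo", 0x49: "read provider"}

class FrameError(ValueError): "A logged frame violates the described layout."

@dataclass
class DreFrame:
    header: int
    type: int
    body: bytes

def dre_checksum(data: bytes) -> int:
    """XOR of all bytes from the type byte onward, then inverted (NOT)."""
    acc = 0
    for b in data:
        acc ^= b
    return ~acc & 0xFF

def parse_frame(line: str) -> DreFrame:
    """Parse '<header> <length> <type> <body...> <checksum>' from a log line."""
    try:
        raw = bytes.fromhex(line.split("//", 1)[0].strip())  # drop annotation
    except ValueError:                       # e.g. redacted 'xx' bytes
        raise FrameError("not plain hex") from None
    if len(raw) < 4 or raw[0] not in HEADERS:
        raise FrameError("too short or unknown header")
    if raw[1] != len(raw) - 2:               # length counts type..checksum
        raise FrameError(f"length byte {raw[1]:02X}, {len(raw) - 2:02X} present")
    want = dre_checksum(raw[2:-1])
    if want != raw[-1]:
        raise FrameError(f"checksum {raw[-1]:02X}, expected {want:02X}")
    return DreFrame(raw[0], raw[2], raw[3:-1])

def audit(lines):
    """Return one verdict per line: the type name, or why it was rejected."""
    verdicts = []
    for line in lines:
        try:
            frame = parse_frame(line)
            verdicts.append(MSP_TYPES.get(frame.type, f"type {frame.type:02X}"))
        except FrameError as exc:
            verdicts.append(f"REJECTED: {exc}")
    return verdicts

# Frames copied from the ticket logs; the last one is a constructed corruption.
SAMPLE = ["59 03 49 15 A3 //provider info", "59 05 A2 02 05 01 5B",
          "59 06 C2 xx xx xx xx F6", "59 03 49 15 A4"]
```

Calling `audit(SAMPLE)` accepts the first two frames, rejects the redacted line as unverifiable, and rejects the corrupted frame with the checksum it should have carried.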

comment:3 by dingo35, 11 years ago

Owner: set to dingo35

comment:4 by satfox, 11 years ago

dingo35, huge thanks for the fix!
How great that you added DRE!

comment:5 by Deas, 11 years ago

Component: General
Resolution: fixed
Sensitive: unset
Status: new → closed

added around r550 i think...
