2224 Component - XC420061

Backup of earlier posts.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

You can get as many as you want from eBay.

GI4043NDE821
0000276252904047
Phredog
Junior Member
Posts: 39
Joined: Tue Jul 26, 2005 3:46 pm

Post by Phredog »

cipher wrote: Interesting dialog Gentlemen,

The seed keys are implanted by the manufacturer and are provider specific. I have read that some people have successfully convinced a cable tech to add an external DCT to their system without going to the factory to implant the keys. This is interesting because that would mean the seed keys can be updated over the broadband network. Boy would I love to capture that SPI log. Also if it is possible to address the externally keyed unit then the address is not part of the seed key integration and is therefore exploitable.
http://digitalhomecanada.com/forum/show ... 915&page=2
We think the processor filters out packets that are not needed by the XC chip, and does not bother to send them over the SPI. Why overwhelm the XC chip with messages for other boxes?

So if a new seed was sent using that box's address, and the IV uses the unit address, then the seed key, for that provider, could be sent in stealth.

I work in secure communications. We inject keys into our hardware. Each unit has a unique serial number and a randomly generated "default" key. These are assigned at manufacture, and kept in a database. When the unit is shipped to a customer, the real key is injected. It is encrypted using a hash of the serial number and the "default" key. So the key is never visible in the stream.
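The key-injection scheme described in the post above, as an added example that is not part of the original thread or any vendor's code: a per-unit wrapping key is derived from a hash of the serial number and the factory "default" key, and the real key travels only in wrapped form. The post does not name a cipher, so an HMAC-SHA256 keystream with encrypt-then-MAC stands in for it; the serial numbers, the hash input layout and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def derive_kek(serial: str, default_key: bytes) -> bytes:
    # "Hash of the serial number and the default key"; the length prefix is an
    # assumption added here so different (serial, key) pairs cannot collide.
    s = serial.encode()
    return hashlib.sha256(len(s).to_bytes(2, "big") + s + default_key).digest()

def _prf(kek: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(kek, label + data, hashlib.sha256).digest()

def _keystream(kek: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (_prf(kek, b"enc", nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap_key(kek: bytes, real_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(real_key, _keystream(kek, nonce, len(real_key))))
    return nonce + ct + _prf(kek, b"mac", nonce + ct)  # nonce | ciphertext | tag

def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(kek, b"mac", nonce + ct)):
        raise ValueError("blob was not wrapped for this unit, or was altered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

# Constructed factory database: serial -> per-unit random "default" key.
FACTORY_DB = {"SN-000001": secrets.token_bytes(16), "SN-000002": secrets.token_bytes(16)}

def provision(serial: str, real_key: bytes) -> bytes:
    """Shipping side: wrap the customer's real key for one specific unit."""
    return wrap_key(derive_kek(serial, FACTORY_DB[serial]), real_key)

def unit_receive(serial: str, default_key: bytes, blob: bytes) -> bytes:
    """Device side: the unit rebuilds the same KEK from values it already holds."""
    return unwrap_key(derive_kek(serial, default_key), blob)

if __name__ == "__main__":
    real_key = secrets.token_bytes(16)
    blob = provision("SN-000001", real_key)
    assert unit_receive("SN-000001", FACTORY_DB["SN-000001"], blob) == real_key
    assert real_key not in blob  # the key is never visible in the stream
    try:
        unit_receive("SN-000002", FACTORY_DB["SN-000002"], blob)
    except ValueError as err:
        print("other unit rejected:", err)
```

The explicit tag makes a blob addressed to another unit fail closed, rather than decrypting to an arbitrary wrong key.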
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

all have 12 digits....
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

Unfortunately I don't understand much about the programming side of this stuff. I do know that the DAC uses the unit address as its way of communicating with the boxes. The CSR/tech/customer calls in the GI/M number, but the DAC matches it to the unit address to control the box. When cable co's purchase these boxes and scan them into their system they enter both serial # and unit address. I also know that if they scan the wrong unit address for the box it won't receive commands from the DAC. I don't know if that helps, or if everyone already knew that.
dragonmas
Junior Member
Posts: 146
Joined: Fri Sep 30, 2005 4:17 pm

Post by dragonmas »

GI # and unit address must match. GI # never changes; if firmware needs to be reloaded during repair, only the unit address is changed. If the unit address is changed, the old unit # has to be purged from the DAC, usually done in 24-48 hours. Basically, now this GI/unit/DCT is not known (not in inventory) in the DAC. Now the unit is re-scanned (new GI/unit address) and re-entered into the DAC. At this point the display is "0"; a new init (cold hit) is sent to the box, and yes, GI/unit address needs to match or no hit is taken. Current sw/guide is now downloaded to the DCT. Box can now be "hot", i.e., box is wide open for x amount of time; if not seen by the DAC in the given time period, the box goes into shutdown, or when put on a customer account will only have sub channels.
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

dragonmas, if it is true then the GI number will not be the key to do DES. We should concentrate on the unit address. The unit address is only 4 bytes. With leading one byte of zero. Not enough to make up a 7-byte (56-bit) key.
Phredog
Junior Member
Posts: 39
Joined: Tue Jul 26, 2005 3:46 pm

Post by Phredog »

usbbdm wrote: dragonmas, if it is true then the GI number will not be the key to do DES. We should concentrate on the unit address. The unit address is only 4 bytes. With leading one byte of zero. Not enough to make up a 7-byte (56-bit) key.
Good point...

4 bytes is certainly too short for DES.

I'm thinking, at this point, that the key is unique to each cable operator, or headend.

I still think the unit ID is used to create the IV.

Regards;
: )
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

Phredog wrote:
usbbdm wrote: dragonmas, if it is true then the GI number will not be the key to do DES. We should concentrate on the unit address. The unit address is only 4 bytes. With leading one byte of zero. Not enough to make up a 7-byte (56-bit) key.
Good point...

4 bytes is certainly too short for DES.

I'm thinking, at this point, that the key is unique to each cable operator, or headend.

I still think the unit ID is used to create the IV.

Regards;
But if the key is unique to CC, then you are not able to subscribe a box off eBay.
dragonmas
Junior Member
Posts: 146
Joined: Fri Sep 30, 2005 4:17 pm

Post by dragonmas »

Doesn't matter what CC the DCT2000 comes from as long as it is in good working condition and can be entered into the system (DAC's inventory). Comcast and COX and Charter all use the DCT2000 and even have logos imprinted on the face plate. But they can all be interchanged.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

dragonmas

You have experience with a DAC system, can you tell me do you enter the UID in hex or in a text string that came from the DCT barcode? This is important since the text string may be converted to something other than what we think its format is. For example 00 00 27 62 52 90 40 47 is 8 bytes of data. And never has a value over 7 bits per byte thus leaves room for the parity bit when used as a key. Or maybe it is used as the IV in a DES-CBC or DES-CFB mode. I think we have to look at it from every logical format.
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

I know the CC here enters it through the barcode on the box. I have no idea if it gets converted automatically in the DAC to hex. Also, when they have problems with a box they look it up by the numbers on the box, GI and matching unit address.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

I think this patent may very well be a part of the XC chip.

http://www.freepatentsonline.com/6061449.pdf
Phredog
Junior Member
Posts: 39
Joined: Tue Jul 26, 2005 3:46 pm

Post by Phredog »

cipher wrote: I think this patent may very well be a part of the XC chip.

http://www.freepatentsonline.com/6061449.pdf
I just printed it out and read it. I think that you are correct! :D
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

I'm almost certain that this is the security processor design for the XC chip, nasty little thing. Makes you want to crack it just for something to do. Although that would be no small feat. 8)
Phredog
Junior Member
Posts: 39
Joined: Tue Jul 26, 2005 3:46 pm

Post by Phredog »

cipher...

I still subscribe to the idea that the IV is the Unit ID, or a hash thereof. In theory the IV is 64 bits.

The headend knows the Unit ID. The XC knows its unit ID. The message is sent, over the cable, and eventually reaches your XC chip. If the unit ID does not match, the message will decrypt to crap. The CRC will fail, and the message will be rejected.

What makes this so logical, is the unit ID need never be sent!

If my idea is correct, then two things are needed to talk to the XC. The first is the unit ID, and its hash, the second is the key.

Now the question is how does the cable operator initialize the box with the local key. I am wondering if there is not a special command that again uses the unit ID's hash as the IV, and then encrypts the key using some special plaintext sequence. The firmware may know how to reverse the algorithm and obtain the key. After all it knows the plaintext, and it knows the IV.

I also think the real unit ID is in a database. The serial number off the bottom of the box is the key to locating the real unit ID in the database. I think that when they scan the barcode, an SQL script is generated, that locates the unit ID. The unit ID is used to build the message, and then it is sent to init the box. The operator never sees the actual unit ID, only the quasi-unit ID that is located on the sticker.

What do you think?

:P