2224 Component - XC420061

Backup of earlier posts.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

I was thinking they would not use a standard format. I will put it on the scope and see what it looks like.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

Guys, the keys are in the stream. HDTV and DVR pick up the keys automatically, and the area. Only thing: when it is placed into the account it connects and downgrades to the account package. All DVRs and HD I inst are in the right area; if not, they auto restart about 5-6 times and adjust to the area and correct channel. Too bad we can use the BDM or future JTAG to connect the box.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

adrianbv6,

I do not think the decryption keys are in the mpeg stream. The seed keys are stored in the XC chip and these are the keys that decipher the encrypted video and audio. There are other keys that are used in the authorization process, ppv's and VOD etc. If you examine this patent http://www.freepatentsonline.com/6061449.pdf you will see how it works.
Also you can examine http://www.freepatentsonline.com/5754659.pdf which covers the tiers of service authorization method which allows one authorization command sequence to cover many channels. This is why you cannot authorize one set of channels and then add something after it and have a combined authorization with the authorization playback. usbbdm has confirmed this by trialing the playback authorization sequences. The DCT is capable of decoding all the encrypted streams; it is just instructed not to do so when it is inventoried in the DAC6000 and sent a service tier authorization.
Darkkeep
Junior Member
Posts: 44
Joined: Mon Oct 31, 2005 9:50 pm

Post by Darkkeep »

This post may be over my head of thought. I hate getting into the game late.

However, what if the 3 pin on the XC is a VCC, TX/RX (kind of passive or combination of clock pulse means low or high) and clock pulse. With the low and high, what if certain Freq's caused one pin to become a TX, force a low, then the same pin RX on high. I mean, just a thought. Could be a combination of low voltage and high freq, a sub carrier...
Darkkeep
Junior Member
Posts: 44
Joined: Mon Oct 31, 2005 9:50 pm

Post by Darkkeep »

I have one question pertaining to the GI #.

Would it not require a lot of bandwidth to broadcast specific GI#'s with subscription? Would it not be easier to target the box, through the GI, to force auth? Then the XC retains the information through the seed keys and a checksum is created. I have read the patents over and over... there is a lot of encryption, housekeeping and confirmation. I believe the key would be: find the auth (like USBBDM stated), locate if the seed key is broadcasted. Or would the seed key be a sum of an equation and the checksum, repeated, be the seed key?

One question I would have is... is the authorization of each unit the same, time and time again? From one month to the next to this year to the next.

The only reason I am saying this is, my CC is wardriving right now and disconnecting your connection if you have P2P ports open. I know this from accounts of friends. Why would an ISP be worried about bandwidth if they are offering 4mb/s? Could this counter my claim? Do they need the bandwidth for these types of broadcasts?
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

darkkeep,

The patent is intended to cover as many different angles as possible. This will encompass multiple modes of implementation to prevent circumvention by those wishing to copy it. In this case they will only use the portion that is cost effective and targets this application. They will not use the military strength one for this one because it is costly. So did they use triple-DES? I don't think so; the DAC was designed 8 years ago. Processors at that time could not handle that heavy a load. But then again maybe it is all hardware using multiple ASIC chips on it. I can tell you it runs Unix on a Compaq box.

The authorization is not the same each time. It is scrambled each time to obscure the patterns that would be visible to us. Do they use the GI# and UID? Maybe. Do they use the UID? This I am certain of.

Are there bandwidth issues? I don't think so. I have monitored the authorizations to my unit and there are about 5 a month; they are small in the grand scheme of things. 30 days / 1M units x 5 x 1K is about 166MB per day at the headend for a customer base of 1 Million.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

The capacitor that holds the data is right next to it; that's responsible for E11 dead boxes. It makes me think that unit address can be set only if bypassed, just like watchdog on ph6... but I don't know.
Phredog
Junior Member
Posts: 39
Joined: Tue Jul 26, 2005 3:46 pm

Post by Phredog »

adrianbv6 wrote:the capacitor that holds the data is right next to it that's responsible for E11 dead boxes

What is the value of this cap? It must be half a farad, or something, if it holds the data.

adrianbv6 wrote:it makes me think that unit address can be set only if bypassed just like watchdog on ph6... but I don't know

C106 couples the reset signal from the watchdog to the reset pin on the uProc. Thus the uProc will not reset every few seconds. That gives the BDM all the time it needs to do its magic. Is there a watchdog on the XC? We don't know, but you may be right if the XC was loaded via BDM.

It need not be loaded via BDM. I work in the credit card terminal business. We can load the secure processors with seed keys by an external gadget. Once the write is complete, and verified, a "fuse" command will prevent future reads or writes.
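
The write, verify, then "fuse" provisioning sequence described in the post above, modelled as an added example; it is not part of the thread and not any vendor's firmware. The `secure_elem` structure, the `se_*` functions and the status codes are hypothetical, and the key layout only reuses the sizes quoted in this thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_SLOTS 4
#define KEY_LEN   7                 /* 56-bit keys, the size quoted in this thread */
#define IMG_LEN   (KEY_SLOTS * KEY_LEN)

enum se_status { SE_OK, SE_LOCKED, SE_BAD_ARG, SE_NOT_VERIFIED };

/* Hypothetical secure-element model; every name here is illustrative. */
struct secure_elem {
    uint8_t keys[IMG_LEN];
    bool verified;                  /* stored image matched the loader's copy */
    bool fused;                     /* one-way flag: no code path clears it */
};

enum se_status se_write(struct secure_elem *se, unsigned slot, const uint8_t *key) {
    if (se->fused) return SE_LOCKED;
    if (slot >= KEY_SLOTS || key == NULL) return SE_BAD_ARG;
    memcpy(&se->keys[slot * KEY_LEN], key, KEY_LEN);
    se->verified = false;           /* any write invalidates an earlier verify */
    return SE_OK;
}

/* Compare in constant time so verify timing does not leak key bytes. */
enum se_status se_verify(struct secure_elem *se, const uint8_t *expect) {
    uint8_t diff = 0;
    if (se->fused) return SE_LOCKED;
    for (size_t i = 0; i < IMG_LEN; i++) diff |= (uint8_t)(se->keys[i] ^ expect[i]);
    se->verified = (diff == 0);
    return se->verified ? SE_OK : SE_NOT_VERIFIED;
}

enum se_status se_fuse(struct secure_elem *se) {
    if (se->fused) return SE_LOCKED;
    if (!se->verified) return SE_NOT_VERIFIED;   /* never lock an unchecked image */
    se->fused = true;
    return SE_OK;
}

/* Factory readback; refused once fused, so keys never leave the part. */
enum se_status se_read(const struct secure_elem *se, unsigned slot, uint8_t *out) {
    if (se->fused) return SE_LOCKED;
    if (slot >= KEY_SLOTS || out == NULL) return SE_BAD_ARG;
    memcpy(out, &se->keys[slot * KEY_LEN], KEY_LEN);
    return SE_OK;
}
```

The design point is the ordering: fusing is refused until a verify has passed, and every entry point checks the fuse flag first, so a locked part answers neither reads nor writes.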
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

hi adrianbv6,

The XC chip's memory is kept alive by the 3.6V battery.

You must be talking about C927. I don't know what it's for since the pinout of the XC is unknown. But I don't think it's like the watchdog function. I think they program the XC chip and everything else from the TV Pass Card port. The watchdog is a bit different; it is pulse charged by the CPU to keep the reset circuit from triggering. The watchdog just saves Moto money by reducing programming bugs causing warranty returns etc.

If we had the source code or a backup from a DAC system then we could see what's going on in the XC chip. I believe the unit will accept a UID coding command only when the XC program state is zeroed or you know the current UID and encryption keys and are changing it. If you look at the patent carefully it indicates that the auth value is something the XC chip knows that is unique or a 0 value. Why would they have "or 0"? I can only think the initial state of zero is for the first time it's coded; otherwise it has a UID and that would be the unique value it checks for.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

The XC chip's memory is kept alive by the 3.6V battery.

Yes, it is true, but if you place a negative over the positive leg of the cap you will get E11 guaranteed, and the cap is right next to the XC chip on the left facing the front of the box. The reason that got me thinking is that you only see the cap on ph7 and up; ph6 have the watch cap and no XC cap, or the cap in a different place. What I believe is that the only way to program the unit is by shorting the cap while it is plugged in somehow; it has to have a purpose... Same when I was tampering with the XC chip: the box gave me an error, I believe 1003\2027, I don't remember, but it was flashing and I couldn't use the box power or change channel or anything. The only way I regained control was by placing a negative over the cap. So it has to be like a watchdog and store some kind of codes when it is tampered with.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

There is always a possibility that it has that function. The reason I suspect it does not is because the 3.6V is on the positive side of C927 and remains there even when AC is removed. So the probability is higher that it is a VSS supply line and not a state control.
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

I would agree with cipher on this. Here the CC replaces the batteries in older DCTs while they are still plugged in to avoid E11. If the cap held a long enough charge then the battery could be changed with the unit unplugged and no hazard soldering near a "hot" power supply.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

After reading multiple patents on the Videocipher I, II and Digicipher systems I thought I would share what I have discovered.

The XC chip stores 4 56-bit seed keys and a 32-bit unit address that are installed at the factory.
All encryption and decryption has some relation to these seed keys.

When a box is sent an authorization message the DAC system encodes the unit address on the data stream and the receiver's BCM chip matches the address and processes the message, which is then sent to the XC chip over the SPI interface. The authorization is encrypted so that only this target address can use the message.

A system key message is broadcast to all DCT addresses in the network. It looks like the following in the SPI log.

02/10 10:47:38 :0607
80 0E 05 30 1D 19 35 85 8F
55 00 00 00 00 00 00 00 00

The 1D is the category version and the 19 35 85 is the system key.

This info is then added to the UID to create a 64-bit unit value like the following

19 35 85 1D 12 33 02 7F

The 64-bit value is used to create a unit key by encrypting it with one of three selectable levels of seed keys.

Level 1 = One 16 round DES using a single key (DES)
Level 2 = Two 16 round DES using 2 seed keys (modified DES)
Level 3 = Three 16 round DES using alternate pairs of 2 seed keys (modified DES)

The chosen seed key(s) are determined by using 2 bits (4 on level 3) of the system key to address the seed key values.

Once the value is encrypted it is referred to as a unit key or subscriber key.

This key is used to encrypt and decrypt the category key

A combination of XOR and DES functions are used with the tier/control data etc. and the unit key to produce the category key

For example tier bytes 0-6 + the current category Version byte are XOR'd to the Unit key and then used as a first decryption pass on the encrypted category key.
Then the credit + location code are XOR'd to the result of the first decryption pass and used as the key in the second decryption pass and so on until the entire process is complete.

Using this method allows them to distance the transmitted auth data from the seed keys so that a brute force crack on this data is not a possible option due to computational infeasibility and complexity. (That's what they said with the Videocipher II as well)

There are 4 encryption cycles between the actual unit key and the decrypted category key.

The unit key can be used to find the seed keys with a brute force.

The category key can be determined from the PPV record data.

The challenge is to get from the category key back to the unit key and then determine the seed keys.

Of course you must be able to determine where the cost data, tier data etc are in the actual auth messages. I already know some of them.

So obviously it is an extreme challenge.

Anybody have a DES cracking machine? It would only take a few hours with one of those devices. lol
duffy
Junior Member
Posts: 101
Joined: Fri Mar 31, 2006 12:15 pm

Post by duffy »

Wow !

Great explanation and good works !
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

Well, look at this: I don't think you can auth or deauth a box with uplink disabled... maybe if it is the system it can be deauthed, but I think the box needs to reply back to CC to complete the command.

cipher, good work. I have no knowledge of that. I am happy to find out about VOD... there are more movies on VOD than there are on the 4 PPV channels I have.