ACP analysis and command creation tool

XC chip, auth and block SPI command.
Locked
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

well i was to happy to soon i e11 another to see now i have my anser

01 16 27 46 5C CC 8E AC 72 47 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 F0
01 16 B5 49 D2 70 BD CE D8 13 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 F0

motorola needs to be hacked and release all its diagrams ahaha.
but i still belive somehow each XC chip one distinct key to encrypt data because i dont see how both EMpthy xc chips with invalid uid still have that response diferent

i stil think the XC is only a encrypter with a diferent way of encrypting its contents a key or is build diferent.....i think has to be a key build in permanently


i was reading my XC serial
HTU0208 second HVJ0218 ? this means that they could also planted a key permanent in each chip.....

ANYONE SEE ANY RELATION TO THAT RESPONSE IN CORELATION WITH SERIAL ? maibe the GI comes into play now?
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

I find the serialization number of the ACP chip to be very interesting. It could be that each chip has a hard set of keys programmed at fabrication time. Or it may be just a run date. We just don't know for sure either way the E11 state could be a potential weakness where if the keys are fuse programmed in then the return command responce values can be trial decrypted and encrypted across two boxes to see if there is a correlation of a future known responce which could reveal the hard keys.

I will think about it further.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

i think it has 1 key or 4 because there are 4 tipes of diferent response on same box before E11/ or maibe just one and that coupld mean there is more then uid encrypted in that portion./// but this is the only logical way to encrypt things and have it extremly hard to break the code, because nobory will have same key.,


E11 will be the key to our way. it must be some kinda sequence if is found then just by looking at the serial or whatever we can decrypt on the other real ones. i belive the GI number has something to do with this now because when a E11 box is fixed they only change UID<,,,and notify the company but they never change that hard code GI,
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

i was looking at the serila numbers look what i found


this a small new one but should be same theory XC chip serial
i got 3 DCT with same xc chip serial .....only thow they are 700 i cant e11 and ready spy but this means that this family have same keys....

because the GI is extreeemly close down to the last numbers,


look give an example.
XC CTAA0649 has this gi numbers
M12345NE1234
M12345NE1235
M12345NE1238


IGNORE THE NUMBERS 12345 THE START IS THE SAME....ENDING IS DIFERENT AFTHER NE.....

I READ ANOTHER ONE NOT TO FAAR AWAY
XC CHIP CTAA0617
SERIAL IS DIFERENET COMPLETLY.
this prooves that the xc chips are not same but made in batches so basicaly like i have the serial up top afther NExxxx any of those with xxxx will have same key or keys. since xc chip is same
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

this also explains why when i was faking a good UID to get premiums VOD my PPV got enable i think the xc chip got the command encrypted with same key is possible that box had same xc chip so same encryption my ppv got enabled.


i think thats why we cant xommand same sequence to a total diferent chip because the chip cant decipher good the command.....since has diferent key the result is bad.

to bad we cant spi 700 i would find out a lot more because we have boxes of this things with same xc chip and close uids close gi numebr i have a huge advantage i work for isp i can get lots off stuff.....
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

There are 4 56 bit DES seed keys in the ACP. I am still not convinced that the number on the ACP is not a run date sequence number. But if you know of 2 installed subscribed units with the same ACP serial number you should be able to log SPI on a DCT2000 from anywhere and see if the auth command is the same for the UA's of those boxes. Maybe the UA is not part of the encryption of the auth command. according to the digicipher I protocol it is used.
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

At one point I analyzed the code and seems finally there are some code does something odd and then generate channel 07 command. If this the final path to decrypt video, then if we can generate good channel 07 command we should be able to decrypt video. Treat XC chip as black box since finally each box will generate same 07 command to decrypt the same channel.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

Do you recall where in the code you found the 07 commands?
Are they these ones.

; 00459B34, 00459B4C,
; SPI3ByteCommand_0
0049E5CC
command : E54703
allign : FF
; SPI3ByteCommand_1
0049E5D0
command : 881509
allign : FF
; SPI3ByteCommand_2
0049E5D4
command : 881507
allign : FF
; SPI3ByteCommand_3
0049E5D8
command : 881508
allign : FF
; SPI3ByteCommand_4
0049E5DC
command : 881506
allign : FF
; SPI3ByteCommand_5
0049E5E0
command : C81509
allign : FF
; SPI3ByteCommand_6
0049E5E4
command : C81507
allign : FF
; SPI3ByteCommand_7
0049E5E8
command : C81508
allign : FF
; SPI3ByteCommand_8
0049E5EC
command : C81506
allign : FF
; 00459B70,
; SPI3ByteCommand_9
0049E5F0
command : E56101
allign : FF
; 00459BAC,
; SPI3ByteCommand_10
0049E5F4
command : E56100
allign : FF
; 00459B84,
; SPI6ByteCommand_0
0049E5F8
command : C81508022200
; SPI6ByteCommand_1
0049E5FE
command : C81508062200
; 00459B98,
; SPI6ByteCommand_2
0049E604
command : C81506402200
; SPI6ByteCommand_3
0049E60A
command : C81506442200
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

cipher you dont understand i cant log SPI from a E11 700 box and if i dont e11 the box you cant find the encryption key because the data stored( not the permanent decrypt encrypt key) ......so any data diferent with same key you get diferent result.....thats why is harder. but if i can prove that a E11 with same XC serial number have that same response then that means there is a way.......look i will do this i will log SPI from a 2000 i will autorize for all channels then i will E11 na replay the auth commands and if sucessfull then bingo...my theory is right.


this is the only flaw in the system.//..


each XC chip has its own decryption and encryption KEY.....PErmanent build in based on GI number or XC serial or somehting....

i actualy belive that a autorization command from a box with same XC chip serial number wil work when replay......


i belive the reason why the auto command you get from Abox dosent work on Bbox because XC chip is diferent...

i cant find 2 2000models with same XC chip serial number when i do i will E11 both and i am 80% sure that response 01 16 xx xx xx xx xx xx will be the same . is the most logical way to make it secure enogh
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

That method will do the same thing. I was referring to a remote log using spoofing/fake UA to capture the auth sequence of the two units having the same ACP serial. You can log these incoming DAC generated commands just not what the outgoing response would be.

If the UA is based on an encrypted value stored in the ACP and by causing an E11 we are setting this value to zero then we have a known clear text (UA as 00 00 00 00) and a known cipher text (the response to a GetRegUA command). If this were true then we can get one or more seed keys with a brute for any box.

Good dialog adrianbv lets hope it works.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

my experiment didnt work on a ph6 is possible that the auth command suppose to have same UID as the XC then, i think that the xc chip understands the code but is rejected because wrong UID.....so if anyone can decipher one of the result 01 16 xx xx xx xx xx xx xx the XXX there is some kinda info in there that i still think they have only one DEcrypt encrypt key in eacch XC chip what has same serial number. diferent serial number diferent key....and i think the DAC or the main computer has all the keys since i see same XC chip only on the boxes with same GI the last 4 digits can be diferent and still same xc if one number in GI the beggining is diferent diferent xc .......E11 is the key..i am sure of it ....

i will try on a ph7 or newer /


anyway bdm said something about cant program 700 if the flash has bad data and boot erased?

i did that and i was not able to detect flash......what i did i grounded one pin from test pointJ300 that long 20somehting pin next to the flash./...

i grounded for couple second and detect the flash right away. the pin is first one next to the markings J300 dont try this unless u are sure that u tried everything else and nothing work to detect flash.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

Are you saying that with a set of GI#'s like

GI1234VG1001 = 1 ACP serial#
GI1234VG1002
GI1234VG1003
GI1234VG1004

GI1234VG1005 = 1 ACP Serial#
GI1234VG1006
GI1234VG1007
GI1234VG1008
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

cipher, I do not have code at hand and I will read this latter next week.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

cipher wrote:Are you saying that with a set of GI#'s like

GI1234VG1001 = 1 ACP serial#
GI1234VG1002
GI1234VG1003
GI1234VG1004

GI1234VG1005 = 1 ACP Serial#
GI1234VG1006
GI1234VG1007
GI1234VG1008
yes corect
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

cipher wrote:There are 4 56 bit DES seed keys in the ACP. . Maybe the UA is not part of the encryption of the auth command. according to the digicipher I protocol it is used.
my idea is this

XCchip. encrypts and decrypts data over the cable like auth commads and VIdeo decryptioon key. ISP should have access to only change the video keys .....the encryption used is based on EACH XC chip that i belive has its own key to encrypt and decrypt based on GI or UID orXC serial. or combination that is unknown yet.....rember like i just seen 3 boxes with only couple numbers diferent at the end of UID and GI had same XC chip......i was able to het spi from them but i was not able to get spi afhter E11 so its ussless to me i cant 100% verefy that this is corect...but otherwise they would not make 3 boxes with same chip and other boxes with diferent GI have diferent xc.

when i took the spi the sequance is diferent no matter what even if key is the same UID is diferent so u get diferent result....

now when i E11 box A and BOX B...i send command to each box

80 0b 02 00 00 09

i got this 2 responses
BOX A
01 16 27 46 5C CC 8E AC 72 47 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 F0
BOX B
01 16 B5 49 D2 70 BD CE D8 13 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 F0

i also belive this respons contains UID because it starts with
01 16.....it must be some kinda error.....like FC 16 27 46 5C CC 8E AC 72 47 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 F0
now the reson i also think is diferent because XC chip has diferent Serial.....otherwise response should be same equal....just like the ending on each response 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 F0

this proves that each XC chip has a build in encrypter with its own key....hard to crack if u want to find the video keys on one box u still wornt be able to make a sequance for another box with diferent XC because the XC chip will not decrypt the command right....is like i talk encglish and someone talks french....and a german guy saids hello.....ahah.

this is my idea and i am sticking with it untill i find 2 boxes with same XC serial then i will E11 and when i find the response is the same then next is to find out from that key how they make the other keys.....this has to be computerized they are not random a computer picked up each on...and i think they use same XC chip on more then one box because somehow is related the XC with GI,,,,,,so if we know the last 4 digits of the GInumber can be diferent you get same XC chip then there is some connection....i also was able to precisly pick the right box by the middle abreviation NE has old chip...FG has new XC soon to find out more.



is des triple ECB or des single.?
Locked

Who is online

Users browsing this forum: No registered users and 5 guests