ACP analysis and command creation tool

XC chip, auth and block SPI command.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

adrianbv6,

I was looking at my e11 box and I think you need to do the following on one of yours.

When working with certain commands you may need to issue an ACP reset to get the device to a correct starting point, or you will not receive the response that would normally occur in real time.

send ACPReset
send GetReg05-UA up to three times
send ACPReset
send GetReg0B up to three times

then evaluate your results

This may change your analysis.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

I don't get different results, it's the same. What do you get? And what's your XC serial?

I meant about the UID: when it's E11 it's
01 16.......

and the UID is FC 16, so it means that the UID is after 16 under that command. Maybe more than just the UID.

Post by tester5 »

Some kind of new command; on one of my E11 boxes I get this
80 05 00 05 00
55 00 00 00 00

00
55

00 00
05 09

01
55

00 00 00 00 00 00 00 00 00 00
FC 16 B5 49 D2 70 BD CE D8 13



80 FF 16 00 E9
55 00 00 00 00

00
55

00 00
FF 16

01
55

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 E9 6A 34 34 34 00 1F 01 00 00 80 AC E7 E1 E4 55 26 1C 87 20 0D 00

It seems that you can erase or set what you want in that
if you put 80 ff 16 00 00 00 00 00 00 00 00 00 00 00 00 00

Don't know what it is
80 FF 16 00 E9
55 00 00 00 00

00
55

00 00
FF 16

01
55

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 E9 6A 34 34 34 00 1F 01 00 00 80 AC E7 E1 E4 55 26 1C 87 20 0D 00


80 05 00 05 00
55 00 00 00 00

00
55

00 00
05 09

01
55

00 00 00 00 00 00 00 00 00 00
FC 16 B5 49 D2 70 BD CE D8 13
80 FF 1D E2
55 00 00 00

00
55

00 00
FF 1D

01
55

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E2 16 6A 00 00 00 00 00 00 E9 F8 00 00 00 00 00 00 26 1C 87 20 0D 2E 7D F6 B8 A3 E5 02 04 I F


80 FF 1F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 04 E6
55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00
55

00 00
FF 1F

01
55

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 04 E6 B8 A3 E5 02 04 15 00

80 FF 1F E0
55 00 00 00

00
55

00 00
FF 1F

01
55

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 04 E6 B8 A3 E5 02 04 15 00

80 FF 1F 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 02 04 E6
55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00
55

00 00
15 00

01
55

00
15

80 FF 1F 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 02 04 E6
55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00
55

00 00
FF 1F

01
55

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 00 00 00 00 00 02 04 E6 B8 A3 E5 02 04 15 00

80 FF 1F 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 02 04 F4
55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00
55

00 00
FF 1F

01
55

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 00 00 00 00 00 02 04 E6 B8 A3 E5 02 04 15 00

80 FF 1F E0
55 00 00 00

00
55

00 00
FF 1F

01
55

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E0 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 00 00 00 00 00 02 04 E6 B8 A3 E5 02 04 15 00

80 FF 1F E0
55 00 00 00

00
55

00 00
FF 1F

01
55

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E0 16 6A 12 12 12 12 12 12 12 12 12 12 12 12 12 12 00 00 00 00 00 02 04 E6 B8 A3 E5 02 04 15 00


I rebooted the box and this E0 16 6A 12 12 12 12 12 12 12 12 12 12 12 12 12 12 00 00 00 00 00 02 04 E6 B8 A3 E5 02 04 15 00 stays there. I don't know what the purpose is, because this is an E11.

Post by cipher »

It could be a problem with my assembler routine. I will check it this weekend.

Post by tester5 »

I am not using yours.

I am using the normal SPI command; I don't like having to write that command manually in the txt folder and then save...... With the normal SPI commander I can trial more commands faster...... Yours is a nice thing once we know what commands do what, then that's easy, but for the rest SPI commander works fine ...

I realize that 80 0B xx xx xx xx is some kind of storage; on a legal box, with a few combinations you get different results...... either it is changing the last 4 pairs of the encryption key... or it is registers where things are stored.... If you pay attention to the auth sequence, the command 80 0B comes first before each command..... so it might be some kind of command to open a specific register and then send the command.... etc. I don't know...
junctionbox
Junior Member
Posts: 449
Joined: Sat Oct 21, 2006 6:19 am

maybe new commands

Post by junctionbox »

Hey guys, sounds like we might be getting new commands soon. Keep up the good work, masters of this site. I wish I could lend a helping hand, but for me it's like trying to find a cow's ass in the dark, guys.

Post by tester5 »

cipher, what are these TABLES?

Every command starts with this, no matter what company it is and what package...

set1
80 3C 99 70 00 00 00 94 A0 00 01 00 00
set2
80 3C 99 70 00 00 00 94 A0 00 01 00 00
set3
80 3C 78 70 00 00 00 94 A0 00 01 00 00
set4
80 3C B8 70 00 00 00 96 A0 00 01 00 00

Very interesting, since this never changes; plus there is a table starting from 00 xx xx xx 01 xx xx xx 02 xx xx xx 03 xx xx xx all the way to 1F. The xx must hold some kind of package info..... like what's included and what's not. I don't think there are more than 2 video keys... the rest must be package sets, since I see this change with the package.

Post by cipher »

These are the authorization sequences. Each one has a specific function, which I have deduced to be the following.

The last sequence is the program tier group; it contains the default tier, which you will find matches the system ID. This is what all UAs will receive by default when added to a DAC. Then, if you add on other packages, you will have additional tiers. Some of the fields are the location code, region code, unit control, VH stack and category number, and some other unknowns.

The first three are the odd and even encrypted category keys, sequence number, control byte, data service tiers 2, 1 & 0, PPV credits and some other unknowns. Each sequence will use some internally chosen ACP memory address value to encrypt the category keys, and the last 64-bit value is the message authentication cipher, or MAC for short. They take the data portion of the sequence and create a one-way hash from it, which is used to validate that it came from the DAC.
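The message-authentication idea described above, shown as an added example that is not from this thread or from the DAC/ACP system itself: the sender appends a keyed tag computed over the data portion, and the receiver recomputes the tag and rejects anything that does not match. The thread does not say which algorithm the real system uses, so HMAC-SHA256 truncated to 64 bits is assumed as a stand-in; the key and the "data portion" bytes are constructed for the demo (the data is the `80 3C 99 70 ...` header quoted earlier in the thread), and the function names are hypothetical.

```python
import hmac
import hashlib

TAG_LEN = 8  # the post describes the trailing MAC as a 64-bit value


def attach_mac(key: bytes, data: bytes) -> bytes:
    """Return data || MAC(key, data), MAC truncated to TAG_LEN bytes.

    HMAC-SHA256 is an assumed stand-in; the thread does not name the
    real primitive. Truncating an HMAC to 64 bits is a standard option.
    """
    tag = hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]
    return data + tag


def verify_mac(key: bytes, message: bytes) -> bool:
    """Split message into data || tag and check the tag in constant time.

    A message too short to carry a tag is rejected outright rather than
    being sliced into nonsense.
    """
    if len(message) <= TAG_LEN:
        return False
    data, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    """Build one authenticated message and show what the receiver accepts."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed demo key
    data = bytes.fromhex("803c997000000094a000010000")       # header bytes quoted in the thread
    genuine = attach_mac(key, data)

    # Flip one bit in the data portion: the tag no longer matches.
    tampered = bytearray(genuine)
    tampered[5] ^= 0x01

    return {
        "length": len(genuine),                               # 13 data bytes + 8 tag bytes
        "genuine": verify_mac(key, genuine),                  # True
        "tampered": verify_mac(key, bytes(tampered)),         # False
        "wrong_key": verify_mac(b"\xff" * 16, genuine),       # False
        "truncated": verify_mac(key, genuine[:-1]),           # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for a receiver is the last three results: without the key, a forged or edited sequence cannot be given a valid tag, so the box can tell a DAC-originated message from a modified one. `hmac.compare_digest` is used so that the comparison time does not leak how many tag bytes matched.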

Post by tester5 »

Has anyone found 2 DCTs with the same XC chip to get SPI from? I can't locate any 2000 model with the same XC chip//// only 700, and I can't SPI from those...

cipher, what do you think about this technique? I am thinking Motorola used it to build this?

I am looking hard to find 2000 models with the same XC chip, but none are close with GI..... I studied all the equipment using decipher2; they all have a GI M4 or other type to start with, and all have the same design cable cards... HDs, DVRs, 700, 2000. It can't just be a coincidence; that GI number must be important other than just warehouse keeping...... Cracking encryption is hard even for Motorola, unless they make this with a sequence key logged by GI number or something ........ GI is related to the XC chip.

Please, everyone with 2000 models that already have E11, post your GI number; maybe one of us has close numbers..... The last 4 digits are OK to be different...... I really want to find out if this is true or not, so I can look in a different direction or not.

Post by cipher »

adrianbv6,

I think there is merit in the serialized XC chip idea. I don't know what gain there will be from it at this point. But I can say the more we experiment the more we will know how this system works.

Re: re

Post by junctionbox »

cipher, you could save the day if you crack this. People's lives will improve considerably.

Post by tester5 »

cipher wrote: Are you saying that with a set of GI#s like

GI1234VG1001 = 1 ACP serial#
GI1234VG1002
GI1234VG1003
GI1234VG1004

GI1234VG1005 = 1 ACP Serial#
GI1234VG1006
GI1234VG1007
GI1234VG1008

I found that I am wrong. I found a couple of GI#s where only the ending is alike, 2312, and the other is 1023; the XC chip is different and the UID half is different too........... The XC chip on the ones with 2737 is ctaa0617, the other one, 1021, is ctaD0621. I will study the boxes more closely to see how far apart they use the same XC chip.

Post by tester5 »

cipher, do you know if the channel table in the NVRAM is encrypted?

Like on CLR channels, the last 00 00 are the correct channel ID...........

On ENC that is not correct anymore......

You know what, 80 xx xx xx xx xx xx xx xx xx xx

it seems encrypted..... I am looking; maybe the channels are categorized in NVRAM, but now I see that I can't modify the channel info.....

For example, you can add channels in between, just put 80 every 10 pairs...... but the data inside seems encrypted on the ENC 12 channels and PPV ...... on CLR only the ID I can match to everything I looked at.

This is what I found:

80 00 00 00 aa bb cc dd ee ff now editing aa: nothing changes....
edit bb: nothing changes
edit cc: frequency and channel ID change.
edit dd/ee/ff: channel becomes unavailable unless you find a good one from another list

So I guess they are encrypted; if I change cc and I can view a different channel, then something's up. But channel ID and frequency won't match to cc.

Post by tester5 »

I was reading around about another system that is compatible on my network, called NDS VideoGuard. This is what I found:

# NDS smart cards use custom-designed chips and include unique security algorithms for each customer.
# Algorithm-based key generation ensures maximum security and bandwidth efficiency."

This has now raised all my doubts... and I know the XC chip has the same thing: each XC chip has a way of encrypting its data and commands, each separately... and since these commands are made by a computer, then there is a way to hack it. I know the E11 boxes are our way into the system.

I post all my XC chip serial numbers; if any of you have the same one, please let me know. On 2000 models and only E11 boxes.


HWN0223
HIF0021
HKR0045
HLF0052
HPJ0142
HXZ0229
HTX0209
HXK0226
QDY0304
HVJ0218


On 700 I found 5 with the same XC chip, so these damn things are made in batches. Maybe 50, 100, not many, don't know yet... and each serial number has a different way to encrypt data. There is no SPI for 700 yet, otherwise I would find out myself what I want to know..... So with 2000 models it is a long shot, because they have been out for a long time and are mixed and mixed; there is no way I can find one with the same number.

dct2244

Post by junctionbox »

I have a DCT2244 CR4 box. Where is the XC chip located in that particular box?