Part Two:
EMM / ECM Nomenclature
There seems to be some confusion as to which commands are ECMs (Entitlement Control Messages) and which commands are EMMs (Entitlement Management Messages). Common usage of ECM meaning Electronic Counter Measure in Eurocrypt has led to the EMMs in Irdeto being labelled ECMs. This is incorrect.
The EMMs are the 01 01 .... commands. These enable and disable channels/cards. The 01 05 ... commands are the ECMs. These carry the information used by the decryption process.
Irdeto Commands and Nano Codes
Attached you should find a zipped file (CRDcmdsX.zip) containing a selection of Irdeto commands for you to learn and experiment with. Some of these can destroy a working card, so take care! Look at the *.crds in conjunction with the following explanations. Let me know if you find any new commands.
The Irdeto system complies with the ISO 7816 standard for packet structure and protocol, using 6-byte command headers of the form
CLA, INS, P1, P2, P3, Length
The first byte CLA is always 01. The second byte INS is the instruction. The third and fourth bytes (P1 and P2) are references. The fifth byte P3 usually designates the provider: 00 for Provider 00 and 01 for Provider 10. The sixth byte is the length of the data string that follows, including the NANO codes and signature. There is also an extra checksum byte at the end which is not included in this length.
INS 1 Command - EMM
01 01 00 00 00 xx : Initiates an EMM update to the card. xx is the length.
The next five bytes of each EMM identify the card(s) to be addressed. They are normally one of the following:
02 [Provider group of provider 00, (2 bytes)] 00 00 - Use crd macro p0
03 [Provider ID of provider 00, (3 bytes)] 00 - Use crd macro p2
0A [Provider group of provider 10, (2 bytes)] 00 00 - Use crd macro p1
0B [Provider ID of provider 10, (3 bytes)] 00 - Use crd macro p3
C3 [Hex serial number, (3 bytes)] 00 - Use crd macro s0
The sixth byte of the header is always the length of the following string, excluding the checksum.
Examples of EMMs
1. This activates the Channel Id (ch id) for provider group (pg pg) of Provider 00 on date (dd dd). The signature is (ss ss ss ss ss) and the checksum is (cs). The timer is set to FF 00.
01 01 00 00 00 17 02 pg pg 00 00 11 40 02 dd dd 11 06 ch id dd dd FF 00 ss ss ss ss ss cs
2. This writes Key 06 (k6) for Provider 10 on date (dd dd) for provider Id (pi pi pi).
01 01 00 00 00 1A 0B pi pi pi 00 14 40 02 dd dd 10 09 06 k6 k6 k6 k6 k6 k6 k6 k6 ss ss ss ss ss cs
If all the data in an EMM is correct and it is accepted, the card responds with a return code of just 3F. If there is an error, the card rejects the EMM with a different return code.
The following are possible answers (return codes) to the INS 01 EMM commands.
01 01 00 00 3F : Command accepted
01 01 00 00 3F 00 00 03 00 00 00 : Signature OK but key no longer accepted? Provider 00
01 01 00 00 3F 00 00 03 00 00 01 : Signature OK but key no longer accepted? Provider 10
01 01 00 00 3F 00 00 03 00 40 00 : Signature OK but wrong date or no key? Provider 00
01 01 00 00 3F 00 00 03 00 40 01 : Signature OK but wrong date or no key? Provider 10
01 01 00 03 00 : Command not accepted, wrong signature
01 01 70 00 00 : Command not accepted, wrong Hex serial number
01 01 71 00 00 : Command not accepted, wrong Provider ID
01 01 72 00 00 : Command not accepted, wrong Provider Group
01 01 73 00 00 : Command not accepted, wrong Provider Group
01 01 74 00 00 : Command not accepted, wrong Provider ID (not in the CB 20 string)
01 01 76 00 00 : Command not accepted, wrong ???
01 01 78 00 00 : Command (not?) accepted, wrong ???
01 01 79 00 00 : Command accepted.
01 01 7A 00 00 : Command not accepted, wrong ???
01 01 7B 00 00 : Command not accepted, wrong Provider ID/Group/signature???
01 01 7C 00 00 : Command not accepted, wrong signature
01 01 7D 00 00 : Command not accepted, Masterkey missing
01 01 7E 00 00 : Command not accepted, wrong Provider Identifier Byte - should be 00 or 11
01 01 7F 00 00 : Command not accepted, invalid nano???
01 99 00 02 99 99 99 00 : Command not accepted, wrong address (c8/9k)??
Blockers work by preventing EMMs from getting to the card. They only allow the following ECMs.
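The framing described above (6-byte header, 5-byte address block, nano data, 5-byte signature, trailing checksum) and the INS 01 reply codes, as an added example in Python. This is not code from the original text or from any Irdeto software. The header layout, the address modes 02/03/0A/0B/C3 and the reply wording follow the text; treating the byte after the address block as the length of the nano data plus signature, and the nano data as tag/length/value items, is inferred from the two worked EMMs above and is an assumption. The sample bytes are constructed, and because the text does not give the checksum algorithm, only the presence of the checksum byte is checked.

```python
"""Parse Irdeto-style ISO 7816 command frames and decode INS 01 replies.

Added example, not code from the original page. Header, address modes and
reply codes come from the text; the nano tag/length/value layout and the
inner length byte are inferred from the two worked EMMs (assumption).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# mode byte -> (kind, provider, number of address bytes); remaining bytes are 00 padding
ADDRESS_MODES = {
    0x02: ("provider group", 0x00, 2),
    0x03: ("provider id", 0x00, 3),
    0x0A: ("provider group", 0x10, 2),
    0x0B: ("provider id", 0x10, 3),
    0xC3: ("hex serial number", None, 3),
}

# third byte of a "01 01 xx 00 00" rejection, wording taken from the text
REJECT_CODES = {
    0x70: "wrong hex serial number",
    0x71: "wrong provider ID",
    0x72: "wrong provider group",
    0x73: "wrong provider group",
    0x74: "wrong provider ID (not in the CB 20 string)",
    0x7C: "wrong signature",
    0x7D: "masterkey missing",
    0x7E: "wrong provider identifier byte (should be 00 or 11)",
    0x7F: "invalid nano",
}

# Constructed samples: worked EMMs 1 and 2 with placeholder values filled in
SAMPLE_EMM_GROUP = "01 01 00 00 00 17 02 12 34 00 00 11 40 02 01 02 11 06 00 05 01 02 FF 00 AA BB CC DD EE 5A"
SAMPLE_EMM_KEY = "01 01 00 00 00 1A 0B 01 02 03 00 14 40 02 01 02 10 09 06 11 22 33 44 55 66 77 88 AA BB CC DD EE 5A"


@dataclass
class IrdetoCommand:
    cla: int
    ins: int
    p1: int
    p2: int
    p3: int
    length: int
    data: bytes                 # Length bytes: address, nanos, signature
    checksum: int               # trailing byte, not counted in Length
    address_kind: Optional[str] = None
    provider: Optional[int] = None
    address: bytes = b""
    nanos: List[Tuple[int, bytes]] = field(default_factory=list)
    signature: bytes = b""


def parse_command(raw: bytes) -> IrdetoCommand:
    """Split a frame into header, data and checksum; decode the EMM body for INS 01."""
    if len(raw) < 7:
        raise ValueError("too short for a 6-byte header plus checksum")
    cla, ins, p1, p2, p3, length = raw[:6]
    if cla != 0x01:
        raise ValueError(f"CLA must be 01, got {cla:02X}")
    if len(raw) != 6 + length + 1:  # Length excludes header and checksum
        raise ValueError(f"Length byte {length:02X} does not match {len(raw) - 7} data bytes")
    cmd = IrdetoCommand(cla, ins, p1, p2, p3, length, bytes(raw[6:6 + length]), raw[-1])
    if ins == 0x01:
        _parse_emm_body(cmd)
    return cmd


def _parse_emm_body(cmd: IrdetoCommand) -> None:
    d = cmd.data
    if len(d) < 11:  # 5 address bytes + inner length + 5 signature bytes
        raise ValueError("EMM body too short")
    mode = d[0]
    if mode in ADDRESS_MODES:
        kind, provider, n = ADDRESS_MODES[mode]
        if any(d[1 + n:5]):
            raise ValueError("address padding bytes must be 00")
        cmd.address_kind, cmd.provider, cmd.address = kind, provider, bytes(d[1:1 + n])
    else:
        cmd.address_kind, cmd.address = "unknown", bytes(d[1:5])
    inner = d[5]  # assumption: length of nano data plus signature
    if inner != len(d) - 6:
        raise ValueError(f"inner length {inner:02X} does not match {len(d) - 6} bytes")
    cmd.signature = bytes(d[-5:])
    body, i = d[6:-5], 0
    while i < len(body):  # assumption: nanos are tag, length, value
        if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
            raise ValueError("truncated nano")
        tag, ln = body[i], body[i + 1]
        cmd.nanos.append((tag, bytes(body[i + 2:i + 2 + ln])))
        i += 2 + ln


def classify_emm_response(resp: bytes) -> Tuple[bool, str]:
    """Map an INS 01 reply to (accepted, reason) using the codes listed in the text."""
    if len(resp) < 5 or resp[:2] != b"\x01\x01":
        raise ValueError("not an INS 01 reply")
    if resp[2:5] == b"\x00\x00\x3F":
        if len(resp) == 5:
            return True, "command accepted"
        provider = "Provider 00" if resp[-1] == 0x00 else "Provider 10"
        if resp[-2] == 0x40:
            return False, f"signature OK but wrong date or no key ({provider})"
        return False, f"signature OK but key no longer accepted ({provider})"
    if resp[2:5] == b"\x00\x03\x00":
        return False, "wrong signature"
    if resp[2] == 0x79:
        return True, "command accepted (79)"
    return False, REJECT_CODES.get(resp[2], f"rejected, code {resp[2]:02X}")


if __name__ == "__main__":
    for sample in (SAMPLE_EMM_GROUP, SAMPLE_EMM_KEY):
        c = parse_command(bytes.fromhex(sample))
        print(c.address_kind, c.provider, c.address.hex(), [(f"{t:02X}", v.hex()) for t, v in c.nanos])
    for reply in ("01 01 00 00 3F", "01 01 7D 00 00", "01 01 00 00 3F 00 00 03 00 40 01"):
        print(reply, "->", classify_emm_response(bytes.fromhex(reply)))
```

Running the block parses the two constructed EMMs (group-addressed channel activation, provider-ID-addressed key write) and classifies three replies. The length checks are the part worth keeping: a frame whose Length byte, inner length and nano lengths do not agree is malformed before any signature question arises.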
--------------------------------------------------------------------
INS 2 Commands - Get...
01 02 00 03 00 : Get the card's serial number in ASCII
01 02 01 03 00 : Get the card's serial number in hex. The last byte is always 18h.
The sixth byte from the end indicates the number of providers on the card. Usually 02, but 01 and 03 have also been seen. 03 causes problems for some receivers (UEC).
01 02 02 03 00 : Get the card's country code. Last three bytes (in ASCII).
The first two bytes indicate the internal card version. ACS 1.2 cards are 02 01. C8/9k cards are 03 82 or 03 83.
01 02 03 03 00 : Get Provider ID 00
01 02 03 03 01 : Get Provider ID 10
01 02 04 00 00 01 [00....09] : Get ChanIDs, dates and timer for Provider 00
01 02 04 00 01 01 [00....01] : Get ChanIDs, dates and timer for Provider 10
01 02 07 00 00 20 : Writes 32 bytes to the buffer. If the length is set to zero this also enables reading of the buffer using...
01 02 08 00 00 00 : Get 32 bytes from the buffer. These commands only work on series < c8000 (PW) or < ACS 1.6
01 02 09 03 xx 40 : Send CAM key
01 02 0B 00 00 : Get country code (first three bytes), followed by 00 8c 00 64 00 14 00 00 00 00
then the manufacturer's code, e.g. B D T V x x x x x C. All characters in ASCII. The 64 and 14 indicate the maximum possible ChID positions for provider 00 and 10 respectively. Some cards have these set at 46 and 32. Thus the maximum number of ChIDs that can be stored is 78h = 120 decimal.
01 02 0D 00 00 : Get first four bytes of signature after an incorrect response
01 02 0E 02 00 : Read Card File 1
01 02 0E 03 00 : Read Card File 2
01 02 0F 00 00 : Get ASCII SN, ProvID for Provider 00 and an 8 + 5 byte string.
The eight byte string always seems to be 42 98 2C 4D D9 EA F4 69. Even for Irdeto cards from different countries. I assume the 5 byte string is a digital signature.
01 02 0F 00 01 : Get ASCII SN, ProvID for Provider 10 and an 8 + 5 byte string.
The eight byte string always seems to be F0 EC F2 80 85 AB 29 71.
01 02 0F 00 xx : Get ASCII SN, ProvID for Provider 10 and an 8 + 5 byte string.
As xx increments, different 8 +5 byte strings are returned. ROM dump?? It is the same for all cards.
PIN Numbers
01 02 0A 0x xx xx : Basic PIN number command.
There are four possible PIN numbers on a card. They are identified by the fifth byte of the PIN number command.
00 - Parental PIN
01 - IPPV PIN
02 - Home-Shopping PIN
03 - General PIN
The following examples use the parental PIN.
01 02 0A 02 00 02 xx xx : Enter PIN number (reply 50 = correct, 51 = wrong)
If a correct reply is received, the same command is sent again, and if it is confirmed correct the return code is then 5E.
01 02 0A 01 00 04 xx xx yy yy : Change PIN, x = old PIN, y = new PIN (reply 51 = wrong xx xx, 52 = OK)
The PIN number can be found by sending all possible 9999 codes sequentially until the return code is 50/5E and not 51.
This can be done in the Smart Card menu of DVB2000 or with simple DOS programs like Irdetpin.
Answers to the Class 2 Commands
00: OK
50: not OK
51: not OK
53: not OK
54: not OK
55: OK
56: not OK
57: not OK
67: The length is incorrect.
69: Command not allowed
6B: Wrong reference (byte 4+5)
6C: The card does not support the instruction class (byte 2?) ??
6D: The instruction code is not programmed or invalid (byte 3) ?
6E: The card does not support the instruction class (byte 2?)
6F: No precise diagnostic is given
-------------------------------------------------------------------