Some Differences between Irdeto1 and 2.
There are 4 Providers instead of 2 (00, 10, 20, 30)
Provider    00       10       20       30
------------------------------------------
e.g.        3A B9    3B B9    3C B9    3D B9
The CAM knows that the ProvID must be requested 4 times, instead of 2 as for Irdeto1.
The Hex Serial Number (HSN) is read the same as Irdeto1.
HSN
----------
e.g. 89 B4
ASCII Serial Number is read the same as Irdeto1.
SN
-------------------
e.g. 0003 3896 255
Country Code (CoCo) is read in the same format as Irdeto1.
CoCo
------------
e.g. ABC
The Signature is composed of 8 bytes instead of 5 as for Irdeto1.
Remembering that in Irdeto1 8 bytes of signature were calculated, but
only 5 were used, this new development should not be significant. We
could assume a calculation similar to Irdeto1 that uses
all 8 bytes.
Let's talk about the signature.
There are several cases:
a) the signature is calculated on the encrypted data block.
b) the data block is taken in blocks of 8 and encrypted; any bytes missing from a block of 8 are made up with filler bytes.
c) the signature is calculated on the unencrypted command, and the data
block is encrypted as before. The overall command comes from the
union of the two strings.
Block Data
----------
Class 5 Commands are used.
It seems there are always blocks of 8 bytes.
That is, for any nanocommand sent and for any number of nanos sent, the total number of bytes sent is always a multiple of 8.
Obviously some filler bytes are needed to reach a
multiple of 8. The filling logic could be the same as that of Irdeto1 for the
signature. Since the signature is also 8 bytes, L2 (length 2) is a multiple of 8
and its hexadecimal value will be x0 or x8.
Therefore we will always have:
Commands of class 1: 01 01 INS P1 P2 L1 C3 xx xx xx 00 L2..
L1: length L1 = L2+6
L2: from a minimum of 8 (data) +8 (sign.)=16=10h, and then with
values 18h, 20h, 28h.
Commands of class 2: for compatibility with Irdeto1 they are the
same. Indeed they do not have a signature and therefore they will not
be encrypted.
Commands of class 5: 01 05 INS P1 P2 L1 CH ID KK 00 L2..
L1: length L1 = L2+6
L2: taking into account that in Irdeto1 it is normally 1Dh, at minimum it
must be 20h
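The class 1 length rules above (L1 = L2+6, L2 a multiple of 8, L2 at least 10h) can be checked mechanically. The following Python code is an added example, not part of the original post; it assumes the byte offsets implied by the string 01 01 INS P1 P2 L1 C3 xx xx xx 00 L2.., uses a constructed sample frame, and does not verify the trailing checksum, whose algorithm the post does not give.

```python
# Added example: framing check for the class 1 layout described above.
# Offsets follow the post's string "01 01 INS P1 P2 L1 C3 xx xx xx 00 L2 ..";
# function and field names are this example's own (assumptions).
BLOCK = 8      # data is padded to 8-byte blocks
SIG_LEN = 8    # Irdeto2 signature length according to the post
HDR_LEN = 12   # bytes up to and including L2


def parse_class1(frame: bytes) -> dict:
    """Split a class 1 command into fields and enforce the length rules."""
    if len(frame) < HDR_LEN:
        raise ValueError("frame shorter than the 12-byte header")
    if frame[0] != 0x01 or frame[1] != 0x01:
        raise ValueError("not a class 1 command (expected 01 01)")
    ins, p1, p2, l1 = frame[2], frame[3], frame[4], frame[5]
    l2 = frame[11]
    errors = []
    if l1 != l2 + 6:
        errors.append(f"L1={l1:#04x} but L2+6={l2 + 6:#04x}")
    if l2 % BLOCK:
        errors.append(f"L2={l2:#04x} is not a multiple of 8")
    if l2 < BLOCK + SIG_LEN:
        errors.append(f"L2={l2:#04x} is below the minimum 10h")
    body = frame[HDR_LEN:HDR_LEN + l2]
    if len(body) != l2:
        errors.append(f"body truncated: {len(body)} of {l2} bytes")
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "ins": ins, "p1": p1, "p2": p2, "l1": l1, "l2": l2,
        "data": body[:-SIG_LEN],           # data block(s), padded to 8
        "signature": body[-SIG_LEN:],      # last 8 bytes of the L2 region
        "trailer": frame[HDR_LEN + l2:],   # checksum byte(s), not verified
    }


# Constructed sample, not captured traffic: 8 data bytes, 8 signature bytes
# and a placeholder trailer byte (FF).
SAMPLE = bytes.fromhex("01 01 00 00 00 16 C3 00 00 00 00 10"
                       "1112131415161718" "A1A2A3A4A5A6A7A8" "FF")

if __name__ == "__main__":
    fields = parse_class1(SAMPLE)
    print({k: v.hex() if isinstance(v, bytes) else hex(v)
           for k, v in fields.items()})
```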
ALGO
-----
It seems that 4.1 cards use an advanced encryption, that is, the
instruction is not sent in the clear, but is sent encrypted with a key.
In order to maintain compatibility with the previous Irdeto CAM, we
have some restrictions with the new cards.
a) the Irdeto commands have the known structure: 01 cla Ins p1 p2 LL -
data block - signature - checksum
b) for compatibility the first 6 bytes will always be in the clear
and they will not use advanced encryption.
Moses.