how to get Control words out of a smart card

SP-thimmyyy · #1 (**permalink**) 03-27-2007

Hi all,

I'm kinda new at this forum so i don't know where my question belongs here.

I'working on a software app that descrambles encrypted tv channels.
Most of it is done (although a lot of it needs to be tied together) but that doesnt really matter.

i'll explain how the whole thing works.

You have a laptop or pc with a smartcard reader, a source for coded mpeg2 streams and a smartcard (casema, cryptoworks irdeto).

The idea is that if you start the app, load in the mpeg2 stream, you can decrypt the channel. (CSA is implemented so i just need to get the control words from the SC)

I already tested with a casema card and a cyptoworks card but with the irdeto card i get stuck. (I think mainly because irdeto doesn't use T0 or T1 protocol)

I dug up ISO 7816-4 ( http://www.ttfn.net/techno/smartcard...6_4.html#ssB_1 ) to find out how to talk to the SC.

Every card I tried so far (with the exception of the irdeto) uses T0 protocol and i can connect to them.By making use of the winSCard.dll and the SCardConnect() function.
This function takes takes following parameter:
Parameters

hContext [in] A handle that identifies the resource manager context. The resource manager context is set by a previous call to SCardEstablishContext.
szReader [in] The name of the reader that contains the target card.
dwShareMode [in] A flag that indicates whether other applications may form connections to the card.
Value Meaning
SCARD_SHARE_SHARED This application is willing to share the card with other applications.
SCARD_SHARE_EXCLUSIVE This application is not willing to share the card with other applications.
SCARD_SHARE_DIRECT This application is allocating the reader for its private use, and will be controlling it directly. No other applications are allowed access to it.

dwPreferredProtocols [in] A bit mask of acceptable protocols for the connection. Possible values may be combined with the OR operation.
Value Meaning
SCARD_PROTOCOL_T0 T=0 is an acceptable protocol.
SCARD_PROTOCOL_T1 T=1 is an acceptable protocol.
0 This parameter may be zero only if dwShareMode is set to SCARD_SHARE_DIRECT. In this case, no protocol negotiation will be performed by the drivers until an IOCTL_SMARTCARD_SET_PROTOCOL control directive is sent with SCardControl.

phCard [out] A handle that identifies the connection to the smart card in the designated reader.
pdwActiveProtocol [out] A flag that indicates the established active protocol.
Value Meaning
SCARD_PROTOCOL_T0 T=0 is the active protocol.
SCARD_PROTOCOL_T1 T=1 is the active protocol.
SCARD_PROTOCOL_UNDEFINED SCARD_SHARE_DIRECT has been specified, so that no protocol negotiation has occurred. It is possible that there is no card in the reader.Does irdeto use T0 or T1 protocol, and if not wich one does it use and how do i set up this protocol.

I've already read a lot of stuf on the irdeto but i cannot use or try these commands or even send an ATR to the card if i can't connect to it.

SP-thimmyyy · #2 (**permalink**) 03-29-2007

no one knows how to negotiate Irdeto 2 protocol????????????????????

mwalker3 · #3 (**permalink**) 04-06-2007

Assuming you can get the ECM/EMM packets from the stream, you need to build the Irdeto packet format to suit the flavor of Irdeto that the card wants.

Once you have created the packet for the card you need to send it to the card and the reply will be the cw (for the ECM).

You will need a pheonix mode card reader. If this is running at 6Mhz, an RS232 port settings of 9600 8 data bit No Parity and 1 stop bit should be ok.

I cant remember, but once you open the com port, SET and CLR DTR and/or Set and Clear RTS, the atr should then be in the port ready to read.

You should now be ready to send commands to the card and get the reply.

....

Dont forget the Card will need a camkey and you will need to be able to remove the camkey to get the clear cw to decode the data stream.

SP-thimmyyy · #4 (**permalink**) 04-16-2007

tnx for the reply ,

I Can extract the ECM in software, the EMM probably aswell. I have an internal smart card reader in my laptop and i can adress this SC - reader.

The only question is how to set up the communication protocol between the laptop and card.
This means:
1) I would need to know the packet format of the ecm/emm to suit the flavor of iredeto (no idea as to what is format could be for certain cards?)

2) I don't use any other software to talk to a smart card other than functions exposed by winscard.dll. this means that i have to format all commands being sent to the card.

In a less secure sc-system that communicate via T=0 protocol it is possible to "hack" the CLA INS P1 P2 en lenght packages (reverse check the Status words the card returns). For DVB you would typically send a SEEK or SELECT_FILE command (INS = A2 or A4 it can differ depending on the card) containing the ecm without header to the card. You would get a response from the card telling you to pick up the CW with lenght of about +- 32 bytes. So you call the C0 (GET_RESPONSE) or CA (GET_DATA) INStruction

Formatting is like this:

CLA INS P1 P2 Lenght :

for example : 0xdd , 0xa2, 0x0, 0x0, (ecm.lenght + 3), 0x14 , (ecm.lenght +1), 0x0, ECM.Bytes (without header)

This would result in a status word (depending on the card) 0x9032 so S1 = 90 and is status for ok, S2 = 32 and is lenght of bytes to be returned by the card if you issue a get response command.

Note: this works for cards communicating via T=0 protocol. Formatting of the commands you need to send to the card is largely defined (with some card specific stuff) in ISO 7816-4. Main problem is that irdeto cards don't use T= 0 protocol but T = 14 (meaning implemented by irdeto).

If you have software that can 'talk' to an irdeto card i would like to know what the bytes are behind SET and CLR DTR and/or Set and Clear RTS.

note: camkey ????

mwalker3 · #5 (**permalink**) 04-18-2007

SP, check your PM Inbox

SkepTik · #6 (**permalink**) 04-23-2007

Would the control word be signified by CW1/CW2. I'm using a Dreambox and can see such things using Gb*x.
It says:
Irdeto ECM on CAID 0x0606 0x05FD

prov: 00 chid: 0004

CW1 5D E3 CF 3F F2 C2 85 8A
CW2 60 3C 6F 46 2C 83 AB 4D

What can this be used for??

mwalker3 · #7 (**permalink**) 04-24-2007

the CW's are used to decrypt to DVB Stream. My guess would be the CWs will change very often. In aus the change every 10-15 Seconds on the Main Pay providers.