ACP analysis and command creation tool

XC chip, auth and block SPI command.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

I have spent a significant amount of time trying to create a real-time ACP command manipulation tool. There are many stability issues with the real-time version, so I decided to release a stable non-real-time version. This version runs in a continuous polling loop on the DCT like the USBBDM command tool. The first version allows you to capture DCT SPI log info and then use the log text to create new commands and trial them. Later versions will be much more powerful, allowing function-based scripts that automate command trialling.

To use it you must install .NET 2.0.

If you wish to try it out just PM me and I will send it to you.

This version only runs on the DCT2000 series for now.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

Does it work, or do you have more info?
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

It works and it comes with instructions on how to use it.
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

Have you figured out why there is a sequence to programming the right data to the chip?

Like when we used to SPI capture, the auth command was in a pair of 4 commands, I can't remember well. Plus the before and after data always comes like 2 or 3 times I used to hit the box. Like what sequence was on before and what it received next...

This is a big help considering some of us have access to a lot of boxes with the same package; we can analyze what registers are different.

Have you been able to turn a channel on so far?
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

The authorization sequence can be replayed using the tool, which helps those on a system where the monthly category numbers do not change.

That info is found on the SendSystemID broadcast command, highlighted in yellow in XCMangler's log window.

The auth 4 sequences have a specific purpose. The distribution of categories and tiers is too big to fit into one or even two sequences, so they split it into two categories, odd and even, which are combined in the ACP. This allows them to make channel changes one month in advance and allows for more flexibility in tier programming. It's too complex to get into here, and it's not the best way to crack the box.

They actually encrypt the same category keys differently in each sequence, which is not a wise move because it can be cryptographically attacked, but it is still extremely difficult to use since that would only give the ability to derive a working key, which would have to be recracked on every category change. It is the auth keys that are the important ones, because we just can't get at the ones that are in the ACP; it is a one-way function.

At this point the goal is to identify valid commands and to discover if it is possible to program the ACP's UA or keys etc. I believe it can be done by trialling new sequences that would never normally be sent over the CC network. If they did that it would be like handing out candy to kids from Motorola's view. The features to perform this level of manipulation are coming. I have to create that functionality, and I must say it's rather complex.

I am certain that we will not be able to turn on a new channel or change a tier by manipulating an auth sequence; that would require knowledge of the key lists that were programmed into the box. They have that part well secured, trust me on that one; it's deadly complex and would require distributed DES cracking to accomplish, using known ciphers or a leak from the CC. The auth keys are well hidden. At the point it becomes possible to change the ACP UA or other values, the game will change, because once you have control of what goes into the ACP you can change what tiers and categories it will allow, since you can then load your own keys for the authorization sequence of the ACP.

The system is much more complex than most even think, and the info is detailed in the patents; it's just really ugly to digest. There are weak points, just not very many of them.
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

thanks cipher. great work!
oldnewbie
Junior Member
Posts: 21
Joined: Wed Dec 06, 2006 8:58 pm

Post by oldnewbie »

nice job Cipher...

Thank you....
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

Nice. Anyway, I can say 100% sure the UID and GI number relate somehow. I have a list of GIs and UIDs that are only 1 number apart from each other in UID and GI#. If you want I can send you the list; maybe you can make sense of it, maybe there is a way the UID is generated automatically.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

Can I send any other commands or just what you have in there?
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

You can send any command you want. For example, let's make something new from an existing command.

In XCCmdFile.txt you would add the name of your command in brackets, like the following command sequence.

[GetKey1234]
0E 06 80 0B 02 12 34 2F
0E 01 00
0E 02 00 00
0E 01 01
0E 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

You will need to create an XOR checksum of the values in blue. The red value is the calculated checksum. This can be done using the Windows Calc program.

These instructions are also in the XCCmdFile.txt file.

The new boxed name will be parsed and added to the SendCmd pulldown box when you first run XCMangler.

Make sure the last line of text in XCCmdFile.txt contains ;End

Please send me the list of GI/UID's and I will see if I can make sense of it.
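Added example (Python, written for this page; it is not part of XCMangler or this thread): a checker for the XCCmdFile.txt layout described above, so a mistyped checksum or a missing ;End is caught before the file is loaded. It assumes, matching the [GetKey1234] frame in the post, that the second byte of a frame counts the bytes that follow it and that the last byte of a frame beginning 0E <len> 80 is the XOR of the bytes between the 80 and that last byte (the "blue" values and the "red" checksum of the post).

```python
from functools import reduce
from operator import xor

# Constructed sample: [GetKey1234] is the block from the post above; [BadChecksum] is
# a made-up copy whose last byte was altered to show how a bad checksum is reported.
SAMPLE_CMDFILE = "\n".join([
    "[GetKey1234]",
    "0E 06 80 0B 02 12 34 2F",
    "0E 01 00",
    "0E 02 00 00",
    "[BadChecksum]",
    "0E 06 80 0B 02 12 34 2E",
    ";End",
])

def xor_checksum(payload):
    """XOR of the payload bytes, e.g. 0B 02 12 34 -> 2F as in the GetKey1234 frame."""
    return reduce(xor, payload, 0)

def parse_cmdfile(text):
    """Split the text into {name: [frame, ...]}; also report whether ;End is the last line."""
    sections, current = {}, None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for ln in lines:
        if ln.startswith(";"):                       # ;End terminator or comment line
            continue
        if ln.startswith("[") and ln.endswith("]"):  # new entry for the SendCmd pulldown
            current, sections[ln[1:-1]] = ln[1:-1], []
            continue
        if current is None:
            raise ValueError(f"frame before any [Name] header: {ln}")
        sections[current].append([int(tok, 16) for tok in ln.split()])
    return sections, bool(lines) and lines[-1] == ";End"

def check_frame(frame):
    """Check the length byte and, for 0E <len> 80 ... frames, the trailing XOR checksum."""
    if len(frame) < 2 or frame[1] != len(frame) - 2:   # byte 2 counts the bytes after it
        return False, f"length byte does not match the {len(frame) - 2} bytes that follow"
    if frame[0] == 0x0E and frame[2:3] == [0x80] and len(frame) >= 5:
        expected = xor_checksum(frame[3:-1])           # bytes between 80 and the last byte
        if frame[-1] != expected:
            return False, f"checksum {frame[-1]:02X}, expected {expected:02X}"
    return True, "ok"

def validate_cmdfile(text):
    # Map each command name to the problems found in it (an empty list means clean).
    sections, terminated = parse_cmdfile(text)
    report = {name: [msg for ok, msg in map(check_frame, frames) if not ok] for name, frames in sections.items()}
    if not terminated:
        report[";End"] = ["file does not end with ;End"]
    return report
```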
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

For some reason I managed to make all the premiums on my E11 be ENC 20; they used to be digital 00.

Now I still get invalid UID...
No picture but some weird logs, and the DAC ID changed. I haven't done SPI before, I'm a noob; I am sure I will hit something again... and I forgot to keep records of how I did it.

What is a command like this? C4? It's a bomb... tic tac.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

Channel 07 sends instructions to the BCM7015, so the 07 0C C4 is a BCM7015 command.

By the way, I hard-coded an auto ACPReset function if the ACP returns 0x11; you can see it in the logs as 0E 02 86 18.

If you do not want it to automatically reset the ACP, then rename the [ACPReset] to [ACPReset1] in the XCCmdFile.

Of course you will then need to manually correct the 0x11 ACP condition by sending [ACPReset1].

I don't know what 07 xx C4 is doing, but you are already discovering the power of trialling.

Good work!
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

cipher wrote:Channel 07 sends instructions to the BCM7015, so the 07 0C C4 is a BCM7015 command.

By the way, I hard-coded an auto ACPReset function if the ACP returns 0x11; you can see it in the logs as 0E 02 86 18.

If you do not want it to automatically reset the ACP, then rename the [ACPReset] to [ACPReset1] in the XCCmdFile.

Of course you will then need to manually correct the 0x11 ACP condition by sending [ACPReset1].

I don't know what 07 xx C4 is doing, but you are already discovering the power of trialling.

Good work!

I always think channel 07 is used to send keys to the BCM. If it is true, maybe we do not need the XC chip at all to open a channel.

Let us say I recorded one channel on a subscribed box on channel 7, then I play this command to another box.

I noticed one new HD box (dual tuner) does not have an XC chip. In satellite testing today they can manually enter keys; maybe the first step for cable testing is to enter keys as well.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

usbbdm wrote:I noticed one new HD box (dual tuner) does not have an XC chip. In satellite testing today they can manually enter keys; maybe the first step for cable testing is to enter keys as well.

It does have an XC chip, the new version. Just like the 700 but a bigger version, same serial type.

SCF8000, and one more thing: the HDs have smart card capability, not all of them but they do... just like satellite. And the old version of boxes used smart cards on the same system, DigiCipher 2... same DigiCipher 2 with cards. I have never opened one, but now it has come to my attention.

Like BDM said, we might be able to enter the right commands if we have the right firmware... I am sure everything will be done from the firmware anyway, later on.