ACP analysis and command creation tool

XC chip, auth and block SPI command.

Post by tester5 »

Is it OK if we post commands? Maybe someone can see something similar.

Do you have one that can make these commands in real time?

I keep getting this command, I don't know what's up... it is a similar command and response on all my ENC12 channels:

0E 08 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 81
On a channel that says unavailable I get only 00000000081.

Looks like after every command 80 07 01 00 06 comes that sequence of weird C8 data and stuff.


I also get this type of command. This is the only one that is different on all the boxes... 3 different boxes, only this data is different, and all have exactly the same package.
What's this? I don't see the UID in there, and it seems the command is split in 2 parts; the 02 in the middle is about it.

B0 21 EF A8 27 8E 9A 2C 00 00 11 8A 00 00 0A 02 00 01 00 00 4C 22 00 00 17 33

CD 30 B2 84 B5 19 A3 60 00 00 00 00 00 00 00 02 00 01 00 00 3A 98 00 00 0D 19
EE FC 6B C1 E7 20 0F 08 00 00 12 BC 00 00 05 02 00 01 00 00 4D 54 00 00 12 CA

I tried to play back most of the commands. I get the response 55 00 back, I think that's good, but I don't see anything different. I only tried on an E11... anyway, I tried on a box that still has a valid ID. Oh, one more thing: on an E11 the UID response is weird. It should be all FF 16 00 00 00 00 20 00 XX, right? Well, I get all weird numbers. Does anyone else get that?

Anyway, cipher, if you got the real version I want to try the real-time one, to send those C8 and other commands and see what purpose they have.

Post by tester5 »

OK, auth command analysis...


I came to the conclusion of this:

First command:
80 3C xx xx xx xx xx xx xx xx xx xx xx 80 yy yy yy yy yy yy yy yy yy yy yy yy yy yy yy yy 02 04
81 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
81 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
81 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
81 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx yy yy yy yy yy yy yy yy xx xx xx

First command: XXXX will be the same on any box with the same package.

YYY is different; it might be incorporated with the UID. Anything else in the sequence will be the same...


Now the conclusion is to find out what the hell the YYYYY's stand for and if we can pull them out. I also believe this command response is related: after command 80 0B 02 51 09 51 the response is
00 D5 D7 87 4D 02 23 7F 4E 00 00 00 00 00 00 00 02 00 01 00 00 3A 98 00 00 0D 65
There are a couple of these, different in every box; some are the same with the same package. D5 D7 87 4D 02 23 7F 4E, the beginning, is different; the rest is the same. 3A 98 in this case means something ISP- or box-specific, I don't know what.

re

Post by junctionbox »

Is this device made for retrieving information from a cc-subscribed converter and applying it to other non-subscribed converters? Also, will this device also allow us to control ISP?

Post by cipher »

tester5 wrote:OK, auth command analysis...


I came to the conclusion of this:

First command:
80 3C xx xx xx xx xx xx xx xx xx xx xx 80 yy yy yy yy yy yy yy yy yy yy yy yy yy yy yy yy 02 04
81 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
81 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
81 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
81 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx yy yy yy yy yy yy yy yy xx xx xx

First command: XXXX will be the same on any box with the same package.

YYY is different; it might be incorporated with the UID. Anything else in the sequence will be the same...


Now the conclusion is to find out what the hell the YYYYY's stand for and if we can pull them out. I also believe this command response is related: after command 80 0B 02 51 09 51 the response is
00 D5 D7 87 4D 02 23 7F 4E 00 00 00 00 00 00 00 02 00 01 00 00 3A 98 00 00 0D 65
There are a couple of these, different in every box; some are the same with the same package. D5 D7 87 4D 02 23 7F 4E, the beginning, is different; the rest is the same. 3A 98 in this case means something ISP- or box-specific, I don't know what.
80 yy ... 02 04 - these are the encrypted category keys: the first 64 bits is the odd key and the next 64 bits is the even key.

last yy - this is a 64-bit authentication hash.

80 0B 02 XX XX CC - still trying to understand it; it's some sort of key, there are 65535 addressable units with XX XX, and CC is the XOR checksum.

Post by cipher »

usbbdm wrote:
cipher wrote:Channel 07 sends instructions to the BCM7015 so the 07 0C C4 is a BCM7015 command.

By the way, I hard coded an auto ACPReset function: if the ACP returns 0x11 you can see it in the logs as 0E 02 86 18.

If you do not want it to automatically reset the ACP then rename the [ACPReset] to [ACPReset1] in the XCCmdFile.

Of course you will need to manually correct the 0x11 ACP condition by sending [ACPReset1].

I don't know what 07 xx C4 it is doing but you are already discovering the power of trialling.

Good work!
I always thought channel 07 is used to send keys to the BCM. If it is true, maybe we do not need the XC chip at all to open a channel.

Let us say I recorded one channel on a subscribed box on channel 7,
then I play this command to another box.

I noticed one new HD box (dual tuner) does not have an XC chip. In satellite testing today they can manually enter keys; maybe the first step for cable testing is to enter keys as well.
This is quite possible. I know the BCM7015 can decrypt an MPEG stream itself, or it can pass it to the ACP. The ACP can process one of up to six different channels on its connection to the BCM MPEG stream.

This may explain how they do VOD or they may just not encrypt VOD.

Some of the 07 channel commands send MPEG PID etc. info back to the BCM; this may select the digital channel to send on the MPEG stream connection.

Re: re

Post by cipher »

jamesjames wrote:Is this device made for retrieving information from a cc-subscribed converter and applying it to other non-subscribed converters? Also, will this device also allow us to control ISP?
No. It's for analysis and trialling or replaying.

Post by cipher »

Real time...

This was the original goal and I will keep trying. But it is not easy: the platform has specific timing events and status info that I do not have reference info on. I was able to successfully process the serial info with stability. But sending the command to the QSM port without causing box resets was not successful.

Post by tester5 »

Now, since we know they are encrypted, I was mentioning that only YYYYY has to be decrypted because the rest can stay the same...


Well, I am sure the commands are encrypted, especially this command, which I figured out what it is. Actually this is a response sent to the cc.

These are similar encrypted data that go to the cc when asked...
00 B0 21 EF A8 27 8E 9A 2C 00 00 11 8A 00 00 0A 02 00 01 00 00 4C 22 00 00 17 33
00 CD 30 B2 84 B5 19 A3 60 00 00 00 00 00 00 00 02 00 01 00 00 3A 98 00 00 0D 19
00 EE FC 6B C1 E7 20 0F 08 00 00 12 BC 00 00 05 02 00 01 00 00 4D 54 00 00 12 CA

Commands after E11, you get this:
01 16 27 46 5C CC 8E AC 72 47 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 F0

It's all encrypted but contains the UID and some other factors... after E11 the box fails its encryption.

Why do we have this?
s 2
s 0 0 0
s 2
s 0 0 0
s 86 18
g 2 1 0
g 4 0
g 5 0
g
g 0e 05 30 18 19 35 85
Is it necessary for the commands to go in properly?

Post by cipher »

The security that is used to build an auth for a box is way way way way way too difficult to crack, so, as I mentioned in an earlier post, messing with the auth command is not the way to crack the box.

Just to brute force 1 category key on a 2.0 GHz processor would take 6 months, and they are changed monthly!

The 64-bit hash uses one of the secured XC auth keys to create a signature. The signature must match or the ACP will reject it. Change 1 bit of the auth sequence and you need to recalc the signature, so you must have knowledge of the secured keys. If you could trial the signature it would take 5-plus seconds each, and there are 4 * 64^2 possibles with standard DES and 4 * 64^2 factorial 4 possibles in 3DES; the system uses either. Then, on top of that, a randomly selected portion of the ACP internal firmware or memory is XORed into the key for good measure.

It is possible to perform a birthday attack on the hash, but you would need to figure out what portions of the auth are included in the hash function and what the algorithm to calculate it was.

This is a more reachable possibility but far from simple.

Post by tester5 »

What are you talking about, brute force? I have a quad PC, maybe it works faster... What do you need? My keys never change; is it helpful if I participate in that? Maybe I find out faster and see what's inside the command?

Post by tester5 »

Anyone seen a box called QCR2221? It is a dechiper2 box just like Motorola and works with the same system... now it only has a card and no XC chip; it also has the same CPU,
bcm7115,
has a built-in modem,
bcm3345.

All of them have JTAG.
The smart card should have the keys...

Post by cipher »

adrianbv6,

If you want to play with auth manipulation you will need to write code that does the following.

Enable logging, then

On an authed box, first buy a PPV and record the HEX values for the PPID, Package cost and Package ID.

This comes from the logged 80 0A command:

0E 11 80 0A 07 00 00 00 08 2E B9 D1 43
55 00 00 00 00 00 00 00 00 00 00

Then

Record the returned package key from the log, indicated by the 0B 1A response.

It looks like this after 80 0A:

0E 01 00
0B
0E 02 00 00
0B 1A
0E 01 01
00
0E 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 E9 23 31 5E E7 49 56 89 00 00 00 8E 00 00 89 28 00 01 00 00 00 CA 00 00 8E AF

Then write a program to:

1 Generate 65536 random DES 56-bit keys
2 Decrypt a 64-bit category key from this authed box with the 65536 keys
3 Decrypt the Package Key with the decrypted category keys and match 1 or more bytes of the 80 0A command.
Try the next 65356 possibles.

Repeat until a match is found, and bingo, you have the category key in the clear.

This is the first of many other system key cracks that will need to be accomplished.

This is the brute force component.

And this is the easy one to do.

This is one of the system's weaknesses. Once you have the category key it becomes possible to trial hash algorithms and other brute force methods that will eventually lead to the unit keys for only one box!

I will not do this myself until there is evidence that I can change the UID and keys.

Post by tester5 »

Look at this:
http://en.wikipedia.org/wiki/EFF_DES_cracker


I guess DES is hard to crack.

Triple DES is very hard...


I don't see any programs where you can easily put in a string of encrypted data and wait until it calculates all the possible decryptions, or something like that.



Now, what I understand about this damn encryption: well, the XC chip does normal DES, so that bigger encrypted command is just double; otherwise they would only have made it triple. I don't see a point in using both encryptions.

Post by tester5 »

Hey, something came into my head, just like most of the stuff...
Can you decrypt a message if you have a valid key?



I think the XC encrypts data by your UID in hex. I get this thing I was analyzing...

00 B0 21 EF A8 27 8E 9A 2C 00 00 11 8A 00 00 0A 02 00 01 00 00 4C 22 00 00 17 33
00 CD 30 B2 84 B5 19 A3 60 00 00 00 00 00 00 00 02 00 01 00 00 3A 98 00 00 0D 19
00 EE FC 6B C1 E7 20 0F 08 00 00 12 BC 00 00 05 02 00 01 00 00 4D 54 00 00 12 CA

EE FC 6B C1 E7 20 0F 08
CD 30 B2 84 B5 19 A3 60
B0 21 EF A8 27 8E 9A 2C
There are only 4 of this type... which makes me think now (usbdm just reminded me) that there are 4 80 3c commands to send to auth.
Now, since this said company pulls one of these replies, it then automatically computes the auth command based on that key.

That is encrypted data... always the same.


Now... on the same box after E11 I get this. Only this, nothing else...
01 16 27 46 5C CC 8E AC 72 47 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 F0

16 27 46 5C CC 8E AC 72 47: if that's the result, then I was thinking about a program that can calculate those results into that.
I think I am right with this now because I don't see any other explanation...

That is the UID after 16... and it seems to be encrypted... by default of the XC. I believe the XC has a set key to encrypt data; the only thing the company does is add their stream keys...

My theory is that each XC chip UID completes the DES encryption; this way, when it is E11 there is only one result on all boxes... and only one key to encrypt, it will not be different...
This way, my idea is that if we figure out the key on the default E11 that encrypts data to begin with, then next is to find the stream keys and make a sequence that only E11 will accept.



I think in theory, in the factory, the XC chip is a DES encryptor.

Now each one is programmed with a UID... the UID is the key, OK, part of it.

That's why the company needs a response from the box to complete the sequence... go figure why they can't make it on an E11... it is not unique anymore.

It's impossible the company has access to the encryption; the only thing they might do is input the keys into the program and compute the encryption based on every XC chip's distinct UID...

If anyone has any more ideas please add them; look at your boxes, I think this is a flaw we might be able to find.


Look, there has to be a reason why this comes first in many of my tries...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 CD 30 B2 84 B5 19 A3 60 00 00 00 00 00 00 00 02 00 01 00 00 3A 98 00 00 0D 19

04/23 21:14:49 :0484
80 3C 99 70 00 00 00 94 A0 00 01 00 00 80 F6 95 BA 38 34 98 1E 65 79 B5 6F C2 B7 D1 B4 86 02 04
55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


I can't see the command used to get that, but it's there.

Now, all this mumbo jumbo... let me sum things up.

XC (invalid UID) --> nothing to encrypt. That's why the passCARD slot might be there, to program a UID, but the encryption key might be permanent.
Right, if we encrypt something with one key then the result will always be different because of the UID number, but when the UID number is different it is not anymore.





Please, any more people with an E11, please read your response and see what you get.


If it is like that:
01 16 27 46 5C CC 8E AC 72 47 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 F0

then let's join forces and find the pattern to:

UID in hex all 00 00 00 00 00, maybe more than the UID in here? The result is 27 46 5C CC 8E AC 72 47.

Please prove me wrong so I can sleep.

Post by tester5 »

OK, I can't find a good encryptor and decryptor. Anyone know one? I can try a couple; are there no programs out there?
I USED THIS ONE I GOT FROM SOMEONE.

Like, let's say the UID is in this state:

00 00 00 00 KEY 11 11 11 11 11 11 11 11
RESULT
f5 38 a1 1f 77 9e b7 49 3f 68 28 57 47 96 14 ad these are 16.

Maybe the program doesn't calculate right.

So I put it all together:
00000000 key 11 11 11 11 11 11 11 11
result
DE 8D 55 14 2B 18 DE B7 this will be 8 pairs... just to fit in that command I was talking about up there...


My idea is that if anyone else with an E11 has the same command, then all XC chips in the Motorola factory, before being installed on boards, are permanently programmed with a key, or it's made to encrypt data only one way, one combination, and once you have a UID the sequence will always be different because the UID is. And this time I am 90% sure this is the technique. That's why it is so hard to crack, because of so many combinations... but if we find only that one key built into the XC chip in the factory before it was programmed with a UID, then we crack this case.



Please, E11 responses quick, I am curious; I have no more E11 boxes.