how to find a biss key for feeds?

Sorry, but it doesn't work for me. Just a blank field in the codeScreenshot_1.png

Eutelsat 7E

The CWFinder only works when the Key is listed in CWBrute List.

Normally you use the .ts file, then get the C8 Key (see here) then use the CSA Rainbow tables (from here) and then you get the BISS key.

But.... the rainbow tables are quite huge (around 200GB) and you need a fast graphics card to bruteforce the key. It can take up to 5 minutes on a SSD with NVidia with CUDA.

Another way is to buy a cheap Chinese receiver with autobiss function. Here the receiver sends a part of the .ts stream to a server, then the server does the job and you get the key back. You can export it from the local softcam file on the receiver and then post it here or export it to any other softcam :)

Quote from jenseneverest

Quote from tiger82

Code

half the links don't work on http://colibri.bplaced.net/csa_rainbow_table.htm

i have most, if not all that data on HDD, what we need is a suitable place to share it, a file host that is free and can handle 1.2TB of data

there was one member of th sat universe who shared a link and I uploaded some tables there

here for you _https://csar.birds.web.id

Quote from zapf2000

Another way is to buy a cheap Chinese receiver with autobiss function. Here the receiver sends a part of the .ts stream to a server, then the server does the job and you get the key back. You can export it from the local softcam file on the receiver and then post it here or export it to any other softcam :)

do i need to tune the frequency with BISS encrypted stream every time to get the key from these "chinese servers"? is it possible to just download the latest softcam.key file from this server based on other user's inputs in the past? i'm just looking to share keys within a group of friends and watch the feed myself only once in a while ...

thanks for the detailed response jenseneverest . even though the feeds are active only for a few hours, i would expect these "Chinese servers" to be smart. They would not be computing the key every time someone switches the receiver to a BISS encrypted channel. once someone's receiver has uploaded the necessary parts of .ts stream, the server would compute and store only the 8 byte key values. consequently when another person's receiver asks for the same key, the server would just provide the key instead of asking to upload .ts chunk all over again.

my question is : if a feed's .ts chunk is already uploaded by some receiver to the server in the past, the server would already have the key for that particular feed (possibly uniquely identified by geolocation of the satellite, frequency, SR, SID etc.). would i be able to get these readily available keys without actually tuning my receiver to that particular satellite/frequency/SR/SID etc.?

perhaps zapf2000 would want to chip in too ?

cheers

Quote from Freshmint

thanks for the detailed response jenseneverest . even though the feeds are active only for a few hours, i would expect these "Chinese servers" to be smart. They would not be computing the key every time someone switches the receiver to a BISS encrypted channel. once someone's receiver has uploaded the necessary parts of .ts stream, the server would compute and store only the 8 byte key values. consequently when another person's receiver asks for the same key, the server would just provide the key instead of asking to upload .ts chunk all over again.

my question is : if a feed's .ts chunk is already uploaded by some receiver to the server in the past, the server would already have the key for that particular feed (possibly uniquely identified by geolocation of the satellite, frequency, SR, SID etc.). would i be able to get these readily available keys without actually tuning my receiver to that particular satellite/frequency/SR/SID etc.?

perhaps zapf2000 would want to chip in too ?

cheers

Display More

They do exactly what you are saying…but they are computing the request using an hash calculated in a way which is not known so you cannot just contact the server and get the key

Yes, rush1 is right. Every request is hash based, so it's not possible to get the key directly (perhaps through an API, but it's unknown). I'll sniff communication with wireshark when I have time to.

A possibility would be to setup an own server, that does the job. Currently this is all done manually (pipe .ts to C8 calculator, export C8 to Rainbow Table Tool, export the key to Softcam.Key, restart Oscam). As I already built up a CUDA Server on my Linux Maschine, the key finding was boostet a lot. I get most keys in a few seconds.

If we had a Enigma plugin for extracting C8 out of .ts and send it to my server, read the key back and update Softcam.key, it could all be done automatically as the BISS autokey function does. We could define the protocols and security ourselfes.

Someone likes Python programming? ;)

i was looking for server software to calculate cw from crypto8 that can run on linux but I would not find it, python is not a big deal but starting from scrath maybe be a problem. In addition we definitely need a linux vm with nvidia GPU. Ideally the workflow should be

1) ask the server for all known keys for the feed.. "0070:11017:V:7199"

2) test all keys

3) if not working, wait for C8, extract it and send to the server

4) polling server while it calculates the CW

5) receive the CW

I used wine for the CUDA Server. Works without any performance loss. I compared it with native Windows. Wine is able to share the nvidia GPU and use the CUDA Server built for Windows.

See here

ok, but is there a cmd windows utility to calculate cw from c8? i only know UI windows program....which is not suitable for a server

I found some python code for calculating C8, but I lost the link to it. I'll search for it again. For the Rainbow Table Tool there is also c++ code available, both from Colibri himself, but also the Posix Version for Unix based systems.

The Linux Port

Original Sources from Colibri

although my understanding of biss implementation and hacks is rather limited, a couple of things to note

Quote from rush1

ask the server for all known keys for the feed.. "0070:11017:V:7199"

blind scans on different receivers almost always throw up frequency and SR values a bit off from the "real" ones. for instance, the unique hash mentioned above could actually be of the feed on frequency 11015 Mhz with SR 7200. these variations need to be taken into account when the receiver askes server for a key

i think a cleaner implementation would be as suggested by zapf2000 . extract crypt8's using enigma2 plugin and then send it to the server. how compute intensive is getting c8 from raw .ts ? can an average e2 box do it without much fuss?

Quote from Freshmint

i think a cleaner implementation would be as suggested by zapf2000 . extract crypt8's using enigma2 plugin and then send it to the server. how compute intensive is getting c8 from raw .ts ? can an average e2 box do it without much fuss?

this is an approach...i guess if the SR is 7199 or 7200 or 7202 wil be considered the same. Regarding the ability to get c8 from raw ts not sure how to do that in python too, need to study the cpp code to understand

Quote from Freshmint

although my understanding of biss implementation and hacks is rather limited, a couple of things to note

Quote from rush1

ask the server for all known keys for the feed.. "0070:11017:V:7199"

blind scans on different receivers almost always throw up frequency and SR values a bit off from the "real" ones. for instance, the unique hash mentioned above could actually be of the feed on frequency 11015 Mhz with SR 7200. these variations need to be taken into account when the receiver askes server for a key

i think a cleaner implementation would be as suggested by zapf2000 . extract crypt8's using enigma2 plugin and then send it to the server. how compute intensive is getting c8 from raw .ts ? can an average e2 box do it without much fuss?

It takes nearly no CPU power to get C8 out of TS, because the TS package is only parsed and cut to get the 8 Bytes out of the 184 Bytes payload in TS.

I found an old code snippet written in perl, which does the job.

#!/usr/bin/perl
use strict;
use warnings;


my $num_args = $#ARGV + 1;
if ($num_args != 3) {
    print "\nUsage: getC8.pl file pid payloadsize\n";
    print "Set pid to 'all' for all pids.\n";
    print "Set payloadsize to 'all' for all payloadsizes.\n";
    print "----------------------------------------------\n";
    print "getC8.pl v0.5 02/09/2018\n";
    exit;
}

my $file=$ARGV[0];
my $pid=$ARGV[1];
my $payload=$ARGV[2];
my $low=1;
my $high=23;


if ($payload ne "all") {
    $payload=oct($payload) if $payload=~ /^0/;
    $low=int($payload/8);
    $high=int($payload/8);

    if ($payload % 8 != 0) {
        print"\nError: The payloadsize must be a multiple of 8!\n";
        exit;
    }
    if ($payload > 184) {
        print"\nError: The payloadsize may not be greater than 184!\n";
        exit;
    }
    if ($payload < 8) {
        print"\nError: The payloadsize may not be smaller than 8!\n";
        exit;
    }
}

if ($pid ne "all") {
    $pid=oct($pid) if $pid=~ /^0/;
    if ($pid > 0x1FFF) {
        print"\nError: The pid may not be greater than 0x1FFF!\n";
        exit;
    }
    if ($pid < 0x0020) {
        print"\nError: The pid may not be smaller than 0x0020!\n";
        exit;
    }
}

print "getC8.pl v0.5 02/09/2018\n";
print "------------------------\n";

my %even_c8=();
my %odd_c8=();

open (my $FH, '<:raw', $file) or die "Can't open '$file' for read: $!";

while (read $FH, my $packet, 188){
    my $header_2=unpack("x1 C",$packet);
    my $header_3=unpack("x2 C",$packet);
    my $header_4=unpack("x3 C",$packet);
    #printf ("0x%02x\n",$header_4);
    
    my $tmp_pid = (($header_2 & 0x1F) << 8) | ($header_3);
    my $scrambled = ($header_4 >> 6); #10=even; 11=odd; 
    my $af = ($header_4 >> 4) & 0x3; #01=no af; 11=af and payload
    my $offset=4;
    my $tmp_pls=0;
    #print "$pid $scrambled $tmp_pid $af\n";
    
    #if (($tmp_pid == $pid) && ($scrambled > 1)){
    if (($tmp_pid < 0x1FFF) && ($tmp_pid >0x001F) && ($scrambled > 1)){
        if ($af == 0x1) {
            $tmp_pls=184;
            $offset=4;
        } elsif ($af == 0x3) {
            $tmp_pls=184-unpack("x4 C",$packet)-1;
            $offset=unpack("x4 C",$packet)+1+4;
        }
        
        $tmp_pls=int($tmp_pls/8)*8;
        #printf "$offset\n";
        if ($offset>180) {$offset=4};
        my $c8=unpack("x$offset H16",$packet);
        #printf "$c8\n";
        if ($scrambled==2) { #even
            if (!(defined $even_c8{$tmp_pls}{$tmp_pid}{$c8})) {
                $even_c8{$tmp_pls}{$tmp_pid}{$c8}=0;
            }
            $even_c8{$tmp_pls}{$tmp_pid}{$c8}++;
        } elsif ($scrambled ==3) { #odd
            if (!(defined $odd_c8{$tmp_pls}{$tmp_pid}{$c8})) {
                $odd_c8{$tmp_pls}{$tmp_pid}{$c8}=0;
            }
            $odd_c8{$tmp_pls}{$tmp_pid}{$c8}++;
        }    
    }
}
close $FH or die "Cannot close $file: $!";

for (my $i=$low; $i<=$high; $i++){
    my $tmp_pls=$i*8;
    printf "Using payload size: %s\n",$tmp_pls;
    foreach my $tmp_pid (sort keys %{$even_c8{$tmp_pls}}){
        my $counter=0;
        foreach my $c8 (sort {$even_c8{$tmp_pls}{$tmp_pid}{$b} <=> $even_c8{$tmp_pls}{$tmp_pid}{$a}} keys %{$even_c8{$tmp_pls}{$tmp_pid}}){
            if (($even_c8{$tmp_pls}{$tmp_pid}{$c8}>1) && ($counter<11)){ 
                if (($pid eq "all") || ($pid == $tmp_pid)){
                    printf "PID %0Xh %0Xh-Crypt8: %s [E] Count:%s\n",$tmp_pid,$tmp_pls,$c8,$even_c8{$tmp_pls}{$tmp_pid}{$c8};
                    $counter++;
                }
            }
        }
        if ($counter>0) {print "\n";}
    }

    foreach my $tmp_pid (sort keys %{$odd_c8{$tmp_pls}}){
        my $counter=0;
        foreach my $c8 (sort {$odd_c8{$tmp_pls}{$tmp_pid}{$b} <=> $odd_c8{$tmp_pls}{$tmp_pid}{$a}} keys %{$odd_c8{$tmp_pls}{$tmp_pid}}){
            if (($odd_c8{$tmp_pls}{$tmp_pid}{$c8}>1) && ($counter<11)){ 
                if (($pid eq "all") || ($pid == $tmp_pid)){
                    printf "PID %0Xh %0Xh-Crypt8: %s [O] Count:%s\n",$tmp_pid,$tmp_pls,$c8,$odd_c8{$tmp_pls}{$tmp_pid}{$c8};
                    $counter++;
                }
            }
        }
        if ($counter>0) {print "\n";}
    }
}

By the way, the BISS Autokey function of some receivers base on the FreeDVB BISS API. When you have an API key, you can easily obtain the CW via API....

                                Biss API - v1.0

Overview:

    api_uri : https://service.freedvb.com/biss/${API_KEY}+${TS}+${API_SIGNATURE}
    example : https://service.freedvb.com/biss/00000000000000004741419a05d687e0c29a2cc3360a82db00ca03ad75cd379bd4fb105a877cb4635ff815db8fe3fc3f3f86dd32d4c02617376b07218c5816d668d1b23d97520fd52359813607a3ada2c872543103376382ad7793d8778e4d04ce133177abd5e1d0053445725e461ee045a5c23b0a0aef9622306f0af3d91c1c0dd581be9de63bc4c089a592ef6d3100045a0244340cba9c0c3d04e1a56baa1260a71b9e51c56e1f70dda5c6297602cdd4051ac95993a5fbfa2bfb85f6e3b42a168ce0964cc7bfb797390719

Description:

    API_KEY:         8B
    SECRET_KEY:      8B
    TS:              188B - 47 XX XX XX ......
    API_SIGNATURE:   8B

    API_SIGNATURE = MD5(API_KEY+TS+SECRET_KEY)[8:16]
    
    Note: You can apply for api key and secret key for free from FreeDVB, and the privacy of secret key must be guaranteed.
    
    Python sample code:
    
        import hashlib, requests

        api_key, secret_key = '0000000000000000', '0000000000000000'
        ts = '4741419a05d687e0c29a2cc3360a82db00ca03ad75cd379bd4fb105a877cb4635ff815db8fe3fc3f3f86dd32d4c02617376b07218c5816d668d1b23d97520fd52359813607a3ada2c872543103376382ad7793d8778e4d04ce133177abd5e1d0053445725e461ee045a5c23b0a0aef9622306f0af3d91c1c0dd581be9de63bc4c089a592ef6d3100045a0244340cba9c0c3d04e1a56baa1260a71b9e51c56e1f70dda5c6297602cdd4051ac95993a5fbfa2bfb85f6e3b42a168ce096'

        md5 = hashlib.md5()
        md5.update(bytes.fromhex(api_key + ts + secret_key))
        api_signature = md5.digest()[-8:].hex()

        r = requests.get('https://service.freedvb.com/biss/{}'.format(api_key + ts + api_signature))
        print(r.text)