PowerVu nano 01 Discussion/Exploration

Quote from Dalvinx1

Quote from until061

Good job, I’ll follow your topic with interest.

I don’t know if I can help or not. If you want to share your data / software, I’m interested.

Greetings

Ok, tomorrow I'll compile the data I have saved and send it to you, let's see what else I can get from there.

Greetings.

Display More

Mad scientists are what this hobby is all about!

So it does have a JTAG? If I can get root access that will be almost as if not more interesting as it should allow finding a way to get into the trustzone key storage and such.

Thanks for sharing! I really hope UPS doesn't act like USPS and deliver 1+ week late - they usually do better so it should be here tomorrow.

Where are you even getting software updates, OTA from the satellite? I can't find them on cisco's site anywhere.

Good to know...then the AFN version may differ from whatever version you have then. Will be interesting to compare.

Quote from ray34

Do not share the information you have accessed or are trying to access in the open area and share the file in an encrypted form as WinRAR. If others see it and leak information to the center, the administrators will take precautions and patch it, it is always like this.

Those are exposed on google search already - but if firmware dumps are shared we may be better off doing that via DM or a private thread if possible.

I would assume. Also figure this may give us a way of figuring out how to crack pvu+ too - with cuda we could just get a sample from each channel/tp and test keys against it somehow using cuda and an nvidia gpu against 8 byte UA combinations

Oh: mine is downloading version 2.9 right now: https://media.myafn.dodmedia.o…Troubleshooting_Guide.pdf

For MTN/Anuvu do any of you know how to determine the NetId of the MTN mux?

Fenix11 if you do have dumps of the firmware - 2.90 or whatever, I can probably take those apart...I'm decent with reversing software, but not so much an expert on satellites - like I don't even know the NetId of Anuvu/MTI to test that mux with my receiver.

After reskimming Colibri's work and looking at these dumps, I suspect this thing runs some kind of MIPS RTOS. There's not any truly discernable binaries at a cursory look that do a lot in terms of encryption, I believe the ISC (integrated security chip) is responsible for that.

In the PowerVuSecrets.pdf by colibri he shows how he managed to talk to the ISC.

Has anyone tried getting in touch with Colibri about this before?

This one...it had a sticker on top with the UA of the receiver (which is a new addition - this is PowerVu Plus and nano01 most likely! - AES 128 + using the UA in the hash somehow) - see Colibri's work on what this thing is. I'm sure it probably speaks the same protocol (logic analyzer may be easier than a custom board?)

If we can poke these and figure out the hashing method and reproduce everything in a softcam with a given UA, then for any given stream, the cracking method would involve using CUDA and a capture of the TS with EMM's to test every possible 8 byte UA until we find one that is authorized...I theorize anyway.

I know enough to be dangerous but we may need some help from people who have done a lot in this space in order to figure it out.

pasted-from-clipboard.pngpasted-from-clipboard.png

It'd be amazing if we could get Colibri or someone who is an OG in on this...low level stuff like this is hard.

fairbird sorry to ping you but I think that nano01 may actually be an optional use of AES256, but more importantly, the addition of an 8 byte UA instead of just a 4 byte UA...see the example posted earlier in the thread with the nano00 vs nano01 comparison...the 4 extra bytes appear to just be the new use of longer UA's?

I only know this from a high level view right now, is this something we could pound out/test/investiagate? I wonder if this thread may need to be private or if instead we should talk on TG or Discord?