Posts by Fenix11

Quote from sam_

is that interesting material sharable for analysis and help to understand additionnal processing in the powervu system ?

many thanks.

++

Hi Sam,

resolving this requires the right tools and people capable of using them effectively. The only solution for this new system is to try to obtain the modules that handle encryption—specifically the PTI (Programmable Transport Interface) and the TC (Transport Controller) software. These can be found within the OS20 or OS21 kernel, along with their associated APIs; there, you can examine every detail of the system and observe how it operates. You will need to attempt to acquire these modules and drivers using tools such as ST Workbench, ST 40toolset, Osplus, or trace32, among other possibilities.

Regards.

Quote from sam_

Quote from Fenix11

Quote from ilikenwf

Where are you even getting software updates, OTA from the satellite? I can't find them on cisco's site anywhere.

The software is updated via satellite.

how to get that OTA update ? I guess it comes encrypted and no so easy to disassemble.

best regards.

++

Display More

Hello bro, Updates are obtained via OTA by tuning in to a channel that carries the necessary download PIDs—specifically PIDs 7001, 7002, or 7003. The software is encrypted; consequently, I had to remove the flash memory chip from the receiver in order to perform a memory dump. I currently have several versions available for analysis, including versions x.00, x.01, x,20, x.30, x.75, x.85, x.90, and the latest release, x.92. Using tools such as Binwalk, it is possible to extract specific data to examine the software's details and track any changes made between versions. Additionally, by utilizing tools provided by STMicroelectronics, one can connect to the device via its JTAG interface to explore the system environment and perform memory dumps of specific address ranges.

Quote from geraldo

This is a recording from the VTV+ HD channel, which I made using PowerVu Home Edition.

Those channels have hash mode enabled; that is why the program does not yield valid results with the EMMs.

Greetings colleagues,

here I bring you more news that I have found in the latest powerVu software where they have removed some functions in the data of the DCTP DCTB and DCBS tables, the increase in the Vprintf values of the ECM stamps from% 10d to% 10llu, The new functions called "ECM CM PARTITION PER CENT FULL" is something new that has not been seen in previous software, these functions were in use from 2009 to 2018, but in the latest software 2.92 of 2019 they were modified, they also removed some functions as you can see in the images. so far this is what I have been able to differentiate when analyzing each software. the S-box algorithm, the key flow and the different hash tables have changed, which is why the current emulators are not compatible. it would only remain to study how these new systems work and adapt it to the emulators.

I've been busy too, but sometimes with my limited resources I still continue to investigate the software to find more details about this mystery that has yet to be solved. Anything I find I'll be sharing here.

Quote from carinobra

I can help with any info from 58W. I have a dish pointed to that sat and TV Headend.

excellent it is very good to have more contributions, anything we are in contact with you, meanwhile I am exploring the 9865 receiver in search of interesting data in its memories, I have only found some about the software and its functions, it seems a very extensive tour almost like walking like the desert in search of some water but here we go. here I show you some data that I found inside the equipment.

Quote from carinobra

Quote from Fenix11

Quote from carinobra

Quote from Fenix11

Quote from carinobra

Quote from Fenix11

Greetings.

I'm not that expert on these Nanos issues, but with my limited knowledge, I've noticed that GTMedia opens some 55W and 58W channels with the current PowerVu system. I've noticed that the channels with the Nanos 01 accompanied by the Nano 08 are the ones that are opening but without audio. The others, like the MUX channels of the Studio Universal 58W, only contain Nano 01 with the other Nanos at 00. For example (0E00 01 00 00). Here are some reference images.

I've been analyzing and observing some changes in the ECM flows, among other changes, when I was comparing the old PowerVu cisco software with the new one.

Best regards.

Display More

Is there any progress on this?

Display More

I imagine everyone must be doing their own research and testing; at any moment, someone could come along with other discoveries about this new system. I, too, continue working to advance this with the little knowledge I have. I think if we were more united on this issue, we would have made a lot of progress.

Thanks.

Display More

How can I help?

Display More

It's great to see that question. 😎Do you know anything about programming, development, or what skills you have for this hobby? Because it would be great to have a team with different skills for this project. Together, we can achieve what is impossible for some.💪

Display More

I just used to code in VB a long time ago ... But, I have a C-band dish pointed to 58W, a TV Headend server and could help testing

Display More

That sounds great. I don't know much about servers, so it's always good to have different resources. If you have any updates, we'll be in touch.

Quote from carinobra

Quote from Fenix11

Quote from carinobra

Quote from Fenix11

Greetings.

I'm not that expert on these Nanos issues, but with my limited knowledge, I've noticed that GTMedia opens some 55W and 58W channels with the current PowerVu system. I've noticed that the channels with the Nanos 01 accompanied by the Nano 08 are the ones that are opening but without audio. The others, like the MUX channels of the Studio Universal 58W, only contain Nano 01 with the other Nanos at 00. For example (0E00 01 00 00). Here are some reference images.

I've been analyzing and observing some changes in the ECM flows, among other changes, when I was comparing the old PowerVu cisco software with the new one.

Best regards.

Display More

Is there any progress on this?

Display More

I imagine everyone must be doing their own research and testing; at any moment, someone could come along with other discoveries about this new system. I, too, continue working to advance this with the little knowledge I have. I think if we were more united on this issue, we would have made a lot of progress.

Thanks.

Display More

How can I help?

Display More

It's great to see that question. 😎Do you know anything about programming, development, or what skills you have for this hobby? Because it would be great to have a team with different skills for this project. Together, we can achieve what is impossible for some.💪

Quote from carinobra

Quote from Fenix11

Greetings.

I'm not that expert on these Nanos issues, but with my limited knowledge, I've noticed that GTMedia opens some 55W and 58W channels with the current PowerVu system. I've noticed that the channels with the Nanos 01 accompanied by the Nano 08 are the ones that are opening but without audio. The others, like the MUX channels of the Studio Universal 58W, only contain Nano 01 with the other Nanos at 00. For example (0E00 01 00 00). Here are some reference images.

I've been analyzing and observing some changes in the ECM flows, among other changes, when I was comparing the old PowerVu cisco software with the new one.

Best regards.

Display More

Is there any progress on this?

Display More

I imagine everyone must be doing their own research and testing; at any moment, someone could come along with other discoveries about this new system. I, too, continue working to advance this with the little knowledge I have. I think if we were more united on this issue, we would have made a lot of progress.

Thanks.

Quote from EnoSat

Even though VTV/GolTV already has a new ECM (multi)

Code

80 30 45 50 3F 20 0E00 22 08 9ABC7D5FD78776B1 00 D4 A0 00 A7 C0 C3 36 7E D9 E8 7B C7 88 71 96 82 B4 BA 0150 00 00 FF 59 D5 F0 B9 2A D1 A4 B3 D9 3D BF 65 B1 EF 09 D5 41 5B 4F CD BF 0B 55 7C F5 72 FC 3F 24 B9
81 30 45 50 3F 20 0E00 9B 08 5418E7426A090582 00 D5 A0 00 28 DC F3 A9 0C 31 5A 31 30 7E 62 9A CF 5D A9 0150 00 00 A9 A1 D1 F4 09 34 01 51 CB AE 63 2B 9C B5 C8 88 28 E4 84 7E 1D 83 C3 D9 5A D7 7E 17 2C D1 56

has anyone seen a working EMM for 40W/4061R ?

These EMMs may be active

Quote from EnoSat

Quote from EnoSat

Even though VTV/GolTV already has a new ECM (multi)

Code

80 30 45 50 3F 20 0E00 22 08 9ABC7D5FD78776B1 00 D4 A0 00 A7 C0 C3 36 7E D9 E8 7B C7 88 71 96 82 B4 BA 0150 00 00 FF 59 D5 F0 B9 2A D1 A4 B3 D9 3D BF 65 B1 EF 09 D5 41 5B 4F CD BF 0B 55 7C F5 72 FC 3F 24 B9
81 30 45 50 3F 20 0E00 9B 08 5418E7426A090582 00 D5 A0 00 28 DC F3 A9 0C 31 5A 31 30 7E 62 9A CF 5D A9 0150 00 00 A9 A1 D1 F4 09 34 01 51 CB AE 63 2B 9C B5 C8 88 28 E4 84 7E 1D 83 C3 D9 5A D7 7E 17 2C D1 56

has anyone seen a working EMM for 40W/4061R ?

I have a Geant receiver that autorolls on that channel, but I don't know which EMM it's working with.

The TyS Sport channel 55w, has a very long section, I found inside 2 additional 0E00 plus other data, seeing this in PV plus we would think that it would be additional bytes for AES but it is not because the emulators still open these channels

These changes to the nanos and other improvements that I have seen are quite interesting because I have noticed in some MUX that the values change very often in a channel, for example the FOX NEWS 55w channel that changes the values from nano 01 to nano 00 then to nano 01 also the section length values change from 3D to 4F doing the same thing over and over again, other MUX like the GMA of the 135w I see it much worse where they have the ModeCw: 8,20,25,25,41 also with the changes in section length and hashModeCw with changes from 01 to 00, the truth is that our emulators are crazy with this new system.

Quote from EnoSat

PowerVu uses two encryption modes, either DES or CSA

In nano 20h the two msbits of data byte 7 indicates the if DES or CSA must be used to decrypt the video/audio streams:

00xxxxxxb = DES

10xxxxxxb = CSA

Since 2009 PV has made many changes.

Quote from EnoSat

PowerVu uses two encryption modes, either DES or CSA

In nano 20h the two msbits of data byte 7 indicates the if DES or CSA must be used to decrypt the video/audio streams:

00xxxxxxb = DES

10xxxxxxb = CSA

Exactly as described in this image. We need to continue investigating the modifications they made.

I think they may be in DES because the Espn 55w and 58w still open and are already with the 2.92 app, as I said before it would be that the nano 01 is accompanied by the nano 08 and not 00 like the other MUX like universal studio that cannot open, it also surprises me that the Cisco D9865 detects all these PV plus MUX as SCRAMBLING DES.

Another thing I would like to know is what the new function of the new PIDs detected by the CISCO D9865 will be, as (UNKOWN) these PIDs appear in this new PV plus system and other systems like DIGICIPHER for example. My Enigma Edision detects these PIDs as if they were audio and my TBS card with TS Reader as private data, I think it's like extra security or I don't know if it belongs to the new D9800 equipment but this new unknown PID is very strange, I see that our emulators can't process this additional data. I don't know if this affects the SEED or CW calculations. It would be good to investigate whether this affects it or not.

Hello friends.

I have observed something in the nano 01 hash and that is that the emulator is forced to continue doing autoroll in each valid UA it finds despite already having the valid key and I also saw that there is a UA or EMM that launches an ECM 00 and 01 different from the valid ECM of the same MUX. it seems very strange to me that if you have for example 10 valid or active EMMs in your softcam, the emulator with the new powervu does autoroll over and over again until it reaches the 10 ECMs of the 10 EMMs including the unknown ECM key, this key has the same digits as in index 00 and 01. this detail must be investigated because the emulator is forced to produce repeated keys with this new powervu system of the nanos 01. here I show you the universal studio keys of the 58w observe the keys that the emulator gave. I removed the UA that gave me those false keys 🔑 because I suspected that it paralyzed the emulator but as if the valid keys were repeating for the different EMMs.

It seems that the generated keys expire instantly, and the emulator starts autorolling again, launching the same keys but from different EMMs. I also noticed on one channel of the 55w PFCi HD that there was an EMM key that, when autorolled, would stop the entire emulator. After deleting the key and leaving only the others, the problem was resolved. It was quite similar to the problem with the Nano01 on the 58w Universal Studio.

Has anyone else noticed this on softcams or the receivers they autoroll?

Quote from ilikenwf

Fenix11 if you do have dumps of the firmware - 2.90 or whatever, I can probably take those apart...I'm decent with reversing software, but not so much an expert on satellites - like I don't even know the NetId of Anuvu/MTI to test that mux with my receiver.

Everything is ready, I hope they are of some use to you in your projects.

Quote from ilikenwf

Fenix11 if you do have dumps of the firmware - 2.90 or whatever, I can probably take those apart...I'm decent with reversing software, but not so much an expert on satellites - like I don't even know the NetId of Anuvu/MTI to test that mux with my receiver.

Perfect, I'll share them with you.