I've not toyed with this in a while...still interested just busy.
Posts by ilikenwf
-
-
Is that reelz?
I had to use a 4.0 GHz bandpass LNB to get that under control but still see it sometimes.
-
Other than the black box of the security chip with the 8 byte UAs, I guess we just have to tear apart the firmware to determine what is going on in that side and from there attempt to figure out the security chip then?
-
fairbird sorry to ping you but I think that nano01 may actually be an optional use of AES256, but more importantly, the addition of an 8 byte UA instead of just a 4 byte UA...see the example posted earlier in the thread with the nano00 vs nano01 comparison...the 4 extra bytes appear to just be the new use of longer UAs?
I only know this from a high level view right now, is this something we could pound out/test/investigate? I wonder if this thread may need to be private or if instead we should talk on TG or Discord?
-
It'd be amazing if we could get Colibri or someone who is an OG in on this...low level stuff like this is hard.
-
This one...it had a sticker on top with the UA of the receiver (which is a new addition - this is PowerVu Plus and nano01 most likely! - AES 128 + using the UA in the hash somehow) - see Colibri's work on what this thing is. I'm sure it probably speaks the same protocol (logic analyzer may be easier than a custom board?)
If we can poke these and figure out the hashing method and reproduce everything in a softcam with a given UA, then for any given stream, the cracking method would involve using CUDA and a capture of the TS with EMMs to test every possible 8 byte UA until we find one that is authorized...I theorize anyway.
I know enough to be dangerous but we may need some help from people who have done a lot in this space in order to figure it out.
-
After reskimming Colibri's work and looking at these dumps, I suspect this thing runs some kind of MIPS RTOS. There's not any truly discernible binaries at a cursory look that do a lot in terms of encryption, I believe the ISC (integrated security chip) is responsible for that.
In the PowerVuSecrets.pdf by colibri he shows how he managed to talk to the ISC. Has anyone tried getting in touch with Colibri about this before?
-
Fenix11 if you do have dumps of the firmware - 2.90 or whatever, I can probably take those apart...I'm decent with reversing software, but not so much an expert on satellites - like I don't even know the NetId of Anuvu/MTI to test that mux with my receiver.
-
For MTN/Anuvu do any of you know how to determine the NetId of the MTN mux?
-
I would assume. Also figure this may give us a way of figuring out how to crack pvu+ too - with cuda we could just get a sample from each channel/tp and test keys against it somehow using cuda and an nvidia gpu against 8 byte UA combinations
Oh: mine is downloading version 2.9 right now: https://media.myafn.dodmedia.o…Troubleshooting_Guide.pdf
-
Do not share the information you have accessed or are trying to access in the open area; share the file in an encrypted form such as a WinRAR archive. If others see it and leak information to the center, the administrators will take precautions and patch it. It is always like this.
Those are exposed on google search already - but if firmware dumps are shared we may be better off doing that via DM or a private thread if possible.
-
Good to know...then the AFN version may differ from whatever version you have then. Will be interesting to compare.
-
Where are you even getting software updates, OTA from the satellite? I can't find them on cisco's site anywhere.
-
Good job, I’ll follow your topic with interest.
I don’t know if I can help or not. If you want to share your data / software, I’m interested.
Greetings
Ok, tomorrow I'll compile the data I have saved and send it to you, let's see what else I can get from there.
Greetings.
Mad scientists are what this hobby is all about!
So it does have a JTAG? If I can get root access that will be almost as, if not more, interesting as it should allow finding a way to get into the TrustZone key storage and such.
Thanks for sharing! I really hope UPS doesn't act like USPS and deliver 1+ week late - they usually do better so it should be here tomorrow.
-
Feel free to share! My d9865 arrives tomorrow.
How hard is the flash to dump?
-
Hello, greetings.
Seeing these interesting topics, I've also researched and explored this new system. I've noticed some interesting changes in both the bit data flow and the software.
I've been analyzing some details of the equipment software, comparing the x.90 version and the recent x.92 version. I've noticed that they've removed, modified, and added features to this software that I'm not very familiar with, but at a glance, it's clear that they relate to the flow and management of key data.
In one of the images, comparing both software versions, you can see that they've removed some features related to the EMM, ECM, and CW values, adding features and improvements to the ECM flow. You can also see changes in the vfprintf values, from %10d to %10llu. Changes can also be seen in the OS21 tasks.

In the Oscam emulator, you can see that in the different PowerVu modes of some MUXes, the security bit and nano values change, as does the length of the section in the ECM packet stream. Something curious and new to me is that in the image of the FOX News channel's bit stream, the ID tables 80 and 81 change these values. I don't know if it's an emulator error, but it looks strange.
My conclusion is that these bit changes can affect CW calculations.
I will continue to explore more closely to see what else is discovered. If anyone needs any of the information or software, I can share it.
I hope this small contribution helps in some way with the investigation of this new system. Best regards.
You've got the Cisco receiver? How are you, by chance, dumping the flash image/firmware? Or is this some other software/box? If you have the binaries responsible for doing decryption you could toss them into IDA + Hex-Rays or Ghidra and then have some pseudo-C code that we could pick apart or have an AI look at.
Edit: oh - that's just oscam-emu output?
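The quoted post talks about the section length in the ECM packet stream and table IDs 80 and 81 changing, and an earlier post talks about working from a capture of the TS with EMMs. Below is an added example (not code from this thread, from oscam-emu, or from Colibri's work) that pulls CA sections off one PID of an MPEG-TS capture and reports table_id and section_length per section, following the generic ISO/IEC 13818-1 section format: pointer_field on PUSI packets, sections spanning packets, continuity_counter gaps. The PID (0x1234), the section bodies and the packet builder are constructed for the demo and are not from any real mux; nothing here is PowerVu-specific. In plain DVB practice table_id 0x80/0x81 mark ECM sections alternating with the crypto period and 0x82-0x8F mark EMMs, and the classification below follows that convention only.

```python
"""Extract CA sections (ECM/EMM) from an MPEG-TS byte stream and report
table_id and section_length per section. Generic ISO/IEC 13818-1 section
handling only; the PID and sample bodies are constructed for this demo."""

TS_PACKET = 188
SYNC_BYTE = 0x47


def parse_ts_packet(pkt: bytes) -> dict:
    """Decode the 4-byte TS header and skip any adaptation field."""
    if len(pkt) != TS_PACKET or pkt[0] != SYNC_BYTE:
        raise ValueError("not a 188-byte TS packet starting with 0x47")
    pusi = bool(pkt[1] & 0x40)                    # payload_unit_start_indicator
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    afc = (pkt[3] >> 4) & 0x3                     # adaptation_field_control
    cc = pkt[3] & 0x0F                            # continuity_counter
    pos = 4
    if afc & 0x2:                                 # adaptation field present
        pos += 1 + pkt[4]
    payload = pkt[pos:] if afc & 0x1 else b""
    return {"pid": pid, "pusi": pusi, "cc": cc, "payload": payload}


def _drain_sections(buf: bytearray, out: list) -> None:
    """Move every complete section at the front of buf into out."""
    while buf:
        if buf[0] == 0xFF:                        # stuffing: packet payload is exhausted
            buf.clear()
            return
        if len(buf) < 3:
            return
        total = 3 + (((buf[1] & 0x0F) << 8) | buf[2])   # 3-byte header + section_length
        if len(buf) < total:
            return                                # remainder arrives in a later packet
        out.append(bytes(buf[:total]))
        del buf[:total]


def extract_sections(ts: bytes, pid: int) -> dict:
    """Reassemble the sections carried on one PID. Honours pointer_field on PUSI
    packets and discards a partial section when the continuity_counter skips."""
    buf, sections, cc_errors, last_cc = bytearray(), [], 0, None
    for off in range(0, len(ts) - TS_PACKET + 1, TS_PACKET):
        p = parse_ts_packet(ts[off:off + TS_PACKET])
        if p["pid"] != pid or not p["payload"]:
            continue
        if last_cc is not None and (last_cc + 1) & 0x0F != p["cc"]:
            cc_errors += 1
            buf.clear()                           # a packet was lost: partial section is unrecoverable
        last_cc = p["cc"]
        data = p["payload"]
        if p["pusi"]:
            pointer = data[0]
            buf += data[1:1 + pointer]            # tail of the previous section, if any
            _drain_sections(buf, sections)
            buf = bytearray(data[1 + pointer:])   # a new section starts here
        else:
            buf += data
        _drain_sections(buf, sections)
    return {"sections": sections, "cc_errors": cc_errors}


def describe_ca_section(sec: bytes) -> tuple:
    """Return (kind, table_id, section_length). DVB convention: 0x80/0x81 are
    ECMs alternating per crypto period (even/odd key), 0x82-0x8F are EMMs."""
    table_id = sec[0]
    section_length = ((sec[1] & 0x0F) << 8) | sec[2]
    if table_id in (0x80, 0x81):
        kind = "ECM"
    elif 0x82 <= table_id <= 0x8F:
        kind = "EMM"
    else:
        kind = "other"
    return kind, table_id, section_length


def summarize_ca_pid(ts: bytes, pid: int) -> list:
    return [describe_ca_section(s) for s in extract_sections(ts, pid)["sections"]]


# --- constructed sample stream (not captured from any real transponder) ---
def make_section(table_id: int, body: bytes) -> bytes:
    """Short-form private section: table_id, ssi=0 / private=0 / reserved=11, section_length."""
    n = len(body)
    return bytes([table_id, 0x30 | (n >> 8), n & 0xFF]) + body


def build_ts(pid: int, sections: list) -> bytes:
    """Each section starts a fresh PUSI packet (pointer_field 0) and spills into
    continuation packets when longer than 183 bytes; payloads are 0xFF-stuffed."""
    out, cc = bytearray(), 0
    for sec in sections:
        data, first = b"\x00" + sec, True
        while data:
            chunk, data = data[:184], data[184:]
            hdr = bytes([SYNC_BYTE, (0x40 if first else 0) | (pid >> 8), pid & 0xFF, 0x10 | cc])
            out += hdr + chunk.ljust(184, b"\xff")
            cc, first = (cc + 1) & 0x0F, False
    return bytes(out)


DEMO_PID = 0x1234                                  # hypothetical CA PID for the demo
SAMPLE_TS = build_ts(DEMO_PID, [
    make_section(0x80, bytes(60)),                 # even-key ECM, fits in one packet
    make_section(0x81, bytes(range(200))),         # odd-key ECM, spans two packets
    make_section(0x82, bytes([0xAA]) * 40),        # EMM
])

if __name__ == "__main__":
    for kind, tid, length in summarize_ca_pid(SAMPLE_TS, DEMO_PID):
        print(f"{kind}: table_id=0x{tid:02x} section_length={length}")
```

To use it on a real capture, replace SAMPLE_TS with the file contents and DEMO_PID with the ECM or EMM PID taken from the PMT/CAT; a non-zero cc_errors means the capture has gaps and any section length oddities near them should be treated as capture damage before reading anything into them.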
-
@Anubis_Ir
@colibri
Other forums could contribute to this topic and possibly develop a solution. It's a great loss that they no longer contribute...Feel free to go post those places and get them over here...or at least once I maybe find a way to dump the firmware.
-
I guess with a D9865-D, that either dumping the firmware if possible or having it auto update downloading the firmware from an MTN satellite, and then dumping that, might give us something to look at since it is still powervu, meaning that no conditional access module is likely to be used...that said they are probably whitelisting receiver IDs...which we should be able to handle with EMMs, so I suppose I'll grab one of these on ebay.
-
:) - but I bet the decoder card does all the work.
Anuvu Broadcast Center | See Full Importer History | ImportGenius (www.importgenius.com): US Customs records available for Anuvu Broadcast Center in Miramar. See their past imports from Princess Cruises based in United States. Follow future activity…
-
I don't think this is an actual encryption issue as much as it is some kind of hashing issue. It's not a huge thing but still something worth digging into.
If anyone can confirm a box - commercial or professional that works, we can probably find the firmware to dump and get some clues at the least anyway.
