koobas.hobune.stream

Apr MAY Jun 21 2022 2023 2024 1 capture 21 May 23 - 21 May 23

Close Help

AutoUpdate
How does it work?

The following simplified description is based on a log file made with Decrypt 2.40 and the well known TV3 SA (Shared Address) and the management key matching it. For a more comprehensive description I can recommend John Macdonald's documentation on EuroCrypt.

When ViaSat issue/upload new operation keys (08 to 0F) to their own original cards, then these keys are of course encrypted to avoid the hackers from getting hold of them. The key used by the card to decrypt these is called a management key (04 to 07). Typically ViaSat use key 04. The keys 00 to 03 is different on all original cards and are used by UA (Unique Address = 5 bytes) to update the subscriber information normally. The keys 04 to 07 is identical in a group of cards (256 cards) and are used by Shared Address (SA = 4 bytes) to update the operation keys typically.

ViaSat issues the new key(s) in the instruction called CA18 and here's an example:

The receiver asks the card which address (SA) it contains and the card returns this (SA) in the instruction CAB8: CAB8000006 < a5 04 12 31 70 xx 90 08 (xx can be anything). Do you see something you recognize? If not search the net for the most known/used TV3 SA/management key :-)

Then the encrypted keys turn up. ViaSat is right now in the habit of sending out 2 at a time in the instruction CA18: CA18010428 > a1 03 00 04 0b ef 08 33 96 1d 0f 57 2c 58 dd a1 03 00 04 0d ef 08 ff a3 a1 d9 62 70 05 0c f0 08 d6 f9 e7 b4 92 95 94 83 90 00

You can here see that it's an update of key B and D and in both cases is management key 04 in the card needed to decrypt them. The ID which is being updated is 00040 (000400 = TV3/ViaSat Silver package). The red numbers are the encrypted keys and the yellow a check sum (hash).

The card now decrypts the issued keys with the management key (04), makes a check sum calculation and compares this with the one received. Are these identical the 2 new keys are placed in the memory and will be ready for later use (typical 4-6 weeks from first upload. However, the last KeyChange done with Tv1000 only took 9 days).

With a program like e.g. phzdez you can calculate the new operation key. Input the 7 bytes in the management key (04) in the "Key" field and the first 8 red numbers in the "Chiper" field. Press "Lets Calculate". In the "Output" you will see these bytes: 07 A5 A7 85 B1 97 C1 00. This is the TV3 0B key which is used right now. Try to input the second 8 red numbers in the "Chiper" field and press "Lets Calculate". The result is E8 14 14 D4 27 E0 1D 00 in the output field and this is the TV3 0D key.

To make this work in a pirate viewing card you "simply" have to put these functions in the Pic program.

If this has whetted your appetite you can try breaking the new keys in this CA18 instruction (logged Feb. 2,1999):

ca18010428 > a1 03 00 04 19 ef 08 08 18 e2 0e ad 5e 1c 24 a1 03 00 04 1b ef 08 c1 e9 79 67 24 6c a4 b9 f0 08 01 6a 4d 0c 58 8c 34 65 90 00

Or this one:

ca18010428 > a1 03 00 04 1d ef 08 d6 9b 3f a0 48 63 af 1c a1 03 00 04 1f ef 08 83 15 31 73 8a 24 ce a7 f0 08 86 10 d3 9b cd 31 11 20 90 00

CUSTWP
What is this?

CustWP is the last byte of a SA which is used to address the cards. This byte has to exist in a card to make it continue to receive updates. Paul Arnold's autoupdating MM2 software e.g. needs a valid CustWP to receive new keys.

This byte can be calculated from the CAF0 instruction which is issued just before the CA18 instruction. The CAF0 instruction contains all valid CustWP's.

Here's a CAF0 logged Feb. 2, 1999 for TV1000:

caa4040003 > 00 04 10 90 00
caf0000422 > 9e 20 f7 76 ff ff f5 7f ed ff fd 9d 6f fd ff fe ff ff ef f7 ff 57 5f ff ff ff f5 bf ff f9 df ef ff ee 90 00

If you use these 32 bytes in e.g. Custwp12 (you might need some Runtime files) it will calculate all valid CustWP's for that exact SA for TV1000:

01 02 03 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 15 16 17 18 19 1A 1B 1C 1E 1F 20 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 37 38 3A 3C 3D 3E 3F 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5E 60 61 62 64 66 68 69 6A 6B 6C 6D 6E 6F 70 71 72 74 75 76 77 78 79 7A 7B 7D 7E 7F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F A0 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AD AE B0 B2 B3 B4 B7 B8 BA BB BC BD BE BF C0 C1 C2 C3 C4 C5 C6 C7 C8 CA CB CD CE CF D0 D1 D2 D3 D4 D5 D6 D8 DA DC DD DE DF E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF F1 F2 F4 F5 F6 F8 F9 FA FC FD FE FF

This means that a 100% valid SA for TV1000 is 12 35 20 + one of the above listed bytes.

For TV3 it can look like this:

caa4040003 > 00 04 00 90 00
caf0000422 > 9e 20 a6 de 48 b3 fb db b5 7f 0b 5f 73 4e 3d f6 df 1b bf 63 65 ff ef eb b3 fb bf bf de d2 47 77 ff 7e 90 00

Used in Custwp12 this will result in the following CustWP's:

01 02 03 04 05 06 08 09 0A 0B 0C 0D 0E 0F 10 11 12 14 15 16 18 19 1A 1E 21 24 26 27 29 2A 2B 2C 2E 2F 30 31 32 33 34 35 37 38 39 3A 3B 3C 3D 3F 40 41 43 44 45 46 47 48 49 4C 4D 4F 50 51 53 55 56 57 58 59 5A 5B 5D 5E 5F 60 61 62 63 64 65 66 67 68 6A 6D 6E 70 71 75 76 78 79 7A 7B 7C 7D 7F 80 81 83 84 88 89 8A 8B 8C 8E 8F 91 92 94 95 96 97 98 9A 9B 9C 9D A1 A2 A3 A6 A8 A9 AC AD AE B0 B1 B2 B3 B4 B6 B8 B9 BB C0 C1 C2 C3 C4 C5 C6 C8 CA CC CD CF D0 D1 D3 D4 D6 D7 D8 D9 DB DC DD DE DF E0 E1 E4 E5 E7 EB EE F1 F2 F3 F4 F6 F7 F9 FA FD FF

From this you can see that an often used Tv3 SA (12 31 70 52) is not valid because CustWP 52 is not in the list.

© February 1998. www.dsss.dk (translated by Axe)
Made 8/12 21:30
Corrected 13/12 01:50
CAF0 explanation added 27/12 15:30
Log Data and the CustWP list updated 3/2 18:00
Links fixed 24/2 17:50