Irdeto Sage Demo Key Calculator - Art
#include <psppower.h>
#include <pspkernel.h>
#include <pspdebug.h>
#include <pspctrl.h>
#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <pspdisplay.h>
#include <pspaudiolib.h>
#include <pspaudio.h>
#include <png.h>
#include <pspgu.h>
#include <pspgum.h>
#include <pspsdk.h>
#include <math.h>
#include <malloc.h>
#include <limits.h>
#include "main.h"
#include "graphics.h"
#include "intraFont.h"
#include "pin.h"
#include "phone.h"
PSP_MODULE_INFO("IrdetoSage", 0, 1, 1);
PSP_MAIN_THREAD_ATTR(0);
sample_t* loop_buffer; //
short mic_level; //
int sam; //
int samsel; //
int samlock; //
int ssel; //
int step; // step counter
int alga; //
int algb; //
int algc; //
int del; // delay
int running; // program running flag
char fillerx[120]; //
char filler[120]; //
char fillerb[120]; //
u8 temp; //
unsigned int i; //
u8 HMK[9]; // 10 byte hex master key
u8 HMKX[9]; // 10 byte hex master key copy
u8 MK[7]; // 8 byte key EMK => PMK
u8 work; // work byte
int parity; // odd / even status flag
u8 hasha[256] = {
0xDA, 0x26, 0xE8, 0x72, 0x11, 0x52, 0x3E, 0x46,
0x32, 0xFF, 0x8C, 0x1E, 0xA7, 0xBE, 0x2C, 0x29,
0x5F, 0x86, 0x7E, 0x75, 0x0A, 0x08, 0xA5, 0x21,
0x61, 0xFB, 0x7A, 0x58, 0x60, 0xF7, 0x81, 0x4F,
0xE4, 0xFC, 0xDF, 0xB1, 0xBB, 0x6A, 0x02, 0xB3,
0x0B, 0x6E, 0x5D, 0x5C, 0xD5, 0xCF, 0xCA, 0x2A,
0x14, 0xB7, 0x90, 0xF3, 0xD9, 0x37, 0x3A, 0x59,
0x44, 0x69, 0xC9, 0x78, 0x30, 0x16, 0x39, 0x9A,
0x0D, 0x05, 0x1F, 0x8B, 0x5E, 0xEE, 0x1B, 0xC4,
0x76, 0x43, 0xBD, 0xEB, 0x42, 0xEF, 0xF9, 0xD0,
0x4D, 0xE3, 0xF4, 0x57, 0x56, 0xA3, 0x0F, 0xA6,
0x50, 0xFD, 0xDE, 0xD2, 0x80, 0x4C, 0xD3, 0xCB,
0xF8, 0x49, 0x8F, 0x22, 0x71, 0x84, 0x33, 0xE0,
0x47, 0xC2, 0x93, 0xBC, 0x7C, 0x3B, 0x9C, 0x7D,
0xEC, 0xC3, 0xF1, 0x89, 0xCE, 0x98, 0xA2, 0xE1,
0xC1, 0xF2, 0x27, 0x12, 0x01, 0xEA, 0xE5, 0x9B,
0x25, 0x87, 0x96, 0x7B, 0x34, 0x45, 0xAD, 0xD1,
0xB5, 0xDB, 0x83, 0x55, 0xB0, 0x9E, 0x19, 0xD7,
0x17, 0xC6, 0x35, 0xD8, 0xF0, 0xAE, 0xD4, 0x2B,
0x1D, 0xA0, 0x99, 0x8A, 0x15, 0x00, 0xAF, 0x2D,
0x09, 0xA8, 0xF5, 0x6C, 0xA1, 0x63, 0x67, 0x51,
0x3C, 0xB2, 0xC0, 0xED, 0x94, 0x03, 0x6F, 0xBA,
0x3F, 0x4E, 0x62, 0x92, 0x85, 0xDD, 0xAB, 0xFE,
0x10, 0x2E, 0x68, 0x65, 0xE7, 0x04, 0xF6, 0x0C,
0x20, 0x1C, 0xA9, 0x53, 0x40, 0x77, 0x2F, 0xA4,
0xFA, 0x6D, 0x73, 0x28, 0xE2, 0xCD, 0x79, 0xC8,
0x97, 0x66, 0x8E, 0x82, 0x74, 0x06, 0xC7, 0x88,
0x1A, 0x4A, 0x6B, 0xCC, 0x41, 0xE9, 0x9D, 0xB8,
0x23, 0x9F, 0x3D, 0xBF, 0x8D, 0x95, 0xC5, 0x13,
0xB9, 0x24, 0x5A, 0xDC, 0x64, 0x18, 0x38, 0x91,
0x7F, 0x5B, 0x70, 0x54, 0x07, 0xB6, 0x4B, 0x0E,
0x36, 0xAC, 0x31, 0xE6, 0xD6, 0x48, 0xAA, 0xB4};
u8 hashb[256] = {
0x8E, 0xD5, 0x32, 0x53, 0x4B, 0x18, 0x7F, 0x95,
0xBE, 0x30, 0xF3, 0xE0, 0x22, 0xE1, 0x68, 0x90,
0x82, 0xC8, 0xA8, 0x57, 0x21, 0xC5, 0x38, 0x73,
0x61, 0x5D, 0x5A, 0xD6, 0x60, 0xB7, 0x48, 0x70,
0x2B, 0x7A, 0x1D, 0xD1, 0xB1, 0xEC, 0x7C, 0xAA,
0x2F, 0x1F, 0x37, 0x58, 0x72, 0x88, 0xFF, 0x87,
0x1C, 0xCB, 0x00, 0xE6, 0x4E, 0xAB, 0xEB, 0xB3,
0xF7, 0x59, 0x71, 0x6A, 0x64, 0x2A, 0x55, 0x4D,
0xFC, 0xC0, 0x51, 0x01, 0x2D, 0xC4, 0x54, 0xE2,
0x9F, 0x26, 0x16, 0x27, 0xF2, 0x9C, 0x86, 0x11,
0x05, 0x29, 0xA2, 0x78, 0x49, 0xB2, 0xA6, 0xCA,
0x96, 0xE5, 0x33, 0x3F, 0x46, 0xBA, 0xD0, 0xBB,
0x5F, 0x84, 0x98, 0xE4, 0xF9, 0x0A, 0x62, 0xEE,
0xF6, 0xCF, 0x94, 0xF0, 0xEA, 0x1E, 0xBF, 0x07,
0x9B, 0xD9, 0xE9, 0x74, 0xC6, 0xA4, 0xB9, 0x56,
0x3E, 0xDB, 0xC7, 0x15, 0xE3, 0x80, 0xD7, 0xED,
0xEF, 0x13, 0xAC, 0xA1, 0x91, 0xC2, 0x89, 0x5B,
0x08, 0x0B, 0x4C, 0x02, 0x3A, 0x5C, 0xA9, 0x3B,
0xCE, 0x6B, 0xA7, 0xE7, 0xCD, 0x7B, 0xA0, 0x47,
0x09, 0x6D, 0xF8, 0xF1, 0x8B, 0xB0, 0x12, 0x42,
0x4A, 0x9A, 0x17, 0xB4, 0x7E, 0xAD, 0xFE, 0xFD,
0x2C, 0xD3, 0xF4, 0xB6, 0xA3, 0xFA, 0xDF, 0xB8,
0xD4, 0xDA, 0x0F, 0x50, 0x93, 0x66, 0x6C, 0x20,
0xD8, 0x8A, 0xDD, 0x31, 0x1A, 0x8C, 0x06, 0xD2,
0x44, 0xE8, 0x23, 0x43, 0x6E, 0x10, 0x69, 0x36,
0xBC, 0x19, 0x8D, 0x24, 0x81, 0x14, 0x40, 0xC9,
0x6F, 0x2E, 0x45, 0x52, 0x41, 0x92, 0x34, 0xFB,
0x5E, 0x0D, 0xF5, 0x76, 0x25, 0x77, 0x63, 0x65,
0xAF, 0x4F, 0xCC, 0x03, 0x9D, 0x0C, 0x28, 0x39,
0x85, 0xDE, 0xB5, 0x7D, 0x67, 0x83, 0xBD, 0xC3,
0xDC, 0x3C, 0xAE, 0x99, 0x04, 0x75, 0x8F, 0x97,
0xC1, 0xA5, 0x9E, 0x35, 0x0E, 0x3D, 0x1B, 0x79};
void printgreen(void);
void printgreenX(void);
void printscreen(void);
void algostep(void);
void audioLoopStop(void);
void rotateright(void);
void rotateleft(void);
void decryptEMK(void);
void encryptPMK(void);
intraFont* ltn8;
void audioOutputLoopCallback(void* buf, unsigned int length, void *userdata) {
sample_t* ubuf = (sample_t*) buf;
int i;
if (samlock == 1) {
if (samsel == 1) {
for (i = 0; i < 1024; i++) {
ubuf.l = pin[sam+1] + (pin[sam]*256);
ubuf.r = ubuf.l;
sam++;
sam++;
if (sam > 97009) {
ubuf.l = 0;
ubuf.r = 0;
samlock = 0;
}
}
}
if (samsel == 2) {
for (i = 0; i < 1024; i++) {
ubuf.l = phone[sam+1] + (phone[sam]*256);
ubuf.r = ubuf.l;
sam++;
sam++;
if (sam < 44) {
ubuf.l = 0;
ubuf.r = 0;
}
if (sam > 11532) {
ubuf.l = 0;
ubuf.r = 0;
samlock = 0;
}
}
}
}
if (samlock == 0) {
int bbb;
for (bbb = 0; bbb < 1024; bbb++) {
ubuf[bbb].l = 0xFFFF;
ubuf[bbb].r = 0xFFFF;
}
}
}
void audioLoopStart() {
loop_buffer = (sample_t*) malloc(PSP_NUM_AUDIO_SAMPLES * sizeof(sample_t));
sceKernelDelayThread(200000);
pspAudioSetChannelCallback(0, audioOutputLoopCallback, NULL);
}
int main(void) {
intraFontInit();
ltn8 = intraFontLoad("flash0:/font/ltn8.pgf",INTRAFONT_CACHE_ASCII);
if(!ltn8) sceKernelExitGame();
initGraphics();
running = 1; // set program running flag
loop_buffer = NULL;
pspAudioInit();
sceDisplayWaitVblankStart();
sceDisplayWaitVblankStart();
audioLoopStart();
sceDisplayWaitVblankStart();
sceDisplayWaitVblankStart();
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
samsel = 2; // select intro sample
clearScreen(0);
sprintf(fillerx, "IRDETO SAGE");
guStart();
intraFontSetStyle(ltn8, 2.5f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, fillerx);
intraFontSetStyle(ltn8, 1.5f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 170, "Key Cypher Demo - Art 2008!");
sprintf(filler, "PSP Intrafont library by BenHur");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 230, filler);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
for(del=0; del<300; del++) {sceDisplayWaitVblankStart();}
sprintf(fillerx, "Irdeto Key Cypher Demo - Art 2008");
clearScreen(0);
sprintf(filler, " ");
guStart();
intraFontSetStyle(ltn8, 1.0f,0xFFFF5555,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 130, filler);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
HMK[9] = 0x11; // copy initial values to key arrays
HMK[8] = 0x11;
HMK[7] = 0x11;
HMK[6] = 0x11;
HMK[5] = 0x11;
HMK[4] = 0x11;
HMK[3] = 0x11;
HMK[2] = 0x11;
HMK[1] = 0x11;
HMK[0] = 0x11;
MK[7] = 0x22; MK[6] = 0x22; MK[5] = 0x22; MK[4] = 0x22; MK[3] = 0x22; MK[2] = 0x22; MK[1] = 0x22; MK[0] = 0x22;
// MK[7] = 0xE7; MK[6] = 0xF6; MK[5] = 0xA0; MK[4] = 0xDB; MK[3] = 0xB2; MK[2] = 0x93; MK[1] = 0xC3; MK[0] = 0xB7;
clearScreen(0);
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMK[0],HMK[1],HMK[2],HMK[3],HMK[4],HMK[5],HMK[6],HMK[7],HMK[8],HMK[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "EMK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 250, "PRESS X TO DECRYPT");
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
int stopper;
stopper = 0;
while (stopper == 0) {
SceCtrlData xpad;
sceCtrlSetSamplingMode(1);
sceCtrlPeekBufferPositive(&xpad, 1);
if(xpad.Buttons & PSP_CTRL_CROSS) {
stopper = 1;
}
if(xpad.Buttons & PSP_CTRL_CIRCLE) {
stopper = 2;
}
if(xpad.Buttons & PSP_CTRL_TRIANGLE) {
stopper = 3;
}
} // while
if (stopper == 1) {decryptEMK();printgreen();}
if (stopper == 2) {encryptPMK();printgreen();}
if (stopper == 3) {
decryptEMK();printgreen();
for(del=0; del<10; del++) {HMK[del] = HMKX[del];}
encryptPMK();printgreenX();
}
while (running == 1) {
clearScreen(0); // intrafont action
sceDisplayWaitVblankStart();
flipScreen();
clearScreen(0); // intrafont action
guStart();
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 145, "DONE!");
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
for(del=0; del<100; del++) {sceDisplayWaitVblankStart();}
running = 0;
} // running
audioLoopStop(); // stop audio routine
pspAudioEnd();
sceKernelExitGame(); // exit program
return 0;
} // main ************
void algostep() {
if(HMK[alga]&1) {parity = 1;} else {parity = 0;}
work = HMK[alga] ^ MK[algb];
if (parity == 1) {MK[algc] = hasha[work] ^ MK[algc];} else {MK[algc] = hashb[work] ^ MK[algc];}
printscreen();
}
void printscreen() {
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMK[0],HMK[1],HMK[2],HMK[3],HMK[4],HMK[5],HMK[6],HMK[7],HMK[8],HMK[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
clearScreen(0);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "MK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
clearScreen(0);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "MK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
if (ssel == 0) {
samsel = 2; // select intro sample
} else {
samsel = 1; // select intro sample
ssel = 0;
}
for(del=0; del<2; del++) {sceDisplayWaitVblankStart();}
}
void printgreen() {
clearScreen(0);
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMKX[0],HMKX[1],HMKX[2],HMKX[3],HMKX[4],HMKX[5],HMKX[6],HMKX[7],HMKX[8],HMKX[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "PMK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFF55EF55,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
samsel = 1; // select intro sample
for(del=0; del<2; del++) {sceDisplayWaitVblankStart();}
for(del=0; del<650; del++) {sceDisplayWaitVblankStart();}
}
void printgreenX() {
clearScreen(0);
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMKX[0],HMKX[1],HMKX[2],HMKX[3],HMKX[4],HMKX[5],HMKX[6],HMKX[7],HMKX[8],HMKX[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "EMK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFF55EF55,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
samsel = 1; // select intro sample
for(del=0; del<2; del++) {sceDisplayWaitVblankStart();}
for(del=0; del<650; del++) {sceDisplayWaitVblankStart();}
}
void rotateright() {
temp = (HMK[9] << 7); // rotate HMK right once
HMK[9] = (HMK[8] << 7) | (HMK[9] **** 1);
HMK[8] = (HMK[7] << 7) | (HMK[8] **** 1);
HMK[7] = (HMK[6] << 7) | (HMK[7] **** 1);
HMK[6] = (HMK[5] << 7) | (HMK[6] **** 1);
HMK[5] = (HMK[4] << 7) | (HMK[5] **** 1);
HMK[4] = (HMK[3] << 7) | (HMK[4] **** 1);
HMK[3] = (HMK[2] << 7) | (HMK[3] **** 1);
HMK[2] = (HMK[1] << 7) | (HMK[2] **** 1);
HMK[1] = (HMK[0] << 7) | (HMK[1] **** 1);
HMK[0] = temp | (HMK[0] **** 1);
ssel = 1;
printscreen();
}
void rotateleft() {
temp = (HMK[0] **** 7); // rotate HMK right once
HMK[0] = (HMK[1] **** 7) | (HMK[0] << 1);
HMK[1] = (HMK[2] **** 7) | (HMK[1] << 1);
HMK[2] = (HMK[3] **** 7) | (HMK[2] << 1);
HMK[3] = (HMK[4] **** 7) | (HMK[3] << 1);
HMK[4] = (HMK[5] **** 7) | (HMK[4] << 1);
HMK[5] = (HMK[6] **** 7) | (HMK[5] << 1);
HMK[6] = (HMK[7] **** 7) | (HMK[6] << 1);
HMK[7] = (HMK[8] **** 7) | (HMK[7] << 1);
HMK[8] = (HMK[9] **** 7) | (HMK[8] << 1);
HMK[9] = temp | (HMK[9] << 1);
ssel = 1;
printscreen();
}
void encryptPMK() {
for(del=0; del<10; del++) {HMKX[del] = HMK[del];}
for(step=0; step<13; step++) {rotateright();}
alga = 7; algb = 5; algc = 0;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 0; algb = 0; algc = 3;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 0;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 0; algb = 2; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 2;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 0; algb = 4; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 4;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 0; algb = 6; algc = 1;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 6;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 7; algb = 7; algc = 0;
algostep();
alga = 6; algb = 6; algc = 7;
algostep();
alga = 5; algb = 5; algc = 6;
algostep();
alga = 4; algb = 4; algc = 5;
algostep();
alga = 3; algb = 3; algc = 4;
algostep();
alga = 2; algb = 2; algc = 3;
algostep();
alga = 1; algb = 1; algc = 2;
algostep();
alga = 0; algb = 0; algc = 1;
algostep();
rotateleft();
alga = 9; algb = 5; algc = 0;
algostep();
alga = 8; algb = 2; algc = 5;
algostep();
alga = 7; algb = 7; algc = 2;
algostep();
alga = 6; algb = 4; algc = 7;
algostep();
alga = 5; algb = 1; algc = 4;
algostep();
alga = 4; algb = 6; algc = 1;
algostep();
alga = 3; algb = 3; algc = 6;
algostep();
alga = 2; algb = 0; algc = 3;
algostep();
alga = 1; algb = 7; algc = 0;
algostep();
alga = 0; algb = 6; algc = 7;
algostep();
rotateleft();
alga = 9; algb = 5; algc = 6;
algostep();
alga = 8; algb = 4; algc = 5;
algostep();
alga = 7; algb = 3; algc = 4;
algostep();
alga = 6; algb = 2; algc = 3;
algostep();
alga = 5; algb = 1; algc = 2;
algostep();
alga = 4; algb = 0; algc = 1;
algostep();
alga = 3; algb = 5; algc = 0;
algostep();
alga = 2; algb = 2; algc = 5;
algostep();
alga = 1; algb = 7; algc = 2;
algostep();
alga = 0; algb = 4; algc = 7;
algostep();
rotateleft();
alga = 9; algb = 1; algc = 4;
algostep();
alga = 8; algb = 6; algc = 1;
algostep();
alga = 7; algb = 3; algc = 6;
algostep();
alga = 6; algb = 0; algc = 3;
algostep();
alga = 5; algb = 7; algc = 0;
algostep();
alga = 4; algb = 6; algc = 7;
algostep();
alga = 3; algb = 5; algc = 6;
algostep();
alga = 2; algb = 4; algc = 5;
algostep();
alga = 1; algb = 3; algc = 4;
algostep();
alga = 0; algb = 2; algc = 3;
algostep();
rotateleft();
alga = 9; algb = 1; algc = 2;
algostep();
alga = 8; algb = 0; algc = 1;
algostep();
alga = 7; algb = 5; algc = 0;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 0; algb = 0; algc = 3;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 0;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 0; algb = 2; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 2;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 0; algb = 4; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 4;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 0; algb = 6; algc = 1;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 6;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 7; algb = 7; algc = 0;
algostep();
for(step=7; step>0; step--) { // round one
if(HMK[step]&1) {parity = 1;} else {parity = 0;}
work = HMK[step] ^ MK[step];
if (parity == 1) {MK[step+1] = hasha[work] ^ MK[step+1];} else {MK[step+1] = hashb[work] ^ MK[step+1];}
printscreen();
} // step
alga = 0; algb = 0; algc = 1;
if(HMK[alga]&1) {parity = 1;} else {parity = 0;}
work = HMK[alga] ^ MK[algb];
if (parity == 1) {MK[algc] = hasha[work] ^ MK[algc];} else {MK[algc] = hashb[work] ^ MK[algc];}
}
void decryptEMK() {
for(del=0; del<10; del++) {HMKX[del] = HMK[del];}
rotateright();
for(step=0; step<7; step++) { // round one
if(HMK[step]&1) {parity = 1;} else {parity = 0;}
work = HMK[step] ^ MK[step];
if (parity == 1) {MK[step+1] = hasha[work] ^ MK[step+1];} else {MK[step+1] = hashb[work] ^ MK[step+1];}
printscreen();
} // step
alga = 7; algb = 7; algc = 0;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 9; algb = 3; algc = 6;
algostep();
rotateright();
alga = 0; algb = 6; algc = 1;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 9; algb = 3; algc = 4;
algostep();
rotateright();
alga = 0; algb = 4; algc = 5;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 9; algb = 7; algc = 2;
algostep();
rotateright();
alga = 0; algb = 2; algc = 5;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 9; algb = 7; algc = 0;
algostep();
rotateright();
alga = 0; algb = 0; algc = 3;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 7; algb = 5; algc = 0;
algostep();
alga = 8; algb = 0; algc = 1;
algostep();
alga = 9; algb = 1; algc = 2;
algostep();
rotateright();
alga = 0; algb = 2; algc = 3;
algostep();
alga = 1; algb = 3; algc = 4;
algostep();
alga = 2; algb = 4; algc = 5;
algostep();
alga = 3; algb = 5; algc = 6;
algostep();
alga = 4; algb = 6; algc = 7;
algostep();
alga = 5; algb = 7; algc = 0;
algostep();
alga = 6; algb = 0; algc = 3;
algostep();
alga = 7; algb = 3; algc = 6;
algostep();
alga = 8; algb = 6; algc = 1;
algostep();
alga = 9; algb = 1; algc = 4;
algostep();
rotateright();
alga = 0; algb = 4; algc = 7;
algostep();
alga = 1; algb = 7; algc = 2;
algostep();
alga = 2; algb = 2; algc = 5;
algostep();
alga = 3; algb = 5; algc = 0;
algostep();
alga = 4; algb = 0; algc = 1;
algostep();
alga = 5; algb = 1; algc = 2;
algostep();
alga = 6; algb = 2; algc = 3;
algostep();
alga = 7; algb = 3; algc = 4;
algostep();
alga = 8; algb = 4; algc = 5;
algostep();
alga = 9; algb = 5; algc = 6;
algostep();
rotateright();
alga = 0; algb = 6; algc = 7;
algostep();
alga = 1; algb = 7; algc = 0;
algostep();
alga = 2; algb = 0; algc = 3;
algostep();
alga = 3; algb = 3; algc = 6;
algostep();
alga = 4; algb = 6; algc = 1;
algostep();
alga = 5; algb = 1; algc = 4;
algostep();
alga = 6; algb = 4; algc = 7;
algostep();
alga = 7; algb = 7; algc = 2;
algostep();
alga = 8; algb = 2; algc = 5;
algostep();
alga = 9; algb = 5; algc = 0;
algostep();
rotateright();
alga = 0; algb = 0; algc = 1;
algostep();
alga = 1; algb = 1; algc = 2;
algostep();
alga = 2; algb = 2; algc = 3;
algostep();
alga = 3; algb = 3; algc = 4;
algostep();
alga = 4; algb = 4; algc = 5;
algostep();
alga = 5; algb = 5; algc = 6;
algostep();
alga = 6; algb = 6; algc = 7;
algostep();
alga = 7; algb = 7; algc = 0;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 9; algb = 3; algc = 6;
algostep();
rotateright();
alga = 0; algb = 6; algc = 1;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 9; algb = 3; algc = 4;
algostep();
rotateright();
alga = 0; algb = 4; algc = 5;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 9; algb = 7; algc = 2;
algostep();
rotateright();
alga = 0; algb = 2; algc = 5;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 9; algb = 7; algc = 0;
algostep();
rotateright();
alga = 0; algb = 0; algc = 3;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 7; algb = 5; algc = 0;
if(HMK[alga]&1) {parity = 1;} else {parity = 0;}
work = HMK[alga] ^ MK[algb];
if (parity == 1) {MK[algc] = hasha[work] ^ MK[algc];} else {MK[algc] = hashb[work] ^ MK[algc];}
}
CM CW Decrypted:
807031F70405003200060028F283D57D7B2F00C7E814AE065C 72156B6109EBBA24BA4ED7CC2795177F9D012049276690CBB7 F761
Keys Decrypt ECM CW:
OP KEY 06 : 88A4160D2643EC48E2753C36AEAE236D
ECM SEED : 94B249D7D873C04C432949379CB4964C
ECM SEED Prepare : 0852008627608B684B4A811AD902AB48
ECM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-------------------------------------------------------------------------------------------------------------
ECM CW Decrypted:
807031F704050032000600 28 03FC3401400200437812061200000045409050B10008081220 0000CD04020000 6E805C470922678E
8070 ---**** Haeder Type EMM ( 80=CW0 Active Or 81= CW1 Active )
31 ---**** Len (Hex: 0x31 (Dec: 49 Bytes))
F70405
0032 ---**** Channel ID
00 ---**** Provider
06 ---**** Index OPKEY
00
28 ---**** Len (Hex: 0x28 = (Dec: 8*5=40 Bytes))
03FC3401
40 ---**** Nano Date
02 ---**** Len Date
0043 ---**** Date ??
78 ---**** Nano Update DCW
12 ---**** Len
06 ---**** Index OPKEY
12 ---**** 80=12 || 81=13
00000045409050B100080812200000CD ---**** DCW Decrypted
04 02 00 00
6E805C470922678E ---**** Signature MAC
Log:
-------------------- Kasita Botonnou @ Irdeto2 --------------------
OP KEY 06 : 88A4160D2643EC48E2753C36AEAE236D
ECM SEED : 94B249D7D873C04C432949379CB4964C
ECM SEED Prepare : 0852008627608B684B4A811AD902AB48
ECM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-------------------- Kasita Botonnou @ Irdeto2 --------------------
DCW DECRYPTED OK : 00000045409050B100080812200000CD By K. Botonnou
-------------------- Kasita Botonnou @ Irdeto2 --------------------
Key Used Is Inde : 06
-------------------- Kasita Botonnou @ Irdeto2 --------------------
Sig Correct!!! : 6E805C470922678E
void audioLoopStop() {
pspAudioSetChannelCallback(0, NULL, NULL);
}
---------------------------------------------------------------------------------------------------------
Antes De Todo vamos a ver las keys necesarios para Desencrytar una EMM o sea para hacer un Auto Update: -
-
ART : 060400 -
PMK : AF38DA5E9E00AADB 39A1BCBCB060DEA3 Adrress: 08D7 -
EMM-Seed : DA65344511C953D8 6EDAF329EF20376E -
Common-IV: 5BC9E74A983AA5A7 903B000000000000 -
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
y La EMM OPKEY Encrypatada (Encrypt) es la siguiente: - -
-------------------------------------------------------- -
EMM: 82403F0208D7000030384913FC3C61266ED85CD727D1E7A657 83F97DF52C7BD5996F330C884F922A06191338FB13E -
68B6BD26AFCFE180C9340BA9A3152EB37327046 -
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
Vamos a hacer un analisis a esta EMM OPKEY la cual esta Encriptada (Encrypt): - -
------------------------------------------------------------------------------- -
82403F <<------ Haeder { 3F= Longitud Hex:0x3F Dec:63 } -
02 <<------ Type Group 00 -
08D7 <<------ Address -
0000 <<------ Relleno -
30 <<------ Provider ID -
38 <<------ Longitud De Bytes (Hex: 0x38 = (Dec: 8*7=56 Bytes)) -
4913FC3C61266ED8 <<------ Data 1 Encrypt -
5CD727D1E7A65783 <<------ Data 2 Encrypt -
F97DF52C7BD5996F <<------ Data 3 Encrypt -
330C884F922A0619 <<------ Data 4 Encrypt -
1338FB13E68B6BD2 <<------ Data 5 Encrypt -
6AFCFE180C9340BA <<------ Data 6 Encrypt -
9A3152EB37327046 <<------ Data 7 Encrypt (Signature) -
---------------------------------------------------------------------------------------------------------
El Algortimo Usado para Desencriptar una EMM o ECM deIrdeto 2 es el algortimo 3DES CBC
aqui no hablamos sobe este algortimo ya es conocido
Ahora Vamos a empezar paso a paso y veremos todo el proceso de desencriptar una EMM Ir2 hasta el calculo de la firma (Signature)
Los Pasos Son:
1- Prepared EMM_SEED (Encrypt 3DESCBC)
2- Decrypt EMM (Decrypt 3DESCBC)
3- Decrypt Nano (Decrypt 3DESCBC)
4- CalculateMAC (Encrypt 3DESCBC)
****************************************
1- Prepared EMM_SEED (Encrypt 3DESCBC) ************************************************** *******
**************************************** *
*
Primer paso hacemos una preparacion de la Key EMM_Seed con el Algortimo 3DES CBC (Encrypt) *
ya tenemos la PMK como la Key que vamos a usar para el algortimo 3DES CBC *
EMM_Seed es Data o el mensaje que damos al algortimo 3DES CBC *
y IV es el que usa el algortimo 3DES CBC para hacer el XOR *
*
*
PMK = AF38DA5E9E00AADB 39A1BCBCB060DEA3 (16 bytes) Key 3DES CBC (K1=K3) *
EMM Seed = DA65344511C953D8 6EDAF329EF20376E (16 bytes) Data 3DES CBC *
IV = 0000000000000000 (08 bytes) IV 3DES CBC ******************
*
*
Pues Empezamos: ************************************************** *********************
*
DA65344511C953D8 {Xor} 0000000000000000 = DA65344511C953D8 {Encrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = E046C69E8CB4A40D *
Data 8 Bytes'ES' IV 3DES CBC Result PMK Key 3DES CBC Bloc1 Emm_Seed Prepared ok *
*
6EDAF329EF20376E {Xor} E046C69E8CB4A40D = 8E9C35B763949363 {Encrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = A16E52AF4CAE6A15 *
Data 8 Bytes'ES' Blo1 Emm_Seed Pre Result PMK Key 3DES CBC Bloc2 Emm_Seed Prepared ok *
*
*
EMM_Seed Preparado = E046C69E8CB4A40D A16E52AF4CAE6A15 (After Despues de Prepararlo con el algortimo usado 3DES CBC) **********************
*
*
ya esta terminado el primer paso lo que era hacer un 3DES CBC para perparar la EMM_SEED *
EMM_SEED Prepared: E046C69E8CB4A40D A16E52AF4CAE6A15 *
*
************************************************** ************************************************** ****************************
**********************************
2- Decrypt EMM (Decrypt 3DESCBC) ************************************************** **********************************
********************************** *
*
Ya estamos en el segundo paso y siempre con el algotimo 3DESCBC pero ahora hay que Desencriptar (Decrypt 3DES CBC) *
y lo que tenemos que Desencriptar son los bloqueos cifrado en la EMM ya son 7 bloqueos como habamos Visto arriba *
*
y lo necesario aqui es Data son datos de la Emm Cifrados y vamos a Desencriptar 8 a 8 Bytes *
EMM_Seed Prepared como la Key que vamos a usar para el algortimo 3DES CBC *****************
y la key EMM_IV como Key de IV que usamos para el Xor de 3DESCBC *
*
Data = (Ocho a ocho bytes (son datos de emm los cuales estan cifrados)) *
EMM_Seed Prepared = E046C69E8CB4A40D A16E52AF4CAE6A15 (Preparado va a ser la key 3des) *
EMM_IV = 5BC9E74A983AA5A7 903B000000000000 (Solo 8 bytes primeros) *
*
Los bloqueos datos de la EMM que tenemos son 7 bloqueos pues 7 Roundas *
--------------------------------------------------------------------- *
- 4913FC3C61266ED8 <<------ Data 1 Encrypt Rounda 1 - *
- 5CD727D1E7A65783 <<------ Data 2 Encrypt Rounda 2 - *
- F97DF52C7BD5996F <<------ Data 3 Encrypt Rounda 3 - *
- 330C884F922A0619 <<------ Data 4 Encrypt Rounda 4 - *
- 1338FB13E68B6BD2 <<------ Data 5 Encrypt Rounda 5 - *
- 6AFCFE180C9340BA <<------ Data 6 Encrypt Rounda 6 - *
- 9A3152EB37327046 <<------ Data 7 Encrypt (Signature) Rounda 7 - *
--------------------------------------------------------------------- *
*
Empezamos a Descifrar ocho a ocho Bytes con el algortimo 3DES CBC : *
*
************************************************** ******************************
EMM Encrypted:
82403F0208D7000030 [38] || 4913FC3C61266ED8 || 5CD727D1E7A65783 || F97DF52C7BD5996F || 330C884F922A0619 || 1338FB13E68B6BD2 || 6AFCFE180C9340BA || 9A3152EB37327046
|| RONDA 1 || RONDA 2 || RONDA 3 || RONDA 4 || RONDA 5 || RONDA 6 || RONDA 7
Datos Cifrados.......................................... .................................................. ...............................
RONDA 1: 4913FC3C61266ED8 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 1BCAE45570C5F5B6 {Xor} 5BC9E74A983AA5A7 = 4003031FE8FF5011 (Result Bloc 1)
Data 1 EMM_Seed Prepared Key 3DES CBC = Result EMM_IV Data 1 Decrypted
RONDA 2: 5CD727D1E7A65783 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 51273A5AEA69A0D4 {Xor} 4913FC3C61266ED8 = 1834C6668B4FCE0C (Result Bloc 2)
Data 2 EMM_Seed Prepared Key 3DES CBC = Result Data 1 Encrypt Data 2 Decrypted
RONDA 3: F97DF52C7BD5996F {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 6FCDD4CF587C99E4 {Xor} 5CD727D1E7A65783 = 331AF31EBFDACE67 (Result Bloc 3)
Data 3 EMM_Seed Prepared Key 3DES CBC = Result Data 2 Encrypt Data 3 Decrypted
RONDA 4: 330C884F922A0619 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 0C2DE40CAC49DDA7 {Xor} F97DF52C7BD5996F = F5501120D79C44C8 (Result Bloc 4)
Data 4 EMM_Seed Prepared Key 3DES CBC = Result Data 3 Encrypt Data 4 Decrypted
RONDA 5: 1338FB13E68B6BD2 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 2C7359CB7AF8C78A {Xor} 330C884F922A0619 = 1F7FD184E8D2C193 (Result Bloc 5)
Data 5 EMM_Seed Prepared Key 3DES CBC = Result Data 4 Encrypt Data 5 Decrypted
RONDA 6: 6AFCFE180C9340BA {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 69AFD81AA6896233 {Xor} 1338FB13E68B6BD2 = 7A972309400209E1 (Result Bloc 6)
Data 6 EMM_Seed Prepared Key 3DES CBC = Result Data 5 Encrypt Data 6 Decrypted
RONDA 7: 9A3152EB37327046 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 35FC7911E95FB504 {Xor} 6AFCFE180C9340BA = 5F008709E5CCF5BE (Result Bloc 7)
Data 7 EMM_Seed Prepared Key 3DES CBC = Result Data 6 Encrypt Data 7 Decrypted
Result All Round's = Data EMM Decrypted:
---------------------------------------------------------------------
- 4003031FE8FF5011 <<------ Data 1 Decrypt Rounda 1 -
- 1834C6668B4FCE0C <<------ Data 2 Decrypt Rounda 2 -
- 331AF31EBFDACE67 <<------ Data 3 Decrypt Rounda 3 -
- F5501120D79C44C8 <<------ Data 4 Decrypt Rounda 4 -
- 1F7FD184E8D2C193 <<------ Data 5 Decrypt Rounda 5 -
- 7A972309400209E1 <<------ Data 6 Decrypt Rounda 6 -
- 5F008709E5CCF5BE <<------ Data 7 Decrypt (Signature) Rounda 7 -
---------------------------------------------------------------------
EMM Decrypted:
82403F0208D7000030 [38] || 4003031FE8FF5011 || 1834C6668B4FCE0C || 331AF31EBFDACE67 || F5501120D79C44C8 || 1F7FD184E8D2C193 || 7A972309400209E1 || 5F008709E5CCF5BE
|| RONDA 1 || RONDA 2 || RONDA 3 || RONDA 4 || RONDA 5 || RONDA 6 || RONDA 7
Datos Descifrados....................................... .................................................. ...............................
Ahora ya tenemos la EMM Desencriptada pero no las OPKEYs, porque en Irdeto 2 tanto la EMM como OPKEYs Estan Encriptadas
desues de Desencritar la EMM llega el paso de desecnriptar las OPKEYS que se encuentran dentro de la EMM desencriptada
Primero Vamos a hacer un analisis a la EMM despues de que ha sido desencriptada
---------------------------------------------------------------------------------------------------------
Vamos a hacer un analisis a esta EMM la cual esta Desencriptada (Decrypted): - -
------------------------------------------------------------------------------- -
82403F <<------ Haeder { 3F= Longitud Hex:0x3F Dec:63 } -
02 <<------ Type Group 00 -
08D7 <<------ Address -
0000 <<------ Relleno -
30 <<------ Provider ID -
38 <<------ Longitud De Bytes (Hex: 0x38 = (Dec: 8*7=56 Bytes)) -
40 03 03 1F E8 FF -
50 11 18 <<------ Nano 50 °° Len 0x11 °° Index 18/4 = 06 -
34C6668B4FCE0C331AF31EBFDACE67F5 <<------ OPKEY Encrypt -
501120 <<------ Nano 50 °° Len 0x11 °° Index 20/4 = 08 -
D79C44C81F7FD184E8D2C1937A972309 <<------ OPKEY Encrypt -
40 <<------ Nano 40
02 <<------ Len
09 E1 <<------ Date?? -
5F008709E5CCF5BE <<------ Firma (Signature) -
---------------------------------------------------------------------------------------------------------
Donde esta el Nano 50 mas adelante + 3 bytes se encuentra La OPKEY
y hay otro caso que se puede encontrar tambien Nano 10 11 XX a la vez de 50 11 XX
y el index se divide sobre 4 y nos da el index que soportan los EMU's de Nuestros aparatos Reciver
si en la EMM es 08 pues se divide sobre 4 y resultado es Index 02
si en la EMM es 10 pues se divide sobre 4 y resultado es Index 04
si en la EMM es 18 pues se divide sobre 4 y resultado es Index 06
si en la EMM es 20 pues se divide sobre 4 y resultado es Index 08 ...
Veremos la EMM con otra manera
EMM Decrypted (OPKEYS EnCrypt):
82403F0208D7000030 [38] || 4003031FE8FF 501118 || 34C6668B4FCE0C33 1AF31EBFDACE67F5 || 501120 || D79C44C81F7FD184 E8D2C1937A972309 || 400209E1 5F008709E5CCF5BE
|| OPKEY ENCRYPT || || OPKEY ENCRYPT ||
************************************************** *******************************************
Pues ya tenemos las OPKEYS Encriptadas dentro de una emm Desencriptada, *
para la esencriptacion de estas OPKEYS Vamos al tercer Paso *
*
************************************************** ***********************
____________________________________
3- Nano Decrypt (Decrypt 3DES CBC) __________________________________________________ __________________________________________________ ________________________________
____________________________________
Pues como siempre el algortimo usado para Desencriptar estas OPKEYS es siempre 3DES CBC
Lo que necesitamos Data1 y Data2 son OPKEYs Encriptada y la key PMK y EMM_iv :
Data1 = 34C6668B4FCE0C33 1AF31EBFDACE67F5 (OPKEY ENCRYPT) <<-- OPKEY 06 (18)
Data2 = D79C44C81F7FD184 E8D2C1937A972309 (OPKEY ENCRYPT) <<-- OPKEY 08 (20)
PMK = AF38DA5E9E00AADB 39A1BCBCB060DEA3 (PMK PLEY MASTER KEY)
EMM_IV = 5BC9E74A983AA5A7 903B000000000000 (( IV 3DES CBC ) Solo usamos 8 bytes primeros)
vamos a Desencriptar La Primera OPKEY y luego la segunda ya la manera de desncriptar la primera es la misma que la segunda () Decrypt 3DESCBC)
-----------------------------
Data1 = 34C6668B4FCE0C33 1AF31EBFDACE67F5 (OPKEY ENCRYPT) <<-- OPKEY 06 (18)
Bloc 1 Encrypt Bloc 2 Encrypt
RONDA 1: 34C6668B4FCE0C33 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 98143F086A0A05B0 {Xor} 5BC9E74A983AA5A7 = C3DDD842F230A017
Bloc 1 Encrypt PMK Key 3DES CBC Result IV 3DES CBC Bloc1 OPKEY Decrypted
RONDA 2: 1AF31EBFDACE67F5 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 78DCF6648AB2F85E {Xor} 34C6668B4FCE0C33 = 4C1A90EFC57CF46D (OPKEY Decr)
Bloc 2 Encrypt PMK Key 3DES CBC Result Bloc1 Encrypt Bloc2 OPKEY Decrypted
OPKEY 06 (18) Decrypted: C3DDD842F230A017 4C1A90EFC57CF46D <<<< ----- ya tenemos la OPKEY Desencriptada por fin!!!!!!!!!!!!!!!
Bloc1 Decrypted Bloc2 Decrypted
-----------------------------
Data2 = D79C44C81F7FD184 E8D2C1937A972309 (OPKEY ENCRYPT) <<-- OPKEY 08 (20)
Bloc 1 Encrypt Bloc 2 Encrypt
RONDA 1: D79C44C81F7FD184 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 29F3F9202EB28219 {Xor} 5BC9E74A983AA5A7 = 723A1E6AB68827BE (OPKEY Decr)
Bloc 1 Encrypt PMK Key 3DES CBC Result IV 3DES CBC Bloc1 OPKEY Decrypted
RONDA 2: E8D2C1937A972309 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 43D5635A1C483DAD {Xor} D79C44C81F7FD184 = 944927920337EC29 (OPKEY Decr)
Bloc 2 Encrypt PMK Key 3DES CBC Result Bloc1 Encrypt Bloc2 OPKEY Decrypted
OPKEY 08 (20) Decrypted: 723A1E6AB68827BE 944927920337EC29 <<<< ----- ya tenemos la OPKEY Desencriptada por fin!!!!!!!!!!!!!!!
Bloc1 Decrypted Bloc2 Decrypted
-----------------------------
__________________________________________________ _________________________________
************************************************** ************ _
OPKEY 06 (18) Decrypted: C3DDD842F230A017 4C1A90EFC57CF46D * _
OPKEY 08 (20) Decrypted: 723A1E6AB68827BE 944927920337EC29 * _
************************************************** ************ _
_
_
Ahora ya tenemso la EMM y OPKEY's Desencriptadas: _
_
82403F <<-- Haeder _
02 <<-- Type Group 00 _
08D7 <<-- Adress _
0000 <<-- Relleno _
30 <<-- Provider ID Group _
38 <<-- Len (Hex: 0x38 = (Dec: 8*7=56 Bytes)) _
4003031FE8FF _
50 11 18 Nano 50 + Len 11 + Index 18 / 4 = 06 _
C3DDD842F230A017 4C1A90EFC57CF46D <<-- OP KEY Decrypt _
50 11 20 Nano 50 + Len 11 + Index 20 / 4 = 06 _
723A1E6AB68827BE 944927920337EC29 <<-- OP KEY Decrypt _
40 <<------ Nano 40 -
02 <<------ Len -
09 E1 <<------ Date?? _
5F008709E5CCF5BE <<------ Signature _
__________________________________________________ ______________________________
*************************************
4- CalculateMAC (3DES CBC Encrypt) ************************************************** *********************
************************************* *
*
Vamos ya estamos en el paso cuatro 4 y lo que vemos aqui es como se calcula la firma (Calculate Signature) *************************
*
Cojimos la EMM OPKEYS la cual esta Desencriptada: *
82403F0208D7000030384003031FE8FF501118C3DDD842F230 A0174C1A90EFC57CF46D501120723A1E6AB68827BE94492792 0337EC29400209E15F008709E5CCF5BE *************
*
*
EMM OPKKEY Decrypt: ||Delete|| (vamos a eliminar el haeder + 00 + Signature estan puestos entre ||xx|| ) *
*
||82403F||0208D700||00||30384003031FE8FF501118C3DD D842F230A0174C1A90EFC57CF46D501120723A1E6AB68827BE 944927920337EC29400209E1||5F008709E5CCF5BE|| *
*
y nos queda algo asi:
0208D70030384003031FE8FF501118C3DDD842F230A0174C1A 90EFC57CF46D501120723A1E6AB68827BE944927920337EC29 400209E1
- La separamos en Bloqueos:
0208D70030384003 Bloque 1
031FE8FF501118C3 Bloque 2
DDD842F230A0174C Bloque 3
1A90EFC57CF46D50 Bloque 4
1120723A1E6AB688 Bloque 5
27BE944927920337 Bloque 6
EC29400209E1 Bloque 7
- Como veis tenemos 7 bloqueos y cada bloqueo tiene 8 bytes menos el ultimo que solo lleva 6 bytes, ahora le anadimos 2 bytes al bloqueo 7
y estos 2 Bytes son las que estan en el segundo octeto de EMM-IV
EMM_IV = 5BC9E74A983AA5A7 903B000000000000 (necesitas estos dos bytes 903B para el calculo de la firma)
---- ----
- Despues de anadir estos dos bytes en el bloqueo 7 nos queda algo asi:
0208D70030384003 Bloque 1
031FE8FF501118C3 Bloque 2
DDD842F230A0174C Bloque 3
1A90EFC57CF46D50 Bloque 4
1120723A1E6AB688 Bloque 5
27BE944927920337 Bloque 6
EC29400209E1903B Bloque 7 <<<--- Add 2 Bytes de EMM_IV del segundo octeto
y la key 3DES es la que habiamos perparado en primer paso:
EMM_Seed Prepared: E046C69E8CB4A40DA16E52AF4CAE6A15 Key 3DES
ahora vamos a calcular la firma en 7 Rondas son 7 bloqueos:
|| 0208D70030384003 || 031FE8FF501118C3 || DDD842F230A0174C || 1A90EFC57CF46D50 || 1120723A1E6AB688 || 27BE944927920337 || EC29400209E1903B
|| RONDA 1 || RONDA 2 || RONDA 3 || RONDA 4 || RONDA 5 || RONDA 6 || RONDA 7
RONDA 1: 0208D70030384003 {Xor} 0000000000000000 = 0208D70030384003 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = AA8B12A7467A145F
Data 8 Bytes'ES' IV 3DES CBC Result EMM_Seed Prepared Key 3DES CBC Result Bloque 1
RONDA 2: AA8B12A7467A145F {Xor} 031FE8FF501118C3 = A994FA58166B0C9C {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = CDA5BB939E3BD120
Data 8 Bytes'ES' Bloque 2 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 2
RONDA 3: CDA5BB939E3BD120 {Xor} DDD842F230A0174C = 107DF961AE9BC66C {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 484B0E88CA120795
Data 8 Bytes'ES' Bloque 3 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 3
RONDA 4: 484B0E88CA120795 {Xor} 1A90EFC57CF46D50 = 52DBE14DB6E66AC5 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 287467CA90373AB3
Data 8 Bytes'ES' Bloque 4 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 4
RONDA 5: 287467CA90373AB3 {Xor} 1120723A1E6AB688 = 395415F08E5D8C3B {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = DB92F3C8E9730646
Data 8 Bytes'ES' Bloque 5 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 5
RONDA 6: DB92F3C8E9730646 {Xor} 27BE944927920337 = FC2C6781CEE10571 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = C815564DC98CDE6C
Data 8 Bytes'ES' Bloque 6 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 6
RONDA 7: C815564DC98CDE6C {Xor} EC29400209E1903B = 243C164FC06D4E57 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 5F008709E5CCF5BE *
Data 8 Bytes'ES' Bloque 7 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 7 *
*
*
Result final de la Ronda 7 es = 5F008709E5CCF5BE <<<--- Coindciden!!! == *
5F008709E5CCF5BE <<<--- Signature de la EMMOPKEY Decrypt *
*
************************************************** ************************************************** **********************************************
EMM PMK Decrypted:
824038C3FFFFFF0000003043ECF812DBB2F3B44C6AA1377479 D96E3C712B3670325DBF06F739CD488224A85949B939206612 4336F0F10AFAC8B81B
Keys Decrypt EMM PMK:
HMK0 Axi : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HMK1 Exi : BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
EMM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-----------------------------------------------------------------------------------------------------------------------
EMM PMK Decrypted:
8240 38 C3 FFFFFF 0000 00 30 010268240033333333333333333333333333333333 44444444444444444444444444444444 555566 AA54268F60038015
8240 ---**** Haeder Type EMM
38 ---**** Len (Hex: 0x38 (Dec: 56 Bytes))
C3 ---**** C3/CB PMK
FFFFFF ---**** Hex Serial
0000 ---**** Relleno
00 ---**** Provider ID Group
30 ---**** Len (Hex: 0x30 = (Dec: 8*6=48 Bytes))
01 ---****
02 ---****
68 ---**** Nano Update PMK
24 ---**** Len Data --**** Index
00 ---**** Index [00=00 | 01=10 | 02=20 | 03=30 | 04=40]
33333333333333333333333333333333 ---**** PMK0
44444444444444444444444444444444 ---**** PMK1
555566 ---**** Provider ID
AA54268F60038015 ---**** Signature MAC
Log:
-------- Kasita Botonnou @ Irdeto2 --------
PMK0 Enc : 8F754A711A62ACA8CC6F200370A6E332
PMK0 Dec : 33333333333333333333333333333333
-------- Kasita Botonnou @ Irdeto2 --------
PMK1 Enc : 8B8EC848BBCDA309423A4B528539EDCA
PMK1 Dec : 44444444444444444444444444444444
-------- Kasita Botonnou @ Irdeto2 --------
Log:
-------- Kasita Botonnou @ Irdeto2 --------
HMK0 Axi : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HMK1 Exi : BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
EMM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-------- Kasita Botonnou @ Irdeto2 --------
Hash OK : Signature Correct!!!
Sig MAC : AA54268F60038015 OK
#include <psppower.h>
#include <pspkernel.h>
#include <pspdebug.h>
#include <pspctrl.h>
#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <pspdisplay.h>
#include <pspaudiolib.h>
#include <pspaudio.h>
#include <png.h>
#include <pspgu.h>
#include <pspgum.h>
#include <pspsdk.h>
#include <math.h>
#include <malloc.h>
#include <limits.h>
#include "main.h"
#include "graphics.h"
#include "intraFont.h"
#include "pin.h"
#include "phone.h"
PSP_MODULE_INFO("IrdetoSage", 0, 1, 1);
PSP_MAIN_THREAD_ATTR(0);
sample_t* loop_buffer; //
short mic_level; //
int sam; //
int samsel; //
int samlock; //
int ssel; //
int step; // step counter
int alga; //
int algb; //
int algc; //
int del; // delay
int running; // program running flag
char fillerx[120]; //
char filler[120]; //
char fillerb[120]; //
u8 temp; //
unsigned int i; //
u8 HMK[9]; // 10 byte hex master key
u8 HMKX[9]; // 10 byte hex master key copy
u8 MK[7]; // 8 byte key EMK => PMK
u8 work; // work byte
int parity; // odd / even status flag
u8 hasha[256] = {
0xDA, 0x26, 0xE8, 0x72, 0x11, 0x52, 0x3E, 0x46,
0x32, 0xFF, 0x8C, 0x1E, 0xA7, 0xBE, 0x2C, 0x29,
0x5F, 0x86, 0x7E, 0x75, 0x0A, 0x08, 0xA5, 0x21,
0x61, 0xFB, 0x7A, 0x58, 0x60, 0xF7, 0x81, 0x4F,
0xE4, 0xFC, 0xDF, 0xB1, 0xBB, 0x6A, 0x02, 0xB3,
0x0B, 0x6E, 0x5D, 0x5C, 0xD5, 0xCF, 0xCA, 0x2A,
0x14, 0xB7, 0x90, 0xF3, 0xD9, 0x37, 0x3A, 0x59,
0x44, 0x69, 0xC9, 0x78, 0x30, 0x16, 0x39, 0x9A,
0x0D, 0x05, 0x1F, 0x8B, 0x5E, 0xEE, 0x1B, 0xC4,
0x76, 0x43, 0xBD, 0xEB, 0x42, 0xEF, 0xF9, 0xD0,
0x4D, 0xE3, 0xF4, 0x57, 0x56, 0xA3, 0x0F, 0xA6,
0x50, 0xFD, 0xDE, 0xD2, 0x80, 0x4C, 0xD3, 0xCB,
0xF8, 0x49, 0x8F, 0x22, 0x71, 0x84, 0x33, 0xE0,
0x47, 0xC2, 0x93, 0xBC, 0x7C, 0x3B, 0x9C, 0x7D,
0xEC, 0xC3, 0xF1, 0x89, 0xCE, 0x98, 0xA2, 0xE1,
0xC1, 0xF2, 0x27, 0x12, 0x01, 0xEA, 0xE5, 0x9B,
0x25, 0x87, 0x96, 0x7B, 0x34, 0x45, 0xAD, 0xD1,
0xB5, 0xDB, 0x83, 0x55, 0xB0, 0x9E, 0x19, 0xD7,
0x17, 0xC6, 0x35, 0xD8, 0xF0, 0xAE, 0xD4, 0x2B,
0x1D, 0xA0, 0x99, 0x8A, 0x15, 0x00, 0xAF, 0x2D,
0x09, 0xA8, 0xF5, 0x6C, 0xA1, 0x63, 0x67, 0x51,
0x3C, 0xB2, 0xC0, 0xED, 0x94, 0x03, 0x6F, 0xBA,
0x3F, 0x4E, 0x62, 0x92, 0x85, 0xDD, 0xAB, 0xFE,
0x10, 0x2E, 0x68, 0x65, 0xE7, 0x04, 0xF6, 0x0C,
0x20, 0x1C, 0xA9, 0x53, 0x40, 0x77, 0x2F, 0xA4,
0xFA, 0x6D, 0x73, 0x28, 0xE2, 0xCD, 0x79, 0xC8,
0x97, 0x66, 0x8E, 0x82, 0x74, 0x06, 0xC7, 0x88,
0x1A, 0x4A, 0x6B, 0xCC, 0x41, 0xE9, 0x9D, 0xB8,
0x23, 0x9F, 0x3D, 0xBF, 0x8D, 0x95, 0xC5, 0x13,
0xB9, 0x24, 0x5A, 0xDC, 0x64, 0x18, 0x38, 0x91,
0x7F, 0x5B, 0x70, 0x54, 0x07, 0xB6, 0x4B, 0x0E,
0x36, 0xAC, 0x31, 0xE6, 0xD6, 0x48, 0xAA, 0xB4};
u8 hashb[256] = {
0x8E, 0xD5, 0x32, 0x53, 0x4B, 0x18, 0x7F, 0x95,
0xBE, 0x30, 0xF3, 0xE0, 0x22, 0xE1, 0x68, 0x90,
0x82, 0xC8, 0xA8, 0x57, 0x21, 0xC5, 0x38, 0x73,
0x61, 0x5D, 0x5A, 0xD6, 0x60, 0xB7, 0x48, 0x70,
0x2B, 0x7A, 0x1D, 0xD1, 0xB1, 0xEC, 0x7C, 0xAA,
0x2F, 0x1F, 0x37, 0x58, 0x72, 0x88, 0xFF, 0x87,
0x1C, 0xCB, 0x00, 0xE6, 0x4E, 0xAB, 0xEB, 0xB3,
0xF7, 0x59, 0x71, 0x6A, 0x64, 0x2A, 0x55, 0x4D,
0xFC, 0xC0, 0x51, 0x01, 0x2D, 0xC4, 0x54, 0xE2,
0x9F, 0x26, 0x16, 0x27, 0xF2, 0x9C, 0x86, 0x11,
0x05, 0x29, 0xA2, 0x78, 0x49, 0xB2, 0xA6, 0xCA,
0x96, 0xE5, 0x33, 0x3F, 0x46, 0xBA, 0xD0, 0xBB,
0x5F, 0x84, 0x98, 0xE4, 0xF9, 0x0A, 0x62, 0xEE,
0xF6, 0xCF, 0x94, 0xF0, 0xEA, 0x1E, 0xBF, 0x07,
0x9B, 0xD9, 0xE9, 0x74, 0xC6, 0xA4, 0xB9, 0x56,
0x3E, 0xDB, 0xC7, 0x15, 0xE3, 0x80, 0xD7, 0xED,
0xEF, 0x13, 0xAC, 0xA1, 0x91, 0xC2, 0x89, 0x5B,
0x08, 0x0B, 0x4C, 0x02, 0x3A, 0x5C, 0xA9, 0x3B,
0xCE, 0x6B, 0xA7, 0xE7, 0xCD, 0x7B, 0xA0, 0x47,
0x09, 0x6D, 0xF8, 0xF1, 0x8B, 0xB0, 0x12, 0x42,
0x4A, 0x9A, 0x17, 0xB4, 0x7E, 0xAD, 0xFE, 0xFD,
0x2C, 0xD3, 0xF4, 0xB6, 0xA3, 0xFA, 0xDF, 0xB8,
0xD4, 0xDA, 0x0F, 0x50, 0x93, 0x66, 0x6C, 0x20,
0xD8, 0x8A, 0xDD, 0x31, 0x1A, 0x8C, 0x06, 0xD2,
0x44, 0xE8, 0x23, 0x43, 0x6E, 0x10, 0x69, 0x36,
0xBC, 0x19, 0x8D, 0x24, 0x81, 0x14, 0x40, 0xC9,
0x6F, 0x2E, 0x45, 0x52, 0x41, 0x92, 0x34, 0xFB,
0x5E, 0x0D, 0xF5, 0x76, 0x25, 0x77, 0x63, 0x65,
0xAF, 0x4F, 0xCC, 0x03, 0x9D, 0x0C, 0x28, 0x39,
0x85, 0xDE, 0xB5, 0x7D, 0x67, 0x83, 0xBD, 0xC3,
0xDC, 0x3C, 0xAE, 0x99, 0x04, 0x75, 0x8F, 0x97,
0xC1, 0xA5, 0x9E, 0x35, 0x0E, 0x3D, 0x1B, 0x79};
void printgreen(void);
void printgreenX(void);
void printscreen(void);
void algostep(void);
void audioLoopStop(void);
void rotateright(void);
void rotateleft(void);
void decryptEMK(void);
void encryptPMK(void);
intraFont* ltn8;
void audioOutputLoopCallback(void* buf, unsigned int length, void *userdata) {
sample_t* ubuf = (sample_t*) buf;
int i;
if (samlock == 1) {
if (samsel == 1) {
for (i = 0; i < 1024; i++) {
ubuf.l = pin[sam+1] + (pin[sam]*256);
ubuf.r = ubuf.l;
sam++;
sam++;
if (sam > 97009) {
ubuf.l = 0;
ubuf.r = 0;
samlock = 0;
}
}
}
if (samsel == 2) {
for (i = 0; i < 1024; i++) {
ubuf.l = phone[sam+1] + (phone[sam]*256);
ubuf.r = ubuf.l;
sam++;
sam++;
if (sam < 44) {
ubuf.l = 0;
ubuf.r = 0;
}
if (sam > 11532) {
ubuf.l = 0;
ubuf.r = 0;
samlock = 0;
}
}
}
}
if (samlock == 0) {
int bbb;
for (bbb = 0; bbb < 1024; bbb++) {
ubuf[bbb].l = 0xFFFF;
ubuf[bbb].r = 0xFFFF;
}
}
}
void audioLoopStart() {
loop_buffer = (sample_t*) malloc(PSP_NUM_AUDIO_SAMPLES * sizeof(sample_t));
sceKernelDelayThread(200000);
pspAudioSetChannelCallback(0, audioOutputLoopCallback, NULL);
}
int main(void) {
intraFontInit();
ltn8 = intraFontLoad("flash0:/font/ltn8.pgf",INTRAFONT_CACHE_ASCII);
if(!ltn8) sceKernelExitGame();
initGraphics();
running = 1; // set program running flag
loop_buffer = NULL;
pspAudioInit();
sceDisplayWaitVblankStart();
sceDisplayWaitVblankStart();
audioLoopStart();
sceDisplayWaitVblankStart();
sceDisplayWaitVblankStart();
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
samsel = 2; // select intro sample
clearScreen(0);
sprintf(fillerx, "IRDETO SAGE");
guStart();
intraFontSetStyle(ltn8, 2.5f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, fillerx);
intraFontSetStyle(ltn8, 1.5f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 170, "Key Cypher Demo - Art 2008!");
sprintf(filler, "PSP Intrafont library by BenHur");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 230, filler);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
for(del=0; del<300; del++) {sceDisplayWaitVblankStart();}
sprintf(fillerx, "Irdeto Key Cypher Demo - Art 2008");
clearScreen(0);
sprintf(filler, " ");
guStart();
intraFontSetStyle(ltn8, 1.0f,0xFFFF5555,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 130, filler);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
HMK[9] = 0x11; // copy initial values to key arrays
HMK[8] = 0x11;
HMK[7] = 0x11;
HMK[6] = 0x11;
HMK[5] = 0x11;
HMK[4] = 0x11;
HMK[3] = 0x11;
HMK[2] = 0x11;
HMK[1] = 0x11;
HMK[0] = 0x11;
MK[7] = 0x22; MK[6] = 0x22; MK[5] = 0x22; MK[4] = 0x22; MK[3] = 0x22; MK[2] = 0x22; MK[1] = 0x22; MK[0] = 0x22;
// MK[7] = 0xE7; MK[6] = 0xF6; MK[5] = 0xA0; MK[4] = 0xDB; MK[3] = 0xB2; MK[2] = 0x93; MK[1] = 0xC3; MK[0] = 0xB7;
clearScreen(0);
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMK[0],HMK[1],HMK[2],HMK[3],HMK[4],HMK[5],HMK[6],HMK[7],HMK[8],HMK[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "EMK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 250, "PRESS X TO DECRYPT");
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
int stopper;
stopper = 0;
while (stopper == 0) {
SceCtrlData xpad;
sceCtrlSetSamplingMode(1);
sceCtrlPeekBufferPositive(&xpad, 1);
if(xpad.Buttons & PSP_CTRL_CROSS) {
stopper = 1;
}
if(xpad.Buttons & PSP_CTRL_CIRCLE) {
stopper = 2;
}
if(xpad.Buttons & PSP_CTRL_TRIANGLE) {
stopper = 3;
}
} // while
if (stopper == 1) {decryptEMK();printgreen();}
if (stopper == 2) {encryptPMK();printgreen();}
if (stopper == 3) {
decryptEMK();printgreen();
for(del=0; del<10; del++) {HMK[del] = HMKX[del];}
encryptPMK();printgreenX();
}
while (running == 1) {
clearScreen(0); // intrafont action
sceDisplayWaitVblankStart();
flipScreen();
clearScreen(0); // intrafont action
guStart();
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 145, "DONE!");
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
for(del=0; del<100; del++) {sceDisplayWaitVblankStart();}
running = 0;
} // running
audioLoopStop(); // stop audio routine
pspAudioEnd();
sceKernelExitGame(); // exit program
return 0;
} // main ************
void algostep() {
if(HMK[alga]&1) {parity = 1;} else {parity = 0;}
work = HMK[alga] ^ MK[algb];
if (parity == 1) {MK[algc] = hasha[work] ^ MK[algc];} else {MK[algc] = hashb[work] ^ MK[algc];}
printscreen();
}
void printscreen() {
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMK[0],HMK[1],HMK[2],HMK[3],HMK[4],HMK[5],HMK[6],HMK[7],HMK[8],HMK[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
clearScreen(0);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "MK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
clearScreen(0);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "MK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
if (ssel == 0) {
samsel = 2; // select intro sample
} else {
samsel = 1; // select intro sample
ssel = 0;
}
for(del=0; del<2; del++) {sceDisplayWaitVblankStart();}
}
void printgreen() {
clearScreen(0);
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMKX[0],HMKX[1],HMKX[2],HMKX[3],HMKX[4],HMKX[5],HMKX[6],HMKX[7],HMKX[8],HMKX[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "PMK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFF55EF55,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
samsel = 1; // select intro sample
for(del=0; del<2; del++) {sceDisplayWaitVblankStart();}
for(del=0; del<650; del++) {sceDisplayWaitVblankStart();}
}
void printgreenX() {
clearScreen(0);
sprintf(filler, "%X %X %X %X %X %X %X %X %X %X",HMKX[0],HMKX[1],HMKX[2],HMKX[3],HMKX[4],HMKX[5],HMKX[6],HMKX[7],HMKX[8],HMKX[9]);
sprintf(fillerb, "%X %X %X %X %X %X %X %X", MK[0], MK[1], MK[2], MK[3], MK[4], MK[5], MK[6], MK[7]);
guStart();
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 95, "HMK:");
intraFontSetStyle(ltn8, 1.5f,0xFF777777,0,INTRAFONT_ALIGN_LEFT);
intraFontPrint(ltn8, 0, 155, "EMK:");
intraFontSetStyle(ltn8, 1.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 10, fillerx);
intraFontSetStyle(ltn8, 2.0f,0xFFEFDDCA,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 120, filler);
intraFontSetStyle(ltn8, 2.0f,0xFF55EF55,0,INTRAFONT_ALIGN_CENTER);
intraFontPrint(ltn8, 240, 180, fillerb);
sceGuFinish();
sceGuSync(0,0);
sceDisplayWaitVblankStart();
flipScreen();
sam = 1; // set sample address counter
samlock = 1; // re-enable player routine
samsel = 1; // select intro sample
for(del=0; del<2; del++) {sceDisplayWaitVblankStart();}
for(del=0; del<650; del++) {sceDisplayWaitVblankStart();}
}
void rotateright() {
temp = (HMK[9] << 7); // rotate HMK right once
HMK[9] = (HMK[8] << 7) | (HMK[9] **** 1);
HMK[8] = (HMK[7] << 7) | (HMK[8] **** 1);
HMK[7] = (HMK[6] << 7) | (HMK[7] **** 1);
HMK[6] = (HMK[5] << 7) | (HMK[6] **** 1);
HMK[5] = (HMK[4] << 7) | (HMK[5] **** 1);
HMK[4] = (HMK[3] << 7) | (HMK[4] **** 1);
HMK[3] = (HMK[2] << 7) | (HMK[3] **** 1);
HMK[2] = (HMK[1] << 7) | (HMK[2] **** 1);
HMK[1] = (HMK[0] << 7) | (HMK[1] **** 1);
HMK[0] = temp | (HMK[0] **** 1);
ssel = 1;
printscreen();
}
void rotateleft() {
temp = (HMK[0] **** 7); // rotate HMK right once
HMK[0] = (HMK[1] **** 7) | (HMK[0] << 1);
HMK[1] = (HMK[2] **** 7) | (HMK[1] << 1);
HMK[2] = (HMK[3] **** 7) | (HMK[2] << 1);
HMK[3] = (HMK[4] **** 7) | (HMK[3] << 1);
HMK[4] = (HMK[5] **** 7) | (HMK[4] << 1);
HMK[5] = (HMK[6] **** 7) | (HMK[5] << 1);
HMK[6] = (HMK[7] **** 7) | (HMK[6] << 1);
HMK[7] = (HMK[8] **** 7) | (HMK[7] << 1);
HMK[8] = (HMK[9] **** 7) | (HMK[8] << 1);
HMK[9] = temp | (HMK[9] << 1);
ssel = 1;
printscreen();
}
void encryptPMK() {
for(del=0; del<10; del++) {HMKX[del] = HMK[del];}
for(step=0; step<13; step++) {rotateright();}
alga = 7; algb = 5; algc = 0;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 0; algb = 0; algc = 3;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 0;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 0; algb = 2; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 2;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 0; algb = 4; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 4;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 0; algb = 6; algc = 1;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 6;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 7; algb = 7; algc = 0;
algostep();
alga = 6; algb = 6; algc = 7;
algostep();
alga = 5; algb = 5; algc = 6;
algostep();
alga = 4; algb = 4; algc = 5;
algostep();
alga = 3; algb = 3; algc = 4;
algostep();
alga = 2; algb = 2; algc = 3;
algostep();
alga = 1; algb = 1; algc = 2;
algostep();
alga = 0; algb = 0; algc = 1;
algostep();
rotateleft();
alga = 9; algb = 5; algc = 0;
algostep();
alga = 8; algb = 2; algc = 5;
algostep();
alga = 7; algb = 7; algc = 2;
algostep();
alga = 6; algb = 4; algc = 7;
algostep();
alga = 5; algb = 1; algc = 4;
algostep();
alga = 4; algb = 6; algc = 1;
algostep();
alga = 3; algb = 3; algc = 6;
algostep();
alga = 2; algb = 0; algc = 3;
algostep();
alga = 1; algb = 7; algc = 0;
algostep();
alga = 0; algb = 6; algc = 7;
algostep();
rotateleft();
alga = 9; algb = 5; algc = 6;
algostep();
alga = 8; algb = 4; algc = 5;
algostep();
alga = 7; algb = 3; algc = 4;
algostep();
alga = 6; algb = 2; algc = 3;
algostep();
alga = 5; algb = 1; algc = 2;
algostep();
alga = 4; algb = 0; algc = 1;
algostep();
alga = 3; algb = 5; algc = 0;
algostep();
alga = 2; algb = 2; algc = 5;
algostep();
alga = 1; algb = 7; algc = 2;
algostep();
alga = 0; algb = 4; algc = 7;
algostep();
rotateleft();
alga = 9; algb = 1; algc = 4;
algostep();
alga = 8; algb = 6; algc = 1;
algostep();
alga = 7; algb = 3; algc = 6;
algostep();
alga = 6; algb = 0; algc = 3;
algostep();
alga = 5; algb = 7; algc = 0;
algostep();
alga = 4; algb = 6; algc = 7;
algostep();
alga = 3; algb = 5; algc = 6;
algostep();
alga = 2; algb = 4; algc = 5;
algostep();
alga = 1; algb = 3; algc = 4;
algostep();
alga = 0; algb = 2; algc = 3;
algostep();
rotateleft();
alga = 9; algb = 1; algc = 2;
algostep();
alga = 8; algb = 0; algc = 1;
algostep();
alga = 7; algb = 5; algc = 0;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 0; algb = 0; algc = 3;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 0;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 0; algb = 2; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 7; algc = 2;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 0; algb = 4; algc = 5;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 4;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 0; algb = 6; algc = 1;
algostep();
rotateleft();
alga = 9; algb = 3; algc = 6;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 7; algb = 7; algc = 0;
algostep();
for(step=7; step>0; step--) { // round one
if(HMK[step]&1) {parity = 1;} else {parity = 0;}
work = HMK[step] ^ MK[step];
if (parity == 1) {MK[step+1] = hasha[work] ^ MK[step+1];} else {MK[step+1] = hashb[work] ^ MK[step+1];}
printscreen();
} // step
alga = 0; algb = 0; algc = 1;
if(HMK[alga]&1) {parity = 1;} else {parity = 0;}
work = HMK[alga] ^ MK[algb];
if (parity == 1) {MK[algc] = hasha[work] ^ MK[algc];} else {MK[algc] = hashb[work] ^ MK[algc];}
}
void decryptEMK() {
for(del=0; del<10; del++) {HMKX[del] = HMK[del];}
rotateright();
for(step=0; step<7; step++) { // round one
if(HMK[step]&1) {parity = 1;} else {parity = 0;}
work = HMK[step] ^ MK[step];
if (parity == 1) {MK[step+1] = hasha[work] ^ MK[step+1];} else {MK[step+1] = hashb[work] ^ MK[step+1];}
printscreen();
} // step
alga = 7; algb = 7; algc = 0;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 9; algb = 3; algc = 6;
algostep();
rotateright();
alga = 0; algb = 6; algc = 1;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 9; algb = 3; algc = 4;
algostep();
rotateright();
alga = 0; algb = 4; algc = 5;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 9; algb = 7; algc = 2;
algostep();
rotateright();
alga = 0; algb = 2; algc = 5;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 9; algb = 7; algc = 0;
algostep();
rotateright();
alga = 0; algb = 0; algc = 3;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 7; algb = 5; algc = 0;
algostep();
alga = 8; algb = 0; algc = 1;
algostep();
alga = 9; algb = 1; algc = 2;
algostep();
rotateright();
alga = 0; algb = 2; algc = 3;
algostep();
alga = 1; algb = 3; algc = 4;
algostep();
alga = 2; algb = 4; algc = 5;
algostep();
alga = 3; algb = 5; algc = 6;
algostep();
alga = 4; algb = 6; algc = 7;
algostep();
alga = 5; algb = 7; algc = 0;
algostep();
alga = 6; algb = 0; algc = 3;
algostep();
alga = 7; algb = 3; algc = 6;
algostep();
alga = 8; algb = 6; algc = 1;
algostep();
alga = 9; algb = 1; algc = 4;
algostep();
rotateright();
alga = 0; algb = 4; algc = 7;
algostep();
alga = 1; algb = 7; algc = 2;
algostep();
alga = 2; algb = 2; algc = 5;
algostep();
alga = 3; algb = 5; algc = 0;
algostep();
alga = 4; algb = 0; algc = 1;
algostep();
alga = 5; algb = 1; algc = 2;
algostep();
alga = 6; algb = 2; algc = 3;
algostep();
alga = 7; algb = 3; algc = 4;
algostep();
alga = 8; algb = 4; algc = 5;
algostep();
alga = 9; algb = 5; algc = 6;
algostep();
rotateright();
alga = 0; algb = 6; algc = 7;
algostep();
alga = 1; algb = 7; algc = 0;
algostep();
alga = 2; algb = 0; algc = 3;
algostep();
alga = 3; algb = 3; algc = 6;
algostep();
alga = 4; algb = 6; algc = 1;
algostep();
alga = 5; algb = 1; algc = 4;
algostep();
alga = 6; algb = 4; algc = 7;
algostep();
alga = 7; algb = 7; algc = 2;
algostep();
alga = 8; algb = 2; algc = 5;
algostep();
alga = 9; algb = 5; algc = 0;
algostep();
rotateright();
alga = 0; algb = 0; algc = 1;
algostep();
alga = 1; algb = 1; algc = 2;
algostep();
alga = 2; algb = 2; algc = 3;
algostep();
alga = 3; algb = 3; algc = 4;
algostep();
alga = 4; algb = 4; algc = 5;
algostep();
alga = 5; algb = 5; algc = 6;
algostep();
alga = 6; algb = 6; algc = 7;
algostep();
alga = 7; algb = 7; algc = 0;
algostep();
alga = 8; algb = 0; algc = 3;
algostep();
alga = 9; algb = 3; algc = 6;
algostep();
rotateright();
alga = 0; algb = 6; algc = 1;
algostep();
alga = 1; algb = 1; algc = 4;
algostep();
alga = 2; algb = 4; algc = 7;
algostep();
alga = 3; algb = 7; algc = 2;
algostep();
alga = 4; algb = 2; algc = 5;
algostep();
alga = 5; algb = 5; algc = 0;
algostep();
alga = 6; algb = 0; algc = 1;
algostep();
alga = 7; algb = 1; algc = 2;
algostep();
alga = 8; algb = 2; algc = 3;
algostep();
alga = 9; algb = 3; algc = 4;
algostep();
rotateright();
alga = 0; algb = 4; algc = 5;
algostep();
alga = 1; algb = 5; algc = 6;
algostep();
alga = 2; algb = 6; algc = 7;
algostep();
alga = 3; algb = 7; algc = 0;
algostep();
alga = 4; algb = 0; algc = 3;
algostep();
alga = 5; algb = 3; algc = 6;
algostep();
alga = 6; algb = 6; algc = 1;
algostep();
alga = 7; algb = 1; algc = 4;
algostep();
alga = 8; algb = 4; algc = 7;
algostep();
alga = 9; algb = 7; algc = 2;
algostep();
rotateright();
alga = 0; algb = 2; algc = 5;
algostep();
alga = 1; algb = 5; algc = 0;
algostep();
alga = 2; algb = 0; algc = 1;
algostep();
alga = 3; algb = 1; algc = 2;
algostep();
alga = 4; algb = 2; algc = 3;
algostep();
alga = 5; algb = 3; algc = 4;
algostep();
alga = 6; algb = 4; algc = 5;
algostep();
alga = 7; algb = 5; algc = 6;
algostep();
alga = 8; algb = 6; algc = 7;
algostep();
alga = 9; algb = 7; algc = 0;
algostep();
rotateright();
alga = 0; algb = 0; algc = 3;
algostep();
alga = 1; algb = 3; algc = 6;
algostep();
alga = 2; algb = 6; algc = 1;
algostep();
alga = 3; algb = 1; algc = 4;
algostep();
alga = 4; algb = 4; algc = 7;
algostep();
alga = 5; algb = 7; algc = 2;
algostep();
alga = 6; algb = 2; algc = 5;
algostep();
alga = 7; algb = 5; algc = 0;
if(HMK[alga]&1) {parity = 1;} else {parity = 0;}
work = HMK[alga] ^ MK[algb];
if (parity == 1) {MK[algc] = hasha[work] ^ MK[algc];} else {MK[algc] = hashb[work] ^ MK[algc];}
}
CM CW Decrypted:
807031F70405003200060028F283D57D7B2F00C7E814AE065C 72156B6109EBBA24BA4ED7CC2795177F9D012049276690CBB7 F761
Keys Decrypt ECM CW:
OP KEY 06 : 88A4160D2643EC48E2753C36AEAE236D
ECM SEED : 94B249D7D873C04C432949379CB4964C
ECM SEED Prepare : 0852008627608B684B4A811AD902AB48
ECM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-------------------------------------------------------------------------------------------------------------
ECM CW Decrypted:
807031F704050032000600 28 03FC3401400200437812061200000045409050B10008081220 0000CD04020000 6E805C470922678E
8070 ---**** Haeder Type EMM ( 80=CW0 Active Or 81= CW1 Active )
31 ---**** Len (Hex: 0x31 (Dec: 49 Bytes))
F70405
0032 ---**** Channel ID
00 ---**** Provider
06 ---**** Index OPKEY
00
28 ---**** Len (Hex: 0x28 = (Dec: 8*5=40 Bytes))
03FC3401
40 ---**** Nano Date
02 ---**** Len Date
0043 ---**** Date ??
78 ---**** Nano Update DCW
12 ---**** Len
06 ---**** Index OPKEY
12 ---**** 80=12 || 81=13
00000045409050B100080812200000CD ---**** DCW Decrypted
04 02 00 00
6E805C470922678E ---**** Signature MAC
Log:
-------------------- Kasita Botonnou @ Irdeto2 --------------------
OP KEY 06 : 88A4160D2643EC48E2753C36AEAE236D
ECM SEED : 94B249D7D873C04C432949379CB4964C
ECM SEED Prepare : 0852008627608B684B4A811AD902AB48
ECM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-------------------- Kasita Botonnou @ Irdeto2 --------------------
DCW DECRYPTED OK : 00000045409050B100080812200000CD By K. Botonnou
-------------------- Kasita Botonnou @ Irdeto2 --------------------
Key Used Is Inde : 06
-------------------- Kasita Botonnou @ Irdeto2 --------------------
Sig Correct!!! : 6E805C470922678E
void audioLoopStop() {
pspAudioSetChannelCallback(0, NULL, NULL);
}
---------------------------------------------------------------------------------------------------------
Antes De Todo vamos a ver las keys necesarios para Desencrytar una EMM o sea para hacer un Auto Update: -
-
ART : 060400 -
PMK : AF38DA5E9E00AADB 39A1BCBCB060DEA3 Adrress: 08D7 -
EMM-Seed : DA65344511C953D8 6EDAF329EF20376E -
Common-IV: 5BC9E74A983AA5A7 903B000000000000 -
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
y La EMM OPKEY Encrypatada (Encrypt) es la siguiente: - -
-------------------------------------------------------- -
EMM: 82403F0208D7000030384913FC3C61266ED85CD727D1E7A657 83F97DF52C7BD5996F330C884F922A06191338FB13E -
68B6BD26AFCFE180C9340BA9A3152EB37327046 -
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
Vamos a hacer un analisis a esta EMM OPKEY la cual esta Encriptada (Encrypt): - -
------------------------------------------------------------------------------- -
82403F <<------ Haeder { 3F= Longitud Hex:0x3F Dec:63 } -
02 <<------ Type Group 00 -
08D7 <<------ Address -
0000 <<------ Relleno -
30 <<------ Provider ID -
38 <<------ Longitud De Bytes (Hex: 0x38 = (Dec: 8*7=56 Bytes)) -
4913FC3C61266ED8 <<------ Data 1 Encrypt -
5CD727D1E7A65783 <<------ Data 2 Encrypt -
F97DF52C7BD5996F <<------ Data 3 Encrypt -
330C884F922A0619 <<------ Data 4 Encrypt -
1338FB13E68B6BD2 <<------ Data 5 Encrypt -
6AFCFE180C9340BA <<------ Data 6 Encrypt -
9A3152EB37327046 <<------ Data 7 Encrypt (Signature) -
---------------------------------------------------------------------------------------------------------
El Algortimo Usado para Desencriptar una EMM o ECM deIrdeto 2 es el algortimo 3DES CBC
aqui no hablamos sobe este algortimo ya es conocido
Ahora Vamos a empezar paso a paso y veremos todo el proceso de desencriptar una EMM Ir2 hasta el calculo de la firma (Signature)
Los Pasos Son:
1- Prepared EMM_SEED (Encrypt 3DESCBC)
2- Decrypt EMM (Decrypt 3DESCBC)
3- Decrypt Nano (Decrypt 3DESCBC)
4- CalculateMAC (Encrypt 3DESCBC)
****************************************
1- Prepared EMM_SEED (Encrypt 3DESCBC) ************************************************** *******
**************************************** *
*
Primer paso hacemos una preparacion de la Key EMM_Seed con el Algortimo 3DES CBC (Encrypt) *
ya tenemos la PMK como la Key que vamos a usar para el algortimo 3DES CBC *
EMM_Seed es Data o el mensaje que damos al algortimo 3DES CBC *
y IV es el que usa el algortimo 3DES CBC para hacer el XOR *
*
*
PMK = AF38DA5E9E00AADB 39A1BCBCB060DEA3 (16 bytes) Key 3DES CBC (K1=K3) *
EMM Seed = DA65344511C953D8 6EDAF329EF20376E (16 bytes) Data 3DES CBC *
IV = 0000000000000000 (08 bytes) IV 3DES CBC ******************
*
*
Pues Empezamos: ************************************************** *********************
*
DA65344511C953D8 {Xor} 0000000000000000 = DA65344511C953D8 {Encrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = E046C69E8CB4A40D *
Data 8 Bytes'ES' IV 3DES CBC Result PMK Key 3DES CBC Bloc1 Emm_Seed Prepared ok *
*
6EDAF329EF20376E {Xor} E046C69E8CB4A40D = 8E9C35B763949363 {Encrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = A16E52AF4CAE6A15 *
Data 8 Bytes'ES' Blo1 Emm_Seed Pre Result PMK Key 3DES CBC Bloc2 Emm_Seed Prepared ok *
*
*
EMM_Seed Preparado = E046C69E8CB4A40D A16E52AF4CAE6A15 (After Despues de Prepararlo con el algortimo usado 3DES CBC) **********************
*
*
ya esta terminado el primer paso lo que era hacer un 3DES CBC para perparar la EMM_SEED *
EMM_SEED Prepared: E046C69E8CB4A40D A16E52AF4CAE6A15 *
*
************************************************** ************************************************** ****************************
**********************************
2- Decrypt EMM (Decrypt 3DESCBC) ************************************************** **********************************
********************************** *
*
Ya estamos en el segundo paso y siempre con el algotimo 3DESCBC pero ahora hay que Desencriptar (Decrypt 3DES CBC) *
y lo que tenemos que Desencriptar son los bloqueos cifrado en la EMM ya son 7 bloqueos como habamos Visto arriba *
*
y lo necesario aqui es Data son datos de la Emm Cifrados y vamos a Desencriptar 8 a 8 Bytes *
EMM_Seed Prepared como la Key que vamos a usar para el algortimo 3DES CBC *****************
y la key EMM_IV como Key de IV que usamos para el Xor de 3DESCBC *
*
Data = (Ocho a ocho bytes (son datos de emm los cuales estan cifrados)) *
EMM_Seed Prepared = E046C69E8CB4A40D A16E52AF4CAE6A15 (Preparado va a ser la key 3des) *
EMM_IV = 5BC9E74A983AA5A7 903B000000000000 (Solo 8 bytes primeros) *
*
Los bloqueos datos de la EMM que tenemos son 7 bloqueos pues 7 Roundas *
--------------------------------------------------------------------- *
- 4913FC3C61266ED8 <<------ Data 1 Encrypt Rounda 1 - *
- 5CD727D1E7A65783 <<------ Data 2 Encrypt Rounda 2 - *
- F97DF52C7BD5996F <<------ Data 3 Encrypt Rounda 3 - *
- 330C884F922A0619 <<------ Data 4 Encrypt Rounda 4 - *
- 1338FB13E68B6BD2 <<------ Data 5 Encrypt Rounda 5 - *
- 6AFCFE180C9340BA <<------ Data 6 Encrypt Rounda 6 - *
- 9A3152EB37327046 <<------ Data 7 Encrypt (Signature) Rounda 7 - *
--------------------------------------------------------------------- *
*
Empezamos a Descifrar ocho a ocho Bytes con el algortimo 3DES CBC : *
*
************************************************** ******************************
EMM Encrypted:
82403F0208D7000030 [38] || 4913FC3C61266ED8 || 5CD727D1E7A65783 || F97DF52C7BD5996F || 330C884F922A0619 || 1338FB13E68B6BD2 || 6AFCFE180C9340BA || 9A3152EB37327046
|| RONDA 1 || RONDA 2 || RONDA 3 || RONDA 4 || RONDA 5 || RONDA 6 || RONDA 7
Datos Cifrados.......................................... .................................................. ...............................
RONDA 1: 4913FC3C61266ED8 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 1BCAE45570C5F5B6 {Xor} 5BC9E74A983AA5A7 = 4003031FE8FF5011 (Result Bloc 1)
Data 1 EMM_Seed Prepared Key 3DES CBC = Result EMM_IV Data 1 Decrypted
RONDA 2: 5CD727D1E7A65783 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 51273A5AEA69A0D4 {Xor} 4913FC3C61266ED8 = 1834C6668B4FCE0C (Result Bloc 2)
Data 2 EMM_Seed Prepared Key 3DES CBC = Result Data 1 Encrypt Data 2 Decrypted
RONDA 3: F97DF52C7BD5996F {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 6FCDD4CF587C99E4 {Xor} 5CD727D1E7A65783 = 331AF31EBFDACE67 (Result Bloc 3)
Data 3 EMM_Seed Prepared Key 3DES CBC = Result Data 2 Encrypt Data 3 Decrypted
RONDA 4: 330C884F922A0619 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 0C2DE40CAC49DDA7 {Xor} F97DF52C7BD5996F = F5501120D79C44C8 (Result Bloc 4)
Data 4 EMM_Seed Prepared Key 3DES CBC = Result Data 3 Encrypt Data 4 Decrypted
RONDA 5: 1338FB13E68B6BD2 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 2C7359CB7AF8C78A {Xor} 330C884F922A0619 = 1F7FD184E8D2C193 (Result Bloc 5)
Data 5 EMM_Seed Prepared Key 3DES CBC = Result Data 4 Encrypt Data 5 Decrypted
RONDA 6: 6AFCFE180C9340BA {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 69AFD81AA6896233 {Xor} 1338FB13E68B6BD2 = 7A972309400209E1 (Result Bloc 6)
Data 6 EMM_Seed Prepared Key 3DES CBC = Result Data 5 Encrypt Data 6 Decrypted
RONDA 7: 9A3152EB37327046 {Decrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 35FC7911E95FB504 {Xor} 6AFCFE180C9340BA = 5F008709E5CCF5BE (Result Bloc 7)
Data 7 EMM_Seed Prepared Key 3DES CBC = Result Data 6 Encrypt Data 7 Decrypted
Result All Round's = Data EMM Decrypted:
---------------------------------------------------------------------
- 4003031FE8FF5011 <<------ Data 1 Decrypt Rounda 1 -
- 1834C6668B4FCE0C <<------ Data 2 Decrypt Rounda 2 -
- 331AF31EBFDACE67 <<------ Data 3 Decrypt Rounda 3 -
- F5501120D79C44C8 <<------ Data 4 Decrypt Rounda 4 -
- 1F7FD184E8D2C193 <<------ Data 5 Decrypt Rounda 5 -
- 7A972309400209E1 <<------ Data 6 Decrypt Rounda 6 -
- 5F008709E5CCF5BE <<------ Data 7 Decrypt (Signature) Rounda 7 -
---------------------------------------------------------------------
EMM Decrypted:
82403F0208D7000030 [38] || 4003031FE8FF5011 || 1834C6668B4FCE0C || 331AF31EBFDACE67 || F5501120D79C44C8 || 1F7FD184E8D2C193 || 7A972309400209E1 || 5F008709E5CCF5BE
|| RONDA 1 || RONDA 2 || RONDA 3 || RONDA 4 || RONDA 5 || RONDA 6 || RONDA 7
Datos Descifrados....................................... .................................................. ...............................
Ahora ya tenemos la EMM Desencriptada pero no las OPKEYs, porque en Irdeto 2 tanto la EMM como OPKEYs Estan Encriptadas
desues de Desencritar la EMM llega el paso de desecnriptar las OPKEYS que se encuentran dentro de la EMM desencriptada
Primero Vamos a hacer un analisis a la EMM despues de que ha sido desencriptada
---------------------------------------------------------------------------------------------------------
Vamos a hacer un analisis a esta EMM la cual esta Desencriptada (Decrypted): - -
------------------------------------------------------------------------------- -
82403F <<------ Haeder { 3F= Longitud Hex:0x3F Dec:63 } -
02 <<------ Type Group 00 -
08D7 <<------ Address -
0000 <<------ Relleno -
30 <<------ Provider ID -
38 <<------ Longitud De Bytes (Hex: 0x38 = (Dec: 8*7=56 Bytes)) -
40 03 03 1F E8 FF -
50 11 18 <<------ Nano 50 °° Len 0x11 °° Index 18/4 = 06 -
34C6668B4FCE0C331AF31EBFDACE67F5 <<------ OPKEY Encrypt -
501120 <<------ Nano 50 °° Len 0x11 °° Index 20/4 = 08 -
D79C44C81F7FD184E8D2C1937A972309 <<------ OPKEY Encrypt -
40 <<------ Nano 40
02 <<------ Len
09 E1 <<------ Date?? -
5F008709E5CCF5BE <<------ Firma (Signature) -
---------------------------------------------------------------------------------------------------------
Donde esta el Nano 50 mas adelante + 3 bytes se encuentra La OPKEY
y hay otro caso que se puede encontrar tambien Nano 10 11 XX a la vez de 50 11 XX
y el index se divide sobre 4 y nos da el index que soportan los EMU's de Nuestros aparatos Reciver
si en la EMM es 08 pues se divide sobre 4 y resultado es Index 02
si en la EMM es 10 pues se divide sobre 4 y resultado es Index 04
si en la EMM es 18 pues se divide sobre 4 y resultado es Index 06
si en la EMM es 20 pues se divide sobre 4 y resultado es Index 08 ...
Veremos la EMM con otra manera
EMM Decrypted (OPKEYS EnCrypt):
82403F0208D7000030 [38] || 4003031FE8FF 501118 || 34C6668B4FCE0C33 1AF31EBFDACE67F5 || 501120 || D79C44C81F7FD184 E8D2C1937A972309 || 400209E1 5F008709E5CCF5BE
|| OPKEY ENCRYPT || || OPKEY ENCRYPT ||
************************************************** *******************************************
Pues ya tenemos las OPKEYS Encriptadas dentro de una emm Desencriptada, *
para la esencriptacion de estas OPKEYS Vamos al tercer Paso *
*
************************************************** ***********************
____________________________________
3- Nano Decrypt (Decrypt 3DES CBC) __________________________________________________ __________________________________________________ ________________________________
____________________________________
Pues como siempre el algortimo usado para Desencriptar estas OPKEYS es siempre 3DES CBC
Lo que necesitamos Data1 y Data2 son OPKEYs Encriptada y la key PMK y EMM_iv :
Data1 = 34C6668B4FCE0C33 1AF31EBFDACE67F5 (OPKEY ENCRYPT) <<-- OPKEY 06 (18)
Data2 = D79C44C81F7FD184 E8D2C1937A972309 (OPKEY ENCRYPT) <<-- OPKEY 08 (20)
PMK = AF38DA5E9E00AADB 39A1BCBCB060DEA3 (PMK PLEY MASTER KEY)
EMM_IV = 5BC9E74A983AA5A7 903B000000000000 (( IV 3DES CBC ) Solo usamos 8 bytes primeros)
vamos a Desencriptar La Primera OPKEY y luego la segunda ya la manera de desncriptar la primera es la misma que la segunda () Decrypt 3DESCBC)
-----------------------------
Data1 = 34C6668B4FCE0C33 1AF31EBFDACE67F5 (OPKEY ENCRYPT) <<-- OPKEY 06 (18)
Bloc 1 Encrypt Bloc 2 Encrypt
RONDA 1: 34C6668B4FCE0C33 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 98143F086A0A05B0 {Xor} 5BC9E74A983AA5A7 = C3DDD842F230A017
Bloc 1 Encrypt PMK Key 3DES CBC Result IV 3DES CBC Bloc1 OPKEY Decrypted
RONDA 2: 1AF31EBFDACE67F5 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 78DCF6648AB2F85E {Xor} 34C6668B4FCE0C33 = 4C1A90EFC57CF46D (OPKEY Decr)
Bloc 2 Encrypt PMK Key 3DES CBC Result Bloc1 Encrypt Bloc2 OPKEY Decrypted
OPKEY 06 (18) Decrypted: C3DDD842F230A017 4C1A90EFC57CF46D <<<< ----- ya tenemos la OPKEY Desencriptada por fin!!!!!!!!!!!!!!!
Bloc1 Decrypted Bloc2 Decrypted
-----------------------------
Data2 = D79C44C81F7FD184 E8D2C1937A972309 (OPKEY ENCRYPT) <<-- OPKEY 08 (20)
Bloc 1 Encrypt Bloc 2 Encrypt
RONDA 1: D79C44C81F7FD184 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 29F3F9202EB28219 {Xor} 5BC9E74A983AA5A7 = 723A1E6AB68827BE (OPKEY Decr)
Bloc 1 Encrypt PMK Key 3DES CBC Result IV 3DES CBC Bloc1 OPKEY Decrypted
RONDA 2: E8D2C1937A972309 {Decrypt 3DES} AF38DA5E9E00AADB 39A1BCBCB060DEA3 = 43D5635A1C483DAD {Xor} D79C44C81F7FD184 = 944927920337EC29 (OPKEY Decr)
Bloc 2 Encrypt PMK Key 3DES CBC Result Bloc1 Encrypt Bloc2 OPKEY Decrypted
OPKEY 08 (20) Decrypted: 723A1E6AB68827BE 944927920337EC29 <<<< ----- ya tenemos la OPKEY Desencriptada por fin!!!!!!!!!!!!!!!
Bloc1 Decrypted Bloc2 Decrypted
-----------------------------
__________________________________________________ _________________________________
************************************************** ************ _
OPKEY 06 (18) Decrypted: C3DDD842F230A017 4C1A90EFC57CF46D * _
OPKEY 08 (20) Decrypted: 723A1E6AB68827BE 944927920337EC29 * _
************************************************** ************ _
_
_
Ahora ya tenemso la EMM y OPKEY's Desencriptadas: _
_
82403F <<-- Haeder _
02 <<-- Type Group 00 _
08D7 <<-- Adress _
0000 <<-- Relleno _
30 <<-- Provider ID Group _
38 <<-- Len (Hex: 0x38 = (Dec: 8*7=56 Bytes)) _
4003031FE8FF _
50 11 18 Nano 50 + Len 11 + Index 18 / 4 = 06 _
C3DDD842F230A017 4C1A90EFC57CF46D <<-- OP KEY Decrypt _
50 11 20 Nano 50 + Len 11 + Index 20 / 4 = 06 _
723A1E6AB68827BE 944927920337EC29 <<-- OP KEY Decrypt _
40 <<------ Nano 40 -
02 <<------ Len -
09 E1 <<------ Date?? _
5F008709E5CCF5BE <<------ Signature _
__________________________________________________ ______________________________
*************************************
4- CalculateMAC (3DES CBC Encrypt) ************************************************** *********************
************************************* *
*
Vamos ya estamos en el paso cuatro 4 y lo que vemos aqui es como se calcula la firma (Calculate Signature) *************************
*
Cojimos la EMM OPKEYS la cual esta Desencriptada: *
82403F0208D7000030384003031FE8FF501118C3DDD842F230 A0174C1A90EFC57CF46D501120723A1E6AB68827BE94492792 0337EC29400209E15F008709E5CCF5BE *************
*
*
EMM OPKKEY Decrypt: ||Delete|| (vamos a eliminar el haeder + 00 + Signature estan puestos entre ||xx|| ) *
*
||82403F||0208D700||00||30384003031FE8FF501118C3DD D842F230A0174C1A90EFC57CF46D501120723A1E6AB68827BE 944927920337EC29400209E1||5F008709E5CCF5BE|| *
*
y nos queda algo asi:
0208D70030384003031FE8FF501118C3DDD842F230A0174C1A 90EFC57CF46D501120723A1E6AB68827BE944927920337EC29 400209E1
- La separamos en Bloqueos:
0208D70030384003 Bloque 1
031FE8FF501118C3 Bloque 2
DDD842F230A0174C Bloque 3
1A90EFC57CF46D50 Bloque 4
1120723A1E6AB688 Bloque 5
27BE944927920337 Bloque 6
EC29400209E1 Bloque 7
- Como veis tenemos 7 bloqueos y cada bloqueo tiene 8 bytes menos el ultimo que solo lleva 6 bytes, ahora le anadimos 2 bytes al bloqueo 7
y estos 2 Bytes son las que estan en el segundo octeto de EMM-IV
EMM_IV = 5BC9E74A983AA5A7 903B000000000000 (necesitas estos dos bytes 903B para el calculo de la firma)
---- ----
- Despues de anadir estos dos bytes en el bloqueo 7 nos queda algo asi:
0208D70030384003 Bloque 1
031FE8FF501118C3 Bloque 2
DDD842F230A0174C Bloque 3
1A90EFC57CF46D50 Bloque 4
1120723A1E6AB688 Bloque 5
27BE944927920337 Bloque 6
EC29400209E1903B Bloque 7 <<<--- Add 2 Bytes de EMM_IV del segundo octeto
y la key 3DES es la que habiamos perparado en primer paso:
EMM_Seed Prepared: E046C69E8CB4A40DA16E52AF4CAE6A15 Key 3DES
ahora vamos a calcular la firma en 7 Rondas son 7 bloqueos:
|| 0208D70030384003 || 031FE8FF501118C3 || DDD842F230A0174C || 1A90EFC57CF46D50 || 1120723A1E6AB688 || 27BE944927920337 || EC29400209E1903B
|| RONDA 1 || RONDA 2 || RONDA 3 || RONDA 4 || RONDA 5 || RONDA 6 || RONDA 7
RONDA 1: 0208D70030384003 {Xor} 0000000000000000 = 0208D70030384003 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = AA8B12A7467A145F
Data 8 Bytes'ES' IV 3DES CBC Result EMM_Seed Prepared Key 3DES CBC Result Bloque 1
RONDA 2: AA8B12A7467A145F {Xor} 031FE8FF501118C3 = A994FA58166B0C9C {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = CDA5BB939E3BD120
Data 8 Bytes'ES' Bloque 2 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 2
RONDA 3: CDA5BB939E3BD120 {Xor} DDD842F230A0174C = 107DF961AE9BC66C {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 484B0E88CA120795
Data 8 Bytes'ES' Bloque 3 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 3
RONDA 4: 484B0E88CA120795 {Xor} 1A90EFC57CF46D50 = 52DBE14DB6E66AC5 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 287467CA90373AB3
Data 8 Bytes'ES' Bloque 4 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 4
RONDA 5: 287467CA90373AB3 {Xor} 1120723A1E6AB688 = 395415F08E5D8C3B {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = DB92F3C8E9730646
Data 8 Bytes'ES' Bloque 5 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 5
RONDA 6: DB92F3C8E9730646 {Xor} 27BE944927920337 = FC2C6781CEE10571 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = C815564DC98CDE6C
Data 8 Bytes'ES' Bloque 6 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 6
RONDA 7: C815564DC98CDE6C {Xor} EC29400209E1903B = 243C164FC06D4E57 {Encrypt 3DES} E046C69E8CB4A40D A16E52AF4CAE6A15 = 5F008709E5CCF5BE *
Data 8 Bytes'ES' Bloque 7 Result EMM_Seed Prepared Key 3DES CBC Result Bloque 7 *
*
*
Result final de la Ronda 7 es = 5F008709E5CCF5BE <<<--- Coindciden!!! == *
5F008709E5CCF5BE <<<--- Signature de la EMMOPKEY Decrypt *
*
************************************************** ************************************************** **********************************************
EMM PMK Decrypted:
824038C3FFFFFF0000003043ECF812DBB2F3B44C6AA1377479 D96E3C712B3670325DBF06F739CD488224A85949B939206612 4336F0F10AFAC8B81B
Keys Decrypt EMM PMK:
HMK0 Axi : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HMK1 Exi : BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
EMM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-----------------------------------------------------------------------------------------------------------------------
EMM PMK Decrypted:
8240 38 C3 FFFFFF 0000 00 30 010268240033333333333333333333333333333333 44444444444444444444444444444444 555566 AA54268F60038015
8240 ---**** Haeder Type EMM
38 ---**** Len (Hex: 0x38 (Dec: 56 Bytes))
C3 ---**** C3/CB PMK
FFFFFF ---**** Hex Serial
0000 ---**** Relleno
00 ---**** Provider ID Group
30 ---**** Len (Hex: 0x30 = (Dec: 8*6=48 Bytes))
01 ---****
02 ---****
68 ---**** Nano Update PMK
24 ---**** Len Data --**** Index
00 ---**** Index [00=00 | 01=10 | 02=20 | 03=30 | 04=40]
33333333333333333333333333333333 ---**** PMK0
44444444444444444444444444444444 ---**** PMK1
555566 ---**** Provider ID
AA54268F60038015 ---**** Signature MAC
Log:
-------- Kasita Botonnou @ Irdeto2 --------
PMK0 Enc : 8F754A711A62ACA8CC6F200370A6E332
PMK0 Dec : 33333333333333333333333333333333
-------- Kasita Botonnou @ Irdeto2 --------
PMK1 Enc : 8B8EC848BBCDA309423A4B528539EDCA
PMK1 Dec : 44444444444444444444444444444444
-------- Kasita Botonnou @ Irdeto2 --------
Log:
-------- Kasita Botonnou @ Irdeto2 --------
HMK0 Axi : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HMK1 Exi : BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
EMM IV : 6886F8A059808A9A4DF751E08AF9FD3A
-------- Kasita Botonnou @ Irdeto2 --------
Hash OK : Signature Correct!!!
Sig MAC : AA54268F60038015 OK