1 | #include "globals.h"
|
---|
2 | #include "reader-common.h"
|
---|
3 | //#include <stdlib.h>
|
---|
4 |
|
---|
5 | extern uchar cta_cmd[], cta_res[];
|
---|
6 | extern ushort cta_lr;
|
---|
7 | unsigned long long serial;
|
---|
8 | char *card;
|
---|
9 | static uchar provider;
|
---|
10 | static short int mode;
|
---|
11 |
|
---|
12 | #define OK_RESPONSE 0x61
|
---|
13 | #define CMD_BYTE 0x59
|
---|
14 |
|
---|
15 | #define dre_cmd(cmd) \
|
---|
16 | { \
|
---|
17 | dre_command(cmd, sizeof(cmd)); \
|
---|
18 | }
|
---|
19 |
|
---|
20 | int dre_set_provider_info (void)
|
---|
21 | {
|
---|
22 | int i;
|
---|
23 | static uchar cmd59[] = { 0x59, 0x14 }; // subscriptions
|
---|
24 | static uchar cmd5b[] = { 0x5b, 0x00, 0x14 }; //validity dates
|
---|
25 |
|
---|
26 | cmd59[1] = provider;
|
---|
27 | if ((dre_cmd (cmd59))) { //ask subscription packages, returns error on 0x11 card
|
---|
28 | uchar pbm[32];
|
---|
29 | memcpy (pbm, cta_res + 3, cta_lr - 6);
|
---|
30 | cs_debug ("DRECRYPT pbm: %s", cs_hexdump (0, pbm, 32));
|
---|
31 |
|
---|
32 | if (pbm[0] == 0xff)
|
---|
33 | cs_log ("No active packages!");
|
---|
34 | else
|
---|
35 | for (i = 0; i < 32; i++)
|
---|
36 | if (pbm[i] != 0xff) {
|
---|
37 | cmd5b[1] = i;
|
---|
38 | cmd5b[2] = provider;
|
---|
39 | dre_cmd (cmd5b); //ask for validity dates
|
---|
40 |
|
---|
41 | time_t start;
|
---|
42 | time_t end;
|
---|
43 | start = (cta_res[3] << 24) | (cta_res[4] << 16) | (cta_res[5] << 8) | cta_res[6];
|
---|
44 | end = (cta_res[7] << 24) | (cta_res[8] << 16) | (cta_res[9] << 8) | cta_res[10];
|
---|
45 |
|
---|
46 | struct tm *temp;
|
---|
47 |
|
---|
48 | temp = localtime (&start);
|
---|
49 | int startyear = temp->tm_year + 1900;
|
---|
50 | int startmonth = temp->tm_mon + 1;
|
---|
51 | int startday = temp->tm_mday;
|
---|
52 | temp = localtime (&end);
|
---|
53 | int endyear = temp->tm_year + 1900;
|
---|
54 | int endmonth = temp->tm_mon + 1;
|
---|
55 | int endday = temp->tm_mday;
|
---|
56 | cs_log ("Active package %i valid from %04i/%02i/%02i to %04i/%02i/%02i", i, startyear, startmonth, startday,
|
---|
57 | endyear, endmonth, endday);
|
---|
58 | }
|
---|
59 | }
|
---|
60 | return 1;
|
---|
61 | }
|
---|
62 |
|
---|
63 | uchar xor (uchar * cmd, int cmdlen)
|
---|
64 | {
|
---|
65 | int i;
|
---|
66 | uchar checksum = 0x00;
|
---|
67 | for (i = 0; i < cmdlen; i++)
|
---|
68 | checksum ^= cmd[i];
|
---|
69 | return checksum;
|
---|
70 | }
|
---|
71 |
|
---|
72 |
|
---|
73 | int dre_command (uchar * cmd, int cmdlen) //attention: inputcommand will be changed!!!! answer will be in cta_res, length cta_lr ; returning 1 = no error, return 0 = err
|
---|
74 | {
|
---|
75 | static uchar startcmd[] = { 0x80, 0xFF, 0x10, 0x01, 0x05 }; //any command starts with this,
|
---|
76 | //last byte is nr of bytes of the command that will be sent
|
---|
77 | //after the startcmd
|
---|
78 | //response on startcmd+cmd: = { 0x61, 0x05 } //0x61 = "OK", last byte is nr. of bytes card will send
|
---|
79 | static uchar reqans[] = { 0x00, 0xC0, 0x00, 0x00, 0x08 }; //after command answer has to be requested,
|
---|
80 | //last byte must be nr. of bytes that card has reported to send
|
---|
81 | uchar command[256];
|
---|
82 | int headerlen = sizeof (startcmd);
|
---|
83 | startcmd[4] = cmdlen + 3; //commandlength + type + len + checksum bytes
|
---|
84 | memcpy (command, startcmd, headerlen);
|
---|
85 | command[headerlen++] = CMD_BYTE; //type
|
---|
86 | command[headerlen++] = cmdlen + 1; //len = command + 1 checksum byte
|
---|
87 | memcpy (command + headerlen, cmd, cmdlen);
|
---|
88 |
|
---|
89 | uchar checksum = ~xor (cmd, cmdlen);
|
---|
90 | //cs_debug ("Checksum: %02x", checksum);
|
---|
91 | cmdlen += headerlen;
|
---|
92 | command[cmdlen++] = checksum;
|
---|
93 |
|
---|
94 | reader_cmd2icc (command, cmdlen);
|
---|
95 |
|
---|
96 | if ((cta_lr != 2) || (cta_res[0] != OK_RESPONSE)) {
|
---|
97 | cs_log ("DRECRYPT ERROR: unexpected answer from card: %s", cs_hexdump (0, cta_res, cta_lr));
|
---|
98 | return 0; //error
|
---|
99 | }
|
---|
100 |
|
---|
101 | reqans[4] = cta_res[1]; //adapt length byte
|
---|
102 | reader_cmd2icc (reqans, 5);
|
---|
103 |
|
---|
104 | if (cta_res[0] != CMD_BYTE) {
|
---|
105 | cs_log ("DRECRYPT Unknown response: cta_res[0] expected to be %02x, is %02x", CMD_BYTE, cta_res[0]);
|
---|
106 | return 0;
|
---|
107 | }
|
---|
108 | if ((cta_res[1] == 0x03) && (cta_res[2] == 0xe2)) {
|
---|
109 | switch (cta_res[3]) {
|
---|
110 | case 0xe1:
|
---|
111 | cs_log ("DRECRYPT checksum error: %s.", cs_hexdump (0, cta_res, cta_lr));
|
---|
112 | break;
|
---|
113 | case 0xe2:
|
---|
114 | cs_log ("DRECRYPT wrong provider: %s.", cs_hexdump (0, cta_res, cta_lr));
|
---|
115 | break;
|
---|
116 | case 0xec:
|
---|
117 | cs_log ("DRECRYPT wrong signature: %s.", cs_hexdump (0, cta_res, cta_lr));
|
---|
118 | break;
|
---|
119 | default:
|
---|
120 | cs_debug ("DRECRYPT unknown error: %s.", cs_hexdump (0, cta_res, cta_lr));
|
---|
121 | break;
|
---|
122 | }
|
---|
123 | return 0; //error
|
---|
124 | }
|
---|
125 | int length_excl_leader = cta_lr;
|
---|
126 | if ((cta_res[cta_lr - 2] == 0x90) && (cta_res[cta_lr - 1] == 0x00))
|
---|
127 | length_excl_leader -= 2;
|
---|
128 |
|
---|
129 | checksum = ~xor (cta_res + 2, length_excl_leader - 3);
|
---|
130 |
|
---|
131 | if (cta_res[length_excl_leader - 1] != checksum) {
|
---|
132 | cs_log ("DRECRYPT checksum does not match, expected %02x received %02x:%s", checksum,
|
---|
133 | cta_res[length_excl_leader - 1], cs_hexdump (0, cta_res, cta_lr));
|
---|
134 | return 0; //error
|
---|
135 | }
|
---|
136 | return 1;
|
---|
137 | }
|
---|
138 |
|
---|
139 | int dre_card_init (uchar * atr, int atrsize)
|
---|
140 | {
|
---|
141 | static uchar ua[] = { 0x43, 0x15 }; // get serial number (UA)
|
---|
142 | static uchar providers[] = { 0x49, 0x15 }; // get providers
|
---|
143 | int i;
|
---|
144 |
|
---|
145 | if ((atr[0] != 0x3b) || (atr[1] != 0x15) || (atr[2] != 0x11) || (atr[3] != 0x12 || atr[4] != 0xca || atr[5] != 0x07))
|
---|
146 | return (0);
|
---|
147 |
|
---|
148 | provider = atr[6];
|
---|
149 | uchar checksum = xor (atr + 1, 6);
|
---|
150 |
|
---|
151 | if (checksum != atr[7])
|
---|
152 | cs_log ("DRECRYPT Warning: expected ATR checksum %02x, smartcard reports %02x", checksum, atr[7]);
|
---|
153 |
|
---|
154 | switch (atr[6]) {
|
---|
155 | case 0x11:
|
---|
156 | card = "Tricolor Centr";
|
---|
157 | reader[ridx].caid[0] = 0x4ae0;
|
---|
158 | mode = 41;
|
---|
159 | break; //59 type card = MSP (74 type = ATMEL)
|
---|
160 | case 0x12:
|
---|
161 | card = "Cable TV";
|
---|
162 | reader[ridx].caid[0] = 0x4ae0; //TODO not sure about this one
|
---|
163 | mode = 41; //TODO not sure
|
---|
164 | break;
|
---|
165 | case 0x14:
|
---|
166 | card = "Tricolor Syberia / Platforma HD new";
|
---|
167 | reader[ridx].caid[0] = 0x4ae1;
|
---|
168 | mode = 51;
|
---|
169 | break; //59 type card
|
---|
170 | case 0x15:
|
---|
171 | card = "Platforma HD / DW old";
|
---|
172 | reader[ridx].caid[0] = 0x4ae1; //TODO not sure
|
---|
173 | mode = 41; //TODO not sure
|
---|
174 | break; //59 type card
|
---|
175 | default:
|
---|
176 | card = "Unknown";
|
---|
177 | reader[ridx].caid[0] = 0x4ae1; //TODO: what is sensible value here?
|
---|
178 | mode = 51;
|
---|
179 | break;
|
---|
180 | }
|
---|
181 |
|
---|
182 | memset (reader[ridx].prid, 0x00, 8);
|
---|
183 |
|
---|
184 | static uchar cmd30[] =
|
---|
185 | { 0x30, 0x81, 0x00, 0x81, 0x82, 0x03, 0x84, 0x05, 0x06, 0x87, 0x08, 0x09, 0x00, 0x81, 0x82, 0x03, 0x84, 0x05,
|
---|
186 | 0x00
|
---|
187 | };
|
---|
188 | dre_cmd (cmd30); //unknown command, generates error on card 0x11 and 0x14
|
---|
189 | /*
|
---|
190 | response:
|
---|
191 | 59 03 E2 E3
|
---|
192 | FE 48 */
|
---|
193 |
|
---|
194 | static uchar cmd54[] = { 0x54, 0x14 }; // geocode
|
---|
195 | cmd54[1] = provider;
|
---|
196 | uchar geocode = 0;
|
---|
197 | if ((dre_cmd (cmd54))) //error would not be fatal, like on 0x11 cards
|
---|
198 | geocode = cta_res[3];
|
---|
199 |
|
---|
200 | providers[1] = provider;
|
---|
201 | if (!(dre_cmd (providers)))
|
---|
202 | return 0; //fatal error
|
---|
203 | if ((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1] != 0x00))
|
---|
204 | return 0;
|
---|
205 | uchar provname[128];
|
---|
206 | for (i = 0; ((i < cta_res[2] - 6) && (i < 128)); i++) {
|
---|
207 | provname[i] = cta_res[6 + i];
|
---|
208 | if (provname[i] == 0x00)
|
---|
209 | break;
|
---|
210 | }
|
---|
211 | int major_version = cta_res[3];
|
---|
212 | int minor_version = cta_res[4];
|
---|
213 |
|
---|
214 | ua[1] = provider;
|
---|
215 | dre_cmd (ua); //error would not be fatal
|
---|
216 |
|
---|
217 | int hexlength = cta_res[1] - 2; //discard first and last byte, last byte is always checksum, first is answer code
|
---|
218 |
|
---|
219 | reader[ridx].hexserial[0] = 0;
|
---|
220 | reader[ridx].hexserial[1] = 0;
|
---|
221 | memcpy (reader[ridx].hexserial + 2, cta_res + 3, hexlength);
|
---|
222 |
|
---|
223 | int low_dre_id = ((cta_res[4] << 16) | (cta_res[5] << 8) | cta_res[6]) - 48608;
|
---|
224 | int dre_chksum = 0;
|
---|
225 | uchar buf[32];
|
---|
226 | sprintf (buf, "%i%i%08i", provider - 16, major_version + 1, low_dre_id);
|
---|
227 | for (i = 0; i < 32; i++) {
|
---|
228 | if (buf[i] == 0x00)
|
---|
229 | break;
|
---|
230 | dre_chksum += buf[i] - 48;
|
---|
231 | }
|
---|
232 |
|
---|
233 | //cs_ri_log("type: DRECrypt, caid: %04X, serial: %llu, card: v%x",
|
---|
234 | cs_log ("type: DRECrypt, caid: %04X, serial: %s, dre id: %i%i%i%08i, geocode %i, card: %s v%i.%i",
|
---|
235 | reader[ridx].caid[0], cs_hexdump (0, reader[ridx].hexserial + 2, 4), dre_chksum, provider - 16,
|
---|
236 | major_version + 1, low_dre_id, geocode, card, major_version, minor_version);
|
---|
237 | cs_log ("Provider name:%s.", provname);
|
---|
238 |
|
---|
239 |
|
---|
240 | memset (reader[ridx].sa, 0, sizeof (reader[ridx].sa));
|
---|
241 | memcpy (reader[ridx].sa[0], reader[ridx].hexserial + 2, 1); //copy first byte of unique address also in shared address, because we dont know what it is...
|
---|
242 |
|
---|
243 | cs_log ("DEBUG: SA = %02X%02X%02X%02X, UA = %s", reader[ridx].sa[0][0], reader[ridx].sa[0][1], reader[ridx].sa[0][2],
|
---|
244 | reader[ridx].sa[0][3], cs_hexdump (0, reader[ridx].hexserial + 2, 4));
|
---|
245 |
|
---|
246 | //reader[ridx].nprov = 1; TODO doesnt seem necessary
|
---|
247 |
|
---|
248 | if (!dre_set_provider_info ())
|
---|
249 | return 0; //fatal error
|
---|
250 |
|
---|
251 |
|
---|
252 | /* Unknown function 51
|
---|
253 | 59
|
---|
254 | 23 51 82 3B 05 00 4A D4 CA
|
---|
255 | A3 1D A2
|
---|
256 | DF 95 29 90 65 E1 95 B8 1C 91 87 C8 B5 CB 62 2F
|
---|
257 | 09
|
---|
258 | F7 BC 18 BA 14 some byte seems to be missing !?!
|
---|
259 |
|
---|
260 | ANOTHER INS is the same except last line:
|
---|
261 | EF C7 1D 4C E3 14 last byte stays the same = provider byte???
|
---|
262 |
|
---|
263 | response: DW info retour
|
---|
264 | 59 12 D2 8E 7A FE BA 6C DF 31 49
|
---|
265 | 1A 8F 34
|
---|
266 | 98 48 42 CE 0D DE
|
---|
267 | 90 00 */
|
---|
268 |
|
---|
269 |
|
---|
270 | //memcpy(&reader[ridx].prid[i][2], cta_res, 2);
|
---|
271 |
|
---|
272 | //############### PLAYGROUND ////
|
---|
273 |
|
---|
274 | //from bbs, provider = 15???
|
---|
275 | //static uchar ecmtest[] = { 0x51, 0x01, 0x56, 0x00, 0x00, 0x48, 0xC6, 0xF0, 0x19, 0x01, 0xD4, 0xDF, 0x4F, 0xD7, 0x91, 0x55, 0x68, 0x02, 0x72, 0xF7, 0x98, 0x28, 0xBD, 0x78, 0x8E, 0x4E, 0xE8, 0xED, 0x0B, 0x51, 0xBF, 0xA4, 0x4E, 0x15 };
|
---|
276 | //from log, works:
|
---|
277 | //static uchar ecmtest[] = { 0x51, 0x02, 0x56, 0x05, 0x00, 0x4A, 0xE3, 0x9C, 0xDA, 0xC1, 0x71, 0x21, 0x06, 0xF0, 0x14, 0xA7, 0x0E, 0x89, 0xDA, 0xC9, 0xD7, 0xFD, 0xB9, 0x06, 0xFD, 0xD5, 0x1E, 0x2A, 0xA3, 0xB5, 0xA0, 0x82, 0x11, 0x14 };
|
---|
278 | /* static uchar ecmtest[] =
|
---|
279 | { 0x51, 0x03, 0x56, 0x05, 0x00, 0x4A, 0xE4, 0x58, 0x02, 0x8B, 0xAE, 0x42, 0xEE, 0xE2, 0x6A, 0x7F, 0x51, 0xE0, 0x7D,
|
---|
280 | 0xCE, 0x20, 0x8A, 0x24, 0xE8, 0xBA, 0xA6, 0xC3, 0xCB, 0x35, 0x45, 0x35, 0x52, 0x94, 0x14 };
|
---|
281 | */
|
---|
282 | //from platforma itself through dvbviewer
|
---|
283 | /*
|
---|
284 | static uchar ecmtest[] =
|
---|
285 | { 0x51, 0x02, 0x56, 0x00, 0x00, 0x4A, 0xEC, 0x00, 0xAA, 0x31, 0x39, 0x06, 0x57, 0x94, 0x55, 0x1D, 0x23, 0x52, 0x88,
|
---|
286 | 0x3D, 0xA8, 0x62, 0xDC, 0xA2, 0x98, 0xD7, 0xAB, 0x0D, 0x80, 0x60, 0x15, 0xF5, 0x07, 0x14 };
|
---|
287 | */
|
---|
288 | //from redirected dvbviewer
|
---|
289 | static uchar ecmtest[] =
|
---|
290 | { 0x51, 0x02, 0x56, 0x00, 0x00, 0x4A, 0xEC, 0x3B, 0xF6, 0x56, 0x5A, 0x43, 0x95, 0x43, 0x05, 0x02, 0xBB, 0x46, 0x22,
|
---|
291 | 0x27, 0xEF, 0x33, 0xF4, 0xA9, 0xD0, 0x65, 0xDB, 0x57, 0x8F, 0x8F, 0x7C, 0x19, 0x36, 0x14
|
---|
292 | };
|
---|
293 |
|
---|
294 | //rest: 0x93, 0x36, 0x58, 0xC9
|
---|
295 |
|
---|
296 |
|
---|
297 | //ecmcmd51[33]=provider; //FIXME part of signatur
|
---|
298 |
|
---|
299 | //int hans, index, save;
|
---|
300 | //for (index=1; index<3; index++) {
|
---|
301 | // save = ecmtest[index];
|
---|
302 | // for (hans=0; hans<256; hans++) {
|
---|
303 | // ecmtest[index] = hans;
|
---|
304 | // if ((dre_cmd(ecmtest)))
|
---|
305 | // cs_log("HANS SUCCESS");
|
---|
306 | // }
|
---|
307 | // ecmtest[index] = save;
|
---|
308 | //}
|
---|
309 |
|
---|
310 | EMM_PACKET *eptmp;
|
---|
311 | eptmp = malloc (sizeof (EMM_PACKET));
|
---|
312 | // static unsigned char tempser[] = { 0, 0, 0xC8, 0x4D, 0x25, 0x5A };
|
---|
313 | // memcpy (reader[ridx].hexserial, tempser, 8);
|
---|
314 | dre_do_emm (eptmp);
|
---|
315 | free (eptmp);
|
---|
316 | //############### PLAYGROUND ////
|
---|
317 | cs_log ("ready for requests");
|
---|
318 | return (1);
|
---|
319 | }
|
---|
320 |
|
---|
321 | /*
|
---|
322 | static int get_prov_index (char *provid) //returns provider id or -1 if not found
|
---|
323 | {
|
---|
324 | int prov;
|
---|
325 | for (prov = 0; prov < reader[ridx].nprov; prov++) //search for provider index
|
---|
326 | if (!memcmp (provid, &reader[ridx].prid[prov][2], 2))
|
---|
327 | return (prov);
|
---|
328 | return (-1);
|
---|
329 | }
|
---|
330 | */
|
---|
331 |
|
---|
332 | int dre_do_ecm (ECM_REQUEST * er)
|
---|
333 | {
|
---|
334 | //
|
---|
335 | //cmd41 is not known for card provider 0x14 ???
|
---|
336 | if (mode == 41) {
|
---|
337 | static uchar ecmcmd41[] = { 0x41,
|
---|
338 | 0x58, 0x1f, 0x00, //fixed part, dont change
|
---|
339 | 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, //0x01 - 0x08: next key
|
---|
340 | 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, //0x11 - 0x18: current key
|
---|
341 | 0x3b, 0x59, 0x11 //0x3b = keynumber, can be a value 56 ;; 0x59 number of package = 58+1 - Pay Package ;; 0x11 = provider
|
---|
342 | };
|
---|
343 | ecmcmd41[22] = provider;
|
---|
344 | memcpy (ecmcmd41 + 4, er->ecm + 8, 16);
|
---|
345 | ecmcmd41[20] = er->ecm[6]; //keynumber
|
---|
346 | ecmcmd41[21] = 0x58 + er->ecm[25]; //package number
|
---|
347 | cs_debug ("DEBUG: unused ECM info front:%s", cs_hexdump (0, er->ecm, 8));
|
---|
348 | cs_debug ("DEBUG: unused ECM info back:%s", cs_hexdump (0, er->ecm + 24, er->ecm[2] + 2 - 24));
|
---|
349 | if ((dre_cmd (ecmcmd41))) { //ecm request
|
---|
350 | if ((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1] != 0x00))
|
---|
351 | return (0); //exit if response is not 90 00 //TODO: if response is 9027 ppv mode is possible!
|
---|
352 | //memcpy(er->cw,cta_res+3,16);
|
---|
353 | //or swap bytes:
|
---|
354 | memcpy (er->cw, cta_res + 11, 8);
|
---|
355 | memcpy (er->cw + 8, cta_res + 3, 8);
|
---|
356 |
|
---|
357 | // return 0; //FIXME only used for testing CWs
|
---|
358 | return 1;
|
---|
359 | }
|
---|
360 | }
|
---|
361 | else {
|
---|
362 |
|
---|
363 | //cmd51 is used for provider 0x14
|
---|
364 | static uchar ecmcmd51[] = { 0x51, 0x02, 0x56, 0x05, 0x00, 0x4A, 0xE3, //fixed header?
|
---|
365 | 0x9C, 0xDA, //first three nibbles count up, fourth nibble counts down; all ECMs sent twice
|
---|
366 | 0xC1, 0x71, 0x21, 0x06, 0xF0, 0x14, 0xA7, 0x0E, //next key?
|
---|
367 | 0x89, 0xDA, 0xC9, 0xD7, 0xFD, 0xB9, 0x06, 0xFD, //current key?
|
---|
368 | 0xD5, 0x1E, 0x2A, 0xA3, 0xB5, 0xA0, 0x82, 0x11, //key or signature?
|
---|
369 | 0x14 //provider
|
---|
370 | };
|
---|
371 | memcpy (ecmcmd51 + 1, er->ecm + 5, 0x21);
|
---|
372 | //cs_log ("DEBUG: ECM: %s", cs_hexdump (0, er->ecm, er->ecm[2] + 3));
|
---|
373 | cs_debug ("DEBUG: unused ECM info front:%s", cs_hexdump (0, er->ecm, 5));
|
---|
374 | cs_debug ("DEBUG: unused ECM info back:%s", cs_hexdump (0, er->ecm + 37, 4));
|
---|
375 | ecmcmd51[33] = provider; //no part of sig
|
---|
376 | if ((dre_cmd (ecmcmd51))) { //ecm request
|
---|
377 | if ((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1] != 0x00))
|
---|
378 | return (0); //exit if response is not 90 00 //TODO: if response is 9027 ppv mode is possible!
|
---|
379 | //memcpy(er->cw,cta_res+3,16);
|
---|
380 | //or swap bytes:
|
---|
381 | memcpy (er->cw, cta_res + 11, 8);
|
---|
382 | memcpy (er->cw + 8, cta_res + 3, 8);
|
---|
383 |
|
---|
384 | // return 0; //FIXME only used for testing CWs
|
---|
385 | return 1;
|
---|
386 | }
|
---|
387 | }
|
---|
388 | return 0;
|
---|
389 | }
|
---|
390 |
|
---|
391 | int dre_do_emm (EMM_PACKET * ep)
|
---|
392 | {
|
---|
393 | //return 0; //FIXME STUB
|
---|
394 | /*
|
---|
395 | uchar emmtest[] = { 0x87, 0x00, 0x8C, 0xC8, 0x4D, 0x25, 0x5A, 0x02, 0xA9, 0xA5, 0x34, 0x31, 0xAB, 0x9C, 0x9B, 0x59,
|
---|
396 | 0x5D, 0x47, 0x95, 0xB3, 0xB1, 0x61, 0x47, 0xE6, 0x85, 0xE0, 0x17, 0xC8, 0x25, 0x70, 0x59, 0x73,
|
---|
397 | 0x12, 0x1F, 0x2B, 0x9B, 0x02, 0x5A, 0x9D, 0x3A, 0x05, 0x56, 0x85, 0x58, 0x00, 0xC8, 0x4D, 0x25,
|
---|
398 | 0x5A, 0x06, 0x02, 0x23, 0xB4, 0x37, 0x1E, 0xE0, 0x7E, 0x59, 0xFC, 0x38, 0xCA, 0x13, 0x21, 0x0D,
|
---|
399 | 0x3E, 0x09, 0xDF, 0xB4, 0x45, 0x6C, 0x99, 0x7E, 0x3E, 0xDA, 0xA4, 0xC7, 0xB9, 0x7B, 0xAB, 0x4A,
|
---|
400 | 0xB5, 0xE2, 0x1D, 0xA3, 0xCD, 0x03, 0xAF, 0xDA, 0xBA, 0xEA, 0x3B, 0x85, 0x58, 0x00, 0xC8, 0x4D,
|
---|
401 | 0x25, 0x5A, 0x05, 0xF4, 0xAF, 0x8B, 0x8F, 0x2F, 0x6C, 0xF2, 0x43, 0x8C, 0x86, 0x03, 0xFD, 0x1C,
|
---|
402 | 0xDF, 0x7A, 0xE4, 0xB6, 0x0B, 0xF9, 0x70, 0x72, 0xFC, 0x2A, 0xEC, 0x0F, 0x6D, 0x8D, 0x82, 0xC6,
|
---|
403 | 0x4C, 0x16, 0x81, 0xDC, 0xC9, 0x3C, 0x34, 0x84, 0x35, 0x9A, 0xA7, 0xED, 0xB1, 0x39, 0xBC
|
---|
404 | }; //UNIQE EMM
|
---|
405 | */
|
---|
406 |
|
---|
407 | uchar emmtest[] = { 0x89, 0x00, 0x68, 0x00, 0x4D, 0x56, 0x85, 0x58, 0x01, 0x00, 0x00, 0x00, 0x00, 0x06, 0x29, 0x58,
|
---|
408 | 0x89, 0x04, 0x3A, 0xEE, 0x15, 0xB1, 0x38, 0x4A, 0x75, 0x5A, 0x21, 0xEE, 0x4D, 0x37, 0xF3, 0x53,
|
---|
409 | 0xF8, 0xAC, 0x1F, 0x8D, 0xEA, 0xDF, 0x12, 0x73, 0x00, 0x69, 0xBB, 0x67, 0x5D, 0x8A, 0x96, 0x2D,
|
---|
410 | 0x1C, 0x08, 0xEB, 0xF1, 0xCA, 0x40, 0x3B, 0x85, 0x58, 0x01, 0x00, 0x00, 0x00, 0x00, 0x05, 0x85,
|
---|
411 | 0xF2, 0xE1, 0xD9, 0x86, 0xEA, 0x19, 0x6A, 0xEF, 0x3B, 0x9D, 0x0C, 0xEA, 0xF3, 0x7B, 0x74, 0xE5,
|
---|
412 | 0xF7, 0x4F, 0xD6, 0x9C, 0x85, 0x6C, 0x7E, 0x79, 0xDF, 0x18, 0xD1, 0xC3, 0x54, 0xA9, 0x47, 0xCB,
|
---|
413 | 0xAC, 0xB6, 0x18, 0x71, 0xC8, 0x69, 0x6B, 0x10, 0xFF, 0x9D, 0x11 }; //GLOBAL EMM
|
---|
414 |
|
---|
415 | memcpy (ep->emm, emmtest, 0x8f);
|
---|
416 |
|
---|
417 | int emm_length = ((ep->emm[1] & 0x0f) << 8) + ep->emm[2];
|
---|
418 |
|
---|
419 | cs_ddump (ep->emm, emm_length + 3, "EMM:");
|
---|
420 | ep->type = ep->emm[0];
|
---|
421 | cs_debug ("ep->type%x", ep->type);
|
---|
422 |
|
---|
423 | if (mode != 41) {
|
---|
424 | cs_log ("EMM Mode not implemented yet");
|
---|
425 | return 0;
|
---|
426 | }
|
---|
427 |
|
---|
428 | static uchar emmcmd42[] =
|
---|
429 | { 0x42, 0x85, 0x58, 0x01, 0xC8, 0x00, 0x00, 0x00, 0x05, 0xB8, 0x0C, 0xBD, 0x7B, 0x07, 0x04, 0xC8,
|
---|
430 | 0x77, 0x31, 0x95, 0xF2, 0x30, 0xB7, 0xE9, 0xEE, 0x0F, 0x81, 0x39, 0x1C, 0x1F, 0xA9, 0x11, 0x3E,
|
---|
431 | 0xE5, 0x0E, 0x8E, 0x50, 0xA4, 0x31, 0xBB, 0x01, 0x00, 0xD6, 0xAF, 0x69, 0x60, 0x04, 0x70, 0x3A,
|
---|
432 | 0x91,
|
---|
433 | 0x56, 0x58, 0x11
|
---|
434 | };
|
---|
435 |
|
---|
436 | switch (ep->type) {
|
---|
437 | case 0x88: //shared EMM
|
---|
438 | {
|
---|
439 | cs_debug ("HANS: checkpoint 1");
|
---|
440 | if (memcmp (ep->emm + 9, reader[ridx].sa[0], 1)) { //in case of SHARED EMM, only first byte has to match?
|
---|
441 | cs_log ("EMM: Shared update did not match; EMM SA:%02X%02X%02X%02X, Reader SA:%s.", ep->emm[9], ep->emm[10],
|
---|
442 | ep->emm[11], ep->emm[12], cs_hexdump (0, reader[ridx].sa[0], 4));
|
---|
443 | return (0);
|
---|
444 | }
|
---|
445 | else {
|
---|
446 | cs_log ("EMM: Shared update matched for EMM SA %02X%02X%02X%02X.", ep->emm[9], ep->emm[19], ep->emm[11],
|
---|
447 | ep->emm[12]);
|
---|
448 | }
|
---|
449 | /*
|
---|
450 | 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16
|
---|
451 | 88 00 68 C8 4D 56 85 58 01 C8 00 00 00 05 B8 0C
|
---|
452 |
|
---|
453 | 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 --
|
---|
454 | BD 7B 07 04 C8 77 31 95 F2 30 B7 E9 EE 0F 81 39
|
---|
455 |
|
---|
456 | 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 --
|
---|
457 | 1C 1F A9 11 3E E5 0E 8E 50 A4 31 BB 01 00 D6 AF
|
---|
458 |
|
---|
459 | 49 50 51 52 53 54X55 56 57 58 59 60 61 62 63 64 --
|
---|
460 | 69 60 04 70 3A 91 3B 85 58 01 C8 00 00 00 05 B1
|
---|
461 |
|
---|
462 | 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 --
|
---|
463 | 3F BF A0 05 6E BD AB 0A 70 77 30 C2 AC EC 06 C2
|
---|
464 |
|
---|
465 | 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 --
|
---|
466 | 3D 47 50 8D B1 77 68 62 6B 26 6B CE A9 EF 1B 6A
|
---|
467 |
|
---|
468 | 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 --
|
---|
469 | DF 7B 39 52 A4 5A 0E B0 A6 ED 7B DC 82 3C AE A3
|
---|
470 |
|
---|
471 | Here we have:
|
---|
472 |
|
---|
473 | Bytes ...
|
---|
474 | 01 (88) - EMM filter can be a value 87
|
---|
475 | 03 (68) - length of data EMM
|
---|
476 | 04 (C8) - the number of SA for the filter (C8 - is a map)
|
---|
477 | 06 (56) - index kriptodannyh (56/3B alternate) are likely key number
|
---|
478 |
|
---|
479 | 07 (85) - choice of algorithm (8x - MSP / 4x - Atmel), in the cards until only 85
|
---|
480 | 08 (01) - the type of EMM (00 - EMM_U, solo / 01 - EMM_S, group)
|
---|
481 | 10 - 13 (C8 00 00 00) - here only for SA EMM_S
|
---|
482 | 14 (05) - additional flags
|
---|
483 | 15 - 54 (V8. .. 91) own body EMM, information about the key.
|
---|
484 | 55 (3B) may be a checksum.
|
---|
485 |
|
---|
486 | Bytes 56 - 104 - for the second key.
|
---|
487 | Appointment of the remaining bytes is unknown.
|
---|
488 | */
|
---|
489 | } // end shared EMM NO BREAK so rest happens in global EMM
|
---|
490 | case 0x89: //global EMM ??
|
---|
491 | {
|
---|
492 | if (ep->type == 0x89)
|
---|
493 | cs_log ("EMM: Global update");
|
---|
494 | /* 89 00 68 00 4D 56 85 58 01 00 00 00 00 06 29 58
|
---|
495 | * 89 04 3A EE 15 B1 38 4A 75 5A 21 EE 4D 37 F3 53
|
---|
496 | * F8 AC 1F 8D EA DF 12 73 00 69 BB 67 5D 8A 96 2D
|
---|
497 | * 1C 08 EB F1 CA 40X3BX85 58 01 00 00 00 00 05 85
|
---|
498 | * F2 E1 D9 86 EA 19 6A EF 3B 9D 0C EA F3 7B 74 E5
|
---|
499 | * F7 4F D6 9C 85 6C 7E 79 DF 18 D1 C3 54 A9 47 CB
|
---|
500 | * AC B6 18 71 C8 69 6B 10 FF 9D 11
|
---|
501 | */
|
---|
502 | memcpy (emmcmd42 + 1, ep->emm + 6, 48);
|
---|
503 | emmcmd42[51] = provider;
|
---|
504 | //emmcmd42[50] = ecmcmd42[2]; //TODO package nr could also be fixed 0x58
|
---|
505 | emmcmd42[49] = ep->emm[5]; //keynr
|
---|
506 | /* response:
|
---|
507 | 59 05 A2 02 05 01 5B
|
---|
508 | 90 00 */
|
---|
509 | cs_debug ("HANS: checkpoint 5");
|
---|
510 | if ((dre_cmd (emmcmd42))) { //first emm request
|
---|
511 | if ((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1] != 0x00))
|
---|
512 | return (0); //exit if response is not 90 00
|
---|
513 |
|
---|
514 | cs_debug ("HANS: checkpoint 6");
|
---|
515 | memcpy (emmcmd42 + 1, ep->emm + 55, 7);
|
---|
516 | memcpy (emmcmd42 + 8, ep->emm + 67, 41);
|
---|
517 | emmcmd42[51] = provider;
|
---|
518 | //emmcmd42[50] = ecmcmd42[2]; //TODO package nr could also be fixed 0x58
|
---|
519 | emmcmd42[49] = ep->emm[54]; //keynr
|
---|
520 | if ((dre_cmd (emmcmd42))) { //second emm request
|
---|
521 | if ((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1] != 0x00))
|
---|
522 | return (0); //exit if response is not 90 00
|
---|
523 | return 1; //success
|
---|
524 | }
|
---|
525 | }
|
---|
526 |
|
---|
527 | break;
|
---|
528 | } //end global EMM
|
---|
529 | case 0x87: //unique EMM
|
---|
530 | {
|
---|
531 | /*
|
---|
532 | 0x87, 0x00, 0x8C, ser1, ser2, ser3, ser4, 0x02, 0xA9, 0xA5, 0x34, 0x31, 0xAB, 0x9C, 0x9B, 0x59,
|
---|
533 | 0x5D, 0x47, 0x95, 0xB3, 0xB1, 0x61, 0x47, 0xE6, 0x85, 0xE0, 0x17, 0xC8, 0x25, 0x70, 0x59, 0x73,
|
---|
534 | 0x12, 0x1F, 0x2B, 0x9B, 0x02, 0x5A, 0x9D, 0x3A, 0x05, 0x56, 0x85, 0x58, 0x00, 0xC8, 0x4D, 0x25,
|
---|
535 | 0x5A, 0x06, 0x02, 0x23, 0xB4, 0x37, 0x1E, 0xE0, 0x7E, 0x59, 0xFC, 0x38, 0xCA, 0x13, 0x21, 0x0D,
|
---|
536 | 0x3E, 0x09, 0xDF, 0xB4, 0x45, 0x6C, 0x99, 0x7E, 0x3E, 0xDA, 0xA4, 0xC7, 0xB9, 0x7B, 0xAB, 0x4A,
|
---|
537 | 0xB5, 0xE2, 0x1D, 0xA3, 0xCD, 0x03, 0xAF, 0xDA, 0xBA, 0xEA, 0x3B, 0x85, 0x58, 0x00, 0xC8, 0x4D,
|
---|
538 | 0x25, 0x5A, 0x05, 0xF4, 0xAF, 0x8B, 0x8F, 0x2F, 0x6C, 0xF2, 0x43, 0x8C, 0x86, 0x03, 0xFD, 0x1C,
|
---|
539 | 0xDF, 0x7A, 0xE4, 0xB6, 0x0B, 0xF9, 0x70, 0x72, 0xFC, 0x2A, 0xEC, 0x0F, 0x6D, 0x8D, 0x82, 0xC6,
|
---|
540 | 0x4C, 0x16, 0x81, 0xDC, 0xC9, 0x3C, 0x34, 0x84, 0x35, 0x9A, 0xA7, 0xED, 0xB1, 0x39, 0xBC
|
---|
541 | */
|
---|
542 | cs_debug ("HANS: checkpoint 2");
|
---|
543 | //first test if UA matches
|
---|
544 | if (memcmp (reader[ridx].hexserial + 2, ep->emm + 3, 4)) {
|
---|
545 | cs_log ("EMM: Unique update did not match; EMM Serial:%02X%02X%02X%02X, Reader Serial:%s.", ep->emm[3],
|
---|
546 | ep->emm[4], ep->emm[5], ep->emm[6], cs_hexdump (0, reader[ridx].hexserial + 2, 4));
|
---|
547 | return (0);
|
---|
548 | }
|
---|
549 | else {
|
---|
550 | cs_log ("EMM: Unique update matched EMM Serial:%02X%02X%02X%02X.", ep->emm[3], ep->emm[4], ep->emm[5],
|
---|
551 | ep->emm[6]);
|
---|
552 | cs_log ("EMM: layout of EMM 0x87 unknown, cannot be processed yet.");
|
---|
553 | }
|
---|
554 | break;
|
---|
555 | } //end unique EMM
|
---|
556 | default:
|
---|
557 | cs_log
|
---|
558 | ("EMM: Congratulations, you have discovered a new EMM type on DRECRYPT. This has not been decoded yet, so send this output to authors:");
|
---|
559 | cs_dump (ep->emm, emm_length + 3, "EMM:");
|
---|
560 | return 0; //unknown
|
---|
561 | } //end of switch
|
---|
562 |
|
---|
563 |
|
---|
564 | cs_debug ("HANS: checkpoint 3");
|
---|
565 | return 0;
|
---|
566 | }
|
---|
567 |
|
---|
568 | int dre_card_info (void)
|
---|
569 | {
|
---|
570 | return (1);
|
---|
571 | }
|
---|