Changeset 497 for trunk/reader-dre.c


Ignore:
Timestamp:
Nov 6, 2009, 7:16:07 PM (10 years ago)
Author:
dingo35
Message:

Fix small bug in debugging configs

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/reader-dre.c

    r492 r497  
    55extern uchar cta_cmd[], cta_res[];
    66extern ushort cta_lr;
    7 static unsigned short pmap = 0; // provider-maptable
    87unsigned long long serial;
    98char *card;
     
    181180  }
    182181
    183   memset (reader[ridx].prid, 0xff, sizeof (reader[ridx].prid));
    184182  memset (reader[ridx].prid, 0x00, 8);
    185183
     
    217215  dre_cmd (ua);         //error would not be fatal
    218216
    219   for (i = 0; i < 8; i++)
    220     reader[ridx].hexserial[i] = 0;
    221   int hexlength = cta_res[1] - 2;   //discard first and last byte, last byte is always checksum, first is always rubbish?
    222 
    223   memcpy (reader[ridx].hexserial + 8 - hexlength, cta_res + 3, hexlength);
     217  int hexlength = cta_res[1] - 2;   //discard first and last byte, last byte is always checksum, first is answer code
     218
     219  reader[ridx].hexserial[0] = 0;
     220  reader[ridx].hexserial[1] = 0;
     221  memcpy (reader[ridx].hexserial + 2, cta_res + 3, hexlength);
    224222
    225223  int low_dre_id = ((cta_res[4] << 16) | (cta_res[5] << 8) | cta_res[6]) - 48608;
     
    235233  //cs_ri_log("type: DRECrypt, caid: %04X, serial: %llu, card: v%x",
    236234  cs_log ("type: DRECrypt, caid: %04X, serial: %s, dre id: %i%i%i%08i, geocode %i, card: %s v%i.%i",
    237       reader[ridx].caid[0], cs_hexdump (0, reader[ridx].hexserial, 8), dre_chksum, provider - 16, major_version + 1,
    238       low_dre_id, geocode, card, major_version, minor_version);
     235      reader[ridx].caid[0], cs_hexdump (0, reader[ridx].hexserial + 2, 4), dre_chksum, provider - 16,
     236      major_version + 1, low_dre_id, geocode, card, major_version, minor_version);
    239237  cs_log ("Provider name:%s.", provname);
    240238
    241239
    242   memcpy (&reader[ridx].sa[0][0], &reader[ridx].hexserial + 4, 4);  //copy unique address also in shared address, because we dont know what it is...
     240  memset (reader[ridx].sa, 0, sizeof (reader[ridx].sa));
     241  memcpy (reader[ridx].sa[0], reader[ridx].hexserial + 2, 1);   //copy first byte of unique address also in shared address, because we dont know what it is...
     242
     243  cs_log ("DEBUG: SA = %02X%02X%02X%02X, UA = %s", reader[ridx].sa[0][0], reader[ridx].sa[0][1], reader[ridx].sa[0][2],
     244      reader[ridx].sa[0][3], cs_hexdump (0, reader[ridx].hexserial + 2, 4));
     245
     246  //reader[ridx].nprov = 1; TODO doesnt seem necessary
    243247
    244248  if (!dre_set_provider_info ())
     
    304308//}
    305309
     310  EMM_PACKET *eptmp;
     311  eptmp = malloc (sizeof (EMM_PACKET));
     312//  static unsigned char tempser[] = { 0, 0, 0xC8, 0x4D, 0x25, 0x5A };
     313//  memcpy (reader[ridx].hexserial, tempser, 8);
     314  dre_do_emm (eptmp);
     315  free (eptmp);
    306316//############### PLAYGROUND ////
    307317  cs_log ("ready for requests");
     
    309319}
    310320
     321/*
    311322static int get_prov_index (char *provid)    //returns provider id or -1 if not found
    312323{
     
    317328  return (-1);
    318329}
    319 
     330*/
    320331
    321332int dre_do_ecm (ECM_REQUEST * er)
     
    333344    memcpy (ecmcmd41 + 4, er->ecm + 8, 16);
    334345    ecmcmd41[20] = er->ecm[6];  //keynumber
    335     ecmcmd41[21] = 0x58 + er->ecm[25];
     346    ecmcmd41[21] = 0x58 + er->ecm[25];  //package number
    336347    cs_debug ("DEBUG: unused ECM info front:%s", cs_hexdump (0, er->ecm, 8));
    337     cs_debug ("DEBUG: unused ECM info back:%s", cs_hexdump (0, er->ecm + 24, er->ecm[2]+2-24));
     348    cs_debug ("DEBUG: unused ECM info back:%s", cs_hexdump (0, er->ecm + 24, er->ecm[2] + 2 - 24));
    338349    if ((dre_cmd (ecmcmd41))) { //ecm request
    339350      if ((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1] != 0x00))
     
    380391int dre_do_emm (EMM_PACKET * ep)
    381392{
    382   return 0;         //FIXME STUB
     393  //return 0;                   //FIXME STUB
     394  /*
     395  uchar emmtest[] = { 0x87, 0x00, 0x8C, 0xC8, 0x4D, 0x25, 0x5A, 0x02, 0xA9, 0xA5, 0x34, 0x31, 0xAB, 0x9C, 0x9B, 0x59,
     396    0x5D, 0x47, 0x95, 0xB3, 0xB1, 0x61, 0x47, 0xE6, 0x85, 0xE0, 0x17, 0xC8, 0x25, 0x70, 0x59, 0x73,
     397    0x12, 0x1F, 0x2B, 0x9B, 0x02, 0x5A, 0x9D, 0x3A, 0x05, 0x56, 0x85, 0x58, 0x00, 0xC8, 0x4D, 0x25,
     398    0x5A, 0x06, 0x02, 0x23, 0xB4, 0x37, 0x1E, 0xE0, 0x7E, 0x59, 0xFC, 0x38, 0xCA, 0x13, 0x21, 0x0D,
     399    0x3E, 0x09, 0xDF, 0xB4, 0x45, 0x6C, 0x99, 0x7E, 0x3E, 0xDA, 0xA4, 0xC7, 0xB9, 0x7B, 0xAB, 0x4A,
     400    0xB5, 0xE2, 0x1D, 0xA3, 0xCD, 0x03, 0xAF, 0xDA, 0xBA, 0xEA, 0x3B, 0x85, 0x58, 0x00, 0xC8, 0x4D,
     401    0x25, 0x5A, 0x05, 0xF4, 0xAF, 0x8B, 0x8F, 0x2F, 0x6C, 0xF2, 0x43, 0x8C, 0x86, 0x03, 0xFD, 0x1C,
     402    0xDF, 0x7A, 0xE4, 0xB6, 0x0B, 0xF9, 0x70, 0x72, 0xFC, 0x2A, 0xEC, 0x0F, 0x6D, 0x8D, 0x82, 0xC6,
     403    0x4C, 0x16, 0x81, 0xDC, 0xC9, 0x3C, 0x34, 0x84, 0x35, 0x9A, 0xA7, 0xED, 0xB1, 0x39, 0xBC
     404  }; //UNIQE EMM
     405*/
     406
     407  uchar emmtest[] = { 0x89, 0x00, 0x68, 0x00, 0x4D, 0x56, 0x85, 0x58, 0x01, 0x00, 0x00, 0x00, 0x00, 0x06, 0x29, 0x58,
     408    0x89, 0x04, 0x3A, 0xEE, 0x15, 0xB1, 0x38, 0x4A, 0x75, 0x5A, 0x21, 0xEE, 0x4D, 0x37, 0xF3, 0x53,
     409    0xF8, 0xAC, 0x1F, 0x8D, 0xEA, 0xDF, 0x12, 0x73, 0x00, 0x69, 0xBB, 0x67, 0x5D, 0x8A, 0x96, 0x2D,
     410    0x1C, 0x08, 0xEB, 0xF1, 0xCA, 0x40, 0x3B, 0x85, 0x58, 0x01, 0x00, 0x00, 0x00, 0x00, 0x05, 0x85,
     411    0xF2, 0xE1, 0xD9, 0x86, 0xEA, 0x19, 0x6A, 0xEF, 0x3B, 0x9D, 0x0C, 0xEA, 0xF3, 0x7B, 0x74, 0xE5,
     412    0xF7, 0x4F, 0xD6, 0x9C, 0x85, 0x6C, 0x7E, 0x79, 0xDF, 0x18, 0xD1, 0xC3, 0x54, 0xA9, 0x47, 0xCB,
     413    0xAC, 0xB6, 0x18, 0x71, 0xC8, 0x69, 0x6B, 0x10, 0xFF, 0x9D, 0x11 }; //GLOBAL EMM
     414
     415  memcpy (ep->emm, emmtest, 0x8f);
     416
     417  int emm_length = ((ep->emm[1] & 0x0f) << 8) + ep->emm[2];
     418
     419  cs_ddump (ep->emm, emm_length + 3, "EMM:");
     420  ep->type = ep->emm[0];
     421  cs_debug ("ep->type%x", ep->type);
     422
     423  if (mode != 41) {
     424    cs_log ("EMM Mode not implemented yet");
     425    return 0;
     426  }
     427
     428  static uchar emmcmd42[] =
     429    { 0x42, 0x85, 0x58, 0x01, 0xC8, 0x00, 0x00, 0x00, 0x05, 0xB8, 0x0C, 0xBD, 0x7B, 0x07, 0x04, 0xC8,
     430    0x77, 0x31, 0x95, 0xF2, 0x30, 0xB7, 0xE9, 0xEE, 0x0F, 0x81, 0x39, 0x1C, 0x1F, 0xA9, 0x11, 0x3E,
     431    0xE5, 0x0E, 0x8E, 0x50, 0xA4, 0x31, 0xBB, 0x01, 0x00, 0xD6, 0xAF, 0x69, 0x60, 0x04, 0x70, 0x3A,
     432    0x91,
     433    0x56, 0x58, 0x11
     434  };
     435
     436  switch (ep->type) {
     437  case 0x88:            //shared EMM
     438    {
     439      cs_debug ("HANS: checkpoint 1");
     440      if (memcmp (ep->emm + 9, reader[ridx].sa[0], 1)) {    //in case of SHARED EMM, only first byte has to match?
     441    cs_log ("EMM: Shared update did not match; EMM SA:%02X%02X%02X%02X, Reader SA:%s.", ep->emm[9], ep->emm[10],
     442        ep->emm[11], ep->emm[12], cs_hexdump (0, reader[ridx].sa[0], 4));
     443    return (0);
     444      }
     445      else {
     446    cs_log ("EMM: Shared update matched for EMM SA %02X%02X%02X%02X.", ep->emm[9], ep->emm[19], ep->emm[11],
     447        ep->emm[12]);
     448      }
     449      /*
     450         01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16
     451         88 00 68 C8 4D 56 85 58 01 C8 00 00 00 05 B8 0C
     452
     453         17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 --
     454         BD 7B 07 04 C8 77 31 95 F2 30 B7 E9 EE 0F 81 39
     455
     456         33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 --
     457         1C 1F A9 11 3E E5 0E 8E 50 A4 31 BB 01 00 D6 AF
     458
     459         49 50 51 52 53 54X55 56 57 58 59 60 61 62 63 64 --
     460         69 60 04 70 3A 91 3B 85 58 01 C8 00 00 00 05 B1
     461
     462         65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 --
     463         3F BF A0 05 6E BD AB 0A 70 77 30 C2 AC EC 06 C2
     464
     465         81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 --
     466         3D 47 50 8D B1 77 68 62 6B 26 6B CE A9 EF 1B 6A
     467
     468         97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 --
     469         DF 7B 39 52 A4 5A 0E B0 A6 ED 7B DC 82 3C AE A3
     470
     471         Here we have:
     472
     473         Bytes ...
     474         01 (88) - EMM filter can be a value 87
     475         03 (68) - length of data EMM
     476         04 (C8) - the number of SA for the filter (C8 - is a map)
     477         06 (56) - index kriptodannyh (56/3B alternate) are likely key number
     478
     479         07 (85) - choice of algorithm (8x - MSP / 4x - Atmel), in the cards until only 85
     480         08 (01) - the type of EMM (00 - EMM_U, solo / 01 - EMM_S, group)
     481         10 - 13 (C8 00 00 00) - here only for SA EMM_S
     482         14 (05) - additional flags
     483         15 - 54 (V8. .. 91) own body EMM, information about the key.
     484         55 (3B) may be a checksum.
     485
     486         Bytes 56 - 104 - for the second key.
     487         Appointment of the remaining bytes is unknown.
     488       */
     489    }               // end shared EMM NO BREAK so rest happens in global EMM
     490  case 0x89:            //global EMM ??
     491    {
     492      if (ep->type == 0x89)
     493    cs_log ("EMM: Global update");
     494      /* 89 00 68 00 4D 56 85 58 01 00 00 00 00 06 29 58
     495       * 89 04 3A EE 15 B1 38 4A 75 5A 21 EE 4D 37 F3 53
     496       * F8 AC 1F 8D EA DF 12 73 00 69 BB 67 5D 8A 96 2D
     497       * 1C 08 EB F1 CA 40X3BX85 58 01 00 00 00 00 05 85
     498       * F2 E1 D9 86 EA 19 6A EF 3B 9D 0C EA F3 7B 74 E5
     499       * F7 4F D6 9C 85 6C 7E 79 DF 18 D1 C3 54 A9 47 CB
     500       * AC B6 18 71 C8 69 6B 10 FF 9D 11
     501       */
     502      memcpy (emmcmd42 + 1, ep->emm + 6, 48);
     503      emmcmd42[51] = provider;
     504      //emmcmd42[50] = ecmcmd42[2]; //TODO package nr could also be fixed 0x58
     505      emmcmd42[49] = ep->emm[5];    //keynr
     506      /* response:
     507         59 05 A2 02 05 01 5B
     508         90 00 */
     509      cs_debug ("HANS: checkpoint 5");
     510      if ((dre_cmd (emmcmd42))) {   //first emm request
     511    if ((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1] != 0x00))
     512      return (0);       //exit if response is not 90 00
     513
     514    cs_debug ("HANS: checkpoint 6");
     515    memcpy (emmcmd42 + 1, ep->emm + 55, 7);
     516    memcpy (emmcmd42 + 8, ep->emm + 67, 41);
     517    emmcmd42[51] = provider;
     518    //emmcmd42[50] = ecmcmd42[2]; //TODO package nr could also be fixed 0x58
     519    emmcmd42[49] = ep->emm[54]; //keynr
     520    if ((dre_cmd (emmcmd42))) { //second emm request
     521      if ((cta_res[cta_lr - 2] != 0x90) || (cta_res[cta_lr - 1] != 0x00))
     522        return (0);     //exit if response is not 90 00
     523      return 1;     //success
     524    }
     525      }
     526
     527      break;
     528    }               //end global EMM
     529  case 0x87:            //unique EMM
     530    {
     531      /*
     532         0x87, 0x00, 0x8C, ser1, ser2, ser3, ser4, 0x02, 0xA9, 0xA5, 0x34, 0x31, 0xAB, 0x9C, 0x9B, 0x59,
     533         0x5D, 0x47, 0x95, 0xB3, 0xB1, 0x61, 0x47, 0xE6, 0x85, 0xE0, 0x17, 0xC8, 0x25, 0x70, 0x59, 0x73,
     534         0x12, 0x1F, 0x2B, 0x9B, 0x02, 0x5A, 0x9D, 0x3A, 0x05, 0x56, 0x85, 0x58, 0x00, 0xC8, 0x4D, 0x25,
     535         0x5A, 0x06, 0x02, 0x23, 0xB4, 0x37, 0x1E, 0xE0, 0x7E, 0x59, 0xFC, 0x38, 0xCA, 0x13, 0x21, 0x0D,
     536         0x3E, 0x09, 0xDF, 0xB4, 0x45, 0x6C, 0x99, 0x7E, 0x3E, 0xDA, 0xA4, 0xC7, 0xB9, 0x7B, 0xAB, 0x4A,
     537         0xB5, 0xE2, 0x1D, 0xA3, 0xCD, 0x03, 0xAF, 0xDA, 0xBA, 0xEA, 0x3B, 0x85, 0x58, 0x00, 0xC8, 0x4D,
     538         0x25, 0x5A, 0x05, 0xF4, 0xAF, 0x8B, 0x8F, 0x2F, 0x6C, 0xF2, 0x43, 0x8C, 0x86, 0x03, 0xFD, 0x1C,
     539         0xDF, 0x7A, 0xE4, 0xB6, 0x0B, 0xF9, 0x70, 0x72, 0xFC, 0x2A, 0xEC, 0x0F, 0x6D, 0x8D, 0x82, 0xC6,
     540         0x4C, 0x16, 0x81, 0xDC, 0xC9, 0x3C, 0x34, 0x84, 0x35, 0x9A, 0xA7, 0xED, 0xB1, 0x39, 0xBC
     541       */
     542      cs_debug ("HANS: checkpoint 2");
     543      //first test if UA matches
     544      if (memcmp (reader[ridx].hexserial + 2, ep->emm + 3, 4)) {
     545    cs_log ("EMM: Unique update did not match; EMM Serial:%02X%02X%02X%02X, Reader Serial:%s.", ep->emm[3],
     546        ep->emm[4], ep->emm[5], ep->emm[6], cs_hexdump (0, reader[ridx].hexserial + 2, 4));
     547    return (0);
     548      }
     549      else {
     550    cs_log ("EMM: Unique update matched EMM Serial:%02X%02X%02X%02X.", ep->emm[3], ep->emm[4], ep->emm[5],
     551        ep->emm[6]);
     552    cs_log ("EMM: layout of EMM 0x87 unknown, cannot be processed yet.");
     553      }
     554      break;
     555    }               //end unique EMM
     556  default:
     557    cs_log
     558      ("EMM: Congratulations, you have discovered a new EMM type on DRECRYPT. This has not been decoded yet, so send this output to authors:");
     559    cs_dump (ep->emm, emm_length + 3, "EMM:");
     560    return 0;           //unknown
     561  }             //end of switch
     562
     563
     564  cs_debug ("HANS: checkpoint 3");
     565  return 0;
    383566}
    384567
Note: See TracChangeset for help on using the changeset viewer.