is this a bit of hope or more bulls**t

Discussion in 'Digital TV - UK & Europe' started by cragis187, Mar 9, 2010.

  1. cragis187

    cragis187 Member

    Joined:
    Jul 14, 2009
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    this is not my own work but thought it may be interesting

    How Nagra3 Cams Were Hacked & Cracked.
    This was posted on another site by Carddoctor. Is it just the usual crap?

    c/p:

    Hello hack satellite pirates.

    You will find this an interesting read.

    Credit goes to Packin18 & Edmonton Guy for original concepts and n3 roms and eeproms
    dumps from dish and bell providers currently making way around irc and private
    underground forums around the net. Thank Packin18 for your N3 fix and no other.

    A virgin non sub card was inserted into a modified blue T911 mod loader with 4053 muxs.
    The virgin non sub card was reset and the atr was sent as usual.
    A packet containing nops with a bclr instruction at the end was sent to the n3 cam.
    When the last bit of the checksum was sent to the cam 16 additional clocks followed.
    The cam was soft reset by sending the RST cam pin low from high.
    As the cam rst pin swung low a bunch of glitching followed.
    This glitching carried on until the RST cam pin came high again.
    This glitching carried on for the first clock.
    200+ additional clocks were sent to the card.
    The cam i/o line was monitored for a full cycle low i/o pin result of the bclr instruction.
    The cam was quickly reset, glitched, & clocked a few hundred times again, repeatedly.
    When the full cycle low i/o pin signal was seen N3 cams were hacked.
    The bclr instructions were removed and replaced with more bsets and bclr instructions
    that ROR'd rom and eeprom a bit at a time out of the cam i/o pin without need for the
    rom routines that usually handle I/O output.

    What Happened?

    The packet was stored in the I/O buffer and the card reset before packet processing.
    The reset caused the program counter and the stack pointer to reset but not ram values.
    The packet full of nops that pulled the i/o line low stayed resident in ram on soft reset.
    The card was reset and the addressbus latching of the reset vector was glitched until
    the new reset vector became the i/o buffer where NOPS and BCLR code opened N3.

    N3 roms/eeproms (142/206/240) for all providers have successfully been dumped.
    (interestingly enough this attack works on all N1/N2 cams/icams as well)
    (I don't have any dave cams, do you?)


    So anyway, if you're like me and most of this is just gobbledygook, then here's a simpler way: they took a new card, let the provider hammer it with their info, and then took the card and dumped the info after it opened up N3. I think that's it.

    Now whether this is true, who knows, but it would be great. That means in about a week or 2 there would be an emulation for PC card users and then the code could be put into a bin.

    But I really won't believe it until I am watching Bev again on a cardless and IKS-less system. Make up your own mind, but here's hoping.
     
    Last edited: Mar 10, 2010
  2. jackoooh

    jackoooh Regular member

    Joined:
    Feb 13, 2009
    Messages:
    425
    Likes Received:
    0
    Trophy Points:
    26
    Nagra 3 has been in Europe for over 3 years and still hasn't been hacked, or doesn't look likely in the near future.
     
  3. fintannl

    fintannl Regular member

    Joined:
    Feb 11, 2009
    Messages:
    1,834
    Likes Received:
    9
    Trophy Points:
    48
    The guys at Digital Kaos have been running some interesting threads on this. Let's just wait and see where it leads. Ultimately there will or won't be a CAM distributed, but lots of people are trying and that's good.
     
  4. Mooley

    Mooley Regular member

    Joined:
    Jan 29, 2009
    Messages:
    1,047
    Likes Received:
    2
    Trophy Points:
    48
    Why does it mention Bell, Dish and Dave and then talk about a virgin card?? One's US and one's UK?!
     
  5. jackoooh

    jackoooh Regular member

    We are all believers, but?
     
  6. fintannl

    fintannl Regular member

    But lots. Just reading the threads, the options are wide and varying. As pointed out in the Starview thread, why does the box die after a year? How can this be dealt with? In the Dreambox realm, what are the challenges up and coming? What has happened to the Eurovox and how can this system be made to work? It's just a ball of fun and lots of people are sharing their experience. So it is not a glass half empty but very much a glass half full and needing further replenishment.
     
  7. cragis187

    cragis187 Member

    As I said at the top of it all, this is not my work, and really and truly it's like trying to read it in stereo. I came across it and thought to myself there may be some hope. I was hoping the likes of yourself and maybe scouse would understand it a bit better than me. Or any of the senior members for that fact.
     
  8. Mooley

    Mooley Regular member

    In my opinion it's garbage as they can't seem to decide what system it's on but also what side of the Atlantic they are on! They say can't wait to see Bev and they're using a virgin non sub card?? Doesn't make any sense.
     
    Last edited: Mar 10, 2010
  9. fintannl

    fintannl Regular member

    Could be right, Mooley. If it does come to something we will know in due course. What strikes me as strange with all this Nagra and particularly the Starview stuff is: what is the big deal about throwing the box in a bin after a year? Fine, the share provider cuts you off after a year. But isn't it clear that the share provider has managed to read a Nagra3 card and share it? So then clearly this knowledge is available somewhere. So by the end of the year most likely all this information will be public, in which case people can set up their own shares with the SV6 on Nagra3. So I wouldn't be binning any SV6.
     
  10. Mooley

    Mooley Regular member

    Absolutely, fintan, they have managed to share the N3 card and I do believe you'll see a lot more sharing over the next while. I'm not even binning my DM500c's as I believe they are running on a share already on the N3 system. Not mine, mind you. Don't ask me where though, people, it's all private share between others, not me.
     
  11. HMS2448

    HMS2448 Member

    Joined:
    Mar 10, 2010
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    This is old and BS. Also, just so you know, when you see virgin in an article about NA providers they are referring to a never glitched, subbed, or programmed card. Not to be confused with the Virgin you guys are familiar with.
     
  12. fintannl

    fintannl Regular member

    Absolutely no idea what you mean. Why is this old and BS? Is there some information source that proves this?
     
  13. Mooley

    Mooley Regular member

    Ah, so that's what the 'virgin' was referring to, cheers!
     
  14. HMS2448

    HMS2448 Member

    Exact same C&P posted at NA sat sites. Edmonton Guy used to be pretty infamous in NA for BS and money grabbing scams. BTW Packin18 and ED are the same person. New here so I'm not sure on link rules but if you Google Packin18 you'll find the original post from Carddoctor on FTAbins back in 2008.
     
  15. MICKAH

    MICKAH Active member

    Joined:
    May 14, 2007
    Messages:
    5,764
    Likes Received:
    1
    Trophy Points:
    98
    yet more N3 rubbish, hearsay and conjecture by the sounds of it...........
     
  16. rodmc

    rodmc Guest

    Hey guys

    I don't profess to be an expert in cryptography, but I do have a bit of basic knowledge, so here's my take.

    I've seen it posted on here and heard it from elsewhere that N3 will employ RSA. If this is the case then I do believe we are truly shafted.

    From what I know, the algorithm employs the use of extremely large prime numbers, this makes reverse engineering the algorithm extremely difficult if not near impossible.

    I may be wrong and maybe someone else will correct me, but like I say if it is RSA then we're goosed.
     
  17. Mooley

    Mooley Regular member

    I believe it does indeed employ RSA. But it is being shared and does work on IKS so it's a start. The standalone bin is probably not going to happen for a long long time but there are always workarounds and I have a feeling that IKS will be the next thing over here in UK and Ireland. Can't see it being anything else for quite a while unfortunately.

    Oh and c/s will always continue to exist unfortunately (and I mean that from a standalone bin stance by the way).
     
    Last edited: Mar 11, 2010
  18. fintannl

    fintannl Regular member

    Sorry, I picked up the comments the wrong way. What I was saying is that CS has already been proven on Nagra3 with the SV6, so it does seem that this will be an alternative for some time to come. As of yet I haven't seen the ins and outs of how this has been achieved, but I have no doubt that it will become public knowledge in due course. As for the cracking of Nagra3, well, I suspect that like NDS this will be an improbability, and while there is conjecture there is no working CAM currently available.
     
  19. HMS2448

    HMS2448 Member

    No problem. CS is very achievable with N3 and has been running in NA since before N3 was even fully implemented and the swap to N3 had very little effect. Using the provider's boxes, there was no down time from N2 to N3 on CS when using freeware and small network sharing. All it takes is a dump of the subbed box or of the N2 card that was subbed in said box previously. RSA isn't even that big of a hurdle if you have a married box and cam. It was used in NA for N2, and was able to be faked once the cams were compromised. All RSA, IDEA, or anything else implemented in N3 can do is most likely force the use of married cams and IRDs, if the cards get dumped. Speculation here is the swap focused on mostly hardware security upgrades and not software. So they are banking on Nagra and ST getting it right this time. Bad move I think, judging from Nagra's past track record.
     
  20. fintannl

    fintannl Regular member

    HMS, good reply. My primary experience is in the sat CS area. To this end I have detailed all that is necessary within current threads. I wonder, could you be so kind as to put what you say in layman's terms to the afterdawn users? From the sat side there are the following issues:
    - using a paired card in a dreambox
    - emulator to allow card share
    and that's it. Now the info has been supplied to read the sly card in the dreambox. Also CCCAM 2.1.4 is ready to provide the cs option.

    Can you explain how this is achieved from the Nagra3 card point of view? From my understanding there are boxkey and rsakey issues. How are these overcome? And what emulator is recommended?
     
