Understanding processing of Viaccess ECM

Kui soovid välja käia mingi tarkusetera siis postita siia. Vastusteks olgu ainult teema edasiarendused.
Kasutaja avatar
admin
Admin
Postitusi: 594
Liitunud: 15:06, 11 Jaan 2003
Asukoht: Saaremaa
    unknown unknown
On tänanud: 6 korda
On tänatud: 22 korda
Kontakt:

Understanding processing of Viaccess ECM

PostitusPostitas admin » 20:58, 14 Jaan 2003

Thanx to Wolfman

Processing ECM is done in two steps (like with any system I guess):
1) the cam sends the full ECM to the card and ask it to decrypt it
2) the cam then ask the card to send back the results

So in a log you have:

Incoming ECM Instruction
CA 88 00 08 21
E2 03 2C E4 21 EA 10 B7 EC A6 C1 AC 6C 47 09 AC
E6 37 DD 1F C4 A3 15 F0 08 B5 4C 2F 96 8C D2 71
94 90 00

This is the command that sends the ECM to the card (CA 88).
The key to be used is key 08 and the leght of the ECM is 0x21 bytes.
Then comes the ECM (from E2 to 94). ECMs are encoded in TLV (Type Length Value). They are usually made of three parts:
1) the access conditions the card needs to have to decrypt the CW
2) the CWs themselves (present and following)
3) a hash field to check the integrity of the full ECM

In our case, the first field is E2 03 2C E4 21
E2 means that access rights are based on date and classes.
03 is the leght
2C E4 is the date (this one is 4th July 2002)
21 is the class
This means that, in order for the card to decrypt the CWs, it has to have access rights to class 21 up till the 4th of July. Otherwise the card answers 90 08 (No rights).

Then we have:
EA 10 B7 EC A6 C1 AC 6C 47 09 AC E6 37 DD 1F C4 A3 15
EA means ECW/OCW, so we have two CWs one for even period and the other for odd.
10 is the length
B7 EC A6 C1 AC 6C 47 09 is the first ECW
AC E6 37 DD 1F C4 A3 15 is the second ECW

And finally we have:
F0 08 B5 4C 2F 96 8C D2 71 94
F0 means HASH
08 is the leght
B5 4C 2F 96 8C D2 71 94 is the hash value

The card answers 90 00 which means everything's ok.
Usually the cam doesn't really have to bother about all those details. It just takes what comes into the ECM stream and forward it to the card as it is.


Request Decrypted CW
CA C0 00 00 12
EA 10 A4 0B 9E 78 40 C5 57 A6 5A 1A 72 DD 6D 0C
ED FC 90 00

This is the command that ask the card to send the DCWs back (CA C0). This command is not dedicated to CW but is more like a general command to ask for results after a request. The two bytes after CA C0 are always 00 and 12 is the length of the requested data. If the card has less than that length to send it is padded with FF.

The card answers with a TLV encoded message:
EA 10 A4 0B 9E 78 40 C5 57 A6 5A 1A 72 DD 6D 0C ED FC
EA still means ECW/OCW (but this time they are decrypted)
10 is the legnth
A4 0B 9E 78 40 C5 57 A6 is the first CW decrypted with OpKey 08
5A 1A 72 DD 6D 0C ED FC is the second CW decrypted with same OpKey

And then we have 90 00 which means everything's ok.

And that's it. We're ready for the next crypto period.

Mine

Kes on foorumil

Kasutajad foorumit lugemas: Registreeritud kasutajaid pole ja 11 külalist