| N3 Chat Discussions on the new N3 Rollout. |
#1 (permalink) |
|
Member
Join Date: May 2008
Posts: 48
Thanks: 7
Thanked 1 Time in 1 Post
|
Lads and Lassies.
The source code for n3 has been found and tested.
Last edited by G77; 12-02-11 at 09:35 AM. Reason: removed attached file - hacking material (useless or not) is not to be made available on techwatch |
#2 (permalink) |
|
Senior Member
Join Date: May 2008
Posts: 2,129
Thanks: 1,215
Thanked 801 Times in 635 Posts
|
The source code above which you have posted was tested back in 2001 and I doubt it has any relevance at all for the present. If memory serves me right, they attempted a crack on the sat side and it never worked out.
If a hack / crack was going to come out I would have imagined that it would have come out by now. In fact it would have been out 10 yrs ago. I could be wrong but am sure someone will shed more light in regards to this. Also, looking at the source code, it's for Rom102Rev241 to Rom102Rev242 .. Am no expert at this but Kudelski are using Rom 180, so I would have imagined that it's useless to even look at the code. But as I said, am not an expert.. And it's a wild guess. In fact, to me these codes don't make any sense at all.
Last edited by unadkat; 12-02-11 at 05:17 AM. |
#3 (permalink) |
|
Underground Crew Member
Join Date: May 2009
Location: Undrground
Posts: 2,149
Thanks: 15
Thanked 1,691 Times in 933 Posts
|
Rom102 was also N2, not N3 !
The Rom102 was heavily used in the US several years ago and was hacked to hell - almost as much as our Rom10/11 cards. It's far less advanced even than the old Irish Rom110 card. In terms of N3 functionality the dumps have next to zero usefulness. If you actually want a dump of any of the 101/102/103 series of cards they are readily available as are full disassembly listings. They can be quite interesting if you want to start to learn about Nagra card pairing. |
| The Following 3 Users Say Thank You to TheCoder For This Useful Post: |
#4 (permalink) |
|
Senior Member
Join Date: Feb 2007
Location: Belfast
Posts: 347
Thanks: 23
Thanked 56 Times in 50 Posts
|
Not my work but just a brief description of RSA and SK and the process, which has been covered before by the coder.

If using DT08 (0A) on the card:
The DT08 (0A datatype on card) is created by the provider and sent to the card at sub time.
The DT08 contains the Cam N public RSA key along with ird/boxkey.
The DT08 is IDEA encrypted with the Idea Key made from ird/boxkey/inverted ird.
The DT08 is RSA encrypted using Ird N (public RSA key) and Ird D (private key, unknown by anyone but provider).

Ird N = N1 xored N2
Ird N1= A4E9B585932F90282FD70C908176E8605E6B2CE629335A0FC1 5B31DAB0BFC6FEEB88CFC69649994CD3FE039C9965C620C4D5 828E9153998EE4AE0E8C25644DF3
xor
Ird N1= 237280AAB36BE4B21FC71FBF08218E532A545E744D7B007FF8 69BA426831C4AC653F3825ADE9358FCD1F0239EC447CBC2765 CC0AEBE437AF2270FC461C2FA042
Ird N = 879B352F2044749A3010132F89576633743F729264485A7039 328B98D88E02528EB7F7E33BA0ACC31EE101A57521BA9CE3B0 4E847AB7AE21C6DEF2CA394BEDB1

The Ird N1, N2, Ideakey exist in the tsop.
Ird E = 3
Ird D = UNKNOWN, this is the reason you can't create your own DT08 without changing the N1/N2 on the tsop, you must know Ird D.
DT08 (0A) = IdeaEncrypt(CamN/Ird#/Boxkey/Idea Signature,Ird_Ideakey) ^ D mod Ird N.
Ird requests DT08.
Card sends back the DT08 (0A).
Ird decrypts the DT08.
Decrypted dt08 = IdeaDecrypt(DT08,Ird_IdeaKey) ^ 3 mod Ird N.
It checks the ird # and boxkeys in the decrypted 08; if they match what is on ird, it stores the Cam N in the decrypted 08 in ird memory.

If using Secondary Key (SK) on the Ird:
Ird checks whether SK exists on the ird; if it does, the DT08 will never be requested/ignored from the card.
Ird validates the SK with IDEA signature in the SK (using IIIIIIII01924314051647990A9C4E1 where I = irdnumber).
Ird takes the Cam N in the SK and puts it in ird memory.
Note: Cam N is not even encrypted in the SK, very weak method compared to DT08.

Later, establish session key (0C datatype on the card):
Ird requests 2A data from card.
Random 2A is sent from card to ird.
Ird performs some IDEA signing (leave it to you to look up 2A/2B routines).
Ird comes up with session key from the 2A message sent from Cam.
Ird encrypts the session key with RSA.
Encrypted 2B = (2B data with 16 byte session idea key) ^ 3 mod Cam N.
Sends encrypted data back to card in 2B message.
Cam decrypts 2B with Cam N, Cam D.
Decrypted 2B = (Encrypted 2B) ^ Cam D mod Cam N.
If valid, store session key in ram and on card for later use.
This all happens as ird boots.

When you select a channel:
Ird sends Cmd 07 ECM message with control words encrypted.
Cam decrypts the control words, re-encrypts them with IDEA encryption using the session key established above.
The ird then requests the control words.
The Cam sends them back in the 1C response.
The ird decrypts the control words with IDEA encryption using the session key established above.
Sends the control words to the mpeg decoder.
8 seconds of video.
Repeat 07/1C process over and over.

This is all done from memory, excuse any oversights/exclusions/errors. Not exhaustive on each step by any means, just a quick overview. |
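The RSA steps of the pairing flow described in the post above, as an added example that is not part of the original post or any vendor code. It models the DT08 check and the 2B session-key transport with constructed toy keys, omits both IDEA layers, and assumes a 4-byte ird number, an 8-byte boxkey and a 0x2B marker byte, none of which the post specifies.

```python
# Toy model of the RSA steps in the pairing flow above. IDEA layers are
# omitted; keys, field sizes and the 0x2B marker are constructed assumptions.
E = 3  # "Ird E = 3" from the post; the post also uses ^ 3 mod Cam N

def keypair(p, q):
    """Return (N, D) for public exponent 3."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Well-known special-form primes, used only because 3 is invertible mod
# (p-1)(q-1) for them. They are not suitable as real RSA primes.
IRD_N, IRD_D = keypair(2**384 - 2**128 - 2**96 + 2**32 - 1, 2**448 - 2**224 - 1)
CAM_N, CAM_D = keypair(2**130 - 5, 2**192 - 2**64 - 1)
CAM_LEN = (CAM_N.bit_length() + 7) // 8
REC_LEN = CAM_LEN + 4 + 8  # Cam N + ird number + boxkey

def provider_make_dt08(cam_n, ird_number, boxkey):
    """Provider: bind Cam N to one receiver, then apply Ird D."""
    record = cam_n.to_bytes(CAM_LEN, "big") + ird_number + boxkey
    return pow(int.from_bytes(record, "big"), IRD_D, IRD_N)

def ird_accept_dt08(dt08, my_ird_number, my_boxkey):
    """Receiver: recover the record with ^3 mod Ird N and check the pairing
    fields. Returns Cam N on a match, None otherwise."""
    size = (IRD_N.bit_length() + 7) // 8
    raw = pow(dt08, E, IRD_N).to_bytes(size, "big")
    pad, record = raw[:-REC_LEN], raw[-REC_LEN:]
    if any(pad) or record[CAM_LEN:] != my_ird_number + my_boxkey:
        return None  # wrong receiver or damaged DT08
    return int.from_bytes(record[:CAM_LEN], "big")

def ird_send_2b(session_key, cam_n):
    """Receiver: Encrypted 2B = (2B data with session key) ^ 3 mod Cam N."""
    return pow(int.from_bytes(b"\x2b" + session_key, "big"), E, cam_n)

def cam_receive_2b(encrypted_2b):
    """Card: Decrypted 2B = (Encrypted 2B) ^ Cam D mod Cam N."""
    data = pow(encrypted_2b, CAM_D, CAM_N).to_bytes(CAM_LEN, "big")
    return data[-16:] if data[:-16].lstrip(b"\0") == b"\x2b" else None

if __name__ == "__main__":
    ird, box = bytes.fromhex("01020304"), bytes.fromhex("1122334455667788")
    dt08 = provider_make_dt08(CAM_N, ird, box)
    cam_n = ird_accept_dt08(dt08, ird, box)
    print("paired:", cam_n == CAM_N)
    print("other receiver:", ird_accept_dt08(dt08, b"\x01\x02\x03\x05", box))
    print("session key:", cam_receive_2b(ird_send_2b(bytes(range(16)), cam_n)).hex())
```

Because the receiver only holds Ird N and the exponent 3, it can check a DT08 but cannot produce one, which is the point the post makes about Ird D.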
#5 (permalink) |
|
Underground Crew Member
Join Date: May 2009
Location: Undrground
Posts: 2,149
Thanks: 15
Thanked 1,691 Times in 933 Posts
|
wow, falls off chair and suffers great shock to system !
A technical post - didn't think I would live long enough to see one of those ! |
| The Following User Says Thank You to TheCoder For This Useful Post: | kerrywez (15-02-11) |
#7 (permalink) | |
|
Member
Join Date: Mar 2010
Posts: 31
Thanks: 6
Thanked 20 Times in 9 Posts
|
Quote:
| The Following User Says Thank You to CG121 For This Useful Post: | kerrywez (15-02-11) |
#8 (permalink) |
|
Grumpy Old Sat Man
Join Date: Sep 2007
Location: Co. Kerry, Ireland
Posts: 2,471
Thanks: 2,973
Thanked 639 Times in 505 Posts
|
Both N1 and N2 were hacked and we had a great run with them, but there will never be a hack for N3, just my opinion. You guys on the cable side have got to remember that the best have been trying for some 2 1/2 or 3 years now and they have got nowhere, so what makes the OP think that something as old as the rubbish he has posted will have any relevance to N3? It was the Spanish and Portuguese who cracked N1 and N2, so take a hint and go look in those countries for a hack; when you find one, come back with something that is at least from the last 1 to 3 years, then I might take notice.
Regards Wez
__________________
Dreambox 7025, 250HDD, Dreambox 500s, 110 X 90Cm Hirschmann on Clarketech rotor, 1.2 Mtr. Channel Master. AZBox HD Running on E2. TM6900 super combo. |
#9 (permalink) | |
|
Senior Member
Join Date: Feb 2007
Location: Belfast
Posts: 347
Thanks: 23
Thanked 56 Times in 50 Posts
|
Quote:
Old posts they may be, but everything has relevance if you are to begin to understand the updated Nagravision encryption. So as you call Nagra1 and 2 are both a good place to start, especially for those looking to card share and begin to understand the pairing process. Once they understand how things work they will have a fair idea of the information they need and how to get that. And for the Spanish and Portuguese lot while it wouldn't have all been possible if they get help from another company who had their own vested interests. p.s. The whole cable sat thing gets a bit boring after a while. Perhaps you could even say the sat crew aren't as good as they thought they were given the time they have had. But then again I would be talking rubbish, am I? tt |
| The Following User Says Thank You to timetrex For This Useful Post: | PerryCox (16-02-11) |
#10 (permalink) |
|
28:2e:29:28:2e:29
Join Date: Mar 2009
Posts: 502
Thanks: 111
Thanked 202 Times in 139 Posts
|
If I could, I'd thank you twice for that post.
It's so annoying the way questions on here get shot down. "It can't be done" "What do you want to know for, you can't do it" "Accept that it's not going to get hacked" "Don't ask questions" "Sat couldn't do it so cable can't" "You're talking **** and you're a moron" (Ok, maybe not quite that, but not far off sometimes). Not many on techwatch have any kind of hacking skills, and not many are interested beyond getting immediate free TV - but when there is a bit of technical debate going on, the uninterested are the first ones in to shoot someone down. So what if someone asks about how ITVDig "gold cards" were programmed. Yes it's old, yes it's no longer about, yes, no providers use it. That doesn't mean the person asking, or anyone reading, won't learn something. So what if someone asks about something you don't believe can be done - your opinion is worth the square root of feck all in a technical debate. If someone posts a question which you can't see the relevance of, please don't jump in with a post to question their motives/mock them. Just wait, and see if someone more knowledgeable answers. I haven't worded myself very well, but I hope my meaning is understood. To recklessly butcher an old saying, if you haven't got anything constructive to add, don't post anything. |
| The Following User Says Thank You to PerryCox For This Useful Post: | mikie64 (16-02-11) |
