N3 Project - help required

[u-boat]

Hi, I'm part of a team of cryptologists working to crack N3 (for educational purposes). We've developed some sofware (a data logger) to record hex info from an N3 feed. We can then analyse this feed and profile data from it. We believe the pattern and relational data from the feed will hold valuable clues as to the deeply encrypted keys and ciphers and help us with the hacking process.

We're using the usb ex100 from Eurovox as the test bed and need some volunteers in N3 areas to load some hacked ex100usb firmware (with the data logger included on it). The volunteers in confidence and annonymously would then dump data (a bit like the channel data dump) from the new 'feed dump' menu, at periodic times. This data would be then uploaded to an anonymous email.

We appreciate there are loads of Hoax on the net for N3 cracking. As such, we are prepared to do a validity exercise whereby if a senior forum member wants to point us to provide us with some firmware, we are prepared to hack it and put a personal message/text of the senior member's choice on the firmware to prove our hacking skills. We would then appreciate it if that senior member could validate the firmware on the forum.

We're posting here as we need ex100 testers.

thx

U-boat team

[smoggy]

you picked the wrong user name BANANA BOAT would have been more applicable

[TheCoder]

Quote:

Originally Posted by u-boat

Hi, I'm part of a team of cryptologists working to crack N3 (for educational purposes). We've developed some sofware (a data logger) to record hex info from an N3 feed. We can then analyse this feed and profile data from it. We believe the pattern and relational data from the feed will hold valuable clues as to the deeply encrypted keys and ciphers and help us with the hacking process.......

No digital smarcard cryptography has ever been broken in any signiicant way (some early DES was decrypted by brute force but not in real time) so your chances of getting anywhere by data analysis of logs is effectively NIL !

The algorithms used are especially designed to be analysis resistant as they all packet fill with random data. The algorithms are derivatives of RSA-1024 with a sub-level encryption of probably IDEA (although it may be tripleDES or AES)

Basically, your wasting your time with this persuit. Forget the cryptography and analyse the actual card hardware. If there are any faults, thats where you will find them.

[TechWreck]

Quote:

Originally Posted by u-boat

Hi, I'm part of a team of cryptologists working to crack N3 (for educational purposes). We've developed some sofware (a data logger) to record hex info from an N3 feed. We can then analyse this feed and profile data from it. We believe the pattern and relational data from the feed will hold valuable clues as to the deeply encrypted keys and ciphers and help us with the hacking process.

We're using the usb ex100 from Eurovox as the test bed and need some volunteers in N3 areas to load some hacked ex100usb firmware (with the data logger included on it). The volunteers in confidence and annonymously would then dump data (a bit like the channel data dump) from the new 'feed dump' menu, at periodic times. This data would be then uploaded to an anonymous email.

We appreciate there are loads of Hoax on the net for N3 cracking. As such, we are prepared to do a validity exercise whereby if a senior forum member wants to point us to provide us with some firmware, we are prepared to hack it and put a personal message/text of the senior member's choice on the firmware to prove our hacking skills. We would then appreciate it if that senior member could validate the firmware on the forum.

We're posting here as we need ex100 testers.

thx

U-boat team

DAS BOOT !! "fire torpedo 1" ......"torpedo 1 away captain !!" lol

I think we are all sunk !

[River-Rat]

werid, again to do with voxes, like that post about the person from spain

[SunRise]

I think the U-Boat team is on a sinking ship tbh.

Apart from what TheCoder has quoted, I cannot see anybody who is intelligent enough to disassembled & edit a EuroVox firmware been dumb enough to believe that they could crack the encryption by analysing the encrypted incoming data and not the card that contains the algo's and keys to decrypt them.

In addition, why would you need to adapt the EuroVox hardware to get hex data from the stream? A cheap DVB-C card would be both cheaper/easier that reverse engineering and rewriting a closed source firmware.

Finally why would they need testers to log static data that is broadcast to every feed - they would only get everybody submitting the same information (the same encrypted EMM's, the same encrypted ECM's...)

Sorry but this IS another hoax.

Don't waste your time on this.

[u-boat]

Can a moderator close this thread, we have some testers now.

Underground Crew...

The block cipher on the feed is a very basic (DES) encryption. It takes a block of the plaintext and the key as inputs, and applies several alternating layers of substitution boxes (S-boxes) and permutation boxes (P-boxes) to produce the cipher text block. This makes the feed open to an integral cryptanalytical attack (similar to the ‘square attack’ used on the Square block cipher).

As you say, the feed isn’t the important bit (hence the relatively basic encryption). However, a full hack of the feed will give a complete understanding of what is being fed into the heavy encryption on the card. This then opens up options for a strategic brute force attack on the card or even give some cryptanalytical data for hacking the card.

The purpose of multiple testers is that our work/research so far suggests that N3 is regionalised operating slightly different versions of its encryption in different areas. This is probably the real reason for VM’s staged regional roll out, rather than the publically assumed reason that it is due to logistics. The purpose of regionalised variations of the block ciphers is if the N3 encryption is compromised, it is likely that just one area will be affected and thus buys time to secure the network again.

The purpose of Vox usb is because of the simple usb dump feature and ease of use for testers and gathering of data. Our data logger carries more than just jumbled hex.

If we can hack the feed and have the data for each area we may be in a position to have a go at the card. Any team trying to reverse engineer the card has got no chance without knowing what it is being fed.

[marky_811]

the eurovox ex1000 has not got a usb its the ex1100 that has this port

[TheCoder]

Quote:

Originally Posted by u-boat

Underground Crew...

The block cipher on the feed is a very basic (DES) encryption. It takes a block of the plaintext and the key as inputs, and applies several alternating layers of substitution boxes (S-boxes) and permutation boxes (P-boxes) to produce the cipher text block. This makes the feed open to an integral cryptanalytical attack (similar to the ‘square attack’ used on the Square block cipher).

Not sure what you mean here !

The CSA algorithm certainly isn't DES and as its keys change every 8 seconds theres no amount of data analysis going to crack it by brute force in any reasonable timeframe.

The cards themselves dont use DES and haven't since the rather clumsy EDES of the original N1 cards. These days, all Kudelski card based encryption uses public key RSA with a secondary symetric cypher (Usually IDEA, AES or 3DES). You wont be breaking that - ever !

Quote:

The purpose of multiple testers is that our work/research so far suggests that N3 is regionalised operating slightly different versions of its encryption in different areas. This is probably the real reason for VM’s staged regional roll out, rather than the publically assumed reason that it is due to logistics. The purpose of regionalised variations of the block ciphers is if the N3 encryption is compromised, it is likely that just one area will be affected and thus buys time to secure the network again

So far, its the same everywhere that its been rolled out in the UK.

Quote:

If we can hack the feed and have the data for each area we may be in a position to have a go at the card. Any team trying to reverse engineer the card has got no chance without knowing what it is being fed.

Whats been fed into the card is already pretty much known. Apart from encryption changes to the EMM/ECM stream its pretty much identical to what was fed into N2 cards. Its still the same old EMM/ECM datastreams with the output being RSA/IDEA encrypted to a shared session key (changed every couple hours at the request of the card).

[SunRise]

Quote:

Originally Posted by u-boat

Can a moderator close this thread, we have some testers now.

Underground Crew...

The block cipher on the feed is a very basic (DES) encryption. It takes a block of the plaintext and the key as inputs, and applies several alternating layers of substitution boxes (S-boxes) and permutation boxes (P-boxes) to produce the cipher text block. This makes the feed open to an integral cryptanalytical attack (similar to the ‘square attack’ used on the Square block cipher).

As you say, the feed isn’t the important bit (hence the relatively basic encryption). However, a full hack of the feed will give a complete understanding of what is being fed into the heavy encryption on the card. This then opens up options for a strategic brute force attack on the card or even give some cryptanalytical data for hacking the card.

The purpose of multiple testers is that our work/research so far suggests that N3 is regionalised operating slightly different versions of its encryption in different areas. This is probably the real reason for VM’s staged regional roll out, rather than the publically assumed reason that it is due to logistics. The purpose of regionalised variations of the block ciphers is if the N3 encryption is compromised, it is likely that just one area will be affected and thus buys time to secure the network again.

The purpose of Vox usb is because of the simple usb dump feature and ease of use for testers and gathering of data. Our data logger carries more than just jumbled hex.

If we can hack the feed and have the data for each area we may be in a position to have a go at the card. Any team trying to reverse engineer the card has got no chance without knowing what it is being fed.

Whatever your smoking, you should stop - it's bad for you.

Affecting the brain cells.

You don't have to explain what DES is to me ... but I will point out it plays no part in this.

ECM data comes in in standard format - pre encrypted. The firmware extracts this by removing any DVB header and sticking on a nagra header / LRC and this is sent to the card as a command. The reply back is read by another command (1C) and is a IDEA key encrypted version of the control words. All of this is standard for Nagra3.

At no point does DES come into the picture.

As TheCoder pointed out, the CSA algo is not DES - and at no point on N3 does DES come into play - unless it's used for some stage inside the card, which I guess is unlikely due to it's weaker nature.

N3 is not regional - The roll out by region is for several factors, including not cocking the whole network up at once, equipment upgrades, logistical...

Your posts are all fake crap - I suspect you are the same idiot that quoted about the splitter+EuroVox and extra "missing" card. Deffo smells like the same flavour of manure.