#1, 08-06-10, 10:41 PM (Member)
EMM RSA Key in Nagra

OK, I have been disassembling the Chaos firmware (very nice programming BTW) and am currently looking through the routines where the card is passed an EMM and is trying to decrypt it.

The question is, obviously RSA has never been hacked (jesus, it would be the end of the WORLD if it had), so how does any card decrypt the EMM?

Here's a scenario to clarify:

  • Card comes out of the factory and is sent to a customer
  • Customer uses the card, which uses the factory-provided current RSA keys to decrypt EMMs
  • EMM is sent to update the RSA key
  • Customer's card accepts the RSA keys and decrypts future EMMs with this key
  • Repeat....
Now, what happens if the card is removed from the box / the customer turns off the IRD when a new RSA key has been issued? Does the card become unusable because it has missed the latest RSA key and hence cannot decrypt any EMMs?

The reason I ask is that I cannot understand how the funcards have the RSA key to decrypt EMMs. When you create a new funcard, you just burn the Chaos firmware and off you go... how does the funcard catch up on the missed RSA key updates?

Sorry there are so many questions; unfortunately for someone trying to learn the nitty gritty, when googling you just get results from people asking how to burn a funcard.
-- xpn08
#2, 08-06-10, 11:11 PM (TheCoder, Underground Crew Member)
Re: EMM RSA Key in Nagra

Generally, the RSA keys on a card are rarely, if ever, changed. In the UK the only change that ever occurred was the addition of an extra key tier with a new set of keys (the extra 54/5A/5C tiers with key type byte 01).

With each key tier, there were three sets of RSA keys: the global key (same on all cards), the group key (same for a group of 256 cards) and the personal key (unique to one card). Once set, these were never changed.

The RSA keys are obviously used to decrypt EMMs. As far as the Funcards are concerned, the only interesting EMMs are keychange EMMs. These have always been encrypted using the global RSA keyset, so that means the Funcards only really need to know one RSA keyset for the provider they handle.

Note that keychange EMMs do NOT change the RSA keysets. They change the DES keysets that are used to decrypt the ECM messages. It's the ECMs that carry the all-important CWs used to actually decrypt channels.

So, as you can see, it doesn't really matter how long a card is out of the stream. It can always catch up to the latest DES keychange simply by listening to the EMM stream for a few minutes and acting on the keychange EMM.
-- TheCoder
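As an added illustration of the layering described in the reply above (long-lived per-tier EMM keys, a session key delivered by keychange EMMs, control words carried by ECMs under that session key), here is a constructed Python model. It is not Nagra's format, not the Chaos firmware, and not any real conditional-access code: the toy cipher (SHA-256 keystream plus an HMAC tag), the tier names and the message layout are all assumptions made for the example. It shows a card that misses a keychange while unplugged failing on the new ECMs and then catching up from a re-broadcast keychange EMM, and, going one step beyond the post, why a personally addressed EMM key lets a provider revoke a single card without touching the rest of the population.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# --- Toy stand-in for the EMM/ECM cipher (constructed; NOT Nagra's cipher or format) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def seal(key: bytes, data: bytes) -> bytes:
    """nonce || ciphertext || 8-byte HMAC tag, so a wrong key is detected rather than yielding garbage."""
    nonce = os.urandom(8)
    ct = toy_encrypt(key, nonce, data)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    return nonce + ct + tag

def open_(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:8], blob[8:-8], blob[-8:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expect, tag):
        return None                       # tag mismatch: wrong key or corrupted message
    return toy_encrypt(key, nonce, ct)    # XOR keystream is symmetric

@dataclass
class Message:
    kind: str        # "emm_keychange", "emm_revoke" or "ecm"
    address: str     # EMM tier: "global", "group:<n>" or "card:<id>"; "" for ECMs
    key_index: int   # session-key slot the EMM installs / the ECM is encrypted under
    blob: bytes

class HeadEnd:
    """Provider side: owns every tier key and the current session keys."""
    def __init__(self, emm_keys: dict):
        self.emm_keys, self.session_keys = emm_keys, {}

    def rotate_session_key(self, index: int) -> Message:
        self.session_keys[index] = os.urandom(16)
        return self.keychange_emm(index)

    def keychange_emm(self, index: int) -> Message:
        # Keychange EMMs go out under the global tier key, which every card shares,
        # so one message (cycled repeatedly) updates the whole population.
        return Message("emm_keychange", "global", index,
                       seal(self.emm_keys["global"], self.session_keys[index]))

    def ecm(self, index: int, control_word: bytes) -> Message:
        return Message("ecm", "", index, seal(self.session_keys[index], control_word))

    def revoke_emm(self, card_id: str) -> Message:
        # Personal tier: only the one card holding this key can open (and act on) it.
        addr = f"card:{card_id}"
        return Message("emm_revoke", addr, 0, seal(self.emm_keys[addr], b"REVOKE"))

class Card:
    """Subscriber card: personalised with its own subset of the tier keys, never the others'."""
    def __init__(self, card_id: str, group: int, emm_keys: dict):
        self.addresses = {"global", f"group:{group}", f"card:{card_id}"}
        self.emm_keys, self.session_keys, self.revoked = emm_keys, {}, False

    def process(self, msg: Message):
        """Return the control word for an ECM, True for an accepted EMM, None otherwise."""
        if self.revoked:
            return None
        if msg.kind == "ecm":
            key = self.session_keys.get(msg.key_index)
            return open_(key, msg.blob) if key else None   # missed keychange -> no CW
        if msg.address not in self.addresses:
            return None                                     # EMM for another tier/group/card
        plain = open_(self.emm_keys[msg.address], msg.blob)
        if plain is None:
            return None
        if msg.kind == "emm_keychange":
            self.session_keys[msg.key_index] = plain        # install the new session key
            return True
        if msg.kind == "emm_revoke" and plain == b"REVOKE":
            self.revoked = True
            return True
        return None

def run_scenario() -> dict:
    """The unplugged-card question from the thread, plus a per-card revocation."""
    g, grp = os.urandom(16), os.urandom(16)
    personal = {"card:A": os.urandom(16), "card:B": os.urandom(16)}
    head_end = HeadEnd({"global": g, "group:7": grp, **personal})
    card_a = Card("A", 7, {"global": g, "group:7": grp, "card:A": personal["card:A"]})
    card_b = Card("B", 7, {"global": g, "group:7": grp, "card:B": personal["card:B"]})
    cw1, cw2, results = b"CW-0001", b"CW-0002", {}

    emm1 = head_end.rotate_session_key(1)        # both cards online for key slot 1
    card_a.process(emm1); card_b.process(emm1)
    results["both_decrypt_key1"] = (card_a.process(head_end.ecm(1, cw1)) == cw1
                                    and card_b.process(head_end.ecm(1, cw1)) == cw1)

    emm2 = head_end.rotate_session_key(2)        # card B is unplugged and misses this
    card_a.process(emm2)
    results["a_decrypts_key2"] = card_a.process(head_end.ecm(2, cw2)) == cw2
    results["b_fails_key2"] = card_b.process(head_end.ecm(2, cw2)) is None

    card_b.process(head_end.keychange_emm(2))    # head-end cycles the EMM; B catches up
    results["b_recovers"] = card_b.process(head_end.ecm(2, cw2)) == cw2

    revoke = head_end.revoke_emm("B")            # personal-tier EMM: only B can open it
    card_a.process(revoke); card_b.process(revoke)
    results["b_revoked_a_not"] = (card_b.process(head_end.ecm(2, cw2)) is None
                                  and card_a.process(head_end.ecm(2, cw2)) == cw2)
    return results

if __name__ == "__main__":
    print(run_scenario())
```

The availability point is in the third phase: because the tier keys are long-lived and the session key is simply re-sent, an outage costs a card nothing permanent once it sees the next cycled keychange EMM. The fourth phase is the flip side of having a personal tier at all: the provider can address one card and nobody else can even open that message.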
#3, 09-06-10, 12:22 AM (Member)
Re: EMM RSA Key in Nagra

Thanks for the info TheCoder, as always!!

That makes more sense, so I'm guessing the RSA key was found when the Nagra cards were opened up.

The obvious (or maybe not so obvious) question is why doesn't vermin just change the RSA keys? Would this do more harm than good (i.e. affecting legitimate customers as well as funcards)?

TheCoder: It amazes me the amount of knowledge you have in this field. Just what are your resources for learning? As I said, most of the time when searching for technical info, I just get posts from people asking how to burn funcards. I'm not interested in pirating vermin TV, I just love the technology behind it all. I have read through the ISO standards and the StuntGuy FAQ but after that I'm at a dead end (hence disassembling the funcards lol). Have you just built it with experience, or is there any more reading material you could recommend?
-- xpn08
#4, 09-06-10, 12:28 AM (Junior Member)
Re: EMM RSA Key in Nagra

Quote (originally posted by xpn08):
> Thanks for the info TheCoder, as always!!
>
> That makes more sense, so I'm guessing the RSA key was found when the Nagra cards were opened up.
>
> The obvious (or maybe not so obvious) question is why doesn't vermin just change the RSA keys? Would this do more harm than good (i.e. affecting legitimate customers as well as funcards)?
>
> TheCoder: It amazes me the amount of knowledge you have in this field. Just what are your resources for learning? As I said, most of the time when searching for technical info, I just get posts from people asking how to burn funcards. I'm not interested in pirating vermin TV, I just love the technology behind it all. I have read through the ISO standards and the StuntGuy FAQ but after that I'm at a dead end (hence disassembling the funcards lol). Have you just built it with experience, or is there any more reading material you could recommend?
Agreed, the knowledge on this site amazes me, as I was a mere box holder who knew the basics!

P.S. On a lighter note, are you recruiting new brains for VM?
-- toryboy
#5, 09-06-10, 12:30 AM (Member)
Re: EMM RSA Key in Nagra

Lol, nah, I don't think Virgin have brains, just monkeys and typewriters.
-- xpn08
#6, 09-06-10, 01:29 AM (TheCoder, Underground Crew Member)
Re: EMM RSA Key in Nagra

Quote (originally posted by xpn08):
> The obvious (or maybe not so obvious) question is why doesn't vermin just change the RSA keys? Would this do more harm than good (i.e. affecting legitimate customers as well as funcards)?
It would be pretty pointless, as we never used the front-door EMM keys to gain entry to the cards. We logged in through the backdoor (initially) and glitching (later). Whatever they changed the EMM keys to, we would just read them off a card.

It would also cause problems for the provider, bearing in mind your initial question about cards maybe being unplugged for a period. Those could no longer update after any changeover period.

It would create some chaos (pun intended) with funcards of course, as someone would have to incorporate the new keys, and as that involves some interesting maths (the funcards don't use the EMM keys directly; they use a mathematical construct called a pre-calc which drastically reduces the processing required for 512-bit powermod maths), someone would have to know how to derive those pre-calcs.
-- TheCoder