Professional Documents
Culture Documents
237280AAB36BE4B21FC71FBF08218E532A545E744D7B007FF8
69BA426831C4AC653F3825ADE9358FCD1F0239EC447CBC2765
CC0AEBE437AF2270FC461C2FA042
Ird N =
879B352F2044749A3010132F89576633743F729264485A7039
328B98D88E02528EB7F7E33BA0ACC31EE101A57521BA9CE3B0
4E847AB7AE21C6DEF2CA394BEDB1
The Ird, N1, N2, Ideakey exist in the tsop.
Ird E = 3
Ird D = UKNOWN, this is the reason you can't create your own dt08 without changing the N1/N2
on the tsop, you must know Ird D.
DT08 (0A) = IdeaEncrypt(CamN/Ird#/Boxkey/Idea Signature,Ird_Ideakey) ^ D mod Ird N.
Ird requests DT08.
Card sends back the dt08 (0a)
Ird decrypts the dt08.
Decrypted dt08 = IdeaDecrypt(DT08,Ird_IdeaKey) ^ 3 mod Ird N.
It checks the ird # and boxkeys in the Decrypted 08 if they match what is on ird,
it stores the Cam N in the decrypted 08 in ird memmory.
If Using Secondary Key (SK) on the Ird.
Ird checks for SK exists on the ird, if it does, the dt08 will never be requested/ignored from the
card.
Ird validates the SK with idea signature in the SK (using IIIIIIII101924314051647990A9C4E1
where I = irdnumber).
Ird takes the Cam N in the SK and puts it in ird memmory
Note : Cam N is not even encrypted in the sk, very weak method compared to dt08.
Later, establish session key (0C datatype on the card):
Ird requests 2a data from card.
Random 2a is sent from card to ird.
Ird performs some Idea signing (leave it to you to look up 2a/2b routines)
Ird comes up with session key from the 2a message sent from Cam.
Ird encrypts the session key with rsa.
Encrypted 2B = (2B data with 16 byte session idea key) ^ 3 mod Cam N.
Sends encrypted data back to card in 2b message.
Cam decrypts 2B with Cam N, Cam D. Decrypted 2B = (Encrypted 2B) ^ Cam D mod Cam N.
If valid, store session key in ram and on card for later use.
This all happens as ird boots.
When you select a channel.
Ird sends Cmd 07 ECM message with control words encrypted.
Cam decrypts the control words rencrypts them with Idea encryption using the session key
established above.
The ird then requests the control words.
The Cam sends them back in the 1C response.
The ird decrypts the control words with with Idea encryption using the session key established
above.
Sends the control words to the mpeg decoder.
8 seconds of video.
Repeat 07/1C process over and over.
This is all done from memmory, excuse any oversites/exclusions/errors.
Not exhaustive on each step by any means, just a quick overview.