Nagra 3 exploit using a blocker.

Mr_Spark

Newbie
Now firstly, this does work; however, it's not a reverse engineering of the ROM:

Anyone considered this?

When we cancel a subscription, VM sends a CMD#04 out to turn our card off; now how about we block just that cmd?

We could alter the Spanish code fairly easily and use an AVR 8515 card similar to:

Tarjeta Universal THT v1.4 (AVR8)

Using this as the logger that filters to our card and allows the rest of the data to flow (although we don't know what the rest do without the encryption key) will keep our card alive.

Or we could use a Dreambox and disable CMD#04 in the CAM; this way we need pairing details.

Now this will work, and I guess when we do this we are watching free TV without dirty c/s.

Where we fall down is that tiers will probably expire (time unknown, but I guess, and it's only a guess, a few months).

A bit of food for thought ....

S
 
Mr_Spark, great to see thoughts other than dirty c/s. Could this be used with the itgate box also?
 
Mr_Spark, you are too technical for me lol, trying to understand what you wrote; you sound like a tech guru :)
 
Mr_Spark, great to see thoughts other than dirty c/s. Could this be used with the itgate box also?

Yes, in theory, using the card slot, the Linux could be altered to use the CAM with a blocked CMD#04, but you would need the DT08 etc. to code up.

S
 
Thinking outside the box is what is going to get around this thing that is Nagra 3. I like your thinking, Mr. Sparks (y)
 
I always enjoy reading Mr Sparks' comments on here, very technical and straight to the point; I'm glad you share your intelligence with us :)
 
I always enjoy reading Mr Sparks' comments on here, very technical and straight to the point; I'm glad you share your intelligence with us :)

We have to understand that what we are doing here is an avenue of interest, and with a softcam we can fairly easily block any CMD we want; the work has already been done overseas in underground places. Of course it works (allegedly), and I realise there is little chance of a really major breakthrough; we can assume with a bit of confidence that the new codespace tier structure will be identical to other flavours of Nagra. But let's see how long it lasts. It's kind of old skool to be not subscribing, not using card share and watching TV on a standard VM box or softcam alternative.

When we look at the cards, I am sure we all realise that N1 was indeed compromised with info gained from a dump/file in Spain (when you look back it's amazing how long the UK took to realise we could use all their tools). As for the Nipper login used in various bits of code like Nagra Edit; yes, without a dump how did we know? Lots of theories of things reverse engineered by other parties and leaked...

From what I can see, other avenues of a "real" hack look at dumping the N3 card; we know from other places that we can fault the CAM; however, we all realise that the RAM protection, and indeed the timing of code execution along with encryption keys we have no idea about, make things ahem - challenging! I truly believe that we are not going to hack N3 without serious equipment in a LAB environment. We can't write anything to the card, let alone know any addressing, until this is done; this requires breaking the ROM down structure by structure, gate by gate, to reverse engineer the code.

To coin a phrase, we need the key(s), and yes, blocking a cmd to turn off our card works (but for how long?); but all we are doing is taking a large bat and pitching the CMD#04 away from the card – very novice and very blunt. I realised a long time ago that I am, in the haxing world, wet behind the ears and a complete novice.

S
 

Is it me or is that typing in invisible ink? lol
 
Are you aware of the ProgSkeet, Mr_Spark, and is it of any use? I still have the original boxes which I was given when I took out my service; they weren't changed, only the cards were changed. I don't get the sports or movies, just everything else. I'm just wondering, could the ProgSkeet be used to garner some information from the box itself as to how it handles the card?
Very much a novice here too.
 
Is it me or is that typing in invisible ink?

We just don't want you to know we are talking about you leemoolol. I imagine what happened is that your skin has the same colour as Sparks' text; just highlight it as if you were going to copy and paste it (y)
 
Interesting - this is still working without any top tier loss; has Kudelski messed up with N3 and not realised this could be done, and left a gaping hole? :-)
 
Interesting - this is still working without any top tier loss; has Kudelski messed up with N3 and not realised this could be done, and left a gaping hole? :-)

I see you're hard at work, Mr Sparks; any sparks flying at the moment regarding Nagra 3 lol?
 
I see you're hard at work, Mr Sparks; any sparks flying at the moment regarding Nagra 3 lol?

I think we have found at least a hole - I am (allegedly) watching TV on a VM box and Dreambox without cardshare - like old times lol...

I have had a few PMs about this; any questions, please post on the open forum, then anyone can join in or input an answer.

This is still working with no loss of channels, so tiers are obviously still all OK.

I have also learnt that we probably do not have any key changes on N3 (at the moment).

S
 
I think we have found at least a hole - I am (allegedly) watching TV on a VM box and Dreambox without cardshare - like old times lol...

Does it work on any other boxes? Which VM box do you have? And how did you get it to work? I'd love to enjoy it while it lasts lol
 
Does it work on any other boxes?

Yes, of course, any box that will take a ROM; most boxes are the same, be it the quality of components, and all but the odd one are Linux based with fairly portable code. With a VM box we need to filter the ROM with an inline device like the one I pointed out. Any other box just needs CMD#04 blocking in the CAM/code for that particular box; OK, if the box does not have source code for using a ROM it's going to be more difficult, but not that hard.

S
 
This will probably annoy you, but please forgive me - can you explain that in layman's terms? lol

So the old Starview boxes that went off, can they be activated somehow, or the old Virgin Media silver box?
 