
Nagra 3 exploit using a blocker.


  1. #1
    Mr_Spark

    Now firstly this does work; however, it's not a reverse engineering of the ROM:

    Anyone considered this?

    When we cancel a subscription VM sends a CMD#04 out to turn our card off; now how about we block just that cmd?

    We could alter the Spanish code fairly easily and use an AVR 8515 card similar to:

    Tarjeta Universal THT v1.4 ( AVR8)

    Using this as the logger that filters to our card and allows the rest of the data flow (although we don't know what the rest do without the encryption key) will keep our card alive.

    Or we could use a Dreambox and disable cmd#04 in the CAM - this way we need pairing details.

    Now this will work and I guess when we do this we are watching free TV without dirty c/s.

    Where we fall down is that tiers will probably expire (time unknown, but I guess, and it's only a guess, a few months).

    A bit of food for thought ....

    S


  3. #2
    sinno

    Mr_Spark, great to see thoughts other than dirty c/s. Could this be used with the itgate box also?
    Sin:no
    Software is like sex, it's better when it's free. - Linus Torvalds

  4. #3
    j4v3d

    Mr_Spark, you are too technical for me trying to understand what you wrote; you sound like a tech guru.

  5. #4
    Mr_Spark

    Originally posted by sinno:
    Mr_Spark, great to see thoughts other than dirty c/s. Could this be used with the itgate box also?

    Yes, in theory using the card slot the Linux could be altered to use the CAM with a blocked CMD#04, but you would need the DT08 etc to code up.

    S

  7. #5
    sinno

    Appreciate the info and will enjoy researching it
    Sin:no

  8. #6
    wheelo

    Thinking outside the box is what is going to get around this thing that is Nagra 3. I like your thinking, Mr. Sparks.

  9. #7
    j4v3d

    I always enjoy reading Mr Spark's comments on here, very technical and straight to the point. I'm glad you share your intelligence with us.

  10. #8
    Mr_Spark

    Originally posted by j4v3d:
    I always enjoy reading Mr Spark's comments on here, very technical and straight to the point. I'm glad you share your intelligence with us.

    We have to understand that what we are doing here is an avenue of interest and with a softcam we can fairly easily block any CMD we want; the work has already been done overseas in underground places. Of course it works (allegedly) and I realise there is little chance of a really major breakthrough; we can assume with a bit of confidence that the new codespace tier structure will be identical to other flavours of Nagra. But let's see how long it lasts. It's kind of old skool to be not subscribing, not using card share and watching TV on a standard VM box or soft cam alternative.

    When we look at the cards I am sure we all realise that N1 was indeed compromised with info gained from a dump/file in Spain (when you look back it's amazing how long the UK took to realise we could use all their tools). As for the Nipper login used in various bits of code like Nagra Edit; yes, without a dump how did we know? Lots of theories of things reverse engineered by other parties and leaked...

    From what I can see, other avenues of a “real” hack look at dumping the N3 card; we know from other places that we can fault the CAM; however we all realise that the RAM protection and indeed timing of code exe, along with encryption keys we have no idea about, make things ahem - challenging! I truly believe that we are not going to hack N3 without serious equipment in a LAB environment. We can't write anything to the card, let alone know any addressing, until this is done; this requires breaking the ROM down structure by structure, gate by gate to reverse engineer the code.

    To coin a phrase we need the key(s), and yes, blocking a cmd to turn off our card works (but for how long?); but all we are doing is taking a large bat and pitching the cmd#04 away from the card – very novice and very blunt. I realised a long time ago that I am in the haxing world wet behind the ears and a complete novice.

    S
    Last edited by Mr_Spark; 25-10-2011 at 02:58 PM.
    To trade what others give for free is true evil

  12. #9
    leemoo

    Originally posted by Mr_Spark: [post #8 above, quoted in full]

    Is it me or is that typing in invisible ink?

  13. #10
    sinno

    Are you aware of the ProgSkeet, Mr_Spark, and is it of any use? I still have the original boxes which I was given when I took out my service; they weren't changed, only the cards were changed. I don't get the sports or movies, just everything else. I'm just wondering, could the ProgSkeet be used to garner some information from the box itself as to how it handles the card?
    Very much a novice here too.
    Sin:no

 

 