Nagra 3 exploit using a blocker.

Mr_Spark,great to see thoughts other than dirty c/s,could this be used with the itgate box also

Mr_Spark you are too technical for me trying to understand what you wrote, you sound like a tech guru

Originally Posted by sinno

Mr_Spark,great to see thoughts other than dirty c/s,could this be used with the itgate box also

Yes in theory using the card slot the Linux could be altered to use the CAM with a blocked CMD#04 but you would beed the DT08 etc to code up.

S

Appreciate the info and will enjoy researching it

Thinking outside the box is what is going to get around this thing that is nagra 3. I like your thinking Mr. Sparks

i always enjoy reading mr sparks comments on here, very technical and straight to the point, im glad you share your intelligence with us

Originally Posted by j4v3d

i always enjoy reading mr sparks comments on here, very technical and straight to the point, im glad you share your intelligence with us

We have to understand that what we are doing here is an avenue of interest and with a softcam we can fairly easily block any CMD we want; the work as already been done overseas in underground places. Of course it works (allegedly) and I realise there is little chance of a really major breakthrough; we can assume with a bit of confidence that the new codespace tier structure will be identical to other flavours of Nagra. But let`s see how long it lasts . Its kind of ols skool to be not subscribing, not using card share and watching TV on a standard VM box or soft cam alternative.

When we look at the cards I am sure we all realise that N1 was indeed compromised with info gained from a dump/file in Spain (when you look back it`s amazing how long the UK took to realise we could use all there tools ). As for the Nipper login used in various bits of code like Nagra Edit; yes without a dump how did we know ? Lots of theories of things reverse engineered by other parties and leaked...

From what I can see, other avenues of a “real” hack look @ dumping the N3 card; we know from other places that we can fault the CAM; however we all realise that the RAM protection and indeed timing of code exe along with encryption keys we have no idea about, make things ahem - challenging! I truly believe that we are not going to hack N3 without serious equipment in a LAB environment. We can`t write anything to the card let alone know any addressing until this is done; this requires breaking the ROM down structure by structure, gate by gate to reverse engineer the code.

To coin a phrase we need the key(s) and yes blocking a cmd to turn off our card works ( but for how long ? ); but all we are doing is taking a large bat and pitching the cmd#04 away from the card – Very novice and very blunt. I realised a long time ago that I am in the haxing world wet behind the ears and a complete novice.

S

Originally Posted by Mr_Spark

We have to understand that what we are doing here is an avenue of interest and with a softcam we can fairly easily block any CMD we want; the work as already been done overseas in underground places. Of course it works (allegedly) and I realise there is little chance of a really major breakthrough; we can assume with a bit of confidence that the new codespace tier structure will be identical to other flavours of Nagra. But let`s see how long it lasts . Its kind of ols skool to be not subscribing, not using card share and watching TV on a standard VM box or soft cam alternative.

When we look at the cards I am sure we all realise that N1 was indeed compromised with info gained from a dump/file in Spain (when you look back it`s amazing how long the UK took to realise we could use all there tools ). As for the Nipper login used in various bits of code like Nagra Edit; yes without a dump how did we know ? Lots of theories of things reverse engineered by other parties and leaked...

From what I can see, other avenues of a “real” hack look @ dumping the N3 card; we know from other places that we can fault the CAM; however we all realise that the RAM protection and indeed timing of code exe along with encryption keys we have no idea about, make things ahem - challenging! I truly believe that we are not going to hack N3 without serious equipment in a LAB environment. We can`t write anything to the card let alone know any addressing until this is done; this requires breaking the ROM down structure by structure, gate by gate to reverse engineer the code.

To coin a phrase we need the key(s) and yes blocking a cmd to turn off our card works ( but for how long ? ); but all we are doing is taking a large bat and pitching the cmd#04 away from the card – Very novice and very blunt. I realised a long time ago that I am in the haxing world wet behind the ears and a complete novice.

S

Is it me or is that typing in invisible ink?

Are you aware of the ProgSkeet Mr_Spark and is it of any use,i still have the original boxes which i was given when i took out my service,they were'nt changed only the cards were changed,i dont get the sports or movies just everything else,im just wondering could the Progskeet be used to garner some information from the box itself as to how it handles the card
Very much a novice here to

Originally Posted by sinno

Are you aware of the ProgSkeet Mr_Spark

Good idea but I am afraid it can flash prog but its of little use with Nagra.

Originally Posted by leemoo

Is it me or is that typing in invisible ink?

we just don't want you to know we are talking about you leemoo I imagine what happened is that your skin has the same colour as Sparks' text, just highlight it as if you were going to copy and paste it

Interesting - this is still working without any top tier loss; has kudelski messed up with N3 and not realised this could be done and left a gaping hole :-)

Originally Posted by Mr_Spark

Interesting - this is still working without any top tier loss; has kudelski messed up with N3 and not realised this could be done and left a gaping hole :-)

i see your hard at work Mr Sparks, any sparks flying at the moment regarding nagra 3 ?

Originally Posted by j4v3d

i see your hard at work Mr Sparks, any sparks flying at the moment regarding nagra 3 ?

I think we have found at least a hole - I am ( allegedly ) watching TV on a VM box and Dreambox without cardshare - like old times ...

Originally Posted by Mr_Spark

I think we have found at least a hole - I am ( allegedly ) watching TV on a VM box and Dreambox without cardshare - like old times ...

Sounds like a very large hole in Nagra 3 Mr_Spark one i hope to exploit myself

I have had a few PM`s about this; any questions please on open forum then anyone can join in or input answer.

This is still working with no loss of channels - so tiers are obv still all ok.

I have also learnt that we probably do not have any keychanges on N3 (at the moment)

S

Originally Posted by Mr_Spark

I think we have found at least a hole - I am ( allegedly ) watching TV on a VM box and Dreambox without cardshare - like old times ...

does it work on any other boxes? which VM box do you have? and how did you get it to work? i'd love to enjoy it while it lasts

Originally Posted by j4v3d

does it work on any other boxes?

Yes of course, any box that wil take a ROM; most boxes are the same be it the quality of components and all but the odd one are LINUX based with fairly portable code. With a VM box we need to filter the ROM with an inline device like the 1 I pointed out. Any oher box just needs CMD#4 blocking in the CAM/Code for that particular box; ok if the box does not have source code for using a ROM its going to be more difficult but not that hard.

S

this will probably annoy you but please forgive me - can you explain that in layman terms?

so the old starview boxes that went off - can they be activated somehow or the old virgin media silver box?