Just for learning and educational purposes only, not decoding NDS!!!
First of all:
The card is always asked by the ICAM to receive or send information. The card never asks the ICAM to do anything! To do this the ICAM always sends a 5-byte command packet header to the card.
Example: 48 INS P1 P2 P3
The first byte is always 48 (command class) followed by the instruction number. The last 3 bytes are the parameters. P1 and P2 are used differently and are often ignored. P3 is the length of the data to be sent or expected to be received. The card's first reply byte is the instruction number, which is a vital value for the ICAM. These instruction numbers are possibly contained in a jump table in the ICAM's code, leading to a specific offset where processing continues.
The Answer To Reset (ATR):
3F 7F 13 25 03 40 B0 0B 69 4C 4A 50 C0 00 00 53 59 00 00 00
3F TS - "3F" indicates inverse convention ("3B" would be direct convention)
7F T0 - "7" (0111...) indicates TA1, TB1, TC1 will be sent; "F" (...1111) indicates that 15 historical bytes will be sent.
13 TA1
25 TB1
03 TC1
40 B0 0B 69 4C 4A 50 C0 00 00 53 59 00 00 00 the 15 historical bytes
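As an added example (not part of the original post), a small ISO 7816-3 ATR parser applied to the ATR above; it walks the general TA/TB/TC/TD chain and verifies TCK, so it goes beyond the TA1/TB1/TC1-only layout shown here.

```python
# Added example, not from the original post: ISO 7816-3 ATR parser applied to
# the ATR quoted above. It walks the full TA/TB/TC/TD chain and checks TCK.

ATR_HEX = "3F 7F 13 25 03 40 B0 0B 69 4C 4A 50 C0 00 00 53 59 00 00 00"

def parse_atr(atr):
    """Split an ATR into convention, interface bytes, protocols, history, TCK."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad or missing TS byte")
    convention = "direct" if atr[0] == 0x3B else "inverse"
    t0 = atr[1]
    n_hist, y = t0 & 0x0F, t0 >> 4       # low nibble: history length, high: Y1
    pos, i, interface, protocols = 2, 1, {}, set()
    while y:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface["%s%d" % (name, i)] = atr[pos]
                pos += 1
        td = interface.get("TD%d" % i)
        if td is None:
            break                         # no TDi: the chain ends here
        protocols.add(td & 0x0F)          # low nibble of TDi names a protocol
        y, i = td >> 4, i + 1             # high nibble announces the next group
    if not protocols:
        protocols.add(0)                  # no TD1 at all means T=0 only
    hist = bytes(atr[pos:pos + n_hist])
    if len(hist) != n_hist:
        raise ValueError("ATR truncated in historical bytes")
    pos += n_hist
    tck = None
    if protocols != {0}:                  # TCK present unless T=0 is the only protocol
        if pos >= len(atr):
            raise ValueError("TCK missing")
        tck, xor = atr[pos], 0
        for b in atr[1:pos + 1]:          # T0 .. TCK inclusive must XOR to zero
            xor ^= b
        if xor:
            raise ValueError("TCK check failed")
        pos += 1
    if pos != len(atr):
        raise ValueError("%d trailing byte(s) after ATR" % (len(atr) - pos))
    return {"convention": convention, "interface": interface,
            "protocols": sorted(protocols), "historical": hist, "tck": tck}

if __name__ == "__main__":
    print(parse_atr(bytes.fromhex(ATR_HEX)))
```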
1. On start up we get 48 52 00 00 14. This asks the card for 14h bytes.
>48 52 00 00 14
<52 card replies command for ICAM
<SN SN SN SN card SN (unique address)
<00 A status byte?
<01 19 11 00 0C 09 00 01 02 03 04 10 01 00 00 always the same?
<90 00 sw1/sw2
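As an added example (not part of the original post), a parser for the ">header / <reply" notation used on this page that checks the framing described above: a 5-byte header 48 INS P1 P2 P3, the INS echo as the first reply byte, exactly P3 data bytes (sent by the ICAM or returned by the card) and SW1 SW2 last. Both transcripts in the block are constructed; the SN and IN placeholders are replaced by made-up bytes.

```python
# Added example, not from the original post: parse one ICAM<->card exchange in
# the '>'/'<' notation of this page and check its framing (48 INS P1 P2 P3
# header, INS echo, P3 data bytes, SW1 SW2). Transcripts are constructed; the
# SN / IN placeholders are replaced by made-up bytes 11 22 33 44 / AA BB CC DD.

INS52_EXCHANGE = """
>48 52 00 00 14
<52
<11 22 33 44
<00
<01 19 11 00 0C 09 00 01 02 03 04 10 01 00 00
<90 00
"""

INS4C_EXCHANGE = """
>48 4C 00 00 09
<4C
>AA BB CC DD
>02 00 00 D8 02
<90 20
"""

MARRIAGE_SW = {  # INS 4C status words as listed on this page
    (0x90, 0x20): "correctly married", (0x90, 0x00): "not this box",
    (0x90, 0xA1): "marriage completed"}

def parse_exchange(text):
    header, sent, reply = None, [], []
    for line in text.strip().splitlines():
        payload = list(bytes.fromhex(line[1:]))
        if line[0] == "<":
            reply += payload
        elif header is None:
            header = payload                  # first '>' line is the header
        else:
            sent += payload                   # later '>' lines: data to the card
    if header is None or len(header) != 5 or header[0] != 0x48:
        raise ValueError("expected a 5-byte header with class byte 48")
    ins, p1, p2, p3 = header[1:]
    if len(reply) < 3 or reply[0] != ins:
        raise ValueError("reply must start with the INS echo and end with SW1 SW2")
    sw = tuple(reply[-2:])
    data = bytes(sent) if sent else bytes(reply[1:-2])
    if sent and len(reply) != 3:
        raise ValueError("card returned data on a send command")
    if len(data) != p3:
        raise ValueError("P3=%02Xh but %d data bytes" % (p3, len(data)))
    return {"ins": ins, "p1": p1, "p2": p2, "p3": p3, "data": data, "sw": sw,
            "direction": "to card" if sent else "from card",
            "meaning": MARRIAGE_SW.get(sw) if ins == 0x4C else None}
```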
2. The next cmd is 48 58 00 00 35. This asks the card for 35h bytes.
>48 58 00 00 35
<58 card replies command for ICAM
<00 fuse byte (see below)
<01 09 60 always the same
<00 SN SN SN card SN (unique address)
<ff ff ff ff unknown
<00 SN SN three bytes of card number (shared address)
<00 ff ff ff 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 unknown
<00 xx xx xx was written with the 4e nano on activation
<47 42 52 "GBR" on British cards only
<00 01 00 00 unknown
<03 RC specific region code for local programming. See later under INS1C
<00 00 00 00 unknown
<90 00 sw1/sw2
The fuse byte indicates whether the card is virgin, married, active or deactivated. The fuse byte is set during the initial activation, possibly with the 3d nano.
00 - Virgin
05 - Married/FTV only?
20 - Virgin/??
24 - Married/Deactivated?
25 - Married/Activated
3. The IRD then asks to send 09 bytes with 48 4C 00 00 09
>48 4C 00 00 09
<4C card replies command for ICAM
>IN IN IN IN IRD Serial Number
>02 00 00 D8 02 unknown
<90 20 correctly married
If the card belongs to this box it replies 90 20 (OK).
If the card does not belong to this box it replies 90 00 (Not OK).
If the card has the fuse byte set but is previously unmarried, this command writes the IRD number to the card, thereby completing the marriage (sw1/2 = 90 a1). If the card is deactivated and this command arrives, the IRD Serial Number is written to the card's EEPROM too (sw1/2 = 90 20).
If the IRD number is set to 00 00 00 00 it will be accepted by any box, e.g. an engineer's card.
The card must receive the correct IRD number before it will give valid responses to ECMs and EMMs.
4. The card is then asked for 09 bytes with 48 2C 00 00 09.
>48 2C 00 00 09
<2C card replies command for ICAM
<00 00 convert to HEX and then add 8000h - this is your PIN
<XX XX 00 00 on active card: FF FF 00 00, on deactivated card: 00 00 00 00
<00 Parental Control Byte (PCB) - see below
<00 00 unknown
<90 20 sw1/sw2
The PIN can be changed using command 48 2E 80 00 09.
5. Next we have an often repeated cmd 48 5C 00 00 04. The ICAM asks the card for 04 bytes.
>48 5C 00 00 04
<5C card replies command for ICAM
<00 00 00 00 always zero, except during the activation process
<90 20
The command flushes a buffer containing the 7E nano. So don't issue INS5C if you haven't already asked for the key (issued INS54) after sending an ECM to the card. You would get a totally wrong key.
6. Next comes 48 1C 00 00 20. This asks the card for 20h bytes.
>48 1C 00 00 20
<1C card replies command for ICAM
<47 42 52 "GBR" (47 42 52) = British cards, "IRL" (49 52 4C) = Irish cards
<XX Region code (01=England, 02=Scotland, (04=Ireland?), 08=Wales, 10=Northern Ireland)
<00 00 00 00 00 00 00 00 00 00 00 00 00 00 unknown
<01 XX XX 00 00 00 00 X0 XX 00 08 00 03 RC was written with the 75 0F nano on initial activation, zero on virgin cards
<90 20 OK
The fourth byte XX is the Country Code.
Values seen: 01, 02, 08, 10 and 1b. This byte is a specific country code related to the Postal Code.
01 is for all English postcodes.
02 is for Scottish postcodes AB, DD, DG, EH, FK, G, HS, IV, KY, KA, KW, ML, PA, PH, TD, ZE.
08 is for Welsh postcodes CF, CH, DY, HR, LL, LD, NP, SA, SY, WR.
10 is for Northern Ireland postcode - BT.
1b is associated with "Postal Code" "UKxx". Is this another region or class of card?
The "GBR XX" is sent with the 75_13 nano to specify a country. It is sent by addressing the card via its postal code address.
03 RC is the Local Regional code. This is used for local BBC and ITV regional programming. It is written with 75 0f nano on initial activation.
03 01 is London
03 02 is Anglia
03 08 is Yorkshire
03 09 is Meridian
03 0D is Tyne-Tees
03 14 is Carlton Central, etc.
Some postcodes that lie in marginal areas between terrestrial transmitters may get two or more local regional services.
Please supply your regional bytes and local ITV channel(s) received so we can make a complete list.
This 48_1c cmd is also sent following every channel change. It is a test of regional (country) and local entitlement.
---------------------------------------------
The Parental Control Byte (PCB)
The category of blocked programming is determined bitwise. Six bits are used. If a bit is set, that category is available; if it is not set, that category is blocked.
00 = blocks all channels.
PCB: "11 1111" (bit 0 is the LSB)
bit 0 - unclassified
bit 1 - universal
bit 2 - PG
bit 3 - 12
bit 4 - 15
bit 5 - 18
PCB values:
1F = 18 programming is blocked
2F = 15 programming is blocked
37 = 12 programming is blocked
3B = PG programming is blocked
3D = universal programming is blocked
3F = unrestricted - no programming is blocked
Other sample combinations of blocked channels:
39 = U+PG
0F = 15+18
07 = 12+15+18
03 = PG+12+15+18
01 = U+PG+12+15+18
The level of parental control is selected in the services/parental control menu. This, along with the rating byte sent in the ECMs, can be used by the subscriber to block unwanted programming.
The PCB is set using the 48 2E 40 00 09 command.
------------------------------
The Rating Byte
The Rating Byte, which follows the 02 nano, describes the type of programming content.
00 = not-encrypted ?
40 = encrypted (Universal)
41 = encrypted/ppv (Universal)
42 = encrypted/ppv (PG)
43 = encrypted/ppv (12)
44 = encrypted/ppv (15)
45 = encrypted/ppv (18)
51 = ppv (12)
52 = ppv (15)
53 = ppv (18)
80 = Information/announcement channels
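As an added example (not part of the original post), a decoder for the Parental Control Byte described above and a check of an ECM rating byte against it, using the PCB bit layout and the rating byte list given on this page. Treating rating bytes that have no category in that list (00, 80) as never blocked is an assumption of this example.

```python
# Added example, not from the original post: decode the PCB (cleared bit =
# category blocked) and test an ECM rating byte against it. Rating bytes 00
# and 80 have no category in the list above and are assumed never blocked.

PCB_BITS = ["unclassified", "universal", "PG", "12", "15", "18"]  # bit 0 = LSB

RATING_CATEGORY = {                  # rating byte -> category, from this page
    0x40: "universal", 0x41: "universal",
    0x42: "PG", 0x43: "12", 0x44: "15", 0x45: "18",
    0x51: "12", 0x52: "15", 0x53: "18",
}

def pcb_blocked(pcb):
    """Return the categories blocked by a PCB value (its cleared bits)."""
    if not 0 <= pcb <= 0x3F:
        raise ValueError("PCB uses only six bits")
    return [name for bit, name in enumerate(PCB_BITS) if not pcb & (1 << bit)]

def pcb_from_blocked(blocked):
    """Inverse: build the PCB value that blocks exactly these categories."""
    pcb = 0x3F
    for name in blocked:
        pcb &= ~(1 << PCB_BITS.index(name))
    return pcb

def is_blocked(pcb, rating):
    """True if programming carrying this ECM rating byte is blocked by the PCB."""
    cat = RATING_CATEGORY.get(rating)
    if cat is None:
        return False                 # assumption: 00 / 80 carry no rating category
    return cat in pcb_blocked(pcb)

if __name__ == "__main__":
    for v in (0x1F, 0x2F, 0x37, 0x3B, 0x3D, 0x3F, 0x39, 0x0F, 0x07, 0x03, 0x01, 0x00):
        print("%02X blocks %s" % (v, "+".join(pcb_blocked(v)) or "nothing"))
```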
=== to be continued ===