A little bit about NDS decoding (which?)*
DETAILED DESCRIPTION OF THE NDS DECODING PROCESS
The NDS Direct TV system is based on packets of data sent to the respective decoders together with the video data. Some of these data are selected by the receiver/decoder before being passed to the smart card, so as to form an individually authorized unit. In practice, only certain data among the millions in transit can be passed to your smart card. This way your smart card does not receive all the data that are useless to it and meant for other smart cards/decoders. Quite a lot of data packets will still pass to the smart card, however. There are dozens of them, and some of these are of vital importance!
The first vital packet is 4840, which is received immediately after a new channel is tuned in (and also at regular intervals). An example could look like this:
48 40 00 00 XX 40 09 10 10 00 01 4a 12 34 02 41 03 33 42 00 0c aa bb cc dd ee
Let's break it into parts:
48 40 00 00 XX: The two bytes 48 40 describe the type of packet and XX indicates the number of bytes that follow;
40: an echo from the card to the decoder to indicate that it is working;
09 10 10 00: Here 09 is the command that sets the key that will be used subsequently. In this case it indicates 10, which is a generic key used by all smart cards. The smart card uses an algorithm that produces 10 (decimal?; translator's note) bytes every time a new byte is acquired. To produce these 10 bytes it uses the preceding value and the new value stored in register A, the accumulator. Once the 09 command has been issued, almost every byte read subsequently passes through this algorithm, producing a new set of 10 bytes. So the only moment at which these 10 bytes can be known in advance is immediately after a 09 command is sent to the smart card. The algorithm is complex enough that discovering it would take years of processing even on the fastest supercomputers!!
01 4a 12 34: Command 01 sets the time and date, where 4a represents the month and 12 34 the digital time (not necessarily correlated to the 24 hours). Note, following the preceding description of the "10-byte key", that acquiring these 4 bytes will produce a "10-byte key" that is absolutely unique and not repeatable, since it is tied to time values. So any interception or attempt to change the date will result in a wrong key being issued.
02 41: Command 02 gives the visibility state of the program. In the byte that follows, the "4" means that a subscription is required for viewing, whereas an "8" would mean viewing is free or in preview. The second digit represents the "parental rating" (forbidden to minors; translator's note). It must be repeated, however, that any attempt to intercept the 41 (viewing with subscription) and change it to 81 (free viewing) will produce a wrong "10-byte key" that invalidates all our efforts.
03 33 42 00: Command 03 verifies that our subscription allows viewing of the tuned channel, in this case 33 42 (Ch-id; translator's note). It is at this point that the smart card responds differently depending on whether or not it holds the entitlement to view the channel. Here too it is not possible to intercept and change the channel identifier, to make the card believe it has the subscription, without altering and therefore invalidating the 10-byte key. Command 03 can be repeated several times, since each channel can have different Ch-ids associated with it, and one of these will or will not be recognized by our smart card. (This was done to simplify and optimize the offer of subscriptions to the various program packages.) For Pay Per View (PPV) events command 03 is replaced by 06, but the result is the same. (Only that in this case the entitlement to view the channel is temporary! Translator's note.)
0c aa bb cc dd ee: 0c is the command that verifies the integrity of all the bytes received from after the initial 09 up to and including ee. The five bytes after the 0c (aa bb cc dd ee) are compared with the first 5 bytes of the "10-byte key" produced and stored in the accumulator of the smart card (as we have seen, each acquired byte yields a new "10-byte key"; translator's note). If for whatever reason, interference and/or attempts at interception/modification, these 5 bytes do not match, the process of generating the decoding key will not be activated. Moreover, these bytes are not easy to guess, since there are 256x256x256x256x256 combinations (that is a lot!). This concludes packet 4840.
The smart card goes back to waiting for the next packet. What has been stored, however, is a set of 10 bytes and the state of whether or not the channel may be viewed. So far the receiver/decoder does not yet know the visibility status and does not show any video signal.
So the other vitally important packet arrives immediately afterwards: 48 54. This has a simpler format: 48 54 00 00 00 and nothing more. The smart card recognizes 48 54 and echoes it with a 54. Then it uses the data created with the preceding 48 40 packet to produce a further version of the "10-byte key" and "beats" it all together in hardware (so as to make things complicated for an emulator, also in terms of speed; translator's note).
It then applies software encryption and sends the resulting "10-byte key" and the visibility status to the receiver/decoder.
For this further "mangling" of the key, just described, the correct status for that channel at that time is nevertheless required; otherwise the "10-byte key" obtained from the preceding 48 40 packet is sent, which results in access to the channel being denied.
If, however, everything is OK, the "10-byte key" is sent to the MPEG stage of the decoder, which will finally give us the video signal. (The audio is not encoded, but it stays muted until the video decoding is correct.)
At this point we have learned that these two packets are fundamental: if we change any byte of packet 48 40 between command 09 and the end of the packet, we will get a wrong "10-byte key" and no decoding.
We can now add other commands to packet 4840 besides the simple 01 (time and date), 02 (program visibility) and 03 (verification of subscription data), provided that the final result of the 5 verification bytes is correct and correlated with the commands sent to the smart card. We can, for example, include command 60 followed by sub-command BF:
60 BF 81 23 01
This command causes the "10-byte key" to be regenerated 8 times, once for every byte found in the EEPROM starting from location 81 23. It is possible to specify the number of 8-byte blocks to verify (the example shows only 01, for one block) or a list of addresses to be verified. The real address might not be 8123 but another address (or range of addresses) in the 8xxx area that corresponds to the code altered by the "pirates"!
If we address an area of the EEPROM in which we know there are fixed values in every legitimate smart card, then every legitimate smart card will produce the same "10-byte key", valid for decoding; but if, as in the case of pirate cards, even a single byte were different, we would get wrong keys and therefore no decoding.
Translator's note: some considerations then follow on the fact that this last check is evidently not being performed, since working pirate cards (D*S-DirectTV) have been around for months, whereas with this check they would all be knocked out. Is it a choice of the broadcaster? Who knows?
I should also point out that the above refers to the American N*S system and as such may differ slightly from the European version.
=to be continued=
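The running check described in the post, as an added example that is not part of the original post and is not NDS code: SHA-256 truncated to 10 bytes stands in for the card's undisclosed algorithm, and `DEMO_KEY`, `EEPROM_BASE`, `absorb`, `process` and `seal` are hypothetical names. It shows why changing 41 to 81, or a single EEPROM byte covered by 60 BF, makes the 0c comparison fail.

```python
import hashlib
import hmac

# Argument byte counts per command, taken from the packet walkthrough above.
ARG_LEN = {0x09: 3, 0x01: 3, 0x02: 1, 0x03: 3, 0x0C: 5, 0x60: 4}
DEMO_KEY = b"constructed-demo-key"  # placeholder; not a real card key
EEPROM_BASE = 0x8000                # assumed start of the 8xxx area
# Constructed sample: the post's example body without echo byte and 0c part.
SAMPLE = bytes.fromhex("09101000014a1234024103334200")


def absorb(state: bytes, byte: int) -> bytes:
    """Stand-in mixer: derive the next 10-byte state from state + one byte."""
    return hashlib.sha256(state + bytes([byte])).digest()[:10]


def process(body: bytes, eeprom: bytes = b""):
    """Run the command list as the card would; return (accepted, state)."""
    state, i = None, 0
    while i < len(body):
        cmd = body[i]
        if cmd not in ARG_LEN:
            raise ValueError(f"unknown command {cmd:02x}")
        args = body[i + 1 : i + 1 + ARG_LEN[cmd]]
        if len(args) != ARG_LEN[cmd]:
            raise ValueError("truncated command")
        i += 1 + len(args)
        if cmd == 0x09:  # select key and restart the running state
            state = hashlib.sha256(DEMO_KEY + args).digest()[:10]
            continue
        if state is None:
            raise ValueError("command received before 09")
        if cmd == 0x0C:  # compare 5 check bytes with first 5 state bytes
            return hmac.compare_digest(args, state[:5]), state
        for b in (cmd, *args):  # every byte read changes the state
            state = absorb(state, b)
        if cmd == 0x60 and args[0] == 0xBF:  # mix in 8-byte EEPROM blocks
            start = int.from_bytes(args[1:3], "big") - EEPROM_BASE
            for b in eeprom[start : start + 8 * args[3]]:
                state = absorb(state, b)
    return False, state  # no 0c seen: nothing was verified


def seal(body: bytes, eeprom: bytes = b"") -> bytes:
    """Sender side: append 0c plus the check bytes for an untampered body."""
    _, state = process(body, eeprom)
    return body + b"\x0c" + state[:5]
```
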