Page 8 of 9 (results 141 to 160 of 172)

Thread: Are Sellers And Gammas The Same?

  • #141 Junior Member

    I think Gamma will die...



  • #142 Premium Member agarol

    I just love your brief comments.

    Would you be willing to expand on your knowledge?

    ag
    Energy is the father of creation

  • #143 Junior Member

    Quote Originally Posted by agarol:
    Good work gentlemen

    Now let's debate whether the gamma (m-core) is likely to be receptive to timing attacks, etc. What would be really interesting would be the update keys...

    ag
    I'm actually thinking the best way to get the update keys and all the other goodies from the card is to simply write a small program to read them from the flash.

    The trick is how do you upload your own program to the card without knowing any of the 3DES keys required to create the encrypted 02000 commands?

    If you have a look at startup.c you can see the gamma, as part of its boot process, checks to see if there has been any new version of the software uploaded. It does this by calling the function "Check4Update".

    When a new version of the gamma OS is sent via the .gam file using the 02000 commands, the card decrypts the payload and stores it into flash. If you have a look at the gamma updates, the first encrypted line is 0201000000105C6D3A55D9CE0BE8B9032F1305251E6F. The gamma OS decrypts this line and stores it at flash location 0x010000, minus the command header, checksum, etc...

    The Check4Update function compares this line via an XOR check with fixUpdateCMD[] = {0x18,0x55,0x2f,0x45,0xf1,0x55,0x87,0x95}. If the line matches then the gamma OS updates itself with the new version, otherwise the update is trashed.

    My theory, yet to be proven, is this.

    6D3A55D9CE0BE8B9032F1305251E6F decrypts to 0x18,0x55,0x2f,0x45,0xf1,0x55,0x87,0x95.

    Now that we know both the encrypted and decrypted version of the message, the task is working out what one of the 3DES keys is.

    Once we have this key we can create our own .gam files.

    Can anyone else check this theory?

  • #144 Premium Member agarol

    Quote Originally Posted by autertip:
    .....
    6D3A55D9CE0BE8B9032F1305251E6F decrypts to 0x18,0x55,0x2f,0x45,0xf1,0x55,0x87,0x95.

    Now that we know both the encrypted and decrypted version of the message, the task is working out what one of the 3DES keys is.
    ...
    Can anyone else check this theory?
    I'll just run a brute-force attack and get back to you next millennium with the results.

    ag
    Energy is the father of creation

  • #145 Junior Member

    Quote Originally Posted by agarol:
    I'll just run a brute-force attack and get back to you next millennium with the results.

    ag
    Yes, that's a small implementation issue.

    I was more interested in someone else validating the theory; I know it may not be practical.

  • #146 Junior Member

    Don't all the gamma updates send the same first line?

  • #147 Junior Member

    How do you know it's DES/TDES? I'm not saying it's not, as I think it is also. I also think each line is encrypted as a single line in TDES CBC mode, with the first 8 bytes being the IV.

    This still does not give you the key.

    The first line is different from all the rest. My gut says it is an RSA key. If that is the case, then why send an RSA key as a special line if you're not going to use it to install the following code?

    Just all theory.

    BTW, when working out the TDES, don't forget in its very basic form it's just DES 3 times. The key-spread algos could salt any key, and the way these keys are used can change, i.e. you can use 2 or 3 keys for TDES (2 being more common).
    i.e.:
    Data = ENC_Key1 (Data)
    Data = DEC_Key2 (Data)
    Data = ENC_Key1 (Data)

    or
    Data = ENC_Key1 (Data)
    Data = DEC_Key2 (Data)
    Data = ENC_Key3 (Data)

    etc....
    So good luck with that brute force LOL
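    The EDE composition crypto7 lays out above (encrypt with key 1, decrypt with key 2, encrypt with key 1 or key 3), as an added example that is not from this thread or from any card firmware. It runs over a small stand-in Feistel cipher so it executes offline; the stand-in is not DES, and the keys, the block and the `toy_*` / `ede_*` / `nominal_key_bits` names are constructed for illustration. What it adds beyond the post is the keying caveat a defender cares about: because the middle step is a decryption, any EDE configuration in which two adjacent keys are equal collapses to a single encryption, so the nominal key length means nothing if keys are reused.

```python
# Added example (not from the thread): the EDE structure of Triple DES over a
# small stand-in Feistel cipher. The stand-in is NOT DES; only the composition
# E_K3(D_K2(E_K1(x))) and its keying consequences are the point.
import hashlib
import struct

BLOCK = 8    # 64-bit block, like DES (constructed stand-in)
ROUNDS = 8


def _round_fn(half: int, subkey: bytes) -> int:
    """Toy round function: SHA-256 of (half, subkey) truncated to 32 bits."""
    digest = hashlib.sha256(struct.pack(">I", half) + subkey).digest()
    return struct.unpack(">I", digest[:4])[0]


def _subkeys(key: bytes) -> list:
    """Derive one subkey per round from the 8-byte key (toy key schedule)."""
    return [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(ROUNDS)]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """One Feistel encryption of a single 8-byte block."""
    assert len(key) == BLOCK and len(block) == BLOCK
    left, right = struct.unpack(">II", block)
    for sk in _subkeys(key):
        left, right = right, left ^ _round_fn(right, sk)
    return struct.pack(">II", right, left)   # final swap, as DES does


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Feistel decryption: the same network with the subkeys applied in reverse."""
    assert len(key) == BLOCK and len(block) == BLOCK
    left, right = struct.unpack(">II", block)
    for sk in reversed(_subkeys(key)):
        left, right = right, left ^ _round_fn(right, sk)
    return struct.pack(">II", right, left)


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """Triple-DES style EDE: encrypt with K1, decrypt with K2, encrypt with K3.
    The 2-key variant from the thread is obtained by passing k3 == k1."""
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """Inverse of ede_encrypt: D_K1(E_K2(D_K3(y)))."""
    return toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k3, block)))


def nominal_key_bits(k1: bytes, k2: bytes, k3: bytes, single_key_bits: int = 56) -> int:
    """Nominal key material actually in play for an EDE key triple.
    If k1 == k2 the first two calls cancel (only E_K3 remains); if k2 == k3 the
    last two cancel (only E_K1 remains): effectively one key. k1 == k3 is the
    2-key form. (Meet-in-the-middle further cuts the 3-key case to ~2^112 work.)"""
    if k1 == k2 or k2 == k3:
        return single_key_bits
    if k1 == k3:
        return 2 * single_key_bits
    return 3 * single_key_bits


def demo() -> tuple:
    """Round-trip EDE, show the collapse cases, and return the nominal key sizes
    for a 3-key, a 2-key and an all-equal key triple."""
    k1, k2, k3 = b"\x01" * 8, b"\x02" * 8, b"\x03" * 8   # constructed keys
    x = b"UPDATE01"                                       # constructed block
    y = ede_encrypt(k1, k2, k3, x)
    assert ede_decrypt(k1, k2, k3, y) == x
    # Collapse cases: a repeated adjacent key turns EDE into single encryption.
    assert ede_encrypt(k1, k1, k3, x) == toy_encrypt(k3, x)
    assert ede_encrypt(k1, k2, k2, x) == toy_encrypt(k1, x)
    return (nominal_key_bits(k1, k2, k3),
            nominal_key_bits(k1, k2, k1),
            nominal_key_bits(k1, k1, k1))


if __name__ == "__main__":
    print(demo())   # (168, 112, 56)
```

    The all-equal case is exactly the backward-compatibility property of Triple DES (three identical keys give plain single DES), which is why a key-loading routine that accepts a 24-byte key without checking the halves for equality can silently hand out 56-bit security under a 168-bit label.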

  • #148 Premium Member agarol

    Quote Originally Posted by crypto7:
    ...with the first 8 bytes being the IV.
    I disagree!
    In the 16-byte lines, the first 8 bytes are the encrypted data and the last 8 bytes the MAC. The IV comes from the card.

    Quote Originally Posted by crypto7:
    So good luck with that brute force LOL
    TDES (2 keys), 2^112 keys = a very long time


    ag
    Energy is the father of creation

  • #149 Junior Member

    Quote Originally Posted by agarol:
    I disagree!
    In the 16-byte lines, the first 8 bytes are the encrypted data and the last 8 bytes the MAC. The IV comes from the card.
    Sorry, my bad. I was looking at the IRD card update to go onto a gamma card, not the Gamma OS to go onto a "blank" card. Oops.

    Quote Originally Posted by agarol:
    TDES (2 keys), 2^112 keys = a very long time

    ag
    Yep, and it only gets longer if you have 3 keys, as explained above. The 2-key is just a common "standard".

  • #150 Junior Member

    Did you all try to extract the update from 1.X to 1.4 from the loader?

    It contains 3 blocks: Update Revision, Provider Update and IDK

    02010000009027FB91D6BA6C08F1B0B8FE2D6CA1B9D7427FD. ...
    some lines deeper...
    020100000030C4AA6387630AF2BDC6A1A41D12BFACFB0286DC 41488079F2367707C86B9B105CFCE1D6F7B9C6065537D65A7E 140E4093
    0201000000208F829592032AE335A1F94E6E8CBDD7F3B9432C 1F6FA9FAD96449FDF349BB8833
    END
    NEXT BLOCK

    If you have a look at creating files... (you got this tool?)
    Logg ECM with HSN (GROUP)

    ECM= 123456788
    Gets MD5 and the time stamp on it, and you have a working GAM file... and you can flash it. So the backdoor can be at the FLASH, but if you make failures on flashing, the card gets locked. The card picks up and decrypts the ECM and extracts the keys into another address in main flash.

    So one way you can try is sending a gam file to your hardware to inject something.
    (glitch) High Risk

  • #151 Senior Member mickc

    $80,
    our cards here are a gamma variant; the card won't accept 0201 commands
    and the gamma won't work with the main providers here.
    Logg ECM with HSN may be an interesting tool to play with if you could post a link.

  • #152 Premium Member agarol

    Quote Originally Posted by mickc:
    $80,
    our cards here are a gamma variant; the card won't accept 0201 commands
    and the gamma won't work with the main providers here.
    Logg ECM with HSN may be an interesting tool to play with if you could post a link.
    mick,

    I think you've forgotten that the original 1.2 gammas could be updated to 1.4. The header for each line of data was indeed 0201.

    I agree it would be very nice if $80 could post a link to some tools

    cheers
    ag
    Energy is the father of creation

  • #153 Junior Member

    If Gamma is the new card on the block, then many will be interested if it works more than normal and updates itself.
    Thanks for reading this mail, and I wish you all the best of health and wealth for you and your family.

  • #154 Senior Member mickc

    The gamma uses 0201 commands,
    and we updated the gamma with gam files and logged the ECM and sent it to the card,
    but the HMK or whatever is not in the stream to be logged,
    and with the revisions to the white cards I don't think the original gamma code would work here any more.

  • #155 Junior Member

    Quote Originally Posted by $80:
    ....

    So one way you can try is sending a gam file to your hardware to inject something.
    (glitch) High Risk
    I'm not sure what you mean by "inject something"? The payload is signed with a Message Authentication Code (MAC) and the complete message has a CRC. The hardware would simply ignore it.

    Can you provide more information?

  • #156 Premium Member agarol

    I wonder if the reference was to an unlooper or loader to glitch the timing/voltage. Something like UL4S.

    Or maybe he's referring to one of the crypto attacks that involves changing a single bit in the encrypted data and watching the result, although that probably wouldn't be useful for the update data as you don't get to see the data coming out the other end.

    ag
    Energy is the father of creation

  • #157 Junior Member

    How is it that some IR2 providers in Europe have keys...

    On another forum there is something about MCT, a raw ECM then the decoded ECM.... not sure if it will help anyone...

  • #158 Junior Member

    cost me $100 all good

  • #159 Junior Member

    Quote Originally Posted by $80:
    I think Gamma will die...
    Your username is familiar with a known seller. Hmm.

  • #160 Senior Member tagg

    Quote Originally Posted by ohn552000:
    cost me $100 all good
    Another crash clone; I wish he would give up.

    tagg
