What do I need to read and extract the keys from a official Irdeto1 smartcard ?

tisurame · 02-10-2005

I'm really sorry guys, but I'm newbie in this subject...

There is a private channel here, protected by Irdeto1. It's not a commercial channel, so the official smartcard is not available for public. Anyway, if I borrow this smartcard, what I need to do in order to clone this card ? Or better...what do I need to read and extract the keys from it, so I can use it with a DVB PC card, like Skystar2 ?

Thanks.

**Topper** · 02-10-2005

to the forum tisurame
What you are suggesting I do not think is possible. The majority of card programmers over here in Europe are designed so that they erase the card when first placed in the reader, the situation may be different on your side of the pond but obviously few here would have any knowledge of that. I'm sure if you are patient someone will be able to confirm if it is or isn't possible. For sure though cloning of Irdeto II is completely out of the question.... otherwise everyone would be doing it, but not so sure about Irdeto I

**ukyawaye** · 05-10-2005

There may be many ways to clone Irdeto Version One Card.
Two method widely used is cloning to MOSC ( Modified Original SC ) and Making Wafer Card ( Gold ).
Both method ask for 10 bytes HMK from the original card.
There are many programs on the net to extract HMK from original card.
Depending on the original version such as version 1.2, 1.6, 1.8, 1.9 you have to use different programs.
I found FMCard400 by Fatmate easier to use.
Other important parameters are Serial Hex, Provider IDs & country codes.
FMCard400 will read these on connecting to Card Reader such as Mastera etc.

Using HMK & Serial Hex (with abit of manipulation) & using program such as Cardwizard,
you can write required data to original SC. But you have to partially erase the card.
Cardwizard will do that for you by Killing the original card.

By having HMK & Serial Hex, you can also write on Gold Card.

According to my experience, it is better to do MOSC.

Regards.

tisurame · 06-10-2005

Hey ukyawaye,

A Cas Interface 3, like this one: http://www.duolabs.com/cas3-eng.htm

Would work as a card reader to do that ?

Thanks

**ukyawaye** · 08-10-2005

Sorry, I have never used Cas3 Interface.
I have used Cas2 Interface.But I don't have add-ons ( attachment to Cas2 )
to use Cas2 as phoenix interface.
I have used only Infinity USB,Mastera III,Multiprog & SC-Master to play around with smart cards.
But since most card programer can be used as phoenix interface, I believe Cas3 will be able to read.
Please check you may need add-on for phoenix Interface.
You have to set to phoenix mode 6MHz. to read original card.
If you get ATR, Card Number, Serial Hex & Provider read outs, you card programer is ok.
The procedure is mentioned before.Required to get 10 byte HMK from original I1 card.
Please also make sure not to damage original card.
Do not try to write anything to original card.
I would like to advise you to start with expired I1 card.

tisurame · 08-10-2005

And before trying to get HMK from the original card, do I need to log the stream to reveal the card's version number and EMK ? It's possible to log using a Skystar2 ? How ?

Thanks.

**ukyawaye** · 10-10-2005

When The Card is inserted in Card Reader or Programmer ( I mean in Phoenix mode ), most Reader/Programmer will read & display Information such as Card Number,ATR, Serial Hex, Country Code ,Provider IDs, Date etc.
At the end of ATR string, there is the info. for ACS version No.

The Info. may be like :

Section containing key type alphanumeric codes removed:
NO keys on this forum, not even fake ones!

or anything below 2.0, you are in bussiness. Prepare to extract 10 bytes key.

No need to log to service provider. The program will extract the required 10 bytes key for you.

But I do not think there is any service provider still using Irdeto 1.
I think Irdeto 1 is left only in legend, Games of the Past.

Regards.

tisurame · 10-10-2005

But the PMK is not necessary ? In order to get the PMK, I need to know the HMK plus the EMK, right ? And since the EMK is not stored in the smartcard, maybe the only way to get it would be to log...

Irdeto 1 is still used here, in South America.

**ukyawaye** · 12-10-2005

Yes, regarding PMK, you are right.
To accept Key updates,PMK must be inside the card.
Both HMK & PMK can be extracted from card.
EMK can be computed by above Programmes.

But please remember once you reprogram the expired Manufactured Original SC with correct 10 bytes key, serialHex
and Provider ID, it will behave exactly like operating MOSC.
Infact, it will receive Mkey updating string and will update Provider ID, PMK.
Even properly programmed Gold Card will do above.
But Service Provider is not sending EMK everyday.So you have to log continuously to get EMK until they are sent.

Luckly, the PMK can be extracted easily from original card and enter to any expired card with Provider ID from original card.
Since Provider ID & PMK is correct, it will update operating keys ( which is changed from time to time ) and will decrypt Control word.
No need to extract HMK.
The problem is when SP send EMK next time (may be 3 months later), it will stop working.
That's why HMK is needed.

But logging is a must, to study the process properly.

tisurame · 13-10-2005

About the EMK...so, it's not really necessary ? You can directly extract the PMK ? But trying to do this, would not damage the smartcard ? If I remember, only a v1.2 Irdeto card would be safe to directly read the PMK.

If the only safe way to get the PMK is through EMK and HMK, what can be done if I start to log, but I do not receive the EMK, since it can be sent only 3 moths later ? There is a way to decrypt the channels without the EMK ?

**ukyawaye** · 15-10-2005

Without PMK the card will not accept keyupdates.
With correct PMK & correct Provider ID, it will accept keyupdates.
Plain Keys are used to Decrypt Control Words.

I believe you can extract PMK from all Irdeto version 1 cards.
Extracting properly will not demage the card.
Once 10 bytes HMK is extracted, you can clone many cards.

tisurame · 15-10-2005

About the smartcard version, there is a good chance that the Irdeto1 card version here is 4.1 or more...

So, it would be possible to clone ?

**ukyawaye** · 15-10-2005

That is great to hear that you have learned alot.
But there is a problem here what you have is Irdeto version 4.
Which give alot more problems that reactivation with logs wouldn't work.
Ofcourse there may be some hidden knowledge we shouldn't discuss here.
Version 4! There cried alot of so called schoolar for I1 like myself.
If version 4, then we have to wait until experts helps us out.
I believe the thread should be closed here.

Bye.

D. S. SHack · 22-10-2005

Hi tisurame,

Cloning an Irdetto Card ver 1.0 card / making a MOSC is easy enough, Kwessie is;
Is it an ACS 1.1/2, ACS 1.4/6 or an ACS 1.8/9 card as the PMK extraction is slighly different for each, (use a program such as FMCard to find out) .....
Also ...
Assuming you intend cloning it to another "original" Irdeto card, (as against a PIC/ Atmel card), what version would that card be, as the crd's for writing the new card, (and process of "zero-ing" the card/s), would be slighly different dependant upon the card/s concerned.

Irdeto 2 on the other hand is a little more complex, but not impossible

Rdgs,
DSS_Hack

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)