ef=key update, ee?

Jowi

Regular Member
#1
I've recently discovered a new kind of card update on a Viaccess system. Normally a key update begins with ef and length. But now a new one has appeared. It changes entity to ff f4 10 and then comes a ca 18 command followed by an encrypted word beginning with ee and length. Does anyone know what the ee stands for?

Jowi
 
scoodidi

Guest
#2
I think it could be
ef=opkey update
ee=mk update
Could you post the complete log of that update?
Regards
CAA4
CAF0
CA18
 
Jowi

Regular Member
#3
Sure, here it comes.

caa4040003 > ff f4 10 90 00

Changes to Master File Level

caf0000122 > 9e 20 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ef ff ff
ff ff 90 00

All cards but one, probably closed.

ca18010114 > ee 08 81 06 31 eb 47 d9 48 3a f0 08 52 a6 15 e6
e7 d5 4f 85 91 00

The update, already in card, no address or anything just "ee 08"

caa4040003 > 00 88 00 90 00

Goes back to normal File Level (Provider)

It's confusing that it changes to master file level. From what I have understood, there are no keys in the root. If you read out the active keys in the Master level it should be the active providers.

/Jowi
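
As an added example (not part of the original thread), the log in post #3 can be split mechanically into command header, data and status word. It assumes each entry is a five-byte header, then data whose length equals the header's last byte, then a two-byte status word, and that the CAF0 and CA18 data are one-byte tag, one-byte length fields; `Apdu`, `parse_log` and `tlv` are names chosen here.

```python
from dataclasses import dataclass

# Log lines copied from post #3, including the wrapped continuation lines.
LOG = """\
caa4040003 > ff f4 10 90 00
caf0000122 > 9e 20 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ef ff ff
ff ff 90 00
ca18010114 > ee 08 81 06 31 eb 47 d9 48 3a f0 08 52 a6 15 e6
e7 d5 4f 85 91 00
caa4040003 > 00 88 00 90 00
"""

@dataclass
class Apdu:
    cla: int; ins: int; p1: int; p2: int; p3: int
    data: bytes   # bytes between the header and the status word
    sw: int       # trailing two bytes, e.g. 0x9000

def parse_log(text):
    """Join wrapped lines, then split each entry into header, data and status word."""
    entries = []
    for line in text.splitlines():
        if ">" in line:
            head, _, rest = line.partition(">")
            entries.append([head.strip(), rest])
        elif line.strip() and entries:
            entries[-1][1] += " " + line   # continuation of the previous entry
    out = []
    for head, rest in entries:
        hdr, body = bytes.fromhex(head), bytes.fromhex(rest)  # fromhex skips spaces
        if len(hdr) != 5 or len(body) != hdr[4] + 2:
            raise ValueError(f"length byte does not match data in {head}")
        out.append(Apdu(*hdr, data=body[:-2], sw=int.from_bytes(body[-2:], "big")))
    return out

def tlv(data):
    """Split data into (tag, value) pairs; assumes one-byte tag, one-byte length."""
    items, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated field")
        n = data[i + 1]
        items.append((data[i], data[i + 2:i + 2 + n]))
        i += 2 + n
    return items
```

Under these assumptions every length byte in the log matches its data, and the CA18 data splits into two eight-byte fields tagged ee and f0.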
 
scoodidi

Guest
#4
After some work with viadecrypt it seems to be
an mk1 update of provider 00 88 00 (what kind of provider is that?) encrypted with mk1 of provider FFF410 (normally the master provider is fff400)

Regards
 
Jowi

Regular Member
#5
I didn't know they could use keys from master provider. There's only two active, 00 01, so I thought that was the list of providers. The system I am logging is a nationwide cable-tv system in Sweden. Master Provider is called FF F4 10, the other provider is 00 88 00 which covers all channels, thankfully. I saw another Master Provider on another system in Sweden where it was called FF F5 10.
It would make sense if it was a mk1 update because they have been using mk1 but use mk4 at the moment. I've only seen those two mk's in old logs. I just wonder what makes you think it's an mk1 update. The ca 18 command tells you that it should decrypt it with mk1 from master but there's no indication of where to put it. Anyway, next step is to figure out how to get the mk's in plain. BruteForce is out of the question so there has to be another way into the card.

Thanks for your help, if you have any other comments I would be glad to hear more from you.

Jowi
 
Jowi

Regular Member
#6
Ok, I see. Tried it in Viadecrypt as well. It seems to be a mk1 update. But the question remains. How does the card know which provider to put it in when it has changed to master? In my case there's only one other provider but there could have been more.

Once again, thanks for your help and please let me know if you have any other comments.

/Jowi
 
Jowi

Regular Member
#7
Ok, I will answer my own question now. The EE 08 is meant to set the card PIN-code. It's only used if the provider wishes to do so. If you change it through the box it's not coded.
I changed my PIN-code through the box and then used the update and it was back to "0000".

The only strange thing is why they did it on so many cards in the same SA. It was all but one.

/Jowi
 