Hallo from Italy,

just a quick expanation for who asked how this "crack" works.

The emulation of the S*ca2 system uses the following instruments:

- Hash Table Bx Algorithm SuperEncription
- RSA key and exponent to decrypt ECM table 1001
- Operative Key 0D (March)

First of all you have to know that we have 3 hash tables in our S*ca2 cards. We have 9x, Bx and Fx table.

The Bx and the Fx tables are allocated in the eeprom of the card that was dumped maybe using an unlooper or a glitcher. The 9x tables are allocated in the rom, and there's no voice of a dump of the S*ca2 rom over the Net.

The eeprom dump is not of public domain anyway but someone with commercial interests used that to produce some pirate cards called Titanium and KnotCard earlier this year, wich files are not on the public domain as these cards are sold by people who lives this not as a hobby but as a work!

I think that the Bx tables used in the emu that YOU have on your cams (I've only an extremely normal GoldBox decoder ), have been dumped down from one these pirate cards or maybe someone had the files used to build the titanium cards and similar cards and he decompiled them.

The nice fact is that these tables are now in the public circuit, you can find them in the "Scam" binary file of the 5 mega img file for DreamBox. The sad fact is that if S_K_Y wants (and why shouldn't it want it?), it can switch all the ECM and EMM to a different table. It can use Fx tables at the beginning, just to give a black screen to all the emu people but soon or later also the Fx tables will faced up the sceenes. Definitevely S_K_Y could switch all to 9x hash table then and it will grant it the stronger smack down for anyone interested in emu or pirate solutions.

For who is asking how the Bx hash table is used, just look at a couple of strings here:

this is an example of ECM we receive:


C13C01Bx5C1001 236382606FAB41DCEBD40B034F59D0CD090A0196D42642E2FF2FF399741920FA956DD1C0631
4F6F2
099989C66653347162D6E8D063A3051F2A653C4FB751CEBCD6D887EE70CEE11CF3DA61F4346
03F01
BDF95FBF593D665BEB4A

and this is an examble of EMM we receive:

C14001B0631003 E7C2019B9870CD01D2A01CE5FBF66304DB0B1CB8DB2DE4832E4D6BCDEC87106A6E3F6D76294
73058
3355BB4E4AAAB52AEFEEC74DC369D488D47E756394C715FBB1D2C1F76AEDE39DEFBD50C9795
A4584
0EFEEC75FBF6630367822F9AA952804681


Look at the start of each string, it says us that:

C1 = Class of the command
40 = indicates the Ins used in the command, the ins 40 is used for EMM and ins 3C for ECM
01 = indicates the provider (Italian 01 is -> S_k_y (0070), in Spain it is -> C@nal+ (0064), and so on)
B0 or B1 = the lower nibble indicates the keys wich is signing the command, so 0 is for MK 00 and 1 is for MK 01, the high nibble indicates the hash tables used to crypt the entire command, from the beginning up today has been used the Bx hash table but as I said why S_K_Y should continue to use it now?
5C or 63 or other = indicates the LEN of the following part of the string
10 01 or 10 03 = indicates the ECM or EMM tables. We have 3 potentially activable tables for ECM and for EMM: 1001, 1003 and 1005, and an unuseful table 1007. Each table works with one RSA key and a public exponent. Each table is different from ECM to EMM, so if we had ECM table RSA keys 1001 they will be different from EMM table RSA keys 1001.

The control words (or cryptes words) now come crypted with ECM table 1001. The emu contains the RSA ECM 1001 keys and it firstly decrypt the entire command that brings the CryptedWord to open a channel. The cw comes with a C13C01Bx5C1001 command where, as you have understand:

C1 = Class
3C = Ins used for sending CW
01 = provider
Bx = you just know that B is the hush table used and x can be the operative C or D or E keys that will sign the command
5C = LEN
1001 = ECM table in use NOW!

The emu does that:

- receive the ECM that is crypted on ECM table 1001, signed with operative key in use now (0D March) hashed in table Bx
- decrypts it and takes the 8 bytes crypted word
- reply with a C1 3A containing the 8 bytes decrypted word (it doesn't require any suppletive cryptation)

All that gives you the open vision of the channels.

But how much can it last? Few days in my opinions.

The following are just some example of how can S_K_Y switch off the emus:

1) By changing operative key (Emu has the march key only and it is not updatable because it includes ECM table 1001 and not the EMM table 1003 wich is used to sign actualization!)
2) By changing ECM table from 1001 to 1003 or 1005 (these two last use a RSA key not in the public domain)
3) By switching all the command from hash tables Bx to unsecure but not yet in the public domain Fx tables or strongest solution: all switched to 9x tables!!!

I hope this explanation has been of any help for who asked how the system works, and if someone asks why it doesn't work for other providers, he must remember that:

- other provider hash tables are not in the public domain
- other provider ECM or EMM tables are not in the public domain
- many provider in Europe uses strongest cards then the Italian cards (we use Version 7.0A and Version 7.0B cards in Italy and Spain, other countries use cards with less bugs up to not-known bugs).

All the best,

Pop-Rock

moderator of Italian STUDY S*ca Board

Original geschrieben von wolfgreece
Selbst die Kopie
einer Originalkarte kann m.e.A. nicht laufen wenn beide Karten
gleichzeitig genutzt werden.