EMM analysis Nagra 2(still in progress)

[joebvk]

Hello!
I'm trying to analyse emm recieved from skystar and vplug.
I write from many tutorial small program (in Mingw with OpenSSL library).
Calculation hash function & decriprion with 3DES isn't in this program implemented.
Only one I get some usefull result from recieved EMM packet (9.7.2009) (I think that EMM Idea was changed and don't understand which key to select ... 820018, 920018,820098,920092, susccess was with KEY select 820018).
In my program are still more commented part of code and some bugs (when I try brute force it always down aftter few minutes).
Zip contains source code and exe. To use exe You need to edit file input.txt, used are first 3 rows (1. is EMM key, 2. is EMM RSA, 3. is part of recieved EMM). In source code is line //#define vypis, if You delete //, then program show results step by step.

EDIT: Today I recieve neu packet, which give me successfull result (of course result need to do XOR 4.byte with FD & XOR 7.byte with 02)
EMM packet was

EMM-G=82 70 6C 00 00 00 00 00 04 65 20 11 82 00 18 2B C2 07 1C DE 54 8E 13 D1 4C 34 81 BF 68 5E 7B 76 9D 54 69 DB 0C DA 61 50 95 19 0F 55 91 67 D8 36 FD 63 98 83 13 B3 BA DD 74 43 D3 1D 8E 47 8C 5D 25 B8 A5 7D C3 70 D7 E7 5E 5A 1E F9 04 9A F2 BE 48 84 40 DB CC 17 EB 72 A5 EA 98 59 46 20 D4 30 19 4F A5 14 D9 0C B0 56 D9 6B 5B 34 4C 40 05

Result:

29245366234A9178201113DB00011A337789BA8A 9BCD605400230AC62F70A12125F9B723A604B72B B725B726A607CD3844B62D43B8D1B7D1B62DB8D4 B7D486A632CC9BE18321114200100608001012DC 2EE33392A35B3139A483C9454B460000

You can see calculated key: 12DC2EE33392A35B3139A483C9454B46
Right key is: 12DC2E1E3392A15B3139A483C9454B46

[joebvk]

Hello, here is semi-AU for skystar(for D*giT*).
All needed steps:
1. catch EMM packets (in vplug click on CA-Info tools - Utils - Log all reseived N2-Emms)
2. after few minutes copy contents of Debug output into vstup.log
3. run uprava.exe (it create small auxiliary files) (if is vystup5.log empty, then catch EMM again)
4. run DecryptEMM.exe (it create softcam.key)
5. copy softcam.key into folder whitch contains vplug
6. delete v_keys.db

(it is possible to see key in softcam.key and insert it to vplug directly, there are many possibility to insert it to vplug)

[joebvk]

Here is vplug.dll (patched version 2.4.2).
It's include patch for DIgiTV AU (all other nagra2 aren't working).

[joebvk]

Yesterday was made change in EMU.
Now is working this new patch.
Replace original 2 files with this new(ROM110.bin into folder AUBins):

[joebvk]

AU in vplug is down again, they use different algo for next key change (but under same AC 6 revison).

[Manetticut]

old thread

but I am looking for software to decrypt N2 with EMM-G

[toshi82]

Are you looking for studio n2-s3 other what exactly?

Do you have a dump from your smartcard?

[Manetticut]

I dont know what I need

I just know that you can decrypt Nagra2 key from EMM-G


i am talking about sw!ss cablec*m UPC (DVB-C)

I think I should be able to get card dump

[Manetticut]

i have card dump with all keys...

someone help me with decrypting EMM-G please