
Originally Posted by gammaoracle
You will not get a lot of help from the Gamma Team. They are very busy making Titanium 3.
If you really want to know how to make commands to change your HSN, you first need to understand how it all works. The best way to do this is to look at the gamma source. But here are some basics.
The gamma source describes an icard using the following structures:
typedef struct tagIRDETOCARD {
    BYTE GSMK[16];
    BYTE PSMK[16];
    BYTE IV_PAD[16];
    BYTE GMASK[16];
    BYTE PMASK[16];
    BYTE KEK[16];
    BYTE INS2_23[13];
    BYTE Coco[3];
    BYTE abHex[3];
    BYTE AnzahlSectoren[1];
    BYTE ExiKey[16];
    BYTE AxiKey[16];
    IRDETO_SECTOR sIrdetoSector[2];
} IRDETO_CARD;
From this you can see there are many keys required; however, as a minimum, to have a working card you need:
1. IV_PAD (this is required by the CBC algorithm used for decrypting DES)
2. GMASK (this is required to decrypt the product keys sent in the 02/03 EMMs)
3. abHex (this is the HSN)
4. AxiKey (this is to decrypt the first layer of the C3/CB EMK)
5. ExiKey (this is to decrypt the second layer or the Nano Messages of the C3/CB EMK)
To get the IV_PAD, GMASK, plus the other keys in the icard, the gamma team send a real card to a lab to micro-probe and dump its contents.
The ExiKeys and AxiKeys are generated by them using a special technique that is known to them. There are lists which the Gamma Team have published and unfortunately given to the providers so that they can kill all the HSNs that have been used in the gammacard. For example, the Nova list contains well over 8,000 details.
The various lists are floating around the forums. I suggest you get your hands on them and have a look. See if you can see what others have worked out.
Regardless, this is where your biggest challenge will be. Unless you also send your real card to a lab to dump its contents, you will not be able to obtain the Exi/Axi keys that match the HSN you are trying to clone.
So let's have a look at how this structure is populated using the individual Update Commands (UC) described in great detail in the Gamma Source Code.
Gamma Update Command
Encrypted:
020100000060FF5E8BEE52F49016E1B1A10A12748843640FE349E61AE9A6EA10E6891AB0B06ADBDC
C0507B3347F74DF5D59544DBA4D0D6348A6BF2C9941F47240249FF86FD8896672CAC65921AEBE8A0
E9F85F972B3BB8DE62428F5FCE6503DCB9689792009B
Decrypted using the Update Key 0:
890601100D22CC930A01000310AFB049FC408D4D2C91B8588E3B691C470410D577AE402C9C31DBBE
4302769980EA2205108E285D3EDB3E2BCB98164E21BA25BC10070D05051206030604060106020000
0A01020803475243 MAC = 117434F9A2B18072
When you look through the decrypted message from left to right you see this message contains the following update commands:
Padding Byte (UC->89) = 06 (This instructs the gamma to ignore the next 6 bytes)
AnzahlSectoren (UC->0A) = 00
IV_PAD (UC->03) = AFB049FC408D4D2C91B8588E3B691C47
GMASK (UC->04) = D577AE402C9C31DBBE4302769980EA22
PMASK (UC->05) = 8E285D3EDB3E2BCB98164E21BA25BC10
INS2_23 (UC->07) = 05051206030604060106020000
AnzahlSectoren (UC->0A) = 02
Coco (UC->08) = 475243
Gamma Update Command
Encrypted:
020100020048B0F77E2B1BB864623F39350991F5EE87152E79C18CE50C6EA756CE4BD4DF6866B393
F18909FC227C54B96FA4E13DB3DFE381E41EEBCEBFFD5F6E93E78A059942568F401C95770767
Decrypted using the Update Key 0:
8912E1B08086646F15079C51D35FEC9A73A651700B10E11277A94DFBAA9B86732C6AB8C590B70C10
E62E1ADE4E9AB245606733E5DBB1188A0903079AB10D0118 MAC = 03F6DD58915095B9
When you look through the decrypted message from left to right you see this message contains the following update commands:
Padding Byte (UC->89) = 12 (This instructs the gamma to ignore the next 12 bytes)
ExiKey (UC->0B) = E11277A94DFBAA9B86732C6AB8C590B7
AxiKey (UC->0C) = E62E1ADE4E9AB245606733E5DBB1188A
abHex (UC->09) = 079AB1
Gamma Update Command
Encrypted:
020100020048CAB79AE419027D30A304238462D915E3ACA24B6685ECC4941321AE8AE3E5FA303D0A
6B6A795A3EF5581097793A25D37A261B13FB75AC883ABD01D0A0726496D937108BA475662ABB
Decrypted using the Update Key 0:
890D6D6DAD060E08A2ED0673574171400113100400052B2912120000D2C37C72BC09C66D18AFB930
ECCA0C0D121200019AA30E9C914B6FE93559DFEDF1F98D9D MAC = F63F1C137D67DF4E
When you look through the decrypted message from left to right you see this message contains the following update commands:
Padding Byte (UC->89) = 0D
iCard.sIrdetoSector[0].abPid (UC->10-00) = 052B29
iCard.sIrdetoSector[0].abGroupKey[0] (UC->12-00-00) = D2C37C72BC09C66D18AFB930ECCA0C0D
iCard.sIrdetoSector[0].abGroupKey[1] (UC->12-00-01) = 9AA30E9C914B6FE93559DFEDF1F98D9D
GammaOracle