help gamma team

[bil ETO]

why gamma tem ?????????

[miltossat]

I might be late for this question but the 020100000060 line is a total of 102 bytes data. How can we do a 3des decryption since 3des needs a multiply of 8 bytes ???

[007.4]

You do not count the header bytes. The length of the EMM is 0x60 which is 96 decimal. This is a multiple of 8 ........ 8 x12 = 96

[miltossat]

Yes... I realized it after my post when i saw that the decrypted message was 88 bytes, 96 with the mac.
The decryption is done only by a 3des key ? That is something that we could compute, though I believe that many people have it. I might be a very big number of computing though...
340.282.366.920.938.000.000.000.000.000. 000.000.000,00

[007.4]

You also need the 16 byte Initial Vector.
Calculating 3DES keys (effectively, two 8 byte keys) is, to all intents and purposes....impossible, with today's computing power.
Furthermore, there are some XOR functions in the algo, so just getting the plain and encryted data to attempt a BF would be extremely difficult.

[acab1]

You also need the 16 byte Initial Vector.
Calculating 3DES keys (effectively, two 8 byte keys) is, to all intents and purposes....impossible, with today's computing power.
Furthermore, there are some XOR functions in the algo, so just getting the plain and encryted data to attempt a BF would be extremely difficult.

unfortunately I'd have to agreed with you on that one ... :(

[bobi]

help Macedonian package irdeto 2-16° est-12525 h 30000
kanal 5 mkd
kanal5 + mkd
alfa tv
sitel
sitel 3
ab kanal

[georgekamal]

dear sir, thank u for ur post with usefull info ., and how to extract Axi, Exi or GMASK, IV_PAD from the real working card? have any guide ?
regards-george

You will not get a lot of help from the Gamma Team. They are very busy making Titanium 3.

If you really want to know how to make commands to change your HSN you first need to understand how it all works. The best way to do this is to look at the gamma source. But here is some basics.

The gamma source describes a icard using the following structures:

typedef struct tagIRDETOCARD {
BYTE GSMK[16];
BYTE PSMK[16];
BYTE IV_PAD[16];
BYTE GMASK[16];
BYTE PMASK[16];
BYTE KEK[16];

BYTE INS2_23[13];
BYTE Coco[3];
BYTE abHex[3];
BYTE AnzahlSectoren[1];
BYTE ExiKey[16];
BYTE AxiKey[16];
IRDETO_SECTOR sIrdetoSector[2];

}IRDETO_CARD;



From this you can see there are many keys required however as a minimum to have working card you need:
1. IV_PAD (this is required by the CBC algorithm used for decrypting DES)
2. GMASK (this is required to decrypt the product keys sent in the 02/03 EMMs)
3. abHEX (this is the HSN)
4. AxiKey (this is to decrypt the first layer of the C3/CB EMK)
5. ExiKey (this is to decrypt the second layer or the Nano Messages of the C3/CB EMK)

The gamma team to get the IV_PAD, GMASK, plus the other keys in the icard send a real card to a lab to micro-probe and dump its contents.
The ExiKey and AxiKey's are generated by them using a special technique that is known to them. There are lists which the Gamma Team have published and unfortunately given to the providers so that they can kill all the HSNs that have been used in the gammacard. For example, the Nova list contains well over 8,000 details.

The various lists are floating around the forums. I suggest you get your hands on them and have a look. See if you can see what others have worked out.

Regardless this is were your biggest challenge will be. Unless you also send your real card to a lab to dump its contents you will not be able to obtain the Exi/Axi keys that match the HSN you are trying to clone.


So lets have a look at how this structure is populated using the individual Update Commands (UC) described in great detail in the Gamma Source Code.

Gamma Update Command
Encrypted:
020100000060FF5E8BEE52F49016E1B1A10A1274 8843640FE349E61AE9A6EA10E6891AB0B06ADBDC
C0507B3347F74DF5D59544DBA4D0D6348A6BF2C9 941F47240249FF86FD8896672CAC65921AEBE8A0
E9F85F972B3BB8DE62428F5FCE6503DCB9689792 009B


Decrypted using the Update Key 0:
890601100D22CC930A01000310AFB049FC408D4D 2C91B8588E3B691C470410D577AE402C9C31DBBE
4302769980EA2205108E285D3EDB3E2BCB98164E 21BA25BC10070D05051206030604060106020000
0A01020803475243 MAC = 117434F9A2B18072

When you look through the decrypted message from left to write you see this message contains the following update commands:

Padding Byte (UC->89) = 06 (This instructs the gamma to ignore the next 6 bytes)
AnzahlSectoren (UC-0A) = 00
IV_PAD (UC->03) = AFB049FC408D4D2C91B8588E3B691C47
GMASK (UC->04) = D577AE402C9C31DBBE4302769980EA22
PMASK (UC->05) = 8E285D3EDB3E2BCB98164E21BA25BC10
INS2_23 (UC->07) = 05051206030604060106020000
AnzahlSectoren (UC->0A) = 02
Coco (UC->08) = 475243


Gamma Update Command
Encrypted:
020100020048B0F77E2B1BB864623F39350991F5 EE87152E79C18CE50C6EA756CE4BD4DF6866B393 F
18909FC227C54B96FA4E13DB3DFE381E41EEBCEB FFD5F6E93E78A059942568F401C95770767


Decrypted using the Update Key 0:
8912E1B08086646F15079C51D35FEC9A73A65170 0B10E11277A94DFBAA9B86732C6AB8C590B70C10
E62E1ADE4E9AB245606733E5DBB1188A0903079A B10D0118 MAC = 03F6DD58915095B9


When you look through the decrypted message from left to write you see this message contains the following update commands:

Padding Byte (UC->89) = 12 (This instructs the gamma to ignore the next 12 bytes)
ExiKey (UC->0B) = E11277A94DFBAA9B86732C6AB8C590B7
AxiKey (UC->0C) = E62E1ADE4E9AB245606733E5DBB1188A
abHex (UC->09) = 079AB1


Gamma Update Command
Encrypted:
020100020048CAB79AE419027D30A304238462D9 15E3ACA24B6685ECC4941321AE8AE3E5FA303D0A 6B6A
795A3EF5581097793A25D37A261B13FB75AC883A BD01D0A0726496D937108BA475662ABB


Decrypted usig the Update Key 0:
890D6D6DAD060E08A2ED06735741714001131004 00052B2912120000D2C37C72BC09C66D18AFB930
ECCA0C0D121200019AA30E9C914B6FE93559DFED F1F98D9D MAC = F63F1C137D67DF4E

When you look through the decrypted message from left to write you see this message contains the following update commands:

Padding Byte (UC->89) = 0D
iCard.sIrdetoSector[0].abPid (UC->10-00) = 052B29
iCard.sIrdetoSector[0].abGroupKey[0] (UC-> 12-00-00) = D2C37C72BC09C66D18AFB930ECCA0C0D
iCard.sIrdetoSector[0].abGroupKey[1] (UC-> 12-00-01) = 9AA30E9C914B6FE93559DFEDF1F98D9D

GammaOracle