Does anyone know how to change HSN??

[supernova_esa]

Did anyone managed to change the HSN of his card to a new one? Not by loading an old gam file.

That's the only think that would make g@m@ C@rds not to expire very soon.

The method of logging EMMs with EMM Xtractor doesn't have any great result because you jonly change the providers of the card not the HSN. This just makes an old file to wake up without the need to let the card in the reciever for 1-2 or even 10 hours. Someone said tha you need a paid of C3 and CB line for the same hsn from the Emm Extractor but i dont think this make sense.

Moreover it is already known the way a G@m@ command is syntaxed.

How to create Gamma Update, (Commands)

'' 020100DKLNMMMMMMMMUSUL PAYLOAD CC
02 = Gamma update PDU
01 = CLA
00 = P1
DK = Index to 16byte Gamma update 3DES Key.
LN = Length of Message
MM = 8 Byte DES MAC
US = Update Selector (what to update)

For GSMK US = 01
For PMSK US = 02
For IV_PAD US = 03
For GMASK US = 04
For PMASK US = 05
For KEK US = 06
For COCO US = 08
For HSN US = 09
For ExiKey US = 0B
For AxiKey US = 0C
For ProviderID US = 10
For GroupKey US = 12
For ProductKey US = 13
For OS Erase US = 20
FOR OS Update US = 21

UL = Length of Update (for example for HSN UL = 03, for GMSK UL = 10, etc...)

PAYLOAD is the Update
CC = Message CRC or Checksum. Simply XOR message with 0x3F

OK to have multiple updates in one command.
Example:
020100DKLNMMMMMMMM0903HNHNHN0803COCOCO10 03PIPIPICC

This command will update HSN (HN), Coco (CO) and Provider ID (PI) in one go.

The DES MAC is calculated by prepending an 8 octet confounder to the plaintext,
performing a DES CBC-mode encryption on the result using the key and an initialization vector of zero,
taking the last block of the ciphertext, prepending the same confounder and encrypting the pair using DES
in cipher-block-chaining (CBC) mode using a a variant of the key, where the variant is computed by eXclusive-ORing the key

The message after LN is encrypted using the Triple DES mode CBC until the CC using 16 byte key in index DK . ''


So finally does anyone know how to change HSN??

[djkenzo]

if we can undrestand this language maybe yes, but i don't

[djkenzo]

but i got a couple of cards with killed HSN, PM me if u want me to test anything on these "dead" cards...

[cde]

hi im not a programmer but i noticed that every time you programme a card with different file the hsn is change so dont believe <them> talking for dead cards

[dilly]

Did anyone managed to change the HSN of his card to a new one? Not by loading an old gam file.

That's the only think that would make g@m@ C@rds not to expire very soon.

The method of logging EMMs with EMM Xtractor doesn't have any great result because you jonly change the providers of the card not the HSN. This just makes an old file to wake up without the need to let the card in the reciever for 1-2 or even 10 hours. Someone said tha you need a paid of C3 and CB line for the same hsn from the Emm Extractor but i dont think this make sense.

Moreover it is already known the way a G@m@ command is syntaxed.

How to create Gamma Update, (Commands)

'' 020100DKLNMMMMMMMMUSUL PAYLOAD CC
02 = Gamma update PDU
01 = CLA
00 = P1
DK = Index to 16byte Gamma update 3DES Key.
LN = Length of Message
MM = 8 Byte DES MAC
US = Update Selector (what to update)

For GSMK US = 01
For PMSK US = 02
For IV_PAD US = 03
For GMASK US = 04
For PMASK US = 05
For KEK US = 06
For COCO US = 08
For HSN US = 09
For ExiKey US = 0B
For AxiKey US = 0C
For ProviderID US = 10
For GroupKey US = 12
For ProductKey US = 13
For OS Erase US = 20
FOR OS Update US = 21

UL = Length of Update (for example for HSN UL = 03, for GMSK UL = 10, etc...)

PAYLOAD is the Update
CC = Message CRC or Checksum. Simply XOR message with 0x3F

OK to have multiple updates in one command.
Example:
020100DKLNMMMMMMMM0903HNHNHN0803COCOCO10 03PIPIPICC

This command will update HSN (HN), Coco (CO) and Provider ID (PI) in one go.

The DES MAC is calculated by prepending an 8 octet confounder to the plaintext,
performing a DES CBC-mode encryption on the result using the key and an initialization vector of zero,
taking the last block of the ciphertext, prepending the same confounder and encrypting the pair using DES
in cipher-block-chaining (CBC) mode using a a variant of the key, where the variant is computed by eXclusive-ORing the key

The message after LN is encrypted using the Triple DES mode CBC until the CC using 16 byte key in index DK . ''


So finally does anyone know how to change HSN??

With ultimate respect, all this means nothing useful.
Commands are encrypted, except for first bytes:
0201000000LN PAYLOAD
0201000000 unencrypted
LN = length of encrypted data

Encrypted data is decrypted using updateKey[0]
Decrypted data has extra 8 bytes at end which is the MAC
If calculated MAC = decrypted MAC, data is valid

It's only then that the gammacard can apply the commands as listed above.

The post seems to imply that the gamma commands are evident in the encrypted line. They are not.

So.... to change the HSN you need to decrypt the data, change the HSN, recalculate the MAC and encrypt the whole line again.
But this will still not get you a working card because you still need to generate new Exi and Axi keys, as these are used to decrypt the stream data.

In short, it's nearly impossible.

Cheers
dil

[tekan]

So what HSN value do you want?

[dilly]

Well, I'd like HSN = 00 00 00 and corresponding Axi/Exi please.
dil

[tekan]

I've done one better this file will set HSN of 00 00 01. Just use gammaloader :)

[therapia]

I've done one better this file will set HSN of 00 00 01. Just use gammaloader :)

no my friend with gamaloader the card cleaned when press program buton only with emk you can send this string if you want to load with gamaloader you must add and 58 line string

[dilly]

I've done one better this file will set HSN of 00 00 01. Just use gammaloader :)

LOL, very funny.

That line has HSN = 00 00 01.
But the Axi and Exi are invalid - how can they both be
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ??

dil