Nagravision 3 Hack Comming or Not?

[pharaoh47]

Are you jockin?
Most of the channel in your list are not in Nagra and the others are old...

he probably copied somebodies old post like many people is doing that(but they are atleast coping new posts)

enjoy watching satellite tv and play
http:/********************cellule

[TV_LICENCE]

Here is some n*gra k**s in a txt format

Come on guys!

It's time to grow up

[djangel912]

---------------------------------- __ __ __ ___ __ __
The NagraVision3 hacking FAQ /_/ /_/ /_/ | | /_/ /_/
Revision: 00000000 |_|/_/ /_/ |_| /_/ |_|
| || | | | | | | | | |
-- -- -- - -- --
Contents:

0: Openers
0.1: Introduction/About me
0.2: Where to find this FAQ
0.3: Contributors
0.4: Detractors
1: The T=1 protocol
1.1: NagraVision2 ATR
1.2: NagraVision's packet structure I: The ISO-specified portion
1.2.1: Chained messages
1.3: NagraVision's packet structure II: The IRD-to-CAM information field
1.4: NagraVision's packet structure III: The CAM-to-IRD information field
1.5: The status word
2: Commands
2.1: Command list
2.2: Command lengths, expected replies, and reply lengths
2.3: Command breakdown
2.3.Rom152.CMD.04: CMD $04/RSP $84 Entitlement Management Message (EMM)
2.3.Rom152.CMD.07: CMD $07/RSP $87 Entitlement Control Message (ECM)
2.3.Rom152.CMD.12: CMD $12/RSP $92 Serial Number Request
2.3.Rom152.CMD.15: CMD $15/RSP $95 Processing cycle request
2.3.Rom152.CMD.17: CMD $17/RSP $97 Special Entitlement Management Message Cmd17 (EMM)
2.3.Rom152.CMD.18: CMD $18/RSP $98 Special Entitlement Management Message Cmd18 (EMM)
2.3.Rom152.CMD.1A: CMD $1A/RSP $9A Control Word Request (video decryption key request)
2.3.Rom152.CMD.1C: CMD $1C/RSP $1C Control Word Request (video decryption key request)
2.3.Rom152.CMD.22: CMD $22/RSP $A2 Data item request
2.3.Rom152.CMD.2A: CMD $2A/RSP $AA MECM key request
2.3.Rom152.CMD.2B: CMD $2B/RSP $AB MECM key update
2.3.Rom152.CMD.32: CMD $32/RSP $F2 Request for encryption of data to be sent in callback
2.3.Rom152.CMD.33: CMD $33/RSP $F3 Request for data encrypted by previous command $32
2.3.Rom152.CMD.48: CMD $48/RSP $78 Special Entitlement Management Message Cmd48 (EMM)
2.3.Rom152.CMD.49: CMD $49/RSP $79 Get EMMPlaintext from Cmd48
2.3.Rom152.CMD.4A: CMD $4A/RSP $7A Special Encrypt Message Cmd4A
2.3.Rom152.CMD.64: CMD $64/RSP $E4 Write IRD info
2.3.Rom152.CMD.65: CMD $65/RSP $E5 Get IRD Command from EmmCmd64
2.3.Rom152.CMD.68: CMD $68/RSP $E8 Process UROM2 Data
2.3.Rom152.CMD.69: CMD $69/RSP $E9 Process UROM2 Data
2.3.Rom152.CMD.6A: CMD $6A/RSP $EA Update Provider Filter
2.3.Rom152.CMD.6B: CMD $6B/RSP $EB Update and play with DecryptKey no 7A and Provider Filter
2.3.Rom152.CMD.6C: CMD $6C/RSP $EC Update Provider Filter
2.3.Rom152.CMD.6D: CMD $6D/RSP $ED Update or Create DecryptKeyno24
2.3.Rom152.CMD.C4: CMD $C4/RSP $84 Special Entitlement Management Message CmdC4 (EMM)
2.3.Rom152.CMD.C7: CMD $C7/RSP $B7 Request for ID of updated data items
2.3.Rom152.CMD.C8: CMD $C8/RSP $B8 Request for date/time
27Rom Total
2.3.FW.CMD.05: CMD $05/RSP $85 unknow
2.3.FW.CMD.08: CMD $08/RSP $88 unknow
2.3.FW.CMD.16: CMD $16/RSP $96 unknow
2.3.FW.CMD.19: CMD $19/RSP $99 unknow
2.3.FW.CMD.27: CMD $27/RSP $A7 unknow
2.3.FW.CMD.28: CMD $28/RSP $A8 unknow
2.3.FW.CMD.29: CMD $29/RSP $A9 unknow
2.3.FW.CMD.2C: CMD $2C/RSP $AC unknow
2.3.FW.CMD.2D: CMD $2D/RSP $AD unknow
2.3.FW.CMD.63: CMD $63/RSP $E3 unknow
2.3.FW.CMD.6E: CMD $6E/RSP $EE unknow
2.3.FW.CMD.C9: CMD $C9/RSP $B9 unknow
12FW Total
2.4: Basic command sequences
2.4.1: Finding out if the card is busy or has new information
2.4.2: Finding out what data types in the card's database have changed
2.4.3: Retrieving a specific data item from the card
2.4.4: Getting the data required to decrypt the video stream
3: EMM commands
3.1: EMM command list
3.2: EMM command breakdown
3.2.01: EMM command $01 Set up for EMM commands
3.2.10: EMM command $10 Spending limit item create
3.2.12: EMM command $12 Create subscription tier
3.2.13: EMM command $13 PPV Service
3.2.20: EMM command $20 Modify subscription dates
3.2.46: EMM command $46 Create and update Dt08 ItemId0A
3.2.47: EMM command $47 DT06 key update for key no 30 (CMD48)
3.2.48: EMM command $48 Create and update Dt08 ItemId0A
3.2.49: EMM command $49 Create and update Dt08 ItemId0A
3.2.42: EMM command $42 DT06 key update
3.2.4F: EMM command $4F CW Extra encryption
3.2.54: EMM command $54 Update blackout bytes
3.2.81: EMM command $81 Master program provider activation
3.2.83: EMM command $83 Change EMM system ID
3.2.64: EMM command $64 Encrypt IRD command
3.2.90: EMM command $90 Create ItemID0B
3.2.85: EMM command $85 Create ItemID04
3.2.9F: EMM command $9F EmmHeader for nextemmcmd by Cmp UpstatMsb:Lsb
3.2.A1: EMM command $A1-AF Emm Filter by CamId
3.2.B1: EMM command $B1 Execute code from RAM
3.2.B1.0801 List: Emm Command $B1 List of packet 41 42 43 44 45 46 47
3.2.C4: EMM command $C4 EmmCmdXX with Extra encryption Layer
3.2.C5: EMM command $C5 WriteEEp at 311E and 311F and Update Date_Copy
3.2.E0: EMM command $E0 ItemID Update
3.2.E3: EMM command $E3 Write eeprom
3.2.E3: EMM command $E3 Write eeprom, Sub section all EmmcmdE3 packet for Rom102Rev241 to Rom102Rev242
3.2.E3: EMM Command $E3 write eeprom, Sub Section Understand EmmcmdE3 by dasm
3.2.F3: EMM command $F3
4: 21-xx data types
4.1: Data type list
4.2: Data type breakdown
4.2.00: Data Type$00 Mapped ItemID[01] - IRD INFO
4.2.01: Data Type$01 Mapped ItemID[02] - System Type
4.2.02: Data Type$02 Mapped ItemId[03] -
4.2.03: Data Type$03 Mapped ItemID[04] -
4.2.04: Data Type$04 Mapped ItemID[05] - Provider Info
4.2.--: Data Type$-- Mapped ItemID[06] - Decrypt Keys
4.2.05: Data Type$05 Mapped ItemID[07] - Tier
4.2.06: Data Type$06 Mapped ItemID[08] - Provider Filter
4.2.07: Data Type$07 Mapped ItemID[09] - Spending Limit
4.2.08: Data Type$08 Mapped ItemID[0A] - DT08+C8
4.2. : Data Type$ Mapped ItemID[0B] -
4.2. : Data Type$ Mapped ItemID[0C] -
4.2. : Data Type$ Mapped ItemID[FF] - DTMatchany
5: The backdoors
5.1: The backdoor passwords
5.2: The backdoor commands
6: Inside NagraVision cards
6.1: The MCU core
6.2: AA-06 vs AA-07
7: Glossary
7.1: Glossary
8: Encryption
8.1: ECM encryption
8.1.1: The encryption algorithm
8.2: EMM encryption
8.3: The valid hash
9: Hacks
10: Firmware versions of the various E* cards
10.102: ROM152 firmware versions
11: Writing code for NagraVision cards
11.3: ROM152 cards
11.3.1: Bug-catcher modules
11.3.2: Hooking in a bug-catcher
11.3.3: Useful routines and memory locations
11.3.3.1: Utility routines
11.3.3.2: Database routines
11.3.3.3: Low-level routines
11.3.3.4: Encryption/decryption routines
11.3.4: Memory usage
11.3.4.1: ZP RAM
11.3.4.2: Other RAM
11.3.4.3: Tables in ROM and EEPROM
11.3.5: MAPROM
13: Stream
13.1: Bootup sequence 0101
13.2: Bootup sequence 0101 cut
13.3: Bootup sequence 0801
13.4: Bootup sequence 0801 cut
13.8: Nagra_3_config1.1.cfg for T-Rex Nagra-Tool
13.9: DASM ROM152_ND13_A0FF-INTERCEPT-autoVCC_20.XVB
Blockerv7 Backdoor dasm
Blockerv7 emmhandler dasm
22sk dasm
________________________________________ ________________________________________ _____________________
/| /|
/ | / |
/__|_____________________________________ ________________________________________ ____________________/ |
| | | |
| | Special thanks to Stunteam, Stuntguy, No1b4me,Bobigboys,IDAPRO,Dbdan, | |
| |_______________________________________ ________________________________________ __________________|__|
| / | /
| / | /
|/________________________________________ ________________________________________ ___________________|/

######################################## ######################################## #####################
######################################## ######################################## #####################


######################################## ######################################## #####################
######################################## ######################################## #####################
#section00: Openers
#0: Openers
######################################## ######################################## #####################
hello

######################################## ######################################## #####################
######################################## ######################################## #####################
# 1.1: NagraVision2 ATR
#
######################################## ######################################## #####################

3F ... Convention
|
|_____________ Inverse convention (data is inverted)

FF 95 00 FF 91 ... Initial parm setup
| | | | |
| | | | |_ Td1=91 (Ta2 and Td2 will be sent, Protocol is async
| | | | half duplex block format)
| | | |____ Tc1=FF (Guard time=257 bits)
| | |_______ Tb1=00 (No Vpp)
| |__________ Ta1=95 (F=512, D=16; Bit period=(512/16) (32) clocks)
|_____________ T0=FF (Ta1, Tb1, Tc1, and Td1 will be sent, 15
historical characters will be sent)

81 71 ... Secondary parameters
| |
| |__________ Td2=71 (Ta3, Tb3, and Tc3 will be sent, protocol is async
| half duplex block format)
|_____________ Ta2=81 (Mode change not allowed, Protocol is async half
duplex block format)

FF 47 00 ... T=1 specific parameters
| | |
| | |_______ Tc3=00 (LRC (XOR-type) error checking to be used)
| |__________ Tb3=47 (Char wait time is 25 bit times, block wait time
| is 634.9 mSec + 11 bit times) (1 bit time=7.111
| uSec)
|_____________ Ta3=FF (Receive block size=0xFF bytes (255 bytes decimal)

44 4E 41 53 50 53 30 31 20 52 65 76 36 34 30 ... Historical bytes
| |
|_____ ___________________________________|
|
|_______ ASCII text: "DNASPS01 Rev640".

05
|_____________ Checksum (all other bytes XORed together except the First "3F"byte)

######################################## ######################################## #####################
######################################## ######################################## #####################
# 1.2: NagraVision's packet structure I: The ISO-specified portion
#
######################################## ######################################## #####################

Bit convention note (C/P from wapo source) , and meltro correction
------------------------------------------------------------
NOTE: For RS-232, the output is normally low.
We must drive it high for start, stop, or data bits.
Using 115,200 baud, 1 start bit, 1 stop bit, no parity bit.
Order of bits sent is:
Start, LSB.....MSB, Stop


NOTE: For ATR message (from CAM to IRD at ~12,097 baud):

Bits are inverted (1 vs 0), i.e. if you want to send
a 1 then you drive the pin low.
1 start bit (always 1, which is 0 volts),
8 data bits,
3 stop bits (always 0, which is 5 volts),
no parity bits.
Order of bits sent is:
Start, MSB.....LSB, Stop
This is backwards from the way RS-232 does it.
Bit duration is 82.7 uS
Byte duration is 992 uS




Data rate specified for IRD/CAN normal comms is 140,625.
Bits are inverted (1 vs 0), i.e. if you want to send
a 1 then you drive the pin low.
1 start bit (always 1, which is 0 volts),
8 data bits,
2 stop bits (always 0, which is 5 volts),
no parity bits.

Or is it 1 parity and 1 stop?

Order of bits sent is:
Start, MSB.....LSB, Stop
This is backwards from the way RS-232 does it.
Bit duration is 7.11 uS
Byte duration is 78.2 uS
------------------------------------------------------------
######################################## ######################################## #####################
######################################## ######################################## #####################
#section1.5
#The status word
######################################## ######################################## #####################
N1 + N2 status word

SW1 SW2 Meaning
------ ------ -----------------------------------------------
63 00 Password(s) incorrect
69 82 Need password for access to backdoor commands
69 85 EEPROM data area pointer no good (Doesn't point to
an address in the $Exxx range)
69 86 Bad address in backdoor read/write memory command
6A 00 P1 and/or P2 byte incorrect
6B 00 Incorrect reference
6C FF Requested too few data bytes in $21 command
6D 00 Instruction not supported
6E 00 CLA not supported
6E 00 P1 and/or P2 byte incorrect (note: This is a bug in
the ROM3 code...in theory, this situation should
produce an SW1/SW2 of 6A 00, but it doesn't (in fact,
nothing does))
6F 00 Command not supported
90 00 Command completed successfully

90 01 ???



######################################## ######################################## #####################
######################################## ######################################## #####################
#section2.1 commands
#Nagra1 and Nagra2 Command list From Rom and Firmware
######################################## ######################################## #####################
A0 CA 00 00 HEADER Command list, ROM2-3-10-11-101(007)-102(103)-S01(640)
(always need correction somewhere in table)
----- ------ ------ ----- ------ ----- ------------------------------------------------------------
Data RSP
CMD #FW Length Length RSP # Length Type Description
----- ------ ------ ----- ------ ----- ------------------------------------------------------------
00 Y 00 Varies 00 00 N1 Entitlement Management Message (EMM)
00 Y 4D 53 80 05 N1 Entitlement Management Message (EMM)
01 Y 4D 53 81 05 N1 PPV Entitlement Management Message
02 Y 4D 53 82 05 N1 MECM key update
03 Y 00 Varies 83 05 N1 Entitlement Control Message
04 Y 00 Varies 84 02 N2 Entitlement Management Message (EMM)
04 Y 00 Varies 84 02 N2 Entitlement Management Message (EMM)
05 Y 00 Varies 85 05 ??
07 Y 00 Varies 87 02 N2 Entitlement Control Message
08 Y 00 Varies 88 04 ??
12 Y 02 08 92 06 N1/N2 Serial Number Request
13 Y 03 09 93 00 N1 Control Word Request (video decryption key request)
14 Y 02 08 94 06 N1 Processing cycle request
15 Y 02 08 95 08 N2 Processing cycle request
16 Y 00 Varies 96 04 ??
17 Y 00 Varies 97 02 N2 Special Entitlement Management Message Cmd17 (EMM)
18 Y 00 Varies 98 02 N2 Special Entitlement Management Message Cmd18 (EMM)
19 Y 00 Varies 99 04 ??
1A Y 02 08 9A 00 N2 Control Word Request (video decryption key request)
1C Y 02 08 9C 36 N2 Control Word Request (video decryption key request)
20 Y 06 0C A0 03 N1 Data items available request
21 Y 00 Varies A1 00 N1 Data item request
22 Y 03 09 A2 00 N2 Data item request
26 Y 07/02 0D/08 A6/86 42/00 N2
27 Y 47 4D A7 02 ??
28 Y 03 09 A8 1A ??
29 Y 02 08 A9 04 ??
2A Y 02 08 AA 42 N2 MECM key request
2B Y 42 48 AB 02 N2 MECM key update
2C Y 02 08 AC 42 ??
2D Y 42 48 AD 02 ??
30 Y 05 0B F0 05 N1 Request for encryption of data to be sent in callback
31 Y 02 08 F1 52 N1 Request for data encrypted by previous command $30
32 Y 05 0B F2 03 N2 Request for encryption of data to be sent in callback
33 Y 02 08 F3 00 N2 Request for data encrypted by previous command $32
40 Y 02 08 70 04 N1 EEPROM data space available request
41 Y 00/02 Varies 71/C1 03/00 N1/N2 PPV buy write
42 Y 09 0F 72 03 N1 PPV buy link
48 02 08 78 02? N2 Special Entitlement Management Message Cmd48 (EMM)
49 02 08 79 56? N2 Get EMMPlaintext from Cmd48
4A XX XX 7A xx N2 Special Encrypt Message Cmd4A
55 05 0B D5 06 N1 Mail Read
56 05 0B D6 06 N1 Delete Mail
60 Y 02 08 E0 42 N1 Get IRD command
61 Y 16 1C E1 03 N1 Write IRD info
63 Y 12 18 E3 03 ??
64 Y 12 18 E4 03 N2 Write IRD info
65 Y 02 08 E5 52 N2 Get IRD Command from EmmCmd64
68 Y 00 Varies E8 03 N2 Process UROM2 Data
69 Y 00 Varies E9 02 N2 Process UROM2 Data
6A Y 04 0A EA 02 N2 Update Provider Filter
6B Y 07 0D EB 02 N2 Update and play with DecryptKey no 7A and Provider Filter
6C Y 03 09 EC 02 N2 Update Provider Filter
6D ED N2 Update or Create DecryptKeyno24
6E Y 00 Varies EE 04 N2
99 Y 1A 20 99 1A N1 Anti-piracy message
C0 Y 02 08 B0 06 N1/N2 CAM status request
C1 Y 02 08 B1 04 N1 Request for ID of updated data items
C4 Y 00 Varies B4 02 N2 Special Entitlement Management Message CmdC4 (EMM)
C7 Y 02 08 B7 04 N2 Request for ID of updated data items
C8 Y 02 08 B8 06 N2 Request for date/time
C9 Y 00 Varies B9 04 ??
----- ------ ------ ----- ------ ----- ------------------------------------------------------------
Data RSP RSP Cmd
CMD #FW Length Length RSP # Length Type Description
----- ------ ------ ----- ------ ----- ------------------------------------------------------------
Y in table = Include in firmware list see below

From FW, Firmware 2700-2800
CMD
C0 12 99 60 40 14 C1 20-21 03 13 02 00 01 30 31
41 42 61 2C 2D 05 65 15-C8 22 C7 07 08 1C 1A 2A
2B 26 27 28 29 04 04 17-16 18 19 32 33 C4 C9 64
63 68 6E 69 6A 6B 6C 00

Length
02 02 1A 02 02 02 02 06-00 00 03 4D 4D 4D 05 02
00 09 16 02 42 00 02 02-02 03 02 00 00 02 02 02
42 07 47 03 02 00 00 00-00 00 00 05 02 00 00 12
12 00 00 00 04 07 03 00

RSP #
B0 92 99 E0 70 94 B1 A0-A1 83 93 82 80 81 F0 F1
71 72 E1 AC AD 85 E5 95-B8 A2 B7 87 88 9C 9A AA
AB A6 A7 A8 A9 84 84 97-96 98 99 F2 F3 B4 B9 E4
E3 E8 EE E9 EA EB EC 00

Rsp lengths:
06 06 1A 42 04 06 04 03-00 05 00 05 05 05 05 52
03 03 03 42 02 05 52 08-06 00 04 02 04 36 00 42
02 42 02 1A 04 02 02 02-04 02 04 03 00 02 04 03
03 03 04 02 02 02 02 00




######################################## ######################################## #####################
######################################## ######################################## #####################
#section2.2 commands
#Command Breakdown
######################################## ######################################## #####################

initial test was on virgin rom.
rom101 was 007
rom102 was 103
romS01 was 640

N3Rom Command and Firmware Command

######################################## ######################################## #####################
######################################## ######################################## #####################
#Cmd.04
#Rom:101-102-S01
# Data RSP Cmd
#CMD # Length Length RSP # Length Type Description
#----- ------ ------ ----- ------ ----- ----------------------------------------------------
#04 00 Varies 84 02 N2 Entitlement Management Message (EMM)
#04 00 Varies 84 02 N2 Entitlement Management Message (EMM)
######################################## ######################################## #####################
S01 accept more big packet
each ecm or emm packet need more recent date than eeprom

768 bit

CD 5C 06 call CmpZPtoZP3P ; Compare ZP RAM to ZP RAM
; (Params: Start1, Start2, Length)
; ---------------------------------------------------------------------------
8A dc.b {EMMBUFF+$A} ; Valid Date IF lower or equal
82 dc.b {EMMBUFF+2} ; EEprom Date(2HL)Time(1H) from 30DD, 30DE,30DF,
03 dc.b 3
; ---------------------------------------------------------------------------
23 1A jrule DecodeECM_EMM_CompareDate_BADDATE ; Jump if (C + Z = 1)


21 00 6D ; A0 CA 00 00 ;Standard header
67 ;Instruction length
04 ;Command
65 ;Command data length
09 01 ;Providor
81 00 10 ;Key select byte
F5 F9 5D DE 10 A6 5D FB ;Signature
28 9D 78 5C 10 E1 CA 38 ;Encrypted Package #0
1B A6 45 7E 9E 28 2C C6 ;Encrypted Package #1
3F E2 90 1A 8F 64 DF EA ;Encrypted Package #2
20 34 E5 AD BB 94 E5 05 ;Encrypted Package #3
8B A0 7B 22 51 20 47 98 ;Encrypted Package #4
52 43 64 9E 55 7B 4E B6 ;Encrypted Package #5
93 F5 45 1F 09 2D C7 FD ;Encrypted Package #6
5D A4 C0 87 1B E3 B1 1E ;Encrypted Package #7
8B B7 74 BC 90 C9 00 42 ;Encrypted Package #8
A1 09 BF D0 76 EF 7D 10 ;Encrypted Package #9
58 AB 77 FE 71 61 9B BB ;Encrypted Package #A
02 ;Expected response length
CA ;Checksum

12 00 04 ; 84 ;Response code
00 ;Response data length
90 00 ;SW1/SW2: Successful completion
02 ;Checksum

Key select byte
81 00 10 or 81 00 90 Single CAM
82 00 10 or 82 00 90 All CAMs


21 40 6D ; A0 CA 00 00
67
04
65
09 01
82 00 90
EE 73 55 9F B9 D5 02 7A
64 1E 72 0E 3F 61 11 26
D2 5C F2 AB DF 20 8D 89
75 CB A5 23 2C C3 E6 52
FD 60 F8 53 34 4B 28 6F
64 1D 6D 94 FD 5E D9 D9
47 80 5C AA 73 F1 4C 06
7A 88 35 58 E8 5A 8F 37
BA 18 EC 94 C5 40 58 7C
59 46 4B DD FC B7 D3 BB
4C A8 57 C7 43 11 8C D3
6B 4F 87 07 DC D9 D9 4E
02
C4


09 01 ;Emmbuff+00, Provider
13 E5 63 EA D8 B6 ;Signature
09 01 ;PROVIDER
13 DB 00 01 ;Date VALID EMMBUFF8A
14 34 03 84 ;Date2 Always compare with eepromDate30DD
42 00 10 06 08 00 10 10 F2 6F 9D 76 A8 03 DF C7 ;Emmcmd42
71 B1 BD F2 EA A1 D1 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 DC
D9 D9 4E 02 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00




IDEA Keys in eeprom

00 --> Unknown
01 --> for EMM-S
02 --> for EMM-G
03 --> for EMM signing
06 --> for ECM
07 --> for ECM signing
09 --> for cmd 32/33
0B --> unknown




Ready to send packet:

21 00 6D A0 CA 00 00 67 04 65 09 01 81 00 10 F5 F9 5D DE 10 A6 5D FB 28 9D 78 5C 10 E1 CA 38 1B A6 45 7E 9E 28 2C C6 3F E2 90 1A 8F 64 DF EA 20 34 E5 AD BB 94 E5 05 8B A0 7B 22 51 20 47 98 52 43 64 9E 55 7B 4E B6 93 F5 45 1F 09 2D C7 FD 5D A4 C0 87 1B E3 B1 1E 8B B7 74 BC 90 C9 00 42 A1 09 BF D0 76 EF 7D 10 58 AB 77 FE 71 61 9B BB 02 CA

12 00 04 84 00 90 00 02
######################################## ######################################## #####################
######################################## ######################################## #####################
#Cmd.05
#Rom:FWOnly
# Data RSP Cmd
#CMD # Length Length RSP # Length Type Description
#----- ------ ------ ----- ------ ----- ----------------------------------------------------
#05 00 Varies 85 05 ??
######################################## ######################################## #####################


Ready to send packet:
21 00 08 A0 CA 00 00 00 05 00 05 43

12 00 02 6F 00 7F Rom 101-102-S01 command not supported



######################################## ######################################## #####################
######################################## ######################################## #####################
#Cmd.07
#Rom:101-102-S01
# Data RSP Cmd
#CMD # Length Length RSP # Length Type Description
#----- ------ ------ ----- ------ ----- ----------------------------------------------------
#07 00 Varies 87 02 N2 Entitlement Control Message
######################################## ######################################## #####################
This command is used to prime the card to return video decryption keys to
the IRD. Contained within this command's encrypted packets are information
pertaining to the program tier the user is attempting to view, the correct
audio and video decryption keys for the channel, current date and time, and so
forth. When a card receives a $1C command, it will re-encrypt the decryption
keys using the IRD's 8-byte key and return them to the IRD if it (the card)
believes that the program tier that the user is attempting to watch is one for
which they are authorized.
In addition to information about the program that the user is attempting to
watch, the $07 command contains information about the encryption method used,
how many encrypted video keys are present, and so forth.

Example of a $07 command and its response:

21 00 4D ; A0 CA 00 00 ;Standard header
47 ;Instruction length
07 ;Command
45 ;Command data length
01 01 ;System ID
86 00 ;key select?
88 ;values = 08 or 88
46 FE 13 E9 56 82 74 E1 ;Data Package #0
6A 25 B4 75 9A 11 {D3} B2 ;Data Package #1
{52 EC 50 6A} 5C 19 83 E7 ;Data Package #2
48 B4 65 4C A5 47 2F 84 ;Data Package #3
E6 C3 0B 16 A4 9A 4E AE ;Data Package #4
B7 01 41 0E E6 54 D8 2C ;Data Package #5
BC 9E 9B 5E 24 E6 48 CF ;Data Package #6
96 A9 E1 76 1A 2D F0 89 ;Data Package #7
02 ;Expected response length
4C ;Checksum

12 00 04 ; 87 ;Response code
00 ;Response data length
90 00 ;SW1/SW2: Successful completion
01 ;Checksum

Ready to send packet:
21 00 4D A0 CA 00 00 47 07 45 01 01 86 00 88 46 FE 13 E9 56 82 74 E1 6A 25 B4 75 9A 11 D3 B2 52 EC 50 6A 5C 19 83 E7 48 B4 65 4C A5 47 2F 84 E6 C3 0B 16 A4 9A 4E AE B7 01 41 0E E6 54 D8 2C BC 9E 9B 5E 24 E6 48 CF 96 A9 E1 76 1A 2D F0 89 02 4C

12 00 04 87 00 90 00 01
######################################## ######################################## #####################
######################################## ######################################## #####################
#Cmd.08
#Rom:FWOnly
# Data RSP Cmd
#CMD # Length Length RSP # Length Type Description
#----- ------ ------ ----- ------ ----- ----------------------------------------------------
#08 00 Varies 88 04 ??
######################################## ######################################## #####################

Ready to send packet:
21 00 08 A0 CA 00 00 00 08 00 04 4F

12 00 02 6F 00 7F Rom 101-102-S01 command not supported


######################################## ###################

Data from official original card. Nagra 3 is NOT HACKED (All infos just infos )

[dreams@t]

Nagra3 is not hacked but i think soon

[mesicek7]

Nagra 3 will never be hacked
face it thats the truth

[igoreshka]

Nagra 3 will never be hacked
face it thats the truth

that's what peeps like you were saying when N2 was on the way. Let's stop being negative, and look on the bright side

[drahcirk03]

lets face it, looks like the end of the world is not coming, what a bummer,.and dont forget to look on the brightside ,even when uv infracted, he he,.

[zoro25]

All of the rumours are stirring as the US "FTA" operators have now all switched.

This always happens.
Most of the fake rumours are US based, The average European user has been coping with the lack of a hacked Nagra3 for over a year.

Having a linux box and many friends is the future of the satellite hobby.

Hobby Cards and Free Keys will slowing decrease in number to the point where there are next to none.

Encryptions will only get harder to break.

[antopo]

i hope so

[uȠiӃ ζ]

No confirmation of any N3 hack in Europe at this time
>JUST RUMORS<