Blocking cmd#04 Nagra 3 exploit



Mr_Spark
20th October, 2011, 09:00 PM
Anyone considered this?

When we cancel a subscription, VM sends a CMD#04 out to turn our card off; now how about we block just that cmd?

We could alter the Spanish code fairly easily and use an AVR 8515 card similar to this:

Tarjeta Universal THT v1.4 ( AVR8) (http://todoelectronica.com/tarjeta-universal-avr8-p-89.html)

Using this as the logger that filters to our VM box and allows the rest of the data (although we don't know what the rest do without the encryption key).

Or we could use a Dreambox and disable cmd#04 in the CAM - this way we need pairing details.

Now this will work, and I guess when we do this we are watching free TV without dirty c/s.

Where we fall down is that tiers will probably expire (time unknown, but I guess, and it's only a guess, a few months).

A bit of food for thought ....

S

TheCoder
20th October, 2011, 11:07 PM
It will work but, as you mention, the tiers will eventually naturally expire, but if you time things properly you could get up to 2 free months.

Tier expiry depends on the tier, with most premiums lasting only one month and lesser tiers lasting two months.

There's a further added complication in that if a key update is issued then the card will expire immediately unless you can somehow identify and allow the key update EMM. You may possibly do this by allowing global EMMs and only blocking addressed group/card EMMs.

This stuff is certainly interesting for hobbyists, but I suspect it won't be of much interest to the average moocher who's just looking for free TV.

Ansem
24th October, 2011, 11:36 AM
I think they send EMMs every 20 days or so and expire after 64 days; imo you would only be delaying the inevitable.
Why cancel a sub just to get maybe 64 days of free TV?

Mr_Spark
24th October, 2011, 08:24 PM
I think they send EMMs every 20 days or so and expire after 64 days; imo you would only be delaying the inevitable.
Why cancel a sub just to get maybe 64 days of free TV?

We really have no idea of what they send on the latest encryption - in the past a card has the tiers set by your ID and the code is diff for higher tiers to lower. There are no special EMMs sent as you subscribe, just a constant CMD# when we cancel to write codspace on the card.

Kudelski does make mistakes and we just don't know... let's see how long it lasts.

S

satsmo
24th October, 2011, 10:22 PM
I can understand why you are doing this as I am all for the hobby also, but you won't gain much more info in relation to the card itself.

I can see it may help you formulate a way of producing some sort of blocker and maybe as a backend of this some minor insights into a few other cmds, but that will be about it.

I do applaud what you are attempting though as many have sat with their hands under their proverbial arse for quite a while now, (BTW that includes me also), but I still believe there are avenues to follow that may not be on public forums.

I wish you the best in your testing, I presume you are going down the softcam route?

TheCoder
24th October, 2011, 10:52 PM
Kudelski does make mistakes and we just don't know... let's see how long it lasts.

All the smartcard manufacturers make mistakes, but they tend to be pretty subtle. Just look at the 'Nipper' backdoor login on N1 cards - not exactly the kind of thing you could find without an initial dump to work with.

Playing with/learning a card's command set is certainly interesting from a hobbyist point of view and certainly gives you some insights as to what the card is capable of, but I doubt if it's going to lead to any major 'hack' breakthroughs. To defeat any card-based encryption system you really need a full card firmware dump to use as a 'bootstrap' to enable you to find the more subtle exploits.

Mr_Spark
25th October, 2011, 10:29 AM
@satsmo @TheCoder; totally agree with you, but it's an avenue of interest and with a softcam fairly easy; the work has already been done overseas in underground places. Of course it works and I realise there is little chance of a major breakthrough; we can assume with a bit of confidence that the tier structure will be identical to other flavours of Nagra. But let's see how long...

We all realise that N1 was indeed compromised with info gained from a dump/file in Spain (when you look back it's amazing how long the UK took to realise we could use all their tools). As for the Nipper login used in various bits of code like NE; yes, without a dump how did we know? Lots of theories of things reverse engineered by other parties and leaked...

From what I can see, other avenues all look at dumping the N3 card; we know from other places that we can fault the CAM; however we all realise that the RAM protection and indeed timing of code exe along with encryption keys we have no idea about, make things ahem - challenging! I truly believe that we are not going to hack N3 without serious equipment in a LAB environment. We can't write anything to the card, let alone know any addressing.

To coin a phrase, we need the key(s).

S

Mr_Spark
28th October, 2011, 07:24 PM
Up and running, let's see now....

satsmo
28th October, 2011, 07:45 PM
Best of luck, and it would be interesting to hear the outcome.

TheCoder
29th October, 2011, 11:53 PM
Before you start getting cards cancelled, read the tier dates and note the update schedule for each tier. It would be pointless running the experiment if tiers only have a day or two to run......

A useful addition would be to log all EMMs that are addressed to your test card. A PC DVB card and an appropriate program can be very useful for such 'logging' work. One of the things you can possibly determine is the frequency of the tier 'cancel' commands.

You can also log all 'global' EMMs. If your card goes off prematurely then try manually sending these globals - chances are one of them is a key-change.

Mr_Spark
18th November, 2011, 12:59 AM
Before you start getting cards cancelled, read the tier dates and note the update schedule for each tier. It would be pointless running the experiment if tiers only have a day or two to run......

A useful addition would be to log all EMMs that are addressed to your test card. A PC DVB card and an appropriate program can be very useful for such 'logging' work. One of the things you can possibly determine is the frequency of the tier 'cancel' commands.

You can also log all 'global' EMMs. If your card goes off prematurely then try manually sending these globals - chances are one of them is a key-change.

Wise words as usual :-)

The cancel cmd is not that frequent and I am all but certain that we have no keychange.

It's still early days but no loss as yet (I can't believe that the tier structure is diff - we all know it's an advance on earlier Nagra and not "new Nagra 3") - Coder, are you still in the usual places to chat about this and look at some code?

Kudelski can't have messed up, can he?

S

Mr_Spark
26th November, 2011, 09:56 PM
Still fully open and all channels available.....

pudzy
3rd December, 2011, 12:34 PM
Any update, have entitlements run out yet?

Mr_Spark
7th December, 2011, 11:26 PM
No, fully open. No loss as yet. I will keep you informed.

TheCoder
7th December, 2011, 11:43 PM
No, fully open. No loss as yet. I will keep you informed.

If you read the tiers off then you should be able to see exactly when stuff will expire. Generally you get around 50 days if you time things just right, BUT it will all depend on how much notice you have to give of termination before they stop charging you.

I think the notice period is 28 days, so you may think you have cancelled but they will actually still be charging you for the next 28-day period.

You may still actually be in that 28-day notice period, so they may not have even sent any tier-kill commands your way yet.

Mr_Spark
8th December, 2011, 12:35 AM
@TheCoder you are correct, the tier null cmd has not yet arrived.

pudzy
10th December, 2011, 01:14 AM
m8, if you look at the tiers, shouldn't the expiry dates be on there... it's usually 28 days' notice, then your month in hand. So you could be talking a full 8 weeks before it, and it will expire..

southpaw83
30th March, 2013, 03:21 PM
I saw this thread on another forum. Just wondering how long it took for the tiers to expire?

liamwebbo
1st April, 2013, 01:59 AM
Great read guys, interesting stuff.