gfto
/
tsdecrypt
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 18 Wiki Activity
tsdecrypt reads and decrypts CSA encrypted incoming mpeg transport stream over UDP/RTP using code words obtained from OSCAM or similar CAM server. tsdecrypt communicates with CAM server using cs378x (camd35 over tcp) protocol or newcamd protocol. https://georgi.unixsol.org/programs/tsdecrypt/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
196 Commits
4 Branches
Tree: a94de9f157
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a94de9f157'
${ noResults }
tsdecrypt/camd-newcamd.c

camd-newcamd.c 12KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416 
  1. /*

  2.  * newcamd protocol

  3.  * Most of the code is copied from getstream's newcamd protocol implementation.

  4.  *

  5.  * This program is free software; you can redistribute it and/or modify

  6.  * it under the terms of the GNU General Public License version 2

  7.  * as published by the Free Software Foundation.

  8.  *

  9.  * This program is distributed in the hope that it will be useful,

  10.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  11.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  12.  * GNU General Public License for more details.

  13.  *

  14.  * You should have received a copy of the GNU General Public License

  15.  * along with this program; if not, write to the Free Software

  16.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.

  17.  */

  18. 

  19. #define _XOPEN_SOURCE 700 // Needed to pull crypt() from unistd.h

  20. 

  21. #include <stdlib.h>

  22. #include <string.h>

  23. #include <unistd.h>

  24. 

  25. #include <openssl/des.h>

  26. 

  27. #include "libfuncs/libfuncs.h"

  28. 

  29. #include "data.h"

  30. #include "util.h"

  31. #include "camd.h"

  32. 

  33. #define NEWCAMD_PROTO_VER      525

  34. #define NEWCAMD_HDR_LEN        8

  35. #define NEWCAMD_FIRST_CMD_NO   0xe0

  36. 

  37. typedef enum {

  38. 	MSG_CLIENT_2_SERVER_LOGIN = NEWCAMD_FIRST_CMD_NO,

  39. 	MSG_CLIENT_2_SERVER_LOGIN_ACK,

  40. 	MSG_CLIENT_2_SERVER_LOGIN_NAK,

  41. 	MSG_CARD_DATA_REQ,

  42. 	MSG_CARD_DATA,

  43. 	MSG_SERVER_2_CLIENT_NAME,

  44. 	MSG_SERVER_2_CLIENT_NAME_ACK,

  45. 	MSG_SERVER_2_CLIENT_NAME_NAK,

  46. 	MSG_SERVER_2_CLIENT_LOGIN,

  47. 	MSG_SERVER_2_CLIENT_LOGIN_ACK,

  48. 	MSG_SERVER_2_CLIENT_LOGIN_NAK,

  49. 	MSG_ADMIN,

  50. 	MSG_ADMIN_ACK,

  51. 	MSG_ADMIN_LOGIN,

  52. 	MSG_ADMIN_LOGIN_ACK,

  53. 	MSG_ADMIN_LOGIN_NAK,

  54. 	MSG_ADMIN_COMMAND,

  55. 	MSG_ADMIN_COMMAND_ACK,

  56. 	MSG_ADMIN_COMMAND_NAK,

  57. 	MSG_KEEPALIVE = NEWCAMD_FIRST_CMD_NO + 0x1d

  58. } net_msg_type_t;

  59. 

  60. static void set_odd_parity(uint8_t *key) {

  61. 	DES_set_odd_parity((DES_cblock *)&key[0]);

  62. 	DES_set_odd_parity((DES_cblock *)&key[8]);

  63. }

  64. 

  65. static void des_schedule_key(triple_des_t *td) {

  66. 	DES_key_sched((DES_cblock *)&td->des_key[0],&td->ks1);

  67. 	DES_key_sched((DES_cblock *)&td->des_key[8],&td->ks2);

  68. }

  69. 

  70. static void des_key_spread(triple_des_t *td, uint8_t *normal) {

  71. 	td->des_key[0]  =   normal[0] & 0xfe;

  72. 	td->des_key[1]  = ((normal[0] << 7) | (normal[1] >> 1)) & 0xfe;

  73. 	td->des_key[2]  = ((normal[1] << 6) | (normal[2] >> 2)) & 0xfe;

  74. 	td->des_key[3]  = ((normal[2] << 5) | (normal[3] >> 3)) & 0xfe;

  75. 	td->des_key[4]  = ((normal[3] << 4) | (normal[4] >> 4)) & 0xfe;

  76. 	td->des_key[5]  = ((normal[4] << 3) | (normal[5] >> 5)) & 0xfe;

  77. 	td->des_key[6]  = ((normal[5] << 2) | (normal[6] >> 6)) & 0xfe;

  78. 	td->des_key[7]  =   normal[6] << 1;

  79. 	td->des_key[8]  =   normal[7] & 0xfe;

  80. 	td->des_key[9]  = ((normal[7] << 7)  | (normal[8] >> 1)) & 0xfe;

  81. 	td->des_key[10] = ((normal[8] << 6)  | (normal[9] >> 2)) & 0xfe;

  82. 	td->des_key[11] = ((normal[9] << 5)  | (normal[10] >> 3)) & 0xfe;

  83. 	td->des_key[12] = ((normal[10] << 4) | (normal[11] >> 4)) & 0xfe;

  84. 	td->des_key[13] = ((normal[11] << 3) | (normal[12] >> 5)) & 0xfe;

  85. 	td->des_key[14] = ((normal[12] << 2) | (normal[13] >> 6)) & 0xfe;

  86. 	td->des_key[15] =   normal[13] << 1;

  87. 	set_odd_parity(td->des_key);

  88. };

  89. 

  90. static uint8_t xor_sum(const uint8_t *mem, int len) {

  91. 	uint8_t cs = 0;

  92. 	while (len > 0) {

  93. 		cs ^= *mem++;

  94. 		len--;

  95. 	}

  96. 	return cs;

  97. }

  98. 

  99. static int pad_message(uint8_t *data, int len) {

  100. 	DES_cblock padBytes;

  101. 	uint8_t noPadBytes = (8 - ((len - 1) % 8)) % 8;

  102. 	if (len + noPadBytes + 1 >= NEWCAMD_MSG_SIZE - 8)

  103. 		return -1;

  104. 	DES_random_key(&padBytes);

  105. 	memcpy(data + len, padBytes, noPadBytes);

  106. 	len += noPadBytes;

  107. 	data[len] = xor_sum(data + 2, len - 2);

  108. 	return len + 1;

  109. }

  110. 

  111. static const uint8_t *triple_des_encrypt(triple_des_t *td, uint8_t *data, int len, uint8_t *crypted) {

  112. 	DES_cblock ivec;

  113. 	DES_random_key(&ivec);

  114. 	memcpy(crypted + len, ivec, sizeof(ivec));

  115. 	DES_ede2_cbc_encrypt(data + 2, crypted + 2, len - 2, &td->ks1, &td->ks2, (DES_cblock *)ivec, DES_ENCRYPT);

  116. 	return crypted;

  117. }

  118. 

  119. static void triple_des_decrypt(triple_des_t *td, uint8_t *data, int len) {

  120. 	if ((len-2) % 8 || (len-2) < 16)

  121. 		return;

  122. 	DES_cblock ivec;

  123. 	len -= sizeof(ivec);

  124. 	memcpy(ivec, data+len, sizeof(ivec));

  125. 	DES_ede2_cbc_encrypt(data+2, data+2, len-2, &td->ks1, &td->ks2, (DES_cblock *)ivec, DES_DECRYPT);

  126. }

  127. 

  128. static void prepare_login_key(struct camd *c, const uint8_t *rkey) {

  129. 	unsigned int i;

  130. 	uint8_t tmpkey[14];

  131. 	for(i = 0; i < sizeof(tmpkey); i++)

  132. 		tmpkey[i] = rkey[i] ^ c->newcamd.bin_des_key[i];

  133. 	des_key_spread(&c->newcamd.td_key, tmpkey);

  134. }

  135. 

  136. static int newcamd_connect(struct camd *c);

  137. 

  138. static uint8_t newcamd_send_msg(struct camd *c, const uint8_t *data, int data_len, uint16_t service_id, uint8_t useMsgId) {

  139. 	uint8_t netbuf[NEWCAMD_MSG_SIZE];

  140. 

  141. 	if (newcamd_connect(c) < 0)

  142. 		return 0;

  143. 

  144. 	if (data_len < 3 || (data_len + NEWCAMD_HDR_LEN + 4) > NEWCAMD_MSG_SIZE) {

  145. 		ts_LOGf("ERR | [%s] Bad message size.\n", c->ops.ident);

  146. 		return 0; // false

  147. 	}

  148. 

  149. 	memset(&netbuf[2], 0, NEWCAMD_HDR_LEN + 2);

  150. 	memcpy(&netbuf[NEWCAMD_HDR_LEN + 4], data, data_len);

  151. 

  152. 	netbuf[NEWCAMD_HDR_LEN + 4 + 1] = (data[1] & 0xF0) | (((data_len - 3) >> 8) & 0x0F);

  153. 	netbuf[NEWCAMD_HDR_LEN + 4 + 2] = (data_len - 3) & 0xFF;

  154. 

  155. 	data_len += 4;

  156. 	netbuf[4] = service_id >> 8;

  157. 	netbuf[5] = service_id & 0xFF;

  158. 

  159. 	data_len += NEWCAMD_HDR_LEN;

  160. 

  161. 	if (useMsgId) {

  162. 		c->newcamd.msg_id++;

  163. 		netbuf[2] = c->newcamd.msg_id >> 8;

  164. 		netbuf[3] = c->newcamd.msg_id & 0xFF;

  165. 	}

  166. 

  167. 	if ((data_len = pad_message(netbuf, data_len)) < 0) {

  168. 		ts_LOGf("ERR | [%s] Pad_message failed.\n", c->ops.ident);

  169. 		return 0;

  170. 	}

  171. 

  172. 	if ((data = triple_des_encrypt(&c->newcamd.td_key, netbuf, data_len, netbuf)) == 0) {

  173. 		ts_LOGf("ERR | [%s] Encrypt failed.\n", c->ops.ident);

  174. 		return 0;

  175. 	}

  176. 

  177. 	data_len += sizeof(DES_cblock);

  178. 	netbuf[0] = (data_len - 2) >> 8;

  179. 	netbuf[1] = (data_len - 2) & 0xFF;

  180. 

  181. 	return fdwrite(c->server_fd, (char *)netbuf, data_len);

  182. }

  183. 

  184. static int newcamd_recv_msg(struct camd *c, uint8_t *data, uint8_t useMsgId) {

  185. 	uint8_t *netbuf = c->newcamd.buf;

  186. 

  187. 	if (fdread(c->server_fd, (char *)netbuf, 2) != 2) {

  188. 		ts_LOGf("ERR | [%s] Failed to read message.\n", c->ops.ident);

  189. 		return 0;

  190. 	}

  191. 

  192. 	int mlen = ((netbuf[0] << 8) | netbuf[1]) & 0xFFFF;

  193. 	if (mlen > NEWCAMD_MSG_SIZE - 2) {

  194. 		ts_LOGf("ERR | [%s] Buffer overflow [mlen = %d]\n", c->ops.ident, mlen);

  195. 		return 0;

  196. 	}

  197. 

  198. 	if (fdread(c->server_fd, (char *)netbuf+2, mlen) != mlen) {

  199. 		ts_LOGf("ERR | [%s] Failed to read message.\n", c->ops.ident);

  200. 		return 0;

  201. 	}

  202. 

  203. 	mlen += 2;

  204. 	triple_des_decrypt(&c->newcamd.td_key, netbuf, mlen);

  205. 	mlen -= sizeof(DES_cblock);

  206. 	if (xor_sum(netbuf + 2, mlen - 2)) {

  207. 		ts_LOGf("ERR | [%s] Checksum error.\n", c->ops.ident);

  208. 		return 0;

  209. 	}

  210. 

  211. 	int retlen = (((netbuf[5 + NEWCAMD_HDR_LEN] << 8) | netbuf[6 + NEWCAMD_HDR_LEN]) & 0x0FFF) + 3;

  212. 

  213. 	if (useMsgId) {

  214. 		uint16_t tmp = ((netbuf[2] << 8) | netbuf[3]) & 0xFFFF;

  215. 		if (c->newcamd.msg_id != tmp) {

  216. 			ts_LOGf("ERR | [%s] Bad msg_id %04X != %04X\n", c->ops.ident, c->newcamd.msg_id, tmp);

  217. 			return -2;

  218. 		}

  219. 	}

  220. 

  221. 	memmove(data, netbuf + 4 + NEWCAMD_HDR_LEN, retlen);

  222. 

  223. 	return retlen;

  224. }

  225. 

  226. static uint8_t newcamd_send_cmd(struct camd *c, net_msg_type_t cmd) {

  227. 	uint8_t data[3] = { 0, 0, 0 };

  228. 	data[0] = cmd;

  229. 	return newcamd_send_msg(c, data, sizeof(data), 0, 0);

  230. }

  231. 

  232. static int newcamd_recv_cmd(struct camd *c) {

  233. 	uint8_t buffer[NEWCAMD_MSG_SIZE];

  234. 	if (newcamd_recv_msg(c, buffer, 0) != 3)

  235. 		return -1;

  236. 	return buffer[0];

  237. }

  238. 

  239. static void newcamd_init_card_data(struct camd *c, struct newcamd *nc, uint8_t *buffer) {

  240. 	int i;

  241. 	char msg_buffer[32];

  242. 

  243. 	nc->caid = (buffer[4] << 8) | buffer[5];

  244. 

  245. 	for(i = 0; i < 8; i++)

  246. 		sprintf(&msg_buffer[i*2], "%02X", buffer[6 + i]);

  247. 

  248. 	ts_LOGf("CAM | [%s] Card info: CAID 0x%04X Admin=%s srvUA=%s\n",

  249. 		c->ops.ident, nc->caid, (buffer[3]==1) ? "YES" : "NO", msg_buffer);

  250. 	memcpy(nc->ua, &buffer[6], 8);

  251. 

  252. 	// Parse providers

  253. 	uint8_t is_ok = 0;

  254. 	nc->num_of_provs = buffer[14];

  255. 	for (i = 0; i < nc->num_of_provs; i++) {

  256. 		if (nc->prov_ident_manual == 0) {

  257. 			memcpy(nc->provs_ident[i], &buffer[15+11*i], 3);

  258. 			memcpy(nc->provs_id[i], &buffer[18+11*i], 8);

  259. 		} else {

  260. 			if (!memcmp(nc->provs_ident[0], &buffer[15+11*i], 3)) {

  261. 				is_ok = 1;

  262. 				memcpy(nc->provs_id[0], &buffer[18+11*i], 8);

  263. 			} else {

  264. 				continue;

  265. 			}

  266. 		}

  267. 		uint8_t debug_idx = (nc->prov_ident_manual == 1) ? 0 : i;

  268. 		ts_LOGf("CAM | [%s] Card info: Provider %d : %02X%02X%02X : %02X%02X%02X%02X%02X%02X%02X%02X\n",

  269. 				c->ops.ident,

  270. 				debug_idx,

  271. 				nc->provs_ident[debug_idx][0], nc->provs_ident[debug_idx][1],

  272. 				nc->provs_ident[debug_idx][2], nc->provs_id[debug_idx][0],

  273. 				nc->provs_id[debug_idx][1], nc->provs_id[debug_idx][2],

  274. 				nc->provs_id[debug_idx][3], nc->provs_id[debug_idx][4],

  275. 				nc->provs_id[debug_idx][5], nc->provs_id[debug_idx][6],

  276. 				nc->provs_id[debug_idx][7]);

  277. 

  278. 		if (nc->prov_ident_manual == 1 && is_ok == 1) {

  279. 			nc->num_of_provs = 1;

  280. 			break;

  281. 		}

  282. 	}

  283. }

  284. 

  285. static int newcamd_login(struct camd *c) {

  286. 	uint8_t *buffer = c->newcamd.buf;

  287. 

  288. 	c->newcamd.caid = 0;

  289. 	c->newcamd.msg_id = 0;

  290. 

  291. 	uint8_t rand_data[14];

  292. 	if (fdread(c->server_fd, (char *)rand_data, sizeof(rand_data)) != 14) {

  293. 		ts_LOGf("ERR | [%s] Can't read protocol handshake.\n", c->ops.ident);

  294. 		return 0;

  295. 	}

  296. 

  297. 	char *crPasswd = crypt(c->pass, "$1$abcdefgh$");

  298. 

  299. 	const int userLen = strlen(c->user) + 1;

  300. 	const int passLen = strlen(crPasswd) + 1;

  301. 

  302. 	// prepare login message

  303. 	buffer[0] = MSG_CLIENT_2_SERVER_LOGIN;

  304. 	buffer[1] = 0;

  305. 	buffer[2] = userLen + passLen;

  306. 	memcpy(&buffer[3], c->user, userLen);

  307. 	memcpy(&buffer[3 + userLen], crPasswd, passLen);

  308. 

  309. 	prepare_login_key(c, rand_data);

  310. 	des_schedule_key(&c->newcamd.td_key);

  311. 

  312. 	if (!newcamd_send_msg(c, buffer, buffer[2] + 3, 0, 1) ||

  313. 		newcamd_recv_cmd(c) != MSG_CLIENT_2_SERVER_LOGIN_ACK)

  314. 	{

  315. 		ts_LOGf("ERR | [%s] Login failed. Check user/pass/des-key.\n", c->ops.ident);

  316. 		sleep(1);

  317. 		return 0;

  318. 	}

  319. 

  320. 	// Prepare session key

  321. 	uint8_t tmpkey[14];

  322. 	memcpy(tmpkey, c->newcamd.bin_des_key, sizeof(tmpkey));

  323. 	int i;

  324. 	for(i = 0; i < (passLen - 1); ++i)

  325. 		tmpkey[i % 14] ^= crPasswd[i];

  326. 	des_key_spread(&c->newcamd.td_key, tmpkey);

  327. 	des_schedule_key(&c->newcamd.td_key);

  328. 

  329. 	if (!newcamd_send_cmd(c, MSG_CARD_DATA_REQ) || newcamd_recv_msg(c, buffer, 0) <= 0) {

  330. 		ts_LOGf("ERR | [%s] MSG_CARD_DATA_REQ error.\n", c->ops.ident);

  331. 		return 0;

  332. 	}

  333. 

  334. 	if (buffer[0] == MSG_CARD_DATA) {

  335. 		newcamd_init_card_data(c, &c->newcamd, buffer);

  336. 	} else {

  337. 		ts_LOGf("ERR | [%s] MSG_CARD_DATA response error.\n", c->ops.ident);

  338. 	}

  339. 

  340. 	return 1;

  341. }

  342. 

  343. static int newcamd_connect(struct camd *c) {

  344. 	if (c->server_fd < 0) {

  345. 		c->server_fd = camd_tcp_connect(c->server_addr, c->server_port);

  346. 		if (!newcamd_login(c))

  347. 			shutdown_fd(&c->server_fd);

  348. 	}

  349. 	return c->server_fd;

  350. }

  351. 

  352. static void newcamd_disconnect(struct camd *c) {

  353. 	shutdown_fd(&c->server_fd);

  354. }

  355. 

  356. static int newcamd_reconnect(struct camd *c) {

  357. 	newcamd_disconnect(c);

  358. 	return newcamd_connect(c);

  359. }

  360. 

  361. static int newcamd_do_ecm(struct camd *c, struct camd_msg *msg) {

  362. 	return newcamd_send_msg(c, msg->data, msg->data_len, msg->service_id, 1);

  363. }

  364. 

  365. static int newcamd_do_emm(struct camd *c, struct camd_msg *msg) {

  366. 	uint8_t *buf = c->newcamd.buf;

  367. 	int ret;

  368. 

  369. 	ret = newcamd_send_msg(c, msg->data, msg->data_len, msg->service_id, 1);

  370. 	if (!ret)

  371. 		return ret;

  372. 

  373. 	int data_len = newcamd_recv_msg(c, buf, 1);

  374. 	if (data_len >= 3) {

  375. 		if (buf[1] & 0x10)

  376. 			return 1; // OK

  377. 		ts_LOGf("ERR | [%s] EMM rejected by card.\n", c->ops.ident);

  378. 	} else {

  379. 		ts_LOGf("ERR | [%s] EMM unexpected server response (data_len=%d, buf[1]=0x%02x).\n",

  380. 			c->ops.ident, data_len, buf[1]);

  381. 	}

  382. 

  383. 	return 0; // Error

  384. }

  385. 

  386. static int newcamd_get_cw(struct camd *c, uint16_t *ca_id, uint16_t *idx, uint8_t *cw) {

  387. 	int ret;

  388. 	uint8_t *buf = c->newcamd.buf;

  389. 

  390. 	while((ret = newcamd_recv_msg(c, buf, 1)) == -2)

  391. 		ts_LOGf("ERR | [%s] msg_id sync error. retrying...\n", c->ops.ident);

  392. 

  393. 	if (ret != 19) {

  394. 		if (ret == 3)

  395. 			ts_LOGf("ERR | [%s] Card was not able to decode the channel.\n", c->ops.ident);

  396. 		else

  397. 			ts_LOGf("ERR | [%s] Unexpected CAMD server response (code %d).\n", c->ops.ident, ret);

  398. 		return 0;

  399. 	}

  400. 

  401. 	*ca_id = c->newcamd.caid;

  402. 	*idx   = 0; // FIXME

  403. 	memcpy(cw, c->newcamd.buf + 3, 16);

  404. 	return 1;

  405. }

  406. 

  407. void camd_proto_newcamd(struct camd_ops *ops) {

  408. 	strcpy(ops->ident, "newcamd");

  409. 	ops->proto		= CAMD_NEWCAMD;

  410. 	ops->connect	= newcamd_connect;

  411. 	ops->disconnect	= newcamd_disconnect;

  412. 	ops->reconnect	= newcamd_reconnect;

  413. 	ops->do_emm		= newcamd_do_emm;

  414. 	ops->do_ecm		= newcamd_do_ecm;

  415. 	ops->get_cw		= newcamd_get_cw;

  416. }