Distribuite by dreambox.chokelive.com gbox - Version 1.00pre11 ---------------------------------------------------------------------!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! This is an internal beta version, not for public release. It is incomplete, contains bugs and should not be used by any 'Joe Public' user. If anyone receives this from someone else and wants to test it, you can do so. I would only ask that you do not start a discussion and do not distribute this to any upload servers, nor post any images. If you are not in a position to create your own image, then you'll only have problems with this software. Thanks! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! The gbox is: A. Emulator: Irdeto,Seca,Viaccess,Nagravision,Conax. All with AU B. Softcam : Irdeto,Seca,Viaccess,Nagravision,Conax,Cryptoworks,NDS auch alle 2er systeme. All with AU C. off-air ECM&EMM Log Auswerter. D. Tool to send ECMs and EMMs to the card via the RS232 port. E. Multipid logger: multiple ECM and EMM pids can be logged simultaneously F. Card sharing Client & Server peer to peer, local and internet. G. Standalone CWserver H. GSMS Messageing system The following versions are contained in the Zip: PPC Linux api1 Linux api2 Linux api3 Intel X86 Linux api3 (VDR) dos&windows (Multidec, ProgDVB, MyTheatre, usw.) The gbox works in direct or indirect mode. In direct mode, the pmt is written on the trigger of the /var/tmp/pmt.tmp, the gbox controls all other pids and the cw_write If no pmt.tmp is found, the gbox will work in indirect mode in which the PMT/CAT and the ECM/EMM pids are sent to the gbox via UDP, and it sends back the CWs via UDP. This mode is API-less and can be used with any application. direkt indirekt off-air cwserver PPC Linux api1 api1 Yes Linux api2 api2 Yes Yes Linux api3 api3 Yes Yes Intel X86 Linux api3 api3 Yes dos&windows Yes Yes UDP UDP UDP UDP UDP Instructions: port 8003: gbox_out port 8004: gbox_in port 8005: gbox_in port 8006: gbox_in Yes Yes Yes Yes Yes Yes Yes (CW_write, Need_pids) (PMT, CAT) (pid1 von der Need_pids liste) (pid2 von der Need_pids liste) UDP port 8007: gbox_in usw. (pid3 von der Need_pids liste) CW_Write : 89 CW1 CW2 Example : 89 01 02 03 04 05 06 07 08 10 20 30 40 50 60 70 80 Need_pids: 8A pid_number(1 byte) pid1(2 bytes) pid2(2 bytes) usw ... Example : 8A 02 10 00 15 00 CAT PMT : 86 01 ..... : 87 02 ..... pidx : 88 pid(2 bytes) len(1 byte) data Example : 88 15 01 48 81 70 ... Bei jedem Nee_pids muss der server alle pids >= 8005 schlieáen, und nach der erhaltenen Liste alle neu ”ffnen. Irdeto AU ============================== + Single Key update + multiple Key update - 2 keys + multiple Key update - 2 single key update in ein Packet + PMK update A multiple key update - 4 keys I'm not sure about but it should work. There could be many Prov/PMKs introduced. With debug level 2 all keys are written, irrespective of whether these are old or new. Therefore all Prov/PMKs are checked for validity. If a provider ID of 00 00 00 is supplied, this is tested with every EMM and when the correct signature is found an update is run. Seca AU ============================ + multiple Key update - 3 keys + AU over primary MK or primary & secondary MK In the case of a known key, but not the PPUA and/or key number, the PPUA is given as 00 00 00. In this case the key is checked for all EMMs and when the correct hash and signature match the update is run, and thus the PPUA/Key nr is distributed. The number of simultaneous 00 00 00 00 keys that can be processed depends on the speed of the EMM data, although one will always run (?). Many PPUA/MKs per provider can be used. With debug level 2, all keys are written irrespective of whether they are new or old. So all the PPUA/MKs can be tested for validity. Via AU ==================== + single Key update + multiple key update 2 keys + AU + AU + AU ber SA (SRG, SloTV, ...) ber UA (SVT, HRT, ... ) ber issuer There could be many Prov/PMKs introduced. With debug level 2 all keys are written, irrespective of whether these are old or new. Therefore all Prov/PMKs are checked for validity. Falls eine PPUA als 00 00 00 00 angegeben wird, wird dieser MK mit allen EMM's berpr ft, im falle einer g ltigen Signatur wird das update ausgef hrt. See above Nagra AU ======== Implementation of ROM3, ROM7, ROM10 and ROM11 Card types. 0001 - Dish Networks 0801 - Bell Express VU 2C01 - SABC 4001 - Via Digital 4601 - Euskatel 4801 - TV Cabo 4A01 - MMBN (Asia) 4E01 - Dream TV (Philipines) 5401 - NTL Cable 5A01 - TeleWest Cable 5C01 - C&W/NTL Cable 7001 - Polsat 7401 - Star Digital 9401 - Hong Kong Cable There's not much to say here - it's completely plug and play. Just leave it in Autoupdate_mode=Auto. All ROMs, EEPROMs, RAMs, keys etc. are integrated into the gbox. Conax AU ======== There could be many Prov/PMKs introduced. With debug level 2 all keys are written, irrespective of whether these are old or new. Therefore all Prov/PMKs are checked for validity. See above The AU is implemented for complete updates (exp+mod) as well as partial updates (only exp or only mod). Gbox Multisystem Softcam ======================== In the gbox is an integrated multisystem softcam. To use this, you will need to attach a chip card reader to COM1 or COM2 (modem slot on the dbox2). You can connect a Smartmouse/Phoenix to COM1 or COM2. Or a sc8in1 for up to 8 cards on one COM port. With this it is possible to communicate with up to 8 chip cards over COM1 or COM2. This way it does not matter which card system is involved, as all cards and systems can be combined. This would mean 8 Magiccams. The COM port on the dbox2 is TTL level, to which a sc8in1 can be directly attached, although not a Smartmouse. To connect a Multicam to COM2 of the dbox2, please read the file multicam.txt. Currently, the following cam systems are supported: Irdeto allcam Seca/Mediagard Viaccess Nagravision Cryptoworks Conax NDS - A0x/K0x/S0x/C/D/F/1.x/382/383/384/Z/nonZ/DS9/Xin1 Original Seca1+Seca2, GW, Fun Original, GW, Fun Original, Fun Original Original Original All systems with full autoupdate support. Tested with dbox2(PPC), VDR(intel x86) and Win32(intel x86) *6MHz test* ECM test EMM test ========================================================= Irdeto 1.x GW OK OK OK Irdeto 6in1 Fun OK OK OK Irdeto DS9 Piccard2 OK OK Irdeto Fun C/D383Z OK OK OK Irdeto Fun C/D/F384Z OK OK OK Irdeto original C/D/F383Z OK OK OK Irdeto original C/D/F384 OK OK OK Irdeto original A01/K01/S01 OK OK OK Irdeto original A02/K02/S02 OK OK OK Irdeto2 original OK OK OK --------------------------------------------------------Seca Fun OK OK OK Seca GW OK OK OK Seca original OK OK OK Seca2 original OK OK OK --------------------------------------------------------Viaccess Fun OK OK OK Viaccess GW OK OK OK Viaccess original OK OK OK Viaccess2 original OK OK OK --------------------------------------------------------Nagravision Fun OK OK OK Nagravision original ROM2 OK OK OK Nagravision original ROM3 OK OK OK Nagravision original ROM7 OK OK OK Nagravision original ROM10 OK OK OK Nagravision original ROM11 OK OK --------------------------------------------------------Cryptoworks original V1 OK OK OK Cryptoworks original V2 OK OK OK Cryptoworks original V3 OK OK OK --------------------------------------------------------Conaxis Fun-NagraInConax OK OK Conax original OK OK OK --------------------------------------------------------NDS original (provider: 0960) OK OK OK --------------------------------------------------------(*)With the dbox2 3.579MHz and 6MHz oscillators can be used for all systems. The software sets the baud rate, the card type and automatically sets all the parameters. A 6MHz type is recommended, since the card works 68% faster with it and changes channels more quickly etc. Almost all cards (except Nagra ROM11) run absolutely reliably. On a PC with VDR it is recommended to use several quartz (crystals?) together according to your needs. The delivery specification includes 2 * 6MHz, 2*3.686 and 4*3.579. The following systems will run with the corresponding crystals Irdeto 6.0000 MHz Seca 3.5795 MHz Viaccess 3.5795 MHz Nagravision 3.6864 MHz Cryptoworks 3.5795 MHz Conax 3.5795 MHz NDS 3.5795 MHz In the gbox is an integrated software blocker that allows it to block EMMs. Groups of EMMs can be blocked according to addressing, EMMs for all cards, for shared or unique addresses. This is configured in the softcam.cfg NET Mode ======== NET-mode is intended for: 1. Development/testing (implemented) The dbox 2 sends each ECM over the network to the PC which then performs the decryption and sends the CWs to the dbox2, which can be used for decoding. In the sub-folder /net-mode you will find a small software demo, C source and executable (cygwin) 2. Networking the dbox2 (implemented) Networking several dbox2s (living room, bedroom, neighbour…) in order to use all boxes with one card, so that all boxes can use all available cards. 3. CW & card sharing (in development) As with point 1, only using a server instead of a PC that communicates over the internet. For the NET mode UDP must be initialised L: { 01 } PC_IP Server mode: Decode ECM ----------------------Decodes an ECM with the emulator, answers with the CWs Instruction: 0x42 0x15 Client_IP Len CaID PID ECM_data ... Answer(success) 0x41 0x15 0x10 CW0 ... CW1 ... Answer(failed) 0x41 0x15 0x00 Client mode: Init NET mode -------------------------NET mode init, EMU is disabled (?), dbox2 becomes a client, the ECMs go to the given IP (server) Instruction: 0x42 0x12 0x04 Server_IP Answer(success) 0x41 0x12 0x00 In order to switch back to Net mode, the following entry in gbox_cfg must exist: G { 02 } // Pure NET Client Multipid logger =============== Multipid logger In the zip you will find the MultiCaID/MultiPID logger from trilu. To use this, the following field in the gbox_cfg must be set, L: { 01 } PC_IP in order to initialise the UDP port. The implemented UDP (port:8017) instructions are:: Instruction: Answer: LogDaten: "B" 0x42 "A" 0x41 L CaID (2bytes) Pid(2bytes) Len(2bytes) ... Daten n=Len Structure =========================================== Instruction Type L„nge Daten=L„nge 0x42 0x?? 0xlen Daten .... Get cat ======= Instruction: 0x42 0x01 0x00 Answer: 0x41 0x01 0xLN ...... LN number of Bytes in CAT. Get pmt ======= Instruction: 0x42 0x02 0x00 Answer: 0x41 0x02 0xLN ...... LN number of Bytes in PMT. Get selected pids for logging ============================= Instruction: 0x42 0x03 0x00 Answer: 0x41 0x03 0xLN 0xA1 0xA2 0xB1 0xB2 ...... LN/2 number pids. A1A2 first pid B1B2 second pid ... .. In case no PIDs are selected: 0x41 0x03 0x00 Selected pids for logging ========================= Instruction: 0x42 0x04 0xLN 0xA1 0xA2 0xB1 0xB2 ...... Answer: 0x41 0x04 0x00 (OK) LN/2 Anzahl der pids. A1A2 first pid B1B2 second pid ... .. Get available pids for logging ============================== Instruction: 0x42 0x05 0x00 Answer: 0x41 0x05 0xLN 0xA1 0xA2 0xA3 0xA4 0xA5 0xB1 0xB2 ... LN/5 Anzahl der pids. A1A2 first CaID A3A4 first pid A5 Type EMM=0 ; ECM=1 .. Falls keine pids da sind (FTA): 0x41 0x05 0x00 Start Logging ============= Instruction: Answer: Stop Logging ============ Instruction: Answer: 0x42 0xFE 0x00 0x41 0xFE 0x00 0x42 0xFF 0x00 0x41 0xFF 0x00 PIDs can only be logged that have been read and mapped, thus the cat and pmt are informative, using the 0x05 to see what is there (?) Only send commands when logging off ! After each command a reply should arrive. For the log off command you need to always send two log offs in order to receive an answer - this may be to do with my test software. In the folder you will find the logger from trilu and this can log single or multiple pids (ecm and/or emm). Card sharing -----------Cwsharing supports local networks and the internet. A peer to peer network is built, in which all dboxes communicate with one another directly. This is designed for performance and security reasons. With cwsharing it does not matter which dbox2 has what card, and who is using which sender. The cwsharing is reasonably optimised, and it should not be a problem to have more than 100 users for each card. All cards are supported with sharing. A few settings: 1. The owner has absolute priority, no matter how many users are attached to his card and he should not need to use the 'zapping' feature. 2. Each dbox2 only communicates directly with the dbox2s listed in the cwshare.cfg 3. According to the IP entry in the cwshare.cfg, there are two codes: Code 1 - this IP allows my card data to be distributed to x groups of friends Code 2 - this IP allows my foreign card data to be distributed to x groups of friends If the user A has the cryptocard and the user B is his friend (with an entry in the cwshare.cfg), then user B can also use user A's cryptocard. If user C is a friend of user B, he can also use user A's card, as long as he has allowed it (code 1>1). If user D is a friend of user C, he can also use user A's card (if he has allowed it = code 1>2) and so on. Important: every dbox2 only communicates with those nominated as friends, with the ECMs and CWs going from dbox2 to dbox2 until the limit is reached. 4. All files are completely encrypted so even headers are not recognisable Install: a. If you want to go into the internet, you should have a look at dyndns.org and set up an account. Activate dyndns in your router, so that it registers with dyndns.org whenever you go online. b. Make sure you give the Gateway and Nameserver in the network configuration of the dbox. c. On the router the referenced ports to the dbox2 need to be opened so that it can transmit the incoming data. This is called 'port forwarding' and is not necessary for local networks, only for the internet! d. On the local network all boxes must have entries in each cwshare.cfg to ensure these are always found. Thus any machine can be first to boot and the next one will always find those that are already on line. e. Always use MIX When the AU is set to manage. Auto AU successful decode. will switch itself depends on whether MODE and (NON_AU or AUTO_AU)! to ON, too many EMMs can be sent to the card for the sharing limits the AU by demand, and switches it back off after a It is recommended to use CW sharing with NON_AU, as the AU on when, for example, the PW is zapped directly, thus it an AU is essential or not (?). ---------------------------------------------------------------------An example for three boxes in a LAN with one on the internet # cwshare.cfg --- dbox1 --- Internet and # # My dbox2 (local IP =192.168.0.6) # password M: { mydbox2.homeip.net { AA242456 }} # # Internet Friends RX TX_Port D: { friend1.homeip.net { 8200 8200 { D: { friend2.homelinux.net { 8200 8200 { # # other local boxes D: { 192.168.0.51 { 8200 8200 { D: { 192.168.0.52 { 8200 8200 { Local Network password cod B142AB11 { 5 5 }}}} 81BFF901 { 5 5 }}}} AB333441 { 5 5 }}} BA334B24 { 5 5 }}} # cwshare.cfg --- dbox2 --- Local Network # password M: { 192.168.0.51 { AB333441 }} # # other local boxes D: { 192.168.0.6 { 8200 8200 { AA242456 { 5 5 }}}} D: { 192.168.0.52 { 8200 8200 { BA334B24 { 5 5 }}}} # cwshare.cfg --- dbox3 --- Local Network # password M: { 192.168.0.52 # # other local boxes D: { 192.168.0.6 D: { 192.168.0.51 { BA334B24 }} { 8200 8200 { AA242456 { 5 5 }}}} { 8200 8200 { AB333441 { 5 5 }}}} CWserver ======== If the gbox is not running as a receiver and the /var/tmp/pmt.tmp is not found, it will run as a CW server. A Phoenix will be used on Com1, or a sc8in1 for up to 8 cards on com1. Off-air Decryption ================== To decrypt the logged ECMs and/or EMMs or to send them to a card, the gbox is called with 2 arguments: gbox file caid Example: gbox seca-ecm.txt 0100 Example: gbox seca-ecm.bin 0100 In the gbox.cfg you can determine whether a decryption should be done via the emulator (Mode =emu) or the ECMs and EMMs should be sent to the card (Mode=Softcam). The ECMs and EMMs can be combined into a text or binary file and in case the log in the gbox is set to multipid mode, the ECM from various systems can be seen in the log file. If a sc8in1 is attached to COM1, the ECMs and EMMs are forwarded to the relevant cards. With Nagra decryption, there has to be an ECM in the log file as this is used to check the keys. GSMS ==== GSMS allows messages to be sent to either a single gbox or all on the network. Only one file, gsms.txt, is copied to /var/tmp and this is then read in, the data sent on and the file deleted. If the IP address 0.0.0.0 is given, the message is sent to all dboxes in the cwshare.txt file. The automatic display of GSMS messages on the screen is only available with Neutrino or Enigma. With VDR you need a plugin or something else (to follow). 192.168.0.51 0 this is a normal test message/this is the second line//and this the fourth someip.homelinux.net 0 this is also e normal message 192.168.0.52 1 this will display a popup that will require a/OK pressing, to disappear Install ======= The files from /keys/ (irdeto, seca, via, ...) must be copied to /var/keys A folder /var/tmp must be available to store temporary files For different settings please refer to the gbox.cfg and softcam.cfg VDR: ---The following driver is used, patched from the root Patch the VDR with /x86/linux/gbox_VDR.diff Call the gbox: ./vdr ./gboxx86 With multiple cards the gbox will need to be started several times. A separate copy of gbox (including keys and config files) should be started for each card. /var/keys/gbox0/gboxX86 /var/keys/gbox1/gboxX86 /var/keys/gbox2/gboxX86 etc ... A gbox can control a COM port (with Multicam or sc8in1). If there are two or more cards in a system, all of them can gain access to their own multicam or sc8in1 and then the smartcards can be used by all dvb-s cards. . Only one gbox can manage the cwshare. We'll call this the master gbox and the other one a slave. In the master cwshare.cfg are entries for all other friends and the rest of the dvb-s cards in the system. With this configuration all slave gboxes should have their own RX UDP port Master (4 card example): M: D: D: D: { { { { 192.168.0.10 192.168.0.10 192.168.0.10 192.168.0.10 { { { { 12345678 } 8000 8001 { 12345670 { 5 5 }}}} 8000 8002 { 12345671 { 5 5 }}}} 8000 8003 { 12345672 { 5 5 }}}} Bei den slaves: M: { 192.168.0.10 { 12345670 } D: { 192.168.0.10 { 8001 8000 { 12345678 { 5 5 }}}} M: { 192.168.0.10 { 12345671 } D: { 192.168.0.10 { 8002 8000 { 12345678 { 5 5 }}}} M: { 192.168.0.10 { 12345672 } D: { 192.168.0.10 { 8003 8000 { 12345678 { 5 5 }}}} The softcsa is also not implemented. I do not have a SkyStar and therefore can't implement or test this. From /dev/dvb/adapter0/ca0 I only use Ioctl (ca_handle,CA_SET_DESCR,&ca_descr); If anyone is interested, could they write a module that opens a device /dev/dvb/adapter0/ca0 and implements the softcwwrite. dbox2 ----Gbox is a daemon that should not be killed by channel changing. It is started once, and then the channel change is triggered by the writing of the PMT to /var/tmp/pmt.tmp. The driver gboxdrv.o must be copied from /lib/modules/2.4.22/misc/, and in startscript normal with in mode to be installed. For 2.4.22-dbox2 the driver gboxdrv.o.-dbox2 in gboxdrv.o rename and after /lib/modules/2.4.22-dbox2/misc/ copy. Windows ------The dbox works on Windows only in indirect mode. As an interface (wrapper?) between DVBcore applications and the gbox the plugin gboxsfriend.dll is used which is compatible with DVBcore. This sends the PMT&CAT to the gbox on channgel changes and later the ECMs and EMMs too. For Multidec compatible applications you will still need to use the wrapper DVBcore.dll - this allows a dvbcode compatible plugin to be used with a Multidec API application. DVBcore.dll should be copied to the Multidec folder and gbossfriend.dll installed in the \plugins folder under the Multidec folder. Zapping is slower under Multidec/ProgDVB as the PIDs from Multidec/ProgDVB first go to the wrapper, then to gboxsfriend and then to the gbox. To accelerate this we need a Multidec compatible gboxsfriend to be written. --------------------------------------------------------------------In der entwicklung dieser Software haben viele Personen teilgenommen. Manche in guter Absicht, manche unwissentlich, mit Ihrer Arbeit und Forschung. Das jemand hier aufgef hrt ist, bedeutet nicht das er irgendetwas mit der gbox direkt zu tun hat. Freundliche Gr áe und ein groáes danke an: Campag5242, Chianti_le, Dagobert, denny, dvbtux, Gizm0, hpsp, Luki, LuckyLooser, nervous, Nirvana, NoClue, Nullahnung, Secuworld, SoldierX, StillerLeser, TBFT, TaGana, Telefonman, TheBorg, strsh, tmbinc, trilu, tufler17, Ulster94, zapit_emu. ohne die, diese Software nicht entstanden w„hre. Ebenfalls bedanke ich mich bei allen betatestern die mir durch ihre bugreports sehr geholfen haben haben. Ein groáes danke auch an das dbox2world Board. Sorry falls ich jemanden vergessen habe.