View Full Version : Generating Biss 1 keys from Biss E
harshy
18-12-2010, 12:17 PM
Hi Satpimps members
I have generated a set of Biss-E keys using a keys generator, the problem i have is converting these to Biss 1 keys, I tried looking in Excel but couldn't work out a formula to replace the 7th, 8th, 15th and 16th character to 00, is anyone who knows how to it help me, btw has anyone managed to generate all the biss combinations and add this to their softcam.key file, if no one wants to give this info in public, please PM me.
Thanks again,
harshy
Eugenie
18-12-2010, 12:41 PM
actually...
BISS-E uses an encrypted session word...the actual usable session word is only available after performing DES operations involving an additional form of data (an actual ID (either injected or buried)). You would also need some software supporting BISS-E.
Dare I suggest some confusion on your side of things...
you have a BISS-1 session word and you want to remove the actual checksums thus turning the 8byte data you have into 6byte(12 digit number)?
The fourth and eighth byte (or the '7th, 8th, 15th and 16th character' as you put it) can simply be nulled (or removed) depending on what input syntax your software/cam uses.
Your post is somewhat unclear...at least to me.
harshy
18-12-2010, 01:04 PM
Hello Eugenie
Many thanks for replying :) i have a dreambox dm800 so its support Both Biss - E and Biss 1 :)
so with this example of a Biss-E keys
xxxxxx71xxxxxxA0
for Biss 1, this becomes
xxxxxx00xxxxxx00
as the software generates 500 different combinations of Biss-E key i need a formula in MS Excel to convert the bolded characters to 00, I hope this makes sense :)
Thanks again,
harshy
Eugenie
18-12-2010, 01:47 PM
"i need a formula in MS Excel to convert the bolded characters to 00, I hope this makes sense"
well yes that part makes sense...for your sought after MS Excel formula...search me...donŽt make use of it. I am puzzled about your BISS-E/1 key generating...really wonder what the heck you're actually doing...but IŽll leave that up to you m8. Hope you get the help you're after.
harshy
18-12-2010, 02:36 PM
i'll send you reply by PM :)
Thanks,
harshy
kebien
18-12-2010, 02:39 PM
He is clearly confused.
You cannot generate a biss key unless you are referring to the biss encoder,you have one of those?
Apparently not.
In any case the checksum are NOT the only difference between one version and the other.
Now you post this
**so with this example of a Biss-E keys
xxxxxx71xxxxxxA0
for Biss 1, this becomes
xxxxxx00xxxxxx00***
Where you learned this?
Is completely untrue and wrong.
Also
***Many thanks for replying i have a dreambox dm800 so its support Both Biss - E and Biss 1***
This is also untrue and wrong,all emulators accept the direct control word,meaning biss 1 type of keys.
For example,there is no element of evidence all decoders (being tandberg and others) use the same algorithm to convert the biss-e key into biss 1,this process could very well be proprietary.
snakie
18-12-2010, 06:12 PM
Maybe he is just trying to open a service that uses BISS-E ,but he generates normal static values of random numbers which he tries to use as BISS1 which of course are like direct control word.
In such case he doesnt need the BISS-E key but instead the clear one ;)
But have to agree also that is kinda unclear what he tries to do.
Also 1+2+3=4th ..but as stated by Eugenie can also be used 00 depending on the csa
harshy
18-12-2010, 07:32 PM
i was trying to open any biss channel which uses SID value of 1 using CCCam and my softcam key file in my dreambox.
kebien
19-12-2010, 12:37 AM
He is simple 00 the checksums,not converting keys.
Some emulators take the 8 byte key (with checksums),some can take care of the checksums (meaning you can 00,but wouldn't make a difference any value you give it),and some take only the 6 bytes key,without checksums.
Let's all agree thet Biss-e keys will look completely different than Biss 1,not only the checksums.
Eugenie
19-12-2010, 12:51 PM
CCcam will search for the first instance of the correct SID...if a line/entry has the SID CCcam will use the PMTPID entry of that line to try and find the elementary
stream pids...if the PMT table does not contain any BISS 0x2600 CAID with ecmpid 0x1FFF (0x1FFF is the DVB nullpid in place for ecmpid since BISS carries no ecm stream) CCcam will report 'biss ecm not found'.
for example...lets say you want to descramble InterHD. The second line holds the correct data but the CW's of the first line will be used since it carries the correct/same SID.
constant.cw keyfile (caid provid sid pmt ecmpid CWCW[even/odd])
2600:000000:000c:022C:1FFF::xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ; TRT3 (42.0E) *
2600:000000:000c:0c00:1FFF::yy yy yy yy yy yy yy yy yy yy yy yy yy yy yy yy ; InterHD (4.0W)
same is true using softcam.key(F sid+ecmpid CWparity(even/odd) CW)...no PMTPID here though
F 000C1FFF 00 xxxxxxxxxxxxxxxx ; *
F 000C1FFF 01 xxxxxxxxxxxxxxxx ; *
F 000C1FFF 00 yyyyyyyyyyyyyy ;
F 000C1FFF 01 yyyyyyyyyyyyyy ;
As for nullbytes...the descrambler in DM800 requiers checksum bytes...CCcam (in this case) will calculate these bytes if they are nulled out.
Note that CCcam will report an 'ecm even/odd ok' even if the actual CW is incorrect...as long as the pids and CWs are set without error it assumes that things are ok.
Also, the 2 bit scrambling control flag in the TS header will change status as long as the correct pids for the stream have been subjected to the descrambling process and CWs set. Whether of not the actual descrambling was correct does not seem to matter. That means that if you have the incorrect CW, scrambling control will get set to 0x00 (not scrambled[unscrambled if you will])...although the decoder may not make sense of the data.
As far as I can see...if Harshy wishes for CCcam to go through several entries with the same SID...hoping for CCcam to in an intelligent way find out which CW's actually work (if any)...he won't have much luck. I think? I do not really use CCcam for these things...just had a quick look at it.
harshy
24-12-2010, 12:52 PM
oh dear oh dear, looks like CCCam hits the first SID with 0001 and stops there, so my idea is useless :(:banghead:
snakie
24-12-2010, 02:13 PM
you can ... echo a new line all the time , replacing the file details , but its slow for brute force ...;)
harshy
30-12-2010, 04:38 PM
Hello Snakie
I hope you had a great christmas break :) how do i go about getting cccam to go through the biss keys, do i have to put the keys in the cccam.cfg file instead
You say i need to echo a line, but where do i do this and can you send me example format by pm if possible?
Thanks again,
harshy
snakie
30-12-2010, 11:14 PM
Well, you can use lets say the file constant.cw and see the structure of it how it is,
e.g:
from telnet or ssh ,
echo 2600:000000:20EC:04B0:051F::01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00 > /var/scce/constant.cw
harshy
01-01-2011, 01:51 PM
Hello snakie,
A happy new year to you, is it possible to do this within the softcam.key file instead, I do have a constant.cw file however if its not possible.
Thanks again,
harshy
harshy
23-01-2011, 10:55 PM
ok this is not possible, please close thread.
saroteW
02-02-2011, 04:23 AM
Hello Eugenie
Many thanks for replying :) i have a dreambox dm800 so its support Both Biss - E and Biss 1 :)
so with this example of a Biss-E keys
xxxxxx71xxxxxxA0
for Biss 1, this becomes
xxxxxx00xxxxxx00
as the software generates 500 different combinations of Biss-E key i need a formula in MS Excel to convert the bolded characters to 00, I hope this makes sense :)
Thanks again,
harshy
Please ...send PM , Thank you very much. :bowing-036:
saroteW
02-02-2011, 04:30 AM
you must use ...program List Attack ...for build key biss...
cprasad7
17-03-2011, 09:13 PM
He is clearly confused.
You cannot generate a biss key unless you are referring to the biss encoder,you have one of those?
Apparently not.
In any case the checksum are NOT the only difference between one version and the other.
Now you post this
**so with this example of a Biss-E keys
xxxxxx71xxxxxxA0
for Biss 1, this becomes
xxxxxx00xxxxxx00***
Where you learned this?
Is completely untrue and wrong.
Also
***Many thanks for replying i have a dreambox dm800 so its support Both Biss - E and Biss 1***
This is also untrue and wrong,all emulators accept the direct control word,meaning biss 1 type of keys.
For example,there is no element of evidence all decoders (being tandberg and others) use the same algorithm to convert the biss-e key into biss 1,this process could very well be proprietary.
So Dreambox also can accept BISS 1 keys? If so which is the best cam to use it and how to? Is there any special syntax to this 12 digit keys than 16 digit keys? I have try many BISS 1 keys in Dreambox but never got picture. But the same key got the picture with another receiver. So what is the correct method of using a BISS 1 key in Dreambox?
Eugenie
18-03-2011, 01:33 AM
The only BISS session words out in the public domain are BISS-1 (clear). They may or may not have been harvested from an encrypted session word. Therefore, there is not real reason for public applications to support BISS-E since encrypted session words and the ID's needed for decryption never float around the public domain. Any BISS SW found in the public domain will be in the clear state (BISS-1) since they are brute forced.
Included a couple of pics of BISS-E decryption.
kebien
18-03-2011, 02:10 PM
So Dreambox also can accept BISS 1 keys? If so which is the best cam to use it and how to? Is there any special syntax to this 12 digit keys than 16 digit keys? I have try many BISS 1 keys in Dreambox but never got picture. But the same key got the picture with another receiver. So what is the correct method of using a BISS 1 key in Dreambox?
You should go to dreambox section and read about emulators like cccam,mgcam,and others.In the readme is explained how the keys are setup.
snakie
19-03-2011, 04:50 AM
The only BISS session words out in the public domain are BISS-1 (clear). They may or may not have been harvested from an encrypted session word. Therefore, there is not real reason for public applications to support BISS-E since encrypted session words and the ID's needed for decryption never float around the public domain. Any BISS SW found in the public domain will be in the clear state (BISS-1) since they are brute forced.
Included a couple of pics of BISS-E decryption.
Nice photos ;)
kebien
19-03-2011, 01:41 PM
The only BISS session words out in the public domain are BISS-1 (clear). They may or may not have been harvested from an encrypted session word. Therefore, there is not real reason for public applications to support BISS-E since encrypted session words and the ID's needed for decryption never float around the public domain. Any BISS SW found in the public domain will be in the clear state (BISS-1) since they are brute forced.
Included a couple of pics of BISS-E decryption.
I cannot think on any biss key you find in public forums being derived from a biss-e key because to do this,some conditions must be met : you must know the algorithm to decrypt the key,and you must be given this key (SW) by people involved in the encryption center.
This algorithm can change from decoder to decoder too,being Tandberg,Scopus,Tiernan and so on.
The photos show that specific receiver can handle that specific SW.(btw,if you care to tell us what is that specific receiver would be great)
Eugenie
19-03-2011, 05:06 PM
Yes, BISS-E requires ESW and ID to produce the actual BISS-1 SW. So, on the providers side of things the BISS-1(clear) might be the product of BISS-E...on 'our' side of things it probably never is...but instead a result of brute forcing producing clear BISS-1 SW.
The pics show an application supporting BISS-E in accordance to official EBU(Tech 3292 rev. 2) standard paper.
Application is private, coded in Python running on Enigma2 (in this case DM800).
The standard (Tech 3292 rev. 2) does leave room for things like additional and/or private (undefined) post processing rutines, ID modes etc. This application can of course only be successfully used if the provider keep strictly to the official standard.
kebien
19-03-2011, 06:44 PM
The pics show an application supporting BISS-E in accordance to official EBU(Tech 3292 rev. 2) standard paper.
Application is private, coded in Python running on Enigma2 (in this case DM800).
And of course the Biss-E key shown cannot be produced but only from one place.:respect-055:
Eugenie
19-03-2011, 07:42 PM
...in the end, as established...BISS-E keys (ESW+ID) do not float around our neighborhood...BISS-1 support is really all us hobbyists need.
kebien
20-03-2011, 01:14 AM
Yeah,nothing simpler than parse PAT/PMT,get CA id,and send a open() message to the CA device with the key,then close().
We can say that to code a biss-1 emu is nothing very difficult.
Eugenie
20-03-2011, 09:41 AM
The only mode that requires some more work is BISS-E since it actually has a decryption process...but in the end whether its mode 1 or E...BISS is still a simple system without the ecm rutines.
so what does this mean in layman terms?
kebien
20-03-2011, 07:57 PM
it means you do not have to worry about biss-e keys at all.
saroteW
25-07-2011, 12:32 PM
ex...
_http://www.mediafire.com/?zb13i2on53j8d11
list keys 200,000 key
^^Salih15^^
25-07-2011, 07:43 PM
nice read .. ..
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.