EVERYTHING YOU WANTED TO KNOW ABOUT COP CARDS BUT NOBODY WOULD TELL YOU

REVISED AND EXPANDED BY JOHN MACDONALD
May 1997

Since I wrote the original paper last year, there's been a lot of activity on the COP front, so I thought I would include some information which has come to light about the different types of COP cards.

You folks out there may be interested in how to update COP Eurocrypt cards, since these are expensive to buy and upgrade, but are probably the best implementation of Eurocrypt emulation around (in my opinion much better than PICs). Actually, you can't update the COP itself, since this is an OTW device; what you update is the 24LC16 EEprom which contains all the channel and key data. Unfortunately this data is all encrypted by the COP program (obviously written by a sneaky type). This paper explains what the EEprom contains, how to decrypt it, and how to encrypt new keys/channels.

It's also possible to make the COP program automatically update the EEprom with new keys if you have the issuer/management keys and Shared Addresses for the channels. Then you can have all the channels work like Canal+/Cine Cinemas and "learn" the new keys before they're used. This is what the COP manufacturers do, which is why new keys appear in COP cards before anything else (generally speaking).

I'm going to assume that you have the necessary hardware/software to program 24LC16 EEproms; I use PIX from Bengt Lindgren and various programmers. Or, if you have a Phoenix interface, you can use COPREAD and COPWRITE from JC if you have .dat files (see below).

CARD TYPES

I have come across 3 types of COP card: Series 2, 3 and 4.

Series 3 started with version 3.10, known as Big Mac or Millennium, and includes versions 3.11, 3.12, 3.14, 3.16, 3.17 and 30B. There are probably some others as well.

Series 2 cards have a different EEprom structure and are known as USA cards. I've seen versions A, L, M, U, X, [ and p, and all these versions have a remote control interface for adding new keys/channels.
Series 4 cards are named after US States in alphabetical order. They have a similar EEprom structure to Series 2 but don't have remote control update capability. Versions I've seen include 4.02 (Alaska), 4.04 (Arkansas) and 4.05 (California).

There are also small variations on the above in existence.

SERIES 3 EEPROM STRUCTURE

The 24LC16 consists of 2k bytes of data accessible by either the programmer or the COP program. The COP program regards this as 8 x 256 byte blocks, one for each channel-id. Much of this data is duplicated for each channel-id, so the space is not used particularly efficiently. A bit more thought would have meant that more channels could have been supported. The blocks are organised as follows:

  0000-00ff  TV3
  0100-01ff  TV1000
  0200-02ff  Filmnet
  0300-03ff  BBC Prime
  0400-04ff  CTV (EC-S Multichoice version)
  0500-05ff  TV2
  0600-06ff  CANAL+
  0700-07ff  Cine Cinemas

This arrangement seems to be the most popular, although I've seen other variations. It doesn't matter to the COP program which channel goes where.

Let's concentrate on the structure of any one of the 256 byte blocks. We'll use the least significant addresses (RH byte) to show the breakdown of the 256 bytes.

  Address (hex)  Data
  00-02          Channel-ID
  03-0f          Data for c0 instruction
  10-15          a5,04,Program Provider User Address
  18-1d          a6,04,Group Customer Address
  20-2b          a7,0a,Label
  30-37          a8,06,Dates + Theme/Level
  38-40          a9,07,Subscription Link
  41-47          Manufacturing Data
  48-4f          aa,06,Prebooked PPV
  50-55          ad,04,Authorised Overdraft
  58-5d          ae,04,Survey Marker
  60-65          b1,04,Program Cost on Last Accreditation Date
  68-6d          b2,04,Total Program Cost since Last Accreditation Date
  70-75          b3,04,Total Program Cost since Last Survey
  78-7d          b4,04,Impulse PPV per Time

A brief explanation of all this follows.

The Channel-ID is the three bytes obtained from the A4 instruction, eg Filmnet is 00 28 00 and TV1000 is 00 04 10.
The first two bytes of most of the other entities are the Parameter ID and length byte as defined by the Eurocrypt standard, with the Parameter data following. They're mostly not very interesting and exist only to process the AC and B8 instructions. I suppose the two most relevant are:

  a7 - a ten character label, which is the channel name displayed by taking the Consultation option from the decoder menu.
  a8 - a 6 character string of subscription start date, end date and authorised programme theme and level. Of course pirate cards don't check these, but official cards certainly do!

Finally, addresses 80 to ff contain the encryption keys 0-f. Keys 0-7 are the Management keys, which are used to decrypt new keys sent in the 18 instruction (CANAL+ and Cine Cinemas use keys 5 and 6); keys 8-f are the Operation keys used in the 88 instruction control word calculation (and also the hash checksum calculation). By the way, these 7 byte keys are all stored as 8 bytes in an encrypted form, so there are actually 256 correct "COP" keys for each "real" key.

As I said earlier, most of the content of addresses 00-7f is the same for all channels, so more space for extra channels could have been made.

BYTE ENCRYPTION/DECRYPTION

Now we know the EEprom structure, but even if you look at the data you won't see anything familiar, because all the data is encrypted by the COP program to stop us understanding it.

The COP program communicates with the EEprom using the same protocol as for communication with the decoder, ie in reverse bit order. So the first thing to do is to reverse the bits in each byte. For example, AE is 1010 1110, which when reversed becomes 0111 0101 or 75, and D4 is 1101 0100, which becomes 0010 1011 or 2B.

Then each byte is XORed with the least significant (RH) byte of its address in the 256 byte block.
So if the two bytes AE and D4 above were in locations 0126 and 034F in EEprom, we would XOR 75 with 26 (0111 0101 with 0010 0110, giving 0101 0011) and 2B with 4F (0010 1011 with 0100 1111, giving 0110 0100), that is, 53 and 64. The result is the decrypted value of each EEprom byte.

Typically, locations 0500, 0501 and 0502 hold the values E2, 0A and 40. Reversing the bits gives 47, 50 and 02. XORing these with 00, 01 and 02 gives 47, 51, 00, which is the familiar ID for TV2 Norway. I guess you've got the idea by now.

KEY ENCRYPTION/DECRYPTION

I'm assuming in this section that the byte decryption of the key data has been done as described above. So how is the eight byte key decrypted?

It's actually obtained by using a modified form of the DES algorithm on the "real" seven byte key plus any eighth byte, with a seven byte COP card issuer key. This issuer key is built into the COP program code and for COP 3.10 is:

  21 A4 55 78 D7 F4 6E

So, we take the real key (eg Filmnet key c, which is CD EF 73 53 4E 7D 94), append any old value as the eighth byte, do a modified DES using 21 A4 55 78 D7 F4 6E as the DES key, and we get an eight byte encrypted COP key. Then we apply the byte encryption above, and that's the value to go into the EEprom. The actual address would be 02E0-02E7 if Filmnet were the 256 byte block starting at 0200.

The sneaky bit is the modification to the DES algorithm. You know when you've done an encryption round you XOR the new (left hand) 32 bits with the old (right hand) 32 bits prior to swapping the left and right hand halves over and starting the next round? Well, before you do the XORing of the two halves, you must swap the 3rd and 4th bytes (ie bits 17-24 and 25-32, counting from the left starting at 1) of the left hand half. It sounds complicated, but if you walk yourself through the DES algorithm you'll see what I mean. That's how it's done.
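The byte "encryption" just described is a fixed transform with no secret in it: reverse the bits, XOR with the low address byte. The following is an added illustration written for this edit, not code from the paper or from any COP card; the function names are my own, and the only inputs are the paper's worked values (AE at 0126, D4 at 034F, the E2 0A 40 channel-id at 0500) plus the address 06 flag bytes from the AUTO KEY UPDATING section below. It shows that the transform is its own inverse once the XOR order is swapped, which is why the whole image can be turned into a .dat file and back with no key material at all.

```python
"""Series 3 COP EEprom byte obfuscation: bit reversal plus XOR with the
low byte of the address.  Added illustration of the scheme the paper
describes; not the COP firmware's code.  Worked values are the paper's."""


def reverse_bits(b: int) -> int:
    """Reverse the eight bits of a byte (MSB <-> LSB), e.g. 0xAE -> 0x75."""
    return int(f"{b & 0xFF:08b}"[::-1], 2)


def decrypt_byte(value: int, address: int) -> int:
    """EEprom byte -> plain byte: reverse the bits, then XOR with the
    least significant byte of the 24LC16 address (the offset in the
    256 byte block)."""
    return reverse_bits(value) ^ (address & 0xFF)


def encrypt_byte(value: int, address: int) -> int:
    """Plain byte -> EEprom byte: the inverse order, XOR with the low
    address byte first and then reverse the bits."""
    return reverse_bits(value ^ (address & 0xFF))


def decrypt_image(eeprom: bytes) -> bytes:
    """Byte-decrypt a whole 2k image; every byte uses its own low address byte."""
    return bytes(decrypt_byte(b, addr) for addr, b in enumerate(eeprom))


def to_dat(plain: bytes) -> bytes:
    """A .dat file is the byte-decrypted image with every byte XORed with ff."""
    return bytes(b ^ 0xFF for b in plain)


def channel_id(eeprom: bytes, block: int) -> bytes:
    """The three byte Channel-ID at offsets 00-02 of 256 byte block 0..7."""
    base = block * 0x100
    return bytes(decrypt_byte(eeprom[base + i], i) for i in range(3))


def sample_image() -> bytearray:
    """Constructed 2k image for the demo: all ff except the TV2 block at
    0500, whose first three EEprom bytes are the paper's E2 0A 40."""
    image = bytearray([0xFF] * 0x800)
    image[0x500:0x503] = bytes([0xE2, 0x0A, 0x40])
    return image


def round_trip_ok() -> bool:
    """Check that encrypt_byte undoes decrypt_byte for every byte at every
    offset in a block: the transform is a keyless bijection."""
    return all(encrypt_byte(decrypt_byte(v, a), a) == v
               for v in range(256) for a in range(256))


if __name__ == "__main__":
    img = sample_image()
    print(channel_id(img, 5).hex())               # 475100 (TV2 Norway)
    print(f"{decrypt_byte(0xAE, 0x0126):02x}")    # 53
    print(f"{decrypt_byte(0xD4, 0x034F):02x}")    # 64
    # Address 06 flag byte: plain 02 (EC-M, no auto update) is stored as 20;
    # setting bit 6 gives 42, stored as 22.
    print(f"{encrypt_byte(0x02, 0x06):02x} {encrypt_byte(0x42, 0x06):02x}")
    print(round_trip_ok())
```

Because the obfuscation depends only on the address, any two images with the same layout obfuscate identically, so a known plaintext such as a channel-id is enough to confirm the layout without any key.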
To obtain a "real" key from a COP key, you byte decrypt it as above, put the eight byte key through a reverse modified DES, and the "real" key is the first seven bytes of the plaintext result.

By the way, DAT files are simply byte decrypted EEprom files with all bytes XORed with ff.

AUTO KEY UPDATING

The COP card has the usual auto key update for CANAL+ and Cine Cinemas. It also has the capacity to do the same for all channels, which is very desirable in view of TV1000's declared keyswitching policy. Two things are needed to make this feature work:

- a knowledge of the management keys for each channel and the Shared Address to which they apply
- a modification to a byte in each 256 byte EEprom block.

If you look at the byte at address 06 of each 256 byte EEprom block you will see the following values:

  20  for TV3, TV1000, Filmnet, BBC Prime, and any EC-M channel
  28  for TV2
  22  for CANAL+, Cine Cinemas

When byte decrypted these values become 02, 12 and 42 respectively. The COP program looks at the bit settings of this byte as follows (numbering bits from the right starting at 0):

  bit 4  If set use EC-S, otherwise EC-M
  bit 6  If set perform auto update, if not don't.

It's interesting that it specifically prohibits the auto key update if bit 6 is not set. So if we set this bit for all channels and byte encrypt we get the values:

  22  for TV3, TV1000, CANAL+, Cine Cinemas etc (EC-M)
  2A  for TV2

If we then update the EEprom accordingly, all channels acquire auto key update capability (if we have the management keys).

ADDITIONAL COMMANDS SUPPORTED

Series 3 cards contain support for the 70, 74 and 78 commands. These are used by the manufacturer to perform key updates.

The command CA 70 P1 P2 P3 causes the card to send 70, then 8 bytes from EEprom block P1 address P2 to a Phoenix interface in byte decrypted form.

The command CA 78 P1 P2 P3 causes the card to send 78, then get 8 bytes from a Phoenix interface, byte encrypt them and write them to EEprom starting at block P1 address P2.
The command CA 74 P1 P2 P3 causes the card to send 74, then the card version number, card name and the manufacturing data in EEprom 0040-0047 (byte decrypted) to a Phoenix interface.

Now you can see how COPREAD etc work.

CARD 30B

This card is interesting because, although it has a similar EEprom structure to Series 3 cards, there are some major differences:

- There is no support for EC-S
- There is no autoupdate for any channel, including CANAL+ and Cine Cinemas
- No EEprom address XORing is done
- A different DES variation is used to encrypt/decrypt keys
- Different additional commands are supported.

Let's look at the last two points in more detail.

As you know, when EC-M keys are decrypted, the card issuer key is shifted left in two halves during each round and the DES function is applied. Well, on the fifth round no left shifting is applied at all. Also, instead of doing the "standard" COP byte swap towards the end of each DES round (see above), the bytes of the left hand half are swapped as follows:

  1st goes to 2nd
  2nd goes to 4th
  3rd goes to 1st
  4th goes to 3rd

If you want to encrypt a new key you must first shift the card issuer key right two places in two halves, to align the key with its value in the corresponding decryption round, and not do any right shifting in round twelve. Of course you must carry out the byte swap exactly as per the decryption process in each round.

The additional commands supported are 70, 78 and 93. Command 74 is not supported, presumably to stop COPREAD etc from working.

The command CA 93 01 02 03 causes the card to send 6b 00 (unknown instruction) to a Phoenix interface. This is OK though, and the 93 command must be sent exactly as above or the following command CA 70 P1 P2 P3 will be ignored. Assuming the 93 has been sent correctly, the card sends 70, then 8 bytes from EEprom block P1 starting at address P2, to the Phoenix interface.
Finally, the command CA 78 P1 P2 P3 causes the card to send 78, then get 8 bytes from the Phoenix interface, byte encrypt them (no address XORing) and write them to EEprom starting at block P1 address P2.

So now you ought to be able to write your own update routines for COP 30B.

SERIES 2 AND 4 EEPROM STRUCTURE

This COP version has a differently structured EEprom to all the 3.xx versions. Here is what it contains. Any locations not described are not used (set to FF or 00). Normal byte encryption is used. Note that it makes better use of the available space to support more than eight channels.

The 24C16 is broken down into 5 main sections:

  0000-007f  fixed data values for information types used in the ac, b8 packets
  0080-00ff  channels supported, including programme provider ids
  0108-0187  channel labels
  0190-01ff  more fixed info types, card label
  0200-07ff  keys

1 FIXED DATA VALUES

The entries here mostly have the "length followed by data" format.

  0008-000f  07 00 00 01 02 03 04 05   Used in c0 instruction
  0010-0014  04 ae f4 0a 01            PPUA address (parameter a5)
  0018-001b  04 04 3c 1f 00            GCA address (parameter a6)
  0020-0025  05 07 ae f4 0a 01         UA address (parameter a4)
  0028-002e  06 00 00 7d 00 00 00      TOTAM value (parameter ac)
  0030-0036  06 1e 34 25 9f ff ff      DATES+TH/LE (parameter a8)
  0038-003f  07 1e 34 25 9f 00 01 00   DATES+CUSTWD (parameter a9)
  0040-0047  00 00 56 00 01 60 0a 18   Manufacturing data
  0048-004e  06 00 00 10 00 00 64      INUMB,FNUMB (parameter aa)
  0050-0054  04 00 00 00 00            OVER (parameter ad)
  0058-005c  04 00 00 00 00            SURVEY (parameter ae)
  0060-0064  04 00 00 00 00            COST (parameter b1)
  0068-006c  04 00 00 00 00            COST (parameter b2)
  0070-0074  04 00 00 00 00            COST (parameter b3)
  0078-007e  06 00 00 01 00 00 64      PNUMB+COST (parameter b4)

2 CHANNELS SUPPORTED

All the entries here have the same eight byte format:

  xx xx xx  PPUID
  08
  as        Key start address: a=0 means start at address 0s00, a=1 means start at address 0s80
  8f
  y0        Type of processing: y=0 means EC-M, no auto update; y=4 means EC-M, auto update; y=1 means EC-S
  00

  0080-0087  00 04 00 08 02 8f 00 00   TV3 etc
  0088-008f  00 04 01 08 12 8f 00 00   TV1000
  0090-0097  00 04 03 08 03 8f 00 00   CTV Package
  0098-009f  00 28 00 08 13 8f 00 00   Filmnet
  00a0-00a7  00 28 10 08 04 8f 00 00   BBC Prime
  00a8-00af  00 2c 00 08 14 8f 00 00   TV Plus
  00b0-00b7  10 00 20 08 05 8f 40 00   Canal +
  00b8-00bf  10 00 30 08 15 8f 40 00   Cine Cinemas
  00c0-00c7  47 51 00 08 06 8f 10 00   TV2 Norway
  00c8-00ff  spare for 7 more PPUIDs

These rows are also used in the c0 instruction. In locations 0100-0107 is the ATR sequence without the 3f leading byte.

3 CHANNEL LABELS

These are contained in 0108-0187, padded with spaces where necessary. The labels include TV3, ZTV, TV6, TVG, BBC Prime, TV1000/Cinema, Filmnet1/2, Discovery, CNN, TCC, NTV, Cine Cinemas, TV Plus, Canal +, Eurosport and TV2.

4 MORE FIXED INFORMATION

This is stored in 0190-01ff as follows:

  0190-0196  06 00 00 00 01 00 00             Impulse PPV (parameter e4)
  0198-1099  01 0f                            Reference Maturity Rating (parameter 06)
  01a0-01a4  04 00 00 00 00                   PPV Ceiling (parameter 07)
  01a8-01a9  01 00                            Lock Status (parameter 08)
  01b0-01ba  0a                               Card Name
  01c0-01c6  00 15 00 0d 00 00 00             02 packet sequence
  01c8-01cc  10 02 ca 20 11                   06 packet sequence
  01cd-01d4  07 F I L M N E T
  01d8-01e1  ff f4 0f 20 00 00 1f 00 1b 00    c0 packet sequence
  01e8-01ef  10 00....00                      c0 packet sequence
  01f0-01f8  Used in remote handset key update

5 KEY AREA

There is room for twelve blocks of sixteen keys per channel, from 0200-07ff. These are:

  0200-027f  TV3 with keys 8-b,d-f
  0280-02ff  TV1000 with keys 8-b,d-f
  0300-037f  CTV with keys 8,9
  0380-03ff  Filmnet with keys 8-d
  0400-047f  BBC Prime with key 8
  0480-04ff  TV Plus with key 8
  0500-057f  Canal + with keys 5,6,8,9
  0580-05ff  Cine Cinemas with keys 5,6,8,9
  0600-067f  TV2 Norway with key 0 everywhere

The keys are encrypted in the normal COP way using the card issuer key.

SERIES 2 REMOTE CONTROL UPDATE

This COP version processes 24 instructions to provide keypad EEprom update capability.
The packets processed are of the form ca 24 01 00 10. The COP reads 0x10 bytes from the DC, of which the last two are the four digit code entered via the remote. This is repeated 8 more times until all the update codes have been absorbed.

Each four digit code is represented as LH byte, RH byte. If bit 4 of LH is set, 8 is added to the RH nybble of RH; if bit 5 of LH is set, 8 is added to the LH nybble of RH. The RH byte is the value of the new key byte, the order of which is determined by the RH nybble of LH (0-7 for the first 8 bytes). The ninth code is an address code which tells the program where to put the key in EEprom. Address codes have the form 8abc; a is the EEprom block address and bc the address within the block, except that if c is odd you must add 8 to b and use (c-1) to get the address.

Each data byte is associated with a check byte, which is 7f if bit 6 of LH is set and ff otherwise. The data bytes are stored temporarily in 01f0-01f7 and the check bytes in 01f8-01ff, except that each value is XORed with its address before it is stored.

A check value for the key is calculated as follows. Starting with the last check byte, rotate it right (with zero carry); set bits 0-2 of the previous check byte to zero and XOR the result with the rotated last check byte. Rotate the result right (with zero carry) and apply the check byte before the previous one in the same way. Continue this until you have applied the first check byte. The result is the check value for the key.

A data value for the whole key is obtained by XORing the target EEprom address with the target block number, then XORing this with each of the data bytes in turn. If the value obtained is equal to the key check value, the key is put in its correct place in EEprom.

Here is how it works for TV3 key 0a. The update code is:

  1025 6147 6254 5302 4433 1565 2607 6746 8250

Applying the bit settings based on LH we get 2d c7 d4 0a 33 6d 87 c6, and 250 for the target address. The check bytes are ff 7f 7f 7f 7f ff ff 7f, and ff.
XORing with the temporary addresses 01f0... gives dd 36 26 f9 c7 98 71 31 for the data and 07 86 85 84 83 02 01 80 for the check bytes.

The check value is:

  80  rr->40 xor 00 = 40
      rr->20 xor 00 = 20
      rr->10 xor 80 = 90
      rr->48 xor 80 = c8
      rr->64 xor 80 = e4
      rr->72 xor 80 = f2
      rr->79 xor 00 = 79

The data key value is:

  50 xor 02 = 52
  52 xor 31 = 63
  63 xor 71 = 12
  12 xor 98 = 8a
  8a xor c7 = 4d
  4d xor f9 = b4
  b4 xor 26 = 92
  92 xor 36 = a4
  a4 xor dd = 79

So the values match and the key update is done.

Notice that the check function creates a byte whose bits consist of the most significant bits of check bytes 1-8, in order left to right, after the address XOR. So, before the address XOR, the msb of each check byte should be zero if the corresponding bit in the data key value is set. This tells you how to set bit 6 in the LH byte of each 4 digit code if you want to convert the 8 byte COP key to the remote update code.

To get the real 7 byte key, take the update codes, adjust the bits and XOR with 0f, 0e, 0d, 0c, 0b, 0a, 09, 08 to get the .dat file value of the COP key. Then decrypt this in the normal way.

I hope all this helps. Happy hacking!

If anyone has any other COP card issuer keys I'd be grateful for them, as for any of the management keys of any channels.
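The remote control update check in the SERIES 2 REMOTE CONTROL UPDATE section is easier to see as code than as a chain of rotates. What follows is an added illustration written for this edit, not code from the paper or from any COP card: it parses the nine 4 digit codes exactly as the paper describes (LH bit 4 and 5 adjustments, the 8abc address code, the 01f0/01f8 temporary address XORs), recomputes the check value and the data value, and reports whether they agree. Function names and the temporary address constants are my own labels for what the paper describes; the only input is the paper's own TV3 key 0a example, and the expected values are the ones the paper works through by hand.

```python
"""Series 2 COP remote control update codes: parse the nine 4 digit codes
and recompute the check that decides whether the card stores the key.
Added illustration of the scheme the paper describes; not the card's code.
The sample codes are the paper's TV3 key 0a example."""

# Temporary stores named in the paper: data bytes in 01f0-01f7, check bytes
# in 01f8-01ff.  Each stored value is XORed with its (low) address byte.
DATA_TEMP = 0x01F0
CHECK_TEMP = 0x01F8

# The paper's worked example, reproduced as constructed input.
SAMPLE_CODES = "1025 6147 6254 5302 4433 1565 2607 6746 8250".split()


def decode_code(code: str):
    """One 4 digit code -> (position, data byte, check byte).
    LH bit 4 adds 8 to the low nybble of RH, bit 5 adds 8 to the high
    nybble; the low nybble of LH is the byte position 0-7; bit 6 of LH
    selects a 7f check byte instead of ff."""
    lh, rh = int(code[:2], 16), int(code[2:], 16)
    if lh & 0x10:
        rh += 0x08
    if lh & 0x20:
        rh += 0x80
    check = 0x7F if lh & 0x40 else 0xFF
    return lh & 0x0F, rh & 0xFF, check


def decode_address(code: str):
    """Address code 8abc -> (block a, offset bc).  If c is odd, add 8 to b
    and use c-1, as the paper specifies."""
    a, b, c = int(code[1], 16), int(code[2], 16), int(code[3], 16)
    if c & 1:
        b += 8
        c -= 1
    return a, ((b << 4) | c) & 0xFF


def check_value(check_bytes) -> int:
    """Start from the last stored check byte; for each earlier one, rotate
    the running value right with zero carry (a plain shift) and XOR in that
    check byte with bits 0-2 cleared.  The result collects the msb of each
    check byte, first byte leftmost."""
    value = check_bytes[-1]
    for prev in reversed(check_bytes[:-1]):
        value = (value >> 1) ^ (prev & 0xF8)
    return value


def data_value(block: int, offset: int, data_bytes) -> int:
    """Target offset XOR target block, then XOR with every stored data byte."""
    value = offset ^ block
    for d in data_bytes:
        value ^= d
    return value


def process_update(codes):
    """Apply the nine codes as the card would.  Returns
    (block, offset, key bytes as entered, accepted?)."""
    data = [0] * 8
    check = [0] * 8
    for code in codes[:8]:
        pos, d, c = decode_code(code)
        # Store into the temporary area, XORed with the low address byte.
        data[pos] = d ^ ((DATA_TEMP + pos) & 0xFF)
        check[pos] = c ^ ((CHECK_TEMP + pos) & 0xFF)
    block, offset = decode_address(codes[8])
    accepted = data_value(block, offset, data) == check_value(check)
    key = bytes(d ^ ((DATA_TEMP + i) & 0xFF) for i, d in enumerate(data))
    return block, offset, key, accepted


if __name__ == "__main__":
    blk, off, key, ok = process_update(SAMPLE_CODES)
    print(f"block {blk} offset {off:02x} key {key.hex()} accepted={ok}")
    # -> block 2 offset 50 key 2dc7d40a336d87c6 accepted=True
```

The check is a typo detector, not an authentication of the update: it compares one byte derived from the check bytes against one byte derived from the data, so a single mistyped digit is caught, but anyone who knows the layout can produce a matching pair, which is exactly the observation the paper makes about setting bit 6 when converting a COP key into update codes.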