Decrypting Nagravision
Now after breaking videocrypt, lets take a look at (old analog) nagravision
Nagravision
the PRNG seed
Same as videocrypt (Binary data from the vertical blanking interval is feeded into a smartcard which then among other things produces a PRNG seed for the nagravision decoder, but none of this matters to us here)
the PRNG
The PRNG (pseudo random number generator) is feeded with a 15bit seed and a 256 5bit entry table, and produces 287 5 bit values, the following code will do exactly that:
void prng(int seed, int *cle2enc){
uint8_t keyNdx= seed >> 7;
int keyInc= ((seed & 0x7F) << 1) + 1;
int buffer[32];
for(int i=0; i<32; i++) buffer[i]= i;
for(int i=0; i<255; i++){
cle2enc[i]= buffer[ keyTable[keyNdx] ];
buffer[ keyTable[keyNdx] ]= i + 32;
keyNdx+= keyInc;
}
memcpy(cle2enc+255, buffer, 32*sizeof(int));
}
the actual decryption
nagravision has a 32 line buffer, each line can contain a line of video, for each of the 287 lines of a field there are 5bits from the PRNG which are used as index into the buffer to decide into which entry to store the next received line and from where to output one, or in other words nagravision reorders lines using a 32line temporary buffer
Breaking Nagravision without knowledeg of the PRNG
The naive and ideal solution would be to try all 32^287 possibilities and compare the resulting decoded images, obviously thats not realistic
if OTOH we just use a compare function which compares 2 lines and lets assume its just simple correlation then and wish to find the global minimum then we actually didnt improve by that much as thats equivalent of solving the TSP
old versions of 2010 used the following algorithm to find a good permutation of the lines, which resulted in watchable movies
Step 1 (downsampling)
to speedup the linecompare later, the lines can be horizintally downsampled
Step 2 (comparing lines)
all lines which are not near black and which have not yet been merged with 2 lines are compared to all other such lines, the compares are done blockwise so that the number of cache misses is minimzed, for each line a fixed number of best matches is kept
Step 3 (sorting)
all the line pairs are sorted depending upon their similarity
Step 4 (merging)
from best matching line pair to worst the following steps are done
Step 4A (out of pairs)
if we hit the last pair for any line (we just keept a fixed number of best matches for each line) then we goto Step 2
Step 4B (impossible merges 1)
if either of the lines is in the middle of a block or they are the ends of the same block we continue with the next pair at Step 4
Step 4C (impossible merges 2)
we maintain 2 position limits for each block one for each possible orientation, if a merge would force the block outside the image we continue with the next pair at Step 4
the limits are calculated based on the fact that no line can be output before it has been received
Step 4D (impossible merges 3)
we maintain the fullness state of the 32 line reorder buffer if a merge would require overflowing it then we again continue with the next pair at Step 4
Step 4E (merge)
we merge the 2 blocks and update the buffer fullness and limits
Step 5 (sort blocks)
all blocks are sorted by their less restrictive position limit (=orientation is so that the limit is less restrictive)
Step 6 (reorder lines)
we reorder the actual lines
Breaking Nagravision with knowledge of the PRNG
as there are just 2^15 possible permutations so the naive bruteforce becomes alot more realistic but its still somewhat expensive for realtime decoding, so 2010 used a faster method
Step 1 (downsampling)
to speedup the linecompare later, the lines can be horizintally downsampled
Step 2 (compare)
every keyline is compared against all lines, the best 2 are keept
Step 3 (find seedlists)
for every line triplet (keyline and the 2 best matches) we assume that they will be consecutive
in the decoded image, we look up a list of seeds for which this is true from a precalculated table
or tree structure
Step 4 (find seed)
we find the most often occuring seed in the seedlists and if its number of occurances is above some threshold we decode the image, if not we drop it, this ensure practcally zero wrong decoded images
Step 5 (reorder)
after we know the seed we just need to reorder the lines and fix the chroma
IRRC in order to get a faster algorithm you could :
– exploit the fact that the same seed is used 2 times (1 frame and 25 frames later). But it is hard to keep syncronisation in case of dropped frame
– for PAL, use PALPLUS signal that is present on a know line
– for SECAM use chroma bugs of the grabber chip (it is chip dependent)
– …
Comment by anonymous — 2006-04-17 @ 18:36
> IRRC in order to get a faster algorithm you could :
2010 could decode full PAL resolution at full framerate with the hardware i had back then, so theres little point in speeding things up (not to mention we are talking about a dead encryption system)
> – exploit the fact that the same seed is used 2 times (1 frame and 25 frames later).
i remember something like that, and its useless, the slowest per frame decode time is what matters (either you can do X fps realtime or you cant) unless you buffer 2sec video and audio but then you will have a speed loss due to cache misses, and it seems you overestimate the time needed to find the seed, this was But it is hard to keep syncronisation in case of dropped frame
yes that too
> – for PAL, use PALPLUS signal that is present on a know line
good idea, 2010 didnt do this
> – for SECAM use chroma bugs of the grabber chip (it is chip dependent)
2010 didnt support SECAM as there where no SECAM channels i cared about :)
… not that i seriously cared about the PAL channels, actually i watched very little, >95% of whats on TV (payTv or not) is total crap, iam sure i spend more time working on 2010 then i spend actually using it …
Comment by Michael — 2006-04-17 @ 23:37
Marvelous….now if we can get into the N3, would be more useful
Comment by Hauleywould — 2009-06-21 @ 17:54