lilpele12
09-13-2007, 02:48 PM
C&P from another site... maybe someone with knowledge of the subject can shed light on what exactly is going on and when.
New method of Video key change introduced. Guessed targets:
Modified FTA
Emulators and simulators of various sorts
Public Plastic code.
What is new?
Current countermeasure attacks improper handling of $0016, technical name TIMER3_CTRL_REG.
What does it do?
Pretty much as its name states, it's a counter.
What was the attack based on?
Many simulators or emulators fail to properly handle masking rules for registers such as this.
Bit 1 of the timer indicates that the timer is active. If bit 1 is set, no other bit can be modified by the user until the user has cleared bit 1 of the TIMER3_CTRL_REG.
How was it used?
By clearing the bit that activates the timer and setting the other bits to a value required to modify the video key sent in the same packet.
Once these bits were set, in this case to #$43, the timer was activated and attempts to modify the timer on bits 0, 2, 6 and 7 occurred. This is the attack aimed at emulators. Improper handling of this timer would alter those bits, and the following check would exit the update without adding a new video key set.
In case anything managed to overlook this exit, a second trap is set: after the timer is turned off, the value in the timer is XORed with a byte from the key set to give its true value. Any device that allowed alteration of the timer would end up with an invalid IDEA key. This is also a device ensuring that illegally modified FTA could not scan decrypted EMM commands and easily pluck out the new key value. The same holds true for simulators.
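As an added illustration (not part of the quoted text, and not the card's or any emulator's real code): a small C model of the masking rule the post describes, with a correct register model beside a sloppy emulator, and both traps run against each. The exact write semantics, the 0x41/0x43 load sequence, the poke values and the read-modify-write used to stop the timer are my assumptions for illustration; only the bit-1 rule, the #$43 value, the poked bits and the XOR-with-key-byte step come from the post.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Register layout follows the post; the write rules and the update
 * sequence below are assumptions for illustration, not real firmware. */
#define TIMER3_CTRL_REG   0x16        /* $0016 in the post */
#define TIMER_ACTIVE      (1u << 1)   /* bit 1: timer is running */

typedef struct { uint8_t regs[0x20]; } card_t;
typedef void (*write_fn)(card_t *, uint8_t, uint8_t);

/* Hardware rule from the post: while bit 1 is set, a write may only
 * clear bit 1; every other bit keeps its current value. */
static void hw_write(card_t *c, uint8_t addr, uint8_t val) {
    if (addr == TIMER3_CTRL_REG && (c->regs[addr] & TIMER_ACTIVE)) {
        c->regs[addr] = (uint8_t)((c->regs[addr] & ~TIMER_ACTIVE) |
                                  (val & TIMER_ACTIVE));
        return;
    }
    c->regs[addr] = val;
}

/* Sloppy emulator: stores whatever is written, no masking at all. */
static void emu_write(card_t *c, uint8_t addr, uint8_t val) {
    c->regs[addr] = val;
}

typedef struct {
    bool    first_trap_ok;     /* register still reads 0x43 after pokes */
    uint8_t ctrl_after_pokes;  /* what the register held at the check */
    uint8_t key_byte;          /* second trap: ctrl ^ key-set byte */
} update_result_t;

/* Assumed key-update sequence modelled on the post:
 * 1. timer off, load the value bits (0x41), then set bit 1 -> 0x43
 * 2. poke bits 0, 2, 6 and 7 while the timer runs (hardware ignores it)
 * 3. first trap: the register must still read 0x43
 * 4. stop the timer by read-modify-write and XOR with the key-set byte */
static update_result_t key_update(write_fn wr, uint8_t keyset_byte) {
    card_t c = {{0}};
    update_result_t r;

    wr(&c, TIMER3_CTRL_REG, 0x41);          /* bits 0 and 6, timer off */
    wr(&c, TIMER3_CTRL_REG, 0x43);          /* same bits, timer on */

    wr(&c, TIMER3_CTRL_REG, 0x43 ^ 0x01);   /* try to clear bit 0 */
    wr(&c, TIMER3_CTRL_REG, 0x43 ^ 0x04);   /* try to set bit 2 */
    wr(&c, TIMER3_CTRL_REG, 0x43 ^ 0x40);   /* try to clear bit 6 */
    wr(&c, TIMER3_CTRL_REG, 0x43 ^ 0x80);   /* try to set bit 7 */

    r.ctrl_after_pokes = c.regs[TIMER3_CTRL_REG];
    r.first_trap_ok = (r.ctrl_after_pokes == 0x43);

    /* Stop the timer: read, clear bit 1, write back. On real hardware the
     * other bits are still 0x41; an emulator that honoured the pokes
     * carries its corrupted bits into the key derivation. */
    uint8_t v = (uint8_t)(c.regs[TIMER3_CTRL_REG] & ~TIMER_ACTIVE);
    wr(&c, TIMER3_CTRL_REG, v);
    r.key_byte = (uint8_t)(c.regs[TIMER3_CTRL_REG] ^ keyset_byte);
    return r;
}

/* Small helpers so each trap can be checked on its own. */
static bool first_trap_passes(write_fn wr) {
    return key_update(wr, 0x00).first_trap_ok;
}

static uint8_t key_byte_for(write_fn wr, uint8_t keyset_byte) {
    return key_update(wr, keyset_byte).key_byte;
}

int main(void) {
    const uint8_t kb = 0x5A;  /* constructed sample key-set byte */
    update_result_t hw  = key_update(hw_write, kb);
    update_result_t emu = key_update(emu_write, kb);
    printf("hardware : ctrl=0x%02X trap1=%s key=0x%02X\n",
           hw.ctrl_after_pokes, hw.first_trap_ok ? "pass" : "FAIL", hw.key_byte);
    printf("emulator : ctrl=0x%02X trap1=%s key=0x%02X\n",
           emu.ctrl_after_pokes, emu.first_trap_ok ? "pass" : "FAIL", emu.key_byte);
    return 0;
}
```

The point of modelling it this way is that the second trap does not depend on the first: even an emulator patched to skip the `first_trap_ok` exit still derives its key byte from a register value that real hardware never reaches, so the resulting IDEA key is wrong without any explicit "you are an emulator" branch to find and patch.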