TPScrypt HowTo, all you should know to write your own emulator!

Dear friends, I am writing this file because I think this version of TPScrypt
is too simple to be true.
My guess is that they updated in a hurry, I don't know why, but surely it will
not stay as is for long.

Now let's talk seriously: how to convert a TPScrypt ECM to Via1 format.

TPScrypt is simply an added layer on top of the good old Via1 crypt system.
The idea is to encrypt the ECM that asks the CAM to decipher the 16-byte
control word.
The result is that a "classic" Via1 CAM doesn't find the usual nanos and then
drops the ECM.

If you take a season + Wallbanger you can observe ECMs that look like this:

Incoming ECM Instruction
01 05 00 00 02 34
01 DF B7 FC E7 42 A0 46 E5 05 1C BE BA CE 93 88
CD D9 4E 47 E0 3F 15 26 7D A0 0D 0C 2B CB C3 74
44 D3 34 7A E9 3C E5 E8 46 53 F9 FD A7 53 E4 15
DD 8F C9 11 13
Signature Wrong!!

A classic Via1 ECM looks like this (from TSR1-hotbird):

Incoming ECM Instruction
01 05 00 00 00 24
00 94 0C E2 03 2C DA 01 EA 10 66 6B 80 E4 1F EF
BC 44 E2 41 CB 12 63 A4 DF BA F0 08 0D B9 CD B6
E1 E7 1B 7D 85
Signature OK!!

You can see a little difference: one is okay, the other is "garbage".
Our luck is that the modified Irdeto CAM by PH of the Humax5400 doesn't do any
check on the ECM and sends it to the card as is, even if the data is nonsense
for the CAM.

In the clear log from TSR1, you can see the Irdeto header, then the provider
ID + key number: 00 94 0C, and the ECM with its nanos.


Now, let's see the format of a Via1 ECM in a Via1 CAM buffer (thanks to
Denny for the log):
81 7X XX 90 03 00 94 0C YY..YY
And, the ECM in TPS crypt format:
81 7X XX D2 01 01 DF B7 FC E7 42 ZZ..ZZ
-------------->** ** **

The XX is the length of the current ECM, the YY..YY is the ECM and the ZZ..ZZ
is the encrypted ECM (TPScrypt format).

Now, just look at the arrow: it shows you the beginning of the buffer sent by
the Humax firmware to the external card.
In Via1 it starts by sending 00 94 0C, the provider ID. (2nd Wallbanger log)
And in TPScrypt it sends an ECM that starts with 01 DF B7 etc. (1st Wallbanger
log)


Let's convert the ECM:
In the numerous logs we've made, it always starts with 01 DF B7 ....
That means the algo produces the same encrypted result from an ECM with
constant beginning data (90 03 00 7C 08).
Then Denny told me it was a XOR function! So, with calc.exe, the extreme tool
from windoz (TM) for reversing unbelievable crypto algos, we just did:
DF XOR 90 = 4F
B7 XOR 03 = B4
FC XOR 00 = FC
E7 XOR 7C = 9B
42 XOR 08 = 4A

With this little example you can guess how to find the TPS tables to decrypt
the ECMs to a normal Via1 format.
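
The XOR step above is the textbook failure of a fixed mask: one known plaintext prefix gives up the mask bytes, and any two messages under the same mask leak the XOR of their plaintexts. The following is an added illustration, not code from the original file; it uses only the five header bytes quoted above, and the payload and mask tail bytes are constructed for the demonstration.

```python
# Added illustration: why a fixed XOR mask gives no confidentiality.
# Header bytes are the ones quoted in the text; everything else is constructed.

def xor_bytes(a, b):
    """XOR two byte strings over their common length."""
    return bytes(x ^ y for x, y in zip(a, b))

def recover_mask(cipher_prefix, known_plain):
    """Known-plaintext recovery: mask = ciphertext XOR plaintext."""
    return xor_bytes(cipher_prefix, known_plain)

def reuse_fingerprint(c1, c2):
    """With a reused mask, c1 XOR c2 == p1 XOR p2: the mask cancels out."""
    return xor_bytes(c1, c2)

def constant_prefix_len(captures):
    """Length of the prefix shared by all captures. A long shared prefix on
    'encrypted' traffic is the audit signal for a static mask over constant
    plaintext fields."""
    n = 0
    for column in zip(*captures):
        if len(set(column)) != 1:
            break
        n += 1
    return n

# From the text: start of the encrypted ECM and the constant Via1 beginning.
CIPHER_HEAD = bytes.fromhex("DFB7FCE742")
PLAIN_HEAD = bytes.fromhex("9003007C08")
MASK_HEAD = recover_mask(CIPHER_HEAD, PLAIN_HEAD)  # matches the start of Table1

# Constructed messages: same header, made-up payload bytes, made-up mask tail.
P1 = PLAIN_HEAD + bytes.fromhex("AA0102")
P2 = PLAIN_HEAD + bytes.fromhex("AA0F02")
MASK = MASK_HEAD + bytes.fromhex("112233")
C1, C2 = xor_bytes(P1, MASK), xor_bytes(P2, MASK)

if __name__ == "__main__":
    print("mask head:", MASK_HEAD.hex().upper())
    print("c1 ^ c2  :", reuse_fingerprint(C1, C2).hex().upper())
    print("shared ciphertext prefix:", constant_prefix_len([C1, C2]), "bytes")
```

A per-message nonce or IV feeding a real cipher removes both signals: the shared ciphertext prefix disappears and c1 XOR c2 no longer equals p1 XOR p2.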

How to find the complete tables: again, it's trivial to guess the full tables.
You can easily obtain the first bytes, because Via1 ECMs are constant at the
beginning of the ECM, but when you reach the Control Word, you have no
idea of the values. The idea is to find someone who has a winDVD card plus
an official goldbox from TPS just beside it. By great luck I have a good friend
from Belgium in this situation. So he sent us 2 logs: one from Wallbanger with
the full Via1 chat, and another with the WinDVD-extracted encrypted ECM.
With all this data we were able to calculate the 2 tables:

Table1:
4FB4FC9B4A7F44FB05FFBDBB162D6CC8
D896F9FE3FFF3624B6BF49C92D365ED0
1F097EA97FFF64B65B7EF8FC6E3F7FBF
DD3612E905FEB46C6FFE7EC825906D90

Table2:
7E6D7E1276FD2FFE6DFEDA3FDA6DBD97
D06DD89F69FDB637FE7F3692BD5216DF
FC96FF92FD6D7FB5FB4CB6B77ED9FE9B
FDF46D9BB936BF7FD22DDFB7D9FE69BF

So the progz to handle TPScrypt is ONLY and NOTHING MORE than a XOR on the
data that comes from the CAM to the card! Just move the result of the decrypted
ECM 3 bytes left, then you have a *NORMAL* ECM in Via1 format. The D2 01 01
nano is not useful for the Via1 algo.

To guess which table to use, just check if the ECM starts with DF B7 or EE 6E.

There are 2 last steps to do:
* At the end of the decrypted ECM in Via1 format, you have 2 bytes: FF 03.
You can remove them, they are not useful at all.
* Then, subtract 05 from the length of the ECM (the D2 01 01 & FF 03 nanos
are removed).

That's all !

Thanks to Denny from Croatia for the general ideas on this one, to Mickey, the
original author of the 5in1 software I use to implement TPScrypt inside, and
to all my friends from France & Belgium who helped me on this job.

Now, dear reverser, you can try to add TPScrypt to the usual Black, Red CAM!

T. on 20/07/2002

Made in France.