Old 04-08-2009, 11:25 PM
Zero Gravity
Super Moderator
 

PART 2 of 2

C) Setting up your CW3000HD and CW4000HD as a cardserver using RQcs 1.04 and up (N2 and N3 cards)


This is pretty much the same as above, so a lot of cut and paste!

1) First, you must download, unzip and add the proper RQcs 1.04 components to the CW3K/4K. After the package is unzipped, you must manually copy the correct RQcs binary [rqcs.x86] to the usr/local/bin directory of the CW3K/4K; and then copy the rqcs.conf file from the "configs" folder of the RQcs 1.04 package and put it in the etc folder of the CW3K/4K. You must first be sure that you did the rwroot command in PuTTY as described above or you will not be able to add files to root-level folders! After the files are copied to the target directories, rename the "rqcs.x86" binary to rqcs and change permissions to 755 by right-clicking and going to "properties".

Edit the rqcs.conf to allow the VDR-SC to connect to it locally via newcamd protocol listed in your cardclient file (see above newcamd line). The example that I will provide below is a working example for my Dish ROM 102 card---I have not tested it with any other ROM card (ROM 103,SOx), but they should work as well. According to Raton's READ ME of RQcs, it should work with ROM103 cards and with ROM24x cards!!! FEEL FREE TO COPY THE RQCS.CONF TEXT AND PASTE IT INTO YOUR RQCS.CONF FILE. YOU WILL NEED YOUR OWN BOX KEYS!!!!

rqcs.conf file

Code:
 
###############################################################################
# rqcs configuration file                                                     #
# All configuration options in this file observe the same format:             #
#     <configuration_name>=<configuration_value>                              #
#                                                                             #
# No white space is allowed in any place or the configuration entry will be   #
# ignored.                                                                    #
###############################################################################

########################### general configuration #############################
[General]
# This sets the box type the card server will run on. Compatible boxes are:
# 0 - Dreambox
# 1 - Triple Dragon
# 2 - DGStation (Mutant/Relook/CubeCafe)
# 3 - Linux x86 PC
#
# NOTE: Ignored in the WIN32 version.
box_type=3

# Enable or disable background execution
# 0 - Disable
# 1 - Enable
#
# NOTE: Ignored in the WIN32 version.
background_execution=1

# This sets the level of console output for debugging:
# 0 - Silent, 1 - Basic debug info, 2 - Extended debug info,
# 3 - Show all debug info
debug_level=2

# This option enables or disables the writing of debug information to the
# console.
log_to_console=1

# This option enables or disables the writing of console output to a log file
log_to_file=1

# When log_to_file is set to 1, this is the path and filename to write console
# output to.
#
# NOTE: In the WIN32 version, if enabled, this should be set to a valid
#       Windows/DOS path.
logfile_name=/var/log/rqcs.txt

############################# slot configuration ##############################
# Logical slots are a combination of a physical slot/interface, card, and     #
# protocol server. There is no limit to how many logical slots can be added,  #
# except for those imposed by the device where it is running.                 #
###############################################################################
[Logical-Slot:Lower]
# Enable/Disable this logical slot. If disabled it will be completely ignored.
# 0 - Disabled, 1 - Enabled
enabled=1

# Sets the type of smartcard interface.
# 0 - ISO7816 Smartcard Interface.
# 1 - Phoenix type connected to RS232 serial port.
#
# NOTE: Ignored in the WIN32 version. Always uses Phoenix interface.
sci_type=1

# The numeric identifier of the smartcard interface
# eg: for internal iso7816 slots: 0 = sci0, 1 = sci1, 2 = sci2 and so on...
#     for rs232 serial ports: 0 = ttyS0, 1 = ttyS1, 2 = ttyS2 and so on...
#
# NOTE: There's a small difference in the WIN32 version:
#       0 = COM1, 1 = COM2, 2 = COM3 and so on...
sci_ordinal=0

# Clock frequency of the internal box smartcard interface, in Hertz.
# This is only used when ISO7816 smartcard interface is selected.
sci_clock_frequency=3574595

# ECMs received in shorter intervals than what is specified in this parameter
# (in seconds), will be rejected. [This is currently not implemented!]
maximum_ecm_rate=2

# Block Global/Shared/Unique EMM's [This is currently not implemented!]
block_emm_g=0
block_emm_s=0
block_emm_u=0

# A list of SIDs to allow in this slot. If this is left empty, all sids are 
# allowed. Format: <sid_1>|<sid_2>|<sid_3> ... and so on.
#
allow_sids=

# A list of SIDs to deny in this slot. Leaving this parameter empty has no
# special meaning. Format: <sid_1>|<sid_2>|<sid_3> ... and so on.
deny_sids=

# For Nagra cards, if they use the DT08 session negotiation method, you 
# must configure the IRD box key.
box_key=XXXXXXXXXXXXXXXX

# For Nagra cards, if they use the secondary key session negotiation
# method, you must configure the IRD secondary key.
#
# If the secondary key value is empty, the DT08 method will be attempted with
# the provided box key. If this value is specified, the box key will be 
# ignored (as the secondary key has the box key embedded) and the secondary key
# session negotiation method will be attempted instead.
# 
# The secondary key is 96 bytes long and has the following structure:
#
# II II II II XX XX XX XX XX XX XX XX XX XX Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK 
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK 
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK 
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK 
# Y2 Y2 Y2 Y2 Y2 Y2 Y2 Y2 CS CS 
#
# II     = IRD serial number.
# XX     = Unimportant.
# Y1, Y2 = SK signature and also used to calculate the box key.
# SK     = Actual secondary key data (CAM N, public modulus).
# CS     = Checksum.
#
# NOTE: The secondary key should be specified as a single line without spaces
# (like the box key), and should be the exact 96 bytes as extracted from the IRD.
secondary_key=

# Optional. Card provider's IRD RSA key.
rsa_key=

# The protocol with which the logical slot will communicate with the
# clients.
# 0 - Newcamd protocol.
protocol_server_type=0

# The port on which the logical slot's protocol server will be listening.
protocol_server_port=12000

# If the Newcamd protocol is selected, you must configure here the des
# key to be used for encrypting communication.
protocol_server_newcamd_des_key=0102030405060708091011121314

# The user list that will be able to connect to the logical slot.
# Format: <username_0>:<password_0>|<username_1>:<password_1> ... and so on.
protocol_server_users=localhost:localhost|dummy_2:dummy_2|dummy_3:dummy_3

###############################################################################
[Logical-Slot:Upper]
enabled=1
sci_type=0
sci_ordinal=1
sci_clock_frequency=3574595
maximum_ecm_rate=2
block_emm_g=0
block_emm_s=0
block_emm_u=0
allow_sids=
deny_sids=
box_key=
secondary_key=
rsa_key=
protocol_server_type=0
protocol_server_port=15001
protocol_server_newcamd_des_key=0102030405060708091011121314
protocol_server_users=dummy:dummy
**Not a lot of issues with RQcs---it works well! I got all bugs worked out with NewCS so no real key points here.

***Until you get the kinks worked out, it is a good idea to make sure you enable "log to file" option. I have a file as /var/log/rqcs.txt. When things are working, it will be a good idea to disable the logfile option to avoid potential space and memory problems.

Now you are ready to roll:

Make sure you have disabled VDR-sc softcam emulation by method described above, and that you are logged out of any of the USER profiles on your CW box. Open a PuTTY session and enter your CW root password (captive or CW3000HD---default are pws). From the command prompt, type the following command:
/usr/local/bin/rqcs &

If successful, you should see something like this:

RQcs 1.04 log

Code:
 
rqcs version 1.04, card server by raton_craquero.
rqcs is free software! -- visit the rqcs homepage at:
http://rqcamd.doesntexist.com

Usage: rqcs [OPTION] ...

These are the currently supported options for rqcs:
  -help             Show this information.

  -config <path>    Set a custom configuration file path.

  -debug-level <n>  Specifies the level of detail (n) when displaying debug
                    messages to the console (default is 1):
                      0 - Silent
                      1 - Basic information messages.
                      2 - Detailed debug information.
                      3 - Show all available debug info.

Read configuration settings from '/etc/rqcs.conf'

****************** Starting log on Fri Feb  6 03:14:46 2009 ******************

Configuration settings:
  Debug level: 2

Starting Logical Slot 'Lower' [Users: 3]
------------------------------------------------------------------------------
Device Path: /dev/ttyS0 | Listening Port: 12000
------------------------------------------------------------------------------

  Opening sci... Done
  Detecting card... Card present
  Resetting card... Done
  Identifying card type... 
    Historical bytes: D  N  A  S  P  1  0  2     R  e  v  1  0  C      
                      44 4E 41 53 50 31 30 32 20 52 65 76 31 30 43 
    Card type:        Nagra
    ROM Revision:     102
    EEPROM Revision:  Rev10C

  Configuring sci... 
    SCI | Conv: Inverse | Baud Rate: 115200 | Stop Bits: 2 | Parity: Odd

  Slot custom parameters:
    des_key: 0102030405060708091011121314
    box_key: XXXXXXXXXXXX
    secondary_key: 
    rsa_key: 
    
  Card start-up initialization...
    Using DT08 session negotiation:
    Setting Field Size:                 Done
    Retrieving IRD serial number:       XXXXXXXX
    Retrieving CAM serial number:       XXXXXX
    Retrieving System IDs:              0101,0106
    Retrieving CAM modulus (DT08):      Done
    Retrieving CAM challenge data:      Done
    Performing Session Key Negotiation: Successful
    
  Starting card worker thread...   Done
  Starting protocol server on port 12000 [newcamd protocol]
  
Logical Slot 'Lower' READY!
------------------------------------------------------------------------------

Starting Logical Slot 'Upper' [Users: 1]
------------------------------------------------------------------------------
Device Path: /dev/sci1 | Listening Port: 15001
------------------------------------------------------------------------------

  Opening sci... failed to open sci.

Logical Slot 'Upper' Disabled.
------------------------------------------------------------------------------
If all goes well, log onto a USER profile and watch TV! If your ROM card has current keys, everything should work and you will see something like this in PuTTY:

Code:
 
CONNECT **** [Fri Feb  6 03:15:50 2009] Processing incoming connection...
  User 'localhost' authenticated successfully [Client: Unknown] | Clients: 1

DATA **** [Fri Feb  6 03:15:50 2009] Processing card data request...
  Username: localhost | Logical slot: 'Lower' | Card data sent successfully.

ECM **** [Fri Feb  6 03:15:54 2009] Processing ECM request...
  Username: localhost (1 users) | SID: 0176 | Logical slot: 'Lower'
  Cache: Miss (1 elements) | Card: Valid control words returned. [757ms]
  CW0:CW1 | 1B045F7E7C9FE3FE:962AD7971840CF27
  
EMM **** [Fri Feb  6 03:15:55 2009] Processing EMM...
  EMM processed successfully by card [851ms].

EMM **** [Fri Feb  6 03:15:58 2009] Processing EMM...
  EMM processed successfully by card [850ms].

EMM **** [Fri Feb  6 03:16:01 2009] Processing EMM...
  EMM processed successfully by card [850ms].

ECM **** [Fri Feb  6 03:16:03 2009] Processing ECM request...
  Username: localhost (1 users) | SID: 0176 | Logical slot: 'Lower'
  Cache: Miss (2 elements) | Card: Valid control words returned. [748ms]
  CW0:CW1 | 1B045F7E7C9FE3FE:024E05552D04FC2D
  
EMM **** [Fri Feb  6 03:16:04 2009] Processing EMM...
  EMM processed successfully by card [851ms].

EMM **** [Fri Feb  6 03:16:07 2009] Processing EMM...
  EMM processed successfully by card [850ms].

EMM **** [Fri Feb  6 03:16:10 2009] Processing EMM...
  EMM processed successfully by card [851ms].

EMM **** [Fri Feb  6 03:16:13 2009] Processing EMM...
  EMM processed successfully by card [850ms].
You may have to change channels to get things started.


Some Key points:
As I mentioned above, the ecm.cache file is critical. After you tune to a channel for the first time, vdr-sc pulls this information for a particular SID from the datastream, and stores the “ecm” information for that channel in this file. For quicker channel changing information, vdr-sc then recalls this information from the ecm.cache whenever you tune back to that particular channel at a later time---which makes the channel changes much quicker in subsequent tune-ins. During card sharing on the CW3K/4K, the first time you tune to a channel that does not have the ecm information for that particular SID stored in the ecm.cache file, it may take up to a minute for that channel to come in. However, once the information is saved into the ecm.cache file, subsequent channel changes to that same channel are fast! This is a minor drawback to the cardsharing on the CW3K/4K.

Right now, vdr-sc will not default to card sharing if it goes down during a provider ECM attack. You will once again have to manually enable cardsharing by making sure that the Softcam.key file is disabled (renamed) to force local card-based decryption to be activated. Perhaps someone who knows Linux can modify vdr-sc so that it will default to cardsharing if it cannot retrieve the proper CWs for decryption from the core (software). This would really improve the efficiency of this setup and make it the best of both worlds.

If you install a new fix softcam {SC update} fix (ie step up from the 1-31 fix to the 2-3 fix), the install process will add a new softcam.key file and a new “fix_sc” script. You will need to redo steps 4 and 5 to set up the CW3k/4k for local cardsharing.

Although it is not recommended and is probably illegal, you may be able to card share over the internet with this procedure. I don't condone illegal stuff!!! This is for educational purposes and for the reasons I described above only!

As of now, this setup is >95% stable. Depending upon your number of clients, network reliability, and ROM card image, you may from time-to-time have newcs/rqcs just crash and need to be restarted. Fortunately, this has happened only once on my setup. Perhaps some tweaking with the ecm/emm cache will help this out a bit.

If you are the type of person who shuts down the CW3K/4K every day, you will need to restart the card server (newcs or rqcs) through PuTTY every time you start up your system---and before you log onto your USER profile. Also, you may have to update your card if the keys change while you are down.

Finally, once you are successful, make sure that you disable vdr-sc logging by undoing step 5 (except do not make changes in the "cryptosystem options" menu), otherwise vdr-sc will become unresponsive with a massive log file. Also make sure that you undo the rwroot command!

I hope this helps!!! Now if someone can somehow write a plugin for the VDR JAVA interface to automate this process----it would be awesome!!! Now on to my quest of adding a USB based card reader to the CW4000HD!!!