Background to the process of turning B-CAS card into a paid broadcast unreleased card "BLACKCAS" Summary, what happened on the net?

It is a topic that I am making noise around the Internet from around last weekend, it was possible to rewrite the contents of the B - CAS card necessary for watching TV. Around the month of February"The mysterious card" touching mystery card "that you can watch pay TV without registering" BLACKCAS card "Although it appeared, this time it is possible to do the same thing with the card at hand at hand.

Regarding what is going on in the current situation, just Maruya workshop has put together three rows today.

On May 18th (Friday) B-CAS

After all, because I received a radio wave to put together in three lines what's going on.

1. If the backdoor of M001 / M002 / T422 / T415 / T419 exceeding 80% of issued B-CAS cards is released, if the card is the target card, it is possible to refer and rewrite contract information and key information freely
2. Cryptographic algorithms for data used for key distribution such as ECM / EMM are also dropped C ++ code which can be compiled immediately
3. It is now possible to create b25decoder.dll and b25.exe that run without B-CAS without analyzing the B-CAS card

"M001", "T422" etc. appearing here are the types of B-CAS cards. It is written on the bottom right of the back of the card. This is M002, one of the cards this time the back door was revealed.

This is T - 002. It is an old card which has not been issued already.

Initially, on July 24, 2011, due to the stoppage of analog broadcasting, Japanese television broadcasting shifted to digital broadcasting (East Japan great earthquake disaster area stopped March 31, 2012). The digital broadcasting itself in Japan began in 1996 with "Japan PerfecTV!" Of Japanese digital broadcasting service. This is still a service as "SKY PerfecTV!" By SKY Perfect JSAT.

The B-CAS card appeared in 2000, in order to make it possible for only paid broadcasting subscribers in BS digital broadcasting to see applicable programsConditional Access System (CAS)It was. Terrestrial digital broadcasting began at 110 degrees CS digital broadcasting from 2002, B-CAS card has become an indispensable card to watch digital broadcasting from 2004 onwards since 2003.

Here is a report on what company B-CAS actually went through.

I went to a mysterious private corporation "B-CAS company" which damages the convenience of terrestrial digital broadcasting and hinders popularization

Inside the B-CAS cardCard IDWhenMaster key (Km)It contains. In digital broadcasting, TV programs are sent in an encrypted state, but along with the program dataECM(Entitlement Control Message) andEMM(Entitlement Management Message) has also been sent. ECM is a program for deciphering program information and encrypted programsScramble key (Ks)The one containing EMMWork key (Kw)It is encrypted and contained. Both of them are encrypted. First, the encryption of EMM is canceled with Km, the Kw is taken out, the encryption of ECM is canceled with the extracted Kw, the Ks is taken out, and the content of the encryption finally encrypted with this Ks It turns out to be a proper video signal and it is reflected on the TV.

Three year old Books "Game lab"June 19th page from page 19," Flow of decryption by B-CAS card "

Among these, EMM is transmitted for each B-CAS ID. For example, "Since a person of this ID has only a terrestrial wave contract of NHK, we will issue a message to join if we are watching BS" ID has a contract for every channel of SKY Perfec! E2, so I have to keep it all. " Since the individual information is saved in the B-CAS card, even if it is withdrawn from the television after use, if it is used next and EMM is received, "If we apply before 7 days free experience of SKY PerfecTV! E2 and the period is As you are done, please sign if you want to see "message.


The threat to this mechanism is that it appeared in February 2012 "BLACKCAS card"is. This card made by Taiwan will be able to see pay broadcasting, the biggest problem was whether the encryption algorithm of B-CAS card was decoded or not. According to Marumo SeisakushoIt was confirmed that BLACKCAS was created using regular B-CAS hardware, created arbitrary EMM and processed by IC chip of B-CAS cardSo, I know that the BLACKCAS card is made in the same environment as the B - CAS card, and if the encryption algorithm was decrypted, anyone can do the same thing any longer That's it.

And it turned out from the end of April 2012 to May that it turned out that the concern was partly in the middle. It became clear that a part of the B - CAS card contains a card which can unlock and rewrite the inside. The flow from here is easy to understand what was gathered in threads.

Yazin @ tumblr

Easy summary of B-CAS this time ver 0.2
BLACK-CAS will be released from Taiwan around February 2012
Foreigners at the end of April 2012 start to leak information in a spotless way
May 4, 2012
- 20:40 The above foreigners leaked Toshiba Card's UNLOCK key
- 23:33 Analysis thread reveals file management number in IC card
May 6, 2012
- 02: 49 Identification code of unreadable file (BC 01) is found
May 9, 2012
- 03: 14 Discover contract information in the file you read above
- 04: 13 Successful rewriting contract information on some channels
- 08: 56 Blue B-CAS is also suggested to be equivalent to red B-CAS
- Report that 09:48 foreigners are creating tools
- 17: 01 Blue B-CAS reddening success report
- 18: 48 Successful rewriting of contract information of star channel
May 10, 2012
- 00:41 Contract information rewritten files begin to circulate
- 03: 44 Finding the contract information position of the channel for difficult viewing area
- 15: 08 Successfully rewritten contract information of difficult channel for viewing area
- 16: 32 B-CAS number part in BC 01 is known, number change is possible
- 16:35 M001 Card dump memory reported
- 23:49 Aggregation with rewritable B-CAS ID starts
May 11, 2012
- 02: 49 Back BC 01 that can easily save / restore BC 01 is released
May 12, 2012
- 02: 48 The author of BackupBC 01 deleted the file, afterwards many fishing
May 13, 2012
- 08:52 foreigners publish RAR with path (tool source)
May 16, 2012
- 02: 39 The password of the above file is known

Although there are two types of B - CAS cards, Toshiba and Matsushita, initially it turned out that only a part of Toshiba cards can be rewritten. A tool corresponding to that was produced, and at the same time, Matsushita made card analysis also progressed. As a result, as mentioned at the beginning, backdoor information of more than 80% of issued B - CAS cards is released, and if it is a target card, the information can be freely rewritten. The following tweets briefly show the situation.

In the June Laboratory Game Lab released on May 16th, we feature the BLACKCAS card.

At the end of the article, there is an article saying that I succeeded on this T card rewriting on my own.

As a countermeasure to the present situation, as of March when the presence of BLACKCAS was reported at Marumo SeisakushoCreate a new B-CAS card and send it to all viewersComment that there is only "Matsu course" to do.If multiple B-CAS cards have contracts of multiple businesses, if they do not go well, "If there is more than one original card, multiple new cards will arrive at the customer"And from that,If it is not a pay broadcast, it is no longer necessary to stop using B-CAS (= DRM cancellation)There is also an opinion saying.

In other words, in the current situation, in order to make a B-CAS card at hand as a paid broadcasting unrelated card like BLACKCAS, it is only necessary to follow the following procedure.

◆ Step 1: Confirm B-CAS card
If the lower right corner of the back side is "M001 / M002 / T422 / T415 / T419", go to the next step 2

◆ Step 2: Preparing the IC card reader / writer
Corresponding IC card reader / writer "HX-520UJ.K"SCR 3310 - NTTComAndAmazonWe will purchase from.

◆ Step 3: Rewrite with "2038 year kit"
You can complete it by rewriting the procedure as explained on the following page.

Back trick to enable BS / CS pay broadcasting to be viewed for free with B-CAS card rewrite | Will feel Tips
((Cache) Back trick to enable BS / CS pay broadcasting to be watched free with B-CAS card rewrite | Will feel Tips)

The final "Step 3" will become available if you get used to it in 3 to 5 minutes, you do not need to buy "BLACKCAS" which had been sold for about 50,000 yen so far, It will become possible to "BLACK CAS" any number of B - CAS cards.

Even now, further analysis is progressing on the net at the moment, so what kind of actions will take place from paid broadcasters, what will happen to B-CAS, and it is important to develop in the future.

in Note, Posted by logc_nt