SoC in STB, descrambling algorithm implementation details

Discussion in 'Embedded Systems and Microcontrollers' started by spein468, Dec 18, 2017.

  1. spein468

    Thread Starter New Member

    Dec 18, 2017
    4
    0
    Hi guys, the STBs (set-top boxes) in Western Europe use CSA (Common Scrambling Algorithm), and it is implemented on the hardware side.
    Indeed, in the datasheets of STB SoCs there is a "transport demultiplexer/descrambler" (schematic in attached photo). What I want to know is: is the scrambling algorithm implemented in memory like EPROM/ROM? Or is something about the operating logic escaping me?
    Thanks
     
  2. WBahn

    Moderator

    Mar 31, 2012
    22,857
    6,820
    There are many ways to implement scrambling algorithms. The exact choice is up to the hardware designer and that decision is based on a number of factors. A lot of it depends on the complexity and design of the scrambling algorithms and whether it was intended to be efficiently descrambled using simple hardware, which this one probably was.
     
  3. spein468

    Thread Starter New Member

    Which one? In EPROM? Or is it implemented in the design of the support, in this case the "transport demultiplexer/descrambler"?
    If I wanted to get the algorithm, what is the way?
     
  4. WBahn

    Moderator

    There is no way for anyone to know how the algorithm in any particular piece of hardware is implemented -- that is up to the hardware designer that designed that particular piece of hardware.

    Look it up. It's been publicly available for 15 years.

    But it would appear that you don't want the algorithm, you want to steal content that you haven't paid for. That's a different problem and for that you need a way of compromising the keys that are used.
     
    spinnaker likes this.
  5. spein468

    Thread Starter New Member

    I know CSA is public, but there is another scrambling algorithm, not public, which is implemented, and I would like to get it, but I have to know the specific location where the algorithm is implemented.
    I thought I could connect to the SoC with JTAG and dump the ROM, but I don't know if the algorithm is there.
     
  6. spinnaker

    AAC Fanatic!

    Oct 29, 2009
    6,644
    2,928

    Maybe you need to explain why you would like to "get it". But I think WBahn already came up with that answer.
     
  7. WBahn

    Moderator

    If the security of the system is dependent on safeguarding the contents of a ROM, then you won't be able to just connect to it with a JTAG interface and dump the ROM -- that would have been pretty stupid on the designer's part, no?

    The replacement, CSA3, is based on AES-128. So perhaps first you should break that algorithm.
     
  8. spein468

    Thread Starter New Member

    I don't think that this different algorithm I'm writing about is CSA3, and I don't want to break the algorithm; I would reverse the algorithm from the STB, and I'm right to think that there is a possibility to interface with JTAG.
    But my problem is the location of the algorithm, as I said before.
     
  9. WBahn

    Moderator

    And as I've said before, twice, how the algorithm is implemented and where it is located is entirely, completely, and totally up to the person that designed THAT piece of hardware. That brand, that model, and that version.

    Why do you want to access the algorithm?

    If the designer of the hardware doesn't want certain information about the implementation to be accessible, then they will take steps to make it extremely difficult (i.e., all but impossible) to access it. The manufacturers of programmable parts know that many of their customers will want this capability and so they have parts in their product line that support it.
     