Thursday, January 31, 2013

NDS Command Structure 2 v0.5


(VideoGuard/NDS2 command and status data stream format)


NDS Command Structure 2 v0.5
Card Version 2.0
by Powermouse

This information is for academic interest and educational purposes only. There is nothing in this text that will enable decoding of NDS encryption. Illegal watching of encrypted TV is not condoned.

1. Introduction
2. Answer to Reset (ATR)
3. The Zero Knowledge Test (card verification)
4. The communication Protocol
5. The Entitlement Control Message (ECM)
6. The Entitlement Management Message (EMM)
7. The Instructions in detail
8. The signature
9. Codes
9.1 The Fuse Byte
9.2 The Rating Byte
9.3 The Parental Control Byte (PCB)
9.4 The Country Code.
9.5 The Regional code
9.6 The Bitmap algorithm
9.7 The keys
9.8 Structure of Date and Time
9.9 The Status Words
9.10 The Channel Entitlements (taken from Colibri Doc: http://colibri.move.to/)

1.Introduction:

The card is always asked by the ICAM to receive or send information. The card never asks the ICAM to do anything! To do this the ICAM always sends a 5 byte long command packet header to the card.

Standard 5 byte ISO-7816 header : "CLASS INSTRUCTION PARAM1 PARAM2 PARAM3"

With the introduction of the new card 2 new classes were introduced:

Class Meaning
D0/D1 Replaces 48 of the old card
D2 appends a 16 byte signature on the instruction reply
D3 Use an additional stream cipher to secure transmission between card and box (NOT using internal HashCircuit)

(Class 48 is no longer supported and causes the card to rerun part of the initialisation, including the ATR output.)

PARAM1 and PARAM2 are used differently and are often ignored. PARAM3 is the length of the packet to be sent or expected to be received. The card's first reply is the instruction number, which is a vital value for the ICAM. These instruction numbers are possibly contained in a jump table in the ICAM's source, leading to a specific offset where processing continues.

2.The Answer To Reset (ATR):

Former ATR: 3F 7F 13 25 03 40 B0 0B 69 4C 4A 50 C0 00 00 53 59 00 00 00
New ATR : 3F 7F 13 25 03 33 B0 06 69 FF 4A 50 D0 00 00 53 59 00 00 00

3F TS - "3F" indicates inverse convention ("3B" would be direct convention)
7F T0 - "7" (0111...) indicates TA1, TB1, TC1 will be sent; "F" (...1111) indicates that 15 historical bytes will be sent.
13 TA1 \
25 TB1 - used for baudrate calculation
03 TC1 /
33 B0 06 69 - version info. Was "40 B0 0B 69"
FF - Was the ASIC reply. Now FF because it is no longer used, for multiple reasons
4A 50 C0 00 00 53 59 00 00 00 - the 15 historical bytes (system ID)
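
The byte-by-byte reading above follows ISO/IEC 7816-3. As an added example (not part of the original document), the Python below walks both ATRs the same way and checks that the lengths announced in T0 match the bytes actually present. The function name parse_atr and the result keys are this example's own; the Fi/Di tables come from the standard, not from this page.

```python
# Added example: a small ISO/IEC 7816-3 ATR walker, run on the two ATRs in section 2.

# TA1 high nibble (FI) -> clock rate conversion factor Fi
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
# TA1 low nibble (DI) -> bit rate adjustment factor Di
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

# Both ATRs exactly as printed in section 2.
FORMER_ATR = bytes.fromhex("3F 7F 13 25 03 40 B0 0B 69 4C 4A 50 C0 00 00 53 59 00 00 00")
NEW_ATR = bytes.fromhex("3F 7F 13 25 03 33 B0 06 69 FF 4A 50 D0 00 00 53 59 00 00 00")


def parse_atr(atr: bytes) -> dict:
    """Split an ATR into TS, interface bytes and historical bytes, checking lengths."""
    if len(atr) < 2:
        raise ValueError("ATR must contain at least TS and T0")
    ts, t0 = atr[0], atr[1]
    if ts not in (0x3B, 0x3F):
        raise ValueError(f"unexpected TS byte {ts:#04x}")

    interface, protocols = {}, set()
    pos, y, i = 2, t0 >> 4, 1          # y = presence bits for TAi..TDi
    while True:
        for bit, name in ((0x1, "TA"), (0x2, "TB"), (0x4, "TC"), (0x8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                interface[f"{name}{i}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:                 # no TDi: no further interface bytes follow
            break
        protocols.add(td & 0x0F)
        y, i = td >> 4, i + 1

    k = t0 & 0x0F                      # number of historical bytes
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside historical bytes")
    pos += k

    if protocols - {0}:
        # A check byte TCK follows only when a protocol other than T=0 is offered;
        # it makes the XOR of T0..TCK equal to zero.
        if pos >= len(atr):
            raise ValueError("TCK missing")
        x = 0
        for b in atr[1:pos + 1]:
            x ^= b
        if x:
            raise ValueError("TCK mismatch")
        pos += 1
    if pos != len(atr):
        raise ValueError("unexpected bytes after the ATR")

    ta1 = interface.get("TA1", 0x11)   # 0x11 is the default (Fi=372, Di=1)
    return {
        "convention": "inverse" if ts == 0x3F else "direct",
        "interface": interface,
        "historical": historical,
        "Fi": FI_TABLE.get(ta1 >> 4),
        "Di": DI_TABLE.get(ta1 & 0x0F),
    }


if __name__ == "__main__":
    for label, atr in (("former", FORMER_ATR), ("new", NEW_ATR)):
        info = parse_atr(atr)
        print(label, info["convention"],
              {k: f"{v:02X}" for k, v in info["interface"].items()},
              info["historical"].hex(" ").upper(),
              f"Fi={info['Fi']} Di={info['Di']}")
```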

3. The Zero Knowledge Test (card verification)

These three Instructions are sent to verify that the card in the decoder is a true NDS card

Variables used:
r - 512 bit random number
n - 512 bit number which is the product of two large prime numbers; is constant; can be found in the ROM of the card and in the IRD firmware
s - based on a complex function of n

3.1 generate a random number r
>D1 4A 10 01 01
<4A - acknowledgement
>01 - selects one of two seeds that is to be used for a random number r
<90 -="" 00="" 20="" not="" ok="" p="">
3.2 send 96-bit hash of r^2 MOD n to IRD

>D1 5A 10 01 10
<5a -="" acknowledgement="" p=""><90 -="" 00="" 20="" not="" ok="" p="">
3.3 send either r*s MOD n or r to IRD

3.3.1 IRD asks for r
>48 5A 10 02 40
<5a p=""><33 41="" 42="" 63="" 78="" 99="" a1="" aa="" b0="" c4="" c9="" cb="" cf="" d4="" f1="" f5="" nbsp="" p=""><1f 06="" 1d="" 2f="" 3b="" 62="" 6f="" 93="" b9="" bb="" c4="" c7="" d3="" d8="" nbsp="" p=""><48 00="" 05="" 29="" 56="" 61="" 64="" 6e="" 7c="" 84="" b2="" bc="" c1="" c7="" d7="" f1="" nbsp="" p=""><90 -="" 00="" 20="" not="" ok="" p="">

3.3.2 IRD asks for r*s mod n
>48 5A 11 02 40
<5a p=""><71 16="" 1d="" 49="" 64="" 69="" 79="" 7f="" 84="" 94="" ae="" b2="" e2="" e9="" ea="" f2="" nbsp="" p=""><6e 0b="" 1c="" 21="" 51="" 55="" 6a="" 7b="" 82="" b4="" b5="" bf="" d9="" de="" ee="" nbsp="" p=""><90 -="" 00="" 20="" not="" ok="" p="">
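
The three steps above have the shape of a Fiat-Shamir identification round. The following added example (not from the original document, and not the card's code) runs that round with a constructed toy modulus. The SHA-256-based 96-bit hash, the public value v = s^-2 mod n and all class and function names are assumptions, since the page gives neither the hash nor how s is derived.

```python
# Added example: one Fiat-Shamir-style round as described in 3.1 to 3.3, toy sizes.
import hashlib
import hmac
import secrets

# Constructed toy modulus from two known Mersenne primes (the card uses a 512-bit n).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q


def h96(x: int, n: int = N) -> bytes:
    """96-bit commitment hash. SHA-256 truncated to 12 bytes is an assumption;
    the page does not name the hash the card uses."""
    width = (n.bit_length() + 7) // 8
    return hashlib.sha256(x.to_bytes(width, "big")).digest()[:12]


def public_value(s: int, n: int = N) -> int:
    """v = s^-2 mod n: what the verifier holds instead of the secret s."""
    return pow(s * s % n, -1, n)


class Prover:
    """Plays the card: knows the secret s."""

    def __init__(self, s: int, n: int = N):
        self.s, self.n, self.r = s, n, None

    def commit(self, r=None) -> bytes:
        # Steps 3.1/3.2: pick r, hand over only a hash of r^2 mod n.
        self.r = r if r is not None else secrets.randbelow(self.n - 2) + 2
        return h96(pow(self.r, 2, self.n), self.n)

    def respond(self, challenge: int) -> int:
        # Step 3.3: r for challenge 0, r*s mod n for challenge 1.
        if self.r is None:
            raise RuntimeError("commit() must be called before respond()")
        # One answer per commitment: answering both challenges for the same r
        # would hand the verifier both r and r*s, and therefore s.
        r, self.r = self.r, None
        return r if challenge == 0 else r * self.s % self.n


class Verifier:
    """Plays the IRD: knows n and v, never s."""

    def __init__(self, v: int, n: int = N):
        self.v, self.n = v, n

    def challenge(self) -> int:
        return secrets.randbelow(2)

    def check(self, commitment: bytes, challenge: int, response: int) -> bool:
        x = pow(response, 2, self.n)
        if challenge == 1:
            x = x * self.v % self.n          # (r*s)^2 * s^-2 = r^2 mod n
        return hmac.compare_digest(h96(x, self.n), commitment)


def run_rounds(prover: Prover, verifier: Verifier, rounds: int = 20) -> bool:
    """True only if every round verifies. A prover that does not know s can
    satisfy at most one of the two challenges per round, so the number of
    rounds sets the verifier's confidence."""
    for _ in range(rounds):
        commitment = prover.commit()
        e = verifier.challenge()
        if not verifier.check(commitment, e, prover.respond(e)):
            return False
    return True


if __name__ == "__main__":
    s = 3                                    # constructed toy secret
    verifier = Verifier(public_value(s))
    print("genuine prover accepted:", run_rounds(Prover(s), verifier))
    print("prover with wrong s accepted:", run_rounds(Prover(4), verifier))
```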
4.The communication Protocol:

4.1 Instruction Overview

Instruction Meaning
02 BSkyB identifier "SYAV" and ROM version 02.00
04 receives one byte and writes it to 8022h
06 sends the byte at 8022h
0E sends one byte (09) - unknown
12 sends encrypted chip information
1E sends 9 bytes - unknown
28
2A sends detailed card information (mostly from EEPROM)
40 makes it possible to process commands
42
4C

4.2 Command Overview

The values in brackets indicate the fixed length byte for this command. The remaining commands all have a variable length.

Red - commands are processed in realtime (no matter if signature is correct or not)
Fuchsia - commands are buffered and executed via the deferred command buffer only if the signature is correct
Lime - command is processed in real time but doesn't change anything. Only important for ASIC.
Blue -
Teal -
Black - handled separately

Basic command set:

00 [00] - No Operation
01 [04] - Sets Date/Time
02 [01] - Sets rating byte, marks message as ECM
03 [03] - checks channel entitlements
04 [00] - set bit 2Ah.0
05 [00] - clear bit 2Ah.0
06 [0B] - compares Postal code, opens card filter if they match
07 LE - set bit 2Ch.6
08 LE - Bogus!
09 [03] - initialise ASIC with specified key, flushes the command buffer (nanos which need no signature stay)
0A [05] - Bogus!
0B LE - write 14 bytes to 9E36h
0C [00] -
0D [00] - Bogus!
0E [00] - Bogus!
0F [04] - Bogus!
10 [02] - Bogus!
11 [04] - Bogus!
12 [12] - set Blackout bits
13 [02] - Bogus!
14 [01] - clear Blackout bits
15 LE - Bogus!
16 [07] - Bogus!
17 LE - Bogus!
18 [03] -
19 [01] - stores the Time Zone in EEPROM (9CC9h)
1A [04] - Bogus!
1B [03] - Bogus!
1C [00] - Bogus!
1D LE - stores the Zip Code in EEPROM (9CA8h)
1E [08] - set the PostCode
1F LE -
20 [00] - Bogus!
21 [00] - Bogus!
22 [00] - Bogus!
23 [00] - Bogus!
24 [00] - Close Filter
25 [00] - Flip filter, from open to closed or vice versa
26 [01] -
27 [0D] - Card Swap! (write cardswap key to 9FF5h/Date stamp to 9CA0h/update fuse)
28 [07] - Bogus!
29 [08] - something to do with PPV (add entry to purchase list?)
2A [01] - Bogus!
2B [02] - UnSwap card! (write cardswap send key to 9FF5h/Date stamp to 9CA0h/update fuse)
2C [04] - Bogus!
2D [04] - sets Activation Date/Time
2E [08] - Bogus!
2F LE - Bogus!
30 [00] -
31 [03] - checks Serial Number
32 [03] - checks Shared Address (whole card group)
33 LE - checks Shared Address, processes bitmap
34 LE - Bogus!
35 [00] - Bogus!
36 [00] - Bogus!
37 LE - Bogus!
38 [00] - checks Postal Code
39 [00] - Bogus!
3A [00] - Bogus!
3B LE - Bogus!
3C LE - Bogus!
3D [02] - activates card and write PPV spending limit
3E [00] - deactivate card
3F [02] - Bogus!
40 [00] -
41 [05] - add/update channel entitlements (tier)
42 [02] - drop channel entitlement (tier)
43 [02] - Bogus!
44 [04] -
45 [05] - Bogus!
46 LE - Bogus!
47 [01] - Bogus!
48 [00] -
49 [02] - Bogus!
4A [05] - Bogus!
4B [04] - Bogus!
4C LE - Bogus!
4D [00] - sets some data, PPV related, both in PPV ECM and EMM
4E [04] - writes four bytes
4F [14] - Bogus!
50 LE - Bogus!
51 LE - Bogus!
52 LE - Bogus!
53 LE -
54 LE - same as cmd53
55 LE - Bogus!
56 LE - Bogus!
57 LE -
58 [00] -
59 LE -
5A LE - Bogus!
5B LE -
5C LE - Bogus!
5D LE -
5E LE - Bogus!
5F LE -
60 LE - Bogus!
61 LE - Bogus!
62 LE - Bogus!
63 LE - Bogus!
64 LE - Bogus!
65 LE - Bogus!
66 LE - Bogus!
67 LE - contains signature to authorise packet
68 LE -
69 LE - Bogus!
6A LE - Bogus!
6B LE - Bogus!
6C LE - Bogus!
6D LE - sets some data, unknown, values can be read with INS78
6E LE - same as cmd6D
6F LE - Bogus!
70 LE - Bogus!
71 LE - Bogus!
72 LE - sets some data, unknown
73 LE -
74 LE -
75 LE - writes some data including Local Region Code. Values can be read with INS58
76 LE - Bogus!
77 LE - Bogus!

Extended command set:

7E LE - sets signature and key adjustment bytes
7F LE - sets signature and key adjustment bytes (bridges gap between 1.X and 2.0 cards)
CB 02 - sets two bytes, unknown

4.3. Card initialisation:

The following Instructions are issued by the box during initialisation:

1. Ins48
2. Ins4C

????

D1 48 00 00 36
D1 4C 00 00 09

D1 40 40 80 4A
D1 42 00 00 16
D1 5C 00 00 04

3. The IRD then asks to send 09 bytes with 48 4C 00 00 09

>D1 4C 00 00 09
<4C card acknowledges Instruction
>IN IN IN IN IRD Serial Number
>02 00 00 D8 02 unknown
<90 20 correctly married
If the card belongs to this box it replies 90 20 (OK).
If the card does not belong to this box it replies 90 00 (Not OK).
If the card has the fuse byte set but is previously unmarried, this command writes the IRD number to the card, thereby completing the marriage (sw1/2 = 90 a1). If the card is deactivated and this command arrives the IRD Serial Number is written to the card's EEPROM too (sw1/2 = 90 20).
If the IRD number is set to 00 00 00 00 it will be accepted by any box. eg an engineer's card.
The card must receive the correct IRD number before it will give valid responses to ECMs and EMMs.

4. The card is then asked for 09 bytes with 48 2C 00 00 09.

>48 2C 00 00 09
<2c acknowledges="" card="" instruction="" p=""><00 -="" 00="" 8000h="" add="" and="" convert="" hex="" is="" p="" pin="" then="" this="" to="" your=""><00 -="" below="" byte="" control="" p="" parental="" see=""><00 00="" p="" unknown=""><90 20="" p="" sw1="" sw2="">
We can change the PIN using command 48 2e 80 00 09.

5. Next we have an often repeated cmd 48 5C 00 00 04. It's a bogus instruction. Nothing is done although the box knows the card is still present and working.

>48 5C 00 00 04
<5c acknowledges="" card="" instruction="" p=""><00 00="" allways="" p="" zero=""><90 20="" p="">
The command flushes a buffer containing the 7E nano. So don't issue INS5C if you haven't already asked for the key (issued INS54) after sending an ECM to the card. You would get a totally wrong key.

5. The Entitlement Control

5.1. The Entitlement Control Message (ECM)

The following is a sample ECM packet logged with a DVBs. You'll see that only the last part is actually passed on to the smartcard. The first part is processed by the Box.

81 70 5C 00 00 01 0E 4D 1D 69 78 FF FF 19 25 01 20 01 00 00 B8 49 7E 12 00 00 00 00 00 00 00 00 E0 17 EA C7 14 8E 45 23 00 00 7F 12 E0 C0 32 4E 1A F8 5F 1A D6 78 DF F0 92 F1 BE 56 DD F7 09 10 10 00 01 4D 1D 69 78 CB 02 FF FF 02 00 03 00 10 00 03 B8 69 00 67 08 5D E7 B2 D3 82 0B 2F 70

Processed ONLY by the Box:

81 70 - packet separator, first byte alternates between 80 and 81 indicating even and odd CW
5C - length of the whole packet
00 00 01 - always the same
0E - Header length
4D 1D 69 78 - Date and Time
FF FF - different on BOX office but usually FF FF
19 25 - 9th and 10th byte of key returned by INS54
01 - either 01 or 11 indicating plain CW or encrypted CW is returned by card
20 01 00 00 - always the same
B8 - Checksum (00+00+01+0E+4D+1D+69+78+FF+FF+19+25+01+20+01+00+00=...B8)
49 - length of the packet sent to the SmartCard
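
The box-side fields listed above can be checked mechanically. This added example (not from the original document) validates the length bytes and the additive checksum of the sample ECM and splits off the part forwarded to the card. parse_ecm and the field names in its result are names chosen for this example.

```python
# Added example: validate the box-processed framing of the sample ECM in 5.1.

# Sample ECM exactly as printed in section 5.1.
SAMPLE_ECM = bytes.fromhex("""
81 70 5C 00 00 01 0E 4D 1D 69 78 FF FF 19 25 01 20 01 00 00 B8 49
7E 12 00 00 00 00 00 00 00 00 E0 17 EA C7 14 8E 45 23 00 00
7F 12 E0 C0 32 4E 1A F8 5F 1A D6 78 DF F0 92 F1 BE 56 DD F7
09 10 10 00 01 4D 1D 69 78 CB 02 FF FF 02 00 03 00 10 00
03 B8 69 00 67 08 5D E7 B2 D3 82 0B 2F 70
""")


def parse_ecm(pkt: bytes) -> dict:
    """Check the separator, both length bytes and the header checksum, then
    return the header fields and the bytes destined for the smartcard."""
    if len(pkt) < 8:
        raise ValueError("packet too short")
    if pkt[0] not in (0x80, 0x81) or pkt[1] != 0x70:
        raise ValueError("not an ECM packet separator")
    if pkt[2] != len(pkt) - 3:
        raise ValueError("packet length byte does not match the data present")

    hdr_len = pkt[6]                 # counts the bytes after it, checksum included
    hdr_end = 7 + hdr_len            # index just past the checksum byte
    if hdr_len < 1 or hdr_end >= len(pkt):
        raise ValueError("header length out of range")

    # The checksum is the low byte of the sum from "00 00 01" up to, but not
    # including, the checksum byte itself. An 8-bit sum like this catches
    # transmission errors; it is not an authenticity check (the card-bound
    # part carries the 67 signature nano for that).
    expected = sum(pkt[3:hdr_end - 1]) & 0xFF
    if expected != pkt[hdr_end - 1]:
        raise ValueError(
            f"header checksum {pkt[hdr_end - 1]:02X} != computed {expected:02X}")

    card_len = pkt[hdr_end]
    payload = pkt[hdr_end + 1:]
    if card_len != len(payload):
        raise ValueError("card payload length byte does not match the data present")

    header = pkt[7:hdr_end - 1]
    return {
        "cw_parity": "odd" if pkt[0] == 0x81 else "even",
        "date_time": header[0:4],
        # 01 = plain CW, 11 = encrypted CW returned by the card (per the page)
        "cw_mode": header[8] if len(header) > 8 else None,
        "checksum": expected,
        "card_payload": payload,
    }


if __name__ == "__main__":
    ecm = parse_ecm(SAMPLE_ECM)
    print("CW parity  :", ecm["cw_parity"])
    print("date/time  :", ecm["date_time"].hex(" ").upper())
    print("checksum   : %02X" % ecm["checksum"])
    print("card bytes :", len(ecm["card_payload"]))
```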

Processed ONLY by the SmartCard:

>D1 40 00 00 41 generated instruction header from the ICAM
<40
>00 - dummy sent by the ICAM too
>7E 12 00 00 00 00 00 00 00 00 E0 17 EA C7 14 8E 45 23 00 00 - signature and key adjustment
>7F 12 E0 C0 32 4E 1A F8 5F 1A D6 78 DF F0 92 F1 BE 56 DD F7 - signature and key adjustment (bridge gap between 1.X and 2.0 cards)
>09 10 10 00 - set key
>01 4D 1D 69 78 - current Date and Time
>CB 02 FF FF - sets two bytes
>02 00 - current rating byte for the film
>03 00 10 00 - Check for Channel "00 10" entitlement entry
>03 B8 69 00 - Check for Channel "B8 69" entitlement entry
>67 08 5D E7 B2 D3 82 0B 2F 70 - signature
<90 00 - sw1/sw2
5.2 Generation and output of the key (which includes the CW)

>D3 54 00 00 3C
<54 -="" acknowledges="" box="" instruction="" p=""><90 -="" 20="" p="" sw1="" w2="">
6. The Entitlement Management Message (EMM)


9. The interesting EMMs 48_42. These are variable length 16h, 22h, 30h, 31h, 35h or 3Eh etc.

They can be addressed to all cards using public key 10 (sometimes using a post-code filter), a group of cards (using shared address/CUSTWP bitmap and group key 12), or to a single card using private key 14 and unique address.

EMM length 16h This seems to be used for setting the date and time.
>09 10 00 00 initialise ASIC with selected 10 (public key - all cards)
>01 36 15 91 1d Set date and time
>10 cc 33 10 nano and two data bytes that increment on each successive EMM
>67_08 Signature nano
>d8 2f 9a 8e 40 0b 3e 6a Digital signature (not necessary for the included nanos)
<90 20

EMM length 30h
>09_10 00 00 initialise ASIC with selected 10 (public key - all cards)
>24 Flag, Close Filter
>38_09 postal code address nano
>06 Opens card filter if this is the post code.....
>48 52 33 20 20 35 51 41 "HR3 5QA" postal code
>6d_09 nano and length
>01 08 00 73 17 92 9f ff ff data - always the same?? This is found in the 48_78 string.
>6d_09 nano
>02 03 45 57 60 00 ff ff ff data - always the same??
>67_08 signature nano
>60 7f c9 6b dd f4 8c e6 signature


EMM length 31h. This EMM sets the Time Zone and Region Code
>09 10 00 00 initialise ASIC with selected 10 (public key - all cards)
>24 Flag, Close Filter
>38_09 postal code address nano
>06 Opens card filter if this is the post code.....
>4c 4e 32 20 20 34 50 5a "LN2 4PZ"
>19 00 Set time zone to 00 (GMT)
>75_13 Nano and length
>00 47 42 52 XX 00 00 00 00 00 00 00 00 00 00 00 00 00 00 GBR Region byte
>67_08
>59 16 84 78 a0 d5 ef 8a sig

EMM length 35h
>09 10 00 00 initialise ASIC with selected 10 (public key - all cards)
>24 Flag, Close Filter
>38 09 postal code address nano
>06 opens card filter if this is the post code.....
>4c 53 31 37 20 38 42 51 "LS17 8BQ"
>6e_07 6e_07 Nano
>06 01 01 01 01 20 08 data, unknown
>6e_07 6e_07 Nano
>07 01 01 01 01 8f 00 data, unknown
>6e_07 6e_07 Nano
>08 01 01 01 01 20 00 data, unknown
>67_08 signature nano
>7a ee 04 4c 88 66 db 0a signature

EMM length 3Eh
>09 10 00 00 initialise ASIC with selected 10 (public key - all cards)
>24 Flag, Close Filter
>38 09 postal code address nano
>06 Opens card filter if this is the post code.....
>47 4c 37 20 20 33 53 44 "GL7 3SD"
>6e_07 6e_07 Nano
>01 01 01 01 01 8f 00 data, unknown
>6e_07 6e_07 Nano
>02 01 01 01 01 8f 00 data, unknown
>6e_07 6e_07 Nano
>03 01 01 01 01 8f 00 data, unknown
>6e_07 6e_07 Nano
>05 01 01 01 01 8f 00 data, unknown
>67_08 signature nano
>e1 29 d2 77 3c 0d f3 11 signature

-----------
The following seem to be the activation EMMs. Usually addressed to a Shared Address/CUSTWP bitmap.
These occur about every ten minutes. The channel entitlements seem to be activated one at a time. This explains why when a card is activated the channels do not all get switched on at the same time.

EMM addressed to SA/CUSTWP bitmap Expired Card
>48 42 00 00 3c
<42 card acknowledges Instruction
>09 12 00 00 initialise ASIC with non-public (group) key 12
>33 33 nano
>00 SN SN 1st three bytes of SN (Shared Address)
>00 02 00 00 00 00 00 00 00 00 0c 00 00 00 02 80
>10 00 00 00 02 00 00 00 00 00 00 02 00 00 80 20 CUSTWP bitmap
>41 b7 21 38 06 C0 Channel Entitlement update and expiry date
>25 Flip filter cmd from open to closed or vice versa
>42 b7 21 Delete Channel Entitlement
>67_08 signature nano
>97 d2 a5 bd df 5f e7 eb signature
<90 80 Not OK.

EMM addressed to SA/CUSTWP bitmap Valid Card
>48 42 00 00 3c
<42 card acknowledges Instruction
>09 12 00 00 initialise ASIC with non-public (group) key 12
>33 33 nano
>00 SN SN 1st three bytes of SN
>00 00 22 00 00 06 02 30 84 40 02 00 00 00 10 00
>00 40 00 40 00 00 04 20 40 00 10 00 00 00 20 00 CUSTWP bitmap
>41 b7 77 38 0f C0 Channel Entitlement update and expiry date
>25 Flip filter cmd from open to closed or vice versa
>42 b7 77 Delete Channel Entitlement
>67_08
>1a 56 57 00 de 40 64 74
<90 a0="" bitmap.="" in="" not="" ok.="" p="" valid="">
Same Card ten minutes later:
>48 42 00 00 3c
<42 card acknowledges Instruction
>09 12 00 00 initialise ASIC with non-public (group) key 12
>33 33 nano
>00 SN SN 1st three bytes of SN (Shared Address)
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 CUSTWP bitmap (Only one card addressed)
>41 b8 2d 38 09 C0 Another Channel Entitlement update and expiry date
>25 Flip filter cmd from open to closed or vice versa
>42 b8 2d Delete Channel Entitlement
>67_08 signature nano
>ae d2 35 47 a7 46 66 f0 signature
<90 a0="" as="" be="" card="" entitled.="" is="" nbsp="" not="" ok.="" p="" the="" to="" written="">

A successful entitlement update:
>48 42 00 00 3c
<42 card acknowledges Instruction
>09 12 00 00 initialise ASIC with non-public (group) key 12
>33 33 nano
>00 SN SN 1st three bytes of SN (Shared Address)
>ff 7e 1f ec d8 3c 29 b9 c9 ab e9 a2 fc 58 cf 6d
>9d fd 1e 9c 2b ed 73 e4 e2 f6 34 cb 36 1f 7e 39 CUSTWP bitmap
>41 00 1d 38 1b C0 BBC channel entitlement ID
>25 Flip filter cmd from open to closed or vice versa
>42 00 1d Delete Channel Entitlement
>67_08 signature nano
>e4 5c eb c7 64 2c 97 31 signature
<90 21 OK. Accepted
Another type of group update addresses the card by its shared address but uses the 32 nano without a CUSTWP bitmap. This is another way of updating a whole group of cards.

>48 42 00 00 15
<42
>09 12 00 00 Initialise ASIC with non-public (group) key 12
>32 Open filter for whole card group
>SN SN SN SN of card group
>42 b7 82 Delete Channel Entitlement
>67 08
>30 51 8c a7 eb 0a 32 c8
>90 a0 Not OK. Update not needed as Channel Entitlement did not exist?

The PPV EMMs seem to use INS46
>48 46 20 01 3E
<46 card acknowledges Instruction
>1f 08 unknown
>09 10 00 00 initialise ASIC with selected 10 (public key - all cards)
>01 39 04 0c 70 Set date and time
>02 52 rating byte
>38_03 08 00 cc nano and data (length can also be 05 or 07)
>25 Flip filter cmd from open to closed or vice versa
>04 Flag, unknown
>4d_0e 1e 00 39 10 00 65 06 00 00 a3 e3 00 d9 e4 unknown, same as in PPV ECM
>4d_0e 1e 00 39 10 00 65 06 00 01 45 e3 01 b1 e4 unknown, same as in PPV ECM
>67_08 signature nano
>f1 54 d4 97 66 c3 7b 37 signature
<90 a0 Not OK


=============================================================================================

12. Occasionally we get a 48 5e 00 0b 01. Reads one status byte from card.
48 5e 00 0b 01
5e card acknowledges Instruction
03 03=valid?, 00=invalid?
90 20 sw1/sw2

[See also additional INS 48 5e 00 0e 62]

This cmd always seems to be followed by the next one:-

13. Another occasional cmd. 48_78. This seems to follow the 48_5e. Are they related?

48 78 03 00 14
78 card acknowledges Instruction
08 00 73 17 92 9F FF FF 01 08 00 73 17 92 9F FF FF 01 8F 00 pink string was written with the 6D_09 nano
90 20 OK

48 78 08 00 14
78 card acknowledges Instruction
08 00 73 17 92 9F FF FF 01 08 00 73 17 92 9F FF FF 01 20 00 pink string was written with the 6D_09 nano
90 20 OK

=============================================================================================
The Switch-On Commands
This is a log of the activation of a BBC card. They use the private key 14 and address the card by its unique address using nano 31.
These commands follow the activation EMMs for the card's postcode area. This is why you have to wait for the commands to be sent. Three of the EMMs are repeated a number of times, at about 20 minute intervals, over a period (24 hours?).

This is the first activation command:
>48 42 00 00 16
<42 card acknowledges Instruction
>09 14 00 00 initialise ASIC with private key 14
>31 checks Serial Number nano
>00 SN SN SN Serial Number
>3D 03 ec sets PPV spending limit and activates card (fuse byte now 05)
>67_08 signature nano
>01 02 03 04 05 06 07 08 signature
<91 81 successfully written
The greater the values set with the 3D the greater the fuse value?

The IRD then sends this request:
>48 58 00 00 35
<58 card acknowledges Instruction
>05 Fuse byte
>01 09 60 always the same
>SN SN SN SN card SN (unique address)
>ff ff ff ff unknown
>SN SN SN three bytes of card number (shared address)
>00 ff ff ff 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 unknown
>00 00 00 00 will be written with the 4e nano on activation (still zero)
>47 42 52 "GBR" on British cards only
>00 01 00 00 0X 0X 00 00 00 00 unknown
<91 80 OK
Note the sw1/2 has changed from 90 00 on a virgin card to 91 80 now that the fuse byte has been set and the region code is intact.

Next comes the IRD number.
>48 4C 00 00 09
<4C card acknowledges Instruction
>IN IN IN IN IRD Serial Number
>02 00 00 58 02 unknown
<90 a1="" correctly="" ird="" married="" number="" p="" saved="" successfully="">
It would seem that when the fuse byte has been set, the first time the card receives this IRD number test command, the IRD number is written to the card. The sw1/2 is 90 a1.

Next, request the PIN and Parental control rating byte (3F).
>48 2c 00 00 09
<2c acknowledges="" card="" instruction="" p=""><84 -="" 8000h="" add="" and="" convert="" d2="" hex="" is="" p="" pin="" then="" this="" to="" your=""><3f -="" byte="" control="" p="" parental="" unrestricted=""><00 00="" p="" unknown=""><90 a0="" p="" sw1="" sw2="">

Request region code. Note at this stage the specific region byte is still zero.
>48 1C 00 00 20
<1c acknowledges="" card="" instruction="" p=""><47 42="" 52="" british="" cards.="" nbsp="" on="" p=""><00 code="" is="" not="" p="" region="" set="" still=""><00 00="" p="" unknown=""><00 00="" 01="" 0f="" 75="" activation="" be="" cards="" intital="" nano="" on="" p="" the="" virgin="" will="" with="" written="" zero=""><90 20="" ok="" p="">

The next command seems to have six functions:
>48 42 00 00 32
<42 card acknowledges Instruction
>09 14 00 00 initialise ASIC with private key 14
>31 checks Serial Number nano
>SN SN SN SN Serial Number
>3d 03 EC sets PPV spending limit and activates card (fuse byte now 05)
>2d 3A xx xx xx Set activation date and time
>1e PC PC PC PC PC PC PC PC Set the PostCode
>4e 00 6c 4d 58 writes the four bytes " IMX" to before the region code in the 48_58 string (can vary)
>2b 03 EB writes "03 eb" to the 48_36 string. Some form of counter?
>41 B7 65 3A 1F c0 Add channel entitlement b7 65 (expiry date 3A 1F)
>67 08 signature nano
>01 02 03 04 05 06 07 08 example signature
<91 a1 write cmd accepted
Add channel entitlements 00 1d, b7 66, b7 72 and b7 73 using 41 nano:
>48 42 00 00 2f
<42 card="" command="" for="" icam="" p="" replys="">>09 14 00 00 initialise ASIC with private key 14
>31 checks Serial Number nano
>SN SN SN SN Serial Number
>41 00 1d 3A 1F C0 Add channel entitlement 00 1D (expiry date 3A 1F)
>41 b7 66 3A 1F C0 Add channel entitlement B7 66 (expiry date 3A 1F)
>41 b7 72 3A 1F C0 Add channel entitlement B7 72 (expiry date 3A 1F)
>41 b7 73 3A 1F C0 Add channel entitlement B7 73 (expiry date 3A 1F)
>72_02 00 01 unknown purpose
>67_08 signature nano
>01 02 03 04 05 06 07 08 example signature
<91 a1 write cmd accepted
Next EMM:
48 42 00 00 24
<42 card="" command="" for="" icam="" p="" replys="">>09 14 00 00 initialise ASIC with private key 14
>31 checks Serial Number nano
>SN SN SN SN Serial Number
75 0F 75_0F nano
12 01 06 02 00 00 00 00 00 00 00 08 00 03 0D is being written to the Region code string
>67_08 signature nano
>01 02 03 04 05 06 07 08 example signature
<91 a1 write cmd accepted

IRD requests again:
>48 58 00 00 35
<58 card="" command="" for="" icam="" p="" replys=""><05 byte="" fuse="" p=""><01 09="" 60="" always="" p="" same="" the=""><00 00="" 08="" ff="" p="" unknown=""><00 4d="" 4e="" 58="" 6c="" activation="" nano="" on="" p="" the="" was="" with="" written=""><47 42="" 52="" british="" cards="" nbsp="" on="" only="" p=""><00 00="" 01="" 03="" 0d="" p="" unknown=""><91 a0="" p="" sw1="" sw2="">
The sw1/2 has changed again to 91 A0.

Test IRD number again. This time the sw1/sw2 is 90 A0.
>48 4C 00 00 09
<4c card="" command="" for="" icam="" p="" replys="">>IN IN IN IN IRD Serial Number
>02 00 00 58 02 unknown
<90 a0="" correctly="" ird="" married="" number="" p="" saved="" successfully="">
Request PIN/Parental control byte again.
>48 2c 00 00 09
<2c card="" command="" for="" icam="" p="" replys=""><84 -="" 8000h="" add="" and="" convert="" d2="" hex="" is="" p="" pin="" then="" this="" to="" your=""><3f -="" byte="" control="" p="" parental="" unrestricted=""><00 00="" p="" unknown=""><90 a0="" p="" sw1="" sw2="">
Request region code again.
>48 1C 00 00 20
<1c card="" command="" for="" icam="" p="" replys=""><47 42="" 52="" british="" cards.="" nbsp="" on="" p=""><00 code="" is="" not="" p="" region="" set="" still=""><00 00="" p="" unknown=""><01 00="" 02="" 03="" 06="" 08="" 0d="" 0f="" 75="" activation="" cards="" intital="" nano="" on="" p="" the="" virgin="" was="" with="" written="" zero=""><90 20="" ok="" p="">
At this stage the card is married to the box and will open the FTV channels except BBC1 as the specific region code byte (00) has not been set.

A few hours later the card received this PostCode addressed cmd which sets the Region Code byte using the 75_13 nano.
Note the first time this is received the region specific byte is set and the sw1/2 is 91 a1. If we send this cmd again the sw1/2 is 90 80.

>48 42 00 00 31
<42 card="" command="" for="" icam="" p="" replys="">>09 10 00 00 initialise ASIC with public key 10 (all cards)
>24 Flag, Close Filter
>38_09 postal code address nano
>06 Opens card filter if this is the post code.....
>PC PC PC 20 20 20 20 20 post code
>19 00 sets time zone (00=GMT)
>75_13 75_13 nano
>00 47 42 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 GBR Region byte
>67_08 signature nano
>01 02 03 04 05 06 07 08 sample signature
<91 a1 write cmd accepted
The card will then open on BBC1.
This seems to complete the sequence of switch-on commands.
Sending these cmds again to the card results in different sw1/sw2 (eg 90 a0 instead of 90 a1) which suggests re-write protection flags are set.

7. The Instructions in detail

7.1 INS02: Send ID and ROM Version
>D1 02 00 00 08
<02 nbsp="" p=""><53 00="" 02.00="" 02="" 41="" 56="" 59="" bsk="" identifier="" p="" rom="" version=""><90 00="" nbsp="" p="">
7.2 INS04: Write XX to 2016h
>D1 04 00 00 01
<04
>XX
<90 00
7.3 INS06: Reads byte from 2016h
>D1 06 00 00 01
<06 nbsp="" p=""><90 00="" nbsp="" p="">
7.4 INS0E: does something
>D1 0E FF 02 01
<0E
<09
<90 00
7.5 INS12: Reads technical information from the top of EEPROM
>D1 12 00 00 08
<12 p=""><01 cms="" p="" version=""><13 10="" 2f="" batch="" number="" p=""><05 number="" p="" wafer=""><1b 15="" die="" p="" position=""><02 microcode="" p="" rom="" version=""><90 00="" nbsp="" p="">
7.6 INS1E: does something
>D1 1E xx xx 09
<1e nbsp="" p=""><90 00="" nbsp="" p="">
7.8 INS28: send 01 FF to IRD
>D1 28 00 00 02
<28
<01 FF
<90 00


00 FC AA CD 0A card serial number plus ID byte
01 32 1E 20 09 00 10 always the same
20 fuse byte
01 09 61 always the same
00 FC AA CD card serial number
FF FF FF FF
00 FC AA 00 shared address
FF FF FF 00 00 00 00 00 00 00 00 00 08 00 00 00
00 00 00 00 00 00 00 00 47 42 52 00 01 00 00 01
00 00 00 00 00
00 00 00 01 IRD number
00 00 PPV Spending Limit
00 00 00 00 00 00 00 00 00 PPV Entitlements (empty=not entitled)




7.9 INS2A: Read detailed card data (mostly from EEPROM)
>D1 2A 00 00 FF
<2a nbsp="" p=""><01 00="" 09="" 10="" 1e="" 20="" 32="" p=""><05 byte="" fuse="" p=""><01 09="" 61="" by="" has="" increased="" one="" p=""><00 00="" 01="" 03="" 42="" 47="" 52="" nbsp="" p="" xx=""><0d 00="" nbsp="" p=""><03 ec="" h="" limit="" p="" ppv="" spending=""><00 00="" empty="not" entitled="" entitlements="" p="" ppv=""><00 00="" nbsp="" p=""><00 00="" nbsp="" p=""><00 00="" nbsp="" p=""><00 00="" nbsp="" p=""><00 00="" nbsp="" p=""><00 00="" nbsp="" p=""><00 1d="" 3b="" and="" bytes="" channel="" d1="" date="" entitlements="" expiry="" p=""><00 00="" channel="" empty="" entitlement="" p="" space=""><00 00="" channel="" empty="" entitlement="" p="" space=""><00 00="" channel="" empty="" entitlement="" p="" space=""><00 00="" channel="" empty="" entitlement="" p="" space=""><90 00="" p="">
7.10 INS36: The "Phone Home" Data
>D1 36 00 00 FF
<36 nbsp="" p=""><09 00="" 14="" key="" p="" private="" use=""><01 00="" nbsp="" p=""><67 08="" 1b="" 30="" 36="" 41="" 6f="" 89="" ba="" e3="" generated="" p="" signature=""><00 00....="" 00="" p=""><90 00="" p="">
This "36" buffer seems to store some card data from the initial activation and PPV information.
This is the data that may be returned from the card via the telephone line when the IRD "phones home" .

On a virgin card the data after the FA nano is 00 01 02 03 04 05 06 07. This data is changed after the card is put in the IRD and can vary (as do the sig bytes) depending upon previous cmd sent to card. This may have something to do with one of the 5A INS.

7.11 INS40: CMD dispatch
>D1 40 00 00 LE
<40
>LE bytes processed as commands
<90 00
7.12 INS42: CMD dispatch
>D1 42 00 00 LE
<40
>LE bytes processed as commands
<90 00
7.13 INS44: receive card swap data
>D1 42 00 00 LE
<40
>card swap data (sent by INS56)
<90 00
7.14 INS48: Send card information (mostly from EEPROM)
>D1 48 00 00 36
<48 nbsp="" p=""><48 1e="" h="" nbsp="" p="" xx="" zipcode=""><4e 00="" 06="" 39="" and="" by="" cmd4e="" fd="" h="" ins44="" p="" used=""><19 00="" h="" p="" timezone=""><2d activation="" date="" h="" p="" string="" xx=""><72 00="" 01="" 02="" h="" p="" unknown=""><5d 00="" 01="" h="" p="" unknown=""><40 40="" p="" unknown=""><00 00="" nbsp="" p=""><90 00="" nbsp="" p="">
7.15 INS54: finalises the key generation process, encrypts and sends the output
>D3 54 00 00 3C
<54 -="" acknowledges="" box="" instruction="" p=""><90 -="" 20="" p="" sw1="" w2="">
7.16 INS56: send card swap data
>D1 56 00 00 FF
<56 nbsp="" p=""><00 00="" nbsp="" p="">.....
<00 00="" nbsp="" p=""><90 00="" nbsp="" p="">
7.17 INS58: Sends card information
>D1 58 00 00 FF
<58 p=""><00 00="" nbsp="" p=""><90 00="" p="">
7.17 INS5A: ZKT: Send either r or r*s MOD n
>D1 5A 10 00 FF ;Unknown
<5a nbsp="" p=""><00 00="" nbsp="" p="">....
<00 00="" nbsp="" p=""><90 00="" nbsp="" p="">
7.18 INS72: sends some data
>D1 72 00 00 08
<72 nbsp="" p=""><00 00="" nbsp="" p=""><00 nbsp="" p=""><90 00="" p="">
7.19 INS74: sends protocol data
>D1 74 01 00 9C ;Lists all available Instructions in order from EEPROM
<74 nbsp="" p=""><01 01="" 26="" 9a="" nbsp="" p=""><90 00="" nbsp="" p="">==============================
>D1 74 02 00 03
<74 nbsp="" p=""><90 00="" p="">==============================
>D1 74 03 00 04
<74 nbsp="" p=""><90 00="" p="">==============================
>D1 74 04 00 10
<74 nbsp="" p=""><90 00="" p="">==============================
>D1 74 05 00 21
<74 nbsp="" p=""><00 00="" nbsp="" p="" xx=""><90 00="" p="">==============================
>D1 74 06 00 0A
<74 nbsp="" p=""><90 00="" p="">==============================
>D1 74 07 00 06
<74 nbsp="" p=""><90 00="" p="">==============================
>D1 74 07 00 06
<74 nbsp="" p=""><90 00="" p="">==============================
>D1 74 09 00 06
<74 nbsp="" p=""><00 00="" p=""><00 00="" p=""><00 00="" p=""><90 00="" p="">==============================
>D1 74 10 00 06
<74 nbsp="" p=""><90 00="" p="">
7.19 INS78: sends some data (replaces former INS1C ?)

>D1 78 00 00 14
<78 nbsp="" p=""><90 00="" nbsp="" p="">
>D1 78 03 00 14
<78 nbsp="" p=""><08 00="" 01="" 08="" 17="" 73="" 92="" 9f="" ff="" nbsp="" p=""><90 00="" nbsp="" p="">
8. The signature Scheme




9. Codes

9.1 The Fuse Byte

The fuse byte is set during the initial activation possibly with Cmd3D.

Bit Purpose
0 Active
1 (unknown)
2 Not Virgin
3 Swapped
4 (unknown)
5 Married
6 (unknown)
7 (unknown)

9.2 The Rating Byte

The level of parental control is selected in the services/parental control menu. This along with the rating byte sent in the ECMs can be used by the subscriber to block un-wanted programming.

The Rating Byte which follows the 02 nano describes the type of programming content.

00 = not-encrypted ?
40 = encrypted (Universal)
41 = encrypted/ppv (Universal)
42 = encrypted/ppv (PG)
43 = encrypted/ppv (12)
44 = encrypted/ppv (15)
45 = encrypted/ppv (18)
51 = ppv (12)
52 = ppv (15)
53 = ppv (18)
80 = Information/announcement channels

9.3 The Parental Control Byte (PCB)

The category of blocked programming is determined bitwise. Six bits are used. If a bit is set, that category is available; if it is not set, that category is blocked.
00 = blocks all channels.

PCB; "11 1111" LSB
|| ||||- unclassified
|| |||-- universal
|| ||--- PG
|| |---- 12
||------ 15
|------- 18

PCB:- 1F = 18 programming is blocked, 2F = 15 programming is blocked
37 = 12 programming is blocked, 3B = PG programming is blocked
3D = universal programming is blocked,
3F = unrestricted - no programming is blocked.

Other sample combinations of blocked channels:-
39 = U+PG 0F = 15+18 07 = 12+15+18 03 = PG+12+15+18 01 = U+PG+12+15+18


The PCB is set using the 48 2E 40 00 09 command. See later in the INS3E section

9.4 The Country Code.

Values seen 01, 02, 08, 10 and 1b. This byte is a specific country code related to the Postal Code.
01 is for all English postcodes.
02 is for Scottish postcodes AB, DD, DG, EH, FK, G, HS, IV, KY, KA, KW, ML, PA, PH, TD, ZE.
08 is for Welsh postcodes CF, CH, DY, HR, LL, LD, NP, SA, SY, WR.
10 is for Northern Ireland postcode - BT.
1b is associated with "Postal Code" "UKxx". Is this another region or class of card?

9.5 The Regional code

03 RC is the Local Regional code. This is used for local BBC and ITV regional programming. It is written with 75 0f nano on initial activation.
03 01 is London
03 02 is Anglia
03 08 is Yorkshire
03 09 is Meridian
03 0D is Tyne-Tees
03 14 is Carlton Central, etc.

Some postcodes that lie in marginal areas between terrestrial transmitters may get two or more local regional services.
Please supply your regional bytes and local ITV channel(s) received so we can make a complete list.

9.6 The Bitmap algorithm

The Bitmap consists of 20 digits. Each digit consists of 8 bits. You will see that there are 256 Bits (FFh) in this Bitmap. Each bit represents a number that is either present (1) or not present (0). If bit number 4 (04h) is set to 1, then 04h is present. If bit number 45 (2Dh) is set to 0, then 2Dh is not present. (Start counting from the left!)
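
The bitmap layout described above, as an added C example that is not part of the original document. It assumes that "20" is hexadecimal (32 bytes, which gives the 256 bits mentioned) and that counting from the left means bit 0 is the most significant bit of the first byte; the function names are made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NDS_BITMAP_BYTES 32 /* assumption: "20" is hex, 32 bytes x 8 = 256 bits */

/* Number n lives in byte n/8; bit 0 is the leftmost (most significant) bit. */
static int bitmap_test(const uint8_t *bm, uint8_t n)
{
    return (bm[n >> 3] & (0x80u >> (n & 7))) != 0;
}

/* Mark number n as present (1) or not present (0). */
static void bitmap_put(uint8_t *bm, uint8_t n, int present)
{
    uint8_t mask = (uint8_t)(0x80u >> (n & 7));
    if (present)
        bm[n >> 3] |= mask;
    else
        bm[n >> 3] &= (uint8_t)~mask;
}

/* Copies every present number into out[] (room for 256) and returns the count,
   or -1 when the buffer is not exactly one bitmap long. */
static int bitmap_list(const uint8_t *bm, size_t len, uint8_t *out)
{
    int count = 0;
    if (bm == NULL || len != NDS_BITMAP_BYTES)
        return -1;
    for (unsigned n = 0; n < 256; n++)
        if (bitmap_test(bm, (uint8_t)n))
            out[count++] = (uint8_t)n;
    return count;
}

int main(void)
{
    uint8_t bm[NDS_BITMAP_BYTES], present[256];
    memset(bm, 0, sizeof bm); /* constructed sample bitmap */
    bitmap_put(bm, 0x04, 1);
    bitmap_put(bm, 0x2D, 1);
    int count = bitmap_list(bm, sizeof bm, present);
    for (int i = 0; i < count; i++)
        printf("%02Xh present\n", present[i]);
    return 0;
}
```

With this ordering, 04h sets mask 08h in the first byte and 2Dh sets mask 04h in the sixth byte.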

9.7 The keys

key 10 is the primary public key
key 11 is the secondary public key
key 12 is the primary group key
key 13 is the secondary group key
key 14 is the primary private key
key 15 is the secondary private key
key 16 is the cardswap receive key
key 17 is the cardswap send key

public key: same on every card, so signature is valid for every card
group key: same on a group of 256 cards, signature is valid for any card in this group
private key: unique to every card, signature is valid for only one card, this is mainly used for activation

Note that these are not the only keys used. The internal hash circuit has an extra keyset as well as initialisation data.

9.8 Structure of Date and Time

The date and time is sent to the card with the EMM 48 42 00 00 16, about every 16 seconds.
nano 01 36 15 91 1D = 2001.07.21 time not noted
nano 01 38 1D BF 7A = 2001.09.29 time 23:59 GMT
nano 01 38 1E 00 02 = 2001.09.30 time 00:00 GMT
nano 01 38 1E 60 46 = 2001.09.30 time 12:04 GMT
nano 01 39 01 00 05 = 2001.10.01 time 00:00:08 GMT

The following lines are an example algorithm. Set, for example, the Date:
unsigned char Date[4]={0x38,0x1D,0xBF,0x7A}; // example from above
int year,mon,day,hh,mm,ss;

void RevDateCalc()
{
    year=(Date[0]/12)+1997; // byte 0 counts months since January 1997
    mon=(Date[0]%12)+1;
    day=Date[1];
    hh=Date[2]/8; // upper 5 bits of byte 2
    mm=(0x100*(Date[2]-hh*8)+Date[3])/32; // low 3 bits of byte 2, upper 3 bits of byte 3
    ss=(Date[3]%32)*2; // low 5 bits of byte 3, in steps of 2 seconds
}

You will get 29.09.2001 23:59:52. Now you can try the opposite direction. Use the algorithm below and you will get "38 1D BF 7A", which is exactly the value we started from.

void Datecalc()
{
    Date[0]=((year-1997)*12 + (mon-1));
    Date[1]=day;
    Date[2]=hh*8+mm/8;
    Date[3]=(mm%8)*32+ss/2; // only the low 3 bits of mm go into byte 3
}

9.9 The Status Words

At the end of every instruction the card generates two bytes known as the status words sw1/sw2.
These indicate whether the instruction has been accepted, and other things about the card's status.
The first byte is either 90h or 91h, depending on whether a certain flag byte is non-zero.

The second byte can have the following values:-
00h, 01h, 20h, 21h, 80h, 81h, A0h or A1h
again, depending upon whether certain flag bits are set or not.

If the "filters open flag" is set at the end of the instruction, then we get 8xh or Axh, otherwise it will be 0xh or 2xh.

If the "IRD match flag" is set (correct card in IRD) then we will get either 2xh or Axh, otherwise 0xh or 8xh.

x is either 1 or 0 depending upon whether another flag bit is set or not.
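
The status word rules above, as an added C example that is not part of the original document. The bit positions (80h, 20h, 01h) are inferred from the list of sw2 values given in the text, the struct and function names are hypothetical, and the sample replies are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions inferred from the sw2 values listed in the text;
   the macro and field names are hypothetical. */
#define SW2_FILTERS_OPEN 0x80u
#define SW2_IRD_MATCH    0x20u
#define SW2_OTHER_FLAG   0x01u
#define SW2_KNOWN_BITS   (SW2_FILTERS_OPEN | SW2_IRD_MATCH | SW2_OTHER_FLAG)

struct nds_status {
    int sw1_is_91;    /* 1 when sw1 is 91h, 0 when it is 90h */
    int filters_open; /* sw2 is 8xh or Axh */
    int ird_match;    /* sw2 is 2xh or Axh */
    int other_flag;   /* the low bit the text calls "x" */
};

/* Decodes the last two bytes of a card reply. Returns 0 on success, -1 when
   the reply is too short or the pair is not one the text describes. */
static int nds_decode_status(const uint8_t *reply, size_t len,
                             struct nds_status *st)
{
    if (reply == NULL || st == NULL || len < 2)
        return -1;
    uint8_t sw1 = reply[len - 2], sw2 = reply[len - 1];
    if ((sw1 != 0x90 && sw1 != 0x91) || (sw2 & ~SW2_KNOWN_BITS) != 0)
        return -1;
    st->sw1_is_91 = (sw1 == 0x91);
    st->filters_open = (sw2 & SW2_FILTERS_OPEN) != 0;
    st->ird_match = (sw2 & SW2_IRD_MATCH) != 0;
    st->other_flag = (sw2 & SW2_OTHER_FLAG) != 0;
    return 0;
}

int main(void)
{
    /* Constructed replies: INS echo, one payload byte, then sw1/sw2. */
    const uint8_t replies[3][4] = {
        {0x58, 0x00, 0x90, 0x00}, {0x58, 0x00, 0x90, 0xA0}, {0x58, 0x00, 0x91, 0x21}};
    for (int i = 0; i < 3; i++) {
        struct nds_status st;
        if (nds_decode_status(replies[i], 4, &st) == 0)
            printf("filters_open=%d ird_match=%d other=%d sw1_is_91=%d\n",
                   st.filters_open, st.ird_match, st.other_flag, st.sw1_is_91);
    }
    return 0;
}
```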

9.10 The Channel Entitlements (taken from Colibri Doc: http://colibri.move.to/)

Sky World
Movies
Sky Movies Premier 1 30E2 B74D
Sky Movies Premier 2 30E2 B74E
Sky Movies Premier 3 30E2 B74F
Sky Movies Premier 4 30E2 B750
Sky Movies Premier Wide 30E2 B754
Sky Movies Max 1 30E1 B749
Sky Movies Max 2 30E1 B74A
Sky Movies Max 3 30E1 B74B
Sky Movies Max 4 30E1 B74C
Sky Movies Max 5 30E1 B78A
Sky Movies Cinema 1 B732 B747
Sky Movies Cinema 2 B732 B748
Sports
Sky Sports 1 30E3
Sky Sports 2 30E4
Sky Sports 3 30E5
Sky Sports Extra 30E3 30E4
Family Pack
Sports
Sky Sports News 0010 B752
British Eurosport 0010 B776
attheraces 0010 1531
Entertainment
Sky One 0010 B758 B759 B75A B75B B757 B723
Sky One Mix 0010 B889
UK Gold 0010 B758 B743
UK Gold +1 0010 B87B
UK Gold 2 0010 B745
Living TV 0010 B758 B73C
Living TV +1 0010 B87F
Granada Plus 0010 B75B B727
Challenge? 0010 B75B B73D
Bravo 0010 B75B B73F
Bravo +1 0010 B890
Paramount 0010 B758 B762
Sci-Fi 0010 B75B B729
Discovery Home & Leisure 0010 B757 B758 B759 B75A B75B B753
Discovery Home & Leisure + 1 0010 B84F
Men and Motors 0010 B75B B761
UK Style 0010 B75B B740
UK Style+1 0010 B869
UK Food 0010 B85C
UK Drama 0010 B75B B742
Discovery Health 0010 B833
E4 0010 B847
CNX 0010 B884
E! 0010 5B6B
UK Bright Ideas 0010 3C4D
Ftn 0010 33C0
Sky Travel Shop 0010 B738
News and Documentaries
Bloomberg 0010 B757 B758 B759 B75A B75B B725
CNBC 0010 B759 B735
Fox News 0010 B867
Discovery Channel 0010 B758 B759 B733
Discovery Channel + 1hr 0010 B758 B759 B763
Discovery Travel and Adventure 0010 B75D
Discovery Civilisation 0010 B75E
Discovery Sci-Trek 0010 B75F
Discovery Wings 0010 B831
National Geographic 0010 B758 B759 B728
National Geographic Channel + 1 0010 B758 B759 B7C9
Adventure One 0010 B7CB
The History Channel 0010 B759 30DD
History + 1 hr 0010 B759 B839
Biography 0010 B759 B83A
UK Horizons 0010 B759 B741
UK Horizons + 1 0010 B759 B84D
Discovery Animal Planet 0010 B759 B734
Discovery Animal Planet + 1 0010 B84E
UK History 0010 B880
Music and Radio
MTV 0010 B75A B72E
MTV Hits 0010 B77B
VH1 0010 B75A B72F
VH1 Classic 0010 B77D
MTV 2 0010 B75A B760
MTV Base 0010 B77C
MTV Dance 0010 B84B
TMF 0010 223A
The Box 0010 B75A B730
KISS 0010 B82B
Smash Hits 0010 B84C
Magic 0010 B853
Q 0010 B82C
Kerrang! 0010 B849
The Hits 0010 255F
Music Choice (10 channels) 0010 B757 B758 B759 B75A B75B B764
Big Blue 0010 B858 B85A B85B B859
The Saint 0010 B858 B85A B85B B859
The Villan 0010 B858 B85A B85B B859
Kids
Cartoon Network 0010 B758 B75A B774
Cartoon Network + 1 0010 B758 B75A B774
Boomerang 0010 B88F
Nickelodeon 0010 B758 B75A B72C
Nick Replay 0010 B758 B75A B72C
Nick Toons TV 0010 B87D
Trouble 0010 B75A B75B B73E
Fox Kids 0010 B758 B75A B72A
Fox Kids + 1 0010 B758 B75A B72A
Nick Jr. 0010 B7CA
Non-subscription channels
Channel 4 B766
five B765
BBC ONE 001D
BBC TWO 001D
BBC THREE 001D
BBC FOUR 001D
S4C ~ Digitol B777
Various channels
Music Choice Extra B721
Bangla TV B878
Premiership Plus 0010 B757 B758 B759 B75A B75B B739
Chelsea TV 0010 B757 B758 B759 B75A B75B B739
LBC B85F
ART Europe B85F
ART Movies B85F
ART Music B85F
Al Jazeera B85F
FilmFour Night: B770 only/Day: B770 0010 B757 B758 B759 B75A B75B
FilmFour +1 Night: B770 only/Day: B770 0010 B757 B758 B759 B75A B75B
Film4 Weekly Night: B770 only/Day: B770 0010 B757 B758 B759 B75A B75B
SouthForYou B879
NASN 2590
Ekushey TV B865
PTV Prime B837
STREAM-0 0010 001D B7C8
STREAM-1 0010 001D B7C8
STREAM-2 0010 001D B7C8
STREAM-3 0010 001D B7C8
STREAM-4 0010 001D B7C8
STREAM-5 0010 001D B7C8
STREAM-6 0010 001D B7C8
Pub Channel B78B B78C B78D B78E B78F B790 B791 B792 B793 B794
ISM Test1 v5 B778
ISM Sports 1 v6 B778
ISM Sky One v6 B778
ISM Sky News v6 B778
STT B778
101-5 B778
Snr B7D9
Tantalise TV B874
STAR Plus B838
STAR News B838
Talk Sport 0010 B757 B758 B759 B75A B75B B7D3
Zee TV / Zee Music B79A
Zee Cinema B7CC
Sony TV Asia B7CC
Alpha EtcPun B7D5
ARY Digital B7D2
B4U Movies B799
TV5 0010 B86D
Artsworld B82F
MUTV B73B
