Install Newcs


1 Introduction

This howto/tutorial will guide you through installing NewCS, a program that reads your card and lets you use it across multiple tuners, on (X)ubuntu 11.10.

2 Preparation

2.1 Got root?

Installing everything is much easier when you're root.

sudo -s

2.2 Installing dependencies

The following packages are needed to install NewCS. In Ubuntu 9.04 and lower (not in 9.10) we have to remove brltty, because it grabs your smartcard reader. I still do it just in case.

apt-get install unzip libcrypto++9 libcrypto++-dev
ln -s /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 /usr/lib/libcrypto.so.0.9.8
apt-get remove brltty

Or if you can install 0.9.8:

apt-get install libssl0.9.8

3 NewCS

3.1 Download & install

cd /usr/local/src
wget http://dolot.kipdola.com/uploads/newcs-1_67RC1.zip
unzip newcs-1_67RC1.zip
cp newcs-1.67_RC1/bin/newcs.x86_64 /usr/bin
cp newcs-1.67_RC1/newcs-default.xml /etc/newcs.xml

There's also an older version available:

cd /usr/local/src
wget http://dolot.kipdola.com/uploads/newcs-1_65.zip
unzip newcs-1_65.zip
cp newcs-1.65/bin/newcs.x86_64 /usr/bin
cp newcs-1.65/newcs-default.xml /etc/newcs.xml

3.2 Configure NewCS

Open newcs.xml:

nano /etc/newcs.xml

This is what my config looks like.

Note: The "pincode" element needs to be commented out (as I did in the example below)! For some reason, leaving it enabled will crash newcs when sasc-ng tries to log in.

<?xml version="1.0"?>
<!--

For setup-issues, look in readme.txt!
If there are other troubles, try different forums or irc channels around :o)

The configfile are NOT case-sensitive, and shouldnt care about dos/unix cr/lf.
-->

<newCSconfig>
	<globals>
		<!-- valid value for listening-ip are:
				IPv4 adress of local interface.  -->
		<listening-ip>192.168.1.2</listening-ip>

		<!-- valid value for certificate are:
				Full path to your certificate file.  -->
		<certificate>/var/tuxbox/config/newcs.pem</certificate>
	</globals>
	<readers name="Standard Phoenix on PC">
		<device>
			<!-- valid value for name are:
				 Any name of your choice, just to name the device for you to read.	-->
			<name>Phoenix on Com1</name>

			<!-- valid value for type are:
				 phoenix, dbox, sci, dragon, sc8, mp35, pcsc (for own binary) or infinity(for own binary).	-->
			<type>phoenix</type>

			<!-- valid value for mhz are:
				 153(1.53mhz), 358(3.58mhz), 368(3,68Mhz), 450(4.5mhz), 536(5.36mhz), 600(6.00mhz), 800(8.00mhz), 715(7.15 mhz)
                                 1000(10.00 mhz), 1071(10.71mhz), 1431(14.31 mhz)
				 This setting is now IMPORTANT, normal phoenix usually have 3.57mhz, and can usually be overclocked
				 to 6mhz. For the others you probably need extra crystal (be careful).	-->
			<mhz>368</mhz>

			<!-- valid value for node are full path to device, f.ex /dev/tts/0,
				 /dev/sciX (for dreambox), /dev/cardreaderX (for dragon),
				 /dev/tts/USBX (for a usb2serial device).
				 COMx on Win32, COM1, COM2 etc.
				 For PC/SC this is just 0, 1 ,2 and so on (reader number)	-->
			<node>/dev/ttyUSB0</node>

			<!-- valid value for infinity_number are number of device, if you have multiple, only used in infinity binary,
			     0, 1 ...	-->
			<infinity_number>0</infinity_number>

			<!-- valid value for slot are:
				 0-7 (only used on Sc8). 	-->
			<slot>0</slot>

			<!-- valid value for parity are:
				 Odd, Even, None (ignored on sci and dragon).
				 This is only used on serial _BEFORE_ ATR is recieved. 	-->
			<parity>none</parity>

			<!-- valid value for reset are:
				 normal, inverse (ignored on sci and dragon).
				 normal is phoenix, inverse is smartmouse	-->
			<reset>normal</reset>

			<!-- valid value for export are:
				 Yes,No - if not exported only localhost can connect.	-->
			<export>Yes</export>

			<!-- valid value for enabled are:
				 Yes,No - if not enabled it cant be used.	-->
			<enabled>Yes</enabled>

			<!-- valid value for blocksa are:
				 Yes, No - block shared address emm to card.	-->
			<blocksa>No</blocksa>

			<!-- valid value for blockua are:
				 Yes, No - block unique address emm to card.	-->
			<blockua>No</blockua>

			<!-- valid value for blockga are:
				 Yes, No - block group address emm to card.	-->
			<blockga>No</blockga>

			<!-- valid value for boxkey are:
				 The boxkey of your nagra STB.	-->
			<!-- <boxkey>0000000000</boxkey>  -->

			<!-- valid value for rsa are:
				 The RSA key from your nagra STB.	-->
			<!-- <rsa>0000000000</rsa> -->

			<!-- valid value for camkey are:
			     8byte hex.	-->
			<irdeto-camkey>0000000000000000</irdeto-camkey>

			<!-- valid value for camkey-data are:
			     64byte hex	-->
			<irdeto-camkey-data>0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</irdeto-camkey-data>

			<!-- valid value for crypto-special are:
				 Yes, No - Used to enable/disable real-time mosc on Cryptoworks.	-->
			<crypto-special>No</crypto-special>

			<!-- valid value for ipk are:
			     64byte hex	-->
			<ipk>0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</ipk>

			<!-- valid value for ucpk are:
			     64byte hex	-->
			<ucpk>0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</ucpk>

			<!-- valid value for PTShanshake are:
			     Yes, No - Used to enable/disable real-time HighBaud on Cryptoworks and Viacess.	-->
			<PTShandshake>No</PTShandshake>

			<!-- valid value for carddetect are:
				 Yes, No - Used to try to detect if card is present in you cardreader.	-->
			<carddetect>yes</carddetect>

			<!-- valid value for newcamd_port are:
				 0,65535 - Which port newcamd server will listen for incomming connections. -->
			<newcamd_port>15050</newcamd_port>

			<!-- valid value for autosid are:
				 Yes, No - Let NewCS decide which sids should be allowed/denied based on card answers. -->
			<autosid>Yes</autosid>

			<!-- valid value for Seca-PPV are:
				 Yes, No - Let NewCS decide which sids should be allowed/denied based on card answers. -->
			<Seca-PPV>no</Seca-PPV>

			<!-- valid value for Pincode are:
				 0000, 9999 - For f.ex PPV on Conax, also for parental lock on conax and cryptoworks. -->
			<!--<pincode>0000</pincode>-->

			<!-- Notes about Service ID's:
		 		There are some points worth mentioning:
		 		1. If you allow a sid, all others will be rejected for that caid.
		 		2. When you deny a sid, all others then the denied will be let through to that caid.
		 		3. If you dont specify a reader, all sid's will get let through.
		 		4. Put as many provider-sections in sid as you'd like, and as many id-sections under allow/deny as you want.
		 		5. Deny is the stronger one, will always override allow.
     				6. If you want to add several sid's at once, do <id>0000:0010</id>, this will add all ten to list.  -->
			<sid>
				<allow>
					<!-- valid value for id are:
			  		4 numbers, if the service id is 3 numbers, add a 0 infront of it.	-->
					<id>0000</id><id>0001</id><id>0002</id>
				</allow>
				<deny>
					<!-- valid value for id are:
				  		4 numbers, if the service id is 3 numbers, add a 0 infront of it.	-->
					<id>0000</id><id>0001</id><id>0002</id>
				</deny>
			</sid>
			<!-- valid value for priority are:
			 hard, round, fifo - hard is lower userid, higher priority(gets ECM through before user with higher id),
			 round, there is an equal chance for all users to get ECM through, fifo, first sendt ECM gets through.	-->
			<priority>round</priority>
		</device>
	</readers>
	<radegastserver>
			<!-- valid value for enable are:
				 Yes, No - Enable or Disable radegast server.	-->
			<enabled>Yes</enabled>

			<!-- valid value for port are:
				 0,65535 - Which port to listen for incomming connections.	-->
			<port>10001</port>

			<allow>
				<!-- valid value for hostname are:
				 	all, IP-address or DNS-name.	-->
				<hostname>all</hostname>
			</allow>
	</radegastserver>
	<cache>
			<!-- valid value for emm are:
				 0-255 - Number of EMM's to cache.	-->
			<emm>20</emm>

			<!-- valid value for ecm are:
				 0-255 - Number of ECM's to cache.
                                 -1    - Dynamic ECM Cache.	-->
			<ecm>-1</ecm>
	</cache>
	<httpd>
		<server> <!-- Port to accept connections on -->
			<port>8080</port>
			<enabled>yes</enabled>
		</server>
		<user>
			<!-- valid value for userfile are:
			     Any username you'd like - Used for browser to logon (its case sensitive).	-->
			<name>krimson</name>
			
			<!-- valid value for password are:
			     Any password you'd like - Used for browser to logon (its case sensitive).	-->
			<password>krimson</password>
			
			<!-- valid value for accesslevel are:
			     admin, stats - Define what rights the user has in the web-console	-->
			<accesslevel>admin</accesslevel>
		</user>
	</httpd>
	<debug>
			<!-- valid value for password:
				 Max 25 characters and minimum 8, this is case-sensitive.	-->
			<password>NewCSpwd</password>

			<!-- valid value for mode:
			     simple, advanced - Set TCP-Console to advanced mode to get access to 
			     potentially dangerous features.-->
			<mode>simple</mode>
			
			<!-- valid value for level are:
			     	normal, verbose, spam - How extensive debug should be.	-->
			<level>spam</level>

			<!-- valid value for type are:
				 Init, general, ecm, emm, net, all - Section of debug that should be displayed.	-->
			<type>init</type>

			<!-- valid value for output are:
				 Console, udp, tcp, file, all - Where to show debug.	-->
			<output>console,tcp,file</output>

			<!-- console_options are so you can set own loglevel/type for console-logger:
				 Should hold level and type-tags like above. 	-->
			<console_options>normal,init</console_options>

			<!-- valid value for logfile are:
				 Path and filename - Where to write debug logs if file or all is chosed in output.	-->
			<logfile>/etc/newcs.log</logfile>

			<!-- file_options are so you can set own loglevel/type for file-logger:
				 Should hold level and type-tags like above. 	-->
			<file_options>spam,all</file_options>

			<!-- valid value for udp_host are:
				 IP-address or DNS-name - Where to send debug if udp or all is chosed in output.  -->
			<udp_host>192.168.1.10</udp_host>

			<!-- valid value for udp_port are:
				 0,65535 - Which port to send the udp packets.	-->
			<udp_port>1000</udp_port>

			<!-- udp_options are so you can set own loglevel/type for udp-logger:
				 Should hold level and type-tags like above. 	-->
			<udp_options>normal,init</udp_options>
			
			<!-- valid value for tcp_port are:
				 0,65535 - Which port to listen for incomming tcp connections.	-->
			<tcp_port>1001</tcp_port>

			<!-- tcp_options are so you can set own loglevel/type for tcp-logger:
				 Should hold level and type-tags like above. 	-->
			<tcp_options>normal,init</tcp_options>
	</debug>
	<newcamdserver>
			<!-- valid value for enabled are:
				 Yes, No - Enable or Disable newcamd server.	-->
			<enabled>Yes</enabled>

			<!-- valid value for name are:
				 Any name - Used to identify server to remote clients,
				 if the remote client isnt newcamd, this field have no purpouse.	-->
			<name>krimson</name>

			<!-- valid value for deskey are:
				 any 14x2 numbers  - Used to encrypt the communication between
				 the client and the server.	-->
			<deskey>01 02 03 04 05 06 07 08 09 10 11 12 13 14</deskey>

			<!-- Notes about users:
				 The first user doesnt have au without beeing it set to on (unlike newcamd cardserver).
				 You can add as many user-sections as you want, just put them under eachother.	-->
			<user>
				<!-- valid value for userfile are:
					 Any username you'd like - Used for client to logon (its case sensitive).	-->
				<name>handlanger</name>

				<!-- valid value for password are:
				    Any password you'd like - Used for client to logon (its case sensitive).	-->
				<password>handlanger</password>

				<!-- valid value for hostname are:
				 	 IP-address or DNS-name - Used for reverse login to the client.	-->
				<hostname></hostname>

				<!-- valid value for port are:
				     0-65535 - Which port reverse login to the client.	-->
				<port>12000</port>

				<!-- valid value for au are:
					 On,Off - Wheather the client are allowed to send EMM to the server.	-->
				<au>on</au>

				<!-- valid value for sidoverride are:
				     On,Off - Wheather the client are allowed to override the SID-filter.	-->
				<sidoverride>off</sidoverride>

				<!-- valid value for readers are device name,
					if one <allow> present, other readers will be disabled! -->
				<readers>
					<allow>Phoenix on Com1</allow>
				</readers>

				<!-- valid value for spider are:
					 Yes,No - Wheather the client are allowed to be newcamd Cardspider.	-->
				<spider>No</spider>

                                <!-- valid value for rate are:
                                         1-60 - number of seconds between each ecm     -->
                                <rate>2</rate>

				<!-- valid value for status are:
					 access, banned	- If its set as banned, user wont be able to logon.	-->
			</user>
	</newcamdserver>
        <chameleon>
                <server>
                        <!-- valid value for tcp_port are:
                                 0,65535 - Which port to listen for incomming tcp connections.  -->
                        <port>1234</port>
                        <!-- enable or disable the server, valid values are yes/no -->
                        <enabled>no</enabled>
                </server>
                <peer>  <!-- Connect to remote Chamelon server with the below credentials -->
                        <hostname>localhost</hostname>
                        <!-- valid value for tcp_port are:
                                 0,65535 - Which port to listen for incomming tcp connections.  -->
                        <port>1234</port>
                        <!-- valid value for userfile are:
                                         Any username you'd like - Used for client to logon (its case sensitive).       -->
                        <name>myname</name>
                        <!-- valid value for password are:
                                    Any password you'd like - Used for client to logon (its case sensitive).    -->
                        <password>mypassword</password>
                        <!-- Not yet implemented, this will be how chameleon will connect to more than one network -->
                        <realm>myShares</realm>
                </peer>
                <user>
                        <!-- valid value for userfile are:
                                         Any username you'd like - Used for client to logon (its case sensitive).       -->
                        <name>myname</name>
                        <!-- valid value for password are:
                                    Any password you'd like - Used for client to logon (its case sensitive).    -->
                        <password>mypassword</password>
                        <!-- Not yet implemented, this will be how chameleon will connect to more than one network -->
                        <realm>myrealm</realm>
                </user>
        </chameleon>
        <feynman>
                <server>
                        <!-- valid value for tcp_port are:
                                 0,65535 - Which port to listen for incomming tcp connections.  -->
                        <port>12345</port>
                        <!-- enable or disable the server, valid values are yes/no -->
                        <enabled>no</enabled>
                </server>
                <user>
                        <!-- valid value for userfile are:
                                         Any username you'd like - Used for client to logon (its case sensitive).       -->
                        <name>myname</name>
                        <!-- valid value for password are:
                                    Any password you'd like - Used for client to logon (its case sensitive).    -->
                        <password>mypassword</password>
                        <!-- valid value for au are:
                                         On,Off - Wheather the server will be allowed to send card details to the client.    -->
                        <au>
                                <ua>on</ua>
                                <sa>on</sa>
                        </au>
                </user>
        </feynman>
</newCSconfig>
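
The sample configuration above reuses each username as its password, keeps the debug password and `deskey` sequence that are printed on this page, and lets any host reach the radegast server. The Python check below is an added example, not part of the original page or of NewCS; the function name `audit`, the finding texts and the trimmed sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed config that reuses the example values shown on this page.
SAMPLE = """<?xml version="1.0"?>
<newCSconfig>
  <radegastserver><enabled>Yes</enabled><port>10001</port>
    <allow><hostname>all</hostname></allow></radegastserver>
  <httpd><server><port>8080</port><enabled>yes</enabled></server>
    <user><name>krimson</name><password>krimson</password>
      <accesslevel>admin</accesslevel></user></httpd>
  <debug><password>NewCSpwd</password><output>console,tcp,file</output></debug>
  <newcamdserver><enabled>Yes</enabled>
    <deskey>01 02 03 04 05 06 07 08 09 10 11 12 13 14</deskey>
    <user><name>handlanger</name><password>handlanger</password></user>
  </newcamdserver>
</newCSconfig>"""

# Values that appear in the published sample config, so they are not secrets.
PUBLISHED = {"newcspwd", "mypassword"}
SAMPLE_DESKEY = "0102030405060708091011121314"

def _text(el, path):
    return (el.findtext(path) or "").strip()

def _on(el, path):
    return _text(el, path).lower() in ("yes", "on")

def audit(xml_text):
    """Return a list of findings for a newcs.xml document given as a string."""
    root = ET.fromstring(xml_text)
    # The config header says the file is not case-sensitive: normalise tag names.
    for el in root.iter():
        el.tag = el.tag.lower()
    findings = []
    # Users are direct children of their section (httpd, newcamdserver, ...).
    for section in root:
        for user in section.findall("user"):
            name, pw = _text(user, "name"), _text(user, "password")
            if pw and (pw.lower() == name.lower() or pw.lower() in PUBLISHED):
                findings.append(f"{section.tag}: user '{name}' has a guessable password")
    dbg = root.find("debug")
    if dbg is not None:
        outputs = {o.strip().lower() for o in _text(dbg, "output").split(",")}
        if outputs & {"tcp", "all"} and _text(dbg, "password").lower() in PUBLISHED:
            findings.append("debug: TCP console uses the published sample password")
    ncd = root.find("newcamdserver")
    if ncd is not None and _on(ncd, "enabled"):
        if _text(ncd, "deskey").replace(" ", "") == SAMPLE_DESKEY:
            findings.append("newcamdserver: deskey is the published sample sequence")
    rad = root.find("radegastserver")
    if rad is not None and _on(rad, "enabled"):
        hosts = [h.text.strip().lower() for h in rad.iter("hostname") if h.text]
        if "all" in hosts:
            findings.append("radegastserver: allow list accepts every host")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN", finding)
```

To check a real file, pass its contents: `audit(open("/etc/newcs.xml").read())`.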

3.3 NewCS init file

NewCS does not run as root on my box; it runs as "barabas". To let any other user run newcs, you need to add that user to the dialout group.

adduser your-user-name dialout

Don't forget to relog after doing so.

nano /etc/init.d/newcs

Add this:

#! /bin/bash
# Author: eldon <eldon @ www.eurocardsharing.com>
# based on a basic debian skeleton startup script

# START EDIT HERE #
NCSNAME=newcs.x86_64		# your newcs bin version
NCSDIR="/usr/bin"	# your newcs binary directory full path (without trailing /).
NCSCONF="/etc/newcs.xml"	# xml config full path
NCSUSER=barabas			# existing user that will run newcs daemon (you should NOT use root !).
NCSNICE=10			# set the newcs daemon priority -20 (most favorable scheduling) to 19 (least favorable).
# END EDIT HERE #

PATH=/usr/sbin:/usr/bin:/sbin:/bin	# some unnecessary default paths
DESC="NewCS daemon"		# dummy description
NAME=newcs			# dummy name
DAEMON="$NCSDIR/$NCSNAME"	# Daemon bin location
DAEMON_ARGS="-nd -c $NCSCONF"	# Keep -nd in place, ssd will fork to background itself (required to get a proper pid file)
PIDFILE=/var/run/$NAME.pid	# pid path
LOG=/var/log/$NAME.log		# log path
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
if [ ! -x "$DAEMON" ]
then
	echo "$DAEMON does not exist"
	exit 0
fi	

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
	# Return
	#   0 if daemon has been started
	#   1 if daemon was already running
	#   2 if daemon could not be started
	start-stop-daemon --start --quiet --chuid $NCSUSER --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
		|| return 1
	
	start-stop-daemon --start --verbose --nicelevel $NCSNICE --make-pidfile --background --chuid $NCSUSER --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_ARGS >> $LOG 2>&1 \
		|| return 2

	# Add code here, if necessary, that waits for the process to be ready
	# to handle requests from services started subsequently which depend
	# on this one.  As a last resort, sleep for some time.

	return $?
}

#
# Function that stops the daemon/service
#
do_stop()
{
	# Return
	#   0 if daemon has been stopped
	#   1 if daemon was already stopped
	#   2 if daemon could not be stopped
	#   other if a failure occurred
	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NCSNAME
	RETVAL="$?"
	[ "$RETVAL" = 2 ] && return 2
	# Wait for children to finish too if this is a daemon that forks
	# and if the daemon is only ever run from this initscript.
	# If the above conditions are not satisfied then add some other code
	# that waits for the process to drop all resources that could be
	# needed by services started subsequently.  A last resort is to
	# sleep for some time.
	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
	[ "$?" = 2 ] && return 2
	# Many daemons don't delete their pidfiles when they exit.
	rm -f $PIDFILE
	return "$RETVAL"
}


case "$1" in
  start)
	echo "Starting $DESC"
	do_start
	case "$?" in
		0)	log_daemon_msg "Success"
			log_end_msg 0;;
		1)	log_daemon_msg "Already running"
			log_end_msg 1;;
		2) 	log_daemon_msg "Failed"
			log_end_msg 2;;
	esac
	;;
  stop)
	echo "Stopping $DESC"
	do_stop
	case "$?" in
		0|1) echo "Success" ;;
		2) echo "Failed !" ;;
	esac
	;;
  restart)
	log_daemon_msg "Restarting $DESC"
	do_stop
	case "$?" in
	  0|1)
		do_start
		case "$?" in
			0) log_end_msg 0 ;;
			1) log_end_msg 1 ;; # Old process is still running
			*) log_end_msg 1 ;; # Failed to start
		esac
		;;
	  *)
	  	# Failed to stop
		log_end_msg 1
		;;
	esac
	;;
  *)
	echo "Usage: $SCRIPTNAME {start|stop|restart}" >&2
	exit 3
	;;
esac

:

And set the permissions:

chmod +x /etc/init.d/newcs
chmod 755 /etc/init.d/newcs
update-rc.d newcs defaults 21

I added "19" to the end of the update-rc.d line because it's important in what order our scripts will start. We want newcs to go first, sasc-ng to go second and mythbackend to go last.
