====== Simulcrypt CA Configuration ======
Jan 2017
\\
\\
{{:ncc_map.jpg?450|}}
\\
==== Introduction ====
This page is for an MX8400 / AVP / nCC based system
\\
\\
These notes have been compiled using nCompass 9 from R3.12 SVT06 (nCC_9.01.25636.0) and will be valid for nCC versions from around v8.5. Unlike earlier version of nCompass, no XML files need to be edited (there is one if you are doing Director, not covered here) and no extra services need to be manually started.
\\
\\
The parameters used for the CA relate to equipment (ECMG, EMMG) that exists in SVT that is currently managed by Rob O’Neil. The concept is the same for configuration on customer sites, the only difference will be IP addresses / Ports and CA parameters, but the configuration remains the same.
\\
\\
This is not a comprehensive CA guide, it’s a simple set of notes designed to assist in a Simulcrypt CA configuration for anyone who has dealt with CA before, but needs a reminder of the basic configuration steps. If you have never dealt with a CA configuration before, this may not be that helpful.
\\
\\
I suggest reading this document in its entirety before starting a configuration, as all the information within is required for a working system.
\\
\\
This guide assumes that you are a competent user of nCompass Control as it is assumed you will know how to perform tasks such as creating a map, profile, scheduling profiles etc.
\\
\\
----
==== Topics ====
The steps covered here are:
\\
- Basic Terminology
- Quick Overview
- Adding items to nCompass map
- ECMG/EMMG map settings
- Mux Static Parameters
- Adding Components to Profiles
- Profile Scrambling Settings
- Telnet testing functions
\\
----
==== Basic Terminology ====
//**ECMG**// is the //**Entitlement Control Message Generator**//, this is an external server provided by the CA vendor that communicates with the SCS and sends ECMs on request.
\\
\\
//**ECM**// is the //**Entitlement Control Message**//, the ECM contains an encrypted version of the //**Control Word (CW)**// and //**Access Criteria (AC)**//, and this provides the means for the receiver/STB to descramble the content.
\\
\\
The //**CWG**// is the //**Control Word Generator**//, and this generates a random 8 byte Control Word. This is forwarded on request to the //**SimulCrypt Synchronizer (SCS)**//.
\\
\\
//**Control Words (CW)**// are also knows as //**keys**//.
\\
\\
Typically every 10 seconds, the CW will change. The time between new CWs is defined as the //**the Crypto Period (CP)**//. CWs are defined as ODD or EVEN and alternate every CP to allow the STB to distinguish between CWs of adjacent CP, thus the CW is made available ahead of time.
\\
\\
//**EMMG**// is the //**Entitlement Management Message Generator**//, this communicates with the Mux and sends EMMs.
\\
\\
//**EMM**// is the //**Entitlement Management Message**//, and the EMM contains the authorization details for the smartcard/receiver to determine whether it is “allowed” to descramble the content.
\\
\\
//**Scrambler**// physically scrambles the required content using the //**CSA. (Common Scrambling Algorithm)**//.
\\
\\
Remember, the //**ECMG**// is the key to descramble the content, but you can only descramble if the //**EMM**// entitles you (your smartcard) to do so.
\\
\\
//**CSA**// is the //**Common Scrambling Algorithm**// and this is the part of the Mux that scrambles the components.
\\
\\
//**Encryption**// – The //**ECMG Encrypts**// the Control Words sent by the CW Generator in the Mux.
\\
\\
//**SuperCAS**// ID is the //**CA System ID**// + //**CA Sub System ID**//.
\\
\\
----
==== Quick Overview ====
It is worth remembering that Scrambling and Encryption are not the same:
\\
\\
**//Components//** (Video/Audio) are scrambled (by the scrambler in the Mux)
\\
**//Control Words//** are Encrypted (by the ECMG)
\\
\\
In general, services can be scrambled at service or component level, unless you are using Director, where only service level scrambling is available.
\\
\\
//**Scrambling / Encryption**// (the following values are examples, not real data)
\\
* String 0 0 1 0 1 0 0 1
* Scrambling 0 0 0 1 1 0 1 0
* Encryption 22 34 56 67 89
\\
//**ECMs**// are referenced by **//PMT//**
\\
\\
{{:ecm_referenced_in_pmt_boxed.jpg?400|}}
\\
\\
**//EMMs//** are referenced by **//CAT//**
\\
\\
{{:emm_referenced_in_cat_boxed.jpg?400|}}
\\
\\
ECMs are sent in the clear, but their contents are //**encrypted**// (not scrambled)
\\
\\
EIS in most cases is the control system (so nCompass for most of our demos)
\\
\\
Mux and decoder times must be accurate with each other (for RX8200 you will need a TDT/TOT to set the time)
\\
\\
Director is based on Simulcrypt, but cannot be used for DTH
\\
\\
//**T22/T23**// (ECM/EMM) is specific to Sky (NDS)
\\
\\
If using the Mux Control ports for CA (this only works for Director) then you still need to draw the CA connections to the Mux on the Map for routing purposes (from the ECM/EMM to the CA Port)
\\
\\
//**PDG**// goes at network level\\
//**EMM**// at TS level\\
//**ECM**// can be service or component level\\
\\
\\
{{:ca_ts_labels.jpg?600|}}
\\
\\
----
==== Scrambling ====
The **//SCS//** in the Mux sends two **//Control Words (CW)//** from the Mux **//Control Word Generator (CWG)//** in packets to the **//ECMG//**, the **//ECMG//** encrypts the **//CWs//** and sends them back as **//ECMs//** with added vendor specific criteria.
\\
\\
The **//SCS//** also forwards the **//Access Criteria (AC)//** (obtained from the CA configuration) to the **//ECMG//**.
\\
{{:mux_scs_diagram.jpg?400|}}
\\
**//The yellow dotted box in the diagram is the Mux//**
\\
\\
**//ECMs//** are passed along to the **//scrambler//** (**//CSA//** in Mux) which uses the vendor specific information to scramble the content; **//ECMs//** are also passed in the Transport Stream (**//TS//**).
\\
\\
The ECM typically contains the following:
\\
* The **//Access Criteria (AC)//** which must be satisfied before the STB can descramble the incoming services/components.
* The **//Control Word (CW)//** used to scramble the required services/components
\\
\\
----
==== Descrambling ====
**//EMMs//** provide authorization details to the Decoder/STB. These details must match the **//Access Criteria//** that is recovered from the **//ECM//**. The **//EMMs//** relate to the content of the subscription that the viewer has paid for. The **//EMMs//** can be targeted to individual STBs or groups of STB. The STB will only act on the **//EMM//** if it contains target information in its header that relates to the STB
\\
\\
The STB/Decoder passes the TS to the descrambler, and the ECM to the CA Processor (Smart Card/CAM module).
\\
{{:emm_process.jpg?400|}}
\\
\\
If the ECM matches the TS components (is the correct ECM for those components) and the EMM has the correct entitlement (you are allowed to descramble those components) then descrambling will start.
\\
\\
----
==== Adding items to nCompass map ====
//**Before attempting to configure CA, please ensure you have a working system that is running in the clear**//
\\
\\
To enable Conditional Access, the map has to be altered, the main steps are:
\\
\\
Add EMM/ECM components to the map
\\
\\
Edit Mux Static Parameters to include:
\\
\\
* Set Map Global Settings
* Add EMMG/ECMG to Map
* Mux CA Ethernet Interface IP Address:Port
* EMMG Parameters
* ECMG Parameters
* EIS/SCS Parameters (if using external devices)
* Control / CA Static Routes
* CA Mode / CSA Version
\\
\\
----
==== Set Map Global Settings ====
\\
From the Equipment Setup application, open the Maps Global Settings (Edit -> Global Settings…)
\\
\\
{{:ncc_map_global_settings_conditional_access_boxed.jpg?400|}}
\\
\\
Look for the ‘**//Conditional Access//**’ section, it will just have a single entry labelled ‘**//Any//**’
\\
\\
Enter the type of CA you are configuring (Conax, Nagra etc.) This box is just a label, and anything can be
entered here. This entry will be visible is further menus when configuring CA.
\\
\\
Click ‘Ok’ to close this section, save the map.
\\
\\
----
==== Add EMMG/ECMG to Map ====
\\
To start Add the following components to the Physical Map
\\
\\
* Simulcrypt ECMG
* Simulcrypt EMMG
* Ethernet Hub
\\
{{:ncc_map_boxed.jpg?600|}}
\\
\\
Double Click the Simulcrypt ECMG icon to show the properties.
\\
\\
Connect the Simulcrypt components to the hub, and then connect the hub to the CA port of the Multiplexer(s). A hub is required on the map as the Mux only has a single CA interface.
\\
\\
{{:ncc_map_simulcrypt_ecmg_settings_boxed.jpg?500|}}
\\
\\
Edit the information in the relevant sections.
\\
- ID – This is just a label to describe this ECMG map item
- CA Vendor – Use this drop down list to add your CA Vendor
- CA System ID – This will be supplied by the CA Vendor / customer
- CA SubSystem ID – This will be supplied by the CA Vendor / customer
- CA Types – This list comes from the list you edited in the map Global Settings
** Remember – SuperCas = CaSystem ID + CA SubSystem ID **
Click OK to close this window
\\
\\
Double Click the Simulcrypt EMMG icon to show the properties.
\\
\\
{{:ncc_map_simulcrypt_emmg_settings_boxed_numbers.jpg?500|}}
\\
\\
Edit the information in the relevant sections.
\\
\\
* ID – This is just a label to describe this ECMG map item
* CA Vendor – Use this drop down list to add your CA Vendor
* CA System ID – This will be supplied by the CA Vendor / customer
* CA Types – This list comes from the list you edited in the map Global Settings
* EMM Mux Connectors - This will be supplied by the CA Vendor / customer. You can chose a Mux (this is populated from the Mux) but in general, set ‘Any Mux’
\\
Click OK to close this window
\\
\\
----
==== Mux Static Parameters ====
=== Mux CA Ethernet Interface IP Address:Port ===
\\
\\
On the physical Map, double click the Mux icon, then click ‘Edit’
\\
\\
This is where the IP Address of the CA Interfaces on the Mux are defined. There are three IP Addresses per configuration (there are two interfaces running as a redundant pair.
\\
\\
{{:ncc_map_mux_static_parameters_01.jpg?400|}}
\\
\\
Enter the Primary, Backup and Virtual IP Address details.
\\
\\
----
=== Control / CA Static Routes ===
If the network that hosts the ECMG/EMMG is not directly reachable from the CA network, you may need to add a static route.
\\
\\
{{:control_ca_static_routes_table_menu.jpg?450|}}
\\
\\
In the Mux Static Parameters there is a section called ‘Control / CA Static Routes’ this is a table, double click this to open the table.
\\
\\
{{:control_ca_static_route.jpg?450|}}
\\
\\
Add the desired routing information (this will come from the customer, as it will be their network you are connecting to). Click OK to close this window.
\\
\\
----
=== EMMG Parameters ====
The only parameter we have to supply for the EMM connection is a port (TCP/UDP) But the CA vendor will need to put the CA Port address of the Mux in to the EMMG so that the EMMs are sent to the Mux CA Port.
\\
\\
----
=== ECMG Parameters ===
In the Mux Static Parameters, there is an entry entitled ‘ECMGs’ This is a table that lists the available ECMG servers (on a real system, there may be redundant servers).
\\
\\
{{:ecmgs.jpg?450|}}
\\
\\
Double click the ECGMs entry to open the table.
\\
\\
{{:editing_ecmgs.jpg?450|}}
\\
\\
Add each server in the table as shown. In this example the ECMG server address is 192.168.3.35. Again this information will come from the CA Vendor / Customer.
\\
\\
Don’t forget to scroll along and add the ECMG Port to the ECMG settings above.
\\
\\
----
=== EIS/SCS Parameters (if using external devices) ===
EIS/SCS parameters will only be used if there is an external scheduler or scrambling system being implemented; normally these settings are not used when the Ericsson Mux is doing the scrambling.
\\
\\
----
=== Mux Static Parameters – Control / CA Static Routes ===
At the end of the Mux Static Parameters list there are two entries that we need to configure
\\
\\
{{:mux_static_params_simulcrypt.jpg?450|}}
\\
\\
The CA Mode is by default set to ‘None’ this needs to be changed to ‘SimulCrypt’
\\
\\
The CA CSA Version is set to ‘SimulCrypt EIS Control’ by default. This is generally fine but can be set to ‘Force CSA1’ or ‘Force CSA2’
\\
\\
----
=== After all of these changes, please do the following ===
* Close all windows and accept any changes you made
* Save the Map (if you only have the original map then create a copy)
* Upload the Map
* Once uploaded, reboot the Mux for any IP Address / Parameter changes to take effect
\\
\\
----
==== Profile Manager ====
Having configured the components on the Map and the Mux Static Parameters, we need to add the relevant components to the Profile, set the scrambling and schedule the profile to start the CA Configuration.
\\
\\
=== Adding an EMM ===
EMMs are added at the Transport Stream (TS) level. To add an EMM right click your profile at the TS level and from the menu select ‘Add EMM…’
\\
\\
{{:add_emm_01.jpg?300|}}
\\
\\
{{:add_emm_02.jpg?300|}} {{:add_emm_03.jpg?300|}}
\\
\\
Most of the information required here will come from the Customer or CA Vendor. If you do not have this information you will not be able to proceed.
\\
\\
Fill out the General and Streams tabs, the Private Data is not required in this example.
\\
\\
=== General Tab ===
**//Label//** - This is just a label to allow you to identify this EMM in your TS configuration
**//CA System ID//** - Select the correct CA type from this list
**//CA Type//** - This list is populated from the entries made in the map Global Settings
\\
\\
=== Streams Tab ===
**//Output PID//** - The PID you wish to assign to this component.
**//Bit Rate//** - Bit rate of EMM (this is used by nCompass for TS size calculations)
\\
\\
=== Adding an ECM ===
ECMs can be added at Component or Service level to scramble just a single component or the entire list of components in a service.
\\
\\
To add an ECM, right click the desired service in the profile, and from the list select ‘Add ECM…’
\\
\\
{{:add_ecm_01.jpg?300|}}
\\
\\
{{:add_ecm_02.jpg?300|}} {{:add_ecm_03.jpg?300|}}
\\
\\
=== General Tab ===
**//Label//** - This is just a label to allow you to identify this EMM in your TS configuration
**//CA System ID//** - Select the correct CA type from this list
**//CA Type//** - This list is populated from the entries made in the map Global Settings
**//SGD ID//** - Scrambling Control Group ID
\\
\\
=== Scrambling Control Group ID (SGC ID) ===
The SGD ID is the Scrambling Group ID, this must be unique per TS. The SGD ID can be used to give several components the same access, where access is controlled by the EMM via the smart card.
\\
\\
Vendor 1
Service 1 Video AC 1
Audio AC 1
Audio AC2
Service 2 Video AC2
Audio AC2
Audio AC1
Service 3 Video AC3
Audio AC3
Audio AC1
\\
\\
In the above example, the SGC ID is an example of using different SGD IDs. If the Smart Card being used only allows for SGD ID 1, then you can only descramble any components marked AC1.
\\
\\
This only really works like this if ECMs are at component level, if ECMs are at Service Level,
\\
\\
=== Streams Tab ===
Output PID - The PID you wish to assign to this component.
Bit Rate - Bit rate of EMM (this is used by nCompass for TS size calculations)
SGD ID - TBC
\\
\\
{{:ecm_private_data.jpg?300|}} {{:ecm_access_criteria.jpg?300|}}
\\
\\
Private Data is not required in this example.
\\
\\
The Access Criteria (AC) will be supplied by the CA Vendor.
\\
\\
----
==== Device Profile Properties ====
Having added all of the required components to the transport stream, the profile for the service to be scrambled must be edited.
\\
\\
{{:device_profile_01.jpg?500|}}
\\
\\
Each component must be selected and the Scrambling changed
\\
\\
----
==== PSI/SI Transport Stream Settings ====
If you have been running in the clear, then chances are that you are not generating a Conditional Access Table (**//CAT//**). This will now need to be added.
\\
\\
{{:cat.jpg?500|}}
\\
\\
From the Transport Stream settings in the Profile Manager, ensure to select the CAT table.
\\
\\
----
==== MX8400 Telnet Menu ====
We can test the connectivity between the CA servers and the MX8400 Mux using some Telnet menus, Telnet to the MX8400 and login using:
\\
engineer
engineer
\\
\\
=== Time Configuration ====
If the time of the MX8400 is out, then CA will at some point stop working, as it will assume all the CA messages are out of date.
\\
\\
From the Telnet Menu select //**1,1 Time (1. Configuration, 1. Time)**//
\\
\\
{{:mx8400_telent_menu_1-1_time.jpg?500|}}
\\
\\
Here the Mux time can be seen, if this time is incorrect, then you may not be able to descramble any components.
\\
\\
----
=== ECMG Status ===
To test the **//ECMG//** status, use the following menu selection.
\\
\\
2,4,1 (2. Status, 4. Conditional Access, 1. ECMG Status) (go back to main menu first)
\\
\\
{{:mx8400_telent_menu_2-4-1_ecmg_status.jpg?500|}}
\\
\\
Here it can be seen that there is an active connection to the ECMG.
\\
\\
Press 1 again – ECMG Status
\\
\\
{{:mx8400_telent_menu_2-4-1-1_ecmg_0_status.jpg?500|}}
\\
\\
Here we can see the status of the ECM, the SuperCAS ID, Channel ID etc.
\\
\\
Press 1 again – ECMG Details
\\
\\
{{:ecmg_stream_details.jpg?500|}}
\\
\\
Here we can see the Stream Details, CP Parity (CP is Crypto Period) and the CP duration (10s by default)
\\
\\
----
=== EMMG Status ===
To test the **//EMMG//** status, use the following menu selection.
\\
\\
2,4,2 (2. Status, 4. Conditional Access, 2. EMMG/PDG Status) (go back to main menu first)
\\
\\
{{:emmg_status_02.jpg?500|}}
\\
\\
Here we can see the EMMG Status (Client ID 0x00000001 in this example) As we only have as single EMM we only see one connection in this example.
\\
\\
Select '1' to see the EMMG Details.
\\
\\
{{:emmg_status_03.jpg?500|}}
\\
\\
Here we can see the Client ID, Channel ID and number of Streams.
\\
\\
Press '1' for the Stream Details
\\
\\
{{:emmg_status_04.jpg?500|}}
\\
\\
Here we can see that the EMMG is initialised, that it is un use and we can see Bandwidth useage etc.
\\
\\
----
==== Mux RS232 Telnet redirection ====
The RS232 port on the Mux displays some more information about the Mux status, this is quite useful. However if you do not have an RS232 cable, or port on your laptop, then you can use this method.
\\
\\
The RS232 messages are redirected to port 12, so you can Telnet to port 12 (instead of the normal port 21)
\\
\\
**//Telnet ‘mux-control-address:12’//** e.g. **//Telnet 192.168.27.31:12//**
\\
\\
{{:telnet_port_12.jpg?500|}}
\\
\\
This display can be very useful to see what errors the mux is trying to report.
\\
\\
----
\\
\\
\\
----
==== Ericsson CA Test System Parameters ====
//**For Test System Mux ONLY**//
\\
These parameters will only work in demos (due to routing) and will only work on our Mux.
\\
\\
Alan Walker Demos Ext Num Provided By:
Rob O’Neill
Date Current 16-11-15
Review 06-01-16
Link To Room Patch panel ID
F54 – CAPEN V&I Int 11 G7
Network Gateway SCS 1 SCS 2
10.101.101.x/24 10.101.101.254 10.101.101.3 10.101.101.6
ECMG CAS ID SubSystem ID IP Port AC TS Section/Packet Max ECMs
Conax 0B00 0001 192.168.3.70 5000 00000066 Packet 25
Irdeto 0604 0000 192.168.3.90 4350 Packet 25
EMMG CAS ID SubSystem ID TCP Port UDP Port TS Section/Packet Bandwidth (KbS) Channel Stream
Conax 0B00 0001 5001 - Packet 100 1 1
Irdeto 0604 0000 5001 Packet 50 0 0
CAM CAM sn Type Smartcard AC Valid Until
Smit Icecrypt SVT 81 OAK1T134500097 Single Svc 10075964063 90010006000100010065 Review date
(Irdeto Access Criteria)
\\
\\
----
==== UPDATED 2017 - Ericsson CA Test System Parameters ====
//**For Test System Mux ONLY**//
\\
These parameters will only work in demos (due to routing) and will only work on our Mux.
\\
\\
{{:ca_2017.png?800|}}
\\
\\
----