Crash when play scrambled program which has 0B00(conax) CAID with Android Box

Added by KK Zhao over 9 years ago

Hi Guys,

I use tvheadend (version 3.9.2690~g6751ade-dirty) and OSCAM on my Android box to play scrambled streams. I found some issues. Has anybody come across the same issues as me?

1. I set up the CA with the OSCAM capmt protocol; after several minutes the descrambling stops, and tvheadend logs "not found" for the key.
2. While it is descrambling, some mosaic appears, and tvheadend outputs "can't decode the packet".
3. Then I set up the CA with the newcamd protocol; sooner or later (tens of seconds to tens of minutes), tvheadend crashes, in several cases.

Following is the crash stack:

(gdb) bt
#0 0xb6eb5048 in tmalloc_large (nb=4008, m=<optimized out>) at bionic/libc/bionic/../upstream-dlmalloc/malloc.c:4510
#1 dlmalloc (bytes=<optimized out>) at bionic/libc/bionic/../upstream-dlmalloc/malloc.c:4654
#2 0xb6eb1da4 in malloc (bytes=bytes@entry=4000) at bionic/libc/bionic/malloc_debug_common.cpp:223
#3 0x0001610c in sbuf_alloc_ (sb=sb@entry=0x1608a84, len=len@entry=564) at src/utils.c:358
#4 0x00016140 in sbuf_alloc (len=564, sb=0x1608a84) at src/tvheadend.h:679
#5 sbuf_append (sb=sb@entry=0x1608a84, data=0x1625c1c, data@entry=0x64dc74, len=564, len@entry=0) at src/utils.c:372
#6 0x00085bfc in descrambler_descramble (t=t@entry=0x15bcb00, st=st@entry=0x15bcd30, tsb=0x64dc74 "",
tsb@entry=0x1625c1c "G\001\365\327~\242\354\234\306\005H\210G.\300\060\231\026_\353FD<\033%\324'A\201\023@__\207\017\234X\367\212\344\025\201o\276Gc\242\236#V\275e\347qw\347\237H\321Q\360bB\221}\004=R\f|\225\342\004\200\264,f\316\352\206\347\236BEu<\262\300\345>X\365\267e\031\001\313\034w0yx.x5\217l\251\302'e\221\364\255F\230\070+\213F\240\372r\270\023\324\245o\201\350\061\066\301Y8>\032nV\336\350\256\362κ^d\314\037\246\322\366\271\247\240ja\263~\"\270\021\311\340r\263\210\311\025\036\177t\371F\216l\365\360\371\035ڳ\367^\242e\212\275G\001\365\330\322\310y\223\366\060\223z"..., len=0, len@entry=564)
at src/descrambler/descrambler.c:526
#7 0x0008c678 in ts_recv_packet1 (t=0x15bcb00,
tsb=tsb@entry=0x1625c1c "G\001\365\327~\242\354\234\306\005H\210G.\300\060\231\026_\353FD<\033%\324'A\201\023@__\207\017\234X\367\212\344\025\201o\276Gc\242\236#V\275e\347qw\347\237H\321Q\360bB\221}\004=R\f|\225\342\004\200\264,f\316\352\206\347\236BEu<\262\300\345>X\365\267e\031\001\313\034w0yx.x5\217l\251\302'e\221\364\255F\230\070+\213F\240\372r\270\023\324\245o\201\350\061\066\301Y8>\032nV\336\350\256\362κ^d\314\037\246\322\366\271\247\240ja\263~\"\270\021\311\340r\263\210\311\025\036\177t\371F\216l\365\360\371\035ڳ\367^\242e\212\275G\001\365\330\322\310y\223\366\060\223z"...,
len=len@entry=564, pcrp=pcrp@entry=0x0, table=1) at src/input/mpegts/tsdemux.c:188
#8 0x00089c14 in mpegts_input_process (mpkt=0x1599ed8, mi=<optimized out>) at src/input/mpegts/mpegts_input.c:1131
#9 mpegts_input_thread (p=0x203638) at src/input/mpegts/mpegts_input.c:1240
#10 0x00016ac0 in thread_wrapper (p=0x15b7360) at src/wrappers.c:145
#11 0xb6eb1204 in __thread_entry (func=0x16a14 <thread_wrapper>, arg=0x15b7360, tls=0xb6568dd0) at bionic/libc/bionic/pthread_create.cpp:105
#12 0xb6eb139c in pthread_create (thread_out=0x159dc00, attr=<optimized out>, start_routine=0x16a14 <thread_wrapper>, arg=0x78)
at bionic/libc/bionic/pthread_create.cpp:224
#13 0x00000000 in ?? ()


Replies (5)

RE: Crash when play scrambled program which has 0B00(conax) CAID with Android Box - Added by KK Zhao over 9 years ago

I did the following test:

1. Run oscam on another PC
2. Set up the CA to that oscam server

And tvheadend still crashes.

RE: Crash when play scrambled program which has 0B00(conax) CAID with Android Box - Added by KK Zhao over 9 years ago

(gdb) bt
#0 0x001cbe0c in dvbcsa_bs_stream_transpose_out ()
#1 0x001ca848 in dvbcsa_bs_stream_cipher_batch ()
#2 0x001c7aa4 in dvbcsa_bs_decrypt ()
#3 0x000bb124 in tvhcsa_des_flush (csa=csa@entry=0x155f2f0, s=s@entry=0x1543ae0) at src/descrambler/tvhcsa.c:53
#4 0x000bb214 in tvhcsa_des_descramble (csa=csa@entry=0x155f2f0, s=s@entry=0x1543ae0, tsb=0x16ac408 "G\001\365\247ȷHD\f", tsb@entry=0x64dc74 "",
tsb_len=tsb_len@entry=0) at src/descrambler/tvhcsa.c:152
#5 0x00085e5c in descrambler_descramble (t=t@entry=0x1543ae0, st=st@entry=0x1543d10, tsb=0x64dc74 "", tsb@entry=0x16ac408 "G\001\365\247ȷHD\f",
len=0, len@entry=188) at src/descrambler/descrambler.c:479
#6 0x0008c678 in ts_recv_packet1 (t=0x1543ae0, tsb=tsb@entry=0x16ac408 "G\001\365\247ȷHD\f", len=len@entry=188, pcrp=pcrp@entry=0x0, table=1)
at src/input/mpegts/tsdemux.c:188
#7 0x00089c14 in mpegts_input_process (mpkt=0x1520c58, mi=<optimized out>) at src/input/mpegts/mpegts_input.c:1131
#8 mpegts_input_thread (p=0x203638) at src/input/mpegts/mpegts_input.c:1240
#9 0x00016ac0 in thread_wrapper (p=0x153caf8) at src/wrappers.c:145
#10 0xb6f71204 in __thread_entry (func=0x16a14 <thread_wrapper>, arg=0x153caf8, tls=0xb6628dd0) at bionic/libc/bionic/pthread_create.cpp:105
#11 0xb6f7139c in pthread_create (thread_out=0x1532c90, attr=<optimized out>, start_routine=0x16a14 <thread_wrapper>, arg=0x78)
at bionic/libc/bionic/pthread_create.cpp:224
#12 0x00000000 in ?? ()

RE: Crash when play scrambled program which has 0B00(conax) CAID with Android Box - Added by KK Zhao over 9 years ago

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 18320]
mpegts_input_table_dispatch (mm=0x184b308, tsb=tsb@entry=0x185d028 "G", tsb_len=188) at src/input/mpegts/mpegts_input.c:938
938 if (mt->mt_destroyed || !mt->mt_subscribed || mt->mt_pid != pid)
(gdb) bt
#0 mpegts_input_table_dispatch (mm=0x184b308, tsb=tsb@entry=0x185d028 "G", tsb_len=188) at src/input/mpegts/mpegts_input.c:938
#1 0x00089e10 in mpegts_input_table_thread (aux=0x184dc08) at src/input/mpegts/mpegts_input.c:1286
#2 0x00016ac0 in thread_wrapper (p=0x1842fe8) at src/wrappers.c:145
#3 0xb6e82204 in __thread_entry (func=0x16a14 <thread_wrapper>, arg=0x1842fe8, tls=0xb6637dd0) at bionic/libc/bionic/pthread_create.cpp:105
#4 0xb6e8239c in pthread_create (thread_out=0x184dcc0, attr=<optimized out>, start_routine=0x16a14 <thread_wrapper>, arg=0x78)
at bionic/libc/bionic/pthread_create.cpp:224
#5 0x018c5da0 in ?? ()
Cannot access memory at address 0x0
#6 0x018c5da0 in ?? ()
Cannot access memory at address 0x0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Here I think the mt is already freed. Gdb reports:

(gdb) p *mt
Cannot access memory at address 0x912c6d34
(gdb)

RE: Crash when play scrambled program which has 0B00(conax) CAID with Android Box - Added by KK Zhao over 9 years ago

I think the last node has been totally modified by some bad guys.

(gdb) dlist mm->mm_tables->lh_first
value is 0x1c8e4a0
value is 0x1c5c358
value is 0x1c5af40
value is 0x1c59b28
value is 0x1c58710
value is 0x1c572f8
value is 0x1c55ee0
value is 0x1c54ac8
value is 0x1c536b0
value is 0x1c52298
value is 0x1c50e80
value is 0x1c390c0
value is 0x1c37ca8
value is 0x1c36890
value is 0x1c3dac8
value is 0x1c74d18
value is 0x1c73900
value is 0x1c4f538
value is 0xd3376a84
Cannot access memory at address 0xd3376a84
(gdb) p (mpegts_psi_table_t *)0x1c4f538
$1 = (mpegts_psi_table_t *) 0x1c4f538
(gdb) p *(mpegts_psi_table_t *)0x1c4f538
$2 = {mt_link = {le_next = 0xd3376a84, le_prev = 0xeda62725}, mt_state = {first = 0x4312be7c, last = 0x79f67eb0, root = 0xaff8bfc7, entries = 7601000},
mt_name = 0x1c738d0 "descrambler", mt_opaque = 0x1c46e18, mt_table = 0 '\000', mt_mask = 0 '\000', mt_pid = 7500, mt_complete = 0, mt_incomplete = 0,
mt_finished = 0 '\000', mt_sect = {ps_cc = 1 '\001', ps_cco = 0 '\000', ps_offset = 80, ps_lock = 1,
ps_data = '\377' <repeats 80 times>, "\061~\000J\263W@\317Q\213V\264;\323c6\031\063Vf\330\034$", '\377' <repeats 80 times>, '\000' <repeats 4816 times>}, mt_err_log = {last = 0, count = 0}}
(gdb) p *(mpegts_psi_table_t *)0x1c73900
$3 = {mt_link = {le_next = 0x1c4f538, le_prev = 0x1c74d18}, mt_state = {first = 0x0, last = 0x0, root = 0x0, entries = 0},
mt_name = 0x1bfd758 "descrambler", mt_opaque = 0x1ccf610, mt_table = 0 '\000', mt_mask = 0 '\000', mt_pid = 7504, mt_complete = 0, mt_incomplete = 0,
mt_finished = 0 '\000', mt_sect = {ps_cc = 8 '\b', ps_cco = 0 '\000', ps_offset = 80, ps_lock = 1,
ps_data = '\377' <repeats 80 times>, "XH\236܁7\206\320\r\244Z\245\226\246\372E(\256\v\000\272\316>", '\377' <repeats 80 times>, '\000' <repeats 4816 times>}, mt_err_log = {last = 0, count = 0}}
(gdb)
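
An added gdb helper (not from this thread and not tvheadend's own code) that walks mm->mm_tables the way the `dlist` command above did, but validates each node's back-pointer and a couple of field ranges before following le_next, so the walk stops at the corrupted tail instead of faulting on the garbage pointer. It assumes the BSD queue.h LIST layout tvheadend uses (le_prev points at the previous node's le_next slot, or at lh_first for the first node) and the same cast to mpegts_psi_table_t as in the output above; the field names are the ones printed there.

```gdb
# walk_tables: walk a LIST_HEAD of mpegts_psi_table_t and stop at the first
# node that fails a sanity check, printing why. Usage: walk_tables mm->mm_tables
# (assumed layout: queue.h LIST, node type mpegts_psi_table_t as cast above)
define walk_tables
  # For the first node, le_prev must point at lh_first itself.
  set $expect = (void *)&($arg0.lh_first)
  set $mt = (mpegts_psi_table_t *)$arg0.lh_first
  set $n = 0
  while $mt != 0
    printf "node %-3d %p", $n, $mt
    # A node's le_prev must point at the slot that led us here. A mismatch
    # (like le_prev = 0xeda62725 above) means the node, or the one before it,
    # has been freed and overwritten. Checked by pointer comparison only, so
    # nothing garbage is dereferenced.
    if (void *)$mt->mt_link.le_prev != $expect
      printf "  SUSPECT: le_prev=%p, expected %p\n", $mt->mt_link.le_prev, $expect
      loop_break
    end
    # An MPEG-TS PID is 13 bits, and the section offset cannot exceed ps_data.
    if $mt->mt_pid > 0x1fff || $mt->mt_sect.ps_offset > sizeof($mt->mt_sect.ps_data)
      printf "  SUSPECT: mt_pid=%d ps_offset=%d\n", $mt->mt_pid, $mt->mt_sect.ps_offset
      loop_break
    end
    printf "  pid=%-5d name=%s next=%p\n", $mt->mt_pid, $mt->mt_name, $mt->mt_link.le_next
    # Next node's le_prev should point at this node's le_next slot.
    set $expect = (void *)&($mt->mt_link.le_next)
    set $mt = (mpegts_psi_table_t *)$mt->mt_link.le_next
    set $n = $n + 1
  end
  printf "%d node(s) walked cleanly\n", $n
end
document walk_tables
Walk a LIST_HEAD of mpegts_psi_table_t, stopping at the first node whose
back-pointer or field ranges look corrupted. Usage: walk_tables mm->mm_tables
end
```

Run it from the crashing frame (or paste it into .gdbinit); on the list shown above it flags the node at 0x1c4f538 by its back-pointer before ever touching 0xd3376a84.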

RE: Crash when play scrambled program which has 0B00(conax) CAID with Android Box - Added by Mark Clarkstone over 9 years ago

You may want to open a bug report for this & you could have used the following in gdb & uploaded the log instead of posting it in parts.

set logging on <filenamehere.log>

HTH.
