1st December 2008, 20:49   #132
cydine_
Re: keyroll ecm and the fix (code it ur self)

Quote:
Originally Posted by Donnie Darko
Once I change to CD XX XX, where/how do I attach/create the patch? Is the patch within the first reply in this thread?
I'm also assuming none of this is possible without an EMM log to begin with.

ROM:74F1 BD 81 call EMMBUF_01

This is the point where the code in the emm buffer is executed.


ROM:74EC CD 74 27 call ENSUREIRDINFO ; Ensure we have a type $01 item,

At this point, just before the above jump, the keyroll emm has been loaded into the buffer but not yet executed.

The idea is to, at this point, jump to a section of patch code. This will modify the emm buffer in such a way that when the code in the buffer is executed, the correct key will be returned.

So if this is the keyroll emm:

Code:
0081: 5F           clrx                 ; x <-- 0
0082: A6 10        lda #$10             ; Load in A
0084: B7 21        sta RC0ADDRH         ; Store A in...
0086: A6 02        lda #$02             ; Load in A
0088: 2D 07        bms $91              ; Branch if mask=1
008A: 9B           sei                  ; I <-- 1
008B: CD 20 0F     jsr $200F            ; Go to subroutine
008E: 9A           cli                  ; I <-- 0
008F: 20 03        bra $94              ; Branch always
0091: CD 20 0F     jsr $200F            ; Go to subroutine
0094: 9F           txa                  ; X --> A
0095: B8 AF        eor $AF              ; A= A xor ...
0097: B7 AF        sta $AF              ; Store A in...
0099: 9F           txa                  ; X --> A
009A: B8 BB        eor $BB              ; A= A xor ...
009C: B7 BB        sta $BB              ; Store A in...
009E: A6 26        lda #$26             ; Load in A
00A0: CC 48 BB     jmp FILTEROK         ; 2
What the patch does is modify the above code (after it has been stored in the buffer but before it has been run) to look like this:

Code:
0081: 5F           clrx                 ; x <-- 0
0082: AE 10        ldx #$10             ; Load in X
0084: 20 0E        bra $94              ; Branch always
0086: A6 02        lda #$02             ; Load in A
0088: 2D 07        bms $91              ; Branch if mask=1
008A: 9B           sei                  ; I <-- 1
008B: CD 20 0F     jsr $200F            ; Go to subroutine
008E: 9A           cli                  ; I <-- 0
008F: 20 03        bra $94              ; Branch always
0091: CD 20 0F     jsr $200F            ; Go to subroutine
0094: 9F           txa                  ; X --> A
0095: B8 AF        eor $AF              ; A= A xor ...
0097: B7 AF        sta $AF              ; Store A in...
0099: 9F           txa                  ; X --> A
009A: B8 BB        eor $BB              ; A= A xor ...
009C: B7 BB        sta $BB              ; Store A in...
009E: A6 26        lda #$26             ; Load in A
00A0: CC 48 BB     jmp FILTEROK         ; 2
Thus it loads the correct value into X, then jumps straight to the XOR.

I change

CD 74 27
to
CD 93 63

and start the patch code at that location. Remember the ROM10 code space starts at 4000, so in your hex editor 9363 is actually 5363.
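The buffer patch and the call redirect described in the post above, as an added worked example (this is not cydine_'s code and not anything from the thread). It takes the keyroll EMM bytes, the buffer address $0081, the ENSUREIRDINFO call at $74EC and the $4000 ROM10 base from the listing; everything else is assumed: the `jsr $200F` subroutine is replaced by a stand-in that just returns a value in X so the unpatched and patched paths can be compared, the initial contents of $AF and $BB are zero, and the ROM10 image is a constructed 32 KiB dump containing only the one `CD 74 27` call. A tiny interpreter for the handful of 6805 opcodes the EMM uses shows that the patched buffer reaches the XOR with X = $10 without touching RC0ADDRH or calling $200F, and that the `bra` displacement ($0E) is computed rather than hard-coded.

```python
"""Added example (not cydine_'s code): apply the keyroll EMM buffer patch the
post describes, redirect the ENSUREIRDINFO call, and check both with a tiny
interpreter for the 6805 subset the EMM uses."""

BUF_BASE = 0x81    # the EMM buffer is executed from $0081 in the listing
ROM_BASE = 0x4000  # ROM10 code space starts at $4000: file offset = addr - $4000

# The keyroll EMM exactly as listed in the post, $0081..$00A2 (FILTEROK = $48BB).
KEYROLL_EMM = bytes.fromhex(
    "5F A610 B721 A602 2D07 9B CD200F 9A 2003 CD200F"  # $0081-$0093
    "9F B8AF B7AF 9F B8BB B7BB A626 CC48BB"             # $0094-$00A2
)
PROLOGUE = bytes.fromhex("5F A610 B721 A602")  # clrx / lda #$10 / sta RC0ADDRH / lda #$02
XOR_ENTRY = bytes.fromhex("9F B8AF")           # txa / eor $AF: where X is applied to the key


def bra_offset(branch_addr, target):
    """Displacement byte for a 2-byte 6805 relative branch located at branch_addr."""
    disp = target - (branch_addr + 2)  # relative to the instruction after the branch
    if not -128 <= disp <= 127:
        raise ValueError("branch target out of range")
    return disp & 0xFF


def patch_keyroll_emm(emm, base=BUF_BASE):
    """Turn 'lda #$10 / sta RC0ADDRH' into 'ldx #$10 / bra <txa, eor $AF>'."""
    buf = bytearray(emm)
    p, x = buf.find(PROLOGUE), buf.find(XOR_ENTRY)
    if p < 0 or x < 0:
        raise ValueError("not a keyroll EMM of the expected shape")
    lda = p + 1                  # offset of 'A6 10'
    buf[lda] = 0xAE              # lda #imm (A6) -> ldx #imm (AE); the $10 operand stays
    buf[lda + 2] = 0x20          # 'B7 21' (sta RC0ADDRH) -> 'bra rel'
    buf[lda + 3] = bra_offset(base + lda + 2, base + x)  # $0E when the buffer sits at $81
    return bytes(buf)


def run_emm(emm, base=BUF_BASE, mem=None, rolled_x=0x05):
    """Interpret the EMM until it jumps out of the buffer; returns (mem, calls, trace).
    jsr $200F is a stand-in (assumption): it is logged and returns rolled_x in X."""
    mem = dict(mem or {})
    a = x = 0
    imask = False
    pc = base
    calls, trace = [], []
    while True:
        off = pc - base
        op = emm[off]
        trace.append(pc)
        if op == 0x5F:                        # clrx
            x, pc = 0, pc + 1
        elif op == 0xA6:                      # lda #imm
            a, pc = emm[off + 1], pc + 2
        elif op == 0xAE:                      # ldx #imm
            x, pc = emm[off + 1], pc + 2
        elif op == 0xB7:                      # sta dir
            mem[emm[off + 1]], pc = a, pc + 2
        elif op == 0xB8:                      # eor dir
            a, pc = a ^ mem.get(emm[off + 1], 0), pc + 2
        elif op == 0x9F:                      # txa
            a, pc = x, pc + 1
        elif op in (0x9A, 0x9B):              # cli / sei
            imask, pc = op == 0x9B, pc + 1
        elif op in (0x20, 0x2D):              # bra rel / bms rel (branch if I set)
            d = emm[off + 1]
            disp = d - 256 if d > 127 else d
            pc = pc + 2 + disp if (op == 0x20 or imask) else pc + 2
        elif op == 0xCD:                      # jsr ext: log the target, apply stand-in
            calls.append(emm[off + 1] << 8 | emm[off + 2])
            x, pc = rolled_x, pc + 3
        elif op == 0xCC:                      # jmp ext (FILTEROK): leaves the buffer
            return mem, calls, trace
        else:
            raise ValueError(f"unmodelled opcode {op:02X} at ${pc:04X}")


def redirect_call(rom, call_addr, new_target, rom_base=ROM_BASE):
    """Rewrite the 3-byte 'CD hh ll' call at call_addr to call new_target instead.
    Returns (patched_rom, file_offset), e.g. $74EC -> offset $34EC in the dump."""
    off = call_addr - rom_base
    if rom[off] != 0xCD:
        raise ValueError(f"no call opcode at ${call_addr:04X}")
    out = bytearray(rom)
    out[off + 1:off + 3] = new_target.to_bytes(2, "big")
    return bytes(out), off


if __name__ == "__main__":
    patched = patch_keyroll_emm(KEYROLL_EMM)
    print("patched head:", patched[:6].hex(" "))        # 5f ae 10 20 0e a6
    for name, code in (("original", KEYROLL_EMM), ("patched", patched)):
        mem, calls, trace = run_emm(code, mem={0xAF: 0, 0xBB: 0})
        print(f"{name}: $AF={mem[0xAF]:02X} $BB={mem[0xBB]:02X}",
              "jsr:", [f"${c:04X}" for c in calls], "path:", [f"${p:02X}" for p in trace])
    # Constructed ROM10 image: 32 KiB dump with the listing's 'call ENSUREIRDINFO' at $74EC.
    rom = bytearray(0x8000)
    rom[0x34EC:0x34EF] = bytes.fromhex("CD 7427")
    rom, off = redirect_call(rom, 0x74EC, 0x9363)
    print(f"call rewritten at file offset ${off:04X}: {rom[off:off + 3].hex(' ')}")
```

Running it prints the original path going through $200F and leaving $AF = $BB = the stand-in's X, while the patched path goes $81, $82, $84, $94 and leaves $AF = $BB = $10 with no subroutine call and nothing written to RC0ADDRH; the call at $74EC is rewritten at file offset $34EC, the same $4000 subtraction that puts the patch code for $9363 at $5363. Only four bytes of the EMM change, so the pattern match on the prologue and on the `txa / eor $AF` entry is what keeps the patch from firing on an EMM of a different shape.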