keyroll emm and the fix (code it ur self) - Page 13 - Digital World Cable Satellite Console Forum

bigjat · 30th November 2008, 22:26

I am serious about catching up on this so please excuse me if my next question highlights my lack of knowledge in this area.

I kind of get the idea and when i started coding (ASP/PHP/JS) i always write out what i want to achive in english, then add code to achieve each step so once i get my head round it i should be ok.

I only have experience of Nokia 2x boxes. My question is without a card reader or cards etc is it possible to reverse engineer simply by decompiling a current rom and looking at the wrong values returned by multiple AU keys and comparing them with the expected (correct) key values.

Also i know i will need to knock-up a new Ubuntu running machine to build images at the last stage but can i achieve a rom patch using the files in Nagra_Coding_Package on windslows
(as well as sourcing others eg ida)

Thanks again guys, any help welcome and appreciated.

bigjat · 30th November 2008, 22:52

Quote:

Originally Posted by Donnie Darko

IDA pro? anyone link me to it?can find a freeware version 4.9 will this work?

I know this has been covered already but a few mirrors won't hurt will they?

(i hope i got the right $tuff here as i just went hunting for ida v5.2)

Windslows version
windows DataRescue.IDA.Pro.Advanced.v5.2

Mac OSX version
Mac OSX DataRescue.IDA.Pro.Advanced.v5.2

Linux version
Linux DataRescue.IDA.Pro.Advanced.v5.2

Hexrays decomplier plugin
Hex-Rays.Decompiler.v1.0.for.DataRescue.IDA.Pro.Advanc ed-v5.2

Dont know why anyone might need the SDK but here you go

DataRescue.IDA.Pro.Advanced.v5.2-SDK

can someone let me know if if i'm barking up the wrong tree, so i can DL from other links.

Mods please delete if this is a load of $h17e as i dont wanna clutter this thread with

.

Nick [D]vB · 30th November 2008, 23:22

I’ve just been looking at the vplug emulator's debug output:

Code:

>> Decrypted EMM: 3F5C01FA5FA6E9B741A6022D079BCD20209A2003CD20209FB8B2B7B29FB8B5B7B5A626CC6B01000000835D01420500588DCF279804044285C3E072B09E079B5D
keyId:0x5C01 
filter type->All cards with the same system ID
Update with CPU code->ROM 10 (FA)
Init->RomNr:10 , Id:5C01
Required files:->Rom: ROM10.bin, RomExt: ROM10ext.bin (non-fatal), EEPROM: eep10_5c.bin
mapeeprom: new map off=c000 size=2000 otp=0040
fread -> C:\Program Files\MyTheatre\Plugins\vModules\NagraBins\ROM10.bin, size: 24576 ,
Bytes read: 24576
Init -> Done...
6805: breakpoint at 81ca (count=113)
Trying to GetOpKeys...
cr:-pc- aa xx yy dr -sp- VHINZC -mem@pc- -mem@sp- -cycles-
00:0081 00 80 c0 00 03fd ....Z. 5fa6e9b7 74f30000 00000904 CLR   X 
00:0082 00 00 c0 00 03fd ....Z. a6e9b741 74f30000 00000907 LDA   #e9 
00:0084 e9 00 c0 00 03fd ...N.. b741a602 74f30000 00000909 STA   41 
00:0086 e9 00 c0 00 03fd ...N.. a6022d07 74f30000 0000090d LDA   #02 
00:0088 02 00 c0 00 03fd ...... 2d079bcd 74f30000 0000090f BMS   0091 (taken) 
00:008a 02 00 c0 00 03fd ...... 9bcd2020 74f30000 00000912 SEI   
00:008b 02 00 c0 00 03fd ..I... cd20209a 74f30000 00000914 JSR   2020 
6805: breakpoint at 2020 (count=630)
math call: $02
RAM[41]=$e9
cr:-pc- aa xx yy dr -sp- VHINZC -mem@pc- -mem@sp- -cycles-
00:008e 02 e9 c0 00 03fd ..I... 9a2003cd 74f30000 0000091a CLI   
00:008f 02 e9 c0 00 03fd ...... 2003cd20 74f30000 0000091c BRA   0094 (taken) 
00:0094 02 e9 c0 00 03fd ...... 9fb8b2b7 74f30000 0000091f TXA   
00:0095 e9 e9 c0 00 03fd ...... b8b2b7b2 74f30000 00000921 EOR   b2 {04} 
00:0097 ed e9 c0 00 03fd ...N.. b7b29fb8 74f30000 00000924 STA   b2 
00:0099 ed e9 c0 00 03fd ...N.. 9fb8b5b7 74f30000 00000928 TXA   
00:009a e9 e9 c0 00 03fd ...N.. b8b5b7b5 74f30000 0000092a EOR   b5 {c3} 
00:009c 2a e9 c0 00 03fd ...... b7b5a626 74f30000 0000092d STA   b5 
00:009e 2a e9 c0 00 03fd ...... a626cc6b 74f30000 00000931 LDA   #26 
00:00a0 26 e9 c0 00 03fd ...... cc6b0100 74f30000 00000933 JMP   6b01 
[...]
6805: breakpoint at 7172 (count=50442)
GetMem -> key0 -> *** REMOVED *** 
6805: breakpoint at 717a (count=25379)
GetMem -> key1 -> *** REMOVED *** 
6805: breakpoint at 81f7 (count=361)
New ID: 5D01
6805: breakpoint at 713d (count=24915)
No PK keys for provider 5d01 ?
Got keys for 5D01 (ROM 10)

It seems to be detailing memory addresses and logic operations,

I don’t know if it’s any help to you lot?

Keep at it guys… 8 )

Donnie Darko · 1st December 2008, 13:28

Quote:

Originally Posted by cydine_

This is exactly the part I was stuck on back in april.

Let's work with the rom 10 code. I am working with rom images for dbox etc but this is relevant to the opos etc as well.

1. There's not really space to insert a patch anywhere so just overwrite some stuff that is not relevant to an emulated card - I use a section referencing the backdoor key. This stuff is not required for softcams.

2. Open the rom10 disassembled listing in your text editor and look for the call to jump to the emm buffer - hint look for a BD 81 jsr EMMBUFF01.
Patch the call before this - CD XX XX to jump to your patch.

Is step 2 done using hex editor,is there a way to search for BD 81? i've opened the rom10 disassem but i'm struggling at this point.

Its like trying to get on a carousel at the right point,lol.Probably a distinct possibility i'm pissing in the wind also.

cydine_ · 1st December 2008, 16:31

Quote:

Originally Posted by Donnie Darko

Is step 2 done using hex editor,is there a way to search for BD 81? i've opened the rom10 disassem but i'm struggling at this point.

Its like trying to get on a carousel at the right point,lol.Probably a distinct possibility i'm pissing in the wind also.

Yeah, no need for a disassembler at any stage in this process.

The disassembled listings for all the roms are in the nagra coding package. All you need is notepad to write your code and a hex editor to patch the roms.

Open the rom 10.lst in your text editor and search for a jsr EMMBUFF01. This is the point where the keyroll is executed.

2 lines above this is the call we need to change. Change the CD 74 27 to CD XX XX where XX XX is the location of your patch code.

dstream · 1st December 2008, 19:59

cydine dont know about you but vplug seems to have a pretty good understanding of the map calls.

whats it located or running inside? one of the boxes?

Donnie Darko · 1st December 2008, 20:17

ROM:74EC EMMCMDF3:
ROM:74EC CD 74 27 call ENSUREIRDINFO ; Ensure we have a type $01 item,
ROM:74EC ; and if so, point RC1ADDRH:L at it
ROM:74EF 25 02 jrc EMMCMDF3EXIT ; If we don't have IRD info, then exit
ROM:74F1 BD 81 call EMMBUF_01 ; Else execute the code fragment at $81
ROM:74F3

Right i've found CD 74 27,although it aint at, jsr EMMBUF_01? is this correct?

Donnie Darko · 1st December 2008, 20:20

Quote:

Originally Posted by cydine_

Yeah, no need for a disassembler at any stage in this process.

The disassembled listings for all the roms are in the nagra coding package. All you need is notepad to write your code and a hex editor to patch the roms.

Open the rom 10.lst in your text editor and search for a jsr EMMBUFF01. This is the point where the keyroll is executed.

2 lines above this is the call we need to change. Change the CD 74 27 to CD XX XX where XX XX is the location of your patch code.

Once i change to CD XX XX,where how do i attach/create the patch?thinking more i'm gonna be needing values for XX XX is this within the first reply in this thread?
I'm also assuming non of this is possible without an EMM log to begin with.

Post 6 You reference to this:

Yep quite an easy one to fix this one m8. The correct value for X is at $83

cydine_ · 1st December 2008, 20:32

Quote:

Originally Posted by dstream

cydine dont know about you but vplug seems to have a pretty good understanding of the map calls.

whats it located or running inside? one of the boxes?

Dunno, this is the first time I have heard of vplug. I will need to investigate further. Cracking debug output tho eh?

Nick [D]vB · 1st December 2008, 20:38

I don't really know what I'm looking at but I thought it looked usefull. 8)

Vahid did fixes for rom10 and 11 on friday:

vPlug news Blog Archive vPlug2.3.9

I assume his patches are hard-coded into the nagra.mdl module,

the strange thing is that vplug AU’s fine with both “original” and patches roms,

even patches from 2006 and this April!

The debug output looks different but they all work,

I was expecting using patched roms would throw it off somehow?

Vahid has not done a fix for rom7 yet but it vplug AU’s fine when used with Cydine’s rom7.

I can post some more logs if they are of any interest?

.

30th November 2008, 22:26	#121 (permalink)
bigjat Newbie Join Date: Nov 2008 Posts: 4 Downloads: 0 Uploads: 0 Thanks: 0 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll emm and the fix (code it ur self) I am serious about catching up on this so please excuse me if my next question highlights my lack of knowledge in this area. I kind of get the idea and when i started coding (ASP/PHP/JS) i always write out what i want to achive in english, then add code to achieve each step so once i get my head round it i should be ok. I only have experience of Nokia 2x boxes. My question is without a card reader or cards etc is it possible to reverse engineer simply by decompiling a current rom and looking at the wrong values returned by multiple AU keys and comparing them with the expected (correct) key values. Also i know i will need to knock-up a new Ubuntu running machine to build images at the last stage but can i achieve a rom patch using the files in Nagra_Coding_Package on windslows (as well as sourcing others eg ida) Thanks again guys, any help welcome and appreciated.
	Quote Post

1st December 2008, 19:59	#126 (permalink)
dstream Jnr Member Join Date: Nov 2005 Posts: 12 Downloads: 0 Uploads: 0 Thanks: 0 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll emm and the fix (code it ur self) cydine dont know about you but vplug seems to have a pretty good understanding of the map calls. whats it located or running inside? one of the boxes?
	Quote Post

1st December 2008, 20:17	#127 (permalink)
Donnie Darko DW Guru ++ Join Date: Jul 2005 Location: In the bookies Posts: 5,270 Downloads: 0 Uploads: 0 Thanks: 3 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll emm and the fix (code it ur self) ROM:74EC EMMCMDF3: ROM:74EC CD 74 27 call ENSUREIRDINFO ; Ensure we have a type $01 item, ROM:74EC ; and if so, point RC1ADDRH:L at it ROM:74EF 25 02 jrc EMMCMDF3EXIT ; If we don't have IRD info, then exit ROM:74F1 BD 81 call EMMBUF_01 ; Else execute the code fragment at $81 ROM:74F3 Right i've found CD 74 27,although it aint at, jsr EMMBUF_01? is this correct? __________________ It matters not how strait the gate. How charged with punishments the scroll,I am the master of my fate,I am the captain of my soul.
	Quote Post

1st December 2008, 20:38	#130 (permalink)
Nick [D]vB Member +++ Join Date: Mar 2005 Posts: 149 Downloads: 0 Uploads: 0 Thanks: 0 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll emm and the fix (code it ur self) I don't really know what I'm looking at but I thought it looked usefull. 8) Vahid did fixes for rom10 and 11 on friday: vPlug news Blog Archive vPlug2.3.9 I assume his patches are hard-coded into the nagra.mdl module, the strange thing is that vplug AU’s fine with both “original” and patches roms, even patches from 2006 and this April! The debug output looks different but they all work, I was expecting using patched roms would throw it off somehow? Vahid has not done a fix for rom7 yet but it vplug AU’s fine when used with Cydine’s rom7. I can post some more logs if they are of any interest? . Last edited by Nick [D]vB; 1st December 2008 at 20:43.
	Quote Post

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode