keyroll emm and the fix (code it ur self) - Page 14 - Digital World Cable Satellite Console Forum

edcase · 1st December 2008, 20:44

Quote:

Originally Posted by Nick [D]vB

I don't really know what I'm looking at but I thought it looked usefull. 8)

Vahid did fixes for rom10 and 11 on friday:

vPlug news Blog Archive vPlug2.3.9

I assume his patches are hard-coded into the nagra.mdl module so the strange thing is

that vplug AU’s fine with both “original” and patches roms, even patches from 2006 and this April!

The debug output looks different but they all work,

I was expecting using patched roms would throw it off somehow?

Vahid has not done a fix for rom7 yet but it vplug AU’s fine when used with Cydine’s rom7.

I can post some more logs if they are of any interest?

.

Hello again nick

.. it seems in this case your emulator had knowledge of the map02 call that most other emulators do not. IE it knew that a map02 call exited with the value from $41 in X.

cydine_ · 1st December 2008, 20:49

Quote:

Originally Posted by Donnie Darko

Once i change to CD XX XX,where how do i attach/create the patch?is the patch within the first reply in this thread.
I'm also assuming non of this is possible without an EMM log to begin with.

ROM:74F1 BD 81 call EMMBUF_01

This is the point where the code in the emm buffer is executed.

ROM:74EC CD 74 27 call ENSUREIRDINFO ; Ensure we have a type $01 item,

At this point, just before the above jump, the keyroll emm has been loaded into the buffer but not yet executed.

The idea is to, at this point, jump to a section of patch code. This will modify the emm buffer in such a way that when the code in the buffer is executed, the correct key will be returned.

So if this is the keyroll emm:

Code:

0081: 5F           clrx                 ; x <-- 0
0082: A6 10        lda #$10             ; Load in A
0084: B7 21        sta RC0ADDRH         ; Store A in...
0086: A6 02        lda #$02             ; Load in A
0088: 2D 07        bms $91              ; Branch if mask=1
008A: 9B           sei                  ; I <-- 1
008B: CD 20 0F     jsr $200F            ; Go to subroutine
008E: 9A           cli                  ; I <-- 0
008F: 20 03        bra $94              ; Branch always
0091: CD 20 0F     jsr $200F            ; Go to subroutine
0094: 9F           txa                  ; X --> A
0095: B8 AF        eor $AF              ; A= A xor ...
0097: B7 AF        sta $AF              ; Store A in...
0099: 9F           txa                  ; X --> A
009A: B8 BB        eor $BB              ; A= A xor ...
009C: B7 BB        sta $BB              ; Store A in...
009E: A6 26        lda #$26             ; Load in A
00A0: CC 48 BB     jmp FILTEROK         ; 2

what the patch does is modify the above code - after it has been stored in the buffer but before it has been run

to look like this:

Code:

0081: 5F           clrx                 ; x <-- 0
0082: AE 10        ldx #$10             ; Load in X
0084: 20 0E        bra $94              ; Branch always
0086: A6 02        lda #$02             ; Load in A
0088: 2D 07        bms $91              ; Branch if mask=1
008A: 9B           sei                  ; I <-- 1
008B: CD 20 0F     jsr $200F            ; Go to subroutine
008E: 9A           cli                  ; I <-- 0
008F: 20 03        bra $94              ; Branch always
0091: CD 20 0F     jsr $200F            ; Go to subroutine
0094: 9F           txa                  ; X --> A
0095: B8 AF        eor $AF              ; A= A xor ...
0097: B7 AF        sta $AF              ; Store A in...
0099: 9F           txa                  ; X --> A
009A: B8 BB        eor $BB              ; A= A xor ...
009C: B7 BB        sta $BB              ; Store A in...
009E: A6 26        lda #$26             ; Load in A
00A0: CC 48 BB     jmp FILTEROK         ; 2

Thus loading the correct value into x then jumping straight to the xor.

I change

CD 74 27
to
CD 93 63

and start the patch code at that location. Remember the rom 10 codespace starts at 4000 so in your hex editor 9363 is actually 5363.

Nick [D]vB · 1st December 2008, 20:58

Quote:

Originally Posted by edcase

Hello again nick

.. it seems in this case your emulator had knowledge of the map02 call that most other emulators do not. IE it knew that a map02 call exited with the value from $41 in X.

Hi again Edcase, glad your're not Deceased after all. 8)

I'm still getting to grips with all this so I'm going to have to take your word for that!

But Vplug does seem much more complete than the other emultors we have.

Fenrir broke last april if you remember so we turned to Snitch,

which is still working with the latest rom10 patches.

I never did find an eeprom patch that worked with Snitch though,

Vplug automatically creates eeprom files, I was hoping they might be usefull

but they all seem to be empty when I open them with NagraEdit etc?

.

Donnie Darko · 1st December 2008, 21:06

Quote:

Originally Posted by cydine_

ROM:74F1 BD 81 call EMMBUF_01

This is the point where the code in the emm buffer is executed.

ROM:74EC CD 74 27 call ENSUREIRDINFO ; Ensure we have a type $01 item,

At this point, just before the above jump, the keyroll emm has been loaded into the buffer but not yet executed.

The idea is to, at this point, jump to a section of patch code. This will modify the emm buffer in such a way that when the code in the buffer is executed, the correct key will be returned.

So if this is the keyroll emm:

Code:

0081: 5F           clrx                 ; x <-- 0
0082: A6 10        lda #$10             ; Load in A
0084: B7 21        sta RC0ADDRH         ; Store A in...
0086: A6 02        lda #$02             ; Load in A
0088: 2D 07        bms $91              ; Branch if mask=1
008A: 9B           sei                  ; I <-- 1
008B: CD 20 0F     jsr $200F            ; Go to subroutine
008E: 9A           cli                  ; I <-- 0
008F: 20 03        bra $94              ; Branch always
0091: CD 20 0F     jsr $200F            ; Go to subroutine
0094: 9F           txa                  ; X --> A
0095: B8 AF        eor $AF              ; A= A xor ...
0097: B7 AF        sta $AF              ; Store A in...
0099: 9F           txa                  ; X --> A
009A: B8 BB        eor $BB              ; A= A xor ...
009C: B7 BB        sta $BB              ; Store A in...
009E: A6 26        lda #$26             ; Load in A
00A0: CC 48 BB     jmp FILTEROK         ; 2

what the patch does is modify the above code - after it has been stored in the buffer but before it has been run

to look like this:

Code:

0081: 5F           clrx                 ; x <-- 0
0082: AE 10        ldx #$10             ; Load in X
0084: 20 0E        bra $94              ; Branch always
0086: A6 02        lda #$02             ; Load in A
0088: 2D 07        bms $91              ; Branch if mask=1
008A: 9B           sei                  ; I <-- 1
008B: CD 20 0F     jsr $200F            ; Go to subroutine
008E: 9A           cli                  ; I <-- 0
008F: 20 03        bra $94              ; Branch always
0091: CD 20 0F     jsr $200F            ; Go to subroutine
0094: 9F           txa                  ; X --> A
0095: B8 AF        eor $AF              ; A= A xor ...
0097: B7 AF        sta $AF              ; Store A in...
0099: 9F           txa                  ; X --> A
009A: B8 BB        eor $BB              ; A= A xor ...
009C: B7 BB        sta $BB              ; Store A in...
009E: A6 26        lda #$26             ; Load in A
00A0: CC 48 BB     jmp FILTEROK         ; 2

Thus loading the correct value into x then jumping straight to the xor.

I change

CD 74 27
to
CD 93 63

and start the patch code at that location. Remember the rom 10 codespace starts at 4000 so in your hex editor 9363 is actually 5363.

CD 74 27
to
CD 93 63

Once i've changed the above in rom10 lst text editor,i take it i need to save a copy?

Otherwise i'm a bit stuck now?the saved rom10 do i need to open/make a change in winex?

edcase · 1st December 2008, 21:12

Its not the lst file you need to edit.. Its the physical bin file.
The disassembled one just allows you to know what code is where.

Donnie Darko · 1st December 2008, 21:14

Quote:

Originally Posted by edcase

Its not the lst file you need to edit.. Its the physical bin file.
The disassembled one just allows you to know what code is where.

Right gotcha will see if i can finish it off.

Donnie Darko · 1st December 2008, 21:41

Right i've edited the rom10 at location 5363 with a value of 83,yet it returns the wrong keys.

Key 1 2nd and 3rd characters
key 0 5th and 6th characters

Using a rom10 from april 08 fix.

Donnie Darko · 1st December 2008, 21:50

Right i've changed the value to 87 its returning the correct keys,hurrah, checked against rom 7 but no picture,lol.

edcase · 1st December 2008, 21:54

Its no good just adding a value of 83.. you need to construct some code that checks if the keyroll emm is in ram, and if it is you need to make your patch code modify the emm such that it will create the correct keys .. then return to the original romcode.

Donnie Darko · 1st December 2008, 21:59

Gonna have to come back to this tomorrow evening,thanks for the input so far.

1st December 2008, 21:12	#135 (permalink)
edcase DW Top Poster +++ Join Date: May 2005 Posts: 952 Downloads: 0 Uploads: 0 Thanks: 73 Thanked 5 Times in 4 Posts Feedback Score: 0 reviews	Re: keyroll ecm and the fix (code it ur self) Its not the lst file you need to edit.. Its the physical bin file. The disassembled one just allows you to know what code is where.
	Quote Post

1st December 2008, 21:41	#137 (permalink)
Donnie Darko DW Guru ++ Join Date: Jul 2005 Location: In the bookies Posts: 5,276 Downloads: 0 Uploads: 0 Thanks: 6 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll emm and the fix (code it ur self) Right i've edited the rom10 at location 5363 with a value of 83,yet it returns the wrong keys. Key 1 2nd and 3rd characters key 0 5th and 6th characters Using a rom10 from april 08 fix. __________________ It matters not how strait the gate. How charged with punishments the scroll,I am the master of my fate,I am the captain of my soul.
	Quote Post

1st December 2008, 21:50	#138 (permalink)
Donnie Darko DW Guru ++ Join Date: Jul 2005 Location: In the bookies Posts: 5,276 Downloads: 0 Uploads: 0 Thanks: 6 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll emm and the fix (code it ur self) Right i've changed the value to 87 its returning the correct keys,hurrah, checked against rom 7 but no picture,lol. __________________ It matters not how strait the gate. How charged with punishments the scroll,I am the master of my fate,I am the captain of my soul.
	Quote Post

1st December 2008, 21:54	#139 (permalink)
edcase DW Top Poster +++ Join Date: May 2005 Posts: 952 Downloads: 0 Uploads: 0 Thanks: 73 Thanked 5 Times in 4 Posts Feedback Score: 0 reviews	Re: keyroll emm and the fix (code it ur self) Its no good just adding a value of 83.. you need to construct some code that checks if the keyroll emm is in ram, and if it is you need to make your patch code modify the emm such that it will create the correct keys .. then return to the original romcode.
	Quote Post

1st December 2008, 21:59	#140 (permalink)
Donnie Darko DW Guru ++ Join Date: Jul 2005 Location: In the bookies Posts: 5,276 Downloads: 0 Uploads: 0 Thanks: 6 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll emm and the fix (code it ur self) Gonna have to come back to this tomorrow evening,thanks for the input so far. __________________ It matters not how strait the gate. How charged with punishments the scroll,I am the master of my fate,I am the captain of my soul.
	Quote Post

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode