#152
Re: keyroll emm and the fix (code it ur self)
Well done guys, good to see more people learning. Just wish I could get my head around this, but think I'm just too thick. Been one of the best reading threads in a long time.
#153
Re: keyroll emm and the fix (code it ur self)
That's interesting. As cydine pointed out, it understands what's happening with "JSR 2020" (mapping call). But it seems other EMUs don't understand it, hence the reason for the patches. Here's my understanding of the EMM:

00:0081 00 80 c0 00 03fd ....Z. 5fa6e9b7 74f30000 00000904 CLR X
1. Clear the X register so it becomes 00.

00:0082 00 00 c0 00 03fd ....Z. a6e9b741 74f30000 00000907 LDA #e9
2. Load the A register with the value 0xE9 (hexadecimal value), so A=E9 (or 1110 1001 in binary).

00:0084 e9 00 c0 00 03fd ...N.. b741a602 74f30000 00000909 STA 41
3. Store the value that is in the A register at location 41, so now RAM[41] = E9 (or 1110 1001 in binary).

00:0086 e9 00 c0 00 03fd ...N.. a6022d07 74f30000 0000090d LDA #02
4. Load the A register with the value 0x02 (hexadecimal value), so A=02 (or 0000 0000 in binary).

00:0088 02 00 c0 00 03fd ...... 2d079bcd 74f30000 0000090f BMS 0091 (taken)
5. If Interrupt is set then jump to the code at 0091, otherwise continue on to the next code.

00:008a 02 00 c0 00 03fd ...... 9bcd2020 74f30000 00000912 SEI
6. Set Interrupt - ATTENTION!

00:008b 02 00 c0 00 03fd ..I... cd20209a 74f30000 00000914 JSR 2020
7. Jump to subroutine 2020 and do some voodoo there.

6805: breakpoint at 2020 (count=630) math call: $02 RAM[41]=$e9

In this case, the subroutine 2020 is setting the X register with the value located at memory location RAM[41], which is hex value 0xE9 (or 1110 1001 in binary) (see 3.), and that's all we're interested in at the moment. In vplus, this gets done, but in other EMUs (evocamd for example) nothing happens, so X remains untouched at 0x0.

cr:-pc- aa xx yy dr -sp- VHINZC -mem@pc- -mem@sp- -cycles-
00:008e 02 e9 c0 00 03fd ..I... 9a2003cd 74f30000 0000091a CLI
8. Clear Interrupt, as you were...

00:008f 02 e9 c0 00 03fd ...... 2003cd20 74f30000 0000091c BRA 0094 (taken)
9. Skip to 10. Note: there is a code here not listed in the log which basically says skip the "JSR 2020" call as we have already done it. If point 5 was true (i.e. interrupt was already set) then the jump to 91 would land here, which basically does point 7. Have a look at the disassembly of the EMM in emmstudio to understand what I'm talking about.

00:0094 02 e9 c0 00 03fd ...... 9fb8b2b7 74f30000 0000091f TXA
10. Transfer the content of register X to A, so now it should be X=E9 and A=E9 (or 1110 1001 in binary). BUT remember X was zero due to our EMU not understanding JSR 2020? So what happens? X=0x0 and A=0x0. Now anything you do with these registers is meaningless (for our purpose anyway).

00:0095 e9 e9 c0 00 03fd ...... b8b2b7b2 74f30000 00000921 EOR b2 {04}
...

Our patch will just modify these instructions so that it doesn't do the BMS and JSR 2020 calls (skipping steps 3 to 9) and just modifies step 2 so that it's "load X" rather than "load A", then skips to 10 to do "transfer X to A". There's also a bit of code in the patch to check whether it is indeed the right EMM code we are modifying. You will need to modify the patch and jump addresses so that instead of:
Main Code > Process EMM Buffer
you do:
Main Code > Do Patch > Process EMM Buffer
Use EMMStudio's disassembly function, it's very useful. Just grab some code from your hex editor and paste it in there to disassemble and you'll understand it better. No need to memorise opcodes (though it helps). I hope this makes it slightly clearer.
#154
Re: keyroll emm and the fix (code it ur self)
By the way, I found out how to capture EMMs from Dbox2. I was doing it the long way (MLog, nagemmex, emmstudio), no-one helped me. Easy way for those who don't know: modify camd_cfg and set:
# 00 disabled
# 01 enabled
L: { 01 }192.168.1.11 10000
Note: put your own IP there. And use UDPLog 1.9 on the computer you want to capture packets on. Another way is to use telnet: kill the evocamd processes and run it manually by typing "evocamd". Though I prefer the first method as it gives me only the decrypted EMMs and less noise.
#155
Re: keyroll emm and the fix (code it ur self)
xxxmkxxx, thanks a lot for posting and well done for patching the ROM. You did it in 6 hrs, you say; very impressive. It would take me a lifetime.
#156
Re: keyroll emm and the fix (code it ur self)
I'm sure you can do this, it's very easy once you understand how. It's a bit like algebra really. There's plenty of info here to do it. You don't really need to understand how Nagra encryption works. The basics will start you off and shouldn't take very long. Now that I understand how EMMs work and the processes, I could probably patch rom11 in less than an hour I think, but will leave it for you to do it. Best of luck.
#157
Re: keyroll emm and the fix (code it ur self)
Thanks for taking the time to give such a detailed explanation, I really appreciate it. I'll try to get some more details from the vplug developer, but don't hold your breath. Because Vplug only has internal fixes for roms 10 & 11, I think looking at how it deals with a patched rom7 might be quite revealing.
I'm not a natural mathematician but I'd really like to give this a shot. I'm up early so I'm going to have to call it a night, but I'll have a good look at all this tomorrow. Thanks again, Nick
Last edited by Nick [D]vB; 2nd December 2008 at 03:36.
#158
Re: keyroll emm and the fix (code it ur self)
@xxxmkxxx #$02 = 0000 0010
As for the fix I did for the public OPOS card s/w....
Code:
DECRYPTED EMM:
--------------------------------------------------------
SIGNATURE: OK!
3F -> Filter: ANY CARD
5C01 PROVIDER ID (NTL-Cable (England))
FA -> RUN CODE FOR ROM10:
5FA66BB741A6022D 079BCD20209A2003 CD20209FB8B0B7B0 9FB8BAB7BAA626CC
6B01000000835D01 42058A431412B634 413F4285B58EA13E 6FBCBDD2
DISASSEMBLY OF CODE:
------------------------------
0081: 5F clrx ; x <-- 0
0082: A6 6B lda #$6B ; Load in A
0084: B7 41 sta TEMPA ; Store A in...
0086: A6 02 lda #$02 ; Load in A
0088: 2D 07 bms $91 ; Branch if mask=1
008A: 9B sei ; I <-- 1
008B: CD 20 20 jsr $2020 ; Go to subroutine
008E: 9A cli ; I <-- 0
008F: 20 03 bra $94 ; Branch always
0091: CD 20 20 jsr $2020 ; Go to subroutine
0094: 9F txa ; X --> A
0095: B8 B0 eor ; A= A xor ...
0097: B7 B0 sta ; Store A in...
0099: 9F txa ; X --> A
009A: B8 BA eor ; A= A xor ...
009C: B7 BA sta ; Store A in...
009E: A6 26 lda #$26 ; Load in A
00A0: CC 6B 01 jmp $6B01 ; Jump
BYTES DUMP:
---------------------
00A3: 00 00 00 83 5D 01 42 05
00AB: 8A 43 14 12 B6 34 41 3F
00B3: 42 85 B5 8E A1 3E 6F BC
00BB: BD D2
EMM DECRYPTED RAW BYTES:
-------------------------
3F5C01FA5FA66BB741A6022D079BCD20209A2003CD20209FB8B0B7B09FB8BAB7BAA626CC6B01000000835D0142058A431412B634413F4285B58EA13E6FBCBDD2
---------------------------------------------2nd EMM-----------------------------------------------------------------------
DECRYPTED EMM:
--------------------------------------------------------
SIGNATURE: BAD(B0860FAA78CDB65C)
DECRYPTED BAD DATA: 49F97776A571FB5559930EE0AE97D9AC1518397FAEB85652D75CE18B9D7F8A9512310DB019A06B1DA315FF2D87C3BBB0887E135A27DCBF6313141CF3E63B0CC4
-- Trying decrypt with signature exchange...
NEW EMM SIGNATURE: 196A8DF3B3D6B2BE
SIGNATURE: OK!
3F -> Filter: ANY CARD
5C01 PROVIDER ID (NTL-Cable (England))
FA -> RUN CODE FOR ROM10:
5FA629B741A6022D 079BCD20209A2003 CD20209FB8B0B7B0 9FB8BAB7BAA626CC
6B01000000835D01 42058A431412B676 413F4285B58EA13E 6FFEBDD2
DISASSEMBLY OF CODE:
------------------------------
0081: 5F clrx ; x <-- 0
0082: A6 29 lda #$29 ; Load in A
0084: B7 41 sta TEMPA ; Store A in...
0086: A6 02 lda #$02 ; Load in A
0088: 2D 07 bms $91 ; Branch if mask=1
008A: 9B sei ; I <-- 1
008B: CD 20 20 jsr $2020 ; Go to subroutine
008E: 9A cli ; I <-- 0
008F: 20 03 bra $94 ; Branch always
0091: CD 20 20 jsr $2020 ; Go to subroutine
0094: 9F txa ; X --> A
0095: B8 B0 eor ; A= A xor ...
0097: B7 B0 sta ; Store A in...
0099: 9F txa ; X --> A
009A: B8 BA eor ; A= A xor ...
009C: B7 BA sta ; Store A in...
009E: A6 26 lda #$26 ; Load in A
00A0: CC 6B 01 jmp $6B01 ; Jump
BYTES DUMP:
---------------------
00A3: 00 00 00 83 5D 01 42 05
00AB: 8A 43 14 12 B6 76 41 3F
00B3: 42 85 B5 8E A1 3E 6F FE
00BB: BD D2
EMM DECRYPTED RAW BYTES:
-------------------------
3F5C01FA5FA629B741A6022D079BCD20209A2003CD20209FB8B0B7B09FB8BAB7BAA626CC6B01000000835D0142058A431412B676413F4285B58EA13E6FFEBDD2
1st off, you only need 1 key update to update both public keys (0 and 1) on a card. So why 2???? Look closely at the Bytes Dump. Each key has an incorrect 6th byte... Now look at the initial LDA command at $82. This value is used to EOR the incorrect 6th byte in each key. They are both different too.. So, no point hard coding 1 EOR value as 2 are used (1 for each key update). Any solution must therefore ensure the correct EOR value is used. As time marches on, the altered key byte (in the buffer) and/or the EOR value may be changed, so a dynamic solution is required. VM have a poor history in fighting back so any MAP call problems are a waste of time for the average programmer.. I myself like a challenge and enjoy fixing these but they take a little longer than a quick patch and will not see the light of day until VM drop Nagra1.. So, as a quick patch is likely to last months, that's what most will do..

Now, we already break out of the 'official' ROM routine to our own code stored in some unused area... This custom code checks the EMM data and modifies it based on our rules before jumping back into the official routine, which runs our version of the EMM instead.

The key to this EMM is the use of X. What should happen is the EOR value is stored in A, then A is stored in TEMPA before being changed to #$02. Basically, we can assume that the MAP call takes TEMPA and stores it in X. The OPOS doesn't do this and so whatever X is at the time (you can work it out by reading the wrong byte off a card with the old s/w, and working out the EOR with the byte in the buffer).

Anyways, why worry about routines and all the bollox when it's much easier to change the start of the EMMs from
Code:
0081: 5F clrx ; x <-- 0
0082: A6 6B lda #$6B ; Load in A
0084: B7 41 sta TEMPA ; Store A in...
0086: A6 02 lda #$02 ; Load in A
0088: 2D 07 bms $91 ; Branch if mask=1
008A: 9B sei ; I <-- 1
008B: CD 20 20 jsr $2020 ; Go to subroutine
008E: 9A cli ; I <-- 0
008F: 20 03 bra $94 ; Branch always
0091: CD 20 20 jsr $2020 ; Go to subroutine
0094: 9F txa ; X --> A
0095: B8 B0 eor ; A= A xor ...
0097: B7 B0 sta ; Store A in...
0099: 9F txa ; X --> A
009A: B8 BA eor ; A= A xor ...
009C: B7 BA sta ; Store A in...
009E: A6 26 lda #$26 ; Load in A
00A0: CC 6B 01 jmp $6B01 ; Jump
BYTES DUMP:
---------------------
00A3: 00 00 00 83 5D 01 42 05
00AB: 8A 43 14 12 B6 34 41 3F
00B3: 42 85 B5 8E A1 3E 6F BC
00BB: BD D2
Code:
0081: 5F clrx ; x <-- 0
0082: A6 6B lda #$6B ; Load in A
0084: 5F clrx ; x <-- 0
0085: 97 tax ; A --> X
0086: A6 02 lda #$02 ; Load in A
0088: 2D 0A bms $94 ; Branch if mask=1
008A: 9B sei ; I <-- 1
008B: CD 20 20 jsr $2020 ; Go to subroutine
008E: 9A cli ; I <-- 0
008F: 20 03 bra $94 ; Branch always
0091: CD 20 20 jsr $2020 ; Go to subroutine
0094: 9F txa ; X --> A
0095: B8 B0 eor ; A= A xor ...
0097: B7 B0 sta ; Store A in...
0099: 9F txa ; X --> A
009A: B8 BA eor ; A= A xor ...
009C: B7 BA sta ; Store A in...
009E: A6 26 lda #$26 ; Load in A
00A0: CC 6B 01 jmp $6B01 ; Jump
BYTES DUMP:
---------------------
00A3: 00 00 00 83 5D 01 42 05
00AB: 8A 43 14 12 B6 34 41 3F
00B3: 42 85 B5 8E A1 3E 6F BC
00BB: BD D2
The rest of the EMM runs fine and your keys are updated.

Code required on a ROM10 dump (albeit pre-patched)
Code:
C6 00 8A load $8A into A (3rd check)
A1 9B cmp 9B (keyroll method 11/08)
26 0C bne (next check or end)
A6 5F load #$5F into A
B7 84 store A in $84
A6 97 load #$97 into A
B7 85 store A in $85
A6 0A load #$0A into A
B7 89 store A in $89
84 popa (END of patch)
CD 74 27 jsr $7427 ; Go to subroutine (rts) (original code at $74EC)
81 returns back to original subroutine after our patch jump
*taken from my post on DD
Last edited by CG121; 2nd December 2008 at 04:07.
#159
Re: keyroll emm and the fix (code it ur self)
Don't worry, I'm rubbish at maths and I managed it, so can you lol. Anyway, nn.
#160
Re: keyroll emm and the fix (code it ur self)
Good eye CG121. Think I got carried away with the zeroes, I'll fix that now*, thanks. Good info you have there, thanks for that. Think there's plenty of info here to be prepared for the next challenge. I can't wait! lol
Edit: * seems I can't edit my post now, yikes!