keyroll emm and the fix (code it ur self) - Page 4 - Digital World Cable Satellite Console Forum

carvegio · 28th November 2008, 16:34

Can someone please just talk about how this relates back to the dbox please?

Thanks

abaddon · 28th November 2008, 16:35

Quote:

Originally Posted by cydine_

You're getting there.

At $94 it's loading the value of X into A.
At $95 it's xoring A against the value at $B1

The problem is that the value of X is not what it is meant to be.

At $82, the correct value - #$79 is loaded into A. Somewhere in the following subroutines this value should be transferred to X. This is where the emu breaks down.

So when you get to $94, the value of X is not #$79 as it should be. Therefore the result of the xor is incorrect and so is the resulting key.

The fix - load X with the corrrect value (found at $83) before the xoring occurs and the correct key will be produced

I can follow all of this, but the problem I have is knowing what tools to use to turn this into the appropriate ROM file - or even to edit a ROM file. Can you give me some pointers as to tools I should be using to do this?

Thanks.

abaddon

abaddon · 28th November 2008, 16:37

Quote:

Originally Posted by carvegio

Can someone please just talk about how this relates back to the dbox please?

Thanks

My understanding is that this is contained in one or more ROM files that you find on your dbox. These ROM files contain the instructions, the trick is figuring out what edits need to be made to the instructions, but before that, figuring out how to edit the ROM file in the first place.

abaddon

pritesh · 28th November 2008, 16:41

am i right in thinking the code in the first page is assembly?

carvegio · 28th November 2008, 16:42

Hi abaddon,

Yes your post following mine is exactly what I am asking. I know it is coming out wrong and I think I know why (with some help), but I have no idea what to do with this information :P

How do we know where this code is to edit or patch the rom files.

cydine_ · 28th November 2008, 16:44

All I use is notepad and a hex editor.

To fix you need to find the point in the code where the emm has been loaded into the buffer but has not been processed.

You then jump out of that code to your patch. The patch will modify the data in the buffer so the correct key is produced.

Then jump back to the original code.

torrentthief · 28th November 2008, 16:48

hope you clever guys can patch the roms soon, fingers crossed, us dreambox guys bow down to you!

carvegio · 28th November 2008, 16:49

Hi cydine_,

when you say

To fix you need to find the point in the code where the emm has been loaded into the buffer but has not been processed.

You then jump out of that code to your patch. The patch will modify the data in the buffer so the correct key is produced.

Then jump back to the original code.

The code is the nagrarom7.bin file I take it?

How do I get this to load and compile somewhere to tell when the emm has been loaded into the buffer but not been processed yet?

My problem is I can't see the code or know where it is to be able to fix it.

Thanks

carvegio · 28th November 2008, 16:51

When I load nagrarom7.bin into a hex editor I get a lot of rubbish on the right, I guess it is not decoding right?

Which step am I missing.

cydine_ · 28th November 2008, 17:00

Look for a disassembled rom 7 listing. I will up one somewhere if you can't find it.

Try looking for "nagra coding package"

28th November 2008, 16:34	#31 (permalink)
carvegio Member Join Date: Aug 2006 Posts: 54 Downloads: 0 Uploads: 0 Thanks: 0 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll ecm and the fix (code it ur self) Can someone please just talk about how this relates back to the dbox please? Thanks
	Quote Post

28th November 2008, 16:41	#34 (permalink)
pritesh DW Respected Member ++ Join Date: Jun 2005 Posts: 1,416 Downloads: 2 Uploads: 0 Thanks: 5 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll ecm and the fix (code it ur self) am i right in thinking the code in the first page is assembly?
	Quote Post

28th November 2008, 16:42	#35 (permalink)
carvegio Member Join Date: Aug 2006 Posts: 54 Downloads: 0 Uploads: 0 Thanks: 0 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll ecm and the fix (code it ur self) Hi abaddon, Yes your post following mine is exactly what I am asking. I know it is coming out wrong and I think I know why (with some help), but I have no idea what to do with this information :P How do we know where this code is to edit or patch the rom files.
	Quote Post

28th November 2008, 16:44	#36 (permalink)
cydine_ Senior Member +++ Join Date: Nov 2005 Location: /tmp Posts: 350 Downloads: 4 Uploads: 0 Thanks: 0 Thanked 1 Time in 1 Post Feedback Score: 0 reviews	Re: keyroll ecm and the fix (code it ur self) All I use is notepad and a hex editor. To fix you need to find the point in the code where the emm has been loaded into the buffer but has not been processed. You then jump out of that code to your patch. The patch will modify the data in the buffer so the correct key is produced. Then jump back to the original code. __________________ http://profile.mygamercard.net/cydine
	Quote Post

28th November 2008, 16:48	#37 (permalink)
torrentthief Member + Join Date: Sep 2007 Posts: 76 Downloads: 0 Uploads: 0 Thanks: 0 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll ecm and the fix (code it ur self) hope you clever guys can patch the roms soon, fingers crossed, us dreambox guys bow down to you!
	Quote Post

28th November 2008, 16:49	#38 (permalink)
carvegio Member Join Date: Aug 2006 Posts: 54 Downloads: 0 Uploads: 0 Thanks: 0 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll ecm and the fix (code it ur self) Hi cydine_, when you say To fix you need to find the point in the code where the emm has been loaded into the buffer but has not been processed. You then jump out of that code to your patch. The patch will modify the data in the buffer so the correct key is produced. Then jump back to the original code. The code is the nagrarom7.bin file I take it? How do I get this to load and compile somewhere to tell when the emm has been loaded into the buffer but not been processed yet? My problem is I can't see the code or know where it is to be able to fix it. Thanks Last edited by carvegio; 28th November 2008 at 16:52.
	Quote Post

28th November 2008, 16:51	#39 (permalink)
carvegio Member Join Date: Aug 2006 Posts: 54 Downloads: 0 Uploads: 0 Thanks: 0 Thanked 0 Times in 0 Posts Feedback Score: 0 reviews	Re: keyroll ecm and the fix (code it ur self) When I load nagrarom7.bin into a hex editor I get a lot of rubbish on the right, I guess it is not decoding right? Which step am I missing.
	Quote Post

28th November 2008, 17:00	#40 (permalink)
cydine_ Senior Member +++ Join Date: Nov 2005 Location: /tmp Posts: 350 Downloads: 4 Uploads: 0 Thanks: 0 Thanked 1 Time in 1 Post Feedback Score: 0 reviews	Re: keyroll ecm and the fix (code it ur self) Look for a disassembled rom 7 listing. I will up one somewhere if you can't find it. Try looking for "nagra coding package" __________________ http://profile.mygamercard.net/cydine
	Quote Post

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode