KEYMASK6_data:
.DB 0x3F,0x00,0x01,0xFA,0xCD,0x82,0x3D,0x15,0x07,0x10,0x07,0x12,0x07,0x14,0x07,0x11
.DB 0x07,0xB6,0x07,0xA4,0x07,0x48,0x88,0xB8,0xAA,0xB7,0xAA,0x84,0xB8,0xB4,0xB7,0xB4
.DB 0xCD,0x82,0x23,0xA6,0x25,0xCC,0x6B,0x01,0x83,0x00,0x01,0x00,0x00,0x00,0x00,0x00
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
CHKKEYMASK6:
LDI YH, high(M) ;Set Y pointer to start of decrypted EMM in RAM (0x019B)
LDI YL, low(M)
LDI ZH, high(KEYMASK6_data * 2) ;Set Z pointer to start of KEYMASK6 * 2 in Flash (0x0A70)
LDI ZL, low(KEYMASK6_data * 2)
CLR R18
KEYMASK6TOP:
CPI R18,0x01
BREQ KEYMASK5CHKLOOP
; Byte is a mask byte so check that its what we expect
LPM
LDD R17,Y+0
CP R0,R17
BRNE KEYMASK6CHKLOOPEND ; No, not an EMM we can use so exit
KEYMASK6CHKLOOP:
ADIW R30,0x01 ;Increase the ZL Flash pointer
INC R28 ;Increase the YL EMM Buffer pointer
INC R18
CPI R18,0x28 ;Have we done all 28 bytes of the EMM?
BRNE KEYMASK6TOP ;No, carry on checking the mask
RCALL DOKEYROLL6 ;Yes, this is a keychange EMM so handle type6 keyroll
KEYMASK6CHKLOOPEND:
RET
Is this roughly where we are expected to be before moving on?
@nozzer - that might explain why sosia seems to be having difficulty lol
any idea what implications this would have re. robustness of the existing solution?
in that case all I need to do is tidy up my mask as it's a bit catchall atm lol - ie it's virtually the same as above
and then wait for the very next keyroll to break it lol
You don't have permission to view the code content. Log in or register now.
yep - given the 2 area's emm's as far as I can see there is nothing wrong with my catchall mask atm - aint seen a 5C one yet but given the 5A's identicalness (is that a word lol) I would imagine the same code would work fine at recognising one of them as well - so not much point it tidying itSurely if the bits did change and you masked over the bits to identify it as this keyroll the code would still XOR with $06 therefore writing away the wrong keys?
So would fail anyway?
yep - given the 2 area's emm's as far as I can see there is nothing wrong with my catchall mask atm - aint seen a 5C one yet but given the 5A's identicalness (is that a word lol) I would imagine the same code would work fine at recognising one of them as well - so not much point it tidying it
I would lay money that "type 7" will simply be a mod of this tho lol - what worries me is that this may be on the next keyroll - but what the hell - I still aint had to do any coding yet
Just out of interest I had a look to see what jsr $823D does:
Code:You don't have permission to view the code content. Log in or register now.
It seems to disable interrupts and clear bits 1 and 2 of $07
Thing that got my interest was the crazy orders that it seems to do these things in. Something that needs more investigation I think.
Why clear bit1 twice, then clear bit2 then have to clear bit1 again? Huh lol.
It also does crazy setting an unsetting in the other jsr aswell, maybe certain bits can be set if other bits are in a certain state. I dont know, just a thought.
edc.
bet the gits dont give us a keyroll for ages so I can find out either lol
hint:
Location $07 is NOT a memory location - its a register. You dont necessarily read back what you write to it. This is why that particular location was chosen by Kudelski and why a lot of emulators are broken.
The actual value read back after the sequence of bset/bclr instructions is $03.......
We use essential cookies to make this site work, and optional cookies to enhance your experience.