Key roll EMM and the fix (code it yourself)

Well, all I can see is the original key with the wrong bytes is XORed against 19 to give the correct value????
 
Correct, in that ECM it does. It takes the two highlighted red values, XORs them with 19 and stores them back.

The next ECM picks out two more different bytes, XORs them with #41 and alters bytes B1 and BC.


So the fix is: read from the EMM stored in the card's memory the XOR byte and store this to a register.

Read from the EMM in memory the XORed bytes' locations, B1, B3, B6 etc.

XOR it with the byte location.

Store it back. EMM done.
 
Well someone just leaked my rom 7.

Bit disappointed as I hoped one of you would come up with a fix. I hope you don't just give up now that a fix is out.

I will post this. First block is a decrypted rom 7 emm with comments added.

Second block is the fix applied to the rom 7.

3F -> Filter: ANY CARD
5A01 PROVIDER ID

F7 -> RUN CODE FOR ROM7:
5FA610B721A6022D 079BCD200F9A2003 CD200F9FB8AFB7AF 9FB8BBB7BBA626CC
48BB000000835B01 4205E82593B27A90 0EA2428516CF0CA7 A714C222

DISASSEMBLY OF CODE:
------------------------------

0081: 5F clrx ; x <-- 0
Load #0 or 0000 0000 into X

0082: A6 10 lda #$10 ; Load in A
Load #$10 or 0001 0000 into A

0084: B7 21 sta RC0ADDRH ; Store A in...
Store A [#$10] into mem address

0086: A6 02 lda #$02 ; Load in A
Load #$02 or 0000 0010 into A

0088: 2D 07 bms $91 ; Branch if mask=1
Branch to $91 if mask=1

008A: 9B sei ; I <-- 1
Set Global Interrupt

008B: CD 20 0F jsr $200F ; Go to subroutine
Jump to subroutine $200F

008E: 9A cli ; I <-- 0
Clear Global Interrupt

008F: 20 03 bra $94 ; Branch always
Branch to $94

0091: CD 20 0F jsr $200F ; Go to subroutine
Jump to subroutine $200F

0094: 9F txa ; X --> A
Should load #$10 or 0001 0000 into A from X
Actually loads #0 or 0000 0000

0095: B8 AF eor $AF ; A= A xor ...
EOR A with data at $AF [#7A]
0000 0000
0111 1010
----------
0111 1010 = #$7A

Should be:
0001 0000
0111 1010
----------
0110 1010 = #$6A

0097: B7 AF sta $AF ; Store A in...
Store A [#$7A] into $AF

0099: 9F txa ; X --> A
Should load #$10 or 0001 0000 into A from X
Actually loads #0 or 0000 0000

009A: B8 BB eor $BB ; A= A xor ...
EOR A with data at $BB [#C2]
0000 0000
1100 0010
----------
1100 0010 = #$C2

Should be:
0001 0000
1100 0010
----------
1101 0010 = #$D2

009C: B7 BB sta $BB ; Store A in...
Store A [#$C2] into $BB

009E: A6 26 lda #$26 ; Load in A
Load #$26 into A. Key update starts at $A6 ($80 + #$26)

00A0: CC 48 BB jmp FILTEROK ; 2
Start Key update

BYTES DUMP:
---------------------
00A3: 00 00 00 83 5B 01 42 05
00AB: E8 25 93 B2 7A 90 0E A2
00B3: 42 85 16 CF 0C A7 A7 14
00BB: C2 22

52A4 CD 51 DF -> CD 46 9A


88 push a ; Stack <- A
C6 00 A9 lda $A9 ; Load in A
A1 42 cmp #$42 ; Compare with A
27 05 beq #$05 ; Branch if =
84 pop a ; Stack -> A
CD 51 DF jsr $51DF ; Go to subroutine
81 rts ; Return from subroutine

C6 00 81 lda $81 ; Load in A
A1 5F cmp #$5F ; Compare with A
26 0C bne #$0C ; Branch if <>
A6 AE lda #$AE ; Load in A
B7 82 sta $82 ; Store A in...
A6 20 lda #$20 ; Load in A
B7 84 sta $84 ; Store A in...
A6 0E lda #$0E ; Load in A
B7 85 sta $85 ; Store A in...
84 pop a ; Stack -> A
CD 51 DF jsr $51DF ; Go to subroutine
81 rts ; Return from subroutine
 
The two key roll routines alter 2 bytes in each key.

1 byte in each key :)

Re my public opos patch, I simply made the initial branch command jump to $94 (same as the branch always below it) and replaced the lda #$02 command with clrx (clear X) and tax (transfer A to X).

sorted :)
 

Yep lots of different ways to do it. Take your pick.

Lots of your code in the above so thanks for that also.
 
m8.. c'mon, you should know that one.. it's IDA Pro

Can you give me a hint as to what setting to use to disassemble the nagrarom10.bin from the dbox? I have selected Motorola 6805 and then it asks me what model it is, which I don't know. I have tried a few with different sizes of RAM but the disassembled code is basically just a list of 'fcb' over and over again!

I am using IDA pro 5.2 which I grabbed from Pirate Bay ...
 

No, I for one would still want to understand and learn this so I know and can edit and fix it myself, which to me is more fun than just downloading a file already done...

@danefc34 yeah, I should have known, but it's been ages and I think I've been getting lazy. So I want to get back on all this.
 
Just wanted to say thanks @cydine_, this thread makes for a great read. It's nice to get an idea of what's going on and an op to experiment, even if I don't fully understand everything! lol

Not forgetting fes for starting it all off
 

Thanks for posting that. I REALLY want to patch the ROM myself with this code, or even hack around with my code to see if I can get a different version working. I am still stuck however:

1. I have IDA Pro, but cannot get it to disassemble the ROM 10 or 7 I have copied from the Dbox.

2. I don't know how to assemble my or your code to get it into the form required to edit the hex - is there a working assembler, or will I have to just look up the hex for each op code?

If I could get some help with these two parts, I reckon I would be well on the way to victory on this!
 

OK - after viewing the patched ROM 7 in the hex editor, and comparing with the dissassembled ROM 7 in the Nagra Coding Package, I think I can answer all my own questions now!

1 - there is no real need to disassemble the existing ROM, the one in the nagra_coding package is good enough - wouldn't mind knowing how to do this anyway though!

2 - I reckon I just have to look up the op codes to do the assembling - it's only a handful of instructions, so it should be simple enough.

Then all you have to do is edit the old ROM with win hex edit and sit back and watch the telly!

Thanks to all involved in this thread for helping - If I can successfully patch the April ROM7 I have with a variation of the code I posted earlier in this thread, I will try and write up a tutorial on how to do this stuff to help future noobs.

I have to say though, expecting someone from a non computing/engineering background to figure this stuff out is asking a lot - I have an engineering degree (and hence have programmed in assembler before) and am currently a programmer by trade - if you have never written any assembly code, learning how to do this stuff is going to be tough.
 
A tutorial would be very well received methinks, fendale2000, it's been a really interesting thread to follow, has this one. Even if I am no nearer to being able to write a fix... but I'm going to keep reading and hopefully some of this stuff will stick in my head... trouble is, it's like I only have 64 megabytes of memory, and I'm trying to fit 10 gigabytes of stuff into it.

Thanks to all who have contributed to this thread.

ATB, Rigsby.
 
Yes ferndale2000, you hit the nail on the head there... you must have a bit of knowledge to begin with in coding... and like so many of us we don't have a clue...

How about a tutorial for us noobs to understand...

I understand what is needed and why, but when I look at the code it's all gibberish.. lol...
 

I am a software architect by profession, but never really done any assembly language before. I am going through the stuff cydine sent - quite slowly, but I need to understand what I am doing. Once the penny drops, I'll be fine.

Any tutorial would be very much appreciated.

Thanks for everything cydine.

abaddon
 
This has been doing my head in for 2 days trying to work round this coding. I think my head is about to explode. I think a tutorial will be a good thing if someone has the time and patience with us to try and learn. I want to learn so I can give something back to the community.
 
I'm not a prolific poster as you can tell by my post count, but I am always around, logged on or not, and must say this has been the best thread to appear in a while. I understand the concept of what is going on, but like others, when you look at the code you don't know where to start....

A noob tut would be magnificent

cheers
 
Yeah shame some tosser screwed cydine over.. I mean is your integrity worth TV?


Although most of it has been over my head, I've been stuck in assembler for about 24 hours now and loving it. I think I would have got it within a week or so too, but unfortunately I am back in work tomorrow.

I would still like to patch the rom10 and 11 files though.. I was looking at the feasibility of a dirty hex cut and paste job from the rom 7 but I can see some of the registers are different...

Cydine.. I understand you are pissed off at whoever leaked your work, however please do not turn your back on us.. I bet the author of the next fix in the future is subscribed to this thread!

Couple of questions, hope someone can help me..

* How do you get IDA Pro to disassemble the .bin's out of the box?
* Can IDA produce a .lst file?
* if so what tool will recompile this .lst into a binary?

Does anyone have any more literature stashed away about this?

Many Thanks!

--
Regards
 
Thanks to all who have helped out here. Shame I didn't get anywhere with it. If somebody did a tut I'd love a go at modding ROM 10 and 11. My only problem is I'm a bit of a retard when it comes to programming, so the simpler the better.

Once again Thanks Cydine and everybody else who helped. Shame the fix was leaked, I'm gonna try and stick with it and learn though.
 
Thanks guys!

I think i have a better understanding of how this works.
I'm gonna have a crack (or patch hehe) at this for ROM10.
Fingers crossed!
 
Trust me guys, if I can learn then anyone can.

I am not some elite software engineer. I'm a gravedigger ffs.

Keep at it. I will post more in the morning. Just got in from a night out and I'm half cut LOL.
 