@xxxmkxxx
#$02 = 0000 0010
As for the fix I did for the public OPOS card s/w....
Above are the 2 Key updates used in the latest attack...
1st off, you only need 1 Key update to update both public keys (0 and 1) on a card. So why 2????
Look closely at the Bytes Dump. Each key has an incorrect 6th byte...
Now look at the initial LDA command at $82. This value is used to EOR the incorrect 6th byte in each key. They are both different too..
So, no point hard coding 1 EOR value as 2 are used (1 for each key update)
Any solution must therefore ensure the correct EOR value is used.
As time marches on, the altered key byte (in the buffer) and/or the EOR value may be changed, so a dynamic solution is required.
VM have a poor history in fighting back so any MAP call problems are a waste of time for the average programmer..I myself like a challenge and enjoy fixing these but they take a little longer than a quick patch and will not see the light of day until VM drop Nagra1..
So, as a quick patch is likely to last months, that's what most will do..
Now, we already break out of the 'official' ROM routine to our own code stored in some unused area...
This custom code checks the EMM data and modifies it based on our rules before jumping back into the official routine, which runs our version of the EMM instead
The key to this EMM is the use of X.
What should happen is the EOR value is stored in A, then A is stored in TEMPA before being changed to #$02.
Basically, we can assume that the MAP call takes TEMPA and stores it in X.
The OPOS doesn't do this and so whatever X is at the time (you can work it out by reading the wrong byte off a card with the old s/w, and working out the EOR with the byte in the buffer).
Anyways, why worry about routines and all the bollox when it's much easier to change the start of the EMMs from
to
So, basically, the EMM clears X, loads the EOR value into A (in the example, #$6B), clears X again (I couldn't resist it lol) and transfers A to X. Then it loads #$02 into A (no reason to alter that) and then issues the branch command. Now, notice I've changed it to branch beyond the next MAP call (using 0A instead of 07). So the EMM jumps from $88 to $94 and ignores all the MAP calls altogether...
The rest of the EMM runs fine and your keys are updated
Code required on a ROM10 dump (albeit pre-patched)
I appreciate that keys are not to be posted in the main forums, but strictly speaking, 1 byte in each key is wrong
*taken from my post on DD