Accepts rubbish registration details on their website, lol. :sneaky:

If you're having problems with using the command line assembler (DOS) then I'd recommend you install AVRStudio. Download for free direct from the Atmel website.
Is this correct?

; Check if it's one of the allowed keychange EMMs and handle if it is.
RCALL CHKKEYMASK1
RCALL CHKKEYMASK2
RCALL CHKKEYMASK3 ; *** Suggest you disable this for PURE NTL ! ***
RCALL CHKKEYMASK4
RCALL CHKKEYMASK5
;*****************************************************
; Add call to your new keyroll method here !
;*****************************************************
I think this is there as an example but just double checking, my provider is 5E01.

; Keychange Method 5
;------------------------------------------------------------------------------------------------
;
; This is the new keyroll method as implemented on 14/08/06 by NTL/TW
;
;
; 3F -> Filter: ANY CARD
; 5A01 PROVIDER ID (Telewest (Cable))
;
; FA -> RUN CODE FOR ROM10:
; 3F41A602CD90E33F 4DA6B9B74EA60ECD 90E3A6ADB74EA60E CD90E3A621CC6B01
; 835B014205F29612 F4475D5100000000 3C8B73CE26E32600 BC4285BD
;
If they do a key roll only the bold & underlined change.

BYTES DUMP:
---------------------
00A1: 83 5D 01 42 05 E3 26 AE
00A9: 0C 2F FF 13 00 00 00 00
00B1: 70 EE 80 79 77 74 46 00
00B9: 70 42 85 28
And this is why I have to write a new method to find the keys?

BYTES DUMP:
---------------------
00A3: 00 00 00 83 55 01 42 05
00AB: 62 BD 22 0A C6 86 E5 93
00B3: 42 85 80 D4 D1 D3 80 90
00BB: FF 2B
I appreciate that most of you probably can't write assembly-level code, but that doesn't stop you asking questions or coming up with ideas. If you can't code then write out what you think needs to be done in plain English. This thread is all about trying to give you some insight into these cards and how they work, and also to show you that although you may not be able to do it on your own, you could probably do it as a group if you're willing to put some effort in and give it a go!
3F -> Filter: ANY CARD
5E01 PROVIDER ID (Chorus Primary)
FA -> RUN CODE FOR ROM10:
5FA6CEB741A6022D 079BCD20209A2003 CD20209FB8ACB7AC 9FB8B7B7B7A626CC
6B01000000835F01 4205CED72E878061 7490428562FA17F3 CE05FA79
DISASSEMBLY OF CODE:
------------------------------
0081: 5F clrx ; x <-- 0
0082: A6 CE lda #$CE ; Load in A
0084: B7 41 sta TEMPA ; Store A in...
0086: A6 02 lda #$02 ; Load in A
0088: 2D 07 bms $91 ; Branch if mask=1
008A: 9B sei ; I <-- 1
008B: CD 20 20 jsr $2020 ; Go to subroutine
008E: 9A cli ; I <-- 0
008F: 20 03 bra $94 ; Branch always
0091: CD 20 20 jsr $2020 ; Go to subroutine
0094: 9F txa ; X --> A
0095: B8 AC eor $AC ; A= A xor ...
0097: B7 AC sta $AC ; Store A in...
0099: 9F txa ; X --> A
009A: B8 B7 eor $B7 ; A= A xor ...
009C: B7 B7 sta $B7 ; Store A in...
009E: A6 26 lda #$26 ; Load in A
00A0: CC 6B 01 jmp $6B01 ; Jump
BYTES DUMP:
---------------------
00A3: 00 00 00 83 5F 01 42 05
00AB: CE D7 2E 87 80 61 74 90
00B3: 42 85 62 FA 17 F3 CE 05
00BB: FA 79
Please delete if not allowed here.

3F -> Filter: ANY CARD
5E01 PROVIDER ID (Chorus Primary)
F7 -> RUN CODE FOR ROM7:
5FA6F7B721A6022D 079BCD200F9A2003 CD200F9FB8ADB7AD 9FB8B6B7B6A626CC
48BB000000835F01 4205CE19D9878061 74904285620DD9F3 CE05FA79
DISASSEMBLY OF CODE:
------------------------------
0081: 5F clrx ; x <-- 0
0082: A6 F7 lda #$F7 ; Load in A
0084: B7 21 sta RC0ADDRH ; Store A in...
0086: A6 02 lda #$02 ; Load in A
0088: 2D 07 bms $91 ; Branch if mask=1
008A: 9B sei ; I <-- 1
008B: CD 20 0F jsr $200F ; Go to subroutine
008E: 9A cli ; I <-- 0
008F: 20 03 bra $94 ; Branch always
0091: CD 20 0F jsr $200F ; Go to subroutine
0094: 9F txa ; X --> A
0095: B8 AD eor $AD ; A= A xor ...
0097: B7 AD sta $AD ; Store A in...
0099: 9F txa ; X --> A
009A: B8 B6 eor $B6 ; A= A xor ...
009C: B7 B6 sta $B6 ; Store A in...
009E: A6 26 lda #$26 ; Load in A
00A0: CC 48 BB jmp FILTEROK ; 2
BYTES DUMP:
---------------------
00A3: 00 00 00 83 5F 01 42 05
00AB: CE 19 D9 87 80 61 74 90
00B3: 42 85 62 0D D9 F3 CE 05
00BB: FA 79
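The two "DISASSEMBLY OF CODE" listings above were produced by hand. As an added example (not code from this thread or from any of its posters), here is a small Python disassembler for the 68HC05-style opcodes that appear in the quoted keyroll EMM lines. It splits a 64-byte EMM into the filter byte, provider ID, nano and payload, decodes the payload from $0081 (the base address the posted listings use; that constant is an assumption taken from them) up to the final jmp, and prints the leftover bytes in the same 8-per-row dump format as the posts. The opcode table is a hand-picked subset of the standard 68HC05 set, so an unknown byte raises instead of silently mis-decoding; symbolic names such as TEMPA, RC0ADDRH and FILTEROK in the posted listings come from the Rom10 disassembly and are not reproduced here, only the raw addresses. Nothing in it derives or manipulates keys.

```python
"""Disassemble the 68HC05-style code carried in the keyroll EMM lines quoted above.

Added example; not code from the thread.  Only the opcodes seen in the posted
payloads (plus a few common ones) are in the table, so an unknown byte raises
rather than silently mis-decoding.
"""
from typing import List, Tuple

# Addressing modes: inh = no operand, imm = #$nn, dir = $nn (direct page),
# ext = $hhll (16-bit absolute), rel = signed 8-bit offset from the next PC.
OPCODES = {
    0x20: ("bra", "rel"), 0x26: ("bne", "rel"), 0x27: ("beq", "rel"),
    0x2D: ("bms", "rel"),                       # branch if interrupt mask (I) set
    0x3F: ("clr", "dir"), 0x5F: ("clrx", "inh"), 0x81: ("rts", "inh"),
    0x9A: ("cli", "inh"), 0x9B: ("sei", "inh"), 0x9D: ("nop", "inh"),
    0x9F: ("txa", "inh"),
    0xA6: ("lda", "imm"), 0xAE: ("ldx", "imm"),
    0xB6: ("lda", "dir"), 0xB7: ("sta", "dir"), 0xB8: ("eor", "dir"),
    0xBE: ("ldx", "dir"), 0xBF: ("stx", "dir"),
    0xCC: ("jmp", "ext"), 0xCD: ("jsr", "ext"),
}
SIZES = {"inh": 1, "imm": 2, "dir": 2, "rel": 2, "ext": 3}

# Assumption taken from the thread's listings: the first payload byte sits at $0081.
CODE_BASE = 0x0081

Instr = Tuple[int, str, str]  # (address, hex bytes, "mnemonic operand")


def split_emm(hexline: str) -> Tuple[int, str, int, bytes]:
    """Split a raw EMM line into filter byte, provider ID, nano byte and payload."""
    raw = bytes.fromhex(hexline.replace(" ", ""))
    return raw[0], raw[1:3].hex().upper(), raw[3], raw[4:]


def disassemble(code: bytes, base: int = CODE_BASE) -> Tuple[List[Instr], bytes, int]:
    """Decode from `base` until a jmp/rts; return instructions, leftover bytes, their address."""
    pc, out = 0, []
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"unknown opcode ${op:02X} at ${base + pc:04X}")
        mnem, mode = OPCODES[op]
        size = SIZES[mode]
        ins = code[pc:pc + size]
        if len(ins) < size:
            raise ValueError(f"truncated instruction at ${base + pc:04X}")
        addr = base + pc
        if mode == "inh":
            operand = ""
        elif mode == "imm":
            operand = f"#${ins[1]:02X}"
        elif mode == "dir":
            operand = f"${ins[1]:02X}"
        elif mode == "ext":
            operand = f"${ins[1]:02X}{ins[2]:02X}"
        else:  # rel: offset is relative to the address of the next instruction
            off = ins[1] - 0x100 if ins[1] & 0x80 else ins[1]
            operand = f"${(addr + size + off) & 0xFFFF:04X}"
        out.append((addr, " ".join(f"{b:02X}" for b in ins), f"{mnem} {operand}".strip()))
        pc += size
        if mnem in ("jmp", "rts"):   # control leaves the payload; what follows is data
            break
    return out, code[pc:], base + pc


def dump_rows(data: bytes, start: int, width: int = 8) -> List[str]:
    """Render bytes as the thread's 'AAAA: xx xx ...' rows."""
    return [f"{start + i:04X}: " + " ".join(f"{b:02X}" for b in data[i:i + width])
            for i in range(0, len(data), width)]


def listing(hexline: str) -> List[str]:
    """Full text listing for one EMM line: header, disassembly, data dump."""
    filt, prov, nano, code = split_emm(hexline)
    instrs, rest, rest_addr = disassemble(code)
    lines = [f"filter {filt:02X}, provider {prov}, nano {nano:02X}, payload {len(code)} bytes"]
    lines += [f"{a:04X}: {h:<9}{m}" for a, h, m in instrs]
    lines += dump_rows(rest, rest_addr)
    return lines


# The EMM lines exactly as posted in the thread (5E01 ROM10 and ROM7 variants,
# and the older 5A01 ROM10 one).
EMM_5E01_ROM10 = ("3F5E01FA5FA6CEB741A6022D079BCD20 209A2003CD20209FB8ACB7AC9FB8B7B7 "
                  "B7A626CC6B01000000835F014205CED7 2E8780617490428562FA17F3CE05FA79")
EMM_5E01_ROM7 = ("3F5E01F75FA6F7B721A6022D079BCD20 0F9A2003CD200F9FB8ADB7AD9FB8B6B7 "
                 "B6A626CC48BB000000835F014205CE19 D987806174904285620DD9F3CE05FA79")
EMM_5A01_ROM10 = ("3F5A01FA3F41A602CD90E33F4DA6B9B7 4EA60ECD90E3A6ADB74EA60ECD90E3A6 "
                  "21CC6B01835B014205F29612F4475D51 000000003C8B73CE26E32600BC4285BD")

if __name__ == "__main__":
    for emm in (EMM_5E01_ROM10, EMM_5E01_ROM7, EMM_5A01_ROM10):
        print("\n".join(listing(emm)), end="\n\n")
```

Running it on the three posted lines reproduces the listings given in the thread: the 5E01 payloads decode to the same 18 instructions ending in `jmp $6B01` (ROM10) or `jmp $48BB` (ROM7) at $00A0, with the data dump starting at $00A3, while the older 5A01 line ends its code at $009E so its dump starts at $00A1, which is why those two BYTES DUMP blocks above begin at different addresses.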
So the top 2 lines are no good to me.

Byte offsets 00-0F | 10-1F | 20-2F | 30-3F:
3F5A01FA3F41A602CD90E33F4DA6B9B7 4EA60ECD90E3A6ADB74EA60ECD90E3A6 21CC6B01835B014205F29612F4475D51 000000003C8B73CE26E32600BC4285BD
3F5C01FA3F41A602CD90E33F4DA6B9B7 4EA60ECD90E3A6ADB74EA60ECD90E3A6 21CC6B01835D014205E326AE0C2FFF13 0000000070EE80797774460070428528
3F5E01F75FA6F7B721A6022D079BCD20 0F9A2003CD200F9FB8ADB7AD9FB8B6B7 B6A626CC48BB000000835F014205CE19 D987806174904285620DD9F3CE05FA79
3F5E01FA5FA6CEB741A6022D079BCD20 209A2003CD20209FB8ACB7AC9FB8B7B7 B7A626CC6B01000000835F014205CED7 2E8780617490428562FA17F3CE05FA79
Now I would like to break them down so I can understand what they do:

Byte offsets 00-0F | 10-1F | 20-2F | 30-3F:
3F5E01F75FA6F7B721A6022D079BCD20 0F9A2003CD200F9FB8ADB7AD9FB8B6B7 B6A626CC48BB000000835F014205CE19 D987806174904285620DD9F3CE05FA79
3F5E01FA5FA6CEB741A6022D079BCD20 209A2003CD20209FB8ACB7AC9FB8B7B7 B7A626CC6B01000000835F014205CED7 2E8780617490428562FA17F3CE05FA79
Breaking them down.

00A3: 00 00 00 83 5F 01 42 05
00AB: CE D7 2E 87 80 61 74 90
00B3: 42 85 62 FA 17 F3 CE 05
00BB: FA 79
In the above example byte 3 = 0xFA, but on my lines it can be F7, FA or FB, so should mine look like this?

.DB 0x3F,0x00,0x01,0xFA,0x3F,0x41,0xA6,0x02
.DB 0xCD,0x90,0xE3,0x3F,0x4D,0xA6,0x00,0xB7
.DB 0x4E,0xA6,0x0E,0xCD,0x90,0xE3,0xA6,0x00
.DB 0xB7,0x4E,0xA6,0x0E,0xCD,0x90,0xE3,0xA6
.DB 0x21,0xCC,0x6B,0x01,0x83,0x00,0x01,0x00
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
In the above I also changed a few more to match my lines, does this look right?

.DB 0x3F,0x5E,0x01,0x00,0x5F,0x41,0xA6,0x00
.DB 0xB7,0x00,0xA6,0x02,0x2D,0x07,0x9B,0xCD
.DB 0x20,0x00,0x00,0xA2,0x00,0x3C,0xCD,0x20
.DB 0x00,0x9F,0xFB,0x8A,0x00,0x7A,0x00,0xFB
.DB 0x8B,0x00,0x7B,0x00,0xA6,0x26,0xCC,0x00
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
Bytes in the dump, breaking them down:

00A3: 00 00 00 = don't know?? / 5F 01 = service provider / 42 05 = key 00
00AB: CE D7 2E 87 80 62 74 90 = keys.
00B3: 42 85 = key 01 / 62 FA 17 F3 CE 05 = keys.
00BB: FA 79 = keys.
Spotted that only because I know what they should be.

Is there something that explains what is going on in the "Disassembly Of Code" or do I not really need to know?

Note, in this explanation I have NOT taken into account the manipulations done by the initial code so the keys will NOT be correct.

Just looking back I think my DBs are wrong.

Because I have edited it for both types of ROM, methinks I would have to write an RCALL CHKKEYMASK for each type of ROM. Please correct me if I'm wrong.
Don't have that but found one by stuntguy, is that it?

The NagraFaq document explains about most of the EMM nanos.

Well that's all I needed to hear :arrrr:

but when it comes to pure code then it's basically down to a copy of the Rom10/11 disassembly and sheer hard slog!
OK found this, hope it's the right one: 68HC05 Memory Organization

First place to start is with the assembler mnemonics for the processor on the Rom10/11 card. It's very similar to a device from Motorola called the 68HC05.
Anybody got a copy of this please?

Take a look at the Rom10 disassembly by Gesinas to see how the card actually does things. The listing is also an essential part of understanding what the keyroll code is doing, as it may often call subroutines within the Rom code itself.
Is anybody else doing this or am I on my own?
Never mind found it.
Another bit of light reading JESUS
Yes, was starting to get a nose bleed.

You probably shouldn't try and get it all at once. You'll end up being very confused and not knowing which instruction is for which processor.

Like this one? AVR JTAG ICE AVRISP ISP Programmer Emulator for ATMEL V2 (eBay listing)

If you feel like really having a play then get yourself an ATMega test board. A slightly more complex board might also link into AVRStudio in a fairly seamless way, so you can program the chip from within the environment and possibly even single-step your code etc. via the JTAG port.