This may help some of you...

CG121

These are the latest C&W EMMs...

Let's take a peek at it.. My comments are below each command line


So basically, looking at the above, 4 bytes of key0 (after the 42 05 in the buffer) are altered BEFORE the key is written to the card using command $42.

Those are:
$AB = CB (which it already does in the second EMM)
$B1 = EC (which it already does in the second EMM)

$AC = 8B (which it already does in the first EMM)
$B2 = 63 (which it already does in the first EMM)

Obviously, each EMM can't overwrite the keys altered by its partner EMM...

So there you have it. I don't think anything is wrong above, but I welcome comments :)
 
WHAT......?????

Are you trying to communicate... are you from earth?

I thought this was the complete-newbie-to-cables section? What the hell are C&W EMMs, and what are those numbers, where do they go and what are they supposed to do?

:drunk: (that didn't help)
 
lol. Those are the EMMs sent to update your card (AU it) from the headend...

I can't post in the main section, so hopefully someone will link to it from the main section...

:cool:
 
It's ludicrous, Coolguy, someone of your knowledge confined to this section LOL... but I guess rules are rules... another 8 posts to go ;-)

Although no one is discussing much in the main cable section, just mass hysteria and a fair lot of useless posts.
 
It's ludicrous, Coolguy, someone of your knowledge confined to this section LOL... but I guess rules are rules... another 8 posts to go ;-)

Although no one is discussing much in the main cable section, just mass hysteria and a fair lot of useless posts.

I don't mind the rules so much, I post elsewhere to further spread the knowledge in the hope someone will learn and understand...

As you say, it would probably be lost among all the stupid posts in the main forum anyways ;)

7 more now me thinks lol :cool:
 
You're right about all the useless posts. Is there a way to get the good info? Even if I have the latest key and use Press yellow... Update the key list... it still does not work. Is there a way to make it work? Or do I have a problem with my dreambox c?
 
If CG121 is who I think it is, he more than likely has a very good idea of what needs changing to make the opos AU again... shame he's not got more than 20 posts. Also a shame I don't know where to start with the above to make a fix. I should really know more, I've been at this 4 years lmao....
 
Just to let you know, this can be patched very easily in the ROM code of the opos emu OR in the emu itself...

I'm more than happy to upload a ROM patch for this latest counter measure HOWEVER, I will refrain just for now in order that desperation might make some put a little effort in

I'm not about to expect people to disassemble the emu who've never done any coding before, so we'll stick to the ROM patch..

I'll start you off..

Take the previous flash file for the opos. Decrypt it with Titanium Hack.

Take the plaintext opos flash file and patch one of the jumps to some custom free space and add your fix...

Basically, test for a keyroll (42 at $A9 for example) and branch if equal around the original jump code. Test for this new roll method (4E is good for this at $83 and $91) each time returning to the original code if false and then write out the 2 load in A instructions (at $81 and $8F) with 01 and 81 respectively.

Don't forget to push onto the stack data you will need for the original code BEFORE your patch and always pop it back before returning back to the original code...

Watch your return statements also

Once you've updated your flash, run it through a checksum calc and re-encrypt it with TitaniumHack...

Now, all the info you need is on this (and many other) boards, so I expect to see it online by tomorrow....

I'll ask nicely about posting it Saturday if nobody has managed this simple of tasks lol
 
Any links to Titanium Hack mate?

So basically, our code should take in the EMMs sent by the headend, find specific codes/EMMs at specific locations, check to see whether or not they meet a certain criteria, jump to a new area of code which we implement, do some more checks and change something if those checks work out, and then go back to the original point of jumping once we are done?

Just a little confused there mate.

I think mods need to be PM'd about upgrading your account due to your input in the scene.
 
Any links to Titanium Hack mate?

So basically, our code should take in the EMMs sent by the headend, find specific codes/EMMs at specific locations, check to see whether or not they meet a certain criteria, jump to a new area of code which we implement, do some more checks and change something if those checks work out, and then go back to the original point of jumping once we are done?

Just a little confused there mate.

I think mods need to be PM'd about upgrading your account due to your input in the scene.

Nearly...

Jump out of the normal subroutine just before you process the instructions in the EMM buffer at $81.

Look for a keyroll. If yes, check it's the killer EMM oooooo lol and then doctor the EMM buffer with your own patch; if not, return to the original subroutine :)

Simple :cool:


EDIT:
BTW, I still can't post in the main section lol
 
Linked to the main cable section :Cheers:
 
I'm more than happy to upload a ROM patch for this latest counter measure HOWEVER, I will refrain just for now in order that desperation might make some put a little effort in

Good idea. There's a few people, that with a little hint and a push, could sort the problem for themselves. Giving them the solution now wouldn't teach them anything.

Also, hopefully your access is sorted now
 
You're right about all the useless posts. Is there a way to get the good info? Even if I have the latest key and use Press yellow... Update the key list... it still does not work. Is there a way to make it work? Or do I have a problem with my dreambox c?

Instead of pressing the YELLOW button press the BLUE button
 
Nearly...

Jump out of the normal subroutine just before you process the instructions in the EMM buffer at $81.

Look for a keyroll. If yes, check it's the killer EMM oooooo lol and then doctor the EMM buffer with your own patch; if not, return to the original subroutine :)

Simple :cool:


EDIT:
BTW, I still can't post in the main section lol
Ahh, I get that. EMM buffer kinda lost me; I take it that the card has to store a fixed amount of EMM data in a temporary storage inside the card so that it can process that lot of EMMs before moving on to the next lot?

And yes, we can't let our cards get fried, so we check for the killer. So why do we have to doctor the EMM? If it's a killer, it's of no use to us, right?
 
Coolguy - good to see you on here ( think I remember you from the shack).

As a programmer I am very interested in this - I have grabbed the EMMs coming out of evocamd by telling it to write to the console when it gets them - I was following what you were saying at the start of this thread, but then my hex code started to differ from yours.

After the 'B7 AE - Store A in AE', I hit a 9B 11 ...

By any chance do you have any docs that list the assembler code meanings? Actually come to think of it, are they Power PC instructions?
 
I think I follow this mostly - now. Was misreading before!

However a couple of questions.

The very first instruction, you say:

0081: B6 02 lda $02 ; Load in A
Loads #$01 or 0000 0001 into A from register $02

Where does the $01 come from - how do you know what is in register $02?

Why does the clear bit 1 instruction not actually clear it?

So, if I understand correctly - the code in the dbox CAM thinks the keys are the ones in the data part of this EMM, so it just gets them out and attempts to use them, however, these two byte swaps put in the actual keys - correct?

So if I take an EMM that I have captured, I should be able to use the steps above to work out the real key1?

I am capturing the EMM by just grabbing the console output from evocamd - is that the best way to get them?
 