Atmega Challenge 11/04/08

the_blackadder1980

Right guys, we will work on sorting out this keyroll together.

Only relevant info posted here please, I will just upload all files that will be needed.

And if there is a spare tutor hanging around feel free to help us a little.
 
EMMs courtesy of coolguy

SIGNATURE: OK!


3F -> Filter: ANY CARD
5C01 PROVIDER ID (NTL-Cable (England))

FA -> RUN CODE FOR ROM10:
B6024EA410B8ABB7 AB9B11021E02B602 4EA418B8B1B7B11F 029AA626CC6B0100
0000000000835D01 4205DB8BD0FC2AB2 F4634285710DACF3 28A4FF40

DISASSEMBLY OF CODE:
------------------------------

0081: B6 02 lda $02 ; Load in A
Loads #$01 or 0000 0001 into A from register $02

0083: 4E swapa ; Nibble exchange of A
Switch hi/low bits = 0001 0000 or #$10

0084: A4 10 and #$10 ; A= A and ...
Mask or zero unwanted bits using AND with #$10
0001 0000
0001 0000
----------
0001 0000

0086: B8 AB eor $AB ; A= A xor ...
EOR A with data at $AB [#$DB]
0001 0000
1101 1011
----------
1100 1011 = #$CB

0088: B7 AB sta $AB ; Store A in...
Store A #$CB into $AB

008A: 9B sei ; I <-- 1
Set Global Interrupt (status)

008B: 11 02 bclr0 $02 ; Bit 0 <-- 0
Clear bit 0 in register $02 (or does it....)
0000 0001 would appear to become 0000 0000 (but it doesn't)

008D: 1E 02 bset7 $02 ; Bit 7 <-- 1
Sets bit 7 to 1
So, 0000 0001 now = 1000 0001 or #$81

008F: B6 02 lda $02 ; Load in A
Loads #$81 or 1000 0001 into A from register $02

0091: 4E swapa ; Nibble exchange of A
Switch hi/low bits = 0001 1000 or #$18

0092: A4 18 and #$18 ; A= A and ...
Mask or zero unwanted bits using AND with #$18
0001 1000
0001 1000
----------
0001 1000

0094: B8 B1 eor $B1 ; A= A xor ...
EOR A with data at $B1 [#$F4]
0001 1000
1111 0100
----------
1110 1100 = #$EC

0096: B7 B1 sta $B1 ; Store A in...
Store A #$EC into $B1

0098: 1F 02 bclr7 $02 ; Bit 7 <-- 0
Clear bit 7 in register $02 - result 00000001 or #$01

009A: 9A cli ; I <-- 0
Clear Global Interrupt (status)

009B: A6 26 lda #$26 ; Load in A
Loads #$26 into A. As the key update starts at $A6 ($80 + #$26)

009D: CC 6B 01 jmp $6B01 ; Jump
Starts the Key update

BYTES DUMP:
---------------------
00A0: 00 00 00 00 00 00 83 5D
00A8: 01 42 05 DB 8B D0 FC 2A
00B0: B2 F4 63 42 85 71 0D AC
00B8: F3 28 A4 FF 40


SIGNATURE: OK!
3F -> Filter: ANY CARD
5C01 PROVIDER ID (NTL-Cable (England))

FA -> RUN CODE FOR ROM10:
B6024EA410B8ACB7 AC9B11021E02B602 4EA418B8B2B7B21F 029AA626CC6B0100
0000000000835D01 4205CB9BD0FC2AB2 EC7B4285710DACF3 28A4FF40

DISASSEMBLY OF CODE:
------------------------------

0081: B6 02 lda $02 ; Load in A
Loads #$01 or 0000 0001 into A from register $02

0083: 4E swapa ; Nibble exchange of A
Switch hi/low bits = 0001 0000 or #$10

0084: A4 10 and #$10 ; A= A and ...
Mask or zero unwanted bits using AND with #$10
0001 0000
0001 0000
----------
0001 0000

0086: B8 AC eor $AC ; A= A xor ...
EOR A with data at $AC [#$9B]
0001 0000
1001 1011
----------
1000 1011 = #$8B

0088: B7 AC sta $AC ; Store A in...
Store A #$8B into $AC

008A: 9B sei ; I <-- 1
Set Global Interrupt (status)

008B: 11 02 bclr0 $02 ; Bit 0 <-- 0
Clear bit 0 in register $02 (or does it....)
0000 0001 would appear to become 0000 0000 (but it doesn't)

008D: 1E 02 bset7 $02 ; Bit 7 <-- 1
Sets bit 7 to 1
So, 0000 0001 now = 1000 0001 or #$81

008F: B6 02 lda $02 ; Load in A
Loads #$81 or 1000 0001 into A from register $02

0091: 4E swapa ; Nibble exchange of A
Switch hi/low bits = 0001 1000 or #$18

0092: A4 18 and #$18 ; A= A and ...
Mask or zero unwanted bits using AND with #$18
0001 1000
0001 1000
----------
0001 1000

0094: B8 B2 eor $B2 ; A= A xor ...
EOR A with data at $B2 [#$7B]
0001 1000
0111 1011
----------
0110 0011 = #$63

0096: B7 B2 sta $B2 ; Store A in...
Store A #$63 into $B2

0098: 1F 02 bclr7 $02 ; Bit 7 <-- 0
Clear bit 7 in register $02 - result 00000001 or #$01

009A: 9A cli ; I <-- 0
Clear Global Interrupt (status)

009B: A6 26 lda #$26 ; Load in A
Loads #$26 into A. As the key update starts at $A6 ($80 + #$26)

009D: CC 6B 01 jmp $6B01 ; Jump
Starts the Key update

BYTES DUMP:
---------------------
00A0: 00 00 00 00 00 00 83 5D
00A8: 01 42 05 CB 9B D0 FC 2A
00B0: B2 EC 7B 42 85 71 0D AC
00B8: F3 28 A4 FF 40
 
Next info taken from previous thread, thanks to nozzer.

Right, an easy start !

Download the attachment from the above post and decompress it to a folder. This will be your working directory.

You should now have the following files in your directory:

Assembler/tools
==============
avrasm32.exe
MAKE32.BAT

RedNeck source files
====================
RedNeck4.asm
m163def.inc
m16def.inc
i2c.inc
autoroll.asm
Decrypt1.asm
DIV_MODU.ASM
ExpMod.asm
MUL8x8.asm
MUL8x8_m.asm
MUL32x32.ASM
MulMonty.asm
SQU32x32.ASM

RedNeck Provider key files
==========================
Choruskeys.ASM
Omnekeys.ASM
Cwkeys.ASM
Twkeys.ASM
Ntlkeys.ASM


Now, as a check let's create a hex. Simply run the file "Make32.bat" and, with a bit of luck, you should see another 3 files appear!

status.txt
redneck4.lst
Redneck.hex
redneck.map

The status file tells you if everything went OK.
The lst file is a listing of the whole assembled project.
The hex file, that's what you stick in your card (not so hasty - it's not fixed yet).
The map file is information about where everything is in the card's memory - you can ignore this file!

So, if everything went OK then congratulations - you just created your first hex!

OK, next bit!

The hex you created above was for TW but you may not want a TW hex.

So how do you make a card for your provider?

Well, I've made it pretty easy for you!

You just need to set a few options in the main program - RedNeck.asm.

So open up "Redneck.asm" in your favourite text editor.

Find the following:

Code:

; --------------------------------------------------------------------
; Custom build definitions for providers - select ONE only !
; --------------------------------------------------------------------

; .set BUILD_CW = 1 ; Only ONE of these can be enabled.
; .set BUILD_NTL = 1 ; To disable them DO NOT change the value to 0, you
.set BUILD_TW = 1 ; *MUST* comment the line out.
; .set BUILD_CHORUS = 1
; .set BUILD_OMNE = 1

I'm sure you can suss it.

Just take the semicolon out from the start of the provider you want. Make sure that only one is selected though or bad things will happen!

Save it away and you are ready to assemble the program again as above. You should now have a hex for your provider.
 
Let me know when you have done this and we can make a start.

Have a look at previous keyroll methods in the autoroll.asm to get a gist of the setup.

So any idea what needs to be put into the autoroll file for keyroll 7 (look at previous keyroll methods, titles etc)?
 
@ blackadder...........with u so far m8
So wot next...?
 
OK, at the end of the file you should see "ret".

We need to add our title now for our new keyroll section:

;------------------------------------------------------------------------------------------------
; Keychange Method 7
;------------------------------------------------------------------------------------------------

Then, looking at previous methods, you can either include the disassembled EMM or not (this is not needed so we will skip this as it's in this thread).

Now, looking at previous methods, we need to add

KEYMASK5_data:

Then we need the data below it. This is made up of our recent EMM and I will show you how to get this next.
 
OK... done so far... although on the files I downloaded from the above post the provider seems to be set at NTL not TW... which is OK cause that's my area lol
 
@blackadder...........Should that be 'KEYMASK6_data;'.......?
 
Now, to get this data we need to have a look at our EMMs which are posted above.

Here they are:

B6024EA410B8ADB7AD9B11021E02B602 4EA418B8B2B7B21F029AA626CC6B0100 0000000000835D014205ED740E7A5F6B 60584285FF6CC6A0EB8002EA

B6024EA410B8B5B7B59B11021E02B602 4EA418B8B9B7B91F029AA626CC6B0100 0000000000835D014205ED741E7A5F6B 60404285610DACF330A4FF40

What we need to do now is work out the variables in the above, i.e. compare both of the above and find out where they differ.

I find it easier if done how nozzer has posted.

Can someone please post them in straight hex format to make it easier please?

Right, each 2 digits is called a byte and they are grouped together, and each of these bytes has an address.

For example:

b6 = 0
02 = 1
4e = 2
and so on

These are posted in the txt file attached.

Can you please show me the addresses that vary?

If you don't understand please ask and I will try in English not Engrish lol
 
Sorry guys, calling it a night now, work tomorrow.
 
Is this what tells us it's a key roll?
 
Differences in addresses: 6,8,14,16,B2,31 ... and then last 8 Bytes 34 to 3B (which I assume are the keys ;)
 
Is this what tells us it's a key roll?

From the last code, those are the only things that need changing, or have changed, that we need to accommodate in our code.

Starting to see the light. LOL
 
Nearly, but my fault lol, stick with me though as I should be on the pupil side.

What I should have mentioned is that within these EMMs there are 2 sets of four bytes which mean a key change. These are

42 05

and

4285

So the numbers following these will always be variable, so you just need to highlight the 8 bytes following 4205.

Now you need to turn what you have into the following format:

KEYMASK6_data:
.DB 0x3F,0x00,0x01,0xFA,0xCD,0x82,0x3D,0x15,0x07,0x10,0x07,0x12,0x07,0x14,0x07,0x11
.DB 0x07,0xB6,0x07,0xA4,0x07,0x48,0x88,0xB8,0xAA,0xB7,0xAA,0x84,0xB8,0xB4,0xB7,0xB4
.DB 0xCD,0x82,0x23,0xA6,0x25,0xCC,0x6B,0x01,0x83,0x00,0x01,0x00,0x00,0x11,0x11,0x11
.DB 0x11,0x11,0x11,0x11,0x11,0x00,0x00,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x00

This is an example of a previous keyroll.

The first bit should start:

keymask7_data:
.DB 0x3F,0x00,0x01,0xFA,0xB6,0x02,0x4E,0xA4

Then onto the next line, so carry on from A4 or byte 08.

Once you have this done I want you to change all variable bytes to 0x00.
 
Off to bed, really sorry guys, feel as though I'm letting you guys down.
 
You should now have something that looks similar to this:

; Following Mask data is what a typical decrypted Method7 EMM looks like
;
keymask7_data:
.DB 0x3F,0x00,0x01,0xFA,0xB6,0x02,0x4E,0xA4
.DB 0x10,0xB8,0x00,0xB7,0x00,0x9B,0x11,0x02
.DB 0x1E,0x02,0xB6,0x02,0x4E,0xA4,0x18,0xB8
.DB 0x00,0xB7,0x00,0x1F,0x02,0x9A,0xA6,0x26
.DB 0xCC,0x6B,0x01,0x00,0x00,0x00,0x00,0x00
.DB 0x00,0x83,0x00,0x01,0x42,0x05,0x00,0x00
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x42,0x85
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

Remember to keep checking back to nozzer's thread as it's in far more detail and has better instructions. I'm off to bed soon guys but will continue tomorrow, but bear in mind I will make mistakes and I was kind of hoping someone else would be teaching us.
 