Atmega Challenge 11/04/08

Thanks to you guys for the help so far in this thread. I'm sure it's very much appreciated by everyone.

Unfortunately I only started looking into this yesterday and by the time I got to the DOKEYROLL bit the fix had already been released. But as some others have also said I'd really like to know the logic behind the DOKEYROLL bit.

Thanks to Windy1603 for explaining some of it already, but I'd appreciate the same description in layman's terms as well, so it's nice of blackadder1980 to put the effort in to do this.

I'll read the previous Atmega challenge thread in the meantime.
 
Full Keyroll 7 ASM as requested

;------------------------------------------------------------------------------------------------
; Keychange Method 7
;------------------------------------------------------------------------------------------------
;
; This is to handle the new keyroll method as implemented on 08/04/08 by NTL/TW
;
KEYMASK7_data:
.DB 0x3F,0x00,0x01,0xFA,0xB6,0x02,0x4E,0xA4
.DB 0x00,0xB8,0x00,0xB7,0x00,0x9B,0x11,0x02
.DB 0x1E,0x02,0xB6,0x02,0x4E,0xA4,0x00,0xB8
.DB 0x00,0xB7,0x00,0x1F,0x02,0x9A,0xA6,0x26
.DB 0xCC,0x6B,0x01,0x00,0x00,0x00,0x00,0x00
.DB 0x00,0x83,0x00,0x01,0x42,0x05,0x11,0x11
.DB 0x11,0x11,0x11,0x11,0x11,0x11,0x42,0x85
.DB 0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22

;0x11 and 0x22 are only used to mark the key locations (key 0 at 0x2E, key 1 at 0x38); they are never compared

CHKKEYMASK7:
LDI YH, high(M) ;Set Y pointer to start of decrypted EMM in RAM (0x019B)
LDI YL, low(M)
LDI ZH, high(KEYMASK7_data * 2) ;Set Z pointer to start of KEYMASK7 * 2 in Flash
LDI ZL, low(KEYMASK7_data * 2)
CLR R18

KEYMASK7TOP:
CPI R18,0x01
BREQ KEYMASK7CHKLOOP
CPI R18,0x08
BREQ KEYMASK7CHKLOOP
CPI R18,0x0A
BREQ KEYMASK7CHKLOOP
CPI R18,0x0C
BREQ KEYMASK7CHKLOOP
CPI R18,0x16
BREQ KEYMASK7CHKLOOP
CPI R18,0x18
BREQ KEYMASK7CHKLOOP
CPI R18,0x1A
BREQ KEYMASK7CHKLOOP
CPI R18,0x2A ;Never true here: the loop below exits before R18 reaches 0x2A
BREQ KEYMASK7CHKLOOP

; Byte is a mask byte so check that its what we expect
LPM
LDD R17,Y+0
CP R0,R17
BRNE KEYMASK7CHKLOOPEND ; No, not an EMM we can use so exit

KEYMASK7CHKLOOP:
ADIW R30,0x01 ;Increase the ZL Flash pointer
INC R28 ;Increase the YL EMM Buffer pointer
INC R18
CPI R18,0x2A ;Have we checked all 0x2A bytes of the EMM ?
BRNE KEYMASK7TOP ;Nope .. carry on checking the mask
RCALL DOKEYROLL7 ;Yes, This is a keychange EMM so handle keyroll

KEYMASK7CHKLOOPEND:
RET

;If the mask check above passed then we are going to do the following block of code to process
;a Type 7 Keyroll (Map call).
;
DOKEYROLL7:
; Key0 start address = 0x2E (8 bytes)
; Key1 start address = 0x38 (8 bytes)
; Offset bytes = 0x0A, 0x0C, 0x18, 0x1A: subtract 0x7D to get the EMM buffer byte location
; (the code below only uses the offsets at 0x0A and 0x18, with the XOR values at 0x08 and 0x16)
; Key roll address byte = EMM buffer offset + 0x7D

; Do first Byte of key
LDI YH, high(MP) ;load Y with memory pointer
LDI YL, low( MP)
CLR R18 ;Clear R18
LDS R18,(MP + 0x0A) ;Load R18 with Key Byte Offset from emm
SUBI R18,0x7d ;Subtract difference in memory position from offset to emm buffer byte
ADD R28,R18 ;Set Y to point to byte (R28=YL); no carry into YH, so the target must lie in the same 256-byte page as MP
LD R16,Y ;load keyByte from emm position
LDS R17,(MP + 0x08) ;load xor value
EOR R16,R17 ;XOR byte
ST Y, R16 ;Write keyByte back to emm position

; Do second Byte of key
LDI YH, high(MP) ;load Y with memory pointer
LDI YL, low( MP)
CLR R18 ;Clear R18
LDS R18,(MP + 0x18) ;Load R18 with Key Byte Offset from emm
SUBI R18,0x7d ;Subtract difference in memory position from offset to emm buffer byte
ADD R28,R18 ;Set Y to point to calculated byte (R28=YL); again no carry into YH
LD R16,Y ;load keyByte from emm position
LDS R17,(MP + 0x16) ;load xor value
EOR R16,R17 ;XOR byte
ST Y, R16 ;Write keyByte back to emm position

; Copy new Key 0 to buffer
LDI XH, high( MP + 0x2E)
LDI XL, low( MP + 0x2E )
LDI R29,0x02
LDI R28,0x63
LDI R18,0x08
KR7_1: LD R16,X+
ST Y+,R16
DEC R18
BRNE KR7_1

; Copy new Key 1 to buffer
LDI XH, high( MP + 0x38 )
LDI XL, low( MP + 0x38 )
LDI R29,0x02
LDI R28,0x6B
LDI R18,0x08
KR7_2: LD R16,X+
ST Y+,R16
DEC R18
BRNE KR7_2

; Write new keys to ext EEprom
RCALL Update_Keys
RET
 
Hi all
I'm determined not to let this beat me.
Right, I'm having real problems and need a few answers.
1st, this is a guess, but is each provider's EMM different?
Cos I'm Pure and the EMM in this thread is C/W.
So do I need the Pure EMM to do it right and test it?
All seems right till I get to byte 9, not far at all lol.
If I'm correct, can anyone let me have the Pure EMM
so I can get it right like bigmac?
Next problem I have is:
what do you use to disassemble the hex that you wish to edit?
This will be for the future.
 
All of the different keyroll EMMs are different, as they tell the card how to do the specific keyroll. We use the mask to identify which keyroll it is.


The EMMs are different with respect to the provider ID (e.g. 54 or 5C etc.) and the key data is different, so we ignore these in the keymask checks because we don't need to know the keys or provider, as the keyroll method is the same, i.e. we take a byte from the key and XOR it with a value, which is what keyroll 7 does.

It leaves all of the provider data in the EMM unchanged; it just modifies the keys as required by the EMM.
 
Here's my code. DOKEYROLL7 is the same as Windy's, but you will see some differences in the first part of the code ;)


Cheers for that.
It appears I wasn't wrong lol.
Yours at 1st glance looks like mine, but cos byte 9 was different
I presumed I was doing something wrong.
Right, time to start again; this time I won't delete it,
just assemble and check log/test.
Wish me luck.
Now, can anyone tell me how to disassemble the FUN hex?
I'm determined to learn what nozzer started to teach,
even if I throw the comp across the room.
 
Here's my code. DOKEYROLL7 is the same as Windy's, but you will see some differences in the first part of the code ;)


Would it not be a good idea to exclude more bytes from the EMM byte match routine, i.e. the bytes that are likely to change, such as the EOR value and the target byte to be EOR-ed?
 
See what you can all do when you put your minds to it :)

I guess I can forget about Fun/ATmega cards now and leave the support to you lot ;)
 
Bigmaq, I think your keyroll mask will work for the existing EMM, but if they change the XOR value or the first byte value then the mask would fail due to changes to 0x08, 0x0A and 0x0C, so you would need to add additional excludes to ensure it works for all changes.
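The check-and-roll logic from the Full Keyroll 7 ASM listing earlier in the thread, and the mask-exclusion point raised in the last two posts, modelled in Python as an added example (this is not code from the thread or from any poster). The mask table, the skipped positions, the key offsets and the 0x7D bias are copied from the listing; the sample EMM bytes, key values and XOR values are constructed for illustration and mean nothing real.

```python
# Added example: Python model of CHKKEYMASK7 / DOKEYROLL7 from the AVR listing.
# Constants come from the listing; the sample EMM below is constructed.

# KEYMASK7_data as posted; 0x11 / 0x22 are placeholders for key 0 / key 1.
KEYMASK7 = bytes([
    0x3F, 0x00, 0x01, 0xFA, 0xB6, 0x02, 0x4E, 0xA4,
    0x00, 0xB8, 0x00, 0xB7, 0x00, 0x9B, 0x11, 0x02,
    0x1E, 0x02, 0xB6, 0x02, 0x4E, 0xA4, 0x00, 0xB8,
    0x00, 0xB7, 0x00, 0x1F, 0x02, 0x9A, 0xA6, 0x26,
    0xCC, 0x6B, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x83, 0x00, 0x01, 0x42, 0x05, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x42, 0x85,
    0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
])

CHECK_LEN = 0x2A                                  # CHKKEYMASK7 compares bytes 0..0x29
SKIP = frozenset({0x01, 0x08, 0x0A, 0x0C, 0x16, 0x18, 0x1A})  # the CPI/BREQ chain
KEY0_OFF, KEY1_OFF, KEY_LEN = 0x2E, 0x38, 8
ADDR_BIAS = 0x7D                                  # SUBI R18,0x7D
ROLL_PAIRS = ((0x0A, 0x08), (0x18, 0x16))         # (offset byte, XOR value byte)


def matches_keymask7(emm, skip=SKIP):
    """Mirror CHKKEYMASK7: every non-skipped byte in 0..CHECK_LEN-1 must equal the mask."""
    if len(emm) < KEY1_OFF + KEY_LEN:
        return False
    return all(emm[i] == KEYMASK7[i] for i in range(CHECK_LEN) if i not in skip)


def dokeyroll7(emm):
    """Mirror DOKEYROLL7: XOR one byte per key in place, then copy both keys out."""
    buf = bytearray(emm)
    for off_idx, xor_idx in ROLL_PAIRS:
        # SUBI is 8-bit and ADD R28,R18 never carries into YH, so the listing
        # assumes the target stays inside the EMM buffer; we check that here.
        target = (buf[off_idx] - ADDR_BIAS) & 0xFF
        if target >= len(buf):
            raise ValueError(f"offset byte 0x{buf[off_idx]:02X} points outside the EMM")
        buf[target] ^= buf[xor_idx]
    key0 = bytes(buf[KEY0_OFF:KEY0_OFF + KEY_LEN])
    key1 = bytes(buf[KEY1_OFF:KEY1_OFF + KEY_LEN])
    return key0, key1


def process_emm(emm, skip=SKIP):
    """Return (key0, key1) when the EMM passes the mask check, else None."""
    if not matches_keymask7(emm, skip):
        return None
    return dokeyroll7(emm)


def build_sample_emm():
    """Constructed EMM: the mask with keys and roll parameters filled in (not real data)."""
    emm = bytearray(KEYMASK7)
    emm[KEY0_OFF:KEY0_OFF + KEY_LEN] = bytes(range(0x01, 0x09))
    emm[KEY1_OFF:KEY1_OFF + KEY_LEN] = bytes(range(0xA1, 0xA9))
    emm[0x01] = 0x54                       # skipped position, so its value is not checked
    emm[0x0A] = ADDR_BIAS + KEY0_OFF       # 0xAB -> key 0, byte 0
    emm[0x08] = 0x5A                       # XOR value for that byte
    emm[0x18] = ADDR_BIAS + KEY1_OFF + 3   # 0xB8 -> key 1, byte 3
    emm[0x16] = 0xC3                       # XOR value for that byte
    return bytes(emm)


if __name__ == "__main__":
    emm = build_sample_emm()
    print("mask match:", matches_keymask7(emm))
    print("rolled keys:", process_emm(emm))
    # A mask that does not skip the XOR/offset positions rejects the same EMM.
    print("strict mask:", process_emm(emm, skip={0x01}))
```

Run stand-alone it rolls the constructed keys to key 0 = 5B 02 03 04 05 06 07 08 and key 1 = A1 A2 A3 67 A5 A6 A7 A8. The third line shows the failure mode the posts above are worried about: with a skip set that does not cover 0x08, 0x0A and the other parameter bytes, a perfectly valid keyroll EMM whose XOR value or offset byte has changed no longer matches the mask and the keys are never rolled.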
 
See what you can all do when you put your minds to it :)

I guess I can forget about Fun/ATmega cards now and leave the support to you lot ;)

Hi
ATmega maybe, if nothing changes too much,
but FUN?
Or is it a case of using the same files?
If not, could you point us in the right direction?
Cos as far as I'm and many are concerned,
we would love to try to do it ourselves, not leech,
then if we get stuck ask for help.
 
Nosser, IAmATeaf, Blackadder1980 and all the others who helped on the original Challenge thread and the follow-up: thanks for your support and guidance; without you I know I would not have come up with a fix.
 
Hi
ATmega maybe, if nothing changes too much,
but FUN?

It's very, very similar!

The processor is basically the same. Just a couple of missing instructions (probably that you'll never use) and a much smaller code space.

The code's also not as tidied up as the ATMega but the two basically do the same thing as far as keyrolls are concerned.
 
It's a pity no one's posted up the source code of the FUN C/W fix that was released. It would be great to see what the differences were when the ASM files are compared.
 
It's a pity no one's posted up the source code of the FUN C/W fix that was released. It would be great to see what the differences were when the ASM files are compared.

Here is a link to the grape source nozzer posted a while back.

It shouldn't be that hard to implement the ATmega fix in it.

http://www.digitalworldz.co.uk/forums/showpost.php?p=650513&postcount=3

and the data sheets nozzer posted for FUN and ATmega:

https://www.digitalworldz.co.uk/showpost.php?p=899370&postcount=14
 
Have given up trying to do this for now; what I know about coding you could write on the back of a stamp with a paint brush, but I will keep watching and learning from the best on digitalworldz.
 