Atmega Challenge 11/04/08

Cheers m8, I think I finally see it now it's been pointed out. The initial part was mentioned in nozzer's thread but in my haste I forgot, and I think that was throwing me off as to where this came from, as it wasn't in the EMM. Thanks again, time for round 2!!

It's the bit after this I got stuck on, so if you've got any pointers...
 
KEYMASK7CHKLOOP:
    ADIW R30,0x01        ;Increase the ZL Flash pointer
    INC R28              ;Increase the YL EMM Buffer pointer
    INC R18
    CPI R18,0x2A         ;Have we done all 2A bytes of the EMM ?
    BRNE KEYMASK7TOP     ;Nope .. carry on checking the mask
    RCALL DOKEYROLL7     ;Yes, This is a keychange EMM so handle keyroll

KEYMASK7CHKLOOPEND:
    RET


All this does is compare each byte of the EMM against the mask (for as many bytes as you put in the CPI R18 line). If all bytes match it carries on to the next bit of code; if it fails then it thinks this is not the correct EMM and exits with no changes to the keys etc.
 
I recalled some classes from back at uni, and I really couldn't debug..

So does anyone know how to debug the coding?
 
This is as far as I have got:

Code:

Obviously need help now in working out the dokeyroll .... which lol is the actual 'fix' ........... what's happened to blackadder?

What might be a good idea before writing the dokeyroll fix is to do a basic dokeyroll which writes the keys as is. It won't work obviously, but will at least let you know the work you have done so far is correct. I didn't, and went ahead and wrote the dokeyroll code, but now I'm finding it won't write any keys, so I must have an error early on but still can't find it after 4 attempts at comparing and rewriting.
 
That's what I did with my post earlier. I did the mask check and then updated the keys as is. My code posted earlier seems to do the mask OK, as when written to a card with blank keys the update works with 2 corrupt bytes which, when XORed, give the correct result. Keyroll is what I'm stuck on: I can get one byte to update but not the second.

I'm sure we will get it in the end :proud:
 
Anyone available to help out some pointers for the last bit of the puzzle??

Might not work for everyone, but I like to take notes in English of the steps that do what I think is needed to the data before writing any code.
 
:Cheers:

OK, had a lot of failed attempts today but this keyroll worked today on pure. (Have left a couple of ?? for you to put in your own values.)

May not be the best way, but does work, if a bit slow: took 9 mins to update on pure tonight :banana:

Code below:

;If the mask check above passed then we are going to do the following block of code to process
;a Type 7 Keyroll (Map call).
;
DOKEYROLL7:
; Key0 start address =0x2E
; Key1 start address=0x38
; bytes to xor =0x0A, 0X0C, 0x18, 0x1A (-0x79 offset) to give buffer byte location
; key roll address byte offset= +0x7d

; Do first Byte of key
    LDI YH, high(MP)     ;load Y with memory pointer
    LDI YL, low(MP)
    CLR R18              ;Clear R18
    LDS R18,(MP + 0x??)  ;Load R18 with Key Byte Offset from emm
    SUBI R18,0x7d        ;Subtract difference in memory position from offset to emm buffer byte
    ADD R28,R18          ;Set Y to point to byte (r28=YL)
    LD R16,Y             ;load keyByte from emm position
    LDS R17,(MP + 0x??)  ;load xor value
    EOR R16,R17          ;XOR byte
    ST Y, R16            ;Write keyByte back to emm position

; Do second Byte of key
    LDI YH, high(MP)     ;load Y with memory pointer
    LDI YL, low(MP)
    CLR R18              ;Clear R18
    LDS R18,(MP + 0x??)  ;Load R18 with Key Byte Offset from emm
    SUBI R18,0x7d        ;Subtract difference in memory position from offset to emm buffer byte
    ADD R28,R18          ;Set Y to point to calculated byte (r28=YL)
    LD R16,Y             ;load keyByte from emm position
    LDS R17,(MP + 0x??)  ;load xor value
    EOR R16,R17          ;XOR byte
    ST Y, R16            ;Write keyByte back to emm position
 
That looks like a very big step from where the majority of the people on the thread were. If it works for you that's great, but I expect most people following the thread won't be that far on.
 
DOKEYROLL7:
; Key0 start address =0x2E
; Key1 start address=0x38
; bytes to xor =0x0A, 0X0C, 0x18, 0x1A (-0x79 offset) to give buffer byte location
; key roll address byte offset= +0x7d


I see that this first part deals with the position of the keys. How did you get the Key 0 start address to be 0x2E, as opposed to being byte 2A, which is after the 42 05 telling us that the EMM is a keyroll?
 
Don't forget to add the 3F XX 01 bytes from the header to your mask, which will make 2A become 2E in the mask.
 
@windy1603

So what you are saying is the code you have posted above AU's ......... you have ??-marked areas that need to be filled .... now can you explain what we should be looking to put in there ... (I'm not asking for the actual details) just an idea of what we should be looking for ... in English ..lol
 
If you look at it on a byte-by-byte basis as detailed in the notes before the keyroll, we identify the bytes which hold the bytes to be modified (0x0A, 0x0C for the first byte) and (0x18, 0x1A) for the second byte, which should give a good clue to the memory position; and for the XOR byte just look at the EMM (address of what follows the A4?).

Hope this helps. If you want to PM me I will send you the keyroll asm to look at.
 
@ bigmaq


Just done a check and your code has errors

Code:

What it looks like is you're using a variable you're not supposed to, or an incorrect operation.
You must have a corrupt file, as the fix works as posted on the bigMAQ tool bar.

Yep, I'm told it works. I posted it in the cable TV forum thinking it was a funcard file lol .. :S I don't know what redneck is lol... I use tit2/funcard.. hope ya don't mind mate, credited to ya as well :)