Atmega Challenge 11/04/08
- Thread starter the_blackadder1980
- Start date
please share, i didn't understand much, to be honest
Lance
Inactive User
congrats and have to say well done:Clap::Clap::Clap:
BigMAQ
Inactive User
I've just checked it and get:
Code:
You don't have permission to view the code content. Log in or register now.I've added windy1603's dokeyroll7 code at the end and have created the following hex .... can't test it myself as don't have an atmega ...lol
Can someone just check if it does work please and let me know ... slight differences from windy1603's ........ it will be interesting to see which one AU's quickest (that's assuming that mine does Au at all..lol)
nope it does au coz i zeroed all the keys and it was back up in 15 mins
I'll have a go at putting this on my Atmega but I'm having trouble extracting the zip file. I've downloaded it fine but it won't extract. I think the file is corrupt. Anyone else managed to download this?
By the way have you got any tips about what needs to be done in the DOKEYROLL7 method? I've just started reading through this thread tonight and I understand the stuff about masking the bits to recognise the type of EMM and I think I get what the actual EMM's are doing by changing the keys so they are incorrect, but I'm a little lost as to what needs to be done in the DOKEYROLL7 method to actually extract the correct keys so they can be used. I guess I'll need to do a bit more reading?
BigMAQ
Inactive User
BigMAQ
Inactive User
Sorry m8, that new one still won't extract. Getting an error message that says "Compressed folder is invalid or corrupted" when trying to extract the archive.
I've tried using WinZip. Does it extract ok on your machine? What are you using to create the zip file?
@faiz - When you said it took 15 minutes did you use BigMaq's fix or was that Windy1603's fix you used?
Last edited:
Same here mate. I was following the thread until that point and then it suddenly jumped forward to the almost finished code.
I'd also appreciate any help on writing the DOKEYROLL7 method.
@discodv sorry m78 I had to leave yesterday 4 work just seen your post there. I am at the same stage as you I think I stopped once I had to start coding the dokeyroll section.
If you jump accross to the original atmega thread and look for that part it is quite detailed. Like I say i'm at the same stage but I need to put my head down for a few hours before I try to tackle it again. Will catch up with you all in a few hours... good luck
If you jump accross to the original atmega thread and look for that part it is quite detailed. Like I say i'm at the same stage but I need to put my head down for a few hours before I try to tackle it again. Will catch up with you all in a few hours... good luck
Have a look at this thread https://www.digitalworldz.co.uk/sh...d.php?t=169942 any more questions you know where I am
Last edited by a moderator:
windy1603
Inactive User
- Joined
- May 1, 2007
- Messages
- 68
- Reaction score
- 6
Sorry if i jumped to far ahead for you guys yesterday i was on a roll and wanted to see if it worked here is detailed breakdown of the steps
First some basic info the address of the start of decrypted emm is stored in MP
Key0 start address in the emm is therefore MP+0x2E (or MP+ 46 bytes in decimal) follows the 42 05 in keyroll
Key1 start address in the emm is MP+0x38 (or MP + 46 bytes) follows 42 85 in keyroll
If the keyroll was always to stay the same we could just xor the byte in the key with a fixed value but as the keyroll changes and the bytes to xor and the xor values change we have to get data from the emm to ensure we cover all possible combinations.
Within the emm (if you look at decoded emm)
The XOR value for first changed byte is stored in the 10th byte (or 0x08 in hex)
The XOR value for second changed byte is stored in the 22 byte (or 0x16in hex)
The memory location to be xored for the first byte is stored in byte 10 (0x0a) or 12 (0x0c) they are both the same as they are the read and write instructions from the emm.
However the addresses are where the ROM10 card stores the keys NOT where they are stored in the ATmega card so we have to subtract the difference (0x79) so that we load the correct bytes
DOKEYROLL7:
; Key0 start address =0x2E
; Key1 start address=0x38
; bytes to xor =0x0A, 0X0C, 0x18, 0x1A (-0x79 offset) to give buffer byte location
; key roll address byte offset= +0x7d
; Do first Byte of key
LDI YH, high(MP) ;load Y with memory pointer (MP) start of EMM
LDI YL, low( MP)
CLR R18 ;set R18 to zero so we can use it to calculate byte address
LDS R18,(MP + 0x0A) ;Load R18 with Key Byte memory position from emm
SUBI R18,0x7d ;Subtract difference in memory position from ROM 10 to ATmega
ADD R28,R18 ;Add the position of the key byte to Y. As Y was set to MP Y now has the memory location of the byte to be changed (R28 is the same YL you just cant use YL with an add command)
LD R16,Y ;load keyByte from memmory position Y into Register 16
LDS R17,(MP + 0x08) ;load xor value from the emm into register 17
EOR R16,R17 ;XOR Register16 (Keybyte) with Register17 (xor value)
ST Y, R16 ;Write corrected key Byte back to memory position Y
;repeat for second byte using 0x18 or 0x1A for the memory position and 0x1E for the xor value.
we then have the corrected keys in memory so then load and write keys (same as all other keyrolls)
First some basic info the address of the start of decrypted emm is stored in MP
Key0 start address in the emm is therefore MP+0x2E (or MP+ 46 bytes in decimal) follows the 42 05 in keyroll
Key1 start address in the emm is MP+0x38 (or MP + 46 bytes) follows 42 85 in keyroll
If the keyroll was always to stay the same we could just xor the byte in the key with a fixed value but as the keyroll changes and the bytes to xor and the xor values change we have to get data from the emm to ensure we cover all possible combinations.
Within the emm (if you look at decoded emm)
The XOR value for first changed byte is stored in the 10th byte (or 0x08 in hex)
The XOR value for second changed byte is stored in the 22 byte (or 0x16in hex)
The memory location to be xored for the first byte is stored in byte 10 (0x0a) or 12 (0x0c) they are both the same as they are the read and write instructions from the emm.
However the addresses are where the ROM10 card stores the keys NOT where they are stored in the ATmega card so we have to subtract the difference (0x79) so that we load the correct bytes
DOKEYROLL7:
; Key0 start address =0x2E
; Key1 start address=0x38
; bytes to xor =0x0A, 0X0C, 0x18, 0x1A (-0x79 offset) to give buffer byte location
; key roll address byte offset= +0x7d
; Do first Byte of key
LDI YH, high(MP) ;load Y with memory pointer (MP) start of EMM
LDI YL, low( MP)
CLR R18 ;set R18 to zero so we can use it to calculate byte address
LDS R18,(MP + 0x0A) ;Load R18 with Key Byte memory position from emm
SUBI R18,0x7d ;Subtract difference in memory position from ROM 10 to ATmega
ADD R28,R18 ;Add the position of the key byte to Y. As Y was set to MP Y now has the memory location of the byte to be changed (R28 is the same YL you just cant use YL with an add command)
LD R16,Y ;load keyByte from memmory position Y into Register 16
LDS R17,(MP + 0x08) ;load xor value from the emm into register 17
EOR R16,R17 ;XOR Register16 (Keybyte) with Register17 (xor value)
ST Y, R16 ;Write corrected key Byte back to memory position Y
;repeat for second byte using 0x18 or 0x1A for the memory position and 0x1E for the xor value.
we then have the corrected keys in memory so then load and write keys (same as all other keyrolls)
the_blackadder1980
Inactive User
- Joined
- Dec 4, 2006
- Messages
- 132
- Reaction score
- 0
excellent work windy, glad to see some people trying and still wanting an explanation o how it was fixed etc.
so i will come back to this thread and explain in laymans terms of what was fixed and how if you like, to be honest most of it is in nozzers atmega challenge, but no hurt in having a rerun.
but first things first
i got to watch manu stuff arsenal
windy can you post your full source code for this
so i will come back to this thread and explain in laymans terms of what was fixed and how if you like, to be honest most of it is in nozzers atmega challenge, but no hurt in having a rerun.
but first things first
i got to watch manu stuff arsenal
windy can you post your full source code for this
Last edited:
Similar threads
- Locked
