Back door 0 on rom 10 issue

Rom Studio !!!
Card succesfully written ($D000-$DFFF)!
Retries( 0) =>Eficience=100.00%
Glitched
Script version 1.4c - experimental prototype - not for general release

Work still to be done before release
------------------------------------
1. Add BD key correction or display

Do NOT remove card while script is running!!!

Card is a Rom 10 RevA82 (5C01)

Checking card status..........

This card is already open

IRD is 120E6E96
BK is 00000000035C031C

Script has finished - it is now safe to remove your card

Script C:\Documents and Settings\Owner\Desktop\mrmp1.4 prerelease (unfinished)dev4 .xvb Transmission Completed

Nagra
Opening of COM2 was successful
ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 30 20 52 65 76 41 38 32 40
ROM Revision: 010
EEPROM Revision: RevA82
ProviderID: 5C
CamID: 25 00 00 01
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
BackDoor login verified
Dumping Dataspace
Backdoor retrieval has been blocked
Attempting to login to BD3
Attempting to login to BD0
Unable to login, bad password detected
Login attempt aborted
Reading ROM10 failed
Closing of COM2 was successful
Xncs
Opening of port was sucessfull.
ATR=3FFF9500FF918171A04700444E4153503031302052657641383240
Info=DNASP010 RevA82
Retrieving card info...
Card info retrieved :)
Dumping card,try #0.
Dumping card,try #1.
Dumping card,try #2.
Dumping card,try #3.
Couldnt Dump Card...
Also cant install a ghost provider!!
 
First we are going to try to read with Romstudio backdoor method Aprendiz”!
And when finished reading it will ask if you want to install ghost? Say yes”!
Once done”! Next to it is write, click on Login Aprendiz and press write and hopefully it will write (If it reads it will write)

Now open Caton and send this command”! 21000DA0CA00000721050103FFFF012046


and the answer should be this one bellow

A1: Resp. a comando 21 (Petición de UN ITEM de un TIPO de DATOS)

122020A11E6901080100000C3A04FF0F064246000000000000000000000000000000000C

12 CAM->IRD
20 00100000, Bloque de instrucción, sec.0, necesita al menos un paquete más
20 Longitud del envío
A1 Respuesta a comando 21
1E Longitud de datos respuesta
-------------------01: INFORMACIÓN IRD y DUEÑO TARJETA
6901 Tipo Sistema
08 EstIRD: 00001000
01 Grupo acceso libre
00000C3A Código postal: 3130
04 Zona horaria = 1:00 (GMT)
FF Byte de desviación DVB
0F064246 Número IRD: 1178732047
0000000000000000 Revisión bootstrap: ........
0000000000000000 Revisión firmware: ........
Boxkey
--------------------------------
0000 SW ?????????????????
0C Control Redund. Lineal.: CRL Ok

If so? Then send this command to reset bugcatchers to 00

210053A0CA00004D004B6901029D250A8525B2D7B20E3E518AAF8FF5DBEECA7E5985978F15E5625A8837E58A8751EEF704309C44039DF20D59BDBA1A87B1C8D9B5179082226F383EE24FD42414528F2C506D034E520597

Then try reading with XNCS or Nagraedit
 
ByteMaster said:
Image sent to card now attached
Click to expand...

That image is not in card m8"!
you still have the original image A82 in there
 
This is the response rom caton
A1: Resp. a comando 21 (Petición de UN ITEM de un TIPO de DATOS)

122020A11E990100010000000000FFDDDDDDDD00112233445566770011223344556677CB

12 CAM->IRD
20 00100000, Bloque de instrucción, sec.0, necesita al menos un paquete más
20 Longitud del envío
A1 Respuesta a comando 21
1E Longitud de datos respuesta
-------------------01: INFORMACIÓN IRD y DUEÑO TARJETA
9901 Tipo Sistema
00 EstIRD: 00000000
01 Grupo acceso libre
00000000 Código postal: 0
00 Zona horaria = 0:00 (GMT)
FF Byte de desviación DVB
DDDDDDDD Número IRD: -572662307
0011223344556677 Revisión bootstrap: .."3DUfw
0011223344556677 Revisión firmware: .."3DUfw
Boxkey
--------------------------------
6677 SW ?????????????????
CB Control Redund. Lineal.: CRL Ok
 
Yes M8 the card revision doesnt change
hense bd0 problem
Using Xncs
Should i Login aperndiz
Answer yes to ghost
THEN do i load new image the one posted then write aperndiz?
 
Script version 1.4c - experimental prototype - not for general release

Work still to be done before release
------------------------------------
1. Add BD key correction or display

Do NOT remove card while script is running!!!

Card is a Rom 10 RevA82 (5C01)

Checking card status..........

This card is already open

IRD is 120E6E96
BK is 00000000035C031C


why are u using this script? this will just check the card and the return will say its open.

u need to use a single provider script or one that doesnt check the card open status.
 
@ SimonK

Executing Script: C:\Documents and Settings\Owner\Desktop\cab\t911\Scripts\5C01 auto A82_Final Rom 10.xvb
TX Data : A0
TX Data : A1
TX Data : 07 0E 03 10 01 03 9A 00
RX Data : 07 1B
RX Data : 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 30 20 52 65 76 41 38
TX Data : 12 15 AB 21 00 08 A0 CA 00 00 02 12 00 06 55 0E
03 85 00
RX Data : 12 06
RX Data :

Now we will try 12FF delay
TX Data : B0 99
TX Data : 47 15 E0
TX Data : 21 00 3D A0 CA 00 00 37 03 35 5C 01 10 31 05 4E
69 70 50 45 72 20 49 E3 40 7C AD FD B9 64 29 F4
F6 77 C2 35 6D 74 74
TX Data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 05 C6
TX Data : 0E 05 8A 00
RX Data : 47 0B
RX Data : 12 40 07 83 03 B1 01 01 90 00 F4
TX Data : 6A 15 FF 21 00
TX Data : 5C A0 CA 00 00 56 03 54 5C F7 10 81 05 FA CD 7A
TX Data : B7 C0 A1 A6 00 4A 15 33 19 E1 FB 5B 63 48 50 7E
TX Data : 8E 46 A2 1D EF D3 71 16 17 9E 4C 52 66 B6 DB 4C
TX Data : 59 6C D8 6F D9 E7 FF 65 D1 63 8E 1B AE 6D 29 25
TX Data : D9 B8 84 46 ED D9 9E EF 33 A3 A1 6A AD BD F3 46
TX Data : 82 06 67 9C C0 BD 06 F6 85 AE E4 18 76 5C 20 12
FF 09 0E 05 85 00
RX Data : 6A 06
RX Data : 12 00 07 83 03 B1


*********** we hit our bug *************
1200078303
===========================================
83 was hit at 12FF delay ----VCC WAS 99 , our GlitchType was 09

TX Data : 12 15 AB 21 00 08 A0 CA 00 00 02 C0 00 06 87 0E
03 85 00
RX Data : 11 00
TX Data : 0A 15 A3 21 98 00 B9 0E 03 85 00
RX Data : 03 00
TX Data : 0A 15 A3 21 92 00 B3 0E 04 85 00
RX Data : 03 00
***************************
* A82 CAM should be OPEN *
* test in Nagra to see. *
* if not, try again. *
***************************

Script C:\Documents and Settings\Owner\Desktop\cab\t911\Scripts\5C01 auto A82_Final Rom 10.xvb Transmission Completed
 
@ Simonk
Nagra still asking BD0
Guys would it be possible to open a livechat at top of page great got you all in helping can keep it private if so wish page or pm me thanks
 
read the card in xncs - look @ $C0A1 - what is the value there?

also post your bd0 key @ $C040 - C04F
 
Last edited:
You have Provider 9901 installed in card

With Caton send this EMM

210053A0CA00004D004B990182BC0A97EFD75EFD67CE2CB03A2C3C58B3BC1B185E9A094F62787F329749DBAF7A171D9E1FDA8B97C5F274E382B38339693070720386BF5161B05B6EBD64524CAA4D611026A70E9D7C0578

and see what happens
 
@ carwash
afterv sendin emm
Respuesta corrupta:

210053A0CA00004D004B990182BC0A97EFD75EFD67CE2CB03A2C3C58B3BC1B185E9A094F62787F329749DBAF7A171D9E1FDA8B1282009097C5F274E382B38339693070720386BF5161798200FBB05B6EBD64524CAA4D611026A70E9D7C05780B820089
 
@ Simon
xncs refusing to dump these cards
pening of port was sucessfull.
ATR=3FFF9500FF918171A04700444E4153503031302052657641383240
Info=DNASP010 RevA82
Retrieving card info...
Card info retrieved :)
Dumping card,try #0.
Dumping card,try #1.
Dumping card,try #2.
Dumping card,try #3.
Couldnt Dump Card...
 
You will have no choice but to repair with Mrom trying all types of delays and changing provider to 40, then with Tomb_reader try to get the BD0
With Mrom try this delays
RXdelay 120
TX delay300
loop delay 10
then do a reset and press reperar

Keep persisting with MROM and you will get there

Remember”!! Only do this if your card provider says 40, 41, 48 or 49
Open tomb reader, click on Mosc & Digital+, then click on cmunicacion, Reset, then press button LEER BD0 you will see this writing inside box ((ID Proveedor:4001
Leyendo BackDoor0..and at the bottom you should get Backdoor0
 
Last edited:
Can do the business everytime with Mrom
No probs all strings write ok using method 1 or 2
Tomb reader gives all the detais but always has an error when trying leer bd0?
Provider always changes to 40 also
 
ByteMaster said:
Can do the business everytime with Mrom
No probs all strings write ok using method 1 or 2
Tomb reader gives all the detais but always has an error when trying leer bd0?
Provider always changes to 40 also
Click to expand...

You have to go past string 2 for it to do the all thing
no erros with Mrom otherwise it will not work
 
This is the result of nagra after Mrom the card again
all strings sent ok
No"S*hit" results come up
Nagra out put notice provider change
Opening of COM2 was successful
ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 30 20 52 65 76 41 38 32 40
ROM Revision: 010
EEPROM Revision: RevA82
ProviderID: 40
CamID: 1B 83 F0 D8
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
BackDoor login verified
Dumping Dataspace
Backdoor retrieval has been blocked
Attempting to login to BD3
Attempting to login to BD0
Unable to login, bad password detected
Login attempt aborted
Reading ROM10 failed
Closing of COM2 was successful
 
@carwash
Tomb reader
On all the tabs ie boxkey dates etc I get results
on leer bd0 i get this "Fallo Al Leer Backdoor 0"
On pressing restore back door i get "El commando no ha aceptado,el bug no funciona en la vista":Chainsaw:
 
as i said b4 bytemaster ,i had this prob and persisted with mrom and after a while it did read in nagra ,must be bustin your b***s by now lol
 
You must log in or register to reply here.

Similar threads

joeblaze
some people in twitter now claiming to have found stuff on a way back machine that chinese knew a lot earlier and maybe released it deliberately?
Replies
14
Views
694
joeblaze
joeblaze
loady
cypress board wont connect to jtag H2
Replies
2
Views
1K
loady
loady
Grimeire
Terrestial tuner signal issue?
Replies
6
Views
1K
Grimeire
Grimeire
silverdale
    • Like
Change rules to improve Football
Replies
8
Views
1K
countryboy
countryboy
Mick
    • Like
PORN ID Checks to be introduced
Replies
8
Views
886
cactikid
cactikid
Back
Top