Dumping Kaon Boxes

[August12]

After not Forwarding with my Card i wont to Dump my Boxes
so any Help is Welcome
First i want to Beginn with the Kaon NS1000 Box it is Outdated and for Study and if Mistakes Happen
it would not be so Bad like on The New Box That is Still in use
If all Works i will Try on the Kaon NS1040 Box

I Ordered all Things that are Needed some CY7C68013A and Oszilloscope for Finding Ports on the Board
all is Set only Thing that i Need is a XML for Following Flash MXIC MX25L3255DXCI 10-G
i Found the Datasheet Needed but i am not sure what are the Real Datas to Put inside MX25L3255D

Chip is BCM7358

<?xml version="1.0" encoding="utf-8"?>
<Flash maker="Macronix" name="MXIC MX25L3255DXCI10-G" type="Serial">
<Command type="Spansion" programmode="Block" maxbyte="256" addressinterface="3"/>
<ID>
<Maker maxbyte="1" offset="0x00">0xC2</Maker>
<Device maxbyte="2">
<DevId offset="0x01">0x20</DevId>
<DevId offset="0x02">0x19</DevId>
</Device>
</ID>
<Size unit="mbit">256</Size>
<Sector uniform="true" secure="false">
<MaxSector>64</MaxSector>
<Size unit="kbyte">64</Size>
</Sector>
</Flash>

Maybe Someone Knows What Ports to use on that Board or where i can Look
in Front of The Board there is 2 Possible Places for IC2 Connection but i Wait till Oszi is Arrived to be sure The Ground Pins i Found
on the Others i have 3V but i am not Sure if my Analyzer was wrong and wait for better Results with Oszi

Any Help or Suggestion is Welcome

 

[August12]

Ok i have now Connection to the Box
but my XML files dont Match so looks like only help is Testing and see what happens
most Problem is to get the right Data from the Datasheets for the XML

for the Micron MT29F2G08ABAEAH4
and for the MXIC MX25L3255DXCI10-G

and the other things is if XML Match if it the Possible to Dump or is there any Other Restriction

 

[pachecoso]

Can you give better image resolution of circuits on legend 2 please?

And can you give voltage measure for the pins on legend 1 ?

 

[August12]

J1 from left to Right (1 Pin 5V) (2 Pin GND) (3 Pin 3,3V) (4 Pin 3,3V) (5 Pin GND)

J5 from Left to Right (1 Pin 3,3V) (2 Pin 3,3V) (3 Pin 3,3V) (4 Pin GND)

On J5 Pin 2-3 are I2C Tested with Broadband Studio and Connected
The same is on the Kaon NS1040 Box

Added Pictures from NS1040 Box

 

[gustavo88]

Hi August12, search somewhere on the Chips for Uart, for this we need "datasheet" from bcm7358 I can not find it!!
another option is another box with bcm7358 have "schematic diagram"
box provider or Fta box with bcm7358

 

[gustavo88]

@August12 you are right J5 is I2c
and J1 is uart in your box I think. I found this information in forum jtag from 2014 post from kaon1300HD
you don't have box 1300HD.... or only ns 1000 1400
J1 2pin and 4pin they go to the CPU ???? look with a magnifying glass or microscope
English is not my language ...

 

[gustavo88]

J1 3pin and 4pin I think is rx tx

 

[jc0d3r]

hi

...any news, have you dumped it ?

thanks

 

[gazoil12]

Hello
I also work on a Kaon and with BBS3, I have this message when I try to connect the flash "master spi timed out waiting for response"
who has had this problem before
thank you

 

[pachecoso]

if you can't have uart you need to reflash bga with older firmware no other way

 

[adas]

Reverse engineering

Cau Adas

 

[braza]

BBS have 3 stats>

Open, PWD protected and closed. Normal by operator pwd protected. You need bbs (jtag) pwd to acess.

 

[pachecoso]

BBS have 3 stats>

Open, PWD protected and closed. Normal by operator pwd protected. You need bbs (jtag) pwd to acess.

or as i told before he has a firmware open from other operator/same receiver model reflashes bga and have fun!

 

[adas]

Signed CFE required, big work promises to be.

Cau Adas

 

[gazoil12]

Yes of course but CFE signed therefore obliged to glitch to pass the signature and nobody wants to talk about glitch here. I started the subject on another post and I was almost insulted

 

[braza]

or as i told before he has a firmware open from other operator/same receiver model reflashes bga and have fun!

Source code of bcm says: In factory mode the board is BBS open stats, Operator blow fuse to make it pwd protect ( note you cant back it to open stat, only next level o fuse is accepted ), next level blow fuse to closed state.

 

[cdgnet]

Source code of bcm says: In factory mode the board is BBS open stats, Operator blow fuse to make it pwd protect ( note you cant back it to open stat, only next level o fuse is accepted ), next level blow fuse to closed state.

Olá como posso contatar vc preciso de alguem que faça extração de BK e RSA de receptor

 

[schwarzekatze]

Yes of course but CFE signed therefore obliged to glitch to pass the signature and nobody wants to talk about glitch here. I started the subject on another post and I was almost insulted

in stb developed after 2010 you have implemented encrypted secure boot with triple-stage signature verification and you cant bypass this security by glitching because everytime you glitch cpu repeat same veriffication +2 times more and everytime it incremente random delay
to crack this security you must be able to know precise delay for beetwen all 3 veriffication steps which is unfortunatelly mission impossibly
one guy from newae forum have been glitch bcm7358 and his glitch works but not passed him to execute crypto commands and run hsm module because he didnt passed bseck encrypted firmware veriffication stage so his work is also useless
at last he can only talk via uart console to bcm7358 but he will never be able to decrypt any keys because hsm security module is desactivated

 

[schwarzekatze]

@gazoil12
you can maybe glitch sucess by that way secure boot in old sattelite chipsets like 7100 7105 and some android mcu stm32 but you will never success with bcm7358

 

[August12]

Still work on the Boxes after i Killed 2 of them and it takes me some time to get some new ones sowhere on ebay and other sources the game is still going on

in next days i will Update what till now is Possible or not possible