Hardware pairing

k2jones

DW Member
Joined
Apr 23, 2018
Messages
46
Reaction score
32
New support for all conax and nagra.

CAS7 & CAK7
 
  • Love
Reactions: p2p
dear arab.

I understand you want to sell a shit Chinese programmer rt809 but all your posts are total fake and off reality
Please stop this flame on this board and got to spamed some arabe, pakistan, iran or irak board ..
THX
 
  • Angry
Reactions: p2p
dear arab.

I understand you want to sell a shit Chinese programmer rt809 but all your posts are total fake and off reality
Please stop this flame on this board and got to spamed some arabe, pakistan, iran or irak board ..
THX
I'm not sell any device you are crazy man read fine before and after post . Only recomend this tool for read cpu from backdoor pinout. I have more experince on th
dear arab.

I understand you want to sell a shit Chinese programmer rt809 but all your posts are total fake and off reality
Please stop this flame on this board and got to spamed some arabe, pakistan, iran or irak board ..
THX

My friend read well before posting as this confused I do not sell anything just offer my knowledge in reverse engineering so that they can read the info of the STB Conax or Nagra. And If that tool works rt809f. It Is Foolish The astonished man who does not share ideas to improve an investigation or discovery, and more foolish one who works and starves for not charging for his work.
 
bga24 direct wire solder
 

Attachments

  • TF BGA 24-ball ROM RT809F.jpg
    TF BGA 24-ball ROM RT809F.jpg
    310.6 KB · Views: 147
  • Like
Reactions: p2p
friend if you do not know how to use something does not mean it does not work I see that you are stupid or if you do not know about electronics or programming then do not think about something that you disconnect
 
you know of hardware and finding bug in jungle circuits to read without desoldering the complete fw
 
conax sti71xx backdoor i2c hdmi ic cm2020 use rt809f and vga to hdmi cable and toolchain app sercureCRT console COM dump ram and edit with toolchain HXD nvram eepron CWPK
 

Attachments

  • dishtv full pic.jpg
    dishtv full pic.jpg
    390.9 KB · Views: 142
  • CM2020-00TR-pinout.jpg
    CM2020-00TR-pinout.jpg
    48.9 KB · Views: 128
# > bdinfo
boot_params = 0x8FDDFFA8
memstart = 0x80000000
memsize = 0x10000000 (256 MiB)
flashstart = 0xA0000000
flashsize = 0x04000000 ( 64 MiB)
flashoffset = 0x0002EDC0
ethaddr = FC:DB:96:01:1F:F1
ip_addr = 0.0.0.0
baudrate = 115200 bps
STx7111 version 3.x [32-bit mode]
EMI = 100 MHz
# > flinfo
Bank # 1: CFI conformant FLASH (16 x 16) Size: 64 MiB in 512 Sectors AMD Standard command set, Manufacturer ID: 0x01, Device ID: 0x7E2301 Erase timeout: 2048 ms, write timeout: 1 ms Buffer write timeout: 3 ms, buffer size: 512 bytes
###Partitions###
dev: size erasesize name
mtd0: 00040000 00020000 "boot"
mtd1: 00020000 00020000 "boot config"
mtd2: 004a0000 00020000 "kernel"
mtd3: 01a00000 00020000 "root"
mtd4: 02100000 00020000 "var"
mtd5: 03fc0000 00020000 "firmware"
mtd6: 04000000 00020000 "nor"
 
/ RESEARCH MATERIAL: SE-2011-01 /
/ [Security weaknesses in a digital satellite TV platform, PoC code] /

This package contains Proof of Concept codes illustrating security weaknesses
discovered during SE-2011-01 security research project. The package includes
the following codes:
- aitgen
This is the code for automatic generation of a specially crafted AIT file
that upon opening in the Xion web browser would fetch and execute malicious
Java Xlet in the environment of vulnerable set-to-box devices.

- poc
This is the main Proof of Concept code developed as part of SE-2011-01
security research. It is composed of the following components:
a) backdoor
The actual backdoor code installed on a target set-top-box device.
b) logger
Helper code providing the functionality of a debug console.
c) server
Proxy server routing command and data (Control Words) traffic between
the shell and set-top-boxes
d) shell
Attacker's command shell from which control over target set-top-boxes
can be done.

Below, a brief summary of commands implemented by the PoC (shell) is given.
Further inspection of the source code (Interpreter.java and BoxIf.java files
in particular) is advised for better understanding of specific commands and
their implementation.

POC SHELL COMMANDS:
- "list"
list set-top-boxes connected to the proxy server
- "go"
select target set-to-box for command channel
- "exit"
exit shell
- "ecmroutes"
print routing of ECM data (CW providers and receivers)
- "sysinfo"
print system information
- "cardinfo"
print Conax card information
- "pwd"
print current OS level directory
- "jpwd"
print current Java level directory
- "cd"
change OS level directory
- "jcd"
change Java level directory
- "ls"
list content of OS level directory
- "jls"
list content of Java level directory
- "get"
download OS level file
- "jget"
download Java level file
- "put"
upload OS level file
- "jput"
upload Java level file
- "del"
delete OS level file
- "jdel"
delete Java level file
- "dump"
download (dump) a portion of OS level file system
- "jdump"
download (dump) a portion of Java level file system
- "mkdir"
create OS level directory
- "jmkdir"
create Java level directory
- "rmdir"
delete OS level directory
- "jrmdir"
delete Java level directory
- "root"
elevate privileges to root
- "id"
print user id of the backdoor process
- "output"
change debug outout (file / console)
- 'jthreads"
print Java threads
- "kdump"
dump given kernel memory to file
- "openurl"
open URL in Xion web browser
- "play"
play a content from a given URL (external MPEG, DVR content)
- "avinfo"
print Audio / Video information
- "srvinfo"
print all sorts of MPEG service related information
- "cat"
print content of OS level file
- "jcat"
print content of Java level file
- "service"
change current service (programming)
- "dvrinfo"
print information about DVR content
- "jprops"
print Java properties
- "dialog"
show various dialog boxes on TV screen
- "httpsniff"
control sniffing of HTTP traffic (headers, content)
- "ps"
print process information
- "keys"
provide key input
- "urimap"
control mapping of Xion web browser URI hijacking (stealth URLs redirection)
- "subsinfo"
print information about user's subscription's status
- "epginfo"
information about Electronic Program Guide (EPG)
- "capture"
graphic screen capture
- "mpegsniff"
simple MPEG sniffing by PID value
- "pat"
print SI MPEG PAT section
- "pmt"
print SI MPEG PMT section
- "reboot"
reboot the system
- "invoices"
download customer billing information
- "dsmccmount"
mount DSMCC carousel
- "ssuinfo"
information about available device's upgrade images
- "emmblock"
block Conax EMM messages
- "keyinfo"
print information about various cryptographic keys
- "upgdnl"
download and decrypt device's upgrade image
- "dvrmgr"
Digital Video Recorder (DVR) control (scheduling recordings, etc.)
- "emmsniff"
sniff EMM messages changing Conax entitlements bits
- "mpegdump"
MPEG stream capture of arbitrary programming
- "hdcpinfo"
print HDCP related information
- "chmod"
change mode of OS level file
- "chown"
change owner of OS level file
- "fwflush"
flush all firewall rules
- "emmload"
load stored ECM message to Conax card
- "ecmreceive"
configure receivers of plaintext Control Words
- "ecmforward"
configure forwarding of plaintext Control Words
- "doorinst"
install persistent and stealth backdoor code
- "conaxinfo"
print Conax related information (chip id, RFS and paring keys)
- "cwinfo"
print current Control Word information (encrypted and plaintext)
- "vodprops"
print information about Push Video on Demand (PVOD) movies and their properties
- "vodecm"
control of VOD ECM decryption and play of arbitrary content behind the rental period
- "vodserver"
select source for VOD ECM / plaintext Control Words
- "script"
load and run shell commands from a script
 
all cmd put on SecureCRT app is on rt809f toolchain
 
I also have for bcm
 

Attachments

  • bcm fta and oem.txt
    1.1 KB · Views: 64
heh .. bla bla bla.. mabe you losted.. in all provider recivers is UART, JTAG locked and too no having HDMI chip, only direct lines in cpu..
you info about HDMI is good only for TV repairman .. via this is possible reprogramed weltrend chip in samsung tv for example
 
You still do not know what you're talking, friend. that the lines go to the cpu is because the ic hdmi is integrated into the cpu, you know how electronic or hardware development continue sucking your thumb that in this does not dabe or potatoes
 
bla bla bal.. again you posted blame and you theoretical hypoteze This is normal receiver Golden Media 990CR where have JTAG and UART default open. Try this on some provider box, for example some pace 72xx based(cube france box, or pace nc+ box or pace max tv box) and you will be see
 
bla bla bal.. again you posted blame and you theoretical hypoteze This is normal receiver Golden Media 990CR where have JTAG and UART default open. Try this on some provider box, for example some pace 72xx based(cube france box, or pace nc+ box or pace max tv box) and you will be see


box cube france
1/ is not 72xx is 7101 / 7105
2 / uart and jtag open where you from man and where you leave disneyland i think

you are crazy man
 
Back
Top