if u can code here is the fix

davidh

DISASSEMBLY OF CODE:
------------------------------

0081: 4F clra ; a <-- 0
0082: C7 01 20 sta $0120 ; Store A in...
0085: C7 01 21 sta $0121 ; Store A in...
0088: C7 01 22 sta $0122 ; Store A in...
008B: A6 29 lda #$29 ; Load in A
008D: CD 90 E3 jsr $90E3 ; Go to subroutine NEVER COMES BACK !<<this is the one
0090: C6 01 20 lda $0120 ; Load in A
0093: CA 01 21 ora $0121 ; A= A or ...
0096: CA 01 22 ora $0122 ; A= A or ...
0099: 27 B4 beq $4F ; Branch if =
009B: 3C A9 inc $A9 ; +=1
009D: 3C B3 inc $B3 ; +=1
009F: A6 24 lda #$24 ; Load in A
00A1: CC 6B 01 jmp $6B01 ; Jump

BYTES DUMP:
---------------------
00A4: 83 PR OV 42 05 XX XX XX A9 HAS TO BE INCREMENTED
00AC: XX XX XX XX XX 42 85 XX B3 HAS TO BE INCREMENTED
00B4: XX XX XX XX XX XX XX 00
00BC: 00


u Fix it for fenrir with a jump to $009B instead of $2020

this isnt me i wish
but if u know how to do it do it and let us all use it
 
i hesitate to comment as i must confess i cannot code worth a damn, believe there is a code fix for this as well now. (tit card)
wonder how long it will be till it's implemented?
 
Come on champs, theres got to be some one on our side

Brill find David just one prob

what language is it again
 
TWOBEERCANS said:
i hesitate to comment as i must confess i cannot code worth a damn, believe there is a code fix for this as well now. (tit card)
wonder how long it will be till it's implemented?


Forgive my misunderstanding TBC, there is a tit fix for the latest probs, or the cc's have knocked out this fix straight off??
 
UNDETTERRED said:
Forgive my misunderstanding TBC, there is a tit fix for the latest probs, or the cc's have knocked out this fix straight off??

i suppose it was a bit misleading - by code fix i mean the correction for the above code. this however has yet to be put onto a card and actually put into practice. {this is simply my understanding of what i have been reading elsewhere}

TBH - it seems coming up with a code fix is not exactly fixing the cards. however since some of the opus cards are still running and they use the same chip it seems likely a fix is on the way.
shame it doesn't seem possible to erase the tit2 op system and load the opus 1.04 op system, but apparently it isn't possible to take the card back that far!
 
there is a fix out there somewhere, it's just gonna take time to get released to the public so the traders can all make their money first
 
JIMMYQ said:
there is a fix out there somewhere, it's just gonna take time to get released to the public so the traders can all make their money first
surely you mean to stop the damn traders making money ?
 
solar said:
surely you mean to stop the damn traders making money ?


Obviously whoever cracks this prob aint doin it for the good of their health. It will then be sold onto traders who will then make their outlay back charging the punters, it will then filter down to us.
 
UNDETTERRED said:
Obviously whoever cracks this prob aint doin it for the good of their health. It will then be sold onto traders who will then make their outlay back charging the punters, it will then filter down to us.


Suspect it's going to be a long cold winter then ..........
 
davidh said:
u Fix it for fenrir with a jump to $009B instead of $2020

You don't need to fix Fenrir. Version 1.0.5.2 of the dll and later are built to handle this type of keyroll and work just fine.

I run this with WatchTvPro and it's AU'ing without problem.

On a different note, the above code is the actual code generated by the decrypted Emm. Whilst understanding it is a requirement for a fix it certainly is not a fix in itself. You cannot actually change the above code as that is what is transmitted to your box as part of every keyroll Emm. You can only change the way it is handled by an emulator.

In this context, this means changing the Rom10 ROM code itself that handles the call to $90E3. This routine is the entry point to calling a function within the MAP co-processor -


Now, from the initial Emm code, you can see that the addresses $0120-$0122 are initially set to zero before the call to $90E3 with the accumulator set to $29. This will execute MAP function $29 and change the data at $0120-$0122 in some way. On return from the MAP function, the Emm tests locations $0120-$0122 to see if they are still all zero. If they are then the Emm aborts and no key update occurs. If, on the other hand, any of those locations have changed then you get a key update !

So, in order to get a key update all that is required is that any of the locations $0120-$0122 are set to some value other than zero when the rts instruction is executed at $90EC. In other words, a simple patch to the ROM10 ROM code !

This method is only really applicable to emulators such as Sosia etc. It's doubtful it will work on the cards successfully.

Edit: Just had another look at Fenrir and yes, it is affected by these keyrolls. It is, however, picking up the Rom7 Emms and handling those just fine. Probably cos those do not use the cryptic MAP $29 call.
 
UNDETTERRED said:
Obviously whoever cracks this prob aint doin it for the good of their health. It will then be sold onto traders who will then make their outlay back charging the punters, it will then filter down to us.

It's those kind of comments that persuade the coders that do this for fun that it's really not worth the hassle !
 
nozzer said:
It's those kind of comments that persuade the coders that do this for fun that it's really not worth the hassle !


too true, but it's a sad fact in the past traders have lined their pockets by the generosity of others
 
UNDETTERRED said:
too true, but it's a sad fact in the past traders have lined their pockets by the generosity of others

Very true but you just have to accept that and move on. It's of little or no real importance. It in no way detracts from the fact there are some very good people out there who play with this stuff purely for the benefit of the community.
 
have to agree with nozzer, people dont just do it for money, they do it for fun and to beat the system :)
just coz u can crack the code dont mean ur going to sell it and that ur a trader
the thing that gets me is members go out of their way each day and bring u the latest RST
now if u got a programmer it takes all of 2/3 mins to programme ur card and ur up and running again
so whats the hardship in that ?
u may say Im doing it for friends and family (so do I) and its a hassle, then get them a mosc :)
or tell them to learn to programme themselves ;) I dont mean to be blunt but theres a lot of clever and helpful people out there and it dont mean they're keeping it to themselves, and if they are maybe they're thinking of themselves and not the many leechers
maybe Im wrong ?

Rat
 
Rat said:
have to agree with nozzer, people dont just do it for money, they do it for fun and to beat the system :)
just coz u can crack the code dont mean ur going to sell it and that ur a trader
the thing that gets me is members go out of their way each day and bring u the latest RST
now if u got a programmer it takes all of 2/3 mins to programme ur card and ur up and running again
so whats the hardship in that ?
u may say Im doing it for friends and family (so do I) and its a hassle, then get them a mosc :)
or tell them to learn to programme themselves ;) I dont mean to be blunt but theres a lot of clever and helpful people out there and it dont mean they're keeping it to themselves, and if they are maybe they're thinking of themselves and not the many leechers
maybe Im wrong ?
Rat

fair comment mate ;)
 
Rat said:
have to agree with nozzer, people dont just do it for money, they do it for fun and to beat the system :)
just coz u can crack the code dont mean ur going to sell it and that ur a trader
the thing that gets me is members go out of their way each day and bring u the latest RST
now if u got a programmer it takes all of 2/3 mins to programme ur card and ur up and running again
so whats the hardship in that ?
u may say Im doing it for friends and family (so do I) and its a hassle, then get them a mosc :)
or tell them to learn to programme themselves ;) I dont mean to be blunt but theres a lot of clever and helpful people out there and it dont mean they're keeping it to themselves, and if they are maybe they're thinking of themselves and not the many leechers
maybe Im wrong ?
Rat


Pat/Nozz, not disagreeing, everything you said is correct, these people do it for the challenge, the buzz. But it must be a pisser when others are creaming it.
Long live digital world and all who sail on her.
 
all traders should be shot ... for starters they charge way too much money for something that costs a few quid to set up. i got my box from the market. well, should i say me dad got it and paid around £2 i think, then i bought a card reader £35 plus card £9 including p&p .. total £46. and i done my brother-in-law's, all he paid was £25 for box and £9 for card. but the funny bit is the rest of his family got charged £170 for their setup, plus when cards were going off they had to pay to get them put back on. then when au came out they had to pay another lump sum for the au card, until eventually the trader left the country, in other words he disappeared. now all of a sudden im finding myself putting the new keys on 6 different cards each day, because their trader slimeball has left them in the crap. ive told them to buy a cheap programmer and do it themselves, and i'll show them how. i know it only takes a few mins each card but its getting annoying. but i cant leave them in the lurch. i just hope it doesnt escalate and more people want me to do their cards, as i like my peace. but cant refuse to help people when asked.
 
nozzer said:
You don't need to fix Fenrir. Version 1.0.5.2 of the dll and later are built to handle this type of keyroll and work just fine.
I run this with WatchTvPro and it's AU'ing without problem.
On a different note, the above code is the actual code generated by the decrypted Emm. Whilst understanding it is a requirement for a fix it certainly is not a fix in itself. You cannot actually change the above code as that is what is transmitted to your box as part of every keyroll Emm. You can only change the way it is handled by an emulator.
In this context, this means changing the Rom10 ROM code itself that handles the call to $90E3. This routine is the entry point to calling a function within the MAP co-processor -
Now, from the initial Emm code, you can see that the addresses $0120-$0122 are initially set to zero before the call to $90E3 with the accumulator set to $29. This will execute MAP function $29 and change the data at $0120-$0122 in some way. On return from the MAP function, the Emm tests locations $0120-$0122 to see if they are still all zero. If they are then the Emm aborts and no key update occurs. If, on the other hand, any of those locations have changed then you get a key update !
So, in order to get a key update all that is required is that any of the locations $0120-$0122 are set to some value other than zero when the rts instruction is executed at $90EC. In other words, a simple patch to the ROM10 ROM code !
This method is only really applicable to emulators such as Sosia etc. It's doubtful it will work on the cards successfully.
Edit: Just had another look at Fenrir and yes, it is affected by these keyrolls. It is, however, picking up the Rom7 Emms and handling those just fine. Probably cos those do not use the cryptic MAP $29 call.


hi

you seem to know a bit about code, can u help us to put this in a patch

ROM:90E3 CALL_MAP: ; CODE XREF: LOADKEY+8p
ROM:90E3 ; LOADKEY+Dp ...
ROM:90E3 CD 82 3D call DISABLEINTERRUPTS
;ROM:90E6 CD 20 20 call MAP_EXEC ; Execute MAP function
ROM:90E6 C7 01 20 ld $0120, A
ROM:90E9 CD 82 23 call ENABLEINTERRUPTS
ROM:90EC 81 ret
ROM:90EC ; End of function CALL_MAP

it is supposed to work, if not can u give us a hint [big hint] how to do it


thanks
michael1
 