I'm doing the Atmega Challenge

DodgyTech (VIP Member, joined Nov 17, 2004)
Hey guys

I am doing the atmega challenge and it is actually sinking in :)

I need the following things to help me in my learning:

  1. Just a number indicating how many types of keyrolls have happened so far (I think we're on 6 or 7)
  2. Decrypted EMMs for each of them (so that I may understand what the code in the Atmega challenge thread is doing)

Edds did send me everything, but after running make32.bat, it would create the hex and delete it (I think maybe because Edds must have played with the extracted files ;) ). So I require the following files from nozzer or anyone who has them:


Redneck.rar
Atmel_Instruct.pdf
NagraFaq.pdf
Rom10Rev028_Gesinas.zip


Nozzer teaches us the basics (the easy way) for the fix in the thread; hopefully I will try and do some defensive coding once I get the hang of it.

Finally, I want to thank nozzer for doing that thread and Edds for passing it on.

Regards

P.S.: either PM me or use an external site to host the files; DW will not host any files anymore :)
 
Nowt I've done. I've just run the make.bat and I, too, am getting an error:
Creating 'redneck.eep'
Creating 'Redneck.hex'
Creating 'redneck.obj'
Creating 'redneck4.lst'
Creating 'redneck.map'

Assembling 'redneck4.asm'
Including 'm163def.inc'
redneck4.asm(77) : redneck4.asm(78) : redneck4.asm(80) : Including 'i2c.inc'
Including 'autoroll.asm'
Including 'ntlkeys.asm'
Including 'MUL8x8_m.asm'
Including 'MUL32x32.ASM'
Including 'SQU32x32.ASM'
Including 'MulMonty.asm'
Including 'Decrypt1.asm'
Including 'Div_Modu.asm'
Including 'ExpMod.asm'
autoroll.asm(70) :
Assembly complete with 1 error

Deleting 'redneck.eep'
Deleting 'redneck.obj'
Deleting 'Redneck.hex'
Deleting 'redneck.map'
It looks like it's deleting them because an error occurred; time to discover what caused the error, and then the files should NOT be deleted.
 
Nowt I've done. I've just run the make.bat and I, too, am getting an error It looks like it's deleting them because an error occurred, time to discover what caused the error and thus the files should NOT then be deleted.
Oh, I thought you had a go at the challenge, mate. Didn't wanna trouble anyone over PM for a trivial matter. Plus, I thought I would raise awareness of the challenge :)

I've been contacted by nozzer, so I will be getting the requested files soon.

I can't believe it all started to make sense! Are you gonna do the challenge too, or have you mastered it?
 
A quick shufti at the time of saving the thread was all I did, as well as running the batch file. I do recall that there were NO errors at that time, so no idea why we are both getting them now.

I may take up the challenge, yeah. Can you PM a link to the requested files, please? (after you get them that is, lol)
 
This sounds interesting; can you talk more about what it is, or PM me.
Thanks
 
Hi

I too would like to learn this from the very basics; if you could send me the required info it would be very appreciated.

Thanks
 
@edds - That reminds me why I came to that conclusion: because the files that make32.bat creates were there. I got some of what I was looking for; will send them over later tonight.

@despan, @mastichick - will just check if I'm allowed to send this on, then you can have what you need tonight.


-----------------------------------------------------------

I still need decrypted EMMs.

All I have so far is the one for Keyroll 5 and the latest one which I believe is 6 or 7.

Keyroll 5:

; 3F -> Filter: ANY CARD
; 5A01 PROVIDER ID (Telewest (Cable))
;
; FA -> RUN CODE FOR ROM10:
; 3F41A602CD90E33F 4DA6B9B74EA60ECD 90E3A6ADB74EA60E CD90E3A621CC6B01
; 835B014205F29612 F4475D5100000000 3C8B73CE26E32600 BC4285BD
;
; DISASSEMBLY OF CODE:
; ------------------------------
;
; 0081: 3F 41 clr TEMPA ; <-- 0
; 0083: A6 02 lda #$02 ; Load in A
; 0085: CD 90 E3 jsr $90E3 ; Go to subroutine
; 0088: 3F 4D clr RC2L ; <-- 0
; 008A: A6 B9 lda #$B9 ; Load in A
; 008C: B7 4E sta RC3H ; Store A in...
; 008E: A6 0E lda #$0E ; Load in A
; 0090: CD 90 E3 jsr $90E3 ; Go to subroutine
; 0093: A6 AD lda #$AD ; Load in A
; 0095: B7 4E sta RC3H ; Store A in...
; 0097: A6 0E lda #$0E ; Load in A
; 0099: CD 90 E3 jsr $90E3 ; Go to subroutine
; 009C: A6 21 lda #$21 ; Load in A
; 009E: CC 6B 01 jmp $6B01 ; Jump
;
; BYTES DUMP:
; ---------------------
; 00A1: 83 5B 01 42 05 F2 96 12
; 00A9: F4 47 5D 51 00 00 00 00
; 00B1: 3C 8B 73 CE 26 E3 26 00
; 00B9: BC 42 85 BD


Keyroll 6/7:

3F -> Filter: ANY CARD
5401 PROVIDER ID (NTL)
FA -> RUN CODE FOR ROM10:
5FA679B741A6022D 079BCD20209A2003 CD20209FB8B1B7B1 9FB8B6B7B6A626CC
6B01000000835501 420562BD220AC686 E593428580D4D1D3 8090FF2B
DISASSEMBLY OF CODE:
------------------------------
0081: 5F clrx ; x <-- 0
0082: A6 79 lda #$79 ; Load in A
0084: B7 41 sta TEMPA ; Store A in...
0086: A6 02 lda #$02 ; Load in A
0088: 2D 07 bms $91 ; Branch if mask=1
008A: 9B sei ; I <-- 1
008B: CD 20 20 jsr $2020 ; Go to subroutine
008E: 9A cli ; I <-- 0
008F: 20 03 bra $94 ; Branch always
0091: CD 20 20 jsr $2020 ; Go to subroutine
0094: 9F txa ; X --> A
0095: B8 B1 eor $B1 ; A= A xor ...
0097: B7 B1 sta $B1 ; Store A in...
0099: 9F txa ; X --> A
009A: B8 B6 eor $B6 ; A= A xor ...
009C: B7 B6 sta $B6 ; Store A in...
009E: A6 26 lda #$26 ; Load in A
00A0: CC 6B 01 jmp $6B01 ; Jump
BYTES DUMP:
---------------------
00A3: 00 00 00 83 55 01 42 05
00AB: 62 BD 22 0A C6 86 E5 93
00B3: 42 85 80 D4 D1 D3 80 90
00BB: FF 2B


If there are any more, which would help me with understanding the constants and variables in each, then that would be greatly appreciated. Also, these are needed to see a breakdown of each one, to understand them, and to see the differences in the masks.

Cheers
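Because listings like the two above are hand-transcribed, it is worth checking that they are internally consistent before trying to reason about what the code does. The following Python is an added example, not code from this thread or from any of the tools it mentions: it embeds the Keyroll 6/7 listing exactly as posted and verifies that the instruction addresses are contiguous, that the instruction bytes plus the BYTES DUMP reassemble to the RUN CODE hex, and that the two relative branch targets (`bms $91`, `bra $94`) agree with the encoded offsets. The parser also strips the `; ` prefix used in the Keyroll 5 listing, so that one can be pasted in the same way.

```python
"""Consistency check for a hand-transcribed 6805 disassembly listing.

Added example. KEYROLL_6_7 is the 'Keyroll 6/7' listing from the post
above, copied verbatim; the header lines ('3F -> Filter', provider id,
'DISASSEMBLY OF CODE:', ...) are simply ignored by the parser.
"""
import re

KEYROLL_6_7 = """
5FA679B741A6022D 079BCD20209A2003 CD20209FB8B1B7B1 9FB8B6B7B6A626CC
6B01000000835501 420562BD220AC686 E593428580D4D1D3 8090FF2B
0081: 5F clrx ; x <-- 0
0082: A6 79 lda #$79 ; Load in A
0084: B7 41 sta TEMPA ; Store A in...
0086: A6 02 lda #$02 ; Load in A
0088: 2D 07 bms $91 ; Branch if mask=1
008A: 9B sei ; I <-- 1
008B: CD 20 20 jsr $2020 ; Go to subroutine
008E: 9A cli ; I <-- 0
008F: 20 03 bra $94 ; Branch always
0091: CD 20 20 jsr $2020 ; Go to subroutine
0094: 9F txa ; X --> A
0095: B8 B1 eor $B1 ; A= A xor ...
0097: B7 B1 sta $B1 ; Store A in...
0099: 9F txa ; X --> A
009A: B8 B6 eor $B6 ; A= A xor ...
009C: B7 B6 sta $B6 ; Store A in...
009E: A6 26 lda #$26 ; Load in A
00A0: CC 6B 01 jmp $6B01 ; Jump
00A3: 00 00 00 83 55 01 42 05
00AB: 62 BD 22 0A C6 86 E5 93
00B3: 42 85 80 D4 D1 D3 80 90
00BB: FF 2B
"""

ADDR_LINE = re.compile(r"^([0-9A-Fa-f]{4}):\s*(.*)$")   # 'HHHH: ...'
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")               # one byte
HEX_RUN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")           # 'RUN CODE' chunk


def parse_listing(text):
    """Return (run_code_bytes, instructions, dump).

    instructions: [(addr, bytes, mnemonic, operand)]; dump: [(addr, bytes)].
    """
    run_code = bytearray()
    instructions, dump = [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip(";").strip()   # tolerate '; ' prefixed listings
        m = ADDR_LINE.match(line)
        if m:
            addr, tokens = int(m.group(1), 16), m.group(2).split()
            data = []
            while tokens and HEX_PAIR.match(tokens[0]):
                data.append(int(tokens.pop(0), 16))
            if tokens and tokens[0] != ";":      # a mnemonic follows the bytes
                mnemonic = tokens[0].lower()
                operand = tokens[1] if len(tokens) > 1 and tokens[1] != ";" else ""
                instructions.append((addr, bytes(data), mnemonic, operand))
            else:                               # only bytes: a BYTES DUMP line
                dump.append((addr, bytes(data)))
        elif line and all(HEX_RUN.match(t) for t in line.split()):
            run_code += bytes.fromhex("".join(line.split()))
    return bytes(run_code), instructions, dump


def check_listing(text):
    """Run the three consistency checks and return the findings as a dict."""
    run_code, instructions, dump = parse_listing(text)
    contiguous, expected = True, instructions[0][0]
    for addr, data, _, _ in instructions:       # each insn starts where the last ended
        contiguous &= addr == expected
        expected = addr + len(data)
    code_end = expected
    for addr, data in dump:                      # and the dump follows the code
        contiguous &= addr == expected
        expected = addr + len(data)
    reassembled = b"".join(d for _, d, _, _ in instructions) + b"".join(d for _, d in dump)
    branches, bad_branches = 0, []
    for addr, data, mnemonic, operand in instructions:
        # 2-byte relative branches (bra, bms, bne, bsr, ...) carry a signed
        # offset from the address of the next instruction. bset/bclr take a
        # 'n,$addr' operand and are excluded by the leading-'$' test.
        if mnemonic.startswith("b") and len(data) == 2 and operand.startswith("$"):
            branches += 1
            offset = data[1] - 0x100 if data[1] & 0x80 else data[1]
            if addr + 2 + offset != int(operand[1:], 16):
                bad_branches.append((addr, mnemonic, addr + 2 + offset))
    return {
        "instructions": len(instructions),
        "code_end": code_end,            # first address after the last instruction
        "end": expected,                 # first address after the dump
        "total_bytes": len(reassembled),
        "contiguous": contiguous,
        "matches_hex": reassembled == run_code,
        "branches_checked": branches,
        "bad_branches": bad_branches,
    }


if __name__ == "__main__":
    for key, value in check_listing(KEYROLL_6_7).items():
        print(f"{key}: {value}")
```

For the listing as posted every check passes: 18 instructions, code ending at $00A3 where the dump starts, 60 bytes in total that equal the RUN CODE hex, and both branches landing where the text says. Change a single transcribed byte or branch offset and the corresponding flag flips, which is the point of running this before reading the code.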
 
Code: (code block not shown)

That's a Rom10 one from a while back. It's the one that checked if Reg07 worked properly or not (on most emulators, it doesn't). Think the Rom11 version was nearly identical, just different target addresses for the subroutines.
 
This is the one that started it all !

Code: (code block not shown)

It's also the most difficult to work out. It basically does a DES encrypt of the transmitted keyset using a part of the card's own Rom as the 8-byte key.
 
Here's a very simple one to play with that you've probably never seen before:

Code: (code block not shown)

As you can see, that's what's called a plain-vanilla keyroll. The update is done via the 42 nano rather than via executable code. This has never occurred in the UK.
 
Another one that I've just been given:

Code: (code block not shown)

That's one of the MAP ones. Seems to run a MAP function then check the result. If not the expected result then crash the card by a jump to $B4 (garbage), otherwise just increment a couple of bytes and complete the keyroll.
 
Hey all, sorry for the late reply. Just got back in.

nozzer, thanks for the ECM/EMMs. I got one question from the challenge and one which I thought up overnight.

1) In one of the posts, you said: "So, piece of code to compare bytes $00 to $26 excluding bytes $01 and $25 please !"

My query is: looking back through autoroll.asm, I can see the following keymask data:
.DB 0x3F,0x00,0x01,0xFA,0x3F,0x41,0xA6,0x02
.DB 0xCD,0x90,0xE3,0x3F,0x4D,0xA6,0x00,0xB7
.DB 0x4E,0xA6,0x0E,0xCD,0x90,0xE3,0xA6,0x00
.DB 0xB7,0x4E,0xA6,0x0E,0xCD,0x90,0xE3,0xA6
.DB 0x21,0xCC,0x6B,0x01,0x83,0x00,0x01,0x00
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
.DB 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

byte 0 is compared and byte 1 is not compared, BUT byte 25 IS compared.

Am I looking at the right place, or does the code below this do the checks?

2) An ECM/EMM looks like the following. If the ECM/EMM (correct me about this diff plz lol) contains rom10 code as well as a bytes dump, why do we have to code anything, since the ECM/EMM contains the bytes dump and the instructions to process that bytes dump?

Is it because we have to do processor-specific coding to allow our processor to translate the rom10 code and execute it?

Code: (code block not shown)
 
@despan,mastichick - I don't want to take any credit for any of the work nor do I want to take the credit for having an offline version of the thread. Edds worked hard at archiving that thread so it's only fair that you should ask him to give you the thread :)

Sorry if I'm being long about it; don't wanna ruffle any feathers.
 
I was following the challenge when it was originally posted and managed the Redneck6 fix. It does take a while to sink in, but it does make sense in the end.
 
@despan,mastichick - I don't want to take any credit for any of the work nor do I want to take the credit for having an offline version of the thread. Edds worked hard at archiving that thread so it's only fair that you should ask him to give you the thread :)

Sorry if I'm being long about it; don't wanna ruffle any feathers.

Hi

No probs, I'll drop Edds a PM. I've been trying to understand what you guys are on about; must admit I'm a little lost.

Thanks
 
2) An ECM/EMM looks like the following. If the ECM/EMM (correct me about this diff plz lol) contains rom10 code as well as a bytes dump, why do we have to code anything, since the ECM/EMM contains the bytes dump and the instructions to process that bytes dump?

Is it because we have to do processor-specific coding to allow our processor to translate the rom10 code and execute it?

The AtMega processor is a very different beast to the 6805/ST7-based processor within the Rom10/11, and the two speak completely different languages.

With the Fun/ATMega cards, the actions of the Rom10 code are reverse engineered by the programmer and then the relevant bits implemented as a hard-coded block. This method of coding requires that each new keyroll type has a new handler.

A neater but much more technically difficult solution would be a program called an emulator. This emulates the Rom10 hardware and software environment to effectively allow the actual Rom10/Rom11 EMMs to be run. For the Fun/ATMega cards this is difficult due to space requirements, but it's how things are done on the Titanium/OPOS-type cards.

Of course, many of the keyrolls now are deliberately designed to trap obscure handling differences within the emulators, which is why the Titanium/OPOS cards and other emulators also often require patches.
 
@despan,mastichick - I don't want to take any credit for any of the work nor do I want to take the credit for having an offline version of the thread. Edds worked hard at archiving that thread so it's only fair that you should ask him to give you the thread :)

Sorry if I'm being long about it; don't wanna ruffle any feathers.

There was little to no effort on my part archiving the thread. Really all credit is nozzer's. All I did was click and save, lol. :drink:
 
@windy1603 - thanks for that confidence boost, mate.
@mastichick - you got any idea yet? It's basically a thread where nozzer was teaching us how to make our own (crude) fix for Atmega AU.
@nozzer - Alright, I get it now. So we use emmstudio to decipher the rom10/11 code, which then allows us to write our own code which works the same as the rom10/11 code? No wait, that sounds the same as my earlier post. Hmm, let me try again. So our Atmega AU contains code which looks at EMMs and acts on bytes according to which EMM it finds? Does our code just do the same things that the rom10/11 code does? (In other words, the lda x and stuff that emmstudio decrypts, do we just copy those steps in our code?)
@edds - yes of course, but it was a very good idea to save it :)
 
I am having a go at this myself. Great work nozzer, and I wish you all good luck in the challenge.

Perhaps someone can advise me.
In the thread it says: open up "Redneck.asm" in your favourite text editor.
I got UltraEdit as advised by edds, many thanks m8,
but I do not get the same displayed as in the thread; mine comes up like a hex editor, not as it should be (if that sounds right).
How would I sort this, as I am a noob, and any advice would be great advice.
 
Never used UltraEdit but sounds like it's in hex edit mode. Dunno if there's an option to switch it to normal mode or whether it is actually a hex editor.

I just use notepad and/or wordpad for all my text editing needs.
 