Accepts rubbish registration details on their website, lol. :sneaky:
I'm doing the Atmega Challenge
- Thread starter DodgyTech
- Start date
Doesn't really matter as its free but if you want any device samples then a proper registration helps.
Some of the new XMega parts look really nice - Upto 256k of flash memory and 16k RAM with built in crypto engine for DES and AES (hmm wonder what you can use that for
) plus runs at upto 30Mhz from a 5Mhz box clock - thats 6 times faster than an ATMega !Ok
Now lets see if I am getting this right.
But if they change the method you get something like this
A great man once said
Now lets see if I am getting this right.
if they do a key roll only the bold & underlined change.
But if they change the method you get something like this
And this is why I have to write a new method to find the keys?
A great man once said
The Atmega Challenge Help Please
Now I have a few of examples to play
3F= filter any card.
5E 01= my provider.
F7 or FA or FB= type of rom.
bytes 5F to 6B 01 is the disassembly code?
bytes 00 00 00 00 83 to FA 79 are the dumped bytes?
Bytes in the dump are
00A3:00 00 00= dont know?? 5F 01= service provider/ 42 05= key 00
00AB:CE D7 2E 87 80 62 74 90 = keys.
00B3:42 85= key 01/ 62 FA 17 F3 CE 05=keys.
00BB:FA 79= keys.
Have I got that right??
Now i need to edit this
Now I have a few of examples to play
So The top 2 lines are no good to me.
Now I would like to break them down so I can understand what they do:
3F= filter any card.
5E 01= my provider.
F7 or FA or FB= type of rom.
bytes 5F to 6B 01 is the disassembly code?
bytes 00 00 00 00 83 to FA 79 are the dumped bytes?
Bytes in the dump are
breaking them down.
00A3:00 00 00= dont know?? 5F 01= service provider/ 42 05= key 00
00AB:CE D7 2E 87 80 62 74 90 = keys.
00B3:42 85= key 01/ 62 FA 17 F3 CE 05=keys.
00BB:FA 79= keys.
Have I got that right??
Now i need to edit this
In the above example byte 3=0xFA but on my lines it can be F7 FA or FB so should mine look like this
In the above I also changed a few more to match my lines does this look right?
Last edited:
Re: The Atmega Challenge Help Please
Part of the trick is to treat the dumped bytes as a seperate Emm. Once the code section of the Emm has completed its work (manipulating the actual key data) then it sets things up so that the card's Emm interpreter works on whats left.
so, with -
The Emm execution will be arranged so the Emm is interpreted from address $A6 (Thus the 00 00 00 are just irrelevant padding bytes) as can be seen from the following code.
If you take it that Emm execution starts at address $80, then the above is basically saying "i've executed the 1st $26 bytes so continue interpreting Emm Nano's from there" - ie $80 +$26 = $A6)
So, arranging things by Emm Nano code -
The 83 Nano tells the card that the rest of the Emm should be treated as if its for provider 5F01
the 42 Nano is the key update Nano. The next byte (05 or 85) describes which key is to be updated. 05=key0, 85=key1. The next 8 bytes are, of course, the key.
Note, in this explanation I have NOT taken into account the manipulations done by the initial code so the keys will NOT be correct.
The object of your ATMega code is to recognise the above nano's as being a keyroll AND to apply the manipulations of the initial code to this keyroll in order to get the real keys.
Part of the trick is to treat the dumped bytes as a seperate Emm. Once the code section of the Emm has completed its work (manipulating the actual key data) then it sets things up so that the card's Emm interpreter works on whats left.
so, with -
Code:
You don't have permission to view the code content. Log in or register now.The Emm execution will be arranged so the Emm is interpreted from address $A6 (Thus the 00 00 00 are just irrelevant padding bytes) as can be seen from the following code.
Code:
You don't have permission to view the code content. Log in or register now.If you take it that Emm execution starts at address $80, then the above is basically saying "i've executed the 1st $26 bytes so continue interpreting Emm Nano's from there" - ie $80 +$26 = $A6)
So, arranging things by Emm Nano code -
Code:
You don't have permission to view the code content. Log in or register now.The 83 Nano tells the card that the rest of the Emm should be treated as if its for provider 5F01
the 42 Nano is the key update Nano. The next byte (05 or 85) describes which key is to be updated. 05=key0, 85=key1. The next 8 bytes are, of course, the key.
Note, in this explanation I have NOT taken into account the manipulations done by the initial code so the keys will NOT be correct.
The object of your ATMega code is to recognise the above nano's as being a keyroll AND to apply the manipulations of the initial code to this keyroll in order to get the real keys.
Last edited:
Re: The Atmega Challenge Help Please
Just looking back I think my DBs is wrong.
Because I have edited it for both types of rom, me thinks I would have to write RCALL CHKKEYMASK for each type of ROM. Please correct me if wrong.
Just looking back I think my DBs is wrong.
Because I have edited it for both types of rom, me thinks I would have to write RCALL CHKKEYMASK for each type of ROM. Please correct me if wrong.
Spoted that only because I know what they should be. Is there something that explains what is going on in the "Disassembly Of Code" or do I not realy need to know?
Re: The Atmega Challenge Help Please
You stick with one type of Rom only. You will usually be building a card to simulate either a Rom10 or Rom11 but you'd rarely do both !
The NagraFaq document explains about most of the Emm Nano's but when it comes to pure code then its basically down to a copy of the Rom10/11 disassembly and sheer hard slog !
In order to get the real keys you really need to know a good bit about what the code section is doing. Without this information you would find it difficult to simulate the system to end up with the real keys.
You stick with one type of Rom only. You will usually be building a card to simulate either a Rom10 or Rom11 but you'd rarely do both !
The NagraFaq document explains about most of the Emm Nano's but when it comes to pure code then its basically down to a copy of the Rom10/11 disassembly and sheer hard slog !
In order to get the real keys you really need to know a good bit about what the code section is doing. Without this information you would find it difficult to simulate the system to end up with the real keys.
Re: The Atmega Challenge Help Please
Yes, thats the thing. There's a text only version and a pdf version. The pdf is much easier for navigating around.
Sorry, you dont get anything for nothing.
First place to start is with the assembler pneumonics for the processor on the Rom10/11 card. Its very similar to a device from Motorola called the 68HC05. If you have a look around you should be able to find a user manual for this processor (may be Freescale - think Motorola spun the micro branch off as a seperate company at some point). The manual should have a list of pneumonics, what they do and the corresponding hex opcodes.
Once you've got a basic idea of the instruction set then you can take a look at the Rom10 disassembly by Gesinas to see how the card actually does things. The listing is also an essential part of understanding what the keyroll code is doing as it may often call subroutines within the Rom code itself.
Unfortunately, there's no way to get around having to know the basic instruction set for both the Rom10 card and your target processor (the Fun/ATMega card)
Yes, thats the thing. There's a text only version and a pdf version. The pdf is much easier for navigating around.
Sorry, you dont get anything for nothing.
First place to start is with the assembler pneumonics for the processor on the Rom10/11 card. Its very similar to a device from Motorola called the 68HC05. If you have a look around you should be able to find a user manual for this processor (may be Freescale - think Motorola spun the micro branch off as a seperate company at some point). The manual should have a list of pneumonics, what they do and the corresponding hex opcodes.
Once you've got a basic idea of the instruction set then you can take a look at the Rom10 disassembly by Gesinas to see how the card actually does things. The listing is also an essential part of understanding what the keyroll code is doing as it may often call subroutines within the Rom code itself.
Unfortunately, there's no way to get around having to know the basic instruction set for both the Rom10 card and your target processor (the Fun/ATMega card)
Last edited:
Re: The Atmega Challenge Help Please
While I am away reading the National Library:sleep: When we had the hits in April & November i was looking at the emm dumps I have & the softcam.key file on the dreambox I have noticed that if you could get at least 3 different sets of keys like the 3 byte dumps below you could work out what the correct combo was eg
Now here comes the Noobie question would it not be easyer to just take the dumps and do a quick check on each byte & when you get 2 that match from diff byte dumps thats the correct byte. Then put them all together & you have your set of keys?:slaps: Before anybody Shoots me I have done it manual.
OK found this hope its the right one 68HC05 Memory Organization
While I am away reading the National Library:sleep: When we had the hits in April & November i was looking at the emm dumps I have & the softcam.key file on the dreambox I have noticed that if you could get at least 3 different sets of keys like the 3 byte dumps below you could work out what the correct combo was eg
Code:
You don't have permission to view the code content. Log in or register now.
Code:
You don't have permission to view the code content. Log in or register now.
Code:
You don't have permission to view the code content. Log in or register now.A better 68HC05 introduction would be one of the device manuals directly from Motorola/Freescale.
http://www.freescale.com/files/microcontrollers/doc/data_sheet/MC68HC05C8A.pdf?pspll=1
Is a pretty good one. The periperals etc aren't really whats on the smartcard but the core processor is very very smilar.
If you have a look from about Page 71 then you'll get an idea of the instructions and what they do. The Rom10 listing will likely start to make a bit more sense to you then.
Your idea for the keyrolls is ok for manual use where you dont particularly understand what the code is doing but its not really a good way for an emulator/simulator to do things. Part of the reason for that is you would have to find somewhere to store all the information you are going to aquire from multiple Emm's and storage in Funcards especially is tight. Another reason would be time taken. Funcards/ATMega's already miss 3/4 of Emm's due to their slow Emm decrypt speed (about 8 secs, whilst Emm's arrive approx once every 2 secs). It could take considerable time to aquire the correct 3 Emm's
http://www.freescale.com/files/microcontrollers/doc/data_sheet/MC68HC05C8A.pdf?pspll=1
Is a pretty good one. The periperals etc aren't really whats on the smartcard but the core processor is very very smilar.
If you have a look from about Page 71 then you'll get an idea of the instructions and what they do. The Rom10 listing will likely start to make a bit more sense to you then.
Your idea for the keyrolls is ok for manual use where you dont particularly understand what the code is doing but its not really a good way for an emulator/simulator to do things. Part of the reason for that is you would have to find somewhere to store all the information you are going to aquire from multiple Emm's and storage in Funcards especially is tight. Another reason would be time taken. Funcards/ATMega's already miss 3/4 of Emm's due to their slow Emm decrypt speed (about 8 secs, whilst Emm's arrive approx once every 2 secs). It could take considerable time to aquire the correct 3 Emm's
i,m doing it as well m80 fook me aint as easy as peeps think
You probably shouldn't try and get it all at once. You'll end up being very confused and not knowing what instruction is for which processor.
I'd advise you to start with the ATMega (Forget about card stuff initially). Download the AVRStudio package and start writing small test programs from scratch. Learn to use the tools and then learn what each processor instruction does (use the build in processor simulator). Once you've got the hang of that then your ready to look at the ATMega card programs and have a good idea of whats going on !
If you feel like really having a play then get yourself an ATMega test board (You can often find something suitable on ebay or you could just build one yourself). That way you can have the fun of watching LED's sequence or see things happen when you press a button etc. A board doesn't have to be complex - just enough to load your small test programs into and see them run.
A slightly more complex board might also link into AVRStudio in a fairly seamless way so you can program the chip from within the environment and possibly even single step your code etc via the jtag port.
Once you've had a play for a few weeks you'll soon get familiar with how things work. Then you can move onto the next stage !
Yes was starting to get a nose bleed
Like this one? AVR JTAG ICE AVRISP ISP Programmer Emulator4 ATMEL V2 on eBay, also Assemblies EM Devices, Electronic Components, Electrical Test Equipment, Business Industrial (end time 26-Mar-09 05:02:22 GMT)
Thats basically just a Jtag/programmer device although its nice that it interfaces into AVRStudio. For experimenting you would still need a target device.
The target can be very simple though. I'd recommend something like an ATMega16 or 32 device (you can get those in the easy to handle DIL package). Slap it on some veroboard with a crystal and a few connectors etc, maybe a few LED's and a switch or two and you have a perfect device to learn with.
If you wanted to use the same device as in an ATMega card then go for the Mega163 (think its jtag enabled - need to check) but its very simialr to the Mega16/32 range.
You can usually buy these processors on ebay fairly cheaply
