@nozzer - Alright, I get it now. So we use Emmstudio to decipher the ROM10/11 code, which then allows us to code our own code which works the same as the ROM10/11 code? No wait, that sounds the same as my earlier post. Hmm, let me try again. So our ATMega AU contains code which looks at Emms and acts on bytes according to which Emm it finds? Does our code just do the same things that the ROM10/11 code does? (In other words, the lda x and stuff that Emmstudio decrypts, do we just copy those steps in our code?)
Effectively, yes. The idea is to suss out what an Emm does (using Emmstudio to decrypt it and disassemble it into 6805/ST7 code) and then to implement the same functionality in Atmel code (very different to 6805/ST7 code).
For Fun/ATMega cards the AU function consists of 2 distinct parts: the Emm recogniser, which basically just scans the Emms and tries to recognise the new keyrolls whilst rejecting everything else, and the actual keyroll handler, which takes the recognised keyroll Emm and reconstructs actual new keys, then saves them away for use.