Info on card programming language

grooster

Hi, I was just wondering if anyone could point me towards the basics of the coding for card programming. I used to be able to program in 088, C++, Fortran and several others, but have not touched this in about 10 years. I was just wondering if I could help with trying to recode the cards.
 

davidh

Administrator
They are written in asm.
I have the idea for a fix, but the inteep needs to be redone.
 

davidh

Administrator
Here is a disassembly of the EMM that changed the key update method.
If you look at lines
009B:
009D:

DISASSEMBLY OF CODE:
------------------------------

0081: 4F clra ; a <-- 0
0082: C7 01 20 sta $0120 ; Store A in...
0085: C7 01 21 sta $0121 ; Store A in...
0088: C7 01 22 sta $0122 ; Store A in...
008B: A6 29 lda #$29 ; Load in A
008D: CD 90 E3 jsr $90E3 ; Go to subroutine NEVER COMES BACK !
0090: C6 01 20 lda $0120 ; Load in A
0093: CA 01 21 ora $0121 ; A= A or ...
0096: CA 01 22 ora $0122 ; A= A or ...
0099: 27 B4 beq $4F ; Branch if =
009B: 3C A9 inc $A9 ; +=1
009D: 3C B3 inc $B3 ; +=1
009F: A6 24 lda #$24 ; Load in A
00A1: CC 6B 01 jmp $6B01 ; Jump

BYTES DUMP:
---------------------
00A4: 83 5B 01 ''42'' 05 2B 74 94 HAS TO BE INCREMENTED
00AC: 5F 99 92 69 58 ''42'' 85 89 HAS TO BE INCREMENTED
00B4: 90 DD 46 CE 6C FB BC 00
00BC: 00


42 05 is key 0.

But if you look, the first byte is 1 out; it should have been 2C.
42 85 is key 18A.

If you can understand that.
 

nozzer

davidh said:
They are written in asm.
I have the idea for a fix, but the inteep needs to be redone.
It's actually going to require part of the program in the Flash to be rewritten rather than anything in the inteep. A new section of code to handle the new keyroll type will have to be added.

The real problem is the type of EMM. Whilst it's relatively easy to fix this particular keyroll, the next one might contain a decrement instead of an increment, or indeed any other of a whole host of different operations. And maybe the operation will be on the 2nd byte of each key, or the 3rd, etc.

Basically, the cable cos can change this EMM just as fast as the coders can fix the code, so it really boils down to the fact that, to all intents and purposes, the FunAU and ATMega are dead!

I suspect this is why there haven't been any fixes issued yet. The coders know that it's simply a waste of time.
 

davidh

Administrator
So what it needs then is an almost perfect emulation :(
Oh boy, do we wish, lol.
 

michael1

davidh said:
So what it needs then is an almost perfect emulation :(
Oh boy, do we wish, lol.

Don't worry, the Opus card has a 97% emulation of the card. You might get the same for the Tit2 card, but we will have to wait and see. Also remember that one of the people that wrote the code for the amegra has left the scene, as far as I know [. bt].


michael1
 

nozzer

michael1 said:
Don't worry, the Opus card has a 97% emulation of the card.
lol, that might be accurate regarding the Nagra commands, but I doubt it supports more than a small percentage of the possible EMMs. Remember that EMMs can actually contain code snippets, and these code snippets can pretty much do anything within the card. Couple this with the fact that there are still a lot of unknowns regarding Rom10/Rom11 cards and you end up with a very imperfect emulator.

The OPOS card survived this attack, but will it survive the next one? Let's hope so, but don't count on it!
 

michael1

nozzer said:
lol, that might be accurate regarding the Nagra commands, but I doubt it supports more than a small percentage of the possible EMMs. Remember that EMMs can actually contain code snippets, and these code snippets can pretty much do anything within the card. Couple this with the fact that there are still a lot of unknowns regarding Rom10/Rom11 cards and you end up with a very imperfect emulator.

The OPOS card survived this attack, but will it survive the next one? Let's hope so, but don't count on it!
That is true, but let's hope.

..lol

michael1
 