Info on card programming language

grooster (Inactive User)
Joined: Mar 29, 2005 | Messages: 246 | Reaction score: 1
Hi, I was just wondering if anyone could point me towards the basics of the coding for card programming. I used to be able to program in 088, C++, Fortran and several others but have not touched this in about 10 years. I was just wondering if I could help with trying to recode the cards.
 
they're written in asm
I have the idea for a fix but the inteep needs to be redone
 
here is a disassembly of the emm that changed the key update way
if you look at lines
009B:
009D:

DISASSEMBLY OF CODE:
------------------------------

0081: 4F clra ; a <-- 0
0082: C7 01 20 sta $0120 ; Store A in...
0085: C7 01 21 sta $0121 ; Store A in...
0088: C7 01 22 sta $0122 ; Store A in...
008B: A6 29 lda #$29 ; Load in A
008D: CD 90 E3 jsr $90E3 ; Go to subroutine NEVER COMES BACK !
0090: C6 01 20 lda $0120 ; Load in A
0093: CA 01 21 ora $0121 ; A= A or ...
0096: CA 01 22 ora $0122 ; A= A or ...
0099: 27 B4 beq $4F ; Branch if =
009B: 3C A9 inc $A9 ; +=1
009D: 3C B3 inc $B3 ; +=1
009F: A6 24 lda #$24 ; Load in A
00A1: CC 6B 01 jmp $6B01 ; Jump

BYTES DUMP:
---------------------
00A4: 83 5B 01 ''42'' 05 2B 74 94 HAS TO BE INCREMENTED
00AC: 5F 99 92 69 58 ''42'' 85 89 HAS TO BE INCREMENTED
00B4: 90 DD 46 CE 6C FB BC 00
00BC: 00


42 05 is key 0

but if you look, the first byte is 1 out; it should have been 2C
42 85 is key 18A

if you can understand that
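As an aid to reading the listing above, here is a small Python disassembler for the 68HC05 opcodes the listing uses. This is an added example, not code from davidh or from any card firmware; the opcode table covers only the nine opcodes that appear in the listing, and the bytes fed to it are copied from the listing itself. It reproduces the listing's addresses, bytes and mnemonics, including the signed-offset arithmetic that resolves 27 B4 at $0099 to beq $4F and shows why the next instruction after the final jmp sits at $00A4, where the bytes dump begins.

```python
"""Minimal 68HC05 disassembler for the opcodes in the posted listing (added example)."""
from typing import List, Tuple

# Opcode byte -> (mnemonic, addressing mode). Modes: 'inh' inherent (1 byte),
# 'imm' immediate (2), 'dir' direct page (2), 'rel' relative branch (2),
# 'ext' extended 16-bit address (3). Only the opcodes present in the listing
# are included; any other byte is reported as unknown rather than guessed at.
OPCODES = {
    0x4F: ("clra", "inh"),
    0xA6: ("lda", "imm"),
    0xC6: ("lda", "ext"),
    0xC7: ("sta", "ext"),
    0xCA: ("ora", "ext"),
    0xCD: ("jsr", "ext"),
    0xCC: ("jmp", "ext"),
    0x27: ("beq", "rel"),
    0x3C: ("inc", "dir"),
}
SIZES = {"inh": 1, "imm": 2, "dir": 2, "rel": 2, "ext": 3}

# Instruction bytes copied from the listing (addresses $0081..$00A3).
CODE = bytes.fromhex(
    "4F C70120 C70121 C70122 A629 CD90E3 C60120 CA0121 CA0122 27B4 3CA9 3CB3 A624 CC6B01"
)
BASE = 0x0081


def disassemble(code: bytes, base: int) -> List[Tuple[int, str, str]]:
    """Return one (address, hex bytes, 'mnemonic operand') tuple per instruction.

    Raises ValueError on an opcode outside the table or a truncated instruction,
    so a reader cannot mistake data bytes for decoded code.
    """
    rows = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"unknown opcode {op:02X} at ${base + pc:04X}")
        mnem, mode = OPCODES[op]
        size = SIZES[mode]
        raw = code[pc:pc + size]
        if len(raw) < size:
            raise ValueError(f"truncated instruction at ${base + pc:04X}")
        if mode == "inh":
            operand = ""
        elif mode == "imm":
            operand = f"#${raw[1]:02X}"
        elif mode == "dir":
            operand = f"${raw[1]:02X}"
        elif mode == "ext":
            operand = f"${raw[1]:02X}{raw[2]:02X}"
        else:
            # Relative branch: the offset is a signed 8-bit value added to the
            # address of the instruction that follows the branch.
            off = raw[1] - 0x100 if raw[1] & 0x80 else raw[1]
            target = (base + pc + size + off) & 0xFFFF
            operand = f"${target:02X}"
        hexbytes = " ".join(f"{b:02X}" for b in raw)
        rows.append((base + pc, hexbytes, f"{mnem} {operand}".rstrip()))
        pc += size
    return rows


def listing(code: bytes = CODE, base: int = BASE) -> List[str]:
    """Format the disassembly in the same 'ADDR: BYTES MNEMONIC' shape as the post."""
    return [f"{addr:04X}: {hexbytes:<9} {text}" for addr, hexbytes, text in disassemble(code, base)]


def end_address(code: bytes = CODE, base: int = BASE) -> int:
    """Address of the first byte after the last decoded instruction."""
    return base + len(code)


if __name__ == "__main__":
    for line in listing():
        print(line)
    print(f"next byte after code: ${end_address():04X}")
```

Running it prints the fourteen instructions from the post; the branch at $0099 resolves to $4F because $9B - $4C = $4F, and the byte following the jmp is $00A4, which is exactly where the bytes dump in the post starts.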
 
davidh said:
they're written in asm
I have the idea for a fix but the inteep needs to be redone

It's actually going to require part of the program in the Flash to be re-written rather than anything in the inteep. A new section of code to handle the new keyroll type will have to be added.

The real problem is the type of Emm. Whilst it's relatively easy to fix this particular keyroll, the next one might contain a decrement instead of an increment or, indeed, any other of a whole host of different operations. And maybe the operation will be on the 2nd byte of each key, or the 3rd, etc.

Basically, the cable co's can change this Emm just as fast as the coders can fix the code, so it really boils down to the fact that, to all intents and purposes, the FunAU and ATMega are dead!

I suspect this is why there haven't been any fixes issued yet. The coders know that it's simply a waste of time.
 
so what it needs then is an almost perfect emulation :(
oh boy do we wish lol
 
davidh said:
so what it needs then is an almost perfect emulation :(
oh boy do we wish lol


don't worry, the opus card has a 97% emulation of the card. You might get the same for the tit2 card but we will have to wait and see. Also remember that one of the people that wrote the code for the amegra has left the scene as far as I know [. bt].


michael1
 
michael1 said:
dont worry the opus card has a 97% emulation of the card

lol, that might be accurate regarding the Nagra commands but I doubt if it supports more than a small percentage of the possible Emms. Remember that Emms can actually contain code snippets and these code snippets can pretty much do anything within the card. Couple this with the fact that there are still a lot of unknowns regarding Rom10/Rom11 cards and you end up with a very imperfect emulator.

The OPOS card survived this attack but will it survive the next one? Let's hope so but don't count on it!
 
nozzer said:
lol, that might be accurate regarding the Nagra commands but I doubt if it supports more than a small percentage of the possible Emms. Remember that Emms can actually contain code snippets and these code snippets can pretty much do anything within the card. Couple this with the fact that there are still a lot of unknowns regarding Rom10/Rom11 cards and you end up with a very imperfect emulator.

The OPOS card survived this attack but will it survive the next one? Let's hope so but don't count on it!

that is true but let's hope

..lol

michael1