keyroll emm and the fix (code it ur self)

fes_786

ok guyz not my work

credit goes to dstream from wizardmodz


Key roll ecm and the fix go do it its simple

--------------------------------------------------------------------------------

DECRYPTED EMM:
--------------------------------------------------------
SIGNATURE: OK!

3F -> Filter: ANY CARD
5401 PROVIDER ID (NTL)
FA -> RUN CODE FOR ROM10:
5FA679B741A6022D 079BCD20209A2003 CD20209FB8B1B7B1 9FB8B6B7B6A626CC
6B01000000835501 420562BD220AC686 E593428580D4D1D3 8090FF2B
DISASSEMBLY OF CODE:
------------------------------
0081: 5F clrx ; x <-- 0
0082: A6 79 lda #$79 ; Load in A
0084: B7 41 sta TEMPA ; Store A in...
0086: A6 02 lda #$02 ; Load in A
0088: 2D 07 bms $91 ; Branch if mask=1
008A: 9B sei ; I <-- 1
008B: CD 20 20 jsr $2020 ; Go to subroutine
008E: 9A cli ; I <-- 0
008F: 20 03 bra $94 ; Branch always
0091: CD 20 20 jsr $2020 ; Go to subroutine
0094: 9F txa ; X --> A
0095: B8 B1 eor $B1 ; A= A xor ...
0097: B7 B1 sta $B1 ; Store A in...
0099: 9F txa ; X --> A
009A: B8 B6 eor $B6 ; A= A xor ...
009C: B7 B6 sta $B6 ; Store A in...
009E: A6 26 lda #$26 ; Load in A
00A0: CC 6B 01 jmp $6B01 ; Jump
BYTES DUMP:
---------------------
00A3: 00 00 00 83 55 01 42 05
00AB: 62 BD 22 0A C6 86 E5 93
00B3: 42 85 80 D4 D1 D3 80 90
00BB: FF 2B

current keys are in the file for all to see if you're stuck. This is the current streams new key update

00A3: 00 00 00 83 55 01 42 05
00AB: 62 BD 22 0A C6 86 E5 93 <<<< b1 key altered e5 to 9c for all those what xors e5 to 9c use windows calc
00B3: 42 85 80 D4 D1 D3 80 90 <<<< b6 is altered from d4 to ad and stored back to the memory
00BB: FF 2B
current keys are in the file for all to see if you're stuck. This is the current streams new key update


if you want it handed to you on a plate the file is doing a xor on byte b1 thats the e5 bit of the key
9F txa ; X --> A
0095: B8 B1 eor $B1 ; A= A xor ... key is e5 now 9c
0097: B7 B1 sta $B1 ; Store A in...
0099: 9F txa ; X --> A
009A: B8 B6 eor $B6 ; A= A xor ... load byte from b6 key is d4 now ad
009C: B7 B6 sta $B6
if you want it any simpler

its taking memory location b1 in the decrypted key xoring it with 79 storing it back in and copying it down

then it's getting byte b6, xoring it with 79 hex and restoring it



0094: 9F txa ; X --> A ld a with#79
0095: B8 B1 eor $B1 ; A= A xor ... xor location b1 with a i.e #79
0097: B7 B1 sta $B1 ; Store A in... its turned e5 to 9c
0099: 9F txa ; X --> A ld a with 79
009A: B8 B6 eor $B6 ; A= A xor ... xor location b6 with a #79
009C: B7 B6 sta $B6 ; Store A in... its turned d4 to ad
009E: A6 26 lda #$26 ; Load in A store key all updated
00A0: CC 6B 01 jmp $6B01 ; Jump


go write the code its a piss easy one
 
Re: keyroll ecm and the fix (code it ur self)

Thanks,

Now that's a start
 
Re: keyroll ecm and the fix (code it ur self)


Top man fes, will give it a go, cheers for the help
 
Re: keyroll ecm and the fix (code it ur self)

dont thank me

credit goes to dstream from wizardmodz
 
Re: keyroll ecm and the fix (code it ur self)

wish i still lived in a cable area, could have done with something to do, but if they plan on changing everyday this will have to be done every day with the diff location they will change
 
Re: keyroll ecm and the fix (code it ur self)

Yep quite an easy one to fix this one m8. The correct value for X is at $83
 
Re: keyroll ecm and the fix (code it ur self)


piss easy if you know how if you don't then its not m8.
i am glad you posted the "code" though as there are lots of peeps on here who can do it and hopefully will soon
not getting at you m8 or this post but it seems to be when things like this happen (all boxes being hit) there are loads of posts on here from people gloating and laughing that people will be on the site asking for fixes and so on,
well sorry that is what a lot of people use this site for or what they used it for when they initially joined so that they were not paying traders money to do cards and yes i can prog a card now and have helped others after i got to know how to do mine, but i do not have a clue how to write code, plenty of the people who do not know how to do this contribute in other ways and also donate financially to the site and do not need flamed every time a major hit comes along

again fes m8 nothing to do with your post i had just been reading thru a load of previous posts in the cable section and was replying to your original post and got carried away.....should probably have posted in the rant room...lol..
 
Re: keyroll ecm and the fix (code it ur self)

wish I knew how to do all this coding stuff, writing cards is the easy bit, but coding is in a different league altogether. I wonder if there's a tut somewhere on this?
 
Re: keyroll ecm and the fix (code it ur self)

Well I'm willing to learn, but would like to learn how to code the fixes for the dreambox, is it similar?
 
Re: keyroll ecm and the fix (code it ur self)

Totally agree mate.
 
Re: keyroll ecm and the fix (code it ur self)

I rolled in from the pub, opened the logs I'd made from me m8s house earlier, worked out the xor value matched the initial lda command in each EMM (there are two...), coded a workaround, tested it with various mates and posted the opos fix...
All of that with a good few large gins in me belly :)

Surely u guyz can do this sober :D

Especially as some kind soul posted an EMM while I was out enjoying myself :glug: lol


ECM - either 'Electronic Counter Measure' or 'Entitlement Control Message'
(depends on the context used)
 
Re: keyroll ecm and the fix (code it ur self)

Sorry for being a noob guys but what is ecm? :licka:

Could be several things but in cable context -

ECM = Entitlement control message
EMM = Entitlement management message.

ECMs handle the minute to minute decryption of the actual picture whilst EMMs update your card with permissions to decrypt the ECMs for the various channels (as well as other things).
 
Re: keyroll ecm and the fix (code it ur self)

Ok cool thanks lol

You guys are quick with the replies here aint ya lol

Will this codey thingy here work on my ntl fun card? or is this something completely different...

sorry for being such a noob :D

Also if any of you know about fun card writing can you look at my thread please
 
Re: keyroll ecm and the fix (code it ur self)

I'm not being foolish enough to ask how to do it entirely, as I'd like to have some sort of grasp on how to do this myself. Could you (or anyone else, really) give us any pointers on where we should start? I'm browsing the chaos sources and have come across some of the EMM handling routines, but I'm not sure on which I should be looking at first.

At a guess I'm thinking perhaps I should be looking the routine referenced at "Command 00: Global EMM ; 3f8", but I'm not entirely sure where to go from there. As I said, I only need some pointers, I've messed about with debugging ASM before.
 