keyroll emm and the fix (code it ur self)

People are running vplug on Linux machines, so I would have thought it could be ported in some way to the dbox, but my knowledge of Linux is very limited.
I've tried to find out more about newcamd, but whilst the dish people are using it and upgrading, I'm not sure where we stand with having access to the source code. Maybe they are patching ROMs also?

Wiggs, I have patched the other two ROMs successfully (7 and 10). I might try rom11 by patching directly over the old April patch, or very near it, and just bypassing the April patch. I don't think we need it.

Can we use rom3 on the dbox? I can't find a ROM anywhere... might be something to take a look at.

thanks guys.
 
The problem for VM is that if they intend to continue adjusting bytes in the EMM bytes dump (the keys) they only have limited math available...

You only need to know the difference between the given byte and the actual byte, as created on a ROM card, to work out some code to replace the long-winded math in order to create the final (correct) byte.

They can xor, add, subtract, LSL/LSR, etc etc, but you can always work out what's happening and write a routine to counter it...

Nagra1 is dead, it's been dead for years. You can't polish a turd, no matter what math you use ;)

EDIT:
& another thing....

Your patch should test MULTIPLE locations for #$42 (key update command) before jumping back to the original code...
Once you have #$42 at one of the known addresses, assume it's a key update and run the 2 or 3 patches before jumping back to the original code..

Jumping all over the place is pointless and increases your chances of rogue return statements...
 
They can xor, add, subtract, LSL/LSR, etc etc, but you can always work out what's happening and write a routine to counter it...

The point is a real ROM card has all sorts of maths routines in the map that could be used to manipulate the keys in a way that would be very difficult to mimic. There are cryptographic functions that could work on the entire block of data and not individual bytes.
I think you would struggle greatly to patch a bin if they ever chose to do it this way.
 
I just patched an r11. And now I'm getting two keys in each keyset wrong... lol.

At least I'm getting keys returned this time. My last patch resulted in total crap.
 
I just patched an r11. And now I'm getting two keys in each keyset wrong... lol.

At least I'm getting keys returned this time. My last patch resulted in total crap.

I suspect you may need the April and November patches.
 
The point is a real ROM card has all sorts of maths routines in the map that could be used to manipulate the keys in a way that would be very difficult to mimic. There are cryptographic functions that could work on the entire block of data and not individual bytes.
I think you would struggle greatly to patch a bin if they ever chose to do it this way.

Makes you question VM's commitment to piracy doesn't it :)

All I'm saying is, over the years, Nagra1 has provoked views on these undumped routines, yet never delivered.

Trust me, I'd be the first to welcome such a move. My private OPOS s/w doesn't use a patched ROM image at all, as its routines have been updated to better emulate a ROM card.

I must admit, these updates are assumptions on my part based on the behaviour of a real card, but that's all we've got to work with..

Should a key update seem to have no reverse engineerable path, then yes, the problem would be far greater to overcome. Do I think Kudelski will employ such an EMM on cable...?
I hope so :)
 
People are running vplug on Linux machines, so I would have thought it could be ported in some way to the dbox, but my knowledge of Linux is very limited.
I've tried to find out more about newcamd, but whilst the dish people are using it and upgrading, I'm not sure where we stand with having access to the source code. Maybe they are patching ROMs also?

One of the Linux cams on MythTv is called sasc-ng; the source is freely available. I made an attempt to port this for the dbox in April. I got it compiled and running, but had trouble getting it to use the DVB devices on the dbox. I hit a brick wall and then left it over the months.

The reason I made the attempt was that sasc still worked in April; it was not knocked out by the change in April, and no ROM patch was required. The interesting thing this time was that it WAS knocked out by the latest change. The patched ROMs from here resolved the problem for sasc and MythTv.

I know that vplug also needed a patch this time around.

It probably is a good idea to figure out and resolve the flaws in the cam, but it still leaves us a bit stuffed for dboxes as we do not have the source for the cams. I have some very old source for mgcamd and was trying to modify it to incorporate the Nagra routines from sasc. Sadly, this again got left, but was interesting while it lasted!

I know there are some cards that were not knocked out in April and were not knocked out this time. Should we be checking these and seeing if we can turn these into ROMs? Or is it the cams that are at fault?

abaddon
 
Well, in my opinion it's the cams that are flawed... however, as has been pointed out, we have nothing to worry about at present if the keychange EMMs stay so simple to amend by patching the ROMs.

We could put in a lot of effort to port another more updated cam only to find ourselves patching roms again at a later date.

I don't know why VM don't do a keyroll EMM change like two times a day.
I see now the patches are fairly simple to do, but who would bother to patch a ROM twice a day, even if you could do it quickly? And any VM guy reading the forums would now see that most or all of our cams/emus can't handle the last JSR 2020 or math call: $02.

It seems baffling that even though we have a totally hacked system...it could still be formidable if they wanted it to be so.
 
Well, in my opinion it's the cams that are flawed... however, as has been pointed out, we have nothing to worry about at present if the keychange EMMs stay so simple to amend by patching the ROMs.

We could put in a lot of effort to port another more updated cam only to find ourselves patching roms again at a later date.

I don't know why VM don't do a keyroll EMM change like two times a day.
I see now the patches are fairly simple to do, but who would bother to patch a ROM twice a day, even if you could do it quickly? And any VM guy reading the forums would now see that most or all of our cams/emus can't handle the last JSR 2020 or math call: $02.

It seems baffling that even though we have a totally hacked system...it could still be formidable if they wanted it to be so.

What percentage of people who use a dbox also pay a basic subscription? I know I do; I wonder if that is most people? If the dbox stopped working for me, I would probably go to Sky. Maybe VM are happy to live with the dbox people who also pay a base subscription. It's those that only use a dbox (or other box) and pay nothing that they are most worried about.

abaddon
 
Has anyone else's rom11 gone down?
My rom10 (and I assume rom7, as nobody else on the forums is complaining) is OK.

My rom11 log looks like this..

DISASSEMBLY OF CODE:
------------------------------

0081: FB add $X ; Add value to A (indexed, no offset)
0082: 5F clrx ; Clear X (X = 0)
0083: AE 41 ldx #$41 ; Load value into X (immediate)
0085: 20 0E bra $95 ; Branch always
0087: A6 02 lda #$02 ; Load value into A (immediate)
0089: 2D 07 bms $92 ; Branch if Interrupt Mask is Set
008B: 9B sei ; Set Interrupts (I=0)
008C: CD 20 20 jsr $2020 ; Jump to subroutine (extended)
008F: 9A cli ; Clear Interrupts (I=0)
0090: 20 03 bra $95 ; Branch always
0092: CD 20 20 jsr $2020 ; Jump to subroutine (extended)
0095: 9F txa ; Transfer X --> A
0096: B8 B1 eor $B1 ; Exclusive OR value with A (direct)
0098: B7 B1 sta $B1 ; Store A in value (direct)
009A: 9F txa ; Transfer X --> A
009B: B8 B8 eor $B8 ; Exclusive OR value with A (direct)
009D: B7 B8 sta $B8 ; Store A in value (direct)
009F: A6 26 lda #$26 ; Load value into A (immediate)
00A1: CC 58 F5 jmp FILTEROK ; Continue processing EMM commands in $80+A


BYTES DUMP:
---------------------
00A4: 00 00 00 83 5D 01 42 05
00AC: D8 53 39 BD 3D CA C7 C1
00B4: 42 85 27 77 A1 BD 8F 9D
00BC: 34 76 9D 34 76 00 00 00
00C4: 00 00 00 00 00 00 00 00
00CC: 00 00 00 00 00 00 00 00
00D4: 00 00 00 00 00 00 00 00
00DC: 00 00 00 00 00
 
My rom11 may look a tad different to others, as I've messed with it myself, but it has been working since the last hit.

I think I just moved the modded code to a slightly different location but the code itself was the same.
 
That is how the code should look after the patch. It also runs the code fine, by the looks of the altered EMM.
 