keyroll emm and the fix (code it ur self)

Re: keyroll ecm and the fix (code it ur self)

I personally would love to be able to read and understand the codes and stuff. After this hit thing is all over and done with, maybe the fellas who know this stuff could do a bit of a tutorial on how they do flash files. I think there would be a lot of students on here who would be really grateful.

ATB, Rigsby.
 
Re: keyroll ecm and the fix (code it ur self)

I personally would love to be able to read and understand the codes and stuff. After this hit thing is all over and done with, maybe the fellas who know this stuff could do a bit of a tutorial on how they do flash files. I think there would be a lot of students on here who would be really grateful.

ATB, Rigsby.

i agree
i have some time on my hands and would love to try....
 
Re: keyroll ecm and the fix (code it ur self)

Looks like we will have to tempt one of the boffins to teach us djmagic......though I could understand their reluctance to do it. I wouldn't fancy trying to teach me how to write a flash image.....me missus says she pities the fella who tries to attempt to teach me anything!!
 
Re: keyroll ecm and the fix (code it ur self)

As far as I can tell, it'll be two lines added/changed in prune.asm, which will be XORing (eor) values stored in a couple of the rX registers. Then you compile, with your two provider lines commented out too (set to ex-c&w by default).

It's more about knowing your way around the source for a fix like this, I'd think... and being able to decipher the EMM, but there are tools around to do that already.
 
Re: keyroll ecm and the fix (code it ur self)

wow that seems like a good start i will research a little more
thanks
 
Re: keyroll ecm and the fix (code it ur self)

Erm.....thanks for that slain....I'm already struggling..lol....I'm thinking I need to refer to the first post in this thread, as a starting point?

ATB Rigsby.
 
Re: keyroll ecm and the fix (code it ur self)

Yep, the EMM has already been decoded in the original post. In effect it's all about changing code in a routine to handle that EMM. The current handler nearly does it right, just doesn't XOR those two bytes that fez_786's post pointed out. Add/modify two lines to perform those XORS on the correct registers, and it should be fine. I think?

Bear in mind I'm not entirely sure myself, and could do with some clarification as well. :)
 
Re: keyroll ecm and the fix (code it ur self)

Cheers slain thanks for replying....and at least trying to teach a fool like me. I will try later to understand what you have told me.

Thanks again,
Rigsby.
 
Re: keyroll ecm and the fix (code it ur self)

You're getting there.

At $94 it's loading the value of X into A.
At $95 it's xoring A against the value at $B1

The problem is that the value of X is not what it is meant to be.

At $82, the correct value - #$79 is loaded into A. Somewhere in the following subroutines this value should be transferred to X. This is where the emu breaks down.

So when you get to $94, the value of X is not #$79 as it should be. Therefore the result of the xor is incorrect and so is the resulting key.

The fix - load X with the correct value (found at $83) before the xoring occurs and the correct key will be produced
 
Re: keyroll ecm and the fix (code it ur self)

Where do we add the new instructions is it in the prune.asm of the chaos source code?
 
Re: keyroll ecm and the fix (code it ur self)

Can someone please just talk about how this relates back to the dbox please?

Thanks
 
Re: keyroll ecm and the fix (code it ur self)

You're getting there.

At $94 it's loading the value of X into A.
At $95 it's xoring A against the value at $B1

The problem is that the value of X is not what it is meant to be.

At $82, the correct value - #$79 is loaded into A. Somewhere in the following subroutines this value should be transferred to X. This is where the emu breaks down.

So when you get to $94, the value of X is not #$79 as it should be. Therefore the result of the xor is incorrect and so is the resulting key.

The fix - load X with the correct value (found at $83) before the xoring occurs and the correct key will be produced

I can follow all of this, but the problem I have is knowing what tools to use to turn this into the appropriate ROM file - or even to edit a ROM file. Can you give me some pointers as to tools I should be using to do this?

Thanks.

abaddon
 
Re: keyroll ecm and the fix (code it ur self)

Can someone please just talk about how this relates back to the dbox please?

Thanks

My understanding is that this is contained in one or more ROM files that you find on your dbox. These ROM files contain the instructions, the trick is figuring out what edits need to be made to the instructions, but before that, figuring out how to edit the ROM file in the first place.

abaddon
 
Re: keyroll ecm and the fix (code it ur self)

am i right in thinking the code in the first page is assembly?
 
Re: keyroll ecm and the fix (code it ur self)

Hi abaddon,

Yes your post following mine is exactly what I am asking. I know it is coming out wrong and I think I know why (with some help), but I have no idea what to do with this information :p

How do we know where this code is to edit or patch the rom files?
 
Re: keyroll ecm and the fix (code it ur self)

All I use is notepad and a hex editor.

To fix you need to find the point in the code where the emm has been loaded into the buffer but has not been processed.

You then jump out of that code to your patch. The patch will modify the data in the buffer so the correct key is produced.

Then jump back to the original code.
 
Re: keyroll ecm and the fix (code it ur self)

hope you clever guys can patch the roms soon, fingers crossed, us dreambox guys bow down to you!
 
Re: keyroll ecm and the fix (code it ur self)

Hi cydine_,

when you say

To fix you need to find the point in the code where the emm has been loaded into the buffer but has not been processed.

You then jump out of that code to your patch. The patch will modify the data in the buffer so the correct key is produced.

Then jump back to the original code.

The code is the nagrarom7.bin file I take it?

How do I get this to load and compile somewhere to tell when the emm has been loaded into the buffer but not been processed yet?

My problem is I can't see the code or know where it is to be able to fix it.

Thanks
 
Re: keyroll ecm and the fix (code it ur self)

When I load nagrarom7.bin into a hex editor I get a lot of rubbish on the right, I guess it is not decoding right?

Which step am I missing.
 
Re: keyroll ecm and the fix (code it ur self)

Look for a disassembled rom 7 listing. I will up one somewhere if you can't find it.

Try looking for "nagra coding package"
 