keyroll emm and the fix (code it ur self)

Re: keyroll ecm and the fix (code it ur self)

The one place where I found nagra coding package isn't hosting it: "FILE TO FOLLOW UPLOAD ERROR"

So frustrating, I will carry on looking but if you post it I wouldn't complain :)

Thanks for your help
 
Re: keyroll ecm and the fix (code it ur self)

Assuming I find the nagra coding package, how do I figure out where in the hex the ecm handler is? This is where I got stuck last time ... I know I need to jump to a patch I create in some free space before jumping back to the ECM code, but where to jump from!?
 
Re: keyroll ecm and the fix (code it ur self)

lucky you mate that u in the know how. it is a pis innit? well guess what nt every1 is a genius sometimes a simple 123 will just do.

u cant talk 4 sh*t ur a newbie

and funny how u just signed up when the cards went down

and no im not in the know how

im trying my best to learn!
 
Re: keyroll ecm and the fix (code it ur self)

Assuming I find the nagra coding package

Good point actually, I did hear something about a nice set of tools being packaged and made available for such things a while ago.
 
Re: keyroll ecm and the fix (code it ur self)

would this apply to sorting the rom fix for a dreambox?
 
Re: keyroll ecm and the fix (code it ur self)

Thanks cydine.

2 Quick questions - what tool do you use to disassemble the .bin ROM file, and do you have the disassembled code that has already been patched for the 'bug' earlier this year?

Your package has pre-disassembled ROMs but they date back a few years.

Thanks.
 
Re: keyroll ecm and the fix (code it ur self)

Well the first step is to understand what the keyroll is doing and how to fix it to work properly.

The idea is to patch the buffer so the correct keys are returned.

There is a copy of a decrypted emm in this thread.
Alter that emm so it gives the required result ie how you want it to look after the patch.

Once that is done then we can start discussing how to actually create the patch.
 
Re: keyroll ecm and the fix (code it ur self)

Well the first step is to understand what the keyroll is doing and how to fix it to work properly.

The idea is to patch the buffer so the correct keys are returned.

There is a copy of a decrypted emm in this thread.
Alter that emm so it gives the required result ie how you want it to look after the patch.

Once that is done then we can start discussing how to actually create the patch.

OK, that part I know. In English this is what is happening:

Store the value $79 into register A
Stash the contents of A into memory location $41.
Then load a 'fake' value of 02 into A

Now comes the 'hit' - the emulator cannot properly handle the interrupt bit set and jump etc, which must copy the contents of $41 into register X somehow.

Then the value of X is copied into A, which is XOR'd with a byte of the key to produce the real key. This is done twice to fix each key.

Now, I think the trick here, is to bypass all that interrupt set code etc, and get the value we require into X somehow or modify the key in the patch, so a patch basically has to:

begin
before jumping to execute the emm jmp to patch code
set X to contain the contents of $83 in patch
execute the same instructions to carry out the XORs
jmp to $6B01 (which is where the EMM should jump to on completion)
jmp to $94 (which is where the key is updated if X is correct)
end

Am I correct?

The problem I have is, I can see in my mind how this works, but I have no idea:

1. How to find the place I need to insert the patch into the ROM code
2. How to locate the place the EMM gets called from, and how to place a hook there into the patch
 
Re: keyroll ecm and the fix (code it ur self)

Within grape.asm do a search for the label

_940:

The keyroll change code should be in the next block of code, this is the code that needs to change.
 
Re: keyroll ecm and the fix (code it ur self)

Within grape.asm do a search for the label

_940:

The keyroll change code should be in the next block of code, this is the code that needs to change.

Where does grape.asm come from - I don't think I have it anywhere!
 
Re: keyroll ecm and the fix (code it ur self)

OK, that part I know. In English this is what is happening:

Store the value $79 into register A
Stash the contents of A into memory location $41.
Then load a 'fake' value of 02 into A

Now comes the 'hit' - the emulator cannot properly handle the interrupt bit set and jump etc, which must copy the contents of $41 into register X somehow.

Then the value of X is copied into A, which is XOR'd with a byte of the key to produce the real key. This is done twice to fix each key.

Now, I think the trick here, is to bypass all that interrupt set code etc, and get the value we require into X somehow or modify the key in the patch, so a patch basically has to:

begin
before jumping to execute the emm jmp to patch code
set X to contain the contents of $83 in patch
execute the same instructions to carry out the XORs
jmp to $6B01 (which is where the EMM should jump to on completion)
jmp to $94 (which is where the key is updated if X is correct)
end

Am I correct?

The problem I have is, I can see in my mind how this works, but I have no idea:

1. How to find the place I need to insert the patch into the ROM code
2. How to locate the place the EMM gets called from, and how to place a hook there into the patch

This is exactly the part I was stuck on back in april.

Let's work with the rom 10 code. I am working with rom images for dbox etc but this is relevant to the opos etc as well.

1. There's not really space to insert a patch anywhere so just overwrite some stuff that is not relevant to an emulated card - I use a section referencing the backdoor key. This stuff is not required for softcams.

2. Open the rom10 disassembled listing in your text editor and look for the call to jump to the emm buffer - hint look for a BD 81 jsr EMMBUFF01.
Patch the call before this - CD XX XX to jump to your patch.
 
Re: keyroll ecm and the fix (code it ur self)

Where does grape.asm come from - I don't think I have it anywhere!

Grape is the source code for the fun au, may be called a diff name by others but I've always known it as Grape, similarly Redneck is the source code for the atmega au.
 
Re: keyroll ecm and the fix (code it ur self)

This is exactly the part I was stuck on back in april.

Let's work with the rom 10 code. I am working with rom images for dbox etc but this is relevant to the opos etc as well.

1. There's not really space to insert a patch anywhere so just overwrite some stuff that is not relevant to an emulated card - I use a section referencing the backdoor key. This stuff is not required for softcams.

2. Open the rom10 disassembled listing in your text editor and look for the call to jump to the emm buffer - hint look for a BD 81 jsr EMMBUFF01.
Patch the call before this - CD XX XX to jump to your patch.

So I am guessing that the byte numbers in the ROM 10 disassembly will correspond directly to the ROM 10 image I have on the Dbox if I open it in a hex editor.

Basically I need to write the code to load the correct value into X and then jump to the middle of the EMM - and carefully edit that in using a Hex editor.

One more question - are there any checksums etc on the ROM10.bin that will get screwed up if I change things?
 
Re: keyroll ecm and the fix (code it ur self)

rom image starts at 4000 so in a hex editor the correct location will be -4000

no checksums
 