keyroll emm and the fix (code it ur self)

Donnie, the location, not the value, of $83 contains the EMM XOR byte. Is that what you're confusing it over?

I can see you all fixing this then begging for a new key roll EMM lol



I'm confused full stop, gonna re-visit the thread from the start and pick this back up later. Seem to have lost my way at the point of editing the bin file.
 

I'm struggling a bit with the editing too. Correct me if I'm wrong, but I think you patch the ROM file with a hex editor with the values that apply the fix to the EMM buffer. So from below the fix we get

C6 00 81 lda $81 ; Load in A
A1 5F cmp #$5F ; Compare with A
26 0C bne #$0C ; Branch if <>
A6 AE lda #$AE ; Load in A
B7 82 sta $82 ; Store A in...
A6 20 lda #$20 ; Load in A
B7 84 sta $84 ; Store A in...
A6 0E lda #$0E ; Load in A
B7 85 sta $85 ; Store A in...
84 pop a ; Stack -> A
CD 51 DF jsr $51DF ; Go to subroutine
81 rts ; Return from subroutine

So we change at $5363 the bytes to

C60081A15F260CA6AEB782A620B784A60EB78584

at the location in the ROM 10 file. Hope I'm getting close.
Haven't done much assembly myself. It was donkey's years ago with a Z80 for college.
 
By the way, I found out how to capture EMMs from Dbox2.
I was doing it the long way (MLog, nagemmex, emmstudio), no-one helped me :(

Easy way for those who don't know:

Modify camd_cfg and set :

# 00 disabled
# 01 enabled
L: { 01 }192.168.1.11 10000

Note: put your own ip there.

and use UDPLog 1.9 on the computer you want to capture packets on.

Another way is to use telnet. Kill the evocamd processes and run it manually by typing "evocamd".
Though I prefer the first method as it gives me only the decrypted EMMs and less noise.

Thanks for this m8.... I've been having to switch boxes to log the stream... I'll give this a go... I've been looking for a way to log the stream with the dbox.
 
This is how I patched Rom11

Firstly I found the location in the ROM by searching for "jsr EMMBUFF01" in "Rom 11 Disasm.lst" from the Nagra code packaging. The location I found it at was 62E7. Three lines above this, at 62E0, was CD621B (jump to subroutine at 621B).

I opened nagrarom11.bin using UltraEdit and located 62E0 (22E0, due to the 4000 offset); the actual contents were CD 883E. I assume 883E is the location of the April patch. I located the patch at 883E and thought I would use the area after it at 885D (485D due to the offset) for the patch.

The patch, as written by cydine

Code:

I changed the go-to addresses to jump to the April patch at 883E and came up with:

Code:

I then entered it starting from address 885D.

I then changed CD883E at 62E0 to go to the new patch by changing it to CD885D.

Hope this helps some more people understand a little better.

I would not have been able to do any of this without Cydine's code and his brilliance. The next step for me would be how to read the EMM and determine how to write the code to patch it.
 
I also had to set this, it was on 00...

# EMM messages
# 00 don't show any EMM's
# 01 show only valid EMM's, default setting
# 02 show valid and bad EMM's with complete data display
M: { 01 }
 
Think you're there, had a few PMs with xxxkmxxx this morning, can't try at the mo till later.

The encouragement and help on this thread has been tremendous, I've taken plenty from the scene and am attempting to put some back.
I suspect I have plenty more reading to do but so far I can't thank everyone involved in this thread enough :Cheers:
 
If you're patching ROM code and testing for EMMs, instead of jumping all over the place, you'd find it much easier if you simply jump from the original code to your patch, then:

pusha (88)
Test for EMM1 or branch to next check
Fix EMM1
Test for EMM2 or branch to next check
Fix EMM2
Test for EMM3 or branch to next check
Fix EMM3
Test for EMM4 or branch to next check
Fix EMM4
popa (84)
jump back to original code (CD 7427)
rts (81)
 
It would be neater that way, I'll change the nagrarom11 later to check them sequentially. I think it'll be easy enough.
 
Can I ask what's the difference between this ROM and rom7? Why do people tell us to remove rom10 & 11 and only leave rom7?
 
Only because initially it was only rom7 that was patched, and you only need one working ROM anyway.

You could just use a working rom10 instead and delete the others, or use all three working ROMs if you like.
 
Well done Donnie Darko for getting it done.
This thread has helped a few people understand this stuff better with each other's help and a lot of help from cydine.
 
It's still helping ;)

Netcat on a Linux machine will also allow you to see what the camd_cfg allows you to send to UDP:

nc -u -l 10000

Anybody any thoughts on why you'd get the ROM11 error below? Oh & where did you get the copy of UDPLog from?

3f filter
NAGRA NANO F7
[emu6805] ROM 7 EEPROM read, count 4096
[emu6805] ROM 7 RAM read, count 1024
[emu6805] opcodes: 1962
3f filter
NAGRA NANO FA
[emu6805] ROM 10 EEPROM read, count 8192
[emu6805] ROM 10 RAM read, count 1024
[emu6805] opcodes: 785
3f filter
NAGRA NANO FB
[emu6805] ROM 11 EEPROM read FAILED!
ROM11 key try
RSA Nagra ROM11 keys not found for id xxxx
 
I think it's probably due to a missing nagrarom11.bin, nagraepr10.bin or nagraram11.bin file?

You can use any UDP logger to log the streams, but I prefer UDPLog 1.9 due to it being built specifically for this purpose. (It'll filter out unnecessary packets and errors.)

I've uploaded it here: UDPLog 1.9

Nice to see everyone learning this.
Getting easier and easier, now it's a no brainer lol
 
Doh! [thanks]

Didn't spot I was missing nagraepr11.bin & nagraram11.bin - won't necessarily be the right size - but I guess these are `volumes' of RAM & EPROM space that the ROM will address & change? Worth a try:

cp nagraepr10.bin nagraepr11.bin
cp nagraram10.bin nagraram11.bin

Restart the EMU [/var/bin/mmops emuShutDown noGUI && /var/bin/mmops startdefaultemu noGUI]

3f filter
NAGRA NANO FB
[emu6805] ROM 11 EEPROM read, count 8192
[emu6805] ROM 11 RAM read, count 1024
EMU MEM: FB 5F AE 9E 20 0E A6 02 2D 07 9B CD 20 20 9A 20 03 CD 20 20 9F B8 AB B7 AB 9F B8 B8 B7 B8 A6 26 CC 58 F5 00 00 00 83 5B 01 42 05 3F 32 37 03 D0 73 84 84 42 85 F0 83 35 E5 28 40 49 B2 40 49 B2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[emu6805] opcodes: 2278
NAGRA: Got keys for xxxx ROM11
===== N EMM on pid 0x25 ======================
prov: xxxx
got update for key 00 = xx xx xx xx xx xx xx xx
Key found, not updating !
===== N EMM on pid 0x25 ======================
prov: xxxx
got update for key 01 = xx xx xx xx xx xx xx xx
Key found, not updating !

So EPROMs & RAM are portable - as long as they are sized appropriately?

Ok, now back to the quest!

Thanks again - I prefer to point out Open Source solutions to stuff - because they are freely available, without having to find someone who has one in their back pocket...

Thanks for the upload, I'll give it a go - It's a shame that there isn't a central place to put & keep all these tools - I'm guessing the links in the DL area don't stay there all that long.

Might be good to put them on p2p with a set of file hashes being listed on the DL section. Then noobs who bother can find them.
 
Wiggs, I'm baffled by part of your patch m8...... why have you changed cydine's code to jump out to the old April patch at 883E instead of returning to the routine at 7427?
So if I'm right here, you are telling the EMM to run your patch, then jump out to the April patch, which I assume jumps back again to the original code.

Can anyone clarify. I was understanding it till this point.

thanks
 
Just a few other points or observations if anyone can help me out here. Have I got this about right?

1. It is not necessary to keep the old patches in the ROM, so we can overwrite them with the new patches. Is this correct? (Unless VM start to re-circulate the old EMMs to annoy everyone.)

2. The problem with the current EMM is actually not really a problem with the ROMs but that our emulators do not understand how to handle it. Namely the part JSR 2020 or math call: $02.

3. We are therefore basically telling the EMM to skip that part of the code (because our emus don't know what to do with it) and so we are manually telling the EMM what values to use.

4. The ultimate solution would be a better emu, not unlike the vplug one being used for DVB-C. Or to improve the evocamd emu.

P.S. What happens if VM make that math call an essential part of the keyroll? Like using it to generate a rather long or random list of values.

thanks guys
 
NoOne,

Ignore 7427, that is from rom7 (or 10) and not relevant in rom11. In Rom11 the location an unpatched ROM jumps to is 621B. This was changed to 883E by the April patch. The April patch located at 883E performed the patch then jumped to 621B. My addition initially jumps to 885D, runs the November patch, then jumps to 883E. From there the April patch is run and then the jump to 621B.

It's probably not the best way to do it, but it works.

Wiggy.
 
That particular map call doesn't appear to do any maths.

..but..

If they were clever they could use a series of map calls to manipulate the data as you suggest, and in all likelihood it would kill the hack as far as these old emulators are concerned!
You would almost certainly need the full emu source code as well as a good understanding of the map routines to be able to fix that problem.
Depending on what they used it might be possible to patch a bin, but it would take some real skill to do, not like these trivial "xor a byte" type jobs.
 