keyroll emm and the fix (code it ur self)

[wiggy9906]

Thanks for the excellent advice and pointers Cydine,

I've managed to patch a rom11, and even more amazingly it works.

https://www.digitalworldz.co.uk/index.php?threads/187330/#post1420653

Wiggy

 

[delboy13]

well done wiggy9906 for making your patchedrom. a few people on here are learning this technical stuff at the mo.thanks also to cydine for helping others understand all this.

 

[Nick [D]vB]

Good job mate! 8)

Works for me in xCW using Vplug (old version)


hi delboy, did you find that rom10 in the end?

.

 

[wiz569]

Well done wiggy m8 great work,give yourself a pat on the back :Clap:
And many thanks to cydine for being such a good teacher,now if only I wasn't thick

 

[dstream]

donnie the location not the value of $83 contains the emm xor byte is that what your confusing it over?

i can see you all fixing this then begging for a new key roll emm lol

 

[delboy13]

hi delboy, did you find that rom10 in the end?

.[/QUOTE]

no i didn't, i don't think xxxmkxxx will be on the site for a while he wrote it in 1 of his posts and link is dead because he posted it in wrong place i think

 

[xenafan]

Thanks for the excellent advice and pointers Cydine,

I've managed to patch a rom11, and even more amazingly it works.

https://www.digitalworldz.co.uk/index.php?threads/187330/#post1420653

Wiggy

Nice one m8 will give it a try tomorrow nice to see people takeing the time to post their work thanks for shareing.


Cheers

Xenafan

 

[xxxmkxxx]

hi delboy, did you find that rom10 in the end?

.

no i didn't, i don't think xxxmkxxx will be on the site for a while he wrote it in 1 of his posts and link is dead because he posted it in wrong place i think[/QUOTE]

Hi mate, sorry for the late reply. Thought i needed a break after 6 straight hours of number crunching, hex and trying to figure it all out lol

Don't know why the link got deleted. I posted it in the right section (Cable download section).

Here you go: https://www.digitalworldz.co.uk/posts/1420757/

 

[woosh]

Thanks to wiggy9906.

With nagrarom7.bin[patched] nagrarom10.bin[rolled myself but not right yet] & nagrarom11.bin[patched] in place why would you get:

ECM : 2 EMM : 2 KeyUPDATE 1 AU : 1 dir : 0 OSD : 0 NETMODE : 0 CONF_RELOAD : 0 [camd] AU thread started
3f filter
NAGRA NANO FB
[emu6805] ROM 11 EEPROM read FAILED!
3f filter
NAGRA NANO FA
[emu6805] ROM 10 EEPROM read, count 8192
[emu6805] ROM 10 RAM read, count 1024
[emu6805] opcodes: 734
3f filter
NAGRA NANO FA
[emu6805] opcodes: 734
ROM11 key try
RSA Nagra ROM11 keys not found for id xxxx
3f filter
NAGRA NANO FA
[emu6805] opcodes: 734
3f filter
NAGRA NANO FA
[emu6805] opcodes: 734
3f filter
NAGRA NANO FA
[emu6805] opcodes: 734
3f filter
NAGRA NANO FA
[emu6805] opcodes: 734
3f filter
NAGRA NANO FA
[emu6805] opcodes: 734
3f filter
NAGRA NANO FA
[emu6805] opcodes: 734
3f filter
NAGRA NANO F7
[emu6805] ROM 7 EEPROM read, count 4096
[emu6805] ROM 7 RAM read, count 1024
EMU MEM: F7 5F AE 98 20 0E A6 02 2D 07 9B CD 20 0F 9A 20 03 CD 20 0F 9F B8 B1 B7 B1 9F B8 B7 B7 B7 A6 26 CC 48 BB 00 00 00 83 5B 01 42 05 3F 32 37 03 D0 73 84 84 42 85 C6 64 1D EF 47 5A 0E EF 5A 0E EF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[emu6805] opcodes: 1930
NAGRA: Got keys for xxxx ROM7
===== N EMM on pid 0x25 ======================
prov: xxxx
got update for key 00 = xx xx xx xx xx xx xx xx
Key found, not updating !
===== N EMM on pid 0x25 ======================
prov: xxxx
got update for key 01 = xx xx xx xx xx xx xx xx
Key found, not updating !
3f filter
NAGRA NANO FA
[emu6805] opcodes: 734
3f filter
3f filter
NAGRA NANO FB
[emu6805] ROM 11 EEPROM read FAILED!

Why would it not like ROM11?

 

[xenafan]

no i didn't, i don't think xxxmkxxx will be on the site for a while he wrote it in 1 of his posts and link is dead because he posted it in wrong place i think

Hi mate, sorry for the late reply. Thought i needed a break after 6 straight hours of number crunching, hex and trying to figure it all out lol

Don't know why the link got deleted. I posted it in the right section (Cable download section).

Here you go: https://www.digitalworldz.co.uk/posts/1420757/[/QUOTE]


Thanks for shareing m8 will take a look tomorrow


Cheers

Xenafan

 

[woosh]

Thanks xxxmkxxx - now ROM10 is works. Think I'll try a different EMU.

 

[scott-ayling]

Well done guys good to see more people learning just wish i could get my head around this but think im just too thick been one of the best reading threads in a long time

 

[xxxmkxxx]

I’ve just been looking at the vplug emulator's debug output:

You don't have permission to view the code content. Log in or register now.

It seems to be detailing memory addresses and logic operations,

I don’t know if it’s any help to you lot?

Keep at it guys… 8 )

Thats interesting. As cydine pointed out, it understands whats happening with "JSR 2020" (mapping call). But it seems other EMUs don't understand it, hence the reason for the patches.

Here's my understanding of the EMM:


00:0081 00 80 c0 00 03fd ....Z. 5fa6e9b7 74f30000 00000904 CLR X
1. Clear the X Register so it becomes 00

00:0082 00 00 c0 00 03fd ....Z. a6e9b741 74f30000 00000907 LDA #e9
2. Load A register with the value 0xE9 (hexadecimal value) so A=E9 (or 1110 1001 in binary)

00:0084 e9 00 c0 00 03fd ...N.. b741a602 74f30000 00000909 STA 41
3. Store the value that is in the A register at location 41 so now RAM[41] = E9 (or 1110 1001 in binary)

00:0086 e9 00 c0 00 03fd ...N.. a6022d07 74f30000 0000090d LDA #02
4. Load A register with the value 0x02 (hexadecimal value) so A=02 (or 0000 0000 in binary)

00:0088 02 00 c0 00 03fd ...... 2d079bcd 74f30000 0000090f BMS 0091 (taken)
5. If Interrupt is Set then jump to code at 0091, otherwise continue on to the next code

00:008a 02 00 c0 00 03fd ...... 9bcd2020 74f30000 00000912 SEI
6. Set Interrupt - ATTENTION!

00:008b 02 00 c0 00 03fd ..I... cd20209a 74f30000 00000914 JSR 2020
7. Jump to Subroutine 2020 and do some voodoo there.

6805: breakpoint at 2020 (count=630)
math call: $02
RAM[41]=$e9

In this case, the subroutine 2020 is setting the X register with the value located at memory location RAM[41] which is hex value 0xE9 (or 1110 1001 in binary) (see 3.) and that's all we're interested in at the moment. In vplus, this gets done, but in other EMUs (evocamd for example) nothing happens, so X remains untouched is 0x0.

crc- aa xx yy dr -sp- VHINZC -mem@pc- -mem@sp- -cycles-
00:008e 02 e9 c0 00 03fd ..I... 9a2003cd 74f30000 0000091a CLI
8. Clear Interrupt, as you were...

00:008f 02 e9 c0 00 03fd ...... 2003cd20 74f30000 0000091c BRA 0094 (taken)
9. Skip to 10.
Note: There is a code here not listed in the log which basically says skip the "JSR 2020" call as we have already done it. if point 5 was true (i.e interrupt was already set) then the jump to 91 would land here which basically does point 7. Have a look at the disassembly of EMM in emmstudio to understand what im talking about.

00:0094 02 e9 c0 00 03fd ...... 9fb8b2b7 74f30000 0000091f TXA
10. transfer content of register X to A so now,should be X=E9 and A=E9 (or 1110 1001 in binary)
BUT remember X was zero due to our EMU not understanding JSR 2020? so what happens? X=0x0 and A=0x0

Now anything you do with these registers is meaningless (for our purpose anyway).

00:0095 e9 e9 c0 00 03fd ...... b8b2b7b2 74f30000 00000921 EOR b2 {04}
...

Our patch will just modify these instructions so that it doesnt do the BMS and JSR 2020 calls (skipping steps 3 to 9) and just modifies step 2 so that its "load X" rather than "Load A", then skip to 10 to do "transfer X to A".
There's also bit of code in the patch to check whether it indeed is the right EMM code we are modifying.

You will need to modify the patch and jump addresses so that instead of:

Main Code > Process EMM Buffer

you do:

Main Code > Do Patch > Process EMM Buffer

Use EMMStudio's disassembly function, its very useful.

Just grab some code from your hex editor and paste in there to disassemble and you'll understand it better. No need to memorise opcodes (though it helps).

I hope this makes it slightly more clearer.

 

[xxxmkxxx]

By the way, i found out how to capture EMMs from Dbox2.
i was doing it the long way (MLog,nagemmex,emmstudio), no-one helped me

Easy way for those who don't know:

Modify camd_cfg and set :

# 00 disabled
# 01 enabled
L: { 01 }192.168.1.11 10000

Note: put your own ip there.

and use UDPLog 1.9 on the computer you want to capture packets on.

Another way is to use telnet. kill evocamd processes and run it manually by typing "evocamd".
Though i prefer the first method as it gives me only the decrypted EMMs and less noise.

 

[delboy13]

xxxmkxxx thanks alot for posting and well done for patching the rom.you done it in 6 hrs you say very impressive it would take me a lifetime.

 

[xxxmkxxx]

xxxmkxxx thanks alot for posting and well done for patching the rom.you done it in 6 hrs you say very impressive it would take me a lifetime.

I had a little programming background so it helped.
Im sure you can do this, it's very easy once you understand how. Its abit like algebra really.

Theres plenty of info here to do it. Don't really need to understand how nagra encryption works. The basics will start you off and shouldn't take very long.

Now that i understand how EMMs work and the processes, i could probably patch rom11 in less than hour i think, but will leave it for you to do it

Best of luck.

 

[Nick [D]vB]

Thanks for taking the time to give such a detailed explanation, I really appreciate it.

I'll try to get some more details from the vplug developer, but don't hold your breath.

Because Vplug only has internal fixes for roms 10 & 11 I think looking at how it deals

with a patched rom7 might be quiet revealing.

...it's very easy once you understand how. Its abit like algebra really.

Maths with letters - that'll never work! lol unce:

I’m not a natural mathematician but I’d really like to give this a shot.

I'm up early so I'm going to have to call it a night, but I'll have a good look all this tomorrow.

thanks again,
Nick

 

[CG121]

@xxxmkxxx
#$02 = 0000 0010

As for the fix I did for the public OPOS card s/w....

You don't have permission to view the code content. Log in or register now.

Above are the 2 Key updates used in the latest attack...
1st off, you only need 1 Key update to update both public keys (0 and 1) on a card. So why 2????

Look closely at the Bytes Dump. Each key has an incorrect 6th byte...
Now look at the initial LDA command at $82. This value is used to EOR the incorrect 6th byte in each key. They are both different too..

So, no point hard coding 1 EOR value as 2 are used (1 for each key update)

Any solution must therefore ensure the correct EOR value is used.

As time marches on, the altered key byte (in the buffer) and/or the EOR value maybe changed, so a dynamic solution is required.

VM have a poor history in fighting back so any MAP call problems are a waste of time for the average programmer..I myself like a challenge and enjoy fixing these but they take a little longer than a quick patch and will not see the light of day until VM drop Nagra1..

So, as a quick patch is likely to last months, that's what most will do..

Now, we already break out of the 'official' ROM routine to our own code stored in some unused area...

This custom code checks the EMM data and modifies it based on our rules before jumping back into the official routine, which runs our version of the EMM instead

The key to this EMM is the use of X.
What should happen is the EOR value is stored in A, then A is stored in TEMPA before being changed to #$02.
Basically, we can assume that the MAP call takes TEMPA and stores it in X.
The OPOS doesn't do this and so whatever X is at the time (you can work it out by reading the wrong byte off a card with the old s/w, and working out the EOR with the byte in the buffer).

Anyways, why worry about routines and all the bollox when it's much easier to change the start of the EMMs from

You don't have permission to view the code content. Log in or register now.

to

You don't have permission to view the code content. Log in or register now.

So, basically, the EMM clears X, loads the EOR value into A (in the example, #$6B), clears x again (I couldn't resist it lol) and transfers A to X. Then it loads #$02 into A (no reason to alter that) and then issues the branch command. Now, notice I've changed it to branch beyond the next MAP call (using 0A instead of 07). So the EMM jumps from $88 to $94 and ignores all the MAP calls altogether...

The rest of the EMM runs fine and your keys are updated

Code required on a ROM10 dump (albeit pre-patched)

You don't have permission to view the code content. Log in or register now.

I appreciate that keys are not to be posted in the main forums, but strictly speaking, 1 byte in each key is wrong

*taken from my post on DD

 

[xxxmkxxx]

Thanks for taking the time to give such a detailed explanation, I really appreciate it.

I'll try to get some more details from the vplug developer, but don't hold your breath.

Because Vplug only has internal fixes for roms 10 & 11 I think looking at how it deals

with a patched rom7 might be quiet revealing.



Maths with letters - that'll never work! lol unce:

I’m not a natural mathematician but I’d really like to give this a shot.

I'm up early so I'm going to have to call it a night, but I'll have a good look all this tomorrow.

thanks again,
Nick

Isnt vplug just for computer EMU?

Dont worry, i'm rubbish at maths and i managed it, so can you lol

Anyway, nn.

 

[xxxmkxxx]

Good eye CG121.
Think i got carried away with the zeroes, i'll fix that now *, thanks.

Good info you have there, thanks for that.

Think theres plenty info here to be prepared for the next challenge. I cant wait! lol

Edit: * seems i cant edit my post now, yikes!