Nexus T911 - B0C unlock problems :(

[chris_uk]

bought my t911 this morning, flashed it and it seems to be working fine. I installed winexplorer and loaded up a b0c script (I have 3 b0c cards here locked). Tried to unlock the first card and after about 10 minutes it comes up with hit our glitch a couple of times, telling me card is unlocked and to try logging into it with nagra. When I load up nagra I just get 'Error reading backdoor 0', restoring decrypt keys. I have tried several different scripts, but after the first time they just seem to zoom through and hit the glitches straightaway, so it seem pointless to keep trying to open the card. The card wont read in romstudio or xncs with my pheonix(no atr sent or something along those lines). So it seems im stuck there doesnt seem to be anything else to try. Any of you guys know what the problem could be? HEres what I get in the respective programs :

Winexplorer
---------------

Executing Script: C:\Documents and Settings\Chris\Desktop\XNCS1[1][1][1].8\Scripts\rom11 boc script multiproviders+4801.xvb
TX Data : A0
TX Data : A1
TX Data : 07 0E 03 10 01 03 9A 00
RX Data : 07 1B
RX Data : 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30
TX Data : 14 03 10 15 AB 21 00 08 A0 CA 00 00 02 12 00 06
55 0E 03 87 00
RX Data : 14 08
RX Data : 12 00 08 92 04 24 74 B4
TX Data : 17 15 B0 21 00 0D A0 CA 00 00 07 21 05 01 03 FF
FF 00 28 4F 0E 03 88 00
RX Data : 17 09
RX Data : 12 60 20 A1 26 54 01 00 01

Now we will try 16FF delay
TX Data : B0 30
TX Data : 07 0E 03 10 01 03 9A 00
RX Data : 07 1B
TX Data : 47 15 E0
TX Data : 21 00 3D A0 CA 00 00 37 03 35 54 01 10 31 05 27
05 0D 0B 0D 38 79 1D 11 C7 66 29 BB C2 07 92 11
03 2B 23 DB F2 BE 84
TX Data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 05 0A
TX Data : 0E 05 8A 00
RX Data : 47 0B
RX Data : 12 00 07 83 03 B1 01 01 90 00 B4
TX Data : 53 15 E8
TX Data : 21 00 45 A0 D7 10 80 40 1F F0 26 40 5B FB 22 5E
A0 90 94 A5 76 73 5D 84 58 F6 A4 9B 6D 8E 67 CE
5C BB C8 FB CD 32 E0
TX Data : AB 5A 96 CA 3F 3A ED 45 C5 58 4F A2 A0 C4 C3 5E
44 0C 94 43 21 8B 04 DB 40 7C
TX Data : A4 8C B0 9A F4 E5 5B 4C 20 16 FF 06 0E 05 85 00
RX Data : 53 06
RX Data : FF FF FF FF FF
-

*********** we hit our bug *************
9000 was our loggin = good loggin, D7 packet 1 wrote to cam
1240029000
===========================================
90 was hit at 16FF delay ----VCC WAS 31 , our GlitchType was 08



*********** we hit our bug *************
9000 was our loggin = good loggin, D7 packet 2 wrote to cam
1240029000
===========================================
90 was hit at 16FF delay ----VCC WAS 31 , our GlitchType was 08

TX Data : 07 0E 03 10 01 03 9A 00
RX Data : 07 1B
RX Data : 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30
10
TX Data : 60 15 F6
TX Data : 21 00 53 A0 CA 00 00 4D 00 4B 54 01 02 53 41 8D
70 D1 9A F0 7B 43 4F 1A 76 61 96 89 69 05 36 4B
76 5F 4B 3D 7A F9 59 B9 82 E6 57 80 C3 40 78 42
25 38 1D 90 6E EE 22 C1 B8 C2 10 51 55 BB 5B 56
92 7D F9 C9 87 55 89 4A 58 92 FB D5 16 B6 67 B1
88 73 85 77 B8 05 9C
TX Data : 20 00 FF 0E 05 85 00
RX Data : 60 06
RX Data : 12 00 07 80 03 B1
********************************
* NTL C&W ROM11 B0C EMM sent *
* ROM11 B0C cam should be open *
* test in Nagra to see. *
* if not, try again. *
********************************

XNCS
-------

Opening of port was sucessfull.
No atr sent from card.
Sorry...Not Dumping card.

Nagra 4.1
------------

Opening of COM1 was successful
ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
ROM Revision: 011
EEPROM Revision: RevB0C
ProviderID: 54
CamID: 24 74 B4 93
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
BackDoor login verified
Dumping Dataspace
Error getting BackDoor 0 key
Write error encountered, attempting to restore original decrypt keys
ProviderID: 54
CamID: 24 74 B4 93
Attempting to login to BD3
Decrypt keys successfully restored
Reading ROM11 failed
Closing of COM1 was successful


----------------

Any Ideas guys ?

 

[TBC]

you must get the programmer to work with rom studio and xncs < what is the programmer.

yes use rom studio/backdoor/dump card/login apprendz
that should get you in - read line c040 for the bd 0 then dump the card using nagra method <still in rom studio - it should ask you for the bd0 - enter it then you can write a blank image to it using rom studio nagra bd0 method.

if you don't actually need the data on the card - use mrom to repair the backdoor keys < read up on it if you don't know how to use it. this should make the card able to be read in nagra by restoring them to standard.

 

[chris_uk]

hi twobeercans. I have 3 programmers, a cryptik smartmouse, a minisdk and a new nexus t911. None of these programmers will work with xncs or romstudio i get a password invalida when trying to use romstudio the way you said. Its no good using mrom as I need to get the bk from the card

 

[TBC]

you need a programmer that will work with the above there is no other way!

 

[chris_uk]

got something working in romstudio, turns out i had the wrong card in lol, i have labelled them now with a marker so i dont get it wrong. Do i install provider ghost?

 

[chris_uk]

hmm im looking in ird info and all i see is ird#:00000000

the boxkey is there though, or at least i hope its the right one....

 

[TBC]

read the pm i sent you - glitching always looses ird.
but if it was 00000000 before you started the bk is probably gonna be fake.

 

[chris_uk]

nooooo, ive programmed a funcard with the boxkey and i hexed the ird from the bottom of the box, no channels

 

[jasperconran]

read the pm i sent you - glitching always looses ird.
but if it was 00000000 before you started the bk is probably gonna be fake.

This is why its not a good idear to use glitching to get your box number

: grim :

when the CC`s switch a card off
They can change the box number on the card

 

[TBC]

This is why its not a good idear to use glitching to get your box number

: grim :

when the CC`s switch a card off
They can change the box number on the card

it is fine to glitch for bk - but if the card doesn't have an ird to start with then the bk will be false. that is what has happened in this case. it is vital when buying a box that in eng menu it stated the card is paired - it wouldn't have said that in this case.

 

[TBC]

i suppose the card was for a 2000 then !!!!

 

[chris_uk]

dont see how the bk could be false, this is a subbed card has been in stream for last 3 years and i still pay for standard package on it so its definately paired. I think its something ive done wrong

i have tried reprogramming it several times with no joy, not sure what to try next to be honest.....

the card is for a di4001 box if it makes a difference ?

Chris

 

[jasperconran]

dont see how the bk could be false, this is a subbed card has been in stream for last 3 years and i still pay for standard package on it so its definately paired. I think its something ive done wrong

i have tried reprogramming it several times with no joy, not sure what to try next to be honest.....

the card is for a di4001 box if it makes a difference ?

Chris

You have touched a subbed box your still paying 4

YOUR A NUTTER

When you open a card cc`s can tell that its been tempter with

so they check ird > to the subbed box name guess what?

Knock Knock :Laugh: :Laugh:

 

[chris_uk]

well, talkback is cut can they still tell?

 

[jasperconran]

well, talkback is cut can they still tell?

And when they come round coz there box has stop talking back what do you do then?

Rule number One is never mess with a subbed box mate

I`m not trying to put the wind up you!
but its a big mistake to mess with a subbed unit

 

[chris_uk]

I have 3 boxes here in 3 different rooms, 1 is already unlocked, the other 2 are restricted to basic package. If i cut talkback on 2 boxes all I have to say if they ask is that I unwired 2 boxes and make up some excuse, as long as one box is still going they wont be bothered, I hope

At least they havent been for the last 18 months / 2 years

1 last thing for twobeercans. I have tried unlocking 2 rom 11 cards with this nexus now, both have said success, both are readable in romstudio and i retreived the boxkey for both, but when I programme the card neither are showing any channels, have I cocked it up somehow ??

cheers guys....

Chris.

 

[jasperconran]

I have 3 boxes here in 3 different rooms, 1 is already unlocked, the other 2 are restricted to basic package. If i cut talkback on 2 boxes all I have to say if they ask is that I unwired 2 boxes and make up some excuse, as long as one box is still going they wont be bothered, I hope

At least they havent been for the last 18 months / 2 years
cheers guys....

Chris.

Hope your right mate!

I only said what it did coz i would`nt like to see another DW member get in trouble!!

Be lucky mate

 

[chris_uk]

Have opened 2 rom11 cards with my nexus now, both have given me the boxkey and ive got the ird off the box. But when I program a fun i get a black screen. I doubt the boxkeys were fake as these were boxes ive had for ages. I cant login to nagra with the cards i get an error reading backdoor 0, and when I try to read line c040 for key0 or whatever it is in romstudio i cant even see it, i only see lines starting with 'd'. Cant understand it at all, have i made some sort of mistake somewhere along the line?

I never was much good with these programmers anyway, hard enough to program a funcard

 

[capcomind]

Try Benny 59's guide to proging an au image to your rom11 after glitching em. You'll need to run your prog in pheonix mode @ 3.63 but if you use bennys image and nagra 4.1 you will have no trouble. Just follow the instructions to the letter and remember to reverse your ird pairs so that the last one is 12..... (unless its a sammy)

 

[capcomind]

Just a point worth noting. I have had experience of 2 sammy's now where you need to introduce them back into the stream to get the right ird and box key so if after the first 3 or 4 atempts it aint right stick it back in the stream (TB cut of course)