Rom 110 Rev A01, Nagra2

calhordas

Hi boys, has anyone heard of this little new toy? It is the so-called N2.

Can't be read in nagraedit 4.1, only shows rom revision and revA01, after error reading card.

This one is from an overseas provider.

I can extract info with winexplorer on phoenix with some scripts but not write to card. I was wondering if anyone would be interested in sharing some info regarding this type of card.

Any script is always welcome for testing.
 
nagra2 reader in downloads just saw it!
 
hi m8

On which download page? I have searched there for at least 5 pages and nothing.


thx
 
nagra2

Thx for reply mate i found it but on the following page.


I had it previously, I mean that soft; unfortunately it does not let u write to card, or read bk and pk's.


I think that is the big issue with these cards still to unleash.

I read that the only way to read these cards is by breaking in the actual code of card and not by glitching, which are based on IDEA Cipher 128kb encryption, which would take some months using thousands of computers working together to break the code.

Can it be true? I really don't know.

But I did find this little proggie somewhere else, which might be helpful.

If anyone is willing to test it they are more than welcome to do so; it will be posted in the download section.
 
rom110 rev01

It is a Portuguese card

from a Portuguese satellite company
 
You're not going to break these cards in a hurry. They contain some fairly heavy anti-piracy measures including anti-glitch (both power & clock) and a random clock pulse inserter (meaning you can't guarantee which instruction you are processing after a certain amount of clocks).

The die is also supposed to be resistant to probing, sensitive to light (EEprom is erased by light), contain an Encryption unit for the EEprom, and be resistant to the usual solvents used to dissolve the epoxy coating (fuming Nitric acid etc).

I think you are probably going to have to wait until some lab opens the thing and manages to dump the ROM and EEprom - perhaps then an exploit will be found!
 
rom110 revA01

Well, the Key Team in Germany broke their n2 from premier just a few months after release of nagra2 in Germany.
Unfortunately nothing is available to the public.

Anyway we can always wait to see what comes and goes.

It's like seca2 they said the same but eventually ended up being opened.

Thx for posting anyway it's a good sign, people are reading and posting their comments.
 
In all cases though the card has been dumped by people with some fairly sophisticated technology.

My previous post was really meant to point out that you are unlikely to be able to do anything with these cards at home until someone with the equivalent technology dumps the cards from the supplier in question. Unfortunately, because of the way N2 works, dumping the card from another supplier or using "public" N2 listings is not likely to get you very far.
 
rom110 revA01

Hi guys, does anyone know how the clock cycle works on these ones?

As I have been told, the only way to get into them is by opening the RSA and that would not be able to be done by glitching the clock by putting up its speed to 4x the normal speed 4.608.


Any post is more than welcome if it's meant to supply info on this case.


Thx
 
The only fast way to get it done is to get infos from inside Kudelski's company, otherwise it will take a very long time. Also, nagra company changed the strategy: they will be making a systematic change of the smartcards, period of about 2 years or so, so any effort of investigation will be useless. Best regards
 
Rom101 Back

Hi boys

Long time no see

As we all know or most of us Rom101 popped out of the cherry

we have got the eeprom for dish & gabo


but some of the info has been deleted from eeprom, making things a bit harder

But hey guess what

It was glitched; apparently rom101 still holds cmd48/49, I guess it was the way they did it


Script is still in the God's secret, I doubt it will ever come out anyway.

We all know we can clone firm & cards now; using a sub card you can clone firm from same rom & rev to another receiver same brand, and send commands for the card to be cloned.

Now if I get my hands on some hardware, which hardware would u recommend to read the IC from rom101 card? I think they use the ST19's die; I'm thinking of extracting my rom101 from plastic.

I guess I could probably disassemble eeprom with IDA, but I just don't know which tools I should use to dump it



PS- anyone interested in sharing a small project?? I got some pieces, it's always worth studying it.
Let's face it, it will stop at our doors one day; it only takes a Software upgrade to the IRD and a new card with n2 embedded.


Thx


Calhordas
 