Rom A82 Unlocked [=

Card still won't open.
Just tried another rom 11 b0c with same script and it popped in about 10 mins. But when I read card in Nagra, IRD was 00 00 00 00. Got IRD from scart label, wrote to fun with Bk from reading, and am getting blank screen apart from free view chans. Is it possible I now have wrong Bk, considering IRD was all 0's?
 
yes


how has this happened and is it a regular feature when glitching?

Thanx.........
 
Once again: it has NOTHING to do with the glitching! Considering that you don't understand it at all, you should trust someone like myself who does. Right?

There is only ONE way that the glitching overwrote the boxkey, and that is if your DT1 is not in the correct location. I have seen THOUSANDS and THOUSANDS of cards, and not once have I ever seen a card that had the DT1 in the wrong location.

Plus, even if it was in the wrong location, it would not become 00 00 00 00. No way - impossible!

However, I have certainly unlocked a few Rom10 and ROM11 from the UK that did indeed have an ird of 00 00 00 00. I do not know why that is, but IT IS NOT THE GLITCHING!

OK? heh.
 
how has this happened and is it a regular feature when glitching?

Thanx.........

the card hasn't been activated or the box was switched off before you got hold of it m8
 
cards with irds 00 00 00 00 are virgin cards, haven't been activated b4 and may not have a standard tier

ps slickvguy u seem to know your stuff, I'd like to pick your brains, pm pls
 
slickvguy how comes we have to use unloopers for a82......and not with A3C'S
 
I am using a script that's auto with the vcc (script from criz guide).. so if I specify a range will it take in those values and not run the auto script.. as the script seems to run in auto even if I enter a vcc value?

running the vcc analyzer v2 i get back values ceiling 14 and floor 0E.. where do i enter this into the script?

thank you for your help.
 
I always thought that when the ird 00 00 00 00 and the boxkey started with 6d56 that the cable company had switched the card off and sent dummy boxkeys to them, as I am sure I have had a few like that and there is no way they were virgin boxes. Am I right or wrong?
 
happyjim: The reason is because of the RevA82 update code. It closes a hole (CMD$03 overflow) that we were using to gain access to the cards.

hazera: Originally, I made the vcc high/low spread wider, but lately I've narrowed it down considerably. Sometimes I use the same value for high and low! In the Vcc Analyzer subroutine, there is a place where the code determines the ceiling and floor. If you change that to a narrower range, you'll save time while glitching. As for manually entering the ranges, if you don't already have a choice to run the glitch algo without vcc analyzer first, you can simply COMMENT the line that calls the subroutine, and plug in your own values. Post the script, then I'll be able to show you where, and which variables are used.
 
It also has data in the OTP tag area

01 02 00 00 00 00 00 00

00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00

54 AB 00 00 00 00 00 00

And it defo ain't a Virgin.

As per my other post, I have said I don't know how to edit script (willing to learn though). Not being so techy minded I would need a dummy's guide.... LOL.

So what do I need to get started.
 
Have you tried to read the card with a standard iso programmer before? That's why 01 02 are marked, but the ird of all 00000 is definitely a virgin card or switched off by the cable company
 
Yeah tried 2 read it in Nagra.
Have you a rom 11 A U Image with PPV I could add Bk and IRD to?
 
SLICKVGUY - here's the script, just taken the main routine for the script.


Sub Main()
DelayStart =&h12FF
TryCnt = 180 '180 is good, Number of tries per delay FROM 5-50000
TestMode = 0 'TestMode, 1 = ON, 0 = OFF

VCCStart = &h99 'YOU CAN CHANGE THIS FROM 21-99 = this is automatic now
VCCLimit = &h00 'YOU CAN CHANGE THIS FROM 00-20 = this is automatic now
DelayEnd = &h1315
GlitchType= &h09
VCC = VCCStart
RT = DelayStart
' turn led off
sc.verbose=TRUE
Sc.Write("A0")
Sc.Delay(100)
' card is in turn led on
Sc.Write("A1")

' get atr
sc.verbose=TRUE
Sc.Write("07 0e 03 10 01 03 9a 00") 'reset card
Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 25 then
Sc.Read(25)
end if

Sc.Write("12 15 AB 21 00 08 A0 CA 00 00 02 12 00 06 55 0E 03 85 00")
Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 5 then
Sc.Read(0)
end if
print
if TestMode = 1 then
print " You are in testmode, cam will not open in this mode!!!" & vbcr
print " set TestMode = 0 to open cam " & vbcr & vbcr
end if
print " Now we will try " & HexString(RT, 4) & " delay" & vbcr

Do
Sc.Write("B0" & HexString(VCC, 2))
SC.DELAY(12)
' LOGIN NIPPER
Sc.Write("47 15 E0") Sc.Write("21003DA0CA00003703355C011031054E69705045722049E3407CADFDB96429F4F677C2356D7474")
Sc.Write("00000000000000000000000000000000000000000000000005C6")
Sc.Write("0E 05 8A 00")
Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 5 then
Sc.Read(11)
'bytes=sc.getbyte(8)
'PRINT HexString(bytes, 2)
end if
SC.DELAY(24) 'set to 35 - 22
Sc.Write("6A 15 FF 21 00")
Sc.Write("5CA0CA00005603545CF7108105FACD7A")
Sc.Write("B7C0A1A6004A153319E1FB5B6348507E")
Sc.Write("8E46A21DEFD37116179E4C5266B6DB4C")
Sc.Write("596CD86FD9E7FF65D1638E1BAE6D2925")
Sc.Write("D9B88446EDD99EEF33A3A16AADBDF346")
Sc.Write("8206679CC0BD06F685AEE418765C 20" & HexString(RT, 4) & HexString(GlitchType, 2) &"0E 05 85 00")
Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 4 then
Sc.Read(6)
bytes=sc.getbyte(3)
'PRINT HexString(bytes, 2)
RT2 = bytes
'print HexString(bytes, 2)
if RT2 = &H6F then
VCC = VCC - 1
print "+"
end IF
if RT2 = &HFF then
VCC = VCC + 1
print "-"
end if

TryCnt2 = TryCnt2 + 1
if trycnt2 > trycnt then
RT = RT + 1
TRYCNT2 = 0

if rt > DelayEnd then
rt = DelayStart

END IF

print
print " Now we will try " & HexString(RT, 4) & " delay, our VCC is about " & HexString(VCC, 2) & " and our Glitch Type was " & HexString(GlitchType, 2)
print
END IF
if bytes = &H83 then
print
print
print "*********** we hit our bug *************"& VbCr
PRINT HEXSTRING(SC.GETBYTE(0),2) & HEXSTRING(SC.GETBYTE(1),2) & HEXSTRING(SC.GETBYTE(2),2) & HEXSTRING(SC.GETBYTE(3),2)& HEXSTRING(SC.GETBYTE(4),2)& VbCr
Sc.Print "===========================================" & VbCr
PRINT HexString(bytes, 2)
print " was hit at " & HexString(RT, 4) & " delay ----VCC WAS " & HexString(VCC, 2) & " , our GlitchType was " & HexString(GlitchType, 2)
print
print
SC.DELAY(2500)
if TestMode = 0 then
sc.verbose=TRUE
Sc.Write("12 15 Ab 21 00 08 A0 CA 00 00 02 C0 00 06 87 0E 03 85 00")
SC.READ(2)
Bytes = Sc.Getbyte(1)
if Bytes > 5 then
Sc.Read(6)
bytes=sc.getbyte(3)
END IF
sc.delay(150)
Sc.Write("0A 15 A3 21 98 00 B9 0E 03 85 00")
SC.READ(2)
Bytes = Sc.Getbyte(1)
if Bytes > 5 then
Sc.Read(6)
bytes=sc.getbyte(3)
END IF
sc.delay(150)
Sc.Write("0A 15 A3 21 92 00 B3 0E 04 85 00")
SC.READ(2)
Bytes = Sc.Getbyte(1)
if Bytes > 4 then
Sc.Read(5)
bytes=sc.getbyte(3)
END IF
SC.DELAY(30)

PRINT "***************************" & VBCR
PRINT "* A82 CAM should be OPEN *" & VBCR
PRINT "* test in Nagra to see. *" & VBCR
PRINT "* if not, try again. *" & VBCR
PRINT "***************************" & VBCR
exit sub
end if
end if
else
PRINT" RESET "
VCC = VCC + 1
End if
Sc.Write("08 0e 03 10 01 01 03 9a 00") 'reset card
sc.read(02)
SC.DELAY(4)
GlitchType = GlitchType + 0.025
'print HexString(GlitchType, 2)
if GlitchType > 9.4 then
GlitchType = &h06
end if
'if you want just one Glitchtype remove the ' below
'GlitchType= &h09
sc.verbose=false
LOOP
 
VCCStart = &h99 'YOU CAN CHANGE THIS FROM 21-99 = this is automatic now
VCCLimit = &h00 'YOU CAN CHANGE THIS FROM 00-20 = this is automatic now

You need me to tell you that this is where you change the VCC range? C'mon, dude. heheh.

VCCStart is the "high", VCCLimit is the "low". Change the values of those two variables.

One other thing. If you are plugging in the vcc range manually, then you need to make sure the script isn't "overriding" your values with its own. The script probably sets those two variables from my VCC Analyzer code "automatically". So you should COMMENT out the line in the script that runs the subroutine that contains the vcc analyzer code. Understand? It'll be something like VccAnalyzer(). Just use the apostrophe symbol ' at the beginning of the line to make it into a comment line (instead of the statement executing), and it won't run that code automatically, and will use the values that you manually put into the script.

Geez...just post the entire script! Ctrl-a (select all), ctrl-c (copy), ctrl-p (paste) into the post. Then I'll know exactly what you are using, and will be able to show you.
 
A82

Hi Slickvguy Any Chance Of You Posting The Script You've Been Using?

Congrats On The Rom 7's By The Way!
 
Hi jimlchipit.

Thanks for the congrats.

No - I cannot post the scripts now, even if I wanted to. The reason is simple. I sold the script to someone in Europe, for a relatively large chunk of $. I promised him that if he bought it, I would not release it to the public. That wouldn't be fair to him, right? I had a few people in the UK interested in buying the s/w, but this guy is not in the UK. He isn't a dealer either. He has a HUGE amount of locked cards, and needed to unlock them all.
 
didn't see it up for sale mate, i'm sure some of the forum members would have clubbed together and given you a better price.

still never mind
 
JIMLCHIPIT said:
didn't see it up for sale mate, i'm sure some of the forum members would have clubbed together and given you a better price.

still never mind

I never advertised that it was for sale, but I did receive a few offers from UK testers over the past 4 months. Nothing panned out. I think some of them were stroking me intentionally, while others couldn't afford it. Then this guy in another country somehow heard of me, and contacted me. I was sure he was just wasting my time too, but he ended up wiring me $. That takes a lot of trust, to send money to someone you don't know, and wait for the code in return. Lucky for him, I'm such an honest guy.

Well ok...since you're in such a generous mood....how much ya willing to pony up for the ROM7 code? lol! ;)

Remember - I do all the unlocking for charity!!! Tell you what - if between all of you, you can raise $500 CAD for the kid's hospital, I will release the code/information on this forum to unlock the ROM7's up to and including Rev 715.

Remember....I am NOT soliciting! *YOU* were the one who brought it up. This is for an excellent cause. Kid's cancer research!!!

And I'll make you a deal one better. If you guys raise $500, I will get a *MATCH* for your $500, and donate a total of $1,000. How's that? As it is, I plan on making at least a $2,000 donation at the end of the year, thanks to the unlocking proceeds.

And for those cynical SOBs who don't trust me - I will post the tax receipt and/or certificate from the hospital proving that I donated the money. Fair enough?

Here's a link to where the money goes...

http://www.childrenfoundation.com/page.asp?intNodeID=5588&switchLang=true

C'mon. A measly $500 CAD is like only 3 or 4 EUROS, right? ;) heheheh.
 