Rom A82 Unlocked [=

[JIMLCHIPIT]

what do the members think

That works out about £212.00 are any forum mebers interested?

i know this goes against some members principles, but it is a solution to a problem! i am aware that sme members are fooked on these rom 7's

 

[pburns]

Whole script.

' New VB Script File - Created 01/01/05
' FOR NTL ROM 11 BOC rev STREAMLOCKED only.
' AUTOMATIC SCRIPT
' USES Newd11.hex on LOADER only!!!!!!!!!!

'**************************************************************************************

'Instruction Table
'01 Reset Card (Leaves card clock off)
'02 4.608 MHz Card Clock Off -FREEZE CAM
'03 4.608 MHz Card Clock On - FREE RUNNING CAM

'04 DOUBLE HIT, CLOCK LOW, .5 CYCLE DELAY--2*CARD CLOCKS -- ex. 2x xx xx 04 for timing
'05 DOUBLE HIT, CLOCK LOW, 1.5 CYCLE DELAY-2*CARD CLOCKS -- ex. 2x xx xx 05 for timing
'06 Double HIT, CLOCK LOW, 6 CYCLE DELAY-- 2*CARD CLOCKS -- ex. 2x xx xx 06 for timing
'07 Three HIT, CLOCK LOW , 6 CYCLE DELAY-- 2*CARD CLOCKS -- ex. 2x xx xx 07 for rom11 hopeful.
'08 Five HIT, CLOCK LOW, 5 CYCLE DELAY--- 2*CARD CLOCKS -- ex. 2x xx xx 08 for rom11 hopeful.
'09 LOW CLOCK single hit------------------ 2*CARD CLOCKS -- ex. 2x xx xx 09 for timing
'0E XX SET WD TIMER
'0F POWER DOWN CAM
'1X TX RX SPEED

'2X XX XX Delay $2X XX XX Atmel clock cycles

'8X-9X Rx from card, instruction anded with $1f plus 1 bytes Ex. $9F = rx $20 bytes
'aX-FX Tx to card, instruction anded with $5f plus 1 bytes Ex. $FF = Tx $60 bytes
'**************************************************************************************
'Commands
'80 Check Card Presence - Sends 1 byte
'90 Get chip ID - Sends 4 Bytes (DISH)
'AX Set Bi-color Led - X = 0 off, X = 1 Red, X = 2 Green
'B0 XX Set Glitch VCC - VCC = (5/255) * XX

Option Explicit
Dim Bytes
dim TestMode
Dim BR2(5)
Dim VCCStart
Dim VCCLimit
Dim VCC
Dim DelayEnd
Dim DelayStart
Dim GlitchType
Dim TryCnt
DIM TryLimit
DIM TRYCNT2
DIM RT
DIM RT2
DIM CL
DIM Packet
TRYCNT2=1
CL=0


sc.print "________________Setting up WinExplorer_________________" & VbCr
Wx.BaudRate = 115200
Wx.ResetBaudRate = 115200
Wx.Parity = 0 ' 0 = None, 1 = Odd, 2 = Even, 3 = Mark, 4 = Space
Wx.StopBits = 0 ' 0 = 1 stop bit, 1 = 1.5 stop bits, 2 = 2 stop bits
Wx.DTRControl = 0 ' Initial state of DTR 0 = off, 1 = on
Wx.RTSControl = 1 ' Initial state of RTS 0 = off, 1 = on
Wx.ResetDelay = 100 ' In microseconds
Wx.ByteDelay = 10 ' In microseconds
Wx.RxByteTimeout = 500 ' In milliseconds
Wx.ResetMode = 2 ' 0 = No Resets, 1 = ISO Reset (Expect a ATR), 2 = Device Reset (No ATR)
Wx.ResetLine = 1 ' 0 = Toggle RTS for Reset, 1 = Toggle DTR for Reset
Wx.ByteConvention = 1 ' 0 = Inverse, 1 = Direct
Wx.FlushEchoByte = 0 ' 0 = no flush, 1 = flush - A Phoenix interface will echo each byte transmitted.
Wx.FlushBeforeWrite = 1 ' 0 = no flush, 1 = flush - Flush the receive buffer before each write to strip off Null bytes.
Wx.IgnoreTimeouts = 1 ' 0 = Abort script on a receive timeout, 1 = Ignore all receive timeouts
Wx.ResetAfterTimeout = 0 ' 0 = Don't reset after a timeout, 1 = do a reset after a timeout - Not used if "IgnoreTimeouts=0"
Wx.LogTransactions = 0 ' 0 = Don't log transactions, 1 = log transactions
Wx.DisplayUSW = 0 ' Display USW after script complete 0 = no, 1 = yes
Wx.DisplayFuse = 0 ' Display Fuse after script complete 0 = no, 1 = yes


Sub Main()

' These are the variables you can change for rom 11


' Packet = what packet does the cam need?
' Use this if you know packet one is on cam and you
' want to send Packet 2 or 3
' ex. Packet = 1
' ex. Packet = 2
' ex. Packet = 3 to send the open emm and exit.

Packet = 1 'packet 1, 2, or 3
DelayStart=&h16ff 'testing rom 11 - 1780
'hit at 140F & 1557 & 16F4 & 14F6 & 1438 & 1398 & 1555
DelayEnd = &H1380 'testing rom 11 - 1380
TryCnt = 330 '330 is good - Number of tries per delay FROM 5-50000

' end of variables


VCCStart = &h30 'YOU CAN CHANGE THIS FROM 21-99 = this is automatic now
VCCLimit = &h00 'YOU CAN CHANGE THIS FROM 00-20 = this is automatic now
GlitchType= &h06 'This is automatic now
VCC = VCCStart
RT = DelayStart
' turn led off
sc.verbose=TRUE
Sc.Write("A0")
Sc.Delay(100)
' card is in turn led on
Sc.Write("A1")


' get atr
sc.verbose=TRUE
Sc.Write("07 0e 03 10 01 03 9a 00") 'reset card
Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 25 then
Sc.Read(25)
end if

SC.DELAY(30)

Sc.Write("14 03 10 15 AB 21 00 08 A0 CA 00 00 02 12 00 06 55 0E 03 87 00")
Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 7 then
Sc.Read(8)
end if

print
print " Now we will try " & HexString(RT, 4) & " delay" & vbcr

SC.DELAY(30)

Do

Sc.Write("B0" & HexString(VCC, 2))

SC.DELAY(5)

IF CL = 0 then
Sc.Write("07 0e 03 10 01 03 9a 00") 'reset card
sc.read(02)
SC.DELAY(5)
' LOGIN NIPPER
Sc.Write("47 15 E0")
Sc.Write("21003DA0CA000037033554011031054E69705045722049E3407CADFDB96429F4F677C2356D7474")
Sc.Write("00000000000000000000000000000000000000000000000005CE")
Sc.Write("0E 05 8A 00")
Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 8 then
Sc.Read(11)
'bytes=sc.getbyte(8)
'PRINT HexString(bytes, 2)
end if
SC.DELAY(10)
end if

CL=0

if Packet = 1 then
' Send D7 Write Packet one
Sc.Write("53 15 E8")
Sc.Write("210045A0D710804066E12439141ACAA1C1D5E9B29B68F861EF 7F043C265563F337FE29F561DB8E")
Sc.Write("17B5E19BD383995049EC665253E28195DF32905312C995CE26 F0")
Sc.Write("D9268605BEFEF2B0 20" & HexString(RT, 4) & HexString(GlitchType, 2) & "0E 05 85 00")

' Sc.Write("53 15 E8")
' Sc.Write("210045A0D710C040F8EE037B057F7753279632187D4DFECA1F D920D841CDA8B377CDCFDFCE4D0A")
' Sc.Write("EC4D7C45B49B9D390D8E5838254384985E54925C09F43B72F1 C8")
' Sc.Write("4B555A2DB4482DDD 20" & HexString(RT, 4) & HexString(GlitchType, 2) & "0E 05 85 00")

Sc.Read(2)
Bytes = Sc.Getbyte(1)
end if

if Packet = 2 then
' Send D7 Write Packet two
Sc.Write("53 15 E8")
Sc.Write("210045A0D710C040F8EE037B057F7753279632187D4DFECA1F D920D841CDA8B377CDCFDFCE4D0A")
Sc.Write("EC4D7C45B49B9D390D8E5838254384985E54925C09F43B72F1 C8")
Sc.Write("4B555A2DB4482DDD 20" & HexString(RT, 4) & HexString(GlitchType, 2) & "0E 05 85 00")
Sc.Read(2)
Bytes = Sc.Getbyte(1)
end if

if Packet = 3 then
' Send Emm to 00 Bugs at C0A1
sc.verbose=TRUE
Sc.Write("07 0e 03 10 01 03 9a 00") 'reset card
Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 25 then
Sc.Read(25)
end if
SC.DELAY(50)

Sc.Write("60 15 F6")
Sc.Write("210053A0CA00004D004B54010253418D70D19AF07B434F1A766196896905364B765F4B3D7AF959B982E65780C340784225381D906EEE22C1B8C2105155BB5B56927DF9C98755894A5892FBD516B667B188738577B8059C")
Sc.Write("20 00 FF 0E 05 85 00")

SC.READ(2)
Bytes = Sc.Getbyte(1)
if Bytes > 4 then
Sc.Read(6)
bytes=sc.getbyte(3)
END IF

SC.DELAY(200)
print
PRINT "********************************" & VBCR
PRINT "* NTL C&W ROM11 B0C EMM sent *" & VBCR
PRINT "* ROM11 B0C cam should be open *" & VBCR
PRINT "* test in Nagra to see. *" & VBCR
PRINT "* if not, try again. *" & VBCR
PRINT "********************************" & VBCR
exit sub
end if

if Bytes > 4 then
Sc.Read(5)
bytes=sc.getbyte(3)
RT2 = bytes
'print HexString(bytes, 2)
if RT2 = &H69 then
VCC = VCC - .4 '.2
print "+"
CL=1
SC.DELAY(8)
end IF

if RT2 = &HFF then
VCC = VCC + 1
print "-"
end if


TryCnt2 = TryCnt2 + 1
if trycnt2 > trycnt then
RT = RT - 1.5
TRYCNT2 = 0
if rt < DelayEnd then
rt = DelayStart
END IF
print
print " Now we will try Packet " & HexString(Packet, 1) & ", " & HexString(RT, 4) & " delay, our VCC is about " & HexString(VCC, 2) & " and our Glitch Type was " & HexString(GlitchType, 2)
print
END IF

if RT2 = &H90 then
print
print
print "*********** we hit our bug *************"& VbCr
print "9000 was our loggin = good loggin, D7 packet " & Packet & " wrote to cam"
print
PRINT HEXSTRING(SC.GETBYTE(0),2) & HEXSTRING(SC.GETBYTE(1),2) & HEXSTRING(SC.GETBYTE(2),2) & HEXSTRING(SC.GETBYTE(3),2)& HEXSTRING(SC.GETBYTE(4),2)& VbCr
Sc.Print "===========================================" & VbCr
PRINT HexString(bytes, 2)
print " was hit at " & HexString(RT, 4) & " delay ----VCC WAS " & HexString(VCC, 2) & " , our GlitchType was " & HexString(GlitchType, 2)
print
print
Packet = Packet + 1
SC.DELAY(2500)

end if
if RT2 = &H63 then
print
print
print "*********** we hit our bug *************"& VbCr
print "6300 was our loggin = not logged in, packet didnt take!!"
PRINT HEXSTRING(SC.GETBYTE(0),2) & HEXSTRING(SC.GETBYTE(1),2) & HEXSTRING(SC.GETBYTE(2),2) & HEXSTRING(SC.GETBYTE(3),2)& HEXSTRING(SC.GETBYTE(4),2)& VbCr
Sc.Print "===========================================" & VbCr
PRINT HexString(bytes, 2)
print " was hit at " & HexString(RT, 4) & " delay ----VCC WAS " & HexString(VCC, 2) & " , our GlitchType was " & HexString(GlitchType, 2)
print
print
CL=0
SC.DELAY(2500)

end if

else
PRINT" ! "
VCC = VCC + 1
end if

GlitchType = GlitchType + 0.02
'print HexString(GlitchType, 2)
if GlitchType > 9.4 then
GlitchType = &h06
end if
'if you want just one Glitchtype remove the ' below
GlitchType= &h08
SC.DELAY(8)
sc.verbose=false

LOOP

End Sub

Function HexString(Number,Length)
' This function takes 2 arguments, a number and a length. It converts the decimal
' number given by the first argument to a Hexidecimal string with its length
' equal to the number of digits given by the second argument
Dim RetVal
Dim CurLen
RetVal=Hex(Number)
CurLen=Len(RetVal)
If CurLen<Length Then
RetVal=String(Length-CurLen,"0") & RetVal
End If
HexString=RetVal
End Function

 

[spaceman07]

I will be interested in raising money for charity.

Slickguy - I did post the whole script.. the only function I left out was the following

Function HexString(Number,Length)
' This function takes 2 arguments, a number and a length. It converts the decimal
' number given by the first argument to a Hexidecimal string with its length
' equal to the number of digits given by the second argument
Dim RetVal
Dim CurLen
RetVal=Hex(Number)
CurLen=Len(RetVal)
If CurLen<Length Then
RetVal=String(Length-CurLen,"0") & RetVal
End If
HexString=RetVal
End Function

 

[Slickvguy]

pburns: There is no vcc analyzer code in that script. So all you need to do is change these two variables to the proper values for your card:

VCCStart = &h30 'YOU CAN CHANGE THIS FROM 21-99 = this is automatic now
VCCLimit = &h00 'YOU CAN CHANGE THIS FROM 00-20 = this is automatic now

Also, don't forget to change the variable PACKET, depending on which Packet you are sending (1=first D7 pckaet, 2= 2nd D7 packet, 3=EMM).

' Packet = what packet does the cam need?
' Use this if you know packet one is on cam and you
' want to send Packet 2 or 3
' ex. Packet = 1
' ex. Packet = 2
' ex. Packet = 3 to send the open emm and exit.


BTW, this script is very poorly written, and is still based on penga's earliest scripts. Pretty lame that they haven't even bothered to change the variable names (e.g. RT2. How stupid!) I don't understand why a person who obviously can write SOME code, would not take the time to clean it up, and make it smarter, clearer, and more efficient. Makes no sense to me.

 

[Slickvguy]

Jim: Look at it this way. 10 guys * app. 21 gbp each, and the rom7's (<= rev715) can all be unlocked. I would PM the code to you, to do whatever you want with. You could release it to the public, or you could keep it for yourselves. That is YOUR choice - not mine.

hazera: hexstring is just a basic subroutine that converts decimal number to a hex string. It's in just about every winexplorer testing script you'll ever see.

 

[Slickvguy]

Listen, I think you have a very bad attitude towards people on this forum. You are beggining to annoy many people.

Wy start a thread saying you want people to ask you questions about something.

I think this is without question the most stupid thing I have ever read on any testing forum at any time.

Ciao.

 

[strawdog74]

omg! it works!!!!!

***************************
* A82 CAM should be OPEN *
* test in Nagra to see. *
* if not, try again. *
***************************

I started gltiching, then I went to the pub; now i am pi55ed, and i find the screen saying the above. Can it really be true I ask myself. Surely not!

But wahery, I opened up in nagra, and hey presto, my IRD ends in 12 and everything seems pretty cool.

this is the first and only card I have attepted. It feels good to have finally "glitched" a card. I now almost understand the script, and the various parameters that you edit, and have successfully used the helpful Canadians (sorry I am too pi55ed to remember names!) Vcc analyser. I have attached for other's convenience.

Wicked guys. I will now donate like I promised!

cheers!

-SD

 

[strawdog74]

ps - i meant that i am donating MORE and not the minimum,

I have already donated on gaining membership. just so you know!

pps b- thanks slickvguy and chrisz2000 (no not you chris1975!)

1HAPPYMAN

-sd

 

[aka]

I have read this thread with great interest and i have decided that i want to start having a go at this myself. What i want to know is, is this post still the definitive guide for unlocking?
http://www.world-of-digital.com/forums/showthread.php?p=237576#post237576

And where is the best place at the moment to get the programmer? Also can it be modified yourself or do you buy it already done?

Cheers lads

 

[trigger2204]

need some help with this been trying everything and still no joy heeeeeeeeeeeellllllllllllllllllllpppppppppppppp!

 

[Welshwolf]

Hi all

I got my T911 today and have been busy half the day. Thx to all for all the help. I unlocked a rom 10 but can't read it in nagra. Can i read it with the T911 or would i need the phoenix ( phoenix is round my mates house). I thought ok nevermind lets crack on with the 11s. I have run the script and my ++++++--+++++++ are very + orientated. I am trying my best to follow the advice and use vcc to get a high of 25 and low 1F. I put it in the script:

VCCStart = &h25 'YOU CAN CHANGE THIS FROM 21-99 = this is automatic now
VCCLimit = &h1F 'YOU CAN CHANGE THIS FROM 00-20 = this is automatic now
GlitchType= &h06 'This is automatic now

i have now run it and still get the same. Am i doing it right? Your all fantastically pathient people. If i get this running then i think i may write a full guide from start to finish for all the newbies like me, including all progs and scripts required.

 

[Welshwolf]

need some help with this been trying everything and still no joy heeeeeeeeeeeellllllllllllllllllllpppppppppppppp!

What have you done so far m8. Where you at. you got gear. flashed the gear. run scripts etc....

 

[pburns]

You cant use the T911 to read in Nagra Pheonix required.

 

[JimmyP]

welshwolf its automatic and will find its own glitch point so you need not change the analyzer mate its automatic

 

[pburns]

@jimmyp Any idea how to fix "the packet didnt take" problem for Rom 11 B0C Mt8. 5401.

 

[Welshwolf]

thx pburns. I have now unlocked both rom10 and rom11!!!! super excited....need my phoenix. dammit why i leave it up mates house. i'm not gonna sleep knowing i'm sooooo close.

 

[BoB !!]

really jimmy ?? ive been messin with it an some have poped in 20 mins others hours lol
you got any ideas on tweaking the scripts m8 ? slick reckoned we could clean em up to be more effective ? or any advice on gettin a better - to +, i get about a 60/40 in favour of the +'s any tips m8 ?

 

[JimmyP]

i aint sorry bob not really messing about with glitching at the moment , i suppose you could run vcc analyzer and then put ur floor and ceiling values in and save that script but it would only be useful for that card as they have diffrent floor and ceiling values ie not all cards the same mate

 

[BoB !!]

ok m8 been playin with it in the script but i think the script is overriding it ??

 

[saddon]

Faster Scripts

Bob

Been playing for a while with the scripts, when i adjust the VCC it does not really help but if i lower the trycnt to 80 i am getting results Ranging between 3 mins and 30 Mins on average they take about 20 mins

83 was hit at 1309 delay ----VCC WAS 11 , our GlitchType was 06
83 was hit at 130D delay ----VCC WAS 14 , our GlitchType was 08
83 was hit at 1305 delay ----VCC WAS 11 , our GlitchType was 06
83 was hit at 1307 delay ----VCC WAS 13 , our GlitchType was 07
83 was hit at 130A delay ----VCC WAS 0D , our GlitchType was 08
83 was hit at 1303 delay ----VCC WAS 16 , our GlitchType was 08
83 was hit at 1302 delay ----VCC WAS 13 , our GlitchType was 08
83 was hit at 130A delay ----VCC WAS 10 , our GlitchType was 08
83 was hit at 130D delay ----VCC WAS 14 , our GlitchType was 08
83 was hit at 130D delay ----VCC WAS 17 , our GlitchType was 08


These are the cards i Unlocked all rom10 TW 5A01, the script i used was the same in the downloads and all i changed was the Trycnt to 80, some cards are a pain in the ass and i wish i was a little more experienced, if some one Like Slickvguy or dNh 301 could look at my figures and see if i could do anything to make this more stable i would appreciate it...

Also explain what glitch type means and why doe's this vary, and what is the consequence of lowering the trycnt

Thanks In advance

Full script im using below

' New VB Script File - Created 01/16/05
' FOR TW rom 10 A82 rev STREAMLOCKED only.
' AUTOMATIC SCRIPT
' USES Newd11.hex on LOADER only!!!!!!!!!!

'**************************************************************************************

'Instruction Table
'01 Reset Card (Leaves card clock off)
'02 4.608 MHz Card Clock Off -FREEZE CAM
'03 4.608 MHz Card Clock On - FREE RUNNING CAM

'04 DOUBLE HIT, CLOCK LOW, .5 CYCLE DELAY--2*CARD CLOCKS -- ex. 2x xx xx 04 for timing
'05 DOUBLE HIT, CLOCK LOW, 1.5 CYCLE DELAY-2*CARD CLOCKS -- ex. 2x xx xx 05 for timing
'06 Double HIT, CLOCK LOW, 6 CYCLE DELAY-- 2*CARD CLOCKS -- ex. 2x xx xx 06 for timing
'07 Three HIT, CLOCK LOW , 6 CYCLE DELAY-- 2*CARD CLOCKS -- ex. 2x xx xx 07 for rom11 hopeful.
'08 Five HIT, CLOCK LOW, 5 CYCLE DELAY--- 2*CARD CLOCKS -- ex. 2x xx xx 08 for rom11 hopeful.
'09 LOW CLOCK single hit------------------ 2*CARD CLOCKS -- ex. 2x xx xx 09 for timing
'0E XX SET WD TIMER
'0F POWER DOWN CAM
'1X TX RX SPEED

'2X XX XX Delay $2X XX XX Atmel clock cycles

'8X-9X Rx from card, instruction anded with $1f plus 1 bytes Ex. $9F = rx $20 bytes
'aX-FX Tx to card, instruction anded with $5f plus 1 bytes Ex. $FF = Tx $60 bytes
'**************************************************************************************
'Commands
'80 Check Card Presence - Sends 1 byte
'90 Get chip ID - Sends 4 Bytes (DISH)
'AX Set Bi-color Led - X = 0 off, X = 1 Red, X = 2 Green
'B0 XX Set Glitch VCC - VCC = (5/255) * XX

Option Explicit
Dim Bytes
dim TestMode
Dim BR2(5)
Dim VCCStart
Dim VCCLimit
Dim VCC
Dim DelayEnd
Dim DelayStart
Dim GlitchType
Dim TryCnt
DIM TryLimit
DIM TRYCNT2
DIM RT
DIM RT2
TRYCNT2=1

Sub Main()

' These are the variables you can change for rom 10 NTL A82

DelayStart =&h12FF
TryCnt = 80 '180 is good, Number of tries per delay FROM 5-50000
TestMode = 0 'TestMode, 1 = ON, 0 = OFF

'TestMode is used to find a glitch point on A82 cam. once you find the
'delay on cam then set TestMode = 0, and open the cam.

' end of variables


VCCStart = &h90 'YOU CAN CHANGE THIS FROM 21-99 = this is automatic now
VCCLimit = &h00 'YOU CAN CHANGE THIS FROM 00-20 = this is automatic now
DelayEnd = &h1315
GlitchType= &h09
VCC = VCCStart
RT = DelayStart
' turn led off
sc.verbose=TRUE
Sc.Write("A0")
Sc.Delay(100)
' card is in turn led on
Sc.Write("A1")


' get atr
sc.verbose=TRUE
Sc.Write("07 0e 03 10 01 03 9a 00") 'reset card
Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 25 then
Sc.Read(25)
end if

Sc.Write("12 15 AB 21 00 08 A0 CA 00 00 02 12 00 06 55 0E 03 85 00")
Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 5 then
Sc.Read(0)
end if
print
if TestMode = 1 then
print " You are in testmode, cam will not open in this mode!!!" & vbcr
print " set TestMode = 0 to open cam " & vbcr & vbcr
end if
print " Now we will try " & HexString(RT, 4) & " delay" & vbcr


Do


Sc.Write("B0" & HexString(VCC, 2))

SC.DELAY(12)

' LOGIN NIPPER
Sc.Write("47 15 E0")
Sc.Write("21003DA0CA00003703355A011031054E69705045722049E3407CADFDB96429F4F677C2356D7474")
Sc.Write("00000000000000000000000000000000000000000000000005C0")
Sc.Write("0E 05 8A 00")
Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 5 then
Sc.Read(11)
'bytes=sc.getbyte(8)
'PRINT HexString(bytes, 2)
end if

SC.DELAY(24) 'set to 35 - 22

Sc.Write("6A 15 FF 21 00")
Sc.Write("5CA0CA00005603545A5B108105FACD7A")
Sc.Write("B7C0A1A600965DC269CBA2C69973D6CD")
Sc.Write("8766A2CFEB84A18FBFF8E26FCF8807B7")
Sc.Write("10983A07DD92B7575B558DBF6BE4F0CA")
Sc.Write("622BCC01F8EE441351E7B4784E4C232F")
Sc.Write("3698871E3A0CCD320C5AEA2D2D10 20" & HexString(RT, 4) & HexString(GlitchType, 2) &"0E 05 85 00")

Sc.Read(02)
Bytes = Sc.Getbyte(1)
if Bytes > 4 then
Sc.Read(6)
bytes=sc.getbyte(3)
'PRINT HexString(bytes, 2)
RT2 = bytes
'print HexString(bytes, 2)
if RT2 = &H6F then
VCC = VCC - 1
print "+"
end IF
if RT2 = &HFF then
VCC = VCC + 1
print "-"
end if

TryCnt2 = TryCnt2 + 1
if trycnt2 > trycnt then
RT = RT + 1
TRYCNT2 = 0

if rt > DelayEnd then
rt = DelayStart

END IF

print
print " Now we will try " & HexString(RT, 4) & " delay, our VCC is about " & HexString(VCC, 2) & " and our Glitch Type was " & HexString(GlitchType, 2)
print
END IF
if bytes = &H83 then
print
print
print "*********** we hit our bug *************"& VbCr
PRINT HEXSTRING(SC.GETBYTE(0),2) & HEXSTRING(SC.GETBYTE(1),2) & HEXSTRING(SC.GETBYTE(2),2) & HEXSTRING(SC.GETBYTE(3),2)& HEXSTRING(SC.GETBYTE(4),2)& VbCr
Sc.Print "===========================================" & VbCr
PRINT HexString(bytes, 2)
print " was hit at " & HexString(RT, 4) & " delay ----VCC WAS " & HexString(VCC, 2) & " , our GlitchType was " & HexString(GlitchType, 2)
print
print
SC.DELAY(2500)
if TestMode = 0 then
sc.verbose=TRUE
Sc.Write("12 15 Ab 21 00 08 A0 CA 00 00 02 C0 00 06 87 0E 03 85 00")
SC.READ(2)
Bytes = Sc.Getbyte(1)
if Bytes > 5 then
Sc.Read(6)
bytes=sc.getbyte(3)
END IF
sc.delay(150)
Sc.Write("0A 15 A3 21 98 00 B9 0E 03 85 00")
SC.READ(2)
Bytes = Sc.Getbyte(1)
if Bytes > 5 then
Sc.Read(6)
bytes=sc.getbyte(3)
END IF
sc.delay(150)
Sc.Write("0A 15 A3 21 92 00 B3 0E 04 85 00")
SC.READ(2)
Bytes = Sc.Getbyte(1)
if Bytes > 4 then
Sc.Read(5)
bytes=sc.getbyte(3)
END IF
SC.DELAY(30)

PRINT "***************************" & VBCR
PRINT "* A82 CAM should be OPEN *" & VBCR
PRINT "* test in Nagra to see. *" & VBCR
PRINT "* if not, try again. *" & VBCR
PRINT "***************************" & VBCR
exit sub
end if

end if
else
PRINT" RESET "
VCC = VCC + 1
End if
Sc.Write("08 0e 03 10 01 01 03 9a 00") 'reset card
sc.read(02)
SC.DELAY(4)
GlitchType = GlitchType + 0.025
'print HexString(GlitchType, 2)
if GlitchType > 9.4 then
GlitchType = &h06
end if
'if you want just one Glitchtype remove the ' below
'GlitchType= &h09

sc.verbose=false

LOOP

End Sub

Function HexString(Number,Length)
' This function takes 2 arguments, a number and a length. It converts the decimal
' number given by the first argument to a Hexidecimal string with its length
' equal to the number of digits given by the second argument
Dim RetVal
Dim CurLen
RetVal=Hex(Number)
CurLen=Len(RetVal)
If CurLen<Length Then
RetVal=String(Length-CurLen,"0") & RetVal
End If
HexString=RetVal
End Function