Rom11 revBOC help please Error getting BackDoor 0 key

spud1966

Moderator
Staff member
Moderator
Joined
May 2, 2005
Messages
9,512
Likes
1,376
#1
Hi peeps stuck on this card
Can any one help please

Card rom11 RevBOC
Provider 5A01
Script multprovider multirom release ver 1.xvb

Nagraedit 4.1

Opening of COM1 was successful


ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
ROM Revision: 011
EEPROM Revision: RevB0C
ProviderID: 5A
CamID: AA AA AA AA
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
BackDoor login verified
Dumping Dataspace
Error getting BackDoor 0 key
Write error encountered, attempting to restore original decrypt keys
ProviderID: 5A
CamID: AA AA AA AA
Attempting to login to BD3
Decrypt keys successfully restored
Reading ROM11 failed
Closing of COM1 was successful




WinExplorer V5.42



________________Setting up WinExplorer_________________

Executing Script: C:\New Folder (119)\multprovider multirom release ver 1\multprovider multirom release ver 1.xvb

Multiprovider MultiRom script for Rom 10 and Rom 11 cards (both normal and 6300)
Now with experimental support for Rom 11 provider 40,55,5B and 5D cards - dunno if it will work tho

Do NOT remove card while script is running!!!

Card is a Rom 11 RevB0C (5A01)
Card logged in successfully

Please wait while we do our stuff....(this could take a while)
Now we will try Packet 1, 16FF delay, our VCC is about 40 and our Glitch Type was 08


*********** we hit our bug *************
9000 was our login = good login, packet 1 written to cam
1240029000
===========================================
90 was hit at 16FF delay ----VCC WAS 40 , our GlitchType was 08



*********** we hit our bug *************
9000 was our login = good login, packet 2 written to cam
1240029000
===========================================
90 was hit at 16FF delay ----VCC WAS 40 , our GlitchType was 08


Your TeleWest Rom 11 RevB0C (5A01) should now be unlocked
Started Glitching At 19:51:36
Glitched Card At 19:51:43
Done In 0:0:7

Script C:\New Folder (119)\multprovider multirom release ver 1\multprovider multirom release ver 1.xvb Transmission Completed

Can not get into card (Error getting BackDoor 0 key)

Dun a few Rom11 BOC cards with no problem , but stuck on this one

Cheers Garry
 

spud1966

Moderator
Staff member
Moderator
Joined
May 2, 2005
Messages
9,512
Likes
1,376
#2
Hi peeps think i have well killed this card now.
Put it into MrRom and the card hase changed into a Provider 4001 Unsupported!!

HELLP
 

pburns

VIP Member
VIP Member
Joined
Sep 8, 2003
Messages
1,596
Likes
16
#4
Try this D2C file in Nagra it checks all the passwords.

Just another point, something the same happened with a card of mine I rebootted and it read in Nagra no problem.
 

spud1966

Moderator
Staff member
Moderator
Joined
May 2, 2005
Messages
9,512
Likes
1,376
#5
Thanks for help i will give it a try , let use know how i get on

Cheers Garry
 

spud1966

Moderator
Staff member
Moderator
Joined
May 2, 2005
Messages
9,512
Likes
1,376
#6
Ok peeps this is how im getting on with the card

Put the card into Mrom and it changed the provider to 4001
So exoticasian30 sent me a script 4001_Via_Digital_Script (Thanks) to open the card

So I get this when I run the script (WindowsExplorer V5.42 )


________________Setting up WinExplorer_________________

Executing Script: C:\my-stuff\4001_Via_Digital_Script\(4001 VIA DIGITAL) SCRIPT.xvb
TX Data : A0
TX Data : A1
TX Data : 07 0E 03 10 01 03 9A 00
RX Data : 07 1B
RX Data : 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30
TX Data : 14 03 10 15 AB 21 00 08 A0 CA 00 00 02 12 00 06
55 0E 03 87 00
RX Data : 14 08
RX Data : 12 00 08 92 04 AA AA AA

Now we will try 17FF delay
TX Data : B0 30
TX Data : 07 0E 03 10 01 03 9A 00
RX Data : 07 1B
TX Data : 47 15 E0
TX Data : 21 00 3D A0 CA 00 00 37 03 35 40 01 10 31 05 4E
69 70 50 45 72 20 49 E3 40 7C AD FD B9 64 29 F4
F6 77 C2 35 6D 74 74
TX Data : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 05 DA
TX Data : 0E 05 8A 00
RX Data : 47 0B
RX Data : 12 00 07 83 03 B1 01 01 90 00 B4
TX Data : 53 15 E8
TX Data : 21 00 45 A0 D7 10 80 40 46 52 B0 B4 38 47 40 AC
CC 56 5F 22 9C 92 D5 C9 F0 96 CE 11 09 2D
TX Data : 4A 5D E0 30 55 91 E9 51 C0 7C EA 63 E4 A5 A5 47
A2 04 DA A3 74 E5 23 BC 6F 99 0D FC
TX Data : CD EF 77 EF E3 BC 84 1D 73 68 71 61 1D 84 3D 20
17 FF 06 0E 05 85 00
RX Data : 53 06
RX Data : FF FF FF FF FF
-

*********** we hit our bug *************
9000 was our loggin = good loggin, D7 packet 1 wrote to cam
1240029000
===========================================
90 was hit at 17FF delay ----VCC WAS 31 , our GlitchType was 08

-

*********** we hit our bug *************
9000 was our loggin = good loggin, D7 packet 2 wrote to cam
1240029000
===========================================
90 was hit at 17FF delay ----VCC WAS 32 , our GlitchType was 08

TX Data : 07 0E 03 10 01 03 9A 00
RX Data : 07 1B
RX Data : 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30
TX Data : 60 15 F6
TX Data : 21 00 53 A0 CA 00 00 4D 00 4B 40 01 02 5C E6 28
B9 20 14 84 FD 52 B3 F4 A7 90 23 D0 10 3F 78 D5
42 9C 39 9C 1E 75 2A A7 8E 5B A8 B8 E1 8A D7 7D
95 3E E2 16 9B 1B D1 B8 DC 8F FB DD 7C 6E 0C DC
13 2C BF E3 0A DF BD C8 84 A9 05 1D CB 26 A1 E2
2A 6A D4 BB AA 05 28
TX Data : 20 00 FF 0E 05 85 00
RX Data : 60 06
RX Data : 12 00 07 80 03 B1

********************************
* NTL C&W ROM10 A82C EMM sent *
* ROM10 A82 cam should be open *
* test in Nagra to see. *
* if not, try again. *
********************************

Script C:\my-stuff\4001_Via_Digital_Script\(4001 VIA DIGITAL) SCRIPT.xvb Transmission Completed


And in NagraEdit v4.1

Opening of COM1 was successful
ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
ROM Revision: 011
EEPROM Revision: RevB0C
ProviderID: 40
CamID: CC CC CC CC
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
BackDoor login verified
Dumping Dataspace
Error getting BackDoor 0 key
Write error encountered, attempting to restore original decrypt keys
ProviderID: 40
CamID: CC CC CC CC
Attempting to login to BD3
Decrypt keys successfully restored
Reading ROM11 failed
Closing of COM1 was successful

So im still stuck on this mad card lol

Also got a a file from pburns (thank’s) d2c (Remodified Rom3-10-11 password unlocker list.d2c) , opened NagraEdit v4.1 and went to Comm ,open D2C , then sent the d2c file, so I get this from that.

PUBLIC*PASSWORD*UNLOCKER*FOR*ROM3*&*ROM10'MGTHESE*ARE*THE*PASSWORDS*IT*TRIES'MG0000000000000000'MG0123456701234567'MG02CEE178B38C261E'MG0316990316990316'MG092736FEED092736'MG1111111111111111'MG1111222211112222'MG1122334455667788'MG11AA22BB33CC44DD'MG1212121212121212'MG1234567890123456'MG123BADBADB0B4321'MG1966196719651966'MG1966196719661967'MG1999199919991999'MG2112211221122112'MG2222222222222222'MG264DC30E8324A1B2'MG3333333333333333'MG379465D7E54A7969'MG4444444444444444'MG44464F524D554C41'MG51424C53564D465B'MG5555555555555555'MG6666666666666666'MG6789067890678906'MG6969696969696969'MG7777777777777777'MG7373737373737373'MG7498749874987498'MG8888888888888888'MG9696969696969696'MG9999999999999999'MGA1A2A3A4A5A6A7A8'MGA1B1C1A2B2C3AAAA'MGAA11AA11AA11AA11'MGAAAAAAAAAAAAAAAA'MGAAAABBBBCCCCDDDD'MGAABBCCDDEEFF1122'MGAB12AB12AB12AB12'MGABCDABCDABCDABCD'MGABCDEF0123456789'MGACACACACACACACAC'MGB81B81B81B81B81B'MGBAADBADDDEADDEAD'MGBABA007BABA007BA'MGBADDADBEDDEDBABE'MGBEBECAFEBEBECAFE'MGCADAB0CABEBEC0CA'MGCOFFEECOFFEECODE'MGDDDDDDDDDDDDDDDD'MGDEADB10FB11DF12D'MGDEADBEEFBAADFEED'MGDEADBEEFBAADFOOD'MGDEADD00DD00DDEAD'MGDEADDEADDEADDEAD'MGDED0DEBEBECAFE99'MGDEEDBAADD00DF00D'MGDEEEEEEAAAAAAAFF'MGFEADBEEFBAADFF0D'MGFEEDDADADEADBEEF
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 0A A0 FF BA DD AD BE DD ED BA BE 34
RX: 12 00 02 69 00 79
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 25 A0 20 00 00 20 8F AB C2 64 44 9A FE 70
1D E7 62 FA B1 4C 31 06 00 11 22 33 44 55 66 77
88 99 AA BB CC DD EE FF DE
RX: 12 00 02 63 00 73
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 0A A0 FF 77 77 77 77 77 77 77 77 74
RX: 12 00 02 69 00 79
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 25 A0 20 00 00 20 8F AB C2 64 44 9A FE 70
1D E7 62 FA B1 4C 31 06 00 11 22 33 44 55 66 77
88 99 AA BB CC DD EE FF DE
RX: 12 00 02 63 00 73
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 0A A0 FF 66 66 66 66 66 66 66 66 74
RX: 12 00 02 69 00 79
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 25 A0 20 00 00 20 8F AB C2 64 44 9A FE 70
1D E7 62 FA B1 4C 31 06 00 11 22 33 44 55 66 77
88 99 AA BB CC DD EE FF DE
RX: 12 00 02 63 00 73
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 0A A0 FF 33 33 33 33 33 33 33 33 74
RX: 12 00 02 69 00 79
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 25 A0 20 00 00 20 8F AB C2 64 44 9A FE 70
1D E7 62 FA B1 4C 31 06 00 11 22 33 44 55 66 77
88 99 AA BB CC DD EE FF DE
RX: 12 00 02 63 00 73
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 0A A0 FF 22 22 22 22 22 22 22 22 74
RX: 12 00 02 69 00 79
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 25 A0 20 00 00 20 8F AB C2 64 44 9A FE 70
1D E7 62 FA B1 4C 31 06 00 11 22 33 44 55 66 77
88 99 AA BB CC DD EE FF DE
RX: 12 00 02 63 00 73
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 0A A0 FF DD DD DD DD DD DD DD DD 74
RX: 12 00 02 69 00 79
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 25 A0 20 00 00 20 8F AB C2 64 44 9A FE 70
1D E7 62 FA B1 4C 31 06 00 11 22 33 44 55 66 77
88 99 AA BB CC DD EE FF DE
RX: 12 00 02 63 00 73
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 0A A0 FF AA 11 AA 11 AA 11 AA 11 74
RX: 12 00 02 69 00 79
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
TX: 21 00 25 A0 20 00 00 20 8F AB C2 64 44 9A FE 70
1D E7 62 FA B1 4C 31 06 00 11 22 33 44 55 66 77
88 99 AA BB CC DD EE FF DE
RX: 12 00 02 63 00 73
CARD*SUCCESSFULLY*UNLOCKED,*TRY*READING*IT*NOW...
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
SCRIPT*IS*DONE


But im stuck after that bit , do I have to do something ells???
Coz the card will not dump

ROM Revision: 011
EEPROM Revision: RevB0C
ProviderID: 40
CamID: CC CC CC CC
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
BackDoor login verified
Dumping Dataspace
Error getting BackDoor 0 key
Write error encountered, attempting to restore original decrypt keys
ProviderID: 40
CamID: CC CC CC CC
Attempting to login to BD3
Decrypt keys successfully restored
Reading ROM11 failed
Closing of COM1 was successful

Hope some one can sort my prob out

ThAnK’s Garry
 

exoticasian30

Inactive User
Joined
May 31, 2005
Messages
573
Likes
0
#7
Gary,

Have you tried dumping the card with anything other that Nagra4.1?

If not try a shot at XNCS. Tick all of the options in the settings box except "ghost must be in eeprom".

A long shot I know but maybe worth a try.
 

TBC

DW Regular
Joined
May 5, 2005
Messages
4,015
Likes
50
#8
it looks like you need a reboot mate. shut down ur pc and restart then try reading the card again. as said above i too have had this a few times.
 

spud1966

Moderator
Staff member
Moderator
Joined
May 2, 2005
Messages
9,512
Likes
1,376
#9
Hi all

Did the reboot but still no good, i can read (my) mosc card with no probs , but this othere card i have now will not dump???
 

spud1966

Moderator
Staff member
Moderator
Joined
May 2, 2005
Messages
9,512
Likes
1,376
#10
exoticasian30 said:
Gary,
Have you tried dumping the card with anything other that Nagra4.1?
If not try a shot at XNCS. Tick all of the options in the settings box except "ghost must be in eeprom".
A long shot I know but maybe worth a try.

All i get is privileged instruction ???



And tried to do this to.

Then you will get 3 options
Top option is by ghost
Middle option is under dev

Click under dev middle option and you will get screen like this

No you need to change the 0000 in the COA2(NipperK) to 4E69

And now press GO
 

spud1966

Moderator
Staff member
Moderator
Joined
May 2, 2005
Messages
9,512
Likes
1,376
#12
Hi exoticasian30

In NagraEdit 4.1 I get this if I reset card

Opening of COM1 was successful
ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
ROM Revision: 011
EEPROM Revision: RevB0C
CAM Date: 1ABF
Closing of COM1 was successful

And in XNCS1.8 I get this

If i tick in options all of the except ghost , I get asked for this insert card provider which I put in 5401 and get this.
ATR=3FFF9500FF918171A04700444E415350303131205265764230433B
Info=DNASP011 RevB0C
Retrieving card info...
Card info retrieved :)
Dumping card,try #0.
Dumping card,try #1.
Dumping card,try #2.
Dumping card,try #3.
Couldnt Dump Card...

ThAnK's Garry

ps just got the kids to bed thay have been on msn all night lol
 

TBC

DW Regular
Joined
May 5, 2005
Messages
4,015
Likes
50
#13
open rom studio1.6(downloads), click on backdoor and choose dump/login aprendz(for rom 11) or chucky login(for rom 10).
the card should dump. the FAT EDITOR tab should allow you to view the box details from the card. The DATA EDITOR will give you your BD keys line c040 is your bd0 and line c070 is you bd3.
rom studio can be used to write a blank image to the card using (write nagra method) and entering the bd0 from line c040. (a blank is attached for rom 10 and 11)< once a blank is on the card it should open in nagra on the card it will open in nagra. I have also attached wonkos latest script but its unfinished, it does work for rom 10,11 though and will display the BK and IRD when it finishes < it also tests to make sure the card is actually open.
I'm sure will sort your problem with this stuff and patience.
 
Last edited:

exoticasian30

Inactive User
Joined
May 31, 2005
Messages
573
Likes
0
#14
garrytate said:
Hi exoticasian30

In NagraEdit 4.1 I get this if I reset card

Opening of COM1 was successful
ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 31 20 52 65 76 42 30 43 3B
ROM Revision: 011
EEPROM Revision: RevB0C
CAM Date: 1ABF
Closing of COM1 was successful

And in XNCS1.8 I get this

If i tick in options all of the except ghost , I get asked for this insert card provider which I put in 5401 and get this.
ATR=3FFF9500FF918171A04700444E415350303131205265764230433B
Info=DNASP011 RevB0C
Retrieving card info...
Card info retrieved :)
Dumping card,try #0.
Dumping card,try #1.
Dumping card,try #2.
Dumping card,try #3.
Couldnt Dump Card...

ThAnK's Garry

ps just got the kids to bed thay have been on msn all night lol
Gary, this is only a slim chance that it will help in getting this card to dump at the moment but remember that the current provider for your card was changed to 4001 due to the earlier use of MROM.

Try entering 4001 at the XNCS promt just in case that helps.

Failing that, the advice given by TBC above will give you another good shot at crackin this one.
 

spud1966

Moderator
Staff member
Moderator
Joined
May 2, 2005
Messages
9,512
Likes
1,376
#15
Cheers @exoticasian30 @TWOBEERCANS

For you time and hellp !!! , let you know how i get on

ThAnK's Garry
 

spud1966

Moderator
Staff member
Moderator
Joined
May 2, 2005
Messages
9,512
Likes
1,376
#16
Just letting you now how for I have got.

Found Rom Studio 2.4 and I can get into the card but its in Spanish

If I use Rom Studio 1.6 I can not get anything from the card (strange)

This is what I get , but stuck after i read the card.

D000: 07 27 01 40 01 08 01 00 40 52 FE F7 A0 82 24 BE .'[email protected]@RÞ÷ ‚$¾
D010: 97 FA C4 56 92 3C 57 00 00 00 00 00 00 00 D0 00 —ÚÄV’<W.......Ð.
D020: 9A 6E EB 38 6E 88 4D 83 BB 07 27 06 40 19 00 CC ŠNË8NˆMƑ».'[email protected]Ì
D030: 37 BB 7E C4 E2 C9 E9 79 BD 95 43 26 4B A2 40 DB 7»~ÄÂÉÉY½•C&K¢@Û
D040: 00 00 FF FF 00 00 00 00 20 16 94 FB 56 63 0B B1 ..ŸŸ.... .”ÛVC.±
D050: CD 26 E9 DF 54 63 D9 01 00 00 00 00 00 13 BA 00 Í&ÉßTCÙ.......º.
D060: 5F F6 2F B2 8A 97 FA CD B4 F1 1C 21 5E 31 95 DE _Ö/²Š—ÚÍ´Ñ.!^1•Þ
D070: C3 15 E2 2E 6B 51 7F D2 96 75 7F 78 8B ED 60 9B Ã.Â.KQÒ–UX‹Í`›
D080: DA 1B 5E C9 35 DC A6 B3 1D 82 AF 9F 8D 68 A5 9E Ú.^É5ܦ³.‚¯ŸH¥Ž
D090: 18 D6 33 84 AA 7F 24 30 B7 8D BA A1 93 A3 FF 59 .Ö3„ª$0·º¡“£ŸY
D0A0: 03 A0 56 04 2A 9E FA D0 38 87 BC 57 FA E7 7B 40 . V.*ŽÚÐ8‡¼WÚÇ{@
D0B0: B3 4D D3 63 60 04 D5 C3 98 20 05 B6 45 26 EF 5E ³MÓC`.ÕØ .¶E&Ï^
D0C0: F8 11 1C DA B6 82 CA B5 9F 62 2F 35 DF 8B AC A5 Ø..Ú¶‚ʵŸB/5ß‹¬¥
D0D0: 2F 33 20 39 EB 1B CC 73 EB BB BD 25 9D 57 9D DB /3 9Ë.ÌSË»½%WÛ
D0E0: 06 09 00 00 1B 13 53 90 FF 14 91 7D C7 D0 01 BC ......SŸ.‘}ÇÐ.¼

Iniciando abertura da Porta Com1
ATR = 3FFF9500FF918171A04700444E415350303131205265764230433B
Revisão Eeprom: DNASP011 RevB0C

Preparing Ghost Installation. (GHOST49b)
Ghost Items Installed :)!
=>Eficience=100.00%
Warning: Problem while searching Provider Info (Eeprom maybe Damage)

Cheers Garry
 

exoticasian30

Inactive User
Joined
May 31, 2005
Messages
573
Likes
0
#17
How about having a go at writing a blank .bin image to the card using rom studio 1.6.

That BD key at line D040 looks strange but give it a go anyway.

Try to load up your blank image into 1.6 and write to the card using the BD0 key:
0000FFFF00000000201694FB56630BB1
 

TBC

DW Regular
Joined
May 5, 2005
Messages
4,015
Likes
50
#18
i wouldn't bother all the data from D000 upwards is dataspace the code space with the bd keys in is below that range at c040 thru c070
 

exoticasian30

Inactive User
Joined
May 31, 2005
Messages
573
Likes
0
#19
TWOBEERCANS said:
i wouldn't bother all the data from D000 upwards is dataspace the code space with the bd keys in is below that range at c040 thru c070

My mistake lol.

I mistook the D for a C.
 
TEST
Top