Sammy Ram Dump with USB Jtag how to:

fes_786

Inactive User
Joined
Nov 30, 2005
Messages
3,894
Reaction score
278
Location
uk
OK guys, here is how to dump your Sammy.

First you need a USB JTAG.

I used this one:
Code: [block not shown]

It would be helpful if you install a 2x10 pin header:

Code: [block not shown]

OK, once you've got the pin header installed and have the USB JTAG,
you need to download the following drivers:

Code: [block not shown]

You will also need Hex Workshop or any other hex editor you like,
and you will need OpenOCD r717, which I have attached to this thread.

Once the drivers are installed:

Put the openocd folder into C:\program files.

Plug the JTAG into the box and the PC.

Power on the box WITH the card inserted and on Stream.

Once the box is powered up, go to a pay channel.

Open up a command window and type the following command:

Code: [block not shown]

Now you need to enter this command:

Code: [block not shown]

Now, if everything is working, you should get the following:

Code: [block not shown]

and the box will have rebooted and stuck on pl30 or similar.

Now you need to use PuTTY (included in the openocd-r717 folder).

Choose telnet and enter the following:

Code: [block not shown]

It should say the following in PuTTY:

Open On-Chip Debugger
>

Now you type the following command:

Code: [block not shown]

Now it will start dumping the RAM; it should take around 20/30 mins.

Once it has dumped the RAM,

you need to close PuTTY and the command window,
unplug the box, take the SCART out and unplug the USB cable from the PC.

Then repeat the steps 3 times. Remember: same pay channel, and just change the file name, like:

ramwithcard.bin, ramwithcard1.bin, ramwithcard2.bin, ramwithcard3.bin

Now in C:\program files\openocd-r717\bin you should have 4 32 MB .bin files.

Now load these into a hex editor, and you want to search for your BK, IRD and IRD reversed.

Now, the SK is in the dumps,

but this is as far as I'm going to spoonfeed.

Now research the SK data block / SK format etc.
and you will find it in the dumps.

Then all you need to do is stick it in a CAM with the CAM ID and it should pair up with your card.

Don't bother asking any questions regarding the SK like "how does it look?", "what address is it?" etc.,
as I won't reply.

If you do your research you will know how it looks etc.

I hope this gets some people interested in cable again.



Thanks to: The_coder, Mr0, Trojan, Chef1 for pointing me in the right direction.


Attachments

  • openocd-r717.rar
    5.2 MB
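The last step above, searching four dumps for the IRD and its byte-reversed form and working out which hits are real, is tedious in a hex editor. The script below is an added example for this thread, not the original poster's tooling: it finds every offset of a pattern (forward and reversed) in each dump and reports the offsets that recur in all of them, which is what dumping four times after separate reboots is meant to expose. The four small "dumps", the 8-byte IRD value, the planted offsets and the .bin file names are constructed sample data and assumptions; real dumps are 32 MB files loaded with `load_dumps`.

```python
"""Search several RAM dumps for a known byte pattern, forward and byte-reversed,
and report which offsets recur in every dump.

Added example for this thread, not the original poster's tooling. The sample
dump size, the 8-byte width of the IRD and the file names are assumptions.
"""
import random
from typing import Dict, List, Sequence


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which `pattern` occurs in `buf` (overlaps included)."""
    if not pattern:
        raise ValueError("empty pattern")
    hits: List[int] = []
    pos = buf.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(pattern, pos + 1)
    return hits


def search_dumps(dumps: Sequence[bytes], pattern: bytes) -> Dict[str, List[List[int]]]:
    """Per dump, the offsets of `pattern` and of its byte-reversed form."""
    return {
        "forward": [find_all(d, pattern) for d in dumps],
        "reversed": [find_all(d, pattern[::-1]) for d in dumps],
    }


def stable_offsets(per_dump: Sequence[Sequence[int]]) -> List[int]:
    """Offsets present in every dump. A copy at the same address after each
    reboot belongs to a structure the firmware rebuilds deterministically; a
    hit in only one dump is usually a stale buffer or a coincidence."""
    if not per_dump:
        return []
    common = set(per_dump[0])
    for hits in per_dump[1:]:
        common &= set(hits)
    return sorted(common)


def context(buf: bytes, offset: int, before: int = 16, after: int = 48) -> str:
    """Hex of the bytes around a hit, so the surrounding block can be eyeballed."""
    start = max(0, offset - before)
    return buf[start:offset + after].hex(" ")


def load_dumps(paths: Sequence[str]) -> List[bytes]:
    """Read the .bin files written by the dumper (names assumed, see __main__)."""
    out: List[bytes] = []
    for p in paths:
        with open(p, "rb") as fh:
            out.append(fh.read())
    return out


def report(dumps: Sequence[bytes], pattern: bytes) -> Dict[str, List[int]]:
    """Stable offsets for both orientations of the pattern."""
    return {k: stable_offsets(v) for k, v in search_dumps(dumps, pattern).items()}


# Constructed sample data (made-up IRD value): four small "dumps" with
# different random filler (a reboot changes uninitialised memory), the IRD
# planted at the same two places in every dump, plus one transient copy that
# exists in a single dump only.
SAMPLE_IRD = bytes.fromhex("1122334455667788")


def make_sample_dumps(ird: bytes = SAMPLE_IRD, size: int = 0x2000) -> List[bytes]:
    dumps: List[bytes] = []
    for boot in range(4):
        rnd = random.Random(0xC0FFEE + boot)
        buf = bytearray(rnd.getrandbits(8) for _ in range(size))
        buf[0x400:0x400 + len(ird)] = ird           # stable, forward
        buf[0x900:0x900 + len(ird)] = ird[::-1]     # stable, byte-reversed
        if boot == 2:
            buf[0x1800:0x1800 + len(ird)] = ird     # one-off copy, ignored
        dumps.append(bytes(buf))
    return dumps


if __name__ == "__main__":
    # Real use (assumed file names from the post):
    # dumps = load_dumps(["ramwithcard.bin", "ramwithcard1.bin",
    #                     "ramwithcard2.bin", "ramwithcard3.bin"])
    dumps = make_sample_dumps()
    for orientation, offs in report(dumps, SAMPLE_IRD).items():
        for off in offs:
            print(f"{orientation:8s} 0x{off:08x}  {context(dumps[0], off)}")
```

Run it against the real files by swapping the constructed dumps for `load_dumps(...)` and the sample IRD for your own; only offsets that survive all four boots are worth opening in the hex editor.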
Well, once you've got the RAM dumps and you do your research, it will enable you to use your N3 card in a third-party receiver or server ;)
 
Great post fes, as usual. Thanks, going to have a bit of fun trying it.


I'm gutted, I only have a 3110.
 
I've made this a sticky for you, fes. Thanks.
 
Cheers m8.

Will make a new thread about the RSA/SK format etc., and maybe some people could join in and share some info
about block cipher encryption/decryption,
how it works and what version Kudelski implement etc.
 
Sooooo,
did anyone try and dump RAM???

Or does no one want to do any work for themselves??
 
I'm gutted I don't have a 2100 with an N3 card in, otherwise I would definitely have had my JTAG out by now!!
 
I'm presuming this is only for the Sammy 2100 box and not the later Sammy boxes?

Unfortunately, not that many of them around these days, and usually only concentrated in ex-CW areas.
 
If you're dumping from RAM then the data is surely already decrypted into a usable form?

If you want to learn about pairing then just read through all the N2 documents available from various places (including N2 card dumps and 'simulators'). N3 pairing is very nearly identical to N2 pairing.
 
I already know the data is decrypted, and have the SK to pair up my card to SBox on Dreambox ;)

I just wanted to help other people out.

First of all they need a RAM dump with the card inserted,

then we can start from there about finding the SK.

A lot of people want an app that will just tell them the RSA/SK;

I want people to read up a bit and then understand the procedure,

as you know, most of the guys in the know don't make tuts anymore.

The Sammy 2100c is the easiest box to get the SK / RSA / Cam_n from.
 
The later Sammys: well, if you could get RAM dumps then it won't be too hard, as the RSA/SK follow a set format.

#hint: look for the header and IRD ;)

Now I heard someone did dump RAM on the later Sammys, but I don't know how he did it. Possible options are:

replace the RAM chips with something more *static*
use a RAM emulator *expensive*
read the RAM in-circuit using a clip?

Basically the N3 has a weak spot for CS purposes, and that is: in the receiver, in TSOP/BGA, the RSA is encrypted;
in RAM it's decrypted *major weak spot*

The only problem is to figure out how to dump the RAM on the other receivers.


Code: [block not shown]
 
I know the Redneck was for N2, but could this not be used for N3, or is that thinking way too far?
I only thought this way as you're reading the stream for RST.
I am away till next week m8, then I will jump in and try to help; might take a little time to get bits though.
 
The later Sammys: well, if you could get RAM dumps then it won't be too hard, as the RSA/SK follow a set format.

#hint: look for the header and IRD ;)

Yeah, I know how it's done and it's easy enough except for the rather expensive equipment you need. A RAM emulator/simulator will probably cost you £3000-4000 and in-circuit SOIC connectors will likely cost you another £200 each. If you've already got the equipment though, then the process is ridiculously easy, taking no more than 15-20 mins.

Given those kinds of prices, I can't see this being something your average guy will be doing on his home box just to allow a card to be paired to a Dreambox.
 
Basically the N3 has a weak spot for CS purposes, and that is: in the receiver, in TSOP/BGA, the RSA is encrypted; in RAM it's decrypted *major weak spot*

Not so much of a weak spot as a programming error, which is relatively easy for VM to correct. The major weak spot is that the actual encryption used on the flash version is relatively transparent. Kudelski really haven't tried to hide it very successfully but, to some extent, that's also down to the chipset manufacturers not providing proper security facilities.

If you've got a box you can JTAG then you can do a lot more than just dump memory. You can also single-step through code and set breakpoints at 'interesting' locations. When you can do that, hiding stuff becomes very difficult indeed!

Remember also that Nagra is NOT limited to VM boxes. You can learn an awful lot by examining dumps from boxes in other countries. Some of them have even been disassembled and commented, so tracing through Kudelski's bit of code becomes fairly simple.
 
I've seen some hobbyists who have UP2008 programmers that cost £500.

The SOIC clips, you could probably find a Chinese company doing them cheap,

or buy an original set, use them, then sell them to the Chinese to clone = cheap clips for everyone....lol

//edit

Found some clips ;)

http://www.testpath.com/Categories/SOIC-Test-Clips-4600.htm

@nozzer

You got any links to some good reading material?
Would love to see a commented disassembled dump.

I want to try and work out how the encrypted RSA/SK is decrypted into its RAM equivalent.
 
I've seen some hobbyists who have UP2008 programmers that cost £500.

EPROM/flash readers aren't at all the same kind of thing as RAM emulators but yes, some hobbyists are remarkably well equipped. I'm sure some electronics hobbyist will have an in-circuit RAM dumper, but I'm also betting there won't be too many of them. It's a very specialist field; by comparison, UP2008 owners will be ten a penny.

The SOIC clips, you could probably find a Chinese company doing them cheap,

or buy an original set, use them, then sell them to the Chinese to clone = cheap clips for everyone....lol

//edit

Found some clips ;)

SOIC Test Clips - Shop Online For SOIC Test Clips From TestPath Electronic Test Equipment Accessories

Maybe those would work, not too sure. You need to remember that this RAM is likely working with just a couple of nanoseconds of data window. It will be similar to the DDR stuff running in your PC, so it is likely clocked at approaching 100 MHz with data on both positive and negative edges. That's close to 20 times the speed that a flash memory will be run at, and those barely run properly with a clip stuck on them!

@nozzer

You got any links to some good reading material?
Would love to see a commented disassembled dump.

Well, not handy, but they do pop up occasionally. The US scene did some quite amazing things with reprogramming various provider boxes, as did some of the Spanish guys. During the N1 days, they often didn't bother with Atmel cards etc.; they just inserted new code into the boxes so they ran the emulation themselves (sort of like the old SV/KV boxes did here).

Pretty sure there was also virtually the complete source code available for a Premiere box a while ago, including the complete Kudelski Nagra libraries (the libraries were binary-only link libraries I think, but in standard Linux ELF format, so routines could easily be extracted for disassembly).

For some interesting code you could also try the Samsung site; the base code of the SMT-3110 is a Linux-based open source affair. You won't find any Nagra code in there, but it's still interesting to see how an STB works, and you get an idea of how you could possibly write and insert new code modules.

I want to try and work out how the encrypted RSA/SK is decrypted into its RAM equivalent.

lol, be prepared to get down and dirty then. Chances are you're going to have to learn some fairly detailed info regarding at least one STB. Probably the easiest ones to go for are the MIPS-based cores. They have a nightmare instruction set (very much like the old transputer chips), but at least they are well supported by various tools and simulators.
 
What is the memory part? I guess it will be DRAM, so you'd need to figure out what's going on refresh-wise, but it might be possible to attach a logic analyser with deep storage (are there any vacant footprints on the board?) and watch the bus while the memory is written.

Code: [block not shown]

SOIC devices are generally 1.27 mm pitch and I'm guessing what is in the box is not. I saw a Wii clip recently; I was quite impressed with it.
 