
Writing a "Private 3M Script"
First it is important to define the term "3M." The term "3M" simply refers to a script's ability to unlock all of the channels, based on the saying "All for one, and one for all!" from "The Three Musketeers" (which came from the old days of hacking cable boxes, where all channels were viewable through one channel). Anyway, "3M" now is just a generic term for a card that has all channels open and no stealth or write protection. In stealth scripts, the "3M" code refers to the actual part of the code that enables the video. All scripts that open all of the channels are 3M's; however, most people are referring to scripts that auto-update on their own when they refer to a 3M. The card auto-updates because it has no commands blocked, and it appears to be a normal subbed card as much as possible.
The EASIEST type of 3M to write is to modify a valid bin file by editing it in BasicH. Before you can write a script to modify the card, you need to be able to edit a bin file manually to make those changes. If you read through this page carefully you will find everything you need to know to modify a valid bin file with unique jump points and a 3M code. After you are done editing your valid bin file you will have a private 3M that auto-updates, with private jump points. To remove it, simply do a 1-STEP clean in BasicH or BasicU. If you follow the directions you should have a fairly safe 3M to use.
If you have a private 3M (that does not have code in any regions that have been changed by updates) your card would still be running today no matter HOW long ago you installed it. They can only send a "killer" ECM that will loop your cards if they have 8 known bytes in a row that they can hash. In order to ZAP your card with an ECM, your card needs to be detected as being "hacked." To do this they need to know your card's "signature," and your signature is based on the "extra" data that is on your card: the jump points and 3M code. If they don't know your jump points or how exactly you broke up your 3M code, then it is not possible for them to target you, since they won't know the "signature" of your card. The advantage of picking your own jump point is that your card's signature is different from most people's cards. They are mainly interested in hashing the most public areas. If you pick the INS54 area then you can bet that many other people have also figured out what you have. You should really try to find a jump point outside of the INS 54 area. All we're after here is to make your card's signature just different enough from the freeware script users'. Anything you can change will help.
If you clone your card then you have 2 known bytes that will be different from your CAM ID, and those bytes are a checksum for the CAM ID. It MAY be possible that they can check those two bytes against the CAM ID to see if your card is cloned, but they haven't demonstrated that ability yet. Remember, nothing is foolproof. If your card is in the data stream taking updates, you risk an update possibly writing over part of the 3M software and corrupting your card. Nobody ever knows where the update will occur on the card.
To make things simpler to understand and follow I have color coded this page:
PURPLE for the 02 (jump to) code
BLUE for the 3M code
RED for the byte's ADDRESS
Understanding How Cards Work
The signal is based on packets of data which are sent along with all the video data to every receiver out there. Some of this data is filtered out before it is passed on to the smart card, such as individual unit authorizations. Of all the millions of these, only the ones for your smart card are passed on to your smart card. This is so the smart card does not get totally overloaded with messages for everyone else. Most of the other data packets DO get to your smart card.
When the signal passes through a card the following routine happens:
Normal Code Cycle
The DSS signal "passes thru" the card and does certain events that are important to the function of the card.
"INS 54" Determines Authorization
The "INS 54" is the location of code on the card that determines whether or not you are authorized to view a channel, and is responsible for returning a proper value to any authorization requests.
Normal Code Cycle
The signal comes back from the "INS 54" area and either authorizes or turns off the signal, based on what value was returned.
When the signal passes through a card that has 3M code on it the following routine happens:
Normal Code Cycles
The DSS signal "passes thru" the card and does certain events that are important to the function of the card.
Jump to Fake Authorization or "3m code"
The card "jumps" from the "INS 54" area to an address you have specified that has your 3M code. The 3M code "tricks" the card into thinking that the authorization is present by giving it a ZNT of its own, and then returning the proper answer, which allows all of the channels to be unlocked (this is the JUMP POINT).
Jump back from the "3M code"
The 3M code jumps back to the address you have specified at the end of the "INS 54" area: 8D2D
Normal Code Cycles
The signal authorizes the signal for all channels based on what was returned from the Fake ZNT or "3M code."
The area of the card that is checked to see if the channel has authorization is called "INS 54." That area in the card's EEPROM is 827B-8D2D. That's why most, but not all, jump points are placed within that area. Whenever you change the channel the card checks the "INS 54" area of the card to see if that channel is authorized. When the "check command" reaches your JUMP POINT it jumps out of "INS 54" directly to wherever your 3M code starts. The signal then bounces around to your selected "jump to" addresses and reads the 3M code (which fools it into thinking that the channel is authorized). The signal then jumps back to the last byte of INS 54, which is 8D2D, where it continues its normal cycle. During all of this the card actually thinks it was always in the "INS 54" area of the card, even though it jumped out and back again.
The instruction that is CRITICAL to learn about for writing 3M's is "INS 54". You should trace its path as far as possible in both directions so you can try to understand it completely. Not all jump points have to be within the INS54 handling routine from 8D03-8D2F (or 8D65), but it is the INS54 that's the instruction sent when you change channels that returns authorization, so you'll probably want to intercept that instruction somewhere.
Understanding Address Locations
To gain a better understanding of address locations open BasicH and load
a .bin file. Clean to USW 26 and look at the BasicH output screen:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 XX 00 | ................
8030 is the address location of the 1st byte of data, which is represented in hexadecimal format. As an example to help you better understand the addresses, the address location of the byte represented by XX is 805E. You will not need to modify your 3M like the above example; it is for learning purposes only.
The datastream passes through your card and goes through its normal code cycle at 8D17, then it hits 8D1A. 8D1A is the ZNT (Zero Number Test) which is used in authorization of the channels. You simply want to alter the code so that we can send the signal to the 3M code. Look at the EEPROM MAP and HCDT-Disassembly and study it carefully.
LJMP and LCALL
ljmp "Jump-To" byte: 02
The ljmp Jump-to byte is represented by the hexadecimal byte 02. When the signal encounters a 02, it will immediately look at the next 2 bytes in sequence. This will be the address location that the signal will go to.
To help you understand the "ljmp" command look at the following example:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8060: 00 00 00 00 00 00 00 02 80 8A 00 00 00 00 00 00 | ................
8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8080: 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 00 | ................
Notice that starting at address 8067 you encounter a 02 byte. This tells the signal to look at the next two bytes (the next 2 bytes = 80 8A). The signal will then skip to (jump to) the 808A address and encounter the 99. The above is only an EXAMPLE of how to spot the "02," what it means, and how it works. You will not need to modify your 3M like the above example; it is for learning purposes only.
The format for the ljmp instruction is:
02 XX XX (The x's are a 2 byte address).
With the ljmp instruction you can jump to the PPV area, and then jump back to any address; however, the code is a little longer than when using lcall.
Here is a jump code (to address 8032):
8D1B: 02 80 32 <-- ljmp to address 8032
Here is the 3m code at address 8032 and the jump back to
8D1B:
8032: E4 <-- 3M code
8033: F5 45 <-- 3M code
8035: 75 27 03 <-- 3M code
8038: 02 8D 1B <-- ljmp back to address 8D1B
Let me give another example. Here is what the code might look like before we alter it:
8332: 08
8333: E2
8334: 79 18
8336: 47
Now let us say we want to jump to our 3M code from address 8333 using ljmp. We will pretend our 3M code will go at address 8031.
Here is our new code with the ljmp:
8332: 08
8333: 02 80 31 <-- ljmp to address 8031
8336: 47
Since you are skipping the instructions at 8333 by putting the ljmp code there, and then skipping back to 8336, you are missing any instructions at 8333 as well as bypassing 8334. You must add those instructions (E2 79 18) to the beginning of our 3M code before you jump back to 8336. You must be careful when writing your jump code over original code, and also be careful when jumping back so that you do not skip execution of any important code.
Here is our 3M code for the ljmp beginning at address 8031:
8031: E2 <-- the instruction from 8333
8032: 79 18 <-- the instruction from 8334
8034: E4 <-- 3M code
8035: F5 45 <-- 3M code
8037: 75 27 03 <-- 3M code
803A: 02 83 36 <-- ljmp back to address 8336
lcall
The format for the lcall instruction is: 12 XX XX (the x's are a 2 byte address)
When you use lcall to jump to your 3M, the address immediately following the jump is pushed onto a stack, and you can return to that address simply by using the 1-byte instruction 22 (return). This means you do not have a choice of where to return to, but you can do so in 1 byte.
By using lcall instead of ljmp our 3M footprint is 2 bytes smaller. A smaller footprint makes a more difficult target. However, there is no choice of a return location, making it more difficult to randomize the jump signature.
Here is the beginning EXAMPLE unmodified code:
8332: 08
8333: E2
8334: 79 18
8336: 47
We will change the address at 8333 and use lcall to branch to our 3M CODE, which we will add at address 8032:
8332: 08
8333: 12 80 32 <-- lcall to 8032
8336: 47
Since you are skipping the instructions at 8333 by putting the lcall code there, and then skipping back to 8336, you are missing any instructions at 8333 as well as bypassing 8334. You must add those instructions (E2 79 18) to the beginning of your 3M code before you jump back to 8336. You must be careful when writing your jump code over original code, and also be careful when jumping back so that you do not skip execution of any important code.
Here is our 3M code for the lcall beginning at address 8032:
8032: E2 <-- (the instruction from 8333)
8033: 79 18 <-- (the instruction from 8334)
8035: E4 <-- 3M code
8036: F5 45 <-- 3M code
8038: 75 27 03 <-- 3M code
803B: 22 <-- RETURN command (we do not specify a return address because instruction 22 will automatically take us to the address immediately following the lcall, at address 8336)
NOTE: DO NOT USE THE ABOVE EXAMPLES, OR ANY EXAMPLES IN THIS GUIDE. THE EXAMPLES CONTAIN 3M CODE THAT IS TOO LONG AND WILL CAUSE YOU TO GET HASHED; THEY ARE JUST TO HELP YOU UNDERSTAND THE CONCEPTS INVOLVED WITH LCALL AND LJMP.
Jump Points
The "jump point" is a command in the program that reroutes the program operation to the PPV (or tier) area to execute the 3M routine and turn on the video and audio for our selected channel. Hiding our 3M routine within either the PPV or tier area is not the real problem. What you need to do is look for a routine that ALWAYS gets executed when you change channels, and then locate that address to find a point where we can jump from (and back to, following our 3M code). It also has to be an address that you can overwrite without disturbing the normal card cycle. Jump points are determined by analyzing the disassembled code that is on the card and carefully choosing a point at which to intercept program flow, while at the same time keeping both security from attack and the integrity of the card's routine in mind. Remember to always have a picture of the EEPROM table in your head and plan where your sections will be located. Count the bytes you need to write and make sure you can fit them in your area. It is also a good idea to take notes on what your starting addresses will be and what bytes you will be overwriting with your jump points.
You have to be very careful when choosing your jump points. You'll want your jump to come back just after your original jump point so it does not encounter that jump again in the cycle and cause a loop. If you do not have an unlooper I would not try too many things, as you will have to send your card out to a cleaner or buy an unlooper and fix your card. If you place the jump point after the return jump point at 8D2D then you will have a continuous loop, in other words a "looped" card.
A jump point is not just any random number; it's an EEPROM address within the card where you can place a jump command, or similar instruction, to intercept the normal program flow, redirect it to your routine that forces channel authorization (known as a 3M routine) and then jump back to a point somewhere after your jump point (again, it is not just another random address). You have to know where to jump from; it cannot be any random address. The only way to do this is to know how the program on the card operates. If you point to an area of the card which has fixed values in every legitimate card, then every legitimate card will generate the same new 10 keys, which ultimately become the correct keys used to get the video.
Until you learn more about how the card operates you can use any of the known jump points. Jump points can be tricky to pick. You must have at least SOME knowledge of what those bytes mean and how many of them go together to do something. If you break up the 3M code correctly the most that they can do is hashing. When choosing a PRIVATE jump point it would be best to avoid one of these jump points for your private 3M, since they are known and used by freeware, and have been targets of hashing:
8250-8257
8260-8267
8278-827F
8560-8567
8590-8597
8658-865F
8688-868F
8690-8697
8860-8867
8980-8987
89A0-89A7
89B0-89B7
89B8-89BF
8CF8-8CFF
8D00-8D07
8D08-8D0F
8D18-8D1F
8D60-8D67
8F28-8F2F
99A0-99A7 (wrap around address for 89A0 to 89A7)
9D00-9D07 (8D00-8D07)
Update 0001h/1 (8568h-856Bh)
Update 0002h/2 (8FF1h-8FF4h)
Update 0003h/3 (8FF5h-8FF8h)
Update 0004h/4 (8FF9h-8FFCh)
Update 0005h/5 (84F8h-84FBh)
Update 0006h/6 (8588h-858Bh)
Update 0007h/7 (8670h-8673h)
Update 0008h/8 (8460h-8465h)
Update 0009h/9 (8605h-860Ah)
Update 000Ah/10 (8F3Bh-8F46h)
Update 000Bh/11 (8F2Fh-8F3Ah)
Update 000Ch/12 (8F47h-8F52h)
Update 000Dh/13 (8F53h-8F5Eh)
Update 000Eh/14 (8F5Fh-8F5Fh)
Update 000Fh/15 (8965h-8966h)
Update 0010h/16 (8BA5h-8BAAh)
Update 0011h/17 (8F60h-8F68h)
Update 0012h/18 (865Ch-8660h)
Update 0013h/19 (8297h-8297h)
Update 0014h/20 (8F44h-8F44h)
Update 0015h/21 (858Bh-8592h)
Update 0016h/22 (8F70h-8F78h)
Update 0017h/23 (8C05h-8C06h)
Update 0018h/24 (8F79h-8F7Fh)
Update 0019h/25 (85D0h-85D1h)
Update 001Ah/26 (8591h-8594h)
Update 001Bh/27 (8F80h-8F86h)
Update 001Ch/28 (85D0h-85D7h)
Update 001Dh/29 (85CAh-85CBh)
Update 001Eh/30 (8660h-8667h)
Update 001Fh/31 (85D0h-85D7h)
Update 0020h/32 (8658h-865Fh) same as 18
Update 0021h/33 (8687h-8692h)
Update 0022h/34 (8702h-870Dh)
Update 0023h/35 (8693h-869Eh)
Update 0024h/36 (86F6h-8701h)
Update 0025h/37 (8762h-876Dh)
Update 0026h/38 (8732h-873Dh)
Update 0027h/39 (870Eh-8719h)
Update 0028h/40 (869Fh-86AAh)
Update 0029h/41 (86B7h-86C2h)
Update 002Ah/42 (86CFh-86D9h)
Update 002Bh/43 (8867h-8872h)
Update 002Ch/44 (874Ah-8755h)
Update 002Dh/45 (885Bh-8866h)
Update 002Eh/46 (86ABh-86B6h)
Update 002Fh/47 (871Ah-8725h)
Update 0030h/48 (85CFh-85D3h)
Update 0031h/49 (8756h-8761h)
Update 0032h/50 (86C3h-86CFh)
Update 0033h/51 (873Eh-8749h)
Update 0034h/52 (8709h-8710h)
Update 0035h/53 (888Bh-8896h)
The hard part is figuring out what address you can use and have the card still work. You need to figure out what "jump point" addresses have been used by freeware scripts, because you want to stay away from those. Get as many scripts as you can find and make a list of the jump points so you will know which ones to stay away from. Also, you will want to know what addresses are SAFE to use, because you don't want to "loop" your card. Get a card's EEPROM image file and open it up in a text editor (like NotePad). Disassemble it and trace the instruction 54 (which starts at 827B). Look at the HCDT-Disassembly and try to figure out what all of these jump points have in common, and soon you will discover private jump points of your own.
To find a new jump point, first find an instruction group in the original H card programming which is executed frequently (INS54 is a good example). Next, find a set of individual code instructions that is EXACTLY 6 bytes long when complete (such as three 2-byte instructions, OR two 3-byte instructions, OR one 3-byte instruction and three 1-byte instructions, etc.). You may then replace the code with your 6 bytes (a 3-byte jump instruction and 3 random bytes). Make sure the instructions you replace can be replicated in the 3M (no ajmp or acalls). Then rewrite the 3M code to include the replaced instructions, and change the jump back in the 3M to the address 6 bytes after your replaced jump instruction. Also notice: only 8000-8FFF (User area) gets hashed (the 9000's that got hashed are "wrap-around" addresses). If one location cannot be split to make a jump, then carry the necessary bytes out with your 3M string. A jump can always be inserted in between the code only to take it to a different location. Try to jump to a location other than PPV (like 83XX or the old nano area). Learn to use other ways of intercepting, such as lcall (12 address, with 22 for ret) and SJMP (80 XX, where XX is the number of bytes to jump down).
New ways to check for authorization, hash checking and normal writes can be created, making some code obsolete. You should always keep your code to a minimum exposure to the public, and keep it only to yourself. Try to avoid using public jump points and obvious bytes that shouldn't be on your card. Avoid having empty areas that should have bytes on a normal card. Use your common sense and try to make your card appear as much like a "normal" card as possible. REMEMBER: there are other areas to jump from aside from INS 54, as evidenced on the list. You can't always simply jump back to 8D2D, because doing so will skip over necessary code. If you are jumping outside the INS54 area you USUALLY need to return to the command immediately following the point you jumped from, and you will also most likely need to cycle the overwritten code back in after you jump, before the 3M. Also, you can't use data areas as jump points, because they never get executed. A jump point has to be part of the code that gets executed every time you change a channel and the card seeks authorization.
"Pay Per View" Area
The Pay Per View Area is the part of the card where information is written to record the authorization of PPV events and movies. When you clean your card the PPV area gets wiped clean so no information is present. When the PPV area is cleaned the area is "zeroed-out" (represented by NULL or 00 values). The PPV area starts at 8028 and ends at 80EF (refer to the EEPROM MAP to find the PPV area). We can easily use the PPV area of the card to store data such as 3M code. You can use any part of the PPV area that you want, but remember that "valid" PPV's are 8 bytes long, so you will need to add random bytes (any number from 00 to FF) before and/or after your 3M code in order to cloak it, as well as to appear to be a valid PPV purchase. The card expects that your PPV purchases will all start at either the "0" address or the "8" address.
There are 25 PPV slots. Each PPV slot is 8 bytes long. The first PPV slot is "8028-802F," the second slot is "8030-8037," the third slot is "8038-803F," and so on.
It is a good idea to work out all of the "jump to's" on paper prior to editing your bin, so you can mark the jumps clearly, etc. Here is a PPV area scratch pad for you to work from:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8020: 00 00 00 00 00 00 00 00 | ................
8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
PRINT OUT THE ABOVE WORKSHEET TO MAP OUT YOUR JUMP POINTS PRIOR TO EDITING YOUR BIN
REMEMBER
The PPV (and tier) areas are not where you put your jump point. These are the areas where the 3M activation routine is stored.
It is best not to have the jump-to addresses overlap across the "07" and "08" address, UNLESS you fill in the entire line with additional random bytes to make it appear as 2 purchases.
You should also never start your 3M code on a 0 or an 8, in order to hide your code from the checking routine.
Make the 80x6 and 80xE addresses appear to be valid PPV purchases.
Here are a few examples of "valid" PPV purchases:
87 D9 69 D8 01 8F 01 00
8A C8 69 D8 01 8F 01 00
8B B6 69 D8 01 8F 01 00
81 1E 69 DA 01 8F 01 00
83 4C 69 D9 01 8F 01 00
81 DD 69 DA 01 8F 01 00
85 13 69 D8 01 8F 01 00
81 E9 69 DA 01 8F 01 00
81 52 69 DA 01 8F 01 00
81 9A 69 DA 01 8F 01 00
8E F3 69 D9 04 4B 01 00
81 12 69 DA 01 8F 01 00
83 E9 69 D8 01 8F 01 00
83 1D 69 DA 01 8F 01 00
82 89 69 DA 01 8F 01 00
82 7D 69 DA 01 8F 01 00
81 3B 69 DA 01 8F 01 00
81 6E 69 DA 01 8F 01 00
81 CB 69 D9 01 8F 01 01
91 07 69 D7 01 F3 01 01
8E CB 69 D7 03 1F 01 01
8E E9 69 D7 04 4B 01 01
8F 4B 69 D7 03 83 01 01
90 16 69 D7 03 83 01 01
80 FC 69 D9 07 CB 01 01
81 11 69 D9 01 8F 01 01
81 1D 69 D9 01 8F 01 01
81 2A 69 D9 01 8F 01 01
81 51 69 D9 01 8F 01 01
81 6D 69 D9 01 8F 01 01
81 82 69 D9 01 8F 01 01
81 E8 69 D9 01 8F 01 01
82 F2 69 D9 01 8F 01 01
83 41 69 D7 01 8F 01 01
85 03 69 D7 01 8F 01 01
88 A7 69 D7 01 8F 01 01
8C 8F 69 D7 01 8F 01 01
8D E1 69 D7 03 E7 01 01
8C 7A 69 D8 04 AB 09 01
82 88 69 D9 01 8F 00 01
85 9C 69 D7 01 8F 00 01
00 59 6B C1 22 C4 09 01
90 29 69 D8 03 83 01 00
You will note that the above PPV code has many addresses that are roughly the same, and once in a while a few oddballs. The most important ones to keep the same are the beginning (1 or 8 PPV address slots) and the end (7 or F address slots). The best thing to do is get your own PPV examples to work from, so you can see the code for yourself. Load an activation script on your card and purchase a few PPV's, and you will notice that they will follow the above patterns with few exceptions.
Some people have noticed that a while after they install the P3M on their card, one of the "random" bytes, or one of the bytes of their 3M string, changed to an 06. If you clear the byte, put the card back in the IRD and check it again a few minutes later, it is back to 06, 20 or 26. This sometimes results in the 3M code failing to authorize the channel (call Ext. error) or even a fake Ext. 745 error. The "PPV status byte" is changing. Changes to bytes at XX06h and XX0Eh in the PPV area only occur when certain bit patterns exist in those locations. Some bytes are fine, others are not. Look at a valid PPV string to see what the card "needs" to see at certain addresses. Storing anything in the PPV area without knowing exactly how it is affected by the card could be dangerous. Some cards have been looped by having these bytes change.
Many other instructions can and have been changed, sometimes resulting in the 3M code failing to authorize the channel (call Ext. 721, 711, etc.) all the way to a fake Ext. 745 error being generated.
The BEST way to avoid this is to break up the 3M string and jump from chunk to chunk. You'll have to know the instructions so as not to break apart an instruction and its parameters. If you do this you may have to fix part of your 3M code if it supports locks/limits via a 20 4E xx type instruction. Instruction 20 is JB (Jump if bit set) and has a relative address as a parameter that normally jumps XX bytes ahead if bit 4E is set. If you move the bytes after that command around, it may be more bytes away and you'll need to correct this.
What is happening is the card is updating the status of what it thinks is a valid PPV entry. The card has logic to set status bits to indicate what state the PPV is in. They are being updated by cmd18, which gets called from instruction 36 and command 29/49. Instruction 36 is called to get card info, probably for delivery of info via phone line if connected. Cmd 29/49 seems to be related to buying/viewing PPV.
It only affects the 80x6 and 80xE addresses of the PPV area. The offending routine that writes the x6's looks like it's Cmd18/MatchFound/Ins46 at 165Bh in the ROM, specifically the four instructions at 1682h. When it gets to this section of the routine, it sets bits 1 and 2 of the 7th byte of the PPV slot (80x6 and 80xE), but it would seem to avoid that area of the code completely if both bits 0 and 1 are already set (i.e. second digit = 3, 7, B, or F). Now, depending on how it gets there, it may skip over it if only one or the other is set.
The PPV area is touchy, which is why most scripts restrict their code to the tier area, which is not affected by normal operations of the card. Addresses in the PPV area that end in 06h or 0Eh could be modified (depending on exactly what the value in those locations is). Your best bet is to be aware of this fact when constructing a 3M string in the PPV area, and either work around it (you could skip over the 06h/0Eh addresses by SJMP'ing over them) or only use the tier area.
If you decide to use the tier area and you aren't disabling processing of the deferred command buffer (i.e., a simple 3M that is stored in the tier area), then it is conceivable for it to be affected by a packet containing special Cmd41 or Cmd42 entries ("Add or update tier" or "Drop tier" commands). You can also prevent tier wipes by corrupting the global key Group Key 0.
3m Code
The 3m Code we will be using includes the following sequence of bytes:
75 27 03 20 4E 08 E4 F5 45 02 8D 2D
There are many combinations and variations you can use.
If you don't use the locks & limits you can use the following 3M code:
E4 F5 45 75 27 03 02 8D 2D
If you DO want the locks & limits use this code:
20 4E 06 E4 F5 45 75 27 03 02 8D 2D
The byte 02 means "ljmp" or "JUMP TO," and the address that follows is "8D 2D," which means that our 3M code returns back to the 8D2D address. Until you become more advanced at writing 3M's you MUST jump from "8D1A", and you MUST jump back to "8D2D."
The 3M code can be broken up into parts:
Part 1 : 75 27 03
Part 2: 20 4E 08
Part 3: E4
Part 4: F5 45 02 8D 2D
We do this because it makes it harder for your test card to be looped, hashed, or destroyed, since ECM's are hashed on a basis of 8 bytes, so we split our code to avoid this. You can split up your 3M code as much as you want, as long as the bytes are in order.
Writing the 3M code to your Card using "LCall" and jump points
Note: Do NOT use the addresses that we use in this example if you want to be private! In other words, choose your own random points to jump to.
In the BasicH screen dump you will notice that at 8D1A the bytes = 20 38 10. You need to change this value to include a jump-to and the address you want to jump to. 20 38 10 will now be replaced with 02 XX XX (XX XX = the address location of your 3M code). It is safest to use the PPV area to store your 3M code at first. The PPV area is between addresses 8028 - 80EF.
Aside from 8D1A, other known jump FROM points are 8D11 and 8D20. Experiment a bit, and you can find your own spot to jump FROM to make your 3M TOTALLY private.
As mentioned earlier, you can break the 3M code up into parts, and jump around to addresses within different areas of the PPV area.
(NOTE: THE FOLLOWING IS AN EXAMPLE ONLY! DO NOT USE THIS EXAMPLE!! MAKE ONE OF YOUR OWN TO AVOID BEING TARGETED BY DTV!)
Start BasicH and insert your card into your programmer. Read your EEPROM and save your bin file, and remove your card. Load a VALID .bin file into BasicH and clean it to 26 updates by clicking on the AMBULANCE icon (clean EEPROM in memory) and selecting "clean to 26 updates". Enable Edit mode in BasicH.
NOTE: You are editing the bin file in memory, and not the card itself! Be careful when editing the bin file to make sure you are editing the CORRECT addresses.
Replace the code at 8D1A with "02 80 61" (jump to address 8061)
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8D10: 00 00 00 00 00 00 00 00 00 00 02 80 61 00 00 00 | ................
At address 8061 write "75 27 03 02 80 51" (first part of the 3M & jump to 8051)
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8060: 00 75 27 03 02 80 51 00 00 00 00 00 00 00 00 00 | ................
At address 8051 write "20 4E 08 02 80 49" (second part of the 3M and jump to 8049)
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8050: 00 20 4E 08 02 80 49 00 00 00 00 00 00 00 00 00 | ................
At address 8049 write "E4 02 80 31" (third part of the 3M and jump to 8031)
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8040: 00 00 00 00 00 00 00 00 00 E4 02 80 31 00 00 00 | ................
At address 8031 write "F5 45 02 8D 2D" (fourth part of the 3M and jump back to 8D2D to continue the normal code cycle)
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8030: 00 F5 45 02 8D 2D 00 00 00 00 00 00 00 00 00 00 | ................
Now your edited bin should look something like this:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8020: 00 00 00 00 00 00 00 00 | ................
8030: 00 F5 45 02 8D 2D 00 00 00 00 00 00 00 00 00 00 | ................
8040: 00 00 00 00 00 00 00 00 00 E4 02 80 31 00 00 00 | ................
8050: 00 20 4E 08 02 80 49 00 00 00 00 00 00 00 00 00 | ................
8060: 00 75 27 03 02 80 51 00 00 00 00 00 00 00 00 00 | ................
8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
8D10: 00 00 00 00 00 00 00 00 00 00 02 80 61 00 00 00 | ................
(note: at line 8D10 in this example, do NOT change the other addresses to "0"'s, just change the address at 8D1A. Again, this is an EXAMPLE; design your own!)
NOTE: It is also a good idea to add random bytes (any hex number from 00 to FF) BEFORE and AFTER your 3M code to further "stealth" the code. For example, the first part of our 3M code would look like:
XX 75 27 03 02 80 A3 XX
The XX's represent random hexadecimal bytes (any hex number from 00 to FF). The first set of random bytes would start one address earlier than our jump point, and the last set of random bytes would be at the address after our "jump back to" address (in the above example the "jump back to" address is "80A3"). For example: if our "jump to" address was "8005" and we are adding ONE set of random bytes before the jump address, then the random bytes would go at 8004. PPV code is displayed as sets of 8 bytes, so remember to add only enough random code to bring the string to 8 bytes. Remember, bytes are sets of 2 numbers, so 00 00 00 is 3 bytes.
Let's say we want to put the 1st part of the code at 8061:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8060: 00 75 27 03 02 80 51 00 00 00 00 00 00 00 00 00 |
We would want our string to be eight bytes long, and the 1st part of our 3M (with the jump command and address) is only 6 bytes long, so we add a random byte (any number from 00 to FF) BEFORE our 3M code at address 8061, and another random byte AFTER our 3M code, at 8066 and 8067. At a glance it appears to be a "valid" PPV purchase, which is 8 bytes long. KEEP IN MIND WHAT A "VALID" PPV PURCHASE LOOKS LIKE!
Here is what the 1st part of our 3M code at 8061, with RANDOM BYTES added, will look like:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8060: XX 75 27 03 02 80 51 XX 00 00 00 00 00 00 00 00 |
Now your edited bin WITH RANDOM BYTES should look something like this:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8020: 00 00 00 00 00 00 00 00 | ................
8030: XX F5 45 02 8D 2D XX XX 00 00 00 00 00 00 00 00 | ................
8040: 00 00 00 00 00 00 00 00 XX E4 02 80 31 XX XX XX | ................
8050: XX 20 4E 08 02 80 49 XX 00 00 00 00 00 00 00 00 | ................
8060: XX 75 27 03 02 80 51 XX 00 00 00 00 00 00 00 00 | ................
8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
8D10: 00 00 00 00 00 00 00 00 00 00 02 80 61 00 00 00 | ................
XX = random bytes
REMEMBER: Never start your 3M code on a 0 or an 8 address, and if it crosses the "border" between the two addresses be sure to fill in the bytes to make it look like a valid PPV purchase. The best thing to do is to either use the above examples, or load an activation script on your card, "buy" some PPV's and look at the code in BasicH. When constructing your own jump-to areas in the PPV, keep in mind that it fills in slot one, then slot two, and so on until 25, so it is best to avoid large gaps like in the above example. Also, if your 3M string ends on a 7 you may have problems. Also try to follow the pattern that the card expects to see in the PPV area, by referring to the above examples. Again, the card expects that your PPV purchases will all start at either the "0" address or the "8" address.
There are 25 PPV slots. Each PPV slot is 8 bytes long, so it is best not to have the jump points overlap across the "07" and "08" address, unless you fill in the entire line with additional random bytes to make it appear as 2 purchases. The first slot is "8028-802F," the second slot is "8030-8037," the third slot is "8038-803F," and so on.
Disable "Edit Mode" and save the edited bin with a different name. Clean your card with a One-Step clean in BasicH, twice to 26 updates, or until zero file differences. Then write the modified bin to your card (NOTE: do not clean the bin after you have modified it or you will lose your jump point data in the PPV area; clean the bin BEFORE you modify it). Next use WHISPER, which is a script that will activate your card, but it won't work unless you have a modified bin. It is possible to edit your bin manually to include this data, however it is not necessary. Reboot your IRD, insert your card and watch TV!
Understanding Packets (advanced)
The DTV system is based on packets of data which are sent along with all the video data to every receiver out there. Some of this data is filtered out before it is passed on to the smart card, such as individual unit authorizations. Of all the millions of these, only the ones for your smart card are passed on to your smart card. This is so the smart card does not get totally overloaded with messages for everyone else. Most of the other data packets DO get to your smart card. There are dozens of types of data packets, but only a few are of vital importance.
The first vital packet is the 4840 packet, which is what you get immediately after you tune to a new channel (and at regular periods afterwards too). An example could look like this:
48 40 00 00 XX 40 09 10 10 00 01 4A 12 34 02 41 03 33 42 00 0C AA BB CC DD EE
Let's break this down:
48 40 00 00 XX
Here 48 40 describes the type of packet and the XX is the number of bytes to follow.
40
This is an echo of the packet type back to the receiver to show the smart card is working.
09 10 10 00
Here 09 is the command to set the key to be used in all subsequent decryption routines. In this case, key 10 is pointed to, which is a generic key shared by all smart cards.
The smart card uses an algorithm which generates 10 bytes every time it is called. It uses the previous value for these 10 bytes and a new value found in the "A register" or accumulator. Once the 09 command has been issued, almost every byte read in after that goes through this algorithm and so causes a new set of 10 bytes to be generated. So the only time you can predict in advance what these 10 bytes are is just after the 09 command has been issued. The algorithm is complex enough that trying to calculate the correct result would take years of processing even with a super-computer.
01 4A 12 34
Here 01 is the command to load the time and date, where 4A would be the month and 12 34 the digital hour and minute (not directly related to our 24 hour clock). You should note, following the above description of the 10 byte key process, that reading in these 4 bytes causes a unique new set of 10 keys to be created after each of the 4 bytes is read in, so any attempt to intercept and modify these dates causes the wrong 10 bytes to be created.
02 41
Here 02 is the command to load the program rating and the viewing status. The 1st digit '4' means you need a subscription to watch; it would be '8' if it was a preview or free. The 2nd digit is the parental rating. It should be repeated that any attempt to change the '41' (you need a subscription) to '81' (you can watch for free) will also generate the wrong 10 keys.
03 33 42 00
Here 03 is the command to check the subscription list in the smart card to see if the smart card is valid for channel 3342 at this time. So here is where the smart card response starts to change depending on whether it does have a valid entry for channel 3342 or not. Again, you can't intercept and change the data from the 3342 that the system demands you have to a different number that you know your smart card does have without creating the wrong 10 keys. This 03 command can be repeated a number of times because any channel may have more than one channel identifier that it will accept. (This is to simplify selling packages of channels without needing a unique subscription for every single channel.) On a Pay-Per-View movie (PPV) the 03 command is replaced by an 06 command, but the end result is the same.
0C AA BB CC DD EE
Here 0C is the command to check the integrity of all the received data, everything after the initial 09 command was issued, right up to and including the final byte 'EE'. As explained, every single byte read causes yet another call to the decryption algorithm to generate yet another new set of 10 keys. The purpose of the 'AA BB CC DD EE' is that these 5 bytes are checked against the first 5 bytes of these newly created 10 keys, and all 5 of them must match exactly. If they do not, because of noise say, or because the data was intercepted and altered, then no match occurs and the process which generates the correct video keys will not execute. You can't guess these 5 numbers as there are 256*256*256*256*256 possibilities (which is a lot).
That is the end of the 4840 packet. The smart card goes back to idle waiting for the next packet. What it has stored, however, is a set of 10 keys and a status for whether it is allowed to watch this channel or not. The receiver as yet does not know what this status is, so no video is being shown.
Almost immediately after this comes the next vital packet, 4854. This has a simpler format: 48 54 00 00 00 with nothing else to follow. The smart card recognizes the 48 54 type and echoes the 54 back. Then it uses the status it created with the '4840 packet' to generate a further version of the 10 keys. It crunches them through the on-die ASIC so that a pure software emulator can't be used. Then it does a final software encryption and sends the resulting 10 keys over to the receiver, together with the status info. What is vital is that the correct 10 keys are only sent if the accompanying status shows the smart card is valid for that channel at that time. Otherwise, a different set of 10 keys will be sent, created earlier by the '484A packet', and these will NOT result in any video.
These 10 keys are then fed to the MPEG decoder to sort out the video, which will be turned on if the sequence is correct. (The audio is not encrypted; it will be turned on if the correct status is sent even if the wrong keys are sent.)
You should have learned by now that these two packets are crucial: if you change ANY byte between the 09 command in the 4840 packet and the last byte of the 4840 packet, you will generate the wrong 10 keys and get no video/audio.
You can add other commands in the 4840 packet than the simple 01 (time), 02 (rating) and 03 (subscription), as long as the correct final 5 bytes are calculated by the system to generate the required 10 keys correctly. You can, for example, include a 60 command, followed by a sub-command string B5:
60 B5 03 81 23 01
What this does is cause yet another new set of the 10 keys to be created 8 times, one for every value it finds in the EEROM at location 8123. You can specify the number of 8 byte blocks to check (the example shows 01 for 1 block) and you can specify a list of addresses to check. The actual address would not be 8123 but another address (or list of addresses) in the 8XXX area which corresponds to code altered by 'pirates'.
If you point to an area of EEROM (or ROM for that matter) which you know has fixed values in every legitimate card, then every legitimate card will generate the same new 10 keys, which ultimately become the correct keys used to get the video. If any 'pirate' cards have different code in that area, then they will generate different 10 keys and get no video. They won't be damaged, they simply won't work! Because you can use a list to specify addresses to check, you can with a few short key strokes cover most of the so-called free space where any 3M type routines might be written.
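The 4840 packet walk-through and the 60 B5 memory check above, as an added example that is not part of the original page: a Python decoder for the command layout the text describes, with a stand-in keystream (SHA-256, which is NOT the card's algorithm) that only reproduces the dependency the text explains, namely that every byte after 09, and every EEROM block a 60 B5 names, feeds the state the final 5 bytes are checked against. The operand lengths, the meaning of the length byte XX, the 60 B5 layout, the EEROM image and all function names are assumptions taken from the page's single examples.

```python
import hashlib

# Operand byte counts per command, read off the page's example packet (assumption: one instance each, not a formal spec).
CMD_LEN = {0x09: 3, 0x01: 3, 0x02: 1, 0x03: 3, 0x06: 3, 0x0C: 5}
NAMES = {0x09: "select_key", 0x01: "time", 0x02: "rating", 0x03: "sub_check", 0x06: "ppv_check", 0x0C: "integrity"}
LEGIT_EEROM = bytes(range(256)) * 16   # constructed image of the 8000-8FFF area, index = addr - 0x8000

def parse_4840(pkt: bytes) -> list:
    """Split a 48 40 packet into (name, detail, raw) tuples; raise on malformed input."""
    if pkt[:2] != b"\x48\x40" or pkt[5] != 0x40 or len(pkt) - 6 != pkt[4]:
        raise ValueError("bad 4840 header (assumes XX counts the bytes after the 40 echo)")
    cmds, i = [], 6
    while i < len(pkt):
        op = pkt[i]
        if op == 0x60 and pkt[i + 1] == 0xB5:
            # 60 B5 LL <addr hi> <addr lo> <block count>: EEROM check; layout assumed from "60 B5 03 81 23 01"
            n = 3 + pkt[i + 2]
            cmds.append(("eerom_check", pkt[i + 3:i + n].hex(), pkt[i:i + n]))
        elif op in CMD_LEN:
            n, arg = 1 + CMD_LEN[op], pkt[i + 1:i + 1 + CMD_LEN[op]]
            if op == 0x02:   # high nibble 4 = subscription needed, 8 = free/preview; low nibble = parental rating
                detail = {"needs_sub": arg[0] >> 4 == 4, "parental": arg[0] & 0xF}
            elif op in (0x03, 0x06):
                detail = arg[:2].hex()   # channel identifier, e.g. "3342"
            else:
                detail = arg[0] if op == 0x09 else arg.hex()
            cmds.append((NAMES[op], detail, pkt[i:i + n]))
        else:
            raise ValueError(f"unknown command {op:02X} at offset {i}")
        i += n
    return cmds

def expected_tag(cmds: list, eerom: bytes) -> bytes:
    """Stand-in keystream: every byte from 09 through the 0C opcode, plus each 8-byte
    EEROM block a 60 B5 names, feeds one running state whose first 5 bytes are the tag.
    SHA-256 is NOT the card's algorithm; it only reproduces the dependency described."""
    h = hashlib.sha256()
    for name, detail, raw in cmds:
        h.update(raw[:1] if name == "integrity" else raw)   # the tag bytes themselves are excluded
        if name == "eerom_check":
            addr, count = int(detail[:4], 16) - 0x8000, int(detail[4:6], 16)
            h.update(eerom[addr:addr + 8 * count])
    return h.digest()[:5]

def verify_4840(pkt: bytes, eerom: bytes = LEGIT_EEROM) -> bool:
    cmds = parse_4840(pkt)   # True only if the final 5 bytes match for this card image
    return cmds[-1][0] == "integrity" and cmds[-1][2][1:] == expected_tag(cmds, eerom)

def make_sample(rating: int = 0x41, extra: bytes = b"") -> bytes:
    body = bytes.fromhex("09101000014A1234") + bytes([0x02, rating]) + bytes.fromhex("03334200") + extra
    pkt = b"\x48\x40\x00\x00" + bytes([len(body) + 6, 0x40]) + body + b"\x0C" + bytes(5)
    return pkt[:-5] + expected_tag(parse_4840(pkt), LEGIT_EEROM)   # constructed packet, tagged for LEGIT_EEROM
```

Flipping the rating byte from 41 to 81 or altering the block at 8123 in the card image both fail verification, while a card that differs only outside the listed block still passes, which is the coverage limit the text describes.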