Write your own 3m
I for one am fed up with all the current hashing and have noticed that the
only way to stay ahead in this hobby is to learn how to write your own
3M's. So let's get to learning. I have put some cut and pastes together
to help us all get started. The first cut and paste is for the H card.
It's kind of easy, and once we learn a little about the H 3M, the HU should
be a little easier. Remember, these are not mine but only cut and paste,
and I'm learning just like everyone else.
FOR H CARD............
Writing a "Private 3M Script"
First it is important to define the term "3M." The term "3M"
simply refers to a script's ability to unlock all of the channels, based
on the saying "All for one, and One for all!" from the "3
Musketeers," (which came from the old days of hacking cable boxes
where all channels were viewable through one channel).
Anyway, "3M" now is just a generic term for a card that has
all channels open and no stealth or write protection.
In stealth scripts, the "3M" code refers to the actual part
of the code that enables the video.
All scripts that open all of the channels are 3M's, however most people
are referring to scripts that auto-update on their own, when they refer
to a 3M.
The card auto-updates because it has no commands blocked, and it appears
to be a normal subbed card, as much as possible.
The EASIEST type of 3M to write is to modify a valid bin file, by editing
it in BasicH.
Before you can write a script to modify the card, you need to be able
to edit a bin file manually to make those changes.
If you read through this page carefully you will find everything you
need to know to modify a valid bin file with unique jump points and
a 3M code.
After you are done editing your valid bin file you will have a private
3M that auto-updates, with private jump points. To remove simply do
a 1-STEP clean in BasicH or BasicU.
If you follow the directions you should have a fairly safe 3M to use.
If you have a private 3M (that does not have code in any regions that
have been changed by updates) your card would still be running today
no matter HOW long ago you installed it.
They can only send a "killer" ECM that will loop your cards
if they have 8 known bytes in a row that they can hash. In order to
ZAP your card with an ECM your card needs to be detected as being "hacked."
In order to do this they need to know your card's "signature,"
and your signature is based on the "extra" data that is on
your card: the jump points and 3M code.
If they don't know your jump points or how exactly you broke up your
3M code then it is not possible for them to target you since they won't
know the "signature" of your card.
The advantage of picking your own jump point is that your card's signature
is different from most people's cards.
They are mainly interested in hashing the most public areas.
If you pick the INS54 area then you can bet that many other people
have also figured out what you have.
You should really try to find a jump point outside of the INS 54 area.
All we're after here is to make your card's signature just different enough
from the freeware script users'.
Anything you can change will help. If you clone your card then you
have 2 known bytes that will be different from your CAM ID, and those
bytes are a checksum for the CAM ID.
It MAY be possible that they can check those two bytes against the
CAM ID to see if your card is cloned, but they haven't demonstrated
that ability yet.
Remember- nothing is foolproof- If your card is in the data stream
taking updates, you risk an update possibly writing over part of the
3M software and corrupting your card. Nobody ever knows where the update
will occur on the card.
Understanding How Cards Work
The signal is based on packets of data which are sent along with all
the video data to every receiver out there.
Some of this data is filtered out before it is passed on to the smart
card, such as individual unit authorizations.
Of all the millions of these, only the ones for your smart card are
passed on to your smart card.
This is so the smart card does not get totally overloaded with messages
for everyone else.
Most of the other data packets DO get to your smart card.
When the signal passes through a card the following routine happens:
Normal Code Cycle
The DSS signal "passes thru" the card and does certain events
that are important to the function of the card.
"INS 54" Determines Authorization
The "INS 54" is the location of code on the card that determines
whether or not you are authorized to view a channel, and is responsible
for returning a proper value to any authorization requests.
Normal Code Cycle
The signal comes back from the "INS 54" area and either
authorizes or turns off the signal, based on what value was returned.
When the signal passes through a card that has 3M code on it the following
routine happens:
Normal Code Cycles
The DSS signal "passes thru" the card and does certain events
that are important to the function of the card.
Jump to Fake Authorization or "3m code"
The card "jumps" from the "INS 54" area to an address
you have specified that has your 3M code.
The 3M code "tricks" the card in to thinking that the authorization
is present by giving it a ZNT of its own, and then returning the proper
answer, which allows all of the channels to be unlocked (this is the
JUMP POINT).
Jump back from the "3M code"
The 3M code jumps back to the address you have specified at the end
of the "INS 54" area: 8D2D
End of part 1
Normal Code Cycles
The signal authorizes the signal for all channels based on what was
returned from the Fake ZNT or "3M code."
The area of the card that is checked to see if the channel has authorization
is called "INS 54." That area in the card's EEPROM is 827B-8D2D.
That's why most, but not all, jump points are placed within that area.
Whenever you change the channel the card checks the "INS 54"
area of the card to check and see if that channel is authorized.
When the "check command" reaches your JUMP POINT it jumps
out of "INS 54" directly to wherever your 3M code starts.
The signal then bounces around to your selected "jump to"
addresses and reads the 3m code (which fools it into thinking that the
channel is authorized).
The signal then jumps back to the last byte of INS 54 which is 8D2D
where it continues its normal cycle. During all of this the card
actually thinks it was always in the "INS 54" area of the
card, even though it jumped out and back again.
The instruction that is CRITICAL to learn about for writing 3M's is
"INS 54". You should trace its path as far as possible in
both directions so you can try to understand it completely.
Not all jump points have to be within the INS54 handling routine from
8D03-8D2F (or 8D65). But, it is the INS54 that's the instruction sent
when you change channels that returns authorization, so you'll probably
want to intercept that instruction somewhere.
Understanding Address Locations
To gain a better understanding of address locations open BasicH and
load a .bin file. Clean to USW 26 and look at the BasicH output screen:
01-09-2002 01:48 AM
alyn
Old Timer
Registered: Feb 2001
Posts: 275
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 XX 00 | ................
8030 is the address location of the 1st byte of data which is represented
in hexadecimal format.
As an example to help you better understand the addresses, the address
location of the byte represented by XX is 805E.
You will not need to modify your 3M like the above example- it is for
learning purposes only.
The datastream passes through your card and goes through its normal
code cycle at 8D17, then it hits 8D1A.
8D1A is the ZNT (Zero Number Test) which is used in authorization of
the channels. You simply want to alter the code so that we can send
the signal to the 3M code.
Look at the EEPROM MAP and HCDT-Disassembly and study it carefully.
LJMP and LCALL
ljmp "Jump-To" byte: 02
The ljmp Jump-to byte is represented by the hexadecimal byte 02. When
the signal encounters a 02, it will immediately look at the next 2 bytes
in sequence.
This will be the address location that the signal will go to.
To help you understand the "ljmp" command look at the following
example:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8060: 00 00 00 00 00 00 00 02 80 8A 00 00 00 00 00 00 | ................
8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8080: 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 00 | ................
Notice that starting at address 8067 you encounter a 02 byte.
This tells the signal to look at the next two bytes (The next 2 bytes
= 80 8A). The signal will then skip to (jump to) the 808A address and
encounter the 99.
The above is only an EXAMPLE of how to spot the "02" and
what it means, and how it works. You will not need to modify your 3M
like the above example- it is for learning purposes only.
The format for the ljmp instruction is:
02 XX XX (The x's are a 2 byte address).
With the ljmp instruction you can jump to the ppv area, and then jump
back to any address, however the code is a little longer than when using
lcall.
Here is a jump code (to address 8032):
8D1B: 02 80 32 <-- ljmp to address 8032
Here is the 3m code at address 8032 and the jump back to 8D1B:
8032: E4 <-- 3M code
8033: F5 45 <-- 3M code
8035: 75 27 03 <-- 3M code
8038: 02 8D 1B <-- ljmp back to address 8D1B
Let me give another example. Here is what the code might look like
before we alter it:
8332: 08
8333: E2
8334: 79 18
8336: 47
Now let us say we want to jump to our 3M code from address 8333 using
ljmp. We will pretend our 3M code will go at address 8031.
Here is our new code with the ljmp:
8332: 08
8333: 02 80 31 <-- ljmp to our 3M code at address 8031
8336: 47
Since you are skipping the instructions at 8333 by putting the ljmp
code there, and then skipping back to 8336, you are missing any instructions
on 8333 as well as bypassing 8334.
You must add those instructions (E2 79 18) to the beginning of our
3M code before you jump back to 8336. You must be careful when writing
your jump code over original code, and also to be careful when jumping
back so that you do not skip execution of any important code.
Here is our 3M code for the ljmp beginning at address 8031:
8031: E2 <-- the instruction from 8333
8032: 79 18 <-- the instruction from 8334
8034: E4 <-- 3M code
8035: F5 45 <-- 3M code
8037: 75 27 03 <-- 3M code
803A: 02 83 36 <-- ljmp back to address 8336
lcall
The format for the lcall instruction is: 12 XX XX (the x's are a 2 byte
address)
When you use lcall to jump to your 3M, the address immediately following
the jump is pushed onto a stack, and you can return to that address
simply by using the 1 byte instruction: 22 (return). This means you
do not have a choice of where to return to, but you can do so in 1 byte.
By using lcall instead of ljmp our 3M footprint is 2 bytes smaller.
A smaller footprint makes a more difficult target. However, there is
no choice of a return location, making it more difficult to randomize
the jump signature.
Here is the beginning EXAMPLE unmodified code:
8332: 08
8333: E2
8334: 79 18
8336: 47
We will change the address at 8333 and use lcall to branch to our 3M
CODE we will add at address 8032:
8332: 08
8333: 12 80 32 <-- lcall to 8032
8336: 47
Since you are skipping the instructions at 8333 by putting the lcall
code there, and then skipping back to 8336, you are missing any instructions
on 8333 as well as bypassing 8334.
You must add those instructions (E2 79 18) to the beginning of your
3M code before you jump back to 8336.
You must be careful when writing your jump code over original code,
and also to be careful when jumping back so that you do not skip execution
of any important code.
Here is our 3M code for the lcall beginning at address 8032:
8032: E2 <-- (the instruction from 8333)
8033: 79 18 <-- (the instruction from 8334)
8035: E4 <-- 3M code
8036: F5 45 <-- 3M code
8038: 75 27 03 <-- 3M code
803B: 22 <-- RETURN command (we do not specify a return address because
instruction 22 will automatically take us to the address immediately
following the lcall at address 8336)
NOTE: DO NOT USE THE ABOVE EXAMPLES, THESE EXAMPLES CONTAIN 3M CODE
THAT IS TOO LONG, AND WILL CAUSE YOU TO GET HASHED, IT IS JUST TO HELP
YOU UNDERSTAND THE CONCEPTS INVOLVED WITH LCALL AND LJMP.
Jump Points
The "jump point" is a command in the program that reroutes
the program operation to the PPV (or tier) area to execute the 3m routine
and turn on the video and audio for our selected channel.
Hiding our 3m routine within either the PPV or tier area is not the
real problem. What you need to do is look for a routine that ALWAYS gets
executed when you change channels, and then locate that address to find
a point where we can jump from (and back to following our 3M code).
It also has to be an address that you can overwrite without disturbing
the normal card cycle.
Jump points are determined by analyzing the disassembled code that
is on the card and carefully choosing a point at which to intercept
program flow while at the same time keeping both security from attack
and integrity of the card's routine in mind.
Remember to always have a picture of the EPROM table in your head and
plan on where your sections will be located. Count the bytes you need
to write and make sure you can fit them in your area.
It is also a good idea to take notes on what your starting addresses
will be and what are the bytes you will be overwriting with your jump
points.
You have to be very careful when choosing your jump points. You'll
want your jump to come back just after your original jump point so it
does not encounter that jump again in the cycle and cause a loop.
End of part 2
If you do not have an unlooper I would not try too many things as you
will have to send your card out to a cleaner or buy an unlooper and
fix your card.
If you place the jump point after the return jump point at 8D2D then
you will have a continuous loop, in other words a "looped"
card.
A jump point is not just any random number- it's an EEPROM address
within the card where you can place a jump command, or similar instruction,
to intercept the normal program flow, redirect it to your routine that
forces channel authorization (known as a 3M routine) and then jump back
to a point somewhere after your jump point (again, it is not just another
random address).
You have to know where to jump from, it cannot be any random address.
The only way to do this is to know how the program on the card operates.
If you point to an area of the card which has fixed values in every
legitimate card, then every legitimate card will generate the same new
10 keys which ultimately become the correct keys used to get the video.
Until you learn more about how the card operates then you can use any
of the known jump points.
Jump points can be tricky to pick. You must have at least SOME knowledge
of what those bytes mean and how many of them go together to do something.
If you break up the 3M code correctly the most that they can do is
hashing.
01-09-2002 01:52 AM
alyn
When choosing a PRIVATE jump point it would be best to avoid one of
these jump points for your private 3M, since they are known and used
by freeware, and have been targets of hashing:
8250-8257
8260-8267
8278-827F
8560-8567
8590-8597
8658-865F
8688-868F
8690-8697
8860-8867
8980-8987
89A0-89A7
89B0-89B7
89B8-89BF
8CF8-8CFF
8D00-8D07
8D08-8D0F
8D18-8D1F
8D60-8D67
8F28-8F2F
99A0-99A7 (wrap around address for 89A0 to 89A7)
9D00-9D07 (8D00-8D07)
Update 0001h/1 (8568h-856Bh)
Update 0002h/2 (8FF1h-8FF4h)
Update 0003h/3 (8FF5h-8FF8h)
Update 0004h/4 (8FF9h-8FFCh)
Update 0005h/5 (84F8h-84FBh)
Update 0006h/6 (8588h-858Bh)
Update 0007h/7 (8670h-8673h)
Update 0008h/8 (8460h-8465h)
Update 0009h/9 (8605h-860Ah)
Update 000Ah/10 (8F3Bh-8F46h)
Update 000Bh/11 (8F2Fh-8F3Ah)
Update 000Ch/12 (8F47h-8F52h)
Update 000Dh/13 (8F53h-8F5Eh)
Update 000Eh/14 (8F5Fh-8F5Fh)
Update 000Fh/15 (8965h-8966h)
Update 0010h/16 (8BA5h-8BAAh)
Update 0011h/17 (8F60h-8F68h)
Update 0012h/18 (865Ch-8660h)
Update 0013h/19 (8297h-8297h)
Update 0014h/20 (8F44h-8F44h)
Update 0015h/21 (858Bh-8592h)
Update 0016h/22 (8F70h-8F78h)
Update 0017h/23 (8C05h-8C06h)
Update 0018h/24 (8F79h-8F7Fh)
Update 0019h/25 (85D0h-85D1h)
Update 001Ah/26 (8591h-8594h)
Update 001Bh/27 (8F80h-8F86h)
Update 001Ch/28 (85D0h-85D7h)
Update 001Dh/29 (85CAh-85CBh)
Update 001Eh/30 (8660h-8667h)
Update 001Fh/31 (85D0h-85D7h)
Update 0020h/32 (8658h-865Fh) same as 18
Update 0021h/33 (8687h-8692h)
Update 0022h/34 (8702h-870Dh)
Update 0023h/35 (8693h-869Eh)
Update 0024h/36 (86F6h-8701h)
Update 0025h/37 (8762h-876Dh)
Update 0026h/38 (8732h-873Dh)
Update 0027h/39 (870Eh-8719h)
Update 0028h/40 (869Fh-86AAh)
Update 0029h/41 (86B7h-86C2h)
Update 002Ah/42 (86CFh-86D9h)
Update 002Bh/43 (8867h-8872h)
Update 002Ch/44 (874Ah-8755h)
Update 002Dh/45 (885Bh-8866h)
Update 002Eh/46 (86ABh-86B6h)
Update 002Fh/47 (871Ah-8725h)
Update 0030h/48 (85CFh-85D3h)
Update 0031h/49 (8756h-8761h)
Update 0032h/50 (86C3h-86CFh)
Update 0033h/51 (873Eh-8749h)
Update 0034h/52 (8709h-8710h)
Update 0035h/53 (888Bh-8896h)
The hard part is figuring out what address you can use and have the card
still work.
You need to figure out what "jump point" addresses have been
used by freeware scripts because you want to stay away from those.
Get as many scripts as you can find and make a list of the jump points
so you will know which ones to stay away from.
Also you will want to know what addresses are SAFE to use because you
don't want to "loop" your card.
Get a card's EEPROM image file and open it up in a text editor (like NotePad).
Disassemble it and trace the instruction 54 (which starts at 827B).
Look at the HCDT-Disassembly and try to figure out what all of these
jump points have in common, and soon you will discover private jump
points of your own.
To find a new jump point first find an instruction group in the
original H card programming which is executed frequently (INS54 is a
good example).
Next, find a set of individual code instructions that is EXACTLY 6
bytes long when complete (such as: three 2 byte instructions, OR 2 three
byte instructions, OR one 3 byte instruction and three one byte instructions,
etc).
You may then replace the code with your 6 bytes (3 byte jump instruction
and 3 random bytes).
Make sure the instructions you replace may be replicated in the 3M
(no ajmp or acalls).
Then rewrite the 3M code and include the replaced instructions, and
change the jump back in the 3M to the address 6 bytes after your replaced
jump instruction.
Also notice: Only 8000-8FFF (User area) gets hashed (the 9000's that
got hashed are "wrap-around" addresses).
If one location can not be split to make a jump then carry out the
necessary bytes with your 3M string.
A jump can always be inserted in between the code only to take it to
a different location. Try to jump to a different location other than
PPV (like 83XX or Old nano area).
01-09-2002 01:57 AM
alyn
Learn to use other ways of intercepting such as LCALL (12 address, 22
for ret) and SJMP (80 XX for number of bytes to jump down). New ways to
check for authorization, hash checking and normal writes can be created
making some code obsolete.
You should always keep your code to a minimum exposure to public, and
keep it only to yourself. Try to avoid using public jump
points and obvious bytes that shouldn't be on your card.
Avoid having empty areas that should have bytes on a normal card. Use
your common sense and try to make your card appear
as much like a "normal" card as possible. REMEMBER- there
are other areas to jump from aside from INS 54, as evidenced on the list.
You can't always simply jump back to 8D2D, because doing so will skip
over necessary code.
If you are jumping outside the ins54 area you USUALLY need to return
to the command immediately following the point you jumped from, and
you will also most likely need to cycle the overwritten code back in
after you jump, before the 3M.
Also- You can't use data areas as jump points because they never get
executed.
A jump point has to be part of the code that gets executed every time
you change a channel, and the card seeks authorization.
"Pay Per View" Area
The Pay Per View Area is the part of
the card where information is written to record the authorization of
PPV events and movies.
When you clean your card the PPV area gets wiped clean so no information
is present. When the PPV area is cleaned the area is "zeroed-out"
(represented by NULL or 00 values).
The PPV area starts at 8028 and ends at 80EF (refer to the EEPROM MAP
to find the PPV area).
We can easily use the PPV area of the card to store data such as 3M
code. You can use any part of the PPV area that you want, but remember
that "valid" PPV's are 8 bytes long, so you will need to add
random bytes (any number from 00 to FF) before and/or after your 3M
code in order to cloak it, as well as appear to be a valid PPV purchase.
The card expects that your PPV purchases will all start at either the
"0" address or the "8" address. There are 25 PPV
slots. Each PPV slot is 8 bytes long. The first PPV slot is "8028-802F,"
the second slot is "8030-8037," the third slot is "8038-803F,"
and so on.
It is a good idea to work out all of the "jump to's" on paper
prior to editing your bin, so you can mark the jumps clearly, etc.
End of part 3
Here is a PPV area scratch pad for you to work from:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8020: 00 00 00 00 00 00 00 00 | ................
8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
PRINT OUT THE ABOVE WORKSHEET TO MAP OUT YOUR JUMP POINTS PRIOR TO EDITING
YOUR BIN
REMEMBER
The PPV (and tier area) are not where you put your jump point.
These are the areas that the 3m activation routine is stored.
It is best not to have the jump to addresses overlap across the "07"
and "08" address, UNLESS you fill in the entire line with
additional random bytes to make it appear as 2 purchases.
You should also never start your 3M code on a 0 or an 8 in order to
hide your code from the checking routine.
Make the 80x6 and 80xE addresses appear to be valid PPV purchases.
Here are a few examples of "valid" PPV purchases:
87 D9 69 D8 01 8F 01 00
8A C8 69 D8 01 8F 01 00
8B B6 69 D8 01 8F 01 00
81 1E 69 DA 01 8F 01 00
83 4C 69 D9 01 8F 01 00
81 DD 69 DA 01 8F 01 00
85 13 69 D8 01 8F 01 00
81 E9 69 DA 01 8F 01 00
81 52 69 DA 01 8F 01 00
81 9A 69 DA 01 8F 01 00
8E F3 69 D9 04 4B 01 00
81 12 69 DA 01 8F 01 00
83 E9 69 D8 01 8F 01 00
83 1D 69 DA 01 8F 01 00
82 89 69 DA 01 8F 01 00
82 7D 69 DA 01 8F 01 00
81 3B 69 DA 01 8F 01 00
81 6E 69 DA 01 8F 01 00
81 CB 69 D9 01 8F 01 01
91 07 69 D7 01 F3 01 01
8E CB 69 D7 03 1F 01 01
8E E9 69 D7 04 4B 01 01
8F 4B 69 D7 03 83 01 01
90 16 69 D7 03 83 01 01
80 FC 69 D9 07 CB 01 01
81 11 69 D9 01 8F 01 01
81 1D 69 D9 01 8F 01 01
81 2A 69 D9 01 8F 01 01
81 51 69 D9 01 8F 01 01
81 6D 69 D9 01 8F 01 01
81 82 69 D9 01 8F 01 01
81 E8 69 D9 01 8F 01 01
82 F2 69 D9 01 8F 01 01
83 41 69 D7 01 8F 01 01
85 03 69 D7 01 8F 01 01
88 A7 69 D7 01 8F 01 01
8C 8F 69 D7 01 8F 01 01
8D E1 69 D7 03 E7 01 01
8C 7A 69 D8 04 AB 09 01
82 88 69 D9 01 8F 00 01
85 9C 69 D7 01 8F 00 01
00 59 6B C1 22 C4 09 01
90 29 69 D8 03 83 01 00
You will note that the above PPV code has many addresses that are roughly
the same, and once in a while a few oddballs.
The most important ones to keep the same are the beginning (1 or 8
ppv address slots) and the end (7 or F address slots).
The best thing to do is get your own PPV examples to work from, so
you can see the code for yourself.
Load an activation script on your card, and purchase a few PPV's and
you will notice that they will follow the above patterns with few exceptions.
Some people have noticed that a while after they install the P3M on
their card, one of the "random" bytes or one of the bytes of their
3M string changed to an 06.
If you clear the byte and put the card back in the IRD and check it
again a few minutes later it is back to 06, 20 or 26.
This sometimes results in the 3M code failing to authorize the channel
(call Ext. error) or even a fake Ext. 745 error.
The "PPV status byte" is changing. Changes to bytes at XX06h
and XX0Eh in the PPV area only occur when certain bit patterns exist
in those locations. Some bytes are fine, others are not.
Look at a valid PPV string to see what the card "needs" to
see at certain addresses.
Storing anything in the PPV area without knowing exactly how it is
affected by the card could be dangerous.
Some cards have been looped by having these bytes change.
Many other instructions can and have been changed, sometimes resulting
in the 3M code failing to authorize the channel (call Ext. 721, 711,
etc.) all the way to a fake Ext. 745 error being generated.
The BEST way to avoid this is to break up the 3M string and jump from
chunk to chunk.
You'll have to know the instructions so as not to break apart an instruction
and its parameters.
If you do this you may have to fix part of your 3M code if it supports
locks/limits via a 20 4E xx type instruction.
Instruction 20 is JB (Jump if bit set) and has a relative address as
a parameter that normally jumps XX bytes ahead if bit 4E is set.
If you move the bytes after that command around, it may be more bytes
away and you'll need to correct this.
What is happening is the card is updating the status of what it thinks
is a valid PPV entry.
The card has logic to set status bits to indicate what state the PPV
is in. They are being updated by cmd18 which gets called from instruction
36 and command 29/49.
Instruction 36 is called to get card info, probably for delivery of
info via phone line if connected.
Cmd 29/49 seems to be related to buying/viewing PPV.
It only affects the 80x6 and 80xE addresses of the PPV area.
The offending routine that writes the x6's looks like it's Cmd18/MatchFound/Ins46
at 165Bh in the ROM specifically with the four instructions at 1682h.
When it gets to this section of the routine, it sets bits 1 and 2 of
the 7th byte of the PPV slot (80x6 and 80xE), but it would seem to avoid
that area of the code completely if both bits 0 and 1 are already set
(i.e. second digit = 3, 7, B, or F).
Now, depending on how it gets there, it may skip over it if only one
or the other is set.
The PPV area is touchy, which is why most scripts restrict their code
to the tier area, which is not affected by normal operations of the
card.
Addresses in the PPV area that end in 06h or 0Eh could be modified
(depending on exactly what the value in those locations is).
Your best bet is to be aware of the fact when constructing a 3M string
in the PPV area, and either work around it (you could skip over the
06h/0Eh addresses by SJMP'ing over them) or only use the tier area.
If you decide to use the tier area and you aren't disabling processing
of the deferred command buffer (i.e., a simple 3M that is stored in
the tier area), then it is conceivable for it to be affected by a packet
containing special Cmd41 or Cmd42 entries ("Add or update tier"
or "Drop tier" commands). You can also prevent tier wipes
by corrupting the global key Group Key 0.
3m Code
The 3m Code we will be using includes the following sequence of bytes:
75 27 03 20 4E 08 E4 F5 45 02 8D 2D
There are many combinations and variations you can use. If you don't
use the locks & limits you can use the following 3M code:
E4 F5 45 75 27 03 02 8D 2D
If you DO want the locks & limits use this code:
20 4E 06 E4 F5 45 75 27 03 02 8D 2D
The byte 02 means "ljmp" or "JUMP TO," and the
address that follows is "8D 2D," which means that our 3M code
returns back to the 8D 2D address.
Until you become more advanced at writing 3M's you MUST jump from "8D
1A", and you MUST jump back to "8D 2D."
01-09-2002 01:59 AM
alyn
The 3M code can be broken up into parts:
Part 1 : 75 27 03
Part 2: 20 4E 08
Part 3: E4
Part 4: F5 45 02 8D 2D
We do this because it makes it harder for your test card to be looped,
hashed, or destroyed, since ECM's are hashed on a basis of 8 bytes,
so we split our code to avoid this.
You can split up your 3M code as much as you want, as long as the
bytes are in order.
Writing the 3M code to your Card using "LCall" and jump points
Note: Do NOT use the addresses that we use in this example if you want
to be private!
In other words, choose your own random points to jump to.
In the Basic H screen dump you will notice at 8D1A the bytes = 20 38
10. You need to change this value to include a jump to and the address
you want to jump to. 20 38 10 will now be replaced with 02 XX XX (XX
XX = The address location of your 3m code)
It is safest to use the PPV area to store your 3M code at first.
The PPV area is between addresses 8028 - 80EF.
Aside from 8D1A other known jump FROM points are: 8D11, and 8D20. Experiment
a bit, and you can find your own spot to jump FROM to make your 3M TOTALLY
private.
As mentioned earlier, you can break the 3m code up into parts, and
jump around to addresses within different areas of the PPV area.
(NOTE: THE FOLLOWING IS AN EXAMPLE ONLY! DO NOT USE THIS EXAMPLE!!
MAKE ONE OF YOUR OWN TO AVOID BEING TARGETED BY DTV!)
Start BasicH and insert your card in to your programmer. Read your
EEPROM and save your bin file, and remove your card.
Load a VALID .bin file into BasicH and clean it to 26 updates by clicking
on the AMBULANCE icon (clean EEPROM in memory), and selecting "clean
to 26 updates".
End of part 4
Enable Edit mode in BasicH. NOTE: You are editing the bin file in memory,
and not the card itself!
Be careful when editing the bin file to make sure you are editing the
CORRECT addresses.
Replace the code at 8D1A with "02 80 61" (jump to address
8061)
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8D10: 00 00 00 00 00 00 00 00 00 00 02 80 61 00 00 00 | ................
At address 8061 write "75 27 03 02 80 51" (First part of the
3M & jump to 8051)
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8060: 00 75 27 03 02 80 51 00 00 00 00 00 00 00 00 00 | ................
At address 8051 write "20 4E 08 02 80 49" (Second part of
the 3M and jump to 8049)
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8050: 00 20 4E 08 02 80 49 00 00 00 00 00 00 00 00 00 | ................
At address 8049 write "E4 02 80 31" (Third part of the 3M and
jump to 8031)
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8040: 00 00 00 00 00 00 00 00 00 E4 02 80 31 00 00 00 | ................
At address 8031 write "F5 45 02 8D 2D" (fourth part of the
3M and jump back to 8D2D to continue the normal code cycle)
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8030: 00 F5 45 02 8D 2D 00 00 00 00 00 00 00 00 00 00 | ................
Now your edited bin should look something like this:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8020: 00 00 00 00 00 00 00 00 | ................
8030: 00 F5 45 02 8D 2D 00 00 00 00 00 00 00 00 00 00 | ................
8040: 00 00 00 00 00 00 00 00 00 E4 02 80 31 00 00 00 | ................
8050: 00 20 4E 08 02 80 49 00 00 00 00 00 00 00 00 00 | ................
8060: 00 75 27 03 02 80 51 00 00 00 00 00 00 00 00 00 | ................
8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
8D10: 00 00 00 00 00 00 00 00 00 00 02 80 61 00 00 00 | ................
(note: at line 8D10 in this example, do NOT change the other addresses
to "0"'s, just change the address at 8D1A. Again- this is
an EXAMPLE- design your own!).
NOTE: It is also a good idea to add random bytes (any hex number from
00 to FF) BEFORE and AFTER your 3M code to further "stealth"
the code.
For example: the first part of our 3M code would look like:
XX 75 27 03 0280 A3 XX
The XX's represent random hexadecimal bytes (any hex number from 00
to FF); the first set of random bytes would start one address earlier
than our jump point, and the last set of random bytes would be at
the address after our "jump back to" address (in the above
example the "jump back to" address is "80A3").
For example: if our "jump to" address was "8005," and
we are adding ONE set of random bytes before the jump address, then the
random bytes would go at 8004.
PPV code is displayed as sets of 8 bytes, so remember to add only enough
random code to bring the string to 8 bytes.
Remember, bytes are sets of 2 numbers, so 00 00 00 is 3 bytes.
let's say we want to put the 1st part of the code at 8061:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8060: 00 75 27 03 02 80 51 00 00 00 00 00 00 00 00 00 |
We would want our string to be eight bytes long, and the 1st part of
our 3M (with the jump command and address) is only 6 bytes long, so
we add a random byte (any number from 00 to FF) BEFORE our 3M code at
address 8061, and another random byte AFTER our 3M code, at 8066 and
8067.
At a glance it appears to be a "valid" PPV purchase which
are 8 bytes long. KEEP IN MIND WHAT A "VALID" PPV PURCHASE
LOOKS LIKE!
Here is what the 1st part of our 3M code at 8061, with RANDOM BYTES
added, will look like:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8060: XX 75 27 03 02 80 51 XX 00 00 00 00 00 00 00 00 |
Now your edited bin WITH RANDOM BYTES should look something like this:
Addr: 0 1 2 3 4 5 6 7 8 9 A B C D E F | ASCII
8020: 00 00 00 00 00 00 00 00 | ................
8030: XX F5 45 02 8D 2D XX XX 00 00 00 00 00 00 00 00 | ................
8040: 00 00 00 00 00 00 00 00 XX E4 02 80 31 XX XX XX | ................
8050: XX 20 4E 08 02 80 49 XX 00 00 00 00 00 00 00 00 | ................
8060: XX 75 27 03 02 80 51 XX 00 00 00 00 00 00 00 00 | ................
8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
80E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
8D10: 00 00 00 00 00 00 00 00 00 00 02 80 61 00 00 00 | ................
XX= random bytes
REMEMBER: Never start your 3M code on a 0 or an 8 address, and if it
crosses the "border" between the two addresses be sure to fill
in the bytes to make it look like a valid PPV purchase.
The best thing to do is to either use the above examples, or load an
activation script on your card and "buy" some PPV's and look
at the code in BasicH.
When constructing your own jump to areas in the PPV, keep in mind that
it fills in slot one, then slot two, and so on until 25, so it is best
to avoid large gaps like in the above example.
Also, if your 3M string ends on a 7 you may have problems. Also try
to follow the pattern that the card expects to see in the PPV area,
by referring to the above examples.
Again, the card expects that your PPV purchases will all start at either
the "0" address or the "8" address.
End of part 5
There are 25 PPV slots. Each PPV slot is 8 bytes long, so it is best
not to have the jump points overlap across the "07" and "08"
address, unless you fill in the entire line with additional random bytes
to make it appear as 2 purchases.
The first slot is "8028-802F," the second slot is "8030-8037,"
the third slot is "8038-803F," and so on.
Disable "Edit Mode" and save the edited bin with a different
name. Clean your card with a One-Step clean with BasicH, twice to 26
updates, or until zero file differences.
Then write the modified bin to your card (NOTE: do not clean the bin
after you have modified it or you will lose your jump point data in
the PPV area- clean the bin BEFORE you modify it).
Next use WHISPER, which is a script that will activate your card, but
it won't work unless you have a modified bin.
It is possible to edit your bin manually to include this data, however
it is not necessary.
Reboot your IRD, insert your card and watch TV!
--------------------------------------------------------------------------------
01-09-2002 02:00 AM
alyn
Old Timer
Registered: Feb 2001
Location:
Posts: 275
Understanding Packets (advanced):
The DTV system is based on packets of data which are sent along with
all the video data to every receiver out there.
Some of this data is filtered out before it is passed on to the smart
card, such as individual unit authorizations.
Of all the millions of these, only the ones for your smart card are
passed on to your smart card.
This is so the smart card does not get totally overloaded with messages
for everyone else. Most of the other data packets DO get to your smart
card.
There are dozens of types of data packets, but only a few are of vital
importance.
The first vital packet is the 4840 packet, which is what you get immediately
after you tune to a new channel (and at regular periods afterwards too)
An example could look like this:
48 40 00 00 XX 40 09 10 10 00 01 4A 12 34 02 41 03 33 42 00 0C AA BB CC DD EE
Let's break this down: 48 40 00 00 XX
Here 48 40 describes the type of packet and the XX is the number of
bytes to follow
40 is an echo of the packet type back to the receiver to show the smart
card is working.
09 10 10 00
Here 09 is the command to set the key to be used in all subsequent
decryption routines.
In this case, key 10 is pointed to, which is a generic key shared by
all smart cards. The smart card uses an algorithm which generates 10
bytes every time it is called.
It uses the previous value for these 10 bytes and a new value found
in the "A register" or accumulator.
Once the 09 command has been issued, almost every byte read in after
that goes through this algorithm and so causes a new set of 10 bytes
to be generated.
So the only time you can predict in advance what these 10 bytes are
is just after the 09 command has been issued.
The algorithm is complex enough that trying to calculate the correct
result would take years of processing even with a super-computer.
01 4A 12 34 Here 01 is the command to load the time and date, where
4A would be the month and 12 34 the digital hour, minute (not directly
related to our 24 hour clock).
You should note following the above description of the 10 byte key
process that reading in these 4 bytes causes a unique new set of 10
keys to be created after each of the 4 bytes is read in so any attempt
to intercept and modify these dates causes the wrong 10 bytes to be
created.
02 41 Here 02 is the command to load the program rating and the viewing
status.
The 1st digit '4' means you need a subscription to watch, it would
be '8' if it was a preview or free.
The 2nd digit is the parental rating. It should be repeated that any
attempt to change the '41' (you need a subscription) to '81' (you can
watch for free) will also generate the wrong 10 keys.
03 33 42 00 Here 03 is the command to check the subscription list in
the smart card to see if the smart card is valid for channel 3342 at
this time.
So here is where the smart card response starts to change depending
on whether it does have a valid entry for channel 3342 or not.
Again, you can't intercept and change the data from the 3342 that the
system demands you have to a different number that you know your smart
card does have without creating the wrong 10 keys.
This 03 command can be repeated a number of times because any channel
may have more than one channel identifier that it will accept. (This
is to simplify selling packages of channels without needing a unique
subscription for every single channel).
On a Pay-Per-View movie (PPV) the 03 command is replaced by an 06 command
but the end result is the same.
0C AA BB CC DD EE Here 0C is the command to check the integrity of
all the received data, everything that is after the initial 09 command
was issued, right up to and including the final byte 'EE'.
As explained, every single byte read causes yet another call to the
decryption algorithm to generate yet another new set of 10 keys.
The purpose of the 'AA BB CC DD EE' is that these 5 bytes are checked
against the first 5 bytes of these newly created 10 keys and all 5 of
them must match exactly.
If they do not, because of noise say, or because the data was intercepted
and altered, then no match occurs and the process which generates the
correct video keys will not execute.
You can't guess these 5 numbers as there are 256*256*256*256*256 possibilities
(which is a lot).
That is the end of the 4840 packet. The smart card goes back to idle
waiting for the next packet.
What it has stored, however, is a set of 10 keys and a status for
whether it is allowed to watch this channel or not.
The receiver as yet does not know what this status is, so no video
is being shown.
Almost immediately after this comes the next vital packet, 4854. This
has a simpler format: 48 54 00 00 00 with nothing else to follow.
The smart card recognizes the 48 54 type and echoes the 54 back. Then
it uses the status it created with the '4840 packet' to generate a further
version of the 10 keys.
It crunches them through the on-die ASIC so that a pure software emulator
can't be used.
Then it does a final software encryption and sends the resulting 10
keys over to the receiver, together with the status info.
What is vital is that the correct 10 keys are only sent if the accompanying
status shows the smart card is valid for that channel at that time.
Otherwise, a different set of 10 keys will be sent, created earlier
by the '484A packet', and these will NOT result in any video.
These 10 keys are then fed to the MPEG decoder to sort out the video
which will be turned on if the sequence is correct.
(The audio is not encrypted, it will be turned on if the correct status
is sent even if the wrong keys are sent)
You should have learned by now that;
These two packets are crucial.
If you change ANY byte between the 09 command in the 4840 packet and
the last byte of the 4840 packet, you will generate the wrong 10 keys
and get no video/audio.
You can add other commands in the 4840 packet than the simple 01 (time)
02 (rating) and 03 (subscription), as long as the correct final 5 bytes
are calculated by the system to generate the required 10 keys correctly.
You can, for example, include a 60 command, followed by a sub command
string B5.
60 B5 03 81 23 01 What this does is cause yet another new set of the
10 keys to be created 8 times, one for every value it finds in the EEROM
at location 8123.
You can specify the number of 8 byte blocks to check (the example shows
01 for 1 block) and you can specify a list of addresses to check.
The actual address would not be 8123 but another address (or list of
addresses) in the 8XXX area which corresponds to code altered by 'pirates'.
If you point to an area of EEROM (or ROM for that matter) which you
know has fixed values in every legitimate card, then every legitimate
card will generate the same new 10 keys which ultimately become the
correct keys used to get the video.
If any 'pirate' cards have different code in that area, then they will
generate different 10 keys and get no video.
They won't be damaged, they simply won't work! Because you can use
a list to specify addresses to check, you can with a few short key strokes
cover most of the so-called free space where any 3M type routines might
be written.
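The design the post describes (every byte read after the 09 command regenerates the 10-byte key state, the 0C command's five bytes must equal the first five bytes of that state, and a 60 B5 check folds chosen EEPROM blocks into the same state) can be modelled in a few lines. The following Python is an added illustration written for this thread, not DirecTV's or the card's code: the real key-update routine is not public, so SHA-256 stands in for it, and the key table, the memory images and the sample command bytes are constructed (the 09 10 ... 03 33 42 00 bytes are the ones quoted in the 4840 example above). The post does not give the exact byte layout of the 60 B5 command, so the memory check is passed in as a list of (address, block count) pairs rather than parsed out of the stream. The point it shows is the one the post makes: changing 41 to 81, or differing from a legitimate card at a checked address, produces a tag mismatch and no keys.

```python
import hashlib
import hmac

# Added model of the integrity design described above, not the card's real
# algorithm (which is not public): SHA-256 stands in for the key-update step,
# and key values, memory images and sample bytes are constructed.

STATE_LEN = 10   # the post describes a rolling set of "10 keys"
TAG_LEN = 5      # the 0C command carries 5 check bytes
BLOCK_LEN = 8    # the 60 B5 check walks memory in 8-byte blocks

# Toy key table; key id 0x10 is the generic key the post says every card shares.
KEY_TABLE = {0x10: bytes.fromhex("00112233445566778899")}


def next_state(state: bytes, value: int) -> bytes:
    """Stand-in for the card's key routine: mix one input byte into the state."""
    return hashlib.sha256(state + bytes([value])).digest()[:STATE_LEN]


def absorb_bytes(state: bytes, data: bytes) -> bytes:
    """Every byte read after the 09 command regenerates the 10-byte state."""
    for b in data:
        state = next_state(state, b)
    return state


def absorb_memory(state: bytes, memory: bytes, addr: int, nblocks: int) -> bytes:
    """Model of the 60 B5 check: fold nblocks 8-byte blocks at addr into the state."""
    return absorb_bytes(state, memory[addr:addr + BLOCK_LEN * nblocks])


def derive_state(commands: bytes, memory: bytes = b"", checks=()) -> bytes:
    """Run the state machine over a stream that starts with 09 <key id>.

    checks is a list of (addr, nblocks) regions folded in after the stream;
    it stands in for 60 B5 commands, whose exact byte layout the post does not
    give, so they are not parsed out of the stream here (assumption).
    """
    if len(commands) < 2 or commands[0] != 0x09:
        raise ValueError("stream must start with a 09 key-select command")
    key_id = commands[1]
    if key_id not in KEY_TABLE:
        raise KeyError(f"unknown key id {key_id:#04x}")
    state = absorb_bytes(KEY_TABLE[key_id], commands[2:])
    for addr, nblocks in checks:
        state = absorb_memory(state, memory, addr, nblocks)
    return state


def seal(commands: bytes, memory: bytes = b"", checks=()) -> bytes:
    """Sender side: append the 0C command and the tag a genuine card will derive."""
    body = commands + b"\x0c"
    return body + derive_state(body, memory, checks)[:TAG_LEN]


def verify(stream: bytes, memory: bytes = b"", checks=()) -> bool:
    """Card side: accept only if the trailing 5 bytes equal the derived state."""
    if len(stream) <= TAG_LEN or stream[-TAG_LEN - 1] != 0x0C:
        return False
    body, tag = stream[:-TAG_LEN], stream[-TAG_LEN:]
    expected = derive_state(body, memory, checks)[:TAG_LEN]
    return hmac.compare_digest(expected, tag)   # constant-time comparison


# Constructed sample: the command bytes from the 4840 example above, without
# the 48 40 header and the 40 echo, which carry no part of the check.
COMMANDS = bytes.fromhex("09 10 10 00 01 4A 12 34 02 41 03 33 42 00")

# Constructed 64 KiB memory images: a legitimate one and one that differs in
# the region a 60 B5 check points at (0x8123 is the post's example address).
CHECK_ADDR, CHECK_BLOCKS = 0x8123, 1
LEGIT_MEMORY = bytes(0x10000)
ALTERED_MEMORY = bytearray(LEGIT_MEMORY)
ALTERED_MEMORY[CHECK_ADDR] ^= 0x80
ALTERED_MEMORY = bytes(ALTERED_MEMORY)


def demo() -> dict:
    """Four verdicts: genuine packet, edited rating byte, and the memory check
    against a legitimate and an altered image."""
    sealed = seal(COMMANDS)
    tampered = bytearray(sealed)
    tampered[COMMANDS.index(b"\x02\x41") + 1] = 0x81   # 41 -> 81, "free preview"
    checks = [(CHECK_ADDR, CHECK_BLOCKS)]
    sealed_with_check = seal(COMMANDS, LEGIT_MEMORY, checks)
    return {
        "genuine": verify(sealed),
        "rating_changed": verify(bytes(tampered)),
        "legit_memory": verify(sealed_with_check, LEGIT_MEMORY, checks),
        "altered_memory": verify(sealed_with_check, ALTERED_MEMORY, checks),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns True for the genuine packet and for the legitimate memory image, and False for the edited rating byte and the altered image. Two design points carry over to any card-side check of this shape: the state is chained, so a tag can only be predicted from the key-select point onward, and the final comparison uses `compare_digest` so the card does not leak how many tag bytes matched through timing.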
.........................................................................................................
01-09-2002 02:04 AM
alyn
Old Timer
Registered: Feb 2001
Location:
Posts: 275
>FOR HU CARD
>
Op codes, or operational codes, are used to tell the IRD what to do; they
are the instructions on the card. We are not ready for the opcodes just
yet - we must first define what a jump point is, where they are, and
how to use them.
What are the RAM addresses? we need this too.
You see the card has RAM (2K or 2000 bytes). Each byte is one address.
The card has ROM (Read Only Memory) and within it has some addresses
that are write only once. I need the amount of rom and the addresses.
The card has eeprom. eeprom is rewriteable memory - but it is only
good for a specified number of writes (approx 500,000) this area is
how large - well if the range is 2000 - 39ff - approx 6K.
The first few lines in your Hex (short for Hexadecimal) script will
be the following:
Line 1 #Extreme Hex
Line 2 #C-PromptAreaInfo
Line 3 #C-OptionsOFF
Line 4 #C-CopyKey
Line 5 #C-CleanEEP
Line 6 #C-EndMsg=Merry Xmas
Line 7 #C-StartMsg=Happy New Year
Line 8 :0220140025DACB
Line 9 ::042460000000000078
Line 10 ::0424A4000000000034
Line 11 ::04240C0000000000CC
Line 12 ::102500000D0D0000000000000000000000000000B1
Line 13 ::10251000000C000000000000FFFFFFFF7FFE81892C
Line 14 ::02246500000075
Line 1 is used to indicate that the file is a Extreme HU Hex script.
Line 2 is used to tell Extreme HU to prompt the user for area info (what
locals do you want).
Line 3 is used to tell Extreme HU not to display options.
Line 4 is used to copy the 12 byte key (more later on this)
Line 5 is used to tell Extreme HU to clean the card's eeprom.
Line 6 is a message you can display to the user in a dialog box (a dialog
box is the little box that prompts you) at the beginning of the scripts
execution (at the start)
Line 7 is a message that is displayed in a dialog box at the end of
the scripts execution
Line 8 is used to add Fuse Bytes (is the card activated and married)
Line 9 & 10 is used to clear the Receivers (IRD) serial number
Line 11 is used to clear the IRD (Receiver) password
Line 12 & 13 are used to Add the guide (locals and style of programming)
Line 14 is used to fix the fourth byte of the ATR (this is done as a
precaution as it can become corrupted)
The following jump points are being hashed.
2711h-2ACDh,2D4Ch-2D8Bh,2F08h-3156h,3159h-3939h,393Dh-3F47h,22F2h-237Ch,23D5h-2405h,2698h-2711h,2CD0h-2CDFh,2CE8h-2D4Bh,2D4Ch-2DB6h,
3F58h-3F67h,3F88h-3FFEh
3159h-3939h, and 393Dh-3F47h.
Now two questions for all of you!
What does hashing mean?
What does the little "h" next to the addresses mean?
Hashing
Hashing is the transformation of a string of characters into a usually
shorter fixed-length value or key that represents the original string.
Hashing is used to index and retrieve items in a database because it
is faster to find the item using the shorter hashed key than to find
it using the original value. It is also used in many encryption algorithms.
As a simple example of the using of hashing in databases, a group of
people could be arranged in a database like this:
Abernathy, Sara
Epperdingle, Roscoe
Moore, Wilfred
Smith, David
(and many more sorted into alphabetical order)
Each of these names would be the key in the database for that person's
data. A database search mechanism would first have to start looking
character-by-character across the name for matches until it found the
match (or ruled the other entries out). But if each of the names were
hashed, it might be possible (depending on the number of names in the
database) to generate a unique four-digit key for each name. For example:
7864 Abernathy, Sara
9802 Epperdingle, Roscoe
1990 Moore, Wilfred
8822 Smith, David
(and so forth)
A search for any name would first consist of computing the hash value
(using the same hash function used to store the item) and then comparing
for a match using that value. It would, in general, be much faster to
find a match across four digits, each having only 9 possibilities, than
across an unpredictable value length where each character had 26 possibilities.
The hashing algorithm is called the hash function (and probably the
term is derived from the idea that the resulting hash value can be thought
of as a "mixed up" version of the represented value). In addition
to faster data retrieval, hashing is also used to encrypt and decrypt
digital signatures (used to authenticate message senders and receivers).
The digital signature is transformed with the hash function and then
both the hashed value (known as a message-digest) and the signature
are sent in separate transmissions to the receiver. Using the same hash
function as the sender, the receiver derives a message-digest from the
signature and compares it with the message-digest it also received.
They should be the same.
The hash function is used to index the original value or key and then
used later each time the data associated with the value or key is to
be retrieved. Thus, hashing is always a one-way operation. There's no
need to "reverse engineer" the hash function by analyzing
the hashed values. In fact, the ideal hash function can't be derived
by such analysis. A good hash function also should not produce the same
hash value from two different inputs. If it does, this is known as a
collision. A hash function that offers an extremely low risk of collision
may be considered acceptable.
Here are some relatively simple hash functions that have been used:
The division-remainder method: The size of the number of items in the
table is estimated. That number is then used as a divisor into each
original value or key to extract a quotient and a remainder. The remainder
is the hashed value. (Since this method is liable to produce a number
of collisions, any search mechanism would have to be able to recognize
a collision and offer an alternate search mechanism.)
Folding: This method divides the original value (digits in this case)
into several parts, adds the parts together, and then uses the last
four digits (or some other arbitrary number of digits that will work)
as the hashed value or key.
Radix transformation: Where the value or key is digital, the number
base (or radix) can be changed resulting in a different sequence of
digits. (For example, a decimal numbered key could be transformed into
a hexadecimal numbered key.) High-order digits could be discarded to
fit a hash value of uniform length.
Digit rearrangement: This is simply taking part of the original value
or key such as digits in positions 3 through 6, reversing their order,
and then using that sequence of digits as the hash value or key.
A hash function that works well for database storage and retrieval might
not work as well for cryptographic or error-checking purposes. There are
several well-known hash functions used in cryptography. These include
the message-digest hash functions MD2, MD4, and MD5, used for hashing
digital signatures into a shorter value called a message-digest, and
the Secure Hash Algorithm (SHA), a standard algorithm, that makes a
larger (60-bit) message digest and is similar to MD4.
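To make the four table-hashing schemes listed above concrete, here is an added Python illustration, not from the post or any source it quotes. It implements division-remainder, folding, radix transformation and digit rearrangement as described, adds a collision finder of the kind the division-remainder note says a search mechanism must have, and contrasts them with a cryptographic hash by counting how many SHA-256 output bits change between two nearly identical inputs. `name_to_key` is a constructed way of turning the sample names from the post into numbers so the numeric schemes can be applied to them.

```python
import hashlib
from collections import defaultdict

# Added illustration of the simple hash schemes described above. The sample
# names are the post's; the numeric test keys and name_to_key are constructed.


def division_remainder(key: int, table_size: int) -> int:
    """Remainder of the key divided by the (estimated) table size."""
    return key % table_size


def folding(key: str, part_len: int = 4) -> int:
    """Split the digit string into part_len-digit pieces, add them,
    and keep the last part_len digits of the sum."""
    parts = [int(key[i:i + part_len]) for i in range(0, len(key), part_len)]
    return sum(parts) % (10 ** part_len)


def radix_transform(key: int, radix: int = 16, width: int = 4) -> str:
    """Re-express the key in another base and drop high-order digits."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out, n = "", key
    while n:
        out = digits[n % radix] + out
        n //= radix
    return (out or "0")[-width:]


def digit_rearrangement(key: str, start: int = 3, end: int = 6) -> int:
    """Take digit positions start..end (1-based, inclusive) and reverse them."""
    return int(key[start - 1:end][::-1])


def name_to_key(name: str) -> int:
    """Turn a text key into an integer so the numeric schemes apply (constructed)."""
    return int.from_bytes(name.encode("utf-8"), "big")


def find_collisions(hash_fn, keys):
    """Return {hash_value: [keys...]} for every hash value hit more than once."""
    buckets = defaultdict(list)
    for k in keys:
        buckets[hash_fn(k)].append(k)
    return {h: ks for h, ks in buckets.items() if len(ks) > 1}


def bits_changed(a: bytes, b: bytes) -> int:
    """How many of SHA-256's 256 output bits differ between two inputs."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")


NAMES = ["Abernathy, Sara", "Epperdingle, Roscoe", "Moore, Wilfred", "Smith, David"]


def table_lookup(table_size: int = 10000) -> dict:
    """Index the post's names into a four-digit slot with division-remainder."""
    return {name: division_remainder(name_to_key(name), table_size) for name in NAMES}


if __name__ == "__main__":
    print(table_lookup())
    print(find_collisions(lambda k: division_remainder(k, 10), [10, 20, 30, 17, 23]))
    print(bits_changed(b"Smith, David", b"Smith, Davie"))
```

The table schemes are fast and deliberately lossy, so `find_collisions` matters for them; the SHA-256 comparison shows the opposite property wanted from a cryptographic hash, where a one-character change flips roughly half the output bits and collisions are not something a search mechanism can plan around.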
It is pretty hard to find a non-hashed jump point in the eeprom. But
using a method of cloaking (hiding) we can use a known jump point if
we don't make it look obvious to the hash. Please read what a hash is
and you will see we can get around it if we cloak.
Now how do we cloak? Well, let's begin by looking at dsstechpro.hex:
Line 1 #Extreme Hex
Line 2 #C-PromptAreaInfo
Line 3 :102590008A24E78D25F7066022258B011A22A88B55
Line 4 :1025A000011B8C01008A00667D3B29061E7DD72A0F
Line 5 :1025B00006058A260C00417DD82A06058A260D00CC
Line 6 :1025C000377DD92A06058A260E002D7D3529061469
Line 7 :1025D0007D082A06058A260A001E7D092A06058A24
Line 8 :1025E000260B00147D3229060A7D3F2A06058A261D
Line 9 :0725F0000F00058E0066F9E3
Line 10 ::0125F70006DD
Line 11 :1025F8008E0068F97640B5077203B8D5B5D5088C52
Line 12 :082608003C180100C5AA2412D0
Line 13 :033507008E25907E
Line 14 :033BD7008C25FC3E
Line 15 :01323F00F995
Line 16 :00000001FF
Line 3 Broken Down
:10 2590 00 8A 24 E7 8D 25 F7 06 60 22 25 8B 01 1A 22 A8 8B 55
: - Normal Line not encrypted
10 - write 16 bytes (remember in hex 10 = 16)
25 90 or 2590 is the address to start writing at (this is a rule -
when you start a line with ":" you must follow it with the
number of bytes to write "10" and then the address which will
always be two bytes or four characters (2590)
00 - begin write (this is a rule too!)
Line 3 Continued
: 10 25 90 00 - defined above
8A 24 E7 8D 25 F7 06 60 22 25 8B 01 1A 22 A8 8B
55
55 - is the checksum. A checksum is a count of the number of bits in
a transmission unit that is included with the unit so that the receiver
can check to see whether the same number of bits arrived. If the counts
match, it's assumed that the complete transmission was received. Both
TCP and UDP communication layers provide a checksum count and verification
as one of their services. This is calculated by Extreme HU for you -
don't give it too much thought.
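The checksum on these lines can be checked by hand: the layout is the standard Intel HEX record (one byte of length, two bytes of address, a record type where 00 is data and 01 is end of file, the data bytes, then a checksum that is the two's complement of the low byte of the sum of everything before it), and for line 3 the bytes 10 25 90 00 8A ... 8B sum to 0x6AB, whose low byte AB gives 0x100 - 0xAB = 0x55. The following Python parser is an added example, not Extreme HU's code; the sample script is assembled from record lines quoted in this thread. The meaning of lines beginning with "::" or "#" is not spelled out in the post, so the parser only records the colon count and collects "#" lines as directives (assumption) without interpreting them. It also rejects a record whose length byte disagrees with the number of data bytes present, the mistake a hand-typed record line most easily invites.

```python
from dataclasses import dataclass

# Added parser for the record lines shown above (Intel HEX layout). Not
# Extreme HU's code; "::" and "#" lines are classified, not interpreted,
# because the post does not define them (assumption).


@dataclass
class Record:
    colons: int        # 1 for a normal line; 2 for the "::" lines, left undecoded
    length: int
    address: int
    rectype: int       # 00 = data, 01 = end of file
    data: bytes
    checksum: int


def checksum(fields: bytes) -> int:
    """Two's complement of the low byte of the sum of all bytes before the checksum."""
    return (-sum(fields)) & 0xFF


def parse_record(line: str) -> Record:
    """Decode one ':' record; raise ValueError on a malformed line."""
    line = line.strip()
    colons = len(line) - len(line.lstrip(":"))
    if colons == 0:
        raise ValueError("not a record line")
    raw = bytes.fromhex(line[colons:])
    if len(raw) < 5:
        raise ValueError("record too short")
    length, address, rectype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
    data, given = raw[4:-1], raw[-1]
    if len(data) != length:
        raise ValueError(f"length byte {length:#04x} but {len(data)} data bytes present")
    expected = checksum(raw[:-1])
    if given != expected:
        raise ValueError(f"bad checksum {given:#04x}, expected {expected:#04x}")
    return Record(colons, length, address, rectype, data, given)


def is_valid(line: str) -> bool:
    """True if the line parses with a correct length field and checksum."""
    try:
        parse_record(line)
        return True
    except ValueError:
        return False


def parse_script(text: str):
    """Return (directives, records): '#' lines are Extreme HU directives."""
    directives, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            directives.append(line)
        else:
            records.append(parse_record(line))
    return directives, records


# Constructed sample: directives and record lines quoted in this thread,
# followed by the end-of-file record.
SAMPLE_SCRIPT = """
#Extreme Hex
#C-PromptAreaInfo
:102590008A24E78D25F7066022258B011A22A88B55
:0725F0000F00058E0066F9E3
::0125F70006DD
:082608003C180100C5AA2412D0
:00000001FF
"""

if __name__ == "__main__":
    for rec in parse_script(SAMPLE_SCRIPT)[1]:
        print(f"{rec.address:04X} type {rec.rectype:02X} len {rec.length:2d} "
              f"sum {rec.checksum:02X} {rec.data.hex(' ')}")
```

The length check is the useful part when a script is typed in by hand: a line whose length byte says 16 but carries 14 bytes fails before its checksum is even considered, and a line with one wrong byte fails on the checksum.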
01-09-2002 02:06 AM
alyn
Old Timer
Registered: Feb 2001
Location:
Posts: 275
Operational codes are used to give instructions. They are simply a language
that is very short (byte by byte) to instruct a device to do something.
We need opcode understanding if we are going to decipher 8A 24 E7 8D
25 F7 06 60 22 25 8B 01 1A 22 A8 8B.
Before we jump in, let's list some opcodes and explain them. We know
8C means jump to and that we must follow 8C with an address to jump
to. We also know that each address is two bytes long or four characters
long.
Let's start reviewing each opcode and their meaning and how they are
used - and why they were used here:
8A 24 E7 8D 25 F7 06 60 22 25 8B 01 1A 22 A8 8B
If you have the opcode library you will see this
8Ah 3 MOV &ad16,A
What does this mean? Well lets see we know the little "h"
is for hexadecimal and the 8A is the opcode so we can now ignore the
little h.
Next the 3 - I'll let you think on that - give me the answer if you
can!
Now the MOV - that's a Mnemonic - simply a shortened way of explaining
the action this operation code will do. So what does it do - it says
Move.
Now the &ad16 - ignore the & look at the ad16 - 16-bit Absolute
Address - what does this mean? give me answer if you can!
Now the A - what the heck does it mean?
8A means to copy something to someplace.
So we know we have to copy from an address to an address - so look
at the line
8A 24 E7 8D 25 F7 06 60 22 25 8B 01 1A 22 A8 8B
we copy (8A) whatever is at location 24 E7 (24E7) to ? (hold that
thought). So we know that we copy the value at 24E7; what do we do with
it? Well, let's look at the next byte - 8D.
8D means CMP or compare - hmmm - compare eh. compare what? the next
two bytes are the address to compare what we copied (24 F7) 24F7
So now we know we are to copy 24E7 and compare it to 25F7 but what
do we do next. 06 JNZ - what the heck is JNZ, well actually it means
Jump if not equal to zero. Where do we jump to? look at the next two
bytes - 2225 (22 25). But what if it is equal to zero - then proceed
to the next byte (opcode).
8A means copy into memory the information at 24E7
8D means compare what you copied into memory (24E7) to 25F7
This is comparing the DSW update to ensure it equals 06.
Now here is the 3M part
: 10 25F8 00 8E 00 68 F9 76 40 B5 07 72 03 B8 D5 B5 D5 08 8C 52
: 08 2608 00 3C 18 01 00 C5 AA 24 12 D0
: 03 3507 00 8E 25 90 7E
: 03 3BD7 00 8C 25 FC 3E
: 01 323F 00 F9 95
Let's do the first line:
: 10 25F8 00 8E 00 68 F9 76 40 B5 07 72 03 B8 D5 B5 D5 08 8C 52
define it and tell me why it's here! Look at extreme Hu in the HU Map
you'll notice that this address is in the ZKT table. (hmmm cloaking)
Notice the jump at the end - the next two bytes - the address - is
found on the next line (3C18) the jump to the authorization.
You can overwrite the register when you no longer need the value.
10 25F8 00 8E 00 68 F9 76 40 B5 07 72 03 B8 D5 B5 D5 08 8C 52
Let take off the 10 25F8 00 and the check sum 52. We all know what these
mean at this point - if not ask now!
We leave 8E 00 68 F9 76 40 B5 07 72 03 B8 D5 B5 D5 08 8C
but do we care about 8E 00 68 F9 76 40 B5 07 72 03 B8 D5 B5 D5 08 -
is this not just some data to help cloak the jump 8C?
3M Continued
Line 1 : 10 25F8 00 8E 00 68 F9 76 40 B5 07 72 03 B8 D5 B5 D5 08 8C
52
Line 2 : 08 2608 00 3C 18 01 00 C5 AA 24 12 D0
Line 3 : 03 3507 00 8E 25 90 7E
Line 4 : 03 3BD7 00 8C 25 FC 3E
Line 5 : 01 323F 00 F9 95
Line 1 explained
10 - (write 10h bytes)
25F8 - (starting at 25F8)
00 - (start the write)
8E 00 68 - (Call (Do) cmd 82 starting at 0068)
F9 - (return)
76 40 B5 07 - (BTJO - check bit 6 of register B5 if 1 go to addr 7 steps
away) else go on
72 03 B8 - (copy #03 into register B8 setting bits 0 and 1)
D5 B5 - (clear register B5)
D5 08 -(clear register 08)
8C __ __ - (branch to ?? ??) on next line
52 - checksum
Now obviously we can just use this code as it will go down. But do
we need to do all the above before we get to the Jump?
You guys are fast - well, the answer before the question - yes, we need
to authorize video but not all in one location (hmmm - cloaking).
If you read what a hash is you know that if you take the value of 3M
code it will equal some value - they can use this to hunt your code
and kill it.
So if we break it up enough and put it in a range of addresses not
easily searched we can successfully cloak our code.
You can use a jump 8C or maybe another opcode. Lets Review
we know that we are now in the 3M part and that the one we see here
is being hashed. We know we have to break the code up and hide it or
...
OR how about this - I need lots of help here - we write code to write
to the RAM. We use the MOV (copy) opcode to place each piece of code
to RAM then execute it with CMP.
Let's go back a minute
We haven't finished completing the breakdown of the lines.
We know we need this line and what it does
:1025F8008E0068F97640B5077203B8D5B5D5088C52
this line contains the jump address 3C18 but anything else?
:082608003C180100C5AA2412D0
Lets break out the code for video part 1
76 40 B5 07 and add it in 3 lines of code where the result will be copying
the code to RAM - We'll pick starting address 0023.
: 10 25F8 00 8A 00 34 76 8A 00 35 40 8A 00 36 B5 8A 00 37 07
: 10 2608 00 8A 00 38 72 8A 00 39 03 8A 00 40 B8 8A 00 41 D5
: 10 2616 00 8A 00 42 B5 8A 00 43 D5 8A 00 44 08 8A 00 45 8C
: 10 2626 00 8A 00 46 3C 8A 00 47 18 00 00 00 00 XX 00 34 00
We must know exactly what command is used to copy bytes to RAM addresses
- I am using 8A - 8A is a register copy not an address unless I'm wrong.
We can substitute 8A for the correct opcode as soon as we find it.
Next we will substitute XX for the CMP or call function that will run
the code in RAM.
Find the mistakes?
The post above said it 8A moves to register 8B to Address. You have
to move to register then from register to RAM.
Maybe Like this?
: 10 25F8 00 8A 26 04 8B 00 34 8A 26 05 8B 00 35 76 40
: 10 2606 00 8A 26 12 8B 00 36 8A 26 13 8B 00 37 B5 07
Did you spot the mistake
look at the number of bytes to be written - it's not 16 (10h) it 14
(0Dh).
Let's Review
We are writing to RAM from code that is going to be written in the eeprom;
we then execute the code in RAM from the eeprom.
: 0D 25F8 00 8A 26 04 8B 00 34 8A 26 05 8B 00 35 76 40
: 0D 2606 00 8A 26 12 8B 00 36 8A 26 13 8B 00 37 B5 07
: 0D 2614 00 8A 26 20 8B 00 38 8A 26 21 8B 00 39 72 03
: 0D 2614 00 8A 26 2E 8B 00 40 8A 26 2F 8B 00 41 B8 D5
: 0D 2614 00 8A 26 3C 8B 00 42 8A 26 3D 8B 00 43 B5 D5
: 0D 2614 00 8A 26 3C 8B 00 44 8A 26 3D 8B 00 45 08 8C
Now this should be mixed up a little - don't write it in line as I have. I
did this in Word and it doesn't line up too well here - the first line
is the address (last byte), the second line is the actual line of script,
the third is what is being written.
Part 1, Card Prep
#Extreme Hex
#C-OptionsOFF
#C-CopyKey
#C-CleanEEP
#C-StartMsg=
#C-EndMsg=
#C-PromptAreaInfo
Part 2, DSW Update
:10 2590 00 8A 24 E7 8D 25 F7 06 60 22 25 8B 01 1A 22 A8 8B 55
:10 25A0 00 01 1B 8C 01 00 8A 00 66 7D 3B 29 06 1E 7D D7 2A 0F
:10 25B0 00 06 05 8A 26 0C 00 41 7D D8 2A 06 05 8A 26 0D 00 CC
:10 25C0 00 37 7D D9 2A 06 05 8A 26 0E 00 2D 7D 35 29 06 14 69
:10 25D0 00 7D 08 2A 06 05 8A 26 0A 00 1E 7D 09 2A 06 05 8A 24
:10 25E0 00 26 0B 00 14 7D 32 29 06 0A 7D 3F 2A 06 05 8A 26 1D
:07 25F0 00 0F 00 05 8E 00 66 F9 E3
::01 25F7 0006 DD
Part 3, Clear IRD and Set Guide
::04 2460 00 00 00 00 00 78
::04 24A4 00 00 00 00 00 34
::10 2500 00 0D 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B1
::10 2510 00 00 00 00 00 00 00 00 00 FF FF FF FF 7F FE 81 89 38
Part 4, Add Fuse Bytes
: 02 2014 00 25 DA CB
Part 5, Authorization
: 10 25F8 00 8E 00 68 F9 76 40 B5 07 72 03 B8 D5 B5 D5 08 8C 52
: 08 2608 00 3C 18 01 00 C5 AA 24 12 D0
8E 00 68 means lcall like jump to addy 00 68
F9 is the return for 8E
76 40 B5 07 MEANS check to see if video is allowed
72 03 B8 means enable video
D5 B5 D5 08 means clear nags
8C is the start of the jump back to 3C18 addy
Rewrite Part 5 as follows
D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF
25D0 : 10 25D0 00 8A 00 FE 8B 00 30 8A 00 FD 8B 00 31 8A 00 FF 8B
76 40 B5
E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF
25E0 : 10 25E0 00 00 32 8A 00 FC 8B 00 33 8A 00 FB 8B 00 34 8A 00
07 72
F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF
25F0 : 10 25F0 00 FA 8B 00 35 18 3C 8C 08 D5 B8 03 72 07 40 76 B5
03
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
2600 : 10 2600 00 8A 00 F9 8B 00 36 8A 00 F8 8B 00 37 8A 00 00 8B
B8 D5
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
2610 : 10 2610 00 00 38 8A 00 FF 8B 00 39 8A 00 F8 8B 00 40 8A 00
B5 D5
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
2620 : 10 2620 00 F7 8B 00 41 8A 00 F6 8B 00 42 8A 00 F5 8B 00 43
08 8C 3C
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
2630 : 06 2630 00 8A 00 F4 8B 00 44
18
The Lines would look like this
: 10 25D0 00 8A 25 FE 8B 00 30 8A 25 FD 8B 00 31 8A 25 FF 8B
: 10 25E0 00 00 32 8A 25 FC 8B 00 33 8A 25 FB 8B 00 34 8A 25
: 10 25F0 00 FA 8B 00 35 18 3C 8C 08 D5 B8 03 72 07 40 76 B5
: 10 2600 00 8A 25 F9 8B 00 36 8A 00 F8 8B 00 37 8A 00 00 8B
: 10 2610 00 00 38 8A 25 FF 8B 00 39 8A 25 F8 8B 00 40 8A 25
: 10 2620 00 F7 8B 00 41 8A 25 F6 8B 00 42 8A 25 F5 8B 00 43
: 06 2630 00 8A 25 F4 8B 00 44
We are looking for a Call opcode
What opcode is used to call a routine (set of instructions)
AE
AF
9E
9F
F4EE
F4EF
When you enter the script, do it byte by byte. The checksums must
be added by Extreme HU automatically, and the first part :10203000 -
that should not be entered. You enter 2030 in the address field.
01-09-2002 02:07 AM
alyn
Old Timer
Registered: Feb 2001
Location:
Posts: 275
The idea is to put the code in RAM, then run it, then erase it, and so
on and so on...
If they try to hash they won't find the code!
We write the lines of code to RAM - execute them and then erase them.
That's what humask did BUT it wrote to the EEPROM - killing the card
after so many writes. RAM IS constantly written to; it is built to handle
this and will not hurt a card. If done correctly it can't be detected.
When we finally go holy shi... I mean eureka, we will move to a new
thread and recap. That way we don't have to weed through so much of
my bad humour.
Let's confirm the following:
1. RAM addresses that can be used.
2. Opcodes that will be used to:
Move data to the register
Move data from the register to an absolute address
Call a subroutine and return
3. Addresses to use to put the loading code into - the code we use
to put code into RAM (the ZKT will not be the locale as we have made
it public - this address along with the final RAM addresses will be
determined but not used in the examples).
We have the RAM address but are unsure of where to place the code within
it. Yes, there are specific addresses used for processing and we don't
want to use those. But remember we only want to write the code to RAM
- execute it - erase it. This will happen each time the card is hot
(each time a video packet needs to be verified).
We know the registers are at the beginning so we can't use the first
couple of addresses. What addresses should we use? Now if we say will
DAVE put code in RAM and keep checking it - probably - but we can simply
retrieve what's in RAM, hold it, write our code, execute our code and
rewrite the original values back.
Now how about the opcodes - the opcodes we are using are fat - they
aren't refined. Let's get a little more creative and use the nice ones
to our advantage - this will shorten our code and allow us to cloak
easily.
.........................................................................................................
>FOR HU CARD
>HU EEPROM INFORMATION:
2014 - 2015: Fuse Byte - 25 DA subscribed or 20 DF virgin
2024 - 2105: PPV area
2106 - 22F1: Tier area
2406 - 2407: Spending Limit
240C - 240F: Password
2410 - 2415: Zip Code
2460 - 2463: IRD number prewrite info
24A4 - 24A8: IRD number
24C0 - 24C7: Eeprom Decrypt key 1
24C8 - 24C9: USW Counter
24D8 - 24DB: CAM ID number
24E0 - 24E0: Time Zone
2500 - 2500: Guide Byte?
2550 - 258F: Primary ZKT Table
2590 - 25CF: Secondary ZKT Table
25D0 - 260F: Tertiary ZKT Table
2658 - 265F: Eeprom decrypt key 2
command dispatch
SendATRVec 288C 8C C2 98 ljmp SendATR ;
func288FVec 288F 8C C0 EC ljmp func_C0EC ;
func3EEBVec 2892 8C 3E EB ljmp func_3EEB ;
GetByteFrmZKTModulusVec 2895 8C 3B 06 ljmp GetByteFromZKTModulus ;
Set2AToZKTSecretVec 2898 8C 3B 34 ljmp Set2AToZKTSecret ;
func3819Vec 289B 8C 38 19 ljmp func_3819 ;
func3978Vec 289E 8C 39 78 ljmp func_3978 ;
28A1 8C C2 7A ljmp func_C27A ;
func3C96Vec 28A4 8C 3C 96 ljmp func_3C96 ;
func393AVec 28A7 8C 39 3A ljmp func_393A ;
funcE074Vec 28AA 8C E0 74 ljmp func_E074 ;
func2F43Vec 28AD 8C 2F 43 ljmp func_2F43 ;
PreprocessPktVec 28B0 8C 37 00 ljmp PreprocessPkt ;
funcE30EVec 28B3 8C E3 0E ljmp func_E30E ;
func28B6Vec 28B6 8C 3D 12 ljmp func_3D12 ;
func3780Vec 28B9 8C 37 80 ljmp func_3780 ;
func3770Vec 28BC 8C 37 70 ljmp func_3770 ;
funcE043Vec 28BF 8C E0 43 ljmp func_E043 ;
func3C96Vec_ 28C2 8C 3C 96 ljmp func_3C96 ;
28C5 8C 3D 56 ljmp func_3D56 ;
funcD6B2Vec 28C8 8C D6 B2 ljmp func_D6B2 ;
func29C4Vec 28CB 8C 29 C4 ljmp func_29C4 ;
func2F56Vec 28CE 8C 2F 56 ljmp func_2F56 ;
func3181Vec 28D1 8C 31 81 ljmp func_3181 ;
func3F37Vec 28D4 8C 3F 37 ljmp func_3F37 ;
func2AC5Vec 28D7 8C 2A C5 ljmp func_2AC5 ;
func3B55Vec 28DA 8C 3B 55 ljmp func_3B55 ;
func3B79Vec 28DD 8C 3B 79 ljmp func_3B79 ;
func28E0Vec 28E0 8C 36 EA ljmp func_36EA ;
funcC430Vec 28E3 8C C4 30 ljmp CallFunction@36 ;
func33B7Vec 28E6 8C 33 B7 ljmp func_33B7 ;
func2F9DVec 28E9 8C 2F 9D ljmp func_2F9D ;
funcD6F6Vec 28EC 8C D6 F6 ljmp func_D6F6 ;
func3103Vec 28EF 8C 31 03 ljmp func_3103 ;
funcD343Vec 28F2 8C D3 43 ljmp func_D343 ;
func36F5Vec 28F5 8C 36 F5 ljmp func_36F5 ;
func231EVec 28F8 8C 23 1E ljmp func_231E ;
28FB 8C 37 73 ljmp func_3773 ;
func3ED0Vec 28FE 8C 3E D0 ljmp func_3ED0 ;
DispatchInstructionVec 2901 8C 30 5C ljmp DispatchInstruction ;
2904 8C EC 9C ljmp func_EC9C ;
2907 8C 37 72 ljmp ret_3772 ;
func290AVec 290A 8C 37 72 ljmp ret_3772 ;
INS dispatch routine:
305F 32 BE mov i,PktInsByte ;
3061 AA 30 73 mov a,@i+Ins00Jump ;
3064 D0 29 mov 29h,a ;
3066 AA 30 74 mov a,@i+3074h ;
3069 D0 2A mov 2ah,a ;
306B 8E C3 7A lcall SendInsByteToIRD ; Send INS byte to IRD if packet length is non-zero
306E 9E 2A icall @2ah ; Call appropriate function to handle the packet
3070 8C 34 04 ljmp 3404h ;
Ins00Jump 3073 C3 58 dw DecoyIns
Ins02Jump 3075 CE 77 dw Ins02-Send8Bytes@24D0
Ins04Jump 3077 C7 EC dw Ins04-RecvByte@2016
Ins06Jump 3079 CF F8 dw Ins06-SendByte@2016
Ins08Jump 307B C3 58 dw DecoyIns
Ins0AJump 307D C3 58 dw DecoyIns
Ins0CJump 307F C3 58 dw DecoyIns
Ins0EJump 3081 C3 58 dw DecoyIns
Ins10Jump 3083 C3 58 dw DecoyIns
Ins12Jump 3085 C7 FB dw Ins12-Send8Bytes@2000
Ins14Jump 3087 C3 58 dw DecoyIns
Ins16Jump 3089 C3 58 dw DecoyIns
Ins18Jump 308B C3 58 dw DecoyIns
Ins1AJump 308D C3 58 dw DecoyIns
Ins1CJump 308F C3 58 dw DecoyIns
Ins1EJump 3091 C3 58 dw DecoyIns
Ins20Jump 3093 C3 58 dw DecoyIns
Ins22Jump 3095 C3 58 dw DecoyIns
Ins24Jump 3097 C3 58 dw DecoyIns
Ins26Jump 3099 C3 58 dw DecoyIns
Ins28Jump 309B C7 F5 dw Ins28-Send#00h#80hToIRD
Ins2AJump 309D CF 56 dw Ins2A-SendMoreCardInfo
Ins2CJump 309F C8 06 dw Ins2C-GetUserLimits
Ins2EJump 30A1 C6 A4 dw Ins2E-SetUserLimits
Ins30Jump 30A3 CC C4 dw Ins30
Ins32Jump 30A5 3E DC dw Ins32
Ins34Jump 30A7 C3 58 dw DecoyIns
Ins36Jump 30A9 CF 08 dw Ins36
Ins38Jump 30AB C9 83 dw Ins38-EnableCardSwap
Ins3AJump 30AD C3 58 dw DecoyIns
Ins3CJump 30AF C3 58 dw DecoyIns
Ins3EJump 30B1 C3 58 dw DecoyIns
Ins40Jump 30B3 D0 EE dw Ins40/42-CmdPacket
Ins42Jump 30B5 D0 EE dw Ins40/42-CmdPacket
Ins44Jump 30B7 30 14 dw Ins44-RecvCardSwapData
Ins46Jump 30B9 3F 20 dw Ins46
Ins48Jump 30BB CE 3F dw Ins48-SetUserPassword
Ins4AJump 30BD 37 10 dw Ins4A-InitZKT
Ins4CJump 30BF C6 E4 dw Ins4C-Marry/CheckIRD
Ins4EJump 30C1 C3 58 dw DecoyIns
Ins50Jump 30C3 C3 58 dw DecoyIns
Ins52Jump 30C5 CE AD dw Ins52-GetUserPassword
Ins54Jump 30C7 3B A1 dw Ins54-GetDecryptionSeed
Ins56Jump 30C9 C9 A0 dw Ins56-SendCardSwapData
Ins58Jump 30CB CE B8 dw Ins58-SendCardInfo
Ins5AJump 30CD 37 22 dw Ins5A-PerformZKT
Ins5CJump 30CF C8 A0 dw Ins5C-SendStatusBytes
Ins5EJump 30D1 C5 49 dw Ins5E
01-09-2002 02:09 AM
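Editor's note (added example, not from any of the posts): the dispatch listing above and the ins-54 listing further down give enough opcode encodings to decode the short stretches of card code this thread keeps pointing at. The disassembler below is built only from what those listings show: the mnemonics and operand layouts for the named opcodes, the instruction lengths (from the address progression) for the ones the listing marks "??", and the relative-branch rule target = address + instruction length + signed 8-bit offset, which is my inference but reproduces every SJMP, JZ, JLT, JBSET and JBCLR target the listing prints. It is run here on the H-card 3M bytes from the first post (25F8 to 2609), on the INS dispatch routine at 305F, and on the ins-54 video check at 3BB8; nothing about opcodes the page does not show is assumed.

```python
"""Minimal disassembler for the card CPU, reconstructed from this page's listings."""

# Format string plus operand layout.  The layout fixes the length:
#   ''   none   'r' reg   'i' imm   'rel' signed offset   'ir' imm,reg
#   'a'  16-bit address (big endian)   'rr' src,dst regs   'ar' address,reg
#   'brel' bitmask, reg, signed offset
OPCODES = {
    0x00: ("SJMP {t:04X}h", "rel"),  0x02: ("JZ {t:04X}h", "rel"),
    0x06: ("JNZ {t:04X}h", "rel"),   0x0F: ("JLT {t:04X}h", "rel"),
    0x12: ("MOV A, {r:02X}h", "r"),  0x13: ("XRL A, {r:02X}h", "r"),
    0x1B: ("ADD A, {r:02X}h", "r"),  0x32: ("MOV I, {r:02X}h", "r"),
    0x5D: ("CMP I, #{i:02X}h", "i"),
    0x70: ("ADDW {r:02X}h, #{i:02X}h", "ir"), 0x72: ("MOV {r:02X}h, #{i:02X}h", "ir"),
    0x74: ("ORL {r:02X}h, #{i:02X}h", "ir"),
    0x76: ("JBSET {r:02X}h.{b}, {t:04X}h", "brel"),
    0x77: ("JBCLR {r:02X}h.{b}, {t:04X}h", "brel"),
    0x88: ("MOVW {r:02X}h, {a:04X}h", "ar"),
    0x8C: ("LJMP {a:04X}h", "a"),    0x8E: ("LCALL {a:04X}h", "a"),
    0x98: ("MOVW {d:02X}h, {s:02X}h", "rr"),
    0x9A: ("MOVW A, @{r:02X}h", "r"), 0x9B: ("MOVW @{r:02X}h, A", "r"),
    0x9E: ("ICALL @{r:02X}h", "r"),
    0xAA: ("MOV A, @I+{a:04X}h", "a"), 0xAB: ("MOV @I+{a:04X}h, A", "a"),
    0xD0: ("MOV {r:02X}h, A", "r"),
    0xB5: ("CLR A", ""), 0xC3: ("INC I", ""), 0xC5: ("CLR I", ""),
    0xE1: ("SEND A", ""), 0xF9: ("RET", ""),
    # Meaning unknown on the page ('??'), length known from the listing.
    0x05: ("?? {r:02X}h ??", "r"), 0x1C: ("?? A, {r:02X}h ??", "r"),
    0x34: ("?? {r:02X}h ??", "r"), 0xD3: ("?? {r:02X}h ??", "r"),
    0xD5: ("?? {r:02X}h ??", "r"), 0x01: ("?? #{i:02X}h ??", "i"),
    0x25: ("?? #{i:02X}h ??", "i"), 0x53: ("?? #{i:02X}h ??", "i"),
    0x43: ("?? {r:02X}h, #{i:02X}h ??", "ir"), 0x7D: ("CMP? {r:02X}h, #{i:02X}h", "ir"),
    0x42: ("?? {s:02X}h, {d:02X}h ??", "rr"), 0x89: ("?? {a:04X}h ??", "a"),
    0xFC: ("?? {a:04X}h ??", "a"),
}
for _op in (0x30, 0x7B, 0xA6, 0xA8, 0xB0, 0xB4, 0xB8, 0xBD, 0xC0, 0xC4, 0xC8, 0xEE):
    OPCODES[_op] = ("?? ??", "")          # one-byte, unnamed in the listing
LENGTH = {"": 1, "r": 2, "i": 2, "rel": 2, "ir": 3, "a": 3, "rr": 3, "ar": 4, "brel": 4}


def branch_target(addr, length, offset):
    """Relative branches are taken from the address after the instruction."""
    signed = offset - 256 if offset & 0x80 else offset
    return (addr + length + signed) & 0xFFFF


def disassemble(base, code):
    """Return a list of (address, hex bytes, text) for the bytes in `code`.

    An opcode absent from the table is emitted as a one-byte 'db'; since its
    true length is unknown, decoding after it may be misaligned.
    """
    out, pc = [], 0
    while pc < len(code):
        addr, op = base + pc, code[pc]
        fmt, kind = OPCODES.get(op, ("db {op:02X}h (unknown opcode)", ""))
        n = LENGTH[kind]
        ins = code[pc:pc + n]
        if len(ins) < n:
            raise ValueError("truncated instruction at %04X" % addr)
        f = {"op": op}
        if kind == "r":
            f["r"] = ins[1]
        elif kind == "i":
            f["i"] = ins[1]
        elif kind == "rel":
            f["t"] = branch_target(addr, n, ins[1])
        elif kind == "ir":
            f["i"], f["r"] = ins[1], ins[2]
        elif kind == "a":
            f["a"] = (ins[1] << 8) | ins[2]
        elif kind == "rr":
            f["s"], f["d"] = ins[1], ins[2]
        elif kind == "ar":
            f["a"], f["r"] = (ins[1] << 8) | ins[2], ins[3]
        elif kind == "brel":
            mask = ins[1]                      # single-bit mask, e.g. 40h -> bit 6
            f["b"] = mask.bit_length() - 1 if mask and not mask & (mask - 1) else "mask%02X" % mask
            f["r"], f["t"] = ins[2], branch_target(addr, n, ins[3])
        out.append((addr, " ".join("%02X" % b for b in ins), fmt.format(**f)))
        pc += n
    return out


# Inputs copied from this page's listings (not constructed): the H-card 3M
# code at 25F8..2609, the INS dispatch routine at 305F, the check at 3BB8.
THREE_M_CODE = bytes.fromhex("8E0068F97640B5077203B8D5B5D5088C3C18")
DISPATCH = bytes.fromhex("32BEAA3073D029AA3074D02A8EC37A9E2A8C3404")
INS54_CHECK = bytes.fromhex("7640B54D")

if __name__ == "__main__":
    for base, code in ((0x25F8, THREE_M_CODE), (0x305F, DISPATCH), (0x3BB8, INS54_CHECK)):
        for addr, raw, text in disassemble(base, code):
            print("%04X  %-12s %s" % (addr, raw, text))
        print()
```

Decoding the 3M bytes makes the layout of that snippet visible: the JBSET B5h.6 at 25FC skips forward exactly to the LJMP 3C18h at 2607, so when the video bit is already set the enable and nag-clear bytes are bypassed and the card goes straight back to its own code, which matches the first post's byte-by-byte commentary.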
alyn
ins-54 area
3BA1 8E 3E D6 LCALL 3ED6h
3BA4 77 10 B8 2F JBCLR B8h.4, 3BD7h
3BA8 D5 08 ?? 08h ??
3BAA D5 B8 ?? B8h ??
3BAC 77 08 D0 08 JBCLR D0h.3, 3BB8h
3BB0 72 16 08 MOV 08h, #16
3BB3 74 04 B8 ORL B8h, #04
3BB6 00 51 SJMP 3C09h
3BB8 76 40 B5 4D JBSET B5h.6, 3C09h
3BBC 88 01 76 30 MOVW 30h, 0176h
3BC0 88 00 A0 32 MOVW 32h, 00A0h
3BC4 72 08 06 MOV 06h, #08
3BC7 8E E5 B7 LCALL E5B7h
3BCA D5 A8 ??? A8h ??
3BCC D5 A9 ??? A9h ??
3BCE 74 01 B8 ORL B8h, #01
3BD1 8E 3C 74 LCALL 3C74h
3BD4 89 00 96 ??? 0096h ??
3BD7 C5 CLR I
3BD8 AA 24 F4 MOV A, @I+24F4h
3BDB D0 0B MOV 0Bh, A
3BDD AA 00 A0 MOV A, @I+00A0h
3BE0 43 00 0B ??? 0Bh, #00 ??
3BE3 AA 2A E4 MOV A, @I+2AE4h
3BE6 13 0B XRL A, 0Bh
3BE8 AB 00 A0 MOV @I+00A0h, A
3BEB C3 INC I
3BEC 5D 0C CMP I, #0C
3BEE 0F E8 JLT 3BD8h
3BF0 8E DE D9 LCALL DED9h
3BF3 8E DF 61 LCALL DF61h
3BF6 7D 17 C6
3BF9 06 03 JNZ 3BFEh
3BFB 72 04 B8 MOV B8h, #04
3BFE 77 08 B8 03 JBCLR B8h.3, 3C05h
3C02 74 02 D1 ORL D1h, #02
3C05 76 01 B8 0F JBSET B8h.0, 3C18h
3C09 C5 CLR I
3C0A B5 CLR A
3C0B AB 00 A0 MOV @I+00A0h, A
3C0E AB 00 88 MOV @I+0088h, A
3C11 C3 INC I
3C12 5D 0A CMP I, #0A
3C14 0F F5 JLT 3C0Bh
3C16 00 37 SJMP 3C4FH
3C18 C5 CLR I
3C19 88 01 76 2C MOV 2Ch, 0176h
3C1D A6
3C1E 01 3D
3C20 FC 80 35
3C23 8E 3C A0 LCALL 3CA0h
3C26 A8
3C27 01 76
3C29 30
3C2A EE
3C2B 13 D8 XRL A, D8h
3C2D 9B 2C MOVW @2Ch, A
3C2F 70 01 2C ADDW 2Ch, #01
3C32 C3 INC I
3C33 5D 0A CMP I, #0A
3C35 0F E6 JLT 3C1Dh
3C37 88 01 76 2C MOVW 2Ch, 0176h
3C3B C5 CLR I
3C3C 9A 2C MOVW A, @2Ch
3C3E AB 00 A0 MOV @I+00A0h, A
3C41 AB 00 88 MOV @I+0088h, A
3C44 B5 CLR A
3C45 9B 2C MOVW @2Ch, A
3C47 C3 INC I
3C48 70 01 2C ADDW 2Ch, #01
3C4B 5D 0A CMP I, #0A
3C4D 0F ED JLT 3C3Ch
3C4F 77 40 B7 03 JBCLR B7h.6, 3C56h
3C53 8E 3D 90 LCALL 3D90h
3C56 76 01 B6 04 JBSET B6h.0, 3C5Eh
3C5A D5 A8 ??? A8h ??
3C5C D5 A9 ??? A9h ??
3C5E 8E 3C 74 LCALL 3C74h
3C61 C5 CLR I
3C62 AA 00 88 MOV A, @I+0088h
3C65 AB 00 A0 MOV @I+00A0h, A
3C68 C3 INC I
3C69 5D 08 CMP I, #08
3C6B 0F F5 JLT 3C62h
3C6D 98 D6 C3 MOVW C3h, D6h
3C70 98 A7 D6 MOVW D6h, A7h
3C73 F9 RET
3C74 42 B5 AA
3C77 12 B8 MOV A, B8h
3C79 25 07
3C7B D0 AB MOV ABh, A
3C7D 32 C7 MOV I, C7h
3C7F 34 C8 ??? , C8h ??
3C81 02 05 JZ 3C88h
3C83 74 01 D2 ORL D2h, #01
3C86 D5 08 ??? 08h ??
3C88 42 08 AC
3C8B C5 CLR I
3C8C AA 00 A0 MOV A, @I+00A0h
3C8F E1 SEND A
3C90 C3 INC I
3C91 5D 0D CMP I, #0D
3C93 0F F7 JLT 3C8Ch
3C95 F9 RET
3C96 A6
3C97 01 3D
3C99 FC 21 30
3C9C 8E 3C A0 LCALL 3CA0h
3C9F F9 RET
3CA0 B8
3CA1 C8
3CA2 D5 DB ??? DBh ??
3CA4 D5 DC ??? DCh ??
3CA6 D0 D8 MOV D8h, A
3CA8 7B
3CA9 05 DC ??? DCh ??
3CAB 32 DB MOV I, DBh
3CAD AA 00 A8 MOV A, @I+00A8h
3CB0 1B D8 ADD A, D8h
3CB2 AB 00 A8 MOV @I+00A8h, A
3CB5 D0 DA MOV DAh, A
3CB7 AA 00 A0 MOV A, @I+00A0h
3CBA 13 DA XRL A, DAh
3CBC AB 00 A0 MOV @I+00A0h, A
3CBF 13 DC XRL A, DCh
3CC1 25 1F
3CC3 C0
3CC4 AA 3C F2 MOV A, @I+3CF2h
3CC7 D0 DA MOV DAh, A
3CC9 32 DB MOV I, DBh
3CCB 53 06
3CCD AA 00 A8 MOV A, @I+00A8h
3CD0 13 DA XRL A, DAh
3CD2 AB 00 A8 MOV @I+00A8h, A
3CD5 B0
3CD6 BD
3CD7 D0 DA MOV DAh, A
3CD9 32 DB MOV I, DBh
3CDB 53 05
3CDD AA 00 A0 MOV A, @I+00A0h
3CE0 1C DA ??? , DAh ??
3CE2 AB 00 A0 MOV @I+00A0h, A
3CE5 43 00 D8 ??? D8h, #00 ??
3CE8 D3 DB ??? DBh ??
3CEA 7D 08 DB CMP? DBh, #08
3CED 0F B9 JLT 3CA9h
3CEF C4
3CF0 B4
3CF1 F9 RET
.........................................................................................................
>FOR HU CARD
>-----Paste-----
Let's see, at our last class we learned about the HU card in general... how
we access it etc.... Well, today we are going to start picking the EEPROM
apart......
(Refer to HU EEPROM maps, etc. for the following)
You will see some things that look familiar to you in the HU EEPROM:
a PPV area, a tier area, some stuff that looks like the H card, but if
you dump an HU card you will not see all 00s there like on a virgin
H card; you will see a bunch of numbers. This is because part of the
HU card is encrypted. Yep, that is correct: each HU card is encrypted
with a different set of EEPROM keys that are generated when the card is
first started up.
There are actually two sets of keys that are XOR'd (an exclusive or)
together to get one single key....
An exclusive or is a binary bit comparison in which
1 xor 1 = 0
0 xor 0 = 0
1 xor 0 = 1
0 xor 1 = 1
This gives an 8 byte key that can be used to decrypt the EEPROM.. actually
the key must be listed twice for the 16 byte addresses.
Not all of the EEPROM is encrypted, just mainly the general stuff like
PPV, tier areas, IRD # etc.
There are a lot of blank areas in the HU card; I am not quite sure
why they are there but it gives us many places to put code.
If you dump an HU card you will see a bunch of hex numbers, so besides
the general stuff and the HU EEPROM keys, what are all those numbers
and what do they mean???
Those numbers are operation codes or opcodes. They are hex numbers
(instructions) that the card understands.. in other words each number
00-FF has a different meaning and we use these opcodes to "talk"
to the card and tell it what to do.. Some opcodes have some extra bytes
that go along with them. These other bytes can be part of a numeric
instruction/calculation, or can just simply be an address like 8C 20
50 (jump to the address 2050).
One of the main parts of the EEPROM that we will be concerned with is
the INS 54 area.. this is the part of the EEPROM that checks to see
if we are authorized to view each channel... Look through the disassembly
and see if you can find what the INS 54 area is looking for to be set...
OK, that is enough for today. There will be a chat class Thursday at 9pm
Eastern, 8 Central; if you have any questions feel free to ask them...
you can post them below if you want or bring them to the chat.....
woody
OK, let's talk about what it takes to activate an HU card.....
1) we need to set the fuse bytes
2) we need to write the 12 byte key
3) we need to write our 3M code
We set the fuse bytes to 25 DA, which basically means that this card
is married and activated... The fuse bytes are located at 2022-2023.
Next we need to write a 12 byte key... The 12 byte key is originally
located at 2AE4 and is written at 24F4... This is nothing more than a
card key; it is changed with the USW... when USW 1 hit it changed the
12 byte key.. The reason that we transfer the 12 byte key is that it
is transferred on any sub card... If we corrupt the 12 byte key we can
partially write protect the card from taking updates... but a corrupted
12 byte key could potentially be an ECM target..
Now the 3M code...
A 3M code is nothing more than a string of numbers that set the video
bits and clear the video nag... so what are the strings???
74 02 27 ; this sets the video bit
75 EF 28 ; this clears the nag
Now in the H card the nag was called at the same time as the check
for the video bit.. On the HU they are called at different times, forcing
us to do one of two things..
1) use two jump points, one for the video and one for the nag
2) use 1 jump point and do a check to see what the card is checking
for, then clear the nag or set the video bit depending on what the card
is looking for.....
Now I used a new term.. "jump point"... A jump point is a place
in the card's code where we tell the card to jump from its original code
to code that we want it to execute... It is usually accompanied by a
return jump... a jump back to the card's code...
Now I can imagine you guys have a dazed look on your faces... It's OK, we
are going to go back over this in class four, in which we will cover
jump points in detail...
Some questions you should be asking yourself:
where do we put the 3M code?
where do we put the jump points?
how do we check for what the card is looking for?
what am I going to have for dinner??
I am not sure when the next chat class will be .... I will post it a
few days before the class.
OK, today we are going to talk about jump points......
What is a jump point??
Well, a jump point is a place where the normal operation of the card can
jump to some code that we want to execute...
It looks like this:
8C XX XX ; where XXXX = place we want to jump to
8C 20 50 ; jump to address 2050
After the code is executed there is usually a return jump which returns
from the code we wanted to execute to the card's normal operation....
So where are good places to jump from???
Well, this is a touchy subject.... The original HU 3M jumped from 283A
and Eclipse uses 283D..... If you refer to class 3 you see that Eclipse
and input.hex all use a single jump to set the bits for video and to
clear the nag....
Private jumps
Yes, the HU is full of private jumps... There are a bunch of places that
we can jump from... If you find some, do not post them... By posting them
you are doing more harm than good....
How to find private jumps.... Well, you just have to follow the code... By
far the most complex thing to do is clear the nag... Setting the video
bit is pretty easy and there are a lot of places to do it....
The next chat class will be Thursday at 9 pm Eastern time......
I am sorry for the lack of posts by me but I have been extremely busy
-----End Paste-----
01-09-2002 02:10 AM
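Editor's note (added example, not part of woody's class notes): the key-combination step described in the notes above, two 8-byte EEPROM keys XOR'd into one working key that is then "listed twice" across a 16-byte line, together with the weakness any practitioner should expect from a short repeating XOR key. The notes say only that the combined key "can be used to decrypt"; that the protected areas are a plain XOR with that key is my assumption for the purpose of the example, and all key and data values below are constructed, not taken from a card.

```python
"""Combine two 8-byte key halves by XOR and apply the result cyclically over
16-byte EEPROM lines; then show why a repeating XOR key leaks itself."""


def derive_key(key1, key2):
    """XOR the two 8-byte key halves into the single 8-byte working key."""
    if len(key1) != 8 or len(key2) != 8:
        raise ValueError("each key half is 8 bytes")
    return bytes(a ^ b for a, b in zip(key1, key2))


def xor_line(data, key):
    """Apply the key cyclically.  Over a 16-byte line the 8-byte key is used
    twice, which is what the notes mean by the key being 'listed twice'.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(known_plain, cipher, keylen=8):
    """The caveat: with a repeating XOR key, any stretch whose plaintext is
    known (a blank run of 00s, say) gives the key back as plain XOR cipher."""
    if len(known_plain) < keylen or len(cipher) < keylen:
        raise ValueError("need at least one full key period")
    return bytes(p ^ c for p, c in zip(known_plain[:keylen], cipher[:keylen]))


def key_period(cipher, max_period=16):
    """Guess the key period from a line known to be blank (all 00s) in the
    clear: the ciphertext then repeats with the period of the key."""
    for p in range(1, max_period + 1):
        if all(cipher[i] == cipher[i % p] for i in range(len(cipher))):
            return p
    return None


# Constructed sample values (assumption: not from any real card).
KEY1 = bytes.fromhex("0123456789ABCDEF")
KEY2 = bytes.fromhex("A5A5A5A5A5A5A5A5")
TIER_LINE = bytes.fromhex("FFFF0000FFFF0000FFFF0000FFFF0000")  # a made-up 16-byte line
BLANK_LINE = bytes(16)                                        # an unused, all-00 line


def demo():
    """Return (key, encrypted tier line, encrypted blank line, recovered key)."""
    key = derive_key(KEY1, KEY2)
    enc_tier = xor_line(TIER_LINE, key)
    enc_blank = xor_line(BLANK_LINE, key)          # comes out as key || key
    recovered = recover_key(BLANK_LINE, enc_blank)  # the blank line hands over the key
    return key, enc_tier, enc_blank, recovered


if __name__ == "__main__":
    key, enc_tier, enc_blank, recovered = demo()
    print("combined key   :", key.hex().upper())
    print("tier line enc  :", enc_tier.hex().upper())
    print("tier line dec  :", xor_line(enc_tier, key).hex().upper())
    print("blank line enc :", enc_blank.hex().upper(), "(period %d)" % key_period(enc_blank))
    print("recovered key  :", recovered.hex().upper())
```

The point of the last two functions is the one the notes hint at when they say the HU dump does not look like a virgin H card's 00s: under a repeating XOR key, a region that is blank in the clear encrypts to the key itself, repeated, so the dump both reveals the period and hands over the key.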