I was looking into buying a dish 721 pvr with blue card. Its brand new, never instream so no problem for boxkeys. My question is, should I go for it? Has anyone used this receiver? Has it gotten hit? All input would be greatly appreciately...

Do u mean a 7200 then if the price is right, go for it. Just remember when it comes to todays satellite customers the operative word is cheap.

PVR721 -> Never been ecmed to my knowledge. I own 2 and I'm yet to hear somebody who got ecmed... other than the "remote control hack with FW version higher than L05x ecm"

Jewel

This is a way of getting the boxkeys through the remote control.

WARNING-WARNING-WARNING-WARNING-WARNING-WARNING-WARNING

DON'T DO THAT UNLESS THE FIRMWARE/SOFTWARE REVISION OF YOU IRD IS L050/L052/L054.

END OF WARNING-END OF WARNING-END OF WARNING-END OF WARNING

If you choose to do otherwise... It will cost you a lot to fix this, believe me !!!

Through the menu, you can reach the diagnostic mode. Once there you type in the location address of the boxkeys ($3FFF90). You write down the infos and type them into the software call "PVR721_Tool.exe". This will give you the unscrambled boxkeys.

The exact way of getting into the diagnostic mode, I don't remember. But it's written somewhere at KC or ID (Even here, I haven't checked).

If you're not sure, don't do it... You might end up with an expensive boat anchor...

Jewel

I've read the same reviews : tuners and hdu seem to be delicate (To say the least !). I have 2 and they are working great (Now...). I had to install a new drive which almost brought me to the brink of madness... but I survived and learned a great deal in the process.

I would "assume" that the bad apples (Defective tuners/hdu/etc...) have been thrown away and what's left, should be the cream of the crop. Dish has to recirculate them because of the manufacturing cost, doing so they refurbished with the right parts (Non failing ones), I would "assume".

Overall speed is not that great but the fact that this model has 2 tuners with PiP, recording, etc... AND it's hackable... make it a great choice (My personal point of view). Up to now, it's also been "immune" to ecm: I would say it's a great plus.

I would guess that the tuners are the most fragile parts and the must difficult to fix...although the chipset used is the same as a 301.010/0.13...

As far as software goes, I haven't seen anything yet with the L119 version... Maybe it's mature enough now.

Jewel

Ask me... You might be surprised ...

Jewel

721 sounds great!! do you have to jtag, vidmod, and tsop lock this one to use the dssrev cards? i just did my 301.13 and it works great! but i have a 510 subed and i hate not having dual tuners, i can only record what i am watching or i can watch a prerecorded event and record a live one, but it isnt modded so i use my 301.13 and vcr allot. i would be interested in what you need to get the 721 going? let me know please.

Ray :)

The "testing" of a 508 and PVR721 are nothing alike. The PVR721 has no usable JTAG ports. There is no such thing as a VidMod. The flash is contained in a BGA instead of a TSOP which makes it very unpractical to remove, read and sother back. They only very practical ways to get the BKs are:

1. Get them from a sub or ex-sub ROM10 revA21 or ROM11 (Depending on the version)

2. Get them through the "remote control hack" ONLY IF THE VERSION OF THE SOFTWARE IS L05x. Higher than this you would kill the receiver. Dish has implemented in the later software version (L107, L116 and L119) a very efficient countermeasure against this hack. You have been warned !!!

You also must know that some PVR721 (Refurbished ones mainly) come with a ROM10x which brings you back to only one option, the first one : removing the BGA and reinstalling it (At this point in time). It's a very pricy solution...

Jewel

Search for 721. You'll find A LOT of infos I've posted here and on ID and KC

Jewel:
Can the software be dumped and the older version loaded back to receiver? Just so someone doesn't end up with an anchor.

To do that, you would need a "way" of doing it... In the DP301, 50x, 510, 2700, 3700, etc... you have a JTAG port and VERY bright people found ways to use that "against" the providers. Like anything else, Dish got smarter and decided to change the flash format and remove JTAG ports (Or so it seems...)

To answer the question : we don't have a "practical" way of reading and writing the flashes in the PVR721.

You can fix the anchor... but it costs a lot of doe...

Jewel
Jewel:
Can the software be dumped and the older version loaded back to receiver? Just so someone doesn't end up with an anchor.

Kewl, Jewel. Thanks for that info.

Just so know, there might be another way once the version is higher than L05x... I'm yet to confirm it... but there's definitely something that can prevent the "destruction" of the PVR721 when the version is higher than L05x,

I'll keep you posted,

Jewel

I'll be watchin' for any news. TY

Jewel, I received my PVR721 on Friday. I pulled the bk's using the remote have. Actually, you don't even need the proggy for that, the bk's just show up on the screen after the first few bytes! Anyway, I had a question for you: I installed 3 dp single lnb's on my dish 500 and 61.5. I have the 721 and a 7200 hooked up to a dp34, the 7200 has the legacy adaptor. The 7200 receives all 3 stas and the 721 only picks up the 110 and 119. When I got to details under switch, it tells me for the third connection on both inputs that it had a good connection but no signal. How is this possible since the 7200 is getting a signal on 61.5?

PS This receiver ROCKS!!!!!

magev007:

Did you buy that new? Just wondering if that's what's in the stores now. I've had UTV for about two years and really like the 2 receiver feature, Switching to Dish now.

Thanks

Well, just to keep you posted, I managed to lock the flash on the PVR721 last night (Yeh !!!)... In the process I did learn a LOT about the security of the PVR721. Here are some "juicy" infos :

1. One of the first thing the PVR721 does in its security check at the beginning ("Please Wait" with the DISH logo and cursor flashing) is a write in the flash, probably followed by a read and a compare. So If the receiver's flash is locked at bootup, it will fail the "checking system". Once you unlock the flash and reboot, it will go ahead without any problem

2. Once the IRD is started, you can go in the "diagnostic hidden mode" (With the View Flash option) and type "3FFF90" in the address box. If locked, the receiver will "freeze" but no damage is done to the IRD's flash (That's what a lock is for...he! he! he!). The bad news is that it's not showing the actual line (3FFF90), it's staying at the default address (000000).

3. I did type a few "sourrounding" addresses of 3FFF90 (Examples : 3FFF40, 3FFF00, etc...) and doing this will NOT ECM the IRD... Wow !!! It WILL show the 3FFF90 line as part of the display but unfortunately, the info on the 3FFF90 line has obviously been replaced by s*hit... All other lines or A-OK! (I was comparing with the content I had extracted from the BGA earlier) in this specific region. So, the "masking" of the info is by design. No surprise there...

Conclusions drawn up to now :

It seems that Dish has learned a lot from past experiences... No JTAG, inability to see boxkeys with newer versions, BGA flash form factor instead of TSOP, write checking sequence at startup... From those who thought that the extra long booting process of this IRD was composed solely from endless program loops doing nothing, well, you know better now... There is still a lot to be learned from this IRD... I really believe that the key to hack it resides in the ability to understand the HDU security check at the POST and replacing some files by ours. To do this, we would require to understand the hashing/encryption technique used by the program in the flash for this validation. Once understood, it would only be a matter of reading the 3FFF90 line and storing it in the NVRAM in an unused zone... It's all speculation from my part... I'm no programmer, but I believe that somebody with x86 knowledge could certainly lead us to victory... I will remind everybody of the following fact : the processor is a Geode GX-1, so the flash is bound to be a "BIOS" (A PC term I guess) coded in x86 format.... If this part can be understood, I think the solutions would follow quickly.

Just my 2 cents and a half again,

Jewel

Just got a pvr721 and I get the scambled numbers on the 3fff90 line but when I try to use the program it doesn't work. Someone else said that they just show up after the first few bytes? Any help would be appreciated.....thanks

OK 721 fans, this is a MUST READ link

http://216.239.57.104/search?q=cache:AK7sGf67yHQJ:www.dbstalk.com/showthread.php%3Ft%3D6558+pvr+721+linux&hl=en

After that, do a google search on -->pvr721 linux<--

Enjoy!!!

Finally got it to work with windows 2000.

I tried the program on my 98SE computer and I got nothing. I tried it again on XP Pro and it worked like a champ!

You don’t need no stinkin’ program to get your keys from the code on line 3FFF90. Just write down the 16 pairs of hex numbers, and then number each pair from 1 to 16. Now write down the following pairs in this order: 5 6 3 8 10 2 9 13. BINGO, you have what you were looking for! Now you’re a Bletchley Park code breaker. Can anyone else confirm this?

Oh yea, 721 ROCKS!

Okay - I will admit that I am new to the "dish" way of doing things, but even though this is my first post I am a very experienced member. I DO a lot of reading. Still I guess I need to ask a question. I have a pair of PVR721's and I need the box keys. Remote hack is no good as my SW/FW version is current. Tried to sub with a blocked rom 10, but that also failed. Guess the blocker did it's job. Now I am guessing that I might be able to get the boxkeys by setting up emulation. I have my receiver ID's and cam id's. Before I go to the trouble of building the max/mel setup, anybody want to chime in and let me know if this will work ??

Let me first clear up a couple of things :

1. There's no such thing as a "vidmod" for a PVR721, period.
2. PVR721 WILL accept ROM3/ROM10/ROM11, that's a fact (I've tested it myself)
3. If an ATMEGA went down on June 10th, it's certainly not related to the PVR721... I would look into the ATMEGA... (What a POS !!!)
4. I'm yet to read a report on a DSSREV or Magic Card working on the PVR721. The reason : I BELIEVE (I have not tested any of these cards) that it might be related to the fact the PVR721 "resets" the card twice before accessing it... But again, that's an educated guess....
5. If you're subscribed and want to get the BKs, I guess emulation would be the way to go as you won't have to deal with blockers...

Jewel

Hello all, I'm waiting for my 721, should be here next week. I have been testing with an Atmega but realize that it won't work with this receiver. My question: Do I need to wait until the receiver (new) gets here before deciding what to test with or is it my understanding that I just need to order an ISO programmer and learn to use that? Also, does the card on a brand new receiver come locked and I'd have to send it away to be unlocked or is this something I can do. I've never messed with plastic before but am willing to learn and have been reading a ton, I'm just a little confussed. Thanks, any info is very much appreciated!!!!

First thing of the bat : you're right, ATMEGA don't work on PVR721. Secondly, you might want to wait for the IRD to arrive to confirm that you can do something about getting those pesky boxkeys.

1 of 4 things will happen in the smartcard department:

a. The card will be a yellow one (ROM10x) -> Untestable yet... -> Card unusable yet...
b. The card will be already married (subbed or ex-subbed) and the smartcard will probably be a ROM10 revA23 as it was updated and locked by the stream -> Cannot be opened yet... -> Card unusable yet...
c. The card will be already married (subbed or ex-subbed) and the smartcard could be a ROM10 at revA21 or lower -> YES, it can be unlocked/opened with public stuff (ISO programmer is required) and the boxkeys will be valid
d. The card is virgin as it has never been married or subbed to the IRD -> Card can be read with NagraEdit 4.1 but will NOT contain valid boxkeys (It has not be authorized yet) -> ISO programmer required


There is also the chance for the IRD to arrive with a ROM3 or ROM11 (Rarely seen or mentionned). Again it's a question of them being already married to the IRD WITHOUT being at the latest version (ROM3 -> 383 and ROM11 -> B89 I think...)

In the IRD departement, the rule is simple enough :

If the version of the firmware/software of the receiver is at L05x, you CAN read the boxkeys through the remote control hack. If it's at an higher version, WARNING : DON'T ATTEMPT. THIS WOULD TRANSFORM THE IRD INTO A EXPENSIVE DOORSTOP. Consider yourself warned.

Here are some thoughts for you :

If IRD at L05x, you will get the boxkeys. But this doesn't mean the card will be usuable (See case a.) for testing.
Most likely cases a. & b. are implying the the IRD will already be upgraded at L171 thus preventing any remote control hack (See WARNING)

There are fewer methods to test this IRD compared to others (2700, 4700, 301, etc...). Plastic works fine although you have to learn how to put blockers, etc... The general consensus for now is that the PVR721 is immuned to ECM but that might change down the road... Blockers on cards are EXCELLENT targets to ECM... So you draw your own conclusions.

The best way to test (It's my personal opinion) is with emulation (ROM3 or 10 or 11). This has the net advantage of running without extra code (e.g. blockers). This might also be your only choice if the card is unusable... yet...

You also have to consider the fact that you might not be able to read your boxkeys at all !!! (See case a. & b.). If you can afford to subscribe the IRD with Charlie, running emulation will be an excellent choice the get the boxkeys when the authorization packets come along. I've read mixed reviews, actually more bad ones than good ones, about installing a card (ROM3 or ROM10) with a blocker that will let the authorization process (e.g. Marrying process) through without having your card locked. The main problem with this method seems to be the ability to use the right blocker. There are a tons of them available. I'm yet to see one that has be deemed usable for this specific purpose. You might want to think about writing your own :D

Hope this helps,

Jewel

First thing of the bat : you're right, ATMEGA don't work on PVR721. Secondly, you might want to wait for the IRD to arrive to confirm that you can do something about getting those pesky boxkeys.

1 of 4 things will happen in the smartcard department:

a. The card will be a yellow one (ROM10x) -> Untestable yet... -> Card unusable yet...
b. The card will be already married (subbed or ex-subbed) and the smartcard will probably be a ROM10 revA23 as it was updated and locked by the stream -> Cannot be opened yet... -> Card unusable yet...
c. The card will be already married (subbed or ex-subbed) and the smartcard could be a ROM10 at revA21 or lower -> YES, it can be unlocked/opened with public stuff (ISO programmer is required) and the boxkeys will be valid
d. The card is virgin as it has never been married or subbed to the IRD -> Card can be read with NagraEdit 4.1 but will NOT contain valid boxkeys (It has not be authorized yet) -> ISO programmer required


There is also the chance for the IRD to arrive with a ROM3 or ROM11 (Rarely seen or mentionned). Again it's a question of them being already married to the IRD WITHOUT being at the latest version (ROM3 -> 383 and ROM11 -> B89 I think...)

In the IRD departement, the rule is simple enough :

If the version of the firmware/software of the receiver is at L05x, you CAN read the boxkeys through the remote control hack. If it's at an higher version, WARNING : DON'T ATTEMPT. THIS WOULD TRANSFORM THE IRD INTO A EXPENSIVE DOORSTOP. Consider yourself warned.

Here are some thoughts for you :

If IRD at L05x, you will get the boxkeys. But this doesn't mean the card will be usuable (See case a.) for testing.
Most likely cases a. & b. are implying the the IRD will already be upgraded at L171 thus preventing any remote control hack (See WARNING)

There are fewer methods to test this IRD compared to others (2700, 4700, 301, etc...). Plastic works fine although you have to learn how to put blockers, etc... The general consensus for now is that the PVR721 is immuned to ECM but that might change down the road... Blockers on cards are EXCELLENT targets to ECM... So you draw your own conclusions.

The best way to test (It's my personal opinion) is with emulation (ROM3 or 10 or 11). This has the net advantage of running without extra code (e.g. blockers). This might also be your only choice if the card is unusable... yet...

You also have to consider the fact that you might not be able to read your boxkeys at all !!! (See case a. & b.). If you can afford to subscribe the IRD with Charlie, running emulation will be an excellent choice the get the boxkeys when the authorization packets come along. I've read mixed reviews, actually more bad ones than good ones, about installing a card (ROM3 or ROM10) with a blocker that will let the authorization process (e.g. Marrying process) through without having your card locked. The main problem with this method seems to be the ability to use the right blocker. There are a tons of them available. I'm yet to see one that has be deemed usable for this specific purpose. You might want to think about writing your own :D

Hope this helps,

Jewel

nice post jewel

i have done 29 721 and to save the poeple that are going to try to retrieve the BK
i have been testing the 721 for all most a year with G2 AND CASPER and have not been ECM
not to say it is not going to happen
if you plan on trying to retriveing the BK from the 721

Dulley : these are great additions to the arsenal (G2 and Casper). I'm happy to see they are working. I've asked MANY times about the working methods and you're the first one reporting new info. People are mainly talking about ATMEGA, Magic Card or DSSREV.... Shame on them :) ...

I'll be adding this to my knowledge and the one I'm trying to transfer to others,

Jewel

i like to tested all if my wallet can take it -sometimes i have to go with out eating for a week -- if i keep this up you gals and guys are going to have to put you boots on

Has anyone with a 721 ever been ECMed? And does anyone have a clue as why Charlie would not target the 721 with an ECM (not to say it won't happen)? Is it something in the hardware or software similar to the 6000 & 7100 - 7200? Just curious because I'm thinking of getting one. Anyone?

Just to add a tidbit of info : BEV has ecmed the 6000 ONCE a while back. People testing BEV that read this will certainly remember the "NATASHA night". That night BEV nailed almost everybody at once... including some of their own customers (Legit ones)!!! They had to send back a "correction" to remove the ecm a couple of hours after because of that. Since then, there have been no reports of ECM on the 6000 on BEV or Charlie.

Jewel

You also have to consider the fact that you might not be able to read your boxkeys at all !!! (See case a. & b.). If you can afford to subscribe the IRD with Charlie, running emulation will be an excellent choice the get the boxkeys when the authorization packets come along.

Jewel - I have two 721's that I would love to get the boxkeys from. I have read and read and read and I still cannot figure out how one could get the boxkeys via emulation. Both of these receiver's are subscribed (one yellow card, one blue card). What emulation software would work? I have tried several and no luck so far. Can you shed some light on this for me please ????

Jewel - I have two 721's that I would love to get the boxkeys from. I have read and read and read and I still cannot figure out how one could get the boxkeys via emulation. Both of these receiver's are subscribed (one yellow card, one blue card). What emulation software would work? I have tried several and no luck so far. Can you shed some light on this for me please ????

if the rec have been in the stream you can not do 3FFF90

and the BLue card is at A23 and can not be opened at this time to retrieve the BK from it and the yellow card can not be opened at this time either

you are SH-- out of luck at this time

I'm gonna go on a limb here :

If you put CEMU (It's an example) to work for you with all the infos YOU KNOW (IRD & SmartCard) and call Charlie to "change" subscription, isn't this gonna "remarry" the card to the receiver hence put the right BKs on the card ? Remember, emulation setups run without ANY blocker, so you're bound to have the boxkeys after the autorization process... I'm not REALLY sure about the remarrying process. I would surely need some confirmation on this. I don't think there is much difference between the first time and the millionth time when you call Charlie to have you're subscription changed...then again I might be wrong.

There is always the solution of reading the boxkeys from the flash. It's on the expensive side though... If you have somehow deep pockets, PM me and I will tell all about it... But be seated when you read the answer...

Jewel

HOW do get ppv on 721 . I use same rom10 I made tiers with TCFD II-100 local work on 301-10 card and atmega . But 721 no ppv got local remap sat 105 have every thing but ppv. Will atmega work on 721 get PPV

JCK7

There is always the solution of reading the boxkeys from the flash. It's on the expensive side though... If you have somehow deep pockets, PM me and I will tell all about it... But be seated when you read the answer...

Jewel

Yea - I have read up on your work on the BGA flash. I can see how this can be both expensive and a real pain. If I had just known about the "remote control hack" when I first got these receivers I would be miles ahead. Oh well, guess it would be safest to backup the flash anyway before I do any "testing". So at some point I guess it is going to be time for me to grow a real set and take this thing apart....

My 721 came with a virgin ROM10 card and I could read the boxkeys from the card. Is it valid?

you have to do 3FFF90 flash to get the BK from the rec. if you put it in the stream
you can not do it the ones on the card are not the right BK

Anyone know if the recent ECM affected the 721? Need to know, I have not put mine in the stream yet. Thanks.......

I read that on KC the 721 is fine. I just got my 721 today, unlocked and programmed the card, but have not put it on the stream yet.


Jewel: Would you recommend a HD dump? I remember when I first got my PVR508 years ago, it was recommended to get a virgin image (or a few select sectors) of the HD. I'd appreciate the info, not sure if I want let mine update yet.

Pano

If someone has the DP721_1.exe working and could convert my 3fff90 line for me that would be great. I can not get it to run on any of my machines, both win2k and win98. Please pm me, and I will give you the line.

Thanks in advance

pm me and i will heLP you out -- if the 721 has been in the stream you can do it only if the software is at L050/L052/L054

Many thanks for your help Dulley.

no biggie bro

Let me first clear up a couple of things :

1. There's no such thing as a "vidmod" for a PVR721, period.
2. PVR721 WILL accept ROM3/ROM10/ROM11, that's a fact (I've tested it myself)
......................
Jewel

Jewel,

I am emulating with ROM 10 on my 721. When I got the 721 new, it came with a blue card Rom 10 Rev A21 and I was able to retrieve the BoxKeys with remote. I have not been able to emulate with Rom 3. Is there some sort of trick to do so? What do I need to do?

Thanks in advance!

Jewel,

I am emulating with ROM 10 on my 721. When I got the 721 new, it came with a blue card Rom 10 Rev A21 and I was able to retrieve the BoxKeys with remote. I have not been able to emulate with Rom 3. Is there some sort of trick to do so? What do I need to do?

Thanks in advance!

I've never emulated with ROM3. But plastic ROM3 works fine,

Jewel

I've never emulated with ROM3. But plastic ROM3 works fine,

Jewel

Do you see any reason rom 3 emu should not work?

Nope. But it would be quite informative to know WHAT exactly is the problem that you're experiencing...

Jewel

Nope. But it would be quite informative to know WHAT exactly is the problem that you're experiencing...

Jewel
Well, I'll try working with it again and let you know what I come up with. It's been several weeks since I tried and finally gave up just assuming it would not work with 3, only 10.

Nope. But it would be quite informative to know WHAT exactly is the problem that you're experiencing...

Jewel
I did some more testing. This is my setup: 721 PVR, Single chip external emulator, flashed with "EMULATOR_ONECHIP_2313_ROM3_383.Hex", latest Yvous. This emulation setup works with my 2700 IRD, but with the 721 I am missing most of my channels - they don't show up. So I don't know what else to try, all seams like it should work. The only thing I have any luck with is Cemu with Rom10