Hey all, newbie here, I'm currently under 1 yr. contract w/dishnet and have a dp301 rec w/rom10 cards. I tried to extract boxkeys using ISO-7816 and nagraedit with no luck. So it looks like jtag time. My main question is would it be better to purchase a used rec & s card for testing and will it work with my existing dish. Being a newbie I'm afraid to go too far with my subbed equip. in fear of messing up and then i'll have nothing at all. If I need to purchase a used rec & s card for testing what is a good one to look for or should I stay with the same kind that I have. Any replys would be greatly appreciated. Dan-o-mite

First of all...Welcome to the world of Testing.

Are your ROM10's locked?

If you don't want to fry your subbed ird(reciever)then yes go out and hunt for either a 2700 or 3100.010.The 2700 is a great learning ird and the easiest to jtag for a newbie.The 3100 comes with a few more extras,like interactive tv,different menu settings and so on,it's up to you,an added bonus would be to get an ird with an open smartcard,then you may try plastic programming.

Good luck on your travels.

Thanks Darnat, I'll start shopping. The two Rom 10's are the one's that go with my two subbed ird's. If they are subbed that would mean they are open, right? Oh yeah, would there be any way to get the boxkeys from these sub's without doing any soldering? Thanks again for the reply, I really appreciate it, Dan-o-mite

If they are current subs that means they are locked.

Sorry soldering required to get the boxkeys from the ird with a jtag.

t160hq

As t160hq mentioned, if the CAMs are currently subbed and you've been using them, they're most likely stream locked. However, you can use a solderless Jtag (Quad mode w/pogo pins) to extract, read & write TSOP's to your IRD. The most reliable is definately the buffered style, but the Quad will do.

Thanks Chapster, I have a (Quad mode w/pogo pins) or at least I think I do. It come with my testing package I bought. It's got 20 pins appox. 3/4" long on one side and a flat 20 pin ide cable that plugs into it and runs to my jtag TSOP Reader/Writer. I guess you think I'm really ignorant with this stuff but, one reason I don't know anymore than I do is because right after ( 2 days) I purchased my package the website I got it from went down and hasn't been back since and that's been over a month ago. So, I kind of got left in the dark until I found this place. I'm just about ready to start my venture because I've got almost all my files and how-to's downloaded. Would anyone know where I can find some info. on connecting this Quad mode w/pogo pins, if that's what I have? I really appreciate all the help I've got so far!!! Thanks, dan-o-mite

20 pins??? Hmmm...I'm not sure what type of jtag you have. Any chance of snapping a pic and posting? It could be the solderless buffered jtag but can't confirm. Are the pins 'spring loaded'?

Hey Chapster, here's the jtag pic.

It does appear to be a reader. I've never tested with that type (in pic) so I can't help you on the instructions. Sorry...

hmmm,you know the cable in that pic looks to be a little long for a jtag?:confused:

Just my observation.

OHM

Hey all, i found instructions!!! Got a testing ird unit on the way. posting another pic to get a better idea how this works. Cable's long enough to run from jtag port straight to parallel port on pc. Has anyone else seen or used one like this?

Jtag cable as OHM says "a little long"should be at max 8"
If you do find someone who knows what this is ,let us know ,will ya!

From what I can see on the pic,this is a NON-buffered jtag.The difference between this one and other Quad mode is that you can see the resistors,others are in the db plug housing,and that the pogo-pins are a little different.No switches anywhere or places to plug a power supply(buffered).

What I would recommend though,is to pull a plug apart(just a vampire type) and shorten that cable to less than 8" or when you go to read or write,you may get errors(you will be pulling your hair out).

Just a little friendly advise.


OHM

OHM, u think i would be better off just buying a buffered jtag? Also, I'm not quite sure i know what you meant by "What I would recommend though,is to pull a plug apart(just a vampire type)". I can shorten the cable to 8" but,will it make a difference how long the db cable is or will the jtag have to plug in at the back of the pc?

Don't go and waste your money buying one,here is a great how to on building one,you also get the satisfaction of knowing you built it.It doesn't matter how long your Db25 cable is,I run 1 @10ft
http://www.dssftp.com/filedownload/download/bjtag102.zip

Dan, ... build it. Its easier, cheaper, and more straight forward. Also I would recommend soldering right to the pads on the reciever if you can. I had problems reading my 301. Heres a nice pic to help.. DP301 JTAG (http://www.dssftp.com/forum/upload/showthread.php?threadid=1226)

Thanks t160hq.

...can also be soldered from top of MB (ejtag). For those who have not jtag cut out on bottom...

As in the file I attached,all info there for buffered and soldering at ejtag pads.

Thanks all!! Even as i was reviewing post's my testing ird arrived!!!! dp301 ID:010 w/288-02 Rom3. Going to try to read cam and get started on bjtag. I really appreciate the file, pics, and all info! I will keep you all informed.

Hey all, you talked me in to it. Parts ordered to build a buffered jtag and also trying to get a refund on this whatever you want to call it jtag that i have. But, i've got a question on the testing ird i got. The cam is a 288-02, which will be a rom 3. The ird is what i'm not sure of. The back of the ird says dp301 reg. Id:010 but when i hook it up and go to system info it says it's a bell expressvu 3100. Which would it be. Also, it shows no balance owed. Is there any way to read from the card. I'm a little confused on programming the cards because, my friend says he knows of someone that programs cards and all he needs is the card by itself. How can this be done if he don't know what my boxkeys are. Thanks

Ird is the same thing.
You are going to need an ISO compliant 7816 3.69 mhz programmer,download a how to and nagraedit 3.0,then you can read the cam and hopefully program it yourself......but I must insist that you read up first or you could fuck the cam.

Anyone know where I can find a good how-to program a rom 3 with nagra3? All of mine are for rom10. Also, how do I check my rom3 rev372 to see if it's open or not? Thanks

I've just uploaded a "How to RTM ROM 3 FOR BEV"Click on link to files below an search for file.

Dan what system were you planning on testing Dish or Bev.

If it's dish you are going to have to make the receiver a 301 Dish system with your jtag first.

t160hq

Hey t160hq, I'm currently under sub w/dish. I have 2 subbed dp301 w/rom10. I don't want to tamper with them just yet so I bought a test ird off ebay. It's a dp301 reg ID:010 w/rom3 rev372. When the ird is hooked up, system info shows bev and unit as a 3100. Does that just mean that the last person was subbed to bev? I'm going to test with dish but, I just wanted to see if there is any way to program the rom3 without the boxkeys. Thanks

Erase SA 3 on new unit and stream under dish,now you'll have dish f/w on it.

Originally posted by Dan-o-mite
It's a dp301 reg ID:010 w/rom3 rev372. When the ird is hooked up, system info shows bev and unit as a 3100. Does that just mean that the last person was subbed to bev? I'm going to test with dish but, I just wanted to see if there is any way to program the rom3 without the boxkeys. Thanks

Yes, if the sys info shows BEV, then it has BEV firmware on it. As for the CAM, if it is the CAM that was 'married' to that IRD, then you can read the BK from the CAM. To be sure, use your new jtag to read BK. If it's not the CAM that was 'married' to that IRD, you won't be able to program your ROM3 cuz you need the correct BK for the IRD that you will be testing with...

Hey all, finally got boxkeys!! Now working on getting from bev to dish. Once i get that, will it be better to test with the original rom 3 that come with this ird or use the atmega 128 wafer? I have both. Thanks

If the ROM3 is open,best bet...... as you can create your own tiers,but be warned...... this is however a whole new ballgame,nothing like testing AVR's or Atmega's

Great to hear, Dan! Test both cards. Like Darnat said, with plastic, you need to choose the tiers. If you give yourself all channels, you'll be setting yourself up as an easy taget for Chucky.

This is what I do...

Plastic = fav channels + PPV string
Atmega = all open


BTW Dan, curious to know if the CAM was indeed 'married' to that IRD. Did you jtag to get the BK or did you read from CAM?

I jtag'd to get bk's. I think the cam is locked. How can i be sure? This ird is still bev. do u no where to find a how-to on going from bev to dish.

Pull sat cable off ird,put cam in ird,go to Menu 6,1,3 look at what your DNS says,this will tell you what rev it is at ,don't worry if the cam is unlocked this process will not harm it as sat cable is off.

Hey dsshacker, I programmed the cam but i get "your cam does not have authorization to view or purchase this program". The guide shows all the channels but when i try to view every one gets the message. What did i do wrong?

Dan
If your going to convert you Cam to dish then I would only use the plastic to test for all others in my option are a waste of time and there are many how to convert . If you have a rom 3 card then it can be unlocked by your self

Heres how to do it

1) earse flash one U22 in your 301:010
2) make sure dish is pointed to charlie
3) clean card
4) write charlie image to card
5)use RTM to and use only the channels you want to watch, but click PPV string.
6) apply patch penga rom 3 blocker to card.
7) make sure you use your boxkeys , rom3 CamID ( In all 3 places), Zipcode(Ny 10001) and IRD NUMBER.
8) write to card
9)update IRD in stream(10 min)
10) watch TV

The one and only DssHacker

Did you use a valid cam ID?

Hey dsshacker, I programmed the cam but i get "your cam does not have authorization to view or purchase this program". The guide shows all the channels but when i try to view every one gets the message. What did i do wrong?


Not a thing wrong. You just have to:

Either wait for the public keys to roll.

Or add them yourself to the card. Use the data editor in nagraedit
to change them to the current Public key 0 and Public key 1.

You may have to do the second option. Penga dosen't seem to allow automatic key rolls unless at least one key is current.

t160hq

Not a thing wrong. You just have to:

Either wait for the public keys to roll.

Or add them yourself to the card. Use the data editor in nagraedit
to change them to the current Public key 0 and Public key 1.

You may have to do the second option. Penga dosen't seem to allow automatic key rolls unless at least one key is current.

t160hq

Hey t160hq, first of all i would like to say i really appreciate all the help!! Me being a newbie some things i just don't understand yet, but, i'm learning. I'm trying not to get too anxious but i know i'm close to finally getting my first hack. I've got a couple of questions. When i was programming the cam i used the # on the card for the cam id# and the # on the back of ird for the ird id # and i could only enter 8 digits. It (nagra3) wouldn't let me enter the last 2. Is any of this where i messed up. Also, i looked at the public keys and they are all 0's in key 0 and key 1. Which would i change and do i change all of them? Thanks

Don't forget that the CAM & IRD #'s need to be entered in hex. Also, the last 2 digits are not needed...

Example IRD# R 00 1234 5678 XX <----XX not used

converted to hex would be...BC614E. But you need 8 digits all together. So add 0's (zero) in front of the B to complete it to 8 digits. Result would be 00BC614E.

Same goes for CAM ID. If your CAM # is S 04 1234 5678, converted to hex would be 1893E54E

Hey Chapster, I changed my ird# and cam# to hex but, when i go to enter the letters it won't accept them.

What do you mean 'It won't accept them'?

When i save my tiers in rtm11.9 i'm prompted and asked if i want to add a blocker and enter my cam# & ird# and when i try to in the designated boxes it only accepts #'s no letters. And yes i did want a how-to on hex converter but, i figured it out thanks to chapster.

This thread is closed as it has answered the subject question.