Need Ram Dump for tests
mylise
11-23-2004, 11:45 PM
If you have a 2700 and a valid ROM 102 on Bell and you can JTAG your system, you are the person I am looking for. I need to compare IRD RAM dumps for Nagra1 and Nagra2. Please PM me for instructions.
Thanks
Smith2619
11-25-2004, 04:45 PM
What will this help you do, may I ask?
EDIT: If it's worth it I'll sub for ya.
mylise
11-26-2004, 12:02 AM
With the right tools, people say that you can follow the TSOP execution. There are traps and processes that may be downloaded from the stream and still be in memory. Having a dump will help to continue testing.
Smith2619
11-26-2004, 12:04 AM
How could someone go about dumping the RAM?
mylise
11-26-2004, 04:43 PM
For those that want to try, first get an ST20 emulator. Next, take a copy of the TSOP to be executed. Then, when the program cannot fill in the blanks because information is missing, use JKeys to extract the address to obtain the data. The procedure in JKeys is the same as saving a copy of the TSOP, but using a user-defined address.
Smith2619
11-27-2004, 12:01 AM
You need to attract people's attention; not enough people are looking...
BirdieMod
11-28-2004, 11:33 AM
I do not have access to a legit BEV IRD running a Nagra2. If this topic advances into Dnet I can give you dumps from probably over 50 IRDs, of course with the IRD and card number edited.
Need to protect the legits.
Smith2619
11-28-2004, 03:17 PM
Me neither, I have a Nagra 2 301 right here.
Cid6.7
11-28-2004, 05:56 PM
I've got BEV & Dish if that's any help, but nothing to log the stream. Not subbed, but I do have the new Nagra cards for both.
mylise
11-29-2004, 10:15 PM
I do not have access to a legit BEV IRD running a Nagra2. If this topic advances into Dnet I can give you dumps from probably over 50 IRDs, of course with the IRD and card number edited.
Need to protect the legits.
Dump all of the EMI SRAM (40000000) from a 2700 receiver with a Nagra 2 card, then convert the smartcard number to hex and search the dump for this number using a hex editor. It should appear at two or three locations. If this is the case, I am willing to try.
mylise
11-30-2004, 05:55 PM
You need to attract people's attention; not enough people are looking...
Maybe now people will be looking. Here is a program that works well for real-time testing on a 2700. I'm not sure if it works on a 3100. Connect the JTAG, start the program and peek and poke your heart out.
Please provide your findings on what addresses you have changed and their effects.
Do not change values that look like addresses; this will crash your receiver.
tattooguy77b
11-30-2004, 06:42 PM
I have a 3100 with a new card (Nagra2); it was subbed (BEV) and now I use it for Dishnet (not the card). When I JTAGed my IRD I saved it first. Could this be any help to you?
mylise
11-30-2004, 08:46 PM
I have a 3100 with a new card (Nagra2); it was subbed (BEV) and now I use it for Dishnet (not the card). When I JTAGed my IRD I saved it first. Could this be any help to you?
What did you save, the TSOP or the SRAM data?
tattooguy77b
11-30-2004, 09:09 PM
Just the TSOPs. Where is the RAM dump?
mylise
11-30-2004, 11:06 PM
Just the TSOPs. Where is the RAM dump?
For the 2700 it is 40000000; I'm not sure for the 3100. I will check tonight and give you a response tomorrow.
BirdieMod
12-01-2004, 12:35 PM
Dnet IRDs are 3900 and newer with Nagra 2s, of all I have seen so far; I've never seen a 2700 updated with a Nagra 2 swap yet, of hundreds.
SRAM, TSOP, same. Wouldn't simply doing a hidden service menu on-screen RAM dump display the same?
mylise
12-02-2004, 08:03 PM
Dnet IRDs are 3900 and newer with Nagra 2s, of all I have seen so far; I've never seen a 2700 updated with a Nagra 2 swap yet, of hundreds.
SRAM, TSOP, same. Wouldn't simply doing a hidden service menu on-screen RAM dump display the same?
No, the service dump displays the content of the EEPROM (the small 8-pin IC on your board).
Some interesting facts: at bootup, part of the TSOP is copied into SRAM to increase execution time. Then a checksum is executed to see if the SRAM area was tampered with in any way. Then it prepares vector tables for the different processes to be performed (multitasking). It starts these processes and continues on, performing some tests, which I do not know what they are.
One of these processes communicates with the smartcard for decryption keys.
A pattern like FFFFFCFFFF0000FF can be seen, and when it is modified using jtango the channel goes blank. Here is an emulator for those that understand assembly.
BirdieMod
12-03-2004, 10:48 AM
OK, I like this, and let's keep it running.
Sounds like you, mylise, are into BEV; I am mainly Dnet, but we can learn. Also, I am mainly a guts-and-wires circuit type person. I know enough software to get me by, not a programming pro, but again hex, modding, basically if I need it I figure it out in a short period of time, but it is not my first love.
Now, it is known that the receiver's build and firmware version loads to a card AFTER the card is subbed. Now, I use a dealer Nagra2 full-wide in dealer mode that stays unmarried when I set up installations, then put their card in to sub them. Without any mods to the TSOP the Nagra2 works perfectly. This tends to make me believe anything on at least Dnet's TSOP that changes after subbing has nothing to do with the Nagra2/1 formats but rather is perhaps a reverse marriage of the card's data to the IRD.
mylise
12-03-2004, 09:20 PM
This tends to make me believe anything on at least Dnet's TSOP that changes after subbing has nothing to do with the Nagra2/1 formats but rather is perhaps a reverse marriage of the card's data to the IRD.
It is exactly that. The TSOP will verify which card is in (address 4018c7xx in the 2700 BEV) and use the proper processes to decode N1 or N2 (it seems to use both the 0109 and 0108 providers). What we need to do is disassemble the processes and find the decrypting table.
Cid6.7
12-17-2004, 05:18 PM
Has this stopped for now... or has anyone come up with some interesting findings?
mylise
12-17-2004, 08:27 PM
Has this stopped for now... or has anyone come up with some interesting findings?
I am still waiting for a dump. I can provide differences between an N1 and a virgin N2 card, but what you will see is a bunch of 00000000 in the N2 because the card is not activated.
satanicnazi
01-15-2005, 05:41 AM
that is the importhe machine thinks its married to a valid sub >:)
part once you have a valid image you can burn it to the disk -
like the alladin hack you need a working bin image the card like the old avr is use to do the decrypt the central keys of corse need to be found eecnm
but you can clone as long as t
Cid6.7
02-10-2005, 04:35 PM
Huh..?
BirdieMod
02-10-2005, 08:54 PM
Must have been one of those junk web tv keyboards :)
tattooguyb
02-11-2005, 01:59 AM
I have access to what you need, but I need to know what tools I need. I have JKeys and a JTAG, but do I need that ST20 emulator? Let me know all I need and what to do and I will get it for ya.
mylise
02-22-2005, 12:54 AM
I have access to what you need, but I need to know what tools I need. I have JKeys and a JTAG, but do I need that ST20 emulator? Let me know all I need and what to do and I will get it for ya.
Sorry for the late response; I am presently working on a data logging project on another site. You will need a JTAG and JKeys. When working, choose channel 200 (to make things uniform). In JKeys, under Save Memory, select Region = User, Start = 40000000, Bytes = 200000, then hit the Save Memory button.
With a hex editor, find the hex values of the IRD and smartcard numbers and replace them with an AABBCCDD sequence. There should be 2-3 places where this must be done.
Afterwards PM me and I will compare the dump with ROM10 and the dump with ROM102. Indicate the date and time that the dump was taken. What I am looking for is process entry points and tier info placement. I will post a file where differences are found for others to try.
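Editor's added example, not code from any post in this thread: the hex-editor step above (find the IRD and smartcard numbers in the dump, overwrite each hit with AABBCCDD) done by a script, so the redaction is repeatable and every hit is reported for review. How the numbers are laid out in memory is an assumption; the script tries 32-bit (or 64-bit) little- and big-endian integers, ASCII digits and packed BCD. The 256-byte sample dump is constructed here, not captured from a receiver.

```python
"""Redact IRD and smartcard numbers from a raw RAM dump before sharing it.

Added example; not from the thread. The encoding of the numbers in memory is
an assumption: each number is searched for as a 32-bit (or 64-bit, if it does
not fit) little-endian and big-endian integer, as ASCII decimal digits and as
packed BCD, and every hit is overwritten with the AABBCCDD marker the thread
uses, repeated or truncated to the length of the match.
"""
from __future__ import annotations

from typing import Iterable

MARKER = bytes.fromhex("AABBCCDD")
BASE_2700 = 0x40000000  # start of the EMI SRAM window on a 2700, per the thread


def candidate_encodings(number: int) -> dict[str, bytes]:
    """Byte patterns a decimal serial number might take in memory (assumed)."""
    width = 4 if number < 1 << 32 else 8
    digits = str(number)
    return {
        "le": number.to_bytes(width, "little"),
        "be": number.to_bytes(width, "big"),
        "ascii": digits.encode("ascii"),
        "bcd": bytes.fromhex(digits if len(digits) % 2 == 0 else "0" + digits),
    }


def find_all(buf: bytes, needle: bytes) -> list[int]:
    """All offsets of needle in buf, including overlapping ones."""
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(i)
        i = buf.find(needle, i + 1)
    return hits


def marker_fill(length: int) -> bytes:
    """AABBCCDD repeated/truncated to exactly `length` bytes."""
    return (MARKER * (length // len(MARKER) + 1))[:length]


def redact(dump: bytes, numbers: Iterable[int],
           base: int = BASE_2700) -> tuple[bytes, list[tuple[int, str, str]]]:
    """Overwrite every candidate encoding of each number; return (new dump, report).

    The report lists (absolute address, encoding name, hex of the replaced bytes)
    so the hits can be checked by hand; the thread expects two or three per number.
    """
    out = bytearray(dump)
    report = []
    for num in numbers:
        for name, pattern in candidate_encodings(num).items():
            for off in find_all(dump, pattern):
                out[off:off + len(pattern)] = marker_fill(len(pattern))
                report.append((base + off, name, pattern.hex()))
    return bytes(out), sorted(report)


def make_sample_dump(card: int = 123456789) -> bytes:
    """Constructed 256-byte dump with the card number planted three times."""
    buf = bytearray(256)  # zero filler, so only the planted copies can match
    le = card.to_bytes(4, "little")
    buf[0x20:0x24] = le
    buf[0x40:0x49] = str(card).encode("ascii")
    buf[0x80:0x84] = le
    return bytes(buf)


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:  # usage: redact.py dump.bin <ird number> <card number> ...
        data = open(sys.argv[1], "rb").read()
        nums = [int(n) for n in sys.argv[2:]]
    else:
        data, nums = make_sample_dump(), [123456789]
    clean, hits = redact(data, nums)
    for addr, enc, old in hits:
        print(f"{addr:08X} {enc:5} {old}")
    if len(sys.argv) >= 3:
        open(sys.argv[1] + ".redacted", "wb").write(clean)
```

Review the printed report before sharing the file: a short number (or one that happens to look like a common constant) will match far more than the two or three places the post expects, and each extra hit is a word of the dump that has been destroyed for the person doing the compare.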
dbDan
02-22-2005, 04:28 AM
Data types will be found in the same place of the RAM dump for the same IRD, whether it's an N1 or N2 card.
mylise
02-22-2005, 05:41 PM
Data types will be found in the same place of the RAM dump for the same IRD, whether it's an N1 or N2 card.
I am curious. Did you do the exercise to state this? I did it with an unmarried ROM102 and found that there were differences. First difference: the card responses from ROM10 and ROM102 at reset are different, and this shows up in the RAM dump. I have also found some differences at specific locations where the tier listing is being developed. What about those many locations that were empty because of the unmarried state of the 102!!!!
If you are very sure of what you have stated, show me the proof and we can end this thread.
If not, give me the dump so I can post the differences and get others to participate; then, collectively, we can state whether this was a waste of time or useful for this cause.
I will perform this test as soon as I get my card for Bell. For now, I am asking the help of others that were more fortunate!
dbDan
02-23-2005, 03:38 AM
On a 510 IRD the data types will be found in RAM at C00580B0; it doesn't matter which Nagra version is used. What you are wanting to do is not a waste of time, so keep at it.
mylise
02-23-2005, 05:16 PM
On a 510 IRD the data types will be found in RAM at C00580B0; it doesn't matter which Nagra version is used. What you are wanting to do is not a waste of time, so keep at it.
First of all, I am sorry, I misunderstood your comment. What you meant was that RAM addresses are found at the same location regardless of the smartcard used.
What I propose is to perform this exercise on other machines and service providers.
For 2700 --> RAM address is located at 40000000, size 200000
(Stated by dbDan) for 510 --> RAM address at C00580B0, size ???
Does anyone know for other IRD models?
Next, take two dumps with ROM10, compare them and indicate where differences occur. These are used to eliminate differences due to the constant changes occurring in the system.
Take a dump with ROM102 and compare it with ROM10, minus the previous differences.
What is left, I believe, will be the same for everyone who tries. Within these differences I hope we will find decoding tables, the address of the decoding sequence, etc.
I wrote a QBASIC program to perform the compares and, if required, I can post it.
If someone wants to convert this program to Visual Basic or C, it would be appreciated.
Flow chart --> load a byte from the first ROM10 copy and a byte from the second ROM10 copy and compare; if they are the same, load the byte from ROM102 and compare; if different, save the address location and the data, both in hex and ASCII, in a compare file. If addresses follow each other, the data prints on the same line without the address location; else change line.
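Editor's added example, not the QBASIC program the post above refers to: the same three-way compare in Python. Two dumps taken with the ROM10 card are compared first, and any byte that differs between them is treated as system noise and ignored; bytes that are stable in both but differ in the ROM102 dump are reported as runs of consecutive addresses with hex and ASCII, one line per run. The 64-byte sample dumps are constructed here, and the 2700 base address 40000000 is taken from the thread; pass another base for other IRDs.

```python
"""Three-way RAM-dump compare following the flow chart in the post above.

Added example; not the thread's QBASIC program. Inputs are three raw dumps of
the same region: two taken with the ROM10 card (copies A and B) and one with
the ROM102 card. Any byte that differs between A and B is treated as system
noise (counters, timers) and skipped; bytes identical in A and B but different
in the ROM102 dump are reported as runs with address, hex and ASCII.
"""
from __future__ import annotations

BASE_2700 = 0x40000000  # 2700 SRAM start per the thread; other IRDs differ


def three_way_diff(rom10_a: bytes, rom10_b: bytes, rom102: bytes,
                   base: int = BASE_2700) -> list[tuple[int, bytes, bytes]]:
    """Return runs of (address, rom10 bytes, rom102 bytes) for stable bytes that changed."""
    n = min(len(rom10_a), len(rom10_b), len(rom102))
    runs: list[tuple[int, bytes, bytes]] = []
    start = None
    for i in range(n):
        noisy = rom10_a[i] != rom10_b[i]        # differs between same-card dumps: ignore
        changed = not noisy and rom10_a[i] != rom102[i]
        if changed and start is None:
            start = i                            # open a run of consecutive addresses
        elif not changed and start is not None:
            runs.append((base + start, rom10_a[start:i], rom102[start:i]))
            start = None
    if start is not None:                        # run reaches the end of the dump
        runs.append((base + start, rom10_a[start:n], rom102[start:n]))
    return runs


def printable(b: bytes) -> str:
    """ASCII column: printable bytes as-is, everything else as '.'."""
    return "".join(chr(c) if 0x20 <= c < 0x7F else "." for c in b)


def format_runs(runs: list[tuple[int, bytes, bytes]], width: int = 16) -> list[str]:
    """One line per run (wrapped every `width` bytes): ADDR: old -> new  |old|new|"""
    lines = []
    for addr, old, new in runs:
        for off in range(0, len(old), width):
            o, n = old[off:off + width], new[off:off + width]
            lines.append(f"{addr + off:08X}: {o.hex(' ')} -> {n.hex(' ')}  "
                         f"|{printable(o)}|{printable(n)}|")
    return lines


# Constructed 64-byte sample dumps standing in for real captures.
SAMPLE_ROM10_A = bytes(range(64))
_b = bytearray(SAMPLE_ROM10_A)
_b[10] = 0xFF                          # a counter that changed between the two ROM10 dumps
SAMPLE_ROM10_B = bytes(_b)
_c = bytearray(SAMPLE_ROM10_A)
_c[10] = 0x77                          # also changed here, but noisy, so must not be reported
_c[20:24] = bytes.fromhex("AABBCCDD")  # e.g. a redacted card number
_c[40:42] = b"\x00\x00"                # e.g. a cleared tier word
SAMPLE_ROM102 = bytes(_c)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # usage: compare.py rom10_a.bin rom10_b.bin rom102.bin
        a, b, c = (open(p, "rb").read() for p in sys.argv[1:4])
    else:
        a, b, c = SAMPLE_ROM10_A, SAMPLE_ROM10_B, SAMPLE_ROM102
    print("\n".join(format_runs(three_way_diff(a, b, c))))
```

Two ROM10 dumps only catch the noise that happened to change between those two captures; a slowly moving field (a clock that ticks once a minute, for instance) can survive the filter and show up as a false ROM102 difference, so the remaining runs still need a sanity check against a third ROM10 capture or a second contributor's dumps.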
dbDan
02-24-2005, 04:28 AM
For 2700 --> RAM address is located at 40000000 size 200000
(Stated by dbDan) for 510 --> ram address at C00580B0 size ???
Does anyone know for other IRD models?
here ya go
- 2700...4900,6000: SA=4000000, L=200000
- 301.013,501,508,5100,5800: SA=C0000000, L=800000
- 301.010, 3100: SA=0, L=800000
mylise
03-01-2005, 06:03 PM
Nice to see people are sending me PMs. Some of you have concerns about getting caught. I will only post results of those changes that are common regardless of CAM ID and IRD. I will send a complete comparison copy to the person contributing. Therefore, I will need at least two sets for each IRD type. Also, please indicate the firmware rev. It was recently changed to E509, which has some changes to data placement in RAM. Soon I will start a new thread to test changes and note their effects using jtango. I hope many more will join.
MR PIT
03-28-2005, 06:28 AM
Dnet IRDs are 3900 and newer with Nagra 2s, of all I have seen so far; I've never seen a 2700 updated with a Nagra 2 swap yet, of hundreds.
SRAM, TSOP, same. Wouldn't simply doing a hidden service menu on-screen RAM dump display the same?
Birdie, I have a 2700 with a ROM 102 that I pay for; I keep one up just in case it goes down. So what do you need from me, or for me to do? PM me.
lips905
03-29-2005, 09:41 AM
Same here, BEV subbed 2700 with 102. Let me know what ya need.