View Full Version : Data logging an activation?


azzario
12-17-2004, 07:16 AM
Just curious if this would be a feasible idea. That way we can see what tiers are being written and how to the card. It would require some sort of monitor on the card, and a JTAG on the box. 2 computers and that should do it.

I know I can use jtango (or some other program I saw) for watching the receiver's instructions, but what to use for the card and what hardware would I need?

azzario
01-11-2005, 05:48 AM
Since others have expressed that this is a good idea, I'm requesting some help from others in the forums. I figure I can mod an AVR-3 card to act as the logger for the 10x card and the IRD/CAM interaction, just not sure what exactly needs to be done. Putting a buffer on the tx and rx lines of the smartcard and tying it to a parallel port on a PC should give me enough of a trap. Anyone done this?

Logging an IRD/CAM setup for activation will at least give us some idea where the card is being written to, and possibly some more information. A PPV purchase would be great, (but not sure) I think a Playboy or NFL subscription at this point would tell most of the story..

Anyone ?

dbDan
01-11-2005, 06:03 AM
I'm sure it's a good idea. I can't say on the AVR3 as the AVR4 seems to be the norm from what I have heard about. You've got the right idea; you'll want to incorporate a max232 in between the AVR and the computer to keep voltages right.

As far as logging the activation, it will help you to see and understand a little of what is going on. It has been done before but that's no reason to stop you in your endeavor. As far as it telling you what is written, unless you can decrypt the CMD $04's it will be gibberish at best, but you can observe the changes in the data types from certain $04's. That will also go for any PPV purchases as well.

I'm sure that I've posted some negatives but don't let that stop you as you will gain a great deal of info along the way in your observations.

azzario
01-11-2005, 06:27 AM
dbdan, thanks for the reply..

I don't think I was specific enough. My plan was to very precisely log the IRD's commands via JTAG (using jtango) and CAM interaction at the same time. These would have to be done with precise timestamps for comparison. What I hope to gain, at least, is memory addresses that contain the appropriate keys, and analyzing the ROM dump of the receiver (before and after) to gain some insight.

Don't worry about the negatives.. this is what this is all about.. if it was easy, someone would have done it by now..

The CMD $04 strings, I realize that they would be encrypted, and cracking a 768-bit cipher is fairly complex (could be done, but we don't have a supercomputer at our disposal, nor months to wait!). So I surmise that the only way anyone is going to get this is trapping the IRD's commands.. Running a processor tap might be another idea (on the IRD's CPU) to get a more accurate depiction. Just need to figure a decent way to do it.. (without getting too costly)

I've just got the resources to log one activation at the moment, so I wanna make sure I've got it right, and set up for max benefit..

Cheers!

dbDan
01-11-2005, 10:00 AM
Certainly sounds like fun for sure. Sounds like you've got your bases either covered or heading in that direction. Don't have anything here to add to your post other than don't blow anything up..lol I'll take a look at jtango to get a better idea of what you are looking at doing from that end. A very weak area for me there.

k0ke
02-21-2005, 12:27 PM
There's a sti5518 data sheet that shows the pinouts of the processor, that is of course the chip you want to JTAG and use jtango with.

blundell104
02-22-2005, 09:44 PM
I think you get a good idea to activate, how can you log the communication between the card and IRD? If I can, perhaps I can log some more for you.
Thanx














