Recovering BD3 key on rom10 / backdoor key on rom3
Anyone out there have a reliable method for recovering the BD0 key on a rom10? I'm open to just about any suggestions at this point. I've hit this thing with everything I can get my hands on and the backdoor is open, but the BD3 keys have been zeroed or something to that effect. My understanding is that I need to send a call to reset BD0, but I don't have any idea how to do this. Rom is revA23.
How about recovering the backdoor password on a rom3? Same deal, the card is open, but the backdoor key is not accessible. Rom is rev382.
bobbypooh
02-21-2005, 09:51 AM
I am trying to program a Rom 3 card and I am getting this message:
Opening of COM2 was successful
ATR String: 3F FF 95 00 FF 91 81 71 64 47 00 44 4E 41 53 50
30 30 33 20 52 65 76 33 38 33 F5
ROM Revision: 003
EEPROM Revision: Rev383
Logging into card
Checking for BackDoor
BackDoor appears to be closed, aborting
Error reading image from card
Closing of COM2 was successful
Error detected, One Step Clean incomplete
Any suggestions on what I can do next without messing up my card?
Just to clarify, here is how the roms I'm referring to read in Nagra. In both cases the backdoor is open; it's just that the keys are not accessible. Unlocking programs do nothing with these roms because they immediately return a response that they are open.
------------------------------------------------------------------------------------------------
Opening of COM1 was successful
ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 30 20 52 65 76 41 32 33 4B
ROM Revision: 010
EEPROM Revision: RevA23
ProviderID: 40
CamID: 11 11 11 11
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
Unable to login, bad password detected
(Then it asks me to enter the BD3 key manually)
-------------------------------------------------------------------------------------------
Opening of COM1 was successful
ATR String: 3F FF 95 00 FF 91 81 71 64 47 00 44 4E 41 53 50
30 30 33 20 52 65 76 33 38 32 F4
ROM Revision: 003
EEPROM Revision: Rev382
Logging into card
Checking for BackDoor
BackDoor appears to be open, continuing...
Retrieving BackDoor password
Error retrieving BackDoor password
Error reading image from card
Closing of COM1 was successful
----------------------------------------------------------------------------------------------
In your case bobby the rom is streamlocked. It can be unlocked with a modified HU unlooper and one of the many fine unlocking programs out there.
Crazy1_79
02-21-2005, 04:18 PM
Well JT, I have a rom 10 card that is in the same boat as yours; threw everything at it except the kitchen sink. Good luck, and if you find something that works, let me know.
lsr1428
02-21-2005, 07:50 PM
Hi there,
I have a couple of rom 10s that came up with the backdoor problem. I use the BD3 opener, am able to get them to open up and able to write to them. I put on a clean image bin, then a bin file with blocker, but for some reason I get a black screen. I know the box keys are right and the IRD is right; tried both cards and 2 different receivers. I also am able to get the previews. Any help would be appreciated, thanks.
Damn Crazy, I was hoping you'd have a good suggestion for me. :cool:
The rom10 BD0 retriever CMD03 is a great little kit. Big thanks goes out to slickvguy on that one. It's worked for me before. It's what I usually use in this situation. When I tried it on this rom though, I could not get viagra to change the provider to 9000. I can get viagrarom10 to change my provider to 9000, but the CMD03 from slickvguy still returns a BD0 key of all zeros. Cimba emailed some files last night that I hadn't seen before. They are a little old, but I think they hold a lot of promise. I'll let you guys know if I can get them to work for me. Big thanks to Cimba either way. :) I'm thinking of posting a 'backdoor recovery kit' that includes all the neat little ways I've gone after this 10. My bag of tricks is just about empty this time around though. Guess it's time to learn some new tricks eh? :)
FYI- so far I have tried mromV6, camwisler, viagra, backdoorbuster, speedkeyXP3 and two versions of bdkr on this rom10. I'm halfway surprised I haven't looped this sucker yet. I'm going to get this damn thing open or kill it trying! Never come across roms as stubborn as this rom10 and the rom3 that's acting essentially the same way. I have been unable to find anything substantial for working on the rom3 backdoor recovery. Like I said, the unlocker programs are useless in this situation. The cams are already open. The problem is much more challenging than just unlocking the darn things.
BTW- did anyone else notice how similar the ATRs are that I'm getting off this rom10 and rom3? I got these roms from the same guy. I sure wouldn't normally expect ATRs of such similarity on a rom3 and rom10. Have no idea if it has anything to do with anything relevant, but it is an odd coincidence.
rurso
02-22-2005, 12:35 AM
I assume you have a modded loader. Did you try any of the powersync scripts? Guys with problems have been using them; they work with a modded loader, just a little more work than if you bought the powersync loader. Just a thought.
Astro
02-22-2005, 12:53 AM
Looks like someone attempted to write a rom10 image to a rom3, or vice versa. Those ATRs look a lot like my rom10 ATRs.
WTH is the provider 40 coming from?
Isn't that what mrom puts them at when repairing the ATR?
good luck JT
I'm halfway surprised I haven't looped this sucker yet. I'm going to get this damn thing open or kill it trying!
Don't go that far bud, we will miss ya.
I found a great guide that worked on a couple of mine, I posted it on the Bell expressVu card programming forum, but I don't know how to link to it. You can check there.
STP
I moved that thread over here to the glitching/unlocking forum. That is the procedure I was referring to as having promise, but alas, it has not panned out for me. I'm going to try it at least a couple more times before I give up though.
Thanks for moving the thread over JT.
I found that the procedure worked perfectly, and changed my Rom10 A81 with bad BD3 and bad BD0 to a ROM10 A16.
But then I had to use Mron_em to get the card to open, then I wrote dish gods all in one and it was good to go.
STP
Astro
02-22-2005, 03:54 AM
JT, I looked a little closer and that is a ROM3 ATR on your ROM10. So it seems the person you got that card from put a ROM3 image on it.. Since Nagra sees a ROM10 and tries to use BD3, it'll fail since the ROM3 image doesn't have a BD3. Looks like that card is an ice scraper. But if you do ever find a fix for it, let me know. I have a card with the same problem..
Thought Nagra would not let you put a rom 3 image on a rom 10?
Only the other way around.
Maybe I am wrong, but I thought it nagged about an incorrect file size.
bobbypooh
02-22-2005, 10:08 AM
I have a Rom 3 with the same 383 rev. When I got the card it said the back door was open, but could report the password for the BD. The next time I read the card, it reported back door closed. Now I am stuck with what to do next. How do I open the back door?
Astro
02-22-2005, 04:02 PM
Who says the guy used Nagra.. ;-) I'm not sure either, but I have a ROM10 with a ROM3 ATR also.. So somehow a R3 image got onto the R10..
Good point.
I was thinking "inside my box"
I forgot there are other ways to write to a cam. Most of the time I use nagedit.
Astro
02-23-2005, 02:14 AM
I was thinking "inside my box"
My Wife slaps me when I do that.. :p
Mr Dufus
02-23-2005, 02:34 AM
I'm looking for the "#1 dish to bev". Any ideas where I can find it? :)
Mr Dufus
02-24-2005, 06:51 PM
I found it, :-)
Crazy1_79
02-24-2005, 09:54 PM
My Wife slaps me when I do that.. :p
LMAO,
slickvguy
02-26-2005, 10:40 PM
OK, JT. I am here. Let's go.
I'm dealing with the first card you spoke of, the ROM10 with the provider 40.
First of all, the reason it's provider 40 is because you or someone else ran it through MROM. Understand? So the first thing we want to do is take a look at the dataitems on the card. Run this d2c script (and save it for future use) from NE's comm window, and paste the results.
Edit: OK. I've uploaded it. This belongs in the files section.
;ROM_PROBE by Slickvguy
RS
;Set IFS
TX 21C101A041
RX ;12E101A052
MG ***CAMID***
;CMD$12 - CAMID
TX 210008A0CA00000212000655
dl 0200
RX
MG ***CAMDATE***
;CMD$C6 - CAMDATE
TX 210008A0CA000002C6000681
dl 0200
RX
MG ***DT01***
;CMD$20 DT01 - IRD
TX 21000CA0CA0000062004 01 02FFFF0365
dl 0200
RX
;CMD$21 DT01 Element 00
TX 21000DA0CA00000721050103FFFF 00 2047
dl 0200
RX
;CMD$21 DT01 Element 01
TX 21000DA0CA00000721050103FFFF 01 2046
dl 0200
RX
MG ***DT06***
;CMD$20 DT06 - Provider Info
TX 21000CA0CA0000062004 06 02FFFF0362
dl 0200
RX
;CMD$21 DT06 Element 00
TX 21000DA0CA00000721050603FFFF 00 2949
dl 0200
RX
;CMD$21 DT06 Element 01
TX 21000DA0CA00000721050603FFFF 01 2948
dl 0200
RX
;CMD$21 DT06 Element 02
;The last byte of every TX is the XOR check of the bytes before it. The posted copy
;had 47 here; the XOR of the preceding bytes is 4B, and that 47 request is the one
;the card answers with 12 91 00 83 in the logs below.
TX 21000DA0CA00000721050603FFFF 02 294B
dl 0200
RX
MG ***DT07***
;CMD$20 DT07 - Decrypt Keys
TX 21000CA0CA0000062004 07 02FFFF0363
dl 0200
RX
;CMD$21 DT07 Element 00
TX 21000DA0CA00000721050703FFFF 00 0564
dl 0200
RX
;CMD$21 DT07 Element 01
TX 21000DA0CA00000721050703FFFF 01 0565
dl 0200
RX
;CMD$21 DT07 Element 02
TX 21000DA0CA00000721050703FFFF 02 0566
dl 0200
RX
MG ***DT02***
;CMD$20 DT02 - Provider Filter
TX 21000CA0CA0000062004 02 02FFFF0366
dl 0200
RX
;CMD$21 DT02 Element 00
TX 21000DA0CA00000721050203FFFF 00 0662
dl 0200
RX
;CMD$21 DT02 Element 01
TX 21000DA0CA00000721050203FFFF 01 0663
dl 0200
RX
Rx: 3f Ff 95 00 Ff 91 81 71 A0 47 00 44 4e 41 53 50
30 31 30 20 52 65 76 41 32 33 4b
Tx: 21 C1 01 A0 41
Rx: 12 E1 01 A0 52
***camid***
Tx: 21 00 08 A0 Ca 00 00 02 12 00 06 55
Rx: 12 00 08 92 04 00 00 00 00 00 00 3e
***camdate***
Tx: 21 00 08 A0 Ca 00 00 02 C6 00 06 81
Rx: 12 40 06 B6 02 1a 54 90 00 3e
***dt01***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 01 02 Ff Ff 03 65
Rx: 12 00 05 A0 01 01 90 00 27
Tx: 21 00 0d A0 Ca 00 00 07 21 05 01 03 Ff Ff 00 20
47
Rx: 12 40 22 A1 1e 40 01 00 01 00 00 C3 58 08 00 0e
06 68 82 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 90 00 6e
Tx: 21 00 0d A0 Ca 00 00 07 21 05 01 03 Ff Ff 01 20
46
Rx: 12 00 22 A1 1e 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 69 80 66
***dt06***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 06 02 Ff Ff 03 62
Rx: 12 40 05 A0 01 02 90 00 64
Tx: 21 00 0d A0 Ca 00 00 07 21 05 06 03 Ff Ff 00 29
49
Rx: 12 00 2b A1 27 40 00 00 1b 83 F0 D8 Ff Ff Ff Ff
Ff Ff Ff Ff Ff Ff 00 Ff Ff 00 00 Ff Ff 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 90 00 Df
Tx: 21 00 0d A0 Ca 00 00 07 21 05 06 03 Ff Ff 01 29
48
Rx: 12 40 2b A1 27 41 00 00 1b 83 F0 D8 90 03 51 19
4f Ff Ff Ff Ff Ff 04 39 9f Bf 7c Ff Ff 00 00 B4
00 01 00 00 00 00 00 00 00 00 00 00 90 00 21
Tx: 21 00 0d A0 Ca 00 00 07 21 05 06 03 Ff Ff 02 29
47
Rx: 12 91 00 83
***dt07***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 07 02 Ff Ff 03 63
Rx: 12 00 05 A0 01 03 90 00 25
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 00 05
64
Rx: 12 40 07 A1 03 40 3f 00 90 00 18
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 01 05
65
Rx: 12 00 07 A1 03 41 3f 00 90 00 59
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 02 05
66
Rx: 12 40 07 A1 03 00 3f 01 90 00 59
***dt02***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 02 02 Ff Ff 03 66
Rx: 12 00 05 A0 01 01 90 00 27
Tx: 21 00 0d A0 Ca 00 00 07 21 05 02 03 Ff Ff 00 06
62
Rx: 12 40 08 A1 04 41 01 00 00 90 00 2f
Tx: 21 00 0d A0 Ca 00 00 07 21 05 02 03 Ff Ff 01 06
63
Rx: 12 00 08 A1 04 00 00 00 00 69 80 56
slickvguy
02-26-2005, 11:50 PM
Well, first of all, you should NOT post your camid! lol! Please xx it out.
Your DT1 is for provider $40. (MROM did this).
Your DT6's are $40 and $41. More MROM.
Your DT7's are: $40, $41, $00. MROM replaced the first two, and the 3rd is the Dish one that was not overwritten.
Therefore, if you try using a utility like my BD0 retriever, which uses cmd03's specifically made for DN provider $00, it obviously will not work. People don't understand these basics, and then wonder why things won't work. Why waste time and effort on something that CANNOT work? Makes no sense.
If you are going to use a Nipper login, you must use one for provider $40. Like this...
21001DA0CA000017031540011011054E697050457220497320 6120627554742648
Or, better yet, *REPLACE* the first few blocks of dataspace with DishNet dataitems, i.e. get rid of the MROM provider. You can do this if your backdoor is open (or with a glitcher). Let's assume your backdoor is open, ok? What you need to do is:
a) Login with a nipper for the existing provider on your card, which I already posted above. :)
b) Send CMD$D7's to write the Dish data to the dataspace. Simple!
Alternatively, you can install a ghost provider, and construct EMMs for the ghost provider.
Or, you can construct a CMD03 overflow for provider 40, and let 'er rip.
A few different approaches.
But - keep in mind that after we get your BD0, and you DO read your card, it might be marked and your MAP may be flagged "off". This is frequently what is behind NagraEdit's inability to get the BD0. It writes cleartext keys, executes a CMD01, and then a CMD60 to get the BD0. The CMD01 doesn't execute, and that's why the CMD60 returns all zeros. :(
What you need to do is focus on being able to read the entire code and data space, and/or get your BD0, through various means. Once you have that, you'll know if your card is f'd or not.
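The provider values slickvguy reads off the dataitem replies above (DT1 $40, DT6 $40/$41, DT7 $40/$41/$00), and his later caution that a 90 00 answer only means a frame passed a few basic tests, can be pulled out of a ROM_PROBE log mechanically. The Python below is an added example written for this edit, not slickvguy's script or any Nagra tool: it verifies the XOR check byte on every frame, decodes the ROM/EEPROM string from the ATR's historical bytes, and extracts the status word and provider byte from each CMD$21 reply. The frame layout it assumes (12 or 21, a sequence byte, a length, the payload, then the XOR check) is inferred from the logs posted in this thread, and the sample frames are copied from the probe output above.

```python
# Editor-added example (not slickvguy's script or Nagra's code): decode a ROM_PROBE
# Tx/Rx log. Frame layout is inferred from the posted logs (an assumption):
#   [12|21] [seq] [len] [payload ...] [LRC], LRC = XOR of all preceding bytes;
#   a CMD$21 dataitem reply payload is  A1 [n] [n data bytes] [SW1 SW2].
import re
from dataclasses import dataclass
from functools import reduce
from typing import List, Optional, Tuple
# Frames copied from the ROM_PROBE output posted above (camid/camdate sections left out).
SAMPLE_LOG = """\
Rx: 3f Ff 95 00 Ff 91 81 71 A0 47 00 44 4e 41 53 50
30 31 30 20 52 65 76 41 32 33 4b
***dt01***
Tx: 21 00 0d A0 Ca 00 00 07 21 05 01 03 Ff Ff 00 20
47
Rx: 12 40 22 A1 1e 40 01 00 01 00 00 C3 58 08 00 0e
06 68 82 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 90 00 6e
***dt06***
Tx: 21 00 0d A0 Ca 00 00 07 21 05 06 03 Ff Ff 02 29
47
Rx: 12 91 00 83
***dt07***
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 00 05
64
Rx: 12 40 07 A1 03 40 3f 00 90 00 18
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 01 05
65
Rx: 12 00 07 A1 03 41 3f 00 90 00 59
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 02 05
66
Rx: 12 40 07 A1 03 00 3f 01 90 00 59
***dt02***
Tx: 21 00 0d A0 Ca 00 00 07 21 05 02 03 Ff Ff 01 06
63
Rx: 12 00 08 A1 04 00 00 00 00 69 80 56
"""
HEX_LINE = re.compile(r"^(?:(Tx|Rx):)?\s*((?:[0-9A-Fa-f]{2}\s*)+)$", re.IGNORECASE)

@dataclass
class Frame:
    direction: str  # "Tx" (to the card) or "Rx" (from the card)
    section: str    # last ***label*** seen, lower-cased; "" before the first one
    data: bytes

def xor_lrc(data: bytes) -> int:
    """XOR of all bytes; a frame whose trailing check byte is right XORs to zero."""
    return reduce(lambda a, b: a ^ b, data, 0)

def parse_log(text: str) -> List[Frame]:
    """Group the log into frames; a bare hex line continues the frame above it."""
    frames: List[Frame] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("***"):
            section = line.strip("*").lower()
        elif (m := HEX_LINE.match(line)):
            chunk = bytes.fromhex(m.group(2))
            if m.group(1):
                frames.append(Frame(m.group(1).capitalize(), section, chunk))
            elif frames:
                frames[-1].data += chunk
    return frames

def atr_text(atr: bytes) -> str:
    """Historical bytes of the ATR as text; their count K is the low nibble of T0 (atr[1])."""
    return atr[-1 - (atr[1] & 0x0F):-1].decode("ascii", errors="replace")

def decode_reply(frame: Frame) -> Tuple[Optional[int], Optional[int]]:
    """(status word, provider byte): status is None when the reply carries no payload;
    provider is the first data byte of a 90 00 CMD$21 (A1) reply, else None."""
    payload = frame.data[3:3 + frame.data[2]]
    if len(payload) < 2:
        return None, None
    status = (payload[-2] << 8) | payload[-1]
    if status == 0x9000 and payload[0] == 0xA1 and payload[1] >= 1:
        return status, payload[2]
    return status, None

def probe_summary(text: str) -> dict:
    """ATR text/TCK, frames whose check byte fails, per-dataitem status and provider bytes."""
    frames = parse_log(text)
    atr = frames[0].data
    statuses: dict = {}
    providers: dict = {}
    for f in frames[1:]:
        if f.direction == "Rx":
            status, provider = decode_reply(f)
            statuses.setdefault(f.section, []).append(status)
            if provider is not None:
                providers.setdefault(f.section, []).append(provider)
    return {
        "atr_text": atr_text(atr),
        "atr_tck_ok": xor_lrc(atr[1:]) == 0,  # ISO 7816-3: XOR of T0 through TCK is zero
        "bad_lrc": [(f.direction, f.section) for f in frames[1:] if xor_lrc(f.data) != 0],
        "statuses": statuses,
        "providers": providers,
    }
```

On those frames it flags exactly one bad check byte, the DT06 element 02 request, whose last byte (47) is not the XOR of the rest (4B); that is also the one request the card answered with no payload (12 91 00 83).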
Don't worry, that is not a valid cam ID, but I took it out anyway and replaced it with my SSN number.
LOL
thanks for the steps I will see what happens
now to figure out WTF you just said.
JT Where are you???????
First, thanks slickvguy for stepping in here. If anyone can steer us in the right direction on this, it's you. Here is my log, but it sounds like you're already going through the basics with fubr, and it's the same issue I think. For the record too, I ran the BD0 retriever CMD03 before I hit this thing with mrom....now it appears I have to go back and try to repair the damage I did messing with it. :rolleyes: At least now I have something to do and the expert is in the house. Greatly appreciate your time and effort slickvguy. :)
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 30 20 52 65 76 41 32 33 4B
TX: 21 C1 01 A0 41
RX: 12 E1 01 A0 52
***CAMID***
TX: 21 00 08 A0 CA 00 00 02 12 00 06 55
RX: 12 00 08 92 04 00 BA 67 FF 90 00 3E
***CAMDATE***
TX: 21 00 08 A0 CA 00 00 02 C6 00 06 81
RX: 12 40 06 B6 02 19 3B 90 00 52
***DT01***
TX: 21 00 0C A0 CA 00 00 06 20 04 01 02 FF FF 03 65
RX: 12 00 05 A0 01 01 90 00 27
TX: 21 00 0D A0 CA 00 00 07 21 05 01 03 FF FF 00 20
47
RX: 12 40 22 A1 1E 40 01 00 01 22 22 22 22 08 00 00
00 00 00 30 30 30 37 37 39 30 37 31 33 32 50 31
30 54 4E 90 00 62
TX: 21 00 0D A0 CA 00 00 07 21 05 01 03 FF FF 01 20
46
RX: 12 00 22 A1 1E 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 69 80 66
***DT06***
TX: 21 00 0C A0 CA 00 00 06 20 04 06 02 FF FF 03 62
RX: 12 40 05 A0 01 02 90 00 64
TX: 21 00 0D A0 CA 00 00 07 21 05 06 03 FF FF 00 29
49
RX: 12 00 2B A1 27 40 00 00 11 11 11 11 FF FF FF FF
FF FF FF FF FF FF FC FF FF 00 00 FF FF 00 00 B4
00 00 00 00 00 00 00 00 00 00 00 00 90 00 27
TX: 21 00 0D A0 CA 00 00 07 21 05 06 03 FF FF 01 29
48
RX: 12 40 2B A1 27 41 00 00 11 11 11 11 FF FF FF FF
FF FF FF FF FF FF FC FF FF 00 00 FF FF 00 00 B4
00 00 00 00 00 00 00 00 00 00 00 00 90 00 66
TX: 21 00 0D A0 CA 00 00 07 21 05 06 03 FF FF 02 29
47
RX: 12 91 00 83
***DT07***
TX: 21 00 0C A0 CA 00 00 06 20 04 07 02 FF FF 03 63
RX: 12 00 05 A0 01 03 90 00 25
TX: 21 00 0D A0 CA 00 00 07 21 05 07 03 FF FF 00 05
64
RX: 12 40 07 A1 03 40 3F 00 90 00 18
TX: 21 00 0D A0 CA 00 00 07 21 05 07 03 FF FF 01 05
65
RX: 12 00 07 A1 03 41 3F 00 90 00 59
TX: 21 00 0D A0 CA 00 00 07 21 05 07 03 FF FF 02 05
66
RX: 12 40 07 A1 03 00 3F 01 90 00 59
***DT02***
TX: 21 00 0C A0 CA 00 00 06 20 04 02 02 FF FF 03 66
RX: 12 00 05 A0 01 01 90 00 27
TX: 21 00 0D A0 CA 00 00 07 21 05 02 03 FF FF 00 06
62
RX: 12 40 08 A1 04 41 01 00 00 90 00 2F
TX: 21 00 0D A0 CA 00 00 07 21 05 02 03 FF FF 01 06
63
RX: 12 00 08 A1 04 00 00 00 00 69 80 56
slickvguy
02-27-2005, 01:06 AM
Hi JT.
Yes, your dataspace is in similar shape to fubr's. Read my post above, and figure out what you are going to do. It's probably your MAP that's killed, but my BD0 retriever should have worked *IF* your DT's were for Dish. Follow?
So choose your poison. If it was me, I'd use XNCS to put a ghost 6901 on the card, and then construct an EMM for ghost 6901. XNCS is terrific for that. Use the EMM that writes the Boxkey to the ird data. Send it from xncs's comm tab (it'll append the proper LRC). The reason I would use the BOXKEY emm (not the BD0) is because the BD0 might actually be all 00's! If the card can execute the EMM, you'll quickly and easily be able to tell, because the ird field will contain your boxkey. Right? Then, once you establish that the card processes EMMs, either send an EMM to grab the BD0, or better yet, just send an EMM to write a known valid BD0.
This should take you just a few minutes to do, and then you'll know if your card is ok or not.
Yeah Thanks
This is kinda sinking in on me.
Thanks also for not posting a script for us to run... I know I am learning more this way. If I don't sling this plastic through the wall first.. lol..
Does look like me and JT have similar problems.
I don't think the cards are fried myself.
well hoping
slickvguy
02-27-2005, 01:22 AM
I have seen this MANY, MANY times. Testers all over the Internet are posting similar questions. That's why I decided to release the ROM PROBE script. I'm tired of telling people to do it. heheh.
Bottom line: I see this all the time. Sometimes the card is killed, other times it's merely a matter of fixing up the BD0 or dataitems.
Canuk
03-01-2005, 09:37 AM
Slickvguy,
I appreciate your posts, and it is nice to see someone not spoonfeeding scripts to the masses.
Before reading this thread I too had done the same as everyone else in this thread with the mr. rom etc.
But I have also tried the following.
-changed my provider to 4001 using viagra and the whole bug.
logged in with
210025A0CA00001F031D40011099054E697050457220497320
612062755474260000000000000005FD
tried to restore the keys using the following packets:
packet1
210045A0D71000406A9A5ED124D2B33E9DD69408D17448BD69
C6DE48966E9FCFDF6744147D2666D5B7C145C0B0AF8775AF05
261038EA95C8C2668432AC0042FD0EB957B7E592E68D16
packet2
210045A0D7104040F6DDE717F945B98AFCB6506524A206F299
8CA630CE320E8D19349C5ADE974179698E587C188BA3A3A430
08730CC9D608E9A80C4BE6AC3D762B3A469EEC4F37EF2D
packet3
210045A0D710804072AC3EA575E0649DA9F9A5B9EDE5A356C2
C1C6EF84E3D0662D4DB7ACA940D9ADA55E5C59F4184292CA3F
7EE0A3DEF1E33CF75F054B3EDADC32D69A3F3D4CFA6FC7
packet4
210045A0D710C040C531B9969926E8D98EE7D3A48ADC4A5B04
B13B7D93902E6A7CD1BDFEAAF9051CB73E782E8BE597897F66
FE699F4809F71431570830FC53D4410D2B35D2CE7ACA58
bd keys packet1
210053A0CA00004D004B4001026992FDB10D58F0A41CB6C8D7
6839ABC25C1F2831FD5B7D4D75B5F07E046F4E228EE71C4064
0C8FCFB5741A5E08B66DDBABDFD8620183007A98A01035E96F
FAEBC4A20FBD6DA2E1380508
bd keys packet2
210053A0CA00004D004B4001028D5894CB4AFD0D78D57880DA
ECC0E72C3DFBF52F6A288DF1F58A5764C12CD62210E22A1B58
16F6BC874DA7ADF49FA97469B344C94C7334428AEADB5F0CB7
7272263A41EBBE88BCB6050D
All my emms received a good response so I figured the emms wrote properly but it did not work. I think I am going to retry these packets but this time I will use mr.rom to change my provider and login using the packet you posted.
I am still trying to learn the emm packet structure, but I don't have as much time to play since my school is taxing. I should be learning how to solve partial differential equations and not how packet structures work.. ;-) but you know you have to get sidetracked once in a while.
I am going to try to learn the CMD$D7's
or the CMD03 overflow for different providers.
But that will have to wait till after exams.
Too bad they don't teach you sosia in school. rofl
slickvguy
03-01-2005, 10:15 PM
Just a note: a 9000 response after sending an EMM does *NOT* mean the emm executed the way you wanted it to! It just means it passed a few basic tests.
Canuk
03-03-2005, 04:11 PM
Just a note: a 9000 response after sending an EMM does *NOT* mean the emm executed the way you wanted it to! It just means it passed a few basic tests.
That was what I was looking for.... thanks. I think this card is irreparable.
Well, I'll be damned.
Looks like there is hope.
Would have been easier to just have written me a script!!!!!
rom probe is the shit!!!!
Rx: 3f Ff 95 00 Ff 91 81 71 A0 47 00 44 4e 41 53 50
30 31 30 20 52 65 76 41 31 36 4d
Tx: 21 C1 01 A0 41
Rx: 12 E1 01 A0 52
***camid***
Tx: 21 00 08 A0 Ca 00 00 02 12 00 06 55
Rx: 12 00 08 92 04 00 12 23 56 90 00 3e
***camdate***
Tx: 21 00 08 A0 Ca 00 00 02 C6 00 06 81
Rx: 12 40 06 B6 02 00 00 90 00 70
***dt01***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 01 02 Ff Ff 03 65
Rx: 12 00 05 A0 01 01 90 00 27
Tx: 21 00 0d A0 Ca 00 00 07 21 05 01 03 Ff Ff 00 20
47
Rx: 12 40 22 A1 1e 40 01 00 01 00 00 C3 58 08 00 00
00 00 00 00 00 00 00 03 5c 03 1c 03 6b 01 02 00
00 00 00 90 00 A7
Tx: 21 00 0d A0 Ca 00 00 07 21 05 01 03 Ff Ff 01 20
46
Rx: 12 00 22 A1 1e 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 69 80 66
***dt06***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 06 02 Ff Ff 03 62
Rx: 12 40 05 A0 01 02 90 00 64
Tx: 21 00 0d A0 Ca 00 00 07 21 05 06 03 Ff Ff 00 29
49
Rx: 12 00 2b A1 27 40 00 00 1b 83 F0 D8 Ff Ff Ff Ff
Ff Ff Ff Ff Ff Ff 00 Ff Ff 00 00 Ff Ff 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 90 00 Df
Tx: 21 00 0d A0 Ca 00 00 07 21 05 06 03 Ff Ff 01 29
48
Rx: 12 40 2b A1 27 41 00 00 1b 83 F0 D8 90 03 51 19
4f Ff Ff Ff Ff Ff 04 39 9f Bf 7c Ff Ff 00 00 B4
00 01 00 00 00 00 00 00 00 00 00 00 90 00 21
Tx: 21 00 0d A0 Ca 00 00 07 21 05 06 03 Ff Ff 02 29
47
Rx: 12 91 00 83
***dt07***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 07 02 Ff Ff 03 63
Rx: 12 00 05 A0 01 03 90 00 25
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 00 05
64
Rx: 12 40 07 A1 03 00 3f 01 90 00 59
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 01 05
65
Rx: 12 00 07 A1 03 40 3f 00 90 00 58
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 02 05
66
Rx: 12 40 07 A1 03 41 3f 00 90 00 19
***dt02***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 02 02 Ff Ff 03 66
Rx: 12 00 05 A0 01 01 90 00 27
Tx: 21 00 0d A0 Ca 00 00 07 21 05 02 03 Ff Ff 00 06
62
Rx: 12 40 08 A1 04 41 01 00 00 90 00 2f
Tx: 21 00 0d A0 Ca 00 00 07 21 05 02 03 Ff Ff 01 06
63
Rx: 12 00 08 A1 04 00 00 00 00 69 80 56
C000: D7 08 40 20 30 07 75 00 2D 00 00 00 00 00 00 FF | ×.@ 0.u.-......ÿ
C010: FF FF FF FF FF FF FF FF FF FF FF FF 0A 01 F5 00 | ÿÿÿÿÿÿÿÿÿÿÿÿ..õ.
C020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
C030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
C040: 29 F4 54 FF A7 E1 D9 1E 4F 67 C1 A4 84 43 5D A3 | )ôTÿ§áÙ.OgÁ¤„C]£
C050: 7E C2 C9 EA B4 8D 0B 31 6C 0B 92 A4 E4 C0 A0 58 | ~ÂÉê´..1l.’¤äÀ.X
C060: F3 AD 06 42 5D 15 43 9C A1 58 FE 67 B1 4F 99 B9 | ó..B].Cœ¡Xþg±O™¹
C070: FF F6 F3 A6 9B 8D 68 B8 C3 DF A4 EC 8F 1F FD 05 | ÿöó¦›.h¸Ãߤì..ý.
C080: D0 00 52 65 76 41 31 36 00 00 00 00 00 00 27 05 | Ð.RevA16......'.
C090: 0D 0B 0D 38 79 1D 26 29 23 12 00 00 0F 54 54 68 | ...8y.&)#....TTh
C0A0: 06 20 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 | . NipPEr Is a bu
C0B0: 54 74 20 6C 69 43 6B 65 52 21 45 71 F6 01 9A D8 | Tt liCkeR!Eqö.šØ
C0C0: 5D 86 02 03 00 00 00 2E FF 7F 7F E3 00 FF FF FF | ]†......ÿ..ã.ÿÿÿ
C0D0: 00 00 29 40 41 C1 DA 81 F3 C1 D3 8A 83 C1 ED 89 | ..)@AÁÚ.óÁÓŠƒÁí‰
C0E0: 9B C1 F3 5F 26 C1 F9 5F 4A C2 0F 82 2A C2 32 99 | ›Áó_&Áù_JÂ.‚*Â2™
C0F0: DE C2 2A 00 00 00 00 00 00 00 00 00 00 00 00 00
Cid6.7
03-05-2005, 03:22 AM
I get this on a rom10 that I was using until today..
Bd3 Login Failed..
RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 30 20 52 65 76 41 32 34 4C
TX: 21 C1 01 A0 41
RX: 12 E1 01 A0 52
***CAMID***
TX: 21 00 08 A0 CA 00 00 02 12 00 06 55
RX: 12 00 08 92 04 01 2B CD B3 90 00 48
***CAMDATE***
TX: 21 00 08 A0 CA 00 00 02 C6 00 06 81
RX: 12 40 06 B6 02 00 00 90 00 70
***DT01***
TX: 21 00 0C A0 CA 00 00 06 20 04 01 02 FF FF 03 65
RX: 12 00 05 A0 01 01 90 00 27
TX: 21 00 0D A0 CA 00 00 07 21 05 01 03 FF FF 00 20
47
RX: 12 40 22 A1 1E 00 01 C9 01 00 01 72 8F E8 00 E1
6D 7E 02 15 4B 31 03 31 37 42 42 44 41 4E 44 50
32 30 30 90 00 75
TX: 21 00 0D A0 CA 00 00 07 21 05 01 03 FF FF 01 20
46
RX: 12 00 22 A1 1E 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 69 80 66
***DT06***
TX: 21 00 0C A0 CA 00 00 06 20 04 06 02 FF FF 03 62
RX: 12 40 05 A0 01 02 90 00 64
TX: 21 00 0D A0 CA 00 00 07 21 05 06 03 FF FF 00 29
49
RX: 12 00 2B A1 27 00 00 00 01 2B CD B3 FF FF FF FF
FF FF FF FF FF FF 00 FF FF 00 00 FF FF 00 00 00
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 90 00 7B
TX: 21 00 0D A0 CA 00 00 07 21 05 06 03 FF FF 01 29
48
RX: 12 40 2B A1 27 01 00 00 01 2B CD B3 FF FF FF FF
50 4F FF FF FF FF 04 14 CE 7A 2A FF FF 00 00 B4
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 90 00 1F
TX: 21 00 0D A0 CA 00 00 07 21 05 06 03 FF FF 02 29
47
RX: 12 91 00 83
***DT07***
TX: 21 00 0C A0 CA 00 00 06 20 04 07 02 FF FF 03 63
RX: 12 00 05 A0 01 03 90 00 25
TX: 21 00 0D A0 CA 00 00 07 21 05 07 03 FF FF 00 05
64
RX: 12 40 07 A1 03 00 3F 00 90 00 58
TX: 21 00 0D A0 CA 00 00 07 21 05 07 03 FF FF 01 05
65
RX: 12 00 07 A1 03 01 3F 00 90 00 19
TX: 21 00 0D A0 CA 00 00 07 21 05 07 03 FF FF 02 05
66
RX: 12 40 07 A1 03 00 3F 01 90 00 59
***DT02***
TX: 21 00 0C A0 CA 00 00 06 20 04 02 02 FF FF 03 66
RX: 12 00 05 A0 01 01 90 00 27
TX: 21 00 0D A0 CA 00 00 07 21 05 02 03 FF FF 00 06
62
RX: 12 40 08 A1 04 01 01 09 00 90 00 66
TX: 21 00 0D A0 CA 00 00 07 21 05 02 03 FF FF 01 06
63
RX: 12 00 08 A1 04 00 00 00 00 69 80 56
JT
how did you come out?
I could not get ghost loaded, kept getting an error, so I used viagra, and when it was time for a command to log in I pasted one of them slickvguy posted at the beginning.
If I got an error or incorrect response I would reset or send again till it errored or rx'ed with the proper response.
Then I wrote valid bd0 keys and used nagra to clean.
Still not quite right the way it is acting, but I am watching TV now with it wide open with Mili pb installed.
Got lucky actually; I do not even remember what I did or when. I do remember I tried it after I finished another card though; figured I would try it while I had it all loaded, and it cleaned. I just do not remember the last thing I did to it this morning.
Cid6.7
03-05-2005, 04:29 AM
What's ghost, and what are you doing to try and fix the BD3 error?
xncs1.8 is a program.
Ghost is some kind of shit it writes to cams; I never figured that part out.
I have not done anything to get past BD3. My prob was BD0 was all zero because I used mrom on it (see above, SVGUY splains it better).
Anyway I used xncs to write commands to the card, somehow allowing me to get back in.
My provider was 40, so the BD0 retriever always gave me the 9001 response instead of 90 00.
Cid6.7
03-05-2005, 04:44 AM
Ahhh ok I thought it was Bad BD3 login...
Naahhh, I had to click on that box in nagra that asks for an alternate nipper login though,
until this last time when it cleaned.
I think that's the whole point: logging in with a dish nipper login when the provider was for sky vista or whatever.
IS marked by DN at C000: 8 WITH FF. YOU GET 32 NUMBER OPEN, then after write, no pic; see all channels header, black screen. JCK7
THIS place says they have a fix; no one posted that it works.
dynamicasoftware.com/ (put http:// and www. in front)
I basically haven't touched that rom10 since the last time we discussed it. I'd really like to recover it though. I'll have to mess with it some more now. If you got yours working I should be able to get mine going too. I see that your rom isn't marked either. Nice job.
JCK7 Online:
Back Door 32 Numbers
--------------------------------------------------------------------------------
IS marked by DN at C000: 8 WITH FF . YOU GET 32 NUMBER OPEN then after write to no pic see all channels header black screen.JCK7
WHO?
not mine but thanks.
and that link you posted I believe is a paid-for solution?
correct me if I am wrong please.
Think you are replying to cid but I was just making sure.
when we get time we will bump heads and with the help of slickvguy's posts I think yours is ok also, looking at your rom probe results.
we will get around to it, I know you're busy.
Thanks for starting this thread and opening the door for some outside help.
I am sure a lot of people will benefit from all the responses.
maybe when we are done we will share a script or a how-to for this.
I am curious as to why it took MRom or why we even tried it to begin with.
I think I will not use that one anymore with cams unless I have to. I have had success with it before but roms are getting scarce.
BTW nice job during guard duty the other night.
soon as BS was posted ole JT had it fixed...... :)
later bro
Cid6.7
03-05-2005, 06:46 PM
How did my card get marked by DN..?
It wasn't in the stream when this happened; I was actually writing a new script to it..Then all of a sudden no worky..
Could someone post that xncs1.8 for me please..
Thanks..!
Yeah fubr, I just happened to be up and online at 3am my time when all that went down. Usually no one is around at that time of day. I think that's what the trouble maker was counting on. Must have been fate.
XNCS is in the downloads.
yes
did you ever get the ghost to load?
and yes I was lurking that night, could not sleep, woke up every 30 minutes and saw all that...lol again good job....
Cid6.7
03-06-2005, 06:57 AM
SLICKVGUY Any clue as to go about fixing the BD3 error..?
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
BD3 login failed
Reading ROM10 failed
Closing of COM1 was successful
hey cid won't your glitchers pop that?
Have you tried the alternate login?
I don't see where yours got marked. First try to do a one step clean in nagedit.
When it pops up the box for alternate log in, click the middle box (sorry, I don't have the 32 bit string handy).
If that doesn't work use the viagra script in the screwd backdoor cfg, and when it says to log in, instead of sending the log in packet paste this into the box and send it:
21001DA0CA000017031540011011054E697050457220497320 6120627554742648.
if you get a good response keep going
Cid6.7
03-06-2005, 07:49 AM
When I do a 1-step clean I get the same response as above..no window pops up..
As for the screwd backdoor cfg I have no clue whatcher talkin about..lol
file in files page called viagra screwed backdoor fix; it is for A21 though so I don't know what rev you got.
maybe later I will get a chance to fuck a cam up and see if it works..lol, you might want to wait on some better advice than what fubr says
Cid6.7
03-06-2005, 08:05 AM
It's spoofed @ A24 kinda..lol It took a bad write
Cid6.7
03-09-2005, 05:52 PM
How do I go about changing the Provider ID..Mine's 40 as well from MRom
I don't think you do. I think the idea is to log in with a command for provider 40
then do the cmd3's to write valid keys.
here is a dsc script I modified and used nagra on.
try at your own risk!!!!
did not hurt me none.
paste this in the comm window on nagra 4.1 and test d2c, then run it.
___________________c&p________________________
tx 21001DA0CA000017031540011011054E697050457220497320 6120627554742648
rx
mg tried to restore the keys using the following packets
mg packet1
tx 210045A0D71000406A9A5ED124D2B33E9DD69408D17448BD69
C6DE48966E9FCFDF6744147D2666D5B7C145C0B0AF8775AF05
261038EA95C8C2668432AC0042FD0EB957B7E592E68D16
rx
mg packet2
tx 210045A0D7104040F6DDE717F945B98AFCB6506524A206F299
8CA630CE320E8D19349C5ADE974179698E587C188BA3A3A430
08730CC9D608E9A80C4BE6AC3D762B3A469EEC4F37EF2D
rx
mg packet3
tx 210045A0D710804072AC3EA575E0649DA9F9A5B9EDE5A356C2
C1C6EF84E3D0662D4DB7ACA940D9ADA55E5C59F4184292CA3F
7EE0A3DEF1E33CF75F054B3EDADC32D69A3F3D4CFA6FC7
rx
mg packet4
tx 210045A0D710C040C531B9969926E8D98EE7D3A48ADC4A5B04
B13B7D93902E6A7CD1BDFEAAF9051CB73E782E8BE597897F66
FE699F4809F71431570830FC53D4410D2B35D2CE7ACA58
rx
mg bd keys packet1
tx 210053A0CA00004D004B4001026992FDB10D58F0A41CB6C8D7
6839ABC25C1F2831FD5B7D4D75B5F07E046F4E228EE71C4064
0C8FCFB5741A5E08B66DDBABDFD8620183007A98A01035E96F
FAEBC4A20FBD6DA2E1380508
rx
mg bd keys packet2
tx 210053A0CA00004D004B4001028D5894CB4AFD0D78D57880DA
ECC0E72C3DFBF52F6A288DF1F58A5764C12CD62210E22A1B58
16F6BC874DA7ADF49FA97469B344C94C7334428AEADB5F0CB7
7272263A41EBBE88BCB6050D
rx
__________end c&P___________________
also what I done was I used the
21001DA0CA000017031540011011054E697050457220497320 6120627554742648 for log in in viagra every time it asked for a log in (for dish) on the bd0 retriever scripts
Cid6.7
03-09-2005, 09:30 PM
This is what I get when I do what you said..
TX: 21 00 1D A0 CA 00 00 17 03 15 40 01 10 11 05 4E
69 70 50 45 72 20 49 73 20 61 20 62 75 54 74 26
48
RX: FF FF FF FF FF FE 00 FF FF FF FF FF FF FF
TRIEDTORESTORETHEKEYSUSINGTHEFOLLOWINGPACKETS
PACKET1
TX: 21 00 45 A0 D7 10 00 40 6A 9A 5E D1 24 D2 B3 3E
9D D6 94 08 D1 74 48 BD 69 C6 DE 48 96 6E 9F CF
DF 67 44 14 7D 26 66 D5 B7 C1 45 C0 B0 AF 87 75
AF 05 26 10 38 EA 95 C8 C2 66 84 32 AC 00 42 FD
0E B9 57 B7 E5 92 E6 8D 16
RX: 16 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PACKET2
TX: 21 00 45 A0 D7 10 40 40 F6 DD E7 17 F9 45 B9 8A
FC B6 50 65 24 A2 06 F2 99 8C A6 30 CE 32 0E 8D
19 34 9C 5A DE 97 41 79 69 8E 58 7C 18 8B A3 A3
A4 30 08 73 0C C9 D6 08 E9 A8 0C 4B E6 AC 3D 76
2B 3A 46 9E EC 4F 37 EF 2D
RX: 12 00 02 63 00 73
PACKET3
TX: 21 00 45 A0 D7 10 80 40 72 AC 3E A5 75 E0 64 9D
A9 F9 A5 B9 ED E5 A3 56 C2 C1 C6 EF 84 E3 D0 66
2D 4D B7 AC A9 40 D9 AD A5 5E 5C 59 F4 18 42 92
CA 3F 7E E0 A3 DE F1 E3 3C F7 5F 05 4B 3E DA DC
32 D6 9A 3F 3D 4C FA 6F C7
RX: 12 40 02 63 00 33
PACKET4
TX: 21 00 45 A0 D7 10 C0 40 C5 31 B9 96 99 26 E8 D9
8E E7 D3 A4 8A DC 4A 5B 04 B1 3B 7D 93 90 2E 6A
7C D1 BD FE AA F9 05 1C B7 3E 78 2E 8B E5 97 89
7F 66 FE 69 9F 48 09 F7 14 31 57 08 30 FC 53 D4
41 0D 2B 35 D2 CE 7A CA 58
RX: 12 00 02 63 00 73
BDKEYSPACKET1
TX: 21 00 53 A0 CA 00 00 4D 00 4B 40 01 02 69 92 FD
B1 0D 58 F0 A4 1C B6 C8 D7 68 39 AB C2 5C 1F 28
31 FD 5B 7D 4D 75 B5 F0 7E 04 6F 4E 22 8E E7 1C
40 64 0C 8F CF B5 74 1A 5E 08 B6 6D DB AB DF D8
62 01 83 00 7A 98 A0 10 35 E9 6F FA EB C4 A2 0F
BD 6D A2 E1 38 05 08
RX: [no response]
BDKEYSPACKET2
TX: 21 00 53 A0 CA 00 00 4D 00 4B 40 01 02 8D 58 94
CB 4A FD 0D 78 D5 78 80 DA EC C0 E7 2C 3D FB F5
2F 6A 28 8D F1 F5 8A 57 64 C1 2C D6 22 10 E2 2A
1B 58 16 F6 BC 87 4D A7 AD F4 9F A9 74 69 B3 44
C9 4C 73 34 42 8A EA DB 5F 0C B7 72 72 26 3A 41
EB BE 88 BC B6 05 0D
RX: [no response]
All those F's means it did not log in, so the rest of the rx's would not be even close to correct.
sorry dude, wish I could help out
xprezz
03-10-2005, 04:44 AM
Here is a prog. that will change your provider and zero out your BD0; use in winexplorer.
Cid6.7
03-10-2005, 03:40 PM
My brain hurts..This all looks like hieroglyphics to me...
So how do I read this card with provider ID 40...
I've done it 2 days ago but now I can't remember WTF I did..lol
Cid6.7
03-10-2005, 04:22 PM
Ok well I ran Mrom on it again and changed the provider ID to 56. Now what I get in Nagra is this...
Opening of COM2 was successful
ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 30 20 52 65 76 41 31 36 4D
ROM Revision: 010
EEPROM Revision: RevA16
ProviderID: 56
CamID: 11 22 33 44
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
BackDoor login verified
Dumping Dataspace
Using BD0 Key: BC F3 FC 03 04 A1 B0 56 77 02 6F D5 F6 DD 1F 25
Attempting to login to BD3
Attempting to login to BD0
BackDoor login verified
Dumping CodeSpace
Reading ROM10 successful
Card read successfully
Efficiency: 100.0%, Packets: 141, Retries: 0, Time: 16.51s
Closing of COM2 was successful
How do I go about changing this to provider 00..?
Just write my old bin to it..? I don't want to mess it up again..lol
Cid6.7
03-10-2005, 04:26 PM
Can I get a WOOT WOOT..!!
Opening of COM2 was successful
ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 30 20 52 65 76 41 32 34 4C
ROM Revision: 010
EEPROM Revision: RevA24
ProviderID: 00
CamID: 11 22 33 44
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
BackDoor login verified
Dumping Dataspace
Using BD0 Key: BC F3 FC 03 04 A1 B0 56 77 02 6F D5 F6 DD 1F 25
Attempting to login to BD3
Attempting to login to BD0
BackDoor login verified
Dumping CodeSpace
Reading ROM10 successful
Card read successfully
Efficiency: 100.0%, Packets: 141, Retries: 0, Time: 16.54s
Closing of COM2 was successful
cool beans!!
will it one step clean to A16?
or did you edit the cam info to A24?
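The ATR strings in the Nagra read logs above (3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50 30 31 30 20 52 65 76 41 32 33 4B and its A16/A24 siblings) are ordinary ISO 7816-3 answer-to-reset sequences, and the "ROM Revision" / "EEPROM Revision" lines Nagra prints are just the historical bytes read as text. The decoder below is an added example for this thread, not one of the tools discussed in it: it walks the interface-byte chain, verifies the TCK check byte, and splits the historical string the way the log does. The "DNASPxxx Revyyy" layout is inferred from the logs here, not from any specification.

```python
"""ISO 7816-3 ATR decoder: interface bytes, TCK check and historical bytes.
Added example for this thread, not a tool from it."""

# ATR copied from one of the Nagra read logs in this thread (ROM 010, RevA23).
SAMPLE_ATR = ("3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50 "
              "30 31 30 20 52 65 76 41 32 33 4B")


def parse_atr(hex_atr: str) -> dict:
    """Parse an ATR given as space-separated hex; raise ValueError if malformed."""
    atr = bytes.fromhex(hex_atr)
    if len(atr) < 2:
        raise ValueError("ATR too short")
    ts, t0 = atr[0], atr[1]
    if ts not in (0x3B, 0x3F):
        raise ValueError("bad TS byte: %02X" % ts)
    convention = "direct" if ts == 0x3B else "inverse"
    k = t0 & 0x0F          # number of historical bytes
    y = t0 >> 4            # presence bits for TA1 TB1 TC1 TD1
    pos, i = 2, 1
    interface = []         # one dict of TAi/TBi/TCi/TDi per round
    protocols = set()      # protocol types announced in TD bytes
    while True:
        block = {}
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                block["%s%d" % (name, i)] = atr[pos]
                pos += 1
        interface.append(block)
        td = block.get("TD%d" % i)
        if td is None:
            break          # no TDi means no further interface bytes
        protocols.add(td & 0x0F)
        y = td >> 4
        i += 1
    if not protocols:
        protocols = {0}    # T=0 is implied when no TD byte is present
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    # TCK is present unless T=0 is the only protocol; XOR of T0..TCK must be 0.
    tck_ok = None
    if protocols != {0}:
        if pos >= len(atr):
            raise ValueError("TCK missing")
        x = 0
        for b in atr[1:pos + 1]:
            x ^= b
        tck_ok = (x == 0)
        pos += 1
    if pos != len(atr):
        raise ValueError("trailing bytes after ATR")
    return {"convention": convention, "protocols": sorted(protocols),
            "interface": interface, "tck_ok": tck_ok,
            "historical": hist.decode("ascii", errors="replace")}


def nagra_revisions(historical: str):
    """Split 'DNASP010 RevA23' into the ROM and EEPROM revisions the log shows.
    Layout inferred from this thread's logs (assumption, not a spec)."""
    if not historical.startswith("DNASP") or " " not in historical:
        return None
    rom, rev = historical[5:].split(" ", 1)
    return {"rom": rom, "eeprom": rev}
```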
roger2003
05-17-2005, 10:58 AM
I tried all of the above; why do I still get this???
Opening of COM1 was successful
ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 30 20 52 65 76 41 32 33 4B
ROM Revision: 010
EEPROM Revision: RevA23
ProviderID: 00
CamID: 01 01 01 01
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
BackDoor login verified
Dumping Dataspace
Backdoor retrieval has been blocked
Attempting to login to BD3
Attempting to login to BD0
Unable to login, bad password detected
Login attempt aborted
Reading ROM10 failed
Closing of COM1 was successful
Hit it with slickvguy's cmd03 and you should be good to go....hopefully anyway.
mrom, depending upon which version you use, will change your service provider to something other than 0000 or 0001. Worst case scenario, it will change your provider to 0048. Provider 0048 is a very bad place to be.
roger2003
05-17-2005, 09:06 PM
where can I get slickvguy's cmd03 and Mrom? I couldn't find it. Thanks for the help! :)
roger2003
05-17-2005, 10:11 PM
I FOUND IT HERE, BUT IT STILL DOESN'T WORK ON MY CARD :(
http://www.dssftp.com/forum/t40860-recovering-bd3-key-on-rom10-backdoor-key-on-rom3.html
Cimba
05-17-2005, 10:24 PM
Found elsewhere:
"There is probably a blocker on it.
You should have password from where you got it.
Default is DEADBEEFBAADFOOD .
Nagraedit; tools; remove card lock; "
Do you have a modded loader ? Are you using Mili's blocker or a public one ?
roger2003
05-18-2005, 08:13 PM
it doesn't have a password, I removed the password immediately after I wrote the rom10 image to the card.
I tried slickvguy's cmd03 many times, but still get BD0 password all 0000000000.
I'm using Mili's blocker.
does anybody have the same problem?
thanks!
Cimba
05-18-2005, 09:22 PM
Found this elsewhere: Don't know anything about it though.
"If you have a ROM 10 with a screwed-up BD0, i.e -> 0000000, then d/l the attached file, load it in Nagra edit D2C section and run it.
OK seems like the file was not attached
Paste this in the D2C section and run it:
; Restore BD0 via CMD03 overflow, for provider 0001
; This script will reset the BD0 to the Nipper string:
; New BD0: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
rs ; Reset card and get ATR
tx 21 00 34 A0 CA 00 00 2E 03 2C 00 C5 10 6F 15 AE 10 D6 C0 A1 E7 AF 5A B9 B4 D7 81 7B 99 BC B0 70 95 47 4D 99 A0 24 3B 4D F7 27 77 CC 58 9E C6 0F D5 5C AC 71 51 E9 C9 ** ; Send overflow CMD03
dl 0100 ; Delay 256ms
rx ; Receive card response
cp .. .. .. 83 03 B1 01 01 90 00 .. ; Compare with this response
jf BadProvider ; If it doesn't match, wrong provider or damaged dataspace
tx 21 00 08 A0 CA 00 00 02 C0 00 06 ** ; Send CMDC0
dl 0100 ; Delay ~250ms
rx ; Receive card response
tx 21 82 00 ** ; Send followup command to execute payload
dl 0700 ; Delay ~1800ms
rx 0004 ; Receive first four bytes of response
rx ; Receive response we should receive if payload executed
cp .. .. .. 67 00 .. ; Compare with 67 00 response (sent by payload)
js Success ; If we got 67 00 response, code executed and BD0 is restored
mg BD0.NOT.RESTORED! ; Otherwise something went wrong
jp Done
:Success
mg !!!!!!........BD0.SUCCESSFULLY.RESTORED........!!!!!!
mg !!!!!!.....NEW.BD0...4E697050457220497320612062755474
jp Done
:BadProvider
mg !!..ERROR...WRONG.PROVIDER....(NOT.0001)!! "
Also found this: "This has happened to me and seems to be a very common thing. You can do a search and get lots of info. This method has worked for me twice now.
You will need a program called mromv6. Run that and let it do its thing...then go to nagraedit and try to read card. It should then prompt you to enter a BD0 password. You can find this password on your last saved BIN file at the Eeprom address C040 or you can go to NagraEdit-DataEditor-CodeSpace, and your Backdoor keys will be there. Don't bother asking for someone else's BD0 key, each card is different. There are also some other stuff you can send to your card via the D2C in Nagraedit that will tell you your backdoor key. But there is no need to go there unless you need to.
Hope this helps. This method has worked for me with ROM 10 and ROM 11 after writing blockers and getting locked out. It has nothing to do with the lock at C600. I think it is something that gets corrupted on a write to the card every once in a while with NagraEdit."
I.M.O.
If you are reading A23 then it is either streamlocked (depending on when it was last streamed) or has a blocker still on it. Sometimes the blocker will say blocker removed but it really was not; you can try clicking apply blocker then remove again over and over.
If you read it while the blocker was still on it can frig up the card, usually loop it, but you have an ATR so you're not looped yet. Did you try the Rom 10 unlocker that comes with Mili's Blocker package? (It runs in an ISO loader.)
Again, do you have a modded hu loader ?
easye
05-19-2005, 08:31 AM
here's what I stumbled across, hope it works for you :) first used XNCS1.8, loaded ghost (6901), then closed XNCS1.8, then opened nagraedit4.1, picked known card image to load, when asked for backdoor had 3 choices, chose last (bottom), did 1-step clean after load.
C000: xx xx xx xx xx xx xx xx xx 00 00 00 00 00 00 FF | ×áÀ:0ó€.'......ÿ
C010: FF FF FF FF FF FF FF FF FF FF FF FF 0A 01 F5 00 | ÿÿÿÿÿÿÿÿÿÿÿÿ..õ.
C020: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
C030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
C040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
C050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
C060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
C070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
C080: D0 00 52 65 76 41 32 33 00 ED 2E 82 1A A2 27 05 | Ð.RevA23.í.‚.¢'.
C090: 0D 0B 0D 38 79 1D 26 29 23 12 00 00 0F 54 54 68 | ...8y.&)#....TTh
C0A0: 58 00 52 69 70 50 45 72 20 49 73 20 61 20 62 75 | X.RipPEr Is a bu
C0B0: 54 74 20 6C 69 43 6B 65 52 21 45 71 F6 01 9A D8 | Tt liCkeR!Eqö.šØ
C0C0: 5D 86 02 03 00 00 00 2E 00 7F 7F
this is after everything I threw at it but finally got it :)
C000: xx xx xx xx xx xx xx xx xx 00 00 00 00 00 00 FF | ×áÀ:0ó€.'......ÿ
C010: FF FF FF FF FF FF FF FF FF FF FF FF 0A 01 F5 00 | ÿÿÿÿÿÿÿÿÿÿÿÿ..õ.
C020: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
C030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
C040: CB C6 69 DE D2 0F 40 52 7C CA FF 32 1F F4 F8 06 | ËÆiÞÒ.@R|Êÿ2.ôø.
C050: CB C6 69 DE D2 0F 40 52 7C CA FF 32 1F F4 F8 06 | ËÆiÞÒ.@R|Êÿ2.ôø.
C060: F3 AD 06 42 5D 15 43 9C A1 58 FE 67 B1 4F 99 B9 | ó..B].Cœ¡Xþg±O™¹
C070: FF F6 F3 A6 9B 8D 68 B8 C3 DF A4 EC 8F 1F FD 05 | ÿöó¦›.h¸Ãߤì..ý.
C080: D0 00 52 65 76 41 31 36 01 20 D6 C7 00 00 27 05 | Ð.RevA16. ÖÇ..'.
C090: 0D 0B 0D 38 79 1D 26 29 23 12 00 00 0F 54 54 68 | ...8y.&)#....TTh
C0A0: 06 20 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 | . NipPEr Is a bu
C0B0: 54 74 20 6C 69 43 6B 65 52 21 45 71 F6 01 9A D8 | Tt liCkeR!Eqö.šØ
C0C0: 5D 86 02 03 00 00 00 2E FF 7F 7F E3 00 FF FF FF | ]†......ÿ..ã.ÿÿÿ
hope it works for everybody else, I just was trying everything, had no card left, cannot get emulation to work for some reason so had to do something :rolleyes: