Just A Thought
hexcellence
08-05-2005, 06:55 AM
One needs to ask a question about blocking all the EMMs. What did Charlie do to stop the blocking on the N1 card, and what was the countermeasure?
Well, one way Charlie made sure you did not block all the EMMs was to do a key change, and thus the EMM cmd $42 was allowed to pass in blockers.
I have seen this discussed and I have also read the solution to this, and yes, that would work.
However, Charlie did not stop there; he also used the EMM cmd $64. This is the command that caused Location 00000001 to come up on your IRD, after which you had to reflash the TSOP.
What is cmd $64? This cmd is sent to the card and a status byte is set in the IRD; if the card does not process this cmd, it tells the IRD that something is wrong, the byte/flag is not cleared, and thus it causes the IRD to go to Location 00000001.
Does the N2 have this in it? I would tend to think it does.
And thus my conclusion is that it will not take Charlie too long to come up with a solution to this type of testing.
The cmd $64 was a great way to slow down the blockers on the N1. Remember, you could read the EMM, see exactly what it was doing, and modify your blocker to work again. On the N2 you would have no way of modifying the blocker, so all you could do was keep reflashing your TSOP and hope they take it out of the stream.
This is just a thought.
Hex
Littlebear151
08-05-2005, 09:56 PM
In my opinion, this type of testing may work in the short term, but it has no real future.
Without the ability to decrypt the stream on the fly, this will be short-lived once the N1 stream is deactivated.
I'm also not so sure you need to be operating at 50 MHz, but even if you do, I would think a simple chip change would make an AVR capable of executing the code necessary to do simple tier blocking. Of course, the flash would be needed.
The point is, for many of us this is not going to be worth messing with. If you are paying for a sub with a cardless receiver, you're going to need to activate a card, and that's not going to happen without the ability to write to the card.
So for now, it's a waiting game.
LB
hexcellence
08-06-2005, 05:46 AM
I have read that you can block N2 EMMs with the A2, and some have suggested that an AVR could be used.
I find these thoughts interesting.
So it leads me to search more and more into the motive behind the A2.
In doing that, I grasped the basic concept behind how it works.
1) Get all the tiers you want on the card through subscription.
2) Now use a blocker to block all EMMs so that the deactivation EMM does not hit the card.
3) Then use the global tier update with an ISO programmer to keep pushing the dates of the tiers up.
I would like to give credit to whoever came up with this idea. It is very doable and will work, but for how long?
With that being said, this method will not work on the cardless IRDs with the two mentioned methods, A2 and ATR.
I am wondering: is there a method that would work on the cardless IRDs as well as the card IRDs?
I already know the answer to this; I just want to see if some of those reading this can come up with the same answer.
Also, how do you plan on defeating the equivalent of EMM $64 on the N1 for the N2?
For this I have no answer other than finding some way to decrypt the EMM; if this is done, then it gets really easy from there.
Hex
shopright
08-06-2005, 06:00 AM
The way I see it, all boards that block, like AVR or Magic, are the same. In the past, like with HU, they kept going down but we were still running, and the reason for that was we never blocked anything; we increased the tiers that were important, and by putting the date a year in advance the card stayed up longer. Now if you take a better chip with more space you can make the tiers last longer. Dave hits us now all the time and we're paying every month. It's old tricks, but only the old coders have the skills to use it.
sdeens
08-07-2005, 01:17 AM
Another future and possible solution for those technically inclined would be to modify their older Charlie IRD firmware to block these same tier wipe EMMs/commands. With Dave the process was called NOZKT, which among other things prevented the INS42 tier wipe commands from being implemented on the H/HU cards. It proved to be the best and most stable hack in the entire history of Dave testing. Charlie testing needs to move in that same direction.
However, I envision such a hack ONLY working with the older legacy IRDs that possess the necessary, larger 2 MB TSOP, especially the 3800/3900 and 4900s. These IRDs were easily reflashed with "DUAL" firmware that mimicked/spoofed the older 2700/2800s, which had smaller, less robust firmware, 512 KB in size; thus one receiver with two different firmwares.
Thus, one could reflash their 3800s with "modified" 2700/2800 firmware and install a simple toggle switch on the proper address line that allows for "on the fly" switching between "normal" 2800 firmware (512 KB in size) and "modified" 2800 firmware: one toggle position allows EMMs to pass, the other blocks them.
If tier wipe commands can be blocked via this A2 blocker board for subscribed cards, then theoretically it can also be done through IRD firmware modification (without using the board), i.e. the no745 boards and NOZKT methods we all used for Dave. Why not Charlie as well?
And we can easily prevent Charlie from changing or erasing our "modified" firmwares by simply spoofing or changing the BUILD CONFIG of our IRD's serial EEPROM. I often used ZCEA for PVR501s to keep its firmware relatively old; I would update it only once a year. The letter "Z" prevented firmware updates to the 501s. It worked also on all of Charlie's IRDs.
It seems to me this hack theoretically can be implemented via firmware modification. The use of the model 3800/3900/4900 is the perfect "conduit" for such a technique because its TSOP is large enough to hold, as I mentioned, dual firmwares from the smaller and older models 2700/2800. Reverse engineering the A2 and understanding its relationship with IRD firmware will prove very interesting.
The use of the toggle switch will allow EMMs to be either permitted or blocked at the firmware level to the ROM 101/102/103 card.
The best man I knew for doing TIER WIPE blocking at the firmware level on Dave's receivers was BLACKNITE, who hung out over at ID. Unfortunately he is deep underground now :-(
If this hack is going to last, finding a way to incorporate it into the firmware will be a more practical solution for those who do NOT own an A2 card or do not want to risk the exposure of purchasing one. If it can be done via wafer board/A2 card, then the firmware mod is the NEXT logical step to its public implementation. This is how I always figured it would be released.
P.S.
In a Dave example: the TIER WIPE blocking method required literally ONLY one change to a certain byte value in the firmware of the popular Sony model B3 (someone at ID posted the necessary single byte change). The RCA420s were a bit more complicated; also, there were more versions of that NOZKT firmware on that model that were NEVER released publicly, that were far more robust and immune to more than just TIER WIPE blocking. But the point is the change in firmware is very subtle and not necessarily extensive.
Rampage
08-09-2005, 04:39 PM
also there were more versions of that NOZKT firmware on that model that were NEVER released publicly, that were far more robust and immune to more than just TIER WIPE blocking...
Yes...it took care of the blacklist also.
sdeens
08-10-2005, 12:20 AM
I wasn't going to mention that, but that is correct. But there is more to that story:
The better NOZKT ROMs on the model RCA420 did in fact allow one to use even a BLACKLISTED CAM ID and avoid the dreaded "call 745 nag" on their HU card. These ROMs were actually made public for a few days at ID and were pulled by their author about 2-3 days later because he was asked privately by some of the senior testers to "disavow" them. They were too good to be released publicly.
The prevailing theory was that since they were "too powerful", they might draw too much attention from Dave and endanger the NOZKT movement (which at the time was one of the few remaining stable hacks left for Dave, and which was used only by a small percentage of the community because of the complexity of its hardware implementation).
I actually remember reading the posts from their author saying they were not worth using anymore and that he had made some material programming flaws in their development that would make them more prone to CAM ID specific ECMs. But the real truth was they were better and more stable ROMs for the RCA420 and allowed one to even use blacklisted CAM IDs. This was just a smoke screen he posted to discourage their use, as he bowed to internal pressures from some of the membership who truly understood their power and importance to the NOZKT movement. It also served as the final straw that forced him to go seriously underground. The RCA435 (RID-based IRD) was his last official public contribution. I was taught privately where the NOZKT tests occurred in the firmware on that model, and I eventually posted the ROMs for the RCA435 along with a help guide for its proper JTAG method.
So the point is this: the reverse engineering of Charlie's firmware is where this hobby will need to go. The days of plastic ROM hacks are over. Emulation and firmware mods, along with daughterboard solutions, are definitely the only things that may offer some testing benefits in the future of N2.
If a blocker board (in other words an A2) can be developed to block certain EMMs (i.e. 04s) from passing through to the ROM101/102/103, then it is theoretically possible to implement similar code changes at the firmware level to perform a similar task.
Also, blocking the dreaded CMD64 (that triggers the Location ID 00000001 flag) would be a good idea, since A2 blocker boards will eventually be just as vulnerable to the CMD64 attack that Charlie so frequently used to attack the public blockers on many of the older N1 cards. The A2 board may protect the CAM, but it is unacceptable to assume that the TSOP is NOT at risk from CMD64.
When Charlie hits the A2s (and he will, of course), he will certainly use CMD64 as one of his first screening tools to aggravate the testing community, which is why I believe firmware modification with spoofed Build Configs will prove to be a more stable solution, forcing Charlie to modify his firmware more frequently and robustly.
Firmware inside these receivers is the key.
It was with Dave and also with Charlie, especially (since a ROM101/102/103 dump is not yet possible) if all we can ever hope to do is block tier wipe commands.