P/4-p/5 something is in the air
Littlebear151
08-31-2005, 10:19 PM
A lot of shit has been tossed around this week about a new hack for Dave
it has been coming from the right people.. I guess we will hear more if there is anything to it..
LB
tbelisle
08-31-2005, 10:22 PM
if you are referring to the Mili DTV thing, it ain't a hack, it is a workaround
rurso
08-31-2005, 11:39 PM
I also heard there is a P4 hack, we just have to wait to see if it goes public.
monkeyluv
09-01-2005, 12:15 AM
it's just going to 'coincidentally' happen at the same time as the dish hack will come out... guys have been sitting on it for a while, i mentioned it here months ago and got ostracized for it and actually had to recant what i said because i got in shit from the guy that told me, on this site. This is all about money and there wasn't a hack when dish was making people paper, so why worry about it, now that dish isn't completely open they release DTV again and make a killing.
M
telecaster
09-01-2005, 12:33 AM
Ohh how nice it would be !
Apeshit
09-01-2005, 10:12 PM
Can anyone elaborate more on this, or has it just turned out to be more BS? Man I would like to use my boat anchors and ice scrapers for something!
If there is anything for DTV it will be released now. I seriously doubt it, what is in the air is the stench from New Orleans' sewage.
mili
Littlebear151
09-01-2005, 11:50 PM
Mili,
I'm sure you are right about N. O. Sewage.. very sad.. plus no gas in my area..
All of the info that has been passed to me from my old buddies has been right on..
but this DTV thing was just a rumor.. but I agree if there is anything working for dave it should come out in the next few days.. I know you have very strong contacts in this area.. it's time to check with them again.. I know the guy that had the blocker board got popped.. but testing of the board proved that it did work..
but I've been hearing of a new hack.. but no one I know has got their hands on it yet so it may be more BS..
LB
monkeyluv
09-02-2005, 05:59 PM
come on, you guys are working the cards somehow, why do you need a specific card to do this 'subscription', how are you 'restreaming' after it goes 711? I'm not trying to stir the pot here or anything but it's obvious that there is something coming up from Mili's site here, not to mention magneto stating that there may be ppv subs in the future, but you're not allowed to plug your phone line in??? that my friend is a hack.
M
think about what you are saying.
they are not working on the cards. The bird is.......
shadow71
09-02-2005, 06:44 PM
lol
beartrack
09-02-2005, 06:56 PM
I think Mili has given us a little clue on what's to come. Take a look at the products Mili is selling now and the change in price for some things compared to a week or 2 ago. Bring it on Mili, the porn dogs are barking.
monkeyluv
09-02-2005, 07:32 PM
think about what you are saying.
they are not working on the cards. The bird is.......
WHAT???
Think about what they're saying, there is manipulation of the card by someone. If you can explain to me and break down how they're doing this subscription without programming the cards themselves then i'll admit i'm wrong...
M
Key word is "SUB" now if it is SUB to DTV then the bird activates it.
Unless I am misreading this then you do not actually send your card to Mili so if he is working on the card then I guess SJ, JT and the gang sneak in your house while you sleep and get your card.
That's what I mean about not working on the card.
I see no reverse engineering being done but then again wtf do I know.
I could be wrong
monkeyluv
09-02-2005, 07:48 PM
Sorry, i didn't mean physically working the card... i think that this has to be some kind of cloning as well, how can they just activate a card remotely, why does it have to be a certain card and so forth... I'm just saying that they've manipulated 'A' card and are cloning it somehow... and to steal your comment... then again what the hell do i know.
minotaur
09-02-2005, 07:52 PM
monkeyluv-
I think what they're getting at is that Mili is doing some kind of shared subscription, where a new IRD / CAM# is called into Dave, and he sends down the activation to the card in the stream...basically, what is being said is that Mili has some kind of insider at Dave, I guess...
But, like fubr, wtf do I know...
monkeyluv
09-02-2005, 07:57 PM
don't see shared sub working for god knows how many subs... and what happens when this gets pinched, all of them go down? and he's pushing 4 months and beyond, that would kill his rep if it went down tomorrow and i've been a member here for a long time and haven't seen him fuck up on thinking long term. It seriously looks as though there is an 'insider' that is loading these cards and the fact that they don't put PPV on it as well is due to the fact that it would set off too many red flags... who knows though, whatever's going on it's a step in the right direction
lol
EVEN the great Mili cannot control a satellite signal..(can you Mili?)
maybe the two jacks sneaking in my house explains my wife's new found love for romance.
:)
and explains the eye patch she tried to get me to wear,, ARRRRRR!!!!!!!
monkeyluv
09-02-2005, 08:14 PM
Who said anything about controlling sat signal, i'm trying to get a grasp on how he's offering this option with a guarantee that it won't go down, if you've got an idea then lets hear it.
Dave has guarantee, is the only one I have seen.
there is no way for you to grasp this. If you do not understand the "read between the lines smart ass cracks" I have already posted.
I am not trying to belittle you just saying you can't do this at home from this approach, This is not a hack a crack or a leak.
it is exactly what is advertised, A discounted sub.
A sub man A sub , nothing for you to understand.
hope that helps you understand ")
wish you were right though it would be nice
monkeyluv
09-02-2005, 08:52 PM
Excuse me? you don't need to read between the lines with your comments, they're quite apparent. There is something up here and it's quite obvious, construct the scenario that you've suggested in your mind and look at all the holes. Last post.
Thanks,
M
bobcat2001
09-02-2005, 09:01 PM
Be very very careful with this. DTV busted HUworks in Waterloo, ON, Canada and affiliated sites earlier this year and they were fined millions by the courts if I recall correctly. Pretty expensive sub if you ask me.
Now that N2 Hack is out (For FTA and DVB at the moment, more to come soon)... Why bother?
By the way, Canada Computers has a USB DVB for $109 CDN. Will this work for BEV/Dish??
Was thinking about buying one, and know very little about FTA or DVB.
Bobcat
urmama
09-03-2005, 10:38 PM
Unable to buy P4 cards in mili's store. Take it for what it's worth...
dRaNo
09-03-2005, 11:51 PM
I guess SJ, JT and the gang sneak in your house while you sleep and get your card.
LOL, that's where my beer's been disappearing to.
#40Fan
09-04-2005, 12:17 AM
Monkeyluv, there is no hack for the p4s. They are just being subbed.
Fubr, the eye patch got me rolling....
jojoroxx
09-04-2005, 07:13 PM
If there was a hack for p4/p5, it'd be out now. Why, because now is the most profitable time. Every freeware release for N2 makes a dave hack less profitable. Since I don't see my DTV working at this time, I highly doubt there's a hack to be released at this time.
troy_mccular
09-05-2005, 01:41 AM
Yea, strange i know but I'm starting to hear a P4 hack is ready and will be released soon.
fucknutts
09-05-2005, 02:08 AM
Xmas, everything ( P4, P5,N2 ) will be released as Freeware , just wait and see and if you don't believe me then you must not believe in Santa Claus either...and on christmas morning you will also wake up with a 14 inch dick , only problem is that it probably won't be connected to you...unless it's up your ass....LOl, HaHaHa or should I say HoHoHo..LOL
Matisse
09-05-2005, 04:21 AM
hey sucknutts.....stfu!...only a true fag imagines waking up on christmas morning with a 14" prick..this is a dss site...it's not right to promote your homosexuality fantasies here!..go to the ncn site......fags galore there..as the rumor goes...
hitman
09-05-2005, 05:32 AM
hmm, did this thread go off course or what? but i would wear the eye patch if you don't want to fubr.....lol
I hear ya hitman.
Monkey luv. all I am saying is they are not hacking a card, don't know how they do it but as I read the page seems they are subbing the card numbers, Who knows how but Mili and his guy be it magneto or someone else is not really my concern. To be hacking the card as you call it that way would really mean they are hacking the sat to send signal to the ird to activate the card.
J5063
09-05-2005, 06:04 AM
ANYBODY KNOW HOW TO DO THIS
NDS Command Structure 2 v0.5
Card Version 2.0
This information is for academic interest and educational purposes only. There is nothing in this
text that will enable decoding of NDS encryption. Illegal watching of encrypted TV is not condoned.
1. Introduction
2. Answer to Reset (ATR)
3. The Zero Knowledge Test (card verification)
4. The communication Protocol
5. The Entitlement Control Message (ECM)
6. The Entitlement Management Message (EMM)
7. The Instructions in detail
8. The signature
9. Codes
9.1 The Fuse Byte
9.2 The Rating Byte
9.3 The Parental Control Byte (PCB)
9.4 The Country Code.
9.5 The Regional code
9.6 The Bitmap algorithm
9.7 The keys
9.8 Structure of Date and Time
9.9 The Status Words
9.10 The Channel Entitlements (taken from Colibri Doc: http://colibri.move.to/)
1.Introduction:
The card is always asked by the ICAM to receive or send information.
The card never asks the ICAM to do anything! To do this the ICAM always sends
a 5 byte long command packet header to the card.
Standard 5 byte ISO-7816 header : "CLASS INSTRUCTION PARAM1 PARAM2 PARAM3"
With the introduction of the new card 2 new classes were introduced:
Class Meaning
D0/D1 Replaces 48 of the old card
D2 appends a 16 byte signature on the instruction reply
D3 Use an additional stream cipher to secure transmission between card and box
(NOT using internal HashCircuit)
(Class 48 is no longer supported and causes the card to rerun part of the initialisation
including the ATR output.)
PARAM1 and PARAM2 are used differently and are often ignored. PARAM3 is the length of
the packet to be sent or expected to be received. The card's first reply is the instruction
number which is a vital value for the ICAM. These instruction numbers are possibly contained
in a jumptable in the ICAM's source leading to a specific offset where processing continues.
2.The Answer To Reset (ATR):
Former ATR: 3F 7F 13 25 03 40 B0 0B 69 4C 4A 50 C0 00 00 53 59 00 00 00
New ATR : 3F 7F 13 25 03 33 B0 06 69 FF 4A 50 D0 00 00 53 59 00 00 00
3F TS - "3F" indicates inverse convention ("3B" would be direct convention)
7F T0 - "7" (0111...) indicates TA1,TB1,TC1 will be sent; "F" (...1111) indicates that
15 historical bytes will be sent.
13 TA1 \
25 TB1 - used for baudrate calculation
03 TC1 /
33 B0 06 69 - version Info. Has been "40 B0 0B 69"
FF - Has been ASIC reply. Now FF because it is no longer used due to multiple reasons
4A 50 C0 00 00 53 59 00 00 00 - the 15 historical bytes (system ID)
3. The Zero Knowledge Test (card verification)
These three Instructions are sent to verify that the card in the decoder is a true NDS card
Variables used:
r - 512 bit random number
n - 512 bit number which is the product of two large prime numbers; is constant; can be found
in the ROM of the card and in the IRD firmware
s - based on a complex function of n
3.1 generate a random number r
>D1 4A 10 01 01
<4A - acknowledgement
>01 - selects one of two seeds that is to be used for a random number r
<90 20 - OK (90 00 not OK)
3.2 send 96-bit hash of r² MOD n to IRD
>D1 5A 10 01 10
<5A - acknowledgement
<F2 64 20 49 81 D4 14 86 E2 9A FE CA 00 00 00 00 - 96bit hash of r² MOD n
<90 20 - OK (90 00 not OK)
3.3 send either r*s MOD n or r to IRD
3.3.1 IRD asks for r
>48 5A 10 02 40
<5A
<bd fa d2 2d ef 2b 63 fa c7 b2 68 82 9c 5d 13 31
<33 f5 99 a1 63 cb aa cf 41 c9 b0 78 d4 c4 42 f1
<1f d8 93 b9 bb 3b 6f 6f 62 2f c7 2f 06 d3 c4 1d
<48 84 d7 b2 c1 64 6e 7c 05 56 f1 29 61 bc c7 00
<90 20 - OK (90 00 not OK)
3.3.2 IRD asks for r*s mod n
>48 5A 11 02 40
<5A
<71 94 69 64 7F 84 B2 EA 1D E2 16 E9 AE 79 F2 49
<CC 64 42 FE 36 52 44 90 FA C5 E9 C9 72 66 71 25
<6E 6A 82 D9 B5 7B 1C EE 21 1C 55 0B BF DE 51 B4
<A0 F0 98 BD 19 E8 AD 9C C0 61 E2 B1 DA 39 02 00
<90 20 - OK (90 00 not OK)
4.The communication Protocol:
4.1 Instruction Overview
Instruction Meaning
02 BSkyB identifier "SYAV" and ROM version 02.00
04 receives one byte and writes it to 8022h
06 sends the byte at 8022h
0E sends one byte (09) - unknown
12 sends encrypted chip information
1E sends 9 bytes - unknown
28
2A sends detailed card information (mostly from EEPROM)
40 makes it possible to process commands
42
4C
4.2 Command Overview
The values in brackets indicate the fixed length byte for this command. The remaining
commands have all a variable length.
Red - commands are processed in realtime (no matter if signature is correct or not)
Fuchsia - commands are buffered and executed via the deferred command buffer only if the
signature is correct
Lime - command is processed in real time but don't change anything. Only important for ASIC.
Blue -
Teal -
Black - handled separately
Basic command set:
00 [00] - No Operation
01 [04] - Sets Date/Time
02 [01] - Sets rating byte, marks message as ECM
03 [03] - checks channel entitlements
04 [00] - set bit 2Ah.0
05 [00] - clear bit 2Ah.0
06 [0B] - compares Postal code, opens card filter if they match
07 LE - set bit 2Ch.6
08 LE - Bogus!
09 [03] - initialise ASIC with specified key, flushes the command buffer
(nanos which need no signature stay)
0A [05] - Bogus!
0B LE - write 14 bytes to 9E36h
0C [00] -
0D [00] - Bogus!
0E [00] - Bogus!
0F [04] - Bogus!
10 [02] - Bogus!
11 [04] - Bogus!
12 [12] - set Blackout bits
13 [02] - Bogus!
14 [01] - clear Blackout bits
15 LE - Bogus!
16 [07] - Bogus!
17 LE - Bogus!
18 [03] -
19 [01] - stores the Time Zone in EEPROM (9CC9h)
1A [04] - Bogus!
1B [03] - Bogus!
1C [00] - Bogus!
1D LE - stores the Zip Code in EEPROM (9CA8h)
1E [08] - set the PostCode
1F LE -
20 [00] - Bogus!
21 [00] - Bogus!
22 [00] - Bogus!
23 [00] - Bogus!
24 [00] - Close Filter
25 [00] - Flip filter, from open to closed or vice versa
26 [01] -
27 [0D] - Card Swap! (write cardswap key to 9FF5h/Date stamp to 9CA0h/update fuse)
28 [07] - Bogus!
29 [08] - something to do with PPV (add entry to purchase list?)
2A [01] - Bogus!
2B [02] - UnSwap card! (write cardswap send key to 9FF5h/Date stamp to 9CA0h/update fuse)
2C [04] - Bogus!
2D [04] - sets Activation Date/Time
2E [08] - Bogus!
2F LE - Bogus!
30 [00] -
31 [03] - checks Serial Number
32 [03] - checks Shared Address (whole card group)
33 LE - checks Shared Address, processes bitmap
34 LE - Bogus!
35 [00] - Bogus!
36 [00] - Bogus!
37 LE - Bogus!
38 [00] - checks Postal Code
39 [00] - Bogus!
3A [00] - Bogus!
3B LE - Bogus!
3C LE - Bogus!
3D [02] - activates card and write PPV spending limit
3E [00] - deactivate card
3F [02] - Bogus!
40 [00] -
41 [05] - add/update channel entitlements (tier)
42 [02] - drop channel entitlement (tier)
43 [02] - Bogus!
44 [04] -
45 [05] - Bogus!
46 LE - Bogus!
47 [01] - Bogus!
48 [00] -
49 [02] - Bogus!
4A [05] - Bogus!
4B [04] - Bogus!
4C LE - Bogus!
4D [00] - sets some data, PPV related, both in PPV ECM and EMM
4E [04] - writes four bytes
4F [14] - Bogus!
50 LE - Bogus!
51 LE - Bogus!
52 LE - Bogus!
53 LE -
54 LE - same as cmd53
55 LE - Bogus!
56 LE - Bogus!
57 LE -
58 [00] -
59 LE -
5A LE - Bogus!
5B LE -
5C LE - Bogus!
5D LE -
5E LE - Bogus!
5F LE -
60 LE - Bogus!
61 LE - Bogus!
62 LE - Bogus!
63 LE - Bogus!
64 LE - Bogus!
65 LE - Bogus!
66 LE - Bogus!
67 LE - contains signature to authorise packet
68 LE -
69 LE - Bogus!
6A LE - Bogus!
6B LE - Bogus!
6C LE - Bogus!
6D LE - sets some data, unknown, values can be read with INS78
6E LE - same as cmd6D
6F LE - Bogus!
70 LE - Bogus!
71 LE - Bogus!
72 LE - sets some data, unknown
73 LE -
74 LE -
75 LE - writes some data including Local Region Code. Values can be read with INS58
76 LE - Bogus!
77 LE - Bogus!
Extended command set:
7E LE - sets signature and key adjustment bytes
7F LE - sets signature and key adjustment bytes (bridges gap between 1.X and 2.0 cards)
CB 02 - sets two bytes, unknown
4.3. Card initialisation:
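The ATR breakdown in section 2 of the pasted document can be checked against ISO/IEC 7816-3 with a small decoder. This is an added example, not part of the original post or the pasted document; the function names `parse_atr` and `changed_historical` are hypothetical, and the extra ATR in the self-check is a constructed sample used only to exercise the TD/TCK path.

```python
# Added example: ISO/IEC 7816-3 ATR decoder run over the two ATRs quoted in the post.

# Fi (clock rate conversion) and Di (baud rate adjustment) tables from ISO/IEC 7816-3.
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

# ATR strings copied from section 2 of the pasted document.
FORMER_ATR = "3F 7F 13 25 03 40 B0 0B 69 4C 4A 50 C0 00 00 53 59 00 00 00"
NEW_ATR = "3F 7F 13 25 03 33 B0 06 69 FF 4A 50 D0 00 00 53 59 00 00 00"


def parse_atr(hex_string):
    """Split an ATR into convention, interface bytes, historical bytes and TCK."""
    data = bytes.fromhex(hex_string)
    if len(data) < 2:
        raise ValueError("ATR needs at least TS and T0")
    ts, t0 = data[0], data[1]
    if ts not in (0x3B, 0x3F):
        raise ValueError(f"unexpected TS byte {ts:02X}")
    interface, protocols = {}, set()
    pos, index, presence = 2, 1, t0 >> 4

    def take(label):
        """Consume one byte, failing cleanly on a truncated ATR."""
        nonlocal pos
        if pos >= len(data):
            raise ValueError(f"ATR truncated before {label}")
        value = data[pos]
        pos += 1
        return value

    # The high nibble of T0 (and of each TDi) says which of TA/TB/TC/TD follow.
    while True:
        for bit, name in ((0x1, "TA"), (0x2, "TB"), (0x4, "TC")):
            if presence & bit:
                interface[f"{name}{index}"] = take(f"{name}{index}")
        if not presence & 0x8:
            break
        td = take(f"TD{index}")
        interface[f"TD{index}"] = td
        protocols.add(td & 0x0F)      # low nibble of TDi names a protocol T
        presence = td >> 4
        index += 1

    # The low nibble of T0 is the number of historical bytes.
    hist_len = t0 & 0x0F
    historical = data[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ValueError("ATR truncated inside the historical bytes")
    pos += hist_len

    # TCK is present only when a protocol other than T=0 is offered;
    # the XOR of every byte from T0 to TCK must then be zero.
    if any(p != 0 for p in protocols):
        take("TCK")
        checksum = 0
        for byte in data[1:pos]:
            checksum ^= byte
        if checksum != 0:
            raise ValueError("TCK check failed")
    if pos != len(data):
        raise ValueError("unexpected bytes after the ATR")

    ta1 = interface.get("TA1", 0x11)  # default when TA1 is absent: Fi=372, Di=1
    return {
        "convention": "inverse" if ts == 0x3F else "direct",
        "interface": interface,
        "protocols": sorted(protocols) or [0],   # no TD1 means T=0 only
        "historical": historical,
        "fi": FI.get(ta1 >> 4),                  # None marks a reserved value
        "di": DI.get(ta1 & 0x0F),
        "extra_guard_time": interface.get("TC1", 0),
    }


def changed_historical(old_hex, new_hex):
    """List (index, old, new) for historical bytes that differ between two ATRs."""
    old = parse_atr(old_hex)["historical"]
    new = parse_atr(new_hex)["historical"]
    return [(i, a, b) for i, (a, b) in enumerate(zip(old, new)) if a != b]


if __name__ == "__main__":
    for label, atr in (("former", FORMER_ATR), ("new", NEW_ATR)):
        info = parse_atr(atr)
        print(label, info["convention"], "T=%s" % info["protocols"],
              "Fi/Di=%s/%s" % (info["fi"], info["di"]),
              "historical=" + info["historical"].hex(" ").upper())
    for index, old, new in changed_historical(FORMER_ATR, NEW_ATR):
        print(f"historical byte {index}: {old:02X} -> {new:02X}")
```
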
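The card verification exchange in section 3 of the pasted document (commit to a hash of r² MOD n, then answer with either r or r*s MOD n) has the shape of a Fiat-Shamir identification round. This is an added example showing both sides of one round, not code from the original post or from any real card. It assumes a public value v = s² mod n, uses truncated SHA-256 as a stand-in for the unspecified 96-bit hash, and uses a toy 92-bit modulus instead of the 512-bit n; the names `Card`, `Impostor`, `verify` and `identify` are hypothetical.

```python
# Added example: one Fiat-Shamir style identification round using the post's r, n, s.
import hashlib
import math
import secrets

# Toy modulus from two Mersenne primes (about 92 bits); the document describes a 512-bit n.
N = (2**31 - 1) * (2**61 - 1)


def hash96(x, n):
    """Stand-in 96-bit hash (truncated SHA-256); the real hash is not given in the post."""
    width = (n.bit_length() + 7) // 8
    return hashlib.sha256(x.to_bytes(width, "big")).digest()[:12]


def make_keypair(n):
    """Return secret s and public v = s^2 mod n (assumed relation, classic Fiat-Shamir)."""
    while True:
        s = secrets.randbelow(n - 2) + 2
        if math.gcd(s, n) == 1:          # v must be invertible mod n
            return s, s * s % n


class Card:
    """Prover that knows the secret s."""

    def __init__(self, n, s):
        self.n, self.s, self.r = n, s, None

    def commit(self):
        # Step 3.1/3.2: draw a fresh r and send the hash of r^2 mod n.
        self.r = secrets.randbelow(self.n - 2) + 2
        return hash96(self.r * self.r % self.n, self.n)

    def respond(self, challenge):
        # Step 3.3: answer with r (challenge 0) or r*s mod n (challenge 1).
        if self.r is None:
            raise RuntimeError("commit() must be called before each respond()")
        r, self.r = self.r, None         # one answer per commitment
        return r if challenge == 0 else r * self.s % self.n


class Impostor(Card):
    """Prover without s: whatever it is asked, it can only return r."""

    def __init__(self, n):
        super().__init__(n, s=None)

    def respond(self, challenge):
        if self.r is None:
            raise RuntimeError("commit() must be called before each respond()")
        r, self.r = self.r, None
        return r


def verify(n, v, commitment, challenge, response):
    """Verifier side: recompute r^2 mod n from the response and compare hashes."""
    x = response * response % n
    if challenge == 1:
        # (r*s)^2 * v^-1 = r^2 mod n when v = s^2 mod n.
        x = x * pow(v, -1, n) % n
    return hash96(x, n) == commitment


def run_round(prover, n, v, challenge=None):
    """Commit first, challenge second: the prover cannot adapt r to the question."""
    commitment = prover.commit()
    if challenge is None:
        challenge = secrets.randbelow(2)
    return verify(n, v, commitment, challenge, prover.respond(challenge))


def identify(prover, n, v, rounds=20):
    """A prover without s passes each round with probability 1/2, so rounds are repeated."""
    return all(run_round(prover, n, v) for _ in range(rounds))


if __name__ == "__main__":
    s, v = make_keypair(N)
    print("genuine card accepted:", identify(Card(N, s), N, v))
    print("impostor accepted:", identify(Impostor(N), N, v))
```
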
J5063
09-05-2005, 06:06 AM
The following Instructions are issued by the box during initialisation:
1. Ins48
2. Ins4C
????
D1 48 00 00 36
D1 4C 00 00 09
D1 40 40 80 4A
D1 42 00 00 16
D1 5C 00 00 04
3. The IRD then asks to send 09 bytes with 48 4C 00 00 09
>D1 4C 00 00 09
<4C card acknowledges Instruction
>IN IN IN IN IRD Serial Number
>02 00 00 D8 02 unknown
<90 20 correctly married
If the card belongs to this box it replies 90 20 (OK).
If the card does not belong to this box it replies 90 00 (Not OK).
If the card has the fuse byte set but is previously unmarried, this command writes
the IRD number to the card, thereby completing the marriage (sw1/2 = 90 a1).
If the card is deactivated and this command arrives the IRD Serial Number is
written to the card's EEPROM too (sw1/2 = 90 20).
If the IRD number is set to 00 00 00 00 it will be accepted by any box. eg an engineer's card.
The card must receive the correct IRD number before it will give valid responses to ECMs and EMMs.
4. The card is then asked for 09 bytes with 48 2C 00 00 09.
>48 2C 00 00 09
<2C card acknowledges Instruction
<00 00 convert to HEX and add then 8000h - this is your PIN
<XX XX 00 00 on active card: FF FF 00 00, on deactivated card: 00 00 00 00
<00 Parental Control Byte (PCB) - see below
<00 00 unknown
<90 20 sw1/sw2
We can change the PIN using command 48 2e 80 00 09.
5. Next we have an often repeated cmd 48 5C 00 00 04. It's a bogus instruction.
Nothing is done although the box knows the card is still present and working.
>48 5C 00 00 04
<5C card acknowledges Instruction
<00 00 00 00 always zero
<90 20
The command flushes a buffer containing the 7E nano. So don't issue INS5C if you
haven't already asked for the key (issued INS54) after sending an ECM to the card.
You would get a totally wrong key.
5. The Entitlement Control
5.1. The Entitlement Control Message (ECM)
The following is a sample ECM packet logged with a DVBs.
You'll see that only the last part is actually passed on to the smartcard.
The first part is processed by the Box.
81 70 5C 00 00 01 0E 4D 1D 69 78 FF FF 19 25 01 20 01 00 00 B8 49 7E 12 00 00 00 00 00 00 00 00
E0 17 EA C7 14 8E 45 23 00 00 7F 12 E0 C0 32 4E 1A F8 5F 1A D6 78 DF F0 92 F1 BE 56 DD F7 09 10
10 00 01 4D 1D 69 78 CB 02 FF FF 02 00 03 00 10 00 03 B8 69 00 67 08 5D E7 B2 D3 82 0B 2F 70
Processed ONLY by the Box:
81 70 - packet separator, first byte alternates between 80 and 81 indicating even
and odd CW
5C - length of the whole packet
00 00 01 - always the same
0E - Header length
4D 1D 69 78 - Date and Time
FF FF - different on BOX office but usually FF FF
19 25 - 9th and 10th byte of key returned by INS54
01 - either 01 or 11 indicating plain CW or encrypted CW is returned by card
20 01 00 00 - always the same
B8 - Checksum (00+00+01+0E+4D+1D+69+78+FF+FF+19+25+01+20+01+00+00=...B8)
49 - length of the packet sent to the SmartCard
Processed ONLY by the SmartCard:
>D1 40 00 00 41 generated instruction header from the ICAM
<40
>00 - dummy sent by the ICAM too
>7E 12 00 00 00 00 00 00 00 00 E0 17 EA C7 14 8E 45 23 00 00 - signature and key adjustment
>7F 12 E0 C0 32 4E 1A F8 5F 1A D6 78 DF F0 92 F1 BE 56 DD F7 - signature and key adjustment
(bridge gap between 1.X and 2.0 cards)
>09 10 10 00 - set key
>01 4D 1D 69 78 - current Date and Time
>CB 02 FF FF - sets two bytes
>02 00 - current rating byte for the film
>03 00 10 00 - Check for Channel "00 10" entitlement entry
>03 B8 69 00 - Check for Channel "B8 69" entitlement entry
>67 08 5D E7 B2 D3 82 0B 2F 70 - signature
<90 00 - sw1/sw2
5.2 Generation and output of the key (which includes the CW)
>D3 54 00 00 3C
<54 - Box acknowledges instruction
<XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX \
<XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX - encrypted data
<XX XX XX XX XX XX XX XX XX XX XX XX XX /
<XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX encrypted signature
<90 20 - Sw1/Sw2
6. The Entitlement Management Message (EMM)
9. The interesting EMMs 48_42. These are variable length 16h, 22h, 30h, 31h, 35h or 3Eh etc.
They can be addressed to all cards using public key 10 (sometimes using a post-code filter),
a group of cards (using shared address/CUSTWP bitmap and group key 12), or to a single card
using private key 14 and unique address.
EMM length 16h This seems to be used for setting the date and time.
>09 10 00 00 initialise ASIC with selected 10 (public key - all cards)
>01 36 15 91 1d Set date and time
>10 cc 33 10 nano and two data bytes that increment on each successive EMM
>67_08 Signature nano
>d8 2f 9a 8e 40 0b 3e 6a Digital signature (not necessary for the included nanos)
<90 20
EMM length 30h
>09_10 00 00 initialise ASIC with selected 10 (public key - all cards)
>24 Flag, Close Filter
>38_09 postal code address nano
>06 Opens card filter if this is the post code.....
>48 52 33 20 20 35 51 41 "HR3 5QA" postal code
>6d_09 nano and length
>01 08 00 73 17 92 9f ff ff data - always the same?? This is found in the 48_78 string.
>6d_09 nano
>02 03 45 57 60 00 ff ff ff data - always the same??
>67_08 signature nano
>60 7f c9 6b dd f4 8c e6 signature
EMM length 31h. This EMM sets the Time Zone and Region Code
>09 10 00 00 initialise ASIC with selected 10 (public key - all cards)
>24 Flag, Close Filter
>38_09 postal code address nano
>06 Opens card filter if this is the post code.....
>4c 4e 32 20 20 34 50 5a "LN2 4PZ"
>19 00 Set time zone to 00 (GMT)
>75_13 Nano and length
>00 47 42 52 XX 00 00 00 00 00 00 00 00 00 00 00 00 00 00 GBR Region byte
>67_08
>59 16 84 78 a0 d5 ef 8a sig
EMM length 35h
>09 10 00 00 initialise ASIC with selected 10 (public key - all cards)
>24 Flag, Close Filter
>38 09 postal code address nano
>06 opens card filter if this is the post code.....
>4c 53 31 37 20 38 42 51 "LS17 8BQ"
>6e_07 6e_07 Nano
>06 01 01 01 01 20 08 data, unknown
>6e_07 6e_07 Nano
>07 01 01 01 01 8f 00 data, unknown
>6e_07 6e_07 Nano
>08 01 01 01 01 20 00 data, unknown
>67_08 signature nano
>7a ee 04 4c 88 66 db 0a signature
EMM length 3Eh
>09 10 00 00 initialise ASIC with selected 10 (public key - all cards)
>24 Flag, Close Filter
>38 09 postal code address nano
>06 Opens card filter if this is the post code.....
>47 4c 37 20 20 33 53 44 "GL7 3SD"
>6e_07 6e_07 Nano
>01 01 01 01 01 8f 00 data, unknown
>6e_07 6e_07 Nano
>02 01 01 01 01 8f 00 data, unknown
>6e_07 6e_07 Nano
>03 01 01 01 01 8f 00 data, unknown
>6e_07 6e_07 Nano
>05 01 01 01 01 8f 00 data, unknown
>67_08 signature nano
>e1 29 d2 77 3c 0d f3 11 signature
-----------
The following seem to be the activation EMMs. Usually addressed to a Shared Address/CUSTWP bitmap.
These occur about every ten minutes. The channel entitlements seem to be activated one at a time.
This explains why when a card is activated the channels do not all get switched on at the same time.
EMM addressed to SA/CUSTWP bitmap Expired Card
>48 42 00 00 3c
<42 card acknowledges Instruction
>09 12 00 00 initialise ASIC with non-public (group) key 12
>33 33 nano
>00 SN SN 1st three bytes of SN (Shared Address)
>00 02 00 00 00 00 00 00 00 00 0c 00 00 00 02 80
>10 00 00 00 02 00 00 00 00 00 00 02 00 00 80 20 CUSTWP bitmap
>41 b7 21 38 06 C0 Channel Entitlement update and expiry date
>25 Flip filter cmd from open to closed or vice versa
>42 b7 21 Delete Channel Entitlement
>67_08 signature nano
>97 d2 a5 bd df 5f e7 eb signature
<90 80 Not OK.
EMM addressed to SA/CUSTWP bitmap Valid Card
>48 42 00 00 3c
<42 card acknowledges Instruction
>09 12 00 00 initialise ASIC with non-public (group) key 12
>33 33 nano
>00 SN SN 1st three bytes of SN
>00 00 22 00 00 06 02 30 84 40 02 00 00 00 10 00
>00 40 00 40 00 00 04 20 40 00 10 00 00 00 20 00 CUSTWP bitmap
>41 b7 77 38 0f C0 Channel Entitlement update and expiry date
>25 Flip filter cmd from open to closed or vice versa
>42 b7 77 Delete Channel Entitlement
>67_08
>1a 56 57 00 de 40 64 74
<90 a0 Not OK. Not in valid bitmap.
Same Card ten minutes later:
>48 42 00 00 3c
<42 card acknowledges Instruction
>09 12 00 00 initialise ASIC with non-public (group) key 12
>33 33 nano
>00 SN SN 1st three bytes of SN (Shared Address)
>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 CUSTWP bitmap (Only one card addressed)
>41 b8 2d 38 09 C0 Another Channel Entitlement update and expiry date
>25 Flip filter cmd from open to closed or vice versa
>42 b8 2d Delete Channel Entitlement
>67_08 signature nano
>ae d2 35 47 a7 46 66 f0 signature
<90 a0 Not OK. Is not to be written to the card as not entitled.
A successful entitlement update:
>48 42 00 00 3c
<42 card acknowledges Instruction
>09 12 00 00 initialise ASIC with non-public (group) key 12
>33 33 nano
>00 SN SN 1st three bytes of SN (Shared Address)
>ff 7e 1f ec d8 3c 29 b9 c9 ab e9 a2 fc 58 cf 6d
>9d fd 1e 9c 2b ed 73 e4 e2 f6 34 cb 36 1f 7e 39 CUSTWP bitmap
>41 00 1d 38 1b C0 BBC channel entitlement ID
>25 Flip filter cmd from open to closed or vice versa
>42 00 1d Delete Channel Entitlement
>67_08 signature nano
>e4 5c eb c7 64 2c 97 31 signature
<90 21 OK. Accepted
Another type of group update addresses the card by its shared address but uses the 32 nano
without a CUSTWP bitmap. This is another way of updating a whole group of cards.
>48 42 00 00 15
<42
>09 12 00 00 Initialise ASIC with non-public (group) key 12
>32 Open filter for whole card group
>SN SN SN SN of card group
>42 b7 82 Delete Channel Entitlement
>67 08
>30 51 8c a7 eb 0a 32 c8
>90 a0 Not OK. Update not needed as Channel Entitlement did not exist?
The PPV EMMs seem to use INS46
>48 46 20 01 3E
<46 card acknowledges Instruction
>1f 08 unknown
>09 10 00 00 initialise ASIC with selected 10 (public key - all cards)
>01 39 04 0c 70 Set date and time
>02 52 rating byte
>38_03 08 00 cc nano and data (length can also be 05 or 07)
>25 Flip filter cmd from open to closed or vice versa
>04 Flag, unknown
>4d_0e 1e 00 39 10 00 65 06 00 00 a3 e3 00 d9 e4 unknown, same as in PPV ECM
>4d_0e 1e 00 39 10 00 65 06 00 01 45 e3 01 b1 e4 unknown, same as in PPV ECM
>67_08 signature nano
>f1 54 d4 97 66 c3 7b 37 signature
<90 a0 Not OK
=============================================================================================
12. Occasionally we get a 48 5e 00 0b 01. Reads one status byte from card.
48 5e 00 0b 01
5e card acknowledges Instruction
03 03=valid?, 00=invalid?
90 20 sw1/sw2
[See also additional INS 48 5e 00 0e 62]
This cmd always seems to be followed by the next one:-
13. Another occasional cmd. 48_78. This seems to follow the 48_5e. Are they related?
48 78 03 00 14
78 card acknowledges Instruction
08 00 73 17 92 9F FF FF 01 08 00 73 17 92 9F FF FF 01 8F 00 pink string was written with
the 6D_09 nano
90 20 OK
48 78 08 00 14
78 card acknowledges Instruction
08 00 73 17 92 9F FF FF 01 08 00 73 17 92 9F FF FF 01 20 00 pink string was written with the
6D_09 nano
90 20 OK
=============================================================================================
The Switch-On Commands
This is a log of the activation of a BBC card. They use the private key 14 and address the card
by its unique address using nano 31.
These commands follow the activation EMMs for the card's postcode area. This is why you have to
wait for the commands to be sent. Three of the EMMs are repeated a number of times, at about
20 minute intervals, over a period (24 hours?).
This is the first activation command:
>48 42 00 00 16
<42 card acknowledges Instruction
>09 14 00 00 initialise ASIC with private key 14
>31 checks Serial Number nano
>00 SN SN SN Serial Number
>3D 03 ec sets PPV spending limit and activates card (fuse byte now 05)
>67_08 signature nano
>01 02 03 04 05 06 07 08 signature
<91 81 successfully written
The greater the values set with the 3D the greater the fuse value?
The IRD then sends this request:
>48 58 00 00 35
<58 card acknowledges Instruction
>05 Fuse byte
>01 09 60 always the same
>SN SN SN SN card SN (unique address)
>ff ff ff ff unknown
>SN SN SN three bytes of card number (shared address)
>00 ff ff ff 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 unknown
>00 00 00 00 will be written with the 4e nano on activation (still zero)
>47 42 52 "GBR" on British cards only
>00 01 00 00 0X 0X 00 00 00 00 unknown
<91 80 OK
Note the sw1/2 has changed from 90 00 on a virgin card to 91 80 now that the fuse byte has been
set and the region code is intact.
Next comes the IRD number.
>48 4C 00 00 09
<4C card acknowledges Instruction
>IN IN IN IN IRD Serial Number
>02 00 00 58 02 unknown
<90 A1 IRD number saved successfully/correctly married
It would seem that when the fuse byte has been set, the first time the card receives this IRD
number test command, the IRD number is written to the card. The sw1/2 is 90 a1.
Next, request the PIN and Parental control rating byte (3F).
>48 2c 00 00 09
<2C card acknowledges Instruction
<84 d2 convert to HEX and add then 8000h - this is your PIN
<FF FF 00 00 on deactivated card: 00 00 00 00
<3F Parental Control Byte (3F - unrestricted)
<00 00 unknown
<90 a0 sw1/sw2
Request region code. Note at this stage the specific region byte is still zero.
>48 1C 00 00 20
<1C card acknowledges Instruction
<47 42 52 "GBR" on British cards.
<00 Region code is still not set!
<00 00 00 00 00 00 00 00 00 00 00 00 00 00 unknown
<00 00 00 00 00 00 00 00 00 00 00 00 01 00 will be written with the 75 0F nano on initial
activation, zero on virgin cards
<90 20 OK
The next command seems to have six functions:
>48 42 00 00 32
<42 card acknowledges Instruction
>09 14 00 00 initialise ASIC with private key 14
>31 checks Serial Number nano
>SN SN SN SN Serial Number
>3d 03 EC sets PPV spending limit and activates card (fuse byte now 05)
>2d 3A xx xx xx Set activation date and time
>1e PC PC PC PC PC PC PC PC Set the PostCode
>4e 00 6c 4d 58 writes the four bytes " IMX" to before the region code in the
48_58 string (can vary)
>2b 03 EB writes "03 eb" to the 48_36 string. Some form of counter?
>41 B7 65 3A 1F c0 Add channel entitlement b7 65 (expiry date 3A 1F)
>67 08 signature nano
>01 02 03 04 05 06 07 08 example signature
<91 a1 Write cmd accepted
Add channel entitlements 00 1d, b7 66, b7 72 and b7 73 using 41 nano:
>48 42 00 00 2f
<42 card replies command for ICAM
>09 14 00 00 initialise ASIC with private key 14
>31 checks Serial Number nano
>SN SN SN SN Serial Number
>41 00 1d 3A 1F C0 Add channel entitlement 00 1D (expiry date 3A 1F)
>41 b7 66 3A 1F C0 Add channel entitlement B7 66 (expiry date 3A 1F)
>41 b7 72 3A 1F C0 Add channel entitlement B7 72 (expiry date 3A 1F)
>41 b7 73 3A 1F C0 Add channel entitlement B7 73 (expiry date 3A 1F)
>72_02 00 01 unknown purpose
>67_08 signature nano
>01 02 03 04 05 06 07 08 example signature
<91 A1 Write cmd accepted
Next EMM:
48 42 00 00 24
<42 card replies command for ICAM
>09 14 00 00 initialise ASIC with private key 14
>31 checks Serial Number nano
>SN SN SN SN Serial Number
75 0F 75_0F nano
12 01 06 02 00 00 00 00 00 00 00 08 00 03 0D is being written to the Region code string
>67_08 signature nano
>01 02 03 04 05 06 07 08 example signature
<91 A1 Write cmd accepted
IRD requests again:
>48 58 00 00 35
<58 card replies command for ICAM
<05 fuse byte
<01 09 60 always the same
<SN SN SN SN card SN (unique address)
<FF FF FF FF unknown
<SN SN SN three bytes of card number (shared address)
<00 FF FF FF 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 unknown
<00 6c 4d 58 was written with the 4e nano on activation
<47 42 52 "GBR" on British cards only
<00 01 00 00 03 0D 00 00 00 00 unknown
<91 A0 sw1/sw2
The sw1/2
I hear ya hitman.
Monkey luv. all I am saying is they are not hacking a card, don't know how they do it but as I read the page seems they are subbing the card numbers, Who knows how but Mili and his guy be it magneto or someone else is not really my concern. To be hacking the card as you call it that way would really mean they are hacking the sat to send signal to the ird to activate the card.
I may be wrong but as I understand it you are sharing a sub with someone else, and as for the PPV you can use up just that dollar amount on that sub. What I think Mili is saying is that he is in great hopes of a PPV wipe when he says that PPV may be very near
drphibes
09-05-2005, 09:40 AM
J5, that's the old European system, similar to HU, definitely not P4/D1 since all of the packets are encrypted now.
Faust
09-05-2005, 02:00 PM
Some mods/admins on DSS forum are claiming to have received a wide open P5 and an "activated" P4. They also claim to have been the first with the news of a N2 clone hack back in FEB.
fucknutts
09-05-2005, 03:42 PM
hey sucknutts.....stfu!...only a true fag imagines waking up on christmas morning with a 14" prick..this is a dss site...it's not right to promote your homosexuality fantasies here!..go to the ncn site......fags galore there..as the rumor goes...Hey Matisse ( manly name? ) I was referring to you pal...eh?
J5063
09-05-2005, 05:58 PM
? then why does the program read and write to the card's P4 and P5 both
? why can't someone who knows the commands make the files we need for it
? there are a lot of big brains in here and I think some of them can get this going for all of us to use
I downloaded this program about a year ago and it did not work. About 7 months ago my hard drive went bad. I loaded up a new hard drive, and when I opened up this program it was and is working now. I tried some of the commands in the readme and they are working, but I don't know what they mean, so I stopped because it's writing things to the card and I don't know what I am doing. So can someone please take a look at this program using an ISO [and one of the no-adware or spyware programs keeps it from working right somehow]? But it's working right now real good, but I forgot what all I need to do to make the card do what needs to be done, it's been so long ago. See what you can do with this. Thank you.
drphibes
09-05-2005, 07:06 PM
J5, you are a lying scum!
shopright
09-05-2005, 09:37 PM
It's all been done and only the elite share it, and if it gets out they lose their password. All files are on a private server from what I have read.
dssmanic
09-05-2005, 09:57 PM
has anyone heard about this P45 board for DTV?????
J5063
09-05-2005, 09:57 PM
J5, that's the old European system, similar to HU, definitely not P4/D1 since all of the packets are encrypted now.
THIS IS WHAT I WAS REPLYING TO THANK YOU
dssmanic
09-05-2005, 10:05 PM
sorry J5 i didn't know that was what u were talkin bout can u give me more info on it??
Littlebear151
09-06-2005, 11:29 PM
J5,
I want to thank you for sending me the program..P/4 P/5 utility.. yes the program works.. I have tested it.. now before anyone gets excited..
what the program will do.. reads ATR, resets card, does a surface read.. not a dump..
reads PPV, spending limits, ratings,
this program was made to read INS responses when INS commands are sent to the card.. this also works..
now what the program will not do..
it doesn't write to the card.. it will not dump the card..although this is a real p/4 p/5 program and it does work, it's not going to help directly open a card..
sorry j5 wish I could help more..
LB
ojibwe
09-07-2005, 10:59 AM
J5,
I want to thank you for sending me the program..P/4 P/5 utility.. yes the program works.. I have tested it.. now before anyone gets excited..
what the program will do.. reads ATR, resets card, does a surface read.. not a dump..
reads PPV, spending limits, ratings,
this program was made to read INS responses when INS commands are sent to the card.. this also works..
now what the program will not do..
it doesn't write to the card.. it will not dump the card..although this is a real p/4 p/5 program and it does work, it's not going to help directly open a card..
sorry j5 wish I could help more..
LB
Shit man I have had that program for about a year now.Where have you been?
ojibwe
09-07-2005, 11:08 AM
Xmas, everything ( P4, P5,N2 ) will be released as Freeware , just wait and see and if you don't believe me then you must not believe in sants claus either...and on christmas morning you will also wake -up with a 14 inch dick , only problem is that it probably won't be connected to you...unless it's up your ass....LOl, HaHaHa or should I say HoHoHo..LOL
Man I got to tell yah, I only got about XX grand invested in dave shit, cards and whatever. I would love for this to be true, but what you are saying sounds like me going to the titti bar and only seeing tits and no ass. I am so very tired of no Ass, you get me? For the kind of money I am losing with no-hack Dave I would almost turn gay for your words to be true, but there is a 99.99% probability that what you say is just NO-ASS. So I am not worrying
J5063
09-07-2005, 11:37 AM
151 thank you for taking a good look at it, and that's the end of that. Thank you
Rampage
09-07-2005, 03:57 PM
The P4 hack that has been talked about recently turned out to be just a rumor.
Littlebear151
09-07-2005, 08:48 PM
LOL.. I been right here..watchin Charlie.. J5 ask me to look at the program so I did..
BTW all the info he posted is not European system info.. it is P/4 info.. logged between
card and Ird.
LB
sumpin4me
09-07-2005, 10:00 PM
The P4 hack that has been talked about recently turned out to be just a rumor.
LOL
That's right. It's all "JUST A RUMOR PEOPLE"...."NOTHING TO SEE HERE"....."MOVE ALONG"....... You can bet it's NEVER going to see the light of day...
BTW, "light of day" in this sense refers to the public forums and in large part the Internet testing community... The days of davetv for free-tv-ers is gone...
Why bother trying to release something and make money if the drawbacks outweigh the benefits? Think about it... If they released it then 1) it would be targeted thus requiring inevitable constant fixes, 2) the money made from it MIGHT be enough to pay their way out of legal trouble once dave's legal goons tracked them down, and 3) the Internet testing community (ie: free-tv-ers such as myself and other non-coders) will be once again demanding urgent fixes...
If they do NOT release it, then 1) it will NOT be targeted, and 2) they have no legal worries...
Not to mention the fact that now FTA company coders are GIVING AWAY N2-capable bins....
LMAO..... sounds like a tough decision to me...... (not!!) :rolleyes:
drphibes
09-07-2005, 10:35 PM
"it is P/4 info.. logged between card and Ird."
"D1 40 00 00 41 generated instruction header from the ICAM
<40
>00 - dummy send by the ICAM too
>7E 12 00 00 00 00 00 00 00 00 E0 17 EA C7 14 8E 45 23 00 00 - signature and key adjustment
>7F 12 E0 C0 32 4E 1A F8 5F 1A D6 78 DF F0 92 F1 BE 56 DD F7 - signature and key adjustment
(bridge gap between 1.X and 2.0 cards)
>09 10 10 00 - set key
>01 4D 1D 69 78 - current Date and Time
>CB 02 FF FF - sets two bytes
>02 00 - current rating byte for the film
>03 00 10 00 - Check for Channel "00 10" entitlement entry
>03 B8 69 00 - Check for Channel "B8 69" entitlement entry
>67 08 5D E7 B2 D3 82 0B 2F 70 - signature
<90 00 - sw1/sw2"
No P4 stuff in there.
The packet starts with D1, that's European.
The packet has an 8 byte signature after the 67, that's HU style and European.
You can decipher the bytes in the package - definitely not P4 since the P4 packets are encrypted after the key so neither the commands nor signature are clear.
ok whats the good news out there?...... any?
i m tired of the same old shit from the tv suppliers like over priced and nothing to watch except buying crap !!!!!
scottymac
09-09-2005, 07:45 PM
Why bother trying to release something and make money if the drawbacks outweigh the benefits?
I disagree.
It takes money to make a hack, so someone is going to want money out of it. It'll need to be sold to make money. Satellite thieving is a business, plain and simple.
Plus, there's always at least one unscrupulous person out there, who'd release it just to get it out there, for fun, profit or notoriety.
If a hack really does exist, it won't take too long before we all know about it.
P.S. Just because Dave/Charlie knows about it, doesn't mean he can shut it down. Look at Mili's blocker, worked like a hot damn, and I bet Charlie had his own copy too.
Littlebear151
09-09-2005, 07:50 PM
drphibes,
I don't think I made myself very clear.. the stuff that J5 posted was not on any card. Most of what he posted was EMM sigs that had been logged by a data logger.. we were talking about a piece of software that was using these sigs to test responses when they were sent to the card..
I thought the D1 was part of the NDS instructions: as follows
>>>>>>>>>>>>
NDS Command Structure 2 v0.5
Card Version 2.0
This information is for academic interest and educational purposes only. There is nothing in this text that will enable decoding of NDS encryption. Illegal watching of encrypted TV is not condoned.
1. Introduction
2. Answer to Reset (ATR)
3. The Zero Knowledge Test (card verification)
4. The communication Protocol
5. The Entitlement Control Message (ECM)
6. The Entitlement Management Message (EMM)
7. The Instructions in detail
8. The signature
9. Codes
9.1 The Fuse Byte
9.2 The Rating Byte
9.3 The Parental Control Byte (PCB)
9.4 The Country Code.
9.5 The Regional code
9.6 The Bitmap algorithm
9.7 The keys
9.8 Structure of Date and Time
9.9 The Status Words
9.10 The Channel Entitlements (taken from Colibri Doc: hxxp://colibri.move.to/)
1.Introduction:
The card is always asked by the ICAM to receive or send information. The card never asks the ICAM to do anything! To do this the ICAM always sends a 5 byte long command packet header to the card.
Standard 5 byte ISO-7816 header : "CLASS INSTRUCTION PARAM1 PARAM2 PARAM3"
With the introduction of the new card 2 new classes were introduced:
Class Meaning
D0/D1 Replaces 48 of the old card
D2 appends a 16 byte signature on the instruction reply
D3 Use an additional stream cipher to secure transmission between card and box (NOT using internal HashCircuit)
(Class 48 is no longer supported and causes the card to rerun part of the initialisation including the ATR output.)
>>>>>>>>>>>>>>>>>>>
but its no biggie.. it was just my take on what the s/w was doing
all of this stuff he posted was part of the sw.. not anything taken from a card
LB
I wonder why there are people that goes on and on and on ....cut/paste....rumors...blah..blah...blah .....
Do they really think by posting rumors from "respected" source or "well-respected" person ..or "buddies"...or cut/paste crap ....would make other people think that they "really" know "something" here ? ...
What a forking waste of bandwidth .....and besides Mili/Drphibes ...you're all a bunch of idiots....
scottymac
09-09-2005, 09:14 PM
What a forking waste of bandwidth .....and besides Mili/Drphibes ...you're all a bunch of idiots....
So is your ass-kissing post.
vmod32
09-09-2005, 09:22 PM
Yeah, I've had enough of people cutting and pasting stuff.
It's funny when something originally posted here ends up on another site and then some noob thinks they have found the solution and it ends up back where it came from.
Littlebear151
09-09-2005, 09:39 PM
I know that it is frustrating to go from website to website just to see the same cut and paste info..
I don't really think that people are trying to fake some one out as to what they know.. they are just trying to help..
plus you can't always tell what someone knows by reading a few posts.. some people have sensitive positions and only let their work be leaked and want no credit for it at all.. sometimes a cut and paste article can shed some light on a work in progress.. it keeps you from searching every forum to see what's going on.. right now a lot of new stuff is coming out.. for dish anyway.. my only reason for being here is to learn and help others.. hell.. I don't even watch TV..
LB
sumpin4me
09-10-2005, 01:04 AM
I wonder why there are people that goes on and on and on ....cut/paste....rumors...blah..blah...blah .....
Do they really think by posting rumors from "respected" source or "well-respected" person ..or "buddies"...or cut/paste crap ....would make other people think that they "really" know "something" here ? ...
What a forking waste of bandwidth .....and besides Mili/Drphibes ...you're all a bunch of idiots....
HAHAHAHAHAHAHAHA
That laugh made my afternoon. And I agree, anymore posting that isn't freebie handouts for the dis-mantling of the P4/5 or a script for TV is useless and a total waste of time and resources... I mean come on, why discuss something that could possibly be pertinent info, right? You registered here in April of this year and wanna call the ENTIRE ROOM of members idiots... Release the hack already, hell, we're tired of the waiting game too!! Geez... Gimme a break dude.
It's cut and dry as of the rom101 info released yesterday and today: If there's a hack in existence for davetv, and the creator/author wants to cash in, NOW is the time... If the Nagra2 info is gonna be given out, and new updates and products are in the works, then you'd better get what you've got ready to offer for sale ASAP, or their market will be gone because testers will have already jumped onto the Nagra2/FTA bandwagon......that's it. If we see nothing, then A) nothing exists to be marketed, or B) the creator is holding it on the D/L as per my previous post.
We shall see.
chavo_fan
09-10-2005, 05:34 PM
Hi: I am new in this stuff, but I have a question. I heard that there was a hack for Direct TV Latin America. Is this true? The encryption system for them is VideoGuard.
Also I had a hacked Dish Network receiver which uses an Atmega card (right now the receiver is disconnected for obvious reasons). I wonder if someone knows when something like Atmega will be released for Nagra 2.
Thanks
J5063
09-10-2005, 08:16 PM
151 I Save The Setting And Just Close It Out And Re Open It And It Still Working Good Going To Send You A New Copy You May Not Have To Do Anything But Put A Card In And Run
sdeens
09-12-2005, 08:31 AM
Don't worry boys...the PIRACY community (both public and private) are even worse at keeping a SECRET than even Charlie or Dave.
:-)
Dave_Clark_Five
10-08-2005, 06:58 AM
it is P/4 info.. logged between card and Ird
Do these logs belong to a BSkyB P2 (dark blue - yellow house) card ?
that's the old European system, similar to HU, definitely not P4/D1
Those cards are still in use in the UK (since early 2003), though they are
indeed similar to the HU, and have nothing to do with P4/SLE66 technology.
The old European BSkyB P1 cards (Oct. 1998 - early 2003), which still used class
byte 48 were derivatives of the DirecTV H/P2 (SLE44), with some of its holes fixed.
Swiper
10-13-2005, 01:44 PM
thats too funny, on the back of the card it says do not remove and insert card unnecessarily. that card looks like it has been in and out a thousand times !! its almost worn a hole in the card !!
Matisse
10-13-2005, 07:13 PM
if there were a viable hack for dave as rumored in the last two years, it would have already hit the market...period!...to believe anything else is just plain ignorant and borders on stupidity
if a hack were available, it would have already hit the market to capitalize on a proprietary and exclusive means to deliver free tv to the masses.....what they wouldn't have done was wait for some group to come up with a nagra2 solution and then have competition for their product.
as the saying goes..the first rat to hit a new block of cheese gets the most cheese [$$] and becomes the fatter rat..kaching!
winston
10-17-2005, 09:23 PM
Those cards are still in use in the UK (since early 2003), though they are
indeed similar to the HU, and have nothing to do with P4/SLE66 technology.
Do you know what type of cards Sky Italia uses? NDS is being emulated on these cards (as well as other European systems). Try a google search on NCEmucam 1.02.
A 1020a can receive a dss signal.
So the question is how close the systems are and if something can be shared.
Patrat
10-17-2005, 11:38 PM
I talked to my guy who is pretty well connected in the Dave community about 6 mo ago. He said a Dave hack will happen when the white sox make it to the world series........WUUHOOO
Darkbob
10-18-2005, 04:33 PM
I wonder if perhaps he was trying to say something like "when hell freezes over" but substituted the White Sox? I mean it's been what... 46 years since they made it to the series?
But it does show something... if the Sox can make it to the series, anything is possible.
--DB
bayrat
11-01-2005, 06:26 PM
I talked to my guy who is pretty well connected in the Dave community about 6 mo ago. He said a Dave hack will happen when the white sox make it to the world series........WUUHOOO
Well the ball is in his court now, ask him if he is gonna pony up now.
werks
11-02-2005, 02:52 PM
if there were a viable hack for dave as rumored in the last two years, it would have already hit the market...period!...to believe anything else is just plain ignorant and borders on stupidity
if a hack were available, it would have already hit the market to capitalize on a proprietary and exclusive means to deliver free tv to the masses.....what they wouldn't have done was wait for some group to come up with a nagra2 solution and then have competition for their product.
as the saying goes..the first rat to hit a new block of cheese gets the most cheese [$$] and becomes the fatter rat..kaching!
Obviously you do NOT understand ORGANIZED crime! It IS hack...has been hack for a long time! They HAVE NOT let it get to the net...money lost ++ jail time being the motivation. I'm willing to bet that ALL H/A clubhouses have been watching dave for some time now. Do you think they'd even be around if the "chirped" about every illegal enterprise that they indulge in...just for some peeon ta turn em in to avoid a sentence?? Think hard about this. Just wayyy too much cash involved.
HotRodTodd
11-03-2005, 01:25 AM
Obviously you do NOT understand ORGANIZED crime! It IS hack...has been hack for a long time! They HAVE NOT let it get to the net...money lost ++ jail time being the motivation. I'm willing to bet that ALL H/A clubhouses have been watching dave for some time now. Do you think they'd even be around if the "chirped" about every illegal enterprise that they indulge in...just for some peeon ta turn em in to avoid a sentence?? Think hard about this. Just wayyy too much cash involved.
Well i guess i am going to have a rumble with our chapter president then. Our clubhouse has been left out, all we have is cable and dish. :rolleyes:
davida2
11-03-2005, 09:28 AM
"I talked to my guy who is pretty well connected in the Dave community about 6 mo ago. He said a Dave hack will happen when the white sox make it to the world series........WUUHOOO"
Made it, won it, now where is the Dave hack?
da2
werks
11-03-2005, 02:23 PM
"I talked to my guy who is pretty well connected in the Dave community about 6 mo ago. He said a Dave hack will happen when the white sox make it to the world series........WUUHOOO"
Made it, won it, now where is the Dave hack?
da2
It's there!....and it doesn't go down neither!
HotRodTodd
11-03-2005, 06:48 PM
It's there!....and it doesn't go down neither!
SSSHHHHHHHH, don't tell anyone about this. I found out the skinny on the Dave hack.
Its called SUBSCRIBING !
Its guaranteed to NEVER go down, unless you don't pay your bill. LMAO !
interboot
11-05-2005, 06:54 AM
SSSHHHHHHHH, don't tell anyone about this. I found out the skinny on the Dave hack.
Its called SUBSCRIBING !
Its guaranteed to NEVER go down, unless you don't pay your bill. LMAO !
yeah right. it had gone down before for me numerous times. on a sunny day, no rain, no snow, no radioactive, no solar flare. absolutely nothing in the sky. it went down. and when you called them, they said wait 30 minutes, it should come back on.
LeeGibling
11-05-2005, 08:28 AM
Do you know what type of cards Sky Italia uses?
Those cards are HU like, but the class byte has been changed
from 48 to D0...D3.
10ON.EXE
11-10-2005, 06:38 PM
Nice to see you're still lurking Lee, don't see much of you these days, especially at Snatty's old site (sure ain't what it used to be).
LeeGibling
11-10-2005, 09:57 PM
It's indeed a tragedy. Nagra and Dish got the main focus on most boards,
whereas N*S was downgraded to a sideshow only.
My next release will take 10 days or so. It doesn't make much sense to
issue great posts everywhere bcs of a few new intervals found through
timing analysis, thus making a mountain out of a mole hill.
I choose to gather some more results before posting again.
LeeGibling
05-10-2006, 01:04 AM
Recently I got this .xvb script from an unnamed source, claiming that the following
script reveals a RAM register, that is not completely cleared after reset of the BSkyB P2.
Could a similar flaw also exist for the P4 ?
'remove this call if you prefer your own settings
Call DxSetting()
Sub Main()
PRINT "CHECK THE E213 AREA"
sc.Verbose =true
sc.write ("D0 36 00 00 CC")
Sc.read(1) 'ack
Sc.read(206) 'data
sc.reset
print "1st reset"
sc.reset
print "2st reset"
sc.reset
print "3th reset"
PRINT "INS BUG"
Sc.write ("D0 2E 04 00 00")
sc.read (2)
Print "second INS 36 is starting now"
Sc.write ("D0 36 00 00 CC")
Sc.read(1) 'ack
Sc.read(206) 'data
Print ">>>>ATTENTION CHECK THE E213 AREA"
End Sub
'===============================================
Function HexString(ThisNumber, Length)
Dim RetVal
Dim CurLen
RetVal = Hex(ThisNumber)
CurLen = Len(RetVal)
If CurLen < Length Then
RetVal = String(Length - CurLen, "0") & RetVal
End If
HexString = RetVal
End Function
'================================================
Sub DxSetting()
BaudRate=38400
ResetBaudRate=9600
ResetDelay=20000
ByteDelay=400
RxByteTimeout=1000
Parity=1
StopBits=2
FlushBeforeWrite=1
FlushEchoByte=1
DTRControl=1
RTSControl=0
ResetMode=1
IgnoreTimeouts=1
ResetAfterTimeout=1
ResetLine=0
LogTransactions=0
DisplayUSW=0
DisplayFuse=0
ByteConvention=0
End Sub
the result reads as follows
RX ATR : 3F 7F 13 25 03 33 B0 06 69 FF 4A 50 D0 00 00 53 59 00 00 00
CHECK THE E213 AREA
TX Data : D0 36 00 00 CC
RX Data : 36
RX Data : 90 00 04 02 FA 00 00 00 00 00 00 00 00 01 00 86
4A 01 00 5E 07 B1 00 00 F3 01 BB 84 CF DE 07 00
00 00 00 00 00 00 F9 00 00 03 EE DF 55 06 00 80
E2 13 00 EF 26 83 00 00 00 00 00 FF FF FF FF FF
FF 00 00 00 00 F6 02 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 67 08 BF 7B C6 9E B7 95 63 BE 90 00 1st reset2st reset3th resetINS BUG
TX Data : D0 2E 04 00 00
RX Data : 90 01 second INS 36 is starting now
TX Data : D0 36 00 00 CC
RX Data : 36
RX Data : 90 00 04 02 FA 00 00 00 00 00 00 00 00 01 00 86
4A 01 00 5E 07 B1 00 00 F3 01 BB 84 CF DE 07 00
00 00 00 00 00 00 F9 00 00 03 EE DF 55 06 00 80
E2 13 00 23 45 FD 00 00 00 00 00 FF FF FF FF FF
FF 00 00 00 00 F6 02 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 67 08 9A 1C 38 3C B0 C3 B4 C3 90 00 >>>>ATTENTION CHECK THE E213 AREA
Isn't the RAM register not totally cleared after reset ?
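Added example, not part of any post in this thread: a small Python decoder for the 5-byte "CLASS INSTRUCTION PARAM1 PARAM2 PARAM3" header quoted earlier in the thread, applied to trace lines in the formats the posts use, with a length check on a read reply like the INS 36 log above. The function names, the T=0 reply framing (one byte echoing INS, then P3 data bytes, then SW1 SW2) and the short reply in the demo are assumptions made for this example.

```python
"""Decode 5-byte ISO 7816 command headers from card/reader trace lines."""
import re
from dataclasses import dataclass

# Class-byte meanings as listed in the document quoted in the thread.
CLASS_NOTES = {
    0x48: "class byte of the old card",
    0xD0: "replaces 48 of the old card",
    0xD1: "replaces 48 of the old card",
    0xD2: "appends a 16 byte signature on the instruction reply",
    0xD3: "additional stream cipher between card and box",
}

# Optional 'TX Data :' style label, optional '>', '<' or quote mark, then a
# run of two-digit hex tokens. The run stops at the first token that is not
# exactly two hex digits, which is where the annotation text begins. A
# two-letter annotation word made only of hex digits would be misread.
TRACE = re.compile(
    r'\s*(?:[A-Za-z ]+:)?\s*[<>"]?\s*((?:[0-9A-Fa-f]{2}(?:\s+|$))*)')


@dataclass(frozen=True)
class Header:
    cla: int
    ins: int
    p1: int
    p2: int
    p3: int

    @property
    def class_note(self) -> str:
        return CLASS_NOTES.get(self.cla, "not described in the quoted document")


def hex_bytes(line: str) -> bytes:
    """Return the leading bytes of a trace line, without label or notes."""
    return bytes.fromhex(TRACE.match(line).group(1))


def parse_header(line: str) -> Header:
    raw = hex_bytes(line)
    if len(raw) < 5:
        raise ValueError(f"need 5 header bytes, got {len(raw)}")
    return Header(*raw[:5])


def split_read_reply(header: Header, reply: bytes):
    """Split a card-to-reader reply into (data, sw1, sw2).

    Assumed T=0 framing for a read with P3 > 0: one procedure byte that
    echoes INS, then P3 data bytes, then SW1 SW2. P3 = 00 is not handled.
    """
    if header.p3 == 0:
        raise ValueError("P3 = 00 is outside this example")
    expected = 1 + header.p3 + 2
    if len(reply) != expected:
        raise ValueError(f"expected {expected} reply bytes, got {len(reply)}")
    if reply[0] != header.ins:
        raise ValueError("procedure byte does not echo INS")
    return reply[1:-2], reply[-2], reply[-1]


if __name__ == "__main__":
    # Header lines as they appear in the thread.
    for line in ("D1 40 00 00 41 generated instruction header from the ICAM",
                 ">48 42 00 00 2f",
                 "TX Data : D0 36 00 00 CC"):
        h = parse_header(line)
        print(f"CLA={h.cla:02X} INS={h.ins:02X} P3={h.p3} ({h.class_note})")
    # Constructed reply, not captured from a card: ack, 4 data bytes, 90 00.
    short = parse_header("D0 36 00 00 04")
    print(split_read_reply(short, bytes.fromhex("36 01 02 03 04 90 00")))
```

For the `D0 36 00 00 CC` header, P3 is 0xCC (204), so a read reply is 1 + 204 + 2 bytes, which matches the script's `Sc.read(1)` followed by `Sc.read(206)`.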
drphibes
05-10-2006, 09:46 AM
The 90 01 response to the 2E command indicates something changed because of that packet which was sent after the resets.
Do you get the same response when you don't send that packet before repeating the 36 command?
Since those are unsigned packets you should be able to do the same experiment with an H card once you change the D0 to a 48. I don't recall what a 2E or a 36 does offhand, but unsigned command processes are very similar between all cards so you could take an H disassembly and trace the process.
LeeGibling
05-10-2006, 03:07 PM
I don't recall what a 2E or a 36 does offhand
2E changes the PIN on the card and 36 reads out the "PPV phoning home data"
from it. But in this particular example the INS 2E is intentionally malformed with
the PIN missing.
Since those are unsigned packets you should be able to do the same experiment
with an H card once you change the D0 to a 48.
It's more similar to the HU.
Do you get the same response when you don't send that packet before repeating
the 36 command ?
Generally a discussion how the results change when you modify this script currently
takes place at:
w*w.sky-digital.org/forum/showthread.php?t=2215
lowrider999
05-22-2006, 08:41 PM
I read ALL this so i could find out the rest on the "Fag Story", Mattise u gonn'a let that slide?