I'm locked out of my 102 card after applying a supposely clean Rev103 bin. Here is what I get when I try to read:
ATR: 3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 31 30 32 20 52 65 76 31 30 33 64
CAM Type: ROM102 Rev103
Provider: Dish Network
Reading Card Image...
Failed to read card.

I read card, cleaned codespace, applied this bin, it read, and then wrote image no problem. I then tried to read it, and here I am.

I still have the bin that I wrote to the card. Is there a way I can check the bin in WinHex and see if the A0FF Intercept is installed, or if something else is could be wrong with this image. I don't want to appply this image to another card just yet, and I don't want to try to glitch it just yet either, until I hear from the guy I got it from, or other feedback.

Try other app, ie if you used n2edit to do the write, try nagraedit5.2 to write clean
bin and vice versa.

try nagramaster and do a forced read/write

Will need to be reglitched.....rev.103 will pop right open.

Not sure why you wrote a "supposedly clean" image to your card when all you needed to do is clean the codespace of the original image that you read and then write that cleaned codespace image back to your card?

You need to figure out what exactly you wrote to the card. Was it a steamlocked image or an image with a blocker applied?

Your last resort would be to glitch back into it which I am thinking your going to have to do anyway unless it has a blocker on it that you can get the password.

Not sure why you wrote a "supposedly clean" image to your card when all you needed to do is clean the codespace of the original image that you read and then write that cleaned codespace image back to your card?
You need to figure out what exactly you wrote to the card. Was it a steamlocked image or an image with a blocker applied?
Your last resort would be to glitch back into it which I am thinking your going to have to do anyway unless it has a blocker on it that you can get the password.

He sent me an image and a 510 flash, I made him a married set, using those as a template, with GenDT08. He wrote the bn102 as a rev 103 to the card, it locked.
Will need to be glitched open.


He sent me an image that supposedly worked in other receivers, but it had both idea keys the same and wrong. The bin he sent was devoid of any tiers also.

So there is some miscommunication about what he has working and what he is trying to accomplish.

Ya.. Just reglitch it..

I did this last week using DT08..

The data byte in DT08 always shows up locked and I forgot to
click on unlock. So I wrote a rev103 locked and locked myself out.. ($821E is lock byte location)

I would check that byte to make sure its 03 and unlocked before you
do it again.. If thats the cause..

As far as password location goes.. Dont know. Password is not always in same place..

Try $8260 for your location of password..

Mopar

Ya.. Just reglitch it..

I did this last week using DT08..

The data byte in DT08 always shows up locked and I forgot to
click on unlock. So I wrote a rev103 locked and locked myself out.. ($821E is lock byte location)

I would check that byte to make sure its 03 and unlocked before you
do it again.. If thats the cause..

As far as password location goes.. Dont know. Password is not always in same place..

Try $8260 for your location of password..

Mopar

I'm using Winhex, and I'm having a heck of a time trying to find the addresses you mentioned. My bn102 files only goto $47F0 in Winhex but I'm sure I'm not reading it correctly.

Thanks

I'm using Winhex, and I'm having a heck of a time trying to find the addresses you mentioned. My bn102 files only goto $47F0 in Winhex but I'm sure I'm not reading it correctly.

Thanks


Winhex numerates sequentially, starting at 00000000. No offsets are added.
Use the eeprom editor in Romexplorer or GenDT08, both correctly add offsets.

In winhex, to correct the offsets: for a bn102 (all numbers are hex)

00000000 thru 000007FF offset = 3000

(3000 - 37FF) - 3000 = winhex address
__________________________________________
00000800 thru 0000047FF offset = 7800

(8000 - BFFF) - 7800 = winhex address
__________________________________________
So 821E - 7800 = A1E or 00000A1E in winhex.

Remember all numbers are HEX

I have done this myself (wrote a clean image) but afterwards card was locked? I usually use nagra edit 5.2 to do everything to card, but after I wrote image it said backdoor not found? and would not let me read, write to card as it was locked? I looked where password was supposed to be but was nolonger there all 00000's, I tried to unlock using my password and the zero' to no avail, so I tried nagramaster 4.09 and wrote my original bin back to card it worked! Before I tried to glitch into it I would suggest trying all programs hopefully one will work for you like it did me.

Ya.. Just reglitch it..

I did this last week using DT08..

The data byte in DT08 always shows up locked and I forgot to
click on unlock. So I wrote a rev103 locked and locked myself out.. ($821E is lock byte location)

I would check that byte to make sure its 03 and unlocked before you
do it again.. If thats the cause..

As far as password location goes.. Dont know. Password is not always in same place..
UTry $8260 for your location of password..

Mopar

Using RomExplorer, location $821E is '06" not '03'. So do I need to just change that to '03' and it will keep this image unlocked for my next write?

The password at location $8260 is all zeros.

I used nagramaster, using the force write, and it acted like it wrote the image, and said it was successful, yet I still can't read it in N2edit.

Glitch it open.....