Well I thought I would start a thread on this. There's some interest in this sence BEV is looking for the proper provider mark at $3054 and now with the new rev10C update they will most likly bedoing the same. Who knows if they will start looking at the rest of the marks. But if you have the wrong provider mark you get NO video. This is what we are going to be doing. I will explain how to mark your OTP(one time program) with the emm's that both Dish and BEV used. Once you do this, there is NO going back. Once you mark the OTP it is there for the life of the card. Dish did it during the rev105 update. BEV did it during the rev241 update. This is what we are marking.

$3050=039A3174001B0000FF0000000000FFFF

039A3174=cam ID
00=provider mark
1B=checksum(will be different on most cams)
0000
FF=not sure what this mark is for
0000000000
FFFF=not sure what these marks are for


To do this you need to have a couple of things ready in your image. I sugest you try it in the sim first to make sure you have everything you need right before trying this on a cam. I will go over this for Dish. It is the same steps for BEV just different emms and Different USW(Update Status Word). First make sure you have the proper decrypt keys in your image. We are not talking key00 and key01. These are the decrypt keys used to decrypt emm-g. The data types look like this.

Decrypt Key (ikey firma EMM-G)
------------------------------
0C 00 06 1B 1B 06 ;Header
00 00 00 01 ;Timestamp
00 ;Status??
00 00 ;Provider
03 ;Key Type
18 ;??
10 ;Key Length
Key
39 17 E3 69 04 CC 05 6F FA 1F 2E 55 F9 D0 8D 07


Decrypt Key (ikey EMM-G)
------------------------------
0C 00 06 23 23 06 ;Header
00 00 00 01 ;Timestamp
00 ;Status??
00 00 ;Provider
02 ;Key Type
10 ;??
18 ;Key Length
Key
B1 1B 69 F8 92 B6 B1 F3 BF 4B 4B 01 18 D5 14 73 C5 BF 0A AF D0 08 C0 95

Decrypt Key (Módulo RSA EMM-G)
------------------------------
0C 00 06 6B 6B 06 ;Header
00 00 00 01 ;Timestamp
00 ;Status??
00 00 ;Provider
12 ;Key Type
10 ;??
60 ;Key Length
Key
F5 B2 C0 87 61 E4 1B 22 F1 B8 AD 21 D5 76 C3 B5 42 0F E9 7C 9D A8 35 4E 96 0A 50 A4 BA AD 28 DE 9D 3B 23 DD 06 CE 65 45 26 7D B7 33 51 9E 6C 82 18 16 59 2D C8 C5 65 19 A0 29 82 0F 07 17 58 E9 07 34 C4 18 77 01 D9 52 C7 4D 1A F3 24 D6 1D A0 87 AF 14 C7 39 CB AA 49 2B 31 03 46 44 47 B5 9C



These are the keys that need to be in those data types or the emms won't decrypt right.

PUBLIC N
F5B2C08761E41B22F1B8AD21D576C3B5420FE97C9DA8354E96 0A50A4BAAD28DE9D3B23DD06CE6545267DB733519E6C821816 592DC8C56519A029820F071758E90734C4187701D952C74D1A F324D61DA087AF14C739CBAA492B3103464447B59C
IDEA KEY
B11B69F892B6B1F3BF4B4B0118D51473C5BF0AAFD008C095
SING KEY
3917E36904CC056FFA1F2E55F9D08D07

Now that our decrypt keys are set right. The image has to be rev103. Now look at $30E8 and $30E9. Thats your USW. It need to be 00 04 for Dish.

$30E0=00000E5555600E5500044E6970504572

OK now that we have the decrypt keys set, it's at rev103 and the USW is right. Save the image. (yes save it. You should save ever image you write to your cam). Now I use T-REX to send cmd's to a cam. There's a couple of other programs out there that you can do this with, but I use that. So open up the program your going to use. First we need to get the cam read for the cmd by sending a cmd$C0 to the cam.

cmd$C0
210008A0CA000002C0000687

Then send the first EMM in the rev105 update.
EMM#1
21006DA0CA00006704650001820010B3797AB3E6B8CC340F8F 9BC062ECBA7EDD7AEB20BFB5193F7438659C93874EF4B64505 E8A0100707DA2A3FC4788D56E5FC6427FB3CB6AA1D4CBCF103 BA16D08B57034468F8E253FE424ADE647D5170E763C68B5DB8 BA57345FCDB405CDB825620274


At this point you will have the cam id Provider mark, and checksum marked, but not the FF marks. You can't just send the 7th emm in the update cause the USW won't allow it to process the update. So this is what you have
to do. After sending the first emm read your cam image. Now change the USW at $30E8 and $30E9 to 000A. Then write the image with the new USW back to the cam. Now send the cmd$C0 again.

Now send the 7th emm in the rev update to the cam. It will process now with the correct USW at $30E8 and $30E9.

EMM#7
21006DA0CA000067046500018200103707891F559EDE2B0A66 D572A34249A0CD6E326AE6F815E8C0C6E2E12E082C9582705A 9A5E57BFECF2C604A1A972DB20DA3A5A5A0C23E68C068CB6FE 714AE7B0EB4DE380B7A5F4C74A50811590AF03987727D3C24A 0F27AD91CDAD5609B69D190266


Now your cam will have all the correct marks on line $3050. I have done this in the sim with both Dish and BEV. BEV the only difference is the emms you send , the USW you change to and of course the decrypt keys that are needed.


-----------------------------------------------------------------------


BEV ONLY

KEYS TO DECRYPT AND EXICUTE THE FOLLOWING EMMS

Public N
713FF389C2494E6A106915C04620B6B1EF93C91B796DB15A99 5F788A2E740C7904C38323921D86178CAF368D97812084910E 042AABFAAC98EBCC19DA8AD75B87A754164DCEFACD5CDAB983 32AFEFD64F11D09C949B4ECF05DDB0190B14CF5B9C
IDEA Key
17F670655761DC6D0FF104D96B7E976D7D6EE1DD54183031
Sing Key
99423FB0BB4BD79369C8E4E0E68324A2



USW has to be 00 41 for emm#1 to run.
EMM#1
21406DA0CA000067046508018200909C88D2C0F7B506F8C743 9F797043DCDC65AF1712AD94323453380DE423CEC5B0026C5C 8376FE4A98DC9D64F04BCA8DBFE4FDC2612A9E09E098EDE73D AD01CC6852059622E400D7ADA0AF72845677E40E6C4F823CCB E73CA4CCA1F2BE29609613023E


USW has to be 00 47 for emm#7 to run.
EMM#7

21406DA0CA000067046508018200108215347F98CB061CE71F 63A1E8CC36F4AD786DA5530DF04746CC1D65C367BF33370A95 E227314ABA08F351E15AE2D0C437317E446AB2C11201542AF1 313E977F225A35C790DA1B94513B1B46A68A9BAE02FA187FF4 957A0BF50F9DF933D16A160265




Now clean code space back to rev240. Make sure the USW is 00 41 to begin with. I know with programs like N2Edit it actually writes 00 04 which is Dish's USW for rev103. So make sure it is right or none of this will work.




All of these emm's are real updates. They are the same cmd$B1's that Dish and BEV used to update there cam's to rev105 and rev241. I have tested this out it will not write over your intercepter by sending these emm's to the cam. It will mark the cam ID but it will also do another write to another spot in the codespace. But you will still have access to your cam after doing so.



EDIT= Make sure after doing this you write the good clean rev103 image back to your cam. Just cause after sending these emm's there is one other write being done to the codespace. You want it to have a good image on it.

Thanks for the great info, DB. Just one more question - if I use dish 102rev103 card with bev 102rev240 image on it, can I just follow the steps for 240?

Great discussion DB. Thanks.
Just to say it again, while this is something that is probably going to become more necessary as time goes by, once you mark your OTP area, there is no going back. You can increase the value in the OTP area, but you can't program it like the codespace of the card.

This 10C update is going to be interesting...to say the least.

I have a couple virgin 102s set aside just incase.......................................

Hey DB,

Excellent thread!

I'm using ST19 for B*V and D*SH. I'm wondering if I need to do this for my cor files? I'm also wondering how to determine the checksum to insert there.

TIA,

DH

This 10C update is going to be interesting...to say the least.

I have a couple virgin 102s set aside just incase.......................................

Is this not complete Lunacy?????

Mark your card, but for what??


Shit in the Stream.....Pull the Plastic and use Altenatives that are available here and frankly for $79, that's 1.5 PPV's (of any importance) and the rest is FREE!

There is NO WAY that I'd Write to PROM...........anyone remember Black Sunday?

Is this not complete Lunacy?????


There is NO WAY that I'd Write to PROM..

Yes there is a way you would write to the prom.......when and if it becomes the only way to get TV, you will have to.

Exactly. You will need to have the valid provider mark or NO TV. BEV added 2 checks for this. If you have 00 there because it wasn't marked during rev241 guess what no free TV. You will need to have those marks in the OTP. They marked there cams for a reason.


Dickched Yes you should mark your cor file just like you would have on a cam. I run my armulators with the OTP marked too. There is a program called Nagra2 Rom102 CamID Byte $3055 Calculator. You just type in your cam ID and it will figure out the checksum for you. Thanks goes to JohnnyL for that little tool. I know it's at the fileshop.


ge2 yes that will work. You can mark a dish cam with a BEV cam id, provider mark, and checksum. It will just be a BEV cam from then on. No going back after that. Just follow the steps I posted except for BEV.

Hey DB,

I'm also wondering how to determine the checksum to insert there.

TIA,

DHHere's the Nagra2 Rom102 CamID Byte $3055 Calculator.


hxxp://www.thefileshop.com/showthread.php?t=2238&highlight=Nagra2+Rom102+CamID+Byte+%243055+Calcula tor


replace xx with TT to make that link work.

Exactly. You will need to have the valid provider mark or NO TV. BEV added 2 checks for this. If you have 00 there because it wasn't marked during rev241 guess what no free TV. You will need to have those marks in the OTP. They marked there cams for a reason.


Well partially true I guess, my 102 is not marked, and I have bev wide open....but I can't tell you how.....just say private.

BTW I just edited my post to add this.


Make sure after doing this you write the good clean rev103 image back to your cam. Just cause after sending these emm's there is one other write being done to the codespace. You want it to have a good image on your cam.

Here's one of the checks in the rev248 codespace.

00:9069: A6 83 lda #$83
00:906B: B7 92 sta $92
00:906D: C6 30 54 lda $3054<---load byte from $3054 into "A"(provider mark)
00:9070: 4C inca
00:9071: B7 93 sta $93
00:9073: BF 94 stx $94
00:9075: 81 rts
00:9076: 83 .db #$83


Just looked and rev10C has the exact same check.

00:904B: A6 83 lda #$83
00:904D: B7 92 sta $92
00:904F: C6 30 54 lda $3054
00:9052: 4C inca
00:9053: B7 93 sta $93
00:9055: BF 94 stx $94
00:9057: 81 rts
00:9058: 83 .db #$83

There must be a way around it, cause mine is up w/o it.

Great discussion. I guess the providers do not want the cards to be interchanged for the providers. Thus if you mark '00' or '08' the card can only be used for that provider. I am pretty sure the OTP can be cloaked to show the byte that the EMM wants to see.

Thanks DB this is great info.

warpspace is working without the 3050 line as well.

I imagine they just redirect the checks to the proper info
to complete the cycle.

This wll work great for EMU though. Less code means less
targets.

t160hq

This turned out to be my missing link so to speak.

Took my private image. Edited 3050 for the right info.

Added tiers and a 10b patch. Made it my cor in st19

Fired up the system. As soon as the acquiring the guide
finished the new keys changed almost instantly.

With the old cor setup this took several minutes.
Before I was using the same 109 patch been using for
months.

t160hq

...You can mark a dish cam with a BEV cam id, provider mark, and checksum. It will just be a BEV cam from then on. No going back after that. Just follow the steps I posted except for BEV.

Yikes! I hadn't thought of that benifit. No longer will we be able to switch a rom from Bev to Charlie and vice versa. That alone is a big benifit to the providers.

Yikes! I hadn't thought of that benifit. No longer will we be able to switch a rom from Bev to Charlie and vice versa. That alone is a big benifit to the providers.Yep I would image that is the reason for the provider mark.

Here's the Nagra2 Rom102 CamID Byte $3055 Calculator.


hxxp://www.thefileshop.com/showthread.php?t=2238&highlight=Nagra2+Rom102+CamID+Byte+%243055+Calcula tor


replace xx with TT to make that link work.

how can we calculate the checksum byte if we are NOT writing it to a cam. I just need this calculation for a st19 image.

Tried this proggy and it just says, "cannot initialize com1" b/c I don't have a cam inserted.

TIA

It does nothing to the cam. It sends no cmd's to a cam. It just runs a script to calculate the checksum for you. Thats all. If it says that then you have something in your winexplorer set wrong. After running the script this is all you should see. I used the public cam id to get this checksum.


Executing Script: C:\Documents and Settings\Nagra2 Rom102 CamID Byte $3055 Calculator.xvb
EEPROM Byte $3055 should be 1B
Script C:\Documents and Settings\Nagra2 Rom102 CamID Byte $3055 Calculator.xvb Transmission Completed


Thios is the only thing you change in that script.

' New VB Script File - Created 1/10/2007
' Nagra2 Rom102 CamID Byte $3055 Calculator
'
' Produced and Directed by johnnyL :)
'
' This Winexplorer script will Calculate the Byte that should be located at $3055
'on a Nagra2 ROM102 Card, provided that you supply the correct bytes located at
'$3050 - $3054
'
' !!! BEFORE YOU DO ANYTHING ... SET WINEXPLORER TO UNLOOPER SETTINGS !!!
' AKA ... Configure Tab / Program Parameters / Quick Settings / Unlooper / OK. ;)
'
'************************************************* ********************************
' Now, Enter the CamID Hex Bytes you have at $3050 - $3054 ... (5 Bytes) Below
' Example ...
EEPROM3050Byte = "03"<---------------cam id
EEPROM3051Byte = "9A"<---------------cam id
EEPROM3052Byte = "31"<---------------cam id
EEPROM3053Byte = "74"<---------------cam id
EEPROM3054Byte = "00"<---------------provider mark 00 for Dish, 08 for BEV
'
' Then Click on the 'Hand Holding Paper' Icon above to see what the byte at $3055
'should be.
'************************************************* ********************************


Not sure what you did, but it does not write anything to a cam. No cam, ISO, or loader required to use this script.

Use the unlooper setting in the winexploer settings. I just changed it to a couple of other things like ISO 3.68, or DSS P3 HU setting. It won't run the script with it. I put mine on unlooper and it runs it. So make sure the settings are right or it will not work I guess. Never had this happen before. I guess it was always on unlooper when I ran it.

Use the unlooper setting in the winexploer settings. I just changed it to a couple of other things like ISO 3.68, or DSS P3 HU setting. It won't run the script with it. I put mine on unlooper and it runs it. So make sure the settings are right or it will not work I guess. Never had this happen before. I guess it was always on unlooper when I ran it.

Thanks bro, tried it again on my main computer and it worked!! My old POS testing computer couldn't handle it I guess lol!!

Thanks bro, tried it again on my main computer and it worked!! My old POS testing computer couldn't handle it I guess lol!!Good. I am glad you got it working.

Thanks bro, tried it again on my main computer and it worked!! My old POS testing computer couldn't handle it I guess lol!!


pecker88 when you tryed it on the POS testing computer was your emu running on COM 1 ? If so when you change the settings to unlooper in WinExplorer also change the comm port setting. This worked for me and I had the same problem.

pecker88 when you tryed it on the POS testing computer was your emu running on COM 1 ? If so when you change the settings to unlooper in WinExplorer also change the comm port setting. This worked for me and I had the same problem.

thanks bro, gotter figured out!!!test/rock on!!!!!!!!!!!!!!!!!!1

i cleaned my .cor file back to 105 applyed the patch still no ppv... got usa and others.....