301 rom10 A21 screw up


o.c.d.
11-29-2007, 04:29 AM
I have a 301 married to a rom10, easy enough to open, right... but I fu'd the card because head up as$. I want the info from the card so I can keep from jtag'ing if possible.

Here's what I have:

I did write down the CAID and the SmartCardID from the systeminfo screen of the ird. Can I convert these to hex and add them as cam and ird to a 101/102 etc?

If not, here's what I did to the cam:

With head up ass, I used "The UnlockerV101.vxb"; instead of selecting unlocker I selected Loader, and after a few more dumb ass clicks I selected update A21 to A23 (I cannot believe I did all of this). Well, the cam was updated via winex and ISO to A23 from A21. I've tried to unlock the cam with every script I can find, and my loader can't seem to get it done. This is the same loader that unlocked 4 10's and a 102, and was just used to correct the unknown provider for a 102. I get the correct response from winex but the cam still won't open.

Here's the code that I assume was written to the cam during the A21 to A23 update.

Any help would be appreciated.

DO NOT USE AS Patch!!!

Rev A21 to Rev A23
Sub DishRevA21Update()
sc.verbose = false
ClearOutputWindow
VResponse = 0
I=0
While VResponse = 0
I=I+1
sc.print "Sending EMM update packet 1 of 4, attempt number: " & cstr(I) & vbcr & "=================" & vbcr
sc.write("210053A0CA00004D004B00012A461BF24577EC9721F7410E54 592F95F931B93874A256FE0FBA91163207093FC73E0B52C9FA 6DCBEEB947DD91A9DA897B964AA5590C6682F1BEE31AF10707 F072546FC2006B4E62D10574")
sc.print "Response from card: " & vbcr
sc.delay(80)
Call read_answer()
sc.print
sc.delay(initdelay)
Wend
VResponse = 0
I=0
While VResponse = 0
I=I+1
sc.print "Sending EMM update packet 2 of 4, attempt number: " & cstr(I) & vbcr & "=================" & vbcr
sc.write("214053A0CA00004D004B0001AAA7534155E6C3314F0B3E557A 47B3E8048CD881927E58170CAE8472711ACFAD6B8493655674 AF7ACDA5BE8C9FEFC5E0F1A92706FB3F3417EA1EBF7117D7C5 47D62BE64BCF0BB9839C0557")
sc.print "Response from card: " & vbcr
sc.delay(80)
Call read_answer()
sc.print
sc.delay(initdelay)
Wend
VResponse = 0
I=0
While VResponse = 0
I=I+1
sc.print "Sending EMM update packet 3 of 4, attempt number: " & cstr(I) & vbcr & "=================" & vbcr
sc.write("210053A0CA00004D004B00016AD87B45FE02D9B16AFDB31683 4E8AFE1172B0633932A95CC7918391ED7A360166184973FA7B 312DFE5E1AF57A22D09468364B13CE19E2556606F29AD03D46 5BCCB1FFDAE72D30590B05C7")
sc.print "Response from card: " & vbcr
sc.delay(80)
Call read_answer()
sc.print
sc.delay(initdelay)
Wend
VResponse = 0
I=0
While VResponse = 0
I=I+1
sc.print "Sending EMM update packet 4 of 4, attempt number: " & cstr(I) & vbcr & "=================" & vbcr
sc.write("210053A0CA00004D004B00016A8BCC097FD4B3F5F056B7B336 962DB5FAD49577EADE0BDDF8F70D3D69081762270537B97837 9858EDED494352C42121670C925E3649CE906606CB47FBE5EC 52B46051AFF26B34C09D05E3")
sc.print "Response from card: " & vbcr
sc.delay(80)
Call read_answer()
sc.print
sc.delay(initdelay)
Wend
wx.closeport
wx.openport
sc.print
sc.print "Card should now be updated to Rev A23! Open Nagraedit and try Reset ATR to verify." & vbcr

o.c.d.
12-03-2007, 06:01 AM
Not being the cam genius, I’m finding it harder and harder to get good help or knowledge. It just seems that most sites are all about FTA. dssftp members did not help me unlock this cam but were instrumental in restoring 102 programming on another one of my cheap cams, thanks a lot for the information! You guys are great.

I was able to open the Rom10 A23 after my screw up. Here’s the important part of the winexplorer log, I hope it can help others. The loader was a homemade WT, built from files on the internet.



' Script date 11/10/04 - ReK
' added popup for test vcc ranges and delay ranges
' Added check for correct flash for Rom10 - NEEDS D8 FLASH
' Modified ATR - Thanks T0Y
' Modified to set winexplorer settings for script
' Modified to add SC.restart, card insertion detect, and led "twinkle"
' Added VCCanalyser routine to determine VCCStart and VCCLimit
' Added Dish or Bev card select
' FOR Dish rom 10 A23 or Bell Rom10 A81 STREAMLOCKED only.
' THANKS TO NO1B4ME, PENGA, WNC and T0Y...ReK

'**************************************************************************************

'Instruction Table
'01 Reset Card (Leaves card clock off)
'02 4.608 MHz Card Clock Off -FREEZE CAM
'03 4.608 MHz Card Clock On - FREE RUNNING CAM
'04 XX XX Delay $XXXX card clocks and glitch VCC on high phase with 1.152 MHz Card clock
'05 XX XX Delay $XXXX card clocks and glitch VCC on high phase with 1.536 MHz Card clock
'07 XX XX Delay $XXXX card clocks and glitch VCC on low phase with 1.152 MHz Card clock
'06 XX XX Delay $XXXX card clocks and glitch VCC on low phase with 1.536 MHz Card clock
'09 rom 10 glitch DELAY -- 2*CARD CLOCKS -- ex. 2x xx xx 09 for timing
'0E XX SET WD TIMER
'0F POWER DOWN CAM
'1X TX RX SPEED

'2X XX XX Delay $2X XX XX Atmel clock cycles

'8X-9X Rx from card, instruction anded with $1f plus 1 bytes Ex. $9F = rx $20 bytes
'aX-FX Tx to card, instruction anded with $5f plus 1 bytes Ex. $FF = Tx $60 bytes
'**************************************************************************************
'Commands
'80 Check Card Presence - Sends 1 byte
'90 Get chip ID - Sends 4 Bytes (DISH)
'AX Set Bi-color Led - X = 0 off, X = 1 Red, X = 2 Green
'B0 XX Set Glitch VCC - VCC = (5/255) * XX

Option Explicit
Dim TestFlag
Dim VCCTestMax,VCCTestMin
Dim VCCCeiling,VCCFloor
Dim VCCMax,VCCMin
DIM TryLimit
DIM Try
DIM Delay
Dim ResetCounter
Dim Bytes
dim bytes2
Dim BR2(5)
Dim VCCStart
Dim VCCLimit
Dim VCC
Dim DelayEnd
Dim DelayStart
Dim GlitchType
Dim TryCnt
DIM TRYCNT2
DIM RT
DIM TestMode
TRYCNT2=1
call setupunlocker
'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@2
'----------------------------Main Subroutine
Sub Main()
sc.verbose = false 'turns off debug, true makes it print sent and received data
' Check for Rom10 flash
if ChipVer <> 1 then
sc.MsgBox(" You need the D8 ROM10 Flash to run this script!" & VbCr & " Flash your chip with the D8 Rom10 Flash")

Exit Sub
end if
sc.print("Chip is flashed with D8 (version REK8) and was verified.")
SC.reset
Call IsCardInserted()

' ----------------Test for good vcc glitch voltages
'
VCCMax = "&h" & Sc.InputBox( "Try Using 1a", "Please enter Test VCC High",VCCMax)

VCCMin = "&h" & Sc.InputBox("Try Using 10", "Please enter Test VCC Lo ", VCCMin)
VCCTestMax = VCCMax
VCCTestMin = VCCMin
Sc.Print(vbCr & "VCC High " & VCCTestMax )
Sc.Print(vbCr & "VCC Low " & VCCTestMin )


TryLimit = 50 '<--- Set this to the number of glitches to test for each VCC.
Delay = &h1235 '<--- Set this to the Delay to use for each glitch try.

VCCCeiling = VCCTestMax
VCCFloor = VCCTestMin
Try = 0
TestFlag = "C"
VCC = VCCTestMax

sc.verbose = true

PowersyncUnlockRom10ver5a Testing Chuck Rom10

now we will try 11CB delay
6F6FFFFF6F6F6F6FFF6F6F6F6F6FFF RESET 6F6F6F6FFF6F6F6F6FFFFFFF6F6F6F6F6FFF6F6F6F6F6F6F6F 6FFF6FFFFF RESET 6F6FFF6F6F6F6FFFFFFF RESET RESET 6F6FFF6FFF6FFF6F6F6FFF6F6F6F6FFF6F6F6FFF6F6F6F6F6F 6FFF RESET 6F6F6F6F6F6F6F6F6F6F6FFF6F6F6F6F6FFFFF6F6F6FFFFFFF 6F6FFF6F6FFF RESET 6F6F6F6F6F6F6F6F6F6FFF6F6F6F6FFFFF6F6F6F6FFF6F6F6F 6F6F6FFF6F6FFF6F6F6F6F6FFF6F6FFF6FFF6F6F6F6F6F6F6F 6FFF6F6F6F6F6F6FFF6F6FFF RESET FF6F6F6F6F6FFF RESET 6F6F6F6F6FFF6FFF6F6FFFFFFF83

*********** we hit our bug *************
1200078303
===========================================
83 was hit at 11CB delay ----VCC WAS 04
TX Data : 0A 15 A3 21 92 00 B3 0E 03 85 00
RX Data : 0A 06
RX Data : 12 92 00 80 21
***************************
* A23 CAM should be OPEN *
* test in Nagra to see. *
* if not, try again. *
***************************
TX Data : A1
TX Data : A2
TX Data : A0