I have a 6000 IRD which is subbed with minimal tiers. It is jtagged but the subbed CAM is an S04 and is currently unglitchable and can't be read. I want to test with this IRD using EMU, but also want to preserve the subscription status so I can use it during ECMs (like now). Therefore, I don't want to touch the TSOP at all. I want to be able to quickly switch to "subbed" mode without any hassle.

Question: Is it possible to generate a bin using GentDT08 which will work with the IRD? Remember, I want the IRD to function both as a testing receiver AND as a subbed receiver. The current CAM is unreadable, and I don't want to modify the TSOP.

Grateful for all responses.

Nope, sorry. If you could [and you can`t] get your entire keyset off the S04, then you could write a rom102. You can not use GenDT08 because it requires a TSOP mod.

Thanks. I appreciate the reply.

I know from reading that a 6000 can use an SK (even though it was previously believed that it couldn't). Can I modify the current subbed TSOP to use an SK with a new bin while preserving the old RSA? In essence, the EMU bin will rely on an SK while the subbed bin will use the RSA. I'm still trying to wrap my brain around all of this :) .

Also, Dave411, I read a response from you in another thread saying to the original poster that if he had a bin with a valid DT08, all he needed to do to his TSOP was update the IRD# and boxkeys, even if using private info (i.e. no other mods to the TSOP). I have a bin with this 6000's info working on another IRD (thus a valid DT08?). Why can't I use that bin?

Persistence!

You could jtag, save the current tsop, then load a public numbers tsop in. Run you emu when all is working, then during an ecm, load back the original firmware and put in your subbed cam...just an idea...a little work, but nothing too difficult.

I know from reading that a 6000 can use an SK (even though it was previously believed that it couldn't). Can I modify the current subbed TSOP to use an SK with a new bin while preserving the old RSA? In essence, the EMU bin will rely on an SK while the subbed bin will use the RSA. I'm still trying to wrap my brain around all of this :) .

Also, Dave411, I read a response from you in another thread saying to the original poster that if he had a bin with a valid DT08, all he needed to do to his TSOP was update the IRD# and boxkeys, even if using private info (i.e. no other mods to the TSOP). I have a bin with this 6000's info working on another IRD (thus a valid DT08?). Why can't I use that bin?

Persistence!

From all testing I and others have done in my stead SK will NOT work on 6000! Sk setup would require you change the sk in the tsops anyway so forget sk!

On the other hand, a dt08 only requires the keyset and standard rsakeys on the ird side to setup a dt08 on a 102. Therefore it is possible but not easy! You must save both 6000 tsops and use the 6000 TSOP Combiner to make them into one. Then seach the combined tsop using romexplorer's find command for "A4E9B585". The "A4" is the start address of Rsakey 1. Add 64 to it and you have the start address of Rsakey2. These keys are in different places for different tsops so you must search. Then these addresses must be placed into the gendt08.cfg file definition below and then this def. must be put in gendt08.cfg. Failure to do this will result in gendto8 generating non-standard rsakeys at the addresses specified. If gendt08 finds standard keys at the specified addresses then it will use them to calculate the dt08 and no modification of the tsops is needed. The resulting card dt08 will run the 6000 on the open 102 testing cam!

// 6000 12N
// DISH
// firmware=856P
// combined flash file
[6000]
model = 6000
modelid = 12NN8
modelpoint = 3DFFF4
softwarepoint = 3DFFF8
checksumstart = 200000
checksumend = 3DFFFC
checksumpoint = 3DFFFC
checkpoint = 3DFF90
bootstrappoint = 3FFFA0
bootcspoint = 3FFFA4
buildconfpoint = 3FFFA8
irdnumpoint = 3FFFC0
boxkeypoint = 3FFFC8
rsa1 = 2C7A40
rsa2 = 2C7A80
sk = 3FFF40
dualtsop = 0

Note1: It is the use of non-standard rsakeys in tsops that causes irds to go nag005 on firmware updates. Update overwrites non-standard keys with standard keys.
Note2: If gendt08-sk generated a sk for cam based off the sk in the tsop(s) then rewrite of tsop sk would not be required! The providers do this!

Here are the standard keys:

RSA 1

A4 E9 B5 85 93 2F 90 28 2F D7 0C 90 81 76 E8 60
5E 6B 2C E6 29 33 5A 0F C1 5B 31 DA B0 BF C6 FE
EB 88 CF C6 96 49 99 4C D3 FE 03 9C 99 65 C6 20
C4 D5 82 8E 91 53 99 8E E4 AE 0E 8C 25 64 4D F3

RSA 2

23 72 80 AA B3 6B E4 B2 1F C7 1F BF 08 21 8E 53
2A 54 5E 74 4D 7B 00 7F F8 69 BA 42 68 31 C4 AC
65 3F 38 25 AD E9 35 8F CD 1F 02 39 EC 44 7C BC
27 65 CC 0A EB E4 37 AF 22 70 FC 46 1C 2F A0 42

Workman, very interesting post! I don`t use GenDT08 much, but if one can work "backwards" by using a known SK and get a card to work, that is BIG news for me. I have a 921 that I know the SKs, but the card is at 30B and I can`t unlock it yet. So with another 103 card that I can open, I should be able to create a card bin that will use my SKs. That would make vid-mods and modifying TSOPs a thing of the past!!

Philly100: What I meant in the post you refer to would be more applicable to using your S04 in another receiver by just changing the IRD# and BKs to match the S04. Not clear what you mean by having a bin with the 6000`s info working in another IRD. If you did this without modding the TSOP in the second IRD, I guess it would work. With Workmans post though, I can see how it should work now by using the RSA keys in the present TSOP and working backwards. I was not aware this could be done so I`m learning this new method to.

This is really good news for those of us who prefer not to solder and vidmod stuff!!! Thanks for the info Workman! I have a lot of experimenting to do!!

Workman, just had a thought concerning what Philly is trying to do. Could he not just take say a 2800 bin with the 6000 IRD# and BKs, find the RSA keys in it and put those locations in the 2800 CFG file, and generate the DT08 card bin with that TSOP? Same RSA keys would be used so the card bin should work in any IRD with those IRD#s and BKs just like a real DT08 card. Might be easier that doing that 6000 combine deal.

Workman, very interesting post! I don`t use GenDT08 much, but if one can work "backwards" by using a known SK and get a card to work, that is BIG news for me. I have a 921 that I know the SKs, but the card is at 30B and I can`t unlock it yet. So with another 103 card that I can open, I should be able to create a card bin that will use my SKs. That would make vid-mods and modifying TSOPs a thing of the past!!

I did not say gendt08-sk would do this, in fact it will NOT! Note 2 states the Providers are doing this because they never modify the ird SK, they just mod the cam SK by using the fixed ird SK as a reference!

Gentlemen, after rereading the gendt08-sk readme file the dt08 is created by changing the rsakey 2 to a non-standard key therefore the tsop would have to be modified with the new rsakey 2. This will make the desired result of this thread impossible! Only a dt08 which uses both standard keys will work!

Workmen and Dave411,

I can't tell you both how much I'm learning and marveling at the information going back and forth. The depth of knowledge here is just outstanding.

I've reread this entire post about 10 times and am still unsure of the answer. It seems from the previous posts that Workmen is saying that I will be able to accomplish what I need with some careful virtual surgery. But later, it states that what I'm trying to accomplish will be impossible (at least using GenDT08). Can one of you clarify? Are there other tools or techniques which I might try? I don't mind experimenting so long as there is a chance of success.

Again, both of you rock, particulary Workmen who seems to have a true grasp of the inner mechanisms of the testing science.

Thanks for the help.

Which ird's use dto8's and which use sk?