Looking for: DT RebelSerf 102_Rev109_247 Unlocker.Modified1440.xvb
sirdrinks
06-18-2008, 01:06 AM
HI guys,
I've got a tough 10b I'm trying to pop, I've done lots of reading here and from what I've read, the DT RebelSerf 102_Rev109_247 Unlocker.Modified1440.xvb seems to work pretty good on these cards. Here's my setup;
-P4 @1.8Ghz
-Powersync with diode mod and 4619 chipset (just got it a few weeks ago)
-9V 350 mA power supply
-switch 1 on (all others off, including 7, diode mod)
-flashed with RSX1
-pot at 2200 Ohm (2.2 Kohm)
I've tried RM_1C to no avail, it ran for 24+ hours at 2.2 Kohm. I tried setting it to ~200 Ohms, no luck after 2 hours.
I've looked in the files section but can't find this script, could someone point the way?
Thanks,
Drinks
taglio
06-18-2008, 08:56 AM
You may want to try lower resistance than 2.2k with RM_1a.
taglio
Wiley-X
06-18-2008, 04:29 PM
Here is my success with 102 Plastic @ Rev 10B:
PowerSync (Always buy the original from Mulestomp- don't buy a "red" knock-off version from Fleabay!)
Flash it with RSX1
PIN 1 on, all others off
Power supply between 8-10vDC (mA from 300-800)
I set the ohms at 200 to start (when adjusting ohms, unplug the PowerSync and remove all cards and cables!)
I run RM-1A for five hours (allow the script to make at least a few runs to see if it hits the "55")
After 5 hours (if unsuccessful) I move the ohms down by 10 and run the RM-1A for 5 more hours
Repeat above until you get down to 160 ohms (I would NOT go lower than 150 ohms). If you have not popped it by the time you hit 150 ohms, I would start back up at 200 ohms and work up to 250 ohms, 10 ohms at a time.
If you haven't found the "sweet spot" by then.... THEN I would look for that RebelSurf script.
BTW...the RM-1A is a "tweaked" version of RebelSurf scripts... it adjusts each script by which version of ROM102 it finds in the slot.
SuperManny
06-19-2008, 06:31 PM
Frankly I've had no luck with RM-1A or RM-1C, but if that works for you Wiley-X, more power to you! On my last fatality, I was trying something similar to your method, only I was going in 5 ohm increments, and it finally looped at 225 Ohms.:mad: I was using a blue Nexus - 2 & 5 down.
Sirdrinks, I think this is what you're looking for.
'********************************************* *****************************************
'* ____ __ _______ ____ *
'* / __ \___ / /_ ___ / / ___/___ _____/ __/ *
'* / /_/ / _ \/ __ \/ _ \/ /\__ \/ _ \/ ___/ /_ *
'* / _, _/ __/ /_/ / __/ /___/ / __/ / / __/ *
'* /_/ |_|\___/\____/\___/_//____/\___/_/ /_/ *
'* *
'* ____ _ __ __ __ __ *
'* / __ \____ ___ ____ (_) / / /___ / /___ _____/ /_____ _____ *
'* / / / / __ `__ \/ __ \/ / / / / __ \/ / __ \/ ___/ //_/ _ \/ ___/ *
'* / /_/ / / / / / / / / / / /_/ / / / / / /_/ / /__/ ,< / __/ / *
'* \____/_/ /_/ /_/_/ /_/_/\____/_/ /_/_/\____/\___/_/|_|\___/_/ *
'************************************************* *************************************
'* FOR STREAM LOCKED ROM 102S REVISION 10B. *
'* USES ONLY NDRS Flash *
'* Modified by DT for use with Powersync *
'* With 4619 Chips. OHMS not to exceed 192 Switch 4 *
'* *Use on 109s at your own risk* *
'* *
'* *
'************************************************* *************************************
Option Explicit
Dim Shell
Set Shell = CreateObject("WScript.Shell")
Dim StartDate
Dim FileName
Dim OutFile
Dim BuffFlg
Dim bytes2
Dim GltParm
Dim ParLen
Dim ReslFlg
Dim LoopCntr
Dim RstFlg
Dim DlType
Dim Rs2Flg
Dim DlFlg
Dim bytes
Dim Uflg
Dim Acnt
Dim Mix
Dim VS1
Dim VT1
Dim DS1
Dim LP1
Dim LP2
Dim T1
Dim T2
Dim T3
Dim T4
Dim T5
Dim T6
Dim T7
Dim T8
Dim VG
Dim DD
Dim RT
Dim GT
LP1 = 1
BuffFlg = 0
LoopCntr = 0
GltParm = 176
ReslFlg = 0
Rs2Flg = 0
ParLen = 2
RstFlg = 1
DlType = 64
DlFlg = 0
Uflg = 0
VT1 = 1
DS1 = &h1380
DD = &h1453
GT= 7
RT = DS1 'Do not change any values above this line
'^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^
Sub Main()
Call Setupunlocker()
If CheckChipVer <> 1 then
Sc.MsgBox("Flash Version NDRS needed to run this script" & VbCr & "Flash your Loader with NewDRS.hex")
Exit Sub
End if
' These, AND ONLY THESE :), are the variables you can change for rom 102 any revision up to 108/244
LP1 = 16 'Number of tries per delay FROM 20-100 in multiples of 20
VS1 = 16 'YOU CAN CHANGE THIS FROM 02-255 = semi-automatic VCC range - Loader dependent
Mix = .0625 'Glitch VCC resolution - attempts per VCC = 1/mix
'^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^
VG = VS1
sc.verbose = 0
Sc.Write("A0") ' turn led off
Clearoutputwindow
If ChkCard() = 0 then
Sc.MsgBox(" Unsupported Rom Version: Rom " & T1 & ", Rev " & T4 & " found." & VbCr & "This Script is for use with Rom 102, Rev 109/244 and higher")
exit sub
End If
If T7 = 1 then
Sc.MsgBox("Card not present or is unresponsive." & VBCr & " Unable to continue.")
Exit Sub
End If
sc.verbose = 0
Sc.Write("06 0E 03 01 03 9A 00") 'reset card
sc.read(02)
bytes = sc.getbyte(1)
sc.read(bytes)
sc.delay(16)
Sc.write("2A 6023 210020A0CA00001A041801018600AA9D9D9D9D9D9D9D9D9DAE 69CC7A9BBE000000000088 0E108500")
Sc.Read(2)
bytes = sc.getbyte(1)
If bytes > 5 then
sc.read(bytes)
bytes = sc.getbyte(0)
bytes2 = sc.getbyte(3)
If bytes = 18 and bytes2 = 132 then
Sc.MsgBox("Revision 105/241 or higher code not active on the card." & VbCr & " Card may be open or revision masked." & VBCr & " Unable to continue.")
exit sub
End if
End If
StartDate = Now()
Print "Initial Parameters = Delay:" & HexString(RT, 4) & " VCC:" & HexString(VG, 2) & " Glitch Type:" & HexString(GltParm, 2) & "/" & HexString(GT, 2)& vbcr & vbcr
Do
'sc.verbose = 1
Sc.Write(HexString(GltParm, 2) & HexString(VG, ParLen))
Acnt = 0
If RstFlg = 1 then
Do
Sc.Write("06 0E 03 01 03 9A 00") 'reset card
Sc.Read(02)
Bytes = Sc.Getbyte(1)
If Bytes > 25 then
Sc.Read(27)
RstFlg = 0
Exit Do
End if
Acnt = Acnt + 1
If Acnt > 5 then
Sc.MsgBox(" Check Loader Settings. Invalid or no atr. Card may be looped.")
exit sub
End If
Loop
'Sc.verbose = 1
Sc.write("09 6004 21C1018869 84 00")
Sc.Read(2)
bytes = sc.getbyte(1)
sc.read(bytes)
Sc.Write("14 600C 214009A0CA0000032201010E2D 0E15 5005 00")
sc.read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(Bytes)
Bytes = Sc.Getbyte(3)
If Bytes <> &hA2 And Bytes <> &h6F Then
Sc.MsgBox(" Improper Cmd22 response. Unable to continue.")
Exit Sub
End If
Sc.Delay(40)
End If
If RstFlg = 0 then
'sc.verbose = 1 'debug the packets
Sc.Write("37 702C 8D00A7A000000000000000000000AA000505007AC400807180 9CA64BB76B1864CD7C1631768008AE55CC7A9B3C" & HexString(DlType,2) & HexString(RT,4) & HexString(GT,2) & "0E20 85 00")
Sc.read(2)
bytes = sc.getbyte(1)
If bytes > 5 then
sc.read(bytes)
bytes = sc.getbyte(0)
bytes2 = sc.getbyte(3)
If bytes = &hD8 and bytes2 = &h55 then
Sc.verbose = 1
UFlg = 1
End If
If bytes = &hD8 and bytes2 = &h6F then
Print "-"
VG = VG - mix
RstFlg = 0
Rs2Flg = 0
Else
Print HexString(GT,2) & "+" & HexString(bytes2,2)
RstFlg = 1
Rs2Flg = Rs2Flg + 1
VG = VG + mix
End If
Else
PRINT HexString(GT, 2) & "Rst" & HexString(VG, 2)
RstFlg = 1
Rs2Flg = Rs2Flg + 1
VG = VG + mix
End if
If Uflg = 1 then
Print " !!!!!!!" & VBCr
Sc.Write("A1")
Shell.Run "%comspec% /c echo " & Chr(07) & Chr(07) & Chr(07) & Chr(07) & Chr(07), 0, True
Sc.delay(500)
print
print "******* Good response received! *********"& VbCr
PRINT " " & HEXSTRING(bytes2,2) & VbCr
Sc.Print "===========================================" & VbCr
print " " & HexString(bytes2, 2) & " was hit at: Delay:" & HexString(RT, 4) & " VCC:" & HexString(VG, 2) & " GlitchType:" & HexString(GltParm, 2) & "/" & HexString(GT, 2) &VBCr
print " Elapsed: " & TimeDiff(StartDate,Now())& vbcr
Print " VCC Resolution: " & mix & vbcr
Print " Delay Range: " & HexString(DS1, 4) & " to " & HexString(DD, 4) & VBCr
print
PRINT "********************************" & VBCR
PRINT "* REV 109+/247+ CAM NOW OPEN!! *" & VBCR
PRINT "* PROCEED AS NORMAL *" & VBCR
PRINT "* GOOD LUCK! :-) *" & VBCR
PRINT "********************************" & VBCR
exit sub
End If
If VG < VT1 then
VG = VS1
End If
LP2 = LP2 + 1
If LP2 > LP1 / mix then '
ClearOutputWindow
RT = RT + 1
IF RT = &h1421 Then
RT = &h1443
End If
LP2 = 0
print
print "" &vbcr
print "Ram Intercept Installed. Trying to Open the 102.... Delay:" & HexString(RT, 4) & " VCC:" & HexString(VG, 2) & " Glitch Type:" & HexString(GltParm, 2) & "/" & HexString(GT, 2) & VBCr & vbcr
sc.print "Elapsed = " & TimeDiff(StartDate,Now())& vbcr & vbcr
If RT > DD then
RT = DS1 - 1
GltParm = GltParm + 5
If GltParm > 186 Then
GltParm = 176
End If
If GltParm = 181 Then
If ReslFlg = 0 Then
ReslFlg = 1
LP1 = LP1 * 2
VS1 = VS1 * 2
VT1 = VT1 * 2
ParLen = 4
End If
End If
If GltParm <> 181 Then
If ReslFlg = 1 Then
ReslFlg = 0
LP1 = LP1 / 2
VS1 = VS1 / 2
VT1 = VT1 / 2
ParLen = 2
End If
End If
End If
End If
If VS1 >= 254 then
exit sub
End If
If DlType = &h40 Then
DlType = &h20
Else
DlType = &h40
End If
If VG =< 1 then
VG = VS1
End if
End If
If Rs2Flg >= 3 Then
Rs2Flg = 0
VG = VS1
If VT1 > 10 Then VT1 = 10
End If
If VG < VT1 Then
VG=VS1
End If
If VG + mix <=0 Then
VG = VS1
VT1=VT1+1
END If
Loop
End Sub
Function HexString(Number,Length)
Dim RetVal
Dim CurLen
RetVal=Hex(Number)
CurLen=Len(RetVal)
If CurLen<Length Then
RetVal=String(Length-CurLen,"0") & RetVal
End If
HexString=RetVal
End Function
Function CheckChipVer()
CheckChipVer = 1
sc.write("90")
delay(80)
If sc.read(4) <> 4 then
CheckChipVer = 0
Exit Function
End if
If getbyte(0) <> &H4E then CheckChipVer = 0
If getbyte(1) <> &H44 then CheckChipVer = 0
If getbyte(2) <> &H52 then CheckChipVer = 0
If getbyte(3) <> &H53 then CheckChipVer = 0
End Function
Function TimeDiff (StartTime, EndTime)
Dim Hours, Minutes, Seconds
Seconds = DateDiff("s", StartTime, EndTime)
If Seconds > 90000 Then Seconds = 90000
If Seconds < 0 Then Seconds = 0
Minutes = Seconds / 60
Minutes = Fix(Minutes)
Seconds = Seconds - (Minutes * 60)
Hours = Minutes / 60
Hours = Fix(Hours)
Minutes = Minutes - (Hours * 60)
Seconds = CStr(Seconds)
Minutes = CStr(Minutes)
Hours = CStr(Hours)
If Len(Seconds) = 1 Then Seconds = "0" + Seconds
If Len(Minutes) = 1 Then Minutes = "0" + Minutes
If Len(Hours) = 1 Then Hours = "0" + Hours
TimeDiff = Hours & ":" & Minutes & ":" & Seconds
End Function
Function ChkCard()
sc.verbose = 0
ChkCard = 1
Print ""
Print " Checking Card's Eeprom Revision ......." & VBCr
sc.delay(2000)
ClearOutputWindow
Sc.Write("06 0E 03 01 03 9A 00") 'reset card
sc.read(02)
bytes = sc.getbyte(1)
If bytes < 27 then
T7 = 1
ClearOutputWindow
Exit Function
End If
sc.read(bytes)
sc.delay(16)
T1 = chr(sc.getbyte(16))
T2 = chr(sc.getbyte(17))
T3 = chr(sc.getbyte(18))
T4 = chr(sc.getbyte(23))
T5 = chr(sc.getbyte(24))
T6 = chr(sc.getbyte(25))
T1 = T1+T2+T3
T4 = T4+T5+T6
If asc(T4) = 0 then
T4 = "000"
End If
Print " Rom " & T1 & ", Rev " & T4 & " found." & VBCR
print
Sc.delay(1500)
T8 = mid(T4, 3,1)
Select Case T8
Case "A"
T8 = 10
Case "B"
T8 = 11
Case "C"
T8 = 12
Case "D"
T8 = 13
Case "E"
T8 = 14
Case "F"
T8 = 15
End Select
If left(T4, 2) = 24 then
If T8 < 7 then
ChkCard = 0
exit function
End If
End If
If left(T4, 2) = 10 then
If T8 < 9 then
ChkCard = 0
exit function
End If
End If
If T1 <> "102" then
ChkCard = 0
exit function
End If
End Function
Function setupunlocker()
Wx.BaudRate = 115200
Wx.ResetBaudRate = 115200
Wx.Parity = 0 ' 0 = None, 1 = Odd, 2 = Even, 3 = Mark, 4 = Space
Wx.StopBits = 0 ' 0 = 1 stop bit, 1 = 1.5 stop bits, 2 = 2 stop bits
Wx.DTRControl = 0 ' Initial state of DTR 0 = off, 1 = on
Wx.RTSControl = 1 ' Initial state of RTS 0 = off, 1 = on
Wx.ResetDelay = 100 ' In microseconds
Wx.ByteDelay = 10 ' In microseconds
Wx.RxByteTimeout = 3000 ' In milliseconds
Wx.ResetMode = 2 ' 0 = No Resets, 1 = ISO Reset (Expect a ATR), 2 = Device Reset (No ATR)
Wx.ResetLine = 1 ' 0 = Toggle RTS for Reset, 1 = Toggle DTR for Reset
Wx.ByteConvention = 1 ' 0 = Inverse, 1 = Direct
Wx.FlushEchoByte = 0 ' 0 = no flush, 1 = flush - A Phoenix interface will echo each byte transmitted.
Wx.FlushBeforeWrite = 1 ' 0 = no flush, 1 = flush - Flush the receive buffer before each write to strip off Null bytes.
Wx.IgnoreTimeouts = 1 ' 0 = Abort script on a receive timeout, 1 = Ignore all receive timeouts
Wx.ResetAfterTimeout = 0 ' 0 = Don't reset after a timeout, 1 = do a reset after a timeout - Not used if "IgnoreTimeouts=0"
Wx.LogTransactions = 0 ' 0 = Don't log transactions, 1 = log transactions
Wx.DisplayUSW = 0 ' Display USW after script complete 0 = no, 1 = yes
Wx.DisplayFuse = 0 ' Display Fuse after script complete 0 = no, 1 = yes
End function
When it comes to dip switches, ONLY USE ONE DIP AT A TIME! These devices are not designed to run with multiple dips simultaneously. Read Skinerds sticky post on this in the rom glitching forums.
Wiley-X
06-19-2008, 10:31 PM
I have a clear Nexus and 2&5 are the recommended DIP settings for that line of loaders JT.
I have had my PowerSync for awhile now and I have not experimented with other DIP settings other than 5 to program and 1 to glitch. I have not looped any cards with the PS.. I do have a few that just run endlessly and won't open or loop.
Supermanny... sorry you lost a card at such (relatively) low ohms (225). The only times I have lost a card when using my clear Nexus is when I flash a loader and forget to move the dips back to 2&5 (glitch) and left it on 1&6 (program). RM-1A made quick work of the card and looped it. I have done this twice when switching between scripts and flashes.
sirdrinks
06-20-2008, 12:16 AM
Thanks for the info Wiley! It is a genuine Powersync (green), I'll try your advice and let you know...thanks Supermanny for the code too, is this one modified to start at delay 1440? Also, it says "switch 4" in the code header, I'm guessing that's not machine-specific, should I just stick switch 1 on? It says 1-4 are the clock setting switches...
Also, where's a good spot to measure mA's on the board, I think it's gotta be running to check amperage right? These cheap Chinese adaptors are always way off the claimed output...right now, I'm using a brand new duracell 9V battery to glitch, not sure how long it'll last, prolly not long...
Thanks for all your help guys!
Drinks
sirdrinks
06-21-2008, 12:11 AM
This card is a real BEEOCH. I ran rebelsurf's script all night and all day today at 190 Ohms, no luck. I was told this card was programmed by a dealer in Mexico, is that even possible? If so, is it possible for dealers to anti-glitch their cards?? I've thrown everything but the proverbial kitchen sink at this thing...I've dropped it down to 170 Ohms, I know I'm entering the danger zone but WTF...
LocoMex
06-21-2008, 05:58 AM
I had really good luck with RebelSurf's b5 glitch on two very stubborn 10b's. You might give that a try.
Wiley-X
06-21-2008, 06:51 AM
This card is a real BEEOCH. I ran rebelsurf's script all night and all day today at 190 Ohms, no luck. I was told this card was programmed by a dealer in Mexico, is that even possible? If so, is it possible for dealers to anti-glitch their cards?? I've thrown everything but the proverbial kitchen sink at this thing...I've dropped it down to 170 Ohms, I know I'm entering the danger zone but WTF...
So this card has been intercepted before and someone programmed it??? Dude, when you ask a question, you have got to give DETAILS!!!!
You might have better luck using the script that tries passwords. At least that one won't loop your card!!! It might take minutes, hours, or days, but if there is already an intercept and it is simply password protected, I would try the password script before any more glitching!!!!
LocoMex
06-22-2008, 01:21 AM
If the cards are password locked, there is a script that works well for that too. But, Wiley is correct, use password finder.
sirdrinks
06-22-2008, 07:50 AM
Thanks guys, that's the first thing I did! I ran passwordsender_rom102.xvb for over a day, no luck. The details are muddy as to where exactly the card came from but I was told it came from Mexico...locomex, I can't seem to find RebelSurf's b5 script, could you please point me to it?
Thanks again for all your help guys...
Drinks
LocoMex
06-22-2008, 08:40 AM
RebelSurf's b5 Glitch: I used PowerSync, SW2 at 200 Ohms, 9 volt power supply. Sorry, I don't have a way to send this to you in a zip format. Opened two very stubborn rev10b cards with this script in less than 20 minutes each.
'************************************************* *************************************
'* ____ __ _______ ____ *
'* / __ \___ / /_ ___ / / ___/___ _____/ __/ *
'* / /_/ / _ \/ __ \/ _ \/ /\__ \/ _ \/ ___/ /_ *
'* / _, _/ __/ /_/ / __/ /___/ / __/ / / __/ *
'* /_/ |_|\___/\____/\___/_//____/\___/_/ /_/ *
'* *
'* ____ _ __ __ __ __ *
'* / __ \____ ___ ____ (_) / / /___ / /___ _____/ /_____ _____ *
'* / / / / __ `__ \/ __ \/ / / / / __ \/ / __ \/ ___/ //_/ _ \/ ___/ *
'* / /_/ / / / / / / / / / / /_/ / / / / / /_/ / /__/ ,< / __/ / *
'* \____/_/ /_/ /_/_/ /_/_/\____/_/ /_/_/\____/\___/_/|_|\___/_/ *
'* CHANGOLEON *
'* FOR STREAM LOCKED ROM 102S REVISION 109+/247+ OR HIGHER. *
'* USES ONLY NDRS AVR CODE WITH LOADER *
'* LOADER MUST USE MAX4619 OR ADG733 SWITCHES FOR RELIABLE UNLOCKING *
'* USE LOADER SWITCH 2 OR 3 *
'* HAPPY UNLOCKING AND GOOD LUCK!! *
'* MODIFIED BY PERIQUITO *
'************************************************* *************************************
Option Explicit
Dim Shell
Set Shell = CreateObject("WScript.Shell")
Dim StartDate
Dim FileName
Dim OutFile
Dim BuffFlg
Dim bytes2
Dim GltParm
Dim ParLen
Dim ReslFlg
Dim LoopCntr
Dim RstFlg
Dim DlType
Dim Rs2Flg
Dim DlFlg
Dim bytes
Dim Uflg
Dim Acnt
Dim Mix
Dim VS1
Dim VT1
Dim DS1
Dim LP1
Dim LP2
Dim T1
Dim T2
Dim T3
Dim T4
Dim T5
Dim T6
Dim T7
Dim T8
Dim VG
Dim DD
Dim RT
Dim GT
LP1 = 1
BuffFlg = 0
LoopCntr = 0
GltParm = 176
ReslFlg = 0
Rs2Flg = 0
ParLen = 2
RstFlg = 1
DlType = 64
DlFlg = 0
Uflg = 0
VT1 = 1
DS1 = &h1410
DD = &h1453
GT= 7
RT = DS1 'Do not change any values above this line
'^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^
Sub Main()
Setupunlocker()
If CheckChipVer <> 1 then
Sc.MsgBox("Flash Version NDRS needed to run this script" & VbCr & "Flash your Loader with NewDRS.hex")
Exit Sub
End if
' These, AND ONLY THESE :), are the variables you can change for rom 102 any revision up to 108/244
LP1 = 40 'Number of tries per delay FROM 20-100 in multiples of 20
VS1 = 46 'YOU CAN CHANGE THIS FROM 02-255 = semi-automatic VCC range - Loader dependent
Mix = .0625 'Glitch VCC resolution - attempts per VCC = 1/mix
'^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^
VG = VS1
sc.verbose = 0
Sc.Write("A0") ' turn led off
Clearoutputwindow
If ChkCard() = 0 then
Sc.MsgBox(" Unsupported Rom Version: Rom " & T1 & ", Rev " & T4 & " found." & VbCr & "This Script is for use with Rom 102, Rev 109/244 and higher")
exit sub
End If
If T7 = 1 then
Sc.MsgBox("Card not present or is unresponsive." & VBCr & " Unable to continue.")
Exit Sub
End If
sc.verbose = 0
Sc.Write("06 0E 03 01 03 9A 00") 'reset card
sc.read(02)
bytes = sc.getbyte(1)
sc.read(bytes)
sc.delay(16)
Sc.write("2A 6023 210020A0CA00001A041801018600AA9D9D9D9D9D9D9D9D9DAE 69CC7A9BBE000000000088 0E108500")
Sc.Read(2)
bytes = sc.getbyte(1)
If bytes > 5 then
sc.read(bytes)
bytes = sc.getbyte(0)
bytes2 = sc.getbyte(3)
If bytes = 18 and bytes2 = 132 then
Sc.MsgBox("Revision 105/241 or higher code not active on the card." & VbCr & " Card may be open or revision masked." & VBCr & " Unable to continue.")
exit sub
End if
End If
RT = DD
StartDate = Now()
Print "Initial Parameters = Delay:" & HexString(RT, 4) & " VCC:" & HexString(VG, 2) & " Glitch Type:" & HexString(GltParm, 2) & "/" & HexString(GT, 2)& vbcr & vbcr
Do
'sc.verbose = 1
Sc.Write(HexString(GltParm, 2) & HexString(VG, ParLen))
Acnt = 0
If RstFlg = 1 then
Do
Sc.Write("06 0E 03 01 03 9A 00") 'reset card
Sc.Read(02)
Bytes = Sc.Getbyte(1)
If Bytes > 25 then
Sc.Read(27)
RstFlg = 0
Exit Do
End if
Acnt = Acnt + 1
If Acnt > 5 then
Sc.MsgBox(" Check Loader Settings. Invalid or no atr. Card se chingo loopeada.")
exit sub
End If
Loop
'Sc.verbose = 1
Sc.write("09 6004 21C1018869 84 00")
Sc.Read(2)
bytes = sc.getbyte(1)
sc.read(bytes)
Sc.Write("14 600C 214009A0CA0000032201010E2D 0E15 5005 00")
sc.read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(Bytes)
Bytes = Sc.Getbyte(3)
If Bytes <> &hA2 And Bytes <> &h6F Then
Sc.MsgBox(" Improper Cmd22 response. Unable to continue.")
Exit Sub
End If
Sc.Delay(40)
End If
If RstFlg = 0 then
'sc.verbose = 1 'debug the packets
Sc.Write("37 702C 8D00A7A000000000000000000000AA000505007AC400807180 9CA64BB76B1864CD7C1631768008AE55CC7A9B3C" & HexString(DlType,2) & HexString(RT,4) & HexString(GT,2) & "0E20 85 00")
Sc.read(2)
bytes = sc.getbyte(1)
If bytes > 5 then
sc.read(bytes)
bytes = sc.getbyte(0)
bytes2 = sc.getbyte(3)
If bytes = &hD8 and bytes2 = &h55 then
Sc.verbose = 1
UFlg = 1
End If
If bytes = &hD8 and bytes2 = &h6F then
Print "-"
VG = VG - mix
RstFlg = 0
Rs2Flg = 0
Else
Print HexString(GT,2) & "+" & HexString(bytes2,2)
RstFlg = 1
Rs2Flg = Rs2Flg + 1
VG = VG + mix
End If
Else
PRINT HexString(GT, 2) & "Rst" & HexString(VG, 2)
RstFlg = 1
Rs2Flg = Rs2Flg + 1
VG = VG + mix
End if
If Uflg = 1 then
Print " !!!!!!!" & VBCr
Sc.Write("A1")
Shell.Run "%comspec% /c echo " & Chr(07) & Chr(07) & Chr(07) & Chr(07) & Chr(07), 0, True
Sc.delay(500)
print
print "******* Good response received! *********"& VbCr
PRINT " " & HEXSTRING(bytes2,2) & VbCr
Sc.Print "===========================================" & VbCr
print " " & HexString(bytes2, 2) & " was hit at: Delay:" & HexString(RT, 4) & " VCC:" & HexString(VG, 2) & " GlitchType:" & HexString(GltParm, 2) & "/" & HexString(GT, 2) &VBCr
print " Elapsed: " & TimeDiff(StartDate,Now())& vbcr
Print " VCC Resolution: " & mix & vbcr
Print " Delay Range: " & HexString(DS1, 4) & " to " & HexString(DD, 4) & VBCr
print
PRINT "********************************" & VBCR
PRINT "* REV 10B+/289+ CAM NOW OPEN!! *" & VBCR
PRINT "* PROCEED AS NORMAL *" & VBCR
PRINT "* YA CHINGASTE! :-) *" & VBCR
PRINT "********************************" & VBCR
exit sub
End If
If VG < VT1 then
VG = VS1
End If
LP2 = LP2 + 1
If LP2 > LP1 / mix then '
ClearOutputWindow
RT = RT + 1
IF RT = &h1421 Then
RT = &h1443
End If
LP2 = 0
print
print "" &vbcr
print "Ram Intercept Installed. Trying to Open the 102.... Delay:" & HexString(RT, 4) & " VCC:" & HexString(VG, 2) & " Glitch Type:" & HexString(GltParm, 2) & "/" & HexString(GT, 2) & VBCr & vbcr
sc.print "Elapsed = " & TimeDiff(StartDate,Now())& vbcr & vbcr
If RT > DD then
RT = DS1 - 1
GltParm = GltParm + 5
If GltParm > 186 Then
GltParm = 176
End If
If GltParm = 181 Then
If ReslFlg = 0 Then
ReslFlg = 1
LP1 = LP1 * 2
VS1 = VS1 * 2
VT1 = VT1 * 2
ParLen = 4
End If
End If
If GltParm <> 181 Then
If ReslFlg = 1 Then
ReslFlg = 0
LP1 = LP1 / 2
VS1 = VS1 / 2
VT1 = VT1 / 2
ParLen = 2
End If
End If
End If
End If
If VS1 >= 254 then
exit sub
End If
If DlType = &h40 Then
DlType = &h20
Else
DlType = &h40
End If
If VG =< 1 then
VG = VS1
End if
End If
If Rs2Flg >= 3 Then
Rs2Flg = 0
VG = VS1
If VT1 > 10 Then VT1 = 10
End If
If VG < VT1 Then
VG=VS1
End If
If VG + mix <=0 Then
VG = VS1
VT1=VT1+1
END If
Loop
End Sub
Function HexString(Number,Length)
Dim RetVal
Dim CurLen
RetVal=Hex(Number)
CurLen=Len(RetVal)
If CurLen<Length Then
RetVal=String(Length-CurLen,"0") & RetVal
End If
HexString=RetVal
End Function
Function CheckChipVer()
CheckChipVer = 1
sc.write("90")
delay(80)
If sc.read(4) <> 4 then
CheckChipVer = 0
Exit Function
End if
If getbyte(0) <> &H4E then CheckChipVer = 0
If getbyte(1) <> &H44 then CheckChipVer = 0
If getbyte(2) <> &H52 then CheckChipVer = 0
If getbyte(3) <> &H53 then CheckChipVer = 0
End Function
Function TimeDiff (StartTime, EndTime)
Dim Hours, Minutes, Seconds
Seconds = DateDiff("s", StartTime, EndTime)
If Seconds > 90000 Then Seconds = 90000
If Seconds < 0 Then Seconds = 0
Minutes = Seconds / 60
Minutes = Fix(Minutes)
Seconds = Seconds - (Minutes * 60)
Hours = Minutes / 60
Hours = Fix(Hours)
Minutes = Minutes - (Hours * 60)
Seconds = CStr(Seconds)
Minutes = CStr(Minutes)
Hours = CStr(Hours)
If Len(Seconds) = 1 Then Seconds = "0" + Seconds
If Len(Minutes) = 1 Then Minutes = "0" + Minutes
If Len(Hours) = 1 Then Hours = "0" + Hours
TimeDiff = Hours & ":" & Minutes & ":" & Seconds
End Function
Function ChkCard()
sc.verbose = 0
ChkCard = 1
Print ""
Print " Checking Card's Eeprom Revision ......." & VBCr
sc.delay(2000)
ClearOutputWindow
Sc.Write("06 0E 03 01 03 9A 00") 'reset card
sc.read(02)
bytes = sc.getbyte(1)
If bytes < 27 then
T7 = 1
ClearOutputWindow
Exit Function
End If
sc.read(bytes)
sc.delay(16)
T1 = chr(sc.getbyte(16))
T2 = chr(sc.getbyte(17))
T3 = chr(sc.getbyte(18))
T4 = chr(sc.getbyte(23))
T5 = chr(sc.getbyte(24))
T6 = chr(sc.getbyte(25))
T1 = T1+T2+T3
T4 = T4+T5+T6
If asc(T4) = 0 then
T4 = "000"
End If
Print " Rom " & T1 & ", Rev " & T4 & " found." & VBCR
print
Sc.delay(1500)
T8 = mid(T4, 3,1)
Select Case T8
Case "A"
T8 = 10
Case "B"
T8 = 11
Case "C"
T8 = 12
Case "D"
T8 = 13
Case "E"
T8 = 14
Case "F"
T8 = 15
End Select
If left(T4, 2) = 24 then
If T8 < 7 then
ChkCard = 0
exit function
End If
End If
If left(T4, 2) = 10 then
If T8 < 9 then
ChkCard = 0
exit function
End If
End If
If T1 <> "102" then
ChkCard = 0
exit function
End If
End Function
Function setupunlocker()
Wx.BaudRate = 115200
Wx.ResetBaudRate = 115200
Wx.Parity = 0 ' 0 = None, 1 = Odd, 2 = Even, 3 = Mark, 4 = Space
Wx.StopBits = 0 ' 0 = 1 stop bit, 1 = 1.5 stop bits, 2 = 2 stop bits
Wx.DTRControl = 0 ' Initial state of DTR 0 = off, 1 = on
Wx.RTSControl = 1 ' Initial state of RTS 0 = off, 1 = on
Wx.ResetDelay = 100 ' In microseconds
Wx.ByteDelay = 10 ' In microseconds
Wx.RxByteTimeout = 3000 ' In milliseconds
Wx.ResetMode = 2 ' 0 = No Resets, 1 = ISO Reset (Expect a ATR), 2 = Device Reset (No ATR)
Wx.ResetLine = 1 ' 0 = Toggle RTS for Reset, 1 = Toggle DTR for Reset
Wx.ByteConvention = 1 ' 0 = Inverse, 1 = Direct
Wx.FlushEchoByte = 0 ' 0 = no flush, 1 = flush - A Phoenix interface will echo each byte transmitted.
Wx.FlushBeforeWrite = 1 ' 0 = no flush, 1 = flush - Flush the receive buffer before each write to strip off Null bytes.
Wx.IgnoreTimeouts = 1 ' 0 = Abort script on a receive timeout, 1 = Ignore all receive timeouts
Wx.ResetAfterTimeout = 0 ' 0 = Don't reset after a timeout, 1 = do a reset after a timeout - Not used if "IgnoreTimeouts=0"
Wx.LogTransactions = 0 ' 0 = Don't log transactions, 1 = log transactions
Wx.DisplayUSW = 0 ' Display USW after script complete 0 = no, 1 = yes
Wx.DisplayFuse = 0 ' Display Fuse after script complete 0 = no, 1 = yes
End function
Wiley-X
06-22-2008, 04:57 PM
LocoMex, thanks for the post...can you edit and place CODE and /CODE tags around the code to save some parsing space.
sirdrinks
06-22-2008, 11:50 PM
Thanks for the code locomex, the card finally popped last night! Here are my settings;
Powersync with 9V 300mA supply
Pot set at 170 Ohms
using rebelsurf's script posted by Supermanny above
switch 1 on (all others off, including 7, diode mod)
Thanks for all your help guys! I just wish I had more cards to do...:)
LocoMex
06-23-2008, 12:10 AM
Congrats Sirdrink, those can be real beeeaches.