bigd99
06-19-2008, 07:27 AM
I have a 102 card; got it off eBay.
Tried reading it, got no ATR. Been messing around with different scripts trying to read it; have read some people have had a little success opening soft-looped cards.
Used UNIXWHORE's 102 unlocker 2.9B.
It gets to where it writes a good ATR, then asks me what to name the image and where to save it. I name it then hit enter, but it stops with an error that says "AOFF intercept is not installed or card locked."
So I found a script that's called glitch CMD 04- payload for AOFF write patch and ran it. It ran to almost the end, line 346 (less than ten lines to the end). Found several other scripts that said AOFF in them but they all did the same thing: stop on line 346.
Can anyone help me??????
Thanks bigd99
retiredguy
06-19-2008, 08:09 AM
Is that the card that you are having problems with at that other site? Doesn't RM_1 work on softlooped cams?
bigd99
06-19-2008, 08:15 AM
No, this is a different card. Hmm?? But it did come from the same source.
gobtool
06-27-2008, 04:51 PM
Umlooped? As Ralph says "Me fail English? That's umpossible". No hard feelings, I am trying to get over the loss of a loved one - my 103 icam.
SEARCHY4
06-27-2008, 10:01 PM
Those "ATR responses" are fake. Those scripts lie. You are not getting an ATR.
hackkil
06-28-2008, 12:41 AM
Hell, can't unloop ROM2's or 3's from Nagra 1 days, lol.
Cid6.7
07-02-2008, 11:22 PM
This is because the card does not have intercept installed. I know the script you are using very well. Your card is softlooped, most likely from a bad write OR provider looped OR from that penga blocker mishap. If it is a true ATR it's hitting, please post the log from the UNIX script. Also do a search for a script called UNIX_2.9B_READ_WRITE & choose the write function; have a clean 102 image on hand just in case.
Good Luck !
bigd99
07-03-2008, 06:22 AM
I don't know how to post the log from the script. I made a file of it but
couldn't figure out how to add it to the reply.
The only file I could find was unix2.9b_both-fix. Is that the same?
Ran it; it asks read or write, chose write, then it asks penga's, toy's or no cmd.
Tried all three; ran until line 562
Sc. write("77150e036070"&check bugs &"8700"
delay 50
read 2 sc. get bite 1 if bites<>8
checklock=0
It stops there.
I can run the program 10 times and always get the same ATR #. Would it give the same ATR # if it was a false random ATR? I don't know.
If you have any ideas let me know.
Thanks for your help and time
bigd
Cid6.7
07-07-2008, 02:33 AM
Try this
'UNiXWHoRe's 102 Unlooper 2.9b Dual CMD
'With Added Write Function by Toy Thanks Buddy =)
'This has worked to bring back failed write cards
'May Take awhile be patient
'For Testing Purposes only.
'
'USE NEWDOUBLED9 FLASH
'
'
'
OPTION EXPLICIT
Dim FileName
Dim Dump
Dim OutFile
Dim BootStrapCmd04
Dim BSCLen
Dim BSCRSP
Dim BSACK
Dim CmdToGlitch
Dim CTGLen
Dim CTGRSP
Dim CS
Dim Bytes
Dim BytesRead
Dim Bytes1
Dim Bytes2
Dim DelayStart
Dim DelayLimit
Dim VCCStart
Dim VCCLimit
Dim GlitchType
Dim GlitchMax
Dim GlitchMin
Dim ATRDelay
Dim VCC
Dim Dot
Dim ATRrsp
Dim loopctr
Dim AddrHiStart
Dim AddrHiEnd
Dim RomAddr
Dim PageSet
Dim trys
Dim mix
Dim Rsp, Byte1, Byte2, Byte3
Dim atrVCCStart, atrVCCEnd, atrVCC
Dim atrDelayStart
Dim atrDelayLimit
Dim atrVCCLimit
Dim atrGlitchType
Dim atrGlitchLimit
Dim atrGlitchStart
Dim atrtrys
Dim atrmix
Dim Cmd
Dim outcount
Dim InsideDelay
Dim TestMode
Dim ModeSelect
Dim ATRDelayRange
Dim ATRDelayDone
Dim Intercept
Dim Message
Const fsoSEEK_SET = 0
Const fsoSEEK_CUR = 1
Const fsoSEEK_END = 2
Const ofOverwritePrompt = &H2 ' Generates a warning message if the user tries to select a file name that is already in use,
Const ofHideReadOnly = &H4 ' Removes the Open As Read Only check box from the dialog.
Const ofPathMustExist = &H800 ' Generates an error message if the user tries to select a file name with a nonexistent directory path.
Const ofFileMustExist = &H1000 ' Generates an error message if the user tries to select a nonexistent file. (only applies to Open dialogs).
Const ofShareAware = &H4000 ' Ignores sharing errors and allows files to be selected even when sharing violations occur.
Const ofEnableSizing = &H800000 ' (Windows 98 and later) Lets the Explorer-style dialog be resized with the mouse or keyboard.
Dim T1
Dim T2
Dim T3
Dim T4
Dim T5
Dim T6
Dim EEPROMFileName
Dim OutFileHndl1, FileFilter, FileName1
Dim WriteDelay
Dim ActionChoice
'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
WriteDelay = 10 'This can be edited to increase delays for slower loaders. Default = 10 X
'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Sub Main()
clearoutputwindow
sc.Reset
if CheckChipVer <> 1 then
' Sc.MsgBox("You need the NewDoubleD9 flash from UNiXWHoRe to run this script!" & VbCr & VbCr & " Flash your Atmel chip with NewDoubleD9!")
' Exit Sub
End if
'===================================================
'===================================================
'User selectable options
'===================================================
'===================================================
atrVCCStart = &h39 'CHANGE THESE TO VALUES THAT WORKED
atrVCCLimit = &h02 'FOR YOUR UNLOCKER ON 102'S BEFORE
atrDelayStart = &h5009 '&h319
atrDelayLimit = &h500A '&h390
atrGlitchStart = 4 '4 is standard
atrGlitchLimit = 9 '9 is standard
'EDITED TO USE ANY FLASH
'************************************************************
'************************************************************
'******** This Section is FOR ADVANCED USERS ONLY **********
'************************************************************
'************************************************************
Message=" The LEDs on your loader will NOT flash with this one!"
ActionChoice=Sc.ButtonBox("Choose to READ cam or WRITE cam:", vbDefaultButton4, "Select your cam option:", "READ Eeprom", "WRITE Eeprom")
Select Case ActionChoice
Case 1
ActionChoice=1
Case 2
ActionChoice=2
End Select
Intercept=Sc.ButtonBox("Please choose a A0FF Intercept method:", vbDefaultButton4, "A0FF Intercept Select", "Penga's", "T0Y's", "No CMD's")
Select Case Intercept
Case 1
ModeSelect=2
Case 2
ModeSelect=1
Case 3
ModeSelect=1
TestMode=True
End Select
ATRDelayRange = ATRDelayLimit - ATRDelayStart
Sc.Verbose = true 'Turns echo on or off
Sc.Print VbCr & "Let the ROM102 ATR glitch begin...." & VbCr & VbCr
Do
for ATRDelay=ATRDelayStart to ATRDelayLimit
ATRDelayDone=ATRDelayDone+1
for VCC=ATRVccStart to ATRVccLimit step -1
for Glitchtype=ATRGlitchStart to ATRGlitchLimit
for InsideDelay=1 to 5
sc.Delay(50)
Sc.Write("B0" & HexString(VCC, 2))
sc.delay(10)
CMD = "0A 10 01 03 20" & HexString(ATRDelay,4) & HexString(Glitchtype,2) & "50 1A 00"
Sc.Write(CMD)
Sc.Delay(10)
sc.progressbox Message & VbCr & VbCr & " Delay - " & HexString(atrdelay,4) & " VCC - " & HexString(vcc,2) & " Glitchtype - " & HexString(glitchtype,2), ATRDelayDone , ATRDelayRange, "Glitching for ATR..."
Sc.Read(02)
If Getbyte(1) = &h1B then
Sc.Verbose=True
ATRrsp = Sc.Getbyte(1)
ATRrsp = Sc.Read(ATRrsp)
byte1=Sc.Getbyte(0)
byte2=Sc.Getbyte(1)
byte3=Sc.Getbyte(2)
Sc.Verbose=True
If ActionChoice=1 Then
Call ReadCard ()
Exit Sub
End if
If ActionChoice=2 Then
Call WriteCard ()
Exit Sub
End if
select case ModeSelect
Case 1
Sc.ProgressBox 0,0,0,0
Call Read1
Case 2
Sc.ProgressBox 0,0,0,0
Call Read2
Case else
Sc.ProgressBox 0,0,0,0
print VbCr & "ModeSelect is set to an unknown value." & VbCr
print "Defaulting to Mode 1." & VbCr
Call Read1
End Select
Exit Sub
end if
next
next
next
next
Sc.Progressbox 0,0,0,0
ATRDelayDone=0
loop
End Sub
'ATR has been received in one form or another... CMD04!
Sub Read1()
Dim Address, Bytes, B, x, y, z, i
Sc.Verbose = True
Sc.MsgBox " We HIT!!!" & VbCr& VbCr & "ATRVCC = "& HexString(VCC, 2) & " (~" & ((5/255) * VCC) &" vdc)" & VbCr & "ATRDelay = "& HexString(ATRDelay, 4) & VbCr & "ATRGlitchType = " & HexString(GlitchType, 2) & VbCr
If testmode=True then
exit sub
end if
Sc.Delay(20)
Sc.Write("021500")
Sc.Read(2)
Sc.Delay(10)
Sc.Write("0A600421C101A041500400")
Sc.Read(2)
If Sc.Bytesinbuffer Then
Bytes=Sc.GetByte(1)
Sc.Read(Bytes)
End If
Address = 12288
Do
Bytes = "21003DA0CA000037043501018600AA9D9D9D9D9D9D9D9D1762 CD59DA010080126BA615CD5AC0" & HexString(Address,4) & "0DFA409D9DCD64729540CC7A9D9D9D9D9D9D9D9DCC008002"
Bytes = Bytes & DoCheckSum(Bytes)
Sc.Delay(10)
Sc.Write("480315E0" & Bytes & "0E108700")
Sc.Read(02)
Byte1 = Sc.Getbyte(1)
If Byte1 > 0 Then
Sc.Read(Byte1)
Byte2 = Sc.Getbyte(0)
Byte3 = Sc.Getbyte(3)
If Byte2 <> &h12 Or Byte3 <> &h84 Then
Sc.MsgBox VbCr & " --- PACKET FAILED, Check ATR --- "
Exit Sub
End If
End If
Bytes = "210007A0FF0000024800"
Bytes = Bytes & DoCheckSum(Bytes)
Sc.Print VbCr & "------------------------------------" & VbCr
Sc.Print "Attempting to load BootStrap on Card" & VbCr
Sc.Print "------------------------------------" & VbCr & VbCR
Sc.Delay(10)
Sc.Write("1215AA" & Bytes & "0E10504700")
Sc.Read(02)
Byte1 = Sc.Getbyte(1)
If Byte1 = 0 Then
Sc.MsgBox "========================" & VbCr & "Glitch FAILED!! A0FF-INTERCEPT IS OFF"&VbCr & " BootLoader 6F 00 RSP NOT Received!!" & VbCr & "========================"
Exit Sub
End If
If Byte1 = 72 Then
Sc.Read(Byte1)
x=Address
y=1
Sc.Print VbCr & "$" & HexString(x,4) & "="
For i = 5 to 68
z = Sc.GetByte(i)
Sc.Print HexString(z,2)
y = y + 1
If y > 16 Then x=x+16
If i < 68 Then
Sc.Print VbCr & "$" & HexString(x,4) & "="
End If
y=1
next
End if
Address = Address + 64
If Address = 14336 Then Address = 32768
If Address = 49152 Then Exit Do
Loop
Sc.MsgBox "========================" & VbCr & "Glitch Success!! A0FF-INTERCEPT IS ON"&VbCr & " BootLoader 6F 00 RSP Received!!" & VbCr & "========================"
End Sub
sub Read2()
Sc.MsgBox " We HIT!!!" & VbCr& VbCr & "ATRVCC = "& HexString(VCC, 2) & " (~" & ((5/255) * VCC) &" vdc)" & VbCr & "ATRDelay = "& HexString(ATRDelay, 4) & VbCr & "ATRGlitchType = " & HexString(GlitchType, 2) & VbCr
If testmode=True then
exit sub
end if
BootStrapCmd04 = "21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9DA64B B76B1864CD7C169500BE0CA64BB76B1864CD7C163176A507CC 7A990005050060DB95009D9D9D9D9D9D9D9D9D9D9D9D9D9D9D BC801763A1CA2603CC60ECCC7D999D9D9D9D9D9D9D9D9D9D9D 9D9D9D9D9D9D9D9D9DBC8002 "
BSCRSP = 8 'Expected Response = 12 00 04 84 00 90 00 02
BSACK = &H55 'Boot Strap running Acknowledge byte
CmdToGlitch = "21 00 08 A0 CA 00 00 02 15 00 08"
CTGRSP = 1 '14 RSP + 1 BSACK
BSCLen = GetPacketLen(BootStrapCmd04)
BSCLen = BSCLen / 2
BSCLen = BSCLen + 1 'add Checksum byte to packet length
CTGLen = GetPacketLen(CmdToGlitch)
CTGLen = CTGLen / 2
CTGLen = CTGLen + 1 'add Checksum byte to packet length
CS=DoCheckSum (BootStrapCmd04) 'Calculates BootStrapCmd04 Checksum
BootStrapCmd04 = BootStrapCmd04 + CS 'add checksum to packet
CS=DoCheckSum (CmdToGlitch) 'Calculates packet Checksum
CmdToGlitch = CmdToGlitch + CS 'add checksum to packet
Sc.Print VbCr & "------------------------------------" & VbCr
Sc.Print "Attempting to load BootStrap on Card" & VbCr
Sc.Print "------------------------------------" & VbCr & VbCR
Sc.Write("02 15 00") 'set Tx/Rx to 32 cycles per bit
Sc.Read(02)
'Send dirty EMM (Cmd04) with our ram dump code
Sc.Write(HexString((BSCLen + 5), 2) & "60" & HexString((BSCLen - 1), 2) & BootStrapCmd04 & "50" & HexString((BSCRSP - 1), 2) & "00")
Sc.Read(2)
Bytes = Sc.Getbyte(1)
if Bytes > 0 then
Bytes = Sc.Read(Bytes)
Bytes1 = Sc.Getbyte(0)
Bytes2 = Sc.Getbyte(5)
'--------check response to make sure = 12 00 04 97 00 90 00 11--------
if Bytes1 = &h12 and Bytes2 = &h90 then
sc.verbose = True
else
Sc.MsgBox "========================" & VbCr & "Glitch FAILED!! A0FF-INTERCEPT IS OFF"&VbCr & " BootLoader 6F 00 RSP NOT Received!!" & VbCr & "========================"
exit sub
end if
else
Sc.MsgBox "========================" & VbCr & "Glitch FAILED!! A0FF-INTERCEPT IS OFF"&VbCr & " BootLoader 6F 00 RSP NOT Received!!" & VbCr & "========================"
exit sub
End if
sc.delay(20)
Sc.Write(HexString((CTGLen + 10), 2) & "15 60" & HexString((CTGLen - 1), 2) & CmdToGlitch & "20" & HexString(ATRDelay, 4) & HexString(GlitchType, 2) & "50" & HexString((CTGRSP - 1), 2) & "00")
Sc.Read(2)
Bytes = Sc.Getbyte(1)
if Bytes > 4 then
Bytes = Sc.Read(Bytes)
Bytes1 = Sc.Getbyte(3)
Bytes2 = Sc.Getbyte(0)
'--------check response to SEE IF = 6F 00--------
if Bytes1 = &h6F then
Sc.MsgBox "========================" & VbCr & "Glitch Success!! A0FF-INTERCEPT IS ON"&VbCr & " BootLoader 6F 00 RSP Received!!" & VbCr & "========================"
exit sub
end if
Else
Sc.MsgBox "========================" & VbCr & "Glitch FAILED!! A0FF-INTERCEPT IS OFF"&VbCr & " BootLoader 6F 00 RSP NOT Received!!" & VbCr & "========================"
exit sub
end if
End sub
Sub ReadCard()
Dim Bytes
Dim BootStrap
Dim CS
Dim Counter
Dim PBCounter
Dim Address
Address = 12288
PBCounter = 1
Sc.Write("06100103501A00") '-Get ATR
Sc.Delay(80)
Sc.Read(2)
Bytes = Sc.GetByte(1)
Sc.Read(Bytes)
Sc.Write("021500")
Sc.Read(2)
Sc.Write("0A600421C101A041500400") '-Set IFS
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(Bytes)
GetEEPROMFileName()
Do
'Get 64 bytes from Card using "Address" as pointer
BootStrap = "21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9D7180 CD5AC0" & HexString(Address, 4) & "0DF840B691B74CCD4505CC7A959D9D9D9D9D9D9D9D9D9D9D9D 9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D 9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D 9D9D9D9D9D9D02"
CS = DoCheckSum(BootStrap) 'Get Checksum of BootStrap string
BootStrap = BootStrap & CS
Sc.Write("77150E036070" & BootStrap & "8700")
Sc.Read(2)
bytes = Sc.GetByte(1)
Sc.Read(bytes)
Sc.Write("1215AA210007A0FF0000024800330E03504000") 'Execute BootStrap String with A0FF intercept
Sc.Read(2)
Bytes = Sc.GetByte(1)
Sc.Read(bytes)
If Bytes = 0 Then 'Check condition of Atmel after read request
Print(VbCr & "--- Eeprom Read Failed, A0FF intercept is not installed, Or card locked. ---")
Call Sc.MsgBox("--- Eeprom Read Failed, A0FF intercept is not installed ---")
Exit Sub
End If
If Bytes = 65 Then
Counter = Counter + 1
For i = 0 To 63
Call Fs.FilePutc(OutFileHndl1, Sc.GetByte(i))
Next
Call Sc.ProgressBox("Address: " & Hexstring(Address, 4), PBCounter, 288, "Saving Eeprom information...")
Address = Address + 64 'increment address pointer by &h40 bytes
If Address = 14336 Then 'If address gets to $3800 then change it to $8000
Address = 32768
End If
PBCounter = PBCounter + 1 'Increment the progressbar
If Address = 49152 Then Exit Do 'If we're at the end, then exit
End If
Loop
Call Sc.ProgressBox("", 0, 256) 'close the progressbar
Fs.FileClose(OutFileHndl1) 'close the file
Sc.MsgBox("Reading Complete!")
End Sub
Sub WriteCard()
Dim CheckBugs
Dim BugOrig
Dim InFile
Dim FileName1
Dim FileSize
Dim ThisByte
Dim TmpStr
Dim Outfile
Dim CC
Dim Address
Dim Bytes
Dim PBCounter
Dim Tmp1
Dim Tmp2
Dim checklock
Dim Bootwrite
Address = 12416
PBCounter = 1
'---------------------------------------------------------------------------------------------
Const FileFilter = "All Eprom Files (*.bn102, *.bin)|*.bn102;*.bin;|Bin Files (*.bn102)|*.bn102|Bin Files (*.bin)|*.bin"
FileName1 = Fs.FileOpenDialog(FileFilter, "Please select a valid bin file", ofPathMustExist + ofFileMustExist + ofHideReadOnly + ofEnableSizing)
'If FileName1 <> "" Then
'If Fs.FileExists(FileName1) = 0 Then
'Sc.MsgBox("The file does not exist")
'Else
'InFile = Fs.FileOpen(FileName1, fsoOpenRead)
'End If
'End If
'FileSize = Fs.FileSeek(InFile, 0, fsoSEEK_END)
'If FileSize <> 18432 Then
'Sc.MsgBox("This file does not appear to be a valid ROM 102 EEPROM file")
'Exit Sub
'End If
'If CheckChipVer = 1 Then
'Else
'Sc.MsgBox("This script requires ND13 atmel code. Please flash your loader with ND13.")
'Exit Sub
'End If
'If CheckCard = 1 Then
'Else
'Exit Sub
'End If
Sc.Write("02 15 00") 'set baud
Sc.Read(2)
Sc.Write("0A600421C101A041500400") '-set IFS
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
'This CMD 04 Gets the original value of the first bugtable entry.
'We are going to hook here, so we need to know what was originally there, so we can replace
'after we're finished writing.
CheckBugs = ("21 00 6D A0 CA 00 00 67 04 65 01 01 86 00 AA 9D 9D 9D 9D 9D 9D 9D 9D 71 80 CD 5A C0 31 78 0D F8 06 B6 91 B7 4C CD 45 05 CC 7A 95 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 9D 02")
CC = Dochecksum(CheckBugs) 'calculates the checksum byte
CheckBugs = CheckBugs & CC 'adds the checksum byte at the end of our string
Sc.Write("77150E036070" & CheckBugs & "8700") 'sends our string
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If bytes <> 8 Then
checklock = 1
' Exit Sub
End If
Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC
Sc.Write("12 15 AA" & checkbugs & "0E 03 50 0B 00") 'executes our string with the A0FF intercept
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If Bytes = &HC Then
T1 = Sc.Getbyte(0)
T2 = Sc.Getbyte(1)
T3 = Sc.Getbyte(2)
T4 = Sc.Getbyte(3)
T5 = Sc.Getbyte(4)
T6 = Sc.Getbyte(5)
'This variable stores the original Bugtable code, which will be replaced when we're finished writing
'BugOrig = hexstring(T1, 2) & hexstring(T2, 2) & hexstring(T3, 2) & hexstring(T4, 2) & hexstring(T5, 2) & Hexstring(T6, 2)
Else
Sc.Msgbox("The Card appears to be locked")
' Exit Sub
End If
'This CMD 04 will write our Bootstrap patch located at $9600
BootWrite = "21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9DA64B B76B18647180CD7C169600A010CC7A95000000000000A1FF27 0187CD5A7D0DFA8080BC800000000000000000000000000000 00000000000000000000000000000000000000000000000000 000000000000000000000002"
CC = DoCheckSum(BootWrite)
BootWrite = BootWrite & CC
Sc.Write("77150E036070" & BootWrite & "8700")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If bytes <> 8 Then
Sc.MsgBox("Write Failed")
' Exit Sub
End If
Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC
Sc.Write("12 15 AA" & checkbugs & "0E 03 50 05 00")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
'This CMD 04 will hook our Bugtable at $3178 = "050060DB9600" (This will later be replaced with original value)
BootWrite = ("21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9DA64B B76B18647180CD7C163178A006CC7A95000000000000050060 DB960000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 000000000000000000000002")
CC = Dochecksum(BootWrite)
BootWrite = BootWrite & CC
Sc.Write("756070" & BootWrite & "500700")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If bytes <> 8 Then
checklock = 0
Exit Sub
End If
Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC
Sc.Write("12 15 AA" & checkbugs & "0E 03 50 05 00")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
Byte1 = Sc.Getbyte(0)
Byte2 = Sc.getbyte(3)
If Byte1 = &H12 And Byte2 = &H90 Then
Else
sc.msgbox("Write Failed!")
' Exit Sub
End If
'-------------------------------------------------------------------------
Call Fs.FileSeek(InFile, FileSize - (FileSize - &H80), fsoSEEK_SET)
TmpStr = ""
For ThisByte = 0 To 18304
If ThisByte > 0 And ThisByte Mod 64 = 0 Then
If Address = 12608 Then 'This makes sure we don't overwrite our bug hook
BugOrig = mid(Tmpstr, 113, 12)
Tmp1 = mid(TmpStr, 1, 112)
Tmp2 = mid(TmpStr, 125, 4)
TmpStr = tmp1 & "050060DB9600" & tmp2
End If
If Address = 38400 Then 'This makes sure we don't overwrite our Bootstrap patch
Tmp2 = mid(TmpStr, 29, 100)
TmpStr = "A1FF270187CD5A7D0DFA8080BC80" & Tmp2
End If
BootWrite = "210054A0FFA64BB76B18647180CD7C16" & HexString(Address, 4) & "9240CC7A95" & TmpStr 'Writing EEPROM to card
CC = DoCheckSum(BootWrite)
BootWrite = BootWrite & CC
Sc.Write("60156057" & BootWrite & "0E10500500")
Sc.Delay(WriteDelay)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If Bytes <> 6 Then
Sc.MsgBox("Write Failed at Address: " & hexstring(Address, 4))
Exit Sub
End If
Call Sc.ProgressBox("Address: " & Hexstring(Address, 4) & " " & TmpStr, PBCounter, 288, "Writing to Card...")
TmpStr = ""
Address = Address + 64
PBcounter = PBCounter + 1
If Address = 14336 Then Address = 32768
End If
TmpStr = TmpStr & HexString(Fs.FileGetc(InFile), 2)
Next
BootWrite = "21001AA0FFA64BB76B18647180CD7C1631789206CC7A95" & BugOrig 'Removes Bug hook, and puts original back
CC = DoCheckSum(BootWrite)
BootWrite = BootWrite & CC
Sc.Write("2415601D" & BootWrite & "500500")
Sc.Delay(100)
Sc.Read(2)
Bytes = Sc.GetByte(1)
'This CMD04 will remove the Bootstrap patch located at $9600
BootWrite = ("21006DA0CA000067046501018600AA9D9D9D9D9D9D9D9DA64B B76B18647180CD7C169600A00EAE69CC7A9B00000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 000000000000000000000002")
CC = Dochecksum(BootWrite)
BootWrite = BootWrite & CC
Sc.Write("76156070" & BootWrite & "500700")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If bytes <> 8 Then
sc.print bytes & vbcr
Sc.MsgBox ("Temporary write patch could not be removed.")
End If
Checkbugs = "21 00 07 A0 FF 00 00 02 48 00"
CC = Dochecksum(CheckBugs)
CheckBugs = CheckBugs & CC
Sc.Write("12 0E 05 15 AA" & checkbugs & "50 05 00")
Sc.Delay(50)
Sc.Read(2)
Bytes = Sc.Getbyte(1)
Sc.Read(bytes)
If Bytes > 4 then
byte1 = Sc.GetByte(0)
byte2 = Sc.GetByte(3)
End If
If byte1 = &h12 and byte2 = &h69 then
Else
Sc.MsgBox ("Temporary write patch could not be removed. Blocker Code is applied to your card.")
End if
Call Sc.ProgressBox("", 0, 256)
If Bytes = 6 Then
Sc.MsgBox("Writing Operation Complete!")
Else
Sc.MsgBox("Could not successfully unhook bug table. Please use unlock function to get back into card.")
End If
Fs.FileClose(Infile)
End Sub
Sub GetEEPROMFileName()
EEPROMFileName = Fs.FileSaveDialog(FileFilter, "Please select a filename for the saved EEPROM file", "Rom102_Eeprom.bn102")
If EEPROMFileName <> "" Then
OutFileHndl1 = Fs.FileCreate(EEPROMFileName)
End If
End Sub
Function GetPacketLen(Packet)
Dim Length
Dim Temp
Dim PK
Dim i
PK = ""
Length = Len(Packet) 'get packet length with spaces
for i = 1 to Length
Temp = Mid(Packet, i, 1)
if Temp <> " " then 'remove all spaces in packet
PK = PK + Temp
End if
next
GetPacketLen = Len(PK) 'return packet length without spaces
End Function
Function DoCheckSum(Packet)
Dim Temp
Dim Length
Dim PK
Dim CheckSum
Dim i
PK=""
Length = Len(Packet) 'get packet length with spaces
for i = 1 to Length
Temp = Mid(Packet, i, 1)
if Temp <> " " then 'remove all spaces in packet
PK = PK + Temp
End if
next
Length = Len(PK) 'get packet length without spaces
CheckSum = 0
for i = 0 to Length
i=i+1 'Simulate Step 2 in VB scripting
Temp = Mid(PK, i, 2)
CheckSum = CheckSum XOR Hex2Dec(Temp) 'Calc Checksum
next
DoCheckSum = HexString(CheckSum, 2) 'convert checksum to a hex string and return it to caller
End Function
Function Hex2Dec(HexNumber)
' This function takes 1 argument, a string containing a hex value of any digit length
' and returns the decimal equivalent
Dim DecimalValue
Dim DigitCount
Dim Digit
Dim HexDigit
HexNumber = Replace(UCase(HexNumber), " ", "")
DigitCount = Len(HexNumber)
For Digit = 1 To DigitCount
HexDigit = Mid(HexNumber, Digit, 1)
If Asc(HexDigit) < 58 Then
DecimalValue = HexDigit * 16 ^ (DigitCount - Digit)
Else
DecimalValue = (Asc(HexDigit) - 55) * 16 ^ (DigitCount - Digit)
End If
Hex2Dec = Hex2Dec + DecimalValue
Next
End Function
Function HexString(Number,Length)
' This function takes 2 arguments, a number and a length. It converts the decimal
' number given by the first argument to a Hexadecimal string with its length
' equal to the number of digits given by the second argument
Dim RetVal
Dim CurLen
RetVal=Hex(Number)
CurLen=Len(RetVal)
If CurLen<Length Then
RetVal=String(Length-CurLen,"0") & RetVal
End If
HexString=RetVal
End Function
Function CheckChipVer()
CheckChipVer = 1
sc.write("90")
delay(80)
if sc.read(4) <> 4 then
CheckChipVer = 0
Exit Function
End if
if getbyte(0) <> &H4E then CheckChipVer = 0
if getbyte(1) <> &H44 then CheckChipVer = 0
if getbyte(2) <> &H44 then CheckChipVer = 0
if getbyte(3) <> &H39 then CheckChipVer = 0
End Function