Extracting box key from VIP612 and VIP211


xski7
06-10-2009, 12:42 AM
Can someone please direct me to the diagram / instructions on how to JTAG the VIP612 and VIP211 receivers in order to extract the box key out of them? Thanks in advance.

mili
06-10-2009, 01:04 AM
The 612 is useless, the 211 you can send out to be modded, I offer that service. Neither one can be JTAG-ed.

mili

xski7
06-16-2009, 06:42 PM
Can you get a box key out of the 612 or 211? I need it to run with Myth.

lefty
06-17-2009, 12:33 AM
xski7,

The answer was and remains - no.

xski7
06-27-2009, 09:22 PM
> The 612 is useless, the 211 you can send out to be modded, I offer that service. Neither one can be JTAG-ed.
>
> mili

Hey Mili - are you able to get the box key out of VIP211 TSOP? I don't need the receiver to be modded, just the box key extracted. Are you able to do this? Please PM / advise on instructions / pricing how to coordinate this. Thanks!

xski7
07-15-2009, 07:43 AM
> Hey Mili - are you able to get the box key out of VIP211 TSOP? I don't need the receiver to be modded, just the box key extracted. Are you able to do this? Please PM / advise on instructions / pricing how to coordinate this. Thanks!

Hey mili can you please PM me if you can extract a box key from 211 TSOP (need the 211 to remain fully stock functional after this as this will be then subscribed)

intelligent1
07-15-2009, 08:09 AM
xski, all new receivers from DN need to be modified on the board of the receiver. There are no more JTAG ports on them. There is no way you can have a fully stock 211 after modification; you would need to re-mod the 211 back if you want it back to stock. I'm sure people are working on some adapters for multi BGA for all receivers. As of right now there are NO ways to modify any VIP receiver with JTAG or any method known to the public. It can be done, but the contacts are very small. That's why you must take off the chip and swap it with a modded one.

zerocool
07-15-2009, 05:43 PM
Isn't the modded chip a blank chip that is flashed with a modded TSOP image? So wouldn't someone be able to remove the chip from the receiver, read the chip in the same tool used to flash the blanks, and then re-install the same chip, thereby getting the box keys? I don't need this help but it could help the guy asking to get box keys read.

moses
07-15-2009, 06:25 PM
There are no box keys on the VIPs, just SKs. You need to pull the chip, read the SKs, reprogram a blank chip, and reinstall it. The 612, 222K and 722K can not be done; they use a whole different processor.

intelligent1
07-15-2009, 06:25 PM
Exactly. Check the VIP files. They have 622 and 211 chip images ready to be programmed and installed. Not sure if they are good for current use because they are using a ROM 103 spoof. The file was out in 2008 so it could be outdated. Here is the process I came up with.

1. Have a stock VIP receiver with the latest firmware update. Copy down the receiver info from the info screen.

2. Remove the flash chip from the receiver. Make sure it's the right chip to remove first.

3. Read the image from the chip with an adapter to DIP, or just get a programmer (commercial stuff is expensive), into a bin file. Save a few backups just in case.

4. Load the bin into your favorite hex editor.

5. Search for the data from the info copied in step 1.

6. Once the memory locations are found, edit with public info.

7. Program your empty chip.

8. Install the new chip.

9. Turn the receiver on and hope for the best.

10. Use your method of choice for testing. (Slinger is the only thing up right now.)

This is only a step by step idea. I'm not sure if information is scattered for security reasons.

Hope it helps.

mopar611
07-16-2009, 06:52 PM
I believe you guys are incorrect...

But thats just my opinion..

Mopar

Ernest
07-17-2009, 02:43 AM
> Isn't the modded chip a blank chip that is flashed with a modded TSOP image? So wouldn't someone be able to remove the chip from the receiver, read the chip in the same tool used to flash the blanks, and then re-install the same chip, thereby getting the box keys? I don't need this help but it could help the guy asking to get box keys read.

Yes, the modded chip is a new blank replacement chip that's flashed with a modded TSOP image, so yes, the original chip must be removed and replaced with the modded one. But the image the replacement chip is flashed with isn't from the original chip. How could it be if the original chip cannot be completely read and the main part that's needed is in the part that's locked?

There's no way to retrieve the key info from an original VIP TSOP chip as of yet and there will continue to be no way to retrieve this key info until a way to unlock the locked part of the TSOP is figured out.

But even then you won't be finding a Box Key anywhere in a VIP TSOP because, like moses said, the VIP models have no Box Keys, they just have SK's.

> There are no box keys on the VIPs, just SKs. You need to pull the chip, read the SKs, reprogram a blank chip, and reinstall it.

Good luck reading the SK's!

> Check the VIP files. They have 622 and 211 chip images ready to be programmed and installed. Not sure if they are good for current use because they are using a ROM 103 spoof. The file was out in 2008 so it could be outdated.

You seem to be confusing the VIP TSOP images with the ROM images, but as far as the ROM images go, neither the Slinger nor the card-sharing setups are using ROM spoofs, they're using real ROM 102 or 103 images and they're actually the same or basically the same images a lot of us were using in the N2 data stream. But the ROM image and the TSOP image are two different images. But they of course do have to work together.

But anyway, those TSOP images, or ones basically just like them, are still being used to this day and those are the same images that all the VIP models are being flashed with by everybody who's modding them, be they with "public" keysets or "private" keysets. These are the same images that are currently making them work with the Slingers and with the card-sharing setups. They're N2 images, not N3. The only real difference between the public and private keysets is that all the numbers in the public keysets (IRD #, Box Key or SK, and CAM ID) are known publicly and all the ones in the private keysets are not.

> Here is the process I came up with.
>
> 1. Have a stock VIP receiver with the latest firmware update. Copy down the receiver info from the info screen.

The only info you'll get off the System Info screen will be the IRD # and CAM ID, if you have a CAM inserted into the card slot. If you don't, you will of course just see all zeros for the CAM ID. But if you do insert a card into the card slot and it's the wrong card, you'll just get the "wrong card inserted" message until you pull the card out of the card slot, and then it will even show you the CAM ID of that wrong card.

> 3. Read the image from the chip with an adapter to DIP, or just get a programmer (commercial stuff is expensive), into a bin file. Save a few backups just in case.

Even if the guy could afford the expensive programmer to do this, since the info on the chip is locked, what good would reading or trying to read the chip do him?

The expensive programmers are for programming the replacement chips, and almost all of these replacement chips are programmed with the old N2 keysets anyway, not new N3 keysets. This doesn't really matter though, because the only way to use these receivers at this time is with either a Slinger or a card-sharing setup, and all that's required in this type of setup is communication between the receiver and the dummy cards in their card slots, whether they be the dummy card used with a Slinger or a Max&Mel or AVR type card used in a card-sharing setup.

Even though they may still be using an N2 keyset, these setups still allow communication between the receiver and the Slinger, or between the receiver and whatever type of card-sharing device you may have connected to it, be it a Max&Mel or AVR board or whatever. All they need is the Control Words to authorize the audio/video of the N3 channels, and this is how they get them. No actual cracking or hacking of the N3 data stream is involved in this process at all. It's just a simple work-around that has been in use for several years.

> 4. Load the bin into your favorite hex editor.

If the actual part of the bin that's needed is locked, what good is this going to do you?

> 5. Search for the data from the info copied in step 1.

Good luck finding it!

> 6. Once the memory locations are found, edit with public info.

Did you find them?

> 7. Program your empty chip.

Now this can be done! But ONLY if you have the expensive programmer that's required to do it with!

> 8. Install the new chip.

Not an easy task!

> 9. Turn the receiver on and hope for the best.

Good luck with it!

> 10. Use your method of choice for testing. (Slinger is the only thing up right now.)

Well, Slinger is not the only thing up now. Card-sharing is also working just fine. But these two methods are basically achieved the same way, with the Control Words generated by REAL subbed cards.

mopar611
07-17-2009, 05:50 AM
> Hey mili can you please PM me if you can extract a box key from 211 TSOP (need the 211 to remain fully stock functional after this as this will be then subscribed)

Don't let these guys mislead you..

You can in fact retrieve your bks.

Oh yeah, this is public info..
If you know where to look.

I will pm you on where to go.

Mopar

sdeens
07-20-2009, 07:19 AM
The VIPs most definitely do have BOX KEYs, but they are hidden inside those 96 bytes in the BGA firmware dump. They got smart and hid them better using an XOR method. Below is the procedure for how to calculate a VIP's "true" BOX KEYs so you can card share it with any Legacy or cardless IRD or even another VIP. Of course you still have to dump the OEM firmware chip and reinstall a fresh new BGA firmware chip that has been 100% cloned to restore it to normal operation.

Below is an example of the 96 bytes we patch to a VIP when we mod them.

This is the SK area in the VIP firmware dumps. For example, the SK area is at hex address 0040FF9C -> 0040FFFB in these models (211, 222, 322, 411, 522, 625, 622, 942).

Once we found out where they were and how they were XOR-hidden from us, they started making the VIP-K series and storing SK data there instead.

That Broadcom 7038 BGA is way too big to remove and dump safely; it's five times bigger than the older firmware BGA chips in the VIPs, which were as small as a postage stamp. So for now there is no way to calculate SK/BOX KEYS in them since that 7038 Broadcom chip is too hard to remove safely in a VIP K series; I know, I tried and trashed a VIP622 doing some EJTAG tracing....:-)

Someday maybe they will be able to trap or EJTAG these VIP-Ks and then maybe we can capture the BOX KEYS/SK using the procedure shown below. I'm half surprised they didn't take the lesson from the XBOX360 and smother that 7038 chip in epoxy resin to make it harder to work with.


# II II II II XX XX XX XX XX XX XX XX XX XX
# Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
# SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
# Y2 Y2 Y2 Y2 Y2 Y2 Y2 Y2 CS CS

Your box keys should be equal to :

Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 xor Y2 Y2 Y2 Y2 Y2 Y2 Y2 Y2 = Boxkey

Use the Windows scientific calculator to confirm and do the XOR math.

# II = IRD serial number.
# XX = Unimportant.
# Y1, Y2 = SK signature and also used to calculate the "TRUE" VIPs Box Keys.
# SK = Actual secondary key data (CAM N, public modulus).
# CS = Checksum.

- Open Windows Calculator and set it to scientific mode, select the Hex button, then enter what you find for Y1.
- Then click on XOR.
- Now enter your Y2.
- Lastly, click on the = button; you now have your TRUE box keys.

OverEasy
07-20-2009, 08:11 AM
Nice post sdeens Thanks

intelligent1
07-20-2009, 09:19 AM
Very nice Sdeens

moses
07-20-2009, 03:43 PM
Can you make a 102 bin file from a BGA firmware dump, if you have the 96-byte SKs?

nfused
09-16-2009, 06:48 AM
> The VIPs most definitely do have BOX KEYs, but they are hidden inside those 96 bytes in the BGA firmware dump. They got smart and hid them better using an XOR method. Below is the procedure for how to calculate a VIP's "true" BOX KEYs so you can card share it with any Legacy or cardless IRD or even another VIP. Of course you still have to dump the OEM firmware chip and reinstall a fresh new BGA firmware chip that has been 100% cloned to restore it to normal operation.
>
> Below is an example of the 96 bytes we patch to a VIP when we mod them.
>
> This is the SK area in the VIP firmware dumps. For example, the SK area is at hex address 0040FF9C -> 0040FFFB in these models (211, 222, 322, 411, 522, 625, 622, 942).
>
> Once we found out where they were and how they were XOR-hidden from us, they started making the VIP-K series and storing SK data there instead.
>
> That Broadcom 7038 BGA is way too big to remove and dump safely; it's five times bigger than the older firmware BGA chips in the VIPs, which were as small as a postage stamp. So for now there is no way to calculate SK/BOX KEYS in them since that 7038 Broadcom chip is too hard to remove safely in a VIP K series; I know, I tried and trashed a VIP622 doing some EJTAG tracing....:-)
>
> Someday maybe they will be able to trap or EJTAG these VIP-Ks and then maybe we can capture the BOX KEYS/SK using the procedure shown below. I'm half surprised they didn't take the lesson from the XBOX360 and smother that 7038 chip in epoxy resin to make it harder to work with.
>
> # II II II II XX XX XX XX XX XX XX XX XX XX
> # Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1
> # SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
> # SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
> # SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
> # SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK SK
> # Y2 Y2 Y2 Y2 Y2 Y2 Y2 Y2 CS CS
>
> Your box keys should be equal to :
>
> Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 xor Y2 Y2 Y2 Y2 Y2 Y2 Y2 Y2 = Boxkey
>
> Use the Windows scientific calculator to confirm and do the XOR math.
>
> # II = IRD serial number.
> # XX = Unimportant.
> # Y1, Y2 = SK signature and also used to calculate the "TRUE" VIPs Box Keys.
> # SK = Actual secondary key data (CAM N, public modulus).
> # CS = Checksum.
>
> - Open Windows Calculator and set it to scientific mode, select the Hex button, then enter what you find for Y1.
> - Then click on XOR.
> - Now enter your Y2.
> - Lastly, click on the = button; you now have your TRUE box keys.

After I calculate my box key, how can I create an SK patch so I can use this SK info on another receiver like a 301.013 or any other SK receiver?

forumworx
10-16-2009, 07:12 AM
Bump

> After I calculate my box key, how can I create an SK patch so I can use this SK info on another receiver like a 301.013 or any other SK receiver?