[JT]

Anyone out there have a reliable method for recovering the BD0 key on a rom10? I'm open to just about any suggestions at this point. I've hit this thing with everything I can get my hands on and the backdoor is open, but the BD3 keys have been zero'd or something to that effect. My understanding is that I need to send a call to reset BD0, but I don't have any idea how to do this. Rom is revA23.

How about recovering the backdoor password on a rom3? Same deal, the card is open, but the backdoor key is not accessable. Rom is rev382.

I am trying to program a Rom 3 card and I am getting this message:
Opening of COM2 was successful
ATR String: 3F FF 95 00 FF 91 81 71 64 47 00 44 4E 41 53 50
30 30 33 20 52 65 76 33 38 33 F5
ROM Revision: 003
EEPROM Revision: Rev383
Logging into card
Checking for BackDoor
BackDoor appears to be closed, aborting
Error reading image from card
Closing of COM2 was successful
Error detected, One Step Clean incomplete

Any suggestions on what I can do next without messing up my card??

[JT]

Quote:

Originally Posted by JT

Anyone out there have a reliable method for recovering the BD3 key on a rom10? I'm open to just about any suggestions at this point. I've hit this thing with everything I can get my hands on and the backdoor is open, but the BD3 keys have been zero'd or something to that effect. My understanding is that I need to send a call to reset BD0, but I don't have any idea how to do this. Rom is revA23.

How about recovering the backdoor password on a rom3? Same deal, the card is open, but the backdoor key is not accessable. Rom is rev382.

Just to clarify, here is how the rom's I'm referring to read in Nagra. In both cases, the backdoor is open, it's just that the keys are not accessable. Unlocking programs do nothing with these roms because they immediately return a response that they are open.
------------------------------------------------------------------------------------------------

Opening of COM1 was successful
ATR String: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 30 20 52 65 76 41 32 33 4B
ROM Revision: 010
EEPROM Revision: RevA23
ProviderID: 40
CamID: 11 11 11 11
Using BD3 Key: 4E 69 70 50 45 72 20 49 73 20 61 20 62 75 54 74
Attempting to login to BD3
Unable to login, bad password detected

(Then it asks me to enter the BD3 key manually)
-------------------------------------------------------------------------------------------

Opening of COM1 was successful
ATR String: 3F FF 95 00 FF 91 81 71 64 47 00 44 4E 41 53 50
30 30 33 20 52 65 76 33 38 32 F4
ROM Revision: 003
EEPROM Revision: Rev382
Logging into card
Checking for BackDoor
BackDoor appears to be open, continuing...
Retrieving BackDoor password
Error retrieving BackDoor password
Error reading image from card
Closing of COM1 was successful

----------------------------------------------------------------------------------------------

[JT]

Quote:

Originally Posted by bobbypooh

I am trying to program a Rom 3 card and I am getting this message:
Opening of COM2 was successful
ATR String: 3F FF 95 00 FF 91 81 71 64 47 00 44 4E 41 53 50
30 30 33 20 52 65 76 33 38 33 F5
ROM Revision: 003
EEPROM Revision: Rev383
Logging into card
Checking for BackDoor
BackDoor appears to be closed, aborting
Error reading image from card
Closing of COM2 was successful
Error detected, One Step Clean incomplete

Any suggestions on what I can do next without messing up my card??

In your case bobby the rom is streamlocked. It can be unlocked with a modified HU unlooper and one of the many fine unlocking programs out there.

[Crazy1_79]

well jt, I have a rom 10 card that is in the same boat as yours, threw everything at it except the kitchen sink. Good luck and if you find something that works, let me know.

hi there
i have a couple of rom 10 that came up with the backdoor problem i use the bd3 opener able to get it to open up an able to write to them i put on a clean image bin then a bin file with blocker but for some reason i get a black screen i know the box keys are right and the ird is right try both cards and 2 different recievers i also am able to get the previews any help would appriecieated thanks

[JT]

Damn Crazy, I was hoping you'd have a good suggestion for me.

The rom10 BD0 retriever CMD03 is a great little kit. Big thanks goes out to slickvguy on that one. It's worked for me before. It's what I usually use in this situation. When I tried it on this rom though, I could not get viagra to change the provider to 9000. I can get viagrarom10 to change my provider to 9000, but the CMD03 from slickvguy still returns BDO key of all zero. Cimba emailed some files last night that I hadn't seen before. They are a little old, but I think they hold a lot of promise. I'll let you guys know if I can get them to work for me. Big thanks to Cimba either way. I'm thinking of posting a 'backdoor recovery kit' that includes all the neat liitle ways I've gone after this 10. My bag of tricks is just about empty this time around though. Guess it's time to learn some new tricks eh?

FYI- so far I have tried mromV6, camwisler, viagra, backdoorbuster, speedkeyXP3 and two versions of bdkr on this rom10. I'm halfway suprised I havn't looped this sucker yet. I'm going to get this damn thing open or kill it trying! Never come across roms' as stubborn as this rom10 and the rom3 that's acting essentially the same way. I have been unable to find anything substantial for working on the rom3 backdoor recovery. Like I said, the unlocker programs are useless in this situation. The cams are already open. The problem is much more challenging than just unlocking the darn things.

[JT]

Quote:

Originally Posted by JT

Damn Crazy, I was hoping you'd have a good suggestion for me.

The rom10 BD0 retriever CMD03 is a great little kit. Big thanks goes out to slickvguy on that one. It's worked for me before. It's what I usually use in this situation. When I tried it on this rom though, I could not get viagra to change the provider to 9000. I can get viagrarom10 to change my provider to 9000, but the CMD03 from slickvguy still returns BDO key of all zero. Cimba emailed some files last night that I hadn't seen before. They are a little old, but I think they hold a lot of promise. I'll let you guys know if I can get them to work for me. Big thanks to Cimba either way. I'm thinking of posting a 'backdoor recovery kit' that includes all the neat liitle ways I've gone after this 10. My bag of tricks is just about empty this time around though. Guess it's time to learn some new tricks eh?

FYI- so far I have tried mromV6, camwisler, viagra, backdoorbuster, speedkeyXP3 and two versions of bdkr on this rom10. I'm halfway suprised I havn't looped this sucker yet. I'm going to get this damn thing open or kill it trying! Never come across roms' as stubborn as this rom10 and the rom3 that's acting essentially the same way. I have been unable to find anything substantial for working on the rom3 backdoor recovery. Like I said, the unlocker programs are useless in this situation. The cams are already open. The problem is much more challenging than just unlocking the darn things.

BTW-did anyone else notice how similar the ATR's are I'm getting off this rom10 and rom3? I got these roms from the same guy. I sure wouldn't normally expect ATR's of such similarity on a rom3 and rom10. Have no idea if it has anything to do with anything relevant, but it is a odd coincidence.

I assume you have a modded loader did you try any of the powersync scripts? Guys with problems have been using them,they work with a modded loader just a little more work then if you bought the powersync loader,just a thought.

Quote:

Originally Posted by JT

BTW-did anyone else notice how similar the ATR's are I'm getting off this rom10 and rom3? I got these roms from the same guy. I sure wouldn't normally expect ATR's of such similarity on a rom3 and rom10. Have no idea if it has anything to do with anything relevant, but it is a odd coincidence.

Looks like someone attempted to write a rom10 image to a rom3, or vise-versa. Those ATRs looks a lot like my rom10 ATRs

[fubr]

WTH is the provider 40 coming from.
isnt thst what mrom puts them at when repairing atr?
good luck JT

Quote:

I'm halfway suprised I havn't looped this sucker yet. I'm going to get this damn thing open or kill it trying!

dont go that far bud we will miss ya

[STP]

I found a great guide that worked on a couple of mine, I posted it on the Bell expressVu card programming forum, but I don't know how to link to it. You can check there.

STP

[JT]

Quote:

Originally Posted by STP

I found a great guide that worked on a couple of mine, I posted it on the Bell expressVu card programming forum, but I don't know how to link to it. You can check there.

STP

I moved that thread over here to the glitching/unlocking forum. That is the procedure I was referring to as having promise, but alas, it has not panned out for me. I'm going to try it at least a couple more times before I give up though.

[STP]

Thanks for moving the thread over JT.

I found that the procedure worked perfectly, and changed my Rom10 A81 with bad BD3 and bad BD0 to a ROM10 A16.

But then I had to use Mron_em to get the card to open, then I wrote dish gods all in one and it was good to go.

STP

Quote:

Originally Posted by JT

BTW-did anyone else notice how similar the ATR's are I'm getting off this rom10 and rom3? I got these roms from the same guy. I sure wouldn't normally expect ATR's of such similarity on a rom3 and rom10. Have no idea if it has anything to do with anything relevant, but it is a odd coincidence.

JT, I looked a little closer and that is a ROM3 ATR on your ROM10. So it seems the person you got that card from put a ROM3 image on it.. Since Nagra sees a ROM10 and tries to use BD3, it'll fail since the ROM3 image doesn't have a BD3. Looks like that card is an ice scraper. But if you do ever find a fix for it, let me know. I have a card with the same problem..

[fubr]

thought nagra would not let you put a rom 3 image on a rom 10?
only the other way around.
maybe I am wrong but I thought it nagged about incorrect size file

Quote:

Originally Posted by JT

Anyone out there have a reliable method for recovering the BD3 key on a rom10? I'm open to just about any suggestions at this point. I've hit this thing with everything I can get my hands on and the backdoor is open, but the BD3 keys have been zero'd or something to that effect. My understanding is that I need to send a call to reset BD0, but I don't have any idea how to do this. Rom is revA23.

How about recovering the backdoor password on a rom3? Same deal, the card is open, but the backdoor key is not accessable. Rom is rev382.

I have a Rom 3 with the same 383 rev. When I got the card it said the back door was open, but could report the password for the BD. The next time I read the card, it reported back door closed. Now I am stuck with what to do next. How do I open the back door??

[JT]

Quote:

Originally Posted by bobbypooh

I have a Rom 3 with the same 383 rev. When I got the card it said the back door was open, but could report the password for the BD. The next time I read the card, it reported back door closed. Now I am stuck with what to do next. How do I open the back door??

In your case bobby the rom is streamlocked. It can be unlocked with a modified HU unlooper and one of the many fine unlocking programs out there.

Quote:

Originally Posted by fubr

thought nagra would not let you put a rom 3 image on a rom 10?
only the other way around.
maybe I am wrong but I thought it nagged about incorrect size file

Who says the guy used Nagra.. ;-) I'm not sure either, but I have a ROM10 with a ROM3 ATR also.. So somehow a R3 image got onto the R10..

[fubr]

Quote:

Originally Posted by Astro

Who says the guy used Nagra.. ;-) I'm not sure either, but I have a ROM10 with a ROM3 ATR also.. So somehow a R3 image got onto the R10..

Good point.
I was thinking "inside my box"
I forgot there are other ways to write to a cam. I most of the time use nagedit.

Quote:

Originally Posted by fubr

I was thinking "inside my box"

My Wife slaps me when I do that..

[Mr Dufus]

I lookin for the "#1 dish to bev " . Any ideas to where I can find it?

[Mr Dufus]

I found it, :-)

[Crazy1_79]

Quote:

Originally Posted by Astro

My Wife slaps me when I do that..

LMAO,

[slickvguy]

OK, JT. I am here. Let's go.

I'm dealing with the first card you spoke of, the ROM10 with the provider 40.
First of all, the reason it's provider 40, is because you or somone else ran it through MROM. Understand? So the first thing we want to do, is take a look a the dataitems on the card. Run this d2c script (and save it for future use) from NE's comm window, and paste the results.

Edit: OK. I've uploaded it. This belongs in the files section.

;ROM_PROBE by Slickvguy

RS

;Set IFS
TX 21C101A041
RX ;12E101A052

MG***CAMID***
;CMD$12 - CAMID
TX 210008A0CA00000212000655
dl0200
RX

MG ***CAMDATE***
;CMD$C6 - CAMDATE
TX 210008A0CA000002C6000681
dl 0200
RX


MG ***DT01***
;CMD$20 DT01 - IRD
TX 21000CA0CA0000062004 01 02FFFF0365
dl 0200
RX

;CMD$21 DT01 Element 00
TX 21000DA0CA00000721050103FFFF 00 2047
dl 0200
RX

;CMD$21 DT01 Element 01
TX 21000DA0CA00000721050103FFFF 01 2046
dl 0200
RX

MG ***DT06***
;CMD$20 DT06 - Provider Info
TX 21000CA0CA0000062004 06 02FFFF0362
dl 0200
RX

;CMD$21 DT06 Element 00
TX 21000DA0CA00000721050603FFFF 00 2949
dl 0200
RX

;CMD$21 DT06 Element 01
TX 21000DA0CA00000721050603FFFF 01 2948
dl 0200
RX

;CMD$21 DT06 Element 02
TX 21000DA0CA00000721050603FFFF 02 2947
dl 0200
RX

MG ***DT07***
;CMD$20 DT07 - Decrypt Keys
TX 21000CA0CA0000062004 07 02FFFF0363
dl 0200
RX

;CMD$21 DT07 Element 00
TX 21000DA0CA00000721050703FFFF 00 0564
dl 0200
RX

;CMD$21 DT07 Element 01
TX 21000DA0CA00000721050703FFFF 01 0565
dl 0200
RX

;CMD$21 DT07 Element 02
TX 21000DA0CA00000721050703FFFF 02 0566
dl 0200
RX

MG ***DT02***
;CMD$20 DT02 - Provider Filter
TX 21000CA0CA0000062004 02 02FFFF0366
dl 0200
RX

;CMD$21 DT02 Element 00
TX 21000DA0CA00000721050203FFFF 00 0662
dl 0200
RX

;CMD$21 DT02 Element 01
TX 21000DA0CA00000721050203FFFF 01 0663
dl 0200
RX

[fubr]

Rx: 3f Ff 95 00 Ff 91 81 71 A0 47 00 44 4e 41 53 50
30 31 30 20 52 65 76 41 32 33 4b
Tx: 21 C1 01 A0 41
Rx: 12 E1 01 A0 52
***camid***
Tx: 21 00 08 A0 Ca 00 00 02 12 00 06 55
Rx: 12 00 08 92 04 00 00 00 00 00 00 3e
***camdate***
Tx: 21 00 08 A0 Ca 00 00 02 C6 00 06 81
Rx: 12 40 06 B6 02 1a 54 90 00 3e
***dt01***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 01 02 Ff Ff 03 65
Rx: 12 00 05 A0 01 01 90 00 27
Tx: 21 00 0d A0 Ca 00 00 07 21 05 01 03 Ff Ff 00 20
47
Rx: 12 40 22 A1 1e 40 01 00 01 00 00 C3 58 08 00 0e
06 68 82 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 90 00 6e
Tx: 21 00 0d A0 Ca 00 00 07 21 05 01 03 Ff Ff 01 20
46
Rx: 12 00 22 A1 1e 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 69 80 66
***dt06***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 06 02 Ff Ff 03 62
Rx: 12 40 05 A0 01 02 90 00 64
Tx: 21 00 0d A0 Ca 00 00 07 21 05 06 03 Ff Ff 00 29
49
Rx: 12 00 2b A1 27 40 00 00 1b 83 F0 D8 Ff Ff Ff Ff
Ff Ff Ff Ff Ff Ff 00 Ff Ff 00 00 Ff Ff 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 90 00 Df
Tx: 21 00 0d A0 Ca 00 00 07 21 05 06 03 Ff Ff 01 29
48
Rx: 12 40 2b A1 27 41 00 00 1b 83 F0 D8 90 03 51 19
4f Ff Ff Ff Ff Ff 04 39 9f Bf 7c Ff Ff 00 00 B4
00 01 00 00 00 00 00 00 00 00 00 00 90 00 21
Tx: 21 00 0d A0 Ca 00 00 07 21 05 06 03 Ff Ff 02 29
47
Rx: 12 91 00 83
***dt07***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 07 02 Ff Ff 03 63
Rx: 12 00 05 A0 01 03 90 00 25
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 00 05
64
Rx: 12 40 07 A1 03 40 3f 00 90 00 18
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 01 05
65
Rx: 12 00 07 A1 03 41 3f 00 90 00 59
Tx: 21 00 0d A0 Ca 00 00 07 21 05 07 03 Ff Ff 02 05
66
Rx: 12 40 07 A1 03 00 3f 01 90 00 59
***dt02***
Tx: 21 00 0c A0 Ca 00 00 06 20 04 02 02 Ff Ff 03 66
Rx: 12 00 05 A0 01 01 90 00 27
Tx: 21 00 0d A0 Ca 00 00 07 21 05 02 03 Ff Ff 00 06
62
Rx: 12 40 08 A1 04 41 01 00 00 90 00 2f
Tx: 21 00 0d A0 Ca 00 00 07 21 05 02 03 Ff Ff 01 06
63
Rx: 12 00 08 A1 04 00 00 00 00 69 80 56

[slickvguy]

Well, first of all, you should NOT post your camid! lol! Please xx it out.

Your DT1 is for provider $40. (MROM did this).
Your DT6's are $40 and $41. More MROM.

Your DT7's are: $40, $41, $00. MROM replaced the first two, and the 3rd is the Dish one that was not overwritten.

Therefore, if you try using a utility like my BD0 retriever, which uses cmd03's specifically made for DN provider $00, it obviously will not work. People don't understand these basics, and then wonder why things wont' work. Why waste time and effort n something that CANNOT work? Makes no sense.

If you are going to use a Nipper login, you must use one for provider $40. Like this...
21001DA0CA000017031540011011054E697050457220497320 6120627554742648

Or, better yet, *REPLACE* the first few blocks of dataspace with DishNet dataitems, i.e. get rid of the MROM provider. You can do this if your backdoor is open (or with a glitcher). Let's assume your backdoor is open, ok? What you need to do is:

a) Login with a nipper for the existing provider on your card, which I already posted above.

b) Send CMD$D7's to write the Dish data to the dataspace. Simple!

Alternatively, you can install a ghost provider, and construct EMMs for the ghost provider.

Or, you can construct a CMD03 overflow for provider 40, and let 'er rip.

A few different approaches.

But - keep in mind, that after we get your BD0, and you DO read your card, it might be marked and your MAP may be flagged "off". This is frequently what is behind NagraEdit's inability to get the BD0. It writes cleartext keys, executes a CMD01, and then a CMD60 to get the BD0. The CMD01 doesn't execute,a ndt hat's why the CMD60 returns all zeros.

What you need to do is focus on being able to read the entire code and data space, and/or get your BD0, through various means. Once you have that, you'll know if your card is f'd or not.

[fubr]

Dont worry that is not a valid cam ID. but I took it out anyway replaced it with my ssn number.
LOL



thanks for the steps I will see what happens
now to figure out WTF you just said.

JT Where are you???????

[JT]

First, thanks slickvguy for stepping in here. If anyone can steer us in the right direction on this it's you. Here is my log, but it sounds like your already going through the basics with fubr, and it's the same issue I think. For the record too, I ran the BD0 redriever CMD03 before I hit this thing with mrom....now it appears I have to go back and try to repair the damage I did messing with it. I least now I have something to do and the expert is in the house. Greatly appreciate your time and effort slickvguy.

RX: 3F FF 95 00 FF 91 81 71 A0 47 00 44 4E 41 53 50
30 31 30 20 52 65 76 41 32 33 4B
TX: 21 C1 01 A0 41
RX: 12 E1 01 A0 52
***CAMID***
TX: 21 00 08 A0 CA 00 00 02 12 00 06 55
RX: 12 00 08 92 04 00 BA 67 FF 90 00 3E
***CAMDATE***
TX: 21 00 08 A0 CA 00 00 02 C6 00 06 81
RX: 12 40 06 B6 02 19 3B 90 00 52
***DT01***
TX: 21 00 0C A0 CA 00 00 06 20 04 01 02 FF FF 03 65
RX: 12 00 05 A0 01 01 90 00 27
TX: 21 00 0D A0 CA 00 00 07 21 05 01 03 FF FF 00 20
47
RX: 12 40 22 A1 1E 40 01 00 01 22 22 22 22 08 00 00
00 00 00 30 30 30 37 37 39 30 37 31 33 32 50 31
30 54 4E 90 00 62
TX: 21 00 0D A0 CA 00 00 07 21 05 01 03 FF FF 01 20
46
RX: 12 00 22 A1 1E 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 69 80 66
***DT06***
TX: 21 00 0C A0 CA 00 00 06 20 04 06 02 FF FF 03 62
RX: 12 40 05 A0 01 02 90 00 64
TX: 21 00 0D A0 CA 00 00 07 21 05 06 03 FF FF 00 29
49
RX: 12 00 2B A1 27 40 00 00 11 11 11 11 FF FF FF FF
FF FF FF FF FF FF FC FF FF 00 00 FF FF 00 00 B4
00 00 00 00 00 00 00 00 00 00 00 00 90 00 27
TX: 21 00 0D A0 CA 00 00 07 21 05 06 03 FF FF 01 29
48
RX: 12 40 2B A1 27 41 00 00 11 11 11 11 FF FF FF FF
FF FF FF FF FF FF FC FF FF 00 00 FF FF 00 00 B4
00 00 00 00 00 00 00 00 00 00 00 00 90 00 66
TX: 21 00 0D A0 CA 00 00 07 21 05 06 03 FF FF 02 29
47
RX: 12 91 00 83
***DT07***
TX: 21 00 0C A0 CA 00 00 06 20 04 07 02 FF FF 03 63
RX: 12 00 05 A0 01 03 90 00 25
TX: 21 00 0D A0 CA 00 00 07 21 05 07 03 FF FF 00 05
64
RX: 12 40 07 A1 03 40 3F 00 90 00 18
TX: 21 00 0D A0 CA 00 00 07 21 05 07 03 FF FF 01 05
65
RX: 12 00 07 A1 03 41 3F 00 90 00 59
TX: 21 00 0D A0 CA 00 00 07 21 05 07 03 FF FF 02 05
66
RX: 12 40 07 A1 03 00 3F 01 90 00 59
***DT02***
TX: 21 00 0C A0 CA 00 00 06 20 04 02 02 FF FF 03 66
RX: 12 00 05 A0 01 01 90 00 27
TX: 21 00 0D A0 CA 00 00 07 21 05 02 03 FF FF 00 06
62
RX: 12 40 08 A1 04 41 01 00 00 90 00 2F
TX: 21 00 0D A0 CA 00 00 07 21 05 02 03 FF FF 01 06
63
RX: 12 00 08 A1 04 00 00 00 00 69 80 56

[slickvguy]

Hi JT.

Yes, your dataspace is in similar shape to fubr's. Read my post above, and figure out what you are going to do. It's probably your MAP that's killed, but my BD0 retriever should have worked *IF* your DT's were for Dish. Follow?

So choose your poison. If it was me, I'd use XNCS to put a ghost 6901 on the card, and then construct an EMM for ghost 6901. XNCS is terrific for that. Use the EMM that writes the Boxkey to the ird data. Send it from xncs's comm tab (it'll append the proper LRC). The reason I would use teh BOXKEY emm (nto the BD0), is because the BD0 might actually be all 00's! If the card can execute the EMM, you'll quickly and easily be able to tell, because the ird field will contain your boxkey. Right? Then, once you establish that the card processes EMMs, either send an EMM to grab the BD0, or better yet, just send an EMM to write a known valid BD0.

This shoudl take you just a few minutes to do, and then you'll know if your card is ok or not.