Welcome to Mili's Marauders.
Completely screwed and locked out?
Old 09-01-2006   #1
moonlite
 
Status: Registered User
Join Date: Feb 2005
Posts: 42

I pray someone can help me. I have a ROM 102 rev 103 card that I have been using rev_109_DISHGODS_ROM 102 AIO blocker and manually updating the keys on for some time. I thought tonight would be the night to update the blocker with a fine auto-roll version, so I selected ROM103-REV309for0001-V3L-BLOCKER from the download section. I unlocked my card and read in the CAM with MR-Ultimate N2 v1.3. So far so good. So then I cleaned the card and opened up the ROM103-REV309 FOR 0001-V3L BLOCKER.txt file and decided just to make sure all was good to just change the BD key. I did, then loaded the patch file in MR-Ultimate, applied it, and then wrote it to the CAM. It wrote fine, no errors. Then I decided I was going to unlock it, so I tried, and that is when the problems began! It would not unlock it. I tried looking at the image file at $9878, where the old BD password was, and it was different, so I tried to unlock it. No go. I tried my current BD password, and no go. I tried it in Nagra Edit 5.xx and the same thing. So now I think I am locked out, and have no idea how to get back in. I am going to attach my original backup of the cam right after I removed the BD Password, as well as the penga blocker I modded, and the CAM file I put onto the card that screwed me. I now realize that I loaded a ROM103 file onto my ROM102 card (oops!). If anyone knows how to get back into this cam, I would be happy to send you some money. I don't want to have to throw this card away. Thanks everyone!
Moonlite
Attached Files
File Type: txt backup.bn10.txt (18.0 KB, 36 views)
File Type: txt patched-bad-BD.bn10.txt (18.0 KB, 17 views)
File Type: txt ROM103-REV309 FOR 0001-V3L BLOCKER-MOD.txt (30.8 KB, 23 views)
Old 09-01-2006   #2
sukh77
 
Status: Registered User
Join Date: Dec 2003
Location: In between the cracks
Posts: 2,135
What is the response that you get when doing a reset ATR in Nagramaster, or N2edit?
Old 09-01-2006   #3
moonlite
 
Status: Registered User
Join Date: Feb 2005
Posts: 42
Opening COM1.
ATR String: 3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50
31 30 32 20 52 65 76 33 30 39 6C
ROM ID: DNASP102 (ROM102)
REV ID: Rev309
Closing COM1.
Old 09-01-2006   #4
Caddylover
 
Status: Registered User
Join Date: Sep 2004
Posts: 612
Kinda tough to say, but since your card is reading, you could possibly try to glitch it open. You may fubar your card, but then lesson learned to double check your work and what you are putting on your card (but I guess you know this by now)

Worst case scenario is to just go and buy another card.
Old 09-01-2006   #5
Dave411
 
Status: Registered User
Join Date: Jul 2004
Posts: 991
Just seeing password is at 9FE8 not 9878. Default password is AACCAAAEBFFCDACC. I guess you could try that PW, but probably wouldn't work if you changed to your own PW. Sorry.
Old 09-01-2006   #6
DB
 
Status: Registered User
Join Date: Oct 2005
Location: Executing MAP function
Posts: 751
Sounds like you put a rom103 blocker on a rom102 card. That's a no-no. You are probably going to have a very tough time getting into this card. I think you made the mistake of thinking rev103 meant you need a rom103 blocker. But in your first post you said rom102 and have a rom103 blocker. Then your read you have

Opening COM1.
ATR String: 3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50
31 30 32 20 52 65 76 33 30 39 6C
ROM ID: DNASP102 (ROM102) <------ROM102
REV ID: Rev309 <----------------------ROM103 REV
Closing COM1.



DB is offline   Reply With Quote
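
The ATR quoted in the post above can be decoded by hand following ISO/IEC 7816-3. The sketch below is an added example, not part of the thread and not code from any tool mentioned in it; the name parse_atr is my own, and it assumes the reader software has already presented the bytes in normalised form. It walks the interface bytes, extracts the 15 historical bytes that carry the ROM and revision strings, and verifies the TCK check byte.

```python
from functools import reduce
from operator import xor

# ATR bytes copied from the reader output quoted in the thread.
THREAD_ATR = bytes.fromhex(
    "3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50 "
    "31 30 32 20 52 65 76 33 30 39 6C"
)

def parse_atr(atr: bytes) -> dict:
    """Decode an ISO/IEC 7816-3 Answer To Reset into its fields."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte: not an ATR")
    hist_len = atr[1] & 0x0F      # T0 low nibble: K historical bytes
    y = atr[1] >> 4               # T0 high nibble: which of TA1..TD1 follow
    pos, level = 2, 1
    interface, protocols = {}, set()
    while y:
        td = None
        for bit, name in enumerate("ABCD"):
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"T{name}{level}"] = atr[pos]
                td = atr[pos] if name == "D" else td
                pos += 1
        if td is None:
            break
        protocols.add(td & 0x0F)  # TDi low nibble: protocol T
        y, level = td >> 4, level + 1
    historical = atr[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ValueError("ATR truncated in historical bytes")
    pos += hist_len
    # TCK is sent unless T=0 is the only protocol offered.
    tck_ok = None
    if protocols - {0}:
        if pos >= len(atr):
            raise ValueError("TCK expected but missing")
        tck_ok = reduce(xor, atr[1:pos + 1]) == 0  # T0..TCK must XOR to 0
        pos += 1
    if pos != len(atr):
        raise ValueError("unexpected trailing bytes")
    return {
        "convention": "direct" if atr[0] == 0x3B else "inverse",
        "interface": interface,
        "protocols": sorted(protocols or {0}),
        "historical": historical,
        "tck_ok": tck_ok,
    }

if __name__ == "__main__":
    info = parse_atr(THREAD_ATR)
    rom_id, rev_id = info["historical"].decode("ascii").split()
    print(rom_id, rev_id, info["protocols"], "TCK ok:", info["tck_ok"])
```

The ROM ID and REV ID lines in the reader output are simply the ASCII historical bytes split at the space.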
Old 09-01-2006   #7
DB
 
Status: Registered User
Join Date: Oct 2005
Location: Executing MAP function
Posts: 751
If that is the case then your bug table is really messed up. Here is a rom102 bug table.


Now this is what you have patched to it with that rom103 blocker.


Now with that said, let's see what's going on with the bug table that you patched over. This first line tells how big the bug table is or how many bugs there are.

$3170=40038800301001AFB900801A80000072
B9=185 bytes in the bug table or 37 bugs.

So with that line zeroed out it has no way of knowing what's going on in the bug table. Now why this is important is because the bug 60DB is hooked to the back door. So you will not be able to read the card with it gone. When you unlock a rom102 the bug table changes to this.

$3170=4003880030100105050060DB98090072
05 is 5 bytes or 1 bug in the table. 60DB is our bug. It's hooked to $9809. Our back door. So this is going to be a tough card to open with the bug table as messed up as it is.


EDIT: should have also said that the bugs in the bug table are hooked to all the code we put into our code space. So with the bug table being messed up it isn't seeing the code you patched.

Last edited by DB; 09-01-2006 at 07:09 PM..
Old 09-02-2006   #8
moonlite
 
Status: Registered User
Join Date: Feb 2005
Posts: 42
Thanks DB. So from what I am gathering I have pretty much screwed up the table so bad it has no way to unlock it. Is there anything I can load into my glitcher(mikobu) that might work? If not, it's a lesson I will have to learn the hard way, and pay more attention. I feel bad, but it has been my luck all week. Thanks!
Old 09-02-2006   #9
sukh77
 
Status: Registered User
Join Date: Dec 2003
Location: In between the cracks
Posts: 2,135
Wow, that's too bad dude. You could still try 102 unlocker on it and see if it lets you back in. Or wait till a rom 103 unlocker comes out for rev 309.
Old 09-02-2006   #10
DB
 
Status: Registered User
Join Date: Oct 2005
Location: Executing MAP function
Posts: 751
I don't know if there is anything that will write the bug table back to what it was. The bug table in the rom103 and rom102 are different and in different locations. I haven't really studied the rom103 to know too much about it, but I know the bugs are different in it, than a rom102. You could try and do a force write to it, to put your original image back on. But without being able to gain access to the card it is going to be tough to do anything to it. Having a rom103 unlocker for rev309 isn't going to help either cause it is a rom102 card.
Old 09-02-2006   #11
sukh77
 
Status: Registered User
Join Date: Dec 2003
Location: In between the cracks
Posts: 2,135
He might want to just try the 102 unlocker then. Might get lucky.
Old 09-02-2006   #12
flight
 
Status: Registered User
Join Date: Nov 2005
Posts: 106
Quote:
Originally Posted by moonlite
Thanks DB. So from what I am gathering I have pretty much screwed up the table so bad it has no way to unlock it. Is there anything I can load into my glitcher(mikobu) that might work? If not, it's a lesson I will have to learn the hard way, and pay more attention. I feel bad, but it has been my luck all week. Thanks!


Get this, see if it helps you out: Nagra Bug restore

Do not use on card without intercept installed !!!!!!!!!!!!!!!!!


PSS. If you can't get it, PM me and I'll send it to you
Old 09-02-2006   #13
moonlite
 
Status: Registered User
Join Date: Feb 2005
Posts: 42
Yeah, I tried a forced write to it, that didn't work at all. I am thinking I am going to have to buy a new card. This sucks, but I created my own problem by not paying attention to the file name. A hard lesson learned! Thanks for everyone's help.
Old 09-02-2006   #14
BigSwifty
 
Status: Guest
Posts: n/a
Sorry to hear your misfortune....

Don't throw it away...history says something will pop it open in the future!
Old 09-02-2006   #15
GeordieCA
 
Status: Guest
Posts: n/a
You can definitely get the card to accept a modified cmd04 by glitching it.
You just have to make sure you send the correct cmd04.
If you've got nothing else to lose (i.e. don't blame me if it fails) try this:

A lot of the unlockers write a new bug catcher at $317f as the 2nd bug catcher.

Try an unlocker that will write the bug table as DB suggested. Only one bug.
You're looking for a cmd04 unlocker which writes a single bug catcher to 3176. "RebelSerf 102 OmniUnlocker force fubar.xvb" seems to fit the bill.
Old 09-02-2006   #16
DB
 
Status: Registered User
Join Date: Oct 2005
Location: Executing MAP function
Posts: 751
You would have to write more than just that one bug at $317F. But you are right when you unlock a card it writes that 60DB bug and then writes our interceptor. This is the bug table from a rom102 rev103. In green is the bug we write and in red is the code in the code space it is hooked to that we put there.

$3170=40038800301001141900801A80000060
$3180=DB8219008859807500812B80A0008AB3
$3190=80C80000000000000000000000000000

Then we also write our interceptor at $8219. Cause we hooked 60DB(insCA) to $8219.
$8210=0000000000000000001763A1CA2603CC
$8220=60ECCC7D990000000000000000000000

Now he would also have to write the numbug pointer, numbugs, and altnumbugs for it to see the bug table.

$3176 = numbug pointer 00=3177 01=3178
$3177 = altnumbugs
$3178 = numbugs

$3170=40038800301001141900801A80000060
$3180=DB8219008859807500812B80A0008AB3
$3190=80C80000000000000000000000000000

Because he patched over his bug table with zeros his card thinks that there are zero bugs in the bug table. So even if his interceptor was still installed, and you wrote just that one bug, it wouldn't open his card. It wouldn't see it cause the numbugs and altnumbugs is zero.
Old 09-03-2006   #17
moonlite
 
Status: Registered User
Join Date: Feb 2005
Posts: 42
Hey everyone. Thanks so much for all your help. I tried tonight the RebelSerf 102 OmniUnlocker force fubar.xvb in WinExplorer 5.0, but it just said determining the type of ROM, then ROM 102 REV 109 found, then it starts for about 2 seconds, and then the program just closes. Not sure if it is my WinExplorer 5.0 or the loader or what.... Anyone else have this type of issue?
Old 09-03-2006   #18
GeordieCA
 
Status: Guest
Posts: n/a
Quote:
Originally Posted by DB
You would have to write more than just that one bug at $317F.
Here's the code from the glitcher I suggested (filler removed).
3176BE08.......011E050060DB8219

It writes 8 bytes starting at $3176 Pointers & numbugs and all. Introducing one bug catcher.
Writes to $8219 too, of course.

I thought it had the best chance of anything I saw.

The absolute best suggestion I think would be to glitch custom packets from $30D0 to $3190. Correcting all of the differences for a rom102. Leaving the bug catcher table until last.
Old 09-03-2006   #19
GeordieCA
 
Status: Guest
Posts: n/a
Quote:
Originally Posted by moonlite
WinExplorer 5.0, then it starts for about 2 seconds, and then the program just closes.
Windows, VB, who knows.

- Don't run it from a network share.
- Make sure your VB libraries are up to date. WinExplorer is pretty old, though.
- Windows update for .NET service packs (clutching at straws now)
Old 09-03-2006   #20
DB
 
Status: Registered User
Join Date: Oct 2005
Location: Executing MAP function
Posts: 751
Quote:
Originally Posted by GeordieCA
Here's the code from the glitcher I suggested (filler removed).
3176BE08.......011E050060DB8219

It writes 8 bytes starting at $3176 Pointers & numbugs and all. Introducing one bug catcher.
Writes to $8219 too, of course.

I thought it had the best chance of anything I saw.

The absolute best suggestion I think would be to glitch custom packets from $30D0 to $3190. Correcting all of the differences for a rom102. Leaving the bug catcher table until last.
He's got nothing to lose. Might actually work. I am really surprised no one has done anything like this for the public before. There are a lot of cards with messed up bug tables. I don't know how many people I have read patched the wrong relock or the wrong blocker and are not locked out like this cause of the bug table.
Old 09-04-2006   #21
GeordieCA
 
Status: Guest
Posts: n/a
Quote:
Originally Posted by moonlite
Hey everyone. Thanks so much for all your help.
Did you open this card initially?
Which script did you successfully use?
Let me know the name & copy the line from it that is about 100 hex bytes and may have a variable name of "cmd04".

If you're feeling really daring I'll patch the cmd04 line and let you try it in your initial glitch script.
I'd let somebody else check my math first. I run out of fingers & toes sometimes.
Old 09-04-2006   #22
GeordieCA
 
Status: Guest
Posts: n/a
Quote:
Originally Posted by DB
I am really surprised no one has done anything like this for the public before.
I agree. The script I mention I think is a little flawed, that may be why fewer people have had success.
I'm not convinced about this particular script's glitching capability. It seems to go through a tortuous set of exchanges with the card before finally arriving at a false positive. I'm also not familiar with the intercept it installs. I've not tried it.

What I've done before is use the most successful glitching script and alter it to correct the whole bug table.
Old 09-04-2006   #23
GeordieCA
 
Status: Guest
Posts: n/a
I was bored. Here you go, this should fix it.

I even tested it on a rom102 I wrote with the same blocker you used. That really does screw things up.

Here's the result after I opened it again:

Opening COM1.
ATR String: 3F FF 95 00 FF 91 81 71 FF 47 00 44 4E 41 53 50
31 30 32 20 52 65 76 33 30 39 6C
ROM ID: DNASP102 (ROM102)
REV ID: Rev309
IFS has been set.
Backdoor found.
Backdoor ready for communications.
Reading EEPROM...
Card read successfully.
Efficiency: 98.3%, Packets: 292, Retries: 5, Time: 11.91s
Closing COM1.
Old 09-04-2006   #24
GeordieCA
 
Status: Guest
Posts: n/a
The file would help. Rename to a .XVB

It'll possibly fix a lot of messed up stuff, as DB suggested.

Last edited by GeordieCA; 09-04-2006 at 04:19 AM..
Old 09-04-2006   #25
DB
 
Status: Registered User
Join Date: Oct 2005
Location: Executing MAP function
Posts: 751
Good job. I bet others that applied the wrong relock could use this also and have the same results as you had. Well there you go moonlite. Give it a try and see what happens. Hopefully you get the same results.
Old 09-11-2006   #26
GeordieCA
 
Status: Guest
Posts: n/a
Quote:
Originally Posted by moonlite
I pray someone can help me.
I provided a fix & tested it with one of my own cards.
I was expecting at least a "thank you" for saving you $200.
Either your situation wasn't nearly as desperate as you pleaded or else you're just plain impolite (harsh, I know).
Old 09-25-2006   #27
moonlite
 
Status: Registered User
Join Date: Feb 2005
Posts: 42
Hey GeordieCA. Sorry, after my last post, I went and pitched the card into the trash and bought a new one. I really did appreciate all the help. I lost track of this posting so I am sorry for not getting back to you and anyone else. I will save your script for the next time I do something stupid like this. And thank you BTW- - Moonlite
Old 09-27-2006   #28
GeordieCA
 
Status: Guest
Posts: n/a
Thanks for the reply, dude. I was only teasing a little bit. Good luck.