did dish flip the switch?



wheresmystuff
03-17-2016, 12:02 PM
Seeing as all servers are having issues, and it's not an ECM, wonder if Charlie flipped the anycast switch, and IKS providers are scrambling.

Dzaster
03-17-2016, 01:22 PM
No they didn't, few servers still up

Blazerbong
03-19-2016, 11:48 PM
Seems like IKS is having more and more of a hard time holding on to the Steering wheel. Channels are slow to come back and when they do there are freezing issues and lots of channels take days to resurrect. When they do resurrect another ECM hits and we lose more ground than the last time around.

jedi
03-20-2016, 05:57 AM
All of the monthly card hits from Dishnet have taken their toll and some seeders are getting tired of replacing receivers and cards every time they get hit - it gets pretty expensive.
One of the big seeders has called it quits - so all of the sharing and re-sharing of caches that was going on between different services has been affected.

There are a few services now running their own card servers instead of buying a cache push - but they now prefer not to sell their cache to other services - they want them all to buy a reseller panel from them instead of using their cache - much easier to control the leeching that was going on and also more money for them. Since a cache isn't available anymore some services are starting to use their own card servers - but that will take a little while to set up new accounts, buy new cards and receivers, pull the BGA chip from the motherboard, read it, solder it back in and then feed it to their load balancer. When they get hit again - they'll have to go through that whole thing again.

I'm sure someone is working on setting up card servers that will be willing to sell his cache to other services - but it will take a few more days.

jvvh5897
03-22-2016, 04:20 PM
That is interesting, but I thought the idea of IKS is that it put all the tools to do signal theft in one place so that advanced ideas and tech could be used. From the sounds of that last post, no advanced tech is really in use--pretty much hobby level stuff. If you used advanced techniques, maybe new cards would not be needed with every ecm that comes along. Course with new IKS blocking anycast in the works, I'm not sure that actually using brains would be of any help at this point, but would it not have been better to do something creative earlier?

jedi
03-22-2016, 04:38 PM
That is interesting, but I thought the idea of IKS is that it put all the tools to do signal theft in one place so that advanced ideas and tech could be used. From the sounds of that last post, no advanced tech is really in use--pretty much hobby level stuff. If you used advanced techniques, maybe new cards would not be needed with every ecm that comes along. Course with new IKS blocking anycast in the works, I'm not sure that actually using brains would be of any help at this point, but would it not have been better to do something creative earlier?

No one was able to figure how to stop the card hits. As soon as you pull a card out of the legal receiver and put it in a card server it can be hit by Dish Network. Once you have used a card in a card server - it is somehow marked for life - so even if you pull the card out and put it back into the legal receiver it will still get hit the next time Dishnet sends out the card hit ECM.

The logical answer was to leave the card in the legal receiver and try to send the Control Word requests and replies from the card to the card servers. They tried wiring the contact points of the card server to the same contact points on the legal receiver - so the signal from the dish would be sent to the legal receiver and to the card server and then the reply from the card would be sent to both the legal receiver and to the card server - but they could never get it to work. The receiver would just shut down.
A lot of money was thrown at the problem - but no one has figured it out so far and I doubt if they ever will.

jvvh5897
03-24-2016, 04:39 PM
Well the Black Hat info says that the newer cards are no better protected than the older ones. Advanced tech includes invasive attacks. As for "never getting passive intercept of card-box comms to work"--you have got to be kidding!--that is so basic a task!

jedi
03-25-2016, 02:16 AM
I'm guessing big money is still on the table for anyone that can find a way to avoid the card hits or to hack them. If it is so easy why hasn't anyone done it yet? The standard answer has always been nobody wants to confront the Providers - if they are smart enough to hack the cards or evade a card hit I'm sure they are smart enough to figure out a way to avoid a legal confrontation with the Providers.

hutch
03-25-2016, 02:51 AM
funny how the OP is dated the same day the last TPs on 110/119/129 went MPEG4...

abouttosnap
03-25-2016, 04:20 AM
http://i1383.photobucket.com/albums/ah286/abouttosnap63/satfix/IKS_zpspus2ylta.jpg

Hopefully most know the above picture is no more than a joke. This anycast rumor if memory serves me correctly got started around this time last year so here we are almost a year later and it still hasn't happened. Bought my first receiver back in Dec. of 2005 knowing full well that there was no guarantee it would still be up a week later. But again here we are 11 years later and even though we have changed from standalone to iks it is still going. I just have not or ever will get bent out of shape when this goes down from time to time. In 11 years I've seen it go down anywhere from hours, days, weeks and months...longest being 3 months. So anything less than that and I'm ahead of the game. I don't try to figure out if and when it is finally going down for good...about like I don't waste time waiting and wondering about another standalone fix. I'll just ride it till there is nothing left to ride. Paid around 159 and change for my first stb and it had paid for itself within the first month...including what I had put into my original poormans dish.



https://www.youtube.com/watch?v=N1YtpjC1o8s

wheresmystuff
03-26-2016, 02:20 AM
funny how the OP is dated the same day the last TPs on 110/119/129 went MPEG4...

don't get how that's funny, I didn't even know they switched

hutch
03-26-2016, 04:18 AM
thought so... read here... http://www.satfix.to/showthread.php?193031-3-17-16-Corrected-for-110-119-129-tp-changes&p=1185002#post1185002 ... it's posted many times in other threads as well...

jvvh5897
03-26-2016, 10:13 PM
I'm guessing big money is still on the table
I know I don't care about that.
As for how folks might do it: There is an advanced section on this site and others have things like Coder's corner sections or sections just for prov hacking. I posted on how one did not really need to do passive logging by "direct contact" with DTV box over at dss rookie site, you just modify the box code to send the info out on a serial port. That sort of project might be a good thing to have in a bag of tricks if anycast does happen anytime soon (if you can figure out the box code and how the processor might have access to CW in the new boxes then you have a chance at doing IKS with them). Might be good to figure out IKS with DTV boxes too--there was a little talk about that in one of the rumor threads a year or more ago, might be time to have work on that! Folks could post box flash dumps and I know a bit about disassembling box code to find interesting things. It is time that folks stop trying to guard their piece of the pie and have open work done on things of interest instead of the wall of silence on work. The idea that 'lots of money' was spent doing things with no progress is a shame!--a complete disregard of the talents available in the hobby if we work together. IKS has been around for what? 7 maybe 8 years? It was about that long ago that I pointed out in one forum that one could share CW between boxes (FTA boxes not prov). There really should be more in public about what you guys doing IKS are doing.

If I were a prov coder, I think I would have set up the DN card to require a periodic message from the box and if it were not there in a certain time period, the card would flag itself as being in a card server. Lots of other ways that one could do it though.
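
The periodic-message check suggested in the post above, sketched from the provider's side as an added example (not part of the thread and not any provider's real mechanism). The key, the counter-plus-HMAC heartbeat format, the ECM-count threshold and all names are assumptions; the counter and MAC are added so that a recorded heartbeat cannot simply be played back to the card.

```python
"""Added example: card-side pairing heartbeat with a latched tamper flag."""
import hashlib
import hmac
import struct

# Assumed policy: a card is powered by its reader and has no clock of its own,
# so the "time period" is measured in ECMs handled since the last good heartbeat.
MAX_ECMS_WITHOUT_HEARTBEAT = 4
TAG_LEN = 8                      # truncated HMAC-SHA256 tag (assumed length)
KEY = bytes(range(16))           # constructed pairing key, for the demo only


def heartbeat_tag(pairing_key: bytes, counter: int) -> bytes:
    """Tag the paired receiver attaches to heartbeat number `counter`."""
    msg = b"HB" + struct.pack(">Q", counter)
    return hmac.new(pairing_key, msg, hashlib.sha256).digest()[:TAG_LEN]


class PairedCard:
    """Hypothetical card logic: answers ECMs only while heartbeats stay fresh."""

    def __init__(self, pairing_key: bytes):
        self._key = pairing_key
        self._last_counter = 0
        self._ecms_since_heartbeat = 0
        self.rejected_heartbeats = 0
        self.flagged = False     # latched: models a write-once flag in card memory

    def on_heartbeat(self, counter: int, tag: bytes) -> bool:
        fresh = counter > self._last_counter          # rejects replays
        valid = hmac.compare_digest(heartbeat_tag(self._key, counter), tag)
        if not (fresh and valid):
            self.rejected_heartbeats += 1             # watchdog is NOT reset
            return False
        self._last_counter = counter
        self._ecms_since_heartbeat = 0
        return True

    def on_ecm(self) -> bool:
        """Return True if the card would release a control word for this ECM."""
        if self.flagged:
            return False
        self._ecms_since_heartbeat += 1
        if self._ecms_since_heartbeat > MAX_ECMS_WITHOUT_HEARTBEAT:
            self.flagged = True                       # never cleared afterwards
            return False
        return True


def simulate(events, pairing_key: bytes = KEY):
    """Feed ("hb", counter, tag) / ("ecm",) events to a fresh card."""
    card = PairedCard(pairing_key)
    answers = []
    for ev in events:
        if ev[0] == "hb":
            card.on_heartbeat(ev[1], ev[2])
        else:
            answers.append(card.on_ecm())
    return card, answers


def paired_receiver_trace(rounds: int = 5):
    """Constructed trace: a fresh heartbeat before every 3 ECMs."""
    events = []
    for counter in range(1, rounds + 1):
        events.append(("hb", counter, heartbeat_tag(KEY, counter)))
        events += [("ecm",)] * 3
    return events


def replayed_trace(rounds: int = 5):
    """Constructed trace: one recorded heartbeat played back every round."""
    recorded = ("hb", 1, heartbeat_tag(KEY, 1))
    events = []
    for _ in range(rounds):
        events.append(recorded)
        events += [("ecm",)] * 3
    return events


if __name__ == "__main__":
    for name, trace in (("paired", paired_receiver_trace()),
                        ("replayed", replayed_trace())):
        card, answers = simulate(trace)
        print(name, "answered", answers.count(True), "of", len(answers),
              "ECMs; flagged =", card.flagged,
              "; rejected heartbeats =", card.rejected_heartbeats)
```
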

jazzman
03-27-2016, 03:55 AM
http://i1383.photobucket.com/albums/ah286/abouttosnap63/satfix/IKS_zpspus2ylta.jpg

Hopefully most know the above picture is no more than a joke. This anycast rumor if memory serves me correctly got started around this time last year so here we are almost a year later and it still hasn't happened. Bought my first receiver back in Dec. of 2005 knowing full well that there was no guarantee it would still be up a week later. But again here we are 11 years later and even though we have changed from standalone to iks it is still going. I just have not or ever will get bent out of shape when this goes down from time to time. In 11 years I've seen it go down anywhere from hours, days, weeks and months...longest being 3 months. So anything less than that and I'm ahead of the game. I don't try to figure out if and when it is finally going down for good...about like I don't waste time waiting and wondering about another standalone fix. I'll just ride it till there is nothing left to ride. Paid around 159 and change for my first stb and it had paid for itself within the first month...including what I had put into my original poormans dish.



https://www.youtube.com/watch?v=N1YtpjC1o8s

Awesome graphics there my friend...you're getting really good in that department. I may have to ask you for a better sig as mine's a bit outdated...

jazzman
03-27-2016, 03:58 AM
I know I don't care about that.
As for how folks might do it: There is an advanced section on this site and others have things like Coder's corner sections or sections just for prov hacking. I posted on how one did not really need to do passive logging by "direct contact" with DTV box over at dss rookie site, you just modify the box code to send the info out on a serial port. That sort of project might be a good thing to have in a bag of tricks if anycast does happen anytime soon (if you can figure out the box code and how the processor might have access to CW in the new boxes then you have a chance at doing IKS with them). Might be good to figure out IKS with DTV boxes too--there was a little talk about that in one of the rumor threads a year or more ago, might be time to have work on that! Folks could post box flash dumps and I know a bit about disassembling box code to find interesting things. It is time that folks stop trying to guard their piece of the pie and have open work done on things of interest instead of the wall of silence on work. The idea that 'lots of money' was spent doing things with no progress is a shame!--a complete disregard of the talents available in the hobby if we work together. IKS has been around for what? 7 maybe 8 years? It was about that long ago that I pointed out in one forum that one could share CW between boxes (FTA boxes not prov). There really should be more in public about what you guys doing IKS are doing.

If I were a prov coder, I think I would have set up the DN card to require a periodic message from the box and if it were not there in a certain time period, the card would flag itself as being in a card server. Lots of other ways that one could do it though.

jvvh, anything you can provide us will be greatly appreciated as I know you have really good skills in this department. Lead on my friend.

skywalker999
03-27-2016, 03:09 PM
Why should jvvh do the work for you guys :innocent:

jedi
03-27-2016, 03:16 PM
There used to be a lot of sharing of information in the early stages of IKS - some card coder sites merged with IKS/Dreambox sites and receiver/jtag sites. A lot of public information was available about jtaging receivers and pulling information from the images. There was also a lot of public discussion about card coding and the efforts being done to hack into the cards. In the early stages Raton shared his rqcs software and there was a lot of discussion and experimenting being done in open forums. Bowman's CSP load balancing software was, and still is free, and openly discussed - but Bowman didn't want to have anything to do with monetizing his software and he stopped development.
Raton developed his FSLB, load balancing software, but took it private and sold it to the big dealers. He also developed private versions of his rqcs and fsec software and software to feed the ECMs and EMMs to the cards while they were in card servers so the keys would stay up to date and to pull the Control Words from cards to feed the cache.
Eventually leaked or hacked versions of Raton's software emerged but you couldn't post it or even discuss it in any forum since it was considered stolen software.

When Raton went private and underground the FTA guys already had what they needed from the card bangers and box testers and the collaboration and testing that was being done seemed to disappear. Some of the FTA guys, like DreamBox users, went underground and survived for a while but there wasn't a lot of testing being done and eventually they disbanded. The big IKS dealers only needed a few good box testers to pull the chips from receivers and read the keys and the rest of the testers lost interest and retired or quit testing. The card testers weren't having much luck hacking into the cards so money stopped flowing their way and they soon disappeared.

I don't know if Raton is still around developing new software underground, but I doubt if there are many card coders or box testers involved. A lot of IKS services are using stolen or hacked versions of Raton's FSLB - but they can't discuss it in any forum because it is stolen software.

Some people don't mind paying Raton, or those that use his software - but there are some strong vocal people that hate all IKS dealers/resellers or anyone that makes any money from IKS. In my opinion if any IKS service tried to lead a collaborative effort to test new ideas they would be ostracized. I don't think they are being secretive or trying to hide anything - it is just frowned upon to talk about stolen software such as FSLB or anything that would help the dealers make money.
I think the lead would have to come from outside the IKS dealers - but I'm sure they would all pitch in wherever they could.

There could be some people that are content to see things stay the way they are - perhaps they have a vested interest in keeping people in the dark - there will be some chiming in about not helping free TVers or dealers.

jvvh5897
03-27-2016, 07:03 PM
I'm not offering to do work for anyone. I am offering to guide folks in doing work. If you want such help start posting flash dumps and card logging, pics of boxes might help, schematics would too. Processor data sheets are nice to have as are any other data sheets that are available. I know the processor in use in some DTV boxes have started to have all but the tuner front end PLL and the card itself on the chip--so the tuner decoder, processor, decrypt engine, video and sound chain are on the same silicon (Broadcom) with external flash and RAM. That type of integration might be what one sees in anycast and if so then it can be really hard to figure out anything from the box code (I've played with the ATSC Broadcom chips in converter boxes and I've been able to do some things but lots of experimentation has to be done to really see how it works). As I don't own DN boxes and have no interest in contract TV I'm not going to be doing any of the experimentation involved in prov boxes.
I was not that impressed by Raton, I showed how the coolsat4000 code could be modified to work on pansat 2500 box, but did not have any interest in the testing for IKS, so he never bothered to support the box. I figured he was busted long ago.

Marcella
03-27-2016, 08:56 PM
I'm not offering to do work for anyone. I am offering to guide folks in doing work. If you want such help start posting flash dumps and card logging, pics of boxes might help, schematics would too. Processor data sheets are nice to have as are any other data sheets that are available. I know the processor in use in some DTV boxes have started to have all but the tuner front end PLL and the card itself on the chip--so the tuner decoder, processor, decrypt engine, video and sound chain are on the same silicon (Broadcom) with external flash and RAM. That type of integration might be what one sees in anycast and if so then it can be really hard to figure out anything from the box code (I've played with the ATSC Broadcom chips in converter boxes and I've been able to do some things but lots of experimentation has to be done to really see how it works). As I don't own DN boxes and have no interest in contract TV I'm not going to be doing any of the experimentation involved in prov boxes.
I was not that impressed by Raton, I showed how the coolsat4000 code could be modified to work on pansat 2500 box, but did not have any interest in the testing for IKS, so he never bothered to support the box. I figured he was busted long ago.

As always thank u for your input and your skills my friend. Maybe our friend is on this side of the bars .

skywalker999
03-27-2016, 11:15 PM
My question is why now when it's almost over and done finished kaput terminado se acabou

abouttosnap
03-28-2016, 01:48 AM
Who said it was almost over? I guess sooner or later someone will finally be able to call it on when it will come to an end. Guess if and when they do they can say they told ya so. Like standing under a tree during a storm...do it enough times and you will finally get nailed. Same here...every year the rumor starts up that it's coming to an end so sooner or later someone will probably nail it.

jvvh5897
03-28-2016, 07:23 PM
I've been promoting folks to learn to code for at least 10 years now--nothing new about that. Not many folks bother. Not many folks bother to help each other with any skills they might have. If you are not trying to learn something, then you are likely part of the problem and not the solution.

IMO the term "Free TVer" was of little use back when it was relevant and of about as much use as a buggy whip now.

It would be a good idea for any posts to be done with some "spy craft"--use anon file host, post on one site and provide key on another, discuss in out of way site (or on "invisible" site)--those sorts of things.

1boxman
03-28-2016, 08:04 PM
Well...posting keys and any kinda card dump is like a target or plutonium .. hence the underground . So just about anyone with some knowledge of such.. I doubt you will see it in public .

jvvh5897
03-29-2016, 05:08 PM
Then no help from me! They can black out the box info so the box dump is not really traceable to sub. They can use cut-out users to pick up files and post in more easily found spots. But NO ONE mentioned CARD dumps or keys!!!

BTW, on DTV and IKS--In the past I've said that the CW come in every 5 seconds or so and that IKS did not do well at that speed. Seems the SD Music channels do have CW every 5 sec, but the TV channels have CW (cmd40) only every minute or so--not sure if that is a big deal or applicable to any but the couple of SD ch I tuned to, but lots better than every 5 seconds. The music ch CW packets were very short, and the TV packets bigger, so the seeds returned might be of a diff nature.

1boxman
03-29-2016, 06:37 PM
The dtv music still works . Older units .

dishuser
03-30-2016, 12:20 AM
The dtv music still works . Older units .
but iks isn't needed

jedi
03-30-2016, 01:25 AM
Then no help from me! They can black out the box info so the box dump is not really traceable to sub. They can use cut-out users to pick up files and post in more easily found spots. But NO ONE mentioned CARD dumps or keys!!!

BTW, on DTV and IKS--In the past I've said that the CW come in every 5 seconds or so and that IKS did not do well at that speed. Seems the SD Music channels do have CW every 5 sec, but the TV channels have CW (cmd40) only every minute or so--not sure if that is a big deal or applicable to any but the couple of SD ch I tuned to, but lots better than every 5 seconds. The music ch CW packets were very short, and the TV packets bigger, so the seeds returned might be of a diff nature.

I'm on my way back home from the South and not of much help for a few days.

As far as I know I thought the CWs were every 15 seconds for IKS on the TV channels??

When you are talking of log files are you referring to a card in a programmer using special software to send commands to the card and checking responses - or are you just looking for log files from card servers?

I love to learn and have a pretty good arsenal of hardware available and don't mind picking up more if it's needed. I'll be back North by the 3rd and look forward to learning something new.

I'm not much of a coder - I sat in on a few card blockers courses back in the day and loved it - but the site closed and I didn't get to graduate :-)

fn59
03-30-2016, 11:03 AM
Does anyone know what "anycast" really consists of?
I found a patent filed that mentions stopping iks, I don't know if it is "anycast", but has Nagravision listed as the assignee . (US 7,986,781 B2)

1boxman
03-30-2016, 12:38 PM
but iks isn't needed

thats right.

jvvh5897
03-31-2016, 07:46 PM
That CW come in every 5 seconds for Dick's music channels is a real puzzle--none of the SD (and HD for all I know) audio is encrypted on that prov so why the cmd40's so often when TV chs only get them every 57 seconds? Maybe they are being used more as a test of authorization than to decrypt anything. As for how TV chs only get CW every minute or so is another good question--I've double checked and my old data shows it has been that way for a long time, also double checked that only one CA packet slot is active and it is the same for TV and music channels whether I'm testing on the same TP or not (always PID 2), but something is filtering or otherwise selecting a different set of packets for the cmd40 routine.

It is on Charlie's system that CW come in every 15 seconds or so, I was not talking about DN.

Anycast is supposed to be a processor that has a 'card' on the silicon. As the CWs never have to leave the chip, there is no way to intercept them and feed IKS systems. All the decrypt happens inside the chip where one can't get to it.

lacoster7
04-01-2016, 05:07 AM
I'm not offering to do work for anyone. I am offering to guide folks in doing work. If you want such help start posting flash dumps and card logging, pics of boxes might help, schematics would too. Processor data sheets are nice to have as are any other data sheets that are available. I know the processor in use in some DTV boxes have started to have all but the tuner front end PLL and the card itself on the chip--so the tuner decoder, processor, decrypt engine, video and sound chain are on the same silicon (Broadcom) with external flash and RAM. That type of integration might be what one sees in anycast and if so then it can be really hard to figure out anything from the box code (I've played with the ATSC Broadcom chips in converter boxes and I've been able to do some things but lots of experimentation has to be done to really see how it works). As I don't own DN boxes and have no interest in contract TV I'm not going to be doing any of the experimentation involved in prov boxes.
I was not that impressed by Raton, I showed how the coolsat4000 code could be modified to work on pansat 2500 box, but did not have any interest in the testing for IKS, so he never bothered to support the box. I figured he was busted long ago.

Dish receivers for South America have broadcom chip, type 7xxx. What they did is "sprzetowe parowanie", which in translation means ---> equipment pairing, as far as I remember. So IKS was not possible initially, as CW was assigned to receiver ID. But someone found the solution, was able to partially decap that processor and read the Bx Keys and other keys using some software. What it allows is that any card was able to work in any card server, and no ECM or EMM was able to "burn" such a card in the card server, and card didn't have to be put back in the original receiver to get keys updated.
My memory is a little foggy, as it was almost 2 years ago, so excuse if I used some terms incorrectly.
There are only two guys in Europe, who were able to do it, and they were charging between 10 and 20 Grants for IKS operators.

If somebody tells me what Direct TV receiver uses that chip Broadcom 7005 or 7010, I might buy it and send it to Europe.

They will do it for me.

Then iKS for Dtv would be peanuts, if it is true, what jvvh is saying, that CW for video channels comes every one minute.

I am not a fan of IKS, never been, presently don't use any, those few channels I watch are thru streaming, they are free in most instances.

But if possibility to screw these big criminal monopolies exist, I am all for it, why not.

He he he, might even make some bucks from IKS bozos.
========
Was interested in Dish network receivers, but somebody told me, that none Dish receiver has this Broadcom chip in it in USA.
So finally I lost interest in the subject.
========
Oh, forgot to ask, this site ID went under ????? Placed there those "coil" thingy, "leak" from Bedrock Tavern, it was most promising leak to get into charlie plastic. Knew, that lot of peps there started to exchange some PM's on the subject.

jvvh5897
04-01-2016, 07:58 PM
I have some notes on the box that has Broadcom chip inside, I'll see what I can find. I think there were more digits than 4 though.

On passive card logging. The old way to do it was to have an extension card with an ATMEL or PIC microcontroller and a MAX232 chip--the uP got its clock from the card connection and read the ATR and regular data by bit banging it, then sending the data through 232 chip to PC serial port at a 'normal' baud rate that any PC could do. It did not take much of a uP chip to do it ATMEL 2313 was a common choice. These days it likely would be easier to just use an experimenter's board to do it and use USB port, so maybe a teensyLC--might still want an extension card of some sort even if it is just a quick and dirty DIY one.

The card should not be marked if you copy enough of the box/card comms to let the card think it is only in a box. That assumes the rate of ecm fed into card is not a factor. If the card were actually in a box then it should never get marked as a card server card, but you only get one channel of CW per card.

jvvh5897
04-02-2016, 07:19 PM
Ha! I figured out where the DTV CW packets are! They are embedded in the video stream if TV channel and in audio stream if music channel. The music channel often has them tacked on the end of other packets, I would look at the text description of the music playing and not notice the 0x20 or so bytes of what would show up in the cmd40 packet.

-------------------------------------------------------------------------------------------------

For those that might like to use the built-in box processor and serial port of a prov box, here is a little info that seems common to 2700, 3900 and 301-013 box code:

If you search for the sequence of code that creates the header you might find something like:
7FFB6394 2A40 loc_7FFB6394: ldc #A0
7FFB6396 76 ldl #6
7FFB6397 23FB sb
7FFB6399 2C4A ldc #CA
7FFB639B 76 ldl #6
7FFB639C 81 adc #1
7FFB639D 23FB sb

the code is storing the 0xa0 and 0xca bytes of the header onto something to transmit to the card. In RAM you might find that as:
1AF0B0 00 00 00 00 00 00 00 00-A0 CA 00 00 02 C0 00 06

A call to the code doing the above looks like:
7FFB6F7F 26292E225A ldnlp #69E2A --points to 401A78A8
7FFB6F84 79 ldl #9
7FFB6F85 6C289E call sub_7FFB6316

Haven't found the spot reading from the buffer, but above is getting close.

Also in RAM (all examples are from 3900 box code), I see what looks like a serial TX buffer for a line to the outside:
1AD070 00 00 00 00 00 00 00 00-00 00 00 00 6D 61 6C 6C mall
1AD080 6F 63 2F 66 61 72 68 65-61 70 2E 63 20 28 34 39 oc/farheap.c (49
1AD090 35 29 3A 20 69 6E 69 74-69 61 6C 69 73 69 6E 67 5): initialising
1AD0A0 20 68 65 61 70 20 61 74-20 30 78 34 30 30 30 42 heap at 0x4000B
1AD0B0 45 39 38 20 66 6F 72 20-34 35 38 37 35 32 20 62 E98 for 458752 b
1AD0C0 79 74 65 73 0A 6E 69 74-0A 2F 6E 66 73 2F 69 6E ytes ni t/nfs/in
1AD0D0 74 65 67 72 61 74 69 6F-6E 2F 72 65 6C 65 61 73 tegration/releas
1AD0E0 65 2F 45 63 68 6F 53 74-61 72 2F 45 4E 32 31 42 e/EchoStar/EN21B
1AD0F0 30 33 62 2F 6F 74 76 2F-73 72 63 2F 00 00 00 00 03b/otv/src/
1AD100 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00

So, I'm guessing that with the above box code one sees activity on the serial port TX line.

I've used both IDA Pro and DASMST20 to disassemble 2700, 3900, and 301-013. I believe the first two use the sti5500 processor and the last the sti5518, but all are st20c2 type code. All three had pretty much the same ldc a0, ldc ca sequences.

From the above you might guess with these and most boxes, figuring things out is easier if you have both flash and RAM dumps. Ram dumps from box in regular operation are best.
---------------------------------------------------------------------------------------------------------

On the Broadcom chip question the model was DTV's D12-100 model, the chip is BCM7312TKPB126 and the build date was early 2008 and built in China.

lacoster7
04-03-2016, 05:11 AM
On the Broadcom chip question the model was DTV's D12-100 model, the chip is BCM7312TKPB126 and the build date was early 2008 and built in China.
Think, that I saw such receiver, my neighbour was installing them about 3-4 years ago, he might even have some left, if not I am gonna try to buy it on ebay. Hope, that BCM 7312 is not that different from BCM 7010, the procedure they have, might work on it as well. Gonna email this guy in Euro right away with question about that processor. Uuuuuuuhaha, maybe there is a chance to poke a stick into the eye of Jaczewsky's team and dtv.
~~~~~~~
On 301-013, I don't follow your train of thoughts, if it is original soft/bin of dish in this receiver, how it is gonna process stream from 101 sat ???, from what I remember it is not possible in the menu of original dish soft. Unless you use it for some kind of comparison of codes ????? Or maybe u use this bin for converting 301-013 to fta ????
Thanx for sharing this info, was looking yesterday for processor in dtv boxes, googling for two hours and finally fell asleep.

pugsycan
04-03-2016, 03:21 PM
OK You 2 :D This thread has gone a lot more towards testing than Rumor
Would you like me move it to the advanced testing area
Your choice

lacoster7
04-03-2016, 05:47 PM
Received email, card testing is in the final stages, new glitcher design with "bang" for about 230 Mhz was sent to the board makers.
But some instruction to use existing hardware probably will be supplied.
Do not know, where and how to proceed with the project, cause it would be dangerous not only for members ,but for the site also.

Most involved in the project probably never tried to hack modems and be anonymous or at least use this special TOR browser.
Know, that the older version of the browser gives anonymity, but do not know whether newer versions do not have special "back door", NSA bozos don't sleep, and God knows what they might put in the project.

Sent already email with questions about this BCM processor, jvvh was talking about, hope to receive response within day or two.
On other hand, gonna check the older DTV receivers, D10, to find out what processor it has.
---------

As far as moving this thread to different section, call is up to you, it is your site.
Maybe would be first to find out who is interested, who would contribute, who would test, and so on, and then make it invisible to others, thus protecting the site existence. Maybe access to this invisible section should be by invitation only, thus protecting others and site from snitches.
But definitely not all mods should have access to it.

We all know, what happened to BedrockTavern and ET, they all were closed down.
Think, that jvvh will have very important say on the question, as he is most important and most experienced with processor hacking on the assembler level, but I doubt, that he ever dealt with the plastic, as he publicly stated on numerous occasions.

pugsycan
04-03-2016, 06:19 PM
Unless you guys would request it to go invisible it would always be in open forum

jvvh5897
04-03-2016, 08:07 PM
I think we are still in rumour stage myself.

I've been thinking about how one might do IKS with DTV. You would of course need both server(s) and user receivers. User receivers are a problem--while most hardware can do DSS streams, we don't have modern processor and tuner chip data sheets, so we really don't know how to set a box using such to do what needs to be done. Old boxes have lots more known about them, but they tend to be SD only and DTV audio might be AC3 and most older boxes do not have a DAC chip for that. 301-013 is such a box, we know lots about the chips inside and they can do DTV (the 301-013 and DTV's DRD430 are almost the same--sti5518 and Conexant tuner demod--I know the DRD430 can do DTV audio but not that sure of 301-013). The sk900 HD tuner module might have a Broadcom tuner decoder chip that can do DVB/DSS and other signals, but as far as I know, no data about how one sets that up or even pin-outs and not that sure about the chip as pics are only showing the heatsink on the chip.

The requirements on the user end are really small though. You only need the video and audio streams. Don't need the CA or APG streams (though the last would be nice to have not much is known about it). You would have to parse out the part of packets needed for the seed info and send it off over web--might just use serial port on box and a serial to web dongle. User interface could be really simple, might have a really tiny amount of code to run box. If audio chips on old boxes were OK then lots of old SD boxes could be revived--digiwave, coolsat, pansat all can be run with public coolsat code so they might be good starting places. But 3900, 2700, and 301-013 might be possible.

jvvh5897
04-03-2016, 10:28 PM
The DTV D11 was from around 2006 and has the Conexant CX24155-25P processor that has built-in MPEG II Decoder, so just about the same thing as the Broadcom one, but not.

On the server side I think the card only needs a feed of the PID 2 content--that is largely EMM type stuff to update tiers and internal key for cmd40 decode. Think any TP would do, even the strongest spot beam. That also is a pretty simple receiver as you would not even need to do video or audio--low bit rate--the card seems to get about 200 bytes per second typically even if the bit rate for the card could be around 44K bps (4.6 MHz clock to card and typical 372 count for ATR for about 10.8K bps and 4 times that for normal bit rate).

lacoster7
04-10-2016, 11:51 PM
Sorry guys, I screwed completely about these processor chips, it was almost 2 years ago.
There is a way to decode CWPK (control word Plain key -->in plain text) for STi 7111 and STi 7105 chips.
And dish receivers all use BCM chips. No known method for my guys.

But good news is, that there is one guy in South Balkans, who was able to get this CWPK from BCM 7402 chip. But he doesn't want to share his secrets/patent. Do not know, whether he would do it for the money. Probably 5-10 Grants would do it, but I do not have such pesos.

How is it played by Dish/nagra --->my loose translation, so do not kill me for accuracy.

"All communication between IRD <---> CAM is crypted by AES, after decoding , like in old Nagra, is generated Session Key + at the end is added Serial of processor from the IRD onto the card, It is called NUID, and thus is forced equipment pairing,
According to patent by dish, this type of method is unbreakable because keys are in the processor of IRD.

But it is a way, first of all, is needed BGA programmer, about 800 - 1000 $.

All this chip pairing depends on one key (for given provider), if u decode this CWPK (CW plain key) in the processor, thru processor in IRD (that's why u need BGA programmer and get out processor from the IRD - get those keys thru 'back door' in processor firm), then u have universal keys for the all cards of given provider.

With those decoded keys, u may use all cards in IKS, nothing else is needed."

Do not know, whether it makes right sense with my translation. I am not good in any language

S America --> Claro have this equipment pairing and some others...

IRD with this processor has to be at least 2 years old, (read 4, as mail is 2 years old), cause in the newer receivers this "back door in the firmware of the processor" is blocked.
Do not know, whether my friends will deal with the BCM processor, they are extremely busy as of now, but if they do, they probably want to sell this CWPK to IKS providers in one time transactions, as it is harder and harder to get the money without being chased. And that, is very traceable by small numerous payments. And IKS serving is big job by itself, takes tooooo much time.

lacoster7
04-11-2016, 02:06 AM
I am reading this thread again from the beginning:
@jedi

Older dish receivers, yeah jtagging was known, 3100 , 301 013
In the newer receivers jtag was secured by AES key, and I do not know and...

jedi
04-11-2016, 06:01 AM
I think my main input into this thread has been that a lot of effort by some people has been spent on trying to prevent the Providers from killing the cards - I am not even close to being an expert in this subject - I know some of the people that have for monetary reasons tried to help stop the card kills.
From what I have seen nothing seems to help so far. I know how the card servers work and how the load balancers work and know a little bit about jtagging and used to dabble into card hacking but some of this stuff is getting over my head about different chipsets and so on. I love to learn and may have some good resources - I would love to help in any way I can.

I don't think they are counting ECMs to kill the cards - some have tried to only pull the control words for one channel from a card but they still got hit. For a while they could pull the control words for local networks and the cards would not get hit - but after a while they started to hit those cards.
When someone mentioned it would be easy to passively pull the control words from a card and at the same time feed the stream to the legal receiver that seemed to me to be the logical answer - but from what I have been reading it is not so simple.
In my opinion part of the stream, at times, is asking the receiver to report something back about its status - it could be as simple as what is your Build Config? If the card is in a card receiver it may not know the answer to that question so it gets marked and eventually is killed during the next "card hit" ECM.
That is just a simple scenario - it could be something much more complex in the stream. We can try to make the card server software exactly mimic a card that is in a legal receiver but that is almost impossible to do. I am sure we can come close but we have no idea what they are lookin for.

I.M.O it is helpful to discuss some of these things openly - I don't think there is any deep dark secrets that are being hidden - people are just guarded about revealing their sources. I think everyone knows that the Providers are trying to get to the big Boys however they can. The big guys know that - so have to be very careful who they confide in and discuss their problems with. Sounds like a good plot for a movie or book ehhhhh???

jvvh5897
04-11-2016, 07:37 PM
My work on mods to let old boxes do DSS are getting somewhere. I've got one box (see advanced section threads on pansat and dg7k) running TV audio OK. So, the idea of doing a different IKS for that provider has some merit and you might be able to replace one prov for another if it comes to that. Perhaps that bypasses the issue that lacoster7 brings up (though likely not).

Tr4ck3r5murf5
03-11-2017, 05:05 PM
My work on mods to let old boxes do DSS are getting somewhere. I've got one box (see advanced section threads on pansat and dg7k) running TV audio OK. So, the idea of doing a different IKS for that provider has some merit and you might be able to replace one prov for another if it comes to that. Perhaps that bypasses the issue that lacoster7 brings up (though likely not).


Perhaps you should check the newer bcm740x models H10 and previous versions, new ball game with NSK AVCHIP CW protected 3DES decrypted inside AVCHIP that means inside CPU slimcore decryption is done not external RAM STB.

Good starting point is rooting the box to gain access, maybe just maybe if you get access to CPU ROM dump, you might understand how things work, OTG can be funny...

Yes DSS were the first back in 2005/6 to use CPU CW protection features, back then no one wasted time checking how things worked, so 12 years later where are they at?


just my 2 cents, let the fun begin and never trust a h/w vendor saying it's secure....




BIST_USB_detect()
{
    BIST_PLATFORM=`$GETMODE -fem`
    BIST_USB_FILE=/mnt/update_bist.sh
    BIST_SIG_FILE=/mnt/BIST_USB/images/BIST_${BIST_PLATFORM}.sig
    echo "Checking for BIST in USB"
    umount /mnt &>/dev/null
    for USB_DEV in /dev/sdb1 /dev/sda1 /dev/sdc1; do
        mount -t vfat $USB_DEV /mnt &>/dev/null
        BIST_USB_STAT=$?
        if [ $BIST_USB_STAT -eq 0 ]; then
            break
        fi
    done
    if [ $BIST_USB_STAT -ne 0 ]; then
        return
    fi
    if [ "`$GETMODE -i`" = "production" ]; then
        if [ ! -e $BIST_SIG_FILE ]; then
            umount /mnt
            return
        fi
        echo -n "BIST USB signature found, validating..."
        $SIGTST $BIST_SIG_FILE
        if [ $? -ne 0 ]; then
            echo "signature FAILED"
            return
        fi
        echo "signature OK"
        BIST_SQUASHFS=`grep IMAGE $BIST_SIG_FILE | sed 's/ //g' | cut -d'=' -f2`
        if [ ! -e $BIST_SQUASHFS ]; then
            echo "BIST squashfs '$BIST_SQUASHFS' not found"
            return
        fi
        echo "Mounting BIST squashfs"
        mount -t squashfs -o loop $BIST_SQUASHFS $BIST_PATH
        if [ $? -eq 0 ]; then
            echo "usb" > $BIST_MODE_FILE
        else
            echo "BIST squashfs mount failed"
        fi
    else
        if [ ! -e $BIST_USB_FILE ]; then
            umount /mnt
            return
        fi
        echo "BIST USB update found"
        dos2unix $BIST_USB_FILE
        chmod +x $BIST_USB_FILE
        $BIST_USB_FILE
        echo "usb" > $BIST_MODE_FILE
    fi
}

jvvh5897
03-11-2017, 08:51 PM
My access to DSS boxes is limited to what I can pick up at second hand stores when the box owners do not realize they have to turn box in.

Hani
03-12-2017, 04:25 AM
What kind of boxes are you lookin for?
I wish I had half a brain - then I might know what you guys are talkin about ..... LOL
I have a ton of different boxes I have accumulated over the years..............

c8rbk1ng
03-12-2017, 05:00 AM
I want to thank you guys for giving me a chuckle today...by reviving a year old thread...in the RUMORS section...with replies that have nothing to do with the original post! :chitchat: :tehe:

jvvh5897
03-13-2017, 07:10 PM
Gee, I would think listening to the news out of Washington would be keeping everyone chuckling (or chucking).

c8rbk1ng
03-14-2017, 12:18 AM
Gee, I would think listening to the news out of Washington would be keeping everyone chuckling (or chucking).

That's not funny...THAT'S SCARY!!!

jvvh5897
03-16-2017, 04:24 PM
As for what DSS boxes I might need--none. My interest is not really in cracking the CW exchange in the prov boxes, it was getting an FTA box to do that type of stream and I did that a year ago for a box that I have. Lots of boxes could be setup to do the same--old and new--at least for the SD streams.

jazzman
03-17-2017, 02:04 AM
As for what DSS boxes I might need--none. My interest is not really in cracking the CW exchange in the prov boxes, it was getting an FTA box to do that type of stream and I did that a year ago for a box that I have. Lots of boxes could be setup to do the same--old and new--at least for the SD streams.

Sounds interesting my friend, care to let us all in on it?

jvvh5897
03-17-2017, 04:01 PM
I did. Posts were a year ago in Advanced section. The digiwave 7000 is basically the same hardware as the DTV's Gaeboa box, so the mods were relatively easy in software. I also figured out how to get the pansat 2500 box's tuner to send out the DSS stream to processor, but had trouble getting the processor to pull in that stream (even though I figured out how to mod pansat code running on DTV's DRD430 box)--there are some hints in source code I have that the Zinwell chip needs to have a setting of "ignore sync byte" in the processor. BTW, the 301-013 box is basically the same hw as DRD430 so it can do the same as DRD430 running pansat code modded for DSS.
The Conexant based Viewsat Platinum can lock into 101 degree sat with no mods at all--I bet all that that box needs is a channel list to start working--it is very similar to the D11 DTV box. For the dg7k and pansat2500, I generated a channel list by taking the TPN_mapping_domestic (saved as text) from dsstalk site and directly building a list for the boxes with python code as the DTV signal does not have a PAT but embed channel data PIDs in the APG EPG packets (I did not want to figure out the APG--getting PIDS and ch names out of MPG is easy but they shut that down a couple years ago).
The coolsat 5000 is also Conexant based but with the same tuner as in the pansat2500 type box--I bet a couple of tuner register mods and a load of the same channel list I set up for the dg7k as cs4k would get it going.
On newer boxes with 8PSK Turbo FEC modules based on BCM4500--the data brief for the chip says that is Directv compatible--might even auto detect the signal and switch itself to the right mode as does the Conexant processor (if the right register is set to do so).
The DSS SD signal is very like the DVB-S signal but shorter packets and video/audio are diff format--nothing that most processors are setup to handle. Broadcom, Conexant and ST Micro do business with DTV, so most processor/tuners based on the chips can do DSS. MStar, Ali and NovaTek most likely can not as most of their business is out of the USA.

jvvh5897
03-18-2017, 07:19 PM
BTW, if you want to see if your box may be "ready" for DSS signals and you are pointed at 119W already, then just see if you get any of the top 10 TP (excepting 24). The TPs 22 on up are largely DSS with spot beams on TP31 and I think 25 and 23. The channels on that set of TP are largely Spanish Lang, but there are a few other langs. Spot beams are locals that did not fit on 101 degree sat I think. You might be able to test if the box tries to get the channels by manually adding PIDs--they use a small set of PIDs.
The more interesting chs are on the 101 W sat (about 330 or so). 119W only has 100 or so.


http://www.ftaconcept.com/showthread.php?p=743224#post743224 Suggests that the Dreamlink T5 might lock onto DSS signals just fine too

jvvh5897
03-26-2017, 06:40 PM
I've been looking at the APG packets to see if it is easy to pull a channel list out of it. Seems 101 degree TP 2, PID 820 is the key to getting it. Some of the data is compressed as far as I can tell. Might open a thread in advanced section on the topic. So far I see lots of channels that don't seem to show up on the TPN Map--not sure why or if it makes any real diff though.

jets
03-30-2017, 01:51 AM
My neighbour has a DL T4 and let me do a bit of testing on 119. I created a TP in a new sat 12676, 20000, auto FEC. I got signal and quality and did a PID scan with VID PID set to auto and FEC set to auto, I wonder if the symbol rate is incorrect as I was not able to scan anything.

If I have to manually add the PID what is the symbol rate?

It should be noted that the audio channels on David are not encrypted (music anyway) if memory serves correct.


BTW, if you want to see if your box may be "ready" for DSS signals and you are pointed at 119W already, then just see if you get any of the top 10 TP (excepting 24). The TPs 22 on up are largely DSS with spot beams on TP31 and I think 25 and 23. The channels on that set of TP are largely Spanish Lang, but there are a few other langs. Spot beams are locals that did not fit on 101 degree sat I think. You might be able to test if the box tries to get the channels by manually adding PIDs--they use a small set of PIDs.
The more interesting chs are on the 101 W sat (about 330 or so). 119W only has 100 or so.

Suggests that the Dreamlink T5 might lock onto DSS signals just fine too

jvvh5897
03-30-2017, 04:26 PM
You can get all that at Lyngsat, but the freqs in use match 110, SR is 20000, FEC is 7/8 I think. You can't scan DSS signals with FTA box as they don't use PAT and other DVB-S tables (they set up their system before the international group that decided that stuff).
You might get something if your box auto-detects the DSS format and switches to the correct video and audio stream format, but you will have to build a channel (or channel list) with the PIDs in use (they use VPID at multiples of decimal 10 and english audio stream APID are 1 greater (if any additional audio streams are present then keep adding 1--many chs have spa SAP)). The music channels are similar multiples of ten but no added digits. I covered a lot of that down in the advanced section threads. And I have figured out a lot of the APG stream now--think I can generate most of the TPN_Map_Domestic from the 820 PID stream. Think local's info are on PID 800 TP2 of 101 degree sat but in old post on early TPN mapping work at dbstalk I saw a note that folks should record PID 820-82f.

And, yes all the audio channels are not encrypted on SD--so lots of music channels and lots of TV ch audio. I find that many TV shows do not really need the video. You can listen to the talking head channels like MSNBC and not really miss much.
There is one open video ch--the ch 100 (ch 200 and others) is the PPV preview channel so you might be able to view that one if you setup the PIDs right.

Thanks for the report on the box!!

jvvh5897
04-01-2017, 07:33 PM
Found a TSReader shot of a DSS TP and attached the PID part of display (ricks wildfeed was where I found it). You can see a fairly typical set of PID in use. Those ones with PID up around 3000 are the APG EPG update info. PID 2 is the CA equiv of EMM packets.

edrik
04-01-2017, 07:54 PM
i too enjoyed those graphics