there is no old working EMU file for azbox and i dont know how to mod a file
Printable View
there is no old working EMU file for azbox and i dont know how to mod a file
Yes there is older EMUs, that's what multicas is, are they working is the big ???, you can load an older version and see if theQuote:
Originally Posted by caseyman
provider is in the nagra list, if it is then edit the box keys.
iq, see post #15
I think you can edit the index and have 2 sets -00-00 and 2 sets -01-01- that will be 4 rows of keys not 2 rows and it should work.Quote:
Originally Posted by caseyman
00-xx-xx-xx-xx-xx-xx-xx-xx
00-xx-xx-xx-xx-xx-xx-xx-xx
01-xx-xx-xx-xx-xx-xx-xx-xx
01-xx-xx-xx-xx-xx-xx-xx-xx
how to edit the index? what software? multicasedit?
You do have to have the GC RSA modulus in the code, just adding correct key does not help you if you don't have the RSA. If you can get into the file with a hexviewer or editor look for the sequence 33 69 91 just like you look for ab c5 7c for DN RSA modulus.
I think that's in the older version of multicas so all you would need to do is edit the keys.Quote:
Originally Posted by jvvh5897
You can edit it from the receiver menu in multicas/ nagra key edit.Quote:
Originally Posted by caseyman
@jvvh
yes, the sequence 33 69 91 is there. now what? what does it mean?
As pointed out earlier to decrypt the packets with CWs you have to do an RSA step with the RSA modulus, an IdeaCBC step with the key that you have put in the key area and then there is another RSA step and byte flop. If you have the RSA modulus in the file and if the code selects it correctly and if you have the key in there and the code selects the right one, then the CW should decrypt correctly if the steps in the code match the ones needed. I've found that as N2 aged, the prov complicated the decrypt and so while the code in a file might be right for the N2 steps needed at the time, they may not match the steps needed for GC radio now.
You can try to find another file with the RSA modulus and see if with the right key you get decrypt. OR, try to fix the file by finding the code that does the decrypt and get it to execute as needed today. OR, you can try to set up such a decrypt in a PC and send the ecm packets to the PC to decrypt and have the box use the returned CWs.
I took a quick look at the Multicas-- 1.70d I believe was the version. I had to unpack it from gzip type of compression and inside I found about 0x180000 bytes. Much of the contents are strings and data, but looks like mips type of code from about 0x12500 to 0xe0000 for a processor that might be SMP8634-2801 from one type of string I found. gcc seems to have been used to create the code as I find a "gcc" string as well. I also see addresses that look to be around 0xf0400000 and I think I have seen mips processor that used a flash address around that 0xf0000000 base address so, maybe code executes in flash around there, but I would think with gz compression used that might be RAM address--hard to say for sure just with the one sample and I haven't tried to figure out the base addrs for where the MultiCas get put.
I do see a couple of card dumps in there too: REV 340 for sure, maybe others as I see a few "DNASP" strings. Lots of copies of the DN RSA modulus, just one of the GC N2 RSA mod that is used for radio. I'm guessing that it does card emu for most of the decryption needed as I see st19 and st20 emu indications and "map" strings like were needed for 2008+ decryption.
If the code were disassembled after figuring out the base addr to use, one might be able to do some modding.
Part of the info is in the firmware of the azbox/ and all of it is stored in the DOM within the receiver, the DOM can be removedQuote:
Originally Posted by jvvh5897
from the receiver and put in a computer IDE port, if I wanted to get N2 music CH on sat 97.0w I think I would load an older
firmware, 0.9.5308 or older and an older multicas, JMO,LOL.
i think if multicas has only key format like this: xx-xx-xx-xx-xx-xx-xx-xx it was done to emu N1 only.
Not if the card dump inside the code is of as high a revision as I see--way past the N1 days. Plus I see map calls--those would be for late N2 decrypt. I would think that if your only choice is 8 byte key then you are not entering the keys in the right section. For N2 there should be a section with 4 groups of 8 bytes or two sections of 16 bytes. If you could find the DN or 3ev key area then you have an example of what you want.
all multicases have 4 x 8 bytes keys for DN and 3EV and only 1 x 8 bytes for C101, and i see no way to edit this.