
Thread: Bin 25r question

  1. #1

    Nfusion HD bin 25r

    Does anyone know how to pull tier rights, high, low and provider ID out of the info in the card sub menus?

    I need an updated list for south?

  2. #2

    Um, not sure if I'm the right one to try to answer, but I'm thinking that it would get you nothing to do something like that.
    There are card dumps in the files, but they are old and likely nothing about tier rights is in use.
    The easy way to find card dumps in a file is to unpack it if compression is in use and then do a search for strings used in cards like "Nagravision S.A." or "nipper" or "rev". Then you can treat the card dump as one would treat any card dump info.
    Course I'm not sure what you mean by "card sub menus"--if those are the on-screen menus that the box uses, then the menu system might lead you to the information, but it is usually a really roundabout method that requires very detailed info about how the code in the box works. You have to get clear code from the file, figure out what address base is, what processor code is used, disassemble it and start fishing around for how the menu works and where things are stored, you might have to do some code mods to dump RAM while the box is running. Lots of work. Some of that may have been done in the past as part of figuring out how to reset the expiration date for the file so you could look for threads on that for the box (if I'm remembering the box right).
    Prov ID is often extracted from the stream, either dynamically or at the initial scan. It can be hard coded, too.
    Last edited by jvvh5897; 10-14-2016 at 05:03 PM.


  4. #3

    Thanks for the insight jvvh5897,

    Most everything there is beyond my understanding, lol. I wouldn't know where to begin!

    If you are still interested? The challenge is to overcome green channels in the guide of an oem 211 rec.

    The Nfusion HD works fine bringing the channel but the oem one doesn't. The ch is 9421 it appears green. When selected it produces error 013. It is free and broadcast in the clear as far as I know.
    Also as a note ch 242 trutv is green, and ch106 tvlnd green as well ch166,167 green. These require control words but regardless they first need current tier info. Everything else is good.

    An idea that might have this resolved would be to read a n3 card with Cyberdbs to retrieve current tier info. I don't have any access to a card, as I'm not in the land of Donald. The card of course would have to be subbed to those stations to show good tier info, duh! It looks as though it is in every sub package short of the most basic one.

    Anybody who has the ability to get it and pass it on would be heroic!

    If I had the info it could be put into tier file of Any of the tier making programs and used to make a good file.

    All older tier file programs are not able to fix the problem. It appears as though the tiers have been changed and it's anybody's guess as to the new tiers (if this is the problem).

    Ironically the old files for the fta rec still work, it's like it's wide open. So my guess is the tier info on the nfusion is good, if it could be retrieved.

    About the sub menus, yes on the nfusion HD
    Press menu, information, CA information, Edit Code; from there there is I code, V code, S code, N code, X code, B code, C code, MB code.
    Within these sub menus are what look like 102 bin files, I don't know first which to look at and no I can't see any nipper etc info.

    Making progress ,,,
    Cheers
    Last edited by wedalan; 10-14-2016 at 07:47 PM. Reason: Added a few chs

  5. #4

    What satellite are you talking about here?

  6. #5

    D1shnet 110 119 129

  7. #6

    Ah, that is what I suspected. So, what you really want is to hack a provider box and/or send the card tier info. AFAIK, all channels are encrypted except for the one that says "Welcome to Dish, what a wonderful selection you have made and here is how you run your remote" or something like that. The tier info is in EMM packets and delivered to the card encrypted and the encryption is same as those EMM packets that have keys in them--these are encrypted with the RSA private key and AFAIK no one ever figured out the older N1 or N2 private key, they could only extract the RSA private key from the card. As the card is not hacked, there is pretty much nothing you can do.
    Now, there might be ways to fool the box--say if you were to get a channel up that was on another TP that used the same PID as the one you were interested in and then you made the box tuner go to another TP freq. Hard to say if you would get much, but something you could try. That would require you to get a dump of the box flash and disassemble that code and find where the code does stuff. Just as bad as disassembling the NF box code, but doing NF code is something you could start with.
    I did get out the old ESFAQ file and look up tier info and did find the header of the channel tier in data section of code (after I decompressed the code inside the box file). I will paste in my old notes with that info at the end. There is a program to extract the code from the file (nFusion Bin Information and Utility v2 by Dalek) but you can do it with other decompress tools with a little editing, as notes suggest.

    nf_hd_v1.3sR_25
    file header says is A3X mainsw offset 0x300 for 0x29e46e
    I get file un-packed at 0x5b6ca9 bytes. deflate finds compressed data starting at 0x322

    Found strings in unpacked file:
    D:\Develop\source\STB\STBSrc\driver\st7100\src\sto s\os21/os21semaphore.c
    NF HD BOX
    MB411 development board
    @319720 ECM Data
    @2AE0F0 Main menu strings (0x848AF0FC -- pointer to that location found in table at 4148BC ==0x84A158BC goes to about 415470 but other pointers around there too-- say to 417C90)
    @318E30 Security IC
    @276530 NagraVision S.A. --odds are this is used by IDEA step of ecm decrypt but another at 2E7820 (part of card dump) and 2EC040
    "i:%s / n:%s / p:%s / Emul:%s / S.U.N.S. %s"

    8467CB20 "Front_ProcTask"
    tuner chip STV0903 (demod chip) and STV6110 (PLL) (note sv8k uses stv6110 but ZL10312 demod I think)
    -------------------------------------------------
    Processor and development board are the same as used in sonicview 8000 box.

    Info found says that the code is SH4 Hitachi core type.
    RAM start location of unpacked data (from header) 0x84601000

    use IDC to search for byte sequence E6 2F 22 4F for routine starts.
    Last hit around 274F50 (0x84875F50) so take that as end of code. First hit around 001C70 (0x84602C70)

    possible other search term for routine start 86 2F 96 2F
    Hum...seems the routine start addrs are often seen as data in routines--maybe IDC should search for word aligned addresses between StartAddr and EndAddr!
    ---YES---Lots better disassembly!
    ----------------------------------------------------
    8462AD20 ; IDEA
    8462B060 ; ecm handling?--uses RSA key
    routine that calls the last uses:
    ROM:84618440 word_84618440: .data.w h'1816 ; DATA XREF: ROM:84618390r
    ROM:84618442 word_84618442: .data.w h'1815 ; DATA XREF: ROM:8461839Er
    routine start:ROM:84617CB0 mov.l r14, @-r15
    84618640 ; 1801 prov handling?

    846D5D40 ; pes_monitor_task
    846D5C60 ; Sfilter_monitor
    846C0AE0 ; Month/Day string use
    8486C2AC ; display message?
    84680700 ; connect/disconnect SUNS
    846D0B80 ; call to SUNS connect/disconnect

    8486D0EC ; Vfprintf
    84869278 ; uses vfprintf
    8483BE04 ; detect usb format type
    848323B8 ; usb setup?
    8468A3C0 ; write .TS file?
    84684180 ; get data from Http123_108
    8486A994 ; debug message?

    ROM:8468426A mov.l @(h'11C,pc), r5 ; [84684388] = aConnectionKeep
    ROM:8468426C mov #h'19, r6
    ROM:8468426E mov r0, r4
    ROM:84684270 jsr @r12 ; sub_8486A994 ; debug message


    8467CB20 "Front_ProcTask"
    846D4960 ; ?Task install?
    84680DA0 ; "Monitorig_ProcTask"
    846DB1C0 ; Osd_copytask

    846D4A60 ; queue install
    84602A40 ; Ptciidlinktask
    8460A7C0 ; install a number of tasks and queue
    84681DE0 ; Init
    84681FC0 ; Booting main
    84622080 ; call to task install
    8462CD80 ; install Sc_command_task
    8462CE60 ; sc_command_task
    8466EFA0 ; ECM/CAS/EMM data handling?
    8486B4C8 ; load to serial TX buffer?--used by "Booting...." message @84681FD0
    8468DB80 ; Find flash (NAND)
    846ACF00 ; Find tuner
    846D56A0 ; call to serial write? maybe i2c debug write

    8485EBFC ; serial write?
    846E7760 ; defeated debug write?--used by HDMI,AUD and VID
    846CA7C0 ; HTTP auth basic/admin--main menu?--it goes on
    846DA480 ; boot/main init
    84680000 ; "remote control on"
    8467C1A0 ; front LED display (part of "Monitorig_ProcTask")
    84680B80 ; install "Monitorig_ProcTask"


    ----------------------------------
    Note the nfhd25 file is bigger than the 27 by C48C bytes overall.
    2764e8-267360 = F188 diff at ~end of code. Still 25 bigger than 27.

    --------------------------------------
    C:\Documents and Settings\J\Desktop\Sat\eu_uk_bins\nf_hd>C:\Docume~1\J\Desktop\Sat\eu_uk_bins\nf\bininfo -i -f nf_hd_~1.bin
    nFusion Bin Information and Utility v2 by Dalek

    Header Information
    OEM: oem
    Maker: oem
    Model: A3X
    Version: 00.00
    NumberOfFiles: 2
    HeaderCRC: 4E9F45F7 (CSUM MISMATCH)
    File 0 Information
    Filename: MainSW.bin
    Date: 00/00/00
    Compression: none
    Size: 2745454 (0x0029E46E)
    Offset: 768 (0x00000300)
    PacketSize: 2745454 (0x0029E46E)
    RomOffset: 393216 (0x00060000)
    CRC: 662B061F (OK)
    File 1 Information
    Filename: key.bin
    Date: 00/00/00
    Compression: none
    Size: 20480 (0x00005000)
    Offset: 2746242 (0x0029E782)
    PacketSize: 20480 (0x00005000)
    RomOffset: 4063232 (0x003E0000)
    CRC: 2E862D60 (OK)

    -------------------------------------------------
    using ESFAQ txt file:
    Channel Tier
    ------------
    0C 00 07 56 56 07 ;Header
    13 38 8E 52 ;Timestamp
    01 01 ;Provider
    30 ;IRD Status Byte

    then doing a search for the header finds:

    2E9DF0 00 00 00 00 02 0F 8C 00-01 0C 00 07 56 56 07 0F
    2E9E00 73 9B 96 01 01 30 00 B8-3B 37 37 00 01 00 01 00
    2E9E10 11 FF FF FF 65 0F 8C 00-01 70 00 03 63 00 62 15
    2E9E20 85 00 01 0A 7F FF 18 00-00 98 58 19 00 00 EA 60
    2E9E30 64 0F 8C 07 01 88 1D 50-50 56 00 00 00 00 00 00 -- 50 50 56 is ascii "PPV"
    seems to be part of Rev10

    I find "PPV" in some other places with the same header around 2ed110 (maybe Rev247).



  9. #7

    A lot to try to digest, and pretty much over my head.

    I really enjoy reading your posts, as they are an opportunity to look beyond the surface of why tv works. Very reminiscent of days way, way back when many people were openly discussing theories and ideas of how to work around. Codemasters was a place where I spent a lot of time learning. I miss it, as the reality for me is it's not about free tv.

    I thank you for the effort in trying to find what I'm after,

    A couple of things to ponder

    24r should be larger as it's both b3ll and d1sh
    25r is only d1sh.

    Looking for tier strings in the data is an exercise in futility, but I have exhausted every avenue to resolve why fta will bring in all channels.
    Still hopeful that someone can read and post the tier info from a subbed card using cyberdbs.

    Getting closer

  10. #8

    FTA brings in all channels because it does not care about tiers. The EMM packets with tier info were discarded even back in the days when the bins could auto-roll. The only thing the bins do these days is to pull in the ECM packets and send them over the internet to the card servers to get back the CW -- no EMMs need be processed at all. Now the card servers have to have tier info and some types of IKS allow you to pull the tier info from the server back to your box but I'm guessing few allow it.

    The card dumps were in the bins only because part of the decryption of packets required a part of the contents of the card.

    I do like playing inside box code. The last big project I did was to figure out how to get an old box to tune into the 101 degree DSS prov to let me listen to audio on all their channels. I'm usually not looking at TV screen so audio is all I really need and doing the same on an old prov box w/ modded Hu card was a bit of a pain. And I learned that one could do IKS with that sat if one really wanted to.
    Last edited by jvvh5897; 10-18-2016 at 04:41 PM.


  12. #9

    24r and 25r are both dik and b3v, 27r is dik only.
