EMU for starchoice

**jvvh5897** · 11-30-2013, 08:29 PM

Well, then go into the code and make some changes. Maybe swap things around so that where you enter 3ev becomes c101's spot instead.

**jvvh5897** · 12-01-2013, 07:07 PM

I figured out how to disassemble the multicam file. There is an easy way and a harder way, but neither makes it easy to follow code execution because of the way the code was built. The easy way is to trim off the first 0x8000 byte to just leave the elf file and save it as an elf file, load it into IDA Pro and select mipsl processor setting and let IDA to an automatic analysis of the file as elf. It will find the entry point at 0x40a5c0 and auto label the routine names. The harder way is to just load the file to 0x3f8000 and run an IDC that I built to do the disassembly, run a readelf program to get the routine addresses and look around or use the results of the readelf to label the disassembled code. I might have a glimmer of a method to get the code execution labeled, but still thinking about it.

It looks like the nagra_ecm routine does the following:

.text:004811F0 lbu $v0, 5($s3)
.text:004811F4 andi $v0, 0xFE
.text:004811F8 sb $v0, 0x308+var_268+1($sp)
.text:004811FC
.text:004811FC loc_4811FC: # CODE XREF: nagra2_ecm+4C8j
.text:004811FC lbu $v1, 0x308+var_268+1($sp)
.text:00481200 li $v0, 0xC0
.text:00481204 beq $v1, $v0, loc_48121C

Since c101 or c001 will get the same results from the above test, it looks to me like you need to use the TV Globo keys for N2 radio.

In the code you find something that looks like default keys for c001--you could go in and change those and maybe change the c001 to c101--don't know that you have to do that in the code as you might be able to do it from the menu system or dump a key.bin file and change things then send results to box (I don't own one so hard for me to know best way):

109660 20 20 20 20 20 20 20 20-00 C0 01 00 00 00 00 00 TV Globo
109670 00 00 00 00 54 56 20 47-6C 6F 62 6F 20 20 20 20
109680 20 20 20 20 00 C0 01 10-00 00 00 00 00 00 00 00
109690 54 56 20 47 6C 6F 62 6F-20 20 20 20 20 20 20 20
1096A0 00 C0 01 01 D7 CB E9 3D-30 E2 C9 13 54 56 20 47
1096B0 6C 6F 62 6F 20 20 20 20-20 20 20 20 00 C0 01 11
1096C0 91 07 38 74 57 DB 90 23-50 52 45 4D 49 45 52 45

Anyway the keys are 00, 10, 01, 11 in the above.

**caseyman** · 12-02-2013, 04:19 PM

thank a lot jvvh but i have not enough knowledge to do such a job

**jvvh5897** · 12-02-2013, 06:36 PM

You can't enter keys?

**caseyman** · 12-02-2013, 07:35 PM

no, to edit multicas code

**iq180** · 12-03-2013, 01:48 AM

Originally Posted by jvvh5897

You can't enter keys?

Yes you can, in nagra key edit of multicas from the receiver menu.

**jvvh5897** · 12-03-2013, 04:45 PM

Well, that is where the TV Globo keys should be changed too.

**caseyman** · 12-03-2013, 04:56 PM

no room for this key format: 00-xx-xx-xx-xx-xx-xx-xx-xx only xx-xx-xx-xx-xx-xx-xx-xx under C101
10-xx-xx-xx-xx-xx-xx-xx-xx
01-xx-xx-xx-xx-xx-xx-xx-xx
11-xx-xx-xx-xx-xx-xx-xx-xx

**jvvh5897** · 12-03-2013, 07:20 PM

C001 not c101 is TV globo

**caseyman** · 12-04-2013, 01:28 PM

right, C101 is GC. in my pansat i put keys under C101 years ago, radio is still working.....

**jvvh5897** · 12-04-2013, 09:08 PM

Yes, and in the code snippet I posted, you can see that as far as the code in your Mcas is concerned C001 and c101 is the same (c0 AND fe == c1 AND fe). SO, If you put your c101 keys in the c001 spot the radio channels should try to use them--I don't know if the rest of the code will work correctly, but for that part of the N2 decrypt you should be OK.

If I were doing it, I would want to learn much more about manipulating the box code, so I would use a hexeditor to change the Mcas code directly rather than just load the keys with remote--but that is me.

**caseyman** · 12-05-2013, 06:42 PM

OK, i'll try to explain again. in azbox multicas under GC there is the room for ONLY ONE 8x2 bytes N1 key like this xx-xx-xx-xx-xx-xx-xx-xx, not FOUR 8x2 bytes N2 keys.
i cant post a screenshot for some reason, if somebody has multicas any version installed could you post a screenshot of globecast C101 keys section?
tnx

**jvvh5897** · 12-06-2013, 08:14 PM

And I will try again--you don't enter keys at c101--as you say there is not room for 4 block of 8 bytes. BUT if you look for c001, you will find four such blocks and the code does not know how to tell the diff between c001 and c101. This is in the Mcas 1.70 version.

**caseyman** · 12-07-2013, 05:18 PM

tnx jvvh, i'll try

**iq180** · 12-07-2013, 10:40 PM

Originally Posted by jvvh5897

And I will try again--you don't enter keys at c101--as you say there is not room for 4 block of 8 bytes. BUT if you look for c001, you will find four such blocks and the code does not know how to tell the diff between c001 and c101. This is in the Mcas 1.70 version.

Multicas v1.82 has the same option.

Thread: EMU for starchoice

Thread Tools

The Following User Says Thank You to jvvh5897 For This Useful Post:

The Following User Says Thank You to iq180 For This Useful Post:

Posting Permissions