Nagra3 Cards Hacked?


IPHONE
11-25-2008, 07:14 PM
Here is a copy & paste I found on european site...

Let's hope it is true....

So, here it is

C & P

Hello hack satellite pirates.

You will find this an interesting read.

Credit goes to Packin18 & Edmonton Guy for original concepts and n3 roms and eeproms
dumps from dish and bell providers currently making way around irc and private
underground forums around the net. Thank Packin18 for your N3 fix and no other.

A virgin non sub card was inserted into a modified blue T911 mod loader with 4053 muxs.
The virgin non sub card was reset and the atr was sent as usual.
A packet containing nops with a bclr instruction at the end was sent to the n3 cam.
When the last bit of the checksum was sent to the cam 16 additional clocks followed.
The cam was soft reset by sending the RST cam pin low from high.
As the cam rst pin swung low a bunch of glitching followed.
This glitching carried on until the RST cam pin came high again.
This glitching carried on for the first clock.
200+ additional clocks were sent to the card.
The cam i/o line was monitored for a full cycle low i/o pin result of the bclr instruction.
The cam was quickly reset, glitched, & clocked a few hundred times again, repeatedly.
When the full cycle low i/o pin signal was seen N3 cams were hacked.
The bclr instructions were removed and replaced with more bsets and bclr instructions
that ROR'd rom and eeprom a bit at a time out of the cam i/o pin without need for the
rom routines that usually handle I/O output.

What Happened?

The packet was stored in the I/O buffer and the card reset before packet processing.
The reset caused the program counter and the stack pointer to reset but not ram values.
The packet full of nops that pulled the i/o line low stayed resident in ram on soft reset.
The card was reset and the addressbus latching of the reset vector was glitched until
the new reset vector became the i/o buffer where NOPS and BCLR code opened N3.

N3 roms/eeproms (142/206/240) for all providers have successfully been dumped.
(interestingly enough this attack works on all N1/N2 cams/icams as well)
(I don't have any dave cams, do you?)

Chameleon
11-25-2008, 07:52 PM
Very interesting....

CASPER7
11-25-2008, 09:51 PM
well, hope this rumor is legit... if it is, it is wonderful news to a lot of members here....

beerboy
11-26-2008, 12:47 AM
that's good news, I hope it's true, thanks iphone

scaliajack07
11-26-2008, 01:15 AM
Let's hope this is very true and who knows
Thanx for the information

fullinfusion
11-26-2008, 02:21 AM
very nice... very nice hehe

partsdan2002
11-26-2008, 10:09 AM
only time will tell

shawn2000
11-26-2008, 03:52 PM
let's cross fingers... very good post
shawn2000

neo_waxworks
11-26-2008, 04:28 PM
yes very interesting.. all the steps listed, seems like someone with a card and modified loader could confirm or destroy the romur pretty quickly

danasaint
11-26-2008, 06:56 PM
good post I-phone, let's hope it's true, thanks for keeping K-BOX files updates danasaint

neo_waxworks
11-26-2008, 07:19 PM
eeeeeekkkkk.. just noticed my typo on rumors...lmao

Fallen Angel
11-26-2008, 09:16 PM
I'm just hoping that the N3 they use in Europe is the same one as they are going to implement here... If not, at least they might have an idea of what to do to break it..... I know the receivers over there differ from ours, and the N3 in Europe has been around for a few years now... The one coming here (or already here) may have been "beefed up" a little... Time will tell...


FA

Boss302
11-26-2008, 09:41 PM
wouldn't that be sweet

cinnaman
11-27-2008, 05:51 PM
I think time can tell the truth...

sheeda2007
11-27-2008, 07:14 PM
Yay !!!

Can't wait until they make something good out of those dumps.