vickmaker Ametuar Posts: 127
| right, i am trying to figure something out, and want to know if anyone has any ideas on this, firstly the guys who originally wrote these scripts basically just cut and pasted the generic parts of the script and redone the packets that are sent to the card, using a well known FAQ called stuntguys faq, here is a miniscule quote from the faq, "The NagraVision cards use a variant of the ISO-7816 protocol called the "T=1" or "asynchronous half-duplex block transfer" format. This format differs from the format used by DSS smartcards in that the DSS protocol (the "T=0" format) calls for the master device (the receiver or IRD) to send a 5-byte header block to the card. The card (or CAM) must then send back one of the bytes from the header (specifically, the second byte, which is the INS byte) to acknowledge receipt of the header. At this point, the IRD will either send the rest of the message to the CAM as one large packet, send the rest of the packet one byte at a time, awaiting an acknowledgment after each byte, or await the data return from the CAM im interested in the T=0 format so i can look inside r0m10 and r0m11 type nagra cards, the same as the ones telepest and nthell use in there set top boxes, and the ones cable and witless used to use before they went bust.lol. specifically the ones that are locked to a certain revision of firmware that cannot be read by an iso programmer untill the card has been "GLITCHED" in a t911 unlooper. still with me? good, sooo the script im posting with this is designed to open both types of cards ( rom 10 and 11#) and a few different providers also, thaats whyits called multir0m multiprovider script, duh, if you know VBS you will see the different providers in the script itself eg: 5A01, 5B01 etc etc what i am trying to do is make a script that goes beyond the abilities of the current shit so that r0m 7 cards may be opened also, ( not so bothered about this myself) and most importantly for me anyway is to try and get a script that will glitch these cards open for reading/writing purpioses once the current scripts cannot do anymore, for instance some cards do not have the correct responses in the initial comms with the programmingh device and the card, making it impossiblr ( with the current scripts) to open a card that does not have an ATR, or provider is unknown, eg 5A01 becomes 4A01 thru data corruption and the script dont know if it needs a shit or a haircut and thus dies like a bastard when it encounters these anomalies. b4 i forget heres the best script in the known universe for r0m 11 and 10 cards on telepest or nthell.
Code: | ' ' New VB Script File - Created 08/08/2005 ' ' FOR ROM 10 A82 and ROM 11 BOC STREAMLOCKED only. ' AUTOMATIC SCRIPT for ntl, telewest, cable and wireless, chorus(not rom 10 yet) and cabo only ' this script automatically switches nipper logins and will will work for cards returning a 6300 error ' script design and implementation by wonko ( BARELY KNOWS VBS ) ' original packets by simonkirk ( CARD COMMS EXPERT) ' testing by spudy (SAYS HE USED TO KNOW GHOST<?) ' (a couple of functions have been pilfered off the net - original authors unknown) '************************************************************************************** 'Instruction Table '01 Reset Card (Leaves card clock off) '02 4.608 MHz Card Clock Off -FREEZE CAM '03 4.608 MHz Card Clock On - FREE RUNNING CAM '04 DOUBLE HIT, CLOCK LOW, .5 CYCLE DELAY--2*CARD CLOCKS -- ex. 2x xx xx 04 for timing '05 DOUBLE HIT, CLOCK LOW, 1.5 CYCLE DELAY-2*CARD CLOCKS -- ex. 2x xx xx 05 for timing '06 Double HIT, CLOCK LOW, 6 CYCLE DELAY-- 2*CARD CLOCKS -- ex. 2x xx xx 06 for timing '07 Three HIT, CLOCK LOW , 6 CYCLE DELAY-- 2*CARD CLOCKS -- ex. 2x xx xx 07 for rom11 hopeful. '08 Five HIT, CLOCK LOW, 5 CYCLE DELAY--- 2*CARD CLOCKS -- ex. 2x xx xx 08 for rom11 hopeful. '09 LOW CLOCK single hit------------------ 2*CARD CLOCKS -- ex. 2x xx xx 09 for timing '0E XX SET WD TIMER '0F POWER DOWN CAM '1X TX RX SPEED '2X XX XX Delay $2X XX XX Atmel clock cycles '8X-9X Rx from card, instruction anded with $1f plus 1 bytes Ex. $9F = rx $20 bytes 'aX-FX Tx to card, instruction anded with $5f plus 1 bytes Ex. $FF = Tx $60 bytes '************************************************************************************** 'Commands '80 Check Card Presence - Sends 1 byte '90 Get chip ID - Sends 4 Bytes (DISH) 'AX Set Bi-color Led - X = 0 off, X = 1 Red, X = 2 Green 'B0 XX Set Glitch VCC - VCC = (5/255) * XX Dim StartTime Dim Start Dim FinTime Dim Fin Dim Hours Dim Mins Dim Secs Dim I dim CardType dim fail dim cardrev dim provider dim providername dim GlitchSuccess Dim RT Dim Glitchtype dim packet(4) dim maxglitchpacket dim loginstring dim glitchfixed dim maxpacket dim packetcount DIM firsttime dim delaystart dim delayend dim trycnt dim logindelay dim rtrapenabled dim rtrapvalue dim vccstart dim vcclimit dim rtrap dim trycnt2 dim cl dim rt2 dim Rom11DelayStart dim Rom11DelayEnd dim Rom10DelayStart dim Rom10DelayEnd dim positiveresponse dim packetswitched sc.print "________________Setting up WinExplorer_________________" & VbCr Wx.BaudRate = 115200 Wx.ResetBaudRate = 115200 Wx.Parity = 0 ' 0 = None, 1 = Odd, 2 = Even, 3 = Mark, 4 = Space Wx.StopBits = 0 ' 0 = 1 stop bit, 1 = 1.5 stop bits, 2 = 2 stop bits Wx.DTRControl = 0 ' Initial state of DTR 0 = off, 1 = on Wx.RTSControl = 1 ' Initial state of RTS 0 = off, 1 = on Wx.ResetDelay = 100 ' In microseconds Wx.ByteDelay = 10 ' In microseconds Wx.RxByteTimeout = 500 ' In milliseconds Wx.ResetMode = 2 ' 0 = No Resets, 1 = ISO Reset (Expect a ATR), 2 = Device Reset (No ATR) Wx.ResetLine = 1 ' 0 = Toggle RTS for Reset, 1 = Toggle DTR for Reset Wx.ByteConvention = 1 ' 0 = Inverse, 1 = Direct Wx.FlushEchoByte = 0 ' 0 = no flush, 1 = flush - A Phoenix interface will echo each byte transmitted. Wx.FlushBeforeWrite = 1 ' 0 = no flush, 1 = flush - Flush the receive buffer before each write to strip off Null bytes. Wx.IgnoreTimeouts = 1 ' 0 = Abort script on a receive timeout, 1 = Ignore all receive timeouts Wx.ResetAfterTimeout = 0 ' 0 = Don't reset after a timeout, 1 = do a reset after a timeout - Not used if "IgnoreTimeouts=0" Wx.LogTransactions = 0 ' 0 = Don't log transactions, 1 = log transactions Wx.DisplayUSW = 0 ' Display USW after script complete 0 = no, 1 = yes Wx.DisplayFuse = 0 ' Display Fuse after script complete 0 = no, 1 = yes 'start of user variables packetcount = 1 'packet 1, 2, or 3 Rom11DelayStart = &h16ff 'testing rom 11 - 1780 Rom11DelayEnd = &h1380 'testing rom 11 - 1380 Rom10DelayStart = &h1350 Rom10DelayEnd = &h12ef TryCnt = 330 '330 is good - Number of tries per delay FROM 5-50000 LoginDelay = 25 'adjust from 5-30 if having problems with aborts immediately after login RTrapEnabled = 1 'antilooping script on (1) or off (0) RTrapValue = 4 'number of consectutive resets required to stop script (3-6) 'end of user adjustable variables 'start of system variables - nothing in this area is meant to be adjusted by end users VCCStart = &h40 'YOU CAN CHANGE THIS FROM 21-99 = this is automatic now VCCLimit = &h00 'YOU CAN CHANGE THIS FROM 00-20 = this is automatic now GlitchType = &h06 'This is automatic now RTrap = 0 TRYCNT2 = 0 CL = 0 StartTime=Time Start=Timer VCC = VCCStart packetswitched = FALSE firsttime = 1 ' end of system variables Sub Main() Sc.Reset if GetCardInfo()<> "SUCCESS" then exit sub end if if CheckCardIsOK <>"SUCCESS" then print hexstring(Provider,2) & "01 " & Cardtype & "'s are not supported yet - sorry" exit sub else CardInfoOut() end if if SetupPackets()<>"SUCCESS" then exit sub end if 'This is it - what we came here to do Do while (packetcount<=maxpacket) if (packetcount <= maxglitchpacket) then if (GlitchIt(packet(packetcount))<>"SUCCESS") then print vbcr&"script failed" &vbcr exit sub end if else 'sc.verbose = true sc.write (packet(packetcount)) SC.READ(2) Bytes = Sc.Getbyte(1) if Bytes > 4 then Sc.Read(6) bytes=sc.getbyte(3) END IF sc.delay(200) end if packetcount = packetcount +1 LOOP 'Back to the boring bit CardUnlooped() End Sub Function CheckCardIsOk() dim supportedcardtypes dim Rom10supportedproviders dim Rom11supportedproviders dim i dim supportedcard supportedcardtypes = array("Rom 10", "Rom 11") Rom10supportedproviders = array("54","5C","5A") Rom11supportedproviders = array("54","5C","5A","5E","48","40","55","5B","5D") 'Check if revision is supported if ((Cardtype = "Rom 10" AND CardRev > "RevA82") OR (Cardtype = "Rom 11" AND cardrev >"RevB0C")) then CheckCardIsOk = "FAIL" print cardrev & " " exit function end if 'check card type is supported for i = 0 to UBound(supportedcardtypes) if supportedcardtypes(i) = CardType then supportedcard = 1 end if next if supportedcard <> 1 then CheckCardIsOk = "FAIL" exit function end if supportedcard = 0 for i = 0 to UBound(Rom10supportedproviders) if (Rom10supportedproviders(i) = hexstring(Provider,2) AND CardType = "Rom 10") then supportedcard = 1 end if next for i = 0 to UBound(Rom11supportedproviders) if (Rom11supportedproviders(i) = hexstring(Provider,2) AND CardType = "Rom 11")then supportedcard = 1 end if next if supportedcard <>1 then CheckCardIsOk = "FAIL" exit function end if CheckCardIsOk = "SUCCESS" End Function Function CardUnlooped() print print "Your" & (ProviderName) & " " & (CardType) + " " print (CardRev) + " ("& hexstring(Provider,2)&"01"&") should now be unlocked"&vbcr 'Display time for wombats FinTime=Time Fin=Timer PRINT"Started Glitching At " & StartTime & VBCR PRINT"Glitched Card At " & FinTime & VBCR I=Fin-Start Hours = I \ 3600 I = I Mod 3600 Mins = I \ 60 I = I Mod 60 Secs = I PRINT"Done In " & Hours & ":" & Mins & ":" & Secs & VBCR 'DO Sc.PlaySound "ok.wav", 1 'your own alert Sc.Delay 3000 'the length in milliseconds +1000 of the audio file 'LOOP End Function Function GlitchIt(glitch) Dim Bytes Do if (glitchfixed = true) then GlitchType= &h08 ' comment out this line to turn on autoglitch type end if Sc.Write("B0" & HexString(VCC, 2)) SC.DELAY(12) ' This is NOT the prenipper delay in this script!! Never alter this or u will kill cards !! ' Login control IF CL = 0 then Sc.Write("07 0e 03 10 01 03 9a 00") 'reset card sc.read(02) sc.delay(logindelay) sc.write(loginstring) if (Sc.Read(02)) then Bytes = Sc.Getbyte(1) if Bytes > 8 then Sc.Read(11) LoggedIn = sc.Getbyte(9) if LoggedIn <> &H00 then print "Card wasn't logged in - check this is the right script for Provider " & HexString(Provider,2) & "01" & VBCR print "Script will now exit - have a nice day " glitchit = "FAIL" exit function else if firsttime = 1 then print "Card logged in successfully" &vbcr print print "Please wait while we do our stuff....(this could take a while)" &vbcr firsttime = 0 print "Now we will try Packet " & HexString(packetcount, 1) & ", " & HexString(RT, 4) & " delay, our VCC is about " & HexString(VCC, 2) & " and our Glitch Type was " & HexString(GlitchType, 2) print end if end if end if else print "The normal cause of this error is a wrong login delay - but it can also be caused by" &vbcr print "1. Bad pot calibration" &vbcr print "2. Winxp" &vbcr print "3. Not running scripting patch" &vbcr print "4. Poor quality shielding on serial cable" &vbcr &vbcr print "Script will now exit - have a nice day " glitchit = "FAIL" exit function end if SC.DELAY(10) end if CL=0 sc.Write(glitch & HexString(RT, 4) & HexString(GlitchType, 2) & "0E 05 85 00") Sc.Read(2) Bytes = Sc.Getbyte(1) 'Response control and autoconfiguration code if Bytes > 4 then Sc.Read(5) bytes=sc.getbyte(3) RT2 = bytes select case RT2 case positiveresponse VCC = VCC - .4 '.2 'VCC = VCC - 1 print "+" CL=1 RTrap=0 case &HFF VCC = VCC + 1 print "-" RTrap=0 case GlitchSuccess print print print "*********** we hit our bug *************"& VbCr print HEXSTRING(SC.GETBYTE(3),2)& HEXSTRING(SC.GETBYTE(4),2)&" was our login = good login, packet " & packetcount & " written to cam" print PRINT HEXSTRING(SC.GETBYTE(0),2) & HEXSTRING(SC.GETBYTE(1),2) & HEXSTRING(SC.GETBYTE(2),2) & HEXSTRING(SC.GETBYTE(3),2)& HEXSTRING(SC.GETBYTE(4),2)& VbCr Sc.Print "===========================================" & VbCr PRINT HexString(bytes, 2) print " was hit at " & HexString(RT, 4) & " delay ----VCC WAS " & HexString(VCC, 2) & " , our GlitchType was " & HexString(GlitchType, 2) print print SC.DELAY(2500) glitchit = "SUCCESS" exit function case &H63 print print print "*********** we hit our bug *************"& VbCr print "6300 was our login = not logged in, packet didnt take!!" PRINT HEXSTRING(SC.GETBYTE(0),2) & HEXSTRING(SC.GETBYTE(1),2) & HEXSTRING(SC.GETBYTE(2),2) & HEXSTRING(SC.GETBYTE(3),2)& HEXSTRING(SC.GETBYTE(4),2)& VbCr Sc.Print "===========================================" & VbCr PRINT HexString(bytes, 2) print " was hit at " & HexString(RT, 4) & " delay ----VCC WAS " & HexString(VCC, 2) & " , our GlitchType was " & HexString(GlitchType, 2) print print CL=0 SC.DELAY(2500) if (packetswitched = FALSE) then print "Switching to 6300 packets" &vbcr packetswitched = TRUE SwitchTo6300() else print "Got a 6300 response when already on 6300 packets - aborting script" &vbcr glitchit = "FAIL" exit function end if end select else PRINT"!" VCC = VCC + 1 RTrap = RTrap + 1 if (RTrap >= RTrapValue) AND RTrapEnabled then print VBCR & "Too many consecutive resets" print "You may need to adjust your glitcher and/or script settings" & VBCR print "Script will now exit - have a nice day " glitchit = "FAIL" exit function end if end if 'Trycnt loop control TryCnt2 = TryCnt2 + 1 if trycnt2 > trycnt then RT = RT - 1.5 TRYCNT2 = 0 if rt < DelayEnd then rt = DelayStart END IF print print "Now we will try Packet " & HexString(packetcount, 1) & ", " & HexString(RT, 4) & " delay, our VCC is about " & HexString(VCC, 2) & " and our Glitch Type was " & HexString(GlitchType, 2) print END IF 'Autochange glitch type - fixed to type 8 for rom 11 GlitchType = GlitchType + 0.02 if GlitchType > 9.4 then GlitchType = &h06 end if SC.DELAY(8) sc.verbose=false LOOP End Function Function SwitchTo6300() dim rawlogin rawlogin = "21003DA0CA0000370335" & hexstring(Provider, 2) rawlogin = rawlogin + "011031054E6B705045722049E3407CADFDB96429F4F677C2356D7474" rawlogin = rawlogin + "00000000000000000000000000000000000000000000000005" loginstring = "4715E0" & rawlogin & calclrc(rawlogin) & "0E058A00" packet(1) ="5315E8210045A0D7108040FFB4A6F225227F4B9D12FB1A2AA0034DF7AA771ED7EC1BF9F612" packet(1) = packet(1) + "2DD9204B2157858CE465C862AB23503F8B9EAE8CFF46EAC98227E3D2C1557871D02F" packet(1) = packet(1) + "748078893E20" packet(2) = "5315E8210045A0D710C040F5457B3A9A8F2EE3B3D2144DBE2729FAF94221643D948154E309" packet(2) = packet(2) + "F896FD7F54D70A707CF2400B16B504DF2E1A724A7EBACC858E8A3960F922B429B55A" packet(2) = packet(2) + "E280DBA57120" End Function Function SetupPackets() dim rawlogin ' prep loginstring rawlogin = "21003DA0CA0000370335" & hexstring(Provider, 2) rawlogin = rawlogin + "011031054E69705045722049E3407CADFDB96429F4F677C2356D7474" rawlogin = rawlogin + "00000000000000000000000000000000000000000000000005" loginstring = "4715E0" & rawlogin & calclrc(rawlogin) & "0E058A00" 'end of login prep select case Cardtype case "Rom 10" GlitchSuccess = &H83 positiveresponse = &H6F glitchfixed=FALSE maxpacket = 4 maxglitchpacket=1 DelayStart=Rom10DelayStart DelayEnd=Rom10DelayEnd select case provider case &H5A ' telewest packet(1)="6A15FF2100" packet(1)= Packet(1) + "5CA0CA00005603545A5B108105FACD7A" packet(1)= Packet(1) + "B7C0A1A600965DC269CBA2C69973D6CD" packet(1)= Packet(1) + "8766A2CFEB84A18FBFF8E26FCF8807B7" packet(1)= Packet(1) + "10983A07DD92B7575B558DBF6BE4F0CA" packet(1)= Packet(1) + "622BCC01F8EE441351E7B4784E4C232F" packet(1)= Packet(1) + "3698871E3A0CCD320C5AEA2D2D1020" case &H5C 'exc&w packet(1)= "6A15FF2100" packet(1)= Packet(1) + "5CA0CA00005603545CF7108105FACD7A" packet(1)= Packet(1) + "B7C0A1A6004A153319E1FB5B6348507E" packet(1)= Packet(1) + "8E46A21DEFD37116179E4C5266B6DB4C" packet(1)= Packet(1) + "596CD86FD9E7FF65D1638E1BAE6D2925" packet(1)= Packet(1) + "D9B88446EDD99EEF33A3A16AADBDF346" packet(1)= Packet(1) + "8206679CC0BD06F685AEE418765C20" case &H54 'ntl packet(1)= "6A15FF2100" packet(1)= Packet(1) + "5CA0CA0000560354546A108105FACD7A" packet(1)= Packet(1) + "B7C0A1A6004A153319E1FB5B6348507E" packet(1)= Packet(1) + "8E46A21DEFD37116179E4C5266B6DB4C" packet(1)= Packet(1) + "596CD86FD9E7FF65D1638E1BAE6D2925" packet(1)= Packet(1) + "D9B88446EDD99EEF33A3A16AADBDF346" packet(1)= Packet(1) + "8206679CC0BD06F685AEE41876C920" case else print"Provider " & hexstring(provider,2) & "01 not done yet" setuppacket = "FAIL" exit function end select packet(2) = "12 15 Ab 21 00 08 A0 CA 00 00 02 C0 00 06 87 0E 05 85 00" packet(3) = "0A 15 A3 21 98 00 B9 0E 05 85 00" packet(4) = "0A 15 A3 21 92 00 B3 0E 05 85 00" case "Rom 11" GlitchSuccess = &H90 positiveresponse = &H69 glitchfixed=TRUE maxpacket = 3 maxglitchpacket = 2 DelayStart=Rom11DelayStart DelayEnd=Rom11DelayEnd packet(1) ="5315E8210045A0D710804066E12439141ACAA1C1D5E9B29B68F861EF7F043C265563F337FE29F561DB8E" packet(1) = packet(1) + "17B5E19BD383995049EC665253E28195DF32905312C995CE26F0" packet(1) = packet(1) + "D9268605BEFEF2B020" packet(2) = "5315E8210045A0D710C040F8EE037B057F7753279632187D4DFECA1FD920D841CDA8B377CDCFDFCE4D0A" packet(2) = packet(2) + "EC4D7C45B49B9D390D8E5838254384985E54925C09F43B72F1C8" packet(2) = packet(2) + "4B555A2DB4482DDD20" select Case Provider Case &H5C ' NTL (Docsis) ProviderName = "n exC&W" Packet(3) = "6015F6210053A0CA00004D004B5C010254A5343681797D97B65E3F062CB4349AA955225" Packet(3) = Packet(3) + "9533D1C69CD55BAE490D1EF31FE200F487653575B4B0934DE82EF17" Packet(3) = Packet(3) + "0AA6A5EAE7658AC7924C99EE06165243D15E807052E4C42C7405342000FF0E058500" Case &H54 ' NTL(Davic) 'ProviderName = " Screwed Up" ProviderName = " NTL" Packet(3) = "6015F6210053A0CA00004D004B54010253418D70D19AF07B434F1A766196896905364B7" Packet(3) = Packet(3) + "65F4B3D7AF959B982E65780C340784225381D906EEE22C1B8C21051" Packet(3) = Packet(3) + "55BB5B56927DF9C98755894A5892FBD516B667B188738577B8059C2000FF0E058500" Case &H5A ' Telewest ProviderName = " TeleWest" Packet(3) = "6015F6210053A0CA00004D004B5A010236549D026DFCBDF3BE5E371B2456E1FF0F03A0B" Packet(3) = Packet(3) + "279426A3AEEA553AB11580847C604EF310CD400A578CE485C50BD66" Packet(3) = Packet(3) + "4C0677F8DD64AC7AB075F520F7294530F916AF7C95263C95B705C82000FF0E058500" Case &H48 ' Provider 4801 Packet(3) = "6015F6210053A0CA00004D004B480102C91C96AAE1BC94C3C92B6EC8DCB49D8A4F63A4B" Packet(3) = Packet(3) + "D577342C6AA4332AA47DB27F2761E2B876955DFEE555F3F65F7D197" Packet(3) = Packet(3) + "3EA210BB7DE121230EFDD6061FD2368FE9145849921CCC7969054D2000FF0E058500" Case &H5E ' Chorus ProviderName = " Chorus" Packet(3) = "6015F6210053A0CA00004D004B5E01027C3D76C9A7ECD2C8AC03E6F04055FDDFC9BB406" Packet(3) = Packet(3) + "D6D42815B07F036BAFCC5C92FA03C51997C9C1B58908A2D012B40C7" Packet(3) = Packet(3) + "B36E0AA5C7B4780104BAD75CD0FEB11247EE9FFFB5F912B89205792000FF0E058500" Case &H40 ' Provider 40 ProviderName = " Screwed Up" Packet(3) = "6015F6210053A0CA00004D004B4001021E8F71EDD7FE1B8B710E25D6EDD98CB55BD8AE96C" Packet(3) = Packet(3) & "9D1A3E56597790DBA0BD39A649BBFA3C0B68D9B64B39017F2EC959807629B7AB15D" Packet(3) = Packet(3) & "739784A5F30468FA645ABE8499D0A687CB1805412000FF0E058500" Case &H55 ' Provider 55 ProviderName = " Screwed Up" Packet(3) = "6015F6210053A0CA00004D004B5501022C65D7D52A17DB796C0C6A8CD8FEBDBD6FD10B91" Packet(3) = Packet(3) & "B57C1E7A9E194894145B051E39F0556AB6EA9007B55ACD5FF5429A5E8D392C953264" Packet(3) = Packet(3) & "4EBF9BEF591409C4A6FF163510D2B78DDDB1053C2000FF0E058500" Case &H5B ' Provider 5B ProviderName = " Screwed Up" Packet(3) = "6015F6210053A0CA00004D004B5B0102BD7E3593852B40F225AB92A637C728D51BF697B507" Packet(3) = Packet(3) & "C4BAE831C3C40DC639CA967AF93455AA899257127BCB13E184DD32BA48FEA5197E1" Packet(3) = Packet(3) & "E5AAF6FBBF3D584BA5F04EF882C5277B014050C2000FF0E058500" Case &H5D ' Provider 5D ProviderName = " Screwed Up" Packet(3) = "6015F6210053A0CA00004D004B5D01021AB570D274F839A8D9248FCA6422862E605239EA86" Packet(3) = Packet(3) & "202102DD04EC3776C273108DE128FC4725700B29144F94717BA18BA2DE0A88C1C3B0" Packet(3) = Packet(3) & "0382E076FB35FBE7EFE6B083260B9C704305E42000FF0E058500" Case Else print "Provider " & HexString(Provider,2) & "01 Unsupported!!" &vbcr print "Script will now exit - have a nice day " setuppacket = "FAIL" exit function end select end select RT = DelayStart setuppackets="SUCCESS" End Function Function CardInfoOut ' intro text print print "Multiprovider MultiRom script for Rom 10 and Rom 11 cards (both normal and 6300)"&vbcr print "Now with experimental support for Rom 11 provider 40,55,5B and 5D cards - dunno if it will work tho" &vbcr 'print "Script version 0.2a - experimental - not for release" &vbcr print print "Do NOT remove card while script is running!!!" &vbcr print print "Card is a" & (ProviderName) & " " & (CardType) + " " print (CardRev) + " ("& hexstring(Provider,2)&"01"&")"&vbcr End Function Function GetCardInfo() sc.verbose=FALSE Sc.Write("07 0e 03 10 01 03 9a 00") if (Sc.Read(2))then Bytes = Sc.Getbyte(1) if Bytes > 25 then Sc.Read(26) CardType = "Rom " &chr(sc.getbyte(17))&chr(sc.getbyte(18)) CardRev = "Rev" &chr(sc.getbyte(23))&chr(sc.getbyte(24))&chr(sc.getbyte(25)) end if else print "Card didn't reset - most likely cause of this error is not reseting the glitcher before starting the script" &vbcr print "Script will now exit - have a nice day " GetCardInfo = "FAIL" exit function end if SC.DELAY(30) sc.verbose=FALSE ' Find provider and setup accordingly Sc.Write("17 15 b0 21 00 0D A0 CA 00 00 07 21 05 01 03 FF FF 00 28 4f 0E 05 88 00") sc.read(02) Bytes = Sc.Getbyte(1) If Bytes > 2 then Sc.Read(09) provider = sc.Getbyte(5) else print "Card didn't return a valid provider - you may need to clean card & reset glitcher or card may be looped - check in nagraedit" &vbcr print "Script will now exit - have a nice day " GetCardInfo = "FAIL" exit function end if Sc.Write("14 03 10 15 AB 21 00 08 A0 CA 00 00 02 12 00 06 55 0E 03 87 00") Sc.Read(02) Bytes = Sc.Getbyte(1) if Bytes > 7 then Sc.Read(8) end if SC.DELAY(30) GetCardInfo = "SUCCESS" sc.delay(30) End Function Function CalcLRC(Command) DIM Size DIM current dim i ' Check command is valid i.e. an even number of bytes if (len(command) mod 2) <> 0 then calclrc = "FAIL" exit function end if Size = Len(command)/2 current = HexStringToIntValue(mid(command,1,2)) for i = 1 to (size-1) nextone = mid(command,(i*2)+1,2) current = current XOR HexStringToIntValue(nextone) next CalcLRC = Hex(current) End Function Function HexStringToIntValue( cHexDigits) nValue = 0 nNumHexDigits = Len( cHexDigits ) For i = 1 To nNumHexDigits c = Mid( cHexDigits, i, 1 ) nValue = (nValue * 16) + ValueOfHexDigit( c ) Next HexStringToIntValue = nValue End Function Function ValueOfHexDigit(cHexDigit) cHexDigit = UCase( cHexDigit ) nPos = Instr( 1, "0123456789ABCDEF", cHexDigit, 0 ) If nPos > 0 Then nPos = nPos - 1 End If ValueOfHexDigit = nPos End Function Function HexString(Number,Length) ' This function takes 2 arguments, a number and a length. It converts the decimal ' number given by the first argument to a Hexidecimal string with its length ' equal to the number of digits given by the second argument Dim RetVal Dim CurLen RetVal=Hex(Number) CurLen=Len(RetVal) If CurLen<Length Then RetVal=String(Length-CurLen,"0") & RetVal End If HexString=RetVal End Function 'All functions below this point are not currently in use '------------------------------------------------------- Function IsCardInserted() Dim RetValue Dim GotInput dim counter counter = 1 sc.reset Do Sc.Verbose = 0 'Turn off debug mode Sc.Write("A0") 'Turn the LED off Sc.Write("80") 'Is card present? Sc.Delay(100) counter = counter+1 if counter >= 100 then counter = 1 end if If Sc.BytesInBuffer > 0 then Sc.Read(&h01) RetValue = Sc.GetByte(0) end if If RetValue = &h0 then 'Call Sc.ProgressBox ("Glitching... DAC: " & HexString(DAC,2) & vbcr & " Delay: " & HexString(counter,2), 1, 999, "Hu Card Unlock") Call Sc.ProgressBox (" *** Please INSERT your card! ***", counter, 100, " Sure You Didn't Forget Something?") GotInput = False else If RetValue = &hFF then GotInput = True else If RetValue <> &h0 or RetValue <> &hFF then print "aborted" exit function End if End if End if Loop Until GotInput = True Call Sc.ProgressBox("", 0, 100) 'close the dialog Sc.Write("A1") end Function Sub IsCardPresent() Dim RetValue Dim GotInput sc.verbose=false ScriptStart = Now Sc.Print "----------------------------------------------------------------" & vbCr Sc.Print "Start: " & ScriptStart & vbCr 'main screen Sc.Print "----------------------------------------------------------------" & vbCr Do Sc.Write("A0") ' turn the LED off Sc.Write("80") 'Is card present? Sc.Delay(100) If Sc.BytesInBuffer > 0 then Sc.Read(&h01) RetValue = Sc.GetByte(0) end if If RetValue = &h0 then Call Sc.ProgressBox ("*** Please insert your card... ***", 1, 999, "Unlooper/Unlocker") GotInput = False else If RetValue = &hFF then GotInput = True else If RetValue <> &h0 or RetValue <> &hFF then Sc.Write("A0") ' turn the LED off Sc.Write("020200") Sc.Delay(100) If Sc.BytesInBuffer > 1 then Sc.Read(&h02) GotInput = False else GotInput = False end if end if End if End if Loop Until GotInput = True end sub Function ChipVer() Chipver = 1 End Function Function Checks() If Sc.Version < 5 Then ErrorString = "You need at least version 5 of WinExplorer to run this script" Sc.MsgBox ErrorString, vbCritical Err.Raise 1050, , ErrorString End If if ChipVer() <> 1 then sc.MsgBox("You need firmware version NewD11 to run this script" & VbCr & " Flash your chip with the NewD11 hex") Exit Function end if 'IsCardInserted() 'IsCardPresent() End Function Function MakeRawEmm() dim rawemm rawemm = "3F" & hexstring(Provider,2) & "01F" select case cardtype case "Rom 10" rawemm = rawemm & "ACD456FC0A1A6003868CC7FA1" case "Rom 11" rawemm = rawemm & "BCD456FC0A1A6003868CC7FA1" case "Rom 07" rawemm = rawemm & "7CD456FC0A1A6003868CC7FA1" case "Rom 03" rawemm = rawemm & "3CD456FC0A1A6003868CC7FA1" case else MakeRawEmm = "FAIL" end select MakeRawEmm = rawemm End Function | there is 0ne other method of trying to glitch a card to allow a write that script does not use the nipper login it uses a different login (bugtable) in codespace. examples are available for comparrison if needed. so as u can see its hardly rocket science, im using the afore mentioned stuntguys FAQ to try to understand what i need to send the card here is a copy of it >>HERE<< if ya wanna have a look. i also have all the necessary reference materials and the VBS skills needed but could do with a hand. cheers guys.. regards -\\v
|