AuthorMessage
vickmaker
Ametuar
Posts: 127

right,
 i am trying to figure something out, and want to know if anyone has any ideas on this, firstly the guys who originally wrote these scripts basically just cut and pasted the generic parts of the script and redone the packets that are sent to the card, using a well known FAQ called stuntguys faq,
here is a miniscule quote from the faq,
 "The NagraVision cards use a variant of the ISO-7816 protocol called the
"T=1" or "asynchronous half-duplex block transfer" format.  This format
differs from the format used by DSS smartcards in that the DSS protocol (the
"T=0" format) calls for the master device (the receiver or IRD) to send a
5-byte header block to the card.  The card (or CAM) must then send back one
of the bytes from the header (specifically, the second byte, which is the INS
byte) to acknowledge receipt of the header.  At this point, the IRD will
either send the rest of the message to the CAM as one large packet, send the
rest of the packet one byte at a time, awaiting an acknowledgment after each
byte, or await the data return from the CAM

im interested in the T=0 format so i can look inside r0m10 and r0m11 type nagra cards, the same as the ones telepest and nthell use in there set top boxes, and the ones cable and witless used to use before they went bust.lol.
specifically the ones that are locked to a certain revision of firmware that cannot be read by an iso programmer untill the card has been "GLITCHED" in a t911 unlooper.
still with me? good,
sooo the script im posting with this is designed to open both types of cards ( rom 10 and 11#) and a few different providers also, thaats whyits called multir0m multiprovider script, duh, if you know VBS you will see the different providers in the script itself
eg: 5A01, 5B01 etc etc
what i am trying to do is make a script that goes beyond the abilities of the current shit so that r0m 7 cards may be opened also, ( not so bothered about this myself) and most importantly for me anyway is to try and get a script that will glitch these cards open for reading/writing purpioses once the current scripts cannot do anymore, for instance some cards do not have the correct responses in the initial comms with the programmingh device and the card, making it impossiblr ( with the current scripts) to open a card that does not have an ATR, or provider is unknown, eg 5A01 becomes 4A01 thru data corruption and the script dont know if it needs a shit or a haircut and thus dies like a bastard when it encounters these anomalies.
b4 i forget heres the best script in the known universe for r0m 11 and 10 cards on telepest or nthell.
Code:
'
' New VB Script File - Created 08/08/2005
'
' FOR ROM 10 A82 and ROM 11 BOC STREAMLOCKED only.
' AUTOMATIC SCRIPT for ntl, telewest, cable and wireless, chorus(not rom 10 yet) and cabo only
' this script automatically switches nipper logins and will will work for cards returning a 6300 error
' script design and implementation by wonko ( BARELY KNOWS VBS )
' original packets by simonkirk ( CARD COMMS EXPERT)
' testing by spudy  (SAYS HE USED TO KNOW GHOST<?)
' (a couple of functions have been pilfered off the net - original authors unknown)
'**************************************************************************************
'Instruction Table
'01 Reset Card (Leaves card clock off)
'02 4.608 MHz Card Clock Off -FREEZE CAM
'03 4.608 MHz Card Clock On - FREE RUNNING CAM
'04 DOUBLE HIT, CLOCK LOW, .5 CYCLE DELAY--2*CARD CLOCKS -- ex. 2x xx xx 04 for timing
'05 DOUBLE HIT, CLOCK LOW, 1.5 CYCLE DELAY-2*CARD CLOCKS -- ex. 2x xx xx 05 for timing
'06 Double HIT, CLOCK LOW, 6 CYCLE DELAY-- 2*CARD CLOCKS -- ex. 2x xx xx 06 for timing
'07 Three HIT, CLOCK LOW , 6 CYCLE DELAY-- 2*CARD CLOCKS -- ex. 2x xx xx 07 for rom11 hopeful.
'08 Five HIT, CLOCK LOW,  5 CYCLE DELAY--- 2*CARD CLOCKS -- ex. 2x xx xx 08 for rom11 hopeful.
'09 LOW CLOCK single hit------------------ 2*CARD CLOCKS -- ex. 2x xx xx 09 for timing
'0E XX SET WD TIMER
'0F POWER DOWN CAM
'1X TX RX SPEED
'2X XX XX Delay $2X XX XX Atmel clock cycles
'8X-9X Rx from card, instruction anded with $1f plus 1 bytes Ex. $9F = rx $20 bytes
'aX-FX Tx to card, instruction anded with $5f plus 1 bytes Ex. $FF = Tx $60 bytes
'**************************************************************************************
'Commands
'80 Check Card Presence - Sends 1 byte
'90 Get chip ID - Sends 4 Bytes (DISH)
'AX Set Bi-color Led - X = 0 off, X = 1 Red, X = 2 Green
'B0 XX Set Glitch VCC - VCC = (5/255) * XX
    Dim StartTime
    Dim Start
    Dim FinTime
    Dim Fin
    Dim Hours
    Dim Mins
    Dim Secs
    Dim I
    dim CardType
    dim fail
    dim cardrev
    dim provider
    dim providername
    dim GlitchSuccess
    Dim RT
    Dim Glitchtype
    dim packet(4)
    dim maxglitchpacket
    dim loginstring
    dim glitchfixed
    dim maxpacket
    dim packetcount
    DIM firsttime
    dim delaystart
    dim delayend
    dim trycnt
    dim logindelay
    dim rtrapenabled
    dim rtrapvalue
    dim vccstart
    dim vcclimit
    dim rtrap
    dim trycnt2
    dim cl
    dim rt2
    dim Rom11DelayStart
    dim Rom11DelayEnd
    dim Rom10DelayStart
    dim Rom10DelayEnd
    dim positiveresponse
    dim packetswitched
    sc.print "________________Setting up WinExplorer_________________" & VbCr
    Wx.BaudRate = 115200
    Wx.ResetBaudRate = 115200
    Wx.Parity = 0 ' 0 = None, 1 = Odd, 2 = Even, 3 = Mark, 4 = Space
    Wx.StopBits = 0 ' 0 = 1 stop bit, 1 = 1.5 stop bits, 2 = 2 stop bits
    Wx.DTRControl = 0 ' Initial state of DTR 0 = off, 1 = on
    Wx.RTSControl = 1 ' Initial state of RTS 0 = off, 1 = on
    Wx.ResetDelay = 100 ' In microseconds
    Wx.ByteDelay = 10 ' In microseconds
    Wx.RxByteTimeout = 500 ' In milliseconds
    Wx.ResetMode = 2 ' 0 = No Resets, 1 = ISO Reset (Expect a ATR), 2 = Device Reset (No ATR)
    Wx.ResetLine = 1 ' 0 = Toggle RTS for Reset, 1 = Toggle DTR for Reset
    Wx.ByteConvention = 1 ' 0 = Inverse, 1 = Direct
    Wx.FlushEchoByte = 0 ' 0 = no flush, 1 = flush - A Phoenix interface will echo each byte transmitted.
    Wx.FlushBeforeWrite = 1 ' 0 = no flush, 1 = flush - Flush the receive buffer before each write to strip off Null bytes.
    Wx.IgnoreTimeouts = 1 ' 0 = Abort script on a receive timeout, 1 = Ignore all receive timeouts
    Wx.ResetAfterTimeout = 0 ' 0 = Don't reset after a timeout, 1 = do a reset after a timeout - Not used if "IgnoreTimeouts=0"
    Wx.LogTransactions = 0 ' 0 = Don't log transactions, 1 = log transactions
    Wx.DisplayUSW   = 0 ' Display USW after script complete 0 = no, 1 = yes
    Wx.DisplayFuse  = 0 ' Display Fuse after script complete 0 = no, 1 = yes
    'start of user variables
    packetcount     = 1         'packet 1, 2, or 3
    Rom11DelayStart = &h16ff   'testing rom 11 - 1780
    Rom11DelayEnd   = &h1380   'testing rom 11 - 1380
    Rom10DelayStart = &h1350
    Rom10DelayEnd   = &h12ef
    TryCnt          = 330        '330 is good - Number of tries per delay FROM 5-50000
    LoginDelay      = 25     'adjust from 5-30 if having problems with aborts immediately after login
    RTrapEnabled    = 1    'antilooping script on (1) or off (0)
    RTrapValue      = 4      'number of consectutive resets required to stop script (3-6)
    'end of user adjustable variables
    'start of system variables - nothing in this area is meant to be adjusted by end users
    VCCStart        = &h40     'YOU CAN CHANGE THIS FROM 21-99 = this is automatic now
    VCCLimit        = &h00     'YOU CAN CHANGE THIS FROM 00-20 = this is automatic now
    GlitchType      = &h06     'This is automatic now
    RTrap           = 0
    TRYCNT2         = 0
    CL              = 0
    StartTime=Time
    Start=Timer
    VCC = VCCStart
    packetswitched = FALSE
    firsttime = 1
    ' end of system variables
Sub Main()
    Sc.Reset
    if GetCardInfo()<> "SUCCESS" then
        exit sub
    end if
    if CheckCardIsOK <>"SUCCESS" then
        print hexstring(Provider,2) & "01 " & Cardtype & "'s are not supported yet - sorry"
        exit sub
    else
        CardInfoOut()
    end if
    if SetupPackets()<>"SUCCESS" then
        exit sub
    end if
    'This is it - what we came here to do
    Do while (packetcount<=maxpacket)
        if (packetcount <= maxglitchpacket) then
            if (GlitchIt(packet(packetcount))<>"SUCCESS") then
                print vbcr&"script failed" &vbcr
                exit sub
            end if
        else
            'sc.verbose = true
            sc.write (packet(packetcount))
            SC.READ(2)
            Bytes = Sc.Getbyte(1)
            if Bytes > 4 then
                Sc.Read(6)
                bytes=sc.getbyte(3)
            END IF
            sc.delay(200)
        end if
        packetcount = packetcount +1
    LOOP
    'Back to the boring bit
    CardUnlooped()
End Sub
Function CheckCardIsOk()
    dim supportedcardtypes
    dim Rom10supportedproviders
    dim Rom11supportedproviders
    dim i
    dim supportedcard
    supportedcardtypes = array("Rom 10", "Rom 11")
    Rom10supportedproviders = array("54","5C","5A")
    Rom11supportedproviders = array("54","5C","5A","5E","48","40","55","5B","5D")
    'Check if revision is supported
    if ((Cardtype = "Rom 10" AND CardRev > "RevA82") OR (Cardtype = "Rom 11" AND cardrev >"RevB0C")) then
        CheckCardIsOk = "FAIL"
        print cardrev & " "
        exit function
    end if
    'check card type is supported
    for i = 0 to UBound(supportedcardtypes)
        if supportedcardtypes(i) = CardType then
            supportedcard = 1
        end if
    next
    if supportedcard <> 1 then
        CheckCardIsOk = "FAIL"
        exit function
    end if
    supportedcard = 0
    for i = 0 to UBound(Rom10supportedproviders)
        if (Rom10supportedproviders(i) = hexstring(Provider,2) AND CardType = "Rom 10") then
            supportedcard = 1
        end if
    next
    for i = 0 to UBound(Rom11supportedproviders)
        if (Rom11supportedproviders(i) = hexstring(Provider,2) AND CardType = "Rom 11")then
            supportedcard = 1
        end if
    next
    if supportedcard <>1 then
        CheckCardIsOk = "FAIL"
        exit function
    end if
    CheckCardIsOk = "SUCCESS"
End Function
Function CardUnlooped()
    print
    print "Your" & (ProviderName) & " " & (CardType) + " "
    print (CardRev) + " ("& hexstring(Provider,2)&"01"&") should now be unlocked"&vbcr
    'Display time for wombats
    FinTime=Time
    Fin=Timer
    PRINT"Started Glitching At " & StartTime & VBCR
    PRINT"Glitched Card     At " & FinTime & VBCR
    I=Fin-Start
    Hours = I \ 3600
    I = I Mod 3600
    Mins = I \ 60
    I = I Mod 60
    Secs = I
    PRINT"Done In " & Hours & ":" & Mins & ":" & Secs & VBCR
    'DO
    Sc.PlaySound "ok.wav", 1  'your own alert
    Sc.Delay 3000 'the length in milliseconds +1000 of the audio file
    'LOOP
End Function
Function GlitchIt(glitch)
    Dim Bytes
    Do
        if (glitchfixed = true) then
            GlitchType=  &h08 ' comment out this line to turn on autoglitch type
        end if
        Sc.Write("B0" & HexString(VCC, 2))
        SC.DELAY(12) ' This is NOT the prenipper delay in this script!! Never alter this or u will kill cards !!
        ' Login control
        IF CL = 0 then
            Sc.Write("07 0e 03 10 01 03 9a 00")   'reset card
            sc.read(02)
            sc.delay(logindelay)
            sc.write(loginstring)
            if (Sc.Read(02)) then
                Bytes = Sc.Getbyte(1)
                if Bytes > 8 then
                    Sc.Read(11)
                    LoggedIn = sc.Getbyte(9)
                    if LoggedIn <> &H00 then
                        print "Card wasn't logged in - check this is the right script for Provider " & HexString(Provider,2) & "01" & VBCR
                        print "Script will now exit - have a nice day "
                        glitchit = "FAIL"
                        exit function
                    else
                        if firsttime = 1 then
                            print "Card logged in successfully" &vbcr
                            print
                            print "Please wait while we do our stuff....(this could take a while)" &vbcr
                            firsttime = 0
                            print "Now we will try Packet "  & HexString(packetcount, 1) & ", " & HexString(RT, 4) & " delay, our VCC is about " & HexString(VCC, 2) & " and our Glitch Type was " & HexString(GlitchType, 2)
                            print
                        end if
                    end if
                end if
            else
                print "The normal cause of this error is a wrong login delay - but it can also be caused by" &vbcr
                print "1. Bad pot calibration" &vbcr
                print "2. Winxp" &vbcr
                print "3. Not running scripting patch" &vbcr
                print "4. Poor quality shielding on serial cable" &vbcr &vbcr
                print "Script will now exit - have a nice day "
                glitchit = "FAIL"
                exit function
            end if
            SC.DELAY(10)
        end if
        CL=0
        sc.Write(glitch & HexString(RT, 4) & HexString(GlitchType, 2) & "0E 05 85 00")
        Sc.Read(2)
        Bytes = Sc.Getbyte(1)
        'Response control and autoconfiguration code
        if Bytes > 4 then
            Sc.Read(5)
            bytes=sc.getbyte(3)
            RT2 = bytes
            select case RT2
                case positiveresponse
                    VCC = VCC - .4 '.2
                    'VCC = VCC - 1
                    print "+"
                    CL=1
                    RTrap=0
                case &HFF
                    VCC = VCC + 1
                    print "-"
                    RTrap=0
                case GlitchSuccess
                    print
                    print
                    print "*********** we hit our bug *************"& VbCr
                    print HEXSTRING(SC.GETBYTE(3),2)& HEXSTRING(SC.GETBYTE(4),2)&" was our login = good login, packet " & packetcount & " written to cam"
                    print
                    PRINT HEXSTRING(SC.GETBYTE(0),2) & HEXSTRING(SC.GETBYTE(1),2) & HEXSTRING(SC.GETBYTE(2),2) & HEXSTRING(SC.GETBYTE(3),2)& HEXSTRING(SC.GETBYTE(4),2)& VbCr
                    Sc.Print "===========================================" & VbCr
                    PRINT HexString(bytes, 2)
                    print " was hit at " & HexString(RT, 4) & " delay ----VCC WAS " & HexString(VCC, 2) & " , our GlitchType was " & HexString(GlitchType, 2)
                    print
                    print
                    SC.DELAY(2500)
                    glitchit = "SUCCESS"
                    exit function
                case &H63
                    print
                    print
                    print "*********** we hit our bug *************"& VbCr
                    print "6300 was our login = not logged in, packet didnt take!!"
                    PRINT HEXSTRING(SC.GETBYTE(0),2) & HEXSTRING(SC.GETBYTE(1),2) & HEXSTRING(SC.GETBYTE(2),2) & HEXSTRING(SC.GETBYTE(3),2)& HEXSTRING(SC.GETBYTE(4),2)& VbCr
                    Sc.Print "===========================================" & VbCr
                    PRINT HexString(bytes, 2)
                    print " was hit at " & HexString(RT, 4) & " delay ----VCC WAS " & HexString(VCC, 2) & " , our GlitchType was " & HexString(GlitchType, 2)
                    print
                    print
                    CL=0
                    SC.DELAY(2500)
                    if (packetswitched = FALSE) then
                        print "Switching to 6300 packets" &vbcr
                        packetswitched = TRUE
                        SwitchTo6300()
                    else
                        print "Got a 6300 response when already on 6300 packets - aborting script" &vbcr
                        glitchit = "FAIL"
                        exit function
                    end if
                end select
        else
            PRINT"!"
            VCC = VCC + 1
            RTrap = RTrap + 1
            if (RTrap >= RTrapValue) AND RTrapEnabled then
                print VBCR & "Too many consecutive resets"
                print "You may need to adjust your glitcher and/or script settings" & VBCR
                print "Script will now exit - have a nice day "
                glitchit = "FAIL"
                exit function
            end if
        end if
        'Trycnt loop control
        TryCnt2 = TryCnt2 + 1
        if trycnt2 > trycnt then
            RT = RT - 1.5
            TRYCNT2 = 0
            if rt < DelayEnd then
                rt = DelayStart
            END IF
            print
            print "Now we will try Packet "  & HexString(packetcount, 1) & ", " & HexString(RT, 4) & " delay, our VCC is about " & HexString(VCC, 2) & " and our Glitch Type was " & HexString(GlitchType, 2)
            print
        END IF
        'Autochange glitch type - fixed to type 8 for rom 11
        GlitchType = GlitchType + 0.02
        if GlitchType > 9.4 then
            GlitchType = &h06
        end if
        SC.DELAY(8)
        sc.verbose=false
    LOOP
End Function
Function SwitchTo6300()
    dim rawlogin
    rawlogin = "21003DA0CA0000370335" & hexstring(Provider, 2)
    rawlogin = rawlogin + "011031054E6B705045722049E3407CADFDB96429F4F677C2356D7474"
    rawlogin = rawlogin + "00000000000000000000000000000000000000000000000005"
    loginstring = "4715E0" & rawlogin & calclrc(rawlogin) & "0E058A00"
    packet(1) ="5315E8210045A0D7108040FFB4A6F225227F4B9D12FB1A2AA0034DF7AA771ED7EC1BF9F612"
    packet(1) = packet(1) + "2DD9204B2157858CE465C862AB23503F8B9EAE8CFF46EAC98227E3D2C1557871D02F"
    packet(1) = packet(1) + "748078893E20"
    packet(2) = "5315E8210045A0D710C040F5457B3A9A8F2EE3B3D2144DBE2729FAF94221643D948154E309"
    packet(2) = packet(2) + "F896FD7F54D70A707CF2400B16B504DF2E1A724A7EBACC858E8A3960F922B429B55A"
    packet(2) = packet(2) + "E280DBA57120"
End Function
Function SetupPackets()
    dim rawlogin
    ' prep loginstring
    rawlogin = "21003DA0CA0000370335" & hexstring(Provider, 2)
    rawlogin = rawlogin + "011031054E69705045722049E3407CADFDB96429F4F677C2356D7474"
    rawlogin = rawlogin + "00000000000000000000000000000000000000000000000005"
    loginstring = "4715E0" & rawlogin & calclrc(rawlogin) & "0E058A00"
    'end of login prep
    select case Cardtype
        case "Rom 10"
            GlitchSuccess = &H83
            positiveresponse = &H6F
            glitchfixed=FALSE
            maxpacket = 4
            maxglitchpacket=1
            DelayStart=Rom10DelayStart
            DelayEnd=Rom10DelayEnd
            select case provider
                case &H5A ' telewest
                    packet(1)="6A15FF2100"
                    packet(1)= Packet(1) + "5CA0CA00005603545A5B108105FACD7A"
                    packet(1)= Packet(1) + "B7C0A1A600965DC269CBA2C69973D6CD"
                    packet(1)= Packet(1) + "8766A2CFEB84A18FBFF8E26FCF8807B7"
                    packet(1)= Packet(1) + "10983A07DD92B7575B558DBF6BE4F0CA"
                    packet(1)= Packet(1) + "622BCC01F8EE441351E7B4784E4C232F"
                    packet(1)= Packet(1) + "3698871E3A0CCD320C5AEA2D2D1020"
                case &H5C 'exc&w
                    packet(1)= "6A15FF2100"
                    packet(1)= Packet(1) + "5CA0CA00005603545CF7108105FACD7A"
                    packet(1)= Packet(1) + "B7C0A1A6004A153319E1FB5B6348507E"
                    packet(1)= Packet(1) + "8E46A21DEFD37116179E4C5266B6DB4C"
                    packet(1)= Packet(1) + "596CD86FD9E7FF65D1638E1BAE6D2925"
                    packet(1)= Packet(1) + "D9B88446EDD99EEF33A3A16AADBDF346"
                    packet(1)= Packet(1) + "8206679CC0BD06F685AEE418765C20"
                case &H54 'ntl
                    packet(1)= "6A15FF2100"
                    packet(1)= Packet(1) + "5CA0CA0000560354546A108105FACD7A"
                    packet(1)= Packet(1) + "B7C0A1A6004A153319E1FB5B6348507E"
                    packet(1)= Packet(1) + "8E46A21DEFD37116179E4C5266B6DB4C"
                    packet(1)= Packet(1) + "596CD86FD9E7FF65D1638E1BAE6D2925"
                    packet(1)= Packet(1) + "D9B88446EDD99EEF33A3A16AADBDF346"
                    packet(1)= Packet(1) + "8206679CC0BD06F685AEE41876C920"
                case else
                    print"Provider " & hexstring(provider,2) & "01 not done yet"
                    setuppacket = "FAIL"
                    exit function
                end select
            packet(2) = "12 15 Ab 21 00 08 A0 CA 00 00 02 C0 00 06 87 0E 05 85 00"
            packet(3) = "0A 15 A3 21 98 00 B9 0E 05 85 00"
            packet(4) = "0A 15 A3 21 92 00 B3 0E 05 85 00"
        case "Rom 11"
            GlitchSuccess = &H90
            positiveresponse = &H69
            glitchfixed=TRUE
            maxpacket = 3
            maxglitchpacket = 2
            DelayStart=Rom11DelayStart
            DelayEnd=Rom11DelayEnd
            packet(1) ="5315E8210045A0D710804066E12439141ACAA1C1D5E9B29B68F861EF7F043C265563F337FE29F561DB8E"
            packet(1) = packet(1) + "17B5E19BD383995049EC665253E28195DF32905312C995CE26F0"
            packet(1) = packet(1) + "D9268605BEFEF2B020"
            packet(2) = "5315E8210045A0D710C040F8EE037B057F7753279632187D4DFECA1FD920D841CDA8B377CDCFDFCE4D0A"
            packet(2) = packet(2) + "EC4D7C45B49B9D390D8E5838254384985E54925C09F43B72F1C8"
            packet(2) = packet(2) + "4B555A2DB4482DDD20"
            select Case Provider
                Case &H5C ' NTL (Docsis)
                    ProviderName = "n exC&W"
                    Packet(3) = "6015F6210053A0CA00004D004B5C010254A5343681797D97B65E3F062CB4349AA955225"
                    Packet(3) = Packet(3) + "9533D1C69CD55BAE490D1EF31FE200F487653575B4B0934DE82EF17"
                    Packet(3) = Packet(3) + "0AA6A5EAE7658AC7924C99EE06165243D15E807052E4C42C7405342000FF0E058500"
                Case &H54 ' NTL(Davic)
                    'ProviderName = " Screwed Up"
                    ProviderName = " NTL"
                    Packet(3) = "6015F6210053A0CA00004D004B54010253418D70D19AF07B434F1A766196896905364B7"
                    Packet(3) = Packet(3) + "65F4B3D7AF959B982E65780C340784225381D906EEE22C1B8C21051"
                    Packet(3) = Packet(3) + "55BB5B56927DF9C98755894A5892FBD516B667B188738577B8059C2000FF0E058500"
                Case &H5A ' Telewest
                    ProviderName = " TeleWest"
                    Packet(3) = "6015F6210053A0CA00004D004B5A010236549D026DFCBDF3BE5E371B2456E1FF0F03A0B"
                    Packet(3) = Packet(3) + "279426A3AEEA553AB11580847C604EF310CD400A578CE485C50BD66"
                    Packet(3) = Packet(3) + "4C0677F8DD64AC7AB075F520F7294530F916AF7C95263C95B705C82000FF0E058500"
                Case &H48 ' Provider 4801
                    Packet(3) = "6015F6210053A0CA00004D004B480102C91C96AAE1BC94C3C92B6EC8DCB49D8A4F63A4B"
                    Packet(3) = Packet(3) + "D577342C6AA4332AA47DB27F2761E2B876955DFEE555F3F65F7D197"
                    Packet(3) = Packet(3) + "3EA210BB7DE121230EFDD6061FD2368FE9145849921CCC7969054D2000FF0E058500"
                Case &H5E ' Chorus
                    ProviderName = " Chorus"
                    Packet(3) = "6015F6210053A0CA00004D004B5E01027C3D76C9A7ECD2C8AC03E6F04055FDDFC9BB406"
                    Packet(3) = Packet(3) + "D6D42815B07F036BAFCC5C92FA03C51997C9C1B58908A2D012B40C7"
                    Packet(3) = Packet(3) + "B36E0AA5C7B4780104BAD75CD0FEB11247EE9FFFB5F912B89205792000FF0E058500"
                Case &H40 ' Provider 40
                    ProviderName = " Screwed Up"
                    Packet(3) = "6015F6210053A0CA00004D004B4001021E8F71EDD7FE1B8B710E25D6EDD98CB55BD8AE96C"
                    Packet(3) = Packet(3) & "9D1A3E56597790DBA0BD39A649BBFA3C0B68D9B64B39017F2EC959807629B7AB15D"
                    Packet(3) = Packet(3) & "739784A5F30468FA645ABE8499D0A687CB1805412000FF0E058500"
                Case &H55 ' Provider 55
                    ProviderName = " Screwed Up"
                    Packet(3) = "6015F6210053A0CA00004D004B5501022C65D7D52A17DB796C0C6A8CD8FEBDBD6FD10B91"
                    Packet(3) = Packet(3) & "B57C1E7A9E194894145B051E39F0556AB6EA9007B55ACD5FF5429A5E8D392C953264"
                    Packet(3) = Packet(3) & "4EBF9BEF591409C4A6FF163510D2B78DDDB1053C2000FF0E058500"
                Case &H5B ' Provider 5B
                    ProviderName = " Screwed Up"
                    Packet(3) = "6015F6210053A0CA00004D004B5B0102BD7E3593852B40F225AB92A637C728D51BF697B507"
                    Packet(3) = Packet(3) & "C4BAE831C3C40DC639CA967AF93455AA899257127BCB13E184DD32BA48FEA5197E1"
                    Packet(3) = Packet(3) & "E5AAF6FBBF3D584BA5F04EF882C5277B014050C2000FF0E058500"
                Case &H5D ' Provider 5D
                    ProviderName = " Screwed Up"
                    Packet(3) = "6015F6210053A0CA00004D004B5D01021AB570D274F839A8D9248FCA6422862E605239EA86"
                    Packet(3) = Packet(3) & "202102DD04EC3776C273108DE128FC4725700B29144F94717BA18BA2DE0A88C1C3B0"
                    Packet(3) = Packet(3) & "0382E076FB35FBE7EFE6B083260B9C704305E42000FF0E058500"
                Case Else
                    print "Provider " & HexString(Provider,2) & "01 Unsupported!!" &vbcr
                    print "Script will now exit - have a nice day "
                    setuppacket = "FAIL"
                    exit function
            end select
        end select
        RT = DelayStart
        setuppackets="SUCCESS"
End Function
Function CardInfoOut
    ' intro text
    print
    print "Multiprovider MultiRom script for Rom 10 and Rom 11 cards (both normal and 6300)"&vbcr
    print "Now with experimental support for Rom 11 provider 40,55,5B and 5D cards - dunno if it will work tho" &vbcr
    'print "Script version 0.2a - experimental - not for release" &vbcr
    print
    print "Do NOT remove card while script is running!!!" &vbcr
    print
    print "Card is a" & (ProviderName) & " " & (CardType) + " "
    print (CardRev) + " ("& hexstring(Provider,2)&"01"&")"&vbcr
End Function
Function GetCardInfo()
    sc.verbose=FALSE
    Sc.Write("07 0e 03 10 01 03 9a 00")
    if (Sc.Read(2))then
        Bytes = Sc.Getbyte(1)
        if Bytes > 25 then
            Sc.Read(26)
            CardType = "Rom " &chr(sc.getbyte(17))&chr(sc.getbyte(18))
            CardRev  = "Rev" &chr(sc.getbyte(23))&chr(sc.getbyte(24))&chr(sc.getbyte(25))
        end if
    else
        print "Card didn't reset - most likely cause of this error is not reseting the glitcher before starting the script" &vbcr
        print "Script will now exit - have a nice day "
        GetCardInfo = "FAIL"
        exit function
    end if
    SC.DELAY(30)
    sc.verbose=FALSE
    ' Find provider and setup accordingly
    Sc.Write("17 15 b0 21 00 0D A0 CA 00 00 07 21 05 01 03 FF FF 00 28 4f 0E 05 88 00")
    sc.read(02)
    Bytes = Sc.Getbyte(1)
    If Bytes > 2 then
        Sc.Read(09)
        provider = sc.Getbyte(5)
    else
        print "Card didn't return a valid provider - you may need to clean card & reset glitcher or card may be looped - check in nagraedit" &vbcr
        print "Script will now exit - have a nice day "
        GetCardInfo = "FAIL"
        exit function
    end if
    Sc.Write("14 03 10 15 AB 21 00 08 A0 CA 00 00 02 12 00 06 55 0E 03 87 00")
    Sc.Read(02)
    Bytes = Sc.Getbyte(1)
    if Bytes > 7 then
        Sc.Read(8)
    end if
    SC.DELAY(30)
    GetCardInfo = "SUCCESS"
    sc.delay(30)
End Function
Function CalcLRC(Command)
    DIM Size
    DIM current
    dim i
    ' Check command is valid i.e. an even number of bytes
    if (len(command) mod 2) <> 0 then
        calclrc = "FAIL"
        exit function
    end if
    Size = Len(command)/2
    current = HexStringToIntValue(mid(command,1,2))
    for i = 1 to (size-1)
        nextone = mid(command,(i*2)+1,2)
        current = current XOR HexStringToIntValue(nextone)
    next
    CalcLRC = Hex(current)
End Function
Function HexStringToIntValue( cHexDigits)
   nValue = 0
   nNumHexDigits = Len( cHexDigits )
   For i = 1 To nNumHexDigits
      c = Mid( cHexDigits, i, 1 )
      nValue = (nValue * 16) + ValueOfHexDigit( c )
   Next
   HexStringToIntValue = nValue
End Function
Function ValueOfHexDigit(cHexDigit)
   cHexDigit = UCase( cHexDigit )
   nPos = Instr( 1, "0123456789ABCDEF", cHexDigit, 0 )
   If nPos > 0 Then
      nPos = nPos - 1
   End If
   ValueOfHexDigit = nPos
End Function
Function HexString(Number,Length)
    ' This function takes 2 arguments, a number and a length.  It converts the decimal
    ' number given by the first argument to a Hexidecimal string with its length
    ' equal to the number of digits given by the second argument
    Dim RetVal
    Dim CurLen
    RetVal=Hex(Number)
    CurLen=Len(RetVal)
    If CurLen<Length Then
        RetVal=String(Length-CurLen,"0") & RetVal
    End If
    HexString=RetVal
End Function
'All functions below this point are not currently in use
'-------------------------------------------------------
Function IsCardInserted()
Dim RetValue
Dim GotInput
dim counter
counter = 1
sc.reset
Do
    Sc.Verbose = 0 'Turn off debug mode
    Sc.Write("A0") 'Turn the LED off
    Sc.Write("80") 'Is card present?
    Sc.Delay(100)
    counter = counter+1
    if counter >= 100 then
        counter = 1
    end if
    If Sc.BytesInBuffer > 0 then
        Sc.Read(&h01)
        RetValue = Sc.GetByte(0)
    end if
    If RetValue = &h0 then
    'Call Sc.ProgressBox ("Glitching...               DAC:        " & HexString(DAC,2) & vbcr & "                                Delay:        " & HexString(counter,2), 1, 999, "Hu Card Unlock")
        Call Sc.ProgressBox ("                             *** Please INSERT your card! ***", counter, 100, "                          Sure You Didn't Forget Something?")
        GotInput = False
    else
        If RetValue = &hFF then
            GotInput = True
        else
            If RetValue <> &h0 or RetValue <> &hFF then
                print "aborted"
                exit function
            End if
        End if
    End if
Loop Until GotInput = True
Call Sc.ProgressBox("", 0, 100) 'close the dialog
Sc.Write("A1")
end Function
Sub IsCardPresent()
    Dim RetValue
    Dim GotInput
    sc.verbose=false
    ScriptStart = Now
    Sc.Print "----------------------------------------------------------------" & vbCr
    Sc.Print "Start: " & ScriptStart & vbCr     'main screen
    Sc.Print "----------------------------------------------------------------" & vbCr
    Do
Sc.Write("A0")                ' turn the LED off
Sc.Write("80")                'Is card present?
Sc.Delay(100)
If Sc.BytesInBuffer > 0 then
Sc.Read(&h01)
RetValue = Sc.GetByte(0)
end if
If RetValue = &h0 then
Call Sc.ProgressBox ("*** Please insert your card... ***", 1, 999, "Unlooper/Unlocker")
GotInput = False
else
If RetValue = &hFF then
GotInput = True
else
If RetValue <> &h0 or RetValue <> &hFF then
Sc.Write("A0")                ' turn the LED off
Sc.Write("020200")
Sc.Delay(100)
If Sc.BytesInBuffer > 1 then
Sc.Read(&h02)
GotInput = False
else
GotInput = False
end if
end if
End if
End if
Loop Until GotInput = True
end sub
Function ChipVer()
    Chipver = 1
End Function
Function Checks()
    If Sc.Version < 5 Then
        ErrorString = "You need at least version 5 of WinExplorer to run this script"
        Sc.MsgBox ErrorString, vbCritical
        Err.Raise 1050, , ErrorString
    End If
    if ChipVer() <> 1 then
        sc.MsgBox("You need firmware version NewD11 to run this script" & VbCr & "            Flash your chip with the NewD11 hex")
        Exit Function
    end if
    'IsCardInserted()
    'IsCardPresent()
End Function
Function MakeRawEmm()
    dim rawemm
    rawemm = "3F" & hexstring(Provider,2) & "01F"
    select case cardtype
        case "Rom 10"
            rawemm = rawemm & "ACD456FC0A1A6003868CC7FA1"
        case "Rom 11"
            rawemm = rawemm & "BCD456FC0A1A6003868CC7FA1"
        case "Rom 07"
            rawemm = rawemm & "7CD456FC0A1A6003868CC7FA1"
        case "Rom 03"
            rawemm = rawemm & "3CD456FC0A1A6003868CC7FA1"
        case else
            MakeRawEmm = "FAIL"
    end select
    MakeRawEmm = rawemm
End Function

there is 0ne other method of trying to glitch a card to allow a write that script does not use the nipper login it uses a different login (bugtable) in codespace. examples are available for comparrison if needed.
so as u can see its hardly rocket science, im using the afore mentioned stuntguys FAQ to try to understand what i need to send the card here is a copy of it >>HERE<< if ya wanna have a look. i also have all the necessary reference materials and the VBS skills needed but could do with a hand. cheers guys..
regards
-\\v