ACP analysis and command creation tool
-
- Junior Member
- Posts: 101
- Joined: Fri Mar 31, 2006 12:15 pm
I'm reading this treath and I have some testings questions:
1) Does the Coax stream is plugged while spi command reply (to test E11)?
2) Can the xp chip or the connexant can be put in ''freeze mode''(clock or/and freeze pin) while testing the E11 supposed junk board to avoid different software or hardware interrupt that can trig different watch dog timer in the acces processor ?
3) Random timer in xc ?
4) If the boot sector of firmware is corrupt, does the 683xxuc accept update from stream as soon as possible ? if it does, maybe someone have already logged spi at this time ?
I would like to help more but I can't use the 793 firmware and it's difficult for me to log spi by software mod.....
Always great to read your post guys !!!
1) Does the Coax stream is plugged while spi command reply (to test E11)?
2) Can the xp chip or the connexant can be put in ''freeze mode''(clock or/and freeze pin) while testing the E11 supposed junk board to avoid different software or hardware interrupt that can trig different watch dog timer in the acces processor ?
3) Random timer in xc ?
4) If the boot sector of firmware is corrupt, does the 683xxuc accept update from stream as soon as possible ? if it does, maybe someone have already logged spi at this time ?
I would like to help more but I can't use the 793 firmware and it's difficult for me to log spi by software mod.....
Always great to read your post guys !!!
-
- Junior Member
- Posts: 101
- Joined: Fri Mar 31, 2006 12:15 pm
Thanks cipher for the reply !
I can try to explain question 2: A lot of hardware devices like asic or mosc or any micro may have a enable pin or freeze pin that can be pulled up or down with proper resistance, just to simplify the analyse of the log to be sure that everyone compare same statament with same testing device and results....
There is an avalaible pinout for the xc chip, whatever if the system only use a few number of this pinout...??? does it is look as a xillinx micro pinout ?
Forget this post if it does'nt affect to let the coax rg-6 plugged on (or any different user config) while testing (E11)...
I wish that I will have more time to learn how thing works......
I can try to explain question 2: A lot of hardware devices like asic or mosc or any micro may have a enable pin or freeze pin that can be pulled up or down with proper resistance, just to simplify the analyse of the log to be sure that everyone compare same statament with same testing device and results....
There is an avalaible pinout for the xc chip, whatever if the system only use a few number of this pinout...??? does it is look as a xillinx micro pinout ?
Forget this post if it does'nt affect to let the coax rg-6 plugged on (or any different user config) while testing (E11)...
I wish that I will have more time to learn how thing works......
-
- Junior Member
- Posts: 164
- Joined: Sun May 06, 2007 10:24 am
- Location: Everythings bigger in Texas
-
- Junior Member
- Posts: 101
- Joined: Fri Mar 31, 2006 12:15 pm
USBBDM wrote:
At one point I analyzed the code and seems finally there are some code does something odd and then generate channel 07 command. If this the final path to decrypt video, then if we can generate good channel 07 command we should be able to decrypt video. Treat XC chip as black box since finally each box will generate same 07 command to decrypt the same channel.
Any progress in this way, does it should work if stream replay is possible ?
Any progress in NDS videoguard compatibility with this ACP ? it may help to learn some decrypt features (des or 3des, xor,...) ?
At one point I analyzed the code and seems finally there are some code does something odd and then generate channel 07 command. If this the final path to decrypt video, then if we can generate good channel 07 command we should be able to decrypt video. Treat XC chip as black box since finally each box will generate same 07 command to decrypt the same channel.
Any progress in this way, does it should work if stream replay is possible ?
Any progress in NDS videoguard compatibility with this ACP ? it may help to learn some decrypt features (des or 3des, xor,...) ?
-
- Junior Member
- Posts: 8981
- Joined: Mon Jul 18, 2005 9:33 pm
No progress. I was fighting against clone hardware and now I am focus on USB 2.0 project.
I heard someone in Mexico uses two serial port that can pass keys from one box (DCT700) to another. The theory is similar to the card sharing for ROM102 in dish testing. Not see it really work but I think it is absolutely possible. It needs a lot of effort and I was tide up with site attack for the last month and now working on USB 2.0 project.
You are welcome to post anything you know here.
I heard someone in Mexico uses two serial port that can pass keys from one box (DCT700) to another. The theory is similar to the card sharing for ROM102 in dish testing. Not see it really work but I think it is absolutely possible. It needs a lot of effort and I was tide up with site attack for the last month and now working on USB 2.0 project.
You are welcome to post anything you know here.
-
- Junior Member
- Posts: 101
- Joined: Fri Mar 31, 2006 12:15 pm
The SkyWalker-1 card support the Digicipher II 8PSK modulation frame and can work with tsreader software. Maybe, this could be an another analysis logging tool to compare with real system and can help to brute force the command 07 control key (considering xc chip as a black box) ? Or just help to understand the stream in deep ???
-
- Junior Member
- Posts: 21
- Joined: Wed Jul 27, 2005 9:16 pm
- Location: NewYork&Chicago
- Contact:
the broadcom decrypts video....broadcom
if you can capture keys that are fed to the broadcom to decrypt you can also develop a software like they use in fta.
xc on encrypts the keys stored and also the keys in the system broadcast so cant spoof...but on your box you should be able to log the key . and that is the video key. not the encryption key of XC chip
since we dont know how to feed the keys to the broadcom,,,there is no reason to try to find video keys for now....
if you can capture keys that are fed to the broadcom to decrypt you can also develop a software like they use in fta.
xc on encrypts the keys stored and also the keys in the system broadcast so cant spoof...but on your box you should be able to log the key . and that is the video key. not the encryption key of XC chip
since we dont know how to feed the keys to the broadcom,,,there is no reason to try to find video keys for now....
-
- Junior Member
- Posts: 164
- Joined: Sun May 06, 2007 10:24 am
- Location: Everythings bigger in Texas
maybe we could make a program to log the type of processes that occur in our machines so we can cypher through what process is the one that deliever's keys to the broadcom, then go from there. The keys are processed by the firmware at some point and time...Even if the broadcom uses a separate Ram to verify keys....I guess this isn't possible since there is no way of caching the processes.
-
- Junior Member
- Posts: 245
- Joined: Wed Jan 03, 2007 8:57 pm
you have the link or some more info I what to learn how they are using the to com ports or if they are using virtual serial port.usbbdm wrote:No progress. I was fighting against clone hardware and now I am focus on USB 2.0 project.
I heard someone in Mexico uses two serial port that can pass keys from one box (DCT700) to another. The theory is similar to the card sharing for ROM102 in dish testing. Not see it really work but I think it is absolutely possible. It needs a lot of effort and I was tide up with site attack for the last month and now working on USB 2.0 project.
You are welcome to post anything you know here.
thanks...
-
- Junior Member
- Posts: 164
- Joined: Sun May 06, 2007 10:24 am
- Location: Everythings bigger in Texas
Is it possible that these keys (to the host cpu) are encrypted and delivered from the audio? I remember setting up my dct2224 box to work with my tivo and i had to use a serial to audio jack to get them to work together. And then I remember reading the difference between DVB and DC|| and two different systems were developed meaning the keys probably aren't delivered thur video. Just thought i would throw that idea out there. Thanks for any comments back about this.
-
- Junior Member
- Posts: 164
- Joined: Sun May 06, 2007 10:24 am
- Location: Everythings bigger in Texas
Who is online
Users browsing this forum: No registered users and 1 guest