Results 1 to 5 of 5

Thread: comment on mrb316

  1. #1

    comment on mrb316

    hi,
    in the firm MRB316 for reborn, the AES key entered via the remote control is located at the address 04055184 (16 bytes long), but there is also an AES key list (185 keys, all differents in progressive order) beginning at 04068789 ending at 04069318 editable with an hexadecimal editor . if we can find how the program access to this list we could change the beginning address and relocate the list in a free unlimited area.
    but I am not a programmer and I can't find how the program does the to this memory area
    regards

  2. #2

    Re: comment on mrb316

    Hi
    I tried what you said. open mrb316 with Hexworshop and There is no address 04055184. But I found that after the name of TPS there is 16 keys of 8 bytes plus what I think is the present AES key.

    I compared the AES keys over one week with date and time and the AES database found (in sequential order) with in various files. It is the same keys (there are more in the week, because some keys are used several times). So I think what you said in your message should work, but I have not found the place with the AES keys between address 04068789 and 04069318. Can you confirm your value (I guess in decimal)
    Regards
    JC

  3. #3

    Re: comment on mrb316

    hi,
    here is what I have with hexworkshop:
    - in blue the AES key editable via the remote control
    - in red the table of 185 keys (of course i just put the beggining and the end of the table)
    the first key 00CECDA9... was used on 25 august 7:15
    the last one FF33FA... was used on 26 august 21:49 or 9:49pm

    000550E0 0000 0000 0000 0000 0500 0000 5450 5320 ............TPS
    000550F0 4672 616E 6365 0000 0000 0000 0000 7C00 France........|.
    00055100 0000 0000 23F8 A778 2345 A188 9528 F9FC ....#..x#E...(..
    00055110 3567 969A 0000 0000 0000 0000 0000 0000 5g..............
    00055120 0000 0000 2D29 8241 B010 2546 0000 0000 ....-).A..%F....
    00055130 0000 0000 0000 0000 0000 0000 0000 0000 ................
    00055140 0000 0000 BB75 58C5 7FA8 30B4 2015 E176 .....uX...0. ..v
    00055150 3FE9 ED27 1AA9 5722 DA22 22AA 4FC0 6186 ?..'..W"."".O.a.
    00055160 E48C 357C 8A00 CB94 FB8A 492D 124B 6C81 ..5|......I-.Kl.
    00055170 861E 02B3 CE2F 7EBA 0AA4 DD51 0000 0000 ...../~....Q....
    00055180 0000 0000 13D9 779D 2732 E76F F3EB 849F ......w.'2.o....
    00055190 AABD 92B2 0000 0000 0500 0000 4654 2043 ............FT C




    00068770 1BDF 055A 8DEF 022D 0000 0000 0000 0000 ...Z...-........
    00068780 0000 0000 0100 0000 0000 CECD A9D7 40E7 ..............@.
    00068790 2976 E66C E749 E124 3602 60F3 3241 17DE )v.l.I.$6.`.2A..
    000687A0 A09A 6BE9 0905 F3CB 7904 FE36 0EEB A0DA ..k.....y..6....
    000687B0 A05C E303 AC22 209F 6D05 19DA C666 8C19 .\..." .m....f..
    |
    |
    |
    000692F0 0D56 B742 C4AE 03B8 BBFE F114 D31A 70F3 .V.B..........p.
    00069300 B558 5B15 B80D 36C7 E6FF 33FA 39F2 5C6E .X[...6...3.9.\n
    00069310 D162 0726 AC22 2AD3 DB00 0000 0000 0000 .b.&."*.........


    regards

  4. #4

    Re: comment on mrb316

    hi,
    just a precision about the addresses
    the flash begins at the address 04000000 (00000000 in an hexadecimal editor), ending at 041FFFFF.
    the bootloader beggins at 04000000, the user program beggins at 04020000.
    regards

  5. #5

    Re: comment on mrb316

    I agree with you ( I did not know for the offset of 04000000). Today, I checked in the latest Mrb 316 dated 17 or 18 november and it is the same with 185 keys ordered in sequential order. I took the T*S AESDatabase which I found for this week with mrb 3xx. It does not fit (neither in number nor in value) with the keys we found in mrb 316.
    I think one has to load himself the T*S AESdatabase in the MRB files. May be this 185 keys are for an other satellite provider than T*S.

    If one change the keys inside the MRB do you know after how to do the check sum (there are various possible algorith offered in my HEX editor and I dont know which one to choose??

    Regards
    JC

Similar Threads

  1. comment konfé
    By isob in forum French / Français
    Replies: 1
    Last Post: 09-11-2009, 14:06:53
  2. comment rentrer les aes
    By dobbys1 in forum Technomate
    Replies: 12
    Last Post: 02-07-2006, 23:54:53
  3. Comment modifier mrv en mrb
    By evangelis in forum Matrix Revolution Cam
    Replies: 6
    Last Post: 27-03-2006, 22:44:36
  4. comment prog mrb!
    By topsaby in forum French / Français
    Replies: 13
    Last Post: 12-03-2006, 01:55:10
  5. comment??????
    By apbob in forum French / Français
    Replies: 3
    Last Post: 26-11-2005, 04:56:37

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •