Hello hack satellite pirates.
You will find this an interesting read.
Credit goes to Packin18 & Edmonton Guy for original concepts and n3 rom and eeprom
dumps from dish and bell providers currently making their way around irc and private
underground forums around the net. Thank Packin18 for your N3 fix and no other.
A virgin non sub card was inserted into a modified blue T911 mod loader with 4053 muxes.
The virgin non sub card was reset and the atr was sent as usual.
A packet containing nops with a bclr instruction at the end was sent to the n3 cam.
When the last bit of the checksum was sent to the cam 16 additional clocks followed.
The cam was soft reset by sending the RST cam pin low from high.
As the cam rst pin swung low a bunch of glitching followed.
This glitching carried on until the RST cam pin came high again.
This glitching carried on for the first clock.
200+ additional clocks were sent to the card.
The cam i/o line was monitored for a full cycle low i/o pin result of the bclr instruction.
The cam was quickly reset, glitched, & clocked a few hundred times again, repeatedly.
When the full cycle low i/o pin signal was seen N3 cams were hacked.
The bclr instructions were removed and replaced with more bsets and bclr instructions
that ROR'd rom and eeprom a bit at a time out of the cam i/o pin without need for the
rom routines that usually handle I/O output.
The packet was stored in the I/O buffer and the card reset before packet processing.
The reset caused the program counter and the stack pointer to reset but not ram values.
The packet full of nops that pulled the i/o line low stayed resident in ram on soft reset.
The card was reset and the addressbus latching of the reset vector was glitched until
the new reset vector became the i/o buffer where NOPS and BCLR code opened N3.
N3 roms/eeproms (142/206/240) for all providers have successfully been dumped.
(interestingly enough this attack works on all N1/N2 cams/icams as well)
(I don't have any dave cams, do you?)
If you want a private fix email me here or at card doctor at gee males d0t com.
If you want portions of n3 rom/eeprom dumps for verification do the same.
See You Boys In The Ring.