EMU for starchoice



caseyman
11-07-2013, 01:46 PM
what EMU for azbox can clear starchoice music channels 12053v on G19 97W? my pansat 3500 does it good.
tnx

iq180
11-07-2013, 02:08 PM
what azbox do you have?

caseyman
11-07-2013, 02:13 PM
elite f/w 4890

iq180
11-07-2013, 02:21 PM
you can try multicas 182, to get multicas use sticky on how to add server options, after you get multicas you need to reboot then put the receiver on the CH and let it sit there for 30 min, if it's going to work it should do it within 30 min.

caseyman
11-07-2013, 03:00 PM
are you sure 182 gonna do starchoice?

iq180
11-07-2013, 03:56 PM
> are you sure 182 gonna do starchoice?

No I am not sure, as I have not tested it but it did at one time work on n2 for DN & amazonas, just try it, it will work or it won't.

jvvh5897
11-07-2013, 05:48 PM
Hum.... This seems to be suggesting that you use IKS for the N2 radio channels. I don't have azbox so I'm not that sure. The N2 channels are pretty easy to get with a basic N2 decrypt routine--you need the right keys of course and the box code has to have the old c101 RSA stuff and the basic ecm decryption with very little post-processing code. No IKS needed.

caseyman
11-07-2013, 06:15 PM
> The N2 channels are pretty easy to get with a basic N2 decrypt routine--you need the right keys of course and the box code has to have the old c101 RSA stuff and the basic ecm decryption with very little post-processing code. No IKS needed.

it is obvious. my old pansat does it. the trick is how to do this in azbox. no iks involved. i have c101 keys

iq180
11-07-2013, 07:23 PM
> it is obvious. my old pansat does it. the trick is how to do this in azbox. no iks involved. i have c101 keys

you will need the nagra keys from the pansat and add them to the azbox in the nagra edit section of the azbox menu.

jvvh5897
11-08-2013, 04:09 PM
The post processing code is the pain usually. The pansat code from around 2007 works, but the pansat femu and even 2008 pre-femu does not do it right. I have followed the code execution in pansat 2500 running code that works (using jtango and jtag cable while following along in disassembled code), but whether any given file for azbox will do it right is a crap-shoot, just have to try till one works I guess unless you would like to start a project to figure it out. Might be easier to start with a project to send out the ecm packets to a PC and do the decrypt in program running in PC and then feed the CWs back to box pretty much like one does for IKS. Might even be able to use IKS files for it to start with. I would not mind trying to code some of it up--I have coolsat 4000 box that I could have spit out ecm packets pretty easy and write CWs to processor register as needed, so it would just be getting decrypt running on PC and a serial routine pretty much like that played with over the summer for the sonicview hub project down in advanced section.

iq180
11-08-2013, 08:07 PM
> The post processing code is the pain usually. The pansat code from around 2007 works, but the pansat femu and even 2008 pre-femu does not do it right. I have followed the code execution in pansat 2500 running code that works (using jtango and jtag cable while following along in disassembled code), but whether any given file for azbox will do it right is a crap-shoot, just have to try till one works I guess unless you would like to start a project to figure it out. Might be easier to start with a project to send out the ecm packets to a PC and do the decrypt in program running in PC and then feed the CWs back to box pretty much like one does for IKS. Might even be able to use IKS files for it to start with. I would not mind trying to code some of it up--I have coolsat 4000 box that I could have spit out ecm packets pretty easy and write CWs to processor register as needed, so it would just be getting decrypt running on PC and a serial routine pretty much like that played with over the summer for the sonicview hub project down in advanced section.

I don't think you need a code, I think all you need is the nagra box keys that the pansat is using, then edit the nagra keys in the azbox to match.

jvvh5897
11-09-2013, 07:56 PM
I suspect you are right for one of the box's files.

Well, to check what I could do I pulled out some old code that does the basic ecm decrypt and compared the result to what looks like a decrypted packet from a RAM dump of the pansat2500 with GC272 file. Don't know for sure, but the end result looks OK to me--just did 512 bit RSA, IdeaCBC, another RSA round and byteflop to get the result--no post-p at all. I've got the box I'm going to test with sending coolsat4000 format packets to PC, next I'll try to capture those with program to decrypt and send CWs back to box.

I did check to see if the box's code--full emu-- could be modded to just do the above steps and I did not see where that could be done. I'll look again later.

iq180
11-09-2013, 08:26 PM
> I suspect you are right for one of the box's files.
>
> Well, to check what I could do I pulled out some old code that does the basic ecm decrypt and compared the result to what looks like a decrypted packet from a RAM dump of the pansat2500 with GC272 file. Don't know for sure, but the end result looks OK to me--just did 512 bit RSA, IdeaCBC, another RSA round and byteflop to get the result--no post-p at all. I've got the box I'm going to test with sending coolsat4000 format packets to PC, next I'll try to capture those with program to decrypt and send CWs back to box.
>
> I did check to see if the box's code--full emu-- could be modded to just do the above steps and I did not see where that could be done. I'll look again later.

you should be able to find the nagra keys in the pansat menu, copy them then add them to the azbox.

jvvh5897
11-10-2013, 07:49 PM
Um....did you not spot that I don't have an azbox?

I was able to get a mod into the box code that I'm playing with and made the music play. Once I had that, I was able to get both ecm packets and decrypted packets out of the box and checked against my PC's decryption code--they match, so it seems that the decryption steps mentioned earlier are all that is needed for the N2 music. The code I'm playing with is the old pansat 2700's 211 file which is the same one used for pansat IKS, so if any are interested in getting music channels on the boxes that use that code I can suggest a mod. Along the way I fixed a few things in the rq-sssp request from the box so that packet size is adjusted with the prov and the last 0x00 byte is not there anymore.

I know AZ section and I'm talking pansat, but.....

caseyman
11-11-2013, 01:43 PM
i tried some multicas (don't remember what version) a few years ago and as i can recall globecast C101 section had only 8 pairs of hex keys, not 16 which N2 needed.

iq180
11-11-2013, 04:24 PM
> i tried some multicas (don't remember what version) a few years ago and as i can recall globecast C101 section had only 8 pairs of hex keys, not 16 which N2 needed.

Did you try to set the nagra keys to default in the nagra edit menu in multicas?

caseyman
11-11-2013, 06:30 PM
it had N key for diff providers: DN, polsat, globecast, etc. globecast had room to enter only a half of N2 key. iq, if you have multicas installed just check it out.

caseyman
11-12-2013, 12:44 PM
if anybody has multicas installed could you verify how long (8 or 16) is nagra key under C101 globecast provider?

iq180
11-12-2013, 01:54 PM
> if anybody has multicas installed could you verify how long (8 or 16) is nagra key under C101 globecast provider?

They are 16, 8 sets of 2=, but I did not find globecast listed as nagra, it is listed under Viaccess.
All providers listed with multicas are 16 keys, 8 sets of 2.

caseyman
11-12-2013, 02:31 PM
tnx iq, looks like there is no place to put the keys in..... thats sucks! BTW what multicas ver do you have?

iq180
11-12-2013, 02:56 PM
I have version 182, you can edit the provider code in the nagra edit section if you have the code, so you can add any provider you want.

caseyman
11-12-2013, 03:39 PM
iq, you think i can add C101 provider to nagra section? and put keys in it? using MultiCASEdit? i dont think MultiCASEdit allows you to add a provider to certain keys section.

iq180
11-12-2013, 05:11 PM
You can do it from the receiver menu, go to plugins= openxcas= camd setup= multicas= edit and convert keys= then go down to
nagravision and press ok= now press ok and you will get the edit menu, use the =<=>= to move in the menu.
remember to restart the camd in openxcas,=activation & priority setting=

caseyman
11-12-2013, 06:43 PM
but you said C101 globecast is not listed under nagra??? viaccess only?? put nagra keys in viaccess section. i doubt it does a trick.

iq180
11-12-2013, 07:05 PM
> but you said C101 globecast is not listed under nagra??? viaccess only?? put nagra keys in viaccess section. i doubt it does a trick.

No you will need to edit one of the nagra providers.

caseyman
11-12-2013, 07:58 PM
> No you will need to edit one of the nagra providers.

yes, right, but C101 is not under nagra as you stated in post #19

iq180
11-12-2013, 10:22 PM
> yes, right, but C101 is not under nagra as you stated in post #19

If the TPs you are trying to get are nagra then that is where you need to edit the provider ID and the box keys.

caseyman
11-13-2013, 01:22 PM
where i can edit PROVIDER ID? multicasedit does not allow to add provider, ... edit multicas emu_module?
BTW, globecast nagra keys are two sets of 16 hex keys, the actual working keys for globecast are:

00: AF 4A 7C 67 75 42 71 83 06 B9 30 A6 60 8F 66 55
01: 51 47 F1 E1 9F F9 17 29 95 8C A1 00 88 20 66 95

caseyman
11-18-2013, 01:06 PM
OK, conclusion: multicas as EMU is useless here in NA.

jvvh5897
11-19-2013, 05:40 PM
So, seems you are back to the choices I suggested awhile back. Modify the file, find an older file that does work, or try to use a PC to run a decode routine ala IKS.

caseyman
11-20-2013, 01:05 PM
there is no old working EMU file for azbox and i dont know how to mod a file

iq180
11-20-2013, 01:50 PM
> there is no old working EMU file for azbox and i dont know how to mod a file

Yes there are older EMUs, that's what multicas is, are they working is the big ???, you can load an older version and see if the provider is in the nagra list, if it is then edit the box keys.

caseyman
11-20-2013, 02:25 PM
iq, see post #15

iq180
11-20-2013, 04:00 PM
> iq, see post #15

I think you can edit the index and have 2 sets -00-00 and 2 sets -01-01- that will be 4 rows of keys not 2 rows and it should work.
00-xx-xx-xx-xx-xx-xx-xx-xx
00-xx-xx-xx-xx-xx-xx-xx-xx
01-xx-xx-xx-xx-xx-xx-xx-xx
01-xx-xx-xx-xx-xx-xx-xx-xx

caseyman
11-20-2013, 04:31 PM
how to edit the index? what software? multicasedit?

jvvh5897
11-20-2013, 04:31 PM
You do have to have the GC RSA modulus in the code, just adding correct key does not help you if you don't have the RSA. If you can get into the file with a hexviewer or editor look for the sequence 33 69 91 just like you look for ab c5 7c for DN RSA modulus.

iq180
11-20-2013, 04:43 PM
> You do have to have the GC RSA modulus in the code, just adding correct key does not help you if you don't have the RSA. If you can get into the file with a hexviewer or editor look for the sequence 33 69 91 just like you look for ab c5 7c for DN RSA modulus.

I think that's in the older version of multicas so all you would need to do is edit the keys.

iq180
11-20-2013, 04:46 PM
> how to edit the index? what software? multicasedit?

You can edit it from the receiver menu in multicas/ nagra key edit.

caseyman
11-20-2013, 07:56 PM
@jvvh
yes, the sequence 33 69 91 is there. now what? what does it mean?

jvvh5897
11-20-2013, 11:17 PM
As pointed out earlier to decrypt the packets with CWs you have to do an RSA step with the RSA modulus, an IdeaCBC step with the key that you have put in the key area and then there is another RSA step and byte flop. If you have the RSA modulus in the file and if the code selects it correctly and if you have the key in there and the code selects the right one, then the CW should decrypt correctly if the steps in the code match the ones needed. I've found that as N2 aged, the prov complicated the decrypt and so while the code in a file might be right for the N2 steps needed at the time, they may not match the steps needed for GC radio now.

You can try to find another file with the RSA modulus and see if with the right key you get decrypt. OR, try to fix the file by finding the code that does the decrypt and get it to execute as needed today. OR, you can try to set up such a decrypt in a PC and send the ecm packets to the PC to decrypt and have the box use the returned CWs.

jvvh5897
11-22-2013, 08:33 PM
I took a quick look at the Multicas-- 1.70d I believe was the version. I had to unpack it from gzip type of compression and inside I found about 0x180000 bytes. Much of the contents are strings and data, but looks like mips type of code from about 0x12500 to 0xe0000 for a processor that might be SMP8634-2801 from one type of string I found. gcc seems to have been used to create the code as I find a "gcc" string as well. I also see addresses that look to be around 0xf0400000 and I think I have seen mips processor that used a flash address around that 0xf0000000 base address so, maybe code executes in flash around there, but I would think with gz compression used that might be RAM address--hard to say for sure just with the one sample and I haven't tried to figure out the base addrs for where the MultiCas get put.

I do see a couple of card dumps in there too: REV 340 for sure, maybe others as I see a few "DNASP" strings. Lots of copies of the DN RSA modulus, just one of the GC N2 RSA mod that is used for radio. I'm guessing that it does card emu for most of the decryption needed as I see st19 and st20 emu indications and "map" strings like were needed for 2008+ decryption.

If the code were disassembled after figuring out the base addr to use, one might be able to do some modding.

iq180
11-22-2013, 09:35 PM
> I took a quick look at the Multicas-- 1.70d I believe was the version. I had to unpack it from gzip type of compression and inside I found about 0x180000 bytes. Much of the contents are strings and data, but looks like mips type of code from about 0x12500 to 0xe0000 for a processor that might be SMP8634-2801 from one type of string I found. gcc seems to have been used to create the code as I find a "gcc" string as well. I also see addresses that look to be around 0xf0400000 and I think I have seen mips processor that used a flash address around that 0xf0000000 base address so, maybe code executes in flash around there, but I would think with gz compression used that might be RAM address--hard to say for sure just with the one sample and I haven't tried to figure out the base addrs for where the MultiCas get put.
>
> I do see a couple of card dumps in there too: REV 340 for sure, maybe others as I see a few "DNASP" strings. Lots of copies of the DN RSA modulus, just one of the GC N2 RSA mod that is used for radio. I'm guessing that it does card emu for most of the decryption needed as I see st19 and st20 emu indications and "map" strings like were needed for 2008+ decryption.
>
> If the code were disassembled after figuring out the base addr to use, one might be able to do some modding.

Part of the info is in the firmware of the azbox/ and all of it is stored in the DOM within the receiver, the DOM can be removed from the receiver and put in a computer IDE port, if I wanted to get N2 music CH on sat 97.0w I think I would load an older firmware, 0.9.5308 or older and an older multicas, JMO,LOL.

caseyman
11-27-2013, 04:31 PM
i think if multicas has only key format like this: xx-xx-xx-xx-xx-xx-xx-xx it was done to emu N1 only.

jvvh5897
11-27-2013, 05:46 PM
Not if the card dump inside the code is of as high a revision as I see--way past the N1 days. Plus I see map calls--those would be for late N2 decrypt. I would think that if your only choice is 8 byte key then you are not entering the keys in the right section. For N2 there should be a section with 4 groups of 8 bytes or two sections of 16 bytes. If you could find the DN or 3ev key area then you have an example of what you want.

caseyman
11-27-2013, 06:37 PM
all multicases have 4 x 8 bytes keys for DN and 3EV and only 1 x 8 bytes for C101, and i see no way to edit this.

jvvh5897
11-30-2013, 08:29 PM
Well, then go into the code and make some changes. Maybe swap things around so that where you enter 3ev becomes c101's spot instead.

jvvh5897
12-01-2013, 07:07 PM
I figured out how to disassemble the multicam file. There is an easy way and a harder way, but neither makes it easy to follow code execution because of the way the code was built. The easy way is to trim off the first 0x8000 byte to just leave the elf file and save it as an elf file, load it into IDA Pro and select mipsl processor setting and let IDA do an automatic analysis of the file as elf. It will find the entry point at 0x40a5c0 and auto label the routine names. The harder way is to just load the file to 0x3f8000 and run an IDC that I built to do the disassembly, run a readelf program to get the routine addresses and look around or use the results of the readelf to label the disassembled code. I might have a glimmer of a method to get the code execution labeled, but still thinking about it.

It looks like the nagra_ecm routine does the following:

.text:004811F0 lbu $v0, 5($s3)
.text:004811F4 andi $v0, 0xFE
.text:004811F8 sb $v0, 0x308+var_268+1($sp)
.text:004811FC
.text:004811FC loc_4811FC: # CODE XREF: nagra2_ecm+4C8j
.text:004811FC lbu $v1, 0x308+var_268+1($sp)
.text:00481200 li $v0, 0xC0
.text:00481204 beq $v1, $v0, loc_48121C

Since c101 or c001 will get the same results from the above test, it looks to me like you need to use the TV Globo keys for N2 radio.


In the code you find something that looks like default keys for c001--you could go in and change those and maybe change the c001 to c101--don't know that you have to do that in the code as you might be able to do it from the menu system or dump a key.bin file and change things then send results to box (I don't own one so hard for me to know best way):

109660 20 20 20 20 20 20 20 20-00 C0 01 00 00 00 00 00 TV Globo
109670 00 00 00 00 54 56 20 47-6C 6F 62 6F 20 20 20 20
109680 20 20 20 20 00 C0 01 10-00 00 00 00 00 00 00 00
109690 54 56 20 47 6C 6F 62 6F-20 20 20 20 20 20 20 20
1096A0 00 C0 01 01 D7 CB E9 3D-30 E2 C9 13 54 56 20 47
1096B0 6C 6F 62 6F 20 20 20 20-20 20 20 20 00 C0 01 11
1096C0 91 07 38 74 57 DB 90 23-50 52 45 4D 49 45 52 45

Anyway the keys are 00, 10, 01, 11 in the above.
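
The container layout described in the post above (gzip wrapper, a 0x8000-byte prefix, then a little-endian MIPS ELF), as an added firmware-triage example that is not part of the original thread: it locates an embedded ELF32 header in an unknown blob and reports its architecture and entry point without relying on a fixed offset. The function names and the sample container are constructed for illustration.

```python
import gzip
import struct

ELF_MAGIC = b"\x7fELF"
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64"}  # subset of e_machine values


def unwrap(blob: bytes) -> bytes:
    """Decompress when the blob starts with the gzip magic, else return it as-is."""
    return gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob


def find_elf32(blob: bytes):
    """Return (offset, info) for the first valid ELF32 header in blob, or None."""
    data = unwrap(blob)
    pos = data.find(ELF_MAGIC)
    while pos != -1:
        hdr = data[pos:pos + 52]  # an ELF32 file header is 52 bytes
        # e_ident: class 1 = 32-bit, data 1/2 = little/big endian, version 1
        if len(hdr) == 52 and hdr[4] == 1 and hdr[5] in (1, 2) and hdr[6] == 1:
            order = "<" if hdr[5] == 1 else ">"
            e_type, e_machine, e_version, e_entry = struct.unpack_from(
                order + "HHII", hdr, 16)
            if e_version == 1:
                return pos, {
                    "endian": "little" if order == "<" else "big",
                    "machine": EM_NAMES.get(e_machine, hex(e_machine)),
                    "type": e_type,
                    "entry": e_entry,
                }
        pos = data.find(ELF_MAGIC, pos + 1)  # a bare magic string is not enough
    return None


def build_sample() -> bytes:
    """Constructed test container: gzip(0x8000-byte prefix + minimal ELF32 header)."""
    ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIIIIIHHHHHH",
                                 2, 8, 1, 0x40A5C0, 52, 0, 0, 52, 32, 0, 40, 0, 0)
    prefix = b"\x7fELF decoy string".ljust(0x8000, b"\xff")  # decoy magic, bad class
    return gzip.compress(prefix + header + bytes(64))


if __name__ == "__main__":
    offset, info = find_elf32(build_sample())
    print(f"ELF at {offset:#x}: {info['endian']}-endian {info['machine']}, "
          f"entry {info['entry']:#x}")
```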

caseyman
12-02-2013, 04:19 PM
thank a lot jvvh but i have not enough knowledge to do such a job

jvvh5897
12-02-2013, 06:36 PM
You can't enter keys?

caseyman
12-02-2013, 07:35 PM
no, to edit multicas code

iq180
12-03-2013, 01:48 AM
> You can't enter keys?

Yes you can, in nagra key edit of multicas from the receiver menu.

jvvh5897
12-03-2013, 04:45 PM
Well, that is where the TV Globo keys should be changed too.

caseyman
12-03-2013, 04:56 PM
no room for this key format: 00-xx-xx-xx-xx-xx-xx-xx-xx only xx-xx-xx-xx-xx-xx-xx-xx under C101
10-xx-xx-xx-xx-xx-xx-xx-xx
01-xx-xx-xx-xx-xx-xx-xx-xx
11-xx-xx-xx-xx-xx-xx-xx-xx

jvvh5897
12-03-2013, 07:20 PM
C001 not c101 is TV globo

caseyman
12-04-2013, 01:28 PM
right, C101 is GC. in my pansat i put keys under C101 years ago, radio is still working.....

jvvh5897
12-04-2013, 09:08 PM
Yes, and in the code snippet I posted, you can see that as far as the code in your Mcas is concerned C001 and c101 is the same (c0 AND fe == c1 AND fe). SO, If you put your c101 keys in the c001 spot the radio channels should try to use them--I don't know if the rest of the code will work correctly, but for that part of the N2 decrypt you should be OK.

If I were doing it, I would want to learn much more about manipulating the box code, so I would use a hexeditor to change the Mcas code directly rather than just load the keys with remote--but that is me.

caseyman
12-05-2013, 06:42 PM
OK, i'll try to explain again. in azbox multicas under GC there is the room for ONLY ONE 8x2 bytes N1 key like this xx-xx-xx-xx-xx-xx-xx-xx, not FOUR 8x2 bytes N2 keys.
i cant post a screenshot for some reason, if somebody has multicas any version installed could you post a screenshot of globecast C101 keys section?
tnx

jvvh5897
12-06-2013, 08:14 PM
And I will try again--you don't enter keys at c101--as you say there is not room for 4 blocks of 8 bytes. BUT if you look for c001, you will find four such blocks and the code does not know how to tell the diff between c001 and c101. This is in the Mcas 1.70 version.

caseyman
12-07-2013, 05:18 PM
tnx jvvh, i'll try

iq180
12-07-2013, 10:40 PM
> And I will try again--you don't enter keys at c101--as you say there is not room for 4 blocks of 8 bytes. BUT if you look for c001, you will find four such blocks and the code does not know how to tell the diff between c001 and c101. This is in the Mcas 1.70 version.

Multicas v1.82 has the same option.

jvvh5897
12-13-2013, 06:08 PM
So, did it work?

iq180
12-14-2013, 01:38 AM
I didn't test it, when I have time I will.

caseyman
12-15-2013, 07:25 PM
did not try it yet, something wrong with freaking internet connection.

Ineedanewusersname
12-19-2013, 04:22 AM
Not sure if this will make a difference but I found this in my notes: Not sure if activation will change anything before and/or after code wise. Am TFTA person but still would be interested in the music part. Excuse my post if no help to this thread.

Credit: KIKO post 1

KIKO


How to activate or deactivate EMU's

You know that on Your AzBox HD You can install and use several emu. This tutorial will help You to activate and deactivate EMUs.

Go in Menu ---> Plug-In ---> OpenXCAS Setup choose Activation and Priority Settings, now click on Blue button on Your Remote Control and in front of name of EMU you will see # which means that emu is disabled, and if there is no # that emu is activated. So if u put # in front of Incubus and Gcam, only one activated EMU will be MultiCAS, then press Yellow button on remote controller to Start/Restart EMU.

caseyman
12-25-2013, 05:33 PM
ok, installed multicas 1.82, entered working keys under C001 provider (from pansat), activated EMU, reboot receiver few times, waited one hour..... nothing works....

Ineedanewusersname
12-26-2013, 11:09 PM
In the Azbox download section are two versions of MultiCas along with their "example files" as I am not sure if you have these examples. As before if no help, I apologize.

http://www.satfix.net/showthread.php?152327-MultiCas&p=1030968#post1030968

skywalker999
12-22-2014, 12:09 AM
Did the keys for N2 radio on 97 Globecast change if they did where can i get the new ones

jvvh5897
12-22-2014, 04:50 PM
I think the N2 radio channels are gone. We are losing Ebru from 97 degree sat as well at the end of the year.

1boxman
12-22-2014, 05:13 PM
Hijack ..I know this has nothing do to with original post. Just an option . Older dtv units still work for radio .

jvvh5897
12-23-2014, 05:11 PM
Yep, and I think I could make older STB with sti5518 processor do the audio for that prov too. If you do older dtv boxes right they do the audio for all the SD channels.

BTW, on 97 degrees you can get retro TV and revn. And right now Tele5 TVpolonia on 12082 are not encrypted. The DFH series on 11933 are also not encrypted and you get some sports on a couple ch and overdubbed movies on another.