Shadow
09-23-2001, 10:39 PM
Being a newbie myself to dish, I raise the question what the hell is going on? I know some about DTV but dish is intriguing me now cause it's so slow over there. This is from I want my free TV faq I downloaded from Hitecsat. I don't know who wrote this but I would like to tell whomever it was, Thanks!
Hopefully this post will help. Like I said, I'm learning at very early stages too.
I want my Free TV
So you want to hack Dishnetwork? There are a few things you will need to hack. This FAQ will explain what is involved.
Currently there are only 2 preferred methods of hacking Dishnetwork. I will describe both in detail. All other methods, for example., emulation, AVR autoroll, my brother uses a Directv "F" card, rumors, Bullshit, etc., will not be discussed here.
Working Freeware
AVR3
This is a working and stable hack that consists of a Atmel 8515 and a ISO slot for an Access Card. The AVR is used with a Dishnetwork Access card. The keys must be updated after each key change (currently once every weekday). Future versions might be made to (Auto Roll). Currently there are no working autoroll freeware, don't ask. Eepedit 3.06.06 is preferred program for AVR3's. Use an AVR3 if your card is a rom10 or locked rom3 (card in stream after June 21st)
Blocker/Activation
This is the blocker/(E*3m or Tier) Code put on a Plastic "Access Card" that does not need keys updated (autoroll) Put card in ird and watch TV. Please Note that rom2 and open rom3 cards are the only cards being loaded with blocker/activation.
In mid February the read/write hole (backdoor) to Rom3 cards was closed. Freetalk12c reopened these cards, but on June 21st, Dishnetwork re-closed this hole, Therefore, Rom3 cards that have been in the data stream since mid February but before June 21st, have their read/write holes closed. These cards can be re-opened in order to be programmed. But any rom3 card in stream after June 21st without blocker has their read/write holes closed and CAN NOT be reopened. Any attempt to open a closed rom3, whether successful or not, will mark card permanently at E010-E011 = 01FF.
How do you determine which freeware method to use? AVR or Blocker/activation
Although, this has been a topic of great debate, the answer is very simple. The preferred method is Blocker/activation. The AVR3 uses MCG306 code and has a bad fix against nags, 1 bit change and all AVR's will get the nag again. Thus AVR's are only good for rom10 and recently closed rom3's. Updating keys for AVR's is also a disadvantage.
Rule:
For Rom10 and closed Rom3 cards -> AVR... For all other cards -> Blocker s/w and activation (tier or 3m does not matter)
Let's get down to business:
1) Determine what rom type card you have with your system. Look at bottom right of card in very small print.
Card Type--------------ROM version-----------Blocker/activation s/w
A2012 ------------------ ROM3 ------------------ YES
AA-01 ------------------ ROM3 ------------------ YES
AA-02 ------------------ ROM3 ------------------ YES
AA-03 ------------------ ROM10 ------------------ NO
288-01 ------------------ ROM2 ------------------ YES
288-02 ------------------ ROM3 ------------------ YES
288-03 ------------------ ROM10 ------------------ NO
288-04 ------------------ ROM3 ------------------ YES
288-05 ------------------ ROM3 ------------------ YES
288-06 ------------------ ROM3 ------------------ YES
288-09 ------------------ ROM10 ------------------ NO
288-11 ------------------ ROM10 ------------------ NO
If you can't read the card (Rom10) or if your card is a rom3 that was in stream after June 21st w/o blocker code you will have to get an AVR3. Currently you can't use blocker/activation s/w, since you can't read/write to it.
2) Determine what method you will use. If card is Rom10 or closed Rom3, you must use AVR3. All other cards use blocker/activation software.
If you are not sure when your Rom3 card was last in stream. Check Backdoor of card by hitting X in Freetalk12c (Read the Freetalk12c user guide before continuing)
If Cam is enabled then the card backdoor is open and you can use blocker/activation.
If Cam is disabled then card is locked. You can try to reopen by using the O - Open Cam command. If the card was in stream after June 21st, it will not reopen. This is the chance you take. Either way the card will be marked if you attempt to open it. It may be wiser to wait until a better method of reopening w/o marking is discovered. If card does not open you will have to use AVR3.
3) Acquire appropriate hardware/ software for method.
Blocker/3m Hardware - Programmer Software - Freetalk12C (preferred), Blocker/3M .nee file
Programmer The hardware device that is used to write and read (dump) information from your smart card. The success of programming Dish cards will be greatly increased with a programmer that has a 3.6864 Mhz crystal. Although, not absolutely required, the ability to write to the card with other programmers varies. Direct TV programmers use a 3.5767 Mhz crystal and may or may not work with Dish.
Freetalk12C The preferred software to program Dishnetwork smartcards. See Freetalk12C userguide.
Nee These are scripts that are written to the smartcard. A blocker/3m script protects the smartcard from ECM (electronic counter measure) and opens up channels for TV. Called Nee’s because rom2 scripts have .ne2 extensions and rom3 scripts have .ne3 extensions.
AVR3
Hardware - AVR3 board - a DB25 connector plugs into parallel port.
Software - Eepedit306, Allows programming of AVR3, update of keys
EEPEDIT is a Windows 9X/ME/2000/NT GUI editing tool for the incredible MCG306 program. Eepedit was created by WeinerWater software to help AVR3 users create the EEPROM data needed to program the AVR3 or blocker for MCG306. By using EEPEDIT, you will only need a parallel port and a fbprg16 programmer (which is part of most AVR3's) to program the 8515 on your AVR3. You will not need a ISO programmer, or FBPRG16.EXE, or the MCG306.xvb script.
4)Determine Receiver (Ird) boxkey, Program card, Watch TV: Box keys are the method used by DN (Dishnetwork) to activate and identify the unit from millions of other units. Dishnetwork is very different from Direct TV in that the card has to be married to the Ird. You cannot interchange cards from one Ird to another w/o knowing the secret boxkey of Ird. Here are the ways to get the boxkeys.
(i) Pulling the TSOP and having it read and boxkey extracted. This can be costly and must be done with the proper tools. This is not meant for the novice technician. Some dealers provide this service. Costs vary (50 to 100) dollars.
(ii) Retrieve boxkey from card - How?
The easy method would be to "Subscribe" then the Card can be Dumped with Freetalk12c
Note: If you have a rom 10 or a closed rom3, you cannot read/write to these cards so you will not be able to get the Ird boxkeys. Your only option is to use an AVR. Boxkeys are not needed if the card is married to the receiver. In other words, the card must be subbed to the receiver. If you already have the boxkey for the Ird, you do not need to subscribe the unit to use w/AVR but if you know the boxkey's, why are you using an AVR? Get a rom2 or rom3 card and program it with blocker/3m instead.
Before proceeding, If you can read your card, it is a good idea to dump the cards memory in Freetalk and save. This is the cards original image and you may need it at a later date. Before writing any scripts to the card make sure you have this image stored some place safe. As always, before exposing card to stream, make sure blocker s/w is on it.
Read the Freetalk12c user guide for proper programming tips. Freetalk must be run in pure DOS, no DOS windows. It is a good idea to boot up computer with a DOS boot floppy disk and putting freetalk and all nee’s on one floppy.
If the system is/was subbed (preferred). You can retrieve the boxkey by dumping the card in Freetalk12c. Here are the steps in applying blocker/3m to card.
a) Dump card in Freetalk by hitting D
b) Write down Ird/boxkey info - check Ird from dump with back of physical ird. If they match then the boxkey are correct.
c) Dump again – rename the image.neX, your card number, ex. Sxxxxx recheck Ird/boxkey results
d) Write the appropriate blocker/3m to card (do not attempt to write a .ne3 to a rom2 or a .ne2 to a rom3)
e) Dump to check ird/boxkey again... rename the image.neX, card number+BM ex. BMxxxxx, this reminds you that it is a blocker/3m image
f) Watch TV
If you have a Virgin Card - Put blocker s/w on card then Subscribe. When you subscribe, Dishnetwork sends a packet to the card with boxkey information. You can then read the boxkey off of the card in Freetalk. You must put blocker s/w on rom3 card before subbing else the card will be closed to future read/write. It is a good idea to apply blocker to rom2 cards before subbing as well. Although Dave has yet to close rom2 cards, he has been known to do other nasty stuff. Here are the steps in subbing and applying blocker/3m to card.
a) Dump card in Freetalk - since its a virgin card, the ird info will be blank. You may see a card boxkey but this will not be the correct ird boxkey until unit is subbed.
b) Rename image.nee to your card number, ex. Vxxxxx V - virgin
c) Write appropriate blocker to card
D) Use Freetalk12c in Pure Dos (no Dos window) to write the appropriate blocker for the rom type you have (do not attempt to write a .ne3 to a rom2 or a .ne2 to a rom3)
e) Call Dish to have system subbed (a clone of a card will not work). You can get minimum package or you can cancel a month later.
f) Once you start getting picture - pull card and put back in programmer
g) Dump card in freetalk - ird/boxkey/decrypt keys should have current values now
h) Write down ird/boxkey info - check ird from dump with back of physical ird
i) Dump again - rename image.nee = S+card number, ex. Sxxxxx recheck results
j) Write blocker/3m to card
k) Dump to check ird/boxkey again... rename image card number+BM. ex. BMxxxxx, this reminds you that it is a blocker/3m image
l) Watch TV
Creating a Blocker file
Create a blocker file in order to subscribe a card to retrieve boxkey.
Run Codegen.exe (Nagra Code Generator)
1) Select Rom Type
2) Choose Blocker
3) Generate Code
Codegen.exe will create a file, codegen.ne2 (rom2) or codegen.ne3 (rom3). Rename this file B7.neX, where X is 2 or 3 depending on rom. Copy this file to your Freetalk12c directory to write to card.
Creating a Blocker/3M file
Create a blocker/3M file in order to watch TV
Run Codegen.exe (Nagra Code Generator)
1) Select Rom Type
2) Choose Blocker
3) Choose 3m Activation
4) Choose Dishnetwork provider
5) Choose Emm refresh only if your card is corrupted, Choose kill parity keys only if you have original image of card and you want added security.
6) Generate Code
Codegen.exe will create a file, codegen.ne2 (rom2) or codegen.ne3 (rom3). Rename this file B73M.neX, where X is 2 or 3 depending on rom. Copy this file to your Freetalk12c directory to write to card.
Warning:
If your card is a Rom3, make sure you have blocker software applied to it properly before putting it in the receiver (Ird). The card's backdoor will be closed if exposed to stream without blocker software on it and you will have to use an AVR3 to hack.
Using an AVR3 in Eepedit
Complete Programming with EEPEdit
EEPEDIT 3.06.06 is a Windows 9X/ME/2000/NT GUI editing tool for the incredible MCG306 program. Eepedit was created by WeinerWater software to help AVR3 users create the EEPROM data needed to program the AVR3 or blocker for MCG306. By using EEPEDIT, you will only need a parallel port and a fbprg16 programmer (which is part of most AVR3's) to program the 8515 on your AVR3. You will not need a ISO programmer, or FBPRG16.EXE, or the MCG306.xvb script.
Your card must have the most recent "public keys". If you have a subscribed card and you’re watching TV, then your card has received the latest key updates from Dish’s satellites. If your card is an ex-subscribed card, then you have to put it in the receiver so it will get the latest updates. This does expose your card to the data stream, but if you do everything correctly, it should be about the only time you’ll have to do this. Remember if you have a rom3 that has not been in the stream since June 21st, do not expose to stream w/o blocker s/w or your card will be closed to future programming. If your rom3 card is open, get a programmer and write blocker/3m.
1) Connect the AVR3 to the parallel cable, and connect the parallel cable to the printer port on your PC.
2) Double-click eepedit.exe
3) Click File, then Preferences...
Ensure that you have the correct LPT (printer) Port selected under the Parallel Port section of preferences. The most common settings are Address 378 for LPT1, 278 for LPT2 and 3BC for LPT3. If you have problems communicating, check your LPT settings in your PC’s BIOS configuration.
For Board Type, choose AVR3.
For Get Keys URL, enter http://www.echostarnet.net/keys.htmlor some other website that provides keys.
Make sure Show Tooltips is checked. This will provide online help whenever you mouse-over any field in Eepedit.exe.
Click Ok to save your preferences.
4) Network. Must be set to Dish Network.
5) Enabler Type. Must be set to Married sub
6) Zip Code. Replace with your correct ZIP Code, or use 0.
7) CAM. Select Dish Network, and enter the current Active Public Key in the Public Key Field that you got from the Internet. Click Key 0 or Key 1 to indicate which key you used. If your card is not placed in the stream, you won’t ever have to change this value again.
8) Receiver IRD #. Enter your R00 number you wrote down from the back of your receiver, exactly as it was listed. You don’t need to put in any spaces, so entering it like this example, R001234567890, will work fine. Note that after entering the number the last two digits will change to XX – this is normal, so don’t worry.
9) Receiver CAM ID. Enter your S00 number you wrote down from the back of your Access Card. You don’t need to put in any spaces, so entering in like this example, S001234567890, will work fine. Note that after entering the number the last two digits will change to XX this is normal, so don’t worry.
10) Keys. You will need to enter the keys in groups of two characters, letters capitalized, with a space in between each two letter group, as in 4C 38 02 86 11 CC E0 DB. The easiest way to do this is to copy and paste them from another program, such as mIRC if you got the keys from #DishNetwork, or click GET to get keys from http://www.echostarnet.net/keys.html, Enter Key 0 in the Key 0 field, and Key 1 in the Key 1 field. Ignore the AUX0 and AUX1 fields as they are for a different system.
11) Time Zone. Choose your correct time zone.
12) Full Write. After you’ve inputted all the correct information, choose Full Write. This will perform all programming necessary to test Dish Network!
Remove the AVR3 from the printer cable, and replace it in the receiver. Power up the receiver, and Watch TV. If you only receive preview channels then more then likely your cam public key is incorrect. Put card in ird for a minute to receive current key (0 or 1), then make sure the current key is selected in eepedit.
Back up your configuration. After you’ve successfully programmed your AVR3, click on File, and then Save. Give the file a name like myeepfile.eep and save it for future reference.
Whenever there's a key change, simply hit GET to retrieve current key from http://www.echostarnet.net/keys.html (must be connected online) then hit WRITE to write keys to AVR3. You do not have to do a FULL-WRITE again unless the AVR3 becomes corrupted somehow. You also don't have to change the cam public key again as long as you don't put card in stream w/o AVR3.
Troubleshooting - If you experience erratic results, click READ in Eepedit to read current values of the AVR3. If values are incorrect, your AVR3 may have become corrupted. Load myeepfile.eep and GET current keys and do a FULL-WRITE. Your myeepfile.eep contains the last known public cam key on card so you don't have to insert card in ird to update.
If your AVR3 continues to give faulty results, check its ISO contacts. These have been known to get dirty. Take an eraser and clean the contacts.
Autoroll:
1: A hack that can update itself to include current decryption keys or other dynamically-changing information that the hack requires in order to function.
2: The process of determining current decryption keys or other dynamically-changing information that a hack requires in order to function.
AVR:
A family of microcontrollers manufactured by Atmel. They are very popular for use in EchoStar hacks because of their high ratio of instructions per clock cycle as compared to other microcontrollers.
CAM:\
Conditional Access Module. For the EchoStar system, the CAM is the smartcard.
Charlie:
Charlie Ergen, CEO of EchoStar Communications
ishNetwork:
The programming branch of EchoStar. EchoStar provides the receivers, DishNetwork provides the programming, much like RCA, Hughes, Sony, and others provide DSS receivers, but DirecTV provides the DSS programming. In theory, DishNetwork programming is available only to American subscribers, but in practice, it's also available to viewers in Canada, Mexico, and pretty much most other countries north of the equator and on our side of the planet.
E3M:
EchoStar 3M. A hack for the EchoStar system that involves reprogramming a real EchoStar smartcard so that it will always returnvalid channel decrypt keys to the IRD. 3M - meant three musketeers in old hack days - one for all and all for one.
E*:
A common abbreviation for EchoStar.
ECM Electronic Counter Measure.
An attack sent by EchoStar and/or Nagra, the intent of which is to disable a hack or otherwise render it inoperable.
Key:
A set of bytes used to encrypt or decrypt a message. The key and a block of data to be encrypted or decrypted are fed into an encryption or decryption routine, and the result is encrypted or decrypted data.
Key change:
The process of altering the key used to encrypt or decrypt a message. For our purposes, a key change will typically refer to the changing of one of the keys that can be used to decrypt ECMs. The EchoStar/Nagra system allows selection of one of two keys (called KEY0 and KEY1) as the decryption key for a given ECM. If the current key being used to encrypt ECMs is KEY0, EchoStar/Nagra can change KEY1 without affecting the video decryption process, and when they're pretty sure most valid subscribers' cards have accepted the new KEY1, they switch the ECMs to use KEY1 for decryption.
Nagra:
Short for "NagraVision". Many people (myself included) refer to the makers of the EchoStar smartcard as Nagra or NagraVision, even though the actual name of the company that produced the EchoStar smartcard is S.A. Kudelski. See also Nagravision.
NagraVision:
The name of the conditional access system used by EchoStar (and many other digital satellite service providers). It was developed by S.A. Kudelski (a Swiss company), and has been licensed to each provider that uses it. As part of the security of the system, there are certain aspects of the encryption schemes and messaging that are (theoretically, anyway) known only to employees of S.A. Kudelski.
Hopefully this post will help. Like I said, I'm learning at very early stages too.
I want my Free TV
So you want to hack Dishnetwork? There are a few things you will need to hack. This FAQ will explain what is involved.
Currently there are only 2 preferred methods of hacking Dishnetwork. I will describe both in detail. All other methods, for example., emulation, AVR autoroll, my brother uses a Directv "F" card, rumors, Bullshit, etc., will not be discussed here.
Working Freeware
AVR3
This is a working and stable hack that consists of a Atmel 8515 and a ISO slot for an Access Card. The AVR is used with a Dishnetwork Access card. The keys must be updated after each key change (currently once every weekday). Future versions might be made to (Auto Roll). Currently there are no working autoroll freeware, don't ask. Eepedit 3.06.06 is preferred program for AVR3's. Use an AVR3 if your card is a rom10 or locked rom3 (card in stream after June 21st)
Blocker/Activation
This is the blocker/(E*3m or Tier) Code put on a Plastic "Access Card" that does not need keys updated (autoroll) Put card in ird and watch TV. Please Note that rom2 and open rom3 cards are the only cards being loaded with blocker/activation.
In mid February the read/write hole (backdoor) to Rom3 cards was closed. Freetalk12c reopened these cards, but on June 21st, Dishnetwork re-closed this hole, Therefore, Rom3 cards that have been in the data stream since mid February but before June 21st, have their read/write holes closed. These cards can be re-opened in order to be programmed. But any rom3 card in stream after June 21st without blocker has their read/write holes closed and CAN NOT be reopened. Any attempt to open a closed rom3, whether successful or not, will mark card permanently at E010-E011 = 01FF.
How do you determine which freeware method to use? AVR or Blocker/activation
Although, this has been a topic of great debate, the answer is very simple. The preferred method is Blocker/activation. The AVR3 uses MCG306 code and has a bad fix against nags, 1 bit change and all AVR's will get the nag again. Thus AVR's are only good for rom10 and recently closed rom3's. Updating keys for AVR's is also a disadvantage.
Rule:
For Rom10 and closed Rom3 cards -> AVR... For all other cards -> Blocker s/w and activation (tier or 3m does not matter)
Let's get down to business:
1) Determine what rom type card you have with your system. Look at bottom right of card in very small print.
Card Type--------------ROM version-----------Blocker/activation s/w
A2012 ------------------ ROM3 ------------------ YES
AA-01 ------------------ ROM3 ------------------ YES
AA-02 ------------------ ROM3 ------------------ YES
AA-03 ------------------ ROM10 ------------------ NO
288-01 ------------------ ROM2 ------------------ YES
288-02 ------------------ ROM3 ------------------ YES
288-03 ------------------ ROM10 ------------------ NO
288-04 ------------------ ROM3 ------------------ YES
288-05 ------------------ ROM3 ------------------ YES
288-06 ------------------ ROM3 ------------------ YES
288-09 ------------------ ROM10 ------------------ NO
288-11 ------------------ ROM10 ------------------ NO
If you can't read the card (Rom10) or if your card is a rom3 that was in stream after June 21st w/o blocker code you will have to get an AVR3. Currently you can't use blocker/activation s/w, since you can't read/write to it.
2) Determine what method you will use. If card is Rom10 or closed Rom3, you must use AVR3. All other cards use blocker/activation software.
If you are not sure when your Rom3 card was last in stream. Check Backdoor of card by hitting X in Freetalk12c (Read the Freetalk12c user guide before continuing)
If Cam is enabled then the card backdoor is open and you can use blocker/activation.
If Cam is disabled then card is locked. You can try to reopen by using the O - Open Cam command. If the card was in stream after June 21st, it will not reopen. This is the chance you take. Either way the card will be marked if you attempt to open it. It may be wiser to wait until a better method of reopening w/o marking is discovered. If card does not open you will have to use AVR3.
3) Acquire appropriate hardware/ software for method.
Blocker/3m Hardware - Programmer Software - Freetalk12C (preferred), Blocker/3M .nee file
Programmer The hardware device that is used to write and read (dump) information from your smart card. The success of programming Dish cards will be greatly increased with a programmer that has a 3.6864 Mhz crystal. Although, not absolutely required, the ability to write to the card with other programmers varies. Direct TV programmers use a 3.5767 Mhz crystal and may or may not work with Dish.
Freetalk12C The preferred software to program Dishnetwork smartcards. See Freetalk12C userguide.
Nee These are scripts that are written to the smartcard. A blocker/3m script protects the smartcard from ECM (electronic counter measure) and opens up channels for TV. Called Nee’s because rom2 scripts have .ne2 extensions and rom3 scripts have .ne3 extensions.
AVR3
Hardware - AVR3 board - a DB25 connector plugs into parallel port.
Software - Eepedit306, Allows programming of AVR3, update of keys
EEPEDIT is a Windows 9X/ME/2000/NT GUI editing tool for the incredible MCG306 program. Eepedit was created by WeinerWater software to help AVR3 users create the EEPROM data needed to program the AVR3 or blocker for MCG306. By using EEPEDIT, you will only need a parallel port and a fbprg16 programmer (which is part of most AVR3's) to program the 8515 on your AVR3. You will not need a ISO programmer, or FBPRG16.EXE, or the MCG306.xvb script.
4)Determine Receiver (Ird) boxkey, Program card, Watch TV: Box keys are the method used by DN (Dishnetwork) to activate and identify the unit from millions of other units. Dishnetwork is very different from Direct TV in that the card has to be married to the Ird. You cannot interchange cards from one Ird to another w/o knowing the secret boxkey of Ird. Here are the ways to get the boxkeys.
(i) Pulling the TSOP and having it read and boxkey extracted. This can be costly and must be done with the proper tools. This is not meant for the novice technician. Some dealers provide this service. Costs vary (50 to 100) dollars.
(ii) Retrieve boxkey from card - How?
The easy method would be to "Subscribe" then the Card can be Dumped with Freetalk12c
Note: If you have a rom 10 or a closed rom3, you cannot read/write to these cards so you will not be able to get the Ird boxkeys. Your only option is to use an AVR. Boxkeys are not needed if the card is married to the receiver. In other words, the card must be subbed to the receiver. If you already have the boxkey for the Ird, you do not need to subscribe the unit to use w/AVR but if you know the boxkey's, why are you using an AVR? Get a rom2 or rom3 card and program it with blocker/3m instead.
Before proceeding, If you can read your card, it is a good idea to dump the cards memory in Freetalk and save. This is the cards original image and you may need it at a later date. Before writing any scripts to the card make sure you have this image stored some place safe. As always, before exposing card to stream, make sure blocker s/w is on it.
Read the Freetalk12c user guide for proper programming tips. Freetalk must be run in pure DOS, no DOS windows. It is a good idea to boot up computer with a DOS boot floppy disk and putting freetalk and all nee’s on one floppy.
If the system is/was subbed (preferred). You can retrieve the boxkey by dumping the card in Freetalk12c. Here are the steps in applying blocker/3m to card.
a) Dump card in Freetalk by hitting D
b) Write down Ird/boxkey info - check Ird from dump with back of physical ird. If they match then the boxkey are correct.
c) Dump again – rename the image.neX, your card number, ex. Sxxxxx recheck Ird/boxkey results
d) Write the appropriate blocker/3m to card (do not attempt to write a .ne3 to a rom2 or a .ne2 to a rom3)
e) Dump to check ird/boxkey again... rename the image.neX, card number+BM ex. BMxxxxx, this reminds you that it is a blocker/3m image
f) Watch TV
If you have a Virgin Card - Put blocker s/w on card then Subscribe. When you subscribe, Dishnetwork sends a packet to the card with boxkey information. You can then read the boxkey off of the card in Freetalk. You must put blocker s/w on rom3 card before subbing else the card will be closed to future read/write. It is a good idea to apply blocker to rom2 cards before subbing as well. Although Dave has yet to close rom2 cards, he has been known to do other nasty stuff. Here are the steps in subbing and applying blocker/3m to card.
a) Dump card in Freetalk - since its a virgin card, the ird info will be blank. You may see a card boxkey but this will not be the correct ird boxkey until unit is subbed.
b) Rename image.nee to your card number, ex. Vxxxxx V - virgin
c) Write appropriate blocker to card
D) Use Freetalk12c in Pure Dos (no Dos window) to write the appropriate blocker for the rom type you have (do not attempt to write a .ne3 to a rom2 or a .ne2 to a rom3)
e) Call Dish to have system subbed (a clone of a card will not work). You can get minimum package or you can cancel a month later.
f) Once you start getting picture - pull card and put back in programmer
g) Dump card in freetalk - ird/boxkey/decrypt keys should have current values now
h) Write down ird/boxkey info - check ird from dump with back of physical ird
i) Dump again - rename image.nee = S+card number, ex. Sxxxxx recheck results
j) Write blocker/3m to card
k) Dump to check ird/boxkey again... rename image card number+BM. ex. BMxxxxx, this reminds you that it is a blocker/3m image
l) Watch TV
Creating a Blocker file
Create a blocker file in order to subscribe a card to retrieve boxkey.
Run Codegen.exe (Nagra Code Generator)
1) Select Rom Type
2) Choose Blocker
3) Generate Code
Codegen.exe will create a file, codegen.ne2 (rom2) or codegen.ne3 (rom3). Rename this file B7.neX, where X is 2 or 3 depending on rom. Copy this file to your Freetalk12c directory to write to card.
Creating a Blocker/3M file
Create a blocker/3M file in order to watch TV
Run Codegen.exe (Nagra Code Generator)
1) Select Rom Type
2) Choose Blocker
3) Choose 3m Activation
4) Choose Dishnetwork provider
5) Choose Emm refresh only if your card is corrupted, Choose kill parity keys only if you have original image of card and you want added security.
6) Generate Code
Codegen.exe will create a file, codegen.ne2 (rom2) or codegen.ne3 (rom3). Rename this file B73M.neX, where X is 2 or 3 depending on rom. Copy this file to your Freetalk12c directory to write to card.
Warning:
If your card is a Rom3, make sure you have blocker software applied to it properly before putting it in the receiver (Ird). The card's backdoor will be closed if exposed to stream without blocker software on it and you will have to use an AVR3 to hack.
Using an AVR3 in Eepedit
Complete Programming with EEPEdit
EEPEDIT 3.06.06 is a Windows 9X/ME/2000/NT GUI editing tool for the incredible MCG306 program. Eepedit was created by WeinerWater software to help AVR3 users create the EEPROM data needed to program the AVR3 or blocker for MCG306. By using EEPEDIT, you will only need a parallel port and a fbprg16 programmer (which is part of most AVR3's) to program the 8515 on your AVR3. You will not need a ISO programmer, or FBPRG16.EXE, or the MCG306.xvb script.
Your card must have the most recent "public keys". If you have a subscribed card and you’re watching TV, then your card has received the latest key updates from Dish’s satellites. If your card is an ex-subscribed card, then you have to put it in the receiver so it will get the latest updates. This does expose your card to the data stream, but if you do everything correctly, it should be about the only time you’ll have to do this. Remember if you have a rom3 that has not been in the stream since June 21st, do not expose to stream w/o blocker s/w or your card will be closed to future programming. If your rom3 card is open, get a programmer and write blocker/3m.
1) Connect the AVR3 to the parallel cable, and connect the parallel cable to the printer port on your PC.
2) Double-click eepedit.exe
3) Click File, then Preferences...
Ensure that you have the correct LPT (printer) Port selected under the Parallel Port section of preferences. The most common settings are Address 378 for LPT1, 278 for LPT2 and 3BC for LPT3. If you have problems communicating, check your LPT settings in your PC’s BIOS configuration.
For Board Type, choose AVR3.
For Get Keys URL, enter http://www.echostarnet.net/keys.htmlor some other website that provides keys.
Make sure Show Tooltips is checked. This will provide online help whenever you mouse-over any field in Eepedit.exe.
Click Ok to save your preferences.
4) Network. Must be set to Dish Network.
5) Enabler Type. Must be set to Married sub
6) Zip Code. Replace with your correct ZIP Code, or use 0.
7) CAM. Select Dish Network, and enter the current Active Public Key in the Public Key Field that you got from the Internet. Click Key 0 or Key 1 to indicate which key you used. If your card is not placed in the stream, you won’t ever have to change this value again.
8) Receiver IRD #. Enter your R00 number you wrote down from the back of your receiver, exactly as it was listed. You don’t need to put in any spaces, so entering it like this example, R001234567890, will work fine. Note that after entering the number the last two digits will change to XX – this is normal, so don’t worry.
9) Receiver CAM ID. Enter your S00 number you wrote down from the back of your Access Card. You don’t need to put in any spaces, so entering in like this example, S001234567890, will work fine. Note that after entering the number the last two digits will change to XX this is normal, so don’t worry.
10) Keys. You will need to enter the keys in groups of two characters, letters capitalized, with a space in between each two letter group, as in 4C 38 02 86 11 CC E0 DB. The easiest way to do this is to copy and paste them from another program, such as mIRC if you got the keys from #DishNetwork, or click GET to get keys from http://www.echostarnet.net/keys.html, Enter Key 0 in the Key 0 field, and Key 1 in the Key 1 field. Ignore the AUX0 and AUX1 fields as they are for a different system.
11) Time Zone. Choose your correct time zone.
12) Full Write. After you’ve inputted all the correct information, choose Full Write. This will perform all programming necessary to test Dish Network!
Remove the AVR3 from the printer cable, and replace it in the receiver. Power up the receiver, and Watch TV. If you only receive preview channels then more then likely your cam public key is incorrect. Put card in ird for a minute to receive current key (0 or 1), then make sure the current key is selected in eepedit.
Back up your configuration. After you’ve successfully programmed your AVR3, click on File, and then Save. Give the file a name like myeepfile.eep and save it for future reference.
Whenever there's a key change, simply hit GET to retrieve current key from http://www.echostarnet.net/keys.html (must be connected online) then hit WRITE to write keys to AVR3. You do not have to do a FULL-WRITE again unless the AVR3 becomes corrupted somehow. You also don't have to change the cam public key again as long as you don't put card in stream w/o AVR3.
Troubleshooting - If you experience erratic results, click READ in Eepedit to read current values of the AVR3. If values are incorrect, your AVR3 may have become corrupted. Load myeepfile.eep and GET current keys and do a FULL-WRITE. Your myeepfile.eep contains the last known public cam key on card so you don't have to insert card in ird to update.
If your AVR3 continues to give faulty results, check its ISO contacts. These have been known to get dirty. Take an eraser and clean the contacts.
Autoroll:
1: A hack that can update itself to include current decryption keys or other dynamically-changing information that the hack requires in order to function.
2: The process of determining current decryption keys or other dynamically-changing information that a hack requires in order to function.
AVR:
A family of microcontrollers manufactured by Atmel. They are very popular for use in EchoStar hacks because of their high ratio of instructions per clock cycle as compared to other microcontrollers.
CAM:\
Conditional Access Module. For the EchoStar system, the CAM is the smartcard.
Charlie:
Charlie Ergen, CEO of EchoStar Communications
ishNetwork:
The programming branch of EchoStar. EchoStar provides the receivers, DishNetwork provides the programming, much like RCA, Hughes, Sony, and others provide DSS receivers, but DirecTV provides the DSS programming. In theory, DishNetwork programming is available only to American subscribers, but in practice, it's also available to viewers in Canada, Mexico, and pretty much most other countries north of the equator and on our side of the planet.
E3M:
EchoStar 3M. A hack for the EchoStar system that involves reprogramming a real EchoStar smartcard so that it will always returnvalid channel decrypt keys to the IRD. 3M - meant three musketeers in old hack days - one for all and all for one.
E*:
A common abbreviation for EchoStar.
ECM Electronic Counter Measure.
An attack sent by EchoStar and/or Nagra, the intent of which is to disable a hack or otherwise render it inoperable.
Key:
A set of bytes used to encrypt or decrypt a message. The key and a block of data to be encrypted or decrypted are fed into an encryption or decryption routine, and the result is encrypted or decrypted data.
Key change:
The process of altering the key used to encrypt or decrypt a message. For our purposes, a key change will typically refer to the changing of one of the keys that can be used to decrypt ECMs. The EchoStar/Nagra system allows selection of one of two keys (called KEY0 and KEY1) as the decryption key for a given ECM. If the current key being used to encrypt ECMs is KEY0, EchoStar/Nagra can change KEY1 without affecting the video decryption process, and when they're pretty sure most valid subscribers' cards have accepted the new KEY1, they switch the ECMs to use KEY1 for decryption.
Nagra:
Short for "NagraVision". Many people (myself included) refer to the makers of the EchoStar smartcard as Nagra or NagraVision, even though the actual name of the company that produced the EchoStar smartcard is S.A. Kudelski. See also Nagravision.
NagraVision:
The name of the conditional access system used by EchoStar (and many other digital satellite service providers). It was developed by S.A. Kudelski (a Swiss company), and has been licensed to each provider that uses it. As part of the security of the system, there are certain aspects of the encryption schemes and messaging that are (theoretically, anyway) known only to employees of S.A. Kudelski.