How Nagra3 Cams Were Hacked & Cracked.


CardDoctor
11-22-2008, 05:53 AM
Hello.

You will find this an interesting read.

Credit goes to Packin18 & Edmonton Guy for original concepts and n3 roms and eeproms
dumps from dish and bell providers currently making way around irc and private
underground forums around the net. Thank Packin18 for your N3 fix and no other.

A virgin non-sub card was inserted into a modified blue T911 mod loader with 4053 muxes.
The virgin non-sub card was reset and the ATR was sent as usual.
A packet containing NOPs with a BCLR instruction at the end was sent to the N3 cam.
When the last bit of the checksum was sent to the cam, 16 additional clocks followed.
The cam was soft reset by sending the RST cam pin low from high.
As the cam RST pin swung low, a bunch of glitching followed.
This glitching carried on until the RST cam pin came high again.
This glitching carried on for the first clock.
200+ additional clocks were sent to the card.
The cam I/O line was monitored for a full-cycle low I/O pin, the result of the BCLR instruction.
The cam was quickly reset, glitched, & clocked a few hundred times again, repeatedly.
When the full-cycle low I/O pin signal was seen, N3 cams were hacked.
The BCLR instructions were removed and replaced with more BSET and BCLR instructions
that ROR'd ROM and EEPROM a bit at a time out of the cam I/O pin without need for the
ROM routines that usually handle I/O output.

What Happened?

The packet was stored in the I/O buffer and the card was reset before packet processing.
The reset caused the program counter and the stack pointer to reset, but not RAM values.
The packet full of NOPs that pulled the I/O line low stayed resident in RAM on soft reset.
The card was reset and the address-bus latching of the reset vector was glitched until
the new reset vector became the I/O buffer, where the NOP and BCLR code opened N3.

N3 ROMs/EEPROMs (142/206/240) for all providers have successfully been dumped.
(Interestingly enough, this attack works on all N1/N2 cams/icams as well.)
(I don't have any dave cams, do you?)

If you want a private fix, email me here or at the card doctor at ***********
If you want portions of N3 ROM/EEPROM dumps for verification, do the same.

See You Boys In The Ring.

pelon69
11-22-2008, 10:02 AM
I would like to see a pic of the loader/glitcher, and also a demo if you have one.

drtibo
11-22-2008, 11:24 AM
Would love to see the script and dump, send away.

dantesinferno27
11-22-2008, 12:03 PM
sounds like good news for all
but what do I know!!

monkey
11-22-2008, 12:51 PM
Shenanigans!!@!@!@!!

Everyone knows that over the years, Packin18 & Edmonton Guy (which are the same person) has claimed stupid crap like this, and tried to scam money out of idiots. 4 different super unlooper claims, now this.

So post these dumps for everyone to see and be a HERO, or wait for idiots to email you and scam your $$$ and disappear till you need to scam more money.

I'm going with the latter on this one, because the only thing you're good at is talking a bunch of useless banter to make yourself sound like you know what you're doing.

ysam
11-22-2008, 01:25 PM
It's a novel (and simplistic?) idea, at least for those of us on the public side of the cutting-edge techniques. As mentioned above, it's hard to believe a garden-variety modded loader is capable, and the .vxb script would be a sight to see as well.
I do recall seeing those names associated with all talk and no proof over the years.
For me the solution is simple: put up or shut up. Post the script, and I'll see what an N1 and N2 will give up (and an Hu & P4 for that matter). If the technique works for them, then maybe the theory holds water. But if not, N3 is surely out of reach by this method.

dantesinferno27
11-22-2008, 01:51 PM
Now that I look a little closer... it's hard to believe coming from someone with 1 post and 1 rep point... sorry CardDoctor.
Put up or shut up!

onzog
11-22-2008, 02:56 PM
Hey CardDoctor, what's up. You started this, now end it. Sounds like you are scamming since you have not replied. Get out of the game. It's not for people like you.

onzog
11-22-2008, 03:46 PM
An apple a day keeps the doctor away. WHAT'S UP DOC?????????

CardDoctor
11-22-2008, 05:19 PM
128k ROM dump released in #ex****vu on EFnet. Sorry charley.

CardDoctor
11-22-2008, 05:33 PM
Dantes, as you may recall, romdump released the N2 101 ROM and EEPROMs on his/her first post. A little blue bird told my sister's uncle's nephew the romdump user account password was chuckufarley. ;)

Wonder if it's a good time to buy echo stock now that the gear is unexpectedly worth so much.

monkey
11-22-2008, 05:53 PM
Guess quoting a provider name got my post removed, but just the same, nothing was posted on said IRC channel. Stop telling lies, thanks.

__Suicidal__
11-22-2008, 06:38 PM
If I am gonna pay for something, I might as well pay for a full sub, and to hell with what is called free to air lol, or should I say pay for free to air.

kindadum
11-22-2008, 06:44 PM
Hey friend, who are you paying for FTA? It is free lol.

__Suicidal__
11-22-2008, 06:50 PM
I was being sarcastic about what CardDoctor is trying to do.

onzog
11-22-2008, 06:52 PM
It is not free. We pay for our boxes and in turn coders keep the bins coming and keep the business of fta going. It is one big circle that keeps us in free to air tv. So why pay the Doc for something that the coders are working so hard for.

__Suicidal__
11-22-2008, 06:53 PM
My point exactly

Dalakerman06
11-22-2008, 06:55 PM
No offense to everyone on this topic, but I think this thread should be locked by a mod or admin; that's my opinion.