Cracking Smart Cards
Teaching Assistant Setup Instructions
Overview:
This lab will require a couple of stations to be configured for the students to use. Each
station will be configured the same, and students will sign up for a time to complete the
lab.
Hardware Requirements:
OS: Windows XP
Software Required:
 XtremeHU (http://www.interesting-devices.com/)
 WinExplorer (http://www.intersting-devices.com/)
Hardware:
 1 Glitching ATR Analyzer (per station)
 1 DirecTV period 3 Smart Card (per station)
 1 9-pin Serial cable (per station)
 1 9V Power Supply (per station)
Setup:
 Install XtremeHU and WinExplorer. Just accept all the defaults during the install.
 Connect Glitching ATR Analyzer to serial port with serial cable. Apply power to
Analyzer using 9V power supply.
 Open XtremeHU
 Click Card, Check Card Info
Expected Results: Shows Reset Complete then ATR: 3F7F1325… followed by
card information.
This confirms that communication between the software and the card reader is
working properly.
 Place the files original.bin, program.bin and corrupted.bin on the desktop.
 Execute Card, Write, Current EPROM, With Normal Glitching. Give the process
several seconds to execute and an EPROM write complete should be received.
 Click Card, Check Card Info and verify that the Card ID has changed.
Cracking Smart Cards
Student Lab
Group Number:_______
Member Names: ______________________
________________________________
Date Assigned: TBD
Date Due: TBD
Last Edited: Monday, March 07, 2016
Please read the entire lab and any extra materials carefully before starting. Be sure to
start early enough so that you will have time to complete the lab. Answer ALL questions
in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in
Checklist on or before the Date Due.
Goal: This lab will introduce smart cards, their vulnerabilities, and how to control
them.
Summary: This lab is divided into four major parts.
Part 1 will be performing
various analyses of information that can be gained by interfacing with the smart card.
Part 2 will forcefully extract information from the smart card and modify it. Part 3 will
repair a damaged EPROM and restore the damaged smartcard to working condition. Part
4 will perform reconnaissance on smart cards to obtain public data from the patent office.
Background:
Smart cards have been used by the satellite TV industry for many
years and are starting to find their way into credit cards, ID cards, and other applications.
Knowing smart cards’ limitations and vulnerabilities is key to maintaining secure use of
these devices.
Lab Scenario: WinExplorer and XtremeHU have been installed on some of the lab
computers. A card reader has been provided for your use in this lab. In this lab you will
use the card reader to passively examine data on the card, as well as forcefully extract
and overwrite sensitive data on the card. For this lab the only operating system you will
use is a windows XP machine.
The card reader you will be using is an ISO7816 smart card reader with an Atmel
ATS9213 AVR chip added. The purpose of this chip is to control the clock and voltage
lines going to the card such that the card can be controlled (forcefully) by the reader.
Appendix A is a commented disassembly of the smart card’s EPROM.
All information contained in this lab is widely available on the internet. All
programs and code was obtained from www.interesting-devices.com.
Page 1
1.0
Analyzing Basic Smart Card information
1.1
1.2
1.3
Check to make sure the serial cable is connected to the ATR Analyzer
(card reader) and that the ATR Analyzer is plugged into AC power.
Insert the smart card into the reader with the gold contacts facing
downward (i.e. logo facing upward).
On the Windows XP machine open XtremeHU and execute Card, Check
Card Info
QUESTION 1.1: What kind of information do you see from the card?
1.4
2.0
Note: At this point we have only read from the card. We have not
modified or written anything to the card. The information we have
obtained merely tells us the status of the card and does not divulge any
secure information (i.e. account information, program package
information, card keys) stored on the card. This type of test is performed
by the TV receiver each time the card is inserted or the unit is powered up
to determine if the card is operating correctly.
Forcefully Extracting Secure Information from the Card
2.1
Now we will coerce the card into giving up its private data. This will be
done by sending a series of voltage variations and fast clock pulses known
as glitches to the card. Glitches alter instruction execution on the card
allowing one to gain control of the card. This is typically done by stack /
buffer overruns.
2.2
Inside XtremeHU, click Card, Read Card. Allow this process to run to
completion. You should see a screen of hex values when it is finished.
This may take several attempts as using glitches to read a card is not a
precise science.
2.3
Scroll through the EPROM data to get a concept of the amount of data on
the card.
Screenshot #1 – Take a screenshot of the EPROM image.
2.4
At this point we have forced the card to reveal its contents. This process is
known as dumping a card. Also note that we have still not written or
modified anything on the card.
2.5
Execute File, Open. Choose the file program.bin from the Desktop. A
new EPROM image should open in the window.
2.6
This image will be written to the card. If this image were a copy of an
active card, writing it to a new card would allow us all the accesses of the
card we copied it from (i.e. in TV we would have the same programming
package (channels) as the person whose card we copied).
2.7
Execute Card, Write, Current EPROM, With Normal Glitching. Give the
process several seconds to execute and an EPROM write complete should
be received.
2.8
Click Card, Check Card Info.
Page 2
QUESTION 2.1: What is different about this information from the last time
we ran this command?
3.0
Repairing a Corrupted EPROM
3.1
3.2
3.3
In this section we will corrupt the card so that it will not function properly
and then return it to normal functionality. This is how glitching was
originally developed: to repair corrupted EPROMs that happened during
hashes.
Execute Card, Write, Current EPROM, With Normal Glitching. Give the
process several seconds to execute and an EPROM write complete should
be received.
Click Card, Check Card Info.
QUESTION 3.1: What is different about this information from the last time
we ran this command?
3.4
3.5
Click Card, Unloop Card, Start Unlooping. This will start the EPROM
repair routine. This may take a few seconds or three to four minutes.
When the glitcher has gained control of the card a menu will appear
asking you to choose an EPROM file to write to the card. Select
original.bin.
We have now successfully repaired a corrupt EPROM, we now have the
ability to reuse an otherwise useless smart card.
QUESTION 3.2: Why is it important to be able to repair smart cards if the
cards become damaged?
3.6
4.0
Click Card, Check Card Info to verify that the card has a valid ATR and
is in good working condition. If the card does not have a valid ATR then
repeat steps 3.4, and 3.5.
Using Winexplorer Scripts
4.1
4.2
4.3
4.4
Now we are going to use another program called winexplorer to execute
programs that perform similar tasks as XtremeHU. Click on the StarGlitch
icon on the desktop to open the program.
Click on Card, Execute Script, and a menu should appear with options that
allow the card to be read, unlooped, or programmed.
Click on Read Card, and allow the card to be read. When prompted save
the EPROM image as Test1.bin.
Click on Unloop Card, and ignore any warnings about the card not being
Page 3
looped. When prompted for an EPROM file to write to the card select
Test1.bin.
QUESTION 4.1: What is different about WinExplorer than XtremeHU?
QUESTION 4.2: Which program is the faster unlooping program?
4.5
Continue to explore both WinExplorer, as well as XtremeHU and note as
many differences as possible.
QUESTION 4.3: Which program do you prefer using?
4.6
Please make sure that original.bin is currently written to the card, and
unplug the power supply to the card programmer before leaving the lab.
How long did it take you to complete this lab? Was it an appropriate length lab?
What corrections and or improvements do you suggest for this lab? Please be very
specific and if you add new material give the exact wording and instructions you
would give to future students in the new lab handout. You may cross out and edit
the text of the lab on previous pages to make corrections. What corrections and or
improvements do you suggest for this lab? Please be very specific and if you add
new material give the exact wording and instructions you would give to future
students in the new lab handout. You need to be very specific and provide details.
You need to actually do the suggested additions in the lab and provide solutions to
your suggested additions. Caution as usual: only extract and use the tools you
downloaded in the safe and approved environment of the network security
laboratory.
Page 4
Question 1.1: What kind of information do you see from the card?
[ANSWER: Reset Complete, then ATR: 3F7F1325 …, Card ID, IRD Number, Fuse
Bytes, Guide Bytes, WSW, DSW, Ratings Lmt, Time Zone, Activated On Information,
PPV Information, etc]
Question 2.1: What is different about this information from the last time we ran this
command?
[ANSWER: Most notably the Card ID has changed. Also Tier information is
different.]
Question 3.1: What is different about this information from the last time we ran this
command?
[ANSWER: The card’s ATR is invalid. That is, the information on the card is not what
is expected by the program (or the TV receiver) so the card is unusable.]
QUESTION 3.2: What is it important to be able to repair smart cards if the cards
become damaged?
[ANSWER: In order for the card to work it must be able to accept stream updates from
the satellite provider. Often these updates target hacked cards, and corrupt the
EPROMS]
QUESTION 4.1: What is different about WinExplorer and XtremeHU?
[ANSWER: WinExplorer allows the user to write unique glitch routines and private
scripts. XtremeHU is good for novice users while WinExplorer is much more robust]
QUESTION 4.2: Which program is the faster unlooping program?
[ANSWER: Usually WinExplorer is the faster unlooping program, because it has the
ability to adapt itself to the glitcher]
QUESTION 4.2: Which program is the faster unlooping program?
[ANSWER: Opinion Question]
Page 5
Turn In Checklist
 Screenshot of EPROM dump
 Answers to all questions
 Additions or corrections to the lab
Page 6
Appendix A
This will be the last public release by the HUDCT. This is technically V2.1. It includes many updates from V1.9a I know many
of you waited and waited for 2.0 and were promised a new format.. With everything that is happening that new interface was
put on hold for now. All we as a team ask is that if you make updates to this document, please release your updates to the
public, so we all can continue to learn from this information.. Thanks to all those who helped get the project this far.
WRNGLRPTCH
;Hu eeprom dis
:
2000 : 00 00
2002 : 8A 65 E3 26 03
2007 : 00
2008 : 96 A5 B3 4C
200C : 52
200D : 00
200E : A5
200F : 00
2010 : 03
2011 : 3F
2012 : 04
2013 : 0C
2014 : 20
2015 : DF
2016 : 44 31
2018 : 8A D3 DB 64 73
: 74 00 3A
2020 : 14 01 24 20
same on all cards)
;PPV Area:
;Bytes 0,1 are the PPV Tier
;Byte 2 is the Month
;Byte 3 is the Day
;Bytes 4,5 are the Cost
;Byte 6 is the PPV Status Byte
;Bytes 7,8 are 2 Byte Checksum
:
2024 : 00 00 00 00 00 00 00
the table entry is already in use
202D : 00 00 00 00 00 00 00
2036 : 00 00 00 00 00 00 00
203F : 00 00 00 00 00 00 00
2048 : 00 00 00 00 00 00 00
2051 : 00 00 00 00 00 00 00
205A : 00 00 00 00 00 00 00
2063 : 00 00 00 00 00 00 00
206C : 00 00 00 00 00 00 00
2075 : 00 00 00 00 00 00 00
207E : 00 00 00 00 00 00 00
2087 : 00 00 00 00 00 00 00
2090 : 00 00 00 00 00 00 00
2099 : 00 00 00 00 00 00 00
20A2 : 00 00 00 00 00 00 00
20AB : 00 00 00 00 00 00 00
20B4 : 00 00 00 00 00 00 00
20BD : 00 00 00 00 00 00 00
20C6 : 00 00 00 00 00 00 00
20CF : 00 00 00 00 00 00 00
20D8 : 00 00 00 00 00 00 00
20E1 : 00 00 00 00 00 00 00
20EA : 00 00 00 00 00 00 00
20F3 : 00 00 00 00 00 00 00
20FC : 00 00 00 00 00 00 00
2105 : 00
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
;00 00 on all cards
;card specific bytes
;00 on all cards
;MFR code test bytes
;number of tier slots
;00 on all cards
;loop byte : self xor and inv must be 00
;oo on all cards
;5th byte of ATR
;C283 ors 1AH with this byte and re-stores it
;04 on all cards
;seems to be either 0C or 0E
;fuse byte 1
;fuse byte xor
;44 31 on all cards
;last 8 bytes of ATR key 1
db
;these 4 bytes are write disabled (but are the
db
; ppv area slot 1,byte 7, bit 2 set means that
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
;2
;3
;4
;5
;6
;7
;8
;9
; 10
; 11
; 12
; 13
; 14
; 15
; 16
; 17
; 18
; 19
; 20
; 21
; 22
; 23
; 24
; 25
db
;Tier Area:
;Bytes 0,1 are the Tier
Page A-1
;Byte 2 is the Month
;Byte 3 is the Day
;Bytes 4,5 are the Checksum Bytes
2106 : 00 00 00 00 00 00
210C : 00 00 00 00 00 00
2112 : 00 00 00 00 00 00
2118 : 00 00 00 00 00 00
211E : 00 00 00 00 00 00
2124 : 00 00 00 00 00 00
212A : 00 00 00 00 00 00
2130 : 00 00 00 00 00 00
2136 : 00 00 00 00 00 00
213C : 00 00 00 00 00 00
2142 : 00 00 00 00 00 00
2148 : 00 00 00 00 00 00
214E : 00 00 00 00 00 00
2154 : 00 00 00 00 00 00
215A : 00 00 00 00 00 00
2160 : 00 00 00 00 00 00
2166 : 00 00 00 00 00 00
216C : 00 00 00 00 00 00
2172 : 00 00 00 00 00 00
2178 : 00 00 00 00 00 00
217E : 00 00 00 00 00 00
2184 : 00 00 00 00 00 00
218A : 00 00 00 00 00 00
2190 : 00 00 00 00 00 00
2196 : 00 00 00 00 00 00
219C : 00 00 00 00 00 00
21A2 : 00 00 00 00 00 00
21A8 : 00 00 00 00 00 00
21AE : 00 00 00 00 00 00
21B4 : 00 00 00 00 00 00
21BA : 00 00 00 00 00 00
21C0 : 00 00 00 00 00 00
21C6 : 00 00 00 00 00 00
21CC : 00 00 00 00 00 00
21D2 : 00 00 00 00 00 00
21D8 : 00 00 00 00 00 00
21DE : 00 00 00 00 00 00
21E4 : 00 00 00 00 00 00
21EA : 00 00 00 00 00 00
21F0 : 00 00 00 00 00 00
21F6 : 00 00 00 00 00 00
21FC : 00 00 00 00 00 00
2202 : 00 00 00 00 00 00
2208 : 00 00 00 00 00 00
220E : 00 00 00 00 00 00
2214 : 00 00 00 00 00 00
221A : 00 00 00 00 00 00
2220 : 00 00 00 00 00 00
2226 : 00 00 00 00 00 00
222C : 00 00 00 00 00 00
2232 : 00 00 00 00 00 00
2238 : 00 00 00 00 00 00
223E : 00 00 00 00 00 00
2244 : 00 00 00 00 00 00
224A : 00 00 00 00 00 00
2250 : 00 00 00 00 00 00
2256 : 00 00 00 00 00 00
225C : 00 00 00 00 00 00
2262 : 00 00 00 00 00 00
2268 : 00 00 00 00 00 00
226E : 00 00 00 00 00 00
2274 : 00 00 00 00 00 00
227A : 00 00 00 00 00 00
2280 : 00 00 00 00 00 00
2286 : 00 00 00 00 00 00
228C : 00 00 00 00 00 00
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
; tier 1
; tier 2
; tier 3
; tier 4
; tier 5
; tier 6
; tier 7
; tier 8
; tier 9
; tier 10
; tier 11
; tier 12
; tier 13
; tier 14
; tier 15
; tier 16
; tier 17
; tier 18
; tier 19
; tier 20
; tier 21
; tier 22
; tier 23
; tier 24
; tier 25
; tier 26
; tier 27
; tier 28
; tier 29
; tier 30
; tier 31
; tier 32
; tier 33
; tier 34
; tier 35
; tier 36
; tier 37
; tier 38
; tier 39
; tier 40
; tier 41
; tier 42
; tier 43
; tier 44
; tier 45
; tier 46
; tier 47
; tier 48
; tier 49
; tier 50
; tier 51
; tier 52
; tier 53
; tier 54
; tier 55
; tier 56
; tier 57
; tier 58
; tier 59
; tier 60
; tier 61
; tier 62
; tier 63
; tier 64
; tier 65
; tier 66
Page A-2
2292 : 00 00 00 00 00 00
2298 : 00 00 00 00 00 00
229E : 00 00 00 00 00 00
22A4 : 00 00 00 00 00 00
22AA : 00 00 00 00 00 00
22B0 : 00 00 00 00 00 00
22B6 : 00 00 00 00 00 00
22BC : 00 00 00 00 00 00
22C2 : 00 00 00 00 00 00
22C8 : 00 00 00 00 00 00
22CE : 00 00 00 00 00 00
22D4 : 00 00 00 00 00 00
22DA : 00 00 00 00 00 00
22E0 : 00 00 00 00 00 00
22E6 : 00 00 00 00 00 00
22EC : 00 00 00 00 00 00
22ED : 00 00 00 00 00 00
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
;begin cmd 4D (validate guide bit for ppv)
22F2 : 22 10
mov #10,A
22F4 : E3
trap 12
22F5 : 77 02 27 0C
btjz #02,27H,2305
22F9 : 8E E2 B6
call #E2B6
22FC : 76 10 28 05
btjo #10,28H,2305
2300 : 75 FC 67
and #FC,67H
2303 : D5 6A
clr 6AH
2305 : 8C DC E7
ljmp #DCE7
; tier 67
; tier 68
; tier 69
; tier 70
; tier 71
; tier 72
; tier 73
; tier 74
; tier 75
; tier 76
; tier 77
; tier 78
; tier 79
; tier 80
; tier 81
; tier 82
; ?????
; set code to verify tier
; check for tier match
; if not match, continue down
; else check for expired date
; if expired continue down
; clr 67h.0/67h.1
; clr 6Ah
; and continue
2308 : 12 60
230A : 8E DB 7E
230D : 7D 00 29
2310 : 02 0B
2312 : 98 2A 30
2315 : EF
2316 : 1D 61
2318 : 02 03
231A : 8C D4 B5
mov 60H,A
call #DB7E
cmp #00,29H
jz 231D
movw [2AH],30H
trap 0
cmp 61H,A
jz 231D
ljmp #D4B5
; begin CMD 69
; look up on screen message
; rtn if 0
231D : F9
ret
231E : 7D 40 BE
2321 : 06 03
2323 : 75 FE D2
2326 : 8C D1 5C
cmp #40,BEH
jne 2326
and #FE,D2H
ljmp #D15C
; cmd processing (from D179)
; chk if were in an ins 40
; else set clr bit D2H.0
; back to ins 40
2329 : 40 01 00 17
232D : C5
232E : AA 00 60
2331 : AB 01 01
2334 : C3
2335 : 3D 17
2337 : 0F F5
2339 : 74 80 28
233C : F9
mov 17H,*0100
clr B
mov *0060+B,A
mov A,*0101+B
inc B
cmp 17H,B
jlt 232E
or #80,28H
ret
; Begin cmd 82 (dynamic copy)
; write totalbytes to 0100
; set source=0060h and move
; set dest=0101, put byte in 0101+
; increment counter
; check if counter < totalbytes
; if less then repeat for all bytes
; set 28.7 (enable dynamic code)
; and return
233D : 88 00 60 30
2341 : 88 00 3B 32
2345 : 72 02 06
2348 : 8E E5 AD
234B : F9
movw #0060,30H
movw #003B,32H
mov #02,06H
call #E5AD
ret
234C : 72 60 15
234F : 88 2A CE 2A
2353 : 72 02 04
2356 : E7
2357 : 00 09
mov #60,15H
movw #2ACE,2AH
mov #02,04H
trap 8
jr 2362
2359 : 8A 2A CF
235C : B3
235D : 4D 00 61
mov &2ACF,A
inc A
cmp 00H,61H
;
; check message data
; against 0061
;
;
; encrypt new message to slot
; Begin cmd 83 (encrypt 2 bytes to 3B,3Ch)
; src=0060,dest=003B,cnt=02
; count=06h=02
; call RamCryptAndMoveBytes
; and return
; begin write handler update
; dest=2ACE, src=60h
; set count=2
; write eeprom
; and return
; begin cmd 86 (write handler update)
; get handler update number
; and increment
; check that handler update is newer
Page A-3
2360 : 02 EA
2362 : F9
jz 234C
ret
2363 : 12 08
2365 : 8E 3C 96
2368 : F9
mov 08H,A
call #3C96
ret
2369 : C5
236A : AA 2A F8
236D : D0 24
236F : AA 3F 50
2372 : 13 24
2374 : 8E 3C 96
2377 : C3
2378 : 5D 08
237A : 0F EE
237C : F9
clr B
mov *2AF8+B,A
mov A,24H
mov *3F50+B,A
xor 24H,A
call #3C96
inc B
cmp #08,B
jlt 236A
ret
; Begin cmd 80/84/86 prolog
; get ASIC init key #1
; and put in 24h
; get ASIC init key #2
; and xor the 2 together
; and send to asic & hash
; inc count
; send all 8 bytes
; loop until done
; cmd 82/83 prolog vectors here
; Begin cmd 85 prolog
237D : 8E 23 CE
2380 : 8E 23 CE
2383 : D0 29
2385 : 8E 23 CE
2388 : D0 2A
238A : 12 29
238C : 25 E0
238E : B2
238F : BC
2390 : B3
2391 : D0 09
2393 : 42 29 04
2396 : 75 03 29
2399 : 52 03
239B : DF 2A
239D : DF 29
239F : CA FA
23A1 : 74 20 29
23A4 : 88 29 0D 2C
23A8 : 8E 23 D5
23AB : 52 08
23AD : 9A 2A
23AF : 77 10 04 04
23B3 : 98 2A 30
23B6 : EF
23B7 : 70 01 2A
23BA : 8E 3C 96
23BD : C7
23BE : 04 ED
23C0 : D7 09
23C2 : 04 E0
23C4 : D5 08
23C6 : 88 27 05 2A
23CA : 8E D1 B0
23CD : F9
call #23CE
call #23CE
mov A,29H
call #23CE
mov A,2AH
mov 29H,A
and #E0,A
swap A
rr A
inc A
mov A,09H
mov 29H,04H
and #03,29H
mov #03,B
rlc 2AH
rlc 29H
djnz B,239B
or #20,29H
movw #290D,2CH
call #23D5
mov #08,B
mov *[2A],A
btjz #10,04H,23B7
movw [2AH],30H
trap 0
incw #01,[2AH]
call #3C96
dec B
jp 23AD
dec 09H
jp 23A4
clr 08H
movw #2705,2AH
call #D1B0
ret
; get xor'd byte from asic and send to asic
; get xor'd byte from asic and send to asic
; put byte in 29h
; get xor'd byte from asic and send to asic
; put byte in 2Ah
; put 29h in A
; mask off bottom 5 bits (111X XXXX)
; swap nibbles (XXXX 111X)
; shift right (XXXX X111) (0-7)
; inc A (1-8)
; and put in 09h (8 byte multiplier)
; put 29h in 04h (decrypt bit)
; mask off top 6 bits (XXXX XX11) (0-3)
; B=03
; multiply val in 2Ah by 2
; multiply 29h by 2 (XXXX X11X)
; repeat 2 more times 29h(XXX1 1XXX)
; set bit 5 in 29h (XX11 1XXX)(20,28,30,38
; set pointer to 290D (boundary addresses)
; call Check Bounds for 29:2A
; set counter to 8
; put value at 29:2A into A
; if bit 4 set (of 29h) then decrypt
; set decrypt pointer
; eeprom decrypt byte into A
; inc pointer
; send A to ASIC & hash
; dec dounter
; loop until all 8 bytes are done
; decrement 8 byte multipler counter
; loop up to 8 times
; 08h=00
; set pointer to cmd 00
; load cmd data from table
; and return
; Vectored from cmd 8x code
23CE : 8E D2 1D
call #D21D
23D1 : 8E 3C 96
call #3C96
23D4 : F9
ret
; Begin Check Bounds for 29:2A (cmd 85)
23D5 : C5
clr B
23D6 : 8E 23 F5
call #23F5
23D9 : F4 CC 2E 2A
cmpw 2EH,2AH
23DD : 0F 0C
jlt 23EB
23DF : 8E 23 F5
call #23F5
23E2 : F4 CC 2A 2E
cmpw 2AH,2EH
23E6 : 0F 07
jlt 23EF
23E8 : 22 3F
mov #3F,A
23EA : E6
trap 9
; if yes then write update
; else return
; Begin cmd 81 prolog
; send 08h to asic & hash
; and return
; get byte from i/o, byte from asic & xor
; send A to ASIC & hash
; and return
; counter = 0
; call Put *[2C] & *[2C+1] in 2D:2E
; check 29:2A is above lower boundary
; if below then skip high bound chk
; call Put *[2C] & *[2C+1] in 2D:2E
; check 29:2A is above higher boundary
; if so then continue
; else error out
; error code 3F
Page A-4
23EB : D3 2C
23ED : D3 2C
23EF : C3
23F0 : 5D 0C
23F2 : 0F E2
23F4 : F9
inc 2CH
inc 2CH
inc B
cmp #0C,B
jlt 23D6
ret
; Begin Put *[2C] & *[2C+1] in 2D:2E (cmd 85)
23F5 : 9A 2C
mov *[2C],A
23F7 : D0 2D
mov A,2DH
23F9 : D3 2C
inc 2CH
23FB : 9A 2C
mov *[2C],A
23FD : D0 2E
mov A,2EH
23FF : D3 2C
inc 2CH
2401 : F9
ret
; skip lsb of high bound
; skip msb of high bound
; inc B
; do routine 12 times
; loop until done
; and return
; get value at 2B:2C
; and put in 2D
; inc pointer
; get value at 2B:2C
; and put in 2E
; inc pointer
; and return
2402 : FF FF FF FF
db
;unused
2406 : 03 E8
db
;user set spending limit
2408 : 00 00 00 00
db
;activation date, set by CMD D2
240C : 00 00 00 00
db
;password, proccessed by CMD 19
;Activation Date at 2408:
;Byte 1 is the Month
;Byte 2 is the Day
;Bytes 3,4 are ???
;Zipcode at 2410:
;55 3x 3x 3x 3x 3x 20 20 format where xxxxx is the Zip Code
2410 : 00 00 00 00 00 00 db
: 00 00
db
2418 : 00 00 00
241B : 00
241C : 00 01
241E : 00 00
2420 : 00 00 00 00 00 00
2426 : 00 00 00 00
242A : 00 01
242C : 00 00
242E : 00 00 00 00 00 00
2434 : 00 00 00 00
2438 : 00 01
243A : 00 00
243C : 00 00 00 00 00 00
2442 : 00 00 00 00
2446 : 00 01
2448 : 00 00
244A : 00 00 00 00 00 00
;zipcode
db
db
db
db
db
;ppv provider slot 1 - guide
;option
;amt purchased
;Spending Limits
;checksum
db
db
db
db
;ppv provider slot 2
;
;
;
db
db
db
db
;ppv slot 3
;
;
;
db
db
db
db
;ppv slot 4
;
;
;
2450 : 00 00 00 00
bytes)
2454 : 00 00
date
2456 : 00 00
2458 : 00 00 00 00
Encrypt input bytes 9-12 here
245C : 00 00 00 00
db
;data used by cmd 0C (2 bytes+2 chksum
db
;used by cmd 2B (unswap card) maybe a exp
db
db
;used by cmd 27 (for card swap prep),
db
;used by cmd 4E
2460 : 23 44 E9 1A
db
;ird locaton 1
2464 : 09
2465 : 00 00
db
db
;rating limit
2467 : D1
db
;this is the 4th ATR byte
Page A-5
2468 : 18 88 36 29 70 4F
: FF 00
2470 : 18 88 36 29 70 4F
: FF 00
2478 : 18 00 71 39 27 4F
: FF 00
2480 : 18 00 71 39 27 4F
: FF 00
db
;Call out phone numbers (1-888-362-9704)
db
;cmd 2F writes 7 bytes to
db
;one of 2468,70,78,80
db
;(the last digit is always 00)
2488 : 01 02 00 00
248C : 01 02 00 00
2490 : 01 02 00 00
2494 : 03 04 00 00
2498 : 01 02 00 00
249C : 01 02 00 00
24A0 : 01 02 00 00
db
db
db
db
db
db
db
;this is the PPV credit area
;CMD 07 proccesses
24A4 : 00 00 00 01
db
;married ird location 2
24A8 : 57 8B 92 1D 07 05 db
: 01 EE
24B0 : 17 7D A5 B5 1D 72 db
: 0C 96
;ScratchPadAreaforRAMKey1Gen
24B8 : 88 38 4C C2 F1 FD db
: DC 86
;ram key 1
24C0 : 1F 9A 27 2B 0B 65 db
: E3 F3
;eeprom decrypt key 1
24C8 : 00 00
24CA : 00
24CB : 00
24CC : 00 00 00 00
db
db
db
db
;USW
;cmd 81 counter
;ins 36 data (date/time of last ins 36)
24D0 : 48 55 55 56 03 29
: 00 00
db
;card version info
24D8 : xx xx xx xx
24DC : xx
24DD : 00
24DE : 00 00
db
db
;cam id digits 0-3
;cam id digit 4
24E0 : A6
24E1 : C4 C4
24E3 : 2B 00
24E5 : 17
db
db
db
db
;timezone
;ins 36 data
;ins 5E message area pointer
;ins 5E message total count
24E6 : 00 00
db
;DSW
24E8 : 00 00 00 00 00 00 db
24EE : 00 00 00 00 00 00 db
24F4 : 77 AA 4E 8E 0A CC
24FA : 2E 76 BD 5C C6 DA
;12 byte key written by cmd 97
db
db
;12 byte videocrypt key
2500 : 00 FF FF FF FF FF FF
: FF FF FF FF FF FF FF
2511 : FF
;Channel Blackout Bits
2512 : 00 00 00 00 00 00 00
251A : 00 00 00 00 00
;Channel Blackout Bits
251F : 0D
;Guide Byte
2520 : 00 00 00 00 00 00 00 00
2528 : 00 00 00 00 00 00 00 00
2530 : 00 00 00 00 00 00 00 00
;Unknown Data
;Locals Byte
Page A-6
2538 : 00 00 00 00 00 00 00 00
2540 : 34 F9 17 52 5A 5B 0E
ZKT)
;Variable Random Number Seed(Used For
2548 : 25 63 CB DA C4 F6 02
Seed(Used For ZKT)
;Static Card/Special Random Number
;***Primary ZKT***
2550 : E3 73 71 C2 30 18 B0 01
2558 : A6 74 99 9B C3 A0 98 A4
2560 : 45 A1 AD 70 79 34 AF 2C
2568 : 95 4E BF AE DE 62 F5 29
2570 : 98 61 F3 A8 17 CF 96 07
2578 : 07 87 3E D1 81 F0 EE 09
2580 : 85 F4 CB 9C 7F B5 0C 40
2588 : 46 B5 7B AE 45 77 62 00
;***Secondary ZKT***
2590 : 88 75 E9 56 8B 07 99 0C
2598 : AA B2 8D 01 BA 09 BA E8
25A0 : 09 18 B5 AF 0D 5E 1C 35
25A8 : 63 69 6B 7B 34 D4 E8 D4
25B0 : A8 96 FD 77 1A 60 17 5E
25C8 : D8 59 36 84 24 44 20 E8
25C0 : 12 54 52 0F 4D 20 E3 FE
25C8 : 84 0A 75 AF 63 64 94 00
;***Tertiary ZKT***
25D0 : FA 70 1C 8E 6B 34 E2 BD
25D8 : D1 18 7C 6D 5A 22 10 B8
25E0 : E4 4E 18 CF FC 6B CB B7
25E8 : 70 4A DA 9C 37 F0 BF E9
25F0 : 0F 4D EA C5 3D EC D2 44
25F8 : 6B 6E EF 22 2D 89 65 15
2600 : 77 76 00 D5 D3 4F B4 2A
2608 : 1A 6F 1A 60 7A B3 6A 00
;***ZKT Random Number****
2610 : 9C DA 63 6B 19 54 92 74
2618 : D4 EE EC 9C 97 78 DC 68
2620 : AE 2B 0E DC 23 6C 94 AF
2628 : 6C 1C 1D D8 0A B8 03 8B
2630 : B4 F1 9E D1 99 A8 B0 A9
2638 : 58 E0 E0 FB BD AB F0 9E
2640 : CF 4E 2D F6 4C EC 06 C4
2648 : CF 12 98 5D 19 83 69 00
;***RAM Key 2***
2650 : 0F 55 A1 3F 16 35 96
;***EEPROM Key 2***
2658 : 23 5F E3 E0 74 3F 57
2660 : 71 BA 01 40 9E C3 2C
2668 : 38 00 1A 5C 4A AB F7
2670 : CD 8A B5 43 DE B8 A8
2678 : CD 8A B5 43 DE B8 A8
2680 : 9F B2 4A 58 6E 20 3C
2688 : E5 1D D5 3D 07 A3 A2
2690 : 00 00 00 00 00 00 00
Primary Public Key
Secondary Public Key
Primary Group Key
Secondary Group Key
Primary Private Key
Secondary Private Key
;***HU Swap Lookup Data Table***
;*****Used By HU Swap Routine to Call HU Swap Table
;*****Loads Byte From Data Table into Source Address #26xx
2698 : B3 B8 BD C2 C7 C7 C7
26A0 : C7 C7 C7 C7 C7 B3 B3
26A8 : B3 B3 CC D1 D1 D1 D1
26B0 : D1 D6 DB
Page A-7
;***HU Swap Table Data***
26B3 : 06
26B4 : C9 DC
26B6 : 3E 13
;HU Swap Table Number of Entries
;Default Processing Function
;HU Swap Table Address
26B8 : 06
26B9 : C9 DC
26BB : 3E 2B
;HU Swap Table Number of Entries
;Default Processing Function
;HU Swap Table Address
26BD : 08
26BE : C9 DC
26C0 : 3E 43
;HU Swap Table Number of Entries
;Default Processing Function
;HU Swap Table Address
26C2 : 06
26C3 : C9 DC
26C5 : 3E 63
;HU Swap Table Number of Entries
;Default Processing Function
;HU Swap Table Address
26C7 : 01
26C8 : C9 DC
26CA : 3E 7B
;HU Swap Table Number of Entries
;Default Processing Function
;HU Swap Table Address
26CC : 04
26CD : C9 DC
26CF : 3E 7F
;HU Swap Table Number of Entries
;Default Processing Function
;HU Swap Table Address
26D1 : 01
26D2 : C9 DC
26D4 : 3E 8F
;HU Swap Table Number of Entries
;Default Processing Function
;HU Swap Table Address
26D6 : 01
26D7 : C9 DC
26D9 : 3E 93
;HU Swap Table Number of Entries
;Default Processing Function
;HU Swap Table Address
26DB : 03
26DC : C9 DC
26DE : 3E 97
;HU Swap Table Number of Entries
;Default Processing Function
;HU Swap Table Address
;**Command Router Table**
;*****Find Command Number; Count Bits ('1') Up To That Point; Multiply By #05 (Number
;*****of Bytes Per Command); Add to 2705
;00----07 08----0F 10----17 18----1F ;Command Number
26E0 : FF C8 A0 CE
;11111111(08) 11001000(11) 10100000(13) 11001110(18) ;Binary Number
;20----27 28----2F 30----37 38----3F
26E4 : 0D 16 F0 82
;00001101(21) 00010101(24) 11110000(28) 10000010(30)
;40----47 48----4F 50----57 58----5F
26E8 : AC 86 02 C0
;10101100(34) 10000110(37) 00000010(38) 11000000(40)
;60----67 68----6F 70----77 78----7F
26EC : 81 58 07 03
;10000001(42) 01011000(45) 00000111(48) 00000011(50)
;80----87 88----8F 90----97 98----9F
26F0 : 00 00 FF 40
;00000000(50) 00000000(50) 11111111(58) 01000000(59)
;A0----A7 A8----AF B0----B7 B8----BF
26F4 : 00 00 00 00
;00000000 00000000 00000000 00000000
;C0----C7 C8----CF D0----D7 D8----DF
26F8 : 00 00 00 00
;00000000 00000000 00000000 00000000
;E0----E7 E8----EF F0----F7 F8----FF
26FC : 00 00 00 00
;00000000 00000000 00000000 00000000
;***Command Table Data***
;*****Loaded Into R18,R19,R1A,R1B,R1C
;*****R18,R19=Call Address; R1A=Length Flag(If Bit 8 is on, then length is included in packet else length = R1A)
;*****R1B=CMD Flag1 (Bit 6 on then command only executed inside INS 42;Bit 7 on then CMD is valid)
;*****R1C=CMD Flag2
;(# Bits)
2700 : DF E1 F0 1A 00
;(00) Dummy? Ret*
2705 : DF E1 00 38 00
;(01) CMD 00 Dummy? Ret*
270A : DF 83 04 38 00
;(02) CMD 01 Set Date and Time*
;***USW 0400***
270F : 2D 42 01 18 00
D5 13 01 18 00 (03) CMD 02 Program Rating*
;(03) CMD 02 Program Rating* (Originally : 270F :
Page A-8
2714 : D9 12 03 18 00
2719 : D5 97 00 18 20
271E : D5 9B 00 18 20
2723 : DA E5 0B 18 00
2728 : D8 B1 81 28 20
272D : D7 AF 82 38 00
C7H,C8H *
2732 : 38 50 03 D0 00
2737 : 28 9E 05 1C 00
273C : DF E1 02 38 00
2741 : DA BE 12 28 60
2746 : D7 B3 03 28 E0
274B : D6 A1 01 28 60
2750 : DF E2 00 28 60
2755 : D7 F3 82 28 60
275A : D4 11 08 28 E0
275F : D8 83 00 38 00
2764 : DF 7F 00 38 00
Closed *
2769 : 28 C5 0D 28 E0
276E : DE BA 02 28 E0
2773 : D8 34 04 28 60
2778 : D8 B8 08 28 60
277D : D8 DE 00 38 00
2782 : D8 D7 04 38 00
2787 : D9 0B 03 38 00
278C : D9 3B 23 38 00
Match??*
2791 : D9 CE F0 38 00
2796 : DA B7 00 38 60
279B : DA D0 00 38 20
27A0 : DA D4 02 38 60
27A5 : DB 16 04 38 00
27AA : D4 2A 05 28 60
27AF : DB 28 00 18 10
27B4 : 22 F2 F0 18 00
27B9 : DF F0 04 28 60
27BE : DD 80 8D 28 E0
27C3 : D9 CE F0 38 00
Filter Already Open)*
27C8 : DB 4C 85 38 60
(Same As CMD 95 Except Checks New Day>Existing Day) *
27CD : DF E1 01 18 00
27D2 : 28 A1 88 3C 00
27D7 : 23 08 E1 28 60
27DC : D5 E7 82 18 00
27E1 : D6 67 84 28 60
27E6 : DB 9F D5 28 60
27EB : E0 02 82 28 60
27F0 : DB D0 81 38 00
27F5 : D8 09 D2 90 00
Adjustment*
27FA : DF E1 F0 90 00
27FF : 38 30 03 F0 00
2804 : D9 60 86 28 E0
2809 : 2F C7 90 28 A0
280E : 2F 10 80 28 A0
2813 : 2A BF 89 D0 00
2818 : DB 4C 85 28 E0
*
281D : 2F 08 84 28 E0
2822 : DE 45 8C 28 E0
2827 : DE 54 86 28 E0
;***Build RAM XOR Key***
282C : 55 07
and
282E : AA 24 B8
2831 : 43 00 0E
xor
2834 : AA 26 50
mov
2837 : 13 0E
xor
#07,B
mov *24B8+B,A
A,0EH
*2650+B,A
0EH,A
;(04) CMD 03 Tier Reference*
;(05) CMD 04 Set Bit 1 of B5h*
;(06) CMD 05 Clear Bit of B5h*
;(07) CMD 06 PPV Tier Reference*
;(08) CMD 07 ?* (PPV Credit Check???)
;(09) CMD 08 Move word From 0060,0061 to
;(10) CMD 09 Select Key *
;(11) CMD 0C Set Packet Signature
;(12) CMD 10 HU CMD 90 Initialization Vector?*
;(13) CMD 12 Write Blackout Bits*
;(14) CMD 18 Write PPV Tier to Card*
;(15) CMD 19 Set TimeZone*
;(16) CMD 1C Reset System Password*
;(17) CMD 1D Write to 00CD,00CE *
;(18) CMD 1E Set Zip Code*
;(19) CMD 24 Close Filters *
;(20) CMD 25 Close Filter If Open/Open Filter If
;(21) CMD 27 Card Swap??
;(22) CMD 2B Unswap Card??
;(23) CMD 2D Set Activation Date*
;(24) CMD 2F Write Dial Out Phone Number *
;(25) CMD 30 Open Filters *
;(26) CMD 31 Open Filters on Exact CAM ID Match *
;(27) CMD 32 Open Filters on Partial CAM ID Match *
;(28) CMD 33 Open Filters on Partial/Exact CAM ID
;(29) CMD 38 Test Various Bytes/Open Filters *
;(30) CMD 3E DeActivate Card*
;(31) CMD 40 Add/Update Tier*
;(32) CMD 42 Drop Tier*
;(33) CMD 44 Open Filters on IRD # Match *
;(34) CMD 45 Write 4 Bytes To PPV Credit Area*
;(35) CMD 48
;(36) CMD 4D *
;(37) CMD 4E Write 4 Bytes To 245C*
;(38) CMD 56 Set PPV Provider Slot Info *
;(39) CMD 58 Test Various Bytes/Open Filters (If
;(40) CMD 59 Update PPV Provide Slot Info Day Code
;(41) CMD 60 ??? Ret*
;(42) CMD 67 End Encrypted Command*
;(43) CMD 69 Lookup On Screen Message*
;(44) CMD 6B *
;(45) CMD 6C
;(46) CMD 75 * Write Blackout Bits
;(47) CMD 76 * (Do Something w/Blackout Bits??)
;(48) CMD 77
;(49) CMD 7E Packet Signature Adjustment/Video Key
;(50) CMD 7F Dummy? Ret*
;(51) CMD 90 (Encrypted Command Processor*
;(52) CMD 91 * (Verify/Update Tier???)
;(53) CMD 92 *
;(54) CMD 93 *
;(55) CMD 94 *
;(56) CMD 95 Update PPV Provide Slot Info Day Code
;(57) CMD 96 *
;(58) CMD 97 Write 12 byte key at 24D8 *
;(59) CMD 99 Verify Checksum and add new tier *
;Called From E559,E57E,E5A6 (RAM Decrypt)
;RAM Key1
;RAM Key2
;XORs RAM Keys 1+2 and stores in A
Page A-9
2839 : F9
ret
283A : D1 FE
283C : FE
283D : AA FF FD
2840 : 8E 3F 3D
2843 : 2D F7
2845 : 8C 2F 5C
mov B,FEH
stsp
mov *FFFD+B,A
call #3F3D
cmp #F7,A
ljmp #2F5C
;Move value of B into FEh
;Copy Stack to B
;Move #8A + B into A .
;***Generate Checksum and Store at 30H,31H***************
2848 : 8E 3F 58
call #3F58
;Trace Code Through 3F58
284B : 12 39
mov 39H,A
284D : 9B 30
mov A,*[30]
284F : 12 3A
mov 3AH,A
2851 : F4 EB 01 30
mov A,*01+[30H]
2855 : F9
ret
;***Calculate Checksum***
2856 : B8
push A
2857 : C8
push B
2858 : D8 29
push 29H
285A : D8 2A
push 2AH
285C : C5
clr B
285D : AA 2A F0
mov
2860 : D0 07
mov A,07H
2862 : AA 3F 48
mov
2865 : 13 07
xor 07H,A
2867 : AB 00 DD
mov
286A : C3
inc B
286B : 5D 08
cmp #08,B
286D : 0F EE
jlt 285D
286F : 22 A0
mov #A0,A
2871 : 64
or B,A
2872 : AB 00 DD
mov
2875 : C3
inc B
2876 : 5D 10
cmp #10,B
2878 : 0F F5
jlt 286F
287A : C5
clr B
287B : 9A 30
mov *[30],A
287D : AB 00 ED
mov
2880 : 70 01 30
incw #01,[30H]
2883 : C3
inc B
2884 : 3D 06
cmp 06H,B
2886 : 0F F3
jlt 287B
2888 : 8C 30 39
ljmp #3039
288B : 00
;***Jump Table***
288C : 8C C2 98
288F : 8C C0 EC
2892 : 8C 3E EB
2895 : 8C 3B 06
2898 : 8C 3B 34
289B : 8C 38 19
289E : 8C 39 78
28A1 : 8C C2 7A
28A4 : 8C 3C 96
28A7 : 8C 39 3A
28AA : 8C E0 74
28AD : 8C 2F 43
28B0 : 8C 37 00
28B3 : 8C E3 0E
28B6 : 8C 3D 12
28B9 : 8C 37 80
28BC : 8C 37 70
28BF : 8C E0 43
28C2 : 8C 3C 96
28C5 : 8C 3D 56
28C8 : 8C D6 B2
28CB : 8C 29 C4
ljmp
ljmp
ljmp
ljmp
ljmp
ljmp
ljmp
ljmp
ljmp
#3B06
#3B34
#3819
#3978
ljmp
ljmp
ljmp
ljmp
ljmp
#3700
ljmp
ljmp
#3780
ljmp
ljmp
ljmp
ljmp
ljmp
ljmp
*2AF0+B,A
*3F48+B,A
A,*00DD+B
A,*00DD+B
A,*00ED+B
#C298
#C0EC
#3EEB
#C27A
#3C96
#393A
#E074
#2F43
#E30E
#3D12
#3770
#E043
#3C96
#3D56
#D6B2
#29C4
;Routine called from 3F62,E63A,2848
;Routine XORs Packet Key1 with Packet Key 2
;and stores the 8 Byte result at 00DD-00E4
;Loads A8,A9,AA,AB,AC,AD,AE,AF into 00E5-00EC
;Then loads 06H more bytes from 30h to 00ED-00xx
;Move Packet Key 1 into A
;then to 07h
;Move packet Key 2 into A
;and Xor it with Key 1
;Store 8 Byte Result in 00DDh + 00E4h
;Increment Counter
;Compare #08 with B
;Loop
;Move #A0 into A
;OR them
;and store the result
;Increment Counter
;Compare #10 with value in B
;Loop 8 Times and Store in 00E5h + 00ECh
;Clear B
;Move 30h value into A
;Move A into 00ED + 00XX
;Increment 30h By 1
;Increment Counter
;Compare Value in 06h with value in B
;If less Loop and store in 00ED + 00XX
;
; send ATR vector
; trap 13 vector
; trap 14 ram key generate vector
; get byte from zkt mod vector
; set 2A to zkt secret vector
; process Ins 36 info vector
; cmd 0C vector
; cmd 67 vector
; SendATOAsic&Hash vector
; Ins 44 vector
; trap 12 vector (find tier/ppv entry)
; 2nd trap 12 vector (cmd code parser)
; preprocess packet vector
; cmd 07 vector
; Ins 36 Sig Calc vector
; ComputeIns56HashKey vector
; clear 0Bh vector
; Ins 36 Table Processing vector
; SendATOAsic&Hash vector
; cmd 27 vector (prep for card swap)
; ppv chk/write vector
; trap 8 ee write vector
Page A-10
28CE : 8C 2F 56
28D1 : 8C 31 81
28D4 : 8C 3F 37
28D7 : 8C 2A C5
28DA : 8C 3B 55
28DD : 8C 3B 79
28E0 : 8C 36 EA
28E3 : 8C C4 30
28E6 : 8C 33 B7
28E9 : 8C 2F 9D
28EC : 8C D6 F6
28EF : 8C 31 03
28F2 : 8C D3 43
28F5 : 8C 36 F5
28F8 : 8C 23 1E
28FB : 8C 37 73
28FE : 8C 3E D0
2901 : 8C 29 32
2904 : 8C EC 9C
2907 : 8C 37 72
290A : 8C 37 72
ljmp
ljmp #3181
ljmp #3F37
ljmp
ljmp
ljmp
ljmp
ljmp #C430
ljmp #33B7
ljmp
ljmp
ljmp #3103
ljmp #D343
ljmp #36F5
ljmp #231E
ljmp #3773
ljmp
ljmp #2932
ljmp
ljmp #3772
ljmp #3772
290D : 2020
290F : 3FEF
dw
dw
#2F56
#2AC5
#3B55
#3B79
#36EA
#2F9D
#D6F6
#3ED0
#EC9C
; trap 13 delay vector
; deferred cmd 8x processing vector
; cmd 06 vector
; from ins 30
; cmd 8x processing vector
; cmd 8x processing vector
; from trap 9 vector
; CallAddressAt35:36h vector
; process ack vector
; cmd 38 (activate card) patch
; ppv chk/write vector
; cmd 8X vector
; deffered ins40/cmd 8x vector
; get asic byte and xor vector
; cmd processing vector
; A3 rom sig code vector (E906)
; goto cmd oc and startup
; stack check & ins dispatch vector
; 2D (ER) vector
; vectored to an RTS
; vectored to an RTS
; cmd 85 lower boundary
; cmd 85 upper boundary
2911 : 00 00 00 00 00 00 00
2919 : 00 00 00 00 00 00 00
db
db
; these are the hash seed
; tables used by the 3EB2
2921 : 00 00 00 00 00 00 00
2929 : 00 00 00 00 00 00 00
:
:
2931 : 00 22 C2 B8 22 7A B8
2939 : 30 5C 43 F9 5C DA 5E
db
db
; hash routine (ECA5)
;
db
db
; 1st 16 byte seed used in USW hash
; routine (usw 7 wrote 2932-293C)
;** USW 7 CODE ADDITION **
; this section also translates as code
; vectored from 2901 (originally to 305C)
2932: : 22C2
mov #0C2h,A
2934: : B8
push A
2935: : 227A
mov #7Ah,A
2937: : B8
push A
2938: : 88305C43
movw #305Ch,42h:43h
293C: : F9
rts
; this code pushes C27A onto the stack
; and then overwrites it with 305C only
; if the stack has not been altered by
; a call. otherwise C27A will be above 42:43h
; and the rts will unwind to C27A(loop vector)
; and return into 305C if stack is correct
; (if another call is added in, the rts will
; vector to C27A and loop the card)
2941 : 8F 61 52 EA 1C FE D0
2949 : 04 3D A9 77 45 BB 98
db
db
; seed for cmd 81/82
;
2951 : 18 03 EC F7 66 BD 35
2959 : C1 DF 22 4A 8E A4 59
db
db
; seed for cmd 81/82
;
2961 : 94 A5 B8 FF 49 0C 27
2969 : 3B 80 DE 52 CD 7A E1
db
db
; seed for cmd 81/82
;
2971 : 4D AA F7 94 38 C9 25
2979 : BC 61 7F 80 16 EE 03
db
db
; 2nd 16 byte seed used in
; USW hash routine
;Clear Ram Table
2981 : 01
2982 : 29 84
2984 : 01
2985 : 00 5C
db
db
db
db
; # of table entries
; first table slot address
; 01= 0100's, no encryption
; clear ram 0100h-015Ch
2987 : 0A
db
; cmd 90/09 D7h EEprom storage
2988 : 3C 7D 91 9A
db
;
;Encrypt_16bytes_with_RAMXorKey
Page A-11
298C : C5
298D : AA 24 B8
2990 : AB 00 ED
2993 : AA 26 50
2996 : AB 00 F5
2999 : C3
299A : 5D 08
299C : 0F EF
299E : C5
299F : 22 A0
29A1 : 64
29A2 : AB 00 DD
29A5 : C3
29A6 : 5D 10
29A8 : 0F F5
29AA : 88 00 ED 2A
29AE : 88 00 DD 2C
29B2 : 72 10 FD
29B5 : 8E 3E B2
29B8 : 72 DD 15
29BB : 88 24 B0 2A
29BF : 72 10 04
29C2 : E7
29C3 : F9
;EEpWriteorErase
29C4 : C8
29C5 : 77 20 27 03
29C9 : 75 7F 27
29CC : 75 EF 27
29CF : 42 2A 02
29D2 : 75 F7 27
29D5 : 75 1F 02
29D8 : 73 1F 02
29DB : D3 02
29DD : 4D 04 02
29E0 : 0F 03
29E2 : 42 04 02
29E5 : 4C 02 04
29E8 : F7 50 11
29EB : 32 15
29ED : D8 02
29EF : 98 2A 34
29F2 : 77 80 27 0D
29F6 : D1 05
29F8 : D5 0E
29FA : 32 2A
29FC : 8E 28 3A
29FF : 32 05
2A01 : 00 0A
2A03 : 77 20 27 03
2A07 : B5
2A08 : 00 03
2A0A : AA 00 00
2A0D : 76 40 27 0E
2A11 : D0 03
2A13 : 9A 2A
2A15 : B8
2A16 : 13 03
2A18 : D4 03
2A1A : 15 03
2A1C : 02 06
2A1E : B9
2A1F : 9B 2A
2A21 : 74 08 27
2A24 : C3
2A25 : 70 01 2A
2A28 : DA 02 C7
2A2B : D4 02
2A2D : 77 08 27 07
clr B
;clear B
mov *RAMXorKey1[B],A
; |-----------mov A,*00EDh[B]
; |
mov *RAMXorKey2[B],A
; |
mov A,*00F5h[B]
; |
inc B
; |
cmp #08h,B
; | Loop loads ED-F4 with RAM XOR Key1
jlo 298Dh
; |<-then loads F5-FC with RAM XOR Key2
clr B
;clear B
mov #0A0h,A
; |-------------or B,A
; |
mov A,*00DDh[B]
; |
inc B
; |
cmp #10h,B
; |
jlo 299Fh
; |<- Loop loads DD-EC with #A0-#AF
movw #00EDh,29h :2Ah
;
movw #00DDh,2Bh :2Ch
;
mov #10h,0FDh
;set number of times to loop
call 3EB2h
;call routine to encrypt DD-EC with ED-FC
mov #0DDh,15h
;set source start address
movw #ScratchPadAreaforRAMKey
;set destination address
mov #10h,04h
;set length
trap 8
;write 16 bytes to 24B0h
rts
;and return
push B
btjz #20h,27h,29CCh
and #7Fh,27h
and #0EFh,27h
mov 2Ah,02h
and #0F7h,27h
and #1Fh,02h
xor #1Fh,02h
inc 02h
cmp 04h,02h
jlo 29E5h
mov 04h,02h
sub 02h,04h
mov #50h,EepWriteCtrlReg
mov 15h,B
push 02h
movw 29h:2Ah,33h:34h
btjz #80h,27h,2A03h
mov B,05h
clr 0Eh
mov 2Ah,B
call 283Ah
mov 05h,B
jmp 2A0Dh
btjz #20h,27h,2A0Ah
clr A
jmp 2A0Dh
mov *0000h[B],A
btjo #40h,27h,2A1Fh
mov A,03h
mov *29h:2Ah,A
push A
xor 03h,A
pop 03h
and 03h,A
jz 2A24h
inv A
mov A,*29h:2Ah
or #08h,27h
inc B
incw #01h,29h:2Ah
djnz 02h,29F2h
pop 02h
btjz #08h,27h,2A38h
;Save B for later
;is 27h.5 is zero, skip to 29CC
;clear 27h.7
;clear 27h.4
;put 2Ah in 02h
;clear 27h.3
;clear top 3 bits of 02h
;XOR result with 1F
;increment result by one
;compare result with write length
;if lower, jump to 29E5
;else overwrite 02h with write length
;subtract 02h from write length
;set bits 4 & 6 of P11h
;copy source addresss to B
;save 02h for later
;copy target address to 33:34
; | |if 27h.7 is clear, skip to 2A03
; | |else copy source address to 05h
; | |clear 0Eh
; | |copy LSB of target addy to B
; | |call 283A, decrypt byte
; | |copy source addy to B
; | |skip to 2A0D
; | |if 27h.5 is clear, skip to 2A0A
; | |else clear A
; | |skip to 2A0D
; | |copy byte *0000h+B to A
; | |if 27h.6 is set, skip to 2A1F
; | |else copy A to 03h
; | |copy byte at destination addy to A
; | |save it to stack
; | |XOR copy of byte@destination addy with 03h
; | |get original value of A from stack ->03h
; | |AND A with previous value of A
; | |if zero, no bits need to be cleared
; | |if not, restore A to original bits to be cleared
; | |and copy it to EEprom write buffer
; | |set 27h.3
; | |increment B to next RAM byte
; | |increment target addy
; | +----skip back to 29F2 until 02h=0
; |then pop 02h off stack
; |if 27h.3 is zero, skip to 2A38
Page A-12
2A31 : 88 2A A7 2A
29FF : 32 05
2A01 : 00 0A
2A03 : 77 20 27 03
2A07 : B5
2A08 : 00 03
2A0A : AA 00 00
2A0D : 76 40 27 0E
2A11 : D0 03
2A13 : 9A 2A
2A15 : B8
2A16 : 13 03
2A18 : D4 03
2A1A : 15 03
written
2A1C : 02 06
2A1E : B9
2A1F : 9B 2A
2A21 : 74 08 27
2A24 : C3
2A25 : 70 01 2A
2A28 : DA 02 C7
02h=0
2A2B : D4 02
2A2D : 77 08 27 07
2A31 : 88 2A A7 2A
2A35 : 8E 2A 95
2A38 : 75 F7 27
2A3B : 32 15
2A3D : F7 50 11
2A40 : 76 20 27 27
2A44 : 77 80 27 0D
2A48 : D1 05
2A4A : D5 0E
2A4C : 32 34
2A4E : 8E 28 3A
2A51 : 32 05
2A53 : 00 03
2A55 : AA 00 00
2A58 : 76 40 27 0A
2A5C : D0 03
2A5E : 9A 34
2A60 : 13 03
2A62 : 15 03
written
2A64 : 02 05
2A66 : 9B 34
2A68 : 74 08 27
2A6B : C3
2A6C : 70 01 34
2A6F : DA 02 CE
2A72 : D1 15
2A74 : 77 08 27 07
2A78 : 88 2A B3 2A
2A7C : 8E 2A 95
it
2A7F : 98 34 2A
2A82 : 7D 00 04
2A85 : 02 03
2A87 : 89 FF 45
2A8A : 75 7F 27
2A8D : 75 DF 27
2A90 : 75 BF 27
2A93 : C4
2A94 : F9
;LoadRAM & Call It
2A95 : C5
2A96 : 9A 2A
2A98 : AB 00 ED
movw #2AA7h,29h:2Ah
mov 05h,B
jmp 2A0Dh
btjz #20h,27h,2A0Ah
clr A
jmp 2A0Dh
mov *0000h[B],A
btjo #40h,27h,2A1Fh
mov A,03h
mov *29h:2Ah,A
push A
xor 03h,A
pop 03h
and 03h,A
jz 2A24h
inv A
mov A,*29h:2Ah
or #08h,27h
inc B
incw #01h,29h:2Ah
djnz 02h,29F2h
;
;
;
;
; |otherwise set 29:2A to 2AA7
; |copy 05h to B
; |and skip to 2A0D
|if 27h.5 is clear, skip to 2A0A
; |else clear A
; |and jump to 2A0D
; |copy byte from 0000+B into A
| |if 27h.6 is set, skip to 2A1F
; | |else copy data to be written to 03h
| |copy the data to be overwritten to A
; | |save it to the stack
; | |XOR the two together to A
| |pop data to be overwritten to 03h
; | |create bitmask, determine if any '0s' need to be
; | |if there are no bits to be cleared, skip to 2A24
; | |else restore data to be written to A
; | |and copy it to EEprom write buffer
; | |set 27h.7
; | |increment B to next RAM byte
; | |increment target addy
; | +----decrement 02h, jump to 29F2h until
pop 02h
; |pop 02h off stack
btjz #08h,27h,2A38h
; |if 27h.7 is clear, skip to 2A38
movw #2AA7h,29h:2Ah
; |else set 29:2A to 2AA7 (clear bits in Eeprom)
call 2A95h
; |transfer control to RAM
and #0F7h,27h
; |clear 27h.3
mov 15h,B
; |copy RAM source address to B
mov #50h,EepWriteCtrlReg
; |set bits P11h.4 & P11h.6
btjo #20h,27h,2A6Bh
; | |if 27h.5 is set, skip to 2A6B
btjz #80h,27h,2A55h
; | |if 27h.5 is clear and 27h.7 is set, skip to 2A55
mov B,05h
; | |if here, 27h.5 is clear, 27h.7 is clear, copy B to 05h
clr 0Eh
; | |clear 0Eh
mov 34h,B
; | |copy 34h to B
call 283Ah
; | |decrypt byte
mov 05h,B
; | |copy 05h to B
jmp 2A58h
; | |skip to 2A58h
mov *0000h[B],A
; | |copy byte *0000h+B to A
btjo #40h,27h,2A66h
; | |if 27h.6 is set, skip to 2A66
mov A,03h
; | |copy A to 03h
mov *33h:34h,A
; | |copy byte at target address to A
xor 03h,A
; | |XOR that with data to be written
and 03h,A
; | |create bitmask, determine if any '1s' need to be
jz 2A6Bh
mov A,*33h:34h
or #08h,27h
inc B
incw #01h,33h:34h
djnz 02h,2A40h
mov B,15h
btjz #08h,27h,2A7Fh
movw #2AB3h,29h:2Ah
call 2A95h
; | |if there are no bits to be written, skip to 2A6B
; | |copy A to EEprom Write Buffer
; | |set 27h.7
; | |increment B
; | |increment 33:34
; | +-----loop 02h times
; |copy B to RAM source address (15h)
; |if 27h.3 is clear, skip to 2A7F
; |set 29:2A to 2AB3 (set bits in EEprom)
; |load RAM with executable code and call
movw 33h:34h,29h:2Ah
cmp #00h,04h
jz 2A8Ah
jmpl 29CFh
and #7Fh,27h
and #0DFh,27h
and #0BFh,27h
pop B
rts
; |copy 33:34 to 29:2A
; |if 04h
; |if they match, skip to 2A8A
; |otherwise repeat 04h times
;clear 27h.7
;clear 27h.5
;clear 27h.6
;pop B
;return
clr B
;clear B
mov *29h:2Ah,A
; |Load RAM with 12 bytes of executable code
mov A,*00EDh[B]
; |from either 2AA7 or 2AB3
Page A-13
2A9B : 70 01 2A
2A9E : C3
2A9F : 5D 0C
2AA1 : 0F F3
2AA3 : 8E 00 ED
2AA6 : F9
incw #01h,29h:2Ah
inc B
cmp #0Ch,B
jlo 2A96h
call 00EDh
rts
;ClearBitsinEEp
2AA7 : F7 60 11
2AAA : F7 61 11
2AAD : 8E E7 AE
2AB0 : 8C E7 99
;SetBitsinEEp
2AB3 : F7 62 11
2AB6 : F7 63 11
2AB9 : 8E E7 AE
2ABC : 8C E7 99
mov #60h,P11h
mov #61h,P11h
call 0E7AEh
br 0E799h
mov #62h,P11h
mov #63h,P11h
call 0E7AEh
br 0E799h
;CMD 94
Routine
2ABF : 8E DC BB
2AC2 : 8C D5 53
;Signature Error Counter
2AD0 : 00 00
2AD2 : 00
|
|
|
+-----;then call it to perform EEprom write
;and return
;setup EEprom Write Control Register
;enable write zeroes
;delay #50h x #31h x #06 clocks
;delay, clear EEpWriteControlRegister,set
;carry, set 27h.4
;setup EEprom Write Control Register
;enable write ones
;delay #50h x #31h x #06 clocks
;delay, clear EEpWriteContrlRegister, set
;carry, set 27h.4
call 0DCBBh
br 0D553h
;if PktParamBit2 12h.1 is set, strip off bottom bit of A
2AC5 : 77 02 12 02
btjz #02h,PktP2Byte,2ACBh
2AC9 : 25 FE
and #0FEh,A
2ACB : 8C C8 9E
br 0C89Eh
;CMD87 Counter
2ACE : 00 00
;
;
;
;
;If PkyParamBit2 12h.1 is set
;strip off bottom bit of A
;trap 14&return
db
db
;#ofBytesinCMD82 Used in Decryption Process (Written by Cmd91 sub02)
2AD3 : 01
db
;CMD82 Verification Key #1
2AD4 : 67 B0
db
2AD6 : E3
2AD7 : 67 47
2AD9 : 26 F9 70
;CMD82 Verification Key #2
2ADC : 61
db
2ADD : E5
2ADE : BB
2ADF : C1
2AE0 : 37 A9 BD
2AE3 : 29
;12 Byte Key #1
2AE4 : 80
2AE5 : CE
2AE6 : C0
2AE7 : 6B
2AE8 : 6F
2AE9 : D3 94
2AEB : 8A F3 3D
2AEE : 52 6B
;Packet Key #0
2AF0 : D7 7D
2AF2 : 4C 54 0A
2AF5 : 97 75 9A
2AF7 : 37
db
db
2AF8 : 11 8C
Page A-14
2AFB : CD
2AFC : C8
2AFD : 70
2AFE : C8
2AFF : 70
;On Screen Message Area
;Header format: 01 L1 2F L2 FF FF 01 FF 07 FF.
2B00 : 00 00 00 00 00 00 00
2B08 : 00 00 00 00 00 00 00
2B10 : 00 00 00 00 00 00 00
2B18 : 00 00 00 00 00 00 00
db
db
db
db
2B20 : 00 00 00 00 00 00 00
2B28 : 00 00 00 00 00 00 00
2B30 : 00 00 00 00 00 00 00
2B38 : 00 00 00 00 00 00 00
db
db
db
db
2B40 : 00 00 00 00 00 00 00
2B48 : 00 00 00 00 00 00 00
2B50 : 00 00 00 00 00 00 00
2B58 : 00 00 00 00 00 00 00
db
db
db
db
2B60 : 00 00 00 00 00 00 00
2B68 : 00 00 00 00 00 00 00
2B70 : 00 00 00 00 00 00 00
2B78 : 00 00 00 00 00 00 00
db
db
db
db
2B80 : 00 00 00 00 00 00 00
2B88 : 00 00 00 00 00 00 00
2B90 : 00 00 00 00 00 00 00
2B98 : 00 00 00 00 00 00 00
db
db
db
db
2BA0 : 00 00 00 00 00 00 00
2BA8 : 00 00 00 00 00 00 00
2BB0 : 00 00 00 00 00 00 00
2BB8 : 00 00 00 00 00 00 00
db
db
db
db
2BC0 : 00 00 00 00 00 00 00
2BC8 : 00 00 00 00 00 00 00
2BD0 : 00 00 00 00 00 00 00
2BD8 : 00 00 00 00 00 00 00
db
db
db
db
2BE0 : 00 00 00 00 00 00 00
2BE8 : 00 00 00 00 00 00 00
2BF0 : 00 00 00 00 00 00 00
2BF8 : 00 00 00 00 00 00 00
db
db
db
db
2C00 : 00 00 00 00 00 00 00
2C08 : 00 00 00 00 00 00 00
2C10 : 00 00 00 00 00 00 00
2C18 : 00 00 00 00 00 00 00
db
db
db
db
2C20 : 00 00 00 00 00 00 00
2C28 : 00 00 00 00 00 00 00
2C30 : 00 00 00 00 00 00 00
2C38 : 00 00 00 00 00 00 00
db
db
db
db
2C40 : 00 00 00 00 00 00 00
2C48 : 00 00 00 00 00 00 00
2C50 : 00 00 00 00 00 00 00
2C58 : 00 00 00 00 00 00 00
db
db
db
db
2C60 : 00 00 00 00 00 00 00
2C68 : 00 00 00 00 00 00 00
2C70 : 00 00 00 00 00 00 00
2C78 : 00 00 00 00 00 00 00
db
db
db
db
2C80 : 00 00 00 00 00 00 00
db
Page A-15
2C88 : 00 00 00 00 00 00 00
2C90 : 00 00 00 00 00 00 00
2C98 : 00 00 00 00 00 00 00
db
db
db
2CA0 : 00 00 00 00 00 00 00
2CA8 : 00 00 00 00 00 00 00
2CB0 : 00 00 00 00 00 00 00
2CB8 : 00 00 00 00 00 00 00
db
db
db
db
2CC0 : 00 00 00 00 00 00 00
2CC8 : 00 00 00 00 00 00 00
db
db
;InitDBh,Setup24hforHash
2CD0 : 55 03
2CD2 : AA 01 3A
2CD5 : D0 DB
2CD7 : D5 24
2CD9 : 88 2D 48 2E
2CDD : D5 E3
2CDF : F9
and #03h,B
;Make B a number from 0-3
mov *013Ah(B),A
;Get a hash initialization byte
mov A,0DBh
;Put it in DBh
clr 24h
;Set up to call the routine at 2D8Ch
movw #2D48h,2Dh :2Eh
;With the first table entry
clr 0E3h
rts
; and return
2CE0 : 00 00 00 00 00 00
: 00 00
;CheckforINS40
2CE8 : 7D40BE
2CEB : 00 52
2CED : F7 80 3D
2CF0 : FF
2CF1 : FF
2CF2 : C5
2CF3 : F7 08 3D
2CF6 : AA 2C E0
2CF9 : A6 01 3D FC
2CFD : 21 30
2CFF : C3
2D00 : 5D 07
2D02 : 0F F2
2D04 : 88 39 07 2C
2D08 : 8E 38 EE
2D0B : AA 2C E0
2D0E : A6 01 3D FC
2D12 : 21 30
2D14 : D5 24
2D16 : 77 20 1E 03
(Pre-USW 0800)
2D1A : 74 20 D2
2D1D : 8E 38 66
2D20 : F9
;USW0600 Key - Was used in
;'Jumpless 3m' Prior to USW 0700
cmp #40h,PktInsByte
jmp 2D3Fh
;check to see if current INS=40
;branch to 2D3Fh->C1C9
mov #80h,ASICStatus
;set P3Dh to #80h
nop
nop
clr B
;clear B
mov #08h,ASICStatus
;set P3Dh to #08h
mov *USW006Key[B],A
;get byte of USW0600 Key
btjo #01h,ASICStatus,2CF9h ; |wait for ASIC
mov A,Byte->Asic
; |and transmit to ASIC
inc B
; |
cmp #07h,B
; |
jlo 2CF6h
; +----loop 8x
movw #3907h,2Bh :2Ch
;set 2B :2C -> #3907 (3rd entry at 3901Table)
call LoadP32,34,3Dw/TableByte ;P32=02,P34=44 P3D=26
mov *USW006Key[B],A
;get byte of key written by USW006 into A
btjo #01h,ASICStatus,2D0Eh ;wait for ASIC
mov A,Byte->Asic
;then send byte of USW006 key to ASIC
clr 24h
;clear 24h
btjz #20h,1Eh,2D1Dh
;if 1Eh.5 is clear, pick up where original code left off
or #20h,0D2h
call 3866h
rts
;otherwise set D2h.5 first,
;call 3866h (do something with public keys?)
;then return
2D21 : 77 20 D2 06
2D25 : 74 20 B7
2D28 : 75 DF D2
2D2B : 8C C3 8F
btjz #20h,0D2h,2D2Bh
or #20h,0B7h
and #0DFh,0D2h
br 0C38Fh
;if D2h.5 is clear, branch back to ROM
;if D2h.5 is set, then set B7h.5 and
;then clear D2h.5
;return to ROM
2D2C : 80 35
mov ASIC->Byte,A
;get byte from ASIC (USW 0800 Skips- Never Executed)
;USW 0800 Updated 2D2E ? 2D3E
2D2E : 88 01 77 2C
movw #0177h,2Bh:2Ch
;now instruction reads movw #0177, 2B:2C
2D32 : 77 20 B7 06
btjz #20h,0B7h,2D3Ch
;if B7h.5 is clear, decrement 2Ch and return
2D36 : 9A 2C
mov *2Bh:2Ch,A
;if B7h.5 is set, copy byte *2B:2C to A
2D38 : 25 BF
and #0BFh,A
;clear bit 6 from retrieved byte
2D3A : 9B 2C
mov A,*2Bh:2Ch
;then copy byte back to 2B:2C
2D3C : D7 2C
dec 2Ch
;decrement 2Ch
2D3E : F9
rts
;and return
:
2D3F : 8C C1 C9
br 0C1C9h
2D42 : 76 04 28 03
btjo #04h,28h,2D49h
2D46 : 8C D5 13
br Cmd02-ProgramRating
Page A-16
2D49 : 8C C2 7A
with a call to loop
2D4C : 22 F2 00 8B
2D50 : 23 D5 00 31 26 98
: 00 7A 27 11 03 BD
: 2C D0 00 10
2D60 : 2C E8 00 64 2D 4C
: 00 40 2D 8C 00 2B
: 2F 08 01 32
2D70 : 30 39 01 1E 31 59
: 07 E1 39 3D 06 0B
: 3F 58 00 10
2D80 : 3F 88 00 77 3F FF
: 00 01 3F FF 00 01
br CallLoop
;USW7 replaced 'jumpless' branch to 2024
;Eprom Hash Table (2D4c - 2D8B)
;Part of DSW 0006 Code
2D8C : 7D 08 E3
cmp #08h,E3h
;Compares the #08h to rE3h
2D8F : 06 03
jnz 2D94h
;Jump to 2D94h if not Zero
2D91 : 42 DE DD
mov DEh,DDh
;Moves rDEh into rDDh
2D94 : 7D 10 E3
cmp #10h,E3h
;Compares the #10h to rE3h
2D97 : 02 1D
jz 2DB6h
;Jumps to 2DB6h if is Zero
2D99 : D3 E3
inc E3h
;Add 01h to rE3h
2D9B : 70 04 2E
incw #04h,rpd 2Eh-1h :2Eh
;Adds 04h to 2Dh:2Eh
2D9E : DE DD
rl DDh
;Rotate left the bits in rDDh
2DA0 : 07 EA
jnc 2D8Ch
;if bit 7 of rDDh is set, repeat
2DA2 : C5
clr B
;Clears B
2DA3 : 9A 2E
mov *rps 2Eh-1h :2Eh,A
;Get a Bytes from 2D:2E, Goto that address and move the byte at
that address into A
2DA5 : AB 00 29
mov A,*0029h [B]
; MOVES the byte from register A and to address
0028h + whatever is in register B
2DA8 : 70 01 2E
incw #01h,rpd 2Eh-1h :2Eh
;Advanced Table Pointer, inc 2D:2E by 01h
2DAB : C3
inc B
;inc register B by 01h
2DAC : 57 04 F4
btjz #04h,B,2DA3h
;tests BIT #4 in register B and JUMPS to 2DA3h if it is
ZERO
2DAF : 70 FF 2C
incw #FFh,rpd 2Ch-1h :2Ch
;Increments WIDE pair register 2Bh:2Ch by FFh
2DB2 : 70 FC 2E
incw #FCh,rpd 2Eh-1h :2Eh
;Increments WIDE pair register 2Dh:2Eh by FCh
2DB5 : C3
inc B
;Increments B
2DB6 : F9
rts
;and Return
2DB7 : 00 00 00 00 00 00
: 00 00 00
2DC0 : 01 17 2F 15 FF FF 01
2DC8 : 07 FF 50 4C 45 41 53
2DD0 : 20 53 54 41 4E 44 20
2DD8 : 59 00 00 00 00 00 00
;Encrypted DSW Code
2DE0 : 00 00 00 00 00 00
referenced by CMD82
: 00 00 00 00 00 00
: 00 00 00 00
2DF0 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2DE0 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2E10 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2E20 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2E30 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2E40 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
;<-----Message Slot #17 (Please Stand By)
;Encrypted DSW Code written to RAM addresses 0100h-013Fh
Page A-17
2E50 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2E60 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2E70 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2E80 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2E90 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2EA0 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2EB0 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2EC0 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2ED0 : 00 00 00 00 00 00
: 00 00 00 00 00 00
: 00 00 00 00
2EE0 : 00 00 00 00 00 00
key at 2EF8
: 00 00 00 00 00 00
01
;After Exposure to Data Stream, this 12bytes matches
;First Byte In 12 Byte Key From CMD81 Subcommand
2EEC : CF C0 54 63
2EF0 : 0C CD 5A 50 00 E2
: 5F 57
NOT TAKE THE UPDATE
;12-byte Key for USW Counter
;If this does not match the
;proper USW counter then the card WILL
2EF8 : A5 A5 A5 A5 A5 A5
: A5 A5 A5 A5 A5 A5
;After Exposure to Datastream
;This Matches 12 Byte Key at 2EE0
2F04 : 00FF
2F06 : FF
2F07 : FF
jmp 2F05h
nop
nop
2F08 : 76 01 D0 01
2F0C : F9
2F0D : 8C DE 3A
btjo #01h,CardStatus,2F0Dh
rts
br DE3Ah
2F10 : 72 05 04
2F13 : 88 2A CE 2A
2F17 : 8E E6 A0
2F1A : 72 0C 04
2F1D : 88 24 F4 2A
2F21 : 8E E6 A0
2F24 : 22 02
2F26 : E3
2F27 : 77 02 27 01
2F2B : F9
mov #05h,04h
movw #CMD87Counter,29h:2Ah
call 0Write(04hx#00)->EEph
mov #0Ch,04h
movw #VideoCryptKey,29h:2Ah
call 0Write(04hx#00)->EEph
mov #02h,A
trap 12
btjz #02h,27h,2F2Ch
rts
2F2C : D5 D0
2F2E : 8E E0 2F
2F31 : 88 24 66 2E
2F35 : 88 24 06 2C
2F39 : 8E C5 07
2F3C : 88 22 F2 2E
2F40 : 8C D8 99
2F43 : 2D 00
2F45 : F4 06 E0 93
2F49 : 8E E0 F3
2F4C : 77 10 26 03
clr CardStatus
call SetCardStatusInEEPROM
movw #2466h,2Dh:2Eh
movw #SpendingLimit,2Bh:2Ch
call 0C507h
movw #22F2h,2Dh:2Eh
br 0D899h
cmp #00h,A
bnz 0E093h
call 0E0F3h
btjz #10h,26h,2F53h
Page A-18
2F50 : 42 24 93
2F53 : 8C E0 D4
mov 24h,93h
br 0E0D4h
;Delay#23x6Clks
2F56 : 72 23 03
2F59 : 8C C0 C1
mov #23h,03h
br Delay(03h*6)Clks
2F5C : 06 2F
2F5E : AA FF FC
2F61 : 2D D8
2F63 : 06 28
2F65 : B4
2F66 : B4
2F67 : C4
2F68 : D5 0B
2F6A : F4 D9 00 2A 0E
2F6F : C8
2F70 : 32 2A
2F72 : 8E 2F 8F
result in A
2F75 : C4
2F76 : D0 0E
2F78 : AA 00 60
2F7B : 43 00 0E
2F7E : 44 0E 0B
2F81 : C3
2F82 : D3 2A
2F84 : 3D 07
2F86 : 0F E2
2F88 : B4
2F89 : B4
2F8A : 12 0B
2F8C : F9
jnz 2F8Dh
mov *0FFFCh[B],A
cmp #0D8h,A
jnz 2F8Dh
pop A
pop A
pop B
clr 0Bh
mov *00h[29h:2Ah],0Eh
push B
mov 2Ah,B
call 2F8Fh
pop B
mov A,0Eh
mov *0060h[B],A
xor 00h,0Eh
or 0Eh,0Bh
inc B
inc 2Ah
cmp 07h,B
jlo 2F6Ah
pop A
pop A
mov 0Bh,A
rts
;Decode0E_w/EepromXORKeys->A
2F8D : 32 FE
mov 0FEh,B
2F8F : 55 07
and #07h,B
2F91 : AA 24 C0
mov *EEPROMXorKey1[B],A
XOR Keys
2F94 : 43 00 0E
xor 00h,0Eh
2F97 : AA 26 58
mov *EEPROMXorKey2[B],A
2F9A : 13 0E
xor 0Eh,A
2F9C : F9
rts
2F9D : 7D FF 60
2FA0 : 02 03
2FA2 : 8C D9 E5
2FA5 : 12 17
2FA7 : 02 1D
2FA9 : 72 02 07
2FAC : 8E DA 99
2FAF : 32 60
2FB1 : CD
2FB2 : 5D 03
2FB4 : 0B 10
2FB6 : AA 2A D0
2FB9 : 1D 61
2FBB : 02 06
2FBD : 0F E6
2FBF : 77 01 60 E2
2FC3 : 74 80 D3
2FC6 : F9
2FC7 : 8E DC 99
2FCA : 77 02 27 45
2FCE : C5
2FCF : AA 00 64
2FD2 : AB 00 ED
2FD5 : C3
2FD6 : 5D 0C
;clear 0B
;
;
;
;
|put byte at (A+(29 :2A)) into 0Eh
|save B onto stack
|put low byte of destination address in B
|decode 0E with Eeprom XOR Keys, put
;
;
;
;
;
;
|restore B
|put decoded byte in 0Eh
|get byte from 0060h+B
|and XOR decoded byte
|OR 0Bh with 0Eh
|increment B and 2A
; |
; |compare B with counter 07h
; |loop if B<07h
;put FEh in B
;make B a number between 0-7
;decode source byte in 0Eh with EEPROM
;put result in A
;and return
cmp #0FFh,60h
jz 2FA5h
br 0D9E5h
mov 17h,A
jz 2FC6h
mov #02h,07h
call 0DA99h
mov 60h,B
rrc B
cmp #03h,B
jhs 2FC6h
mov *ErrorCountTable[B],A
cmp 61h,A
jz 2FC3h
jlo 2FA5h
btjz #01h,60h,2FA5h
or #80h,0D3h
rts
call 0DC99h
btjz #02h,27h,3013h
clr B
mov *0064h[B],A
mov A,*00EDh[B]
inc B
cmp #0Ch,B
Page A-19
2FD8 : 0F F5
2FDA : AA 29 7C
2FDD : AB 00 ED
2FE0 : C3
2FE1 : 5D 10
2FE3 : 0F F5
2FE5 : 88 29 41 2A
2FE9 : 88 00 ED 2C
2FED : 72 10 FD
2FF0 : 8E 3E B2
2FF3 : C5
2FF4 : AA 00 ED
2FF7 : D0 0B
2FF9 : AA 00 64
2FFC : 13 0B
2FFE : AB 00 64
3001 : C3
3002 : 5D 0C
3004 : 0F EE
3006 : 88 24 F4 2A
300A : 72 0C 04
300D : 72 64 15
3010 : 8C DC 54
3013 : F9
jlo 2FCFh
mov *297Ch[B],A
mov A,*00EDh[B]
inc B
cmp #10h,B
jlo 2FDAh
movw #2941h,29h:2Ah
movw #00EDh,2Bh:2Ch
mov #10h,0FDh
call 3EB2h
clr B
mov *00EDh[B],A
mov A,0Bh
mov *0064h[B],A
xor 0Bh,A
mov A,*0064h[B]
inc B
cmp #0Ch,B
jlo 2FF4h
movw #24F4h,29h:2Ah
mov #0Ch,04h
mov #64h,15h
br 0DC54h
rts
;INS44-Receive Card Swap Data
3014 : E2
trap 13 rcv A
3015 : 88 01 00 30
movw #0100h,2Fh:30h
3019 : E9
trap 6
301A : D5 0B
clr 0Bh
301C : C5
clr B
301D : AA 24 F4
mov *VideoCryptKey[B],A
3020 : D0 09
mov A,09h
3022 : AA 2A E4
mov *VideoCryptKey[B],A
3025 : 13 09
xor 09h,A
3027 : 44 00 0B
or 00h,0Bh
302A : C3
inc B
302B : 5D 0C
cmp #0Ch,B
302D : 0F EE
jlo 301Dh
302F : 12 0B
mov 0Bh,A
3031 : 02 03
jz 3036h
3033 : 22 05
mov #05h,A
3035 : E6
trap 9
3036 : 8C D0 0D
br 0D00Dh
3039 : 22 50
303B : 64
303C : AB 00 ED
303F : C3
3040 : 5D 10
3042 : 0F F5
3044 : 88 00 DD 2A
3048 : 88 00 ED 2C
304C : 72 06 FD
304F : 8E 3E B2
3052 : 98 EE 3A
3055 : D4 2A
3057 : D4 29
3059 : C4
305A : B4
305B : F9
;ProcessINS
305C : 75 BF CF
305F : 32 BE
3061 : AA 30 73
3064 : D0 29
3066 : AA 30 74
3069 : D0 2A
306B : 8E C3 7A
mov #50h,A
or B,A
mov A,*00EDh[B]
inc B
cmp #10,B
jlo 3039h
movw #00DDh,29h:2Ah
movw #00EDh,2Bh:2Ch
mov #06,0FDH
call 3EB2h
movw 0EDh:0EEh,39h:Ah
pop 2Ah
pop 29h
pop B
pop A
ret
mov
mov
mov
mov
mov
;Routine moves the values 5x,5x...
;to 00F3-00FC
;Move A into 00ED + 00XX
;Increment Counter
;Compare #10 with B for Match
;Loop until B=#10h
;Load 16 Byte word (XOR Packet Key) into 2Ah
;Load 16 Byte word (30h) into 2Ch
;Set Counter FDh to 6
;Change ROM Key and Call Encrypted ROM
;Move EDh:EEH into 39h:3Ah
;|------Pop
;|29h:2Ah
;|A & B
;|------Onto Stack
;Return
and #0BFh,0CFh
0BEh,B
*Ins00Vec[B],A
A,29h
*3074h[B],A
A,2Ah
call 0C37Ah
Page A-20
306E : 9E 2A
3070 : 8C 34 04
call *29h:2Ah
br 3404h
;Ins Jump Table
3073 : C3 58
3075 : CE 77
3077 : C7 EC
3079 : CF F8
307B : C3 58
307D : C3 58
307F : C3 58
3081 : C3 58
3083 : C3 58
3085 : C7 FB
3087 : C3 58
3089 : C3 58
308B : C3 58
308D : C3 58
308F : C3 58
3091 : C3 58
3093 : C3 58
3095 : C3 58
3097 : C3 58
3099 : C3 58
309B : C7 5F
309D : CF 56
309F : C8 06
30A1 : C6 A4
30A3 : CC C4
30A5 : 3E DC
30A7 : C3 58
;Ins00Jump
;Ins02Jump
;Ins04Jump
;Ins06Jump
;Ins08Jump
;Ins0AJump
;Ins0CJump
;InsoEJump
;Ins10Jump
;Ins12Jump
;Ins14Jump
;Ins16Jump
;Ins18Jump
;Ins1AJump
;Ins1CJump
;Ins1EJump
;Ins20Jump
;Ins22Jump
;Ins24Jump
;Ins26Jump
;Ins28Jump
;Ins2AJump
;Ins2CJump
;Ins2EJump
;Ins30Jump
;Ins32Jump
;Ins34Jump
30A9 : CF 08
30AB : C9 83
30AD : C3 58
30AF : C3 58
30B1 : C3 58
30B3 : D0 EE
30B5 : D0 EE
30B7 : 30 14
30B9 : 3F 20
30BB : CE 3F
30BD : 37 10
30BF : C6 E4
30C1 : C3 58
30C3 : C3 58
30C5 : CE AD
30C7 : 3B A1
30C9 : C9 A0
30CB : CE B8
30CD : 37 22
30CF : C8 A0
30D1 : C5 49
;Ins36Jump
;Ins38Jump
;Ins3AJump
;Ins3CJump
;Ins3DJump
;Ins40Jump
;Ins42Jump
;Ins44Jump
;Ins46Jump
;Ins48Jump
;Ins4AJump
;Ins4CJump
;Ins4DJump
;Ins50Jump
;Ins52Jump
;Ins54Jump
;Ins56Jump
;Ins58Jump
;Ins5AJump
;Ins5CJump
;Ins5EJump
;CALL CMD8X Processing
30D3 : 8E 31 1C
call 311Ch
from table
30D6 : 9A 2A
mov *29h:2Ah,A
30D8 : D0 2B
mov A,2Bh
30DA : 70 01 2A
incw #01h,29h:2Ah
30DD : 9A 2A
mov *29h:2Ah,A
30DF : D0 2C
mov A,2Ch
30E1 : 9E 2C
call *2Bh:2Ch
30E3 : 8E D2 78
call 0D278h
30E6 : 12 08
mov 08h,A
30E8 : 8E D3 10
call 0D310h
30EB : D5 17
clr 17h
30ED : 12 08
mov 08h,A
30EF : 02 08
jz 30F9h
30F1 : 8E 23 CE
call 23CEh
;call CMD8X Processing, retrieve address
;copy byte at 29 :2A into A
;then store in 2Bh
;increment to 29 :2A to next address
;copy byte into A
;and store in 2C
;then call address in 2B :2C
;call D278h
; put cmd# into A
; call check ptr and get from 0100-015C
; 17h=0
; pur cmd in A
; if 00 then skip down & continue
; rcv byte, send to ASIC & hash
Page A-21
30F4 : D0 17
30F6 : 8E D3 10
30F9 : 8C D2 5A
30FC : 7D 87 08
30FF : 0F D2
3101 : 00 05
mov A,17h
call 0D310h
br 0D25Ah
cmp #87h,08h
jlo 30D3h
jmp 3108h
3103 : 7D 80 08
3106 : 0B F4
3108 : 8A 2A CE
310B : 2D 02
310D : 02 0A
310F : F4 CA 2A 27 05
3114 : 06 03
3116 : 22 40
3118 : E6
3119 : 8C D2 42
cmp #80,08H
;(08h)-#80h, is it cmd80?
jhs 30FC
;if cmd80 or higher, then loop see if cmd87
mov &CMD87Counter,A
;else move (2ACEh) into A
cmp #02,A
;(A)-#02h
jz 3119
;if A=#02h jump to 3119h
cmpw 2A,#2705
;is (29 :2A)=#2705h?
jnz 3119h
;if not, jmp->3119->D242
mov #40h,A
;else move #40 into A
trap 9
;then trap 9 and abort
br 0D242h
;branch to D242
;CMD8X Processing
311C : 32 08
311E : 55 07
3120 : 5A 07
3122 : 88 31 2F 2A
3126 : 4B 01 2A
3129 : 49 00 29
312C : 8C D1 B0
mov 08h,B
and #07,B
mpy #07,B
movw #312F,2Ah
add 01h,2Ah
adc 00h,29h
ljmp #D1B0
312F : 3190 F038 20 2369
: 3280 CF38 20 2363
: 2329 D238 10 237C
execution flag
: 233D 8238 00 237C
: DFE1 F038 20 2369
: DFE1 8238 00 237D
: 2359 8238 60 2369
3160 : 8E 31 1C
3163 : 7D 82 08
3166 : 0B 25
3168 : 8E D3 AE
316B : 77 02 27 05
316F : 8E D4 07
3172 : 9E 19
3174 : 4B 17 38
3177 : 8C D3 80
317A : 7D 87 08
317D : 0F E1
317F : 00 0C
3181 : 76 10 B6 03
3185 : 22 41
3187 : E6
3188 : 7D 80 08
318B : 0B ED
318D : 8C D3 6C
;CMD80 - USW Update
3190 : 22 0F
3192 : 8E 32 71
3195 : 88 24 C8 30
3199 : 88 00 9E 32
319D : 72 02 06
31A0 : EB
9Eh, 9Fh
31A1 : 4D 60 9E
Counter
31A4 : 06 0A
31A6 : 42 61 24
31A9 : 4C 9F 24
31AC : 02 02
31AE : 03 14
call 311Ch
cmp #82h,08h
jhs 318Dh
call D3AEh
btjz #02h,27h,3174h
call D407h
call *rpd 19h-1h :19h
add 17h,38h
br D380h
cmp #87h,08h
jlo 3160h
jmp 318Dh
btjo #10h,B6h,3188h
mov #41h,A
trap 9
cmp #80h,08h
jhs 317Ah
br D36Ch
; put result in 17h
; call check ptr and get from 0100-015C
; and jump back to rom cmd processing
; B = Cmd #
; Strip out lower 3 bits
; Multiply to get line
; move base table address to 29 :2A
; add B to Lo byte
; add A to Hi byte
; place table entry in 0018-001C
;3190h
;3280h
;2329h
dw CMD80 - USW Update
dw CMD81 - Pre-dynamic Code packet
dw CMD82 - Copy Ram bytes, set dynamic code
;233Dh
;DFE1h
;DFE1h
;2359h
dw
dw
dw
dw
CMD83 - Encrypt/decrypt ram bytes
CMD84 - NOP
CMD85 - NOP
CMD86 - Update counter @ 2ACE-CF
;process CMD8X
;check for CMD82
;if 82 or higher, jump to 318D->D36C->Call D3A3
;call D3A3 anyway
mov #0Fh,A
;set A to #0Fh
call 3271h
;dcrypt #0Fh bytes from DefCMDbuffer -> work buffer at 0060h
movw #USWCounter,2Fh:30h ;set 2F:30 to the USW Counter
movw #009Eh,31h:32h
;set 31:32 to #009E
mov #02h,06h
;set 06h to #02
trap 4
;decrypt the two bytes of USW Counter and store in
cmp 60h,9Eh
jnz 31B0h
mov 61h,24h
sub 9Fh,24h
jz 31B0h
jc 31C4h
;compare value in 60h with MSB of USW
;if they don't match, jump to 31B0h
;copy 61h to 24h
;subtract LSB of USW Counter from 24h
;if result is zero, skip to 31B0h
;if 24h < LSB of USW counter, skip to 31C4h
Page A-22
31B0 : D3 9E
31B2 : 4D 60 9E
31B5 : 06 0C
31B7 : 4D 62 9F
31BA : 06 07
31BC : 42 61 24
31BF : D3 24
31C1 : 00 01
31C3 : F9
inc 9Eh
31C4 : C5
31C5 : AA 00 63
31C8 : AB 00 90
31CB : C3
31CC : 5D 0C
31CE : 0F F5
31D0 : C5
31D1 : AA 00 90
31D4 : AB 00 70
31D7 : C3
31D8 : 5D 0C
31DA : 0F F5
31DC : AA 29 31
31DF : AB 00 90
31E2 : C3
31E3 : 5D 10
31E5 : 0F F5
started)
31E7 : 88 29 71 2A
USW hash)
31EB : 88 00 90 2C
31EF : 72 10 FD
31F2 : 8E 3E B2
31F5 : C5
31F6 : AA 00 70
from
31F9 : D0 0E
31FB : AA 00 90
31FE : 13 0E
3200 : AB 00 90
3203 : C3
3204 : 5D 10
3206 : 0F EE
3208 : D7 24
320A : 04 C4
320C : D5 0B
320E : C5
320F : AA 2E EC
3212 : D0 0E
3214 : AA 00 90
3217 : 43 00 0E
with
321A : 44 0E 0B
0Bh
321D : C3
321E : 5D 0C
3220 : 0F ED
3222 : 12 0B
3224 : 02 02
3226 : 00 9B
clr B
;UpdateUSWKey
3228 : 72 63 15
322B : 88 2E EC 2A
322F : 72 0C 04
3232 : E7
3233 : 88 00 60 30
24C8h
3237 : 88 24 C8 32
323B : 72 02 06
cmp 60h,9Eh
jnz 31C3h
cmp 62h,9Fh
jnz 31C3h
mov 61h,24h
inc 24h
jmp 31C4h
rts
mov *0063h[B],A
mov A,*0090h[B]
inc B
cmp #0Ch,B
jlo 31C5h
clr B
mov
mov
inc B
cmp #0Ch,B
jlo 31D1h
mov
mov
inc B
cmp #10h,B
jlo 31DCh
*0090h[B],A
A,*0070h[B]
*2931h[B],A
A,*0090h[B]
;increment MSB of RAM copy of USW Counter
;compare 60h with inremented counter
;if they don't match, jump to ret_31C3h and exit
;compare 62h with LSB of USW Counter
;if they aren't the same, jump to ret_31C3h and exit
;otherwise copy 61h to 24h
;increment 24h
;and skip to 31C4h
;return
;clear B
; |copy bytes from 0063h-006Dh into
; |90h-9Ch
; |
; |
; +----loop 12 times
; /clear B
; | |copy bytes from 90h-9Ch into 70h-7Ch
; | |
; | |
; | |
; | +----loop 12 times
; | |copy four bytes byte from USW Hash Key
; | |from 293Dh-2940h to 90h-93h
; | |
; | |
; | +----loop 4 times (B was still #0C when routine
movw #2971h,29h:2Ah
; |set 29:2A to #2971h (address of 2nd 16-byte seed in
movw #0090h,2Bh:2Ch
mov #10h,0FDh
call 3EB2h
clr B
mov *0070h[B],A
;
;
;
;
;
|set 2B:2C to 0090h
|set FDh to #10
|perform hash with routine in ROM3C
|clear B
| |XOR 16 bytes from 90h-9Fh with the 16 bytes
mov A,0Eh
; | |70h-7Fh, and store result in 90h-9Fh
mov *0090h[B],A
; | |
xor 0Eh,A
; | |
mov A,*0090h[B]
; | |
inc B
; | |
cmp #10h,B
; | |
jlo 31F6h
; | +----loop 16 times
dec 24h
; |decrement 24h
jp 31D0h
; +----loop 24h times
clr 0Bh
;clear 0Bh
clr B
;clear B
mov *USWUpdateKey[B],A ; |copy byte from USW Update Key into A
mov A,0Eh
; |then into 0Eh,
mov *0090h[B],A
; |copy bytes from 90h-9Bh into A
xor 00h,0Eh
; |XOR byte from EEprom copy of USW update key
or
0Eh,0Bh
inc B
cmp #0Ch,B
jlo 320Fh
mov 0Bh,A
jz 3228h
jmp 31C3h
; |key stored in 90h-9Bh, then set the bits in
; |
; |
; +----loop 12 (0Ch) times
;copy 0Bh to A
;if A=0, skip to 3228h and write new USW Update Key
;otherwise, jump to ret_31C3h
mov #63h,15h
movw #USWUpdateKey,29h:2Ah
mov #0Ch,04h
trap 8
movw #0060h,2Fh:30h
movw #USWCounter,31h:32h
mov #02h,06h
;prepare to write 12 bytes from 63h-6Eh to the USW
;Update Key Data address at 2EEC
;
;write via trap 8
;prepare to encrypt two bytes at 60h-61h and write to
;to update the USW Counter
;
Page A-23
323E : ED
;ProcessUSWUpdates
323F : 12 17
3241 : 02 80
3243 : 22 03
3245 : 8E 32 71
3248 : 42 61 FD
324B : 98 62 2A
update)
324E : 75 3F 29
3251 : 12 60
3253 : B7
3254 : B7
3255 : D0 04
3257 : 8E 32 71
;Write USW Update
325A : 77 80 FD 0D
325E : 88 00 60 30
3262 : 98 2A 32
3265 : 42 04 06
3268 : ED
3269 : 00 D4
326B : 72 60 15
326E : E7
326F : 00 CE
trap 2
;encrypt RAM and write to EEprom via trap 2
mov 17h,A
jz 31C3h
mov #03h,A
call 3271h
mov 61h,0FDh
movw 61h:62h,29h:2Ah
;copy 17h to A
;if 17h was zero, jump to ret_31C3h and exit
;otherwise set A to #03
;decrypt 3 bytes from DefCMDBuffer -> 0060h
;copy 61h to FDh
;set 29:2A to 61h:62h (61h:62h=starting EEp address to
and #3Fh,29h
mov 60h,A
dec A
dec A
mov A,04h
call 3271h
;clear 29h.6 & 29h.7
;copy 60h to A
;
;decrement it 2x
;copy A to 04h, set length of write
;decrypt next 'A' bytes of packet to 0060h
btjz #80h,0FDh,326Bh
movw #0060h,2Fh:30h
movw 29h:2Ah,31h:32h
mov 04h,06h
trap 2
jmp 323Fh
mov #60h,15h
trap 8
jmp 323Fh
;If FDh.7 is clear, skip to 326B (unencrypted data)
;if FDh.7 is set, data is encrypted, set 2F:30 to 0060h
;copy 29:2A to 31:32
;copy 04h to 06h
;encrypt RAM and write to EEprom
;jump back to 323Fh
;set RAM source for write to 60h
;write 04h bytes from 60h to 29:2A
;then jump back to 323Fh
;Decrypts A bytes from DeferredCmdBuffer into the command 'work' buffer at 0060.
3271 : 42 17 0B
mov 17h,0Bh
;copy 17h to 0Bh
3274 : D0 17
mov A,17h
;then copy A to 17h
3276 : 8E D3 D5
call 0D3D5h
;decrypt 17h bytes to 0060h
3279 : 4C 17 0B
sub 17h,0Bh
;subtract 17h from 0Bh
327C : 42 0B 17
mov 0Bh,17h
;copy result to 17h
327F : F9
rts
;and return
;CMD81-Pre Dynamic Code Packet
3280 : 74 40 CF
or #40h,0CFh
3283 : 22 03
mov #03h,A
3285 : 8E 32 71
call Dcd_A_byt->0060h
3288 : 12 62
mov 62h,A
328A : 02 04
jz 3290h
328C : 2D 04
cmp #04h,A
328E : 0F 01
jlo 3291h
3290 : F9
rts
;set CFh.6
;set A to #03
;Decrypt 3 bytes from CmdBuffer -> 0060
;copy 62h to A
;return if zero
;not zero, compare it with #04h
;if A<#04 skip to 3291
;if A>#03, return
3291 : 88 24 E6 30
3295 : 88 00 9E 32
3299 : 72 02 06
329C : EB
329D : F4 CC 9F 61
32A1 : 0A 05
32A3 : 7D 01 62
32A6 : 02 12
32A8 : 06 E6
movw #DSWCounterh,2Fh :30h ;set 2F :30 to DSW Counter
movw #009Eh,31h :32h
;set Destination to 9E :9F
mov #02h,06h
;set #of bytes to Decrypt
trap 4
;Decrypt 2F :30 -> 9E :9F
cmpw 9Eh :9Fh,60h :61h
;compare it with DSW in CMD
jle 32A8h
;if DSW is not updated, br->32A8->ret_3290
cmp #01h,62h
;compare 62h with #01
jz 32BAh
;if 62h=#01, proceed to 32BA
jnz 3290h
;else branch to ret_3290
32AA : 88 24 CA 30
32AE : EF
32AF : B0
32B0 : 02 DE
32B2 : 25 07
32B4 : B3
32B5 : 4D 00 62
32B8 : 06 D6
32BA : 98 61 9F
32BD : 32 62
32BF : 22 4C
32C1 : C7
32C2 : 02 07
32C4 : 22 31
movw #CMD81Counterh,2Fh :30h
;set 2F :30 to CMD81 Counter
trap 0
;Decrypt Eep
tst A
;clear status register
jz 3290h
;if zero, br->ret_3290
and #07h,A
;make A a # between 0-7
inc A
;increment A
cmp 00h,62h
;compare 62h with A
jnz 3290h
;if they don't match, br->ret_3290
movw 60h :61h,9Eh :9Fh
;copy 60 :61 -> 9E :9F
mov 62h,B
;copy 62h->B
mov #4Ch,A
;set A to #4C
dec B
;decrement B
jz 32CBh
;if B=0, skip to 32CBh
mov #31h,A
;B<>0, set A to #31
Page A-24
32C6 : C7
32C7 : 02 02
32C9 : 22 40
32CB : 1D 17
32CD : 06 C1
32CF : 72 0C 04
32D2 : 88 2E F8 2A
32D6 : 8E E6 A0
32D9 : 32 62
32DB : D1 FF
32DD : C7
32DE : 06 58
32E0 : 22 0C
32E2 : 8E 32 71
32E5 : C5
32E6 : AA 00 60
32E9 : AB 00 DD
32EC : C3
32ED : 5D 0C
32EF : 0F F5
32F1 : AA 29 7C
32F4 : AB 00 DD
32F7 : C3
32F8 : 5D 10
32FA : 0F F5
32FC : 88 29 41 2A
3300 : 88 00 DD 2C
3304 : 72 08 FD
3307 : 8E 3E B2
330A : C5
330B : AA 00 60
330E : D0 0E
3310 : AA 00 DD
3313 : 13 0E
3315 : AB 00 DD
3318 : C3
3319 : 5D 0C
331B : 0F EE
331D : 72 DD 15
3320 : 88 2E E0 2A
3324 : 72 0C 04
3327 : E7
3328 : 88 2D E0 2A
332C : 8E 33 7C
332F : 88 2E 00 2A
3333 : 8E 33 7C
3336 : 00 2B
dec B
;decrement B
jz 32CBh
;if B=0, skip to 32CB
mov #40h,A
;B<>0, set A to #40
cmp 17h,A
;compare 17h with #40
jnz 3290h
;if 17h <> #40, br->ret_3290
mov #0Ch,04h
;17h=#40, so set 04h to #0C
movw #12bytCMD82VfyKey,29 :2A
;set 29 :2A to 12ByteCMD82Verify Key at 2EF8
call 0Write(04hx#00)->EEph ;and write 12 zeroes to 2EF8
mov 62h,B
;copy 62h to B
mov B,0FFh
;and into FFh
dec B
;decrement B
jnz 3338h
;if B <> 0, branch to 3338h
mov #0Ch,A
;B=0, set A to #0C
call Dcd_A_byt->0060h
;Decode 12 bytes to 0060h
clr B
;clear B
mov *0060h[B],A
; |
mov A,*00DDh[B]
; |copy 12 bytes from 0060 to DDh-E8h
inc B
; |
cmp #0Ch,B
; |
jlo 32E6h
; +----loop
mov *297Ch[B],A
; |copy 4 bytes from (297C+0C)=2988 (3C,7D,91,9A?)
mov A,*00DDh[B]
; |to E9-EC
inc B
; |
cmp #10h,B
; |
jlo 32F1h
; +----loop
movw #2941h,29h :2Ah
;set 29 :2A to #2941
movw #00DDh,2Bh :2Ch
;set 2B :2C to #00DDh
mov #08h,0FDh
;set FDh to #08
call 3EB2h
;!!!Decrypt DDh-ECh with EDh-FCh?
clr B
;clear B
mov *0060h[B],A
; |
mov A,0Eh
; |
mov *00DDh[B],A
; |XOR DDh-ECh with 12 bytes from 60h-6Bh
xor 0Eh,A
; |and overwrite DDh-E8h with result
mov A,*00DDh[B]
; |
inc B
; |
cmp #0Ch,B
; |
jlo 330Bh
; +----loop
mov #0DDh,15h
;set 15h to #DDh
movw #CMD81_12ByteKey,29 :2A
;set 29 :2A to CMD81 12 Byte Key at 2EE0
mov #0Ch,04h
;set 04h to #0C
trap 8
;write 12 byte key from DD-E8 to 2EE0-2EE8
movw #2DE0h,29h :2Ah
;set 29 :2A to #2DE0
call Dcd#20RAMbyt->29 :2Ah ;Decode 1st #20 RAM bytes to Eeprom copy of DSW Code
movw #2E00h,29h :2Ah
;set 29 :2A to #2E00
call Dcd#20RAMbyt->29 :2Ah ;decode 2nd #20 RAM bytes to EEprom copy of DSW Code
jmp 3363h
;branch to 3363h
3338 : C7
3339 : 06 1A
333B : 22 11
333D : 8E 32 71
3340 : 88 00 60 30
3344 : 88 2A D3 32
3348 : 72 11 06
334B : ED
334C : 88 2E 20 2A
3350 : 8E 33 7C
3353 : 00 0E
dec B
;decrement B
jnz 3355h
;if B<>0, skip to 3355h
mov #11h,A
;B=0, so set A to #11h
call Dcd_A_byt->0060hh
;decrypt #11h bytes to 0060h
movw #0060h,2Fh :30h
;set 2F :30 to 0060h
movw #CMD82byt/Decrypt,31 :32
;set 31 :32 to #ofCMD82bytes to decrypt @ 2AD3
mov #11h,06h
;set 06h to #11h
trap 2
;Encrypt RAM @ Write to Eep
movw #CMD82VfyKey,29h :2Ah
;set 29 :2A to CMD82 Verify Key at 2E20
call Dcd#20RAMbyt->29 :2Ah ;Decode #20h bytes of RAM @ write CMD82 Verify Key
jmp 3363h
;branch to 3363h
3355 : 88 2E 40 2A
3359 : 8E 33 7C
335C : 88 2E 60 2A
3360 : 8E 33 7C
3363 : 88 00 9E 30
3367 : 88 24 E6 32
336B : 72 02 06
336E : ED
336F : 12 FF
3371 : 88 24 CA 30
movw #2E40h,29h :2Ah
;set 29 :2A to #2E40h
call Dcd#20RAMbyt->29 :2Ah ;Decode #20h bytes of RAM @ write to 2E40h
movw #2E60h,29h :2Ah
;set 29 :2A to #2E60h
call Dcd#20RAMbyt->29 :2Ah ;Decode #20h bytes of RAM @ write to 2E60h
movw #009Eh,2Fh :30h
;set 2F :30 to 009Eh
movw #DSWCounter,31h :32h ;set 31 :32 to DSW Counter at 24E6h
mov #02h,06h
;set 06h to #02 (#of bytes to process)
trap 2
;Encrypt RAM @ write DSW Counter
mov 0FFh,A
;copy FFh to A
movw #CMD81Counterh,2Fh :30h
;set 2F :30h to CMD81 Counter @ 24CA
Page A-25
3375 : EA
3376 : 75 BF CF
3379 : 89 FF 14
trap 5
and #0BFh,0CFh
jmpl 3290h
;Encrypt A and write to CMD81 Counter
;strip off CFh.6
;br ret_3290
;Decrypt#20RAMbyt->29 :2A
337C : 22 20
mov #20h,A
337E : 8E 32 71
call Dcd_A_byt->0060hh
3381 : 88 00 60 30
movw #0060h,2Fh :30h
3385 : 98 2A 32
movw 29h :2Ah,31h :32h
3388 : 72 20 06
mov #20h,06h
338B : ED
trap 2
338C : F9
rts
;set A to #20h
;decrypt #20h bytes to 0060h-007Fh
;set 2F :30 to 0060h
;copy 29 :2A to 31 :32
;set 06h to #20
;Decrypt 60h-7Fh and write to 29 :2A
;return
338D : 88 24 CA 30
3391 : EF
3392 : 25 07
3394 : F9
movw #CMD81Counter,2Fh :30h
trap 0
and #07h,A
rts
;set 2F :30 to CMD81 Counter @ 24CA
;Decrypt Eeprom
;make A # between 0-7
;and return
3395 : B8
3396 : 72 60 BE
3399 : 8E 35 37
339C : D4 BE
339E : 00 25
33A0 : 12 BE
33A2 : 2D 5C
33A4 : 0B EF
33A6 : 76 40 CF EB
33AA : 00 19
push A
mov #60h,PktInsByte
call 3537h
pop PktInsByte
jmp 33C5h
mov PktInsByte,A
cmp #5Ch,A
jhs 3395h
btjo #40h,0CFh,3395h
jmp 33C5h
;push A onto stack
;put #60 in PktINSByte
;!!!!?
;Pop value off stack to PktINSByte
;!!!!?
;copy INS# to A
;compare with #5C
;if INS5C or higher, branch to 3395
;if CFh.6 is set, branch to 3395
;branch to 33C5h
33AC : D7 D7
dec D7h
33AE : 8E 33 8D
call 338Dh
33B1 : 2D 03
cmp #03h,A
33B3 : 0B EB
jhs 33A0h
33B5 : 00 0E
jmp 33C5h
33B7 : C5
clr B
33B8 : B5
clr A
33B9 : AB 00 DA
mov A,*00DAh [B]
33BC : C3
inc B
33BD : 5D 26
cmp #26h,B
33BF : 0F F8
jlo 33B9h
33C1 : 12 D7
mov D7h,A
33C3 : 06 E7
jnz 33ACh
33C5 : 22 90
mov #90h,A
33C7 : 8C 2D 21
br 2D21h
;end of process ack routine jumps to 2D21
first before returning to ROM at C38F after vector - USW 0800 Chaged from C38Fh
33CA : 52 FF
mov #FFh,B
33CC : 8E 35 1F
call 351Fh
33CF : 12 0B
mov 0Bh,A
33D1 : 02 39
jz 340Ch
33D3 : 00 2C
jmp 3401h
33D5 : 30 01 00 60
33D9 : C5
33DA : AA 01 01
33DD : AB 00 61
33E0 : C3
33E1 : 3D 60
33E3 : 0F F5
33E5 : 88 24 E6 30
33E9 : 88 00 9E 32
33ED : 72 02 06
33F0 : EB
:9F
mov &0100h,60h
;copy byte @0100h to 60h, set CMD length
clr B
;clear B
mov *0101h[B],A
; |Loop transfers CMD82 from 0101h+ to 61h+
mov A,*0061h[B]
;|
inc B
;|
cmp 60h,B
; |loop until B=60h (CMD length)
jlo 33DAh
;|
movw #DSWCounterh,2Fh :30h ;put 24E6 into 2F :30
movw #009Eh,31h :32h
;put 009E into 31 :32
mov #02h,06h
;put #02 into 06
trap 4
;Decrypt 2 DSW bytes at 24E6 and move to RAM at 9E
33F1 : F4 CC 9F 62
33F5 : 02 D3
33F7 : 00 08
cmpw 9Eh :9Fh,61h :62h
jz 33CAh
jmp 3401h
;compare to verify at correct DSW
;if DSW=006, branch to 33CA
;else branch to 3401
33F9 : 88 24 CA 30
33FD : EF
movw #CMD81Counterh,2Fh :30h
trap 0
;put 24CA in 2F :30
;decrypt Eeprom
Page A-26
33FE : B0
33FF : 02 D4
3401 : 89 00 AE
tst A
jz 33D5h
jmpl 34B2h
;clear status register
;jump to call authorize video routine
; Officially, that is not a 'Hash Flag'. Its a flag that tells the card whether
; it may execute the CMD82 or not when it gets to deferred mode. Probably a more
; appropriate term is 'execute CMD82 flag'.
3404 : 76 80 28 F1
3408 : F9
btjo #80,28H,33F9
ret
;Check if bit 7 of 28H is On (If On,Then Hash)
;else return
3409 : 8C C2 7A
340C : 5D 0C
340E : 06 F9
br CallLoop
cmp #0Ch,B
jnz 3409h
3410 : C5
3411 : AA 29 51
3414 : AB 01 00
3417 : C3
3418 : 5D 10
341A : 0F F5
341C : 88 2A D3 30
3420 : EF
3421 : D0 0B
3423 : C5
3424 : AA 00 63
3427 : AB 01 00
342A : C3
342B : 3D 0B
342D : 0F F5
342F : C5
3430 : AA 01 00
3433 : AB 01 40
3436 : C3
3437 : 5D 10
3439 : 0F F5
343B : 88 29 61 2A
343F : 88 01 00 2C
3443 : 72 04 FD
3446 : 8E 3E B2
3449 : 22 3C
344B : 8E 3E CB
344E : D5 DB
3450 : 32 DB
3452 : C2
3453 : A8 01 00 2C
3457 : 8E EC A5
again?
345A : 8E EC A5
345D : C5
345E : 9A 2C
3460 : D0 09
3462 : AA 01 40
3465 : 13 09
3467 : 9B 2C
3469 : F4 EB 10 2C
346D : AB 01 40
3470 : D3 2C
3472 : C3
3473 : 5D 10
3475 : 0F E7
3477 : D3 DB
3479 : 7D 04 DB
347C : 0F D2
347E : 88 01 40 2C
3482 : 8E EC A5
3485 : 8E EC A5
3488 : 22 6A
348A : 8E 3E CB
348D : D5 09
clr B
;
mov *2951h[B],A
; |copy 16 bytes at 2951-2960 to 0100h-010Fh
mov A,*0100h[B]
; | (18,03,EC,F7,66,BD,35,70,
inc B
; | C1,DF,22,4A,8E,A4,59,9B)?
cmp #10h,B
; |
jlo 3411h
; +----loop
movw #CMD82byt/Decrypt,2F :30
;set 2F :30 to # of CMD82 bytes to Decrypt @ 2AD3
trap 0
;decrypt EEprom
mov A,0Bh
;and put result in 0Bh
clr B
;clear B
mov *0063h[B],A
; |copy bytes @63h - (63h + 0Bh)
mov A,*0100h[B]
; |to 0100h - (0100h + 0Bh)
inc B
; |
cmp 0Bh,B
; |
jlo 3424h
; +----loop
clr B
;clear B
mov *0100h[B],A
; |copy 16 bytes from 0100h - 010Fh
mov A,*0140h[B]
; |to 0140h - 014Fh
inc B
; |
cmp #10h,B
; |
jlo 3430h
; +----loop
movw #2961h,29h :2Ah
;set 29 :2A to #2961
movw #0100h,2Bh :2Ch
;set 2B :2C to #0100
mov #04h,0FDh
;set FDh to #04
call 3EB2h
;setrk to #3C and call decryption routine @ECA5?
mov #3Ch,A
;put #3C in A
call SetRomKeytoAh
;and set ROM key to #3C
clr 0DBh
;clear DBh
mov 0DBh,B
; |copy DBh to B
swap B
; |swap nibbles in B
movw #0100h[B],2Bh :2Ch
; |set 2B :2C to #(0100+B)
call 0ECA5h
; |back to the decryption routine @ECA5
;if B <> #0C, br->3409 and call Loop
call 0ECA5h
; |and again?
clr B
; |clear B
mov *2Bh :2Ch,A
; | |Copy byte *2B :2C to A ->09h
mov A,09h
; | |
mov *0140h[B],A
; | |XOR 0140h-014F with data from (2B :2C)-((2B :2C)+#10h)
xor 09h,A
; | |
mov A,*2Bh :2Ch
; | |copy result to *2B :2C
- *2B :2C + #10
mov A,*PktP1Byte[2Bh :2Ch] ; | |copy result to *2B :2C + 10h - *2B :2C + 10h + #10
mov A,*0140h[B]
; | |copy result to 0140 - 0140 + #10
inc 2Ch
; | |
inc B
; | |
cmp #10h,B
; | |
jlo 345Eh
; | +----loop 16x
inc 0DBh
; |increment DBh
cmp #04h,0DBh
; |
jlo 3450h
; +----loop 4x
movw #0140h,2Bh :2Ch
;set 2B :2C to #0140
call 0ECA5h
;decryption routine @ECA5 again
call 0ECA5h
;and again
mov #6Ah,A
;set A to #6A
call SetRomKeytoAh
;set ROM key back to #6A
clr 09h
;clear 09h
Page A-27
348F : C5
3490 : AA 01 40
3493 : D0 0B
3495 : AA 01 48
3498 : 13 0B
349A : AB 01 40
349D : D0 0B
349F : A8 2A DC 30
34A3 : EF
34A4 : 13 0B
34A6 : 44 00 09
34A9 : C3
34AA : 5D 08
34AC : 0F E2
34AE : 12 09
34B0 : 02 0D
34B2 : 8E DE D9
34B5 : 77 01 B8 03
34B9 : 72 17 C6
34BC : 89 FF 49
clr B
;clear B
mov *0140h[B],A
; |Build CMD82 Verify Key by XORing
mov A,0Bh
; |0140h-0147 with 0148h-014Fh
mov *0148h[B],A
; |
xor 0Bh,A
; |
mov A,*0140h[B]
; |
mov A,0Bh
; |
movw #CMD82VfyKey#2[B],2F :30
; |Decode CMD82 Verify Key from 2ADC
trap 0
; |and XOR it with previously built key
xor 0Bh,A
; |Result should=0...if any bits are set, something
or 00h,09h
; |didn't match up
inc B
; |
cmp #08h,B
; |
jlo 3490h
; +----loop 8x
mov 09h,A
;copy 09h to A
jz 34BFh
;branch to 34BF if zero (should be if the keys match)
call SetVideoBasedonBits
;authorize video based on bits
btjz #01h,0B8h,34BCh
;if B8h.0 is zero, skip to 34BC->ret_3408
mov #17h,0C6h
;if B8h.0 is set, set C6h to #17
jmpl 3408h
;then branch to ret_3408
34BF : C5
34C0 : AA 01 00
34C3 : D0 0B
34C5 : A8 2D E0 30
34C9 : EF
34CA : 13 0B
34CC : AB 01 00
34CF : C3
34D0 : 5D 40
34D2 : 0F EC
34D4 : C5
34D5 : A8 2A D4 30
34D9 : EF
34DA : AB 00 DD
34DD : C3
34DE : 5D 08
34E0 : 0F F3
34E2 : 88 2A D3 30
34E6 : EF
34E7 : C0
34E8 : 12 60
34EA : B7
34EB : B7
34EC : 6C
34ED : D0 24
34EF : 88 00 63 2A
34F3 : 4B 01 2A
34F6 : C5
34F7 : 3D 24
34F9 : 0B 05
34FB : 9A 2A
34FD : AB 00 DD
3500 : D3 2A
3502 : C3
3503 : 5D 08
3505 : 0F F0
clr B
3507 : 8E 01 00
call 0100h
350A : C5
350B : AA 00 DD
350E : D0 0B
3510 : AA 00 A0
3513 : 13 0B
3515 : AB 00 A0
3518 : C3
3519 : 5D 08
351B : 0F EE
351D : 00 9D
clr B
;Clear B
mov *0100h[B],A
; |copy Decode Key from 0100h-013Fh into A
mov A,0Bh
; |
movw #2DE0h[B],2Fh :30h
; |
trap 0
; |Decode Encrypted DSW Code at 2DE0
xor 0Bh,A
; |
mov A,*0100h[B]
; |and write it to 0100-013F
inc B
; |
cmp #40h,B
; |
jlo 34C0h
; +----loop
clr B
;clear B
movw #CMD82VerifyKey[B],2F:30
; |
trap 0
; |
mov A,*00DDh[B]
; |copy 8-byte CMD82 Verify Key from 2AD4
inc B
; |to DDh-E4h
cmp #08h,B
; |
jlo 34D5h
; +----loop
movw #CMD82byts/Dcrypt,2F:30
;set 2F :30 to # of CMD82 Bytes to Decrypt
trap 0
;decrypt Eeprom
mov A,B
;and put it in B
mov 60h,A
;put CMD length into A
dec A
;
dec A
;decrement by 2
sub B,A
;then subtract B from A
mov A,24h
;and copy it into 24h
movw #0063h,29h :2Ah
;loop transfers values in 0063
add 01h,2Ah
clr B
;clear B
cmp 24h,B
; |if #of CMD82 bytes + hash range bytes is less than B
jhs 3500h
; |then jump to 3500h
mov *29h :2Ah,A
; |else, copy a CMD82 byte into A
mov A,*00DDh[B]
; |copy it to 00DDh[B]
inc 2Ah
; |increment pointer
inc B
; |increment counter
cmp #08h,B
; |
jlo 34F7h
; +----loop 8x
;call DSW006
;clear B
mov *00DDh[B],A
; |
mov A,0Bh
; |
mov *00A0h[B],A
; |XOR 8 bytes at A0h-A7h with DDh-E4h
xor 0Bh,A
; |and copy result back to A0h-A7h
mov A,*00A0h[B]
; |
inc B
; |
cmp #08h,B
; |
jlo 350Bh
; +----loop 8x
jmp 34BCh
;br 34BC->ret_3408
Page A-28
351F : D5 0B
3521 : C5
3522 : AA 2E E0
3525 : D0 0E
3527 : AA 2E F8
352A : 13 0E
352C : 44 00 0B
match)
352F : C3
3530 : 5D 0C
3532 : 0F EE
3534 : 12 0B
3536 : F9
clr 0Bh
clr B
;clear 0Bh
inc B
cmp #0Ch,B
jlo 3522h
mov 0Bh,A
rts
; |
; |
; +----loop 12x
;copy 0Bh to A
;and return
3537 : 8E 3E D6
353A : 8A 28 8B
353D : 02 07
353F : 88 2F 04 2A
3543 : 8E E6 8E
3546 : 88 24 CA 30
354A : EF
354B : D0 16
354D : 25 07
354F : 2D 03
3551 : 06 1C
3553 : 8E 36 A1
3556 : 72 60 0C
3559 : 72 02 12
355C : 8E E4 09
355F : 8E E4 1A
3562 : 88 2E 80 2A
3566 : 8E 36 C1
3569 : 8E 36 A1
356C : 89 01 21
356F : 2D 04
3571 : 06 1E
3573 : 8E 36 A1
3576 : 88 2E 80 30
357A : 88 01 00 32
357E : 72 60 06
3581 : EB
3582 : 72 60 0C
3585 : 72 02 12
3588 : 8E E4 1A
358B : 8E 36 BD
358E : 89 00 FF
3591 : 2D 07
3593 : 02 59
3595 : D5 E9
3597 : 26 01 02
359A : D9 E9
359C : 8E 36 A1
359F : 88 29 81 2A
35A3 : 8E C4 AE
35A6 : C5
35A7 : 42 E9 EA
35AA : 5D 06
35AC : 0B 02
35AE : D9 EA
35B0 : AA 2E E0
35B3 : 15 EA
35B5 : AB 00 DD
35B8 : C3
35B9 : 5D 0C
35BB : 0F EA
35BD : 22 2D
35BF : 8E 3E CB
35C2 : 88 00 DD 2A
35C6 : 22 60
call 3ED6h
mov &288Bh,A
jz 3546h
movw #2F04h,rpd 2Ah-1h :2Ah
call E68Eh
movw #24CAh,rpd 30h-1h :30h
trap 0
mov A,16h
and #07h,A
cmp #03h,A
jnz 356Fh
call 36A1h
mov #60h,0Ch
mov #02h,12h
call E409h
call E41Ah
movw #2E80h,rpd 2Ah-1h :2Ah
call 36C1h
call 36A1h
jmpr 3690
cmp #04h,A
jnz 3591h
call 36A1h
movw #2E80h,rpd 30h-1h :30h
movw #0100h,rpd 32h-1h :32h
mov #60h,06h
trap 4
mov #60h,0Ch
mov #02h,12h
call E41Ah
call 36BDh
jmpr 3690
cmp #07h,A
jz 35EEh
clr E9h
btjo #01h,A,359Ch
inv E9h
call 36A1h
movw #2981h,rpd 2Ah-1h :2Ah
call C4AEh
clr B
mov E9h,EAh
cmp #06h,B
jhs 35B0h
inv EAh
mov *2EE0h [B],A
and EAh,A
mov A,*00DDh [B]
inc B
cmp #0Ch,B
jlo 35A7h
mov #2Dh,A
call 3ECBh
movw #00DDh,rpd 2Ah-1h :2Ah
mov #60h,A
;clear B
mov *CMD81_12ByteKey[B],A
; |
mov A,0Eh
; |XOR 12Byte CMD82 Verify Key with
mov *12ByteCMD82VfyKey[B],A
; |CMD81 12Byte key
xor 0Eh,A
; |
or 00h,0Bh
; |then OR 0Bh with results (shoud be 00 if 2 keys
Page A-29
35C8 : 8E EB EF
35CB : 22 6A
35CD : 8E 3E CB
35D0 : C5
35D1 : AA 01 00
35D4 : AB 00 60
35D7 : C3
35D8 : 5D 20
35DA : 0F F5
35DC : 72 60 0C
35DF : 72 02 12
35E2 : 8E E4 09
35E5 : 8E E4 1A
35E8 : 8E 36 BD
35EB : 8C 36 90
35EE : 72 48 94
35F1 : 8E ED 82
35F4 : D5 DB
35F6 : 32 DB
35F8 : 5D 40
35FA : 0B 06
35FC : A8 2D E0 2A
3600 : 00 22
3602 : 5D 48
3604 : 0B 06
3606 : A8 2A 94 2A
360A : 00 18
360C : 5D 50
360E : 0B 06
3610 : A8 2A 94 2A
3614 : 00 0E
3616 : 5D 51
3618 : 0B 06
361A : A8 2A 83 2A
361E : 00 04
3620 : A8 2D CF 2A
3624 : 98 2A 30
3627 : EF
3628 : 8E ED A4
362B : C3
362C : 12 95
362E : 02 09
3630 : 5D B1
3632 : 0F C4
3634 : C8
3635 : 8E EE 89
3638 : C4
3639 : 12 96
363B : 06 B9
363D : D1 DB
363F : 5D B1
3641 : 0F B3
3643 : C5
3644 : AA 00 88
3647 : AB 00 DD
364A : C3
364B : 5D 0C
364D : 0F F5
364F : AA 29 7C
3652 : AB 00 DD
3655 : C3
3656 : 5D 10
3658 : 0F F5
365A : 88 29 41 2A
365E : 88 00 DD 2C
3662 : 72 08 FD
3665 : 8E 3E B2
3668 : C5
3669 : AA 00 88
366C : D0 0E
call EBEFh
mov #6Ah,A
call 3ECBh
clr B
mov *0100h [B],A
mov A,*0060h [B]
inc B
cmp #20h,B
jlo 35D1h
mov #60h,0Ch
mov #02h,12h
call E409h
call E41Ah
call 36BDh
br 3690h
mov #48h,94h
call ED82h
clr DBh
mov DBh,B
cmp #40h,B
jhs 3602h
movw #2DE0h [B],rpd 2Ah-1h :2
jmp 3624h
cmp #48h,B
jhs 360Ch
movw #2A94h [B],rpd 2Ah-1h :2
jmp 3624h
cmp #50h,B
jhs 3616h
movw #2A94h [B],rpd 2Ah-1h :2
jmp 3624h
cmp #51h,B
jhs 3620h
movw #2A83h [B],rpd 2Ah-1h :2
jmp 3624h
movw #2DCFh [B],rpd 2Ah-1h :2
movw rps 2Ah-#1h :2Ah,rpd 30h
trap 0
call EDA4h
inc B
mov 95h,A
jz 3639h
cmp #B1h,B
jlo 35F8h
push B
call EE89h
pop B
mov 96h,A
jnz 35F6h
mov B,DBh
cmp #B1h,B
jlo 35F6h
clr B
mov *0088h [B],A
mov A,*00DDh [B]
inc B
cmp #0Ch,B
jlo 3644h
mov *297Ch [B],A
mov A,*00DDh [B]
inc B
cmp #10h,B
jlo 364Fh
movw #2941h,rpd 2Ah-1h :2Ah
movw #00DDh,rpd 2Ch-1h :2Ch
mov #08h,FDh
call 3EB2h
clr B
mov *0088h [B],A
mov A,0Eh
Page A-30
366E : AA 00 DD
3671 : 13 0E
3673 : AB 00 DD
3676 : C3
3677 : 5D 0C
3679 : 0F EE
367B : 72 DD 15
367E : 88 2E F8 2A
3682 : 72 0C 04
3685 : E7
3686 : 8E 35 1F
3689 : 02 08
368B : 52 02
368D : 8E 3E A3
3690 : 12 16
3692 : B3
3693 : 88 24 CA 30
3697 : EA
3698 : B5
3699 : 88 2F 04 2A
369D : 8E E6 8E
36A0 : F9
36A1 : 88 2E 20 2A
36A5 : 72 60 04
36A8 : C5
36A9 : 98 2A 34
mov *00DDh [B],A
xor 0Eh,A
mov A,*00DDh [B]
inc B
cmp #0Ch,B
jlo 3669h
mov #DDh,15h
movw #2EF8h,rpd 2Ah-1h :2Ah
mov #0Ch,04h
trap 8
call 351Fh
jz 3693h
mov #02h,B
call 3EA3h
mov 16h,A
inc A
movw #24CAh,rpd 30h-1h :30h
trap 5
clr A
movw #2F04h,rpd 2Ah-1h :2Ah
call E68Eh
rts
movw #2E20h,rpd 2Ah-1h :2Ah
mov #60h,04h
clr B
movw rps 2Ah-#1h :2Ah,rpd 34h
36AC : 9A 34
36AE : AB 01 00
36B1 : 70 01 34
36B4 : C3
36B5 : 3D 04
36B7 : 0F F3
36B9 : 8E 36 C4
36BC : F9
36BD : 88 2E 20 2A
36C1 : 72 60 04
36C4 : 88 01 00 2C
36C8 : 42 04 22
36CB : C5
36CC : 9A 2C
36CE : AB 00 60
36D1 : 70 01 2C
36D4 : C3
36D5 : 5D 20
36D7 : 0F F3
36D9 : 88 00 60 30
36DD : 98 2A 32
36E0 : 72 20 06
36E3 : ED
36E4 : 7C 20 22
36E7 : 04 E2
36E9 : F9
36EA : 2D 08
36EC : 06 04
36EE : C5
36EF : 8E 3E A3
36F2 : 8C C3 A3
mov *rps 34h-1h :34h,A
mov A,*0100h [B]
incw #01h,rpd 34h-1h :34h
inc B
cmp 04h,B
jlo 36ACh
call 36C4h
rts
movw #2E20h,rpd 2Ah-1h :2Ah
mov #60h,04h
movw #0100h,rpd 2Ch-1h :2Ch
mov 04h,22h
clr B
mov *rps 2Ch-1h :2Ch,A
mov A,*0060h [B]
incw #01h,rpd 2Ch-1h :2Ch
inc B
cmp #20h,B
jlo 36CCh
movw #0060h,rpd 30h-1h :30h
movw rps 2Ah-#1h :2Ah,rpd 32h
mov #20h,06h
trap 2
sub #20h,22h
jp 36CBh
rts
cmp #08h,A
;trap 9 continued
jnz 36F2h
;if a not 08, then C3A
clr B
;else set B=0 (error counter 2AD0)
call 3EA3h
;increment error counter
br C3A3h
;and goto AssertFailedAbort
;DecryptRECVdASICbyte
36F5 : D0 02
36F7 : A6 01 3D FC
36FB : 80 35
36FD : 13 02
36FF : F9
mov A,02h
btjo #01h,ASICStatus,36F7h
mov ASIC->Byte,A
xor 02h,A
rts
;check for INS54
3700 : 7D 54 BE
3703 : 06 08
3705 : 7D 40 09
cmp #54h,PktInsByte
jnz 370Dh
cmp #40h,09h
;copy A to 02h
;wait for ASIC
;put byte from ASIC into A
;XOR it with 02h
;and return
;if not, branch to 370D
;check to see if last INS was an INS40
Page A-31
3708 : 02 03
jz 370Dh
370A : 22 00
mov #00h,A
370C : E6
trap 9
370D : 8C 2C E8
br 2CE8h
INS40, br->2D3F br->C1C9
;INS4A-ZKT Step 1
3710 : E2
3711 : D0 C1
3713 : 8E D0 6A
3716 : 72 60 15
3719 : 72 40 04
371C : 88 26 10 2A
3720 : E7
3721 : F9
;yes, so jump to 370D
;no, put #00 in A
;then trap 9 and abort
;br->2CE8, compare current INS with
trap 13
;Read a byte into A
mov A,0C1h
; This determines which identity(N) to use
call Compute512BitRandomNum
;put 64 bytes into buffer from 60-9F
mov #60h,15h
;set start address to 60h
mov #40h,04h
;set length to write
movw #ZKTRand#h,29h :2Ah ;set destination address
trap 8
;then write 64ByteRandomZKT from 60h-9Fh to 2610
rts
;INS5A-ZKTSteps2&3
3722 : 76 01 12 17
btjo #01h,PktP2Byte,373Dh
;Branch if Param2.1 is set
3726 : 8E D0 6A
call Compute512BitRandomNum;
3729 : 77 01 25 05
btjz #01h,25h,3732h
; Branch if the random number is the same as the one computed by
last Ins4A
372D : 8E CE FF
call SendPktLength0Bytes
; If not, send back a bunch of zeroes
3730 : 00 28
jmp 375Ah
; Then jump to end the instruction
3732 : 8E D0 4D
call UpdateZKTRandomNumSeed
; Generate a new random number seed and
write it to EEPROM
3735 : 88 26 10 2A
movw #ZKTRandomNumber,2ah
; Set pointer at 29h/2Ah to 2610h (the start of
ZKTRandomNumber)
3739 : 77 01 10 11
btjz #01h,PktP1Byte,374Eh
; Branch if Param1.1 if clear (indicating the random number should
be sent and not the hash value)
373D : 72 40 0C
= 512 bits)
3740 : 8E E4 09
in RAM at 0Ch)
3743 : 8E E4 1A
N...
3746 : 88 01 00 2A
probably just computed)
374A : 76 01 12 0D
374E : C5
374F : 9A 2A
3751 : E1
3752 : 70 01 2A
3755 : C3
3756 : 5D 40
3758 : 0F F5
375A : F9
mov #40h, 0Ch
; Number of bytes to clear (in this case, #40h = 64 bytes
call ClearBufferAt100h?
; Clear RAM buffer at 100h (number of bytes to clear is
call func_E41A
; This function probably does a 512-bit multiply mod
375B : 98 C3 AB
375E : 88 37 D2 2A
TEAM' nibble-reversed!)
3762 : 8E 37 9B
3765 : C5
3766 : AA 00 88
8Fh
3769 : E1
376A : C3
376B : 5D 08
376D : 0F F7
376F : F9
movw 0C2h:0C3h,0AAh:0ABh ; Copy C2/C3 to AA/AB? Not sure about this.
movw #ZKTHashInputBytes,2ah
; Set pointer at 29h/2Ah to 37D2 (note! 37D2 is 'NDR
movw #0100h,2ah
; Set pointer at 29h/2Ah to 0100h (the start of the buffer that was
btjo #01h,PktP2Byte,375Bh
clr B
mov *29h:2Ah,A
trap14
incw #01h,29h:2Ah
inc B
cmp #40h,B
jlo 374Fh
rts
; Branch if Param2.1 is set
;
; | This loop sends 64 bytes from the buffer at 0100h-013Fh
;|
;|
;|
;|
;|
;
call func_379B
clr B
mov *0088h[B],A
trap14
inc B
cmp #08h,B
jlo 3766h
rts
;ZKTHashInputBytes
37D2 : E4 44 25 02 45 54 14 D4
becomes 4E, etc.)Clear0Bh
3770 : D5 0B
clr 0Bh
3772 : F9
rts
:
3773 : 32 03
mov 03h,B
3775 : AB 01 64
mov A,*0164h[B]
3778 : B8
push A
; Call to compute ZKT hash value
;
; | This loop sends the hash value from the buffer in RAM at 88h;|
;|
;|
;|
;
; Nibble reverse each byte to get 'NDR TEAM' (E4
;set offset to value in 03h
;put byte in A in 0164+B
;the push A onto stack, save for later
Page A-32
3779 : 12 02
377B : AB 01 6C
377E : B4
377F : F9
:
3780 : 22 40
3782 : 52 2D
3784 : AB 01 00
3787 : C3
3788 : 5D 3F
378A : 0F F8
378C : 12 10
378E : AB 01 00
3791 : 88 26 90 2A
3795 : 8E 37 9F
3798 : 8C 37 65
mov 02h,A
mov A,*016Ch[B]
pop A
rts
;put value in 02h in A
;then into 016Ch+B
;pop value off stack, restore A
;and return
mov #40h,A
;put #40 into A
mov #2Dh,B
;put #2D into B
mov A,*0100h[B]
; |write 0100-0112 with #40
inc B
; |increment B
cmp #3Fh,B
; |compare #3F with B
jlo 3784h
; |loop 12 times
mov PktP1Byte,A
;move PktP1Byte into A
mov A,*0100h[B]
;and put it in 0113h
movw #CardSwapSendKeyh,29h:2A
;load #2690 into 29 :2A
call 379Fh
;Prepare for CardSwap
br 3765h
;transmit 8 bytes in 88h-8Fh to IRD & return
;Jmp to 37B3 if bit 0 of PktP1Byte is set
379B : 76 01 10 14
btjo #01h,PktP1Byte,37B3h
;seed A4-AB with CardSwapSendKey @2690-2698
379F : C5
clr B
;clear B
37A0 : 9A 2A
mov *29h :2Ah,A
;copy byte @29 :2A into A
37A2 : 7D 5A BE
cmp #5Ah,PktInsByte
;check if INS5A
37A5 : 06 01
jnz 37A8h
;if not, jump to 37A8
37A7 : B2
swap A
;if INS5A, put swap nibbles with bytes retrieved from
2690-2698
37A8 : AB 00 A4
mov A,*00A4h[B]
; |put result into A4-AB
37AB : C3
inc B
; |increment B
37AC : 70 01 2A
incw #01h,29h :2Ah
; |put data 2690-2697 into A4-AB
37AF : 5D 08
cmp #08h,B
; |
37B1 : 0F ED
jlo 37A0h
; |loop 8 times
37B3 : 72 48 94
mov #48h,94h
;put a 48 into 94
37B6 : 8E ED 82
call 0ED82h
;load 12ByteKey to 7Ch-87h & 88h-93h
37B9 : 7D 44 BE
cmp #44h,PktInsByte
;check if INS44
37BC : 02 0D
jz 37CBh
;if INS44, jump to 37CB
37BE : 7D 56 BE
cmp #56h,PktInsByte
;check if INS56
37C1 : 02 08
jz 37CBh
;if so, jump to 37CB
37C3 : 8E 37 DA
call 37DAh
;not an INS44 or 54
37C6 : 8E 37 DA
call 37DAh
37C9 : 00 06
jmp 37D1h
37CB : 8E 37 F3
call 37F3h
37CE : 8E 37 F3
call 37F3h
37D1 : F9
rts
37D2 : E4
37D3 : 44 25 02
37D6 : 45 54 14
trap 11
or 25h,02h
and 54h,PktLenByte
37DA : C5
37DB : AA 01 00
37DE : 8E ED A4
37E1 : C3
37E2 : 5D 40
37E4 : 0F F5
clr B
37E6 : C5
37E7 : AA 00 A4
37EA : 8E ED A4
37ED : C3
37EE : 5D 08
37F0 : 0F F5
37F2 : F9
clr B
37F3 : C5
37F4 : A8 01 00 30
37F8 : EE
37F9 : 8E ED A4
37FC : C3
37FD : 5D 2D
clr B
movw #0100h[B],2Fh :30h
trap 1
call 0EDA4h
inc B
cmp #2Dh,B
;Clear B
; |copy 64 bytes beginning at 0100h
; |
; |
; |
; |loop
mov *0100h[B],A
call 0EDA4h
inc B
cmp #40h,B
jlo 37DBh
;Clear B
; |copy 8 bytes from A4-AB
; |
; |
; |
mov *00A4h[B],A
call 0EDA4h
inc B
cmp #08h,B
jlo 37E7h
rts
; |loop
;Clear B
; |
; |decrypt RAM &0100-012D
; |
; |
; |
Page A-33
37FF : 0F F3
3801 : AA 01 00
3804 : 8E ED A4
3807 : C3
3808 : 5D 40
380A : 0F F5
380C : C5
380D : AA 00 A4
3810 : 8E ED A4
3813 : C3
3814 : 5D 08
3816 : 0F F5
3818 : F9
jlo 37F4h
; +------loop
mov *0100h[B],A
; /
call 0EDA4h
; |copy bytes from 012E-0140
inc B
; |
cmp #40h,B
; |
jlo 3801h
; +---------loop
clr B
;clear B
mov *00A4h[B],A
; |copy 8 bytes from A4-AB
call 0EDA4h
; |
inc B
; |
cmp #08h,B
; |
jlo 380Dh
; +--------rts
;return
3819 : D5 13
381B : D5 0B
381D : 7D 36 BE
3820 : 02 01
3822 : F9
3823 : 72 04 1E
3826 : 8E 38 66
3829 : 22 36
382B : 8E 3C A0
382E : 00 F2
clr 13h
clr 0Bh
;CMD90
3830 : 8E DC 0A
3833 : 88 00 62 30
3837 : EE
3838 : 27 20 04
383B : 30 29 87 D7
383F : 8A 2A CE
3842 : 27 01 07
3845 : 76 40 1E 03
3849 : 22 3E
384B : E6
384C : 8E 2D 16
384F : F9
3850 : 30 29 87 D7
3854 : 8A 2A CE
3857 : 27 02 03
385A : 22 3D
385C : E6
cmp #36h,BEh
jz 3823h
rts
mov #04h,1Eh
call 3866h
mov #36h,A
call 3CA0h
jmp 3822h
call DC0Ah
movw #0062h,rpd 30h-1h :30h
trap 1
btjz #20h,A,383Fh
mov 37C6987h,D7h
mov &2ACEh,A
btjz #01h,A,384Ch
btjo #40h,1Eh,384Ch
mov #3Eh,A
trap 9
call 2D16h
rts
mov 37DB987h,D7h
mov &2ACEh,A
btjz #02h,A,385Dh
mov #3Dh,A
trap 9
385D : D5 1E
385F : 74 80 1E
3862 : 8E 38 66
3865 : F9
:
3866 : 72 01 D9
3869 : 77 80 1E 03
386D : 72 00 D9
3870 : 8E 39 16
3873 : 8E 38 B1
entries
3876 : 88 38 91 2A
387A : 77 80 1E 04
387E : 88 38 A1 2A
3882 : C5
3883 : 9A 2A
3885 : AB 00 A0
3888 : C3
3889 : 70 01 2A
388C : 5D 10
388E : 0F F3
3890 : F9
clr 1Eh
or #80h,1Eh
call 3866h
rts
3891 :
38A1 :
db 50,E7,5F,A4,07,24,0E,C5,A8
db B3,02,9E,19,2F,C4,CF,36,5A
;USW 0800 Changed from 3866h
;clear 1Eh
;set 1Eh.7
;seed A0-AF with 16 bytes at 38A1
mov #01h,0D9h
;set D9h to #01
btjz #80h,1Eh,3870h
;if 1Eh.7 is zero skip to 3870
mov #00h,0D9h
;if 1Eh.7 is set, set D9h to #00
call 29 :2A,2D :2E->PrimPubKey
;set pointers to PrimaryPublicKeys
call 38B1h
;Transmit key to ASIC, set peripherals with table
movw #3891h,29h :2Ah
btjz #80h,1Eh,3882h
movw #38A1h,29h :2Ah
clr B
mov *29h :2Ah,A
mov A,*00A0h[B]
inc B
incw #01h,29h :2Ah
cmp #10h,B
jlo 3883h
rts
;set 29 :2A to #3891
;if 1Eh.7 is clear
;if 1Eh.7 is set, set 29 :2A to #38A1
;clear B
; |Seed A0-AF with 16 bytes from 3891 or 38A1, depending
; |on status of 1Eh.7
; |
; |
; |
; +-----------;return
Page A-34
;BldPubKey&SeedPRegwTblEntry
38B1 : F7 00 38
mov #00h,P38h
;clear P38h
38B4 : F7 00 3A
mov #00h,P3Ah
;clear P3Ah
38B7 : F7 80 3D
mov #80h,ASICStatus
;set ASICStatus to #80
38BA : FF
nop
;
38BB : 52 07
mov #07h,B
;set B to #07
38BD : F7 08 3D
mov #08h,ASICStatus
;set ASICStatus to #08
38C0 : 8E 38 D9
call 38D9h
; |XOR 2 Public Keys together and
38C3 : C7
dec B
; |transmit to ASIC
38C4 : 04 FA
jp 38C0h
; +----------38C6 : 88 39 01 2C
movw #3901h,2Bh :2Ch
;set 2B :2C to #3901
38CA : 77 80 1E 04
btjz #80h,1Eh,38D2h
;if 1Eh.7 is clear
38CE : 88 39 0A 2C
movw #390Ah,2Bh :2Ch
;if 1Eh.7 is set, set 2B :2C to #390A
38D2 : 8E 38 EE
call TbleByt->P32,P34,P3Dh ;LoadP32,34,3Dw/TableBytes
38D5 : 8E 38 D9
call 38D9h
38D8 : F9
rts
;BuildKey->ASIC
38D9 : 9A 2A
38DB : D0 05
38DD : 9A 2E
38DF : 13 05
38E1 : A6 01 3D FC
38E5 : 21 30
38E7 : 70 01 2A
38EA : 70 01 2E
38ED : F9
mov *29h :2Ah,A
mov A,05h
mov *2Dh :2Eh,A
xor 05h,A
btjo #01h,ASICStatus,38E1h
mov A,Byte->Asic
incw #01h,29h :2Ah
incw #01h,2Dh :2Eh
rts
;LoadP32,34,3Dw/TableBytes
38EE : 9A 2C
mov
38F0 : 21 32
mov
38F2 : 70012C
incw
38F5 : 9A 2C
mov
38F7 : 21 34
mov
38F9 : 70 01 2C
incw
38FC : 9A 2C
mov
38FE : 21 3D
mov
3900 : F9
rts
*2Bh :2Ch,A
A,P32h
#01h,2Bh :2Ch
*2Bh :2Ch,A
A,P34h
#01h,2Bh :2Ch
*2Bh :2Ch,A
A,ASICStatus
;move byte @29 :2A to A
;then into 05h
;move byte @2D :2E to A
;and XOR it with byte from 29 :2A
;wait for ASIC
;then send byte to ASIC
;increment pointers
;
;and return
;put first table byte in P32h
;
;
;put second table byte in P34h
;
;
;put third table byte in P3Dh
;
;return
3901 : 02 62 2C
02 40 : 34
02 44 : 26
390A : 01 64 2D
01 60 : 34
01 42 : 2F
03 40 : 3C
;29 :2A,2D :2E->PrimPubKey1&2
3916 : 12 1E
mov 1Eh,A
;copy 1Eh to A
3918 : 25 07
and #07h,A
;make it a # between 0-7
391A : 27 04 02
btjz #04h,A,391Fh
;if bit 2 is clear, skip next instruction
391D : 25 04
and #04h,A
;clear all bits except bit 2
391F : B2
swap A
;swap nibbles
3920 : BC
rr A
;divide by 2
3921 : 88 26 60 2A
movw #PrimaryPubKey,29h :2Ah
;increment 29 :2A by A
3925 : 4B 00 2A
add 00h,2Ah
;
3928 : 79 00 29
adc #00h,29h
;
392B : 88 3F 58 2E
movw #PrimaryPubKey2,2Dh :2Eh
;increment 2D :2E by A
392F : 4B 00 2E
add 00h,2Eh
;
3932 : 79 00 2D
adc #00h,2Dh
;
3935 : F9
rts
;and return
;setB6h.4
3936 : 74 10 B6
3939 : F9
or #10h,0B6h
rts
393A : 75 EF B6
393D : 22 40
393F : AB 01 00
and #0EFh,0B6h
mov #40h,A
mov A,*0100h[B]
;set B6h.4
;and return
;clear B6h.4
;set a to #40h
; |load 0100h-013Fh with #40h
Page A-35
3942 : C3
3943 : 5D 40
3945 : 0F F8
3947 : 8E 3E D6
394A : C5
394B : AA 26 88
394E : D0 24
3950 : AA 3F 80
3953 : 13 24
3955 : AB 00 A4
3958 : C3
3959 : 5D 08
395B : 0F EE
395D : 8E 37 B3
3960 : C5
3961 : D5 09
3963 : E2
3964 : D0 02
3966 : AA 00 88
3969 : 13 02
396B : 44 00 09
396E : C3
396F : 5D 08
3971 : 0F F0
3973 : 12 09
3975 : 02 BF
3977 : F9
3978 : 8E 3E D6
397B : 7D 40 BE
397E : 06 1A
3980 : 88 24 50 30
3984 : 88 00 90 32
3988 : 72 04 06
398B : EB
398C : 12 90
398E : 14 91
3990 : 02 08
3992 : 72 02 06
3995 : 88 00 90 30
3999 : E5
399A : 8E 3A 83
399D : 75 EF B6
39A0 : 8E 3A E4
39A3 : 8E 3F 88
39A6 : 72 97 0A
39A9 : 92 0A
39AB : 8E E7 D1
39AE : 72 6A 0A
39B1 : 92 0A
39B3 : 52 0C
39B5 : 8E 3A FC
39B8 : 7D 67 08
39BB : 06 01
39BD : E2
39BE : 52 08
39C0 : A6 01 3D FC
39C4 : 80 35
39C6 : 8E 3C A0
39C9 : C7
39CA : 04 F4
39CC : C5
39CD : AA 00 A0
39D0 : 2D FB
39D2 : 0F 02
39D4 : 2C FB
39D6 : AB 00 7C
39D9 : C3
39DA : 5D 08
39DC : 0F EF
39DE : 12 D9
inc B
; |
cmp #40h,B
; |
jlo 393Fh
; |
call 3ED6h
;Set05h.1JmpGlitchPrevent
clr B
;clear B
mov *CardSwapRecvKeysub1h[B]
mov A,24h
; |and put it in 2 4h
mov *CardSwapRecvKeysub2h[B]
xor 24h,A
; |and XOR it with byte retrieved
mov A,*00A4h[B]
; |put 8 byte result from A4h-AFh
inc B
; |
cmp #08h,B
; |
jlo 394Bh
; |
call 37B3h
clr B
clr 09h
trap 13
mov A,02h
mov *0088h[B],A
xor 02h,A
or 00h,09h
inc B
cmp #08h,B
jlo 3963h
mov 09h,A
jz 3936h
rts
call 3ED6h
cmp #40h,PktInsByte
jnz 399Ah
movw #CMD0C_2bytes+2chksumh,2
movw #0090h,31h :32h
mov #04h,06h
trap 4
mov 90h,A
or 91h,A
jz 399Ah
mov #02h,06h
movw #0090h,2Fh :30h
trap 10
call 3A83h
and #0EFh,0B6h
call 3AE4h
call 3F88h
mov #97h,0Ah
setrk 0Ah
call 0E7D1h
mov #6Ah,0Ah
setrk 0Ah
mov #0Ch,B
call 3AFCh
cmp #67h,08h
jnz 39BEh
trap 13
mov #08h,B
btjo #01h,ASICStatus,39C0h
mov ASIC->Byte,A
call 3CA0h
dec B
jp 39C0h
clr B
mov *00A0h[B],A
cmp #0FBh,A
jlo 39D6h
sub #0FBh,A
mov A,*007Ch[B]
inc B
cmp #08h,B
jlo 39CDh
mov 0D9h,A
Page A-36
39E0 : 88 E9 1F 30
39E4 : B0
39E5 : 02 04
39E7 : 88 EA 3F 30
39EB : 98 30 2A
39EE : 72 A3 0A
39F1 : 92 0A
39F3 : 12 D9
39F5 : 8E E8 9F
39F8 : 72 6A 0A
39FB : 92 0A
39FD : C5
39FE : E2
39FF : D0 07
3A01 : A8 01 5C 30
3A05 : EE
3A06 : 13 07
3A08 : AB 00 60
3A0B : C3
3A0C : 5D 08
3A0E : 02 0D
3A10 : 7D 67 08
3A13 : 02 E9
3A15 : 5D 05
3A17 : 0F E5
3A19 : D5 07
3A1B : 00 E4
3A1D : F7 80 3D
3A20 : FF
3A21 : C5
3A22 : F7 08 3D
3A25 : AA 00 60
3A28 : A6 01 3D FC
3A2C : 21 30
3A2E : C3
3A2F : 5D 07
3A31 : 0F F2
3A33 : 88 39 07 2C
3A37 : 77 80 1E 04
3A3B : 88 39 10 2C
3A3F : 8E 38 EE
3A42 : 12 67
3A44 : A6 01 3D FC
3A48 : 21 30
3A4A : C5
3A4B : A6 01 3D FC
3A4F : 80 35
3A51 : AB 00 7C
3A54 : C3
3A55 : 5D 08
3A57 : 0F F2
3A59 : 98 2A 30
3A5C : 72 A3 0A
3A5F : 92 0A
3A61 : 12 D9
3A63 : D5 03
3A65 : 8E E8 D5
3A68 : 72 6A 0A
3A6B : 92 0A
3A6D : 7D 08 03
3A70 : F4 06 C2 7A
3A74 : B0
3A75 : 02 1B
3A77 : 77 02 1E 05
3A7B : 52 01
3A7D : 8E 3E A3
3A80 : 8C DC DF
movw #0E91Fh,2Fh :30h
tst A
jz 39EBh
movw #0EA3Fh,2Fh :30h
movw 2Fh :30h,29h :2Ah
mov #0A3h,0Ah
setrk 0Ah
mov 0D9h,A
call 0E89Fh
mov #6Ah,0Ah
setrk 0Ah
clr B
trap 13
mov A,07h
movw #015Ch[B],2Fh :30h
trap 1
xor 07h,A
mov A,*0060h[B]
inc B
cmp #08h,B
jz 3A1Dh
cmp #67h,08h
jz 39FEh
cmp #05h,B
jlo 39FEh
clr 07h
jmp 3A01h
mov #80h,ASICStatus
nop
clr B
mov #08h,ASICStatus
mov *0060h[B],A
btjo #01h,ASICStatus,3A28h
mov A,Byte->Asic
inc B
cmp #07h,B
jlo 3A25h
movw #3907h,2Bh :2Ch
btjz #80h,1Eh,3A3Fh
movw #3910h,2Bh :2Ch
call LoadP32,34,3Dw/TableByte
mov 67h,A
btjo #01h,ASICStatus,3A44h
mov A,Byte->Asic
clr B
btjo #01h,ASICStatus,3A4Bh
; |wait for ASIC
mov ASIC->Byte,A
; |get byte from ASIC to A
mov A,*007Ch[B]
; |put it in 7Ch+B
inc B
; |increment B
cmp #08h,B
; |
jlo 3A4Bh
; |
movw 29h :2Ah,2Fh :30h
;copy 29 :2A -> 2F :30
mov #0A3h,0Ah
;put #A3 in 0A
setrk 0Ah
;and set rom key to #A3
mov 0D9h,A
;copy D9h into A
clr 03h
;clear 03h
call 0E8D5h
;call E8D5?
mov #6Ah,0Ah
;then restore #6A
setrk 0Ah
;rom key
cmp #08h,03h
;compare 03h to #08
bnz CallLoop
;if they don't match, call loop
tst A
;else clear the status register
jz 3A92h
btjz #02h,1Eh,3A80h
mov #01h,B
call 3EA3h
br DiscardPktLenBytes
3A83 : 52 08
3A85 : A6 01 3D FC
mov #08h,B
btjo #01h,ASICStatus,3A85h
;set B to #08
; |wait for ASIC
Page A-37
3A89 : 80 35
3A8B : 8E 3C 96
3A8E : C7
3A8F : 04 F4
3A91 : F9
:
3A92 : 74 10 B6
3A95 : 88 00 B0 2A
3A99 : 88 00 3B 2E
3A9D : 72 02 07
3AA0 : 8E DB D8
3AA3 : 7D 40 BE
3AA6 : 06 D8
3AA8 : F7 80 3D
3AAB : 88 39 0A 2C
3AAF : F7 08 3D
3AB2 : 8E 38 EE
3AB5 : F7 28 3D
3AB8 : C5
3AB9 : AA 00 A0
3ABC : A6 01 3D FC
3AC0 : 21 30
3AC2 : C3
3AC3 : 5D 07
3AC5 : 06 05
3AC7 : F7 24 3D
3ACA : 00 ED
3ACC : F7 28 3D
3ACF : 5D 0F
3AD1 : 0F E6
3AD3 : 88 39 13 2C
3AD7 : 8E 38 EE
3ADA : 12 AF
3ADC : A6 01 3D FC
3AE0 : 21 30
3AE2 : 00 9C
3AE4 : 88 39 04 2C
3AE8 : 77 80 1E 04
3AEC : 88 39 0D 2C
3AF0 : 8E 38 EE
3AF3 : 12 D8
3AF5 : A6 01 3D FC
3AF9 : 21 30
3AFB : F9
mov ASIC->Byte,A
call 3C96h
dec B
jp 3A85h
rts
3AFC : B5
3AFD : 8E 3C A0
3B00 : 12 D8
3B02 : C7
3B03 : 04 F8
3B05 : F9
clr A
3B06 : 32 11
3B08 : 7D 60 BE
3B0B : 06 06
3B0D : 8E FF BC
3B10 : 23 17
3B12 : F9
mov 11h,B
cmp #60h,PktInsByte
jnz 3B13h
call 0FFBCh
xor #17h,A
rts
3B13 : 12 BE
3B15 : 25 0F
3B17 : 2D 0A
3B19 : 06 11
3B1B : 12 D4
3B1D : 02 03
3B1F : 8C FF B6
3B22 : 76 20 C1 03
3B26 : 8C FF 9E
3B29 : 8C FF AE
mov PktInsByte,A
and #0Fh,A
cmp #0Ah,A
jnz 3B2Ch
mov 0D4h,A
jz 3B22h
br 0FFB6h
btjo #20h,0C1h,3B29h
br 0FF9Eh
br 0FFAEh
or #10h,0B6h
movw #00B0h,29h :2Ah
movw #003Bh,2Dh :2Eh
mov #02h,07h
call 0DBD8h
cmp #40h,PktInsByte
jnz 3A80h
mov #80h,ASICStatus
movw #390Ah,2Bh :2Ch
mov #08h,ASICStatus
call LoadP32,34,3Dw/TableByte
mov #28h,ASICStatus
clr B
mov *00A0h[B],A
btjo #01h,ASICStatus,3ABCh
mov A,Byte->Asic
inc B
cmp #07h,B
jnz 3ACCh
mov #24h,ASICStatus
jmp 3AB9h
mov #28h,ASICStatus
cmp #0Fh,B
jlo 3AB9h
movw #3913h,2Bh :2Ch
call LoadP32,34,3Dw/TableByte
mov 0AFh,A
btjo #01h,ASICStatus,3ADCh
mov A,Byte->Asic
jmp 3A80h
movw #3904h,2Bh :2Ch
btjz #80h,1Eh,3AF0h
movw #390Dh,2Bh :2Ch
call LoadP32,34,3Dw/TableByte
mov 0D8h,A
btjo #01h,ASICStatus,3AF5h
mov A,Byte->Asic
rts
; |then retrieve byte from ASIC to A
; |send it back to ASIC
; |
; +-----loop 8x
;and return
;set B6h.4
;set 29 :2A to B0h
;set 2D :2E to 3Bh
;copy #02 to 07h
call 3CA0h
mov 0D8h,A
dec B
jp 3AFDh
rts
Page A-38
3B2C : 7D 56 BE
>FF9E
3B2F : 02 F5
3B31 : 8C FF A6
cmp #56h,PktInsByte
jz 3B26h
br 0FFA6h
3B34 : 7D 60 BE
3B37 : 06 05
3B39 : 88 2E 20 2A
3B3D : F9
cmp #60h,PktInsByte
jnz 3B3Eh
movw #CMD82VerifyKeyh,29h :2A
rts
3B3E : 12 D4
3B40 : 02 05
3B42 : 88 25 D0 2A
3B46 : F9
mov 0D4h,A
jz 3B47h
movw #TertiaryZKTh,29h :2Ah
rts
3B47 : 76 20 C1 05
3B4B : 88 25 50 2A
3B4F : F9
btjo #20h,0C1h,3B50h
movw #PrimaryZKTh,29h :2Ah
rts
3B50 : 88 25 90 2A
3B54 : F9
movw #SecondaryZKTh,29h :2Ah
rts
;set 2B :2C to 264F if INS<>60
3B55 : 7D 60 BE
cmp #60h,PktInsByte
3B58 : 06 1A
jnz 3B74h
3B5A : 8E 33 8D
call 338Dh
3B5D : 2D 03
cmp #03h,A
3B5F : 06 05
jnz 3B66h
3B61 : 88 2E 7F 2C
movw #2E7Fh,2Bh :2Ch
3B65 : F9
rts
3B66 : 2D 04
3B68 : 06 05
3B6A : 88 2E 4F 2C
3B6E : F9
cmp #04h,A
jnz 3B6Fh
movw #2E4Fh,2Bh :2Ch
rts
3B6F : 88 00 7F 2C
3B73 : F9
movw #007Fh,2Bh :2Ch
rts
;Set 2B :2C to 264F
3B74 : 88 26 4F 2C
3B78 : F9
:
3B79 : 7D 60 BE
3B7C : 06 1D
3B7E : 8E 33 8D
3B81 : 2D 03
3B83 : 06 06
3B85 : F4 CA 2C 2E 4F
3B8A : F9
3B8B : 2D 04
3B8D : 06 06
3B8F : F4 CA 2C 2E 1F
3B94 : F9
3B95 : F4 CA 2C 00 5F
3B9A : F9
3B9B : F4 CA 2C 26 0F
3BA0 : F9
;INS54
3BA1 : 8E 3E D6
3BA4 : 77 10 B8 2F
3BA8 : D5 08
3BAA : D5 B8
3BAC : 77 08 D0 08
3BB0 : 72 16 08
3BB3 : 74 04 B8
3BB6 : 00 51
;if INS56, branch to 3B26-
;compare if INS60
;if not, jump to 3B74
movw #264Fh,2Bh :2Ch
rts
cmp #60h,PktInsByte
jnz 3B9Bh
call 338Dh
cmp #03h,A
jnz 3B8Bh
cmpw 2Bh:2Ch,#2E4Fh
rts
cmp #04h,A
jnz 3B95h
cmpw 2Bh:2Ch,#2E1Fh
rts
cmpw 2Bh:2Ch,#005Fh
rts
cmpw 2Bh:2Ch,#260Fh
rts
call 3ED6h
btjz #10h,0B8h,3BD7h
clr 08h
clr 0B8h
btjz #08h,CardStatus,3BB8h
mov #16h,08h
or #04h,0B8h
jmp 3C09h
;Set 05h.1, jump to glitch prevention
;if B8h.4 is zero, branch to 3BD7
;if B8h.4 is set, clear 08h
;clear B8h
;if CardStatus D0h.3 is zero, branch to 3BB8
;put #16 in 08h
;set B8h.2
;jump to 3C09
;--D0h.3 is clear, B8h.4 is set
Page A-39
3BB8 : 76 40 B5 4D
3BBC : 88 01 76 30
3BC0 : 88 00 A0 32
3BC4 : 72 08 06
3BC7 : 8E E5 B7
3BCA : D5 A8
3BCC : D5 A9
3BCE : 74 01 B8
3BD1 : 8E 3C 74
3BD4 : 89 00 96
;--B8h.4 is clear
3BD7 : C5
3BD8 : AA 24 F4
3BDB : D0 0B
3BDD : AA 00 A0
3BE0 : 43 00 0B
3BE3 : AA 2A E4
3BE6 : 13 0B
3BE8 : AB 00 A0
3BEB : C3
3BEC : 5D 0C
3BEE : 0F E8
3BF0 : 8E DE D9
3BF3 : 8E DF 61
3BF6 : 7D 17 C6
3BF9 : 06 03
3BFB : 72 04 B8
3BFE : 77 08 B8 03
3C02 : 74 02 D1
3C05 : 76 01 B8 0F
btjo #40h,0B5h,3C09h
movw #0176h,2Fh :30h
movw #00A0h,31h :32h
mov #08h,06h
call 0E5B7h
clr 0A8h
clr 0A9h
or #01h,0B8h
call 3C74h
jmpl 3C6Dh
;clear A8h
;clear A9h
clr B
mov *VideoCryptKey[B],A
mov A,0Bh
mov *00A0h[B],A
xor 00h,0Bh
mov *VideoKeyCrypt[B],A
xor 0Bh,A
mov A,*00A0h[B]
inc B
cmp #0Ch,B
jlo 3BD8h
call SetVideoBasedonBits
call 0DF61h
cmp #17h,0C6h
jnz 3BFEh
mov #04h,0B8h
btjz #08h,0B8h,3C05h
or #02h,0D1h
btjo #01h,0B8h,3C18h
;--B5h.6 is set, D0h.3 is clear, B8h.4 is set
3C09 : C5
clr B
3C0A : B5
clr A
3C0B : AB 00 A0
mov A,*00A0h[B]
3C0E : AB 00 88
mov A,*0088h[B]
3C11 : C3
inc B
3C12 : 5D 0A
cmp #0Ah,B
3C14 : 0F F5
jlo 3C0Bh
3C16 : 00 37
jmp 3C4Fh
;--B8h.0 is set
3C18 : C5
3C19 : 88 01 76 2C
3C1D : A6 01 3D FC
3C21 : 80 35
3C23 : 8E 3C A0
3C26 : A8 01 76 30
3C2A : EE
3C2B : 13 D8
3C2D : 9B 2C
3C2F : 70 01 2C
3C32 : C3
3C33 : 5D 0A
3C35 : 0F E6
3C37 : FF
3C38 : 8E 2D 2E
3C3B : C5
3C3C : 9A 2C
3C3E : AB 00 A0
3C41 : AB 00 88
3C44 : B5
3C45 : 9B 2C
3C47 : C3
3C48 : 70 01 2C
3C4B : 5D 0A
3C4D : 0F ED
3C4F : 77 40 B7 03
3C53 : 8E 3D 90
;if B5h.6 is set, branch to 3C09
;else move #0176 into 2F :30
;put #00A0 in 31 :32
;put #08 in 06h
;set B8h.0
;Transmit A0-AC to IRD
;then branch to 3CD6
;clear B
; |Encrypt A0-AB with 12-byte VideoCryptKey
; |
; |
; |
; |
; |
; |
; |
; |
; |loop
;set video based on bits
;clear 08h based on bits
;check if C6=#17
;if not, branch to 3BFE
;clear B8h, set B8h.2
;if B8h.3 is clear, branch to 3C05
;set D1h.1
;if B8h.0 is set, branch to 3C18
;clear B
;clear A
; |
; |clear A0-A9, clear 88-91
; |
; |
; |loop 10 times
;branch to 3C4F
clr B
;clear B
movw #0176h,2Bh :2Ch
;put #0176 in 2B :2C
btjo #01h,ASICStatus,3C1Dh ;wait for ASIC
mov ASIC->Byte,A
;copy byte from ASIC into A
call 3CA0h
movw #0176h[B],2Fh :30h
trap 1
xor 0D8h,A
mov A,*2Bh :2Ch
incw #01h,2Bh :2Ch
inc B
cmp #0Ah,B
jlo 3C1Dh
nop
;USW 0800 replaces movw #0176, 2Bh:2Ch
call 2D2Eh
clr B
mov *2Bh :2Ch,A
mov A,*00A0h[B]
mov A,*0088h[B]
clr A
mov A,*2Bh :2Ch
inc B
incw #01h,2Bh :2Ch
cmp #0Ah,B
jlo 3C3Ch
btjz #40h,0B7h,3C56h
call 3D90h
Page A-40
3C56 : 76 01 B6 04
3C5A : D5 A8
3C5C : D5 A9
3C5E : 8E 3C 74
3C61 : C5
3C62 : AA 00 88
3C65 : AB 00 A0
3C68 : C3
3C69 : 5D 08
3C6B : 0F F5
3C6D : 98 D6 C3
3C70 : 98 A7 D6
3C73 : F9
btjo #01h,0B6h,3C5Eh
clr 0A8h
clr 0A9h
call 3C74h
clr B
mov *0088h[B],A
mov A,*00A0h[B]
inc B
cmp #08h,B
jlo 3C62h
movw 0D5h :0D6h,0C2h :0C3h
movw 0A6h :0A7h,0D5h :0D6h
rts
;return 3C26 end trace of INS54
;TransmitA0-ACtoIRD
3C74 : 42 B5 AA
3C77 : 12 B8
3C79 : 25 07
3C7B : D0 AB
3C7D : 32 C7
3C7F : 34 C8
3C81 : 02 05
3C83 : 74 01 D2
3C86 : D5 08
3C88 : 42 08 AC
3C8B : C5
3C8C : AA 00 A0
3C8F : E1
3C90 : C3
3C91 : 5D 0D
3C93 : 0F F7
3C95 : F9
mov 0B5h,0AAh
;put B5h in AAh
mov 0B8h,A
;copy B8h to A
and #07h,A
;strip all but bottom 3 bits
mov A,0ABh
;and put it in AB
mov 0C7h,B
;copy C7 to B
or 0C8h,B
;then OR it with C8h
jz 3C88h
;if result is zero, jump to 3C88
or #01h,0D2h
;otherwise, set D2h.0
clr 08h
;clear 08h
mov 08h,0ACh
;and put 08h into ACh
clr B
;clear B
mov *00A0h[B],A
; |Transmit 12 bytes in A0-AC to IRD
trap 14
; |
inc B
; |
cmp #0Dh,B
; |
jlo 3C8Ch
; |loop
rts
;return
3C96 : A6 01 3D FC
3C9A : 21 30
3C9C : 8E 3C A0
3C9F : F9
btjo #01h,ASICStatus,3C96h
mov A,Byte->Asic
call 3CA0h
rts
;wait for ASIC
;then send A to ASIC
3CA0 : B8
3CA1 : C8
3CA2 : D5 DB
3CA4 : D5 DC
3CA6 : D0 D8
3CA8 : 7B 05 DC
3CAB : 32 DB
3CAD : AA 00 A8
3CB0 : 1B D8
3CB2 : AB 00 A8
3CB5 : D0 DA
3CB7 : AA 00 A0
3CBA : 13 DA
3CBC : AB 00 A0
3CBF : 13 DC
3CC1 : 25 1F
3CC3 : C0
3CC4 : AA 3C F2
3CC7 : D0 DA
3CC9 : 32 DB
3CCB : 53 06
3CCD : AA 00 A8
3CD0 : 13 DA
3CD2 : AB 00 A8
3CD5 : B0
3CD6 : BD
3CD7 : D0 DA
3CD9 : 32 DB
3CDB : 53 05
3CDD : AA 00 A0
3CE0 : 1C DA
3CE2 : AB 00 A0
push A
push B
clr 0DBh
clr 0DCh
mov A,0D8h
add
mov 0DBh,B
mov
add 0D8h,A
mov
mov A,0DAh
mov
xor 0DAh,A
mov
xor 0DCh,A
and #1Fh,A
mov A,B
mov
mov A,0DAh
mov 0DBh,B
xor #06h,B
mov
xor 0DAh,A
mov
tst A
rrc A
mov A,0DAh
mov 0DBh,B
xor #05h,B
mov
sub 0DAh,A
mov
;save A & B on stack
;
;clear DCh & DBh
;
;copy A to D8h
; |add #05 to DC
; |copy DB into B
; |copy byte from (A8+B) into A
; |add D8h to A
; |put result in (A8+B)
; |and DA
; |copy byte from (A0+B) into A
; |XOR byte with byte in DA
; |put result in (A0+B)
; |xor with byte in DC
; |strip off top three bits
; |copy into B
; |put byte at 3CF2+B into A
; |then into DA
; |copy DB into B
; |xor B with #06
; |put byte at A8+B into A
; |xor that with byte in DA
; |copy result into A8+B
; |clear carry bit
; |divide A by 2
; |and put result in DA
; |put DB in B
; |and XOR with #05
; |put A0+B in A
; |subtract DA from result
; |and put back in A0+B
#05h,0DCh
*00A8h[B],A
A,*00A8h[B]
*00A0h[B],A
A,*00A0h[B]
*3CF2h[B],A
*00A8h[B],A
A,*00A8h[B]
*00A0h[B],A
A,*00A0h[B]
Page A-41
3CE5 : 43 00 D8
3CE8 : D3 DB
3CEA : 7D 08 DB
3CED : 0F B9
3CEF : C4
3CF0 : B4
3CF1 : F9
xor 00h,0D8h
inc 0DBh
cmp #08h,0DBh
jlo 3CA8h
pop B
pop A
rts
; |xor D8 with A
; |increment DB
; |compare #08 with DB
; |if lower, loop back to 3CA8
;
;restore A & B
;and return
;UNKNOWN (ref by 3CC4)
3CF2 : BF
rlc A
3CF3 : 12 93
mov 93h,A
3CF5 : 92 42
setrk 42h
3CF7 : AF E7 E3
callr *@E7E3h [B]
3CFA : B2
swap A
3CFB : C6
tst B xchb B
3CFC : B8
push A
3CFD : 91 80
mov p80h,B
3CFF : B4
pop A
3D00 : E8
trap 7
3D01 : 73 9E F7
xor #9Eh,F7h
3D04 : 5D FD
cmp #FDh,B
3D06 : A0
db
3D07 : 82 F9
mov A,pF9h unknown
3D09 : 6F
db
3D0A : 25 17
and #17h,A
3D0C : 7D 0B 55
cmp #0Bh,55h
3D0F : 97 0C 80
btjz B,p0Ch,3C92h
3D12 : 22 67
mov #67h,A
;ref by 28B6
3D14 : 8E E0 6F
3D17 : 74 04 25
3D1A : 22 08
3D1C : 8E E0 6F
3D1F : 8E 3A 83
3D22 : 8E 3A E4
3D25 : 8E 3F 88
3D28 : 72 97 0A
3D2B : 92 0A
3D2D : 8E E7 D1
3D30 : 72 6A 0A
3D33 : 92 0A
3D35 : 52 0A
3D37 : 8E 3A FC
3D3A : 88 39 01 2C
3D3E : 8E 38 EE
3D41 : C5
3D42 : A6 01 3D FC
3D46 : 80 35
3D48 : 8E 3C 96
3D4B : 12 D8
3D4D : 8E E0 6F
3D50 : C3
3D51 : 5D 08
3D53 : 0F ED
3D55 : F9
3D56 : 8E FA 27
3D59 : B0
3D5A : 06 F9
3D5C : 88 00 68 30
3D60 : 88 24 58 32
3D64 : 72 04 06
3D67 : ED
3D68 : C5
3D69 : AA 26 88
3D6C : D0 07
3D6E : AA 3F 80
3D71 : 43 00 07
3D74 : AA 00 60
3D77 : 13 07
call E06Fh
or #04h,25h
mov #08h,A
call E06Fh
call 3A83h
call 3AE4h
call 3F88h
mov #97h,0Ah
setrk 0Ah
call E7D1h
mov #6Ah,0Ah
setrk 0Ah
mov #0Ah,B
call 3AFCh
movw #3901h,rpd 2Ch-1h :2Ch
call 38EEh
clr B
btjo #01h,p3Dh,3D42h
mov p35h,A
call 3C96h
mov D8h,A
call E06Fh
inc B
cmp #08h,B
jlo 3D42h
rts
call FA27h
clrc & tst A
jnz 3D55h
movw #0068h,rpd 30h-1h :30h
movw #2458h,rpd 32h-1h :32h
mov #04h,06h
trap 2
clr B
mov *2688h [B],A
mov A,07h
mov *3F80h [B],A
xor 00h,07h
mov *0060h [B],A
xor 07h,A
Page A-42
3D79 : AB 00 60
3D7C : C3
3D7D : 5D 08
3D7F : 0F E8
3D81 : 72 60 15
3D84 : 88 26 90 2A
3D88 : 72 08 04
3D8B : E7
3D8C : 74 20 D1
3D8F : F9
mov A,*0060h [B]
inc B
cmp #08h,B
jlo 3D69h
mov #60h,15h
movw #2690h,rpd 2Ah-1h :2Ah
mov #08h,04h
trap 8
or #20h,D1h
rts
3D90 : 88 24 60 30
3D94 : 88 00 ED 32
3D98 : 72 04 06
3D9B : EB
(end trap 4 call 3E08)
3D9C : 72 04 07
3D9F : D5 06
3DA1 : 32 06
3DA3 : AA 00 A0
3DA6 : D0 04
3DA8 : 55 03
3DAA : AA 00 ED
3DAD : D0 05
3DAF : 32 06
3DB1 : C3
3DB2 : 55 07
3DB4 : AA 00 A0
3DB7 : 4B 00 05
retrieved from EDh+B
3DBA : C8
3DBB : 55 03
3DBD : AA 00 ED
3DC0 : D0 09
3DC2 : 32 04
3DC4 : 3C 00
3DC6 : 55 3F
3DC8 : 8E 3E 08
ZKTModulusN
3DCB : 43 00 05
result
3DCE : 12 04
3DD0 : 13 09
from EDh+B
3DD2 : BD
3DD3 : B0
3DD4 : BD
3DD5 : C0
3DD6 : 8E 3E 08
ZKTModulusN
3DD9 : BE
3DDA : 1B 05
3DDC : C4
3DDD : AB 00 A0
3DE0 : C5
3DE1 : D8 F0
3DE3 : AA 00 ED
3DE6 : D002
3DE8 : B0
3DE9 : BF
3DEA : D0 03
3DEC : B4
3DED : D8 02
3DEF : 25 80
3DF1 : BE
3DF2 : 14 03
3DF4 : AB 00 ED
3DF7 : C3
3DF8 : 77 04 01 E7
3DFC : B4
movw #CurrentIRD#,2Fh :30h
movw #00EDh,31h :32h
mov #04h,06h
Trap 4
;set 2F :30 to CurrentIRD#
;set 31 :32 to 00EDh
;set 06h to #04
;Decrypt CurrentIRD# and store in ED-F0
mov #04h,07h
clr 06h
mov 06h,B
mov
mov A,04h
and #03h,B
mov
mov A,05h
mov 06h,B
inc B
and #07h,B
mov
add
;set 07h to #04
; |clear 06h
; | |put 06h in B
; | |copy byte @A0h+B into A
; | |and into 04h
; | |make B a # between 0 and 3
; | |copy byte @EDh+B into A
; | |and into 05h
; | |copy 06h to B
; | |and increment
; | |make it a # between 0 and 7
; | |copy byte @A0+B into A
; | |and add that to byte in 05h
*00A0h[B],A
*00EDh[B],A
*00A0h[B],A
00h,05h
push B
and #03h,B
mov *00EDh[B],A
mov A,09h
mov 04h,B
sub 00h,B
and #3Fh,B
call 3E08h
;
;
;
;
;
;
;
xor 00h,05h
call 3E08h
rl A
add 05h,A
pop B
mov A,*00A0h[B]
clr B
push 0F0h
mov *00EDh[B],A
mov A,02h
tst A
rlc A
mov A,03h
pop A
push 02h
and #80h,A
rl A
or 03h,A
mov A,*00EDh[B]
inc B
btjz #04h,01h,3DE3h
pop A
|save B to stack
|and make B a # between 0 and 3
|copy byte @EDh+B into A
|and into 09h
|copy 04h into B
|subtract A from B
|make B an offset between 0-3F (64d)
; | |process byte with
; | |and xor byte in 05h with
mov 04h,A
xor 09h,A
rrc A
tst A
rrc A
mov A,B
|
|
|
|
|
|
|
; | |copy 04h into A
; | |and XOR it with byte at 09h retrieved
; | |divide A by 2
; | |clear status bits
; | |divide A by 2
; | |and copy into B
; | |process byte with
; |
; |
; |
; |
; | |shift bits in result to the left
; | |add 05h to result
; | |restore B
; | |put processed byte in A0h+B
; | |clear B
|push F0h onto stack
; | | |copy byte @EDh+B into A
; | | |and into 02h
; | | |clear status register
; | | |multiply A by 2
; | | |and put result in 03h
; | | |get F0h value off stack and into A
| |push 02h onto stack
; | | |strip all but bit 7 of A
; | | |shift the bits to the left
| |OR it with 03h
; | | |and put it in EDh+B
; | | |increment B
| +---if bit 6 of B is clear, jump back to 3DE3
; | |pop 02h off stack and into A
Page A-43
3DFD : D3 06
3DFF : 77 08 06 9E
3E03 : D7 07
3E05 : 04 98
3E07 : F9
inc 06h
btjz #08h,06h,3DA1h
dec 07h
jp 3D9Fh
rts
; | |increment 06h
; | +-------if bit 7 of 06h is clear, jump back to 3DA1
; |decrement 07h
; +---if 07h is positive, jump back to 3D9F
;return
3E08 : 8E FF B6
call 0FFB6h
@F0BD+B and XOR it with #98
3E0B : 7D 00 D4
cmp #00h,0D4h
3E0E : 06 F7
jnz 3E07h
3E10 : 8C FF 9E
br 0FF9Eh
from PrimaryZKTModulusN+B, XOR it with #83, then return
3E13 : 00 12 01 01
3E17 : 25 00 20 08
3E1B : 00 1E 01 01
3E1F : 24 10 08 08
3E23 : 00 1A 01 01
3E27 : 24 06 02 08
3E2B : 00 13 01 01
3E2F : 25 20 20 08
3E33 : 00 2D 01 01
3E37 : 24 08 04 08
3E3B : 00 D0 01 01
3E3F : 24 65 01 08
3E43 : 00 2E 01 01
3E47 : 24 68 20 08
3E4B : 00 4E 01 01
3E4F : 24 5C 04 08
3E53 : 00 58 01 01
3E57 : 24 E0 01 08
3E5B : 00 F3 01 01
3E5F : 24 A4 04 08
3E63 : 00 19 01 01
3E67 : 24 64 01 08
3E6B : 00 FE 01 01
3E6F : 24 0C 04 08
3E73 : 00 41 01 01
3E77 : 21 06 04 08
3E7B : C9 F4 00 00
3E7F : 00 45 01 01
3E83 : 24 88 1C 08
3E87 : 00 F8 01 01
3E8B : 20 24 09 08
3E8F : CA 36 00 00
3E93 : CA 75 00 00
3E97 : CA B1 00 00
3E9B : 00 44 01 01
3E9F : 24 E8 0C 08
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
db
;Get Byte from ZKT#
;
;if D4h <> 0, br ret_3E07
;if D4h = 0, br FF9E, get byte
; 0012h 01 byte 01=ram
; 2500h 20 bytes 08=eeprom
; 001Eh
; 2410h
; 001Ah
; 2406h
; 0013h
; 2520h
; 002Dh
; 2408h
; 00D0h
; 2465h
; 002Eh
; 2468h
; 004Eh
; 245Ch
; 0058h
; 24E0h
; 00F3h
; 24A4h
; 0019h
; 2464h
; 00FEh
; 240Ch
; 0041h
; 2106h
; call C9F4
; 0045h
; 2488h
; 00F8h
; 2024h
; call CA36
; call CA75
; call CAB1
; 0044h
; 24E8h
3EA3 : B8
3EA4 : A8 2A D0 2A
3EA8 : 9A 2A
3EAA : B3
3EAB : 02 03
3EAD : 8E E6 8E
ErrorCountTable
3EB0 : B4
3EB1 : F9
push A
movw #ErrorCountTableh[B],29h
mov *29h :2Ah,A
inc A
jz 3EB0h
call WriteAto29 :2Ah
pop A
rts
;then restore A
;and return
3EB2 : 22 3C
3EB4 : 8E 3E CB
3EB7 : 42 04 FE
3EBA : D5 0E
3EBC : 8E EC A5
FCh (ROM)
3EBF : D3 0E
3EC1 : 4D FD 0E
3EC4 : 0F F6
3EC6 : 42 FE 04
mov #3Ch,A
call SetRomKeytoAh
mov 04h,0FEh
clr 0Eh
call 0ECA5h
;put a #3C in A
;change ROM decryption key to 3C
;put byte in 04h in FEh
inc 0Eh
cmp 0FDh,0Eh
jlo 3EBCh
mov 0FEh,04h
;save A to stack
;set 29 :2A to ErrorCountTable
;get byte from ErrorCountTable
;and increment it by one
;if zero (?) restore A and return
;else write incremented A to
;clear 0Eh
; |Decrypt DDh-ECh with EDh;|
;|
; |loop until 0E=FDh
;put FEh in 04h
Page A-44
3EC9 : 22 6A
mov #6Ah,A
;SetRomKeytoA
3ECB : D0 0A
3ECD : 92 0A
3ECF : F9
mov A,0Ah
setrk 0Ah
rts
;MainLoopRoutines
3ED0 : 8E 3E D6
3ED3 : 8C C1 A4
startup
;set A to #6A
;put A in 0A
;set ROM key to value in 0A
;and return
call 3ED6h
br 0C1A4h
;Set05h.1JmpGlitchPrevent
3ED6 : 72 02 05
mov #02h,05h
3ED9 : 8C C2 04
br 0C204h
in ROM
;INS32
3EDC : E2
3EDD : C0
3EDE : 76 04 D1 03
3EE2 : 75 BF D3
3EE5 : 75 F7 CF
3EE8 : 8C C9 59
3EEB : 76 01 CF 1B
3EEF : 2D 7F
3EF1 : 06 17
3EF3 : 8E 29 8C
3EF6 : 8E C2 4C
3EF9 : 8A 2F 04
3EFC : 02 0A
3EFE : 88 2E 20 2A
in 29:2A
3F02 : 72 C0 04
3F05 : 8E E6 A0
3F08 : 22 7F
3F0A : 7D 5E BE
3F0D : 06 0E
3F0F : 7D 01 12
3F12 : 06 09
3F14 : D3 1D
3F16 : 7D 08 1D
3F19 : 06 02
3F1B : 22 01
set A to#01
3F1D : 8C C0 0B
;INS46-PurchasePPV
3F20 : 77 02 12 10
3F24 : 8E D0 EE
3F27 : 8E DE D9
3F2A : 76 08 B8 03
3F2E : 75 BF B4
3F31 : 8C CC 4E
3F34 : 8C CC 36
3F37 : 75 FB B4
3F3A : 8C D5 9F
;set 05h.1
;Clear RAM areas, resume
;jump to glitch prevention routine
trap 13
mov A,B
btjo #04h,0D1h,3EE5h
and #0BFh,0D3h
and #0F7h,0CFh
br 0C959h
btjo #01h,0CFh,3F0Ah
cmp #7Fh,A
jnz 3F0Ah
call Encrypt_16bytes_with_RAM
call ClearRAMAreas
mov &2F04h,A
jz 3F08h
movw #CMD82VerifyKey,29h :2Ah
;receive byte into A
;and put a copy in B
;if D1h.3 is set, skip
;strip off bit D3h.6
;strip off bit CFh.3
;strip off bit D1h.7
;if CFh.0 is set, branch to 3F0A
;else compare A with #7F
;if they don't match, branch to 3F0A
;A=7F, so Encrypt
;then clear RAM
;put byte @2F04 (#00?) in A
;if zero, skip to 3F08
;NOT zero,put CMD82 Verify Key Address
mov #0C0h,04h
call Write(04hx#00)->EEph
mov #7Fh,A
cmp #5Eh,PktInsByte
jnz 3F1Dh
cmp #01h,PktP2Byte
jnz 3F1Dh
inc 1Dh
cmp #08h,1Dh
jnz 3F1Dh
mov #01h,A
;set 04h to #C0
;Write #00 to 2E20-2EE0
;set A to #7F
;check for INS5E
;if <> INS5E, br->C00B
;yes, INS5E, check PKTP2Byte for #01
;if <> #01, br->C00B
;increment 1D
;check 1Dh for #08
;if <> #08, br->C00B
;INS5E=yes,PKTP2Byte=#01,1Dh=#08,so
br 0C00Bh
btjz #02h,PktP2Byte,3F34h
call Ins40Ins42
call SetVideoBasedonBits
btjo #08h,0B8h,3F31h
and #0BFh,0B4h
br 0CC4Eh
br 0CC36h
and #0FBh,0B4h
br 0D59Fh
;If 2B :2C=CBB9->46h=#86
3F3D : F4 CA 2C CB B9 cmpw 2Bh:2Ch,#0CBB9h
3F42 : 06 03
jnz 3F47h
3F44 : 72 86 46
mov #86h,46h
3F47 : F9
rts
;Packet Key #1
3F48 : 00 00 00 00 00 00 00
;branch to C00B
;authorize video based on bits
;Is 2B :2C #CBB9 (jump point trap 12)
;no, so return
;yes, put #86 in 46h
;return
db
;Primary Public Key subkey2 (doubles as executable code?)
3F58 : 12 93 7D 04 06 06 03
db
Page A-45
;Secondary Public Key subkey2
3F60 : 1F 93 8E 28 56 D0 93
3F58 : 12 93
3F5A : 7D 04 06
3F5D : 06 03
3F5F : 75 1F 93
3F62 : 8E 28 56
3F65 : D0 93
3F67 : F9
mov 93h,A
cmp #04h,06h
jnz 3F62h
and #1Fh,93h
call CalculateChksm
mov A,93h
rts
;Card Specific Keys
3F68 : 00 00 00 00 00 00 00
3F70 : 00 00 00 00 00 00 00
3F78 : 00 00 00 00 00 00 00
3F80 : 00 00 00 00 00 00 00
;(Called from 39A3, 3D25)
3F88 : 72 7B 02
3F8B : 52 05
3F8D : 8E 3F
3F8F : B8
3F90 : 72 29 02
3F93 : 00 0A
3F95 : 52 0F
3F97 : AA 00 A0
3F9A : BC
3F9B : F0 08
3F9D : D0 02
3F9F : 8E 3F B3
3FA2 : AA 00 A0
3FA5 : 82 3F DF
>br3F95
3FA8 : C5
3FA9 : 22 C7
3FAB : 23 06
3FAD : 72 4B 02
3FB0 : 4B 02 00
3FB3 : 52 03
3FB5 : A4 02 20
3FB8 : AA 00 AA
3FBB : 1B 02
3FBD : AB 00 AA
3FC0 : AA 00 9F
3FC3 : CA F3
3FC5 : F9
db
db
db
db
db
mov #7Bh,02h
mov #05h,B
call 3Fh
push A
mov #29h,02h
jmp 3F9Fh
mov #0Fh,B
mov *00A0h [B],A
rr A
ldst #08h
mov A,02h
call 3FB3h
mov *00A0h [B],A
call 3FDF/retPC+XX
clr B
mov #0C7h,A
xor #06h,A
mov
add 02h,00h
mov #03h,B
or #02h,P20h
mov
add 02h,A
mov
mov
djnz B,3FB8h
rts
#4Bh,02h
*00AAh[B],A
A,*00AAh[B]
*009Fh[B],A
3FC6 : 1E 72
3FC8 : CB
3FC9 : 25 02
3FCB : 99 A8
3FCD : 66 F0
3FCF : DA
3FD0 : 23 4B
3FD2 : 00 F8
3FD4 : F5 A0
3FD6 : AB A7 00
3FD9 : 05 00
3FDB : 9F CA
3FDD : B9
3FDE : F9
compl B
and #02h,A
jmpl *0A7h :0A8h
btjo B,A,3FBFh
djnz h,3FD2h
xor #4Bh,A
jmp 3FCCh
clrb #0A0h,ST
mov A,*0A700h[B]
jpz 3FDBh
callr *0C9h :0CAh
inv A
rts
3FDF : 52 03
3FE1 : AA 00 A0
3FE4 : D0 02
3FE6 : AA 00 AC
3FE9 : 4B 00 02
3FEC : AA 3F 94
3FEF : 13 02
3FF1 : 2B 5A
mov #03h,B
mov *00A0h [B],A
mov A,02h
mov *00ACh [B],A
add 00h,02h
mov *3F94h [B],A
xor 02h,A
add #5Ah,A
;put 93h in A
;
;if 06h=#04,
;strip off top three bits of 93h first
;call 2856
;Primary Group Key subkey2
;Secondary Group Key subkey2
;Private Key subkey2
;Card Swap Receive Key subkey2
;calls 3FDF, but ret address is 3FE7;clear B
;set A to #C7
;XOR it with #06 (#C1?)
;set 02h to #4B
;add 02h (#4B) to A (#C1) (#010Ch?)
;set B to #03
;set P20h.1
; |copy AAh-ADh to A
; |Add #4B to result
; |and write back to AAh-ADh
; |copy 9Fh-A2h into A
; |
Page A-46
3FF3 : BE
3FF4 : 23 6B
3FF6 : AB 00 AC
3FF9 : CA E6
3FFB : A3 FD 20
3FFE : F9
3FF0 : 00
rl A
xor #6Bh,A
mov A,*00ACh [B]
djnz B,3FE1h
and #FDh,p20h
rts
;end of EEprom
Page A-47