
Irdeto Details and MOSC Activation v8 by 007.4

This document provides instructions for activating an Irdeto smart card for decrypting satellite television signals. It explains what hardware and software is needed, including a smart card interface and programming software. It describes the basic decryption process, how entitlement messages work, and provides examples of Irdeto commands that can be used to manipulate the smart card. Disclaimers are given that using the information to get free TV may be illegal.

Irdeto Details and MOSC Activation v8

by 007.4

I am not an expert in these matters just a hobbyist who likes to learn. I have read the FAQs, the
read.me files and postings in the various forums and then applied the knowledge gained to activate my
own card. My experience is primarily with DF* . The procedures will be similar for other countries'
Irdeto systems. I am mainly interested in how the decryption process works.
I have written this text because it would seem that no one with more knowledge than me has already
done so!

Disclaimer
If you can purchase a subscription for these TV services in your country then the procedures described
here, may well be illegal. This information is provided for educational purposes only and must not be
used to get free TV. The author accepts no responsibility for this and you do so entirely at your own
risk. There is also a small but unlikely risk that any card that you try to reprogram may be irreparably
damaged. You have been warned.

I WILL NOT SUPPLY ANY SOFTWARE THAT COULD BE USED FOR ILLEGAL
PURPOSES.
DO NOT ASK.

What you need.

A dbox or Nokia Mediamaster with Irdeto All-Cam or C-Cam (A Dutch Irdeto cam or the new Beta-
Research "Blue" cam will not work for DF1) ideally programmed with DVB 98 v80ES (Freeware) or
DVB2000 beta 36 (Shareware - so pay Uli!). You also need a Manufacturers (or Modified) Original
Smart Card (MOSC), either virgin (not officially activated) or expired.
If you have an expired card you may also want to log data traffic to the card. This can be done by two
methods:-

1. Season Interface inserted in the decoder's smart card slot and a logging program such as XS4U. You
need to apply +5 volts to the interface.

2. Serial connection by null modem cable dbox RS232 to PC RS232. Use logging programs such as
DVBLog2000 v6, DVBLog v18b4, ProLog or MasterLog v1.3b. Logging may not be possible for
packages other than the German ones. Gantenkiel's MLog v0.30a is more suitable for other packages.

To write new instructions on your card you will need a Smartmouse (or equivalent) interface with a
3.57 or 6 MHz oscillator and a program such as Cardmaster (Win95/98) [Cardmaster 1.0beta is the
latest version - in English] or CDevil (Dos but works in a W95 Dos window for me) or CardWizard
(6MHz Smartmouse only). In Cardmaster 0.7e you must save the com setting and osc. frequency and
exit, then restart the program before "connecting". Do not press "Karten Reset (Card Reset)" as this
causes a hang. After you connect, press "CRD Laden (Load CRD) " to load the *.crd you want to use.
If it does not start automatically try pulling and re-inserting your card. This initiates a reset and starts
the file. Do not pull and insert too much (you might go blind!) or worse still - kill the card. Removing
the card before disconnecting with Cardmaster1.0b causes a hang.
Tron's (may he RIP) original Irdeto 98 programs Pro_01.exe and Pro_02.exe will only work in DOS at
6MHz. They have limited capability but are virtually idiot proof.

Alternatively if you have a Phoenix interface (6 MHz only) SMC v2.0a and ICard (Win95/98) seem to
work with this - and not with the Smartmouse type. There are reports that SMC v1.0 did not fully
function. ICard (Phoenix at 6 MHz only) uses *.icp files and not the more commonly used *.crd files.

You will also need the latest Irdeto 98 commands or the latest *.crd files unless you can generate them
yourself. See later.

The Basic Theory As I See It


This may not be fully correct, but it is how I understand it. I would appreciate a more informed
description from someone in the know.

For a card to give a clear picture it has to have three data strings written in it.
1. A Date Stamp. Each day a different (consecutive) two byte date code is transmitted to the card -
e.g. 02 31.
2. Correct Channel ID. A two byte code such as FF FC or 00 05.
3. A correct Key. This is a nine byte hex string, the first byte of which is the key number.
e.g. Key 10 could be 10 BC 51 7A 74 95 50 3C 69.

Each card is given a Provider ID (three bytes such as 01 96 67). The first two bytes are the group ID
(there may be 256 decimal cards in this group) and the final byte identifies that individual card.

DF1 is provider 00 and Premiere is provider 10. Other countries mostly are on Provider 00. Each
provider gives their own providerIDs. There is one difference - MC Africa C-Band is Provider 00 but
the ECMs are sent on Provider 10!

In an ECM (Entitlement Control Message) the three data strings above are sent to each group of cards.
The date stamp and channel IDs are the same for all groups but the Keys are different for each group.
Thus each provider ID (group) must have its own individual key. However, just to confuse you, there
are some parallel (or clone) groups which use the same keys! You cannot change the provider ID
without knowing the MasterKey (00) of the card. The only way to find out the masterkey is to make a
log of the official "switch on" command, or hope someone else has done this for you. There is a
database available on the web with all(?) the logged German masterkeys.

In a virgin card the provider IDs are set at 000300 (for DF1) and 000400 (for Premiere). Other
countries use 000100, 000200 and 000500. The keys for the Super-packet and Prem 1,2 and 3 are also
already written in the card. As these cards have not been activated, ECMs with new keys are not sent
to these cards. That is why it is not possible to get Cinedom or the PPVs.

In the later C8000 xxxx series of cards the initial provIDs are 000700 and 000800 and I suspect that
only the necessary information for the basic channels is already written. One key and channel ID for
the Superpacket and for Prem. 1 & 2.
That is why the simple switch on commands for the other channels will not work and the special
800xx.crd files must be used. After activation the provIDs become FFFFFF/FFFFFF. It would seem
that there is a problem calculating the digital signature/checksum for this series. In earlier series there
were only 256 possible signatures to be checked. Now all five bytes of the digital signature need to be
calculated. It is a lot more secure. This proves a problem for the card writing programs.
Has anyone more information about this c8000 series?
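
Why the earlier check is weak and the five-byte check is stronger, as an added example that is not part of the original document: the command list on this page includes one that returns the first four bytes of the signature after an incorrect response, which leaves a single unknown byte. The sketch models that behaviour with a stand-in signature (HMAC-SHA-256 truncated to five bytes, an assumption, since the real algorithm is not given here) and sets it beside a verifier that discloses nothing and locks after a few failures; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

SIG_LEN = 5  # the page describes a five-byte signature


def mac5(key: bytes, message: bytes) -> bytes:
    """Stand-in signature (assumption): HMAC-SHA-256 truncated to 5 bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()[:SIG_LEN]


class LeakyVerifier:
    """Earlier-series behaviour as the page describes it: after a rejected
    message, the first four bytes of the expected signature can be read back."""

    def __init__(self, key: bytes):
        self._key = key
        self._expected = b""
        self.submissions = 0

    def submit(self, message: bytes, sig: bytes) -> bool:
        self.submissions += 1
        self._expected = mac5(self._key, message)
        return sig == self._expected

    def read_back(self) -> bytes:
        return self._expected[:SIG_LEN - 1]


class HardenedVerifier:
    """Discloses nothing on failure and locks after a few bad signatures."""

    def __init__(self, key: bytes, max_failures: int = 3):
        self._key = key
        self._failures = 0
        self._max = max_failures

    @property
    def locked(self) -> bool:
        return self._failures >= self._max

    def submit(self, message: bytes, sig: bytes) -> bool:
        if self.locked:
            return False
        # A real card would store the incremented counter in EEPROM before
        # comparing, so that removing power cannot skip the update.
        self._failures += 1
        if hmac.compare_digest(sig, mac5(self._key, message)):
            self._failures = 0
            return True
        return False


def submissions_without_key(card: LeakyVerifier, message: bytes) -> int:
    """Count the submissions a sender with no key needs before acceptance."""
    card.submit(message, bytes(SIG_LEN))   # one rejected message
    prefix = card.read_back()              # four of the five bytes disclosed
    for last in range(256):                # only the final byte is unknown
        if card.submit(message, prefix + bytes([last])):
            break
    return card.submissions


def hardened_guess_success_probability(max_failures: int = 3) -> float:
    """Chance that blind guessing succeeds before the lock: tries / 2**40."""
    return max_failures / 2 ** (8 * SIG_LEN)


if __name__ == "__main__":
    key = secrets.token_bytes(16)          # constructed key
    msg = b"constructed message"           # constructed sample input
    print("leaky verifier, submissions needed:",
          submissions_without_key(LeakyVerifier(key), msg))
    print("hardened verifier, success probability:",
          hardened_guess_success_probability())
```

The leaky model is accepted within 257 submissions whatever the key is, while the hardened one leaves a blind sender a chance of 3 in 2^40 before it locks.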

When a virgin card is officially switched on, the initiation command [28 0d] or [68 0d] is sent to the
card along with the Master Key 00 which is eight hex bytes and the new provID - three hex bytes.
There is also a five byte digital signature which must be correct. Anyone know the algorithm for
this?

Irdeto Commands and Nano Codes

Attached you should find a zipped file (CRDcmdsX.zip) containing a selection of Irdeto commands for
you to learn and experiment with. Some of these can destroy a working card - so take care! Look at
the *.crds in conjunction with the following explanations. Let me know if you find any new commands.

There seems to be some confusion as to which commands are ECMs (Entitlement Control Messages)
and which commands are EMMs (Entitlement Management Messages). As I understand it, please
correct me if I am wrong, the ECMs are the 01 01 .... commands. These enable and disable
channels/cards. The 01 05 ... commands are the EMMs. These contain the information for the
decryption process. However, in DVB98/2000 Cam Info Menu, Uli has them labelled the other way
round. Thus he has the first PID (called EMM) controlling the enable/disable commands. If this PID
is set to 1FFF then the software acts as a blocker, as this PID value is normally used for teletext.
The value of this first PID depends upon the bouquet, e.g. it is 1000 for DF1 and 012C for Telepiu. The
second PID (which he has labelled ECM) is channel dependent and I believe has more to do with the
01 05 ... commands. Can anyone clarify this?

All commands are six bytes long, divided into different classes depending upon the second byte. The
first byte is always 01. The third byte is the instruction. The fourth and fifth bytes are references. The
fifth byte usually designates the provider? The sixth byte is the length of the following data
string, including the NANO codes and signature. There is also an extra checksum byte.

Class 1 Command - ECM

01 01 00 00 00 xx : Initiates ECM Update information to the card.

The first five bytes of each ECM are normally one of the following
02 (Provider group p00, 2 bytes) 00 00
03 (Provider ID p00 , 3 bytes) 00
0A (Provider group p10, 2 bytes) 00 00
0B (Provider ID p10 , 3 bytes) 00
C3 (Hex Serial Number, 3 bytes) 00

The sixth byte is always the length of the following string.

Examples [in *.crd format -see later for explanation of macros]

01 01 00 00 00 11 03 p2 00 0b 40 02 t0 94 00 s1 Deletes all ChanID information for Provider 00


01 01 00 00 01 11 0b p3 00 0b 40 02 t1 94 00 s1 Deletes all ChanID information for Provider 10
The following are possible answers to the 01 class commands.
01 01 00 00 3F : Command accepted
01 01 70 00 00 : Command not accepted???
01 01 71 00 00 : Command not accepted, wrong Provider ID
01 01 72 00 00 : Command not accepted, wrong Provider Group
01 01 7B 00 00 : Command not accepted, wrong Provider ID/Group/signature???
01 01 7C 00 00 : Command not accepted, wrong signature

Blockers work by preventing ECMs getting to the card. They only allow the following EMMs.
--------------------------------------------------------------------
Class 2 Commands - Get...

01 02 00 03 00 : Get Card's Serial Number in ASCII
01 02 01 03 00 : Get Card's Serial Number in HEX
01 02 02 03 00 : Get Card's Country Code
01 02 03 03 00 : Get Provider ID 00
01 02 03 03 01 : Get Provider ID 10
01 02 04 00 00 01 [00....09] : Get ChanIDs, dates and timer for Provider 00
01 02 04 00 01 01 [00....01] : Get ChanIDs, dates and timer for Provider 10
01 02 07 00 00 20: Writes 32 bytes to buffer. If the length is set to zero this also enables reading of the
buffer using...
01 02 08 00 00 00: Get 32 bytes from buffer. These commands only work on series < c8000 (DF1)
01 02 09 03 00 : Get/Send? CAM Key
01 02 0A 00 01: (2 bytes) xx xx; enter dbox-pin, 51 = not OK, 50 = OK
01 02 0A 01 01: (4 bytes) xx xx yy yy; change pin, pin x=old, pin y=new
01 02 0A 01 03: (4 bytes) xx xx yy yy; set dbox-pin x=old, y=new
01 02 0A 02 01: (2 bytes) xx xx; find/check dbox-pin 51 = not OK, 50 = OK
01 02 0D 00 00 : Get first four bytes of signature after an incorrect response
01 02 0E 02 00 : Read Card File 1
01 02 0E 03 00 : Read Card File 2
01 02 0F 00 00 : Get Ascii SN, ProvID for Provider 00 and 8 + 5 byte string.
The eight byte string always seems to be 42 98 2C 4D D9 EA F4 69. Even for Irdeto
cards from different countries. I assume the 5 byte string is a digital signature.
01 02 0F 00 01 : Get Ascii SN, ProvID for Provider 10 and 8 + 5 byte string.
The eight byte string always seems to be F0 EC F2 80 85 AB 29 71.

Answers to the Class 2 Commands


00: OK
50: not OK
54: not OK
55: not OK
67: The length is incorrect.
69: Command not allowed
6B: Wrong reference (byte 4+5)
6D: The instruction code is not programmed or invalid (byte 3)
6E: The card does not support the instruction class (byte 2?)
6F: No precise diagnostic is given

-------------------------------------------------------------------
Class 3 Commands
Do these exist?
Any ideas anyone?
--------------------------------------------------------------------
Class 4 Commands Set...

01 04 00 00 00 14 3x 3x 3x 3x 3x 3x 3x 3x 3x 3x 43 36 35 31 30 36 41 20 20 20

Changes ascii serial no. to xxxx xxxx xxy This only works for defective cards without write
protection. That is with all data FFFFFFF or 000000.
Change the 10 "x" to the new ascii serial number. Leave off the last "y", it is some form of checksum
calculated by the card. Only if you enter the correct ascii SN (as printed on the card) is the last
checksum byte correct.
If this string doesn't work swap the last bytes after the 43 to:-
//43 37 30 32 32 32 41 20 20 20 for ???
//43 36 33 39 30 36 41 20 20 20 for ???
//43 36 31 36 32 33 41 20 20 20 for ARE
//43 36 31 30 31 38 41 20 20 20 for ZAF

01 04 01 00 00 00: Activates write protection
Answer is 01 04 42 00 01
01 04 00 00 00 00: Asks card if it is "write protected".
Answer 01 04 40 - not protected.
Answer 01 04 41 - protected.

If you attempt to write a new Ascii SN to a write protected card, the return code is "41" - write
protected. However the data is written into the buffer. The Ascii SN is not changed. Use
DumpBuff0708.crd to read contents of the buffer.

"Write protection" has nothing to do with blocking ECMs. I believe it is to do with the basic BIOS of
the card. Variable data such as keys, dates, channel IDs etc are written to the eeprom of the card and
this is never protected.
--------------------------------------------------------------------
Class 5 Commands Key Request

01 05 00 00 xx : Sends the channel ID, key number, date and the key to be decrypted.
--------------------------
Example of EMM (Entitlement Management Message).
01 05 00 00 02 23 ch ID 10 08 00 1D 40 02
dd dd 78 12 08 13 z1 z1
z1 z1 z1 z1 z1 z1 z2 z2
z2 z2 z2 z2 z2 z2 xx xx
xx xx xx cs
This breaks down to:-
01 05 00 00 02 23         The EMM, length 23 hex bytes
ch ID                     Channel ID
10                        Provider 10
08                        Key number
00                        Always 00? Filler?
1D                        Length
40 02                     Set date (I have also seen 00 02 meaning the same)
dd dd                     Date
78 12                     The 78 nano and length
08                        Key number
13                        Always 12 or 13 ??
z1 z1 z1 z1 z1 z1 z1 z1   First 8 bytes of key to be decrypted
z2 z2 z2 z2 z2 z2 z2 z2   Second eight bytes of key (not used?)
xx xx xx xx xx            Digital signature
cs                        Checksum
--------------------------

If the decryption is successful the answer is
01 05 9D 00 yy : Return of data including decrypted key and clear picture!
If not successful:-
01 05 90 00 00 : No access to this ChanID - missing ChanID?
01 05 9C 00 00 : Masterkey Error
01 05 9E 00 00 : Not activated?
01 05 9F 00 00 : ??? Error?
01 05 A0 00 00 : Wrong Bouquet?
--------------------------------------------------------------------

NANO CODES

These are two byte commands embedded in the ECMs. The first byte is the instruction. The second
the length of the following string.

10 (09) Set Key [1st byte is the key number followed by eight bytes of the actual key].
10 (52) Set Multikey - TWO keys in the same command
10 (E4) Set Multikey - FOUR keys in the same command
------------------------------------
Example of MultiKey Update
01 01 00 00 00 3D 02 pg pg 00 00 37 40 02
dd dd 11 06 ch ID dd dd
0A 00 10 E4 02 k2 k2 k2
k2 k2 k2 k2 k2 04 k4 k4
k4 k4 k4 k4 k4 k4 06 k6
k6 k6 k6 k6 k6 k6 k6 08
k8 k8 k8 k8 k8 k8 k8 k8
xx xx xx xx xx cs
This breaks down to:-
01 05 00 00 02 23         The EMM, length 23 hex bytes
01 01 00 00 00 3D         ECM, length 3D
02 pg pg                  Address provider group pg pg
00 00                     Filler
37                        Length
40 02                     Set date dd dd
11 06 ch id 0a 00         Address this channel ID, timer
10 E4                     Multikey update NANO (sometimes 50 E4) and length
02                        Key number
k2 k2 ........            Key 2
04                        Key number
k4 k4........             Key 4
06                        Key number
k6 k6.......              Key 6
08                        Key number
k8 k8.......              Key 8
xx xx xx xx xx            Digital signature
cs                        Checksum

Sometimes the keys are 0A, 0C, 0E and 10.


------------------------------------

11 (06) Activate Channel ID (2 bytes chanID, 2 bytes datestamp + 2 bytes timer)


28 (0D) Change ProvID (00/11 provider, 00 + eight bytes masterkey, 3 bytes new ProvID.) Used by
German system.
This is followed by a 5 byte signature.

--------------------------
Example of New Provider ID
01 01 00 00 00 1A C3 ss ss ss 00 14 28 0D 11 00 mm mm mm mm mm mm mm mm pp pp pp xx
xx xx xx xx

1A      ECM, Length 1A
C3      Get Hex Serial number
ss      Hex Serial number
00      Filler
14      Length
28 0D   Change provider ID and length
11      Provider
00      Key number. 00 indicates it is the Masterkey
mm      Masterkey
pp      New Provider ID
xx      Digital Signature
--------------------------

40 (02) Set date (2 Bytes) I have seen 00 (02) where 40 (02) is normally for some bouquets.

5x ( ) These are the same as the 1x instructions, but seem to have a higher priority?
50 (09) Set Key [1st byte is the key number followed by eight bytes of the actual key].
50 (52) Set Multikey - TWO keys in the same command
50 (E4) Set Multikey - FOUR keys in the same command
51 (06) Write Channel ID (2 bytes chanID, 2 bytes datestamp + 2 bytes timer). Used when a new date
is set for channel activation. Used as "kill" when date and timer = 0000 0000
52 (06) Write 6 unknown Bytes (normally 00 00 00 00 00 00) between ProvID and date
54 (00) Erase all ChanID entries of addressed provider (sets all ChanIds, dates and timers to
FFFFFF...)
56 (02) Put two bytes after the date often (31 00 - German) or (0A 01- Greek). Anyone know the
significance of this?
56 (10) Writes sixteen bytes of 00. Used in the resetcard.crd.
58 (01) xx : Writes the last byte in the message to xx
62 (03) Set the country code. Three ascii bytes. eg 47 45 52 is GER
68 (0D) Change ProvID (00/11 provider, 00 + eight bytes masterkey, 3 bytes new ProvID). Followed
by 5 byte signature.
Used by Italian system.
78 (12) Key number + 12/13 + 16 Bytes (2 x 8 byte Keys to be decrypted?) + signature. Used in 01 05
00 command .

9x ( ) These are the same as the 5x instructions, but seem to have a higher priority?

91 (06) Write Channel ID (2 bytes chanID, 2 bytes datestamp + 2 bytes timer)
Used as "kill" when date and timer = 0000 0000
94 (00) Erase all ChanID entries of the addressed provider (sets all ChanIds, dates and timers to
FFFFFF...)
95 (02) Used after the set date nano (40 02). Usually 01 E2. Purpose unknown.
98 (01) Write one byte. The penultimate byte in the answer string to "getProvID"
CB (20) Selects the card from the users in that provider group (32 dec Bytes or 256 users)
A9 (0a) Normally 00 00 00 00 00 00 00 00 00 10. Deletes the masterkey?
A9 (02) Normally 00 00. Switch off masterkey command??? Anybody know more about the A9
nano?

CRD Macros
In *.crd files you will see some macros. This is what they do:-

R0 - Initiate card reset. If the card is OK it replies with the ATR (Answer to Reset).
// - Ignore the rest of this line. Used for remarks.
P0 - Get Card's set Provider Group 00 and put it here (2 Bytes)
P1 - Get Card's set Provider Group 10 and put it here (2 Bytes)
P2 - Get Card's set Provider ID 00 and put it here (3 Bytes)
P3 - Get Card's set Provider ID 10 and put it here (3 Bytes)
S0 - Put the HEX serial number here (3 Bytes)
S1 - Put the 5 byte digital signature here and check the value of the final byte.
T0 - Put the date stamp of Provider 00 here (2 Bytes)
T1 - Put the date stamp of Provider 10 here (2 Bytes)
I0 - Opens an input window so that you can enter HEX data. The length of the data string must be
correct.
Parameter Format: I0Text_can_be_written_here_without_spaces,_always_end_with_;

The Activation Process

1. For Virgin Cards.


There are two basic methods.
a) Irdeto 98 Method
Connect your interface to the PC (usually com1). Start PC in DOS mode and run one of the Irdeto 98
batch files. This will write the correct channels IDs as used at the moment to your card using
pro_01.exe for provider 00 and pro_02.exe for provider10.

b) *.crd Method
Connect interface and run Cardmaster, Cdevil or SMC v2.0a. Make sure correct com port and
oscillator frequency (3.5 or 6MHz) is selected. Also check that all (if any) DIP switches on your
interface are set correctly. Cardmaster is very unstable so CDevil (DOS) is probably to be preferred.
Cardmaster 1.0 seems to be slightly more stable than the previous version.
Insert the card first then "Connect" . You should then get an ATR and the card details read out. Do
not press "reset" as this usually causes a hang. With either system next select the *.crd file you wish to
use. (Card87 has the latest versions at the moment). Check for the latest versions. Run the file. It
will take a few minutes as it goes through potentially 256 options for each checksum to find the last
byte of the digital signature. CDevil beeps nicely when it is finished. Cardmaster states "done".
Your card is ready:-))

Since the middle of May the old methods of activating virgin DF1 cards have stopped working. You
will need to find the latest *.crd to do this now. This *.crd contains logged data from before the ECM
and if used with a blocker should continue to work. Look for Startup_new.crd on Blades site or the
faster "Start300_400.crd" on various sites.

Has anyone information on activating the c8000/9000 series?

2. For Expired Previously Activated Cards


These cards are better since the provIDs have been activated, therefore new keys are being sent for all
or most channels. The basic channels can be opened as above, but for the Cinedoms, Prem ppv and
Blue Movie you need to make a log of the Key updates for YOUR provider group. This also applies to
activating cards from other bouquets. I find the serial method the simplest but you do need to make a
hardware modification to your dbox which involves soldering a wire to connect a pin on the card
reader to a pin on the xp02 connector. This is very simple and there are photographs and instructions
posted already. Fotos.zip.

There is a good read.me file with the MasterLog beta v1.3b logging program by "Seven of nine". He
describes two methods of serial logging. You will need to experiment which serial logging method to
use with which logging program. MasterLog allows both.
Some of the Logging programs will only work with the DF1 package and not with packages from other
countries since the sync. IDs are set at 8270/8240 or 8170/8070. Other packages may require different
values. MLog030a allows selection of the correct sync.IDs.

You can also use the Season interface method and XS4U.
Instead of logging you may now be able to get keys for Cinedom and PremPPV from the program
KeyCalc v1.0a. This, I suspect, is a database made by someone making a long log with MasterLog or
similar. You may be lucky and find the update keys you require in here. It is said there may be errors
in the *.crd files generated so take care.

a) Serial Logging in Blocker Mode


In Blocker-Mode you can only log the Keys that are sent to your card-group. If you are lucky your
card may be in a group which contains a "Dealer-Card" in it. So all of the needed keys can be logged!
However, there are quite a lot of cards that can't get all the Keys because they are just not sent by the
service provider.

With your card in the dbox switch to the channel of your choice. The Nosferatu menu needs to be
configured thus:-

1. monitor_all_ecm
2. normal (with nosferatu the blocker is active)
3. BLK prot: off

5. IPPV Pin
6.
7.
8.
9. -Log prm: on (for logging DF1 - provider 00)
A. -Log sec: on (for logging Premiere -provider 10)

If you do not know how to get into the Nosferatu menu you are going to need to do some research.
The details are posted in quite a few places. I will not supply this information.
Some of the latest logging programs will automatically generate the appropriate *.crd files for you to
run, as described above.

b) Serial Logging in Data Download/PID-Mode


In this mode you can log the keys for all Card-Groups, not only your own.
For MasterLog v1.3b the Nosferatu menu needs to be configured thus:-

1. -monitor_no_ecm
2. -normal
3. -BLK prot: off

5.-IPPV pin
6.
7.
8.
9. -Log prm: Off
A. -Log sec: Off

The Data Download menu (menu, 6) should be set to:-

1 -Log PID 1000>PC (For other bouquets enter the EMM pid. This can be found in the
black cam info menu).
2 -Mode: entire
3 -Status: Stopped (Press 3 to start the data transfer -running )
4 -BIN (Some loggers work with HEX, so experiment).
5 -Normal
6 -Buffer: 20 (try the highest value here that allows continuous running)

Connect the null modem cable and start logging. Let it run for an hour or more until you get the keys
you want and hopefully also for Cinedom (Key 0A) and Prem ppv (Key 10) if you are logging DF1.
You will also need the Channel IDs and date stamp.

For other countries' bouquets when using other logging programs you will need a different Log Pid.
You can get this by looking at the black cam menu 4 (cam info) when you are tuned to the channel of
your choice. The EMM/ECM pids are shown at the bottom (EMM = Entitlement Management
Message). Try both of these values (try EMM first) until you see the data stream. If the EMM pid is
1FFF this means that the blocker is active.

If you cannot generate your own *.crd files then you will have to put the data you have collected into
ones that have already been written. You can always edit other *.crd files with a simple text editor
replacing the relevant information. You need to set the date, load the new key and then the new
channel ID(s).

Then for Provider 00 you could run:-

date00.crd
You will be prompted to enter the date (two hex bytes).

Next run
keyon00.crd - you will be prompted to enter the nine bytes of the key you have just logged.
If the string length is rejected (by Cardmaster) try entering it again but finish with a
semicolon (;) before pressing <enter>
Finally run
idon00.crd - for each channel ID you have logged. Input the two hex bytes when requested.

Repeat these three steps again using date10.crd, keyon10.crd and idon10.crd for the Provider 10 data.

When the date stamp or the update keys are changed you will lose these channels. Therefore you must
use a software blocker - Nosferatu menu (2. Nosferatu 3.BLK prot: on) or a hardware blocker.
Your card is now ready:-))

No ATR?
If, after experimentation, you find that your card is dead (no ATR), it may be possible to revive it.
Try rapidly inserting and removing your card into the interface (10 - 30 times) whilst a reset signal is
being sent by one of the card writing programs. This MAY give you a working card again. [I use
Cardwizard at 6MHz to do this, others use CDevil whilst pressing F1. Note this is also the way to
KILL cards!!!!] However, more often than not, although you will get an ATR, all the data is set at
000000 or FFFFFF and your card will be useless for decryption. The ascii serial number is often 730.
The card can still be used for some experimentation. For instance you can write the ASCII serial
number again.

Warning
Be aware that new software and *.crd files are being released every day. Try them at your own risk.
There are some sad bastards about who delight in posting "Permanent Kill" files - do not use
upd180199.crd for example. It changes the ProvIDs and Country Code and thereby ruins the card.

Reaktiv (di_pro) may or may not fix it. Works in DOS 6.xx on com 2 only.

Also some versions of MOSC.exe contain a virus (20kb version, 16kb version is OK). Again, this may
be a fake file (it will not change the bouquet on your card -only the chanIDs) as was the Blocker code
recently released.
Resetcard.crd is only for Greek cards that do not work. Do not use on a working card.
300-400Key.crd is resetcard.crd.
Ppv123.exe 76kb long, is a virus (Trojan Horse?) which reads your hard disc and uploads it to website
(according to Sarantos).

Links

http://www.thoic.com/satpirates/1.html SatPirat Closed permanently now?
http://www.thoic.com/kermit/home.html Kermit Also has a Forum (German)
http://satswiss.com/ SatSwiss Also has a Forum (Multi-lingual)
http://welcome.to/albundy Al Bundy (German)
http://homepages.enterprise.net/smalone (English)
http://www.digitalsin.org/ Also has a Forum (Italian)
http://sat-digital-tv.provider.com.pl/starte.htm Polish site - In English
http://www.multipage.net/multi/ Dutch site -English and German.
http://masterkeys.virtualave.net/ German masterkey database
http://members.xoom.com/blade_crd/index2.html Blades site for crds. (German)

I WILL NOT SUPPLY ANY SOFTWARE THAT COULD BE USED FOR ILLEGAL PURPOSES.
SO DO NOT ASK. ALL THE SOFTWARE MENTIONED IN THIS PAPER IS AVAILABLE ON
THESE SITES

If you have found this description useful and would like to show your appreciation I would be grateful
for any donations of Irdeto cards (virgin or expired or even dead!) for further experimentation.

Please report any errors or omissions.


I have received lots of requests for help following the posting of this document. Please re-read it and
make sure the answer to your question is not in here before asking. Please write in English only.

If you translate this to another language make sure that I receive a credit. Make it clear that I will only
respond (maybe) to queries in English.

Cheers
007.4
Sometimes Stirred but Never Shaken!

[email protected]
Please write in English only.
24.2.99 v1
28.2.99 v2
02.3.99 v2.1
10.3.99 v3
15.3.99 v4
20.4.99 v5
24.4.99 v6
19.5.99 v7
12.6.99 v8
