Firmware for Pioneer BCT-1530

_____________________________
PI725a4

Simulator of the nagra2 ROM110 card added. It's still very raw and buggy, many things are not implemented yet, but it works right now (tested on polsat).
In order to get autoroll you have to add keys for the EMM provider (e.g. 7001):
  - idea keys (index 0x02 and 0x42, length of 16 (0x10) bytes);
  - RSA modulus (index 0x12, length of 96 (0x60) bytes);
  - DES key to decrypt nano $42 (index 0x3D, length of 8 or 16 bytes, depending on the ROM revision).
You also need to program the provided image of ROM110 (rom_mhw.bin) into data flash; use mediacom or mediasatConnect for this purpose. The order of programming is the same as for otv.bin or tps.bin.

-----   
   Great thanks to all the guys who helped me with the nagra 2 algorithms, the ST19 instruction set and the ROM110 structure, especially yawn, mitega and tapis :)
-----   


_____________________________
PI725a1

1. Calculation of the TPS timestamp fixed. You need a new otv.bin to be programmed in order for TPS to work.
   Order of upgrade:
      - zap on free to air channel;
      - program new otv.bin as usual (through serial port by mediacom or mediasatConnect);
      - program new firmware PI725a1;
      - reboot box.
         
2. Limited support for irdeto2 added to the emulator.

   Format of irdeto data.
   Attention!!! There are neither keys nor other crypto data inside the firmware. You must add all the stuff into the emukey buffers manually.
   Support for irdeto keys/providers in the embedded editor (perso/EMU) is not yet implemented; I'm waiting for help from JulekJulek.
   You need the EMU Keys Editor (emuedit.exe) in order to insert irdeto related data. An example emuedit.ini with irdeto support is attached.
   
   The Irdeto emulator needs the following data to work:
   - provider id (3 bytes), which is in fact 2 bytes of CA ID and one byte 00 (reserved for future use), e.g. 06 28 00;
   - IV_PAD key (index 0x20, length of 16 (0x10) bytes);
   - ECM_SEED key (index 0x21, length of 16 bytes), needed for ECM processing;
   - EMM_SEED key (index 0x22, length of 16 bytes), needed for EMM processing;
   - Operational 3-DES keys, needed to decrypt ECMs (index 0x00 to 0x1F, length of 16 bytes);
   - PMK (index 0x30, length of 16 bytes), needed to decrypt EMMs;
   - provider group address (3 bytes, only the first 2 bytes are meaningful), which must be entered into the provider's SA/PPUA field of the EMU Keys editor;
     needed to set up a proper EMM filter.
   Note: indexes of opkeys are not the same as the ones provided by softcam.key; the opkey index is calculated as (ECM[9] >> 1) & 0x1F, so softcam.key's key 08 is key 04 for us, key 18 is key 0C and so on.
   If you have a valid PMK and group address, then you don't need operational keys at all; they will be caught from the air on demand.

Unfortunately, a lot of things are still unclear, so the support for I2 is very rough.
I hope to fix possible bugs as my knowledge grows...
 
3. Some minor bugs fixed.

Greatest thanks to remote, mrtoolate, humax, tapis and many other persons who opened the door into the irdeto2 world for me :)
    

_____________________________
PI724a15

Premier MECM algo implemented.

_____________________________
PI724a14

1. Temporary solution for the latest tps attack (2007-12-04) added.
   Just program the newest otv.bin, then program the new firmware, go to any tps encrypted channel and wait about 20 seconds.
2. Provider flags for the new emukeys format are implemented. Two flags are meaningful: 'preferred' and 'use sharing'.
   
   'preferred' flag. It affects the 'autochoice of ECM PID' algo.
   The algo of autochoice:
      - if the PMT ECM PID matches the TCS video ECM PID then that PID is selected;
      - else, if we have in the PMT any provider marked as 'preferred' then that ECM PID is selected;
      - else, if the CA ID of any ca_descriptor in the PMT matches the 'preferred' CA ID (for the moment I set it to 0x0D00 in init1.cpi), then that ECM PID is selected;
      - else it takes the 1st ECM PID from the PMT.
   
   'use sharing' flag. That flag forces 'cardsharing' mode for the selected SOID.
      For example, if you have SOID AABBCC in the emu, and this SOID is marked by the 'sharing' flag, and the box catches an ECM for that provider, then the box sends this ECM to RS232 in order to use 'cardsharing'.
      The old cardsharing flag (based on the channel status flag) is not supported anymore.

A lot of thanks to tapis for help with the new tps attack and g3rry for help with auto ECM PID selection :)
  

_____________________________
PI723a8

Autoupdate of TPS-keys added.

HowTo: first of all you'll need to load the attached otv.bin file into your receiver.
The way of doing this is just the same as when you load the tps.bin file, i.e. launch Mediacom, switch it into receiving mode
by activating the COM port (pressing menu, 8, 3), then press the Settings button in Mediacom, check the OTV section and wait until the section upload
is done. Now fuse the new PI723a8 firmware into your receiver.

To get the AES keys update, switch the receiver to any channel encrypted in TPSCrypt. Mind that the ECM PID of the channel you have chosen
should correspond to the TPSCrypt PID.
Now wait for about 30-40 secs, switch to any neighbouring channel and back, and if the update was successful you'll get the picture.
In addition, if you also have Mediacom launched and running, you will see a message like "TPS:<num> new keys" in the log window,
<num> meaning here the total number of freshly received TPSCrypt keys.

WARNING: the old format tps.bin file WILL NOT WORK with the new PI723a8 firmware!

Thanks fly to all who took part in PI723a8 firmware development :-)

=======================
English version
YARO
08.01.2007
8:28 
=======================

_____________________________
PI723a0
TPS keys autoroll improved according to the latest TPS attack.
A new MHW API function func_277(byte* request, byte* bufemu, int mode, int* offset) is added to manage EMU keys. The function is intended for fast search/update/delete of keys and provider info inside BUFEMU_E and RSA_KEYS. Details and usage will be published together with the next release of the firmware, which will contain a new unified format of EMU buffers.

_____________________________
PI722a4

Limited TPS AES key autoroll added.
The encrypted AES key schedule is stored in data flash inside the file /TPS/TPS.
According to the current time, MHW extracts the actual AES key and replaces the old one in the emu key buffer (keys 3/13 of provider 007c00).
The key schedule itself is not updated automatically. You have to replace it manually (via the rs232 port) when a new keyset is available.
To update:
        - switch the box into "receive settings" mode (menu/8/3);
        - run mediacom.exe, click the button "Settings", choose the file to download into the receiver (tps.bin);
        - select the section which contains the TPS folder, click OK and wait for the download to complete.
That's all.

Big thanks to all the guys (you know who you are) who took part in that :)

_____________________________
PI721a8

Cryptoworks emulator added (thanks humax :)). For now decoding of superencrypted ECMs is not supported (for instance, digiturk uses superencryption, so it will not be opened by this version).

   Cryptoworks Keys.

To decrypt an ECM you need from three to six keys.

A general ECM uses 2 operational 16-byte keys (keys 00 and 01) and one constant issuer key of 6 bytes length (key 02).
A superencrypted ECM needs 3 additional keys to decrypt:
two 16-byte operational keys (10 and 11 in hexadecimal notation)
and one 64-byte (0x40) RSA modulus (key 12 in hexadecimal notation).
Keys 00 and 01 are spread widely on the Internet (e.g. Softcam.key contains them); you may use the InetKeys button of Mediacom 2.5 to get them.
Other keys need to be obtained in some other way.
An ident of a cwks provider has 2 characters (softcam.key uses 6 characters to identify a provider; well, I use the last two chars only).

Keys may be entered by Mediacom 2.5 in the following way:
   - press the button EMU Keys
   - select CRYPTO in the CA system field
   - enter SOID and keys,
   e.g. for Jetix (by British Telecom, SOID 0A) on HB 13e you need:
ident	keyid	type	len	value
a0	00	00	10	2179....
a0	01	00	10	....
a0	02	00	6	c879...

   for digiturk you will need additional deSE keys, e.g.:
c0	10	00	10	b752...
c0	11	00	10	28e3...
c0	12	00	40	214d...	

	- click Send Keys
	- watch the trace, it should show that keys are inserted or updated.

   ====== Information for developers ========
All cwks keys are stored inside the RSA_KEYS MHW file.
The format of the RSA_KEYS buffer does not provide a separate byte for SOID (due to alignment considerations), so I place it in the unused (for cwks) key_type field instead.
Therefore, cwks keys are stored as follows:
   00 - CA ID (0x60)
   01 - key ID (00, 01, 02, 10, 11, 12)
   02 - SOID
   03 - key length
   04...key[3] - key value.

latest check by YARO
03.05.2006
21:32
_____________________________
PI721a7

1. Nagra2 limited EMM processing added. You need to load the rsa and idea EMM keys to have key autoroll.
2. MHW menu for rsa keys added.
   
Go to install menu/7 (emu keys), press the "->" or "<-" buttons to open the "RSA Keys" page.
Now choose a suitable CA system by pressing the "->" or "<-" buttons (e.g. NAGRA), enter the 6 ident characters (e.g. 007101), the desired key index and type.
If the key already exists then you will see it in the bottom field; press OK to edit or remove the key, then press OK when finished to save the new key value or SERV to delete it.
_____________________________
PI721a6

1. Serial communications are improved to allow faster card sharing.
2. Nagra2 ecm decrypt algo changed (3-des decrypt added).
   The key storage scheme changed because of insufficient room in BUFEMU_E. There is no other interface to enter rsa keys manually; you have to use MediaCOM 2.3 to download or update nagra2 keys.
3. New RS232 command for uploading keys and appropriate mhw scripts added.
   Note: any number and any kind of keys may be sent per command. The only limit is the size of the pioneer's rs232 receive buffer (1024 bytes).
   
   To download keys (rs232 communications on the IRD side should be enabled):
      open MediaCOM 2.3, click the button "EMU Keys", fill in the key list, click "Send Keys", watch the trace window, enjoy if no errors are signalled ;)
      Don't forget: all fields on the "EMU Keys" form have to be filled in hexadecimal notation, i.e., if the key length is 16 bytes then the field "Key Len" must contain the value "10".

4. Irdeto related code removed to free up space for nagra2. Nagra1 providers removed except for 7501/7401 and 1911/1811.
 


   ====== Information for developers ========

   All keys for n2 are stored in the MHW flash file RSA/RSA_KEYS. The pointer to the file RSA_KEYS is stored in basic.BUFEMU_E as key 0xaa of prov 00, ca_sys 00.
   Key storage format
      4 bytes of header:
      00 - high nibble: ca id as defined for bufemu
           low nibble:  index of the provider in bufemu
      01 - key index compliant with ROM10x key indexing (e.g., $06, $86 for opkey, $07 for verify key, $16 for ecm rsa modulus, etc.)
      02 - key type compliant with ROM10x key types ($08 for idea key, $0d for triple-des key, $00 for 64-byte rsa modulus, etc.)
      03 - key length
      04 ... (3+key[3]) - the key itself;
      
   Note:    nagra has 2 idents for one service operator.
   The index for the even ident is coded as 1 to 5,
   the index for the odd ident is coded as 9 to 0xD (the 3rd bit is set to 1).
   

   RS232 Command format for p.3.
      Header (hexadecimal): 55 20 KN, where $55 is the standard prefix, $20 is the command (CMD_SEND_KEYS), KN is the total number of keys.
      Then the keys themselves follow.
   Key format.
      for seca and viaccess:
      00 - CA System ID as defined for BUFEMU
      01...03 - 3 bytes of SOID
      04 - Key index according to the BUFEMU key indexing agreements (e.g. a 16-byte viaccess 2.4 key is split into keys $0N and $1N, the tps aes key into keys $03 and $13 respectively, etc.)
      05 ... $0d - 8 bytes of key
      
      for nagra2:
      00 - CA System ID as defined for BUFEMU. To distinguish n2 keys from the emu keys described above, the low nibble of this byte shall be set to 0xF.
      01...03 - 3 bytes of SOID
      04 - Key index according to point 2.2
      05 - Key type according to point 2.2
      06 - Key length
      07 ... (6+key[6]) - the key itself.
   ================================================   
    

-----   
   Great thanks to all the guys who helped me with the nagra 2 algorithms :)
-----   
_____________________________
PI721a3

MHW: OFM by Julekjulek & Eran.

1. The DiSEqC switch control routine is modified according to requests from twin-LNB owners.

It now looks like Dynamit's one: the value of eeprom byte 0x41f sets the behaviour of the control
function:
   00 - neither a diseqc message nor a tone burst is generated on channel zapping;
   01 - a tone burst is generated;
   02 - the diseqc 1.0 command 'switch port' is generated;
   03 - both the diseqc command and the tone burst are generated.

It is not necessary to write the eeprom directly. Go to Menu->4->2 (Ext. TV and Video);
the new menu item "DiSEqC Switch" will allow you to choose what you want.
	None - writes the value 00 to eeprom address 0x41f
	Tone Burst - 01
	DiSEqC CMD - 02
	Both	   - 03
	
!!!WARNING!!! You have to reboot the box for the changes to take effect
(tuner_task reads the eeprom value during MHW VM startup).

The unused MHW API function Po_func_call_28B is replaced by a new one to allow the above:

typedef unsigned char byte;

// Native eeprom routines of the firmware (assumed prototypes; their return value is passed back as *error).
extern int eeprom_read_address(int addr, byte* buff, int len);
extern int eeprom_write_address(int addr, byte* buff, int len);

// mode 0 reads len bytes at addr into buff, mode 1 writes them; any other mode reports E_CMDE_UNKNOWN.
int ee_operate(int addr, byte* buff, int len, int mode, int* error)
{
	switch(mode) {
		case 0: // read data
			*error = eeprom_read_address(addr, buff, len);
			break;
		case 1: // write data
			*error = eeprom_write_address(addr, buff, len);
			break;
		default:
			*error = 0x10D; // E_CMDE_UNKNOWN
			break;
	}
	return 0;
}
   
2. Nagra EMU is modified in reply to the last attack of TV Cabo; MAP calls to functions
$02 & $0F are implemented (big thanks to the nagra experts :))

Not tested: I can't catch Hispasat :(

_____________________________
PI721a0

Software simulation of service mode K2002 added. You don't need to short the K2002 service point
to re-program the firmware anymore.
   
   How to install:
The file 60150000.bin contains a new additional bootloader. It must be programmed at
address 0x60150000 via the JTAG interface.
Then program the firmware file PI721a0.bin as usual via com+lpt.

   How to use:
Go to the Install Main menu, press 4 (Parameters setting).
Here you see the new menu item "4: Service Mode K2002". Press '4' and you are at dL1o ;)
The rest seems clear by itself :)

   How it works:
The unused function Po_func_call_28C is replaced by a new one.
The new function shuts down some common threads, switches the scart to 'power off' mode,
disables the hardware scheduler (so switches off all threads) and jumps to the new bootloader
at 60150000.
The new bootloader uses functions of the native 1st bootstrap at 7ff80000 to enter
service mode K2002 regardless of whether the K2002 point is shorted to ground or not.

   Limitations.
In fact, the new bootloader uses direct calls to a few native functions located in the
1st bootloader (7ff80000...7fffffff).
If your firmware differs from mine (I have a Polish pioneer 1530), then you
can't use the code of 60150000.bin the way it is.
If this is the case you'll need to find the appropriate functions in your firmware
and replace the pointers to the called functions (0x601500BC...0x601500CC) with yours.
      
Big thanks to the guy who worked on this new bootloader and made this all possible for us :)
_____________________________
PI720a5

Algo and keys for D+ (nagra2) added. Not tested because I can't catch either hispasat or astra 19e.
Thanks to all the guys who took part in the decompilation of the Galaxis firmware :)

_____________________________
PI720a2

Algo for seca provid 006a added (thanks Humax and the other guys who extracted it from the wildcard :))
Not tested because I can't catch astra 19e.
However, nano 5105 is not implemented.
Mediapark's public keys are inserted.
EMU keys of viaccess provider #20 may be used to enter BISS fixed control words in the following fashion:
XX YY AA BB CC DD EE FF, where XX YY is the SID of the biss service and the last 6 bytes are the 6 bytes of the biss CW
(the control word has 8 bytes in total, 0 to 7; bytes 0..2 and 4..6 are meaningful, bytes 3 and 7 are don't care, so the six bytes of CW mean bytes 0,1,2,4,5,6).

_____________________________
PI719a8

The new parallel task is improved; in conjunction with the new PTI interrupt handler it allows a more stable and reliable upload of TC PES data via the LPT port.
Preview works worse than in the previous firmware but other things seem to be much better. Unfortunately I have some unexplainable issues like the following:
some channels are captured with missed packets even if they are relatively slow, while other ones with greater bitrate are captured almost perfectly.
On most channels I have good results with bitrates up to 5500 kbit/sec.

st7 algo updated for pk0 autoroll. Nagra keys 02/03 hold the appropriate pk0 value.

_____________________________
PI719a5

st7 simulator algo corrected according to the last attack (usage of map calls).

_____________________________
PI719a2

This firmware holds the TPS AES key in the EMU keys buffer (thanks Trouboudou :)). It uses viaccess keys 03 (1st half of the AES key) and 13 (the 2nd half).
So to watch a tps-encrypted channel you have to enter suitable keys for provider 007c00 (or for any other provider who will use the AES modification of tps-crypt).

_____________________________
PI719a0

1. Nagra algo updated according to Dynamit's code (greatest thanks :))
2. The native PARALLEL_TASK is replaced by a new one (a lot of thanks to the guy who made this possible, you know who you are :)).
   This one allows:
   1) Dump memory to PC.
   2) Grab data from the air to PC:
      - single pid data;
      - few pids data (e.g. video, audio and ECM streams);
      - audio/video output from the STi5512 transport controller.
   There are however some limitations; read the readme file of mbxECPdump.exe for details.

_____________________________
PI718a7

Some bugs fixed; thanks humax for the nano_51 hashtables and <you know who you are> for the nano_51 and core_51 algo corrections :)
  
_____________________________
PI718a6

Bug in the calculation of the seca2 hashtable Fx index fixed (thanks satourne :)); a bug in the sha1 algo is fixed also (thanks kabronsete :))

_____________________________
PI718a4

Seca2 nano 5109 implemented. Great thanks to the guys who made this possible (you know who you are :))

_____________________________
PI717a47

TPS crypt 2 algo added. Thanks Dynamit :)

_____________________________
PI717a45

S2 algo and tables of provider 0065 added. Thanks psycho_troop :)

_____________________________
PI717a44

Processing of different filters in nagra EMMs fixed.

_____________________________
PI717a43

Some bugs fixed (seca AU, shl).

_____________________________
PI717a41

1. Seca2 algo fixed. Multiple occurrences of nano 0F are processed correctly now.
2. SHL algo corrected once again. One bug found and fixed (great thanks to the guy who made this, you know who you are ;)).
3. Bug with incorrect building of viaccess SA EMMs is fixed (I hope).

_____________________________
PI717a38

SHL algo corrected.

_____________________________
PI717a35

Tables and algorithm of seca provider 0065 are inserted. Thanks to the guys who provided this for us :)
And Dynamit for his source code :)

A little modification in HDL; I don't know whether it would be useful or not.
At the request of Generator it's possible now to switch the TV scart audio output according to the following modes:
  1. Native sound types:
    - mono (Left+Right channels mixed);
    - stereo (Left in to Left out, Right in to Right out);
  2. Additional sound types:
    - mono (Right channel only);
    - mono (Left channel only);
    - swapped (Left input to Right output and vice versa).

How to pass new values from MHW. 
That's very simple: 

	BUFFER[0] = SND_TYPE;
	Device_Call(<client>, $dev_sctv, $SCTV_SET_SND_TYPE, BUFFER, ...);

Where SND_TYPE may have the following values:

//// Sound Types ////
#define SND_TYPE_MONO_LR	0
#define SND_TYPE_STEREO		1
#define SND_TYPE_MONO_LL	2	// Left ch. only
#define SND_TYPE_MONO_RR	3	// Right ch. only
#define SND_TYPE_SWAP		4	// Swap channels

Note, you shall not call
	Device_Io(<client>, $dev_sctv, $SCTV_WRT_SND_TYPE, ...)
because I didn't implement saving of the new values in eeprom (I think it's useless).
This function expects sound type values 0 and 1 only, so it will cause IO error E_BAD_VALUE.

  

_____________________________
PI717a32

Some improvements in the SHL implementation.
Thanks JulekJulek for his work on the new panel :)
You may now manually adjust some SHL parameters: the timeout (in milliseconds) and the number of packets to catch from the ECM PID.
Go to the service menu (+/menu) and press '8' to enter the SHL adjusting menu.
By default the timeout is 300 ms and the number of packets is 7. This provides quite stable operation of SHL decrypting.
You may play with those parameters to reach max stability. Tracing of the decrypt result is possible: switch on the serial device in service menu, 7, and watch the output of RS232; SHL error 0 means a good decrypt, 1 a bad one.



______________________________
PI717a28

Seca2 algo fixed to allow watching of provider 0064. I can't test it myself so please let me know if I made some mistake.

SHL implementation changed. It runs as a separate task now, so MHW doesn't wait for the return from function NullSubDSX7071_13A.
This function (read_pid()) is now used for:
- creating the SHL task;
- sending some commands to this task (allocate buffers, semaphores and pid filtering slots, start decryption, clean up buffers);
- stopping and deleting the task.

void read_pid(int pid, byte *out, int slot, int stream_type, int flags, int timeout, int *error);  // 6010CF00

Error and pid shall be provided in any case. Other arguments are optional in one case and mandatory in another.
   Creating the SHL task:
   ----------
   pid = 0xE000;
   error is 0 on success.
   
   Allocate buffers:
   ----------
   pid = 0xE001;
   flags should provide:
      shl type (0 for ca id 0x4a60, 1 and 2 for ca id 0x4a61);
      shl mode (0 for hopping pid mode, 1 for multipid mode);
      number of packets which should be received from the ECM PID pointed to by the PMT (multipid mode).
   
   Start SHL decryption:
   ----------
   pid - real ECM PID;
   out = buffer with length of 0x1000;
   flags should provide:
      the signal to start shl decrypt, else only one ts packet will be read out (slot and stream type should be provided in this case as well);
   timeout: number of nanoseconds to wait for each packet from the PMT ECM PID;
      the total time of the shl decrypt will be "number of packets + 1" * "timeout";
      for now I use 4 packets and a timeout of 0.5 second.
   error is 0 if the 1st attempt to catch ts packets and decrypt them is successful. Don't care about it; the 1st attempt may be unsuccessful but the next one may get us a picture.
   
   Cleanup (free buffers, semaphores, pid filtering slots):
   ----------
   pid = 0xE002;
   error is 0 on success.
   
   Stop shl task:
   ----------
   pid = 0xF000;
   timeout: number of nanoseconds to wait for termination of the shl task;
   error is 0 on success.
   
!!! Warning !!!
Only multipid mode is implemented!
Hopping pid isn't, due to the absence of any shl channel to which it may be applied.
Buffer "out" should be passed for all calls of read_pid; sometimes I use it for debug purposes.

Mapping of the 'flags' argument (one 32-bit value, most significant byte first):

   byte 3   byte 2   bytes 1..0
   0N       SM       TC ST

   0     - not used for the moment.
   N     - number of packets to read from the PMT ECM PID. This value must not be less than 2.
   S     - if 1 then this is interpreted as a command to start shl decrypt, otherwise read one ts packet and exit.
   M     - 1 bit of mode: 0 - hopping pid, 1 - multipid mode; 3 bits of type 0..3 (0, 1, 2 in use now).
   TC ST - 16 bits of TC status. 0x1200 to read raw transport stream packets. Used to read one ts packet from the stream and for debug.
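An added example (not code from the firmware or these notes) that packs and validates the read_pid() flags word in the layout described above; since the notes do not fix the bit positions inside nibble M, it assumes the mode bit is bit 3 and the type occupies bits 0..2:

```c
#include <stdint.h>
#include <stdio.h>

/* Layout of the 32-bit 'flags' argument, bytes most significant first: 0N SM TC ST
 *   0     - unused nibble
 *   N     - number of packets to read from the PMT ECM PID (must not be less than 2)
 *   S     - 1 = start shl decrypt, 0 = read one ts packet and exit
 *   M     - mode bit (0 hopping pid, 1 multipid) plus 3 bits of type
 *           (0 for ca id 0x4a60, 1 and 2 for ca id 0x4a61)
 *   TC ST - 16 bits of TC status; 0x1200 reads raw transport stream packets
 * Assumption (not stated in the notes): inside nibble M the mode bit is bit 3,
 * the type is bits 0..2. */

#define TC_STATUS_RAW_TS 0x1200u

typedef struct {
    unsigned packets;   /* N */
    unsigned start;     /* S */
    unsigned mode;      /* 0 = hopping pid, 1 = multipid */
    unsigned type;      /* 0, 1 or 2 */
    unsigned tc_status; /* 16-bit TC status */
} shl_flags;

/* Pack f into *out. Returns 0 on success, -1 if a field violates the documented limits. */
int shl_flags_pack(const shl_flags *f, uint32_t *out)
{
    if (f->packets < 2 || f->packets > 0xF) return -1;   /* one nibble, minimum 2 */
    if (f->start > 1 || f->mode > 1 || f->type > 2) return -1;
    if (f->tc_status > 0xFFFF) return -1;
    uint32_t m = ((f->mode & 1u) << 3) | (f->type & 7u);   /* assumed nibble layout */
    *out = ((uint32_t)f->packets << 24) | ((uint32_t)f->start << 20)
         | (m << 16) | f->tc_status;
    return 0;
}

/* Decode v into *f. Returns 0 on success, -1 if the word is not a valid flags value. */
int shl_flags_unpack(uint32_t v, shl_flags *f)
{
    if (v >> 28) return -1;                 /* top nibble is documented as unused */
    f->packets   = (v >> 24) & 0xFu;
    f->start     = (v >> 20) & 0xFu;
    unsigned m   = (v >> 16) & 0xFu;
    f->mode      = (m >> 3) & 1u;
    f->type      = m & 7u;
    f->tc_status = v & 0xFFFFu;
    if (f->packets < 2 || f->start > 1 || f->type > 2) return -1;
    return 0;
}

/* Convenience: the flags word for a 'start shl decrypt' call, or 0 if the parameters are invalid. */
uint32_t shl_decrypt_flags(unsigned packets, unsigned mode, unsigned type)
{
    shl_flags f = { packets, 1u, mode, type, TC_STATUS_RAW_TS };
    uint32_t v;
    return shl_flags_pack(&f, &v) == 0 ? v : 0u;
}

int main(void)
{
    /* 4 packets, multipid mode, type 2 (ca id 0x4a61): the settings the notes say are in use now */
    printf("flags = 0x%08X\n", shl_decrypt_flags(4, 1, 2));
    return 0;
}
```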
	     
Some bugs are present of course; I will try to locate and fix them ASAP.

   Great thanks to all who helped me :)


______________________________
PI717a25

The bug with losing the PMT is found and fixed. You can safely zap to and from shl channels.
Full-X channels are still not working very well. I will continue to work on improving the SHL implementation.
MHW now tries to autodetect the shl mode by channel service ID. Thus, MHW should choose SHL mode 'MultiPid 2' for SIDs 0x1FAF and 0x1FB0 (Full-X 1 & 2), 'MultiPid 0' for SID 0x1FB3 (Full-X2 M), 'HopPid 1' for SID 0x221D (Don't panic TV).
However, you shall manually choose a suitable ECM PID for CA system ID 0x4a61.

______________________________
PI717a16
SHL implementation changed. Now it supports manual choice of the decode mode.
Go to the service menu (+/Perso), and press '8' to select the desired mode.
Don't panic TV is working in modes 'HopPid 1' or 'MultiPid 1'. It seems 'HopPid 1' is faster.
Other SHL channels still don't work because we are too late to hop to the next pid and haven't enough pid slots for MultiPid mode :(

______________________________
PI717a14

New s2 nano 51x2 implemented.
A card isn't necessary anymore to view non-seca channels. But for seca channels you still need it. It seems we shall modify MHW a bit to avoid the card necessity forever.
 

______________________________
PI717a6

Some bugs in the S2 emulation algo fixed. Thanks to everybody who took part in this project :)

______________________________
PI717a0

S2 nanos 0F and 51 are implemented now.
A lot of thanks to the italian guys who extracted and explained this algorithm for us :)


______________________________
PI716a12

Some bugs in the SHL algo fixed. Zapping is faster than in the previous release but some bugs are still present.
                  

______________________________
PI716a8

!!! For test purposes only !!!
It's my first experience with SHL Neotion encryption. For now only mode 0F (free X-TV) is supported.
A lot of modifications were made in EMU, HDL and MHW. Unfortunately not all modifications are made well.
So some troubles are present (for example, very slow opening of nagra channels noticed...). Hope to fix them in future with the help of my friends :)

Big thanks to psycho_troop, JulekJulek and the other guys (you know who you are and why I can't mention you :)) for great help in this project.


______________________________
PI716a0

1. Download of a data stream (MPEG sections) from a PID added. In the receiver's firmware
dev_mcom is used to implement the download.
For further details on data downloading check out the Mediacom 2.1 README.txt file.

Big THANKS goes to ldnlp for his huge help in firmware disassembling and explanation
of how the DEMUX, MCOM and SECTION tasks/devices function.

2. Also added decoding of VIACCESS 2.4 (VIA2) through U-section.

VIA2 uses 16-byte keys: 8 bytes for DES decryption, the other 8 bytes
for data modification before and after DES.
Let's call these keys key0x and key1x. For VIA-1 only key0x is needed, while for VIA2 JulekJulek (a lot of thanks) has created an additional menu, which can be switched on with the E button while editing the keys,
allowing you to enter key10 ... key1F for VIA2 providers.

Thanks Yaro for his good (as always ;)) translation :)

______________________________                 
v.713a2

Script pers_reg:rx_end.cpi corrected. Bug with losing the channel list after loading the EMU section is fixed.
Now you may safely load the EMU section via the COM port without rebooting the receiver.
A few other little bugs fixed. For example, now after erasing the eeprom (entering K7003 mode) you needn't scan channels. Just download the TCS/TPT/TSR/EMU sections via RS232 (install menu/4/D) and enjoy.

______________________________                 
v.713a1

Seca2 blocker corrected. For now s2 EMMs are recognised by 'table hash' bytes of either 1001 or 1003.

______________________________                 
v.712a11

Additional MHW scripts enabling reading of MPEG tables added. Look at MediaCom's readme file for details.


______________________________                 
v.712a7

Additional features enabling operations through the serial COM port included:

1 - downloading of RAM/R/Settings flash dumps (approx. 100 seconds per 1 MByte);
2 - uploading of settings from the computer (approx. 35 seconds for TCS+TSR+TPT+EMU sections);
3 - sending of s to the computer and receiving of decrypted Control Words from it
(either local host or remote CardSharing Server).

How to manage added features

1. Enter the Service Menu (+/B), press 7 (CONFIG), press 4 to enable the COM port.
Now you can quit the Service Menu, and using the program MediaCom.exe download and save
the dumps of the necessary memory areas onto your computer.

2. Enter the Installation Menu, press 4 (SYSTEM SETTINGS), then D (DOWNLOAD FROM HOST).
Using the program MediaCom.exe upload the necessary files from the settings flash image.
The settings you have uploaded are activated right after you quit the menu.
You do not need to rewrite or erase your EEPROM, nor do you need to reboot your receiver.
!!!Warning!!! Don't press any key on your remote control until the last section is
fully uploaded. This may break the upload process and you will have to start it again.

3. Enter the Service Menu (+/B), press 7 (CONFIG), press 5 in order to activate ECM-sending
mode to a host server.
Now you may use either MediaCom.exe to decrypt on the local computer
or you may also use the program DSR9500Share.exe (H2Deetoo's cardshare client)
to send ECMs to a remote CardSharing Server and receive decrypted CWs from that server.

HDL modifications

- Function Enable_Trace has been changed to enable 115200 baud operation.
- Several functions in ECM_TASK have been changed in order to send s to MHW scripts _BEFORE_ ECM decryption
(earlier it was possible to receive s ONLY AFTER decryption).
- MHW API function added:
	NullSubDSX7071_139(int ECM_PID, char *DecryptedCW);
which sends the DW from the MHW buffer to the CSA descrambler.

- basic.ECMOUT variable added to signal HDL NOT TO DECRYPT ECMs. If basic.ECMOUT==0 then all ECMs
are passed to the EMU or smartcard, otherwise ECMs are accepted but not decrypted internally;
they are sent to the serial port instead.
!!! Warning !!! You must correct the pointer to this variable in case you change MHW!
If this is not done you will NOT be able to handle ECMs properly. The pointer offset
for basic.ECMOUT in the PI712a7 firmware is positioned at 0x10BD09 (data 222851).

MHW modifications.

There are too many modifications to tell about :-).
Commented source code is available for those who want to work with it ;)
I'm not an expert in MHW so some things were left imperfect (I mean the panel p_reg).
Hopefully MHW wizards can correct this.


A lot of thanks goes to:
	DiMeno, for great help with MHW serial device functions;
	Dynamit, for ideas and consultations;
	H2Deetoo, for adaptation of his cardshare client for mediaboxes;
	Yaro, for good translation ;)
================================
English translation done by YARO.
19.01.2004
Latest correction done 24.01.2004


______________________________                 
v.711a3
!!! Test only release !!!

Fixed hanging on arrived D+ ECMs.

Great thanks to Axion for tests and Psycho_troop for cooperation :)

______________________________                 
v.711a1
!!! Test only release !!!
This firmware is uploaded only to test the new D+ MECMs, so sorry for possible MHW bugs.
I can't personally watch Hispasat so please test it for me.

Some useful MHW modifications:

- RS232 logger added.
  	Open your favorite terminal program and configure the connected COM port as 19200-8-n-1.
  Go to Service menu (+/B) and press '7' to enter Configuration menu. Here you can switch 
  ECM-EMM logging ON or OFF via embedded COM port.
  	Press '2' to switch ECM logging on and '3' to switch EMM logging off. Precam 
  packets that have arrived will be seen in your terminal window.
  Seems like all the rest is obvious by itself.

- Marking of channels added. Press 'SERW' button to mark/unmark the currently watched channel. 
Channels marked during watching will be saved in flash during standby.
  
- Unified channel management added. When you wish to do something about the channel list
  (View List, Choice of favorite channels, Change numbering, Remove) you will see a
  new universal panel.
  Probably you'll have some time to wait (it's the time necessary for your tuner to compute
  the number of previously marked channels) - normally about 1-2 seconds.

  From the newly popped-up panel you may :

  - Mark/Unmark channel (status added in this mode will not be saved during standby);
  - Add/Remove channel from your favorite list;
  - Lock/Unlock channel blocking;
  - Move all marked channels to desired position;
  - Delete all marked channels.
  
  Button NAV (sorry folks, I made this panel for Philips DSI175 box) does the same what
  SERW button does for Pioneers.
  
  By pressing it you will be able to mark the following groups of channels:
  - All radio (video_pid is FFFF) channels;
  - All service (both audio_pid and video_pid are FFFF) channels;
  - All channels of current transponder.
  	
  Button C allows to move all marked channels before or after current (highlighted) channel. 
  You should mark at least one channel to be able to move the channels.
  Swapping will substitute the 1st marked channel with the current (highlighted) one.
  
  Button D removes all marked channels. If no channels are marked then the current (highlighted)
  channel will be removed.
  
MHW by Dynamit (English interface).

Great thanks to Trouboudou for logger considerations and to Kabronsete for algorithms
of D+ MECM processing.

______________________________                 
v.710a0


!!! Test only release !!!
Support for diseqc 1.2 positioner added. 4 commands are implemented now in "menu / 6 / C" panel (a lot of thanks julekjulek for this panel :)). 
	<- EAST - drive motor east for 1 second
	-> WEST - drive motor west for 1 second
	GOTO NN - drive motor to satellite position nn
	STORE NN - store satellite position and enable limits

All functions are implemented by modified API function 
	NullSubDSX7071_138(int command, int position)

The first two bytes of the diseqc command (framing and address) are E0 31 according to Dynamit's experiments.

To adjust the position east/west by "steps" (not by seconds) you have to edit the script pers_ptg:posit.cpi:
replace 
	NullSubDSX7071_138(0x68, 0x1); 
	NullSubDSX7071_138(0x69, 0x1);
with
	NullSubDSX7071_138(0x68, 0xFF); 
	NullSubDSX7071_138(0x69, 0xFF);

HALT command is not yet implemented. If you want it, just create a script which calls
	NullSubDSX7071_138(0x60, 0); 
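For readers who want to see what the panel commands above put on the bus, here is an added example (not code from this firmware or from the MHW scripts) that models the `NullSubDSX7071_138(command, position)` call as DiSEqC 1.2 positioner frames: the `E0 31` prefix and the command bytes `0x60`, `0x68`, `0x69` and the `0x1` / `0xFF` data-byte meanings come from the changelog; the `0x6A` (store nn) and `0x6B` (goto nn) codes are the standard DiSEqC 1.2 values and are an assumption, since the page gives GOTO/STORE only by name. The function names, the decoder and the `PositionerCommand` class are this example's own.

```python
"""DiSEqC 1.2 positioner frames as sent to a motor (added example, not firmware code)."""
from dataclasses import dataclass
from typing import Optional

FRAMING_MASTER_NO_REPLY = 0xE0  # framing byte: master command, no reply (page: "E0 31")
ADDR_POSITIONER = 0x31          # address byte: polar/azimuth positioner (page: "E0 31")

CMD_HALT = 0x60        # page: NullSubDSX7071_138(0x60, 0)
CMD_DRIVE_EAST = 0x68  # page: NullSubDSX7071_138(0x68, ...)
CMD_DRIVE_WEST = 0x69  # page: NullSubDSX7071_138(0x69, ...)
CMD_STORE_NN = 0x6A    # assumed: standard DiSEqC 1.2 "Store nn" code, not stated on the page
CMD_GOTO_NN = 0x6B     # assumed: standard DiSEqC 1.2 "Goto nn" code, not stated on the page

_COMMANDS_WITH_DATA = {CMD_DRIVE_EAST, CMD_DRIVE_WEST, CMD_STORE_NN, CMD_GOTO_NN}
_NAMES = {CMD_HALT: "halt", CMD_DRIVE_EAST: "drive east", CMD_DRIVE_WEST: "drive west",
          CMD_STORE_NN: "store position", CMD_GOTO_NN: "goto position"}


def drive_seconds(seconds: int) -> int:
    """Data byte for a timed drive: 0x01..0x7F is a timeout in seconds (page: 0x1 = 1 second)."""
    if not 1 <= seconds <= 0x7F:
        raise ValueError("timeout must be 1..127 seconds")
    return seconds


def drive_steps(steps: int) -> int:
    """Data byte for a stepped drive: 0x80..0xFF is the two's-complement negative step
    count, so 0xFF = 1 step (page: replace 0x1 with 0xFF to move by steps)."""
    if not 1 <= steps <= 0x80:
        raise ValueError("step count must be 1..128")
    return (0x100 - steps) & 0xFF


def build_positioner_frame(command: int, position: int = 0) -> bytes:
    """Bytes one NullSubDSX7071_138(command, position) call is modelled to send.
    HALT carries no data byte, so the position argument is ignored for it."""
    if command not in _NAMES:
        raise ValueError(f"unsupported positioner command 0x{command:02X}")
    frame = bytes([FRAMING_MASTER_NO_REPLY, ADDR_POSITIONER, command])
    if command in _COMMANDS_WITH_DATA:
        if not 0 <= position <= 0xFF:
            raise ValueError("data byte must fit in one byte")
        frame += bytes([position])
    return frame


@dataclass(frozen=True)
class PositionerCommand:
    command: int
    data: Optional[int]

    def describe(self) -> str:
        name = _NAMES[self.command]
        if self.command in (CMD_DRIVE_EAST, CMD_DRIVE_WEST):
            if self.data == 0:
                return f"{name}, continuous"
            if self.data < 0x80:
                return f"{name} for {self.data} s"
            return f"{name} by {0x100 - self.data} step(s)"
        if self.data is None:
            return name
        return f"{name} {self.data}"


def decode_positioner_frame(frame: bytes) -> PositionerCommand:
    """Parse a frame captured on the bus back into command and data; rejects anything
    that is not a master command addressed to the positioner or has the wrong length."""
    if len(frame) < 3 or frame[0] != FRAMING_MASTER_NO_REPLY or frame[1] != ADDR_POSITIONER:
        raise ValueError("not a positioner command frame")
    command = frame[2]
    if command not in _NAMES:
        raise ValueError(f"unknown positioner command 0x{command:02X}")
    expected = 4 if command in _COMMANDS_WITH_DATA else 3
    if len(frame) != expected:
        raise ValueError(f"command 0x{command:02X} expects {expected} bytes, got {len(frame)}")
    data = frame[3] if expected == 4 else None
    return PositionerCommand(command, data)


if __name__ == "__main__":
    # The four panel commands plus HALT from the changelog, shown as bus bytes
    for cmd, pos in [(CMD_DRIVE_EAST, drive_seconds(1)), (CMD_DRIVE_WEST, drive_steps(1)),
                     (CMD_GOTO_NN, 5), (CMD_STORE_NN, 5), (CMD_HALT, 0)]:
        frame = build_positioner_frame(cmd, pos)
        print(frame.hex(" "), "->", decode_positioner_frame(frame).describe())
```

The decoder is the useful half when you are checking an oscillogram or a serial capture: it refuses frames with the wrong framing or address byte and frames whose length does not match the command, so a truncated or mis-addressed frame is reported instead of silently misread.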
	
Waiting for results of your tests :)	
 	
MHW by Generator (Russian interface).

______________________________                 
v.709a4

!!! Test only release !!!
Support for diseqc x4 switch added. I don't have any diseqc hardware so I can't test it except by watching an 'oscillogram' at the LNB IN point.
Looks like it should work; I got proper oscillograms in channel zapping mode with different LNB index, polarisation and band.
Unfortunately I can't test switching in scanning mode :-/
Both diseqc x4 switch and diseqc compatible analogue switch (tone burst) should be supported. So pls test it ;)

A lot of thanks to Ldnlp for his great .idc scripts and other help, and to Dynamit for tests and tutorials :)

MHW by Generator (Russian interface).
                                               
______________________________                 
v.708a2       
                                        
Fixed nagra EMM processing, AU on Digital+ should be possible now.
I can't verify it myself because I can't catch any nagra providers except polsat, so sorry
for possible bugs.
Script install:p_emu.cpi is modified a bit according to the new HDL.

Thanks to Kabronsete for nice explanations of the nagra algo and to Axion for good help with EMM logs :)

MHW by Antoma (Russian interface).
                                                      
______________________________                        
v.708a1                                               
                                                      
Bug with hanging up on Cabo TV is fixed. Thanks to Kabronsete for clearing up how the nagra algo
works :)
                                                      
Added an autoupdated list of 'known signatures' to prevent repeated decryption of nagra
EMMs that have already been decrypted. The MHW memory buffer basic.KN_SIGN was added to keep the list of known
signatures. In standby this buffer is stored in the section 'KNOWN' of settings flash.
Script basic:knownsig.cpi is added; basic:init1.cpi, basic:standby.cpi and install:p_emu.cpi
are modified to work with the KN_SIGN buffer. The RAM address of the basic.KN_SIGN variable is
hard-coded within the HDL, therefore that variable should be inserted at exactly the same place in basic.cla
as it is now (otherwise the HDL definition of its offset should be corrected at address 6011271F).
                                                      
Original MHW by Antoma (Russian interface).
                                                      
______________________________                        
v.707a0                                               
                                                      
Corrected AU on polsat. Thanks Ramzes Pl and Axion for help. 
                                                      
______________________________                        
v.706a2                                               
                                                      
Added autoselection of the operation key for No-Zap (FreeX-TV).
If this algo works then autoupdate isn't necessary ;) But this needs to be tested,
so we are waiting for the next key change ...
                                                      
MHW Antoma (Russian interface).
                                                      
Great thanks to Siciliano for the set of keys and the good idea :)
______________________________                        
v.706a0                                               
                                                      
Added support for No-Zap (FreeX-TV).                  
The operation key is still placed inside the firmware, but if some MHW experts would like
to add support for No-Zap keys into the EMU KEYS menu I will be happy to recompile the firmware.
                                                      
MHW Antoma (Russian interface).
                                                      
Great thanks to NooK for the No-Zap algo :)
______________________________                        
v.705                                                 
                                                      
Added support for autoroll on 4001 and 4901 providers.
Just enter 4101 and 4901 providers in EMU KEYS section and enjoy ;)
                                                      
MHW Antoma (Russian interface).
                                                      
A lot of thanks to Josillo for his simulation algo :)
______________________________                        
v.703                                                 
New features:                                         
                                                      
* Seca1 EMU and AU in box added, with support for updates encrypted with MK01 primary 
only and also both MK01 primary and secondary, tested on 00 19, 00 25 and 00 2A.
                                                      
NOTE: Now there is EMU support in box for:            
                                                      
- Seca 1                                              
- Viaccess                                            
- Irdeto / Betacrypt                                  
- Nagravision                                         
- Conax                                               
                                                      
and AU support in box for:                            
                                                      
- Seca 1                                              
- Viaccess                                            
- Irdeto / Betacrypt                                  
- Nagravision                                         
                                                      
* Conax keys are now placed in EMU (not in HDL) so you need to put them into EMU menu like 
in Dynamit 6.18 and above.
                                                      
* Fixed Seca UA EMMs processing, they are now sent correctly to card.
                                                      
* Switch 'SECA2 EMM' in config menu added:            
                                                      
- OFF - Seca 2 EMMs are NOT sent to card
- UA/SA - all Seca 2 EMMs are sent to card (on UA and SA)
- SA - only Seca 2 EMMs on SA are sent to card
                                                      
It is NOT a Seca 2 hack. How you will use it - it's up to you.
                                                      
* Switch 'CW CARD' in config menu added:              
                                                      
- OFF - firmware works as normal - all ECMs which are not supported by EMU (or in case
  EMU decryption failed) are sent to card (if there is an appropriate provider on it)
- ON - only Seca 2 and CryptoWorks ECMs are sent to card
                                                      
This switch can also be called 'STREAM FIX' for CryptoWorks card owners. It was made
for those who watch using an original, active card with an external or internal blocker.
In such a case they have problems with STREAM PPV - gaps and freezes. Now they can switch
'CW CARD' to ON and watch STREAM PPV without any gaps and freezes. It is NOT a CryptoWorks
hack, you still need an original active card and an external or internal blocker to watch CryptoWorks
channels.
                                                      
NOTE: When 'CW CARD' switch is set to ON only Seca 2 and CryptoWorks ECMs are sent to card 
so you can NOT use card to decrypt other systems, but of course EMU will still work fine.
                                                      
* Info menu 0 CAM fixed, now with Seca 1 and Conax support.
                                                      
* Info menu 3 EMM added, now you will see there all known EMMs (very useful for debugging, 
like Info menu 2 ECM).
                                                      
* Hold function added for both Info menu 2 ECM and 3 EMM, now you can stop / start data display.
                                                      
Great thanks to Ramzes for suggestions and tests :)
       
       
       