Is there a way to change the MAC or IP address?

Backup of earlier posts.
acp63
Junior Member
Posts: 4
Joined: Mon Aug 29, 2005 6:05 pm

Post by acp63 »

Is there a way to change the MAC or IP address?
It is easy to walk up to a box that has what you need. If you can just change the MAC or IP, it will clone the box, right?
usbbdm
Junior Member
Posts: 8981
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

The real unit address is stored in the XC chip. If you just want the external look of the address to change, a firmware can do that.

Here is a copy of the original forum.
Here is code I use on one of my E11 boxes, and the box does not show E11 any more.
This is not really a fix for E11. It just lets you get rid of E11 and provides a faked unit address, in here 0011664D91,
which is unit address 0000291917201148.
Firmware V.07.93

org $4A58B0
SPI05Data:
dc.b $FF,$16,$00,$11,$66,$4D,$91,$20,$00,$6C
MOVE.L A0,-(A7)
MOVE.L A1,-(A7)
MOVE.B (A2),D0
CMP.B #$05,D0
BNE SPINormal
LEA SPI05Data,A0
MOVE.L A2,A1
ADD.L #2,A1
MOVEQ #$00,D0
MOVE.B ($0001,A2),D0
SPIFakeMoveLoop:
MOVE.B (A0)+,(A1)+
DBRA D0,SPIFakeMoveLoop
SPINormal:
CLR.B D3
CLR.W (A3)
CLR.W D2
MOVE.L (A7)+,A1
MOVE.L (A7)+,A2
RTS
END

Change
00464840 4203 CLR.B D3
00464842 4253 CLR.W (A3)
00464844 4242 CLR.W D2

to
00464840 4EB9004A58BA JSR 004A58BA
The real XC chip protocol is still under investigation.
usbbdm
Junior Member
Posts: 8981
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

cipher had successfully logged the auth command from another box by faking the unit address. I had the same success. If there is interest, drop me a message and I will email you the firmware. I will post the firmware later when several others have had the same success. Share your story please.

Here is how: use one DCT2000 box (I use one bad E11 box), modify it to the unit address of another box (could be yours or a friend's or one in the electronics shop), and program the firmware. All the auth commands sent to that box can be logged by your box. It is that simple.

All the auth commands will have NO effect on your box. You will not get the same channels as that box, you get the auth commands ONLY!!

You can use your DCT 2000 to log the auth command to your DCT 2500!! This is tested and worked. You MIGHT be able to log other boxes (HDTV) etc.; that is not tested and I do not know if it will work or not.
swordfish62
Junior Member
Posts: 49
Joined: Sun Sep 04, 2005 8:32 pm
Location: Massachusetts

Post by swordfish62 »

If I understand the above post, modifying the MAC is a waste of time, so our only hope is the DCT 2500... If this is the case, I look forward to the EJTAG coming out anytime soon, since I own 4 DCT2500s.
usbbdm
Junior Member
Posts: 8981
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

Just uploaded the firmware that can do a fake unit address. Download at http://www.usbjtag.com/firmware.php.
Put your address at $4a5953.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago

Post by tester5 »

So if I use a local box that has been downgraded to basic and I fake the unit ID to a premium box and hit it, it still won't work? Has anyone tried?
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

No, it will not work. I log from unauthed good working units all the time. I spoof the address of the authorized UIDs on the network to do this. The XC command sequence is encrypted with the UID as part of the encryption key. The following functions are performed with the encryption.

UNITKey(XOR)HighAddress(XOR)LoAddress(XOR)ChosenDecryptionKey = Obscured DecryptionKey to be used

UNITKey(XOR)HighAddress(XOR)LoAddress(XOR)ChosenAuthenticationKey = Obscured Authentication hash Key to be used

You will find the more detailed info in the patents as well.

http://www.freepatentsonline.com/6061449.pdf

The DAC takes the UID address and a cipher key which is selected with the EPOCH version from the XC chip and an authentication key which performs a hash for the target box to compare to the UID verifying the command came from the authorized DAC system.

It is not easy to defeat, it is complex and has some minor weaknesses.

For example, the hash can be attacked with a birthday method. Difficult with a small hash value, but the small value also makes it subject to compression exploits. That's why you see patterns in the hash data.

I posted the info for that somewhere on the site; search for cryptography. It's a hard read though. Brush up on serious math or it will blow your mind.
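
An added illustration of the key binding cipher describes above (not code from the thread or from any real system): because the unit key held in the security chip is mixed into the obscured key, a second box that only reports the same address derives a different key and cannot validate the command. Key width, the address split, the HMAC stand-in for the hash, the `Box` class and every value here are assumptions constructed for the example.

```python
import hashlib
import hmac

# All sizes and values below are constructed for illustration; the post gives none.
KEY_LEN = 8

def xor_bytes(*parts: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    if any(len(p) != KEY_LEN for p in parts):
        raise ValueError("every input must be KEY_LEN bytes")
    out = bytes(KEY_LEN)
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out

def obscured_key(unit_key, high_addr, lo_addr, chosen_key):
    """UnitKey XOR HighAddress XOR LoAddress XOR ChosenKey, as in the post."""
    return xor_bytes(unit_key, high_addr, lo_addr, chosen_key)

def command_tag(auth_key: bytes, command: bytes) -> bytes:
    # Stand-in keyed hash (HMAC-SHA256, truncated); not the real algorithm.
    return hmac.new(auth_key, command, hashlib.sha256).digest()[:8]

class Box:
    def __init__(self, unit_key, high_addr, lo_addr):
        self.unit_key = unit_key  # held in the security chip, not in firmware
        self.high_addr, self.lo_addr = high_addr, lo_addr  # what firmware reports

    def accepts(self, chosen_auth_key, command, tag):
        key = obscured_key(self.unit_key, self.high_addr, self.lo_addr, chosen_auth_key)
        return hmac.compare_digest(command_tag(key, command), tag)

def demo():
    high, lo = bytes.fromhex("0000000000000001"), bytes.fromhex("00000000000000a5")
    target = Box(bytes.fromhex("1122334455667788"), high, lo)
    # Second box: same reported address, but its own unit key.
    spoofer = Box(bytes.fromhex("8877665544332211"), high, lo)
    chosen = bytes.fromhex("0f0e0d0c0b0a0908")
    command = b"AUTH tier=constructed"
    # Headend (assumed to hold the target's unit key on record) tags the command.
    headend_key = obscured_key(target.unit_key, high, lo, chosen)
    tag = command_tag(headend_key, command)
    return target.accepts(chosen, command, tag), spoofer.accepts(chosen, command, tag)

if __name__ == "__main__":
    print(demo())
```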