Jtag?
Apr 27, 2005 23:40:03 GMT -5
Post by adrianbv6 on Apr 27, 2005 23:40:03 GMT -5
Anyone know what that J201 is? It looks like a JTAG port. Anyone know anything about JTAG and how to use one? Let's see what that's for; maybe we can access some other part of the board to change the unit address, or maybe even other things.
I have a JTAG but I don't have software for it, so I don't know how to use it.
***Updated***
The J201 is used to talk to, or maybe even program, the XC chip: xc420061 infoda1 infosc1 infock1.
I double-checked that on the 2500s: they don't have a J201, but the pins come out straight from the XC 420061 chip and you can access them there. The 2000 models have a separate long 6-pin connector.
So that is definitely used to talk to that chip, program it, or whatever.

Post by adrianbv6 on Apr 28, 2005 6:01:07 GMT -5
I also disconnected the battery on one PH7 to test if I get E11 again. The unit address is still on and it displays E00, so the battery is removed and I have no error.
Things are getting weird. I have also done these tests... TV tuners are different, some NVRAMs have wrong info...
I tested 3 boxes...
a = legal box, not from my area... PH9; b = PH8; c = PH7
a ---> gets premiums in my area, about 10 of them, and a few CLR and some other crap; all premiums have ENC 12.
b ---> cloned the exact memory and firmware application, everything; it works. I haven't checked if it gets all the exact premiums, but it gets at least about 7 of them.
c ---> cloned this crap; actually I cloned 2 PH7, a PH6, and a non-PH. None of them get any premium channel, only some CLRs.
Conclusion = there is something in the box that has data about the channels you can watch, like purchased or not. Anyone know the exact steps of how these boxes work? Like from when you start, the firmware decompresses into RAM, or what's going on? Something else is responsible for premium channels... So advice: if you buy boxes, try to ask the guy if he had any premiums. Get a box that had all the premiums; it doesn't have to be from your area, but from someone that paid for digital packages. Then clone the NVRAM from your area and voila, you get all the digitals in your area.
And an extra EEPROM or something containing the unit address and PPV option, whatever, I don't know.

Post by patsfan on Apr 28, 2005 6:43:21 GMT -5
Have you unplugged the box since the battery was removed? If the battery is out and the box is unplugged you should get E11.
By CLR you mean channels that are in the clear (wide open)? And what do you mean by ENC 12?
I have three boxes that are all non-PH boards, and if I try to clone NVRAMs or firmwares it won't work at all.

Post by adrianbv6 on Apr 28, 2005 8:44:24 GMT -5
Box unplugged for hours; it is unplugged right now. Plug it in, same thing, E00. I don't have E11. The unit address might be stored somewhere else then.

Post by adrianbv6 on Apr 28, 2005 8:46:48 GMT -5
I have a non-PH. I clone the NVRAM and after like 5 min it downloads the firmware and application from the company; then I can't power it up, it updated wrong.
I threw the non-PH and PH6 in the garbage, too much headache, I don't want to waste my time.
I like PH7, 8, 9.
Preferably PH8 or 9; those are the best, most compatible with the system.

Post by usbbdm on Apr 28, 2005 9:43:17 GMT -5
By reading the firmware, the unit address is definitely from the XC4200.
No question. But the XC4200 may not be battery backed up. I remember one of the E11s I created was by using a multimeter to scan the pins of the XC4200. There are SPI commands to enable the XC4200 to let the box be purchasable. It is a type 04 command. A type 05 command is to request the unit address.
Here is part of the disassembled firmware.
    00464994 0C6B00650004  CMPI.W  #$0065,($0004,A3)
    0046499A 666A          BNE     00464A06
    0046499C 0C6E0086FFF4  CMPI.W  #$0086,($FFF4,A6)
    004649A2 6662          BNE     00464A06
    004649A4 2015          MOVE.L  (A5),D0
    004649A6 720E          MOVEQ   #$0E,D1
    004649A8 D081          ADD.L   D1,D0
    004649AA 2F00          MOVE.L  D0,-(A7)
    004649AC 2015          MOVE.L  (A5),D0
    004649AE 7211          MOVEQ   #$11,D1
    004649B0 D081          ADD.L   D1,D0
    004649B2 2F00          MOVE.L  D0,-(A7)
    004649B4 4EB900464B02  JSR     $00464B02.L   ; SetUnitAddressAndAttr(Pointer, BYTE* _Attr)
    004649BA 2880          MOVE.L  D0,(A4)
    004649BC 486EFFE8      PEA     ($FFE8,A6)
Address 0046499C checks for the type 0086, which is the converted tag of 05 in another table. The unit address table has two parts: the real 5 bytes of address and one "Seed Health". If the Seed Health is 0xFF, then it is a good address, else it is not. To find "Seed Health", go to the diag screen and select unit address; you will see a good box with "Seed Health" 0xFF. An E11 box will have 0xFC and a unit address of all 0. But for an E11 box, the SPI command will not give an all-0 address; when it is shown on the screen, the firmware checks for 0xFF, else shows all 0.
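Two checks a reverse engineer would run against the listing in the post above, as an added example that is not code from the thread or from the firmware: resolving the two BNE targets and decoding the CMPI.W operands from the raw opcode words (standard MC68000 encodings), plus a model of the "Seed Health" rule the post describes. The 6-byte record layout (5 address bytes followed by the Seed Health byte), the byte order and the sample address values are assumptions made for illustration.

```python
"""Added example, not code from the thread: sanity-check the 68k listing
usbbdm posted and model the unit-address / "Seed Health" rule he describes.
Bcc and CMPI encodings are standard MC68000; the 6-byte record layout
(5 address bytes, then Seed Health), the byte order and the sample values
are assumptions for illustration."""

UNIT_ADDR_LEN = 5
SEED_HEALTH_GOOD = 0xFF
SEED_HEALTH_E11 = 0xFC  # value the post reports on an E11 box


def bcc_short_target(pc: int, opcode: int) -> int:
    """Target of a Bcc.S: the signed 8-bit displacement in the low byte is
    relative to pc + 2 (the PC after the opcode word has been fetched)."""
    if opcode & 0xF000 != 0x6000:
        raise ValueError(f"not a Bcc opcode: {opcode:04X}")
    disp = opcode & 0xFF
    if disp in (0x00, 0xFF):  # 0x00/0xFF select the word/long forms
        raise ValueError("not the short (8-bit) form")
    if disp & 0x80:
        disp -= 0x100
    return pc + 2 + disp


def decode_cmpi_w_d16(words):
    """Decode the three-word form CMPI.W #imm,(d16,An) used twice in the
    listing. Returns (imm, d16, n) with d16 sign-extended."""
    op, imm, d16 = words
    # 0000 1100 | 01 (word) | 101 (d16,An) | rrr
    if op & 0xFFF8 != 0x0C68:
        raise ValueError(f"not CMPI.W #imm,(d16,An): {op:04X}")
    if d16 & 0x8000:
        d16 -= 0x10000
    return imm, d16, op & 7


def displayed_unit_address(record: bytes) -> bytes:
    """Rule from the post: show the 5 address bytes only when Seed Health
    is 0xFF; anything else (0xFC on an E11 box) is shown as all zeros."""
    if len(record) != UNIT_ADDR_LEN + 1:
        raise ValueError("expected 5 address bytes + 1 Seed Health byte")
    addr, health = record[:UNIT_ADDR_LEN], record[UNIT_ADDR_LEN]
    return bytes(addr) if health == SEED_HEALTH_GOOD else bytes(UNIT_ADDR_LEN)


if __name__ == "__main__":
    # Opcode words copied from the listing in the post.
    imm, d16, an = decode_cmpi_w_d16((0x0C6B, 0x0065, 0x0004))
    print(f"CMPI.W #${imm:04X},({d16},A{an})")
    imm, d16, an = decode_cmpi_w_d16((0x0C6E, 0x0086, 0xFFF4))
    print(f"CMPI.W #${imm:04X},({d16},A{an})   ; tag 0x86 = converted type 05")
    for pc, op in ((0x0046499A, 0x666A), (0x004649A2, 0x6662)):
        print(f"{pc:08X} BNE -> {bcc_short_target(pc, op):08X}")
    # Constructed records: a healthy box and an E11 box (assumed layout).
    good = bytes([0x01, 0x02, 0x03, 0x04, 0x05, SEED_HEALTH_GOOD])
    e11 = bytes([0x01, 0x02, 0x03, 0x04, 0x05, SEED_HEALTH_E11])
    print(displayed_unit_address(good).hex(), displayed_unit_address(e11).hex())
```

Both BNE words resolve to 00464A06, and the second CMPI.W decodes to #$0086 against a negative offset (-12) from A6, so the two compares guard the same fall-through path into the JSR; that agrees with the disassembler's output and is the kind of cross-check worth doing before trusting a listing pasted from a forum.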

Post by adrianbv6 on Apr 28, 2005 10:04:50 GMT -5
No, E00. The unit address is there and FF.
Everything is OK, but I know I did that before on a PH8 and I got E11. I am surprised this PH7 doesn't. So that means it is stored in a small EPROM somewhere or something.

Post by patsfan on Apr 28, 2005 11:47:01 GMT -5
It sounds like you got lucky with that box. It's the only one that I personally have heard of that didn't go E11 with the battery dead/pulled and no power.

Post by adrianbv6 on Apr 28, 2005 19:10:51 GMT -5
I just soldered the battery back. Everything seems fine, but I don't get any premiums anymore; it keeps telling me "please wait, this channel will be available soon"... Well, I don't have the right channel alignment either, but before I could watch, like, Starz, which used to be on 533; I watched it on 822. It was weird but it worked. Now I only get music channels and some crappy news channels.
The unit address is still there and everything is OK.
****Updated: I removed the battery on my second PH7 and still no E11. I remember the PH8 gave me E11. PH7 must be different, as I've seen the battery only keeps the data that's extracted into RAM, that's the TV guide application or something, favorite channels, names, menu, etc.

Post by adrianbv6 on Apr 29, 2005 0:51:13 GMT -5

Post by usbbdm on Apr 29, 2005 9:44:38 GMT -5
Good post. But typically the chip is protected and you are not likely to be able to read the data from it. But it's worth someone having a try.

Post by elvanwzrd on May 22, 2005 1:46:56 GMT -5

Post by usbbdm on May 22, 2005 11:08:24 GMT -5

Post by elvanwzrd on May 22, 2005 15:59:29 GMT -5
Also see www.algotronix.com/content/security%20FPL%202001.pdf. The method of protection described at the end is not the same as in the XC4000. If your results are repeatable (I'm not suggesting anyone try this), i.e. FPGA data is lost when the battery is removed, it seems like the bitstream is not stored on the board, but is programmed by the cable provider and re-programmed when there is a subscription change. If that is true, I don't see a way of reading this data. However, if the data is stored in SRAM, or a PROM of some kind, then there is a means of cloning. Perhaps capturing the data at the time of a subscription upgrade by inserting an interrupt, or probing the XC4000 if the data downloaded to RAM is somehow encrypted.

Post by patsfan on May 22, 2005 17:10:01 GMT -5
Yep, that's exactly what happens. They "hit" the box after it is installed to authorize your channels, and they hit it again when you change packages. You can actually call to downgrade your channels, have the box unplugged for a day or so and hook it back up (reverse filtered out or unhooked, of course) and you won't lose the channels you cancelled. Eventually they will do a refresh and probably shut them off, but it's not uncommon to have them for a month or so. Some cable companies might be more diligent and send the refresh hits more often.

Post by elvanwzrd on May 22, 2005 18:04:59 GMT -5
The real question is: is the FPGA also supported by an onboard SRAM or PROM chip? The fact that premiums can be lost by removing battery power (possibly) from the XC4000 indicates strongly that it's battery backed and there is no boot PROM (as is customary) to re-program it, thus partially securing the data it stores.
The white papers above pose the idea that a battery-backed FPGA IC is susceptible to losing its data out in the field if, for example, the battery were to fail, and that this is not a good idea. Seemingly, however, this is what Motorola/GI have done as a security measure.
The interesting part is that the chip can be reprogrammed over the cable network. Therefore surely the firmware can be modified to duplicate any downloaded upgrades, or to place a breakpoint after such an update is received and before the FPGA is reprogrammed. Then the bitstream for each type of upgrade could be captured.
Then would come questions like: is each premium package programmed into the FPGA, or perhaps each possible configuration of packages reprogrammed as a whole, or (and sensibly) is a general module downloaded and then modified in RAM, enabling or disabling certain bits indicating whether a module (package) is active or not, before programming the FPGA?
I'm ad-libbing here, I'm sure some of you can tell.
Is the FPGA simply an authorization unit, or is it programmed as a DSP chip to work as a DAC, or just to decrypt the data before sending it to a DAC?

Post by usbbdm on May 22, 2005 18:30:31 GMT -5
I have captured the command to the XC4200 when calling for a new channel. The command is very long, about 4x160 bytes. But it is a special command you normally do not see. Cloning the same command to another box has failed. The command does not get rejected, but the channel is not opened.

Post by elvanwzrd on May 22, 2005 19:21:42 GMT -5
Is the network and/or unit address part of the command?

Post by adrianbv6 on May 22, 2005 21:04:20 GMT -5
The XC chip is not battery backed up... It might have made a small voltage fluctuation that messed up the chip, but it is standalone... Satellites have that too, and no battery.

Post by patsfan on May 23, 2005 8:29:39 GMT -5
Isn't the XC4000 chip the DigiCipher II chip? I don't think it would need battery backup. Some models will stop working completely when the battery dies and the box gets unplugged: all the 1000 series DCTs and some of the 2000 series. Not sure about the 2500s. The only way to fix them after this happens is to send them back to Motorola. They can't be fixed by the cable company through the cable stream using the DAC.

Post by adrianbv6 on May 23, 2005 12:40:51 GMT -5
I've seen them do it, man. They even stuck 2 addresses on my friend's box. I haven't seen it with my own eyes, but they stuck 2 stickers on the box with the IP over the old one.
If we are patient it will come to us. Someone is working on this and has already found a way to temporarily execute a new one.

Post by elvanwzrd on May 23, 2005 13:48:07 GMT -5
"Isn't the XC4000 chip the DigiCipher II chip?" The XC4000 is a programmable logic chip that does need power to keep its data; see the Xilinx website for more info, or the PDFs referenced above. It can be programmed to be almost anything the manufacturer wants it to be. You can write C algorithms and download them to it, etc. In this case, (probably) the DigiCipher algorithm. --correction-- It doesn't need battery power; however, it loses its programming when the power is removed, therefore if there is no battery, it would need to be re-programmed when the unit reboots. If it is programmed again after the power is removed, this is a security risk for the data stored in a flash or PROM (such that the XC4000 can be re-programmed)... hence (possibly) the battery on the Motorola board. Adrian's test showing that his unit lost the ability to decipher encrypted digital channels after the battery and power were removed strongly supports the theory that the XC4000 on our cable boxes is battery backed. If there isn't a battery on the satellite boards, the XC4000 must be programmed by some other means each time the unit boots. To answer this question for sure, it might be a good idea to trace the power from the battery to the power backup pins on the chip and see if it goes low when the battery is removed.

Post by patsfan on May 23, 2005 15:44:37 GMT -5
Ah ha. Yes, I am pretty sure it is DigiCipher II. The same thing is also used by Star Choice.

Post by adrianbv6 on May 23, 2005 19:26:04 GMT -5
I also said that I tested 3 other boxes. I disconnected the battery on 2 PH7s and one PH8 and left them unplugged for hours and didn't get an error...
A short I had made in the box caused that error when I removed the battery on one box I tried a long time ago.
Xilinx has a JTAG programmer for these chips, and I am sure it can be programmed with no problem with that programmer.
Satellites have the same chip, just that they are programmed by the smart card that they have, like a plastic credit card; you guys know those cards, like DirecTV, Dish Network... These cable boxes' XC chips are programmed by the TV Pass Card. I am 100% sure, very confident about this.

Post by patsfan on May 23, 2005 20:13:46 GMT -5
I believe this was brought up by a member on this board a while ago. They mentioned something about using the TV card slot for repairing a box with E11, etc.

Post by elvanwzrd on May 23, 2005 22:28:40 GMT -5
"I have captured the command to the XC4200 when calling for a new channel. The command is very long, about 4x160 bytes. But it is a special command you normally do not see. Cloning the same command to another box has failed. The command does not get rejected, but the channel is not opened." Assuming that the subscription data is first downloaded to NVRAM... When capturing these commands, is it possible to capture all changes to NVRAM over time, as well as the data sent to the XC4000 over time? Possibly a tall order, lol. I was thinking that there may be an update and then an authorization phase... hmmm, brain churning... Interesting thought... If you were to call to cancel that channel, then re-issue the captured command on that same box, and the command worked, it may be that the command is box (or ID) specific. Sorry, I do go on.

Post by usbbdm on May 23, 2005 23:00:48 GMT -5
I think the command IS chip specific. But it might be computed in the box, so there is a chance to re-construct the command. This is just a possibility. Has anyone had a chance to disassemble the firmware and start analyzing the code?

Post by patsfan on May 24, 2005 5:57:10 GMT -5
The command is probably the same, but it would have to contain the code to address that particular box. You have to remember that when the DAC sends out a command, hit, authorization, etc. to a certain box, it doesn't know where it is going. It just sends it out over the cable stream and all other boxes just ignore it.
I'm guessing that's why, usbbdm, when you sent the captured command to the other box it didn't reject it, but realised it wasn't intended for it and ignored it.

Post by usbbdm on May 24, 2005 11:13:38 GMT -5
patsfan, I am not replaying the command to the box via the TV stream. I am replaying the SPI command to the XC chip. So I am sure the SPI command is box (or XC chip) specific.

Post by DCTGoddess on May 24, 2005 11:18:38 GMT -5
It's true a DCT might have two IP stickers (or more). Returned DCTs are sent back to the factory to be refurbished, wiped clean, then re-loaded with the basic firmware and a new unit address. Out in the field, if for some improbable reason the DCT's address is wiped out, the digi-box can only get a new one at the factory.