Jtag?

[DCTGoddess]

Just a guess. I would think, for security, there would be a module for each individual premium package. Although...the cable companies tend to change their promotional offers fairly often, so lumping the premiums together in one general module download would be easier. Oh well, maybe I'm overthinking this. Either way, there's pros and cons to both methods.

[patsfan]

usbbdm said:

patsfan, I am not replaying the command to the box via TV stream. I am replaying the SPI command to xc chip. So I am sure the SPI command is box (or XC chip) specific.

yes i knew that. i guess i worded that wrong. what i was wondering is did you just replay the exact command to the other box? the command would probably work, assuming it's possible to decode the box specific part and replace it with another box id. way over my head.

[patsfan]

DCTGoddess said:

Just a guess. I would think, for security, there would be a module for each individual premium package. Although...the cable companies tend to change their promotional offers fairly often, so lumping the premiums together in one general module download would be easier. Oh well, maybe I'm overthinking this. Either way, there's pros and cons to both methods.

i'm not sure what you mean by module? the cable company can turn on any one channel they want per box. not related to any promotional offers at all. if they lumped all premiums together then you could pick the cheapest one and they would have to give you all of themm with no way of shutting them off. not good for business.

[elvanwzrd]

If I were to design such a system I might have a main module that decrypts an incoming stream using a key. The keys could be part of sub modules each representing a individually subscribable package (HBO etc) that could each be activated or deactivated. Then simply assign certain channels to a certain sub module.

Such that if you select channel 120, The unit would say. Ok this is a digital channel and direct it through the XC4000. The channel ID may be able to tell the XC4000 logic which sub module to use, and therefore if activated, decypher the channel correctly.

Just a theory.... may be entirely differnet in reality.

Does anyone know if the XC4000 can be modified in part, or if it has to be completely reprogrammed each time?

Just out of curiosity: If the network address is changed on an opperational unit, and then a request for upgrade made. Will the box be able to receive the upgrade. Put another way does the cable co reference the box via the network ID, unit ID?

[DCTGoddess]

patsfan said:

i'm not sure what you mean by module? the cable company can turn on any one channel they want per box. not related to any promotional offers at all. if they lumped all premiums together then you could pick the cheapest one and they would have to give you all of themm with no way of shutting them off. not good for business.

Yes, you're probably right. That makes more sense. I'll be quiet now.

[geekygizmo]

This is real interesting stuff!

I always thought the XC chip was custom by GI/mot and the XILINX chip happened to have the same base number, perhaps it's the XILINX with a GI/mot mask rom in it? Anyway it does contain the UID and seed keys and every command given to it MUST be encripted using one of the known keys contained within it and every unit has different keys.

I have a document I need to attach or post somewhere that contains very very good info on just this subject.

GG

EDIT:
I stuck the file here for now, mod's can you post it here somewhere?

www.curious-contraptions.com/forums/attachment.php?attachmentid=655


EDIT
I just found where the original information was posted, even more good stuff here on how the XC chip works.

id-discussions.com/forum/showthread.php?p=350336#post350336

id-discussions.com/forum/showthread.php?t=49286&page=3&pp=10&highlight=dcii

[patsfan]

no the chip isn't custom, only the info in it. thanks fo rthe good info. i've been a member at ID for years. never even thought to search it out.

[geekygizmo]

I have searched all afternoon for info for the XC42k chip on Xilinx and the web, I really think the references to xilinx at a few suppliers are mistakes, they make a XC4200 but it does not come close. GI has used this chip in ALL DCii variants and there are no Xilinx marking on it at all. The only change in number is the -00x at the end which usually notes the ROM version.

Can someone point or post the Xilinx data sheet?

USBBDM, I really think the info I posted above should be made into a new thread, it really sets it stright about how the system works.

One more note, the XC chip is doing pretty much exactly what the U7 did back in the VC2 days, battery holds ID and seed keys. The chip crunches raw tranport into final packets using that info.

Great site!
GG

[adrianbv6]

geekygizmo good info



the batery does not hold that.....i disconnected teh box batery on 3 boxes and still got digitals.....

i once disconnect the batery on a ph8 2 years ago and i had E11 maibe i done somehting else to it too i dont remember

[patsfan]

it kind of makes you wonder what the battery is actually for. i haven't pulled it on any of my boxes just in case. we use to use the 1000 series GI boxes (1124) here and they were dependant on the battery. if the battey died and power was lost the unit would go E11 everytime. the batteries were rated for 7 years so when the life was almost up the boxes in storage would get plugged in and and have the batteries changed while power up.

[geekygizmo]

There is a cap on the board that is still holding a charge, try runing a ground wire around the xc-chip, hit every pin (With no power to the board). That should do the trick.

GG

[usbbdm]

Use multimeter and scan pins of XC4200 will get E11 likely. (Do not do this!! I did once.)

[adrianbv6]

there isnt a capacitor on a ph7 or ph8 that can hold charge......for over a day


capacitors dont hold charge in the first place ....
i work in heating industry and only the start capacitors hold charge and those capacitors are not used for more then 1 split second at every startup.

[geekygizmo]

Caps do hold charge, the round cans can hold the chip for days if the circuit is done right by the engineers.

If you really want e-11 then do like usbbdm said and run your multimeter leads around the chip hitting two or more pins at a time, you will hit the pin with the charge and ground it to the pin next to it and bang, e-11

GG

[adrianbv6]

i will do otherwise i will cut every capacitor on the board

[patsfan]

geekygizmo said:

Caps do hold charge, the round cans can hold the chip for days if the circuit is done right by the engineers.

If you really want e-11 then do like usbbdm said and run your multimeter leads around the chip hitting two or more pins at a time, you will hit the pin with the charge and ground it to the pin next to it and bang, e-11

GG

you are correct, caps do hold a charge. but i don't think there are any on the board for the purpose of backing up a ram chip. why bother if you are going to put a battery in anyways.


adrianbv6; are you saying you are going to cut all the caps? you might not get E11 but i doubt the box will work at all. plus don't cut any in the power section.

[geekygizmo]

adrianbv6, no need to cut any caps! Just unplug the unit, take a wire connected to the chassis and run it around the chip, hit all the leads- I will assure you a E-11 will follow.


patsfan, Yes, they do put a Electrolytic cap in line with the battery for the express purpose to give enough time to change it.


The encription and keys in the XC chip are very very secure and in 10 years no true crack has been reported. The copy the NVRAM trick only brings unencripted channels alive. It will take some real deep probing like USB_BDM is doing on the spi port to find a way into the chip. Coldfire on ID really layed the ground work for this (in the doc I put up) and the USB_BDM device will help others to follow up. I have no where near what it will take in the software department but I can do all that is needed for the hardware.

GG

[patsfan]

I doubt the encryption will ever be broken, unless by fluke. the ticket is to find a way to spoof the box into thinking it should display all channels. similar to the 3m programs from satellite. i'm like you though geekgizmo, more of a hardware guy. i'm trying to pick up on the software/programming but it's slow going.

[DCTGoddess]

patsfan said:

I'm like you though geekgizmo, more of a hardware guy. i'm trying to pick up on the software/programming but it's slow going.

Ditto. I'm from an A/V background, & this is really fascinating stuff!

[usbbdm]

I am sorry that I have not post real things these days as I am very busy at another project.
Here are two things I had done to the SPI with USB BDM in the past.

1. I hacked the firmware so all the SPI command to and from the XC chip will send to serial port. I used 38400. Then a serial cable to PC to capture all the command.

There are two SPI devices, (address 0E and 07, 0E is to XC chip I believe).
2. I wrote a small software that run in the ram that accept the command from serial port (again 38400) and send to SPI and send the responce from SPI to serial port. That way I can replay the SPI command captured in 1.

In 1, I was able to capture the long command that cable company authorize the channel. But replay the comamnd to second box to authorize channel had failed. More investigation will be done combined with the code reading.
If anyone who had the USB BDM and would like to do some SPI command analyze, let me know and I will tell you how to do it.
By reading documents found on the internet about XC chip, it seems quite complicated, yet I still believe it is possible to break it.

For the SPI command format. Here are what I found.

A command start with (HEX)
If the command combined with head and checksum is less than 32 bytes
80 XX LL YY YY YY YY YY YY YY YY CC
XX is the type of command (05 is to read unit address, 04 to read PPV status, 07 channel auth, 3C program XC chip).
LL is the bytes of YY.
CC is the XOR of the packet exclude 80. (XX XOR LL XOR YY....)
If the command is longer than 32 bytes.
80 XX LL YY YY YY YY YY YY YY (first 32 bytes)
81 YY YY YY YY YY YY YY YY YY (second 32 bytes)
...
81 YY YY CC

The response from XC chip
XX LL (first packet two bytes)
XX the type (05 unit address, 04 PPV, 07 channel auth, ENC12 get from here).

YY YY YY YY YY YY CC
LL bytes of YY. Then CC is the checksum of XX LL and YY.

After command is received, there is a routine to break YY into strcture defined for each XX. And convert to a message type for each type. The task that receive the responses then do a case switch.

By knowing these, I was able to fake unit address. Also fake the auth (Let the diag see ENC 12 or CLR, yet no pictures yet.

[patsfan]

usbbdm said:

By knowing these, I was able to fake unit address. Also fake the auth (Let the diag see ENC 12 or CLR, yet no pictures yet.

i was wondering if that would work. obviously not, or there is another piece to the puzzle. great post btw.

[geekygizmo]

All inbound communication to the XC must be encrypted via a known key that it contains, that is why commands sent to one XC won't work on another. The when its incorrectly formatted XC seems to take the info but ignores it. Again, please take a good read of "Coolsats doc" I posted earlier in this thread, it really explains how it all works very well.

It seems most cable company’s using this box are to lazy to set up all channels securely, just using a channel map to keep people out.

Here is a interesting idea, try to drive two receivers with one XC - send the output data to a 2nd receiver and see if it can decode the same channel. That can help confirm which packets are what as far as output.

Just a crazy idea.

GG

[usbbdm]

geekygizmo said:

All inbound communication to the XC must be encrypted via a known key that it contains, that is why commands sent to one XC won't work on another. The when its incorrectly formatted XC seems to take the info but ignores it. Again, please take a good read of "Coolsats doc" I posted earlier in this thread, it really explains how it all works very well.

It seems most cable company’s using this box are to lazy to set up all channels securely, just using a channel map to keep people out.

Here is a interesting idea, try to drive two receivers with one XC - send the output data to a 2nd receiver and see if it can decode the same channel. That can help confirm which packets are what as far as output.

Just a crazy idea.

GG

This can be done by use two serial port. One send and receive "SPI" command to serial port and the other box receive serial and send send to XC and read back XC send to serial port. No time to do it yet, not hard to do.

[patsfan]

i read coolsats doc earlier and there are some differnces between the way *choice and cable boxes work. i'll post more later when i have time. the problem is once cable companies realise their system is comprimised they can change keys, secure channels.

[geekygizmo]

patsfan said:

i read coolsats doc earlier and there are some differnces between the way *choice and cable boxes work. i'll post more later when i have time. the problem is once cable companies realise their system is comprimised they can change keys, secure channels.

I know all the features of the XC chip are not being used by some or even most of the cable companys like the catagory key changing each month. It's really up to the provider how hard they lock a channel, or how often the keys change.

Are we really opening teirs or are all the chanels just one teir (one set of keys) and the external channel map in the eeprom is the only security? Seems like this is sometimes the case....

Any more info that can be provided on this would be great!

GG

[adrianbv6]

i have a box is working i got it like 2 months ago still runing all digitals and from the guy i bought it he had it for 6 months but he couldnt use it.... black screen i bougt it from him and connect.

[patsfan]

sounds like the box was never deactivated. i know with my cable company anyways, if you call to downgrade your package and you leave the box unplugged for a couple of days, when it's plugged back in you will still have all the channels. in order to keep them though the reverse needs to be unhooked so the DAC doesn't find out and shut them down.

sounds like the box holds onto it's previous channel package until it told otherwise. when you reconnected it they all came back.

[adrianbv6]

yes the info in the xc chip is there as long u dont call the company and say to downdrade is ok ....when u stop paying for the service they only disconnect the box like this one i have black screen.