StarChoice, 4DTV and Digicipher II

BDM (NT) on Star Choice
Drbuzzo
Posts: 30
Joined: Thu Sep 15, 2005 5:26 pm

StarChoice, 4DTV and Digicipher II

Post by Drbuzzo » Thu Sep 15, 2005 5:31 pm

Hello.

I'm new to this board, so please excuse me if I ask something that seems obvious, but I've been studying testing for a long time.

As you probably know, Motorola digital cable systems use the Digicipher II encoding and content protection system. This is the same system used by Canadian DBS company StarChoice, as well as by many US content distributors for content which is sent to headends and is receivable with the 4DTV system.

I was wondering: can this software and hardware be used to test or "open up" StarChoice systems and 4DTV systems? What about commercial Digicipher II systems, such as those which work with the Digicipher Megapipe transmission method?

Thank you in advance.

-Steve

usbbdm
Posts: 8492
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Thu Sep 15, 2005 10:35 pm

I have successfully plugged in two StarChoice boxes. Reading the firmware is fine, but I have not yet disassembled the firmware. In fact, the main reason to go to the 0.50 software is to support StarChoice or any Motorola 68331 CPU. If you can figure out the memory map, you should be able to start testing on these boxes.

Drbuzzo
Posts: 30
Joined: Thu Sep 15, 2005 5:26 pm

Post by Drbuzzo » Fri Sep 16, 2005 12:38 pm

Awesome.

So with this will I be able to open up all the channels and the pay per view channels?

usbbdm
Posts: 8492
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Sat Sep 17, 2005 7:54 pm

Drbuzzo wrote: Awesome.

So with this will I be able to open up all the channels and the pay per view channels?

I do not think so. Even with DCT 2000, we can only replay the SPI command to get what was previously authorized. No one here works on *choice yet.

ddamron
Posts: 1
Joined: Wed Oct 12, 2005 9:20 pm

*choice

Post by ddamron » Wed Oct 12, 2005 9:22 pm

Just got my BDM today. I have a few *choice receivers; testing on a 405.
New to this, but I have experience in old 8-bit 6809 programming, so I should be able to get up to speed with the 68331.
Will keep you posted.
First, to get it hooked up and working...
:)

Anony55
Posts: 2
Joined: Fri Oct 17, 2008 8:39 am

Post by Anony55 » Fri Dec 12, 2008 1:34 pm

Sorry to dig up an old thread like this... but has anyone had any progress with the DSR-922 (or 920) 4DTV unit?

Cheers

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

How to set up MC68331 BDM to read RAM with this memory map (DSR920)

Post by Alonso » Sun Aug 02, 2009 4:50 pm

Hello, my name is Alonso Avila. I just bought my BDM programmer and have done some reverse engineering on the DSR920. I have found 2 battery-backed RAMs, KM681000BL6. By doing reverse engineering as I do on car engine control units, I have figured out the memory map.
The UA number is apparently stored in these 2 memories, as the 3.6V battery feeds these RAMs. The receiver was working fine until the battery failed and it lost its ID. I have photos of the diagnostics screen before the battery failed and after it failed.
These memories are tied to the MC68331 address bus ADDR0 to ADDR15, and the data bus is also tied to the MC68331 DATA0 to DATA7. They are 128K x 8, and they are selected or unselected using CS1, WE and OE as the table below shows.

BOTH of them have the WE (write enable, active low) tied together.

The OE (output enable, active low) from both memories is also tied together and enabled via 68331 PE5/DS.

Then, in order to make this map work with the BDM programmer, how should I configure the BDM software to make the MC68331 processor read one memory or the other, this being the map:
                     MEMORY 1                        MEMORY 2
68331 signal     READ  ISOLATION  WRITE      READ  ISOLATION  WRITE
CS2 LOW          0     0          0          -     -          -
CS1 LOW          -     -          -          0     0          0
R/W (W=0)        1     1          0          1     1          0
PE5/DS (DS=0)    0     1          X          0     1          1

*These memories use the CS2 and CS1 pins, but on the board CS2 is tied to +VCC to avoid power-down mode on both. Making CS1=1 also causes power-down mode on the memories.
Basically, to select one memory the other has to be in isolation state, as they share the same bus. So my question is: how can I set up the software to use the BDM programmer to read and write to those RAM memories?
I disassembled an old receiver which lost its digital ID and found the traces between the MC68331 and those RAM memories, so there is no mistake; I checked the traces on the board several times.

usbbdm
Posts: 8492
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Sun Aug 02, 2009 5:56 pm

These receivers use the same XC chip as the DCT2224. The key is not in the NVRAM. The XC chip itself has a small RAM that is battery backed. The unit address is stored in the XC chip. Yes, there is a copy in NVRAM.

I have also disassembled the code for the DCT2224 and written a small patch to fake the UID. The same theory should apply to all the Motorola boxes. The DCT6412 has special compression which we cannot re-patch yet.
So in theory, faking the UID on those StarChoice boxes is absolutely possible.

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

You are right

Post by Alonso » Sun Aug 02, 2009 6:41 pm

Also found a pin on the XC 78066-9 having 3 volts.

Didn't imagine it was also on the XC chip.

What do you suggest I experiment with?

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Found this about the XC chip.

Post by Alonso » Sun Aug 02, 2009 7:14 pm

XC78066-9 Datasheet:
The XC78066-9 is a low cost C-band DPDT switch that operates between 4.9 and 5.9 GHz. This switch can operate as an integrated antenna diversity and transmit/receive switch for the 802.11a/HiperLAN and UNII radio platforms. The design provides 20 dB of isolation between antennas and between Tx and Rx ports. The switch features 1 dB insertion loss and high power handling capability. Switch state is controlled using four control voltage lines toggled between 0 and +3 to +5V.

Don't know if it's right, but that's all I could find.

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

SECOND APPROACH to XC78066-9

Post by Alonso » Sun Aug 02, 2009 9:25 pm

Hello, I'm Alonso Avila AGAIN!!!!!
Don't know about the mystery of the XC78066-9; let's try to unveil it!!!!!!!!!!
Don't you ever think that number is a MASK?
LET ME ASSUME IT IS.
COME ON WITH ME TO DO SOME REVERSE ENGINEERING.
We know it has a battery-backed RAM.
And the clock mystery on the DSR920 is very advanced to be only software itself;
also, if we give the job to another IC, we can save memory and relieve the workload on the MC68331.
Hmmm, let me think... mmm. Yes, I have an idea.
Does this number ring any BELL: "MC146818A"
REAL TIME CLOCK PLUS BATTERY BACKED RAM
OK, that one has an address bus, so we must look for its next successor,
the "MC68HC68T1"; this one is almost the same idea but uses an SPI connection.
I'll keep looking for something that matches the pins on the XC chip.

GideonOmega
Posts: 225
Joined: Tue Nov 27, 2007 10:45 am

Post by GideonOmega » Mon Aug 03, 2009 9:15 am

Interesting theory -- worth investigating. I have also seen mods where you can replace the RAM to enable stepping -- I have never tried it myself, as I lack the ability with the ASM to produce any feasible results.

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Going for more testing: removed the XC chip and turned on the receiver

Post by Alonso » Mon Aug 03, 2009 8:20 pm

As I said before, the digital ID on my DSR920 box was corrupted.
So hey, what's the worst it can become... not any more, I think...

About the real-time clock theory: I did some testing and removed the
XC 78066-9 chip, which I also found uses 3.6 volts from the lithium battery on pin 62 (actually this is a 68-pin chip). So the space where the chip was is left empty.
So I plugged in the receiver's power cord and the TV, and turned both on.
Well, it turned on; I didn't expect that to happen.
10 seconds later it goes into warm-up mode, and the cycle continues forever.
Using those ten seconds I went to the diagnostics screen, and the digital ID was all 00000000s; the receiver SN was also all 00000s.
The firmware version still displays 000ED.
Pressed the guide button and the month January 1, time 12:00 shows up.
If I leave the receiver turned off and the power cord disconnected, the time doesn't increase. If I leave it off with the power cord plugged in, the time increases; with the receiver turned on the same happens. Went to sleep 8 hours and came back, plugged in the power cord, and the time continues to run from where it was left before removing the power cord. So the conclusion is that there are 2 real-time clocks: one that runs on the lithium battery and another that runs in software on the MC68331, and the results continue to run in hardware, shared via RAM, when the power cord is connected or disconnected. Well, at least this is the behavior I noted when testing; hope these investigation results help more people thinking in reverse, until we find out the mystery.
I'll continue investigating and posting results; hope this sparks some interest in investigating.

usbbdm
Posts: 8492
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Mon Aug 03, 2009 10:45 pm

GideonOmega wrote: Interesting theory -- worth investigating. I have also seen mods where you can replace the RAM to enable stepping -- I have never tried it myself, as I lack the ability with the ASM to produce any feasible results.

The BDM NT supports single stepping. With RAM you can stop where you want. I can integrate this into BDM NT if you want to replace the flash with RAM. The MC68331 does not have hardware breakpoints like MIPS. With MIPS it is possible to stop anywhere we want, even if it is in the flash.

GideonOmega
Posts: 225
Joined: Tue Nov 27, 2007 10:45 am

Post by GideonOmega » Tue Aug 04, 2009 6:29 am

usbbdm wrote: The BDM NT supports single stepping. With RAM you can stop where you want. I can integrate this into BDM NT if you want to replace the flash with RAM. The MC68331 does not have hardware breakpoints like MIPS. With MIPS it is possible to stop anywhere we want, even if it is in the flash.

Sorry -- I believe the mod was for allowing breakpoints rather than stepping -- my mistake.
