StarChoice, 4DTV and Digicipher II

BDM (NT) on Star Choice
Alonso
Junior Member
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

More investigation and tests done!!!!!!

Post by Alonso »

It seems that the root of all evil is the XC chip,
not a timer, by the way.
Taking a box into a digital signal again synchronizes the time.
No mystery about it, so this proves this system has an advantage for GI: everything is controlled by means of the datastream.
In order to make this work I think we have to gain access to the UID area of the XC chip;
then everything will turn on like light bulbs.
Doing it externally by means of code seems more difficult.
Now I'm starting to believe that this XC chip is a DES processor with a memory backed RAM: data comes in encrypted and goes out decrypted.
That makes the process invisible to us. These guys at GI Motorola made it hard this time: no more code, just hardware. I guess we need people from the old-school times.
Does anyone have an electron microscope photo of that XC chip? I need to look inside it.
I'll be cracking mine in half to see inside it.
See you later, bye.
Alonso
Junior Member
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Bdmnt connected to 4dtv dsr920

Post by Alonso »

I have some extra time and I'm playing around with my new BDMNT and my DSR920.
I'm not sure if the registration process went fine or not, but I'm getting some readings.
I'm testing it as a dct2224 usbbdmnt0.29a
A7=99999999
Getting all 0's at DIP, code, NVRAM and RAM. Before reading it's all FF, but after reading it all goes to 00's.

How can I figure out the memory map? I know I'm completely capable of finding that info; just tell me what to look for.
Do you need me to explore the board? Find traces from the processor to locate the address bus, the data bus and the chip enable pins that activate the various memories on the board?
Suggestions are all welcome.
GideonOmega
Junior Member
Posts: 225
Joined: Tue Nov 27, 2007 10:45 am

Post by GideonOmega »

Alonso wrote: I have some extra time and I'm playing around with my new BDMNT and my DSR920.
I'm not sure if the registration process went fine or not, but I'm getting some readings.
I'm testing it as a dct2224 usbbdmnt0.29a
A7=99999999
Getting all 0's at DIP, code, NVRAM and RAM. Before reading it's all FF, but after reading it all goes to 00's.

How can I figure out the memory map? I know I'm completely capable of finding that info; just tell me what to look for.
Do you need me to explore the board? Find traces from the processor to locate the address bus, the data bus and the chip enable pins that activate the various memories on the board?
Suggestions are all welcome.

you will need to run an init command before you can access anything outside of the boot area -- as for the memory map -- I have found all the starchoice SD boxes pretty much the same -- now the HD boxes have much larger ram/flash -- so I would adjust your lengths based on that and check out the 405 xml config file for a general memory map.

as the 4dtv receivers are very similar to SC that is where I would start.
Alonso
Junior Member
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

2 Things done on sunday

Post by Alonso »

1.- I've been doing serious investigation into the XC chip XC78066-9 found inside my DSR920, also taking into consideration the facts pointed out by the SPI logs performed by some users in this forum.
I'm almost sure that it is a "DES processor". Why? The datastream is too fast for the processor and leaves the whole process unveiled; that's why GI & Motorola placed a hardware solution: it's fast, and the whole process that happens inside is really hidden from everyone. At our homes we can order EPROM and every kind of memory reader, but we are not able to decipher at a molecular level what that chip does. Even if we had an electron microscope and looked inside it, we would still need experts to decode the electron microscope photo into discrete components so we can build our un DES processor with discrete devices, which is totally possible, but we will need those extra knowledgeable people and help. And let me tell you, I can't see how this can be happening soon.
As a Digital Electronics Engineer I've done many things; I've even built an 8-bit processor in discrete components, which has given me lots of experience.
That means that if we knew the right people at an IC manufacturing facility we could even redesign the DES processor.
I suggest looking at this patent info:

US Patent 5687237 - Encryption key management system for an integrated circuit
I conclude it is a DES processor based on the research that everyone has done in this forum, and to be more specific, the SPI logs really point that way.
Check this chip:
Supports ANSI X3.92 Data Encryption Algorithm - DES
Product ID:
DES Chip (SC72020)
Perhaps this is the parent of my DSR920 XC78066-9 68-pin QFP.

2.- I plugged my BDM programmer into my DSR920 and performed a reading after reset, using usbjtagnt 029a dct2224. I could successfully read DIP and code EPROM; RAM and NVRAM still read only 00's. I did a post before where I found traces on the board with 2 RAM memories tied to CS1 and CS2 of the MC68331. I still want to read these memories so I can find the copy of the UID that relies on them.
In the first reading of the DIP range, as if it were a dct2224, I can see 99 99 99 99 in the first 4 bytes (A7=all 9's). The words CABLE HOME COMUNICATION CORP A SUBSIDIARY OF GENERAL INSTRUMENT OF DELAWARE are also readable. This one looks more like the code; it's the same space a 29F800 will use, and there are 2 of these 29F800, but I'm not sure yet. I can send the files if you want, so that if possible we can make a script for accessing all memories on board.
I still want to contribute to deciphering the memory map of this receiver. JUST TELL ME what to do and I'll do it.
Thanks in advance to everyone helping this forum to grow.
GideonOmega
Junior Member
Posts: 225
Joined: Tue Nov 27, 2007 10:45 am

Post by GideonOmega »

like I said -- I would start with the SC DSR related files -- as the hardware is very similar

check out:
http://www.usbjtag.com/vbforum/download ... file&id=77

this dll will allow you to check the app and platform versions of the code -- as well as recalculate the checksums. -- (is valid with every Standard Def Starchoice box I have found) -- Haven't been able to dump an HD box yet -- so it might not help


there was a 405 xml config file around with the memory map -- I can't seem to find it now -- would also be a good place to start -- when I get a chance -- I will post the contents if I can't find it here.
Alonso
Junior Member
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

I think I've already done that

Post by Alonso »

Using usbjtagnt 0.29a, I placed that .dll into the dll dir, but that only made the dct2224 menu appear and show various options like UID change, clear PPV, etc. I pressed every button on it, but doing so causes an error and the program shuts down, so nothing in the dct2224 script seems to be helpful for the DSR920; it behaves completely differently.
GideonOmega
Junior Member
Posts: 225
Joined: Tue Nov 27, 2007 10:45 am

Post by GideonOmega »

Alonso wrote: Using usbjtagnt 0.29a, I placed that .dll into the dll dir, but that only made the dct2224 menu appear and show various options like UID change, clear PPV, etc. I pressed every button on it, but doing so causes an error and the program shuts down, so nothing in the dct2224 script seems to be helpful for the DSR920; it behaves completely differently.

that is because the dct2224 specifically uses a different dll -- here is a copy of the xml for the TDSR405.xml file -- put it in your config directory -- close and reopen the software -- then under the dishird option select the dsr405 -- then it will show the 405 memory map and dll options -- you may need to alter the lengths of the address ranges depending on the flash/ram setup on that box -- but this should be a good start.

Code:

<Test>
   <Name>DSR405</Name>
   <Cat>DishIrd</Cat>
   <Protocol>BDM</Protocol>
   <Endian>Big</Endian>
   <Dll>DSR401.dll</Dll>
   <Programram>0xffb60000</Programram>
   <Speed>1</Speed>
   <Memorys>
      <Memory>
         <Name>boot</Name>
         <Type>1</Type>
         <Address>0x0</Address>
         <Size>0x4000</Size>
      </Memory>
      <Memory>
         <Name>plat</Name>
         <Type>1</Type>
         <Address>0x4000</Address>
         <Size>0x7c000</Size>
      </Memory>
      <Memory>
         <Name>app</Name>
         <Type>1</Type>
         <Address>0x80000</Address>
         <Size>0x180000</Size>
      </Memory>
      <Memory>
         <Name>Nvram</Name>
         <Type>0</Type>
         <Address>0xff800000</Address>
         <Size>0x20000</Size>
      </Memory>
      <Memory>
         <Name>Ram</Name>
         <Type>0</Type>
         <Address>0xffb00000</Address>
         <Size>0x100000</Size>
      </Memory>
   </Memorys>
</Test>
Alonso
Junior Member
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Just finished from doing all of that

Post by Alonso »

As I said before, on DIP, which looks like the code, I can clearly see GENERAL INSTRUMENTS; in the first 4 bytes I can see 99 99 99 99 (I also have a corrupted-flash DSR920 which in these first 4 bytes reads 91 99 91 99 and A7=99919991; I need to load fresh code to this one).
Now code reads 00's, NVRAM, RAM and all read 00's using DSR405.XML; on the DSR401 tab, every button produces "address not defined on tab ERROR".
Using usbjtag 0.29a as if it was a dct2224 has already produced the best results. I can read DIP and code, just that the lengths need to be adjusted,
because after reading 1 MB I start to see 00's on both (DIP and code).
The board has 2 29F800B flash memories.
The code tab (as if it was a dct2224.dll) reads values which look more like a default channel map, F5 35 F7 35, things like that, all over the space, which is also 1 MB, the same as the part where I can read GENERAL INSTRUMENTS, but adjusting the length solves the trouble, as if it was a dct2224. As you said, we can work with that because we are reading info, which is the main goal.
The second part I would like to see working is the reading of the RAM memories backed by a 3.6 volt battery. There are 2 of them, KM416C254D; the data bus and address bus are tied to the MC68331. The part that I don't know is how to modify the scripts so that in BDM mode CS1 and CS2 can be selected and the contents of these memories can be downloaded to the RAM and NVRAM tabs, or whatever you want to call them (the tabs, I mean). This is the part where I'm getting stuck, because I want to find the unit ID copy which the processor reads from the XC chip and stores in those RAM memories. Giving you all this info, I think I've now been more specific.
I'll continue testing and listening to every piece of advice from you.
Thanks in advance to all in the forum.
Harry181
Junior Member
Posts: 110
Joined: Sun Nov 26, 2006 3:13 am

Nice Work

Post by Harry181 »

Thanks for sharing your testing results...

If you need any help, PM me
Far East of the Western World
usbbdm
Junior Member
Posts: 8966
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

Anyone interested in the fake UID for SC boxes? I think it is possible with the proper disassembly and putting back the checksum.
Alonso
Junior Member
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

my goal at the end is the fake uid

Post by Alonso »

I'll be glad to do some testing on the DSR920 and share results.
Harry181
Junior Member
Posts: 110
Joined: Sun Nov 26, 2006 3:13 am

Interested ... Oh Yes !!!!!

Post by Harry181 »

That would be a BIG BIG boost to those that test DSR's

Thanks BOSS ... 2 Thumbs UP...

Hey Alonso, check out the Boss' finding on memory

http://usbjtag.com/phpbb3/viewtopic.php?t=2447
Far East of the Western World
GideonOmega
Junior Member
Posts: 225
Joined: Tue Nov 27, 2007 10:45 am

Post by GideonOmega »

usbbdm wrote: Anyone interested in the fake UID for SC boxes? I think it is possible with the proper disassembly and putting back the checksum.

for sure -- if you need any information for comparisons from different models -- let me know
Alonso
Junior Member
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Chip select question

Post by Alonso »

I would like to know how usbjtagnt works with regard to the memory read function.
If I know the hardware memory map of a board and need to configure usbjtagnt to read battery-backed RAM memories, and I know those RAMs are tied to processor pins CS1 and CS2, how can I configure usbjtagnt to select the target memory device?
Where can I change the target memory (CS BOOT, CS1, CS2, CS3)? Is it user selectable,
so I can make the code tab in the software match the target memory on the board?
I have found that the memory length is user selectable, so that's not a problem, but I can't find anything about a chip select function in the usbjtagnt software for the target memory.
Alonso
Junior Member
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

ok now im reading some data

Post by Alonso »

I read the post
http://usbjtag.com/phpbb3/viewtopic.php?t=2447
and found it is similar to the DSR920; at least now I can read data.
I cannot write to flash; it asks me to use the DETECT command.
If I write DETECT then it says address $2xxxxxxx is missing at the tab.
So at least I need a working .dll to be able to read and write to memories.
Editing DCT2224 is not working any further than reading; now I need writing to memories enabled and working.