StarChoice, 4DTV and Digicipher II

BDM (NT) on Star Choice
Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

More testing DONE ON XC78066-9 DSR920

Post by Alonso » Thu Apr 08, 2010 12:50 am

I managed to BUY the XC78066-9 brand new and installed the processor in my corrupted DSR920 my surprise was to see a brand new receiver number and digital id like this: UID :5B-8408-1D54-16 AND receiver number
091-22151-24308-022
So by reverse thinking we have that when battery is installed and receiver turned on for first time with new ic this ic dumps the id from a internal rom and moves it to RAM battery backed memory only once.
When battery goes dead you can clearly see a lot of 0's at receiver number and id wich is talking about a written ram memory

The solution to fake id i guess next step is scrap epoxy from XC78066-9 find the memory and solder micro wires to external world so we can load any id we want. Thats an elegant theoretical solution i should say but next step is buying an electron microscope and tamper inside this ic and perform some reverse engineering.
So...reverse engineers come out and lets play with this its going to be fun. hehe.

usbbdm
Posts: 8496
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Thu Apr 08, 2010 7:58 am

Alonso wrote:I managed to BUY the XC78066-9 brand new and installed the processor in my corrupted DSR920 my surprise was to see a brand new receiver number and digital id like this: UID :5B-8408-1D54-16 AND receiver number
091-22151-24308-022
So by reverse thinking we have that when battery is installed and receiver turned on for first time with new ic this ic dumps the id from a internal rom and moves it to RAM battery backed memory only once.
When battery goes dead you can clearly see a lot of 0's at receiver number and id wich is talking about a written ram memory

The solution to fake id i guess next step is scrap epoxy from XC78066-9 find the memory and solder micro wires to external world so we can load any id we want. Thats an elegant theoretical solution i should say but next step is buying an electron microscope and tamper inside this ic and perform some reverse engineering.
So...reverse engineers come out and lets play with this its going to be fun. hehe.
How this is possible? When you install the XC chip you remove the battery and you did not program XC chip after you soldered on. I thought each XC chip has to be programed after installed to the board.

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Post by Alonso » Thu Apr 08, 2010 10:16 am

Before installing the XC78066-9 i removed the battery
installed the XC78066-9 chip
connected brand new battery
connected the equipment to tv and ac power
warmup proccess on screen of receiver
selected Galaxy 1 channel 3 AND watch for unit id and channel list
my surprise to see i had a new digital id but the bad news is that because its not a paid serial number i cant get free tv.
No preprogramed at all just install and fire up and thats it.
Thats why i have a theory by reverse thinking that the serial number is stored in a ROM memory and when circuit is powered on serial number is moved ONCE IN ALL THE LIFE OF THIS IC CIRCUIT to a RAM memory backed by the 3 volts battery evidence of ram memory is that if you remove battery you will get almost all 0's in your id.
Next task is solder microwires from that memory to our external world and load that ram with anything we want.
If someone pays for shipping i can send you new ic XC78066-9 so you can verify with your own eyes what im telling you, i ordered 4 brand new ics installed one , have 3 of them sitting doing nothing.
But dont ask how i got them.
I think the solution we are all looking for, is changing digital id but in order to get all benefits we are all looking for we have to doit from inside that circuit.
Next step is looking patents wich involve a conditional access circuit with a rom and ram memory and a desprocesor.
Ill come back and tell you when i find that info.
For now ill do a detective job looking for such info.
See you later. bye

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Post by Alonso » Thu Apr 08, 2010 5:27 pm

My offer still stands for the forum admins i give you free 1 Brand new XC78066-9 if someone else but not me pays for the shipping, so that you can replicate what i have done and witness the miracle of the new user id.

There are 2 options if chip memory is really well secured perhaps its possible to build the processor from discrete parts as when i was studing electronics and in order to get my engineer title profesors asked me to build a 8031 procesor from discrete parts such as gates and shift registers in protoboard tables and finally made it but it was 1.5 meter long by 1 meter tall.
Perhaps if we know the datastream structure we can try to decode it with a processor made from discrete parts the benefits of doing this is that we can generate the access services table and activate bits and with data decoded the receiver can do the rest of displaying the mpeg2 datastream This were just some ideas that came to my mind

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Post by Alonso » Thu Apr 08, 2010 5:37 pm

i suggest taking a look to this patents that involve the process found in this ic circuit

http://www.faqs.org/patents/app/20090274295

PATENT US5880523 security chip. by reverse engineer of XC78066-9 this patent is very much related to what that chip does i suggest taking a look.

merkin
Posts: 246
Joined: Thu Jun 28, 2007 8:49 pm

interesting

Post by merkin » Wed Apr 14, 2010 9:44 pm

@Alonso
I have been following your posts for many months now and they are very interesting.
I cannot believe there are no responses considering the potential of what you have discovered.
Just got into cband wish i knew about it years ago. That is wicked that you are getting an ID on your 920 again.
I think you can get zero key (ZK) digicipher with an unsubbed box. Obviously you wouldnt get the fixed process (FP) and the fully encrypted channels. Let me hunt one down for you.

Please keep us updated of your findings

P.S. What is your rig? You hang around any cband forums?

8ft paraclipse hydro with ajax180 H-H mount and corotor ll and
3ft offset with sg2100 and invacom qph-031 over here. :-)

Harry181
Posts: 110
Joined: Sun Nov 26, 2006 3:13 am

Yep, Nice Work Alonso

Post by Harry181 » Sat Apr 17, 2010 2:58 am

Alonso, like to add as well that you are quite innovative and thinking outside of the box
and this is probobly what it takes to get inside the XC .

Great Work.
Far East of the Western World

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Post by Alonso » Mon Apr 19, 2010 10:51 am

well thanks Harry and Merkin next step is opening that XC78066-9 chip and finding the registry where the UID is Kept but i have to admit its gonna take some time to do that
because i have to buy a microscope im not shure if a light microscope its enough or if i need an electron microscope to study the arquitecture of that chip also, with those photos could be possible the manipulation of the data inside it or taking the second way in case it is a secure chip, making it from discrete parts but we need people with that knowledge of ic structures to do this dream of free tv for real.
By the way what you mean with the word RIG?? im mexican and there are some words that i still dont know.
Is it possible to attach videos or photos into this posts?? were do i upload photos?
And my offer is still avaiable if somebody but not me pays for shipping i can send you a new xc78066-9 CHIP so you can videotape the process and uploadit i feel that the admins from this forums should be the first ones verifying the info i found so the chip is also avaiable for them for testing.
In advance thanks see you later.

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Post by Alonso » Thu May 06, 2010 7:46 am

This question is for admins Can you host photos? dont want to use photobucket or anything like that.
This photos are really worth.

GideonOmega
Posts: 225
Joined: Tue Nov 27, 2007 10:45 am

Post by GideonOmega » Thu May 06, 2010 10:00 am

it will be interesting to see if the provider would sub that box -- they won't have the ID on record but you might be able to find someone that will be willing to Add it -- that being said -- you have some interesting findings -- however unless you got you chips from a provider I suspect the UID, serial's, etc.. are probably preprogrammed and the CAM portion is probably flashed by the provider, but until we know more -- it's just speculation.

usbbdm
Posts: 8496
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Thu May 06, 2010 5:36 pm

Alonso wrote:This question is for admins Can you host photos? dont want to use photobucket or anything like that.
This photos are really worth.
You can attach the file (zipped). If you have link you can use

Code: Select all

[IMG][/IMG] 
With your link.

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Post by Alonso » Fri May 07, 2010 10:04 am

but the problem is that i dont want to host photos outside the forum
believe me THEY ARE WORT EVERY PENNY.
Not for hosting outside here.
This photos will make history.
To be more specific i have manage to open XC78066-9 im looking at the waffer.
Little wires to outside world are not broken.
The photos i want that the forum hosts are the microscope photos.
I will borrow soon a microscope and try to photograph it.
Because these photos are history is that i dont want them hosted outside from this forum.

merkin
Posts: 246
Joined: Thu Jun 28, 2007 8:49 pm

Post by merkin » Fri May 07, 2010 6:45 pm

@Alonso
Great to hear of your progress.
If you want this site to host, when you reply just click the "manage attachments" button, and upload the zip.

BTW when i asked you about your "rig", i meant satellite dish. i figured you had a big ugly dish like me, since you have a 4dtv box.
check this list http://www.gofastmotorsports.com/channellist.html (no hack talk there)

Also what is your opinion on these three posts?
http://usbjtag.com/phpbb3/viewtopic.php?t=5107
http://usbjtag.com/phpbb3/viewtopic.php?t=5110
http://usbjtag.com/phpbb3/viewtopic.php?t=5026

Alonso
Posts: 67
Joined: Sun May 03, 2009 8:46 pm
Location: Merida , Yucatan Mexico

Post by Alonso » Sat May 08, 2010 9:33 am

about the "rig" thing i have a big ugly dish tuned at G1-3 channel guide because 3 of my dsr920 got corrupted battery was ok then 1 month later it dies.
Havent found a good DSR and a nice price so i took the possible option of cloning a good uid and fix all off my equipments.

Those 3 posts, they are all urban legends, and as i know all xc chips share the same properties, thats the main reason of opening one and looking at the waffer under microscope to clearly identify RAM and the 3 volt wire attached to it. and if its protected by negative and positive layers as a sandwich making imposible to extract its data or modify it.
IF so we can say we have a positive id on the constrution of xc chip and the patents related to it.
Its possible to autorize it sometimes because code sometimes is outside xc chip and sometimes not. And no one has backed up those 3 posts with photos or datasheets that proves what they say , all of them urban leyends.
But now that i have the xc chip wafer in front of my eyes i can tell you that on the upper side i can see some processor or buffer arrays but in the lower part there is something weird i can see 2 independent layers of cooper wich are practically the size of half waffer. Have to borrow a microscope to clear my doubt.
see you later.

GideonOmega
Posts: 225
Joined: Tue Nov 27, 2007 10:45 am

Post by GideonOmega » Sat May 08, 2010 11:08 am

have you found the model markers on the waffer yet? should be on the lower part of the chip.

are those copper wires in a "Mesh"? -- if so chances are your data buses reside below those and there is a possiblility if you don't bypass that mesh properly -- you will wipe the EEPRom contents on powerup if you tap it.

Locked