any progress on sa 8300/4250

[Pranksta]

As the title says has there been any progress on programming the Scientific Atlanta 8300 or 4250 boxes?

Thanks.

[CAPONE]

As the title says has there been any progress on programming the Scientific Atlanta 8300 or 4250 boxes?

Thanks.

You won't find Much Info Here. I do know of a tool that will comunicate with SA Boxes But its Not the USBJTAG NT or USBBDM NT.

The sereach conitnues.

[cpxdish]

what may this tool be if you don't mind ?and in communicate does it read & write ? ive been involved with these units for a few years now (testing purposes only)

if you like pm me

[Wolfgang]

what may this tool be if you don't mind?

Regarding the hardware it's only a 3.5mm Serial TTLtoRS232 cable or/and USBtoRJ45 cable, LOL.
In order to access the comm ports you need to put the SA boxes (any model) into a diagnostic mode.
Regarding the software the Code Loader and images for every model/revision are required.

[Skillet50]

To explain the last post. The Rs232 to TTL adapter is used to talk to the box thru the IR blaster plug on the back. The older boxes would load a program in RAM and give you a prompt thru hyperterminal to run commands. The newer boxes RNGs will set the box to download the program thru the USB port with the RJ45 to USB adapter. (Faster Loading). The boxes do have jtag ports but they are vacant, Also on the box I'm working on pins 4 & 8 have pullup resistors to 3.3V. If I get further I will start a new thread...

[CAPONE]

To explain the last post. The Rs232 to TTL adapter is used to talk to the box thru the IR blaster plug on the back. The older boxes would load a program in RAM and give you a prompt thru hyperterminal to run commands. The newer boxes RNGs will set the box to download the program thru the USB port with the RJ45 to USB adapter. (Faster Loading). The boxes do have jtag ports but they are vacant, Also on the box I'm working on pins 4 & 8 have pullup resistors to 3.3V. If I get further I will start a new thread...

The IR port serves a Double function!!!!!!!!!!!!!!

[Wolfgang]

The older boxes would load a program in RAM and give you a prompt thru hyperterminal to run commands. The newer boxes RNGs will set the box to download the program thru the USB port with the RJ45 to USB adapter. (Faster Loading). The boxes do have jtag ports but they are vacant, Also on the box I'm working on pins 4 & 8 have pullup resistors to 3.3V. If I get further I will start a new thread...

Good findings .... I am glad I have someone to talk to about these.
Anyway, once in the diag mode there are no limits, TeraTerm rocks there after

The IR port serves a Double function!!!!!!!!!!!!!!

Yepp. Most of the STBs lately have serial connection through the IR port. All new Motorola DCX series use the IR port for serial connection via Hyperterminal. I remember DCT2000 having DB9 at the time but I don't see anything like that anymore.

[merkin]

All new Motorola DCX series use the IR port for serial connection via Hyperterminal.

This dcx3200 has seperate serial(j706) and ir(j23) ports on the back.
http://usbjtag.com/phpbb3/viewtopic.php?t=8283

Also j23 is much more than three pins, unlike j706.

So do you have proof/pinout?

[Skillet50]

Capone - I was amazed too when I saw it Tx & Rx
Merkin - Sent me to the Snooze ya loose thread for Broadband studio. I chased that one for awhile
Wolfgang - which model box do you have ?
I have a 3250HD Explorer with Diag loaded in ROM. But I am playing with a Cisco RNG100. I put in the Jtag header this morning , but no response yet...

[CAPONE]

Capone - I was amazed too when I saw it Tx & Rx
Merkin - Sent me to the Snooze ya loose thread for Broadband studio. I chased that one for awhile
Wolfgang - which model box do you have ?
I have a 3250HD Explorer with Diag loaded in ROM. But I am playing with a Cisco RNG100. I put in the Jtag header this morning , but no response yet...

You will get nowhere on the RNG with the JTAG Buddy..........

[MrRogers]

You will get nowhere on the RNG with the JTAG Buddy..........

I said this before a while ago when I first got my hands on a DCX3400 and RNG110. Jtagging will not work.

People really have a hard time using search or just want to believe they can work miracles when others have failed using the same method.

You should be more concerned with the M-Card than the actual box. The M-Card and the box are paired so they can be used together and one without the other will not work. The real programming is on the card itself and so far reprogramming that requires a $25,000 piece of equipment (card programmer) and clearance codes from an ISP in order to work the software that is used with the card programmer, so good luck with that unless you are one of the few for the cable companies engineering department that have access to use these things.

But yeah keep trying to crack this box which I am telling you, is uncrackable by all conventional means. Anything with an access card works this way, bottom line. So please let us know when you get the equipment and software and we will be all ears.

And the tools that you guys are so fond of regarding the IR port is a waste because you will be able to get the functions to change but as soon as the box reboots which you will need to do, the original data is restored to before you changed values and alas, a waste. The box communicates back to the M-Card that the data is mismatched and then the box tells the M-Card to change values back to what they are on the card. It is pretty airtight in terms of security. - You will not be able to change anything on the box or the M-Card PERMANENTLY, and will not help you in any way other than diagnostic testing (not the kind of testing you are thinking of). I am all for you guys testing but what you are proposing will not work.

[merkin]

Merkin - Sent me to the Snooze ya loose thread for Broadband studio. I chased that one for awhile

http://hardware.wikinet.org/wiki/BCM7405
https://docs.google.com/file/d/0B_1Sqvi ... sp=sharing
https://docs.google.com/file/d/0B_1Sqvi ... sp=sharing
https://docs.google.com/file/d/0B_1Sqvi ... sp=sharing

p.s. the usbjtagnt can be used as the bbs tool, but this is easier choice
http://www.ebay.com/itm/CY7C68013A-56-E ... 2ec72ccbe8

[lafraga]

there is a way to comunicate with the m-card using the serial port and hyperterm software the code its just not public

[Wolfgang]

Wolfgang - which model box do you have ?
I have a 3250HD Explorer with Diag loaded in ROM. But I am playing with a Cisco RNG100. I put in the Jtag header this morning , but no response yet...

I've got a few different models including 3250HD. Do you have an image to load back the firmware? In a Diag mode you can do a lot of testing but as you may already know you get only the internal generator's color bars video.
JTAG is usually disabled on most models lately, by the firmware or by removed resistors.

[Wolfgang]

there is a way to communicate with the m-card using the serial port and hyperterm software the code its just not public

One can reflash/upgrade the card firmware on SA boxes via the serial connection once in a Diag mode. Not saying it's easy to copy the keys from one to another but there is a probability if one is dedicated for such a project. Not that I am interested in doing such a task. It would be not appropriate to even publish such a thing.