Who is interested in SPI capture?

Backup of earlier posts.
mamboswing
Junior Member
Posts: 70
Joined: Fri Jul 22, 2005 4:26 am

Who is interested in SPI capture?

Post by mamboswing »

OK, here is how to capture SPI to your PC.
1. Download 07.93 altered firmware.
http://www.geocities.com/dctbdm/download/0793spi.zip
Better use PH7/PH8 board. PH6 board might work.
Use USB BDM to program to your target (do not forget to add signature). Address $406000 length $AA000.
2. Download http://www.geocities.com/dctbdm/download/spicap.zip
and
http://www.geocities.com/dctbdm/download/SPISHOW.zip
3. Hook up the serial cable with your COM1 of your PC and the box.
4. Run the spicap.exe.
5. Turn on your box and do whatever.
6. Stop application.
7. Run spishow and open the file captured by spicap ("SPIHKSIO.BIN").

Please test these steps and see if it works. If not I will fix the description.

The explanation of the output will come later.
:D
All credit goes to usbbdm
twistedps
Junior Member
Posts: 62
Joined: Fri Jul 22, 2005 10:24 am
Location: boston

Post by twistedps »

looks like fun!
when i get the connector i'll be sure to try this out!
i love poking around stuff hehe
kai
Junior Member
Posts: 34
Joined: Thu Jul 28, 2005 12:54 pm

Post by kai »

Got the spi capture working per your instructions. Now if I only had some idea what I'm looking at! Is there any documentation on this?
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

i posted some info from the old forum originally written by usbbdm. i'm like you i don't know much about it either. hope it helps.
kai
Junior Member
Posts: 34
Joined: Thu Jul 28, 2005 12:54 pm

Post by kai »

OK, I understand the 05 and 07 commands. There are several others I would like to know about like the 0E and 29.

What would be helpful is to have the data show up in real time so we could see the interaction while we use the remote.

What is the baud rate and settings for the serial port with SPICAP?
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

The baud rate is 438400, 8 bit, 1 stop, even.
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

Will soon post a utility to send SPI via keyboard. Keep watching.
Phredog
Junior Member
Posts: 39
Joined: Tue Jul 26, 2005 3:46 pm

Post by Phredog »

You all are my eyes on this. I have no General Instruments boxes at my disposal. Thank you;

My question is this: I assume the SPI port from the uP is connected to the XC chip. Correct? Is it daisy-chained to other parts of the box?

I am just trying to determine exactly what the SPI data stream represents. If I am correct, it is communication with the XC chip. I think understanding the XC chip will be very important.

Clearly, not shutting down the XC chip when an EOS is sent to the box is an oversight on the part of the headend administrators. We also know that the XC chip will only decode premium channels if the box once had a subscription with premiums. Once the administrators get wise to cloning the NV RAM from a sub box to a former sub box, they will correct their oversight. I suggest we learn how to initialize the XC chip very soon. Perhaps someone could monitor the SPI stream when a box gets a hit. This sort of thing will provide us with a lot of useful information.

Unfortunately I can't do this, because they don't use GI in my area.

Keep up the good work! :D
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

SPI is an interface between the processor and any other chips it needs to control directly. you are correct that the XC chip is the key. the problem is finding a way to spoof it to decode channels. The XC chip contains the digicypher II code and is not likely to be hacked directly. a workaround to make it think it should activate the channel is the ticket.
Phredog
Junior Member
Posts: 39
Joined: Tue Jul 26, 2005 3:46 pm

Post by Phredog »

patsfan wrote: The XC chip contains the digicypher II code and is not likely to be hacked directly. a workaround to make it think it should activate the channel is the ticket.

We know the keys don't change very often. We know this because a box, formerly activated with premium channels, can decode some premium channels again, once the NVRAM is cloned from a currently activated box.

So, if someone monitors the SPI when a box is activated, we will get some idea how the protocol works, and we might even see a key for the area that the box is activated.

We don't know how often they change. We also don't know if each channel, or package of channels, has a different key.