Figuring out the SPI capture data

XC chip, auth and block SPI command.
Locked
kai
Junior Member
Posts: 34
Joined: Thu Jul 28, 2005 12:54 pm

Figuring out the SPI capture data

Post by kai »

Here is SPI data captured right after changing to HBO.

06 01:31:27
90 09 01 ;get audio pid 901
55 00 00

06 01:31:27
92 09 00 ;get video pid 900
55 00 00

06 01:31:27
94 00 24 ;get ecm # 0024 (Entitlement control message)
55 00 00

06 01:31:27 ;don't know what the rest mean, but I always get the same results when on a non free channel (98=00,99=00,9A=30,0B=80)

98 00
55 00

06 01:31:27
99 00
55 00

06 01:31:27
9A 30
55 00

06 01:31:27
9B 80
55 00

06 01:31:27
87 70
55 00

06 01:31:27
00
55

06 01:31:27
00 00
87 13 ;get channel authorization status

06 01:31:27
01
55

06 01:31:27
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 01 00 7E 00 01 00 00 00 00 EB 00 01 00 00 00 00 00 ;still has data from last channel

06 01:31:27
80 07 01 00 06
55 00 00 00 00

06 01:31:27
00
55

06 01:31:27
00 00
87 13 ;get auth status cmnd, return 13 bytes (19 bytes) + crc byte

06 01:31:27
01
55

06 01:31:27
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 02 00 7E 00 00 00 00 00 00 EB 00 00 00 00 00 00 03 ;right ID, but didn't get the auth data yet


06 01:31:27
00
55

06 01:31:27
00 00
07 13

06 01:31:27
01
55

06 01:31:27
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 02 00 7E 00 00 00 00 00 00 EB 00 00 00 00 00 00 83 ;still didn't get the auth data


06 01:31:27
00
55

06 01:31:27
00 00
87 13

06 01:31:27
01
55

06 01:31:27
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 02 00 7E 80 12 00 00 00 00 EB 00 00 00 00 00 00 91 ;finally got it. ID=0002,epoch num=7e,epoch type=80,12=auth ok,next epoch=EB
NOTE--This is HBO and the channel is working on this box

06 01:31:29
80 0E 05 30 01 03 01 6D 55 ;Not sure what the 0e command does, but the 6th and 7th bytes alternate between 0301 and 05E6

55 00 00 00 00 00 00 00 00

06 01:31:29
00
55

06 01:31:29
00 00
0E 02 ;command 0E, get 2 bytes

06 01:31:29
01
55

06 01:31:29
00 00 00
30 00 3C ;got 30 00 with 3c checksum? ;I always get this same response

06 01:31:29
80 0E 05 30 01 05 E6 CA 13 ;heres the alternate with 05 E6
55 00 00 00 00 00 00 00 00

06 01:31:29
00
55

06 01:31:29
00 00
0E 02

06 01:31:29
01
55

06 01:31:29
00 00 00
30 00 3C

06 01:31:31
80 0E 05 30 01 03 01 6D 55 ;and again
55 00 00 00 00 00 00 00 00

06 01:31:31
00
55

06 01:31:31
00 00
0E 02

06 01:31:31
01
55

06 01:31:31
00 00 00
30 00 3C

06 01:31:31
80 0E 05 30 01 05 E6 CA 13 ;once more
55 00 00 00 00 00 00 00 00

06 01:31:31
00
55

06 01:31:31
00 00
0E 02

06 01:31:31
01
55

06 01:31:31
00 00 00
30 00 3C



;Here's the good stuff. I believe this retrieves the 8 byte video decryption key

06 01:31:33
80 29 3C 6B EA FE 8F 80 75 30 00 00 00 20 61 03 22 1C 48 AA 83 D6 34 2A 22 39 02 00 20 04 53 FF
55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

;this 29 command always starts with 80 29 3C followed by 4 bytes that are always different, followed by 25 bytes that are always the same. I'm guessing that the 4 bytes are some form of time/date?


06 01:31:33
81 9A B8 14 BD E2 DB A9 6C CD DF FF FF FF FF 00 F0 B0 D4 DF B6 3C 0C 80 72 3E 38 09 9D EF 74 64
55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

;Now we have 24 bytes that are always the same followed by 8 bytes that always change. Maybe this is the control word?



06 01:31:33
81 53 ;this is interesting, always have 81 followed by one byte that is always different
55 00

06 01:31:33
00
55

06 01:31:33
00 00
29 0D ;finish the 29 command, retireving 0D bytes (13 bytes) plus the crc?

06 01:31:33
01
55

06 01:31:33
00 00 00 00 00 00 00 00 00 00 00 00 00 00
6B EA FE 8F 80 C6 CE 62 63 B0 A5 3A C5 B7 ;I believe this is the 8 byte video decryption key here. Notice the first 4 bytes are the same 4 bytes in the 80 29 command, followed by 80, then the 8 bytes, then the CRC?

06 01:31:35
87 00

Please, anyone feel free to correct me as a lot of this is speculation
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

u only read the spi or u send commands?

did u make taht hbo enc12 or was like that


i belive is only one key for all the channels the enctiption key u have the reset are dealed in other ways

i have a ppv box i can order but get no picture and saids ENC10 or 15 so i belive the decoding key or whatever is diferent since the box is not from my area is wrong


al the boxes come with digital 02 :) i realize this when programmed they make them to waht they want i have many boxes on digital 02 that are not programed in my area the ones in my area have digital 40 :)
kai
Junior Member
Posts: 34
Joined: Thu Jul 28, 2005 12:54 pm

Post by kai »

These were read. I'm having trouble with some of the commands not giving the correct response codes when I write them. The 0e command is supposed to respond with 30 00 3C, but when I write it, I get 30 00 00. I was assuming the 3c was a crc, but now I'm not so sure.

This box came this way with enc 12. Must have been subbed in this area previously. Not bad for 10 bucks!

I just moved to cable from satellite, so the cable specific stuff is all new to me.

Unfortunately, I haven't found any boxes yet with PPV enabled. Well, 1 old box, but it must have been analog PPV.

I'm just hoping more people will get into figuring out the SPI stuff.
Phredog
Junior Member
Posts: 39
Joined: Tue Jul 26, 2005 3:46 pm

Post by Phredog »

kai wrote: The 0e command is supposed to respond with 30 00 3C, but when I write it, I get 30 00 00. I was assuming the 3c was a crc, but now I'm not so sure.
If 3C is the checksum, then they have some strange way of computing it. Hmm, an 8 bit polymonial???
: )
santino
Junior Member
Posts: 197
Joined: Wed Jul 19, 2006 4:50 pm

Post by santino »

How do I get the spi log to work I have a dct2224 ph 8 and have the serial connected to box and computer when i run spi log stays blank
Locked

Who is online

Users browsing this forum: No registered users and 4 guests