Tv pass card

duffy · Post by **duffy** » Thu Apr 27, 2006 2:25 pm

As anyone know, the XC chip is programmed once at manufacture (by TV pass card ?). However it should contain rom (write once, for decryption algo) and eeprom (probably read write operation (fuse locked eeprom ?, for individual setting).

Then I tried to recover an old box (dsr 401, sc provider) which was altereted with BDM (5 chip desing) and I had success to dump it with usbbdm (ver0.8 works very well, Good works !). This box was never subbed and I was surprised to see that the serial number did'nt match with the serial on the label. Anyway, on info screen the status is showing ''TV pass card: 255 , TV pass card ID: not inserted , autorisation status QM (I don't know what it means, normally it's write US or S) and after booting there is a screen that say 'Please insert your tv pass card to continue viewing program. Leave your tv pass card inserted ''

I will try to change sram for a valid one with the proper serial number. Maybe it's a beta firmwire that allow TV pass card mode ? Maybe there is some commands handler for tv pass in the firmwire assembly ?

Maybe soneone have an idea, how to test or had ever see this with another box ?

cipher · Post by **cipher** » Thu Apr 27, 2006 5:50 pm

The TV PASS Card was developed as a renewable security device which replaces the UID and seed keys in case of a CC/Satco security breach of the subscriber key lists. e.g. Stolen backup of the DAC BD etc. It is like a smart card and uses a fused one way write function as described in patent 5083293. The enbodyment is defined in patent 5111504.

The XC chip is not fused it uses the battery sustained memory to hold the UID and seed keys.

duffy · Post by **duffy** » Thu Apr 27, 2006 6:50 pm

OK, Thanks for your answers

But I would like to kown what may trig this settup to give tv pass card mode ? Firmwire, sram or when xc chip is'nt valid it switch on external device ?

cipher · Post by **cipher** » Thu Apr 27, 2006 7:29 pm

I am quite certain it will be a combination of platform code and XC command responses. The XC chip is designed to host the TV Pass card and once it is mated it will want to stay that way until it is programmed to do otherwise. Check the diag screens and see if you can find a mated value or the likes of.

use http://home.austin.rr.com/drlev/Diagscrn/diaga.htm as a ref.

duffy · Post by **duffy** » Thu Apr 27, 2006 7:57 pm

Ok I will try to compare this screen value with another never subbed unit.

If the xc host the card communication and the mcu command the xc, then by logging serial port I should receive reaction (output) of the xc chip corresponding to the mcu spi command ?

Do you have an idea about speed,parity and stop bit configuration for passive logging ?

cipher · Post by **cipher** » Fri Apr 28, 2006 10:16 pm

How do you intend to log on the DSR?

Are you coding it for output to SPIlog?

It uses 38400 e 8 1.

duffy · Post by **duffy** » Sat Apr 29, 2006 11:49 am

Little other question for anyone:
Does it need moddified UART serial clock to obtain a good framing (to work at 38400) with passive logging ?

To your question Cipher:

As we can't use the original spi973 from the original routine, It can be moddified to match adress loop in another firmware.

However I need some help in this case because I'm learning instruction set in reference manual and I'm not an experienced coder with this type of cpu. If all there may help me and other that are interrested to adapt spi793 code to this firmware, it should be a good coding training for sure and it can be tested first on flash firmware modded to sram (don't worry about checksum validation).

Another way to go (not so user friendly) would be to try to compare the routines found by ''Cold Fire''(on id forum_with another dissassembler software) with them in the newest firmware. or maybe just use this old firmware that can log on original or extended sram (don't give a lot of memory to take a long log if not filtering command is done).

Thanks to share your knowledge Cipher, it's really appreciate for all there!

cipher · Post by **cipher** » Sun Apr 30, 2006 5:48 am

duffy,

Correction on the com port parameters it should be 38400 N 8 1.

I am using N 8 1 in an experimental routine and it has framming errors it seems that O 8 1 works with no framming errors so you may what to try that. This is strange since the SPI viewer uses 38400 E 8 1.

duffy · Post by **duffy** » Sun Apr 30, 2006 9:33 pm

Ok Cipher excuse me but i'm reading the patent links that you refer to me (good links thats show what happen when data is alterate in memory) and i'm missing some time to test at 38400 bps.

I checked the pinout to the xc chip (host, pin 3,5 or 7) and I'm triing to probe the proper signal to reccord some log(s). Do you know if there is some kind of ''ATR'' to receive (or to fake) after a reset (pin

is done ? And I don't know about the diag menu in jtag mode that your talking about ? It is linked on basic command find in firmware dissassembly ?

cipher · Post by **cipher** » Mon May 01, 2006 4:23 am

Probing the XC chip can mess it up if you short the battery supply. It causes the loss of the seed keys and UID. So you should use extreme caution!

You do not need to touch the XC chip to do logging.
The TV Pass connector has the SPI pins if you don't have a serial port.
You would have to convert them to RS232.

http://www.usbjtag.com/bdmjtagbb/viewto ... light=pass

Does the DSR401 have a 9 Pin serial port?

You need to expand what ATR is or quote my links.
I post so many things that its gets a bit fuzzy after a while.

duffy · Post by **duffy** » Mon May 01, 2006 9:18 am

Yes the dsr401 have the 9pin rs232 serial port on back of the unit.

Are you saying that I can log SPI without a moddified firmware by probing pin 4 and 6 on pass card connector (with chip to convert to rs232 standard) ? But how this serial bus maybe like the original SPI between mcu and xc ?

To have good control, correct me if I don't understand, I need to acces the original spi bus to take control of acp and then log whats happen on the pass card host by xc on another bus ???

cipher · Post by **cipher** » Mon May 01, 2006 1:33 pm

Yes you could tap the pins and convert it to RS232 levels. But you would not be able filter or control the activity on the SPI interface.

The dsr401 code should be very simmilar to the dct code when it deals with the SPI interface and the 9 Pin rs232 connection. It should not be very difficult to find the correct intercept point in the dsr401 microcode.

I think pins 4 and 6 are the same SPI interface connections as the XC chip.

duffy · Post by **duffy** » Tue Sep 26, 2006 7:05 pm

I was really afraid to fried the xc chip but I finally try to log this data and now, I'm able to see some communication rx/tx...cool !

However I'm getting some i/o errors (don't know if it's because framing or com port setting), I tried it at 38400bps, and works the best with 8N1.

Interresting to see data by passive login....

No pull-up or pull-down needeed on rx or tx signal....

EYEY....Filtering would be good !
and I will try to open tx trace to be able to inject signal to see if I can talk to this xc chip.....
Someone have a way to do this ?

tester5 · Post by **tester5** » Tue Sep 26, 2006 7:16 pm

hasnt been done yet

that chip has a capacitor next to it that keeps it alive dont touch it that capacitor might act like a watch doog too in case u wana write to it who knows.

duffy · Post by **duffy** » Tue Sep 26, 2006 7:49 pm

No problem I'm probing on mcu pad then it'nt near of this battery. Soldered with butane gun to avoid emi.....

Some one could provide me a log without the sat cable in ? Just the boot-up sequence to compare with what I have .....

USB JTAG

Tv pass card

Tv pass card

Who is online