For those of you who have not already guessed it...
General Instrument products will be the focus of this event. Through this 11
part series the reader should be able to build a series of devices which WILL
totally compromise any GI analog set top. If you are a cable company employee
reading this then I highly recommend you build some of these projects before
considering the purchase of any future GI set tops.
Why GI?
Why not! They claim to have 60% of the set top market. Let's look at some
facts to see what General Instrument HAS done for cable companies:
In 1983 a company called Jerrold Electronics released the SBD-3A addressable descrambler. This descrambler used the 106.5 MHz carrier for authorization data.
In 1997 the same company, now called General Instrument, released the CFT2200
addressable set top descrambler with massive on-screen programming options.
The SBD-3 used a 6850 UART, a PIC16C70 microcontroller, and a simple 106.5 MHz FM data receiver.
The CFT2200 uses custom components, including a custom chip with an advanced 6850 UART core in it.
A few YEARS prior to General Instrument's release of the CFT2200 they became aware of a "cube" type device which would totally crack the SB*, DPV* and DPBB model converters. General Instrument put out a press release which said "We are actively working on the cube problem and will stop them." See, GI used the SAME NON-ENCRYPTED data stream for ALL AUTHORIZATION data for all set tops over the past 18 years!
Well, after their press release, did they solve the problem?
No! They built a nice looking CFT2200 with a 68000 in it, and it still used the SAME UNENCRYPTED data stream and even the SAME AUTHORIZATION COMMANDS USED IN THE SBD-3A!
If you are a cable company then do this test:
Switch your headend to "mixed mode scrambling" (for SB-3 compatibility) and
go to your local DUMP and find an SBD-3A (looks like a black pan -
pancake). Now, hook it up to your system and hook up the NEWEST model of a
CFT2254 you have. Set both ESNs (internal serial numbers) to: E0 BF 7F 3E
(just for an example) - [if you don't know how to do this then don't worry, you
WILL be doing that later today]
Now - send these commands to BOTH units, and make sure both units are on PAY-TV:
(I put this in decimal notation so you can BETTER understand it)
8 253 176 224 191 127 62 255 240
8 253 177 224 191 127 62 255 239
8 253 178 224 191 127 62 255 238
8 253 179 224 191 127 62 255 237
8 253 180 224 191 127 62 255 236
8 253 181 224 191 127 62 255 235
8 253 182 224 191 127 62 255 234
8 253 183 224 191 127 62 255 233
8 253 184 224 191 127 62 255 232
8 253 185 224 191 127 62 255 231
8 253 186 224 191 127 62 255 230
8 253 187 224 191 127 62 255 229
8 253 188 224 191 127 62 255 228
8 253 189 224 191 127 62 255 227
8 253 190 224 191 127 62 255 226
8 253 191 224 191 127 62 255 225
8 253 232 224 191 127 62 255 184
8 253 233 224 191 127 62 255 183
8 253 234 224 191 127 62 255 182
8 253 235 224 191 127 62 255 181
8 253 236 224 191 127 62 255 180
8 253 237 224 191 127 62 255 179
8 253 238 224 191 127 62 255 178
8 253 239 224 191 127 62 255 177
8 253 240 224 191 127 62 255 176
8 253 241 224 191 127 62 255 175
8 253 242 224 191 127 62 255 174
8 253 243 224 191 127 62 255 173
8 253 244 224 191 127 62 255 172
8 253 245 224 191 127 62 255 171
8 253 246 224 191 127 62 255 170
8 253 247 224 191 127 62 255 169
[8] is the length
[253] modify command
[176-191] pay-TV (8 channels per byte)
[232-247] pay-per-view (8 channels per byte)
[224 191 127 62] is the ESN (electronic serial number - change this to E0 80 40 00 (hex) for the test)
[255] is the channels allowed to view, 11111111b (1 = watch, 0 = no watch)
[checksum] - one byte checksum to ensure the packet is good.
After sending both these packets you will actually see both the SBD and the
CFT2200 descramble the channel!
Now, collect some of YOUR data on YOUR system:
Build the Data Logger on Boot.html
Now, the software on that page I wrote in a few hours. Here is another piece of software that will allow you to log hours, days, even MONTHS of your Jerrold data stream.
I DID NOT WRITE THE SERIAL CAPTURE TOOL COMMHEX. I did write the program PROCESS, which converts the logged data to a USABLE format.
This is what the program produces (just happens to be the Jerrold 4-wire
testchip boot-up procedure):
11 FD 4C E0 81 6D 06 13 00 18 19 1A 1B 1C 1D 1E 1F E3 FF FF FF
11 FD 4C E0 81 6D 06 14 00 20 21 22 23 24 25 26 27 A2 FF FF FF
11 FD 4C E0 81 6D 06 15 00 28 29 2A 2B 2C 2D 2E 2F 61 FF FF FF
11 FD 4C E0 81 6D 06 16 00 30 31 32 33 34 35 3E 3F 10 FF FF FF
11 FD 4D E0 81 6D 06 17 42 00 41 00 00 00 00 40 00 F7 FF FF FF
11 FD 4D E0 81 6D 06 18 01 3D 00 00 00 00 00 00 00 7B FF FF FF
(this happens to be part of a boot up sequence programming the channel map)
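As an added example (not the author's PROCESS tool, nor any GI code), here is a Python decoder for a captured log in the packet layout described above: it splits a PROCESS-style hex dump into packets, checks each checksum, and names the fields so you can see what commands are actually going out on your own plant. Two details are not stated on the page and are inferred from the sample packets, so treat them as assumptions: the length byte counts every byte after itself, checksum included, and the checksum is chosen so that the whole packet sums to zero modulo 256 (every sample on the page satisfies this).

```python
import re
# Added example, not the author's PROCESS tool. Packet layout per this page:
# [len][0xFD][sub-command][ESN x4][payload ...][checksum], with 0xFF idle bytes
# between packets. ASSUMPTIONS inferred from the sample packets: the length byte counts
# every byte after itself (checksum included), and a good packet sums to 0 mod 256.

MODIFY = 0xFD
PAYTV_SUBCMDS = range(176, 192)  # 0xB0-0xBF: pay-TV, 8 channels per byte
PPV_SUBCMDS = range(232, 248)    # 0xE8-0xF7: pay-per-view, 8 channels per byte

# First two packets of the 4-wire test-chip boot-up dump shown on this page
SAMPLE_BOOT = """
11 FD 4C E0 81 6D 06 13 00 18 19 1A 1B 1C 1D 1E 1F E3 FF FF FF
11 FD 4C E0 81 6D 06 14 00 20 21 22 23 24 25 26 27 A2 FF FF FF
"""

def parse_hex_dump(text):
    """Turn a PROCESS-style hex dump (any whitespace) into raw bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", text))

def checksum_ok(packet):
    """Checksum rule (assumption): all bytes, checksum included, sum to 0 mod 256."""
    return sum(packet) % 256 == 0

def split_packets(stream):
    """Split a capture into packets on the length byte, skipping 0xFF idle fill."""
    packets, i = [], 0
    while i < len(stream):
        if stream[i] == 0xFF:
            i += 1
            continue
        n = stream[i]                            # bytes that follow the length byte
        packets.append(bytes(stream[i:i + n + 1]))
        i += n + 1
    return packets

def decode(packet):
    """Name the fields of a modify packet; None if the length or command byte is off."""
    if len(packet) < 8 or len(packet) != packet[0] + 1 or packet[1] != MODIFY:
        return None
    sub = packet[2]
    kind = "paytv" if sub in PAYTV_SUBCMDS else "ppv" if sub in PPV_SUBCMDS else "other"
    info = {"valid": checksum_ok(packet), "kind": kind, "subcmd": sub,
            "esn": packet[3:7].hex().upper(), "payload": packet[7:-1],
            "checksum": packet[-1]}
    if kind != "other":
        base = PAYTV_SUBCMDS.start if kind == "paytv" else PPV_SUBCMDS.start
        info["group"] = sub - base                       # which block of 8 channels
        info["channel_bits"] = format(packet[7], "08b")  # 1 = watch, 0 = no watch
    return info
```

Run `decode` over `split_packets(parse_hex_dump(log_text))` for a whole capture; a packet whose checksum fails or whose length byte does not match the bytes present shows up as `valid: False` or `None`.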
Now, get those logs and get ready for Hour 2 of Judgement Day!
Jim Borden
http://www.magicboxes.com