cable


Overview

This guide has been designed as an educational aid for the enthusiast interested in Analogue Cable, Digital cable and Satellite TV technology.

Contributions have been made from many different sources including www.dragonalfa.co.uk/shop/ and the editorial team gratefully acknowledge their support and assistance.

The scope of the help file attempts to provide a point of reference to both the new and the experienced enthusiast. With this in mind, the documentation is constantly being updated and new versions will be released as fresh information becomes available.

This documentation has been compiled from various resources on the Internet. Wherever possible the original authors have been acknowledged and credited as the source and for their contributions.

Please see the Credits and the Resources sections for further information, websites and links.

GO TO JAIL WARNING:

Tampering with cable boxes to receive Pay TV signals without paying for them is illegal in most countries. The information here should be used for test purposes only.

Getting Started

Before you start you should browse through the different sections of this help documentation and try to become familiar with the terms and expressions used throughout these pages.

There is a detailed glossary which will help you understand any technical expressions and terms used within the documentation.

You should also equip yourself with some basic tools, software and equipment. Most of the items you need, such as card programmers and software, can be purchased from www.dragonalfa.co.uk/shop/, but some tools that will be needed are as follows.

Basic tools you will need:

• A soldering iron, solder and flux

• A De-solder gun and de-solder braid (optional)

• Screwdrivers

• A Pic/card Programmer

• Pic Chips and/or cards

• An electrical tester (optional but worthwhile).

• Common Sense and patience

Digital Introduction

This section covers the Cable Decoders for the Digital cable system. Most of these are manufactured by PACE.

There is another section on Analogue Cable decoder systems. Please ensure you are reading the correct section for your Cable Decoder before proceeding.

Before attempting to make any modifications to a decoder it is important to become familiar with the terms used and the internal mechanics of how the system works to transfer and decode/encode the transmissions.

Please read the information on Talkback and Rom Cards in order to gain some familiarity with these terms.

Also use the Glossary to look up the meaning of any terms and technical jargon.

Please Note:

The tutorials described here are broadly similar for each different model. However each model will have subtle differences so it is recommended you consult the technical specifications for the model on which you are working before attempting to implement any modifications.

What Not To Do

Never attempt to modify any decoder whilst it is connected to a mains supply!

• There is a risk of serious electric shock which could prove fatal. Always ensure the decoder is disconnected from the mains supply and the plug removed from the wall.

• Do not use any tools which are not suited to the purpose of electrical work.

• Never allow children to connect your test equipment to a mains supply

• Never allow children to adapt any electrical components or decoder boxes.

Safety Precautions

• If possible wear appropriate rubber soled shoes in case of surplus static current.

• If possible obtain an anti-static strap and wear this whilst working on electrical components, even when the test unit is disconnected from the mains

• Always earth yourself by touching a metal surface before touching any electrical components - this will remove surplus static from your body.

• Only use tools which are appropriate for the task you are attempting.

• Keep small children and pets away from your work area and test equipment.

You should not attempt any modifications on a rented digital decoder.

Only modify a box you own. They can be purchased from online auctions or through the classified adverts sections of newspapers.

You should not attempt any modifications on a ROM Card without making a back-up of the original data within the card.

For details on ROM and ROM cards see the Card Information section

Tip:

Using a digital splitter with a rented box and a modified box will mask the signal from the modified box which has had Talkback disabled.

Digital Box Types

There are a number of different models for the Digital cable decoder. They are generally manufactured by Pace and all of them look similar to one another. However, the internal board layouts are somewhat different for each model. The different models are released in series and the higher the number the more recent the release of each model series.

The Pace series digital decoder models are:

The Pace Ditv1000 series

• Pace DITV1000

• Pace DITV1010

Pace DITV2000

The Pace Ditv4000 series

• Pace Di400N

• Pace Di4001N

• Pace Di4010N

These are available from www.dragonalfa.co.uk/shop/, including some of the tools you will need. I contacted the store and they were able to email me the software.

About Digital Decoder ROM Cards

The cards which come with the Digital Decoder box (or are married to the box) are called ROM cards. There are different versions of the ROM cards.

UK suppliers, namely NTL and TeleWest, support Rom7, Rom10 and Rom11 cards. "ROM" is the type of card you will have if you own a digital decoder which has been supplied by either of these.

The ROM cards are pre-encoded by the manufacturers using software provided by NagraVision. You can see this on the rear of the ROM card.

To edit the card, a software package is available called Nagra edit. This is not provided by NagraVision but is generally available through Internet Discussion Forums.

At the time of writing nagra edit software only supports Rom10 cards. Rom11 is newer and currently is not supported. Rom10 is the only card which can be MOSC'D (modified) to receive all channels.

Most modern boxes will have Rom11 cards which can be MOSC'D (modified) and can be copied from the ROM11 and used in a ROM10 card.

Use of a computer, card programmer and nagra edit software will tell you the ROM version of a card. This information is very useful before thinking of making any modifications to the digital decoder.

Important Note:

Always take a back-up copy of your ROM Card before attempting any modifications. This can be done by using Nagra edit to back-up the card.

Understanding Talkback

Talkback is a way for the cable company to be able to tell the box is online and is also used for interactive services.

The box will communicate with the cable company and ask for permissions such as access to the channels.

By disabling the Talkback function the box no longer communicates with the cable company and asks permission. Since the box no longer communicates with the cable company it is unlikely the cable company will know it exists.

However, if a rented box stops communicating then the cable company will suspect it has been modified, since they keep an accurate log of all box communications on their system.

Similarly, if a box which has been modified to receive all of the channels communicates with the cable company, they will identify it as an illegal attempt to steal their Pay TV services and trace its source.
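The operator-side view of Talkback described above, as an added example that is not part of the original guide: a short Python audit over constructed check-in records that flags rented boxes that have gone silent and boxes whose reported tiers exceed the billing record. The record layout, box IDs, tier names and the seven-day threshold are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Constructed billing inventory (assumed layout): box id -> rental flag and paid tiers.
SUBSCRIBERS = {
    "BOX-A": {"rented": True, "tiers": {"basic"}},
    "BOX-B": {"rented": True, "tiers": {"basic", "sports"}},
    "BOX-C": {"rented": True, "tiers": {"basic"}},
}

# Constructed return-path log (assumed format): timestamp, box id, tiers the box reports.
CHECKINS = """\
2021-03-01T08:00:00 BOX-A basic
2021-03-02T08:00:00 BOX-B basic,sports
2021-03-09T08:05:00 BOX-B basic,sports
2021-03-09T09:00:00 BOX-C basic,sports,movies
2021-03-09T09:30:00 BOX-Z basic
"""


def parse_checkins(text):
    """Turn log lines into (timestamp, box_id, reported_tiers) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, box_id, tiers = line.split()
        events.append((datetime.fromisoformat(stamp), box_id, set(tiers.split(","))))
    return events


def _add(findings, box_id, label):
    """Record a finding once per box."""
    labels = findings.setdefault(box_id, [])
    if label not in labels:
        labels.append(label)


def audit(subscribers, events, now, max_silence=timedelta(days=7)):
    """Return {box_id: [finding, ...]} for boxes that need follow-up.

    unknown-box          : a box talks back but is not in the inventory
    entitlement-mismatch : a box reports tiers the account does not pay for
    silent               : a rented box has not talked back within max_silence
    """
    findings = {}
    last_seen = {}
    for stamp, box_id, tiers in events:
        record = subscribers.get(box_id)
        if record is None:
            _add(findings, box_id, "unknown-box")
            continue
        last_seen[box_id] = max(stamp, last_seen.get(box_id, stamp))
        if not tiers <= record["tiers"]:
            _add(findings, box_id, "entitlement-mismatch")
    for box_id, record in subscribers.items():
        if not record["rented"]:
            continue
        seen = last_seen.get(box_id)
        if seen is None or now - seen > max_silence:
            _add(findings, box_id, "silent")
    return findings


def run_example():
    """Audit the constructed data as of 2021-03-10."""
    return audit(SUBSCRIBERS, parse_checkins(CHECKINS), datetime(2021, 3, 10))


if __name__ == "__main__":
    for box, labels in sorted(run_example().items()):
        print(box, ", ".join(labels))
```
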

There are a few ways to modify the box to prevent Talkback. This involves cutting a track inside the tuner part of the box or lifting a leg of a component.

Both methods disable the unit from using Talkback.

There have been rumours of a filter which means no internal modifications are necessary. Allegedly this can be put in line with the cable which comes in from the white cable box on the wall and into the back of the digital receiver. However, at the time of writing these are only rumours and are unconfirmed.

There are two stages to modifying a Pace digital decoder. The first stage is to modify the hardware (the decoder itself) and the second is to modify the ROM card using a computer, a card programmer and some special software.

Hardware/Tools

• Pace Ditv1000 cable box

• ROM 10 Card – preferably married to the box

• A Digital Splitter (optional but recommended).

• Smart Card Programmer - preferably with 3.68 MHz crystal fitted.

• Small tip Soldering Iron and solder (or sharp craft knife)

• Screwdriver

Software:

• Lib debug software

• Tw.cfg – the hex file

• Nagra Edit 3 – Software

• Getbox PC2 – to get the box key (Non-Rom 10/Rom 11 cards)

Some Alternatives:

• You can also write to your card in the box, using a modem lead straight into your computer using the RS232 Ports and a software application called cam whistler.

You will need:

• A Modem cable for box to computer editing using the RS232 Ports and software

• Cam Whistler Software

Ditv-1000 - Modifying the Hardware

Getting Started

There are two stages to modifying a Pace digital decoder. The first stage is to modify the hardware (the decoder itself) and the second is to modify the ROM card using a computer, a card programmer and some special software.

• Remove the Cover

• Remove the Tuner

• Disable Talkback

• Reassemble the Tuner

• Replace the Cover

IMPORTANT:

DO NOT CONNECT THE BOX UP TO THE MAINS YET! THIS IS ONLY THE FIRST STAGE. ONCE YOU HAVE COMPLETED THE ABOVE MODIFICATIONS YOU NEED TO COMPLETE STAGE TWO.

DiTV-1000 - Removing the Cover

Clear a work surface and gather your tools. Place the Pace DiTV 1000 box on your work surface. Ensure it is not connected to the mains and if it is then disconnect it and unplug it from the wall. Unscrew the box and remove the cover.

Image (1) - Models DiTV1000 and DiTV 4001

The rear of the decoder will look different depending on the model series you are working with. The procedure for removing the screws is much the same.

You will need a tamper-proof screwdriver to remove the screws or possibly a hexagonal bolt remover. Put the screws to one side in a safe place or in a plastic bag so you do not lose them. You will need them again to put it back together.

The above Image (2) illustrates the location of the screws to be removed.

Once the screws have been removed you will be presented with the internal mechanics of the decoder. You should see the tuner and main control board. Depending on the model series of the decoder the layout may be different.

Image (3) - General view of the board once the case is removed

Ditv1000 - Removing the Tuner

Once the cover has been removed the next step is to remove the tuner.

The first step in removing the tuner can is to gently prise up the tuner can shield with a screwdriver.

The shield can be located on top of the tuner can.

Be very gentle with the screwdriver.

Image 1 - prise up the tuner can shield

Identify the tuner can then identify the tuner can retaining screw - see image on the left.

Unscrew the silver screw holding the tuner in place. This will allow you to easily unplug the tuner device. It should pull out very easily.

Put the screws in a safe place or in another plastic bag so you do not lose them.

Carefully unplug the tuner from the side of the tuner can.

When pulling out the tuner can be careful not to force it or dislodge anything. You will need to put it all back together again when the final modifications have been made.

Image 2 - Tuner Retaining Screw

Next you need to take off the side of the tuner. To do this there is a little twist locking lug (see Image 3). Carefully twist the locking lug until it allows the tuner to move freely. Use a pair of long-nosed pliers but be careful not to snap the locking lug.

Image 3 - Twist the Tuner Twist Locking lug.

Top view of the Tuner can once it has been removed from the case.

The images were captured and supplied by buffs

Top View of the inside of the Tuner Can with the Tuner Cover Removed.

The images were captured and supplied by buffs

The box sends and receives information from the cable company. This is known as Talkback. To disable it, some modifications need to be made to the tuner board. This is done after removing the tuner and gently taking off the cover.

Cutting the track

To disable Talkback you will need to cut a track on the board or you can lift the leg of the component above the track cut. You can use a sharp craft knife to cut the track or a soldering iron to undo the component leg and lift it up.

This image shows the track to cut on a Ditv4000 Unit.

An alternative to cutting the track is to lift the leg located directly above the track cut.

The component is shown here and the legs are the silver bits (ten of them on the lower part of the component).

Image 1 - DiTV4000 Track Cut

This image shows the track to cut on a Ditv2000 Unit.

An alternative to cutting the track is to lift the leg located directly above the track cut.

The component is shown here and the legs are the silver bits (ten of them on the lower part of the component).

Image 2- DiTV2000 Track Cut

This image shows the track to cut on a Ditv1000 Unit.

An alternative to cutting the track is to lift the leg located directly above the track cut.

The component is shown here and the legs are the silver bits (ten of them on the lower part of the component).

Image 3- DiTV1000 Track Cut

This image shows the track to cut on a Ditv1000 Unit.

The component leg lift on this model is not clearly identifiable so it is best to adopt the cut-track method.

Image 4 - DiTV1010 Track Cut

Once the track is cut or the leg lifted the hardware modifications are almost complete. Double check to make sure you have the track cut and/or the leg lifted. Now it is time to reassemble the tuner.

Ditv1000- Reassemble the Decoder

Having confirmed and double checked the correct track has been cut or the leg lifted it is time to reassemble the Tuner.

This is done in the same way it was taken apart but in reverse order. Use the correct screws you removed and put to one side when taking the tuner out of the box.

Replace the Cover

With the Talkback cut and the tuner refitted you can now replace the cover and screw it back together using the correct screws you removed and put to one side when unscrewing the cover.

The next stage will be to modify the ROM card using a card programmer and Nagra-Edit software.

IMPORTANT:

DO NOT CONNECT THE BOX UP TO THE MAINS YET! THIS IS ONLY THE FIRST STAGE. ONCE YOU HAVE COMPLETED THE ABOVE MODIFICATIONS YOU NEED TO COMPLETE STAGE TWO.

Ditv1000-Modifying the ROM card

Once the modifications have been made to the decoder hardware, the next stage is to modify the ROM card using software and a computer.

The procedure for modifying the ROM card depends on the actual ROM card version. Some can be written to whereas others cannot. Different versions also use different software to perform the modifications.

For example, ROM 10 uses Nagra-edit whereas ROM 7 uses a software application called Sorryshakes. A ROM 10 can be written whereas a ROM 7 and ROM 11 cannot, so can only be used to obtain the data dumps. An alternative would be to use a Fun Card which can be written to with the data from any ROM card version. These are less prone to "Zapping".

• Background information on ROM cards and Fun cards

• Determine which type of card you have using software

Making the Modifications to your ROM Card

• Before you start

• Things you will Need

• Getting Started

• Edit your local area ID

• Get the box keys

• Programme the data into the card

• Configure the decoder

Get the Box Keys Using Libdebug

You can use the Libdebug software to get the box-keys.

• Connect the computer/laptop up to the digital box, using your programmer lead.

• Once it is connected, load up the libdebug software.

• Load up the .cfg file (e.g. 'tw.cfg') using the drop down menu if necessary.

• FILE > OPEN RECIEVER CONFIG, then point it to the file in question.

Watch lib debug, you will see it logging data. Once it has finished, if you have your TV hooked up to the computer and decoder, the TV screen will be black and the display on the decoder box will be blank.

Click on the following:

1. 'Erase SRAM (U5700)', then click:

2. Execute command.

This will clear the ram, in case you need to reset the Pay Per View password.

Now click on the following:

1. 'Network ID' and then 'Set Network ID', then click:

2. Execute command.

This will set the id to the same as the one you put in the 'tw.cfg'. Obviously this should be your area id number taken from the list of locations and corresponding NetID numbers.

Next click on the following:

1. 'Get Network ID', then click:

2. Execute command, in the box on the right

Close the LibDebug Software

Tip: You can also use alternative software such as boxget_pc to read the box keys on the card. Once you get the cam id using boxget_pc, use windows calculator to convert from decimal to hex and add it as hex.

Getting Box Keys without a ROM Card

If you do not have an original ROM card for the box the box keys can be obtained directly from the box. This involves using tools and some careful work with a soldering iron to remove two eeproms so you can read the box key details from them.

REMOVING EEPROMS FROM THE BOX:

To get the boxkey directly from the box you need to remove two eeproms. These chips are the ATMEL AT49LV1614 type.

You would only need to do this if you did not have an original card with the box. You will need a programmer to read the Atmel chips such as the VX VxMulti2 8 Mode Programmer or the VxMulti2 Pro from http://www.vxtools.com

To get the boxkey from the ATMEL chips do the following:

Make sure you know which chip is which. This is very important so mark one with a bright marker or some nail varnish. Make sure they are clearly labelled.

Next you need to read and make a dump of each chip. Imagine you labelled the chips one and two (1 being the front leftmost chip) think of the chip on the left as dump 1 and the chip on the right as dump 2. This will help you remember which chip should have which dump file.

Now you have the data it looks like this:

DUMP 2 = 100100000 8734 B143 BF21 8270000000000000000A1

DUMP 1 = 100100000 9653 3342 8687 000900000000000000004D

Take the 8734 and turn it round so it looks like this: 3487 (because the 2 bytes staying together are important). Next take the 9653 and switch this around also. You should get 5396. We now have 3487 5396.

The whole boxkey and ird are 3487 5396 43B1 4233 21BF 8786.

Another Example:

Remove & read both chips ATMEL AT49LV1614

Looking at the box from the front name the dumps for left hand chip dump 2 and right hand chip dump 1.

For example box Key and IRD are as follows :

1205 5996 and 155B 0F34 FAAB 5D88

Dump 1 right hand chip :1001000005125B15ABFAF8270000000000000000A1

Dump 2 left hand chip :100100009659340F885D000900000000000000004D

Programming the data into the card

This stage is done using the nagra-edit software and a card programmer. If you are programming a ROM 10 card you need a card programmer with a 3.68 MHz crystal.

Step 1

Connect up the card programmer to the laptop/pc. Insert the card and start up the nagraedit software.

Make sure the power is on to the programmer and card is inserted firmly.

Press CTRL+R on the keyboard or click on where it says Data editor in the nagra-edit menu. Alternatively click the shortcut icon (circled in blue on the image below). Any of these methods will read the contents of the card.

Once the card has been read, make a back-up of the data by using the file tab at the top then selecting save image as. Give it a unique file name and keep it safe. Once the back-up file has been made it is time to edit the card.

Step 2

Click in the field where it says IRD status in the open nagra-edit window. This will open the data editor box.

The main keys to find are as follows:

• BOXKEY (Blue arrow on the image example)

• IRD KEY (Orange arrow on the image example)

• CAM KEYS (Purple arrows on the image example)

Check the IRD status of the card

Click on '02 Provider Filter' to check in the IRD status and make some changes if necessary.

• If irdstatus reads 80 it means the card has been switched off.

• To switch the card back on again change this to the two digits zero zero (00).

Click on '08 Standard Tier (31)', which may or may not have more than one tier. If it has more than one, start from the top tier. Change the values to the same as the following, leaving everything else the same.

Do this for each tier:

IRD Status Byte 10

Rights Identifier 00 DB BD

Expire date 17 00

Rights date 17 00

Min Channel 00 01

Max Channel 7F FF

Configure the Pay per View (PPV) settings

On the far left (above the topmost standard tier (1)), you will see a title called '0C Spending Limits (20)'. Click on this and the right hand side of the screen will change to another set of input fields.

• Change the IRD status byte to 00. This turns on the Pay Per View.

• Then change the Credit in cash to 00 00 00.

• Finally change the Debit in Cash to 00 FF FF FF. This will put £65,000 on the viewing card.

Note: Changing these values will increase or decrease the amount of credit on the viewing card. It is likely these values will be targeted by ECM (electronic counter measures) so finding a different set of values would be prudent.

Once all this has been done the data modifications have been finished. It is time to write the modified data back to the ROM card.

Go to "card" and select from the drop-down menu >write to card. The software will now write the modified information to the ROM card.

Once the software has finished writing the data to the card remove the ROM card from the programmer.

The card modification and writing process is now finished.

Configuring the Engineers menu

Accessing the Engineers menu for the digital box.

Make sure the power is OFF on the decoder and insert the modified ROM card into the vacant card slot in the digital decoder. To get into engineer menu, make sure the decoder is connected to the T.V. and the card is inserted.

Boot Up the Box

Take the mains power out of box and when reapplying power hold up and down on the box, and it will enter the engineers menu.

Note: up/down is NOT channel up and down.

Press and hold the up and down buttons on the decoder then insert the power lead and switch it on at the mains.

The engineers menu should appear on the screen.

Let go of the buttons when you come to the installations menu.

Set the PIN Number

Once in the installations menu, go down to the bottom and set your PIN number to one of your own choosing.

Use chan up, down and ok to change the digits, then press tv to store the information.

It should change to ****

Check the card credit

Check to see if you have programmed the card up properly by going to the smart card data page and checking the credit.

If it agrees with the amount you coded into the card everything is on schedule.

Reset and test the decoder

Move through the engineers menu to page 10 and do a soft reset.

The box will re-boot.

If all is well, once the box has rebooted and reset itself you will have all channels. Test this by trying to view a Pay per View Movie. (You may have to order it first) If it appears on screen the modifications were successful.

Troubleshooting

If the box is from an area different from where you live

On the engineers menu (page 1) change the frequency to the one required of your area.

If you cannot set the password

You will need to edit the .cfg file using libdebug to suit your local area ID.

DiTV - Local Area Netid Groups

Key

TW = Telewest Area
NTL = NTL Area

Location  NetId  Freq

7 Kings  41050  666.750
Ashford  41052
Basingstoke (ntl)  00013  803.000
Bedford  00005  755,000
Belfast (Ireland)  00021  755.000
Birmingham  41011  643.000
Bolton (ntl)  41060  666.750
Bournemouth  41043  666.750
Brighton (ntl)  41044  666.750
Bromley  41041
Cheltenham Glos (1)  40971  433.000
Cheltenham Glos (2)  40971  651.000
Chesham Bucks  41051  666.750
Coventry  00019  811.000
Derby  41056  666.750
Durby  41046
East London  41050  666.750
Edinburgh/Lothian (TW)  40981
Essex NTL  41050
Falkirk (TW)  40981  619.000
Fife (TW)  40981  619.000
Gateshead  40969  571.000
Glasgow (ntl)  00002  755.000
Grimsby (ntl)  00022  755.000
High Wycombe  00013  803.000
Ipswich (ntl)  00011  755.000
Kidderminster Worcs (TW)  40974  130.000
Keighley (TW)  40961  539.000
Leeds  41053  666.750
Leicester (ntl)  00012  643.000
Lewisham  41047
Liverpool 1 - North (TW)  40966  571.000
Liverpool 2 - North (TW)  40965  571.000
Luton  739.000
Maidstone Kent  40976
Manchester 1 (ntl)  41040
Manchester M46 (ntl)  41060  666.750
North Lanarkshire (TW)  40984  619.000
Norwich  41055
Nottingham 1 (ntl)  00008  755.000
Nottingham 2 (ntl)  00008  739.000
Peterborough  41049
Plymouth (TW)  40988  787.000
Portsmouth / Cosham (ntl)  41042  666.750
Solent  41042
South Herts  41051
Stafford (ntl)  00015  826.250
Stockport  41066  666.750
Stoke  41064
Surrey  41045
Sussex  41044  666.750
Solent  41042
Southampton  41048  666.750
South Yorkshire  40964  539.000
Swindon  00006  579.000
Walsall / West Midlands  40974  131.000
Warrington  41060
Washington Tyne & Wear (ntl)  41054  666.750
Watford / Herts (ntl)  41051  666.750
Wearside  41054
Wessex  41043
West Yorkshire (TW)  40961  539.000
West Yorkshire (ntl)  00001  755.000
West London / Middlesex (TW)  40980  539.000
Wirral Merseyside CH41  41048  666.750
Wirral Merseyside CH43  41060  666.750
Wolverhampton (ntl)  40973  131.000
York  41065

Using the CFG Files

To use the .cfg file within this document open up the relevant file and copy all of the text below the title (without including the title) to the clipboard.

Launch your favourite text editor (e.g. windows notepad) and paste the contents of the clipboard into the new untitled text file.

Save the text file with the same filename as the title (e.g. tw.cfg) - remembering to change the drop-down box in the notepad "save as" menu to "all files".

Editing the .cfg file with your local area ID

Tip: You can get your local area ID from the local area ID table.

Open up tw.cfg with wordpad. Find the lines where it says:

:Network ID
Set Network ID ntl
406141060
Set Network ID
406141060 <<<<<<<<<<<< change the last five digits of this to your area id number.
Get Network ID
4010

Save a copy of the file somewhere safe. It will be needed later.

tw.cfg

******************************************************
*
* Cable & Wireless Phase 2
* DigDebug 2.3 Config File Version 1.8
* (c)2003 Bloggs Micro Technology Released xx/xx/xx
*
* Written By Fred Bloggs, Test Software Department
*
* Ver Date By Comment
* 1.1 08/03/99 Initial Version
* 1.2 28/05/99 Various commands added
* 1.3 07/07/99 Various commands added
* 1.4 16/07/99 MCNS Tune command for build 45.2
* 1.5 21/09/99 Channel select command added for
*              Nagra playout.
* 1.6 22/12/99 Renamed some commands
*
* Version History Phase 2
* 1.1 25/01/99 SW Various commands added
* 1.2 17/02/99 SW Various commands changed see
*                 Testtask spec version 1.5
* 1.3 28/02/99 SW Key responses changed for '9'
* 1.4 03/03/99 SW Command to tune DVB signal on
*                 MCNS system
* 1.5 10/04/00 SW 'R' commands modified to include
*                 factory feed or true MCNS
*                 This version of 1.5 will only
*                 work with digdebug v1.8
* 1.6 16/05/00 SW 'X' command now does CRC in pairs
* 1.7 27/06/00 SW '3' SDRAM test not applicable
*                 will return '22'
* 1.8 08/08/00 SW Network ID command now 5 bytes
*
* Version History NTL MCNS Phase 2
* Ver Date By Comment
* 1.0 20/10/00 SW New name for CWCPH2
******************************************************

This Digdebug config is used to test the interface for the Cable & Wireless digital unit.
It is for use with the Windows 95 DigDebug.exe program
This file should be read in conjunction with the spec for testtask comms for Cable & Wireless receiver

Usage Notes:
Packet format:
Byte:    1 2 3 4 5 6...
Content: SYNC,SYNC,COMMAND,LABEL,BYTECOUNT,DATA...
where:
SYNC is 0xB1
COMMAND is product specific command code
LABEL is currently always zero but in future may have the MSB of BYTE count
BYTECOUNT is num of bytes in data field
DATA is a variable num of bytes depending on packet
so smallest packet is 5 bytes (bytecount=0)

Sections in the file start with a tag in column 1 ie *COMMANDS or *RESPONSES
then the data follows in pairs of lines

for commands it is:
line1: description seen in window
line2: packet (less sync,sync)
note that the software recalculates the byte count before transmission
so although it is needed as a placeholder it can be left at 0.

for responses:
line1: is received bytes to match (less sync,sync)
line2: is message for response window

Packets in both lists do not have the sync sync; it's hard to type in, so the software adds it for you.

to insert user text into a packet add *(TXTPrompt) in the packet definition
where Prompt is the text used on the input window which will
pop up for you to enter the text

There is a special packet that does not get sent to the product, it is d015,
which causes the software to wait; the delay is specified by the last digit,
in this above example a 5 sec delay is set.
to spec a value > 9 use the ascii char where char code= val+48d i.e. d01D=20

Multiple packets can be specified by a space in between and hence
spaces cannot be used inside packets.

special escape sequences can be used, at present they are as follows:
\r replaced by char 13d
\n replaced by char 10d

*COMMANDS

Start Test (Done Automatically)
000
Version Number
200
Product ID
:00
Tune to PMF Test
Q0;06907506952 d012 O0@0908090A09080000
Erase SRAM (U5700)
G00
:RS232 Tests
RS232 RTS low
1010
RS232 RTS high
1011
:Memory Tests
Memory Test - Flash
3010
Memory Test - SDRAM
3011
Memory Test - BCM3250 SDRAM
3012
Memory Test - CL9300 SDRAM
3013
Memory Test - GTX DRAM
3014
Memory Test - SRAM
3015
:Network ID
Set Network ID ntl
406141060
Set Network ID
406141060
Get Network ID
4010
:Audio
Left Audio Attenuation On
50510010
Right Audio Attenuation On
50510001
Left+Right Attenuation On
50500011
Left + Right Attenuation Off
50510000
Left+Right Half Volume
50505000
Mute
C011
Un-Mute
C010
:LED Control
LED Control - All ON
70:7?7?7?7?71
LED Control - 55
70:5500000000
LED Control - All OFF
70:0000000000
LED Control Colon On
70:0000000001
:IR and Key Controls
IR Front Panel Test
8010
IR Rear Test
8011
Enable Keys
9011
Disable Keys
9010
:Card Tests
Mondex Init (Do this first!)
A014

Reset Nagra Card
A010
Mondex Reset
A012
Nagra Card Test
A0<1Ý1234567890
Mondex Test
A013
Nagra (Bottom) Detect
B010
Mondex (Top) Detect
B011
:I2C Test
Verify IIC Channels
D00
:Real Time Clock
Read Real Time Clock
H010
Reset Real Time Clock
H011
:Parallel port
Parallel Port Walking '1's
I010
Parallel Port Reset Chip
I01E
Parallel Port Read Status
I01F
:Tuner Status
MCNS Status
K00
DVB Status
L00
DVB Lock+BER
M0200
MCNS Lock+BER
M0210
PCR Lock
N00
:MCNS Tune
Tune to MCNS 331MHz (Low Level)
R0=0331000695211
MCNS 586.750 MHz
R0=0586750695211
MCNS 309.250 MHz
R0=0309250695211
MCNS 586.750 MHz (64 QAM)
R0=0586750695211

(29)

MCNS 586.750 MHz (256 QAM) R0=1586750695211 Tune + Lock 8.0 MHz DVB on MCNS R0=0690750695200 603MHz QAM 256(BER) DVB on MCNS R0=1603000695200 MCNS BER 683.000 MHz R0=0683000695211 Tune to MCNS 830MHz(BER) R0=0830000695211 MCNS 830 64QAM R0=0830000695211 :DVB Tune BER DVB 495.250 MHz (low) Q0;04952596952 Tune to DVB 760MHz(BER) Q0;07600006952

Tune to 603MHz QAM 256(BER) Q0;16030006952

Tune to DVB 309.250MHz(Low Level) Q0;03092506952 Tune to DVB 690.750 MHz(Playout) Q0;06907506952 Tune to DVB 666.750 MHz(Nagra1) Q0;06667506952 Tune to DVB 462.000 MHz(Nagra2) Q0;04620006952 Nagra Playout Q0;06667506952 Tune IRDETO Q0;05061505728 :PIDS ITV O0@0200028A1FFE8191 Channel 4 O0@0B060B070B028191 Film Four O0@0B090B0A0B028191 ITV2 O0@0B030B040B018191 BBC1 O0@0258025902588191 BBC2 O0@0262026302628191 News24 O0@0280028102808191 NDS Encoder PID

(30)

O0@020002811FFE0000 Trouble (690.750MHz) O0@0908090A09080000 Bravo (690.750MHz) O0@00F100F200F10000 Living (690.750MHz) O0@00D300D400D30000 ? (690.750MHz) O0@00DD00DE00DD0000 :Channel Command Channel 1 U03001 Channel 2 U03002

Channel 3 (Nagra Card) U03003 Channel 4 (Free) U03004 Channel 5 U03005 :CIM Tone

CIM 8MHz Tone Full Amp P0?081000710040001 CIM 10MHz Tone Full Amp P0?101000710040001 CIM 8MHz Tone Half Amp P0?081000350040001 CIM Power Down P0?081000660040000 CIM Power Up P0?081000660040001 MCNS 8MHz Tone P0?081000660040001 MCNS 20MHz Tone P0?201000660040001 :Cable Modem

Start Cable Modem S010
Cable Modem Status S011

:Ethernet Test
Ethernet Test V00

:Read Nagra / MAC
Read Nagra Serial No =010
=011

:Teletext Controls
TeleText Page On >011
TeleText Page Off >010

:Banner Controls
RGB Banner On ?011
Test Banner WHITE ?01W
Test Banner BLACK ?01L
Test Banner Off ?010

:Scart Controls
Scart Routing IRD - TV Composite *010
Scart Routing IRD - TV RGB *012
Scart Routing VCR - TV Composite *016
Scart Routing VCR - TV RGB *018
TV Pin8 0V +010
TV Pin8 6V (16:9) +011
TV Pin8 12V (4:3) +012
VCR Pin 8 Status +013

:Flash Tests
Flash1 Sector(U5600) !010
Flash2 Sector(U5601) !011
Flash3 Sector(U5602) !012
Flash4 Sector(U5603) !013
Flash ID U5600 !014
Flash ID U5601 !015
Flash ID U5602 !016
Flash ID U5603 !017
Flash1 U5600&U5601 Checksum X010
Flash2 U5602&U5603 Checksum X011

:GTX Tone
GTX Tone 1KHz 100 Amp %0310A
GTX Tone 1KHz 90 Amp %03109
GTX Tone 1KHz 80 Amp %03108
GTX Tone 1KHz 50 Amp %03105
GTX Tone 500Hz %03059
GTX Tone 100Hz %03018
GTX Tone 0KHz %02000

:UHF Tune
UHF 21 Output )0521000

UHF 21 Test Pattern )0521100
UHF 38 )0538000
UHF 38 Test Pattern )0538100
UHF 69 )0569000
UHF 69 Test Pattern )0569100
UHF 21 +10db )0521001
UHF 38 +10db )0538001
UHF 69 +10db )0569001

:AK4319
AK4319 Power Down ,010
AK4319 Power Up ,011

:LED Misc
7-Seg 1 70:4000000000
7-Seg 2 70:0100000000
7-Seg 3 70:0200000000
7-Seg 4 70:0400000000
7-Seg 5 70:0800000000
7-Seg 6 70:1000000000
7-Seg 7 70:2000000000
7-Seg 8 70:8040000000
7-Seg 9 70:8001000000
7-Seg 10 70:8002000000
7-Seg 11 70:8004000000
7-Seg 12 70:8008000000
7-Seg 13 70:8010000000
7-Seg 14 70:8020000000
7-Seg 15 70:8080400000
7-Seg 16 70:8080010000
7-Seg 17 70:8080020000
7-Seg 18 70:8080040000
7-Seg 19 70:8080080000
7-Seg 20 70:8080100000
7-Seg 21 70:8080200000
7-Seg 22 70:8080804000
7-Seg 23 70:8080800100
7-Seg 24 70:8080800200
7-Seg 25 70:8080800400
7-Seg 26 70:8080800800
7-Seg 27 70:8080801000
7-Seg 28 70:8080802000
7-Seg 29 70:8080808010
7-Seg 30 70:8080808020
7-Seg 31 70:8080808040

Notes For Responses:

Each response entry has a packet to match and the message to display when that packet is found. The sync,sync is not included in the file but is taken care of by the software.

A special packet field TEST should be included, which is matched if the AT command and response are found. The AT command and response that initiate testtask are handled automatically when a receiver is powered up while connected to a PC running the software.

Another special field, DELAY, is matched when the special delay packet is sent.

In general, leave these entries alone.

To include decoded values from the packet in the response window, use %hxy in the text line, where x is the position of the value in the received packet (the 1st char is number 0 and the count should include 2 for sync,sync) and y is how many to use for the value, i.e. 1 byte, 2 bytes, 4 bytes. See existing entries for examples.

Note that the packet must use 'funny hex', i.e. 0123456789:;<=>?

To specify a value > 9, use the ASCII char where char code = val + 48 (decimal), e.g. D = 20.

To help with decoding, the bytes are only matched up to the length given in this list. Once a match has been found the process stops. This means that you can give some fully decoded entries, e.g. 1010 and 1011, and then give a 'catch all' entry, e.g. 101.

*RESPONSES
TEST Receiver TestTask Started
DELAY Waiting %h71 secs
GOTO Next...
PASS Receiver Passed
FAIL Receiver Failed
CERR Comms Error
000 Receiver Tests Initialised
1010 CTS low
1011 CTS high
20 SWare & HWare Version
30500000 Flash Pass
303122 SDRAM Test Not Applicable
30220 BCM3250 SDRAM Pass
303300 CL9300 SDRAM Pass
3044000 GTX DRAM Pass
30250 SRAM Pass
50 Audio Control
404 Network ID
700 LED Control
8011 IR Fail
8010 IR Pass
900 Enable/Disable Keys
9041321 Channel Up (Pressed)
9041331 Channel Down (Pressed)
9041421 OK (Pressed)
9041431 Menu Left (Pressed)
9041451 Menu Up (Pressed)
9041441 Menu Right (Pressed)
9041461 Menu Down (Pressed)
9041381 TV (Pressed)
9041391 TV Guide (Pressed)
9041521 Services (Pressed)
9041411 Favourites (Pressed)
9041281 Standby (Pressed)
9042571 Volume + (Pressed)
9042581 Volume - (Pressed)
9042621 Red (Pressed)
9042631 Green (Pressed)
9042641 Yellow (Pressed)
9042651 Blue (Pressed)
9042771 Up (Pressed)
9042761 Right (Pressed)
9042781 Down (Pressed)
9042751 Left (Pressed)
9040491 1 (Pressed)
9040501 2 (Pressed)
9040511 3 (Pressed)
9040521 4 (Pressed)
9040531 5 (Pressed)
9040541 6 (Pressed)
9040551 7 (Pressed)
9040561 8 (Pressed)

9040571 9 (Pressed)
9040481 0 (Pressed)
9042791 ? (Pressed)
9042591 Mute (Pressed)
9041320 Channel Up (Released)
9041330 Channel Down (Released)
9041420 OK (Released)
9041430 Menu Left (Released)
9041450 Menu Up (Released)
9041440 Menu Right (Released)
9041460 Menu Down (Released)
9041380 TV (Released)
9041390 TV Guide (Released)
9041520 Services (Released)
9041410 Favourites (Released)
9041280 Standby (Released)
9042570 Volume + (Released)
9042580 Volume - (Released)
9042620 Red (Released)
9042630 Green (Released)
9042640 Yellow (Released)
9042650 Blue (Released)
9042770 Up (Released)
9042760 Right (Released)
9042780 Down (Released)
9042750 Left (Released)
9040490 1 (Released)
9040500 2 (Released)
9040510 3 (Released)
9040520 4 (Released)
9040530 5 (Released)
9040540 6 (Released)
9040550 7 (Released)
9040560 8 (Released)
9040570 9 (Released)
9040480 0 (Released)
9042790 ? (Released)
9042590 Mute (Released)
A00 Smart Card
D06000000 IIC Pass
G010 SRAM erased
D05 IIC Fail
V03000 Ethernet Pass
E010 SPI Pass
E011 SPI Fail
B010 Card Detect (Out)
B011
A010 Card Reset/Test Pass
A011 Card Reset/Test Fail
C00 Mute Control
K0G0 MCNS Status (Locked)
K0 MCNS Status
L0G0 DVB Status (Locked)
L0 DVB Status
M0 BER Rate
Q00 Tuner set
O00 PIDs set
*00 Scart Control
+00 Direct Pin Control
H0: Real Time Clock Read (Day%h;4 %h91%h:1:%h71%h81:%h51%h61)
)00 Modulator initialised
P00 MCNS Tone
R00 MCNS Tune
=0 Nagra / Mac numbers
?00 Test Banner
,00 AK4319 Control
%00 GTX Tone
>00 TeleText
N010 PCR Lock
N011 PCR No Lock
I011 Parallel Port Fail
I010 Parallel Port Pass
S010 Cable Modem Started
S011 Cable Failed to Start
S02ZZ Not Started/No Failures
!04c01f FLASH ID Match
S02AZ DS Channel Scan
S02UZ UCD
S02MZ Map
S02BZ Ranging - Broadcast
S02NZ Ranging - Multicast
S02DZ DHCP
S02TZ TOD
S02SZ Security
S02CZ Config File
S02RZ Registration
S02PZ Privacy
S02OZ Operational
U00 Channel Change
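The matching rules in "Notes For Responses" (first matching prefix wins, 'funny hex' values, %hxy placeholders) can be seen working in the short decoder below, which is an added example and not part of the original file or of the test software. The "~~" sync stand-in, the sample clock reply, counting y in characters and showing extracted characters as ordinary hex digits are all assumptions made for the illustration.

```python
import re

def funny_value(ch):
    """Value of one 'funny hex' character: char code minus 48, so 'D' -> 20."""
    val = ord(ch) - 48
    if val < 0:
        raise ValueError(f"{ch!r} sorts below '0' and cannot encode a value")
    return val

def render(chars):
    """Show extracted characters as ordinary hex digits (assumed display form)."""
    out = []
    for ch in chars:
        val = funny_value(ch)
        out.append("0123456789ABCDEF"[val] if val < 16 else f"[{val}]")
    return "".join(out)

PLACEHOLDER = re.compile(r"%h(.)(\d)")

def expand(text, frame):
    """Replace each %hxy with y characters read from position x of the frame.

    x is itself a funny-hex character and counts from 0 with the two sync
    characters included, as the notes describe. Counting y in characters is
    an assumption taken from the Real Time Clock entry.
    """
    def substitute(match):
        start, count = funny_value(match.group(1)), int(match.group(2))
        piece = frame[start:start + count]
        return render(piece) if len(piece) == count else "<short packet>"
    return PLACEHOLDER.sub(substitute, text)

def match_response(table, frame, sync_len=2):
    """Return the text of the first entry whose packet prefixes the payload."""
    payload = frame[sync_len:]            # sync,sync is never part of the table
    for packet, text in table:            # file order matters: first match wins
        if payload.startswith(packet):
            return expand(text, frame)
    return None

# Entries copied from the response list on this page, in file order.
TABLE = [
    ("1010", "CTS low"),
    ("1011", "CTS high"),
    ("K0G0", "MCNS Status (Locked)"),
    ("K0", "MCNS Status"),                # catch-all after the specific entry
    ("H0:", "Real Time Clock Read (Day%h;4 %h91%h:1:%h71%h81:%h51%h61)"),
]

SYNC = "~~"                               # constructed stand-in for sync,sync
CLOCK_FRAME = SYNC + "H0:" + "3045120003"  # constructed sample reply

if __name__ == "__main__":
    for frame in (SYNC + "1011", SYNC + "K0G0", SYNC + "K0A1", CLOCK_FRAME):
        print(frame, "->", match_response(TABLE, frame))
```

Swapping the K0 and K0G0 entries makes the catch-all shadow the specific one, which is why the list puts fully decoded packets first.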

How to Convert Your IRD # and Other Numbers to Hex

You will need to know how to convert your IRD# to hex for several reasons: TSOP editing, programming plastic, and similar reasons. It may sound complicated but it is not.

First a word of caution:

DO NOT EVER GIVE YOUR IRD# OR BOXKEYS TO SOMEONE YOU DO NOT KNOW!!!!!!!!!

Getting started:

Your ird# can be found by looking on the back of the receiver. It is on the white sticker and looks similar to R0012345678-10. You can also find it on the ird’s system information screen.

Step 1

Open Windows Calculator.

You should get this. Make sure Dec is selected.

Step 2

Look at the ird#.

You need to enter the numbers between R00 and the -.

Example: R0012345678-10. Just input the red highlighted numbers (12345678 in this example).

Step 3

Click the Hex button.

In this example you get the hex equivalent of BC614E.

Step 4

Since ird#’s have to be 4 bytes (8 digits) long and this is only 3 bytes (6 digits) long what do we do now?

Well this is where it gets complicated


Example>>>00BC614E<<<.

This is the hex equivalent you will use.

Another example:

If the result is 2B4DC46, this is only 7 digits, so you must add a 0 to the beginning, making it 02B4DC46.

Finish

You can convert other numbers in the same way. Use this for all your conversion needs.

Just remember if the converted number is too short add 0’s (that is zeros) to the front until it is long enough.

That’s it. You are done.

You are now an expert and can tell others how to do it.

Card and Pic Programmers

Elvis multi-programmer

Elvis Card/Pic Programmer

This can be used to read a ROM 10 card but it may not write to it. However, it will write to a fun card using the information you get from reading the ROM card. Tip provided by JPM646

The Elvis programmer can also be used to programme the hex pic chips for Analogue Cable boxes. The chips are usually 12C509 pics.

The Elvis programmer usually has a 3.58 MHz crystal but some versions are dual functional.

The superb Elvis Multi-Programmer 3.5 from Ad-Teknik will program all the funcards, gold cards and silver with no special loader.

The Elvis is fully software controlled, 9V battery powered, has an External PSU socket and software.

Average price is £45.00+VAT and Postage costs.

The Clanzer Minisdk

Clanzer's miniSDK can read ROM 10s as well as read and write all versions of the funcards.

The Zeus Programmer

The Zeus will programme the fun cards and read the ROM cards.

It is a very popular and reasonably priced card programmer.

Phoenix Smartmouse

Phoenix/Smartmouse

Connects to a PC through a serial port, and is used for communicating with a smartcard / funcard.

About Digital Decoder ROM Cards

The cards which come with the Digital Decoder box (or are married to the box) are called ROM cards. There are different versions of the ROM cards.

UK suppliers, namely NTL and TeleWest, support Rom7, Rom10 and Rom11 cards. "ROM" is the type of card you will have if you own a digital decoder which has been supplied by either of these.

The ROM cards are pre-encoded by the manufacturers using software provided by NagraVision. You can see this on the rear of the ROM card.

To edit the card, a software package is available called Nagra edit. This is not provided by NagraVision but is generally available through Internet Discussion Forums.


At the time of writing nagra edit software only supports Rom10 cards. Rom11 is newer and currently is not supported. Rom10 is the only card which can be MOSC'D (modified) to receive all channels.

Most modern boxes will have Rom11 cards which cannot be MOSC'D (modified) but the box key can be copied from the ROM11 and used in a ROM10 card.

Use of a computer, card programmer and nagra edit software will tell you the ROM version of a card. This information is very useful before thinking of making any modifications to the digital decoder.

Important Note:

Always take a back-up copy of your ROM Card before attempting any modifications. This can be done by using Nagra edit to back-up the card.


Know Your Cards

The card is known as the CAM – Conditional Access Module. Also called the Smartcard. This card can be removed from the IRD and interacts with the signal emitted by the satellite or cable system and in return allows the IRD to be programmed.

If you do not understand a technical term or expression, use the glossary to find out what it means.

There are different types of CAMs:

ROM2:

This type of card (relatively old) can be reprogrammed in an ISO programmer to receive every channel without the use of an AVR or Atmega board.

ROM3:

This card replaced the ROM2 for security reasons.

It was also reprogrammable in the same way as the ROM2 due to a malfunction called a “back-door”.

These were locked by an ECM in July 2001. The ROM3 cards which were not affected by this ECM are called “open” and can be reprogrammed.

It is possible to “reopen” a card that has been closed by the ECM but usually dealers and experts do this at great cost.

ROM7:

Model used exclusively by BEV which can not be easily reprogrammed.

ROM10:

Used to replace ROM3 and ROM7.

This card can be reprogrammed using Nagra-Edit Software and a card programmer.

At the time of writing the ROM 10 cards are being targeted by the Cable Companies and "zapped" so they cannot be rewritten. This changes the backdoor keys and renders them useless.

ROM 11:


These are programmable yet you can read the details off them and programme a fun card with the information.

Funcards

These are ROM card emulators (i.e. they are manufactured to contain the same functionality) and can be programmed with the data from any ROM card.

At the time of writing the ROM 10 cards are being targeted by the Cable Companies and "zapped" so they cannot be rewritten. This changes the backdoor keys and renders them useless.

In comparison, the fun cards are not prone to this zapping and work with all pay per view channels unlocked. The current most suitable funcard version will be type 3 or 4. The Elvis card programmer will work for programming the funcards.

Where to purchase the Funcards:

http://www.dragonalfa.co.uk http://interesting-devices.com/ http://www.rom10.co.uk

To determine which type of card you have using software:

Launch Nagra Edit software, place the card in the card programmer and load up the card data. It should tell you the card version and ROM type.

To determine which type of card you have on a satellite:

• Put the CAM in the receiver and power on;

• On the remote hit SysInfo;

You will see a window with this information:

MODEL ID: 2700 (or the one you have)
RECEIVER CA ID: R00xxxxxxxx-xx
SMARTCARD CA ID: S0xxxxxxxx-xx
(Card ROM version) => DNASP003 Rev xxx <= software version

DNASP003 represents a ROM3 card type A2012 or 288-02; these are programmable (if they were not hit by the ECM of July 2001) or can be fixed.

DNASP002 represents a ROM2 card type – 288-01. This card is programmable

DNASP010 represents a ROM10 card type. This card is not easily programmable and can not be fixed.

How to tell if your card is marked

Your smartcard (CAM) may be marked. This is important to know because there are separate blockers for marked cards which must be used.

Marked smartcards can be a target for ECM's so these specially designed blockers protect the smartcard.

Also if your smartcard is marked, the MAP of the smartcard is disabled. This portion of the card is needed to do math operations in decryption processes. These blockers also re-enable the MAP, so it is important to know if your card is marked or not.

Marking usually happens if you try to dump a locked card. Or if you open a locked card at home using the various freeware applications available.

Instructions:

Load up the NagraEdit Software.

Load the card image from backup using the File > Open Card Image option (CTRL + O), or read the card using the Card > Read Card option (CTRL + R).

Switch to the EEPROM Editor.

Our first area of interest is circled in red.

E007: Can be anything here other than FF. (If it says FF it is marked)

This marking is caused by trying to dump a locked card or when a card has been looped by an ECM.

You will need to use a blocker for marked cards, called either a "E007 fix" or a "MAP fix".

Our second area of interest is {00000000000000000000} marked in red.

Range E010 to E01F: Are all 00's

If anything is here other than 00's then the card is marked. This marking is usually caused by opening locked cards at home.

You will NOT need to use a blocker for marked cards, since no ECM as of yet targets this range.


Tampering with cable boxes to receive Pay TV signals without paying for them is illegal in most countries. The information here should be used for test purposes only.

Know your ROM3a from your ROM3b

When applying a blocker/E3M for Dish Network, it is important to determine whether you have a ROM3a or ROM3b card. While they are identical on the outside, there are several key differences in the data stored in the card. This guide will show you how to tell which type of card you have.

Instructions:

Load up NagraEdit

Load the card image from backup using File

or

read the card using the Card

Switch to the EEPROM Editor

Our first area of interest is circled in red: E4E0.

If this location contains "06", then you have a ROM3a card.

If the area circled in blue: E4E7 contains "06", then you have a ROM3b card.

Here are some other differences between ROM3a and ROM3b cards:

ROM3a
Offset   Data
$E4E0    $06
$E508    Decrypt Key 0
$E510    Decrypt Key 1
$E4E4    Third CAM ID
$E4FC    Blackout Bit Map
