Wednesday, February 2, 2011

Analogue Cable back in the day

It's been a while since Sta*hub disconnected the analogue cable service here in my home country, so I've decided to post all the knowledge I garnered back in the day (circa 2004). Juicy details below.

Back in 2004 a friend of mine passed me a very cool-looking China-made 'cube' that, once plugged in between your cable set-top box and the cable point (and after you entered your cable box's serial number), would unlock every channel available here. I borrowed it for a couple of days to figure out how the heck it worked.

I didn't take pictures, but internally the box housed some RF electronics, and the brains behind everything was a small 8-bit microcontroller. Attempts to dump the microcontroller's firmware weren't successful (it was code-protected), so I decided to investigate whether I could replicate its functions instead.

I tore open the cable set-top box (a General Instrument CFT2200) and started probing all over the board with an oscilloscope to see if I could spot anything interesting; I probably should've just googled the processor first (it might have been a custom part, I can't remember). Anyway, wire link 55 (W55) on my board had something cool going on.

I borrowed a digital storage scope (from a friendly lab tech) to get a better look; back then DSOs weren't so affordable. W55 carried Manchester-encoded data: an educated guess from the constant stream of high and low levels, since Manchester coding puts a transition in the middle of every bit cell, so the line never rests at one level for longer than one bit period. At this point I still wasn't sure whether the payload was encrypted or merely scrambled. So I went ahead and built a simple interface that decodes the Manchester stream and pumps out plain serial data to a PC.

Around this time I found a very cool discussion forum whose members had experience with earlier-generation hardware and had worked out the 'instruction set' GI/Jerrold used for their set-top boxes. Logging and viewing the serial data coming in from the set-top box (still hooked up to the cable system) verified three things: the converter was working, the stream on W55 wasn't encrypted, and GI/Jerrold hadn't changed the instruction set or the authorization commands.

I then logged about a night's worth of data (left the thing running) and sorted through it later in MS Excel. Here's a sample grab. A whole night was probably overkill; I had some trouble later sifting through the data for the right authorization and init commands to 'initialise' my cable box.

After sifting through the data, I picked an ESN (electronic serial number) at random to assign to the box, along with the proper site codes, channel maps and mode keys.

Next I cut the wire link (W55), which isolates the box's MCU from the operator's downstream data, and programmed a small microcontroller to inject a string of the right initialization + authorization commands straight into the set-top box's MCU, then keep generating data into the box after it was initialized. This effectively means you no longer need the operator's data (other than for the time of day), and since the box never sees the operator's commands again, it also prevents the operator from disconnecting or shutting down your set-top box.
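As an added example, not the original converter or injector firmware (neither was ever posted): the encode/decode logic that the PC-side W55 converter and the injecting microcontroller described above each need, in Python. It assumes the IEEE 802.3 Manchester convention (a 0 bit is high-then-low, a 1 bit low-then-high; pass invert=True for the opposite G.E. Thomas convention), MSB-first bytes, and a scope capture whose sample clock is an exact integer multiple of the half-bit rate. The function names and the sample capture are mine, constructed for the example, and nothing here reflects the GI/Jerrold command set, which is not on this page.

```python
"""Manchester encode/decode for a sampled serial link (added example).

Assumptions (not from the original post): IEEE 802.3 convention, where a 0 bit
is sent as high-then-low and a 1 bit as low-then-high; bytes go MSB first.
Pass invert=True for the opposite (G.E. Thomas) convention.
"""
from typing import List, Sequence, Tuple


def _symbols(invert: bool) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Half-bit level pairs for a 0 bit and a 1 bit under the chosen convention."""
    zero, one = (1, 0), (0, 1)
    return (one, zero) if invert else (zero, one)


def manchester_encode(data: bytes, invert: bool = False) -> List[int]:
    """Return the line levels (two per bit) an injector would clock out for data."""
    zero, one = _symbols(invert)
    levels: List[int] = []
    for byte in data:
        for i in range(7, -1, -1):           # MSB first
            levels.extend(one if (byte >> i) & 1 else zero)
    return levels


def manchester_decode(levels: Sequence[int], invert: bool = False) -> bytes:
    """Turn an aligned half-bit level stream back into bytes.

    Raises ValueError on a half-bit pair with no mid-bit transition (line
    noise, a dropped sample, or simply the wrong alignment). Trailing bits
    that do not make up a whole byte are discarded.
    """
    zero, one = _symbols(invert)
    bits: List[int] = []
    for i in range(0, len(levels) - 1, 2):
        pair = (levels[i], levels[i + 1])
        if pair == zero:
            bits.append(0)
        elif pair == one:
            bits.append(1)
        else:
            raise ValueError(f"no mid-bit transition at half-bit {i}: {pair}")
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def find_alignment(levels: Sequence[int], invert: bool = False) -> int:
    """Return the half-bit offset (0 or 1) at which every pair carries a transition.

    A capture starts at an arbitrary point, so the decoder has to work out
    which half-bit opens a bit cell. The wrong offset only looks valid when
    every bit in the capture is identical (10 10 10 shifted reads as 01 01 01),
    which is why real links carry a sync word; any mixed data resolves it.
    """
    zero, one = _symbols(invert)
    for offset in (0, 1):
        body = levels[offset:]
        body = body[:len(body) - len(body) % 2]
        pairs = [(body[i], body[i + 1]) for i in range(0, len(body), 2)]
        if pairs and all(p in (zero, one) for p in pairs):
            return offset
    raise ValueError("no valid Manchester alignment found")


def oversample(levels: Sequence[int], samples_per_half_bit: int) -> List[int]:
    """Stretch a level stream the way a scope would see it (used to build test input)."""
    return [lvl for lvl in levels for _ in range(samples_per_half_bit)]


def resample(scope: Sequence[int], samples_per_half_bit: int) -> List[int]:
    """Collapse an oversampled capture to one level per half-bit via the centre sample.

    Assumes the sample clock is an exact multiple of the half-bit rate; a real
    capture with clock drift needs edge-based clock recovery, which is out of scope.
    """
    mid = samples_per_half_bit // 2
    count = len(scope) // samples_per_half_bit
    return [scope[i * samples_per_half_bit + mid] for i in range(count)]


def decode_capture(scope: Sequence[int], samples_per_half_bit: int,
                   invert: bool = False) -> bytes:
    """What the W55 converter has to do: resample, align, then decode."""
    levels = resample(scope, samples_per_half_bit)
    return manchester_decode(levels[find_alignment(levels, invert):], invert)


if __name__ == "__main__":
    # Constructed sample: a four-byte payload clocked out at 4 samples per
    # half-bit, preceded by one half-bit of idle-high line.
    payload = b"\xa5\x3c\x00\xff"
    capture = [1] * 4 + oversample(manchester_encode(payload), 4)
    print(decode_capture(capture, 4))
```

The injector side is manchester_encode clocked out on a pin; the converter side is decode_capture. The ValueError on a missing mid-bit transition is the check worth keeping in a real converter, since a clean Manchester stream never produces one and a burst of them is how you notice the probe has slipped or the sample clock has drifted.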

The beauty of this setup is that it becomes difficult, if not impossible, for the operator to detect on their end that you're doing this; until, of course, you try it on a subscriber's box and then try to return the unit (they'll know if you've tampered with it).

Don't ask me for the specific channel maps and init commands I used; the methodology is already posted here, and since analogue cable is pretty much dead, the maps are all but a piece of history now. Hopefully this post doesn't get me into trouble with the local authorities LOL.
