💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › CABLE › ct_cpir1.txt captured on 2022-07-17 at 01:53:43.
⬅️ Previous capture (2022-06-12)
-=-=-=-=-=-=-
. + . _______ ____ ________ ___ _______ _____/| + / __ // \ / ______\ / / / __ // ____! / /_ \// /\ \\ \ ___ / / / /_ \// /___ / __/ / / \ \\ \ \ \/ / / __/ \____ \ \ \__/\\ \ / / \ \/ /\__\___\ \__/\.____/ / ' * \_____/ \__\/ / \____/ \__/ \_____/| _____/ | /__/ . / _ / |/ - --+- - USR HST Dual Standard 14400 / / \/ 285 Megs : | _____________________ / \ ______________________ . . \__ __ _ _ \_/ \_/ _ _ __ __/ : \___ __ _ _ Sysop: Zaphod Beeblebrox _ _ __ ___/ | \___ __ _ _ Control Team EHQ _ _ __ ___/ ---+--- - \___________ ICS SHQ ___________/ | \___ : ___/ : +46-18-262804 \ | / 24 Hours/Day. ' . * \ | / . .______ _____/ | \___/|___________ | _ \ / _/ __|__ \__! ______ / ' | | \ \/ /_\| / /|/_ \/ | | \/ | | \ \ _/ ' \___' \ | | + | | / / \__/\____/ / | | !__! /__/\______| _____/ !__! |/ : File: CT_CPIR1.TXT (Version 1.00). ---------------------------------- Control Team Scandinavia Brings you: Cable Scrambling Systems - All you wanted to know about them, but were afraid to ask the Cable Co. How they work and how to defeat their security and get pay-channels for free. Part I: Salora Cable Descramblers SAHT 1006 Type 4256 and SAHT 2000 Type 4270 ============================================================================= The Salora Cable Descrambler is the most common one in Sweden and the other Scandinavian countries. It's manufactured by Salora/Luxor, probably either in Sweden or Finland. This is probably one of the more advanced descramblers currently in use, and the scrambling method is one out of four possible ones listed below. The audio signal is always left untouched (At least it appears to be that way!!!). This textfile will concentrate on the Mark 1 Saloras, but some of this will also be true for the Mark 2's: 1. Supressed HSYNC pulses only 2. Supressed HSYNC pulses and inverted video signal. 3. Normal Picture, inverted video signal. 4. A variation of all the above srambling techniques, for example they can send every second picture unscrambled and inverted, and then send a scrambled picture that is not inverted. Most pirate descramblers are not fast enough to detect whether they use this scrambling technique or not!!!! This is enough about how they scramble the channels for now, let us concentrate on how the descrambler works, and how to defeat it. Hacking Salora Mark 1 Cable Descramblers: ========================================= First, we start with the standard Mark 1 Salora Cable Descrambler box: It's a grey box, about the size of a HST, but about double the height. On the front there is five pushbuttons, one for On/Off, Channel Step forward, Channel Step Backward and then two switches concerning shifting between your in-memory pre-programmed channels and the decoders hyperband channels. On thr right of the box you have a key-lock that can lock the hyperband feature of the box, so you can only watch the first 20 channels (Those you programmed in the box via your remote control). On the back of the box you have the usual RF in and RF out for the antenna wires from the cablenet, and then Test Signal and Antenna amplifier On/Off. And of course, on the front you also have a few leds indicating if you're in hyperband or normal mode, and a two-digit led display showing the current channel you're watching (Just the channel number, no fancy text or anything...). About opening the box: You're on your own now, most boxes that you rent nowadays have some platic seals in the two bottom screw-holes, and the cable company tends to get highly pissed-off if they find their seals are not in place when you return your rented box. Although, I have looked at the contract you sign when you get the box, and it doesn't say anywhere that you are not allowed to open it, but in the manual it says the box will stop working if you open it, and that you are not allowed to do that. It will *NOT* stop working if you open it. I did that to a box we rented a long time ago, and it worked when I put it back together, but sad enough that was before I knew what to do with cable boxes to get free channels... Yak-Yak!!! But on the seals that are right over the first two bottom screws are some kind of tracks that could be for a very large screwdrives, one who has almost the same diameter as the hole it resides in, so maybe there is a way to remove the seal without damaging it. Or, even better, get a descrambler they don't know you have, then you can fuck around with it as much as you like. When you have opened the box, start with removing the large daughterboard to the left, and put it aside. Do not unplug the leads between the main circuitboard and the daughterboard, they will just be alot of trouble getting them back in the right places. Now, locate IC13 and IC15, they should be down to the left corner of the main PCB. They are very often covered with molten glue, which we will have to remove first. Don't worry, just use a knife, but be carefull not to damage the CPU or the ID Prom, since they are the only circuits in the descrambler you cannot buy at an electronics part store. The CPU is custom made for Salora, and the ID prom has to be saved for when you are going to return your cable-box. After you have removed all of the molten glue, remove the screws that hold the main PCB and remove the main PCB from the box, then desolder IC15 and put a 16 pin socket where it was. (Use a good socket, not the low-budget ones they sell for .01 cents a piece!!!). Check which pin of IC15 the circuit trace from Pin 11 of IC13 goes to. This is the data bit of the prom containing your ID number that they decided to use on your box. The ID prom is normally a 54S287 or N82S129 (256*4 Bits Bipolar PROM, 50 ns). Inside the bipolar prom, only one of the four bits available are used. In the first 32 bit segment your ID number is stored, and in segment 3 Saloras Service address, which is 1024 is always stored. The decoders address is in fact only 20 bits, but what's the other 12 bits then?? Well, they there just to make life hard for us. For example if you should have ID #042424 it will be $A5B8 and in binary it will be %00001010010110111000. This is then shifted right 11 times (Or let us for simplicity use a multiplication with 2^11. 42424*(2^11)=86884352, $52DC000, and binary %00000101001011011100000000000000. This ID number is then OR:ed with the check: %10000000000000000000010001001101 and finally we get the bitstream which the decoder CPU will read from the ID Prom. So, now we do know what we should encode into the ID prom, now the only problem is where to obtain valid decoder id numbers and how to program them onto the bipolar prom... Wait a second... Doesn't the sticker on the back of the box look very similar to the numbers I read from my ID prom?? Fuckin'A dude... The decoders ID number is almost always written on a sticker on the back/under the decoder. There are two stickers, one with only 6-8 digits on it, and one with both letters and digits on it. You are only interested in the one with digits-only!!! That is the number to process with the above method and program into a prom for the decoder. Bipolar proms are a bit of a pain to program, so I have included some pictures explaining how to use a standard 2764 Eprom (Yeah, I know, it's 10000 times too big, but it's easier to program one of those, right???), and how to build a 32 bit multiplexer circuit; In other words, build your own 32 bit eprom, but this one is programmed with 32 DIP switches which you flip low or high manually when you need to change ID number on your box. I have tested both designs on my own box, and they work very good. However the multiplexer is much more complex to build, so I only recommend that one for the serious hardware wizards!!! Oh yes, it's usually bit 3 or 4 on the bipolar prom that are used to send data to the CPU, that is, pins 10 and 9 on IC15. Switching between the normal address and the service address is done by cutting or closing J64 which is a jumper between VCC and A6 on IC15. A6 is otherwise grounded via a 220 Ohm resistor. (See the diagram over the Salora address pinout. This one was made by Lord Canis, and some of the information in this text as well as the original Salora Address Creator v2.0 for Pc and comaptibles were also programmed by Lord Canis and Electronic Power. I do not know any of them, but I feel that I have to credit them for their work, if it hadn't been for them I would never have started hacking cable descramblers at all, and this file would never have been written!!!! But I felt that I had to write some more-precise descriptions on how to hack the Saloras, and how they work, and most important of all: How to use other circuits instead of the hard to program bipolar proms. I will also include an Atari ST compatible conversion of the Salora Address creator, but the ST version will support 8 bit address proms, since using a 2764 eprom will give you 8 databits, and that is 8 ID numbers for each address. You'll understand what I am talking about if you know anything about memory chips. Have a look at the pictures supplied in this archive for schematics for build -ing the 2764 Eprom adaptor and the address creator multiplexer mentioned a bit earlier in this text. Anyway, as an example, here's the dump-files from a Salora decoder....... Binary Dump of Salora Decoder Prom #88768 (Old Salora Decoder). =============================================================== 10011111111111111111111111111111 11111111111111111111111111111111 10111111111111111111111111111111 11111000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 10000000000000000000000000000000 00000000000000000000000000000000 10000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 10000000000000000000000000000000 00000000000000000000000000000000 10000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 10001010110101100000010001001101 = 88768 = $15AC0 00000000000000000000000000000000 10000000001000000000000000000000 = 1024 = $400 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 When you look at this dump, you will recognize that the old Salora decoders only have one address burned on the pro except for the service address. The original decoder address is always programmed in bit 3 or 4 at the first 32 bit segment. The service address is always at bit 3 or 4 at the third 32 bit The old Salora is the easiest one to hack...... Now we will have a look at the rom from a new Salora NT:....Binary ump of Salora NT Decoder Prom #134076 - B228010 (Salora NT). ==================================================================== 10011111111111111111111111111111 10011111111111111111111111111111 10011111111111111111111111111111 10011111111111111111111111111111 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 10000000000000000000000000000000 10000000000000000000000000000000 10000000000000000000000000000000 10000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 10011010111101110100110001001101 = 220905 = $35EE9 00000000000000000000000000000000 10000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 10000000001000000000010000000000 = 1024 = $400 00000000000000000000000000000000 10010000010111011110010001001101 = 134076 = $20BBC 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 What can we say about the prom dump of the Salora NT decoder you see above??? Well, bits 1 and 2 are always the same on all of the Salora NT's I have dumped the proms from. And in fact they are not even connected to anything at all if you have a look inside the LF0101 VLSI module. Bit 4 contains the service addr in the first 32 bit segment, and the actual cable ID in the second 32 bit segment. The rest of bit 4 is unused. In bit 3 the first segment appears to be connected to the CPU in the VLSI module, as far as I can see, and the first 32 bit segment is the only part that is in use in bit 3. This might or might not be anything important, I am not 100% sure, since I have *NOT* successfully hacked one of these new babies.... Either it's a checksum of bit 4 segment 2, or it might be a value that is also programmed in the main CPU, to make it impossible to replace the ID prom without reading off the checksum from it first. That means you have to build yourself a read-device for bipolar proms (This is not too hard, but the average lamer would probably end up destroying both the decoder and the computer he tried to read the prom with!!!). To desolder the prom is out of the question, since it's a surface mounted PLCC device, which resides inside the LF0101 VLSI module. To reach the prom, you have to open up the VLSI module, and melt a bit of the glue they used to hide all of the goodies inside it.... I have successfully hacked one of these new decoders now, and to hack it, you do like this: Remove the top black cover of LF0101, and you'll see a small black chip beneath the molten glue. Remove all of the molten glue around that chip, which is the 74S287 (256*4 Bit PROM), and solder wire wrap wires from address pins VCC,GND,A0,A1,A2,A3,A4 to your pirate prom. Cut the leg that is marked as D4 between the circuitboard and where it enters the 20 pin PLCC module, and connect D4 from the pirate prom to the end that is going to the circuitboard. (See picture schematics). First we have the pinconfig of both the PLCC 74S287 and the DIL N82S129 chips: V C C V C A E E D D D D A 6 N C A C 7 1 2 1 2 3 4 5 A C C 7 | | | | | | | | | | | | | ----------------- /---------- | | A4-| |-CE1 \ N82S129 | A3-| 74S287 |-CE2 / | A0-| |-D1 | | A1-| |-NC ----------------- A2-| |-D2 | | | | | | | | ----------- A A A A A A A G | | | | | 6 5 4 3 0 1 2 N N G N D D D C N C 4 3 D Legend: ------- "+" = Wires joined here. The two wires are connected with each other. "=" = Wires cross each other here. *NOT* connected in any way at all!!! "!" or "-" = This is a wire connecting two points in the circuit. Schematics for connecting pirate PROM in Salora NT "SAHT 2000 Type 4270". ========================================================================= Note #1: This leg must be cut off in some fashion as close to the body of the PLCC chip. The lead from the pirate prom or address creator must be connected to the part of the chip leg that goes down to the circuitboard, and *NOT* to the end which goes in to the chip's body.... +-------------------------------------------+ | +-+-+----------+ | | | | | | | | | | | +--=--------------------------=-------+ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ----------------- | /---------- | | | | +---------| |- | \ N82S129 | | | +-------| 74S287 |- | / (256*4) | | | | +-----| 256*4 |- | | | | | | | +---| |- | ----------------- | | | | | +-| |- | | | | | | | | | | | | | | | ----------- | | | | | | | | +--+ | | | | | | | | | | | +-+-=-=-=-=-=-+ | | | | | | | | | | | | | +------------=-=-=-=-=----+ | | | | | | | | | | | | +-------+ <-- See Note #1 | | | | +--------------=-=-=-=-+ | | | | | | | | | | | +----------------=-=-=-+ | | | | | | | | +------------------=-=-+ | | | | | +--------------------+ | | | +------------------------+ This is how to connect a normal bipolar Signetics N82S129 256*4 Bit bipolar prom to one of the new SAHT 2000 Type 4270 decoders. For the older types, just plug in the bipolar prom in the spot marked for IC15 in the decoder. They use bit 3 or 4 for the descrmabler address, and you can program one address at segment 0 and another one at segment 3 of the bit used. To find out which bit they use, get an ohm meter and check the connection between Pin 11 of IC13 and pins 9 (Bit 4) and 10 (Bit 3) of IC15. The one that reads close to 0 ohms is the one in use. If you do not have access to the equipment needed for prog- -ramming bipolar memory devices, use the schematics below, which describes how to use a standard 2764 eprom instead of a bipolar memory. The eprom thing has been tested and works fine in the old SAHT 1006 - 4256 decoders, but I have not at todays date tested it on the new SAHT 2000 - 4270 modells... Pinconfig of the 2764 Eprom Chip: ================================= V P A A C G N A A 1 O 1 C D D D D D C M C 8 9 1 E 0 E 7 6 5 4 3 | | | | | | | | | | | | | | ----------------------------- | | | | \ 2764 EPROM CHIP | / | | | | | ----------------------------- | | | | | | | | | | | | | | V A A A A A A A A A D D D G P 1 7 6 5 4 3 2 1 0 0 1 2 N P 2 D How to Connect the 2764 Eprom Chip instead of the bipolar prom chip: ==================================================================== +------------------------------------+ | +-----------------------------+ | | | +--=--=-+-------------------+ | | | | | | | +---+-+ | | | | | | | | | +-+-+-+-+-+-+ | | | +-+-+ +---+ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ----------------------------- | | ----------------- | | | | | | | | | | | | | | | | \ N82S129 | | | | \ 2764 EPROM CHIP | | | / (256*4) | | | | / | | | | | | | | | | | | ----------------- | | | | | | | | | | | | | | | | | | ----------------------------- | | | | | | | | | | | | | | | | | | | | | | | | | | | +--=--=-+ | | | | | +---=---+ | | +-+-+ | | | | | | | | | | | | | | | | | +---+ | | | | | | | | | | | | | | | | | | | | | | | | | | +-------+--=-=-=-=-=-=-=-+ | | | | | | | | | | | | | | | | | | | | | | | | +-----=----------=---=-=-=-=-=-----+ | | | | | | | | | | | | | | | | | | +-=-=-------=----------=---=-=-=-=-+ | | | | | | | | | | | | | | | | +-=-------=----------=---=-=-=-+ | | | | | | | | | | | | | | +-------=----------=---=-=-+ | | | | | | | | | | | +-------------=----------=---=-+ | | | | | | | | +---------------=----------=---+ | | | | +-----=-----------------+ | | | +----------------------------+ Do remember that the decoder ID's are stored binary in the prom, but they are stored serially; one bit at each address. Since a 2764 is 8 bits wide, you can store 8 decoder ID's at segment 1 and another 8 at segment 3. (With the prom hooked up like this, segment 3 really is segment 2 of the 2764...). You choose which segment you wanna use with jumper J64 on the old Salora SAHT 1006 - 4256 and jumper Q201 on the new Salora SAHT 2000 - 4270's.... Salora Decoder 32 Bit Address Multiplexer - Construction Plans: =============================================================== The idea behind the 32 Bit address multiplexer for the Salora decoders is quite easy and straightforward. I use two 74150 1-of-16 multiplexers, whose outputs are fed into one 74LS157 1-of-2 multiplexer. Then, the highest address bit selects which of the two 16 bit multiplexors that the bit should be read from. If this sounds complicated to you, do not worry, it is!!! Just follow my plans and everything will be just fine. The idea is to set the address by using four 8 bit hex switches connected to the two 16 bit multiplexers. So multiplexer #1 will deliver the high 16 bits, and multiplexer #2 the low 16 bits. Just look at the schematic below..... For the construction of the multiplexer you will require: * Two 74150 (1-of-16 multiplexer) * One 74LS157 (1-of-2 multiplexer) * Four 8 bit hex switches (You know, DIL packagem switches) * Four 10kOhm*8 Resistorpacks * Two 24 Pin Sockets * One 16 Pin Socket * One Piece of Experiment Circuitboard * One 16 Pin thingy to connect the Circuitboard to the socket on the circuitboard inside the Salora decoder. Now for the construction plans. We'll start out with the pin configurations of the 74150 and the 74LS157: O O V _ U U C C 4 4 T 3 3 T C E A B 4 A B 3 | | | | | | | | ----------------- | | \ 74LS157 | / | | | ----------------- | | | | | | | | S 1 1 O 2 2 O G E A B U A B U N L T T D 1 2 V " " " C 1 1 1 1 1 1 1 2 4 C 8 9 0 1 2 3 4 5 " " " | | | | | | | | | | | | ------------------------- | | | | \ 74150 | / | | | | | ------------------------- | | | | | | | | | | | | 7 6 5 4 3 2 1 0 _ O " G C U 8 N E T " D This was the pinconfigurations of the two IC's involved in this project. Now onto the actual construction of it... NOTE: If you are gound to make a version that fits directly in the socket of the Saloras ID prom holder, make sure you check for how much space you have in the decoder to put this little gizmo on before you build it. I have tried it, and it works fine, but I carefully designed mine to fit in the space I know is available...... VCC GND * * | | +--------------------=----------------+ | | | | Bits 8-15 | | Bits 16-31 | | | | +-+-+-+-+-+-+-+----------------=--+-------+-+-+-+-+-+-+-+ | | | | | | | | | | | | | | | | | | | | ----------------- | | ----------------- | |# # # # # # # #| | | |# # # # # # # #| | ----------------- | | ----------------- | | | | | | | | | | | | | | | | | | | | ------------------ | | ----------------- | % 10kOhm*8 Pack % +----------+ | | % 10kOhm*8 Pack % +----------+ | ------------------ | +------+ | | | ----------------- | +------+ | | | | | | | | | | | | | +--+ | | | | | | | | | | | | | | | +--+ | | +----+ | | | | | | | | | | | | | | +--=-+---+ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ------------------------- | | | | | ------------------------- | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | \ 74150 | | | | | | \ 74150 | | | | | / Multiplexer #1 | | | | | | / Multiplexer #2 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ------------------------- | | | | | ------------------------- | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +--+ | | | | | | | | | | | | | | | | +-+ | | | | | | | | | | | | | | | | | | | | | | | | | | | | +--=-=-=------+ | | | | | | | | | | | | | | | | | ----------------- | | | | | | | | ----------------- | | | | | | | | % 10kOhm*8 Pack % +-=-=-+ | | | | % 10kOhm*8 Pack % +-=-=-+ | | | | ----------------- | | | | | | ----------------- | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ----------------- | | | | | | ----------------- | | | | | | | |# # # # # # # #| | | | | | | |# # # # # # # #| | | | | | | | ----------------- | | | | | | ----------------- | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +-+-+-+-+-+-+-+-+-=-=----=-=-=------+-----+-+-+-+-+-+-+-+-+-=-=-+ | | | | | | | | | | | | | | | | | +-=-=------------------------+-----=-=----+ | | | | | | | | | | | | +-------------------+ | | +-=---------------------+--=-----=-=------+ | | | | | | | | | | | | +--------------+--=--=-+ +------------------+--=--=-----=-=--------+ | | | | | | | | | | | | | | | | +---------------------------=--=--=-----=-+ | | | | | | | | | | | | | | | | | | | | +---------------------------=--=--=--+--+ ----------------- | | | | | | | | | | +--=--=-=-------------+----------+ | | | | \ 74LS157 | | | | | | BITS! | | | | | / | | | | | | / | | \ | | | | | | | | +--=-=-------+ +-+ * * * * | | | | | ----------------- | | | | | | | | | | | | | | | | | | | | | | | | | | | ----------------- | | | | | | | | | +--+ | | | 1 2 3 4| | | | | | | | +-=----------------+ | \ EPROM | | | | | | | | | | / SOCKET | | | | | | | +---=------------------+ | | | | | | | | | ----------------- | | | | | | * | | | | | | | | | | | | | | BIT | | | | | +--+ | | | | +------------------------------------+ | | | | | | | | | | | +-------+ | | | | | | | | | | | +------------+ | | | | | | | +-----------------+ | | | +----------------------+ Connect a jumper-wire between the BIT output and *ONE* of the BIT inputs, dep- ending on which of the four bits that is used in you descrambler, check by looking at IC13 and see where the circuitboard trace from PIN 11 goes. Should be pin 9 or 10 (Bit 4 or Bit 3) of the PROM. Solder a socket in the place of the prom, build the address creator according to the ASCII picture above, and set the switches to a working decoder ID number and there you have it working fine!!! Good luck to all ye cable pirates!!!!!! Zaphod Beeblebrox of ICS and Control Team Scandinavia. This has been a Beeblebrox Industries Unlimited Production '93. P.S: This is only for information purposes, and if *YOU* screw with a cable descrambler which you have rented from the cable company, it's entirely your own problem, I accept no reponsibility for your actions. Also, this is only for the advanced hardware wizards, I will not answer any questions about this, if you don't know what this is about, you don't need to know!!!! I have not yet written the Salora address calculator for the ST, so you'll have to make do with the Pc version written by Electronic Power & Lord Canis. It can be run from Pc Ditto for those of you who has got that program. I will not release any beta versions of the ST version until I have tested it a bit more.... So go out and hack the shit out of them decoders d00dez!! D.S