Technical info on results of Spoofing Unit Address

Backup of earlier posts.

Post by cablechipz »

Hi All!

After reading various postings and trying the USB BDM for the first time, it seems clear to me that the XC chip, which contains the UA as well as DigiCipher II keys, can be programmed into the Non-Volatile Memory.

My application is one of reverse engineering certain functions of the DCT and I am trying to understand why there is a digital limitation on the E11 boxes.

Suppose I reprogram the same UA into the NVRAM and I suspect that is done using SPI? After this is done, will the CC (DAC-6000) be able to hit the DCT2000? Assuming I have access of course :-)

Is it that the XC chip fails and the DigiCipher keys are no longer usable or corrupt?

If I can hit the box, will the DCT respond to the programmed UA?

I will be trying this in the next few days, time permitting of course.

Technically I am trying to revive the box as close to its original programming/functionality as possible.

TYA

CableChipz

Post by patsfan »

Unit address and seed keys can't be programmed by SPI. They are stored in the XC chip itself. They are programmed at the factory using the TV passcard slot. You can spoof a UA on a box to log SPI data, but it won't work to auth one. There is currently no known way to fix an E11 box either.

Post by cipher »

Welcome cablechipz,

The XC chip is much more than a UA and decryption key store. The chip is a very sophisticated security processor and is accessed using a one way signed authentication. The decryption of video signals is performed by the XC chip; the signals are received encrypted from, and sent back clear to, the Broadcom chip for further processing via the MPEG data port identified by infoda1, infosc1 and infock1. The clear stream is not likely to be sequential and is possibly sent back in an out of sequence frame order. If I had an MPEG stream analyzer I could verify it. The PID is read from the in-band data and the MC68331 sends information to the Broadcom to deal with that tier's decryption requirements. For example, there are up to 6 digital channels in one analog RF channel's bandwidth. The channel map deals with the digital channel correlation in that stream.

While it may be possible that the chip UA and seed keys can be programmed from the SPI port, I see no evidence of this at all and it is very unlikely. The chip has 6 connections going to the TV pass connector; 4 of them are identifiable as data when viewed on the scope and I highly suspect this is the secured programming interface. Please continue to use that creative thinking. I too was where you are now quite some time ago, and you too will discover many more interesting areas as your quest continues.

cipher