ACP analysis and command creation tool
-
- Junior Member
- Posts: 381
- Joined: Fri Oct 28, 2005 8:43 am
ACP analysis and command creation tool
I have spent a significant amount of time trying to create a real time ACP command manipulation tool. There are many stability issues with the real time version so I decided to release a stable non-real time version. This version runs in a continuous polling loop on the DCT like the USBBDM command tool. The first version allows you to capture DCT SPI log info and then use the log text to create new commands and then trial them. Later versions will be much more powerful allowing function based script that automates command trialling.
To use it you must install 2.0 .NET
If you wish to try it out just PM me and I will send it to you.
This version only run on the DCT2000 series for now.
To use it you must install 2.0 .NET
If you wish to try it out just PM me and I will send it to you.
This version only run on the DCT2000 series for now.
-
- Junior Member
- Posts: 21
- Joined: Wed Jul 27, 2005 9:16 pm
- Location: NewYork&Chicago
- Contact:
-
- Junior Member
- Posts: 8982
- Joined: Mon Jul 18, 2005 9:33 pm
-
- Junior Member
- Posts: 21
- Joined: Wed Jul 27, 2005 9:16 pm
- Location: NewYork&Chicago
- Contact:
have you figured out why there is a sequence into programing the right data to the chip?
like when we use to spi capture the auth command was like in pair of 4 commands i cant remeber good. plus always the before and afther data comes like 2 3 times i use to hit the box. like waht sequence was on before and that it received next...
this is big help considering some of uss have access to a lot of boxes with same packege we can analize what registers are diferent .......
have you been able to turn a channel on so far?
like when we use to spi capture the auth command was like in pair of 4 commands i cant remeber good. plus always the before and afther data comes like 2 3 times i use to hit the box. like waht sequence was on before and that it received next...
this is big help considering some of uss have access to a lot of boxes with same packege we can analize what registers are diferent .......
have you been able to turn a channel on so far?
-
- Junior Member
- Posts: 381
- Joined: Fri Oct 28, 2005 8:43 am
The authorization sequence can be replayed using the tool which helps those on a system where the monthly category numbers do not change.
That info is found on the SendSystemID broadcast command highlighted in yellow in XCManglers log window.
The auth 4 sequences have a specific purpose. The distribution of categories and tiers is too big to fit into one or even two sequences so they spit it into two categories which are odd and even they will be combined in the ACP this allows them to make channel changes one month in advance and allows for more flexibility in tier programming. It's too complex to get into here and it's not the best way to crack the box.
They actually encrypt the same category keys differently in each sequence which is not a wise move because it can be cryptographically attacked but it is still extreemly difficult to use since that would only give the ability to derive a working key which would have to be recracked on every category change. It is the auth keys that are the importent ones because we just can't get at the ones that are in the ACP it is a one way function.
At this point the goal is to identify valid commands and to discover if it is possible to program the ACP's UA or keys etc. I believe it can be done by trialling new sequences that would never normally be sent over the CC network. If they did that it would be like handing out candy to kids from motorola's view. The features to perform this level of manipulation are comming. I have to create that functionallity and I must say it's rather complex.
I am certain that we will not be able to turn on a new channel or change a tier by manipulating an auth sequence that would require knowledge of the key lists that were programmed into the box. They have that part well secured, trust me on that one, it's deadly complex and would require distributed DES cracking to accomplish by using known ciphers or a leak from the CC. The auth keys are well hidden. At the point it becomes possible to change the ACP UA or other values then the game will change because you have control of what goes into the ACP then you can change what tiers and categories it will allow because then you can load your own keys for the authorization sequence of the ACP.
The system is much more complex than most even think of and the info is detailed in the patents it's just really ugly to digest. There are weak points, just not very many of them.
That info is found on the SendSystemID broadcast command highlighted in yellow in XCManglers log window.
The auth 4 sequences have a specific purpose. The distribution of categories and tiers is too big to fit into one or even two sequences so they spit it into two categories which are odd and even they will be combined in the ACP this allows them to make channel changes one month in advance and allows for more flexibility in tier programming. It's too complex to get into here and it's not the best way to crack the box.
They actually encrypt the same category keys differently in each sequence which is not a wise move because it can be cryptographically attacked but it is still extreemly difficult to use since that would only give the ability to derive a working key which would have to be recracked on every category change. It is the auth keys that are the importent ones because we just can't get at the ones that are in the ACP it is a one way function.
At this point the goal is to identify valid commands and to discover if it is possible to program the ACP's UA or keys etc. I believe it can be done by trialling new sequences that would never normally be sent over the CC network. If they did that it would be like handing out candy to kids from motorola's view. The features to perform this level of manipulation are comming. I have to create that functionallity and I must say it's rather complex.
I am certain that we will not be able to turn on a new channel or change a tier by manipulating an auth sequence that would require knowledge of the key lists that were programmed into the box. They have that part well secured, trust me on that one, it's deadly complex and would require distributed DES cracking to accomplish by using known ciphers or a leak from the CC. The auth keys are well hidden. At the point it becomes possible to change the ACP UA or other values then the game will change because you have control of what goes into the ACP then you can change what tiers and categories it will allow because then you can load your own keys for the authorization sequence of the ACP.
The system is much more complex than most even think of and the info is detailed in the patents it's just really ugly to digest. There are weak points, just not very many of them.
-
- Junior Member
- Posts: 21
- Joined: Wed Jul 27, 2005 9:16 pm
- Location: NewYork&Chicago
- Contact:
-
- Junior Member
- Posts: 21
- Joined: Wed Jul 27, 2005 9:16 pm
- Location: NewYork&Chicago
- Contact:
-
- Junior Member
- Posts: 381
- Joined: Fri Oct 28, 2005 8:43 am
You can send any command you want. For example lets make something new from an existing command.
In the XCCmdFile.txt you would add the name of your command in brackets like the following command sequence.
[GetKey1234]
0E 06 80 0B 02 12 34 2F
0E 01 00
0E 02 00 00
0E 01 01
0E 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
You will need to create an XOR checksum of the values in blue.
The red value is the calculated checksum. This can be done using the Windows Calc program.
These instructions are also in the XCCmdFle.txt file.
The new boxed name will be parsed and added to the SendCmd pulldown box when you first run XCMangler.
Make sure the last line of text in XCCmdFile.txt contains ;End
Please send me the list of GI/UID's and I will see if I can make sense of it.
In the XCCmdFile.txt you would add the name of your command in brackets like the following command sequence.
[GetKey1234]
0E 06 80 0B 02 12 34 2F
0E 01 00
0E 02 00 00
0E 01 01
0E 1B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
You will need to create an XOR checksum of the values in blue.
The red value is the calculated checksum. This can be done using the Windows Calc program.
These instructions are also in the XCCmdFle.txt file.
The new boxed name will be parsed and added to the SendCmd pulldown box when you first run XCMangler.
Make sure the last line of text in XCCmdFile.txt contains ;End
Please send me the list of GI/UID's and I will see if I can make sense of it.
-
- Junior Member
- Posts: 21
- Joined: Wed Jul 27, 2005 9:16 pm
- Location: NewYork&Chicago
- Contact:
for some reason i manage to make all the premiums on my E11 be ENC 20 they use to be digitall 00
now still got invalid uid....
no picture but some weird logs. and the dac id changed. i havent done spi before me noob i am sure i will hit something again .....and i forget to keep records how i did it.
what is a coomands like this? C4? its a bomb.......tic tac.
C8 15 08 02 22 00
FF FF FF FF FF FF
07 06 C8 15 06 40 22 00
FF FF FF FF FF FF
07 03 E5 61 00
FF FF FF
07 03 E5 61 01
FF FF FF
07 06 C8 15 08 02 22 00
FF FF FF FF FF FF
07 06 C8 15 06 40 22 00
FF FF FF FF FF FF
07 03 E5 61 00
FF FF FF
07 09 C5 00 01 FF FF FD 0F 00 03
FF FF FF FF FF FF FF FF FF
07 0F C5 00 03 FF FF B4 00 00 00 71 7D 0F 0C 02 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 0F C5 00 03 FF FF B7 71 49 02 0C 02 00 00 00 03
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 0F C5 00 03 FF FF BA 00 00 00 00 00 03 00 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 0F C5 00 03 FF FF F7 04 06 39 08 05 39 0C 06 3D
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 09 C5 00 01 FF FF FB 00 05 E1
FF FF FF FF FF FF FF FF FF
07 06 C0 00 48 FF 10 61
FF FF FF FF FF FF
07 06 C0 00 49 41 00 00
FF FF FF FF FF FF
07 06 C0 00 48 FF 10 10
FF FF FF FF FF FF
07 06 C0 00 49 41 00 00
FF FF FF FF FF FF
07 06 C0 00 48 FF 10 12
FF FF FF FF FF FF
07 06 C0 00 49 41 00 00
FF FF FF FF FF FF
07 0C C4 00 02 00 01 08 0A F0 80 00 01 80
FF FF FF FF FF FF FF FF FF FF FF FF
07 0F C4 00 03 00 01 80 05 08 03 0A F0 80 FF 25 B6
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 83 70 F4 00 00 01 A0 70 70 00 00 01 18 70 F4 00 00 01 A6 70 70 00 00 01 1A
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 8B 70 F4 00 00 01 AC 70 70 00 00 01 1B 70 F4 00 00 01 B2 70 70 00 00 01 23
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0E 01 02
00
0E 03 00 00 00
20 06 13
07 1E C4 00 08 00 01 93 70 F4 00 00 01 BC 07 70 98 00 00 E3 70 F4 00 03 00 06 78 70 00 00 01 91
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 9B 70 F4 00 00 C0 08 78 70 00 00 02 D1 00 00 0C 70 F4 00 00 00 57 07 70 98
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0E 02 86 18
55 00
07 1E C4 00 08 00 01 A3 00 00 D9 0A F0 80 FF 2B 3B 70 F4 00 00 00 57 07 70 98 00 00 D9 0A F0 80
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 AB FF 2B 3E 70 F4 00 FF 3E 02 07 70 98 00 00 D9 0A F0 80 FF 32 78 05 0B D4
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 B3 70 F4 00 00 01 32 70 70 00 00 01 38 70 F4 00 FF 3C 7C 07 70 98 00 00 C1
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 BB 00 00 0C 5E E4 00 01 42 85 05 24 10 0B 74 D0 00 00 01 38 05 00 0B 74 D9
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 C3 00 00 03 69 D8 00 6A C8 00 6D D8 00 6E D8 00 06 D9 10 00 00 05 4E D9 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 15 C4 00 05 00 01 CB 4E 5D 00 4E DA 00 4E 5E 00 0A F0 80 FF 27 8C
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 00 4C 00 00 04 4D F0 00 00 01 CB 0C C5 88 FF FF FD 44 F4 13 00 00 01 0B C5 6C
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 00 54 20 30 44 0B C5 77 00 00 0C 0B F0 80 FF 41 21 0B F0 80 FF 3F 45 70 F4 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0E 05 80 02 01 00 03
55 00 00 00 00
07 12 C4 00 04 00 00 5C 00 00 4D 07 70 98 00 00 F7 00 00 0C
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 06 C0 00 48 00 01 08
FF FF FF FF FF FF
07 06 C0 00 49 80 00 00
FF FF FF FF FF FF
07 03 E0 0A 00
FF FF FF
07 03 E9 84 00
FF FF FF
07 06 C1 FF C8 00 0F FF
FF FF FF FF FF FF
07 06 C1 FF C9 00 B5 40
FF FF FF FF FF FF
07 03 88 01 00
FF FF FF
07 03 00 00 00
FF FF FF
0E 01 00
00
0E 02 00 00
02 01
0E 01 01
00
0E 02 00 00
00 03
0E 04 80 05 00 05
55 00 00 00
0E 01 00
05
0E 02 00 00
02 01
0E 01 01
00
0E 02 00 00
00 03
0E 04 80 05 00 05
55 00 00 00
0E 01 00
05
0E 02 00 00
05 09
0E 01 01
00
0E 0A 00 00 00 00 00 00 00 00 00 00
FC 16 27 46 5C CC 8E AC 72 47
0E 01 00
00
0E 02 00 00
86 07
0E 01 01
00
0E 08 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 81
0E 06 80 0B 02 00 00 09
55 00 00 00 00 00
0E 01 00
0B
0E 02 00 00
0B 1A
0E 01 01
00
now still got invalid uid....
no picture but some weird logs. and the dac id changed. i havent done spi before me noob i am sure i will hit something again .....and i forget to keep records how i did it.
what is a coomands like this? C4? its a bomb.......tic tac.
C8 15 08 02 22 00
FF FF FF FF FF FF
07 06 C8 15 06 40 22 00
FF FF FF FF FF FF
07 03 E5 61 00
FF FF FF
07 03 E5 61 01
FF FF FF
07 06 C8 15 08 02 22 00
FF FF FF FF FF FF
07 06 C8 15 06 40 22 00
FF FF FF FF FF FF
07 03 E5 61 00
FF FF FF
07 09 C5 00 01 FF FF FD 0F 00 03
FF FF FF FF FF FF FF FF FF
07 0F C5 00 03 FF FF B4 00 00 00 71 7D 0F 0C 02 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 0F C5 00 03 FF FF B7 71 49 02 0C 02 00 00 00 03
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 0F C5 00 03 FF FF BA 00 00 00 00 00 03 00 00 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 0F C5 00 03 FF FF F7 04 06 39 08 05 39 0C 06 3D
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 09 C5 00 01 FF FF FB 00 05 E1
FF FF FF FF FF FF FF FF FF
07 06 C0 00 48 FF 10 61
FF FF FF FF FF FF
07 06 C0 00 49 41 00 00
FF FF FF FF FF FF
07 06 C0 00 48 FF 10 10
FF FF FF FF FF FF
07 06 C0 00 49 41 00 00
FF FF FF FF FF FF
07 06 C0 00 48 FF 10 12
FF FF FF FF FF FF
07 06 C0 00 49 41 00 00
FF FF FF FF FF FF
07 0C C4 00 02 00 01 08 0A F0 80 00 01 80
FF FF FF FF FF FF FF FF FF FF FF FF
07 0F C4 00 03 00 01 80 05 08 03 0A F0 80 FF 25 B6
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 83 70 F4 00 00 01 A0 70 70 00 00 01 18 70 F4 00 00 01 A6 70 70 00 00 01 1A
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 8B 70 F4 00 00 01 AC 70 70 00 00 01 1B 70 F4 00 00 01 B2 70 70 00 00 01 23
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0E 01 02
00
0E 03 00 00 00
20 06 13
07 1E C4 00 08 00 01 93 70 F4 00 00 01 BC 07 70 98 00 00 E3 70 F4 00 03 00 06 78 70 00 00 01 91
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 9B 70 F4 00 00 C0 08 78 70 00 00 02 D1 00 00 0C 70 F4 00 00 00 57 07 70 98
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0E 02 86 18
55 00
07 1E C4 00 08 00 01 A3 00 00 D9 0A F0 80 FF 2B 3B 70 F4 00 00 00 57 07 70 98 00 00 D9 0A F0 80
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 AB FF 2B 3E 70 F4 00 FF 3E 02 07 70 98 00 00 D9 0A F0 80 FF 32 78 05 0B D4
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 B3 70 F4 00 00 01 32 70 70 00 00 01 38 70 F4 00 FF 3C 7C 07 70 98 00 00 C1
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 BB 00 00 0C 5E E4 00 01 42 85 05 24 10 0B 74 D0 00 00 01 38 05 00 0B 74 D9
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 01 C3 00 00 03 69 D8 00 6A C8 00 6D D8 00 6E D8 00 06 D9 10 00 00 05 4E D9 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 15 C4 00 05 00 01 CB 4E 5D 00 4E DA 00 4E 5E 00 0A F0 80 FF 27 8C
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 00 4C 00 00 04 4D F0 00 00 01 CB 0C C5 88 FF FF FD 44 F4 13 00 00 01 0B C5 6C
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 1E C4 00 08 00 00 54 20 30 44 0B C5 77 00 00 0C 0B F0 80 FF 41 21 0B F0 80 FF 3F 45 70 F4 00
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0E 05 80 02 01 00 03
55 00 00 00 00
07 12 C4 00 04 00 00 5C 00 00 4D 07 70 98 00 00 F7 00 00 0C
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
07 06 C0 00 48 00 01 08
FF FF FF FF FF FF
07 06 C0 00 49 80 00 00
FF FF FF FF FF FF
07 03 E0 0A 00
FF FF FF
07 03 E9 84 00
FF FF FF
07 06 C1 FF C8 00 0F FF
FF FF FF FF FF FF
07 06 C1 FF C9 00 B5 40
FF FF FF FF FF FF
07 03 88 01 00
FF FF FF
07 03 00 00 00
FF FF FF
0E 01 00
00
0E 02 00 00
02 01
0E 01 01
00
0E 02 00 00
00 03
0E 04 80 05 00 05
55 00 00 00
0E 01 00
05
0E 02 00 00
02 01
0E 01 01
00
0E 02 00 00
00 03
0E 04 80 05 00 05
55 00 00 00
0E 01 00
05
0E 02 00 00
05 09
0E 01 01
00
0E 0A 00 00 00 00 00 00 00 00 00 00
FC 16 27 46 5C CC 8E AC 72 47
0E 01 00
00
0E 02 00 00
86 07
0E 01 01
00
0E 08 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 81
0E 06 80 0B 02 00 00 09
55 00 00 00 00 00
0E 01 00
0B
0E 02 00 00
0B 1A
0E 01 01
00
-
- Junior Member
- Posts: 381
- Joined: Fri Oct 28, 2005 8:43 am
Channel 07 sends instructions to the BCM7015 so the 07 0C C4 is a BCM7015 command.
By the way I hard coded a auto ACPReset function if the ACP returns 0x11 you can see it in the logs as 0E 02 86 18.
If you do not want it to automatically reset the ACP then rename the [ACPReset] to [ACPReset1] in the XCCmdFile.
Of course you will need to manually correct the 0x11 ACP condition by sending [ACPReset1].
I don't know what 07 xx C4 it is doing but you are already discovering the power of trialling.
Good work!
By the way I hard coded a auto ACPReset function if the ACP returns 0x11 you can see it in the logs as 0E 02 86 18.
If you do not want it to automatically reset the ACP then rename the [ACPReset] to [ACPReset1] in the XCCmdFile.
Of course you will need to manually correct the 0x11 ACP condition by sending [ACPReset1].
I don't know what 07 xx C4 it is doing but you are already discovering the power of trialling.
Good work!
-
- Junior Member
- Posts: 8982
- Joined: Mon Jul 18, 2005 9:33 pm
I aways think channel 07 is used to send keys to BCM. If it is true maybe we do not need XC chip at all to open channel.cipher wrote:Channel 07 sends instructions to the BCM7015 so the 07 0C C4 is a BCM7015 command.
By the way I hard coded a auto ACPReset function if the ACP returns 0x11 you can see it in the logs as 0E 02 86 18.
If you do not want it to automatically reset the ACP then rename the [ACPReset] to [ACPReset1] in the XCCmdFile.
Of course you will need to manually correct the 0x11 ACP condition by sending [ACPReset1].
I don't know what 07 xx C4 it is doing but you are already discovering the power of trialling.
Good work!
Let us say I recorded one channel on subscribed box on channel 7
then i play this command to another box.
I noticed one new HD box (dual tunner) does not have XC chip. In satellite testing today they can manually enter keys, maybe the first step for cable testing is to enter key as well.
-
- Junior Member
- Posts: 21
- Joined: Wed Jul 27, 2005 9:16 pm
- Location: NewYork&Chicago
- Contact:
I noticed one new HD box (dual tunner) does not have XC chip. In satellite testing today they can manually enter keys, maybe the first step for cable testing is to enter key as well.[/quote]
it does have a XC chip the new version. just like 700 but bigger version same serial type
scf8000 and one more thing the hds have capability of smart cards not all of them but they do ......just like satelite. and the old version of boxes uses smartcards on same system dechiper2/. .........same deciper2 with cards. i have never open one but now is come up to my attention.
like BDM said we might be able to enter the righ commands if we have the right firmware....i am sure everything will be done from the firmware anyway .later on,
it does have a XC chip the new version. just like 700 but bigger version same serial type
scf8000 and one more thing the hds have capability of smart cards not all of them but they do ......just like satelite. and the old version of boxes uses smartcards on same system dechiper2/. .........same deciper2 with cards. i have never open one but now is come up to my attention.
like BDM said we might be able to enter the righ commands if we have the right firmware....i am sure everything will be done from the firmware anyway .later on,
Who is online
Users browsing this forum: No registered users and 3 guests