ACP analysis and command creation tool

XC chip, auth and block SPI command.
Locked
duffy
Junior Member
Posts: 101
Joined: Fri Mar 31, 2006 12:15 pm

Post by duffy »

I'm reading this treath and I have some testings questions:

1) Does the Coax stream is plugged while spi command reply (to test E11)?
2) Can the xp chip or the connexant can be put in ''freeze mode''(clock or/and freeze pin) while testing the E11 supposed junk board to avoid different software or hardware interrupt that can trig different watch dog timer in the acces processor ?
3) Random timer in xc ?
4) If the boot sector of firmware is corrupt, does the 683xxuc accept update from stream as soon as possible ? if it does, maybe someone have already logged spi at this time ?

I would like to help more but I can't use the 793 firmware and it's difficult for me to log spi by software mod.....

Always great to read your post guys !!!
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

1) It works better with live data, yes you should connect it.
2) Don't understand the Q.
3) No.
4) No. It will not respond to anything if the platform is not initialized once.
duffy
Junior Member
Posts: 101
Joined: Fri Mar 31, 2006 12:15 pm

Post by duffy »

Thanks cipher for the reply !

I can try to explain question 2: A lot of hardware devices like asic or mosc or any micro may have a enable pin or freeze pin that can be pulled up or down with proper resistance, just to simplify the analyse of the log to be sure that everyone compare same statament with same testing device and results....

There is an avalaible pinout for the xc chip, whatever if the system only use a few number of this pinout...??? does it is look as a xillinx micro pinout ?

Forget this post if it does'nt affect to let the coax rg-6 plugged on (or any different user config) while testing (E11)...

I wish that I will have more time to learn how thing works......
krunkcraig
Junior Member
Posts: 164
Joined: Sun May 06, 2007 10:24 am
Location: Everythings bigger in Texas

Post by krunkcraig »

Java As solve all of my problems. Thanks guys
duffy
Junior Member
Posts: 101
Joined: Fri Mar 31, 2006 12:15 pm

Post by duffy »

USBBDM wrote:
At one point I analyzed the code and seems finally there are some code does something odd and then generate channel 07 command. If this the final path to decrypt video, then if we can generate good channel 07 command we should be able to decrypt video. Treat XC chip as black box since finally each box will generate same 07 command to decrypt the same channel.

Any progress in this way, does it should work if stream replay is possible ?

Any progress in NDS videoguard compatibility with this ACP ? it may help to learn some decrypt features (des or 3des, xor,...) ?
usbbdm
Junior Member
Posts: 8715
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

No progress. I was fighting against clone hardware and now I am focus on USB 2.0 project.
I heard someone in Mexico uses two serial port that can pass keys from one box (DCT700) to another. The theory is similar to the card sharing for ROM102 in dish testing. Not see it really work but I think it is absolutely possible. It needs a lot of effort and I was tide up with site attack for the last month and now working on USB 2.0 project.
You are welcome to post anything you know here.
duffy
Junior Member
Posts: 101
Joined: Fri Mar 31, 2006 12:15 pm

Post by duffy »

The SkyWalker-1 card support the Digicipher II 8PSK modulation frame and can work with tsreader software. Maybe, this could be an another analysis logging tool to compare with real system and can help to brute force the command 07 control key (considering xc chip as a black box) ? Or just help to understand the stream in deep ???
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

the broadcom decrypts video....broadcom
if you can capture keys that are fed to the broadcom to decrypt you can also develop a software like they use in fta.

xc on encrypts the keys stored and also the keys in the system broadcast so cant spoof...but on your box you should be able to log the key . and that is the video key. not the encryption key of XC chip

since we dont know how to feed the keys to the broadcom,,,there is no reason to try to find video keys for now....
krunkcraig
Junior Member
Posts: 164
Joined: Sun May 06, 2007 10:24 am
Location: Everythings bigger in Texas

Post by krunkcraig »

maybe we could make a program to log the type of processes that occur in our machines so we can cypher through what process is the one that deliever's keys to the broadcom, then go from there. The keys are processed by the firmware at some point and time...Even if the broadcom uses a separate Ram to verify keys....I guess this isn't possible since there is no way of caching the processes.
elkora
Junior Member
Posts: 245
Joined: Wed Jan 03, 2007 8:57 pm

Post by elkora »

usbbdm wrote:No progress. I was fighting against clone hardware and now I am focus on USB 2.0 project.
I heard someone in Mexico uses two serial port that can pass keys from one box (DCT700) to another. The theory is similar to the card sharing for ROM102 in dish testing. Not see it really work but I think it is absolutely possible. It needs a lot of effort and I was tide up with site attack for the last month and now working on USB 2.0 project.
You are welcome to post anything you know here.
you have the link or some more info I what to learn how they are using the to com ports or if they are using virtual serial port.

thanks...
krunkcraig
Junior Member
Posts: 164
Joined: Sun May 06, 2007 10:24 am
Location: Everythings bigger in Texas

Post by krunkcraig »

Is it possible that these keys (to the host cpu) are encrypted and delivered from the audio? I remember setting up my dct2224 box to work with my tivo and i had to use a serial to audio jack to get them to work together. And then I remember reading the difference between DVB and DC|| and two different systems were developed meaning the keys probably aren't delivered thur video. Just thought i would throw that idea out there. Thanks for any comments back about this.
krunkcraig
Junior Member
Posts: 164
Joined: Sun May 06, 2007 10:24 am
Location: Everythings bigger in Texas

Post by krunkcraig »

What is the significance of the messages option in the setup menu? The previous question is stupid right? The Broadcom deals with video encryption and that means the keys are pulled from the video correct?
Locked

Who is online

Users browsing this forum: No registered users and 1 guest