2224 Component - XC420061
-
- Junior Member
- Posts: 381
- Joined: Fri Oct 28, 2005 8:43 am
Hi all,
I'm new to this forum. I have a strong background in hardware and microcontrollers. I think the way to crack this device is to ID the components. This will give us the ability to understand the microcode better.
I have looked at the PN XC420061 and it is definitely a house PN, but there is some info out there that may expose its true identity.
As defined by Moto, the XC prefix simply states the testing quality level of the component, which is "Qual Partial"; this can be found in the selector guide from Moto.
Moto end of life listings show a version of this dev as 420061-007-69 and reference two crossed parts of it, which are XCF20013PU3 PCF60002PU, which I found at
http://www.freescale.com/files/shared/d ... doc?srch=1.
The CF prefix is usually used on Coldfire devs and the PU suffix is a packaging selection ID.
This leads me to believe that this dev is a standard microcontroller with some customization. It could be a CF5407 or an XC68XXX component. The next step is to verify this by matching the actual 2224 foil layout to the CLK or power pads etc. on the package itself.
The packages can be found at
http://www.freescale.com/files/shared/d ... SG1001.pdf
I currently only have one 2224 and it is in use so I can't take it out of service. When I get a second unit I will triage it more closely.
-
- Junior Member
- Posts: 673
- Joined: Thu Jul 21, 2005 4:02 pm
the xc chip contains the digicipher II code. it's not the main processor. the motorola 68331 is. unfortunately i doubt anyone will crack the encryption system. it's more of a tricking the chip into auth the channels. there is a lot of info on SPI here and all the software you need to get started. assuming you have a usb bdm.
-
- Junior Member
- Posts: 381
- Joined: Fri Oct 28, 2005 8:43 am
I am thinking the BCM chip does the decrypting with a key that is provided by the XC dev and the XC dev manages this mapping of keys to channels. Thus if we can reach the flash code on XC dev then you can manipulate what keys are stored in the dev and enable any channel based on a single authorized unit having all the required keys.
I used to code 32 bit DES using ASM. I think it may be possible to crack the key manager. That's why I want to get in the bdm side of that IC. There should be a simple table of keys used to enable each channel and by watching a channel add from the provider we can determine where this table is, provided it is reachable through a bdm.
-
- Junior Member
- Posts: 381
- Joined: Fri Oct 28, 2005 8:43 am
Well, I pulled my first mistake. So here is what I learned.
1) Out of all the 100-pin FPGAs that looked close, none match the pin configuration on the XC Chip. Dead end. No easy access into the chip.
2) Probing the XC chip for continuity is costly. It changed its stored content! Touchy little thing.
3) Backup before you probe the unit.
I have shorted adjacent pins which should not be messed with.
I now have an analog box, the keys are lost, it has a seed health error, unit address error.
Thud. (sound of head on wall)
-
- Junior Member
- Posts: 8962
- Joined: Mon Jul 18, 2005 9:33 pm
I think there is a JTAG interface to the XC chip. This is the 6 pins found both in * choice and DCT 2000 box. Did not find it on the DCT2500 box yet. But I am sure this is a programmable device and JTAG should be the only interface to it.
Another finding is that the same SPI command sequence is used to ORDER BY PHONE. Initially I thought there is a second key that can be used to open the PPV channel. But when I captured the SPI while calling the cable company, I found the SPI auth command to the box. But this key seems to be time related. It is only valid during a certain period of time. More investigation will be done on this command.
-
- Junior Member
- Posts: 381
- Joined: Fri Oct 28, 2005 8:43 am
Yes, I saw the 6 pin connector. And I checked it for continuity; it does not go to the XC chip. It goes to the BCM chip. Most Broadcom processors have a JTAG/EJTAG connection and it may give us answers. But do we know if this chip is the BCM7015? And even if it was, Broadcom does not let just anyone have the Reference Manuals (public access not granted, user ID and password only). If this dev is the BCM7015 then it must use the channel key to decipher the video stream; there is a POD DVS 213 DES interface port to retrieve the keys. The Broadcom is a complex beast though. Without data manuals it is out of my league.
-
- Junior Member
- Posts: 381
- Joined: Fri Oct 28, 2005 8:43 am
Hey usbbdm, I was thinking about that key you observed through the Serial Peripheral Interface and its having a limited lifetime. This would make a lot of sense. Any PPV key that is issued does not need a long lifetime, maybe a few days etc. So there must be a short expiry time set on it. Thus the key goes dead after that and the application will discard it. This must mean that the video stream is always getting new keys.
-
- Junior Member
- Posts: 381
- Joined: Fri Oct 28, 2005 8:43 am
Here is a useful link for understanding the xc chip and other functions.
http://www.eetimes.com/editorial/1995/s ... n9503.html