2224 Component - XC420061

Backup of earlier posts.
Post Reply
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

2224 Component - XC420061

Post by cipher »

Hi all,

I?m new to this forum. I have a strong background in hardware and microcontrollers. I think the way to crack this device is to ID the components. This will give us the ability to understand the microcode better.

I have looked at the PN XC420061 and it is definitely a house PN but there is some info out there that may expose it?s true identity.

As defined by Moto the XC prefix simply states the testing quality level of the component which is ?Qual Partial? this can be found in the selector guide from Moto.
Moto end of life listings show a version of this dev as 420061-007-69 and reference two crossed part of it which are XCF20013PU3 PCF60002PU which I found at
http://www.freescale.com/files/shared/d ... doc?srch=1.

The CF prefix is usually used on Coldfire dev?s and the PU suffix is a packaging selection ID.

This leads me to believe that this dev is a standard micro controller with some customization. It could be a CF5407 or a XC68XXX component. The next step is to verify this with matching the actual 2224 foil layout to the CLK or power pads etc. on the package itself.

The packages can be found at
http://www.freescale.com/files/shared/d ... SG1001.pdf

I currently only have one 2224 and it is in use so I can?t take it out of service. When I get a second unit I will triage it more closely.
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

the xc chip contains the digicipher II code. it's not the main processor. the motorola 68331 is. unfourtuneatly i doubt anyone will crack the encryption system. it's more of a tricking the chip in to auth the channels. there is alot of info on SPI here and all the software you need to get started. assuming you have a usb bdm.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

I am thinking the BCM chip does the decrypting with a key that is provided by the XC dev and the XC dev manages this mapping of keys to channels. Thus if we can reach the flash code on XC dev then you can manipulate what key are stored in the dev and enable any channel based on a single authorized unit having all the required keys.

I used to code 32 bit DES using ASM I think it may be possible to crack the key manager. Thats why I what to get in the bdm side of that IC. There should be a simple table of keys used to enable each channel and by watching a channel add from the provider we can determine where this table is. Provided it is reachable through a bdm.
Phredog
Junior Member
Posts: 39
Joined: Tue Jul 26, 2005 3:46 pm

Post by Phredog »

Good thinking, Cipher
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

all i can say is good luck cipher. i don't know a thing about coding so your over my head. i'm sure usbbdm will chime in here soon with his thoughts. all i know is that the digicipher code is very secure, so i hop you are right.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

Well, I pulled my first mistake. So here is what I learned.

1) Out of all the 100-pin fpga's that looked close none match the pin configuration on the XC Chip. Dead end. No easy access into the chip.

2) Probing the XC chip for continuity is costly. It changed its stored content! Touchy little thing.

3) Backup before you probe the unit.

I have shorted adjacent pins which should not be messed with.

I now have an analog box, the keys are lost, it has a seed health error, unit address error.

Thud. (sound of head on wall)
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

someone else had tried to probe it before as well with the same results. currently there is no way of backing up the xc chip contents.
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

I think there is a JTAG interface to the XC chip. This is the 6 pins both found in * choice and DCT 2000 box. Did not found on DCT2500 box yet. But I am sure this is programmable device and JTAG should be the only interface to it.

One another found is that the same SPI command sequence is used to ORDER BY PHONE. Initially I thought there is a second key can be used to open the PPV channel. But when captured the SPI while call the cable company, I found the SPI auth command to the box. But this key seems to be time related. It is only valid during certain period of time. More investigation will be done to this command.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

Yes, I saw the 6 pin connector. And I checked it for continuity it does not go to the XC chip. It goes to the BCM chip. Most Broadcom processors have a JTAG/EJTAG connection and it may give us answers. But do we know if this chip is the BCM7015 and even if it was. Broadcom does not let just anyone have the Reference Manuals (Public access not granted user ID and password only). If this dev is the BCM7015 then it must use the channel key to decipher the video stream there is a POD DVS 213 DES interface port to retrieve the keys. The Broadcom is a complex beast though. Without data manuals it is out of my league.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

Hey usbbdm, I was thinking about that key you observed throught the Serial Peripheral Interface and having a limited life time. This would make a lot of sence. Any PPV key that is issued does not need a long life time maybe a few days etc. So there must be a short expire setting time on it. Thus the key goes dead after that and the application will disgard it. This must mean that video stream is always get new keys.
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

hmmm....i check all of my boxes (currently 5 of them) and didn't see any 6 pin headers or connectors. all of mine are 2224. also i'm pretty sure the tv pass card slot is connected to the xc chip.
tester5
Junior Member
Posts: 21
Joined: Wed Jul 27, 2005 9:16 pm
Location: NewYork&Chicago
Contact:

Post by tester5 »

the jtag is there and is for broadcom and also i am sure it can be used to mess with xc.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

On a PH8 PCB look for J201 near the XC chip. This maybe the JTAG pads without the connector installed. Hopefully it is.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

Here is a usefull link for understanding the xc chip and other functions.

http://www.eetimes.com/editorial/1995/s ... n9503.html
patsfan
Junior Member
Posts: 673
Joined: Thu Jul 21, 2005 4:02 pm

Post by patsfan »

nice link...thanks
Post Reply

Who is online

Users browsing this forum: No registered users and 8 guests