Scientific Atlanta 4200 - sa4200 - Cablevision - United States - I took pictures



Klaus
23-06-2006, 05:14 AM
.START PART 1 OF 2.




This information has been posted to several forums and will also be uploaded as an attachment if the option is available. This post was written in June 2006. This is by comparison a LONG post.

I have read on this board and others about the Scientific Atlanta Explorer 4200 (SA4200). I have NOT figured out how to modify the box (yet), but here is what I have found out so far. And I stress that some of this may be incorrect! I am quoting my notes, derived from web searches and forum information, including this one.




There is a similar dialect when discussing all digital boxes. Here's what I know:

"cable card" - a smart card that handles encryption/decryption. it will decrypt the encrypted signals that your box receives. some people say it is more correct to call these signals "streams," presumably mpeg streams. the cable card does not decrypt *all* signals to your box because some aren't encrypted.

"subbed box" - means you have a subscriber box. i.e. one from your cable company. some people also assume when you say this that your box can talkback.

"tb"/"talkback" - talkback is used to reference how your cable box communicates back to the cable company. talkback is blocked with a filter, or by opening your box and finding the talkback lead and then severing it, if you're technically inclined.

"filter" - ask most people about filters and they will say that using a filter is absurd. a properly attached filter can block your cable company from receiving talkback. some people connect a filter to a subbed box with the intent of ordering pay per view, without it being reported to the cable company. this supposedly works, although it is always temporary -- the box shuts itself off, the memory fills up with pay per view orders, etc. it seems that most people who try this end up being charged for whatever they think they stole.

"netid"/"network id" - different geographical areas may have different netids. your box has to have the right network id for your cable company and where you live. so apparently if you buy a used SA4200 box & card from california it will not work in new york.

"bk"/"box key" - just like a netid will tie a box to a particular region/provider, a box key will tie a box to a cable card. i haven't found out much about box keys.




There is an FAQ for iO digital cable from Jan 2004 that covers the SA4200 and some other boxes authorized by Cablevision here:
groups.yahoo.com/group/cablevision_digital/files/iofaq.html

If you can't get in, download a copy here:
upload2.net/page/download/xh4DeYba16sPlkT/iofaq.html.html

There are basically three variations of the Scientific Atlanta 4200: SD, HD, DVB. HD is what you think it is. SD boxes are just regular boxes. DVB is a type of scrambling system and the DVB boxes are used in Europe. The following information covers SD boxes, maybe HD and DVB?




To access the basic settings mode, not diagnostics (probably from iO FAQ):

Press the SETTINGS button twice. You can now use the directional buttons to navigate the menus. There are about 20 settings that can be controlled via the menus, including setting or editing favorite channels, video timers, reminders, state of the clock while watching (or not watching) the set, depth of the audio stream, sleep timer, state of the power outlet on the back of the unit, channel blocking, pin number, and others.





To view diagnostics, here are two methods. Note that if your box is subbed and you try this, the consensus is that the cable company can tell that you have accessed the diagnostics. I have no definitive information on whether or not they are notified immediately via talkback.

Method 1: On the box itself, hold down the +/diamond key in the center of the directional arrows until the LED next to the message icon on the box starts to flash. Then press INFO. You can scroll through the pages with VOL+ and VOL-. You can press the + key again so that you can watch TV and look at the settings. Press EXIT to close it out.

Method 2: On the remote, make sure the switch is set to VOD. Hold down the PAUSE key until the LED next to the message icon on the box starts to flash. Then press PAGE+. You can scroll through the pages with PAGE+ and PAGE-.


While in diagnostics, you can access a lot of information. For example, you can check signal strength. From the iO FAQ:

On the first page, FDC should be in the range –10 to +10. Tuner should be in the range –5 to +5. RDC is the amount of signal your box has to transmit back to the head end (-60 is fine). All the values should be shown in white. If any of them are orange, you may want to place a service call so a technician can check cables, splitters, etc.




To reset the box:
Simultaneously press the VOL+, VOL- and INFO buttons on the front of your Digital Cable Box and Hold until the box shuts down. Release the buttons and the box will automatically reset.
Press CBL on your remote to turn the Digital Cable Box on.
Menu Screens will need to be reloaded and may take up to 20 seconds to see.

I also read on a cable filter site: "The trick is that you have to press the buttons at least 4 or 5 times to actually reset and erase the memory of the box." Whether or not that will somehow help fully erase the box I don't know. In no way am I implying that you can erase the PPV order history.

Should you try to reset in an attempt to clear your PPV order history, please be aware that most of what I've read on digital filter sites is often refuted by hackers. Ordinary people who fall for the outrageous claims promoting digital filters usually end up making a post like this:

[ I reset my SA3250HD box and all the history went away, no past, present, or pending. I left the filter off so my provider could read the box so they wouldn't cut it, and a couple of days later all of the PPV appeared on my bill. How do you clear all memory? Why did this still happen? ]




Concerning the SA4200 operating system:
The iO-TV set-top box is a computer that is connected to Cablevision's network using an operating system called Power-TV. The operating system is not obvious to the iO-TV user, but it is the key application that stitches together the hardware at Cablevision with the set-top boxes in your home.




OK now some interpretation about box modifications. As I've mentioned, I do not know how to modify the box (yet).

From what I've read, late 2004 is when the box was first hacked (in Europe). The hackers physically removed several chips from the box, in order to reprogram the box key and net id. They also had dumps of modified chips. The chips that were removed were reprogrammed with the dumps available at the time (which I could not find). Also, I looked in my box and I could not find the exact chips referenced in numerous tutorials (the box I am working with is different; more on this in a sec). I did find similar chips, and they are very tiny and/or have many pins. While removing the chips might be easy, reprogramming them requires a lot of work and I cannot see any way to replace them once they are reprogrammed. They are so small, and soldering would require a really steady hand and probably professional equipment.

The bottom line is that even if you do all the work to reprogram the SA4200, you'd need to make a substantial investment. The only way it could be financially sound is if you already had the equipment (Electrician) or you were selling the modified boxes. As I'm not interested in that, I have not spent the money to buy reprogrammers, fine tip soldering iron, somebody's steady hand, etc.

It's notable that in Europe they use the Scientific Atlanta Explorer 4200DVB. DVB is the type of content protection system. So any directions you follow in Europe will not work in the West because the boxes are different internally. For example, my box is not DVB, and some chips are (labeled) different. How different, I don't know.




.END PART 1 OF 2.

Klaus
23-06-2006, 05:16 AM
.START PART 2 OF 2.




Also! I took many macro pictures of the inside of a Scientific Atlanta 4200. Specifically an SA4200, SD, from New York, United States. I uploaded some to flickr, and you can check them out:
flickr.com/photos/sa4200/

My flickr profile is my PGP key, which I will also post at the end of this message:
flickr.com/people/sa4200/

If you want all the pictures, original size, and my PGP key, you can download the zip:
upload2.net/page/download/bLzV0YLORABzvtt/Scientific_Atlanta_4200_Pictures.zip.html
md5 - a21f6f9e75f46eb1f0d9b1b2e9252a6e


Look at the overview.
On the upper right hand side you will see that the mainboard is identified as Scientific Atlanta Explorer 4010 SD/J. It's possible that the inside of your box is different, even if you have an SA 4200, in the United States, even in New York. I don't know about the various SA 4000 series revisions, and I can only guess there are other similar mainboards inside other SA4200s.

On the lower right side, you should see an uncovered rectangle metal box. A closeup of this box is labeled as U1 (the next picture), after the chip inside the box, AD8325, identified on the board as U1. By partially disabling the AD8325 chip you can disable the talkback signal. Apparently there are many ways to disable the talkback signal, and they all involve doing something in that box. Unfortunately the few other SA4000 series pictures I have seen are dissimilar from my own, with the exception of that chip.




The tutorials I have on modifying the SA4200 chips are sparse, and written for the United Kingdom. The tutorials were originally Word documents, and I converted them to PDF format. The originals used to be available at an underground site for hackers in the United Kingdom:
world-of-digital.com/forums/
Unfortunately I'm told that world-of-digital recently started over, and there is a lot of good information that for now is lost.

You can download the PDF format zip here:
upload2.net/page/download/FQrgjt3nuZnsK0O/Scientific_Atlanta_4200_UK_Mods.zip.html
md5 - 816eabf6ab49a4a7ed21e86cd826f51e

BTW I don't understand much of the information in the UK tutorials. It's a slightly different dialect. They say stuff like "go down to maplins" and "modify your ird and your bk with lp" Well, whatever!




So now you've about reached the end of what I know. So here is what I would like to know.

Is it possible to reprogram the SA4200 without de/resoldering chips?
Can anyone identify the chips I took pictures of, and tell everyone what they do?
Specifically, which chips hold the subscriber memory? PPV memory?

I wonder if there is a way to save the state of the box, and then "roll" it back.
Or maybe to disable writes to certain chips. Make them temporarily read only?
It seems like an easier solution than dumping the contents and hex editing, etc.

I have read several posts from people in the United States using subbed Scientific Atlanta 4200 boxes in an area not where the box was originally subbed, and as a result the box is "unlocked" and they get the premium channels. _How_ is that possible? I know that Cablevision and other providers use encryption. But doesn't each channel have a key? Doesn't the box have to learn the key for each channel? Why would a cable company use the same key for every channel?! Am I being naïve?




I remember that analog boxes had an obvious flaw that digital was supposed to correct, specifically the scrambling for every channel was done with the same method. Digital is supposed to have different keys for each channel. Now, assuming this is NOT the case, due to cost, or whatever, wouldn't it be possible to do the same bypass with digital that you could do with analog?

Like this:

Subscribe to some encrypted channel, 13, on your subbed box.

Get a digital tuner and tune it to the channel you actually want to receive. Then send that sig out to a modulator which can set its sig out to the frequency for channel 13 (instead of channel 3), and that modulator goes to sig in on your subbed box, and your subbed box decrypts any channel while under the impression that it's tuned to channel 13.




Spoofing/damaging the talkback protocol (instead of disabling) seems interesting, but it seems overly complicated, and I wonder if there is a better way like what I described above. Related to this matter:

I read a post on network54 where someone named Taher says that if you change the MAC on the Scientific Atlanta 2200, the box loops the headend and can't be deactivated. He doesn't say how any of this is done. I'd like to know how he changes the MAC, even if what he's saying won't work. I've e-mailed him twice over several months, but haven't heard back (neither has anyone else).

I have read several important posts on network54 from someone named Phred. Besides hacking SA firmware, he cites an attack where you (could?) "Learn the protocol, and send a fake "Collect" command to the box, and fake the record (if it exists)." He seems quite intelligent, but no longer active (the post was from 1 year ago). If anyone knows him maybe you can convince him to review this post!




Forum Links:

No links to other forums thanks




E-mail me if you know something, and please post in a forum as well. FYI, I do not check my yahoo account that often. I am looking for forums that are discussing the U.S. version of the SA4200, not the SA4200DVB forums. Thanks :)







.END PART 2 OF 2.

Genesis2004
19-02-2007, 07:52 PM
Hi Klaus

Nice tutorial you wrote. Here on this forum they actually show you what & how to remove the chips & modify the cable box.

I have a Scientific Atlanta 4200 plus card.

I live in Montreal, Canada.

I'm trying to learn here; it's a clean forum & no bashing of any sort :)

You should come back.


Thanks again

brummyb
01-09-2007, 09:44 PM
I think m8 u should just uncap the cable modem what's built in lol, only for educational purposes of course. One more point. lmao m8 u have posted that same post all over the world. :-{

lsd1229
27-01-2008, 09:07 PM
Where is this post? I've been looking for it all day.