New member. Username: Klaus_hasburg
Post Number: 1
This information has been posted to several forums and will also be uploaded as an attachment if the option is available. This post was written in June 2006. This is by comparison a LONG post.
I have read on this board and others about the Scientific Atlanta Explorer 4200 (SA4200). I have NOT figured out how to modify the box (yet), but here is what I have found out so far. And I stress that some of this may be incorrect! I am quoting my notes, derived from web searches and forum information, including this one.
There is a similar dialect when discussing all digital boxes. Here's what I know:
"cable card" - a smart card that handles encryption/decryption. it will decrypt the encrypted signals that your box receives. some people say it is more correct to call these signals "streams," presumably mpeg streams. the cable card does not decrypt *all* signals to your box because some aren't encrypted.
"subbed box" - means you have a subscriber box. i.e. one from your cable company. some people also assume when you say this that your box can talkback.
"tb"/"talkback" - talkback is used to reference how your cable box communicates back to the cable company. talkback is blocked with a filter, or by opening your box and finding the talkback lead and then severing it, if you're technically inclined.
"filter" - ask most people about filters and they will say that using a filter is absurd. a properly attached filter can block your cable company from receiving talkback. some people connect a filter to a subbed box with the intent of ordering pay per view, without it being reported to the cable company. this supposedly works, although it is always temporary -- the box shuts itself off, the memory fills up with pay per view orders, etc. it seems that most people who try this end up being charged for whatever they think they stole.
"netid"/"network id" - different geographical areas may have different netids. your box has to have the right network id for your cable company and where you live. so apparently if you buy a used SA4200 box & card from california it will not work in new york.
"bk"/"box key" - just like a netid will tie a box to a particular region/provider, a box key will tie a box to a cable card. i haven't found out much about box keys.
There is an FAQ for iO digital cable from Jan 2004 that covers the SA4200 and some other boxes authorized by Cablevision here:
If you can't get in, download a copy here:
There are basically three variations of the Scientific Atlanta 4200: SD, HD, DVB. HD is what you think it is. SD boxes are just regular boxes. DVB is a type of scrambling system and the DVB boxes are used in Europe. The following information covers SD boxes, maybe HD and DVB?
To access the basic settings mode, not diagnostics (probably from iO FAQ):
Press the SETTINGS button twice. You can now use the directional buttons to navigate the menus. There are about 20 settings that can be controlled via the menus, including setting or editing favorite channels, video timers, reminders, state of the clock while watching (or not watching) the set, depth of the audio stream, sleep timer, state of the power outlet on the back of the unit, channel blocking, pin number, and others.
To view diagnostics, here are two methods. Note that if your box is subbed and you try this, the consensus is that the cable company can tell that you have accessed the diagnostics. I have no definitive information on whether or not they are notified immediately via talkback.
Method 1: On the box itself, hold down the +/diamond key in the center of the directional arrows until the LED next to the message icon on the box starts to flash. Then press INFO. You can scroll through the pages with VOL+ and VOL-. You can press the + key again so that you can watch TV and look at the settings. Press EXIT to close it out.
Method 2: On the remote, make sure the switch is set to VOD. Hold down the PAUSE key until the LED next to the message icon on the box starts to flash. Then press PAGE+. You can scroll through the pages with PAGE+ and PAGE-.
While in diagnostics, you can access a lot of information. For example, you can check signal strength. From the iO FAQ:
On the first page, FDC should be in the range -10 to +10. Tuner should be in the range -5 to +5. RDC is the amount of signal your box has to transmit back to the head end (-60 is fine). All the values should be shown in white. If any of them are orange, you may want to place a service call so a technician can check cables, splitters, etc.
To reset the box:
Simultaneously press the VOL+, VOL- and INFO buttons on the front of your Digital Cable Box and Hold until the box shuts down. Release the buttons and the box will automatically reset.
Press CBL on your remote to turn the Digital Cable Box on.
Menu Screens will need to be reloaded and may take up to 20 seconds to see.
I also read on a cable filter site: "The trick is that you have to press the buttons at least 4 or 5 times to actually reset and erase the memory of the box." Whether or not that will somehow help fully erase the box I don't know. In no way am I implying that you can erase the PPV order history.
Should you try to reset in an attempt to clear your PPV order history, please be aware that most of what I've read on digital filter sites is often refuted by hackers. Ordinary people who fall for the outrageous claims promoting digital filters usually end up making a post like this:
[ I reset my SA3250HD box and all the history went away, no past, present, or pending. I left the filter off so my provider could read the box so they wouldn't cut it and a couple of days later all of the PPV appeared on my bill. How do you clear all memory? Why did this still happen? ]
Concerning the SA4200 operating system:
The iO-TV set-top box is a computer that is connected to Cablevision's network using an operating system called Power-TV. The operating system is not obvious to the iO-TV user, but it is the key application that stitches together the hardware at Cablevision with the set-top boxes in your home.
OK now some interpretation about box modifications. As I've mentioned, I do not know how to modify the box (yet).
From what I've read, late 2004 is when the box was first hacked (in Europe). The hackers physically removed several chips from the box, in order to reprogram the box key and net id. They also had dumps of modified chips. The chips that were removed were reprogrammed with the dumps available at the time (which I could not find). Also, I looked in my box and I could not find the exact chips referenced in numerous tutorials (the box I am working with is different; more on this in a sec). I did find similar chips, and they are very tiny and/or have many pins. While removing the chips might be easy, reprogramming them requires a lot of work and I cannot see any way to replace them once they are reprogrammed. They are so small, and soldering would require a really steady hand and probably professional equipment.
The bottom line is that even if you do all the work to reprogram the SA4200, you'd need to make a substantial investment. The only way it could be financially sound is if you already had the equipment (Electrician) or you were selling the modified boxes. As I'm not interested in that, I have not spent the money to buy reprogrammers, fine tip soldering iron, somebody's steady hand, etc.
It's notable that in Europe they use the Scientific Atlanta Explorer 4200DVB. DVB is the type of content protection system. So any directions you follow in Europe will not work in the West because the boxes are different internally. For example, my box is not DVB, and some chips are (labeled) different. How different, I don't know.
.END PART 1 OF 2.
New member. Username: Klaus_hasburg
Post Number: 2
Also! I took many macro pictures of the inside of a Scientific Atlanta 4200. Specifically an SA4200, SD, from New York, United States. I uploaded some to flickr, and you can check them out:
My flickr profile is my PGP key, which I will also post at the end of this message:
If you want all the pictures, original size, and my PGP key, you can download the zip:
md5 - a21f6f9e75f46eb1f0d9b1b2e9252a6e
Look at the overview.
On the upper right hand side you will see that the mainboard is identified as Scientific Atlanta Explorer 4010 SD/J. It's possible that the inside of your box is different, even if you have an SA 4200, in the United States, even in New York. I don't know about the various SA 4000 series revisions, and I can only guess there are other similar mainboards inside other SA4200s.
On the lower right side, you should see an uncovered rectangle metal box. A closeup of this box is labeled as U1 (the next picture), after the chip inside the box, AD8325, identified on the board as U1. By partially disabling the AD8325 chip you can disable the talkback signal. Apparently there are many ways to disable the talkback signal, and they all involve doing something in that box. Unfortunately the few other SA4000 series pictures I have seen are dissimilar from my own, with the exception of that chip.
The tutorials I have on modifying the SA4200 chips are sparse, and written for the United Kingdom. The tutorials were originally Word documents, and I converted them to PDF format. The originals used to be available at an underground site for hackers in the United Kingdom:
Unfortunately I'm told that world-of-digital recently started over, and there is a lot of good information that for now is lost.
You can download the PDF format zip here:
md5 - 816eabf6ab49a4a7ed21e86cd826f51e
BTW I don't understand much of the information in the UK tutorials. It's a slightly different dialect. They say stuff like "go down to maplins" and "modify your ird and your bk with lp" Well, whatever!
So now you've about reached the end of what I know. So here is what I would like to know.
Is it possible to reprogram the SA4200 without de/resoldering chips?
Can anyone identify the chips I took pictures of, and tell everyone what they do?
Specifically, which chips hold the subscriber memory? PPV memory?
I wonder if there is a way to save the state of the box, and then "roll" it back.
Or maybe to disable writes to certain chips. Make them temporarily read only?
It seems like an easier solution than dumping the contents and hex editing, etc.
I have read several posts from people in the United States using subbed Scientific Atlanta 4200 boxes in an area not where the box was originally subbed, and as a result the box is "unlocked" and they get the premium channels. _How_ is that possible? I know that Cablevision and other providers use encryption. But doesn't each channel have a key? Doesn't the box have to learn the key for each channel? Why would a cable company use the same key for every channel?! Am I being naive?
I remember that analog boxes had an obvious flaw that digital was supposed to correct, specifically the scrambling for every channel was done with the same method. Digital is supposed to have different keys for each channel. Now, assuming this is NOT the case, due to cost, or whatever, wouldn't it be possible to do the same bypass with digital that you could do with analog?
Subscribe to some encrypted channel, 13, on your subbed box.
Get a digital tuner and tune it to the channel you actually want to receive. Then send that sig out to a modulator which can set its sig out to the frequency for channel 13 (instead of channel 3), and that modulator goes to sig in on your subbed box, and your subbed box decrypts any channel while under the impression that it's tuned to channel 13.
Spoofing/damaging the talkback protocol (instead of disabling) seems interesting, but it seems overly complicated, and I wonder if there is a better way like what I described above. Related to this matter:
I read a post on network54 where someone named Taher says that if you change the MAC on the Scientific Atlanta 2200, the box loops the headend and can't be deactivated. He doesn't say how any of this is done. I'd like to know how he changes the MAC, even if what he's saying won't work. I've e-mailed him twice over several months, but haven't heard back (neither has anyone else).
I have read several important posts on network54 from someone named Phred. Besides hacking SA firmware, he cites an attack where you (could?) "Learn the protocol, and send a fake "Collect" command to the box, and fake the record (if it exists)." He seems quite intelligent, but no longer active (the post was from 1 year ago). If anyone knows him maybe you can convince him to review this post!
^ all-forums requires a membership and you must wait 15 days and then be vetted for cable forum access.
E-mail me if you know something, and please post in a forum as well. FYI, I do not check my yahoo account that often. I am looking for forums that are discussing the U.S. version of the SA4200, not the SA4200DVB forums. Thanks
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Klaus Hasburg <klaus_hasburg [at] yahoo.de>
-----END PGP PUBLIC KEY BLOCK-----
.END PART 2 OF 2.