Overview

This guide has been designed as an educational aid for the enthusiast interested in
Analogue Cable, Digital cable and Satellite TV technology.

Contributions have been made from many different sources including

www.dragonalfa.co.uk/shop/ and the editorial team gratefully acknowledge their
support and assistance.

The scope of the help file attempts to provide a point of reference to both the new
and the experienced enthusiast. With this in mind, the documentation is constantly
being updated and new versions will be released as fresh information becomes
available.

This documentation has been compiled from various resources on the Internet.
Wherever possible the original authors have been acknowledged and credited as
the source and for their contributions.

Please see the Credits and the Resources sections for further information,
websites and links.

GO TO JAIL WARNING:
Tampering with cable boxes to receive Pay TV signals without paying for
them is illegal in most countries. The information here should be used for
test purposes only.

Getting Started
Before you start you should browse through the different sections of this help
documentation and try to become familiar with the terms and expressions used
throughout these pages.

There is a detailed glossary which will help you understand any technical
expressions and terms used within the documentation.

You should also equip yourself with some basic tools, software and equipment.

Most of the items you need can be purchased from www.dragonalfa.co.uk/shop/

such as card programmers and software but some tools that will be needed are as
follows
Basic tools you will need:
• A soldering iron, solder and flux
• A De-solder gun and de-solder braid (optional)
• Screwdrivers
• A Pic/card Programmer
• Pic Chips and/or cards
• An electrical tester (optional but worthwhile).
• Common Sense and patience

Digital Introduction
This section covers the Cable Decoders for the
Digital cable system. Most of these are
manufactured by PACE.

There is another section on Analogue Cable

decoder systems. Please ensure you are reading
the correct section for your Cable Decoder
before proceeding.

Before attempting to make any modifications to a decoder it is important to become

familiar with the terms used and the internal mechanics of how the system works to
transfer and decode/encode the transmissions..

Please read the information on Talkback and Rom Cards in order to gain some
familiarity with these terms.

Also use the Glossary to look up the meaning of any terms and technical jargon.

Please Note:
The tutorials described here are broadly similar for each different model. However
each model will have subtle differences so it is recommended you consult the
technical specifications for the model on which you are working before attempting
to implement any modifications.

What Not To Do
Never attempt to modify any decoder whilst it is connected to a mains
supply!
 • There is a risk of serious electric shock which could prove fatal. Always
ensure the decoder is disconnected from the mains supply and the plug
removed from the wall.
• Do not use any tools which are not suited to the purpose of electrical work.
• Never allow children to connect your test equipment to a mains supply
• Never allow children to adapt any electrical components or decoder boxes.

Safety Precautions
• If possible wear appropriate rubber soled shoes in case of surplus static
current.
• If possible obtain an anti-static strap and wear this whilst working on
electrical components, even when the test unit is disconnected from the
mains
• Always earth yourself by touching a metal surface before touching any
electrical components - this will remove surplus static from your body.
• Only use tools which are appropriate for the task you are attempting.
• Keep small children and pets away from your work area and test equipment.

You should not attempt any modifications on a rented digital decoder.

Only modify a box you own. They can be purchased from online auctions or
through the classified adverts sections of newspapers.

You should not attempt any modifications on a ROM Card without making a
back-up of the original data within the card.
For details on ROM and ROM cards see the Card Information section

Tip:
Using a digital splitter with a rented box and a modified box will mask the signal
from the modified box which has had Talkback disabled.

Digital Box Types

There are a number of different models for the Digital cable decoder. They are
generally manufactured by Pace and all of them look similar to one another.
However, the internal board layouts are somewhat different for each model.

The different models are released in series and the higher the number the more
recent the release of each model series.

The Pace series digital decoder models are:

The Pace Ditv1000 series

Pace DITV1000
Pace DITV1010
The Pace Ditv2000 series
Pace DITV2000

The Pace Ditv4000 series

Pace Di400N
Pace Di4001N
Pace Di4010N

These are available from www.dragonalfa.co.uk/shop/ including some of the tools

you will need, I contacted the store and they were able to email me the software.

About Digital Decoder ROM Cards

The cards which come with the Digital Decoder box (or are married to the box) are
called ROM cards. There are different versions of the ROM cards.

UK suppliers, namely NTL and

TeleWest, support Rom7, Rom10 and
Rom11 cards. "ROM" is the type of card
you will have if you own a digital
decoder which has been supplied by
either of these.

The ROM cards are pre-encoded by the

manufacturers using software provided
by NagraVision. You can see this on the
rear of the ROM card.

To edit the card, a software package is available called Nagra edit. This is not
provided by NagraVision but is generally available through Internet Discussion
Forums.

At the time of writing nagra edit software

only supports Rom10 cards. Rom11 is
newer and currently is not supported.
Rom10 is the only card which can be
MOSC'D (modified) to receive all
channels.

Most modern boxes will have Rom11

cards which can be MOSC'D (modified)
and can be copied from the ROM11 and
used in a ROM10 card.
Use of a computer, card programmer and nagra edit software will tell you the ROM
version of a card. This information is very useful before thinking of making any
modifications to the digital decoder.

Important Note:
Always take a back-up copy of your ROM Card
before attempting any modifications. This can be
done by using Nagra edit to back-up the card.

Understanding Talkback
Talkback is a way for the cable company to be able to tell the box is online and is
also used for interactive services.

The box will communicate with the cable company and ask for permissions such as
access to the channels.

By disabling the Talkback function the box no longer communicates with the cable
company and asks permission. Since the box no longer communicates with the
cable company it is unlikely the cable company will know it exists.

However, if a rented box stops communicating then the cable company will suspect
it has been modified, since they keep an accurate log of all box communications on
their system.

Similarly, if a box which has been modified to receive all of the channels
communicates with the cable company, they will identify it as an illegal attempt to
steal their Pay TV services and trace its source.

There are a few ways to modify the box to prevent Talkback. This involves cutting
a track inside the tuner part of the box or lifting a leg of a component.

Both methods disable the unit from using Talkback.

There have been rumours of a filter which means no internal modifications are
necessary. Allegedly this can be put in line with the cable which comes in from
white cable box on the wall and into the back of the digital receiver. However, at
the time of writing these are only rumours and are unconfirmed.

Ditv-1000 - Things you will need

There are two stages to modifying a Pace digital decoder. The first stage is to
modify the hardware (the decoder itself) and the second is to modify the ROM card
using a computer, a card programmer and some special software.

Hardware/Tools
• Pace Ditv1000 cable box
• ROM 10 Card – preferably married to the box
• A Digital Splitter (optional but recommended).
• Smart Card Programmer - preferably with 3.68mhz crystal fitted.
• Small tip Soldering Iron and solder (or sharp craft knife)
• Screwdriver

Software:
• Lib debug software
• Tw.cfg – the hex file
• Nagra Edit 3 – Software
• Getbox PC2 – to get the box key (Non-Rom 10/Rom 11 cards)

Some Alternatives:
• You can also write to your card in the box, using a modem lead straight into
your computer using the RS232 Ports and a software application called cam
whistler.
• You will need:
• A Modem cable for box to computer editing using the RS232 Ports and
software
• Cam Whistler Software

Ditv-1000 - Modifying the Hardware

Getting Started
There are two stages to modifying a Pace digital decoder. The first stage is to
modify the hardware (the decoder itself) and the second is to modify the ROM card
using a computer, a card programmer and some special software.

Remove the Cover

Remove the Tuner
Disable Talkback
Reassemble the Tuner
Replace the Cover
IMPORTANT:
DO NOT CONNECT THE BOX UP TO THE MAINS YET! THIS IS ONLY THE FIRST STAGE. ONCE YOU HAVE
COMPLETED THE ABOVE MODIFICATIONS YOU NEED TO COMPLETE STAGE TWO.
DiTV-1000 - Removing the Cover
Clear a work surface and gather your tools. Place the Pace DiTV 1000 box on your
work surface. Ensure it is not connected to the mains and if it is then disconnect it
and unplug it from the wall. Unscrew the box and remove the cover.

Image (1) - Models DiTV1000 and DiTV 4001

The rear of the decoder will look different depending on the model series you are
working with. The procedure for removing the screws is much the same.

You will need a tamper-proof screwdriver to remove the screws or possibly an

hexagonal bolt remover. Put the screws to one side in a safe place or in a plastic
bag so you do not lose them. You will need them again to put it back together.

The above Image (2) illustrates the location of the screws to be removed.

Once the screws have been removed you will be presented with the internal
mechanics of the decoder. You should see the tuner and main control board.
Depending on the model series of the decoder the layout may be different.
Image (3) - General view of the board once the case is removed

Ditv1000 - Removing the Tuner

Once the cover has been removed the next step is to remove the tuner.

The first step in removing the tuner can

is to gently prise up the tuner can shield
with a screwdriver.

The shield can be located on top of the

tuner can.

Be very gentle with the screwdriver.

Image 1 - prise up the tuner can shield

Identify the tuner can then identify the

tuner can retaining screw - see image on
the left.

Unscrew the silver screw holding the

tuner in place. This will allow you to
easily unplug the tuner device. It should
pull out very easily.
Put the screws in a safe place or in another plastic bag so you do not lose
them.

Carefully unplug the tuner from the side of the tuner can.

When pulling out the tuner can be careful not to force it or dislodge anything.

You will need to put it all back together again when the final modifications have
been made.
Image 2 - Tuner Retaining Screw

Next you need to take of the side of the tuner. To do

this there is a little twist locking lug. (See Image 3)

Carefully twist the locking lug until it allows the tuner to

move freely. Use a pair of long-nosed pliers but be
careful not to snap the locking lug.

Image 3 - Twist the Tuner Twist Locking lug.

Top view of the Tuner can once it has been

removed from the case.

The images were captured and supplied by

buffs

Top View of the inside of the Tuner Can with

the Tuner Cover Removed.

The images were captured and supplied by

buffs

Disabling Talkback
The box sends and receives information from the cable company. This is known as
Talkback. To disable some modifications need to be made to the tuner board. This
is done after removing the tuner and gently taking off the cover.

Cutting the track

To disable Talkback you will need to cut a track on the board or you can lift the leg
of the component above the track cut. You can use a sharp craft knife to cut the
track or a soldering iron to undo the component leg and lift it up.

This image shows the track to cut on

a Ditv4000 Unit.
Alternative to cutting the track is to
lift then leg located directly above the
track cut.

The component is shown here and

the legs are the silver bits (ten of
them on the lower part of the
component).
Image 1 - DiTV4000 Track Cut

This image shows the track to cut on

a Ditv2000 Unit.
Alternative to cutting the track is to
lift then leg located directly above the
track cut.

The component is shown here and

the legs are the silver bits (ten of
them on the lower part of the
component).
Image 2- DiTV2000 Track Cut

This image shows the track to cut on

a Ditv1000 Unit.

Alternative to cutting the track is to

lift then leg located directly above the
track cut.

The component is shown here and

the legs are the silver bits (ten of
them on the lower part of the
component).
Image 3- DiTV1000 Track Cut

This image shows the track to cut on

a Ditv1000 Unit.

The component leg lift on this model is

not clearly identifiable so it is best to
adopt the cut-track method.
Image 4 - DiTV1010 Track Cut

Once the track is cut or the leg lifted the hardware modifications are almost
complete. Double check to make sure you have the track lifted and or the leg lifted.
Now it is time to reassemble the tuner

Ditv1000- Reassemble the Decoder

Having confirmed and double checked the correct track has been cut or the leg
lifted it is time to reassemble the Tuner.

This is done in the same way it was taken apart but in reverse order. Use the
correct screws you removed and put to one side when taking the tuner out of the
box.

Replace the Cover

With the Talkback cut and the tuner refitted you can now replace the cover and
screw it back together using the correct screws you removed and put to one side
when unscrewing the cover.

The next stage will be to modify the ROM card using a card programmer and
Nagra-Edit software.
IMPORTANT:
DO NOT CONNECT THE BOX UP TO THE MAINS YET! THIS IS ONLY THE FIRST STAGE. ONCE YOU HAVE
COMPLETED THE ABOVE MODIFICATIONS YOU NEED TO COMPLETE STAGE TWO.
Ditv1000-Modifying the ROM card
Once the modifications have been made to the decoder hardware, the next stage
is to modify the ROM card using software and a computer.

The procedure for modifying the ROM card depends

on the actual ROM card version. Some can be written
to whereas others cannot. Different versions also use
different software to perform the modifications.
For example, ROM 10 uses Nagra-edit whereas ROM
7 uses a software application called Sorryshakes.

A ROM 10 can be written whereas a ROM 7 and ROM 11 cannot, so can only be
used to obtain the data dumps. An alternative would be to use a Fun Card which
can be written to with the data from any ROM card version. These are less prone
to "Zapping".

Background information on ROM cards and Fun cards

Determine which type of card you have using software

Making the Modifications to your ROM Card

Before you start
Things you will Need
Getting Started
Edit your local area ID
Get the box keys
Programme the data into the card
Configure the decoder

Get the Box Keys Using Libdebug

You can use the Libdebug software to get the box-keys.

• Connect the computer/laptop up to the digital box, using your programmer

lead.
• Once it is connected, load up the libdebug software.
• Load up the .cfg file (e.g. 'tw.cfg') using the drop down menu if necessary.
• FILE > OPEN RECIEVER CONFIG, then point it to the file in question.
• Power on your set top box.
Watch lib debug, you will see it logging data. Once it has finished, if you have your
TV hooked up to the computer and decoder, the TV screen will be black and the
display on the decoder box will be blank.

Click on the following:

1. 'Erase SRAM (U5700)' then click :
2. Execute command,
This will clear the ram, in case you need to reset the Pay Per View password.

Now click on the following:

1. 'Network ID' and then 'Set Network ID', then click:
2. Execute command.
This will set the id to the same as the one you put in the 'tw.cfg'. Obviously this
should be your area id number taken from the list of locations and corresponding
NetID numbers.

Next click on the following:

1. 'Get Network ID', then click:
2. Execute command, in the box on the right
It should bring up your network id number. If it does, power down the box.
Close the LibDebug Software

Tip: You can also use software called alternative software such as boxget_pc to
read the box keys on the card. Once you get the cam id using boxget_pc use
windows calculator to convert from decimal to hex and add it as hex.

Getting Box Keys without a ROM Card

If you do not have an original ROM card for the box the box keys can be obtained
directly from the box. This involves using tools and some careful work with a
soldering iron to remove two eeproms so you can read the box key details from
them.

REMOVING EEPROMS FROM THE

BOX:
To get the boxkey directly from the box
you need to remove two eeproms.
These chips are the ATMEL
AT49LV1614 type.

You would only need to do this if you did

not have an original card with the box.
You will need a programmer to read the
Atmel chips such as the VX VxMulti2 8
Mode Programmer or the VxMulti2 Pro
from http://www.vxtools.com

To get the boxkey from the ATMEL chips do the following:

Make sure you know which chip is which. This is very important so mark one with a
bright marker or some nail varnish. Make sure they are clearly labelled.

Next you need to read and make a dump of each chip. Imagine you labelled the
chips one and two (1 being the front leftmost chip) think of the chip on the left as
dump 1 and the chip on the right as dump 2. This will help you remember which
chip should have which dump file.

Now you have the data it looks like this:

DUMP 2 = 100100000 8734 B143 BF21 8270000000000000000A1
DUMP 1 = 100100000 9653 3342 8687 000900000000000000004D

You can get the boxkey and ird as follows:

Take the 8734 turn it round so it looks like this 3487 (because the 2 bytes staying
together are important). next take the 9653 and switch this around also. you should
get 5396. We now have 3487 5396.
The whole boxkey and ird are 3487 5396 43B1 4233 21BF 8786.

Another Example:
Remove & read both chips ATMEL AT49LV1614
Looking at the box from the front name the dumps for left hand chip dump 2 and
right hand chip dump 1.

For example box Key and IRD are as follows :

1205 5996 and 155B 0F34 FAAB 5D88
Dump 1 right hand chip :1001000005125B15ABFAF8270000000000000000A1
Dump 2 left hand chip :100100009659340F885D000900000000000000004D

Programming the data into the card

This stage is done using the nagra-edit software and a card programmer. If you are
programming a ROM 10 card you need a card programmer with a 3.68mhz crystal.

Step 1
Connect up the card programmer to the laptop/pc. Insert the card and start up the
nagraedit software.
Make sure the power is on to the programmer and card is inserted firmly.

Press CTRL+R on the keyboard or click on where it says Data editor in the nagra-
edit menu. Alternatively click the shortcut icon (circled in blue on the image below).
Any of these methods will read the contents of the card.
Once the card has been read, make a back-up of the data by using the file tab at
the top then selecting save image as. Give it a unique file name and keep it safe.

Once the back-up file has been made it is time to edit the card.

Step 2
Click in the field where it says IRD status in the open nagra-edit window. This will
open the data editor box.

The main keys to find are as follows:

• BOXKEY (Blue arrow on the image example)
• IRD KEY (Orange arrow on the image example)
• CAM KEYS (Purple arrows on the image example)
Using these keys any bin or card can be fully activated.
Check the IRD status of the card
Click on '02 Provider Filter' to check in the IRD status and make some changes if
necessary.
• If irdstatus reads 80 it means the card has been switched off.
• To switch the card back on again change this to the two digits zero zero
(00).

Click on '08 Standard Tier (31) which may or may not have more than 1 tiers. If it
has more than one, start from the top tier. Change the values to the same as the
following, leaving everything else the same.
 Do this for each tier:
IRD Status Byte 10
Rights Identifier 00 DB BD
Expire date 17 00
Rights date 17 00
Min Channel 00 01
Max Channel 7F FF

Configure the Pay per View (PPV) settings

On the far left (above the topmost standard tier (1), you will see a title called
0CSpending Limits (20). Click on this and the right hand side of the screen will
change to another set of input fields.
 • Change the IRD status byte to 00. This turns on the Pay Per View.
• Then change the Credit in cash to 00 00 00.
• Finally change the Debit in Cash to 00 FF FF FF. This will put £65,000 on
the viewing card.
Note: Changing these values will increase or decrease the amount of credit on the viewing
card. It is likely these values will be targeted by ECM (electronic counter measures) so
finding a different set of values would be prudent.

Once all this has been done the data modifications have been finished.

It is time to write the modified data back to the ROM card.

• Go to "card" and select from the drop-down menu >write to card.

The software will now write the modified information to the ROM card.
Once the software has finished writing the data to the card remove the ROM card
from the programmer.

The card modification and writing process is now finished.

Configuring the Engineers menu

Accessing the Engineers menu for the digital box.
Make sure the power is OFF on the decoder and insert the modified ROM card into
the vacant card slot in the digital decoder. To get into engineer menu, make sure
the decoder is connected to the T.V. and the card is inserted.

Boot Up the Box

Take the mains power out of box and when reapplying power hold up and down on
the box, and it will enter the engineers menu.
Note: up/down is NOT channel up and down.

Press and hold the up and down buttons on the decoder then insert the power lead
and switch it on at the mains.

The engineers menu should appear on the screen.

Let go of the buttons when you come to the installations menu.

Set the PIN Number
Once in the installations menu, go down to the bottom and set your PIN number to
one of your own choosing.

Use chan up,down and ok to change the digits, then press tv to store the
information.

It should change to ****

Check the card credit
Check to see if you have programmed the card up properly by going to the smart
card data page and checking the credit.

If it agrees with the amount you coded into the card everything is on schedule.
Reset and test the decoder Move through the engineers menu to page 10 and
do a soft reset.

The box will re-boot.

If all is well, once the box has rebooted and reset itself you will have all channels.

Test this by trying to view a Pay per View Movie. (You may have to order it first)

If it appears on screen the modifications were successful.

Troubleshooting
If the box is from an area different from where you live
On the engineers menu (page 1) change the frequency to the one required of your
area.

If you cannot set the password

You will need to edit the .cfg file using libdebug to suit your local area ID.

DiTV - Local Area Netid Groups

Key
TW Telewest Area
NTL NTL Area

Location NetId Freq

7 Kings 41050 666.750
Ashford 41052
Basingstoke (ntl) 00013 803.000
Bedford 00005 755,000
Belfast (Ireland) 00021 755.000
Birmingham 41011 643.000
Bolton (ntl) 41060 666.750
Bournemouth 41043 666.750
Brighton (ntl) 41044 666.750
Bromley 41041
Cheltenham Glos (1) 40971 433.000
Cheltenham Glos (2) 40971 651.000
Chesham Bucks 41051 666.750
Coventry 00019 811.000
Derby 41056 666.750
Durby 41046
East London 41050 666.750
Edinburgh/Lothian (TW) 40981
Essex NTL 41050
Falkirk (TW) 40981 619.000
Fife (TW) 40981 619.000
Gateshead 40969 571.000
Glasgow (ntl) 00002 755.000
Grimsby (ntl) 00022 755.000
High Wycombe 00013 803.000
Ipswich (ntl) 00011 755.000
Kidderminster Worcs (TW) 40974 130.000
Keighley (TW) 40961 539.000
Leeds 41053 666.750
Leicester (ntl) 00012 643.000
Lewisham 41047
Liverpool 1 - North (TW) 40966 571.000
Liverpool 2 - North (TW) 40965 571.000
Luton 739.000
Maidstone Kent 40976
Manchester 1 (ntl) 41040
Manchester M46 (ntl) 41060 666.750
North Lanarkshire (TW) 40984 619.000
Norwich 41055
Nottingham 1 (ntl) 00008 755.000
Nottingham 2 (ntl) 00008 739.000
Peterborough 41049
Plymouth (TW) 40988 787.000
Portsmouth / Cosham (ntl) 41042 666.750
Solent 41042
South Herts 41051
Stafford (ntl) 00015 826.250
Stockport 41066 666.750
Stoke 41064
Surrey 41045
Sussex 41044 666.750
Solent 41042
Southampton 41048 666.750
South Yorkshire 40964 539.000
Swindon 00006 579.000
Walsall / West Midlands 40974 131.000
Warrington 41060
Washington Tyne & Wear (ntl) 41054 666.750
Watford / Herts (ntl) 41051 666.750
Wearside 41054
Wessex 41043
West Yorkshire (TW) 40961 539.000
West Yorkshire (ntl) 00001 755.000
West London / Middlesex (TW) 40980 539.000
Wigan 40967 531.000
Wirral Merseyside CH41 41048 666.750
Wirral Merseyside CH43 41060 666.750
Wolverhampton (ntl) 40973 131.000
York 41065

Using the CFG Files

To use the .cfg file within this document open up the relevant file and copy all of
the text below the title (without including the title) to the clipboard.

Launch your favourite text editor (e.g. windows notepad) and paste the contents of
the clipboard into the new untitled text file.

Save the text file with the same filename as the title (e.g. tw.cfg) - remembering to
change the drop-down box in the notepad "save as" menu to "all files".

Editing the .cfg file with your local area ID

Tip: You can get your local area ID from the local area ID table

Open up tw.cfg with wordpad. find the lines where it says:

:Network ID
Set Network ID ntl
406141060
Set Network ID
406141060<<<<<<<<<<<< change the last five digits of this to your area id
number.
Get Network ID
4010
Save a copy of the file somewhere safe. It will be needed later.

tw.cfg
******************************************************
* *
* Cable & Wireless Phase 2 *
* DigDebug 2.3 Config File Version 1.8 *
* (c)2003 Bloggs Micro Technology Released xx/xx/xx *
* *
* Written By Fred Bloggs, Test Software Department *
* *
* Version History Phase 1 *
* Ver Date By Comment *
* 1.1 08/03/99 Initial Version *
* 1.2 28/05/99 Various commands added *
* 1.3 07/07/99 Various commands added *
* 1.4 16/07/99 MCNS Tune command for build 45.2 *
* 1.5 21/09/99 Channel select command added for *
* Nagra playout. *
* 1.6 22/12/99 Renamed some commands *
* *
* Version History Phase 2 *
* 1.1 25/01/99 SW Various commands added *
* 1.2 17/02/99 SW Various commands changed see *
* Testtask spec version 1.5 *
* 1.3 28/02/99 SW Key responses changed for '9' *
* 1.4 03/03/99 SW Command to tune DVB signal on *
* MCNS system *
* 1.5 10/04/00 SW 'R' commands modified to include *
* factory feed or true MCNS *
* This version of 1.5 will only *
* work with digdebug v1.8 *
* 1.6 16/05/00 SW 'X' command now does CRC in pairs *
* 1.7 27/06/00 SW '3' SDRAM test not applicable *
* will return '22' *
* 1.8 08/08/00 SW Network ID command now 5 bytes *
* *
* Version History NTL MCNS Phase 2 *
* Ver Date By Comment *
* 1.0 20/10/00 SW New name for CWCPH2 *
******************************************************
This Digdebug config is used to test the interface for
the Cable & Wireless digital unit.
It is for use with the Windows 95 DigDebug.exe program
This file should be be read in conjuction with the spec for testtask
comms for Cable & Wireless receiver
Usage Notes:
Packet format:
Byte: 1 2 3 4 5 6...
Content SYNC,SYNC,COMMAND,LABEL,BYTECOUNT,DATA...
where:
SYNC is 0xB1
COMMAND is product specific command code
LABEL is currently always zero but in future may have the MSB of BYTE count
BYTECOUNT is num of bytes in data field
DATA is a variable num of bytes depending on packet
so smallest packet is 5 bytes (bytecount=0)
Sections in the file start with a tag in column 1 ie *COMMANDS or *RESPONSES
then the data follows in pairs of lines
for commands it is :
line1:description seen in window
line2:packet (less sync,sync)
note that the software recalculates the byte count before transmission so
although is is needed as a placeholder it can be left at 0.
for responses:
line1:is received bytes to match (less sync,sync)
line2:is message for response window
Packets in the both lists do not have the sync sync,
its hard to type it in the software adds it for you.
to insert user text into a packet add *(TXTPrompt) in the packet where
definition Prompt is the text used on the input window which will
pop up for you to enter the text
There is a special packet that does not get sent to the product
it is d015 which causes the software to wait, the delay is specified
by the last digit, in this above example a 5 sec delay is set.
to spec a value > 9 use the ascii char where char code= val+48d i.e. d01D=20
Multiple packets can be specified by a space in between and hence
spaces cannot be used inside packets.
special escape sequences can be used at present they are as follows:
\r replaced by char 13d
\n replaced by char 10d
*COMMANDS
Start Test (Done Automatically)
000
Version Number
200
Product ID
:00
Tune to PMF Test
Q0;06907506952 d012 O0@0908090A09080000
Erase SRAM (U5700)
G00
:RS232 Tests
RS232 RTS low
1010
RS232 RTS high
1011
:Memory Tests
Memory Test - Flash
3010
Memory Test - SDRAM
3011
Memory Test - BCM3250 SDRAM
3012
Memory Test - CL9300 SDRAM
3013
Memory Test - GTX DRAM
3014
Memory Test - SRAM
3015
:Network ID
Set Network ID ntl
406141060
Set Network ID
406141060
Get Network ID
4010
:Audio
Left Audio Attenuation On
50510010
Right Audio Attenuation On
50510001
Left+Right Attenuation On
50500011
Left + Right Attenuation Off
50510000
Left+Right Half Volume
50505000
Mute
C011
Un-Mute
C010
:LED Control
LED Control - All ON
70:7?7?7?7?71
LED Control - 55
70:5500000000
LED Control - All OFF
70:0000000000
LED Control Colon On
70:0000000001
:IR and Key Controls
IR Front Panel Test
8010
IR Rear Test
8011
Enable Keys
9011
Disable Keys
9010
:Card Tests
Mondex Init (Do this first!)
A014
Reset Nagra Card
A010
Mondex Reset
A012
Nagra Card Test
A0<1Ý1234567890
Mondex Test
A013
Nagra (Bottom) Detect
B010
Mondex (Top) Detect
B011
:I2C Test
Verify IIC Channels
D00
:Real Time Clock
Read Real Time Clock
H010
Reset Real Time Clock
H011
:Parallel port
Parallel Port Walking '1's
I010
Parallel Port Reset Chip
I01E
Parallel Port Read Status
I01F
:Tuner Status
MCNS Status
K00
DVB Status
L00
DVB Lock+BER
M0200
MCNS Lock+BER
M0210
PCR Lock
N00
:MCNS Tune
Tune to MCNS 331MHz (Low Level)
R0=0331000695211
MCNS 586.750 MHz
R0=0586750695211
MCNS 309.250 MHz
R0=0309250695211
MCNS 586.750 MHz (64 QAM)
R0=0586750695211
MCNS 586.750 MHz (256 QAM)
R0=1586750695211
Tune + Lock 8.0 MHz DVB on MCNS
R0=0690750695200
603MHz QAM 256(BER) DVB on MCNS
R0=1603000695200
MCNS BER 683.000 MHz
R0=0683000695211
Tune to MCNS 830MHz(BER)
R0=0830000695211
MCNS 830 64QAM
R0=0830000695211
:DVB Tune
BER DVB 495.250 MHz (low)
Q0;04952596952
Tune to DVB 760MHz(BER)
Q0;07600006952
Tune to 603MHz QAM 256(BER)
Q0;16030006952
Tune to DVB 309.250MHz(Low Level)
Q0;03092506952
Tune to DVB 690.750 MHz(Playout)
Q0;06907506952
Tune to DVB 666.750 MHz(Nagra1)
Q0;06667506952
Tune to DVB 462.000 MHz(Nagra2)
Q0;04620006952
Nagra Playout
Q0;06667506952
Tune IRDETO
Q0;05061505728
:PIDS
ITV
O0@0200028A1FFE8191
Channel 4
O0@0B060B070B028191
Film Four
O0@0B090B0A0B028191
ITV2
O0@0B030B040B018191
BBC1
O0@0258025902588191
BBC2
O0@0262026302628191
News24
O0@0280028102808191
NDS Encoder PID
O0@020002811FFE0000
Trouble (690.750MHz)
O0@0908090A09080000
Bravo (690.750MHz)
O0@00F100F200F10000
Living (690.750MHz)
O0@00D300D400D30000
? (690.750MHz)
O0@00DD00DE00DD0000
:Channel Command
Channel 1
U03001
Channel 2
U03002
Channel 3 (Nagra Card)
U03003
Channel 4 (Free)
U03004
Channel 5
U03005
:CIM Tone
CIM 8MHz Tone Full Amp
P0?081000710040001
CIM 10MHz Tone Full Amp
P0?101000710040001
CIM 8MHz Tone Half Amp
P0?081000350040001
CIM Power Down
P0?081000660040000
CIM Power Up
P0?081000660040001
MCNS 8MHz Tone
P0?081000660040001
MCNS 20MHz Tone
P0?201000660040001
:Cable Modem
Start Cable Modem
S010
Cable Modem Status
S011
:Ethernet Test
Ethernet Test
V00
:Read Nagra / MAC
Read Nagra Serial No
=010
Read MAC address
=011
:Teletext Controls
TeleText Page On
>011
TeleText Page Off
>010
:Banner Controls
RGB Banner On
?011
Test Banner WHITE
?01W
Test Banner BLACK
?01L
Test Banner Off
?010
:Scart Controls
Scart Routing IRD - TV Composite
*010
Scart Routing IRD - TV RGB
*012
Scart Routing VCR - TV Composite
*016
Scart Routing VCR - TV RGB
*018
TV Pin8 0V
+010
TV Pin8 6V (16:9)
+011
TV Pin8 12V (4:3)
+012
VCR Pin 8 Status
+013
:Flash Tests
Flash1 Sector(U5600)
!010
Flash2 Sector(U5601)
!011
Flash3 Sector(U5602)
!012
Flash4 Sector(U5603)
!013
Flash ID U5600
!014
Flash ID U5601
!015
Flash ID U5602
!016
Flash ID U5603
!017
Flash1 U5600&U5601 Checksum
X010
Flash2 U5602&U5603 Checksum
X011
:GTX Tone
GTX Tone 1KHz 100 Amp
%0310A
GTX Tone 1KHz 90 Amp
%03109
GTX Tone 1KHz 80 Amp
%03108
GTX Tone 1KHz 50 Amp
%03105
GTX Tone 500Hz
%03059
GTX Tone 100Hz
%03018
GTX Tone 0KHz
%02000
:UHF Tune
UHF 21 Output
)0521000
UHF 21 Test Pattern
)0521100
UHF 38
)0538000
UHF 38 Test Pattern
)0538100
UHF 69
)0569000
UHF 69 Test Pattern
)0569100
UHF 21 +10db
)0521001
UHF 38 +10db
)0538001
UHF 69 +10db
)0569001
:AK4319
AK4319 Power Down
,010
AK4319 Power Up
,011
:LED Misc
7-Seg 1
70:4000000000
7-Seg 2
70:0100000000
7-Seg 3
70:0200000000
7-Seg 4
70:0400000000
7-Seg 5
70:0800000000
7-Seg 6
70:1000000000
7-Seg 7
70:2000000000
7-Seg 8
70:8040000000
7-Seg 9
70:8001000000
7-Seg 10
70:8002000000
7-Seg 11
70:8004000000
7-Seg 12
70:8008000000
7-Seg 13
70:8010000000
7-Seg 14
70:8020000000
7-Seg 15
70:8080400000
7-Seg 16
70:8080010000
7-Seg 17
70:8080020000
7-Seg 18
70:8080040000
7-Seg 19
70:8080080000
7-Seg 20
70:8080100000
7-Seg 21
70:8080200000
7-Seg 22
70:8080804000
7-Seg 23
70:8080800100
7-Seg 24
70:8080800200
7-Seg 25
70:8080800400
7-Seg 26
70:8080800800
7-Seg 27
70:8080801000
7-Seg 28
70:8080802000
7-Seg 29
70:8080808010
7-Seg 30
70:8080808020
7-Seg 31
70:8080808040
Notes For Responses:
responses have a packet to match and the message to display
when it is found. The sync,sync is not included in the file
but is taken care of by the software.
A special packet field TEST should be included which is matched
if the AT command and response is found. The AT and response to
initiate testtask is handled automatically when a receiver is powered up
while connected to a PC running the software.
Another special field DELAY is matched when the special delay packet
is sent.
In general leave these entries alone.
To include decoded values out of the packet in the response window use
%hxy in the text line where x is the position of the value in the
received packet (1st char is number 0 and count should include 2 for sync,sync)
and y is how many to use for the value ie 1 byte, 2bytes, 4bytes
see existing entries for example.
note that the packet must use 'funny hex' ie 0123456789:;<=>?
to spec a value > 9 use the ascii char where char code= val+48d i.e. D=20
To help with decoding the matched bytes are only matched up to the length
in this list.Once a match has been found the process stops. This means
that you can give some fully decoded entries ie 1010 and 1011 and then
give a 'catch all' entry ie 101.
*RESPONSES
TEST
Receiver TestTask Started
DELAY
Waiting %h71 secs
GOTO
Next...
PASS
Receiver Passed
FAIL
Receiver Failed
CERR
Comms Error
000
Receiver Tests Initialised
1010
CTS low
1011
CTS high
20
SWare & HWare Version
30500000
Flash Pass
303122
SDRAM Test Not Applicable
30220
BCM3250 SDRAM Pass
303300
CL9300 SDRAM Pass
3044000
GTX DRAM Pass
30250
SRAM Pass
50
Audio Control
404
Network ID
700
LED Control
8011
IR Fail
8010
IR Pass
900
Enable/Disable Keys
9041321
Channel Up (Pressed)
9041331
Channel Down (Pressed)
9041421
OK (Pressed)
9041431
Menu Left (Pressed)
9041451
Menu Up (Pressed)
9041441
Menu Right (Pressed)
9041461
Menu Down (Pressed)
9041381
TV (Pressed)
9041391
TV Guide (Pressed)
9041521
Services (Pressed)
9041411
Favourites (Pressed)
9041281
Standby (Pressed)
9042571
Volume + (Pressed)
9042581
Volume - (Pressed)
9042621
Red (Pressed)
9042631
Green (Pressed)
9042641
Yellow (Pressed)
9042651
Blue (Pressed)
9042771
Up (Pressed)
9042761
Right (Pressed)
9042781
Down (Pressed)
9042751
Left (Pressed)
9040491
1 (Pressed)
9040501
2 (Pressed)
9040511
3 (Pressed)
9040521
4 (Pressed)
9040531
5 (Pressed)
9040541
6 (Pressed)
9040551
7 (Pressed)
9040561
8 (Pressed)
9040571
9 (Pressed)
9040481
0 (Pressed)
9042791
? (Pressed)
9042591
Mute (Pressed)
9041320
Channel Up (Released)
9041330
Channel Down (Released)
9041420
OK (Released)
9041430
Menu Left (Released)
9041450
Menu Up (Released)
9041440
Menu Right (Released)
9041460
Menu Down (Released)
9041380
TV (Released)
9041390
TV Guide (Released)
9041520
Services (Released)
9041410
Favourites (Released)
9041280
Standby (Released)
9042570
Volume + (Released)
9042580
Volume - (Released)
9042620
Red (Released)
9042630
Green (Released)
9042640
Yellow (Released)
9042650
Blue (Released)
9042770
Up (Released)
9042760
Right (Released)
9042780
Down (Released)
9042750
Left (Released)
9040490
1 (Released)
9040500
2 (Released)
9040510
3 (Released)
9040520
4 (Released)
9040530
5 (Released)
9040540
6 (Released)
9040550
7 (Released)
9040560
8 (Released)
9040570
9 (Released)
9040480
0 (Released)
9042790
? (Released)
9042590
Mute (Released)
A00
Smart Card
D06000000
IIC Pass
G010
SRAM erased
D05
IIC Fail
V03000
Ethernet Pass
E010
SPI Pass
E011
SPI Fail
B010
Card Detect (Out)
B011
Card Detect (In)
A010
Card Reset/Test Pass
A011
Card Reset/Test Fail
C00
Mute Control
K0G0
MCNS Status (Locked)
K0
MCNS Status
L0G0
DVB Status (Locked)
L0
DVB Status
M0
BER Rate
Q00
Tuner set
O00
PIDs set
*00
Scart Control
+00
Direct Pin Control
H0:
Real Time Clock Read (Day%h;4 %h91%h:1:%h71%h81:%h51%h61)
)00
Modulator initialised
P00
MCNS Tone
R00
MCNS Tune
=0
Nagra / Mac numbers
?00
Test Banner
,00
AK4319 Control
%00
GTX Tone
>00
TeleText
N010
PCR Lock
N011
PCR No Lock
I011
Parallel Port Fail
I010
Parallel Port Pass
S010
Cable Modem Started
S011
Cable Failed to Start
S02ZZ
Not Started/No Failures
!04c01f
FLASH ID Match
S02AZ
DS Channel Scan
S02UZ
UCD
S02MZ
Map
S02BZ
Ranging - Broadcast
S02NZ
Ranging - Multicast
S02DZ
DHCP
S02TZ
TOD
S02SZ
Security
S02CZ
Config File
S02RZ
Registration
S02PZ
Privacy
S02OZ
Operational
U00
Channel Change

How to Convert Your IRD # and Other

Numbers to Hex
You will need to know how to convert your ird# to hex for several reasons, tsop
editing, programming plastic, and simlar reasons. It may sound complicated but it
is not.

First a word of caution:

DO NOT EVER GIVE YOUR IRD# OR BOXKEYS TO SOMEONE YOU DO NOT
KNOW!!!!!!!!!

Getting started:
Your ird# can be found by looking on the back of the receiver.

It is on the white sticker and looks similar to R0012345678-10.

You can also find it on the ird’s system information screen.

Step 1
Open windows Calculator.

Click VIEW then SCIENTIFIC

You should get this. Make sure Dec is selected.

Step 2
Look at the ird#.

You need to enter the numbers between R00 and the -.

Example>>>R0012345678-10<<<

Just input the red highlighted numbers.

Step 3
Click the Hex button.

In this example you get the hex equivalent of BC614E.

Step 4
Since ird#’s have to be 4 bytes (8 digits) long and this is only 3 bytes (6
digits) long what do we do now?

Well this is where it gets complicated

Add 0’s (that is zeros not the letter o) to the beginning until its 4 bytes long.
Example>>>00BC614E<<<.

This is the hex equivalent you will use.

Another example:
If the result is 2B4DC46, this is only 7 digits, so you must add a 0 to the beginning,
making it 02B4DC46.
Finish
You can convert other numbers in the same way.

Use this for all your conversion needs.

Just remember if the converted number is too short add 0’s (that is zeros) to the
front until it is long enough.

That’s it. You are done.

You are now an expert and can tell others how to do it.

Card and Pic Programmers

Elvis multi-programmer
Elvis Card/Pic Programmer

These can be used to read a ROM 10 card but it may

not write to it. However it will write to a fun card using
the information you get from reading the ROM card.
Tip provided by JPM646

The Elvis programmer can also be used to programme

the hex pic chips for Analogue Cable boxes. The chips
are usually 12C509 pics.

The Elvis programmer usually has a 3.58mhz crystal

but some versions are dual functional.

The superb Elvis Multi-Programmer 3.5 from Ad-Teknik will program all the
funcards, gold cards and silver with no special loader.

The Elvis is fully software controlled, 9V battery powered, has an External PSU
socket and software.

Average price is £45.00+VAT and Postage costs.

The Clanzer Minisdk
Clanzer Minisdk
 Clanzer's miniSDK can both read ROM 10's as
well as read and write all versions of the
funcards.

The Zeus Programmer

The Zeus will programme the fun cards and read the
ROM cards.

It is a very popular and reasonably priced card

programmer.
Phoenix Smartmouse
Phoenix/Smartmouse

Connects to a PC thru a serial port, and is used for

communicating with a smartcard / funcard.

About Digital Decoder ROM

Cards
The cards which come with the Digital Decoder box (or are married to the box) are
called ROM cards. There are different versions of the ROM cards.

UK suppliers, namely NTL and

TeleWest, support Rom7, Rom10 and
Rom11 cards. "ROM" is the type of card
you will have if you own a digital
decoder which has been supplied by
either of these.

The ROM cards are pre-encoded by the

manufacturers using software provided
by NagraVision. You can see this on the
rear of the ROM card.

To edit the card, a software package is available called Nagra edit. This is not
provided by NagraVision but is generally available through Internet Discussion
Forums.
 At the time of writing nagra edit software
only supports Rom10 cards. Rom11 is
newer and currently is not supported.
Rom10 is the only card which can be
MOSC'D (modified) to receive all
channels.

Most modern boxes will have Rom11

cards which cannot be MOSC'D
(modified) but the box key can be copied
from the ROM11 and used in a ROM10
card.

Use of a computer, card programmer and nagra edit software will tell you the ROM
version of a card. This information is very useful before thinking of making any
modifications to the digital decoder.

Important Note:
Always take a back-up copy of your ROM Card before attempting any
modifications. This can be done by using Nagra edit to back-up the card.

About Digital Decoder ROM Cards

The cards which come with the Digital Decoder box (or are married to the box) are
called ROM cards. There are different versions of the ROM cards.

UK suppliers, namely NTL and

TeleWest, support Rom7, Rom10 and
Rom11 cards. "ROM" is the type of card
you will have if you own a digital
decoder which has been supplied by
either of these.

The ROM cards are pre-encoded by the

manufacturers using software provided
by NagraVision. You can see this on the
rear of the ROM card.

To edit the card, a software package is available called Nagra edit. This is not
provided by NagraVision but is generally available through Internet Discussion
Forums.

At the time of writing nagra edit software

only supports Rom10 cards. Rom11 is
newer and currently is not supported. Rom10 is the only card which can be
MOSC'D (modified) to receive all channels.

Most modern boxes will have Rom11 cards which cannot be MOSC'D (modified)
but the box key can be copied from the ROM11 and used in a ROM10 card.

Use of a computer, card programmer and nagra edit software will tell you the ROM
version of a card. This information is very useful before thinking of making any
modifications to the digital decoder.

Important Note:
Always take a back-up copy of your ROM Card before attempting any
modifications. This can be done by using Nagra edit to back-up the card.

Know Your Cards

The card is known as the CAM – Conditional Access Module. Also called the
Smartcard. This card can be removed from the IRD and interacts with the signal
emitted by the satellite or cable system and in return allows the IRD to be
programmed. If you do not understand a technical term or expression, use the
glossary to find out what it means.

There are different types of CAMs:

ROM2:
This type of card (relatively old) can be reprogrammed in an ISO programmer to
receive every channel without the use of an AVR or Atmega board.
ROM3:
This card replaced the ROM2 for security reasons.

It was also reprogrammable in the same way as the ROM2 due to a malfunction
called a “back- door”.

These were locked by an ECM in July 2001. The ROM3 cards which were not
affected by this ECM are called “open” and can be reprogrammed.

It is possible to “reopen” a card that has been closed by the ECM but usually
dealers and experts do this at great cost.
ROM7:
Model used exclusively by BEV which can not be easily reprogrammed.
ROM10:
Used to replace ROM3 and ROM7.

This card can be reprogrammed using Nagra-Edit Software and a card

programmer.
At the time of writing the ROM 10 cards are being targeted by the Cable
Companies and "zapped" so they cannot be rewritten. This changes the backdoor
keys and renders them useless.
ROM 11:
ROM 11
These are programmable yet you can read the details off them and programme a
fun card with the information.
Funcards
These are ROM card emulators (i.e. they are manufactured to contain the same
functionality) and can be programmed with the data from any ROM card.

At the time of writing the ROM 10 cards are being targeted by the Cable
Companies and "zapped" so they cannot be rewritten. This changes the backdoor
keys and renders them useless.
In comparison, the fun cards are not prone to this zapping and work with all pay
per view channels unlocked. The current most suitable funcard version will be type
3 or 4. The Elvis card programmer will work for programming the funcards

Where to purchase the Funcards:

http://www.dragonalfa.co.uk

http://interesting-devices.com/

http://www.rom10.co.uk

To determine which type of card you have using software:

Launch Nagra Edit software, place the card in the card programmer and load up
the card data. It should tell you the card version and ROM type.

To determine which type of card you have on a satellite:

• Put the CAM in the receiver and power on;
• On the remote hit SysInfo;

You will see a window with this information:

MODEL ID: 2700 ( or the one you have )
RECEIVER CA ID: R00xxxxxxxx-xx
SMARTCARD CA ID: S0xxxxxxxx-xx
(Card ROM version) => DNASP003 Rev xxx <= software version

DNASP003 represents a ROM3 card type A2012 or 288-02 these are

programmable (if they were not hit by the ECM of July 2001) or can be fixed.

DNASP002 represents a ROM2 card type – 288-01. This card is programmable

but can not be fixed.
DNASP010 represents a ROM10 card type. This card is not easily programmable
and can not be fixed.

How to tell if your card is marked

Your smartcard (CAM) may be marked. This is important to know because there
are separate blockers for marked cards which must be used.

Marked smartcards can be a target for ECM's so these specially designed blockers
protect the smartcard.

Also if your smartcard is marked, the MAP of the smartcard is disabled. This
portion of the card is needed to do math operations in decryption processes.

These blockers also re-enable the MAP, so it is important to know if your card is
marked or not.

Marking usually happens if you try to dump a locked card. Or if you open a locked
card at home using the various freeware applications available.

Instructions:
Load up the NagraEdit Software

Load the card image from backup using File

Open Card Image option (CTRL + O)
or
read the card using the Card
Read Card option (CTRL +R)

Switch to the EEPROM Editor

Our first area of interest is circled in red.

E007: Can be anything here other than FF. (If it says FF it is marked)

This marking is caused by trying to dump a locked card or when a card has been
looped by an ECM.

You will need to use a blocker for marked cards, called either a "E007 fix" or
a "MAP fix".

Our second area of interest is {00000000000000000000} marked in red.

Range E010 to E01F: Are all 00's

If anything is here other than 00's then the card is marked.

This marking is usually caused by opening locked cards at home

You will NOT need to use a blocker for marked cards, since no ECM as of yet
targets this range.

GO TO JAIL WARNING:
Tampering with cable boxes to receive Pay TV signals without paying for them is
illegal in most countries. The information here should be used for test purposes
only.

Know your ROM3a from your ROM3b

When applying a blocker/E3M for Dish Network, it is important to determine
whether you have a ROM3a or ROM3b card. While they are identical on the
outside, there are several key differences in the data stored in the card. This guide
will show you how to tell which type of card you have.

Instructions:

Load up NagraEdit

Load the card image from backup using File

or
read the card using the Card

Switch to the EEPROM Editor

Scroll down until you see E4E0 in the left hand column
Our first area of interest is circled in red: E4E0.
If this location contains "06", then you have a ROM3a card.
If the area circled in blue: E4E7 contains "06", then you have a ROM3b card.
Here are some other differences between ROM3a and ROM3b cards:

ROM3a Offset Data

$E4E0 $06
$E508 Decrypt Key 0
$E510 Decrypt Key 1
$E4E4 Third CAM ID
$E4FC Blackout Bit Map
ROM3b Offset Data