GI/Jerrold FSK data format

This is the data format used by the control channel on General Instrument and Jerrold analog cable boxes.

NOTE: The information on this page is intended for educational use only, to assist in setting up your own headend. It is only of relevance to analog boxes (not digital), which (as far as I'm aware) are massively obsolete. Most analog cable networks were shut down and upgraded to digital perhaps ten or more years ago.

• Logical Address (LA) – also referred to elsewhere as a Dynamic Subscriber Number or Electronic Serial Number (ESN)
  • Operator-defined address of the box.
  • Used to address the box for: channel mapping, authorise or deauthorise programmes, two-way communications, time and date, shutdowns and timer resets.
  • Error E5 indicates this number is not set (set to the default)
• IRG: Inter-record gap.
  • A series of FF bytes sent to separate packets in the data stream.
  • Also used as a preamble so the receiver can synchronise to the incoming data packet.
• Serial number: The box's unique serial number.
  • Displayed by the F2 diagnostic command.
  • Used to set the box's ESN, site code, etc.
  • Stored in RAM: if the battery dies or the RAM is shorted out, this will be lost.
• Site code: A number unique to the cable operator. Used to prevent a box from being moved from one area to another.
  • 12 bits in length, but transmitted as four octal bytes, from most to least significant bits: 03x 02x 01x 00x.
  • Error E8 indicates a site code mismatch.

Much of the information in this section is based on the General Instrument/Jerrold patent on the DataChannel technology [US4558464A].

Each byte is packed into an RS232-style frame, idle high (data is inverted when sent):

Data bits are transmitted from least-significant to most-significant; this means binary 01 011 111 (octal 137, or hex 0x5F) would be transmitted as 111 110 10.

The parity bit is low if all the data bits XOR'ed together are equal to zero, or high if it is equal to one.

Framed bytes are Manchester biphase encoded before transmission:

• A 'zero' bit is transmitted as a 10 sequence.
• A 'one' bit is transmitted as a 01 sequence.

The bit rate is a binary division of a 3.579545 MHz colour-burst crystal; usually the division ratio is 256. This gives a bit rate of around 13982.6 Hz. The Manchester encoder sub-bit rate will be twice the bit rate (i.e. a divide ratio of 128, or around 27965.2 Hz).

In practice (per [JTI01]) the box will accept timing which is a few microseconds too fast or too slow.

Framed and line-coded serial data is FSK modulated onto an RF carrier with the following specifications (from the IMPULSE 7000 CFT-2000 specification sheet):

• Bandwidth: ± 200 kHz
• Level: -15 dBmV
• Deviation: ± 75 kHz [#3]

Applying Carson's rule to calculate the bandwidth:

• $\mathit{OBW} = 2 \times (\mathit{\Delta F} + \mathit{F_m})$
  • $\mathit{\Delta F}$: Peak frequency deviation
  • $\mathit{F_m}$: Highest frequency in the modulating signal
• $\mathit{OBW} = 2 \times (75 \mathrm{kHz} + 13982.6 \mathrm{Hz})$
• $\mathit{OBW} = 163.9826 \mathrm{kHz}$

In practice, a CFT-2100 will accurately decode with an FM deviation as low as 5 kHz.

Excessive deviation will cause the FSK signal to be corrupted by the IF filter.

The following frequencies are known to be in use:

Frequency	CFT2xxx variant	DPV7/DPBB7 variant	Notes
89.3 MHz	S9
97.5 MHz	S7		Commonly used in US/Canada.
106.5 MHz	S8, S6 (Canada)		Commonly used in US/Canada. Per Group42, DPV5 and older units mostly use this frequency.
108.5 MHz	C1	S9 , C1	Commonly used in US/Canada. Per Group42, CFT models “almost always” use this frequency.
122.7 MHz *			UK. Frequency disputed, see below.

*: There is some debate about the true frequency of the UK-model CFT series boxes: 122.7 MHz (GI ACC-4000 manual, Magicboxes), 122.75 MHz (Group42) or 122.8 MHz ([JTI01]). The true frequency is 122.7 MHz, as quoted by GI: the reference crystal is 133.4 MHz, with an IF of 10.7 MHz, giving a tuned frequency of 122.7 MHz.

Variant codes are from the following sources:

• Group42
• GI CFT2000/2200 ordering information (System Industrial)
• GI ACC-4000 Addressable Controller system operator's manual, appendix A “Converter Types and Features”.

TODO.

• ACC-4000 manual lists the frequency and level range

The standard command format is:

• Preamble or IRG: Synchronisation sequence, to allow the STB to lock onto the incoming data stream's clock.
  • Stream of 0xFF bytes. Five (per US4558464A patent) or six (ESNv2) in total.
• Length: One byte. Total length of the packet, from the first command byte to the checksum byte inclusive (excludes the length byte itself).
• Command: One (base commands) or two (extended FD-prefixed commands) command bytes.
• Parameters: Parameters to the command, total number varies based on the command. Usually starts with addressing information.
• Checksum byte: Two's complement checksum byte.
  • Modulo-256 sum of all of the bytes from the length to the last parameter byte, XORed with 0xFF, plus 1.
  • The sum of all bytes from the length to the checksum inclusive should be zero.
• Postamble or final IRG: a single FF byte to terminate the command.
  • Required for the MVP scrambler and likely other boxes too, due to the way the receive loop is implemented.

The serial number field carries the BCD-encoded truncated serial number of the box. This is the value displayed by the F 2 diagnostic function.

• F 2 displays the sequence: 01 12 23 34 45 56 67 78 89 90
• Which equates to serial number 1234567890
• Which is packed into bytes as 12 34 56 78 90 hex, in left-to-right order of transmission (SN4..SN0).

The Site Code is a 4-byte sequence which encodes a 12-bit number, which uniquely identifies the cable network.

Each byte encodes three bits (one octal digit) of the Site Code.

The default site code is D8 D0 C8 C0.

The headend will incorporate the site code into commands wherever possible or reasonable. This is done to allow boxes to check the site code against the one stored internally.

The Reset Disconnect command may have a site code incorporated into it thusly:

06 F9 LA LA LA LA CHK is the reset disconnect command.
0A F9 SI TE CO DE LA LA LA LA CHK is the same command with exactly the same function but also now containing the site code.
      ^^-^^-^^-^^
      These are the 4 bytes of the SITE CODE.

The Time Set command also exists in a with and without Site Code form:

Without site code:  08 FD 60 0F 02 13 01 15 CHK
With    site code:  0C FD 60 0F 02 13 01 15 D8 D0 C8 C0 CHK
                                            ^^^^^^^^^^^ Site code

Logical Addresses are sent as a sequence of four bytes:

LA3 (first byte sent)	Range E0 to FF	1110_0xxx	3 bits – Geocode?
LA2	Range 80 to BF	10xx_xxxx	6 bits
LA1	Range 40 to 7F	01xx_xxxx	6 bits
LA0 (last byte sent)	Range 00 to 3F	00xx_xxxx	6 bits

This gives a total addressing range of 18 bits per Geocode and eight Geocodes. This equates to 262,144 converters (set-top boxes) per Geocode region, or 2,097,152 converters if all eight Geocodes are used.

The ACC-4000 manual lists several restrictions for the logical address (the Converter ID) on page 74:

• The number is an integer from 1 to 518144.
  • This would require 19 bits of addressing (which would allow up to 524288 addresses).
• The range 256001 thru 262144 is excluded.
  • The range 260097 through 260999 is reserved for MVP series scramblers (page 184).
  • The range 259073 to 259975 is reserved for Data Inserter Units (DIUs) and must be the scrambler ID minus 1024 (page 197).

The logical address is often set to E0 BF 7F 3E (one less than the maximum) by pirate 'cubes'.

More than one logical address with the same first three bytes may be addressed in the same packet. This is done by appending additional bytes to the packet, containing the last byte of the LAs to be addressed.

For example, the following compressed LA stream addresses boxes E0 BF 7E 01 through E0 BF 7E 05, but skips E0 BF 7E 03:

E0 BF 7E 01 02 04 05

Len.	CMD (hex)	Addressing	DPBB?	CFT?	Function
7	E8..F7	LA			Bitwise Turn On/Off Channel
6	F8	LA			Disconnect / Shutdown Box
6	F9	LA		✅	Reset Disconnect
8	FD 47	LA			Enable/Disable Functions
11	FD 4D	LA			Channel Mapping
11	FD 4F	LA			Set Site Code
12	FD 5F	S/N			Set Logical Address and/or Site Code
9	FD 60	Broadcast		✅	Set Time
3	FD 6E	Broadcast		❌	Reset Timer
4	FD 7F+FD 81	Broadcast	✅	❌	Turn On Channel
7	FD 8D	LA	✅	✅	Initialize
7	FD 8E	LA	✅	✅	Reset Timer
8	FD 9F+FD A1	LA	✅	❌	Turn On Channel
6	FE	LA	✅	✅	Reset/reboot

Note: Length includes checksum byte, but it is not shown in the tables.

Addressing modes:

• Broadcast: All boxes which receive this command will execute it.
• LA: Logical Address. Targeted to a specific Logical Address.
• S/N: Serial Number. Targeted to a specific box Serial Number.

Receiver-specific differences:

• CFT-series receivers will not process most global commands.
  • These receivers must be addressed by their LA.
• iCFT2100 (UK) and CFT2200 (USA) will not process LA-addressed single-channel activation commands.

The following commands are currently unknown and undocumented:

Len.	CMD (hex)	Addressing	Function
6	FB	LA	From TCINIT. Sent as 06 FB E0 BF 7F 3A A6
	FD 10	LA	Talkback (IMPULSE return channel): Per this post by MrBMcG, 07 FD 10 (LocalAddr) will cause the unit to transmit its serial number to the headend on the talkback channel.
	FD 18	LA	Talkback (IMPULSE return channel): Per a post in this thread, the FD 18 (LocalAddr) command will cause the unit to transmit channel authorisations back to the headend.
9	FD 44	LA	From ESNv2 / cube_source “extra” function. Sent as 09 FD 44 E0 BF 7F 3E 00 00.
	FD 48	LA	From Super2, no description
	FD 49	LA	per [JERCMD], an “unknown command” from the Phantom Cube. According to this post by JohnW, FD 49 is “Load Default Logical Address”. Will leave the box in Error E5 state until FD 5F command is sent.
	FD 4A		From Super2, no description
	FD 4B	LA	From Super2 FD 4B (LA) 02: “set global timeout to 4 hours”
	FD 4E	LA	per [JERCMD], “part of a generic Jerrold cube startup” 06 FD 4E ESN1 ESN2 ESN3 ESN4 CSUM mentioned at hackHispano
	FD 50	LA	FD 50 (LA) PARAM: unknown command ([JERCMD]) Seen in Magicboxes comm log below “cube-source” calls this “Tuning Type”, parameter is 00, “Standard”.
	FD 5D		unknown command ([JERCMD])
	FD 5E		unknown command, mentioned at hackHispano
10	FD 8C	LA	From ESNv2 “COMMFD8C”. Sent as 0A FD 8C E0 BF 7F 3E 7F 07 0A. Described as “Set checksum command”.
	FD 95	LA	Set output channel. Parameters seen: F6, F7, 41 (here).
8	FD B0..FD BF + FD E8..FD F7	LA	From ESNv2/cube_source. Sent as 08 FD B0++ LA[3..0] FF then 08 FD E8++ LA[3..0] FF Turn on/off PPV events or channels? FF seems to be a PPV event bitmap. Seems to support compressed addressing (LA_lsb+mask pairs) - see 509_gi_pic.asm

• Per the thread on Talkback, much headend traffic is spent sending 248 (F8) shutdown commands to inactive boxes.

Enables or disables a block of eight channels for the box with logical address LA.

Note that the command range is incorrectly listed in [JTI01] as E9 to F7. [JERCMD] lists the range correctly as commands E8 to F7. ESNv2 doesn't appear to send this command.

Shut down the box immediately.

Shut-down boxes will either:

• OSD capable (CFT): display the “YOUR CONVERTER IS DISCONNECTED. PLEASE CONTACT YOUR CABLE OPERATOR.” barker text.
• Non-OSD: display the barker channel.

Also referred to as “Turn On Box”.

Reverses the “Shutdown Box” command. Also resets the box's communication timer.

TODO

From the ESNv2 code. and [JERCMD].

Feature flag bitmap has a '1' bit if the feature is enabled. ESNv2 and TCINIT send a bitmap of FF, T2/RFT-Gold/Phantom/Super2 send 7F.

Bits are:

Details from http://web.archive.org/web/20071117072824/http://www.hackhispano.com/foro/showthread.php?t=14585.

• BLK: Channel block number (starting channel number divided by 8). Range 00 to 0F.
  • 00: channels 0 to 7
  • 01: channels 8 to 15
  • …
  • 0F: channels 120 to 127
• MAP: Channel map to update
  • 00 to 0F: Map A
  • 10 to 1F: Map B
• CH0 to CH7: Channel mappings
  • 00: channel disappears from the channel guide.
  • 01 to 7F: Map user-entered channel N to this cable channel.

As an example:

11 FD 4D E0 BF 7F 3E 00 00 00 0F 04 00 00 00 00 2D CS

Will set Map A, channels 0-7, to:

• Channel 0: empty
• Channel 1: RF channel 15
• Channel 2: RF channel 4
• Channels 3-6: empty
• Channel 7: RF channel 45

• BLK: always 1F
• MAP: Channel map to update
  • 0F: Map A
  • 1F: Map B
• Unknown/fixed: unknown function
• MCA and MCB: Max Channel (wrap point) for A and B maps, respectively.
  • Usually set to 99 or 127.

As an example:

11 FD 4D E0 BF 7F 3E 00 00 00 0F 04 00 00 00 00 2D CS

Will set Map A, channels 0-7, to:

• Channel 0: empty
• Channel 1: RF channel 15
• Channel 2: RF channel 4
• Channels 3-6: empty
• Channel 7: RF channel 45

              ESNv2: 11 FD 4D  E0 BF 7F 3E  1F  0F  7F 7F 7F 7F 1F 1F 63 63  1B
 Hexgen4 99-channel: 11 FD 4D  E0 BF 7F 3E  1F  0F  7F 7F 7F 7F 1F 1F 63 63  1B
Hexgen4 127-channel: 11 FD 4D  E0 BF 7F 3E  1F  0F  7F 7F 7F 7F 1F 1F 7F 7F  1B
             Super2: 11 FD 4D  la la la la  1F  0F  7F 7F 7F 7F 1F 1F 63 63  cs

• FD 4D: per [JERCMD], “set channel map”. Examples:
  • 11 FD 4D (—LA—-) 0B 00 2A 00 00 00 00 00 00 00 CSUM ([JERCMD])
    • Block 0B, Map A, channel 88 is RF channel 2A, other channels disabled.
  • 11 FD 4D (—LA—-) 1F 0F 7F 7F 7F 7F 00 17 63 63 CSUM ([JERCMD], ESNv2 with fixed E0 BF 7F 3E LA, Magicboxes post)
    • Channel range mapping, 63 63 (99 decimal) is maximum channel number for map A/B.

NOTE: This command is incorrectly listed in [JERADDR] as having the serial number sent first, then the logical address and sitecode. It is correctly shown in [JERCMD], [JTI01] and [JTI03], and correctly implemented in TCINIT and ESNv2.

Set the logical address on the box with serial number SN to LA. The Site Code will not be set, and will not be checked by the box.

Set the logical address on the box with serial number SN to LA, and its Site Code to SC.

Without site code

With site code

• Year mod 16: Current year, modulo 16. Zero based (0=n+0, …, 15=n+15).
  • Epoch is unknown.
• Month: Month of the year. Zero based (0=January, …, 11=December)
• Day of month: Day of the month. Zero based (0=1, …, 30=31)
• Hours: Zero based (range 0 to 23)
• Minutes: Zero based (range 0 to 59)
• Site code: Optional site code.

There is some dispute about the command code used by this command.

• [JERCMD] quotes the command code as 60 FD 60, which seems to be accepted by CFT series boxes.
• A post in this thread identifies the time command as 12 253 96 (time) (sitecode), or 0C FD 60 (time) (sitecode).
• The MVP scrambler seems to expect FD 60 commands, and may reject 60 FD 60 ones.
  • TODO: More testing is required. See if an MVP accepts the 60 FD 60 variant.

Resets the disconnect timer for all boxes on the cable network.

Enables access to a channel for all receiving boxes. Both commands must be sent – FD 7F followed by FD 81.

Only available on earlier boxes, pre CFT series. Ignored by CFT series and later. Known to work on DPBB7 series and earlier.

Reboots the addressed box and initializes the NVRAM settings to their defaults. May be used with or without Site Code.

The “FE: Reset” command must be sent before this one, or the reboot request will be ignored.

Resets the disconnect timer for the addressed box.

Enables access to a channel for the box with logical address LA. Send command FD 9F followed by FD A1.

Only available on earlier boxes, pre UK iCFT2100 and USA CFT2200 series.

Reboots the addressed box and enables the “FD 8D” (Initialize) command.

TCINIT sends the following commands:

Len	Cmd	Payload	Notes
128 bytes FF preamble/IRG
0C	FD 5F	E0 BF 7F 3E (SN[4..0]) 3C	Set LA to E0 BF 7F 3E
28 bytes FF preamble/IRG
0A	FD 8C	E0 BF 7F 3E 7F 07 0A 81
12 bytes FF preamble/IRG
06	FE	E0 BF 7F 3E A0	Reboot box with LA=E0 BF 7F 3E
12 bytes FF preamble/IRG
07	FD 8D	E0 BF 7F 3E 13	Initialize box with LA=E0 BF 7F 3E
12 bytes FF preamble/IRG
07	FD 8E	E0 BF 7F 3E 12	Reset timer on box with LA=E0 BF 7F 3E
12 bytes FF preamble/IRG
08	FD 47	E0 BF 7F 3E FF 1D	Enable/disable functions , enable all fuctions
12 bytes FF preamble/IRG
06	F9	E0 BF 7F 3E A5	Reset Disconnect
12 bytes FF preamble/IRG
06	FB	E0 BF 7F 3E A6
44 bytes FF preamble/IRG

From https://groups.google.com/g/rec.video.cable-tv/c/GLVlZnUc3rA/m/SMYxwaVG-J8J

3 FD 6E 92 FF FF FF FF FF
  Reset timer for all boxes
  
11 FD 4D E0 80 76 0 B 0 2A 0 0 0 0 0 0 0 9A FF FF FF FF FF
  Channel map targeting LA E0:80:76:00. Block 0, map 0xB
  
8 FD 49 E0 80 76 0 0 DC FF FF FF FF FF
  Unknown

FD 50 E0 80 76 0 0 D5 FF FF FF FF FF
  Unknown, incomplete command

E8 E0 80 76 0 FF 3C FF FF FF FF
  Unknown, incomplete command
  
7 E9 E0 80 76 0 FF 3B FF FF FF FF
7 EA E0 80 76 0 FF 3A FF FF FF FF
7 EB E0 80 76 0 FF 39 FF FF FF FF
7 EC E0 80 76 0 FF 38 FF FF FF FF
7 ED E0 80 76 0 FF 37 FF FF FF FF
7 EE E0 80 76 0 FF 36 FF FF FF FF
7 EF E0 80 76 0 FF 35 FF FF FF FF
  Bitwise channel enables part one, to E0:80:76:00, enable all channels (FF)
  
7 F0 E0 80 76 0 FF 34 FF FF FF FF
7 F1 E0 80 76 0 FF 33 FF FF FF FF
7 F2 E0 80 76 0 FF 32 FF FF FF FF
7 F3 E0 80 76 0 FF 31 FF FF FF FF
7 F4 E0 80 76 0 FF 30 FF FF FF FF
7 F5 E0 80 76 0 FF 2F FF FF FF FF
7 F6 E0 80 76 0 FF 2E FF FF FF FF
7 F7 E0 80 76 0 FF 2D FF FF FF FF
  Bitwise channel enables part two, to E0:80:76:00, enable all channels (FF)

9 FD B0 E8 E0 80 76 0 FF 8D FF FF FF FF
9 FD B1 E9 E0 80 76 0 FF 8B FF FF FF FF
9 FD B2 EA E0 80 76 0 FF 89 FF FF FF FF
9 FD B3 EB E0 80 76 0 FF 87 FF FF FF FF
9 FD B4 EC E0 80 76 0 FF 85 FF FF FF FF
9 FD B5 ED E0 80 76 0 FF 83 FF FF FF FF
9 FD B6 EE E0 80 76 0 FF 81 FF FF FF FF
9 FD B7 EF E0 80 76 0 FF 7F FF FF FF FF
9 FD B8 F0 E0 80 76 0 FF 7D FF FF FF FF
9 FD B9 F1 E0 80 76 0 FF 7B FF FF FF FF
9 FD BA F2 E0 80 76 0 FF 79 FF FF FF FF
9 FD BB F3 E0 80 76 0 FF 77 FF FF FF FF
9 FD BC F4 E0 80 76 0 FF 75 FF FF FF FF
9 FD BD F5 E0 80 76 0 FF 73 FF FF FF FF
9 FD BE F6 E0 80 76 0 FF 71 FF FF FF FF
9 FD BF F7 E0 80 76 0 FF
  Unknown -- ESNv2 / 509_GI_PIC seem to describe this as PPV enable, but could be related to enabling higher service codes. 16x8 gives 128 service codes.

• Spec sheets and ordering information:
  • System Industrial: GI CFT-2000 spec sheet
  • System Industrial: GI CFT-2200 spec sheet
  • NY DPS: Time Warner Cable franchise application – CFT2000 spec sheet included, page 63 to 65.
  • GI ACC-4000 Addressable Controller User's Guide
  • CFT2000/DPBB7 diagnostics and ordering information (System Industrial)

• ROM disassembly
  • Jerrold 550 / Starcom 6 ROM – reverse engineer this to figure out the command scheme.
    • Only 8K of code, according to this page is for a PIC7040 microcontroller – which is a clone of the Texas Instruments TMS7040.
  • CFT2100 ROM – W65C02S code, with trivial scrambling. Contains about 32K of code (27C512 EPROM with half empty).
    • Lots of code, lots of functionality, might be tricky to reverse-engineer.
• Analyse “cube” or “509 chip” source code
  • PIC12C509 Automapper chip source code (archived)
  • ESN V2.0 resetter cube by Magicboxes, updated by The Master and CRowmAN.
  • Hexgen 3
  • Hexgen 4.2

TBD.

• Local oscillator
  • SiLabs Si5351 – I2C-programmable any-frequency CMOS clock generator and VCXO. 8kHz to 160MHz.
• Mixer
  • Mini-Circuits ADE-6 – LO/RF 50kHz to 250MHz, IF DC to 200MHz, +7dBm LO power.
    • ADE-6 module
    • ADE-6 mixer kit
• FM Exciter
  • DDS: Analog Devices DDS chips
    • AD9834 has 75MHz reference clock, and is available on a pre-assembled board with oscillator. Frequency and phase select inputs allow FSK and PSK modulation.
• FM detector
  • Analog Devices lab page on FM modulators
  • PLL doesn't require a quad coil and may be the most practical.
  • All-in-one chips: (All discontinued as of 2023)
    • MC1458P
    • SA615 (mixer, IF amp, limiter, quad detector, muting, RSSI)
    • SA636 (SA615 with data detector).
      • AN1997: FM/IF systems for SMSK/GFSK receivers
    • These all require a quadrature detector, but the SA636 datasheet gives component values for one built from discrete inductors and capacitors for DECT applications.