hacktv:analogcable:gi_fskdata

GI/Jerrold FSK data format

This is the data format used by the control channel on General Instrument and Jerrold analog cable boxes.

NOTE: The information on this page is intended for educational use only, to assist in setting up your own headend. It is only of relevance to analog boxes (not digital), which (as far as I'm aware) are massively obsolete. Most analog cable networks were shut down and upgraded to digital perhaps ten or more years ago.

  • Logical Address (LA) – also referred to elsewhere as a Dynamic Subscriber Number or Electronic Serial Number (ESN)
    • Operator-defined address of the box.
    • Used to address the box for: channel mapping, authorise or deauthorise programmes, two-way communications, time and date, shutdowns and timer resets.
    • Error E5 indicates this number is not set (set to the default)
  • IRG: Inter-record gap.
    • A series of FF bytes sent to separate packets in the data stream.
    • Also used as a preamble so the receiver can synchronise to the incoming data packet.
  • Serial number: The box's unique serial number.
    • Displayed by the F2 diagnostic command.
    • Used to set the box's ESN, site code, etc.
    • Stored in RAM: if the battery dies or the RAM is shorted out, this will be lost.
  • Site code: A number unique to the cable operator. Used to prevent a box from being moved from one area to another.
    • 12 bits in length, but transmitted as four octal bytes, from most to least significant bits: 03x 02x 01x 00x.
    • Error E8 indicates a site code mismatch.

Much of the information in this section is based on the General Instrument/Jerrold patent on the DataChannel technology [US4558464A].

Each byte is packed into an RS232-style frame, idle high (data is inverted when sent):

Start bit (0) 8 data bits Odd parity Stop bit (1)

Data bits are transmitted from least-significant to most-significant; this means binary 01 011 111 (octal 137, or hex 0x5F) would be transmitted as 111 110 10.

The parity bit is low if all the data bits XOR'ed together are equal to zero, or high if it is equal to one.

Framed bytes are Manchester biphase encoded before transmission:

  • A 'zero' bit is transmitted as a 10 sequence.
  • A 'one' bit is transmitted as a 01 sequence.

The bit rate is a binary division of a 3.579545 MHz colour-burst crystal; usually the division ratio is 256. This gives a bit rate of around 13982.6 Hz. The Manchester encoder sub-bit rate will be twice the bit rate (i.e. a divide ratio of 128, or around 27965.2 Hz).

In practice (per [JTI01]) the box will accept timing which is a few microseconds too fast or too slow.

Framed and line-coded serial data is FSK modulated onto an RF carrier with the following specifications (from the IMPULSE 7000 CFT-2000 specification sheet):

  • Bandwidth: ± 200 kHz
  • Level: -15 dBmV
  • Deviation: ± 75 kHz [#3]

Applying Carson's rule to calculate the bandwidth:

  • $\mathit{OBW} = 2 \times (\mathit{\Delta F} + \mathit{F_m})$
    • $\mathit{\Delta F}$: Peak frequency deviation
    • $\mathit{F_m}$: Highest frequency in the modulating signal
  • $\mathit{OBW} = 2 \times (75 \mathrm{kHz} + 13982.6 \mathrm{Hz})$
  • $\mathit{OBW} = 163.9826 \mathrm{kHz}$

In practice, a CFT-2100 will accurately decode with an FM deviation as low as 5 kHz.

Excessive deviation will cause the FSK signal to be corrupted by the IF filter.

The following frequencies are known to be in use:

Frequency CFT2xxx variant DPV7/DPBB7 variant Notes
89.3 MHz S9
97.5 MHz S7 Commonly used in US/Canada.
106.5 MHz S8, S6 (Canada) Commonly used in US/Canada. Per Group42, DPV5 and older units mostly use this frequency.
108.5 MHz C1 S9 :?:, C1 Commonly used in US/Canada. Per Group42, CFT models “almost always” use this frequency.
122.7 MHz * :?: :?: UK. Frequency disputed, see below.

*: There is some debate about the true frequency of the UK-model CFT series boxes: 122.7 MHz (GI ACC-4000 manual, Magicboxes), 122.75 MHz (Group42) or 122.8 MHz ([JTI01]). The true frequency is 122.7 MHz, as quoted by GI: the reference crystal is 133.4 MHz, with an IF of 10.7 MHz, giving a tuned frequency of 122.7 MHz.

Variant codes are from the following sources:

:!: TODO.

  • ACC-4000 manual lists the frequency and level range

The standard command format is:

Preamble (FF FF FF FF FF) Length Command Parameter bytes … Checksum Postamble (FF)
  • Preamble or IRG: Synchronisation sequence, to allow the STB to lock onto the incoming data stream's clock.
    • Stream of 0xFF bytes. Five (per US4558464A patent) or six (ESNv2) in total.
  • Length: One byte. Total length of the packet, from the first command byte to the checksum byte inclusive (excludes the length byte itself).
  • Command: One (base commands) or two (extended FD-prefixed commands) command bytes.
  • Parameters: Parameters to the command, total number varies based on the command. Usually starts with addressing information.
  • Checksum byte: Two's complement checksum byte.
    • Modulo-256 sum of all of the bytes from the length to the last parameter byte, XORed with 0xFF, plus 1.
    • The sum of all bytes from the length to the checksum inclusive should be zero.
  • Postamble or final IRG: a single FF byte to terminate the command.
    • Required for the MVP scrambler and likely other boxes too, due to the way the receive loop is implemented.

The serial number field carries the BCD-encoded truncated serial number of the box. This is the value displayed by the F 2 diagnostic function.

  • F 2 displays the sequence: 01 12 23 34 45 56 67 78 89 90
  • Which equates to serial number 1234567890
  • Which is packed into bytes as 12 34 56 78 90 hex, in left-to-right order of transmission (SN4..SN0).

The Site Code is a 4-byte sequence which encodes a 12-bit number, which uniquely identifies the cable network.

SC3 Range D8 to DF 1101 1xxx
SC2 Range D0 to D7 1101 0xxx
SC1 Range C8 to CF 1100 1xxx
SC0 Range C0 to C7 1100 0xxx

Each byte encodes three bits (one octal digit) of the Site Code.

The default site code is D8 D0 C8 C0.

The headend will incorporate the site code into commands wherever possible or reasonable. This is done to allow boxes to check the site code against the one stored internally.

The Reset Disconnect command may have a site code incorporated into it thusly:

06 F9 LA LA LA LA CHK is the reset disconnect command.
0A F9 SI TE CO DE LA LA LA LA CHK is the same command with exactly the same function but also now containing the site code.
      ^^-^^-^^-^^
      These are the 4 bytes of the SITE CODE.

The Time Set command also exists in a with and without Site Code form:

Without site code:  08 FD 60 0F 02 13 01 15 CHK
With    site code:  0C FD 60 0F 02 13 01 15 D8 D0 C8 C0 CHK
                                            ^^^^^^^^^^^ Site code

Logical Addresses are sent as a sequence of four bytes:

LA3 (first byte sent) Range E0 to FF 1110_0xxx 3 bits – Geocode? :?:
LA2 Range 80 to BF 10xx_xxxx 6 bits :?:
LA1 Range 40 to 7F 01xx_xxxx 6 bits :?:
LA0 (last byte sent) Range 00 to 3F 00xx_xxxx 6 bits :?:

This gives a total addressing range of 18 bits per Geocode and eight Geocodes. This equates to 262,144 converters (set-top boxes) per Geocode region, or 2,097,152 converters if all eight Geocodes are used.

The ACC-4000 manual lists several restrictions for the logical address (the Converter ID) on page 74:

  • The number is an integer from 1 to 518144.
    • This would require 19 bits of addressing (which would allow up to 524288 addresses).
  • The range 256001 thru 262144 is excluded.
    • The range 260097 through 260999 is reserved for MVP series scramblers (page 184).
    • The range 259073 to 259975 is reserved for Data Inserter Units (DIUs) and must be the scrambler ID minus 1024 (page 197).

The logical address is often set to E0 BF 7F 3E (one less than the maximum) by pirate 'cubes'.

More than one logical address with the same first three bytes may be addressed in the same packet. This is done by appending additional bytes to the packet, containing the last byte of the LAs to be addressed.

For example, the following compressed LA stream addresses boxes E0 BF 7E 01 through E0 BF 7E 05, but skips E0 BF 7E 03:

E0 BF 7E 01 02 04 05

Len. CMD (hex) Addressing DPBB? CFT? Function
7 E8..F7 LA Bitwise Turn On/Off Channel
6 F8 LA Disconnect / Shutdown Box
6 F9 LA Reset Disconnect
8 FD 47 LA Enable/Disable Functions :?:
11 FD 4D LA Channel Mapping
11 FD 4F LA Set Site Code
12 FD 5F S/N Set Logical Address and/or Site Code
9 FD 60 Broadcast Set Time
3 FD 6E Broadcast :?: Reset Timer
4 FD 7F+FD 81 Broadcast Turn On Channel
7 FD 8D LA Initialize
7 FD 8E LA Reset Timer
8 FD 9F+FD A1 LA Turn On Channel
6 FE LA Reset/reboot

Note: Length includes checksum byte, but it is not shown in the tables.

Addressing modes:

  • Broadcast: All boxes which receive this command will execute it.
  • LA: Logical Address. Targeted to a specific Logical Address.
  • S/N: Serial Number. Targeted to a specific box Serial Number.

Receiver-specific differences:

  • CFT-series receivers will not process most global commands.
    • These receivers must be addressed by their LA.
  • iCFT2100 (UK) and CFT2200 (USA) will not process LA-addressed single-channel activation commands.

The following commands are currently unknown and undocumented:

Len. CMD (hex) Addressing Function
6 FB LA :?: From TCINIT.
Sent as 06 FB E0 BF 7F 3A A6
FD 10 LA :?: Talkback (IMPULSE return channel):
Per this post by MrBMcG, 07 FD 10 (LocalAddr) will cause the unit to transmit its serial number to the headend on the talkback channel.
FD 18 LA :?: Talkback (IMPULSE return channel):
Per a post in this thread, the FD 18 (LocalAddr) command will cause the unit to transmit channel authorisations back to the headend.
9 FD 44 LA :?: :?: From ESNv2 / cube_source “extra” function.
Sent as 09 FD 44 E0 BF 7F 3E 00 00.
FD 48 LA :?: From Super2, no description
FD 49 LA :?: per [JERCMD], an “unknown command” from the Phantom Cube.
According to this post by JohnW, FD 49 is “Load Default Logical Address”. Will leave the box in Error E5 state until FD 5F command is sent.
FD 4A :?: :?: From Super2, no description
FD 4B LA :?: From Super2
FD 4B (LA) 02: “set global timeout to 4 hours”
FD 4E LA :?: per [JERCMD], “part of a generic Jerrold cube startup”
06 FD 4E ESN1 ESN2 ESN3 ESN4 CSUM
mentioned at hackHispano
FD 50 LA :?: FD 50 (LA) PARAM: unknown command ([JERCMD])
Seen in Magicboxes comm log below
“cube-source” calls this “Tuning Type”, parameter is 00, “Standard”.
FD 5D unknown command ([JERCMD])
FD 5E unknown command, mentioned at hackHispano
10 FD 8C LA :?: :?: From ESNv2 “COMMFD8C”.
Sent as 0A FD 8C E0 BF 7F 3E 7F 07 0A.
Described as “Set checksum command”.
FD 95 LA :?: Set output channel.
Parameters seen: F6, F7, 41 (here).
8 FD B0..FD BF + FD E8..FD F7 LA :?: From ESNv2/cube_source.
Sent as 08 FD B0++ LA[3..0] FF then 08 FD E8++ LA[3..0] FF
Turn on/off PPV events or channels?
FF seems to be a PPV event bitmap.
Seems to support compressed addressing (LA_lsb+mask pairs) - see 509_gi_pic.asm
  • Per the thread on Talkback, much headend traffic is spent sending 248 (F8) shutdown commands to inactive boxes.
LE CMD Logical Address Channel bitmap
8 0xE8..0xF7 LA LA LA LA BITMAP

Enables or disables a block of eight channels for the box with logical address LA.

Note that the command range is incorrectly listed in [JTI01] as E9 to F7. [JERCMD] lists the range correctly as commands E8 to F7. ESNv2 doesn't appear to send this command.

Command Channel range
E8 0-7
E9 8-15
EA 16-23
EB 24-31
EC 32-39
ED 40-47
EE 48-55
EF 56-63
F0 64-71
F1 72-79
F2 80-87
F3 88-95
F4 96-103
F5 104-111
F6 112-119
F7 120-127
LE CMD Logical Address
6 0xF8 LA LA LA LA

Shut down the box immediately.

Shut-down boxes will either:

  • OSD capable (CFT): display the “YOUR CONVERTER IS DISCONNECTED. PLEASE CONTACT YOUR CABLE OPERATOR.” barker text.
  • Non-OSD: display the barker channel.
LE CMD Logical Address
7 0xF9 LA LA LA LA

Also referred to as “Turn On Box”.

Reverses the “Shutdown Box” command. Also resets the box's communication timer.

:?: TODO

From the ESNv2 code. and [JERCMD].

LE CMD SubCMD Logical address Feature Bitmap
8 0xFD 0x47 LA3..LA0 (4 bytes) FEATURES

Feature flag bitmap has a '1' bit if the feature is enabled. ESNv2 and TCINIT send a bitmap of FF, T2/RFT-Gold/Phantom/Super2 send 7F.

Bits are:

Bit Value hex Feature
7 0x80
6 0x40
5 0x20
4 0x10
3 0x08
2 0x04
1 0x02
0 0x01

Channel number (LCN to RF) mapping

LE CMD SubCMD Logical address Block Map Channel mappings
11 0xFD 0x4D LA3..LA0 (4 bytes) BLK MAP CH0..CH7
  • BLK: Channel block number (starting channel number divided by 8). Range 00 to 0F.
    • 00: channels 0 to 7
    • 01: channels 8 to 15
    • 0F: channels 120 to 127
  • MAP: Channel map to update
    • 00 to 0F: Map A
    • 10 to 1F: Map B
  • CH0 to CH7: Channel mappings
    • 00: channel disappears from the channel guide.
    • 01 to 7F: Map user-entered channel N to this cable channel.

As an example:

11 FD 4D E0 BF 7F 3E 00 00 00 0F 04 00 00 00 00 2D CS

Will set Map A, channels 0-7, to:

  • Channel 0: empty
  • Channel 1: RF channel 15
  • Channel 2: RF channel 4
  • Channels 3-6: empty
  • Channel 7: RF channel 45

Channel frequency mapping

LE CMD SubCMD Logical address Block Map Unknown/fixed Max Ch A Max Ch B
11 0xFD 0x4D LA3..LA0 (4 bytes) BLK MAP 7F 7F 7F 7F 00 MCA MCB
  • BLK: always 1F
  • MAP: Channel map to update
    • 0F: Map A
    • 1F: Map B
  • Unknown/fixed: unknown function
  • MCA and MCB: Max Channel (wrap point) for A and B maps, respectively.
    • Usually set to 99 or 127.

As an example:

11 FD 4D E0 BF 7F 3E 00 00 00 0F 04 00 00 00 00 2D CS

Will set Map A, channels 0-7, to:

  • Channel 0: empty
  • Channel 1: RF channel 15
  • Channel 2: RF channel 4
  • Channels 3-6: empty
  • Channel 7: RF channel 45

RF tuning

Misc notes

              ESNv2: 11 FD 4D  E0 BF 7F 3E  1F  0F  7F 7F 7F 7F 1F 1F 63 63  1B
 Hexgen4 99-channel: 11 FD 4D  E0 BF 7F 3E  1F  0F  7F 7F 7F 7F 1F 1F 63 63  1B
Hexgen4 127-channel: 11 FD 4D  E0 BF 7F 3E  1F  0F  7F 7F 7F 7F 1F 1F 7F 7F  1B
             Super2: 11 FD 4D  la la la la  1F  0F  7F 7F 7F 7F 1F 1F 63 63  cs
  • FD 4D: per [JERCMD], “set channel map”. Examples:
    • 11 FD 4D (—LA—-) 0B 00 2A 00 00 00 00 00 00 00 CSUM ([JERCMD])
      • Block 0B, Map A, channel 88 is RF channel 2A, other channels disabled.
    • 11 FD 4D (—LA—-) 1F 0F 7F 7F 7F 7F 00 17 63 63 CSUM ([JERCMD], ESNv2 with fixed E0 BF 7F 3E LA, Magicboxes post)
      • Channel range mapping, 63 63 (99 decimal) is maximum channel number for map A/B.

:!: NOTE: This command is incorrectly listed in [JERADDR] as having the serial number sent first, then the logical address and sitecode. It is correctly shown in [JERCMD], [JTI01] and [JTI03], and correctly implemented in TCINIT and ESNv2.

Without site code

LE CMD SubCMD Logical address Serial number
12 0xFD 0x5F LA3..LA0 (4 bytes) SN4..SN0 (5 bytes)

Set the logical address on the box with serial number SN to LA. The Site Code will not be set, and will not be checked by the box.

With site code

LE CMD SubCMD Logical address Serial number Site Code
16 0xFD 0x5F LA3..LA0 (4 bytes) SN4..SN0 (5 bytes) SC3..SC0 (4 bytes)

Set the logical address on the box with serial number SN to LA, and its Site Code to SC.

Without site code

LE CMD Year mod 16 Month Day of Month Hour Minute
8 FD 60

With site code

LE CMD Year mod 16 Month Day of Month Hour Minute Site code
12 FD 60 SC3..0 (4 bytes)
  • Year mod 16: Current year, modulo 16. Zero based (0=n+0, …, 15=n+15).
    • Epoch is unknown.
  • Month: Month of the year. Zero based (0=January, …, 11=December)
  • Day of month: Day of the month. Zero based (0=1, …, 30=31)
  • Hours: Zero based (range 0 to 23)
  • Minutes: Zero based (range 0 to 59)
  • Site code: Optional site code.

There is some dispute about the command code used by this command.

  • [JERCMD] quotes the command code as 60 FD 60, which seems to be accepted by CFT series boxes.
  • A post in this thread identifies the time command as 12 253 96 (time) (sitecode), or 0C FD 60 (time) (sitecode).
  • The MVP scrambler seems to expect FD 60 commands, and may reject 60 FD 60 ones.
    • :!: TODO: More testing is required. See if an MVP accepts the 60 FD 60 variant.
LE CMD SubCMD
3 0xFD 0x6E

Resets the disconnect timer for all boxes on the cable network.

LE CMD SubCMD Channel ID
4 0xFD 0x7F 0x00 to 0x9E (0 to 158)
LE CMD SubCMD Channel ID
4 0xFD 0x81 0x00 to 0x9E (0 to 158)

Enables access to a channel for all receiving boxes. Both commands must be sent – FD 7F followed by FD 81.

Only available on earlier boxes, pre CFT series. Ignored by CFT series and later. Known to work on DPBB7 series and earlier.

LE CMD SubCMD Logical address
7 0xFD 0x8D LA3..LA0 (4 bytes)

Reboots the addressed box and initializes the NVRAM settings to their defaults. May be used with or without Site Code.

The “FE: Reset” command must be sent before this one, or the reboot request will be ignored.

LE CMD SubCMD Logical address
7 0xFD 0x8E LA3..LA0 (4 bytes)

Resets the disconnect timer for the addressed box.

LE CMD SubCMD Logical address Channel ID
8 0xFD 0x9F LA3..LA0 (4 bytes) 0x00 to 0x9E (0 to 158)
LE CMD SubCMD Logical address Channel ID
8 0xFD 0xA1 LA3..LA0 (4 bytes) 0x00 to 0x9E (0 to 158)

Enables access to a channel for the box with logical address LA. Send command FD 9F followed by FD A1.

Only available on earlier boxes, pre UK iCFT2100 and USA CFT2200 series.

LE CMD Logical address
6 0xFE LA3..LA0 (4 bytes)

Reboots the addressed box and enables the “FD 8D” (Initialize) command.

TCINIT sends the following commands:

Len Cmd Payload Notes
128 bytes FF preamble/IRG
0C FD 5F E0 BF 7F 3E (SN[4..0]) 3C Set LA to E0 BF 7F 3E
28 bytes FF preamble/IRG
0A FD 8C E0 BF 7F 3E 7F 07 0A 81 :?:
12 bytes FF preamble/IRG
06 FE E0 BF 7F 3E A0 Reboot box with LA=E0 BF 7F 3E
12 bytes FF preamble/IRG
07 FD 8D E0 BF 7F 3E 13 Initialize box with LA=E0 BF 7F 3E
12 bytes FF preamble/IRG
07 FD 8E E0 BF 7F 3E 12 Reset timer on box with LA=E0 BF 7F 3E
12 bytes FF preamble/IRG
08 FD 47 E0 BF 7F 3E FF 1D Enable/disable functions :?:, enable all fuctions
12 bytes FF preamble/IRG
06 F9 E0 BF 7F 3E A5 Reset Disconnect
12 bytes FF preamble/IRG
06 FB E0 BF 7F 3E A6 :?:
44 bytes FF preamble/IRG

From https://groups.google.com/g/rec.video.cable-tv/c/GLVlZnUc3rA/m/SMYxwaVG-J8J

3 FD 6E 92 FF FF FF FF FF
  Reset timer for all boxes
  
11 FD 4D E0 80 76 0 B 0 2A 0 0 0 0 0 0 0 9A FF FF FF FF FF
  Channel map targeting LA E0:80:76:00. Block 0, map 0xB
  
8 FD 49 E0 80 76 0 0 DC FF FF FF FF FF
  Unknown

FD 50 E0 80 76 0 0 D5 FF FF FF FF FF
  Unknown, incomplete command

E8 E0 80 76 0 FF 3C FF FF FF FF
  Unknown, incomplete command
  
7 E9 E0 80 76 0 FF 3B FF FF FF FF
7 EA E0 80 76 0 FF 3A FF FF FF FF
7 EB E0 80 76 0 FF 39 FF FF FF FF
7 EC E0 80 76 0 FF 38 FF FF FF FF
7 ED E0 80 76 0 FF 37 FF FF FF FF
7 EE E0 80 76 0 FF 36 FF FF FF FF
7 EF E0 80 76 0 FF 35 FF FF FF FF
  Bitwise channel enables part one, to E0:80:76:00, enable all channels (FF)
  
7 F0 E0 80 76 0 FF 34 FF FF FF FF
7 F1 E0 80 76 0 FF 33 FF FF FF FF
7 F2 E0 80 76 0 FF 32 FF FF FF FF
7 F3 E0 80 76 0 FF 31 FF FF FF FF
7 F4 E0 80 76 0 FF 30 FF FF FF FF
7 F5 E0 80 76 0 FF 2F FF FF FF FF
7 F6 E0 80 76 0 FF 2E FF FF FF FF
7 F7 E0 80 76 0 FF 2D FF FF FF FF
  Bitwise channel enables part two, to E0:80:76:00, enable all channels (FF)

9 FD B0 E8 E0 80 76 0 FF 8D FF FF FF FF
9 FD B1 E9 E0 80 76 0 FF 8B FF FF FF FF
9 FD B2 EA E0 80 76 0 FF 89 FF FF FF FF
9 FD B3 EB E0 80 76 0 FF 87 FF FF FF FF
9 FD B4 EC E0 80 76 0 FF 85 FF FF FF FF
9 FD B5 ED E0 80 76 0 FF 83 FF FF FF FF
9 FD B6 EE E0 80 76 0 FF 81 FF FF FF FF
9 FD B7 EF E0 80 76 0 FF 7F FF FF FF FF
9 FD B8 F0 E0 80 76 0 FF 7D FF FF FF FF
9 FD B9 F1 E0 80 76 0 FF 7B FF FF FF FF
9 FD BA F2 E0 80 76 0 FF 79 FF FF FF FF
9 FD BB F3 E0 80 76 0 FF 77 FF FF FF FF
9 FD BC F4 E0 80 76 0 FF 75 FF FF FF FF
9 FD BD F5 E0 80 76 0 FF 73 FF FF FF FF
9 FD BE F6 E0 80 76 0 FF 71 FF FF FF FF
9 FD BF F7 E0 80 76 0 FF
  Unknown -- ESNv2 / 509_GI_PIC seem to describe this as PPV enable, but could be related to enabling higher service codes. 16x8 gives 128 service codes.

TBD.

  • Local oscillator
    • SiLabs Si5351 – I2C-programmable any-frequency CMOS clock generator and VCXO. 8kHz to 160MHz.
  • Mixer
  • FM Exciter
    • DDS: Analog Devices DDS chips
      • AD9834 has 75MHz reference clock, and is available on a pre-assembled board with oscillator. Frequency and phase select inputs allow FSK and PSK modulation.
  • FM detector
Find me on Mastodon
  • Last modified: 2024/02/07 15:19
  • by philpem