GI/Jerrold FSK data format
This is the data format used by the control channel on General Instrument and Jerrold analog cable boxes.
NOTE: The information on this page is intended for educational use only, to assist in setting up your own headend. It is only of relevance to analog boxes (not digital), which (as far as I'm aware) are massively obsolete. Most analog cable networks were shut down and upgraded to digital perhaps ten or more years ago.
Terminology
- Logical Address (LA) – also referred to elsewhere as a Dynamic Subscriber Number or Electronic Serial Number (ESN)
- Operator-defined address of the box.
- Used to address the box for: channel mapping, authorise or deauthorise programmes, two-way communications, time and date, shutdowns and timer resets.
- F0 error "E5" indicates this number is not set (set to the default)
- IRG: Inter-record gap.
- A series of
FF
bytes sent to separate packets in the data stream. - Also used as a preamble so the receiver can synchronise to the incoming data packet.
- GI headend controller equipment (e.g. ANIC) transmits a constant stream of IRGs while there are no packets to transmit.
- Serial number: The box's unique serial number.
- Displayed by the
F2
diagnostic command. - Used to set the box's LA, site code, etc.
- Stored in RAM: if the battery dies or the RAM is shorted out, this will be lost.
- Site code: A number unique to the cable operator. Used to prevent a box from being moved from one area to another.
- 12 bits in length, but transmitted as four octal bytes, from most to least significant bits:
03x 02x 01x 00x
. - F0 error "E8" indicates a site code mismatch.
Physical layer (layer 1) protocol
Much of the information in this section is based on the General Instrument/Jerrold patent on the DataChannel technology [US4558464A]. Other information was gleaned by observation of the communications between the ANIC/ACC-4000 and the MVP scrambler, and examination of the 75-ohm baseband transceiver circuitry in the MVP, ANIC and ANIC-A.
75-ohm physical layer
This is used between the ANIC and headend equipment.
The output driver is usually an SN75158, which drives the 75-ohm cable (F connectors) from its “Y” output via a 68-ohm series resistor. This gives logic levels on the cable of 0 and 5V into a high impedance, or 0V and 2.5V into a 75-ohm terminated load.
The biphase input is typically implemented with an LM311 or equivalent (e.g. NJM311) comparator, implementing a non-inverting comparator with hysteresis. The input is first terminated to ground with a 75-ohm resistor. This terminated signal is passed through a 3k resistor (R1) into the LM311's positive input. The LM311's threshold (negative input) is set by a 430-ohm resistor to +5V, and a 91-ohm resistor to ground, giving a threshold voltage of 0.873V. A 300k resistor from output to positive input (R2) provides some hysteresis, to reduce noise if the signal is slow to cross the threshold.
RF modulated (FM/FSK) downlink physical layer
Framed and line-coded serial data is FSK modulated onto an RF carrier with the following specifications (from the IMPULSE 7000 CFT-2000 specification sheet):
- Bandwidth: ± 200 kHz
- Level: -15 dBmV
- Deviation: ± 75 kHz [#2]
Applying Carson's rule to calculate the bandwidth:
- $\mathit{OBW} = 2 \times (\mathit{\Delta F} + \mathit{F_m})$
- $\mathit{\Delta F}$: Peak frequency deviation
- $\mathit{F_m}$: Highest frequency in the modulating signal
- $\mathit{OBW} = 2 \times (75 \mathrm{kHz} + 13982.6 \mathrm{Hz})$
- $\mathit{OBW} = 163.9826 \mathrm{kHz}$
In practice, a CFT-2100 will accurately decode with an FM deviation as low as 5 kHz.
Excessive deviation will cause the FSK signal to be corrupted by the IF filter.
Data channel (downstream) frequencies
The following frequencies are known to be in use:
Frequency | CFT2xxx variant | DPV7/DPBB7 variant | Notes |
---|---|---|---|
89.3 MHz | S9 | ||
97.5 MHz | S7 | Commonly used in US/Canada. | |
106.5 MHz | S8 , S6 (Canada) | Commonly used in US/Canada. Per Group42, DPV5 and older units mostly use this frequency. | |
108.5 MHz | C1 | S9 , C1 | Commonly used in US/Canada. Per Group42, CFT models “almost always” use this frequency. |
122.7 MHz * | UK. Frequency disputed, see below. |
*: There is some debate about the true frequency of the UK-model CFT series boxes: 122.7 MHz (GI ACC-4000 manual, Magicboxes), 122.75 MHz (Group42) or 122.8 MHz ([JTI01]). The true frequency is 122.7 MHz, as quoted by GI: the reference crystal is 133.4 MHz, with an IF of 10.7 MHz, giving a tuned frequency of 122.7 MHz.
Variant codes are from the following sources:
- GI CFT2000/2200 ordering information (System Industrial)
- GI ACC-4000 Addressable Controller system operator's manual, appendix A “Converter Types and Features”.
Upstream (return path, talkback) physical layer
TODO.
- ACC-4000 manual lists the frequency and level range
Line coding
Framed bytes are Manchester biphase encoded before transmission:
- A 'zero' bit is transmitted as a
10
sequence. - A 'one' bit is transmitted as a
01
sequence.
The bit rate is a binary division of a 3.579545 MHz colour-burst crystal; usually the division ratio is 256. This gives a bit rate of around 13982.6 Hz. The Manchester encoder sub-bit rate will be twice the bit rate (i.e. a divide ratio of 128, or around 27965.2 Hz).
In practice (per [JTI01]) the box will accept timing which is a few microseconds too fast or too slow.
Byte transmission
Each byte is packed into an RS232-style frame, idle high (data is inverted when sent):
Start bit (0 ) | 8 data bits | Odd parity | Stop bit (1 ) |
Data bits are transmitted from least-significant to most-significant; this means binary 01 011 111
(octal 137
, or hex 0x5F
) would be transmitted as 111 110 10
.
The parity bit is low if all the data bits XOR'ed together are equal to zero, or high if it is equal to one.
Data link layer (layer 2) packet format
The standard packet format is:
Preamble (FF FF FF FF FF ) | Length | Command | Parameter bytes … | Checksum | Postamble (FF ) |
- Preamble or IRG: Synchronisation sequence, to allow the STB to lock onto the incoming data stream's clock.
- Stream of
0xFF
bytes. Five (per US4558464A patent) or six (ESNv2) in total.
- Length: One byte. Total length of the packet, from the first command byte to the checksum byte inclusive (excludes the length byte itself).
- Command: One (base commands) or two (extended
FD
-prefixed commands) command bytes. - Parameters: Parameters to the command, total number varies based on the command. Usually starts with addressing information.
- Checksum byte: Two's complement checksum byte.
- Modulo-256 sum of all of the bytes from the length to the last parameter byte, XORed with
0xFF
, plus 1. - The sum of all bytes from the length to the checksum inclusive should be zero.
- Postamble or final IRG: a single
FF
byte to terminate the command.- Required for the MVP scrambler and likely other boxes too, due to the way the receive loop is implemented.
Serial Number field formatting
The serial number field carries the BCD-encoded truncated serial number of the box. This is the value displayed by the F 2
diagnostic function.
F 2
displays the sequence:01 12 23 34 45 56 67 78 89 90
- Which equates to serial number
1234567890
- Which is packed into bytes as
12 34 56 78 90
hex, in left-to-right order of transmission (SN4
..SN0
).
Site Code field formatting
The Site Code is a 4-byte sequence which encodes a 12-bit number, which uniquely identifies the cable network.
SC3 | Range D8 to DF | 1101 1xxx |
---|---|---|
SC2 | Range D0 to D7 | 1101 0xxx |
SC1 | Range C8 to CF | 1100 1xxx |
SC0 | Range C0 to C7 | 1100 0xxx |
Each byte encodes three bits (one octal digit) of the Site Code.
The default site code is D8 D0 C8 C0
.
Embedding the Site Code into commands
The headend will incorporate the site code into commands wherever possible or reasonable. This is done to allow boxes to check the site code against the one stored internally.
The Reset Disconnect command may have a site code incorporated into it thusly:
06 F9 LA LA LA LA CHK is the reset disconnect command. 0A F9 SI TE CO DE LA LA LA LA CHK is the same command with exactly the same function but also now containing the site code. ^^-^^-^^-^^ These are the 4 bytes of the SITE CODE.
The Time Set command also exists in a with and without Site Code form:
Without site code: 08 FD 60 0F 02 13 01 15 CHK With site code: 0C FD 60 0F 02 13 01 15 D8 D0 C8 C0 CHK ^^^^^^^^^^^ Site code
Logical Address field formatting
Logical Addresses are sent as a sequence of four bytes:
LA3 (first byte sent) | Range E0 to FF | 1110_0xxx | 3 bits – Geocode? |
---|---|---|---|
LA2 | Range 80 to BF | 10xx_xxxx | 6 bits |
LA1 | Range 40 to 7F | 01xx_xxxx | 6 bits |
LA0 (last byte sent) | Range 00 to 3F | 00xx_xxxx | 6 bits |
This gives a total addressing range of 18 bits per Geocode and eight Geocodes. This equates to 262,144 converters (set-top boxes) per Geocode region, or 2,097,152 converters if all eight Geocodes are used.
The ACC-4000 manual lists several restrictions for the logical address (the Converter ID) on page 74:
- The number is an integer from 1 to 518144.
- This would require 19 bits of addressing (which would allow up to 524288 addresses).
- The range 256001 thru 262144 is excluded.
- The range 260097 through 260999 is reserved for MVP series scramblers (page 184).
- The range 259073 to 259975 is reserved for Data Inserter Units (DIUs) and must be the scrambler ID minus 1024 (page 197).
The logical address is often set to E0 BF 7F 3E
(one less than the maximum) by pirate 'cubes'.
Logical Address compression (multi-LA addressing)
More than one logical address with the same first three bytes may be addressed in the same packet. This is done by appending additional bytes to the packet, containing the last byte of the LAs to be addressed.
For example, the following compressed LA stream addresses boxes E0 BF 7E 01
through E0 BF 7E 05
, but skips E0 BF 7E 03
:
E0 BF 7E 01 02 04 05
Command list
Len. | CMD (hex) | Addressing | DPBB? | CFT? | Function |
---|---|---|---|---|---|
7 | E8 ..F7 | LA | Bitwise Turn On/Off Channel | ||
6 | F8 | LA | Disconnect / Shutdown Box | ||
6 | F9 | LA | ✅ | Reset Disconnect | |
8 | FD 47 | LA | Enable/Disable Functions | ||
11 | FD 4D | LA | Channel Mapping | ||
11 | FD 4F | LA | Set Site Code | ||
12 | FD 5F | S/N | Set Logical Address and/or Site Code | ||
9 | FD 60 | Broadcast | ✅ | Set Time | |
3 | FD 6E | Broadcast | ❌ | Reset Timer | |
4 | FD 7F +FD 81 | Broadcast | ✅ | ❌ | Turn On Channel |
7 | FD 8D | LA | ✅ | ✅ | Initialize |
7 | FD 8E | LA | ✅ | ✅ | Reset Timer |
8 | FD 9F +FD A1 | LA | ✅ | ❌ | Turn On Channel |
6 | FE | LA | ✅ | ✅ | Reset/reboot |
Note: Length includes checksum byte, but it is not shown in the tables.
Addressing modes:
- Broadcast: All boxes which receive this command will execute it.
- LA: Logical Address. Targeted to a specific Logical Address.
- S/N: Serial Number. Targeted to a specific box Serial Number.
Receiver-specific differences:
- CFT-series receivers will not process most global commands.
- These receivers must be addressed by their LA.
- iCFT2100 (UK) and CFT2200 (USA) will not process LA-addressed single-channel activation commands.
TBD - unknown/undocumented commands
The following commands are currently unknown and undocumented:
Len. | CMD (hex) | Addressing | Function |
---|---|---|---|
6 | FB | LA | From TCINIT. Sent as 06 FB E0 BF 7F 3A A6 |
FD 10 | LA | Talkback (IMPULSE return channel): Per this post by MrBMcG, 07 FD 10 (LocalAddr) will cause the unit to transmit its serial number to the headend on the talkback channel. |
|
FD 18 | LA | Talkback (IMPULSE return channel): Per a post in this thread, the FD 18 (LocalAddr) command will cause the unit to transmit channel authorisations back to the headend. |
|
9 | FD 44 | LA | From ESNv2 / cube_source “extra” function. Sent as 09 FD 44 E0 BF 7F 3E 00 00 . |
FD 48 | LA | From Super2, no description | |
FD 49 | LA | per [JERCMD], an “unknown command” from the Phantom Cube. According to this post by JohnW, FD 49 is “Load Default Logical Address”. Will leave the box in Error E5 state until FD 5F command is sent. |
|
FD 4A | From Super2, no description | ||
FD 4B | LA | From Super2 FD 4B (LA) 02 : “set global timeout to 4 hours” |
|
FD 4E | LA | per [JERCMD], “part of a generic Jerrold cube startup” 06 FD 4E ESN1 ESN2 ESN3 ESN4 CSUM mentioned at hackHispano |
|
FD 50 | LA | FD 50 (LA) PARAM : unknown command ([JERCMD]) Seen in Magicboxes comm log below “cube-source” calls this “Tuning Type”, parameter is 00 , “Standard”. |
|
FD 5D | unknown command ([JERCMD]) | ||
FD 5E | unknown command, mentioned at hackHispano | ||
10 | FD 8C | LA | From ESNv2 “COMMFD8C”. Sent as 0A FD 8C E0 BF 7F 3E 7F 07 0A . Described as “Set checksum command”. |
FD 95 | LA | Set output channel. Parameters seen: F6 , F7 , 41 (here). |
|
8 | FD B0 ..FD BF + FD E8 ..FD F7 | LA | From ESNv2/cube_source. Sent as 08 FD B0++ LA[3..0] FF then 08 FD E8++ LA[3..0] FF Turn on/off PPV events or channels? FF seems to be a PPV event bitmap. Seems to support compressed addressing (LA_lsb+mask pairs) - see 509_gi_pic.asm |
Headend traffic notes
- Per the thread on Talkback, much headend traffic is spent sending
248
(F8
) shutdown commands to inactive boxes.
E8 to F7: Bitwise Turn On/Off Channel
LE | CMD | Logical Address | Channel bitmap | |||
---|---|---|---|---|---|---|
8 | 0xE8 ..0xF7 | LA | LA | LA | LA | BITMAP |
Enables or disables a block of eight channels for the box with logical address LA
.
Note that the command range is incorrectly listed in [JTI01] as E9
to F7
. [JERCMD] lists the range correctly as commands E8
to F7
.
ESNv2 doesn't appear to send this command.
Command | Channel range |
---|---|
E8 | 0-7 |
E9 | 8-15 |
EA | 16-23 |
EB | 24-31 |
EC | 32-39 |
ED | 40-47 |
EE | 48-55 |
EF | 56-63 |
F0 | 64-71 |
F1 | 72-79 |
F2 | 80-87 |
F3 | 88-95 |
F4 | 96-103 |
F5 | 104-111 |
F6 | 112-119 |
F7 | 120-127 |
F8: Disconnect / Shutdown Box
LE | CMD | Logical Address | |||
---|---|---|---|---|---|
6 | 0xF8 | LA | LA | LA | LA |
Shut down the box immediately.
Shut-down boxes will either:
- OSD capable (CFT): display the “
YOUR CONVERTER IS DISCONNECTED. PLEASE CONTACT YOUR CABLE OPERATOR.
” barker text. - Non-OSD: display the barker channel.
F9: Reset Disconnect
LE | CMD | Logical Address | |||
---|---|---|---|---|---|
7 | 0xF9 | LA | LA | LA | LA |
Also referred to as “Turn On Box”.
Reverses the “Shutdown Box” command. Also resets the box's communication timer.
FD 47: Enable/Disable Functions?
TODO
From the ESNv2 code. and [JERCMD].
LE | CMD | SubCMD | Logical address | Feature Bitmap |
---|---|---|---|---|
8 | 0xFD | 0x47 | LA3..LA0 (4 bytes) | FEATURES |
Feature flag bitmap has a '1' bit if the feature is enabled. ESNv2 and TCINIT send a bitmap of FF
, T2/RFT-Gold/Phantom/Super2 send 7F
.
Bits are:
Bit | Value hex | Feature |
---|---|---|
7 | 0x80 | |
6 | 0x40 | |
5 | 0x20 | |
4 | 0x10 | |
3 | 0x08 | |
2 | 0x04 | |
1 | 0x02 | |
0 | 0x01 |
FD 4D: Channel Mapping
Details from http://web.archive.org/web/20071117072824/http://www.hackhispano.com/foro/showthread.php?t=14585.
Channel number (LCN to RF) mapping
LE | CMD | SubCMD | Logical address | Block | Map | Channel mappings |
---|---|---|---|---|---|---|
11 | 0xFD | 0x4D | LA3..LA0 (4 bytes) | BLK | MAP | CH0..CH7 |
- BLK: Channel block number (starting channel number divided by 8). Range
00
to0F
.00
: channels 0 to 701
: channels 8 to 15- …
0F
: channels 120 to 127
- MAP: Channel map to update
00
to0F
: Map A10
to1F
: Map B
- CH0 to CH7: Channel mappings
00
: channel disappears from the channel guide.01
to7F
: Map user-entered channel N to this cable channel.
As an example:
11 FD 4D E0 BF 7F 3E 00 00 00 0F 04 00 00 00 00 2D CS
Will set Map A, channels 0-7, to:
- Channel 0: empty
- Channel 1: RF channel 15
- Channel 2: RF channel 4
- Channels 3-6: empty
- Channel 7: RF channel 45
Channel frequency mapping
LE | CMD | SubCMD | Logical address | Block | Map | Unknown/fixed | Max Ch A | Max Ch B |
---|---|---|---|---|---|---|---|---|
11 | 0xFD | 0x4D | LA3..LA0 (4 bytes) | BLK | MAP | 7F 7F 7F 7F 00 | MCA | MCB |
- BLK: always
1F
- MAP: Channel map to update
0F
: Map A1F
: Map B
- Unknown/fixed: unknown function
- MCA and MCB: Max Channel (wrap point) for A and B maps, respectively.
- Usually set to 99 or 127.
As an example:
11 FD 4D E0 BF 7F 3E 00 00 00 0F 04 00 00 00 00 2D CS
Will set Map A, channels 0-7, to:
- Channel 0: empty
- Channel 1: RF channel 15
- Channel 2: RF channel 4
- Channels 3-6: empty
- Channel 7: RF channel 45
RF tuning
Misc notes
ESNv2: 11 FD 4D E0 BF 7F 3E 1F 0F 7F 7F 7F 7F 1F 1F 63 63 1B Hexgen4 99-channel: 11 FD 4D E0 BF 7F 3E 1F 0F 7F 7F 7F 7F 1F 1F 63 63 1B Hexgen4 127-channel: 11 FD 4D E0 BF 7F 3E 1F 0F 7F 7F 7F 7F 1F 1F 7F 7F 1B Super2: 11 FD 4D la la la la 1F 0F 7F 7F 7F 7F 1F 1F 63 63 cs
FD 4D
: per [JERCMD], “set channel map”. Examples:11 FD 4D (—LA—-) 0B 00 2A 00 00 00 00 00 00 00 CSUM
([JERCMD])- Block 0B, Map A, channel 88 is RF channel 2A, other channels disabled.
11 FD 4D (—LA—-) 1F 0F 7F 7F 7F 7F 00 17 63 63 CSUM
([JERCMD], ESNv2 with fixedE0 BF 7F 3E
LA, Magicboxes post)- Channel range mapping,
63 63
(99 decimal) is maximum channel number for map A/B.
FD 5F: Set Logical Address and Site Code
NOTE: This command is incorrectly listed in [JERADDR] as having the serial number sent first, then the logical address and sitecode. It is correctly shown in [JERCMD], [JTI01] and [JTI03], and correctly implemented in TCINIT and ESNv2.
Without site code
LE | CMD | SubCMD | Logical address | Serial number |
---|---|---|---|---|
12 | 0xFD | 0x5F | LA3..LA0 (4 bytes) | SN4..SN0 (5 bytes) |
Set the logical address on the box with serial number SN
to LA
. The Site Code will not be set, and will not be checked by the box.
With site code
LE | CMD | SubCMD | Logical address | Serial number | Site Code |
---|---|---|---|---|---|
16 | 0xFD | 0x5F | LA3..LA0 (4 bytes) | SN4..SN0 (5 bytes) | SC3..SC0 (4 bytes) |
Set the logical address on the box with serial number SN
to LA
, and its Site Code to SC
.
FD 60: Set Time
Without site code
LE | CMD | Year mod 16 | Month | Day of Month | Hour | Minute |
---|---|---|---|---|---|---|
8 | FD 60 |
With site code
LE | CMD | Year mod 16 | Month | Day of Month | Hour | Minute | Site code |
---|---|---|---|---|---|---|---|
12 | FD 60 | SC3..0 (4 bytes) |
- Year mod 16: Current year, modulo 16. Zero based (0=n+0, …, 15=n+15).
- Epoch is unknown.
- Month: Month of the year. Zero based (0=January, …, 11=December)
- Day of month: Day of the month. Zero based (0=1, …, 30=31)
- Hours: Zero based (range 0 to 23)
- Minutes: Zero based (range 0 to 59)
- Site code: Optional site code.
There is some dispute about the command code used by this command.
- [JERCMD] quotes the command code as
60 FD 60
, which seems to be accepted by CFT series boxes. - A post in this thread identifies the time command as
12 253 96 (time) (sitecode)
, or0C FD 60 (time) (sitecode)
. - The MVP scrambler seems to expect
FD 60
commands, and may reject60 FD 60
ones.- TODO: More testing is required. See if an MVP accepts the
60 FD 60
variant.
FD 6E: Reset Timer (global)
LE | CMD | SubCMD |
---|---|---|
3 | 0xFD | 0x6E |
Resets the disconnect timer for all boxes on the cable network.
FD 7F and FD 81: Turn on channel (global)
LE | CMD | SubCMD | Channel ID |
---|---|---|---|
4 | 0xFD | 0x7F | 0x00 to 0x9E (0 to 158) |
LE | CMD | SubCMD | Channel ID |
---|---|---|---|
4 | 0xFD | 0x81 | 0x00 to 0x9E (0 to 158) |
Enables access to a channel for all receiving boxes. Both commands must be sent – FD 7F
followed by FD 81
.
Only available on earlier boxes, pre CFT series. Ignored by CFT series and later. Known to work on DPBB7 series and earlier.
FD 8D: Initialize
LE | CMD | SubCMD | Logical address |
---|---|---|---|
7 | 0xFD | 0x8D | LA3..LA0 (4 bytes) |
Reboots the addressed box and initializes the NVRAM settings to their defaults. May be used with or without Site Code.
The “FE: Reset” command must be sent before this one, or the reboot request will be ignored.
FD 8E: Reset Timer (locally addressed)
LE | CMD | SubCMD | Logical address |
---|---|---|---|
7 | 0xFD | 0x8E | LA3..LA0 (4 bytes) |
Resets the disconnect timer for the addressed box.
FD 9F and FD A1: Turn on channel (locally addressed)
LE | CMD | SubCMD | Logical address | Channel ID |
---|---|---|---|---|
8 | 0xFD | 0x9F | LA3..LA0 (4 bytes) | 0x00 to 0x9E (0 to 158) |
LE | CMD | SubCMD | Logical address | Channel ID |
---|---|---|---|---|
8 | 0xFD | 0xA1 | LA3..LA0 (4 bytes) | 0x00 to 0x9E (0 to 158) |
Enables access to a channel for the box with logical address LA
. Send command FD 9F
followed by FD A1
.
Only available on earlier boxes, pre UK iCFT2100 and USA CFT2200 series.
FE: Reset
LE | CMD | Logical address |
---|---|---|
6 | 0xFE | LA3..LA0 (4 bytes) |
Reboots the addressed box and enables the “FD 8D” (Initialize) command.
Appendix: Comm samples
TCINIT.COM communications
TCINIT sends the following commands:
Len | Cmd | Payload | Notes |
---|---|---|---|
128 bytes FF preamble/IRG |
|||
0C | FD 5F | E0 BF 7F 3E (SN[4..0]) 3C | Set LA to E0 BF 7F 3E |
28 bytes FF preamble/IRG |
|||
0A | FD 8C | E0 BF 7F 3E 7F 07 0A 81 | |
12 bytes FF preamble/IRG |
|||
06 | FE | E0 BF 7F 3E A0 | Reboot box with LA=E0 BF 7F 3E |
12 bytes FF preamble/IRG |
|||
07 | FD 8D | E0 BF 7F 3E 13 | Initialize box with LA=E0 BF 7F 3E |
12 bytes FF preamble/IRG |
|||
07 | FD 8E | E0 BF 7F 3E 12 | Reset timer on box with LA=E0 BF 7F 3E |
12 bytes FF preamble/IRG |
|||
08 | FD 47 | E0 BF 7F 3E FF 1D | Enable/disable functions , enable all fuctions |
12 bytes FF preamble/IRG |
|||
06 | F9 | E0 BF 7F 3E A5 | Reset Disconnect |
12 bytes FF preamble/IRG |
|||
06 | FB | E0 BF 7F 3E A6 | |
44 bytes FF preamble/IRG |
Magicboxes
From https://groups.google.com/g/rec.video.cable-tv/c/GLVlZnUc3rA/m/SMYxwaVG-J8J
3 FD 6E 92 FF FF FF FF FF Reset timer for all boxes 11 FD 4D E0 80 76 0 B 0 2A 0 0 0 0 0 0 0 9A FF FF FF FF FF Channel map targeting LA E0:80:76:00. Block 0, map 0xB 8 FD 49 E0 80 76 0 0 DC FF FF FF FF FF Unknown FD 50 E0 80 76 0 0 D5 FF FF FF FF FF Unknown, incomplete command E8 E0 80 76 0 FF 3C FF FF FF FF Unknown, incomplete command 7 E9 E0 80 76 0 FF 3B FF FF FF FF 7 EA E0 80 76 0 FF 3A FF FF FF FF 7 EB E0 80 76 0 FF 39 FF FF FF FF 7 EC E0 80 76 0 FF 38 FF FF FF FF 7 ED E0 80 76 0 FF 37 FF FF FF FF 7 EE E0 80 76 0 FF 36 FF FF FF FF 7 EF E0 80 76 0 FF 35 FF FF FF FF Bitwise channel enables part one, to E0:80:76:00, enable all channels (FF) 7 F0 E0 80 76 0 FF 34 FF FF FF FF 7 F1 E0 80 76 0 FF 33 FF FF FF FF 7 F2 E0 80 76 0 FF 32 FF FF FF FF 7 F3 E0 80 76 0 FF 31 FF FF FF FF 7 F4 E0 80 76 0 FF 30 FF FF FF FF 7 F5 E0 80 76 0 FF 2F FF FF FF FF 7 F6 E0 80 76 0 FF 2E FF FF FF FF 7 F7 E0 80 76 0 FF 2D FF FF FF FF Bitwise channel enables part two, to E0:80:76:00, enable all channels (FF) 9 FD B0 E8 E0 80 76 0 FF 8D FF FF FF FF 9 FD B1 E9 E0 80 76 0 FF 8B FF FF FF FF 9 FD B2 EA E0 80 76 0 FF 89 FF FF FF FF 9 FD B3 EB E0 80 76 0 FF 87 FF FF FF FF 9 FD B4 EC E0 80 76 0 FF 85 FF FF FF FF 9 FD B5 ED E0 80 76 0 FF 83 FF FF FF FF 9 FD B6 EE E0 80 76 0 FF 81 FF FF FF FF 9 FD B7 EF E0 80 76 0 FF 7F FF FF FF FF 9 FD B8 F0 E0 80 76 0 FF 7D FF FF FF FF 9 FD B9 F1 E0 80 76 0 FF 7B FF FF FF FF 9 FD BA F2 E0 80 76 0 FF 79 FF FF FF FF 9 FD BB F3 E0 80 76 0 FF 77 FF FF FF FF 9 FD BC F4 E0 80 76 0 FF 75 FF FF FF FF 9 FD BD F5 E0 80 76 0 FF 73 FF FF FF FF 9 FD BE F6 E0 80 76 0 FF 71 FF FF FF FF 9 FD BF F7 E0 80 76 0 FF Unknown -- ESNv2 / 509_GI_PIC seem to describe this as PPV enable, but could be related to enabling higher service codes. 16x8 gives 128 service codes.
References
- Spec sheets and ordering information:
- NY DPS: Time Warner Cable franchise application – CFT2000 spec sheet included, page 63 to 65.
Appendix: Next steps
- ROM disassembly
- Jerrold 550 / Starcom 6 ROM – reverse engineer this to figure out the command scheme.
- Only 8K of code, according to this page is for a PIC7040 microcontroller – which is a clone of the Texas Instruments TMS7040.
- CFT2100 ROM – W65C02S code, with trivial scrambling. Contains about 32K of code (27C512 EPROM with half empty).
- Lots of code, lots of functionality, might be tricky to reverse-engineer.
- Analyse “cube” or “509 chip” source code
Appendix: Hardware for modulation and demodulation
TBD.
- Local oscillator
- SiLabs Si5351 – I2C-programmable any-frequency CMOS clock generator and VCXO. 8kHz to 160MHz.
- Mixer
- Mini-Circuits ADE-6 – LO/RF 50kHz to 250MHz, IF DC to 200MHz, +7dBm LO power.
- FM Exciter
- DDS: Analog Devices DDS chips
- AD9834 has 75MHz reference clock, and is available on a pre-assembled board with oscillator. Frequency and phase select inputs allow FSK and PSK modulation.
- FM detector
- PLL doesn't require a quad coil and may be the most practical.
- All-in-one chips: (All discontinued as of 2023)