Phirel

Scientific Atlanta Cable Box Gdb

8 posts in this topic

Warning: before I say anything I want everybody to know that I DO NOT want to do anything illegal with this.

Also, I have already tried reporting this bug to Scientific Atlanta/Cisco. I'm not sure if my message ever got sent to the right person, but I have also called a software engineer and told him about the problems. If you try this, I take no responsibility if your cable box gets bricked or anything else happens that I could be sued about. I am 14-15 years old and I did this by reading the Scientific Atlanta Creativedge documentation. If you do this, promise me that you WON'T exploit PPV or try to get free TV, even though that is probably impossible.

The Scientific Atlanta cable boxes have a built-in gdbserver. You can dump the entire firmware with this and upload code to the box using a Linux computer, a TTL-level serial cable (like a cell phone data cable for RS-232), and a headphone jack that you don't need anymore. The headphone jack has to have three pins and three wires or else it won't work. First of all, once you put your cable box in this mode, you will have to unplug it to take it out. If you hold down the middle button or the down button, unplug it from the wall and plug it back in, and it displays something like b081, then you have entered the gdb mode. If not, don't bother collecting the supplies. Connect the ground wire (normally black or with no insulation) on both the TTL-level serial cable and the three-wire headphone cable. Then try connecting the other two wires in any order. If the rest of this doesn't work after starting gdb, swap the wires and try again. Then connect the headphone jack to the IR port on the cable box. Next, connect the TTL-level serial converter cable to the computer. Then download sparc-rtems-gdb. Next, run the program "sparc-rtems-gdb -b 57600"; if that doesn't work, type "sparc-rtems-gdb -b 115200" instead. You need to do this because different models use different baud rates. Once gdb starts, type "target remote /dev/ttyUSB0" if you are using a USB serial converter, or type "target remote /dev/ttyS0". If there is no error, type "show registers". If you get a response, look at the PC register. That should tell you where the code stopped before gdb. You can also type "dump memory /tmp/file.bin 0x(somewhere before the PC register) 0x(like 10000 after the start address)", look at /tmp/file.bin in a hex editor, then search for 1f 8b 08 as a hex string. If you find one, you probably have the later firmware version. If not, then you have the earlier firmware version. The transfers have no progress marker.
You can also do a much larger transfer to dump the whole firmware, but I won't describe this here. My goal for this is to run Linux on the cable boxes. Some have a MIPS arch; some have a SPARC arch. If you have a MIPS cable box, please tell me the model number. This is because I would like to buy one off of eBay to port the PowerTV Linux arch to it. If I missed anything, or you need help with something legal relating to this, please reply. If somebody works at Scientific Atlanta and is here, please notify somebody to set up a password-protected gdb if they want more security. There may be some spelling errors, but I don't post on forums much.

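The post's "search for 1f 8b 08 in a hex editor" step, as an added example that is not code from the original post: a scanner for a raw memory dump (assumed to be a flat binary produced by gdb's "dump memory", with no load-address header) that treats each magic match as a candidate only and confirms it by actually inflating, so chance matches in code or data are rejected. The sample dump embedded below is constructed; only the file path /tmp/file.bin comes from the post.

```python
"""Scan a raw memory dump for gzip members (magic bytes 1f 8b 08)."""
import gzip
import zlib

# ID1, ID2, CM=8 (deflate): the three bytes the post searches for
GZIP_MAGIC = b"\x1f\x8b\x08"


def find_gzip_members(blob):
    """Return [(offset, inflated_length)] for every real gzip stream in blob.

    A bare magic match is only a candidate. The FLG byte's reserved bits
    must be zero, and the data must inflate to a complete member; anything
    else is a false positive (e.g. instructions that happen to contain
    the three magic bytes)."""
    hits = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        flg = blob[pos + 3] if pos + 3 < len(blob) else 0xFF
        if flg & 0xE0 == 0:                      # reserved FLG bits 5-7 clear
            d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper only
            try:
                out = d.decompress(blob[pos:])
                if d.eof:                        # trailer seen: a whole member
                    hits.append((pos, len(out)))
            except zlib.error:
                pass                             # candidate, not a gzip stream
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return hits


def scan_dump(path="/tmp/file.bin"):
    """Scan a dump written by gdb's "dump memory" to disk."""
    with open(path, "rb") as f:
        return find_gzip_members(f.read())


# Constructed sample dump: filler, a fake magic with a valid FLG but garbage
# deflate data (zeros give an invalid stored-block length), then one real
# gzip member, then padding. Offsets are derived, not hard-coded.
_FILLER = b"\x00" * 64 + b"\x1f\x8b\x08\x00" + b"\x00" * 28
_PAYLOAD = gzip.compress(b"PowerTV kernel image " * 100, mtime=0)
SAMPLE_DUMP = _FILLER + _PAYLOAD + b"\xff" * 32
SAMPLE_OFFSET = len(_FILLER)

if __name__ == "__main__":
    for off, size in find_gzip_members(SAMPLE_DUMP):
        print(f"gzip member at 0x{off:x}, inflates to {size} bytes")
```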

Cool.

Am I following you right? You connect a stereo audio jack into the IR port, with TX to tip, RC to ring, and GND to the sleeve, or some other similar combination?

Pretty neat. I wonder how many other gadgets have this capability.


Cool.

Am I following you right? You connect a stereo audio jack into the IR port, with TX to tip, RC to ring, and GND to the sleeve, or some other similar combination?

Pretty neat. I wonder how many other gadgets have this capability.

Sounds interesting. What could be done with this?


You connect a stereo audio jack into the IR port, with TX to tip, RC to ring, and GND to the sleeve, or some other similar combination?

Yes, but at TTL-level serial, not standard RS-232 serial. If you do standard RS-232 you might break the IR port. Also, you might have to switch TX and RC.

What could be done with this?

You could upload a Linux kernel and ramdisk into RAM. You might need to use uClinux.

I am trying to figure out a way to upload the original firmware into RAM and run it.

You can also change the registers and run code at a different point in memory.

The best part is that you can get a basic memory map.

I am pretty sure that it is either a microSPARC or MIPS arch, but the older cable boxes seem to be microSPARC.


The Scientific Atlanta cable boxes have a built-in gdbserver.

Whoops... looks like someone forgot to do the 'production' build. Good for the hackers I guess :-)

Mungewell.


I actually think that the development build has a download feature that isn't available in the production build. Both have gdb. GDB has the same features, though, but you can't write to the NAND flash. The way to enter GDB is not in the developer's manual, but I have tested it on multiple cable boxes that I bought off of eBay and got from our local e-waste place.


GDB has the same features, though, but you can't write to the NAND flash.

If you have access to memory (provided there's not a memory manager locking you out) you can push code into a location and run it... you might need to write a NAND flash driver, but that's possible too.

Mungewell.


I found out more information about the Scientific Atlanta cable boxes. I have been reading through the developer manuals at www.sciatl.com, and I found out about a utility called xld. I also found an FTP site with anonymous access called ftp.sciatl.com. That site has virtually every firmware file known to Scientific Atlanta. Look under the directories in the scicare directory. It is very disorganized, and it was supposed to be shut down July first, so look while it is still there. I don't want to get in trouble for showing anybody this, so do so at your own risk. There is the xld utility mixed in with another program somewhere on the web. I won't say where, but you can find it by looking for "scientific atlanta xld" on Google. You should be able to use some of the ROM files from ftp.sciatl.com with the xld utility. Before attempting any of this, find a cable box that you own yourself, not one that the cable company owns. You would still need to buy or build a serial cable. You should be able to put the 3250hd cable box into loader mode for xld by holding down the middle/select button and guide at the same time. Most of this is inside the Scientific Atlanta developer manual, which is available from Scientific Atlanta with no restrictions as of now. You can flash the Scientific Atlanta cable boxes with xld, that much I know for sure. Even the production cable boxes still have this feature for repair/other uses. Please note that this is likely to BRICK the cable box if you do it wrong. You most likely won't find the Passport OS firmware at Scientific Atlanta's FTP site, but you can get the SARA/PowerTV firmware. For anybody that works at Scientific Atlanta, I mean no harm; I only want to run Linux on Scientific Atlanta cable boxes, or at least develop a custom application for the Scientific Atlanta cable boxes. I am NOT attempting to get free TV.
