SA 4250 digi cable boxes

thalungz

Hey guys, I live in Canada, Toronto ON, and for the past few years testing digital cable was only a rumour/fantasy for us.. But I see that you guys have been doing it in the UK for quite some time now... But there are absolutely NO tutorials or files written for our provider/area.. BUT there are a few dealers in our city selling modded Scientific Atlanta 4250HD units (<-- most popular) and a cpl other models (pvrs etc.). These dealers have the box wide open and ppv/pron is working also, so being that they are wide open I know it isn't a simple sub clone, bcuz if it was a clone of a sub, ppv wouldn't work.

I found a tutorial on how to do the sa4000 boxes, it is a great tut, it explains how to remove the u48 and u50 chips, and how to use an elvis/multiprogrammer to dump the box keys/ird info and then how to write back to the chips. But the problem with that is, after you get to the part where you need to program the chip, you are supposed to use a "fix" or file for your specific area, and there isn't any for our area/provider.. But like I said, these guys have figured something out that has the units WIDE OPEN!! .. I was just wondering if anybody knows of a universal tutorial for these sa4250's or if there is some kind of tutorial out there that they are maybe following for a UK provider that somehow works on our provider.. Or anything.... Or maybe they are using the same or similar method as the sa4000 tut.. But with what files/fix for our provider, that's what I don't get.

At first I thought they were soldering in a header and using a jtag to dump the firmware and then maybe writing a factory/diagnostic firmware back to the boxes, but there is no header in the box my friend owns. (I know that doesn't mean that one wasn't used. It could have been a solderless one or they could have just removed it after the mod) but I don't think a jtag is involved, because I have another friend that has an unmodded 4250 unit, and he soldered a header in, and tried to use a pjtag and a usbjtag and got nothing, it wouldn't even detect the unit.

Anyways, I figured if I was going to get info anywhere, it would probably be here. So thanks for taking the time to read and hopefully reply. Have a nice day!!! :)
 
first off does the unit have a smart card?
if so have u any idea which type nagra 1 seca etc etc

as for ppv and all the channels yes it is possible, we used to have all the channels and ppv until they started updating the software and locked us out

take a picture of your card and cover the card number or erase it then we may be able to help you a bit more
 
also as far as i know no one has jtagged a s/atlanta in this country no matter what model it was m8.............the sa400 was fairly easy to hack compared to the later models like the 4200 and 8300


the 4250 looks very similar to our 4200 {but it all depends on the internal mainboard}........the box details on the 4200 are stored in the 56 pin tsop underneath the mainboard

a couple of pics of the mainboard top and bottom might help m8
 
their system may be like our old system
hack by card
 
Thanks for all the replies :), I do have a pic of the main board, I will attach it so you guys can take a look. As for the cards, there is a card slot in the unit, but no card is being used . Just plug in the modded unit and it works the way it is. I really wish I knew what they were doing, but they are keeping it really secret arg. Anyways, the pic i am going to attach is of the modded unit that is wide open. It is an sa 4250HD box.

I was thinking maybe they were using a similar method as the 4000 and 4200, but if they are, what are they doing to the dumps they make, and how do they get it wide open. I really hope I can get this figured out, i really want to get one, but I could never bring myself to pay 500-800$ for something I can buy for 99.99 and mod myself..Thanks again for the replies, I really appreciate it.

Here is the pic;
2m5f4b6.jpg
 
Well I see a nice big 28F640 TSOP (looks like a 56) in there - that would need to be dumped.

Second you would need to get an ATR from an official card - this will tell you the encryption system and the revision.

What is the name of your provider?
 
Looks as though the bga may have been lifted on that pic. I know they can be read and reballed with the right equipment, but can they be reprogrammed?

Especially in a way that makes it a cardless system? Surely not.

Chookey
 
The bga chip is one time write but you can just write the dump to a new/replacement chip, but as to what is doing the emulation? That's another question!!
cheers..
 
Dunno if it's my eyes but looking at the pic it looks like some epoxy removal has been done on the chips? if it has it has been done very well indeed
 
the mainboard and psu in your sa4250 is near enough identical to our 4200 model m8, although the tsop {a} is underneath the mainboard on our 4200 with the adjoining spare pads left untouched on top...{not forgetting your 4250 is HD so there's a couple of different chips on the mainboard as well}

this is where the similarities end m8 "we don't alter dumps on these boxes to allow all channels {we get information from the tsop {a} to modify a card to allow all channels}....we only alter the dumps in the eeproms to change the box to or from different areas"

{a} 56 pin tsop=hasn't been touched.

{b} BGA main processor= definitely been lifted...no clean flux plus blobs of solder still on the chip.

{c+d} samsung ram chips=definitely been lifted..no clean flux still on the chips.

you would need really good soldering skills to lift the BGA chip m8, besides the hard part will be putting it back...........expect to pay broosters for a programmer or adaptor for these chips as well
 
A lot of great, experienced replies, thanks a ton guys!

> Well I see a nice big 28F640 TSOP (looks like a 56) in there - that would need to be dumped.
>
> Second you would need to get an ATR from an official card - this will tell you the encryption system and the revision.
>
> What is the name of your provider?


There are no cards used at all, not on any unit on our system. The provider is Rogers Cable. All boxes get authorized by just plugging them on the network, and waiting until Rogers plugs it into their database, or you can do it yourself via the Rogers website.


> Dunno if it's my eyes but looking at the pic it looks like some epoxy removal has been done on the chips? if it has it has been done very well indeed

That's another thing, it looks like there is tar or glue on some of the chips. I don't know if the factory put it there (like on the xbox-360's drive chips) or if maybe the modder did it to make sure nobody could lift the same chips and figure out what they did. I really need to get an un-modded unit and compare them.

Also if you look closely, there are a couple of things that are standing out to me. The chip with the blue marker line on it looks like it is smaller than what would fit in the spot it is in. Also on r2777 it looks like a wire is attached to it and then also attached to one of the legs on the u3601 chip. I don't know if that is the talk-back disabler or if it unlocks the chips to be read or if it's just nothing and in all of the stock units as well.. Again, I really need to get a stock one to compare it.

After reading through some of the threads here and other sites, it seems like a card is needed to hack cable.. but there are no cards being used at all... It's driving me crazy, how did they figure out what to do, and how did they do it without a fix specific for our provider.. I was thinking maybe they were following a tutorial for another unit that is similar to the 4250 and it worked on our unit/provider with a few simple alterations. But now I am starting to think this person just figured it out on their own. But the problem with that is, there is not only one dealer doing it.. There are a few that I know of, and I have no idea how many there are that I don't know of. So it has to be something that can be figured out by anyone.. Because I doubt these dealers just shared all the info with each other and it didn't leak. Get what I'm saying??

Anyways, I zoomed in and marked the picture in the spots that I was talking about. Let's see what you guys think.. Thanks again for trying to help me out, I really appreciate it. Everywhere else I posted this info and asked for help, I got ignored. So thanks again!

Anyways here is the pic;

2ef2n4j.jpg


The wires from r2777 is really interesting.

2vcuj4y.jpg


That chip might just be the chip that has the firmware on it, and it could be stock. but I dunno, it looked like it was worth mentioning.



EDIT:

I forgot something. I wanted to ask if any of you have an extra/un-wanted Elvis multiprogrammer (and paypal) that you would be willing to sell to me?? If so, please let me know how much for it and how much for shipping.. Thanks!!!
 
I'm not convinced that the BGA has been reworked.

That looks like a sealant or underfill, maybe for tropicalising purposes. It covers the top encapsulation of the chip in places, the BGA would have been floating on it if it were flux.

Also, to get the BGA off and back on would likely require the whole board to be heated or prolonged localised heating (twice).

That string of hot-melt glue from the blob stabilising the electrolytics to the bottom left would not have survived!
 
Is that wire not just hot-melt glue?

The extra pads near the Intel flash are just a dual-footprint in case they needed to use another part with different pinout. Notice the printed legend on the board at the other end of the device.
 
this chip is normal m8, same as in our 4200...although on the top of the board is an extra layer of pads for bigger tsops


the long wire interests me m8, {if you can get a clearer pic of that area} talkback on our units is done inside the silver box at the back of the mainboard

are you sure it's glue on those chips m8...........looks like no clean flux to me
 
The pads are for a TSOP the same length as the one fitted, the small white line at the top end on the legend hints that there is a row of pads hidden under the chip
 
> I'm not convinced that the BGA has been reworked.
>
> That looks like a sealant or underfill, maybe for tropicalising purposes. It covers the top encapsulation of the chip in places, the BGA would have been floating on it if it were flux.
>
> Also, to get the BGA off and back on would likely require the whole board to be heated or prolonged localised heating (twice).
>
> That string of hot-melt glue from the blob stabilising the electrolytics to the bottom left would not have survived!


these chips are normally spotless in our 4200 s/atlantas spectra {although i will say it could be glue}
 
> The pads are for a TSOP the same length as the one fitted, the small white line at the top end on the legend hints that there is a row of pads hidden under the chip


hahaha i will have to get my mag lamp out to see it m8....normally I'm squinting
 
assuming it's glue on those chips then the 56pin tsop must have been cloned... {similar to our ppv system where the card is not used to order a film}

maybe your channels and ppv work on a similar system m8 ??
 
I am not sure if it is no-clean flux or glue.. My friend owns the unit I got the pics from, he took them and sent them to me. He says it is glue, but who knows, I don't think he would have known the difference.... That long wire that I mentioned, I guess it could be a string of glue, but it looks a lot like a wire.. I will try and see if he will take some more pics or let me take some... I guess the only way for me to tell if that is glue put there by the factory or if it's nc flux, is to grab a stock unit and compare it to the pic... I am trying to get one, but the two stores near me didn't have them, and I didn't have enough time to make it to bestbuy before they closed. I will have to grab one on Monday.. When I do, I will take some pics of it and post them....

There is a spot for a header to be installed, maybe a jtag can be used, but u need an adapter? I know for the SA webstar modems, you need to solder in a header and then put an adapter onto the header and then the jtag onto the adapter.. That's the only way it will detect it.. I have done it on a couple of modems to get hax0ware onto them... I doubt it will work, because like you said, "nobody has jtagged an SA unit that you guys know of" but it's worth a try I guess... I mean maybe these guys are dumping it that way, modding the nvram and then writing it back. But in order to do the nvram on a dct box here, you need to first subscribe to a package, and then u can dump the nvram and then disconnect the sub and then write the subbed nvram back onto it, but they can't be doing that, because then PPV wouldn't work, right? Because even on a sub, you can't order every ppv channel in a package, or else it wouldn't be called "pay-per-view" right?? Anyways, I really appreciate all the replies and help etc.. Thanks a lot!!

I guess if i bought an already modded unit and then grabbed another stock unmodded unit, that would be easier. But the modded ones are selling for 500- 800$ depending on who you know and what dealer you go to.. I really wish i could figure it out without having to buy an already modded one ... Do any of you have the 4250s available near you for purchase that would be willing to try??

Also still wondering if anybody has a multi programmer (the kind you need in the 4000 tut) they can sell to me, let me know.. Thanks guys!!
 
You're not really going to find anyone who is going to buy a box and do testing for you.

What you will find is some great advice to help yourself.

So the card slot is unused? That would suggest some kind of MAC based authorisation like our VOD service - and would suggest we may be dealing with MAC cloning. The MAC is probably set inside the TSOP or an eeprom - Step one would be to dump the TSOP from 2 units with the same firmware on and compare them.

I would not bother buying an Elvis at this stage.
 