SA 4250 digi cable boxes

As mentioned above, it might have some sort of debug port that can be accessed. Is that an ARM core with some SA specific bits in there?

The TSOP doesn't look like it has been removed but I know it is possible to do it very cleanly. Having said that, the chinagraph pencil mark on the top would probably get smudged by any cleaning solvent used to remove flux.

I've not seen any SA4250s but I'll keep my eyes open :).

I've got a TSOP56 SMT clamshell socket to put on a PCB :). The programming algorithm is available for that Intel part I believe. SA sometimes use non-standard flash parts which have an unknown one. A good place to put a MAC would be in the 'hidden' OTP sector of the flash if it has one, I haven't looked at the datasheet. Some flash have a true OTP address for things like that.
 
I don't want somebody to buy the box and do it for me.. I was hoping someone would grab one and do it for themselves and share their success with us.. Maybe the SA 4250 boxes can be used on your networks also, and you guys all know what you are doing already.. That's all.. Sorry if it sounded like I wanted people to do it "for me". I am not lazy, don't care if I break the unit and am willing to spend the money to do the testing.. I am just not as experienced is all, I haven't done any of this before. The only tool I have used is jtags to dump satellite equip. And my main hobby is modems...

Sure I can start lifting chips and try all the stuff mentioned, but I don't have any of the tools needed. All I have is a usbjtag and an adapter for SA modems and soldering equipment.. That's why I wanted to grab a multiprogrammer, figured I would need it at some point anyways.. So anyways, what tools do I need to start this project? I am going to get a stock unit tomorrow and crack it open. So I wanted to order some tools so they can get here asap. Thanks again for all the help! :)
 
I'm guessing it's done via MAC addresses.

Is SNMP enabled on your network?

Check the 2 boxes you have and see if it tells you what the MAC address range is under the box?
 
SNMP is disabled from a normal IP address. But I have a trick that gets me a 10.xx.x.x.x IP and I can then scan SNMP. What range are the boxes on?
 
Really we don't know enough about your system to be of any use m8.. assuming someone can get hold of a 4250 in this country then there's only a slim chance it would work over here anyway, which I doubt {different firmware on your SA boxes for them to work on our system}. Our nearest model is the 4200, which is very similar to your 4250 with a few hardware differences.....our provider doesn't supply that model in our country

Considering your pics of the mainboard were a bit unclear, it looks to me the TSOP has never been touched, which makes me think the box has been jtagged. {done a few 4200 TSOPs in my time and the mainboard never looks that clean after you finish no matter how good you are at lifting} ............assuming you find a JTAG point on the box you still need the software to make contact with it m8.

up48 programmer and 56 pin adaptor is as good as any for cloning the TSOP m8, it will also do the EEPROM underneath the mainboard if that needs cloning as well

I don't know if it's true or not, but I heard the SA4250 boxes in the States switch themselves off if you cut the talkback?.. would this happen in Canada where you are???

Check your m8's box, see if this track has been cut
 
The talk-back in my friend's unit is disabled. [So he was told]

Anyways, I have been doing a lot of searching since I started this thread, and I found a thread on usbjtag forums, that goes back to 2008 early 2009 and these boxes were wide open back then even.

I was browsing the same thread and saw a post from someone I know and he has claimed to have already dumped one of the modded wide open units! He didn't go into detail about how he did it, but I assume he lifted the chip and used a willem to do it, because he was talking about using a willem in the same thread. The dump is supposedly 512k. I am trying to msg him to ask for the dump, just waiting on a reply. Hopefully he will send me the dump and maybe tell me how he dumped it.. Would a dump from a modded unit, written to a stock unit with the talk-back cut work?

I hope I can get some info from him, if I do I will be back to share! :)

Thanks again for all your help guys!!
 
If the dump he has is 512kb then he must have dumped the 24cl512 eprom; this will not open the box.
The details you want will be on the 56 pin TSOP, or even a dump with a JTAG; the info is then in the BGA (SCI-ATI 2003)

I think in our 4200 the JTAG was disabled. This looks like a JTAG point here
 
The talk-back in my friend's unit is disabled. [So he was told]

If it really is disabled, then it's not using an interactive VOD system. Most likely it's just using some clone information from a real sub copied into one of the chips - possibly an EEPROM or similar somewhere but it could also be written into the flash chip.

Have you tried running something like a dreambox on your system and logging to see what encryption, if any, is present?
 
You won't clone these units with just an EEPROM dump m8, {I bet a dollar to a cent it's the flash he dumped with the willem}.........it won't be that easy just cloning the eep

Rogers PPV looks similar to our old PPV system ...so cutting the talkback won't affect it ...although you won't get any VOD or interactive services

Rogers cable supply both video on demand and PPV I believe ...sounds like your VOD is still in beta "and it's free up to now"
 
Yea I noticed the JTAG points, but I was reading another board, and someone was saying how they soldered a header into a 4250 they owned, and couldn't get it to detect. But I still want to try... I am still trying to get my hands on one of these units though lol.. They were sold out at the 3 stores I went to so far.. I am going to try another Best Buy and Future Shop tomorrow (Friday), see if I can get one... if I do get one, I will solder in a header and try out my usbjtag, and I'll also order a usbjtag NT and try that too.. I will also build a pjtag and see if that gets anything... But I doubt the pjtag will work, I don't have any software for it.. Oh yea, I also want to try out the header adapter I have, because on some SA modems I need to solder in a header and then use the adapter in order to get it to detect with the usbjtag... Worth a try.

On the modded units, there is no VOD, that's correct. But everything else is working. PPV is always on too, no need to push order or clear the memory or anything like that. Everything but VOD works.. Locals/PPV/Pron/all HD channels.

Also I found out we are on DOCSIS. Not sure which version, but I know the internet is DOCSIS 1.1... Someone was telling me that a MAC clone would work?? Just like the modems (before Rogers went BPI+). Anyways, I'll see if I can get one of these units, and see what I can do with it when I do.

I also have an old SA 1800 unit here, maybe there is something I can try on it?? To access/change the MAC?? But there is no JTAG spot. I did solder in a header 2 years ago, but I tried to get it to detect and it won't. But it isn't a 2 sided 10 pin header, it is a 1 sided with 6 pins. Maybe I can use a 232 cable and hyperterm or telnet?? There is a spot on the board where 3 pins can be soldered in and it says "serial" beside them... I dunno, let me know what you guys think... I am willing to grab a programmer and try anything, and I would rather test theories on this older unit.. if possible that is.

Thanks again for all the replies and all the info you have given me so far.. I really didn't expect this much help, I REALLY appreciate it guys, thanks so much!!!!!!!!!!!
 
There's no guarantee that the JTAG debug port header is the same pinout!

I did see an automated JTAG port tool on the 'net somewhere. It tried all combinations of the signals until it got a response.
 
Yea, that's exactly what it's like on the SA modems I was talking about. I need to put an adapter onto the header and the jtag on the adapter, which makes the pin-out correct, and then it detects/reads/writes.... But the JTAG port tool sounds a lot better... Even if it doesn't work for this project, sounds like a good tool to have kicking around. I am going to search the net for some more info, thanks!
 
You could do it manually :).

A bit laborious but it's probably quicker.
 
Hey guys, I have been able to get some info from a friend. I have been told that they are lifting the BGA chips, then flashing new ones with a dump from a technician's "wide open test unit". Would this even be possible?? If so and he is telling the truth, I am wondering, would I be able to take that dump off of an already modded unit's BGA chip and use it on a new BGA chip and then replace the BGA I took out of the stock unit with the chip I have cloned from the modded unit.. and then be set??? Or, would I need to take some info from the stock BGA chip's dump, and then edit said info into the tech's dump to match my unit?? or??

Well anyways, I just wanted to share the info I had gotten with you guys, since you all have been helping me to try and figure this out (which I really appreciate). Anyways, would love to hear your thoughts on this, take care...
Thanks~!!
 
To contradict an earlier post, it is perfectly possible to remove the BGA without ANY damage to the surrounding components, including the hot glue that is 'a mile away'.
However, the equipment to do so is in the order of £10K. The BGA chips I deal with cost several hundred quid, and have to be removed and replaced, with NO damage to any other parts. The board costs thousands.... scrapping is not an option.
So first up, you need to find a top end electronics subcontract manufacturer that will remove/replace the BGA.
Then you have to get the equipment to program/reprogram your BGA. Assuming that is the correct route......
At a guess, I'd say the removal will cost $100CDN + and double for replacement.
The problem here is there is NO CAD data for accurate chip placement so it has to be done by X-ray.
 
I was thinking that heat conduction through the power and ground planes in the stack-up would have at least made that filament of glue sag a bit more in places.

It might have been replaced I suppose.
 
how are you making out with your quest thalungz?

Very interesting read.
 
Any news thalungz?
Your thread is the only interesting info about the 4250 I could find till now :)
 
Any news on this? I have a SA4250HD with Videotron in Quebec, Canada. Willing to help if you need pics of stock units... Let me know

@++
 
Wow, I just came across this old thread while I was AGAIN searching for 4250 info.. I decided to quit this project a few years ago, but now I am going to reattempt it, with the new skills and tools I have acquired over the past years.. I will post updates as I can. Right now all I have access to is a stock unit, modded unit, and a programmer. Still need an adaptor for the programmer. Does anybody have a link to a good online store that sells programmers?
 