Thread: DTA800B hacking

  #1

    I removed the 512 Kbyte 8-pin flash chip from the convertor box and read the contents with SPIPGMW, sort of like one JTAG reads something using the parallel port of a PC. Have found that my older version of the box has an undocumented serial port (115.2 Kbaud 8N1) and a menu that comes up giving you options to start an audio tone and test pattern display and other test functions that are not of much interest, but one option lets you use the XModem protocol to send the box a binary file to execute. I've used that option to dump the flash and RAM using code lifted from the disassembly of the flash dump.

    Here is the code I used:
    FF 50 11 3C FF FF 31 26-FE FF 21 06 00 00 00 00
    C0 9F 10 3C 08 00 11 3C-00 00 04 92 40 B0 08 3C
    80 01 08 35 01 00 0A 24-18 00 09 81 24 48 2A 01
    FD FF 2A 15 00 00 00 00-1C 00 04 A1 01 00 10 26
    FF FF 31 26 F4 FF 21 06-00 00 00 00 FF FF 00 10
    00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
    Why, you might ask? I like playing with code; that is part of it. The Broadcom processor uses a MIPS core, so I'm playing with mipsl code generation. I'm thinking I could use the box to monitor RF--not a lot of free memory in the flash, but I might be able to leave it in a remote location for a week or two and have it capture info.

    Anyway, if you push power and ch+ at power up the box sends out a message that you should start an XModem download of a zlib binary--I'm pretty sure that that overwrites the flash with a new image decompressed from what you send it. There is an option in the serial menu to download a compressed file to RAM for execution, but I've tried every variation of zlib I can think of and it does not get the code running--not sure what is going on (there are compressed parts inside the flash that are zlib compressed with just an Adler32 sum at the end--no crc32 or size info at the end, and just a 2 byte header--the sizes for the chunks are hardcoded in the "boot" code.)
    Last edited by jvvh5897; 09-19-2014 at 07:03 PM.
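    The chunk layout described in the post above (2-byte zlib header, deflate body, Adler-32 trailer and nothing else) can be checked on a dump with the following Python. This is an added example, not the poster's code: it scans an image for zlib headers, inflates the raw deflate body, and verifies the trailing Adler-32, which is how a damaged or truncated chunk is told apart from a good one. The sample dump is constructed inline and is not taken from a DTA800B.

```python
import struct
import zlib

def is_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950 header: CM=8 (deflate), CINFO<=7, no preset dict, (CMF*256+FLG) % 31 == 0."""
    return ((cmf & 0x0F) == 8 and (cmf >> 4) <= 7
            and not (flg & 0x20) and ((cmf << 8) | flg) % 31 == 0)

def parse_zlib_stream(image: bytes, offset: int):
    """Inflate the raw deflate body behind the 2-byte header at `offset` and check the
    4-byte Adler-32 trailer (big-endian per RFC 1950, even on a little-endian MIPS).
    Returns a dict describing the stream, or None if no complete stream starts here."""
    d = zlib.decompressobj(wbits=-15)      # raw deflate: header/trailer are handled here
    try:
        data = d.decompress(image[offset + 2:])
    except zlib.error:
        return None
    if not d.eof:                          # image ended before the final deflate block
        return None
    body_end = len(image) - len(d.unused_data)
    if body_end + 4 > len(image):          # trailer itself is truncated
        return None
    (stored,) = struct.unpack(">I", image[body_end:body_end + 4])
    return {"offset": offset, "compressed_len": body_end + 4 - offset,
            "decompressed_len": len(data), "adler_ok": stored == zlib.adler32(data)}

def find_zlib_streams(image: bytes):
    """Scan a dump for complete zlib streams, skipping past each one found."""
    hits, pos = [], 0
    while pos + 6 <= len(image):
        info = parse_zlib_stream(image, pos) if is_zlib_header(image[pos], image[pos + 1]) else None
        if info:
            hits.append(info)
            pos += info["compressed_len"]
        else:
            pos += 1
    return hits

def build_sample_dump():
    """Constructed stand-in for a flash dump (not from a real box): filler bytes around
    two zlib streams. Returns the image and the offsets where the streams were placed."""
    a = zlib.compress(b"No Signal\0Captioning Service\0Audio Lang\0" * 8, 9)
    b = zlib.compress(bytes(range(256)) * 16, 6)
    return b"\xff" * 37 + a + b"\x00" * 16 + b + b"\xff" * 9, [37, 37 + len(a) + 16]

def corrupt_trailer(image: bytes, offset: int) -> bytes:
    """Flip the last Adler-32 byte of the stream at `offset` to simulate a damaged chunk."""
    end = offset + parse_zlib_stream(image, offset)["compressed_len"] - 1
    return image[:end] + bytes([image[end] ^ 0xFF]) + image[end + 1:]
```

    Run find_zlib_streams over a real dump to list each chunk's offset, compressed and decompressed sizes and whether its Adler-32 matches; a chunk whose sum fails is the first thing to suspect when a decompressed image will not run.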

  #2

    The serial port has a connector on the back wall of the box. There are 5 pins in a 2x3 pattern, all but the center two are grounds. The TX port is in center to the back, the RX line in center toward the middle of box. They are TTL-ish and you need a max232 chip or a pair of transistors to interface with PC. I use a pair of 2n3904 transistors with 10K on base and 2.2K pullup to 3.5 or so (3 to 6V seems ok). TX lines go through 10K to base, emitters are grounded and RX lines go to the collector/10K points.

  #3

    I figured out why the serial menu download of zlib compressed binary fails--there is an error in the code and I bet it was put there just to defeat the feature. I don't see a similar problem with the power and ch+ button download though, but I've figured out a way to test it in steps before I try it for real.

    I use Hyperterm to send Xmodem protocol to the box BTW and for the dumps I do I have a 15 second or so delay built into the code to let me close Hyperterm and start up RealTerm in capture mode.

  #4

    Ha! The silly box has a master password--not sure why though.

    So far I've used the spot where the master PIN is tested to go to my own code to use the Xmodem routine to download a file (compressed image of the box) and to unpack that file into RAM to see if it goes OK, and so far so good. Not quite ready to try to program a part of flash or erase anything but getting close to trying it.

    If I do wipe the flash, it is in a nice open part of the board, so I have that going for me.

    Have found the IF freq and TV channel freq in Hertz in the RAM. There is a table of ch frequencies in MHz in the flash (two bytes per ch entry). For digital tuners they use the center of the 6MHz band as the ch freq. Found a spot that uses the ch freq table to compute a setting so pretty sure that that is part of channel change routine.

    Most of the menu routine init and callback routines are located now, so I have a good idea of where to look for stuff, but some stuff is still a little vague.
    Last edited by jvvh5897; 09-21-2014 at 07:39 PM.

  #5

    I picked up a newer DTA800B that has no smart antenna connector on the back, has tuner passthrough and no internal AC power supply board, only an external wall wart. There is a similar 2 by 3 pin connector by the back wall and RX and TX are in the center w/ RX to the inside. Still 115.2K baud but the menu you get has a few things removed and a few added--seems flash upgrade is part of the new items on the list. Flash dump code worked well with this box as it did on the old (option 4, Xmodem transfer then Realterm to capture)--flash is from a different maker but still seems to be 512K byte. RAM dump worked as well--16 Mbyte.
    Code needed with the box is a little more than the old box I have, but the channel list is at 0x9fc7c000 as in the old box, so they fit everything needed in about the same space. Channel list is a little different than the old.
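    Added example, not code from the thread: locating the two-bytes-per-channel table of center frequencies mentioned in posts #4 and #5. It assumes u16 little-endian entries (the poster works with little-endian MIPS code) and that the dump starts at the MIPS boot base 0x9FC00000, which would put the 0x9fc7c000 address at dump offset 0x7C000; the sample image is constructed inline, not taken from a box.

```python
import struct

# Assumption (not from the thread): the dump begins at the MIPS boot ROM base 0x9FC00000
# (kseg0 alias of the 0xBFC00000 reset vector), so a kseg0 address maps to a dump offset
# by subtraction; the thread's 0x9fc7c000 would then be offset 0x7C000.
FLASH_BASE = 0x9FC00000

def flash_offset(kseg_addr: int) -> int:
    """Dump offset of a kseg0 flash address under the FLASH_BASE assumption."""
    return kseg_addr - FLASH_BASE

def atsc_center_mhz(ch: int) -> int:
    """Center of US broadcast channel `ch` (6 MHz wide): lower band edge + 3 MHz."""
    for lo, hi, edge in ((2, 4, 54), (5, 6, 76), (7, 13, 174), (14, 69, 470)):
        if lo <= ch <= hi:
            return edge + 6 * (ch - lo) + 3
    raise ValueError(f"no broadcast channel {ch}")

def find_channel_table(image: bytes, endian: str = "<", first_ch: int = 2, min_run: int = 12):
    """Find runs of u16 center frequencies (MHz) that start at `first_ch`; returns
    [(offset, last_channel_matched)] for runs of at least `min_run` consecutive entries.
    `endian` "<" = little-endian u16, assumed for a little-endian MIPS build."""
    fmt, hits = endian + "H", []
    for pos in range(len(image) - 1):
        ch = first_ch
        while ch <= 69 and pos + 2 * (ch - first_ch) + 2 <= len(image):
            (val,) = struct.unpack_from(fmt, image, pos + 2 * (ch - first_ch))
            if val != atsc_center_mhz(ch):
                break
            ch += 1
        if ch - first_ch >= min_run:
            hits.append((pos, ch - 1))
    return hits

def build_sample_dump(table_offset: int = 0x1C0, last_ch: int = 51) -> bytes:
    """Constructed stand-in for a flash dump (not from a real box): 0xFF filler, then a
    little-endian table for channels 2..last_ch, then a zero terminator and more filler."""
    table = b"".join(struct.pack("<H", atsc_center_mhz(c)) for c in range(2, last_ch + 1))
    return b"\xff" * table_offset + table + b"\x00\x00" + b"\xff" * 64
```

    The VHF entries (57, 63, 69, 79, 85, 177..213) are an unusual enough sequence that a match of a dozen entries is not a coincidence; try endian=">" if a dump gives no hit.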

  #6

    There is--at least one of the routines that I've looked at had a section that disabled a watchdog. But as far as I can tell the watchdog is just making the code switch between tasks and by-and-large that is not a problem for most of what I do. The routine where they disabled the watchdog was erasing and re-programming flash and I think they had to disable it there so that tasks that use code in flash did not try to access it when it was disabled. The download/data dump speed when no channel is active is about 14k char per second and when video is playing out on a channel that drops in half, so multitasking takes a bit of the processor's resources.

  #7

    Interestingly, it seems the box processor comes up with the NEC1 remote protocol as default; it tests for a specific remote button press about the same time as it tests for the front buttons pressed for going into the factory test screen--the NEC1 remote has to have 0xc066 as custom code (the 16 bits it sends with every button press)--I'm calling that remote the "factory remote". It is only later that the processor gets set for the RCA remote protocol (look for use of a 0xb4 sized table starting with the 0x0b 0x01 0x00 0x00 sequence). Once the protocol is set you only have to read a single register to get the code the remote sends--seems the processor does all the work of reading the pulse lengths and interpreting them as 0 or 1 by itself.

  #8

    Comparing the new RCA code to the older, there seem to be 3 more remotes supported in the IR section. Looking at the "normal" routine, besides the No signal, Captioning Service and Audio Lang selection, Power Saver messages there is code to do Mute and Volume--something you can't get with RCA remote. I'm thinking that there are other DTA800 clone boxes out there that have much the same hardware and use the same software (mostly) but have different remotes--might be interesting for someone to go looking for them. They might have more buttons on the front.

  #9

    It seems you can even do a primitive form of serial control of the box via the serial port. You hold down the front buttons as though getting into the factory screen, but do it after you plug in the box, not before. The box then starts up normally, but on the serial port it stops before giving you the console menu, and at that point you can type in numbers from 1 to 9 and they will go into the info OSD as though you pressed the keys on the remote. You can specify sub-channel in most cases, but you can get to the first channel (i.e. you can get 8-1 easily by just typing 8, but can't get to 8-2 this way).
    The code is just writing the number you send to a single register 0xb0102034, so you can write a little code and test other keys than the numbers that the above allows. I've found the ch up and down keys sent this way tend to keep cycling through the channels rather than move up or down a single ch. You can also get to the mute and volume up and down settings this way, but the volume up and down also keep going to one extreme or the other--still you can see that they do try to work and you do have that control in the code.

  #10

    An update to my project. I have the box changing channels every minute in an order set by an array and using timer ticks (200 per second). While on a channel I read the SNR every 4 seconds or so and test if it is the biggest or the least I've seen and save it to a spot based on which it is. Just before changing channels I save the Hi and Lo SNR to their own 4K block of RAM based on the channel--I figure a 4K block will give me 2 weeks of storage (lots more RAM free, but I think I might try to save to flash and it has 4K blocks).

    For folks that don't own RCA DTA800B boxes, you might be interested in the hacking going on with Zenith DTT900 or 901 boxes. Seems the box has the same processor as in a DigitalStream box used in a project at
    http://www.devttys0.com/2012/08/reverse-engineering-a-dtv-converter/

  #11

    I have done a successful flash replacement in the DTA800B. I now have an mx25l3206 where the mx25l4005 was. Still have to write to the 4meg chip and not mess up the rest of the 512k space that the old chip used, but I think I am close.

  #12

    It turns out that the code loads 3 fonts early in the startup of the box--they are small, med and large fonts for the menu system, 0xfa entries with a mix of chars for French and Spanish menu items. Just a little later they load 12 more fonts with 0x107 entries in each for the captioning system. I think that one of these fonts will be the space I take over for code mods and to get the compressed part of the user interface to compress down to something smaller, to be sure it fits in the old space after mods--they are about 0x3000 bytes per font and missing one will not matter much--just map one of the others in to keep the code happy (I tried that with the small and large font set for the menu system and the code was happy--the menu did not even look much diff (though if I put the large font in place of the medium it made for a very messed up menu)).
