Black Sunday Hack - Screw You Dave!
DO NOT DO THIS!! It Is A Repost Of A SCAM by DTV!
This page first contains the FAQ of what happened and then how to fix with hardware. I have been able to fix 22 out of 25 H-cards as of January 23, 2001, 8:00 PM PST. All cards demonstrated no valid ATR, and upon plugging into the receiver gave the message "Insert Valid Access Card". NOTE: This does not bring the fuses back to life - it disables the OTP PROM from being selected! I have three fixes to consider here depending on your situation:
Repair an ECM'd H Card without oscilloscope (takes a couple of attempts to get a card to work).
Repair an ECM'd H Card with an oscilloscope (for use by experts who plan to fix many).
Basically, there are six main kinds of modern solid-state memory. I'll quickly run through them all here, then focus on how RAM, ROM, and PROM work, and add some commentary on how this all relates to the "Black Sunday" ECM at the end of the list.
RAM (Random Access Memory)
This is the one we all know, love, and want more of to stuff into our computers. It comes in two flavors: Static and Dynamic. Static holds onto whatever value you set in it until the power goes off (and sometimes longer than that - then it's NVRAM) with no further effort needed. Dynamic needs to be refreshed periodically, or it "forgets" whatever was written into it. Static is a bit slower to get data into or out of, but requires less hardware. Dynamic is quicker to read and write, but requires "refresh" circuitry to keep it from developing amnesia. Any bit of any byte can be set to either 1 or 0 (although for convenience, almost all RAM modules are addressed as either an array of bytes consisting of 8 bits, or an array of words consisting of 16, 32, 64, or even 128 bits). Whether static or dynamic flavor, RAM is the fastest of all types of memory for write operations. It's also quite fast (but "straight" ROM is sometimes a smidgen faster) to read. H cards have 128 bytes of RAM built into the 8051 chip.
EAROM (Electrically Alterable Read Only Memory)
Can be thought of as ultra-slow-to-write RAM. Individual bits within a byte can be toggled to either 1 or 0 at will, but it takes (relatively speaking) forever. Also slow to read. Not (to my knowledge) used in H cards.
EEPROM (Electrically Erasable Programmable Read Only Memory)
Individual words (or bytes, depending on how it's arranged) can be erased to FF, then reprogrammed to the desired value by simply applying the right voltages to the right places for the right amount of time. Like EAROM, it can be considered ultra-slow RAM. This is the part of the H card that programmers operate on, and unloopers dump IMG files to. "Flash Memory" is something of a cross between RAM and EEPROM - it has the fast access of RAM, with (usually) the power-off data-retention capability of EEPROM. Bit-Rot usually isn't a problem in either EAROM or EEPROM, since most applications using either type "refresh" things often enough to keep it from being noticeable. (Bit-Rot is explained a bit more under EPROM.)
EPROM (Erasable Programmable Read Only Memory)
The entire contents of the chip can be erased (set back to all 1s) by exposing the silicon wafer to intense short-wave ultraviolet light, and then the chip can be reprogrammed using a special device. Not used in H cards. These are the chips you see with the little window in them (frequently covered by a sticker of some kind, to keep light out). Impossible to write without specialized circuitry (usually in a separate box, very rarely built into the device the EPROM is part of). Medium-fast to read. Subject to "Bit-Rot" - an unpredictable, long-term (on the order of 10-15 years) effect where some bits may "forget" what they're supposed to be if the device doesn't get reprogrammed occasionally.
PROM (Programmable Read Only Memory)
Cannot be reset. These are the true "write-once" memory chips. From the factory, a PROM memory module has every addressable bit set to the value "1", or "on". To program such a beast, you *usually* need a specialized, stand-alone programming device, but occasionally, the circuitry needed is included in the device that uses this type of memory. Programming is accomplished by setting some of the bits to "0" or "off" to give the patterns needed to make up a byte's value. Once any given bit has been set to 0, it will remain 0 forever. Theoretically, that is - "Bit-Rot" can come into play in PROM, just like EPROM. The 16 bytes from 8000-800F in the H card appear to be PROM. Usually decently fast to read, and (relatively speaking) slower than molasses in January to write.
ROM (Read Only Memory)
Cannot be written to at all, and cannot be erased/changed short of physical damage to the wafer that it was built on. Comes from the factory pre-programmed, and that's the way it stays, forever and ever, world without end, amen. Impossible to write, usually quite speedy to read, frequently rivalling RAM. Like PROM, may be subject to "Bit-Rot", but again, we're talking several years before it becomes a significant problem.
And now, a few words about the operation of RAM/ROM/PROM, and how they relate to the excrement that has impacted the air-moving device since the Black Sunday ECM came down from the bird.
A byte of RAM memory is a set of 8 cells that can each hold a one or a zero. Which cells have 1s in them determines the value of the byte when you read it. With RAM, you can change the values any time you like. You can think of that byte as 8 switches that can be turned on or off in different combinations to give you various values.
A byte of ROM is similar, in that it has 8 cells that can each hold a 1 or a 0. Unlike RAM, these 1s and 0s are fixed. Instead of the "switches" that RAM has, you can think of each bit-cell in a byte of ROM as having either a wire (for a 1) or no wire (for a zero). They can't be changed once made. The wire (or lack of one) is a permanent thing. (Subject to the limitations of "Bit-Rot", described above under the heading EPROM.)
A byte of PROM has characteristics of both RAM and ROM. Like RAM, you *CAN* write to it, under certain circumstances. Like ROM, once written, it's *FOREVER*. Think of a byte of PROM as being 8 microscopic fuses. When the chip is made, all the fuses are "good". If you could see it at the microscopic level, it would look something like this (each | is a fuse that isn't blown - it has the value "1"):
| | | | | | | |
and would have the value FF, or 255 in decimal.
Now, let's say you want the byte to have the value B7 (that's 183 in decimal, and in binary, 10110111). To write that value to it, you deliberately burn out two fuses in the byte, leaving it looking like this (| = unblown fuse = 1, : = blown fuse = 0):
| : | | : | | |
From that point, it is entirely possible to write to the byte again, but there's a catch. You can only "blow" more fuses. You can't "un-blow" fuses that are already blown. (That's where the "write-once" description comes into play.) This means that a number that needs one of the fuses that's already blown out is going to be impossible to write. (You can write it, but when you read it back, it isn't going to be the value you wrote.)
So why is this a problem?
Normally, byte 8000 of the H card holds the value 33 (in decimal, 51; in binary, 00110011) and the byte looks like this:
: : | | : : | |
But after being hit by DTV's Black Sunday ECM, the byte is set to 00 - it now looks like this:
: : : : : : : :
There are no fuses left to blow out. They're all gone. That means that forever and always, byte 8000 of your ECMed card is going to say "I'm holding the value 00" when asked.
Why does this loop the card?
VERY early after the card gets powered up and reset, the 8051 machine-language equivalent of this code executes:

In C:

    if (*(unsigned char *)0x8000 != 0x33)
        for (;;);   /* Loop until the power fails or we get a reset signal */

In BASIC:

    10 IF PEEK(&H8000) = 51 THEN GOTO 30: REM 51 is the decimal value of 33 hex
    20 GOTO 20: REM Loop until the plug is pulled or reset happens
    30 REM Keep on truckin'. All is well.
This check is in the card's ROM, so it can't be bypassed or changed. Reprogramming the card won't do anything useful, since the ROM doesn't even get looked at, let alone messed with, by programmers (or unloopers, for that matter), and even if it did, it wouldn't do anything useful, since ROM can't be changed (short of actually damaging it). The check can't be bypassed by something like the idea used in the 303 mod, since at the time the check gets done, the card hasn't even considered the idea of seeing if it's in an IRD or not.
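The fuse model and the boot check above, worked through as an added example (this is not code from the original page or from the card's ROM): a write can only clear bits, so once byte 8000 is 00 no write ever gets 33 back, and the check fails on every reset. The addresses and values (8000, 33, B7) are the page's; the function names are made up here.

```c
/* Added example, not code from the original page: a simulated fuse-style PROM byte
 * and the boot check described above, showing why byte 8000 can never read 33 again
 * once it has been burned to 00. Values 8000/33/B7 are the page's; names are mine. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXPECTED 0x33u  /* what a healthy card holds at byte 8000 */
/* Write-once: a write can only blow fuses (1 -> 0), so the cell becomes old AND new. */
uint8_t prom_write(uint8_t *cell, uint8_t value) {
    *cell &= value;
    return *cell;  /* what a read-back now yields */
}

/* 1 if writing `value` would read back as `value` (no fuse it needs is already blown). */
int prom_can_store(uint8_t cell, uint8_t value) {
    return (cell & value) == value;
}

/* The boot-ROM check: nonzero means the card sits in the endless loop. */
int card_loops(uint8_t byte8000) {
    return byte8000 != EXPECTED;
}

/* Page's notation, MSB first: '|' = intact fuse (1), ':' = blown (0). Static buffer. */
const char *fuse_diagram(uint8_t v) {
    static char out[16];
    char *p = out;
    for (int bit = 7; bit >= 0; bit--) {
        *p++ = ((v >> bit) & 1) ? '|' : ':';
        *p++ = bit ? ' ' : '\0';
    }
    return out;
}

/* Walk the page's scenario; returns the final contents of byte 8000. */
uint8_t black_sunday_scenario(void) {
    uint8_t b = 0xFF;          /* factory fresh: all eight fuses intact */
    prom_write(&b, EXPECTED);  /* manufacturer programs 33 */
    prom_write(&b, 0x00);      /* the ECM blows every remaining fuse */
    prom_write(&b, EXPECTED);  /* writing 33 back afterwards changes nothing */
    return b;
}

int main(void) {
    uint8_t b = black_sunday_scenario();
    printf("byte 8000 = %02X  %s  loops=%d\n", b, fuse_diagram(b), card_loops(b));
    return 0;
}
```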
So how can it be fixed?
The simple answer: I'm sorry to be the bearer of bad news, but the fact is, it can't. Congratulations. If you got hit, your H card is (at least for now) nothing but an expensive blue ice scraper. Life sucks. Thank Dave. It's only TV.
The more extended answer: If you've got the micro-tools to "rebuild" the blown fuses on the chip, you could go that route, but unless you're a chip manufacturer, or have access to that type of equipment somehow, you ain't got a prayer. We're talking about electron microscopes to see the little fuses, microscopic tools for accurately depositing single atoms onto the silicon wafer itself, etc. In other words, trying to do it is going to require way more money, knowledge, equipment, and effort than most any of us are capable of applying to the problem.
Mention has been made of a "boot loader" that *MIGHT* be able to get around the problem, but I'm not going to hold my breath on it. Effectively, it would have to be a sort of "mini-unlooper" that can automatically glitch past the check every time a reset happens (and a reset can happen at any time, for any reason, or for no reason at all), then allow the card to go back into normal operating mode. Even if such a device is created, the ATR strings I've seen reported on "Black Sunday" cards aren't "normal", so they may throw the IRD into fits. Only time will tell. Hang on, folks... It's likely to be a bumpy ride!
But what about the cards that Dave has fixed since the ECM??? Why can't we do the same thing?
This one refers to the sporadic reports coming in of cards that were "fixed" by making a call to Dave.
As of this moment, this writer believes that the "reset" cards suffered some less-drastic problem that was either totally unrelated to the ECM (simple coincidence that it happened when it did) or was a "Hmmm... I'm not sure this is *REALLY* a bogus card, but something is suspicious, so I'll knock it out just to be sure. But to be safe, I'll leave it so 'daddy' can fix it." action performed by the hit.
Tools required:
Sharp knife
Magnifying glass would help
Pin
After the OTP is disabled you may need an unlooper depending on whether you have screwed with GLITCH.
Step 1 > Access the die.
The H Card has a plastic film on the top. This is used to protect the die and adds durability. This cover is easily separated and peeled off with the use of a sharp knife. Start on an edge and carefully separate the thin transparent coating from the card as shown below:
Step 2 > With the coating removed, hold the H card to the light and mark where you can see the die. It is easy to find as the card looks "imprinted" there. Be sure to use a sharp knife at an angle and carefully cut the thin paper-like cover exposing the die. There are fine wires underneath so stay as close as you can to the edge. Do the top of the card first, then the sides. When you have the chip die exposed check carefully to ensure you haven't damaged any small wires.
You should be able to see a small die and a few wires leading to the contacts below.
I could not get a good picture of the die so I made this picture of the shape of the die for the next step.
Step 3 > Disable the gating logic.
As your card was ECM'd simply disabling the charge pump is not enough. The OTP enable gate must be removed which causes the original EEPROM to be present instead.
Using a very sharp knife carefully scratch the OTP enable circuitry. This should remove the enable connection and render the OTP non-selectable. The EEPROM will now be used instead. Make sure not to scratch too hard or you could crack the die :-( and don't scratch too far into the die as you want that happy circuitry! :-)
Step 4 > Cover the die by taping the flap back. Place the H Card in the programmer/unlooper and check for a valid ATR. If you get an ATR or anything other than "Reset Failed" then proceed to unloop the card. If your card returns no data to a reset then go back to step 3 and try again.
Good Luck!
Follow steps 1 & 2 above except use a DSO (Digital Storage Oscilloscope) to find the charge pump/OTP enable gate.
Step 3 > Finding the OTP or DSO.
Drill a hole in your programmer so you can expose the chip die when the card is inserted. Insert the card exposing the die and apply power. Probe with a pin on your probe in the OTP area until you find the signal:
(Sorry about the blur but I was holding the camera while holding the scope probe and having someone here click the mouse.)
Have your scope set up for 2V/div and 10uS/cm.
You will have found the OTP enable line when you see the signal above (you won't find much more activity inside as the card is in a continual loop doing virtually nothing).
When you find this signal push hard to break the gates involved in switching the OTP in place of the EEPROM.
You should now have an ATR on reset. Program/Unloop the card as needed.
This is VERY important for people who still have a valid H card and don't want to run an emulator. Dave can't kill your card if he can't write to the OTP!
Follow Steps #1 and 2 to gain access to the die. You can either try and blindly scratch off the charge pump logic:
or an easier way is to find the exact location and destroy the gate. The charge pump circuitry is easy to find as it gates 12V to the PROM VPP line (program). The signal you are looking for is shown below:
Simply push the pin attached to the scope probe into the die carefully until the 12V signal is gone.
I am working very hard with others to try and make this easier and hopefully tomorrow we will have a template you can print out and use on the die.
BE CAREFUL AND TAKE YOUR TIME - RUSHING COULD DESTROY YOUR CARD. MAKE SURE YOU PROTECT YOUR VALID H CARDS!
USE INFO AT OWN RISK! EMAIL IF YOU HAVE QUESTIONS!
This hack was brought to you by Inspector #12.