Unity 4000 Mpeg2 IRD

Status
Please reply by conversation.

tester239

SatelliteGuys Family
Original poster
Sep 27, 2008
I've seen various lots of Wegener Communications' Unity 4000 IRDs on eBay. The cheap ones all seem to be branded for FX/Fox/Fox Sports.. I bought one of these a little while back because it was quite cheap and thought it would be fun to play with a commercial receiver.

I found out after getting the box that it has custom settings on it that lock out the end user from changing any of the useful settings and using it for FTA type reception. Control was only enabled via the Compel network stream :(

I decided to open it up and see what was going on inside and see if there was a way to do some sort of factory reset. I gave up, and contacted Wegener to see what to do.. they said it was going to cost $400 bucks for them to reload the system with proper settings and be useful to me again.

This was unacceptable to me.. and being the reverse engineering kinda guy that I am, decided to take it upon myself to make my purchase useful, instead of an over-sized paperweight. Inside the box the only easily removable IC was a 24c16 serial EEPROM. This bugger looked like the cheese, especially since it had a sticker with the serial number of the box taped over it. I theorized this guy was holding the settings for everything as well as locking me out of the controls.

At this point I'd like to say that this has NOTHING to do with the theft of Fox and/or subsidiary programming! I was merely looking for a way to change the LNB LO, down freq, etc to my heart's content.

I would like to continue my story and include technical data on how to do this yourself -- but am unsure if it is allowed on this forum. Admins/Moderators, your input on the matter?
 
Hmmm interesting.. still might be considered as tampering IMHO.
 
At this point I'd like to say that this has NOTHING to do with the theft of Fox and/or subsidiary programming! I was merely looking for a way to change the LNB LO, down freq, etc to my heart's content.

As long as you aren't trying to override the scrambling, knock yourself out. We always like different receivers on here :)
 
Please do continue, as I have six of these (the 4:2:2 versions, decoders only). These are not branded for reception of FOX, or any other network. As my boxes are only decoders, and accept only an ASI input (they do not have LNB inputs), I imagine that they may be usable as-is. Most of the locked-out settings you describe seem to be associated with control of a receiver and not a decoder. I need to test them one day, using the ASI output from my Digitrans DTE-7150TA or my DTE-7100. It's another project I haven't gotten around to yet :rolleyes: ...
 
Alright. I'll gather the information I've been able to collect/determine and make a how-to sort of thing and post it here in a few days. I still have to finish up moving, and of course, big dish setup :)

Since my box was locked when I got it I was never able to properly test it.. It always had an "overheating" alarm, and with the help of a working receiver, I was able to determine why. After I fix that issue I'll start digging deep on the rom dumps and try to: 1) Change the serial number to match my box (Right now I can only clone a box, issues with firmware checksum prevent it). 2) Change the Secure Micro ID in the firmware so you don't have to remove the security chip in order to use the box (Not that this matters to me personally seeing how I won't be needing to use Compel, but others in the commercial sector might want this). And 3) Hopefully map out the entire eeprom and how to set certain settings and burn your own, or create roms from scratch if you lose or damage your EEPROM. The EEPROM appears to contain no code, just settings, so HOPEFULLY this will prevent Wegener from getting all DMCA on me. The technical details will be posted on my own webserver so if complaints arise they will go directly to me and not this forum.
 
Well, I've fixed my unit's "overheating" issue.. Turns out the 12v regulator in the supply had died.. that and I found a charred cap on the back side of the mainboard. After removing the cap and replacing the regulator the overheating alarm goes away.. but I'm not sure what caused it to die in the first place, or whether or not my unit even works properly because it's been locked down ever since I purchased it. More testing is needed.. I'm still going over the rom dumps, if you'd like to look at them yourself, let me know.
 
I have successfully been able to unlock the box and copy over my Secure Micro ID (burned into the 68hc11 series mcu), and keep my original serial number. I'll keep going over the firmware in my free time over the next few days to fully map it out and compile a website with all of the data. This will include a how-to for allowing local control of your box. Instructions on how to make a serial eeprom reader/writer for a few pennies will also be included as well as any other neat info I've discovered in my poking and prodding.
 
Alright folks, I've run into a bit of a wall.. Since I got the box in a locked state, I wasn't able to use/test it properly after receiving it. Now that it's unlocked and configured and hooked up to a dish/LNB, it won't find a carrier. Has anybody had any experience configuring such a box and getting one to work I.E. get a carrier lock and get an MPEG stream? I've been mulling over the manual but I can't figure what's wrong. The tuner and supporting chipset all are gettin' warm too :P

There was a problem with the power supply when I got it.. and I'm wondering if something else died with it? If I can't get this bad boy to work, I may scrap the project and just release the firmware info that I currently have. Also, there's always the possibility that my firmware hacking has caused it to not work in some way.. and I just want to rule out my configuration of the box before I go poking at the firmware again. Any help is appreciated!
 
I decided to go back and take a look at my receiver again. Turns out whatever signal I was feeding it for testing before wasn't appropriate for the unit. Not sure what I was doing wrong in the past, and I've moved and set up shop again since then. I have been able to unlock the unit to allow regular MPEG2 stream decoding and output.

On a whim, I decided to give it another shot today and after updating the settings to a current transponder, it immediately locked and worked! In the coming days I'll post what changes are necessary to the config EEPROM to release a network-control-only receiver (the ones branded for FX/Fox Sports, etc).

I'm going to do some simple testing on an available Compel stream before I release any information to make sure this does not somehow enable theft of service. If this hack passes that test, I will release everything I know (firmware map).

Stay tuned..
 
Had some issues with the big dish.. namely, my 15 year old actuator arm seized up. I was able to put another used one I had laying around into service for the time being but I'm going to ultimately need to buy a new one.

Anyway, I got my box locked onto a Compel stream on G17 and it immediately said it was "not authorized." and gave me its own style of "blue screen of death." This did not cripple my receiver or attempt to put it back under network control. I'll be pulling out the EEPROM and checking what, if anything, was changed for my notes.

There is still the potential of using what I put forth for malicious purposes, but that's only if Wegener has a bug in the firmware for the 68711 processor (I.E., a malformed piece of data inserted into the EEPROM causing an overflow allowing code execution. EVEN THEN, the decryption is done on a custom logic chip, that you'd need to read (but can't)) However, I feel that the information that I have figured out is by no means enough to do anything illegal.

Here's the gist of what is required, a full writeup is forthcoming. It's ridiculously simple. All you need to do is remove a socketed serial eeprom from the mainboard and blow away all the configuration information on it with the exception of the first ~10 bytes, which contain a unique ID, serial #, and checksum. The receiver can then rebuild any configuration information on its own, or you can also write it to the eeprom yourself to save time pressing buttons on the front panel.

I'll provide a simple circuit that uses a PC serial port, 2 zener diodes, some resistors, and a power supply to read/write to most any serial eeprom. I will also give a what's-what listing as to where parameters are stored, and how to manipulate them to change settings.

If you have a locked down Unity 4000, don't throw it away...

I have a busy weekend ahead of me and hope to have this information neatly formatted on a website sometime next week. If you already have a serial eeprom reader or know how to make one, feel free to take yours out and dump the config, MAKE A BACKUP, and play around.
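
The before/after comparison of EEPROM dumps mentioned in the post above (checking what, if anything, changed after the unit saw a Compel stream), as an added example that is not part of the original thread or the poster's tooling. It assumes raw 2048-byte 24C16 images; `HEADER_LEN = 10` is an assumption taken from the post's "first ~10 bytes", and the sample data is constructed.

```python
from dataclasses import dataclass

EEPROM_SIZE = 2048   # 24C16: 16 Kbit = 2048 bytes
PAGE_SIZE = 16       # 24C16 page-write size
HEADER_LEN = 10      # assumption: the post only says "first ~10 bytes" (ID, serial, checksum)

@dataclass
class Run:
    """One contiguous range of bytes that differs between the two dumps."""
    start: int
    before: bytes
    after: bytes

    @property
    def pages(self):
        # 16-byte write pages covered by this run
        first = self.start // PAGE_SIZE
        last = (self.start + len(self.before) - 1) // PAGE_SIZE
        return list(range(first, last + 1))

    @property
    def touches_header(self):
        # True if the change reaches into the ID/serial/checksum region
        return self.start < HEADER_LEN

def diff_dumps(before: bytes, after: bytes) -> list[Run]:
    """Return every changed byte range between two full 24C16 images."""
    for name, img in (("before", before), ("after", after)):
        if len(img) != EEPROM_SIZE:
            raise ValueError(f"{name} dump is {len(img)} bytes, expected {EEPROM_SIZE}")
    runs, start = [], None
    for i in range(EEPROM_SIZE + 1):          # one extra step closes a run at the end
        changed = i < EEPROM_SIZE and before[i] != after[i]
        if changed and start is None:
            start = i
        elif not changed and start is not None:
            runs.append(Run(start, before[start:i], after[start:i]))
            start = None
    return runs

def sample_dumps():
    """Constructed images: a made-up header plus two made-up changes."""
    before = bytearray(EEPROM_SIZE)
    before[0:HEADER_LEN] = bytes(range(1, HEADER_LEN + 1))
    after = bytearray(before)
    after[0x40:0x44] = b"\xde\xad\xbe\xef"
    after[0x1FE:0x202] = b"\x01\x02\x03\x04"  # crosses a page boundary
    return bytes(before), bytes(after)

if __name__ == "__main__":
    for r in diff_dumps(*sample_dumps()):
        print(f"0x{r.start:03x} pages={r.pages} header={r.touches_header} "
              f"{r.before.hex()} -> {r.after.hex()}")
```
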
 
I got a programmer on-line and fooled around a bit. I can change a lot of the parameters, but as soon as the unit locks into any signal, I lose all control again... I can program the receiver to look for any particular signals, but I haven't been able to figure out how to get it to leave me the controls...
 
Again, all I did to get it to play nice was to zero everything out except the beginning of the EEPROM. The information I was supposed to post a while back is here:

http://people.oregonstate.edu/~akeym/unity4k/

I never finished the page, but it gives some insight as to what's going on, as well as some sample EEPROM dumps.
 