Digibox hacking - Serial Messages
This information pertains
to the Pace BSkyB 2500B.
For other receivers, your
mileage/success may vary.
The serial port
I made a discovery the other day. The serial port on the back of the receiver has a purpose!
I have tried connecting a null modem cable to the receiver, and nothing seemed to work, except the Digibox socket was "back to front". I put this down to not wanting exposed pins on the back of the box.
Well, I decided instead to shove in a modem lead. Wired straight through and not crossed over. I fired up HyperTerminal (I know, I know, not exactly 'ideal') and saw random junk appear in the display. So the next thing I decided to try was different serial protocols.
Eventually the Digibox and I settled on 57600bps, 8, N, 1, hardware flow control.
Status data codes
Here are the results of pressing various things on the remote controller. Note that there may well be embedded codes that HyperTerminal has not shown or has stripped. Nulls, that sort of thing.
The keypress responses:
| Yellow | |
016SYIC01180803b |
| then | |
014SYIC009--ca when "back up" to cancel. |
|
| help | |
016SYIC01180803b |
| then | |
014SYIC009--ca when "back up" to cancel (as above, you'll notice the codes are the same). |
|
| Number keys, first press only: |
| 1 | |
015CE000101--a4 |
| 2 | |
015CE000102--a5 |
| 3 | |
015CE000103--a6 |
| 4 | |
015CE000104--a7 |
| 5 | |
015CE000105--a8 |
| 6 | |
015CE000106--a9 |
| 7 | |
015CE000107--aa |
| 8 | |
015CE000108--ab |
| 9 | |
015CE000109--ac |
| 0 | |
016CE00011x---21 (the 'x' is ASCII 127) |
| This is modified as: |
| 1 | |
(1st press)
(2nd press)
(3rd press) |
|
015CE000101--a4
015CE0001011-a8
041CE00010111 followed by time information |
|
| | | As you can see, the dashes are replaced with the three digits of the channel number as you enter it.
Most likely the weird code for the '0' is because this kicks in the four-digit radio channel. I only though of this as I wrote this document, so I'll need to play around with it later on...
If you press 'back up' while changing channels, it will resubmit the previous keypress information.
|
Going to channel "
118" (
ITV2) reports: (
the odd spacing is due to justification)
015CE000101--a4
015CE0001011-a8
041CE00010118SSDT02610.44pm Sat 24 Jun 97
252SSCN010118SSCA011ITV2SSDT02610.44pm Sat 24 Jun SST001410.25pmSSN0021åSupernaturalçSSE0165Pilot: Science-fiction drama series. Sam and Dean go in search of their father in a little town called Jericho, where unmarried men disappear without a trace.9b
Every so often, this information is resent, with a new time and the "
.9b" would be "
.9c" and "
.9d" etc.
I presume the '97' is some sort of status, and not as in
1997!
Going to channel "
123" (
Player) with
no card inserted reports: (
the odd spacing is due to justification)
015CE000101--a4
015CE0001012-a9
041CE00010123SSDT02610.48pm Sat 24 Jun 97
074PUSP069Audio Unavailable Please check your digital satellite receivere3
074PUSP069Audio Unavailable Please check your digital satellite receivere3
(etc)
It is interesting that the problem report is that there is no audio being received, instead of the actual reason - the required card is not inserted.
Pressing "
red" or "
text" on
BBC1 reports:
014SYIC009--ca
047SYIA0081SYD1034Press Sky For Channel Audiof2
#INTPRT[RUNNING] exited, status:0x1
#INTPRT[CLEANING_UP] init
#INTPRT[LOADING] in progress
#INTPRT[LOADING] module
#INTPRT[RUNNING] running:0xffffffff
No further status. Entering the full interactive service shows no further prompts, including when changing channel.
Exiting the service reports: (
the odd spacing is due to justification)
#INTPRT[RUNNING] exited, status:0x1
#INTPRT[CLEANING_UP] init
#INTPRT[RUNNING] running:0x2
013SYIA00809c
167SSCN010984SSCA018BBC 1 SouthSSDT02610.56pm Sat 24 JunSST001410.43pmSSN0017åBBC NewsçSSE0077National and international news from the BBC. [S] Followed by Weather.8b
The same thing happens for "
red" button presses on
ITV1.
For "
text" button presses on
ITV1, we see:
014SYIC009--ca
047SYIA0081SYD1034Press Sky For Channel Audiof2
#INTPRT[RUNNING] exited, status:0x1
#INTPRT[CLEANING_UP] init
#INTPRT[LOADING] in progress
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] module
#INTPRT[LOADING] code module
#INTPRT[RUNNING] running:0xffffffff
Leaving
ITV teletext behaves as for leaving
BBCi.
Pressing "tv guide", "box office", "services", or "interactive":
014SYIC009--ca
047SYFS0081SYD1034Press Sky For Channel Audio01
There is no report on things done in menus. When leaving:
013SYFS0080ab
When setting box into standby:
014SYIC009--ca
013SYST0081ba
When taking box out of standby:
013SYST0080b9
And sending data back? [the bad news]
There is a tool called
Digidebug (known as
Libby in the incarnation leaked into 'the wild') which is apparently able to provide full control of a Pace Digibox (and cable boxes too).
But it is no good to you.
Here's why: When the box starts, it looks for a specific communication between itself and the attached computer. If this communication is correct, the box will enter a small command processor which only deals with the
Digidebug commands. It is intended as a utility to be used on the production line to rapidly run through the functions to ensure the box works correctly.
If the box starts without the specific communication, it will start up the EPG software, the normal interface that we see and use daily. The thing is, the EPG software incorporates
no form of remote command processing. It is simply not possible to instruct the box to change channels via a serial link when it is running in the EPG. About the best we could hope for is freaky modulation of the iRDA port to try to fake the remote controller!
As for the information that I discovered - it has been suggested to me that it may be there for a Nielsen recorder - the gadget that notes what you are watching and when in order to build audience profiles. I think there are a (few?) hundred of these in use around the country, and audience viewing figures are based upon an extrapolation of this data. The TV companies do not actually know that 9 million people watch ClassicFM TV, they instead know that - of their known sampling - such-and-such many watch the channel on a regular basis. And from that they expand the data subset to generally cover the viewing of the entire country.
It may be that the additional information is stuck in there so the data recorder can track things such as:
- Do you watch the programme from beginning to end?
- Do you channel hop? (hence data on button presses)
- Do you often consult interactive/videotext services?
- Were any of your programmes auto-view?
These sorts of things would help to give a clearer picture of the viewing habits of their mini-demographic, which will then be extrapolated to cover the nation at large.
So, if you have a Pace receiver, you should be able to control it, but not as-is. The data that I have found is more for status and statistics than anything else.
Shame.
PSMD (v0.05)
PSMD is a program that I have written to display the status messages, decoded, on-screen. When it starts, you are asked to choose COM1: or COM2: (unless you only have COM1: in which case it'll be used automatically). Then the main screen appears. This is divided into three boxes.
The upper box shows the 'raw' data received from the digital receiver. The middle box shows information on the current channel and programme. The lower box shows status messages.
The latest version is v0.05, dated 2006/07/03.
This software is a 16 bit MS-DOS program and it should work on anything from MS-DOS 3.3 on a 1Mb 80286 upwards. Note, however, that it assumes the ability to directly poke the serial port and interrupt mask, therefore it may fail to work on Windows NT, Windows XP, etc.
It will work fine in a DOS window within Windows98SE - it is doing so as I type this!
Plain MS-DOS, perhaps PC-DOS, Windows 3 (any version), Windows 95, Windows 98(SE), and Windows ME should all work fine.
The recommended version is the self-install, but it will need Windows 95 or later:
If you wish to run PSMD on an earlier platform, download the zip archive:
You can also read the version notes to see what has changed:
Let's face it, I'm unlikely to make further additions to this software, and an insider has confirmed that Digibox communications don't work at the same time as the normal EPG interface. Therefore, I have decided to release the code in case anybody would like to play with it.
The source is written in C. Also included are the project files. This software compiles with TurboC++ version 1.0 which you will find for free download somewhere on Borland's website (look for 'museum' or something like that).
Please note that I do not wish for this software (or source, or modified versions) to be (re)distributed.
Therefore I grant you the right to download this software/source gratuit and install it as you wish (executable: full details shown during install or in the psdm.txt file, source: in the source itself or the readme.txt file); however you do not have the right to (re)distribute this software, for whatever reason (modified from source - ask for permission first).
Return the Digibox index
Copyright © 2006 Richard Murray
