Hey guys I know this may have been asked before why cant we jtag the nfhd and find out somehow to make a ps bin? if we can make a router work or noi (since we faked the suns server) I think jtag route would help? Jvvh am I right? I have jtagged 301s and pansat 2500 and 2700 to revive them. anyone's input to the idea of jtagging nfhd to make a ps bin please post a response THX

Godd idea

I remember Using the Jvvh to Jtad, and the jtag file had the new bin already in the program.

BUT the problem with your idea, is nobody's making any money.
Selling new boxes is funding productivity, not writing new bins for old boxes.

Good luck though.

you still need the source code what was never released
so you need to know what your looking at

Not sure if it is rumor or true, but back around 2008 or so I recall reading that boxes were required by FCC to not have jtag functional--the processor still has or had a jtag feature but the pins for it were not taken out to connectors.

Jtag is not on many newer processors. Or the testing method is not one you can do with the standard jtag programs (ICE was used on some conexant processors). The ST Micro line like the sti5518 was jtagable in a way that was great for experimenters because of the reverse engineering or public release of codes required to do features. If a processor's private command set for jtag is not known, you have very limited ability to jtag it--basically all that is public in many cases is how to get the ID code of the processor.

Because of limited jtag features, the way to experiment with code is to disassemble the code and figure out how to use the serial port (if any) to dump data. You can dump conexant ARM based boxes, it has been done on MIPS core boxes, and I bet you can do it with ST Micro's newer C1 core boxes too (you see a few of them in HD boxes). Having some sample source code for a similar box helps a lot as reference for disassembly--so first thing to do is figure out what processor is used in your box and see if there is a source code example for a similar box. Helps if you look up data sheets for the chips in the box if you can find some. Listen in on the serial port for any output that will help you find serial send routines. I like to look up the remote codes for the box's remote as a starting point in figuring out things too--so visit jp1 and lirc sites to see if there is a file for the box's remote. You can also use Audacity or other sound recorder with a photo detector on the mike or aux input to "see" the remote send IR data and try to decode it for yourself too.

useful information thanks for you responses now isn't nfusion hd made by AMT? here is a website of something to do with them hxxp://www.satcruiser.com/down_load_satcruiser.htm and hxxp://satcruiser.com/shop/home.php and hxxp://www.skyfiles.net/ and hxxp://--/forums/showthread.php?t=109567&page=14 hxxp://--/forum/nfusion-reciever-help-files/24607-reviving-nf-hd.html

plus theres a jtag zip download on the left hand side scroll down a bit hxxp://www.skyfiles.net/skyfiles_download_Star9000-R3X.htm also nf hd part hxxp://www.skyfiles.net/skyfiles_download_nfusion_hd.htm

heres some jtag nf tools hxxp://--/forum/other-nfusion-files/13745-nfusion-jtag-repair-kit.html

another website hxxp://www.usbjtag.com/vbforum/archive/index.php?t-5176.html

I found this

CPU :
ST
STi7101BWC
C2L VQ751XPW
220CS VQ
MLT22813

Boot memory chip :
EON
EN29LV320AT-70TCP
172B29B
0812TDA

It has a 10 pin header at J402 on the mother board . Here's the Data sheet on the EN29LV320AT-70...big so here's a link

hxxp://www.datasheetdir.com/EN29LV320AT-70TCP+download

Here's the data sheet so far what I could find on the STi7101

hxxp://pdf1.alldatasheet.com/datasheet-pdf/view/244194/STMICROELECTRONICS/STI7101.html

also hxxp://--/forum/other-nfusion-files/25810-nfusion-bin-editer.html also theres checksum info here hxxp://--/forum/other-nfusion-files/29015-nois-hd-server-file.html

nice project
also nice of you to break site rules
satfix over there comes up xxxxxx
but here pros swills to to the top..lol

not a problem if my posts need to be changed mods please change it thanks

Well, what I got out of that is:
CPU :
ST
STi7101BWC

That is a C1 core chip and IDA can disassemble the code pretty well. I've been able to jtag out the flash contents of a C1 based box (Channel Master digital converter box for OTA) with the old jtag code "jtagger" (I think was the name on the source code--I used lcc-win32 to compile and had to use a parallel port control program to let the code run on my PC with W2k), but if I remember right jkeys would not do it. Some ST toolsets have some C1 info, some 71xx register set info--worth looking into anyway--try something around 2.1.2 or higher toolset version, but any will compile some C1 code for you if you know what to do. If the maggie source code is still floating around the web somewhere you might want to download it as example code (maggie == MagnumView I think)

and this can lead to finally making a ps bin? is there light at the end of the tunnel Jvvh?

I found another link hxxp://9700.com.ua/cs/pages/97xx-series/protek-9750hd.php

Don't own the box, don't know what your box can do and what it can't, haven't done any research on it--don't know. I suspect if you want to get it done, you can do it--how long that might take and what you end up doing--don't know.

Oh the program that I used on CM DTV box was "jtagp". I think the problem that jkeys had was because the chip was DCU3 and not DCU2.

can we start to do something I only own the nf hd I don't have any software or hardware to start this mission lol can someone other than me or jvvh help?

for kbox hd there was talk about freesat conversion and ilink 9500 hd? so is protek 9750 same as nf hd?

Turns out I did take apart nf hd file awhile ago--long enough that I recalled none of it. Turns out the ST chip is one that uses SH4 code rather than C1, but Ida can disassemble it and I did find a few routines looking through the code. I'm busy with a project for something that I own, so you are on your own for this project (bit bored with IKS mods anyway).


file header says is A3X mainsw offset 0x300 for 0x29e46e
I get file un-packed at 0x5b6ca9 bytes. deflate finds compressed data starting at 0x322

Found strings in unpacked file:
D:\Develop\source\STB\STBSrc\driver\st7100\src\sto s\os21/os21semaphore.c
NF HD BOX
MB411 development board
@319720 ECM Data
@2AE0F0 Main menu strings (0x848AF0FC -- pointer to that location found in table at 4148BC ==0x84A158BC goes to about 415470 but other pointers around there too-- say to 417C90)
@318E30 Security IC
@276530 NagraVision S.A. --odds are this is used by IDEA step of ecm decrypt but another at 2E7820 (part of card dump) and 2EC040
"i:%s / n:%s / p:%s / Emul:%s / S.U.N.S. %s"

8467CB20 "Front_ProcTask"
tuner chip STV0903 (demod chip) and STV6110 (PLL) (note sv8k uses stv6110 but ZL10312 demod I think)
-------------------------------------------------
Processor and development board are the same as used in sonicview 8000 box.

Info found says that the code is SH4 Hitachi core type.
RAM start location of unpacked data (from header) 0x84601000

use IDC to search for byte sequence E6 2F 22 4F for routine starts.
Last hit around 274F50 (0x84875F50) so take that as end of code. First hit around 001C70 (0x84602C70)

possible other search term for routine start 86 2F 96 2F
Hum...seems the routine start addrs are often seen as data in routines--maybe IDC should search for word alligned addresses between StartAddr and EndAddr!
---YES---Lots better disassembly!
----------------------------------------------------
8462AD20 ; IDEA
8462B060 ; ecm handling?--uses RSA key
routine that calls the last uses:
ROM:84618440 word_84618440: .data.w h'1816 ; DATA XREF: ROM:84618390r
ROM:84618442 word_84618442: .data.w h'1815 ; DATA XREF: ROM:8461839Er
routine start:ROM:84617CB0 mov.l r14, @-r15
84618640 ; 1801 prov handling?

846D5D40 ; pes_monitor_task
846D5C60 ; Sfilter_monitor
846C0AE0 ; Month/Day string use
8486C2AC ; display message?
84680700 ; connect/disconnect SUNS
846D0B80 ; call to SUNS connect/disconnect

8486D0EC ; Vfprintf
84869278 ; uses vfprintf
8483BE04 ; detect usb format type
848323B8 ; usb setup?
8468A3C0 ; write .TS file?
84684180 ; get data from Http123_108
8486A994 ; debug message?

ROM:8468426A mov.l @(h'11C,pc), r5 ; [84684388] = aConnectionKeep
ROM:8468426C mov #h'19, r6
ROM:8468426E mov r0, r4
ROM:84684270 jsr @r12 ; sub_8486A994 ; debug message


8467CB20 "Front_ProcTask"
846D4960 ; ?Task install?
84680DA0 ; "Monitorig_ProcTask"
846DB1C0 ; Osd_copytask

846D4A60 ; queue intall
84602A40 ; Ptciidlinktask
8460A7C0 ; install a number of tasks and queue
84681DE0 ; Init
84681FC0 ; Booting main
84622080 ; call to task install
8462CD80 ; install Sc_command_task
8462CE60 ; sc_command_task
8466EFA0 ; ECM/CAS/EMM data handling?
8486B4C8 ; load to serial TX buffer?--used by "Booting...." message @84681FD0
8468DB80 ; Find flash (NAND)
846ACF00 ; Find tuner
846D56A0 ; call to serial write? maybe i2c debug write

8485EBFC ; serial write?
846E7760 ; defeated debug write?--used by HDMI,AUD and VID
846CA7C0 ; HTTP auth basic/admin--main menu?--it goes on
846DA480 ; boot/main init
84680000 ; "remote control on"
8467C1A0 ; front LED display (part of "Monitorin)
84680B80 ; install "Monitorig_ProcTask"g_ProcTask"


----------------------------------
Note the nfhd25 file is bigger than the 27 by C48C bytes overall.
2764e8-267360 = F188 diff at ~end of code. Still 25 bigger than 27.



That what I had in my notes file. Best of luck.

jvvh do you think it is possible to make a ps bin? what you disassembled is it doable? I would like to help but I don't own a pc with com port or serial cable

jvvh do you think it is possible to make a ps bin? what you disassembled is it doable? I would like to help but I don't own a pc with com port or serial cable

You could get a USB to serial adapter and null modem cables (serial cables) are cheap or easy to make.

If HD Nfusion has been collecting dust would this work instead of NOI?

If HD Nfusion has been collecting dust would this work instead of NOI?

I know people who have personally Tested this and it works Great with a Modded Netgear Router but most use Linksys WRT54G/GL/GS

Read on.

This is a dd-wrt based router bin which will connect to your server and work with all Nfusion HD and SD boxes using the last Nfusion bins.

A tutorial is included to so everyone will understand how to apply it.

This was designed to be used with the linksys wrt54g routers ( But you can use some Netgears ), linksys wrt54g routers versions 1-8, but may work with other broadcom based routers. It is recommended you just buy a used wrt54g as they seem to be selling for $10 to $15.

This is the real deal, the Nfusion breakthrough everyone has been waiting for

Yea you can run from Router.... read and look at pics

DD-WR-Goo2 Tutorial
The purpose of this tutorial is to help with the install of dd-wr-goo2 bin on your broadcom based router. The dd-wr-goo2 bin is in reality a dd-wrt micro bin to which has been added an Nfusion client. After installing and configuring this bin, you will be able to connect to your iks server with any of the last Nfusion bins with any SD box, and Nfusion bins r25 and r27 for the HD box. Those using this client are reporting a rock solid connection equal to the original server for these boxes.
The first step is to go to the dd-wrt website; xxx.ddwrt.com
Find your router on the ddwrt site, and save the loading instructions. Some routers require a prep bin be loaded first. If so for your router, download and save the correct prep bin. If the instructions require you use tftp to load bins to your router, you can download that also at the ddwrt site.
The bin was originally designed to be used with the linksys wrt54g routers. If you need one of these routers, they are selling for cheap on ebay and craig's list. If you have another router you would like to use for this, first verify on the ddwrt site that it has a broadcom chipset. Next verify that it can be flashed with the BrainSlayer-V24-preSP2 05-27-2013-r21676 dd-wrt.v24_micro_generic.bin. This was the bin that was the basis for the dd-wr-goo2 bin, so if this bin can be used with your router, you should be ok. However it would be best to just buy a used wrt54g for $10 or so.
The next step is to flash your router with the dd-wr-goo2 bin. Just follow the instructions for your router you previously saved.
As always, flash at your own risk!!!
The next step is to configure the server(s). Open a browser window and type 192.168.1.1 in the address bar and hit enter. That will take you to the ddwrt user panel. You will be asked to enter a user name and password that you will use everytime you log in to your router. Go ahead and do that now.
If you are ok with the 192.168.1.1 address for the router, you can skip the next step. If your
modem is on the "1" subnet, you will have to change the address of your router to something
like 192.168.0.1 or 192.168.2.1 . This can changed in your router panel by going to Setup/Basic
Setup/Local IP Address and editing it. See pic below;

http://i62.tinypic.com/dc54c6.jpg



http://i60.tinypic.com/34t1imu.jpg

If you change your router's address, remember you must use the NEW address in your browser's
address window when logging back in
You should also make a note of your router's address, you will need it when configuring your Nfusion
stb.

Next we will configure the server settings. take the following script and CP it to a notepad window;
#!/bin/sh
serial_port=/dev/ttyS0
serial_speed=19200
server_timeout=10
server_retries=0
receiver_protocol=5
ignore_caid=0
server_0="username:[email protected]:12345/123456789012345678901234"
server_1="username:[email protected]:12345/123456789012345678901234"
server_2="username:[email protected]:12345/123456789012345678901234"


. /bin/make_inis

xx-client-broadcom &


Now just reboot your router, the easy way is to just unplug for 30 seconds.
Your router is now configured and the Nfusion client should be running. Connect your Nfusion stb to your router, either hard wire or wifi works. Go to network settings and manually enter your network settings, or use dhcp. Now verify your gateway is set to the IP Address of your your router. THIS IS A
MUST. If you didn't change your router's ip, you should still be at 192.168.1.1. It would probably be best to set your network to static if you are ok with your settings.
Ok, now reboot your stb, wait a minute, watch tv!!


If the update is not here for your Router let me know and Ill upload it or Google is a great TOOL

Search for dd-wr-goo2.rar