hacktv:analogcable:gi_fskdata

This is an old revision of the document!


GI FSK data format

This is the data format used by the control channel on General Instrument and Jerrold analog cable boxes.

NOTE: The information on this page is intended for educational use only, to assist in setting up your own headend. It is only of relevance to analog boxes (not digital), which (as far as I'm aware) are massively obsolete. Most analog cable networks were shut down and upgraded to digital perhaps ten or more years ago.

:!: TODO:

  • Validate the physical and data-link layer notes against the ESNv2 code and REF:JTE01, REF:JTE02, REF:JTE03
  • Multimode – scrambling mode changes triggered by FSK data. Is this a real thing?
  • Logical Address (LA) – also referred to elsewhere as a Dynamic Subscriber Number or Electronic Serial Number (ESN)
    • Operator-defined address of the box.
    • Used to address the box for: channel mapping, authorise or deauthorise programmes, two-way communications, time and date, shutdowns and timer resets.
    • Error E5 indicates this number is not set (set to the default)
  • IRG: Inter-record gap.
    • A series of FF bytes sent to separate packets in the data stream.
    • Also used as a preamble so the receiver can synchronise to the incoming data packet.
  • Serial number: The box's unique serial number.
    • Displayed by the F2 diagnostic command.
    • Used to set the box's ESN, site code, etc.
    • Stored in RAM: if the battery dies or the RAM is shorted out, this will be lost.
  • Site code: A number unique to the cable operator. Used to prevent a box from being moved from one area to another.
    • 12 bits in length, but transmitted as four octal bytes, from most to least significant bits: 03x 02x 01x 00x.
    • Error E8 indicates a site code mismatch.

Much of this is from patent REF:US4558464A.

Each byte is packed into an RS232-style frame, idle high (data is inverted when sent):

Start bit (0) 8 data bits Odd parity Stop bit (1)

Data bits are transmitted from least-significant to most-significant; this means binary 01 011 111 (octal 137, or hex 0x5F) would be transmitted as 111 110 10.

The parity bit is low if all the data bits XOR'ed together are equal to zero, or high if it is equal to one.

Line coding

Framed bytes are Manchester biphase encoded before transmission:

  • Every bit period starts with a change of line polarity (from 0 to 1, or 1 to 0).
  • In the middle of the bit period, there is a data transition. This will be present for a 1 bit, or absent for a 0 bit.

The bit rate is a binary division of a 3.579545 MHz colour-burst crystal; usually the division ratio is 256. This gives a bit rate of around 13982.6 Hz.

The clock frequency for the Manchester encoder (the transition point) is twice the data rate (a divide ratio of 128), or around 27965.2 Hz.

A constant stream of Manchester-encoded '1' bits will produce a 13982.6 Hz square wave, or half this (6991.3 Hz) for a constant stream of encoded '0' bits.

In practice (per REF:JTE01) the box will accept timing which is a few microseconds too fast or too slow.

RF modulation

Framed and line-coded serial data is FSK modulated onto the RF carrier with a deviation of 25kHz.

The IMPULSE 7000 CFT-2000 specification sheet quotes the following specifications for the RF data carrier:

  • Bandwidth: ± 200 kHz
  • Level: -15 dBmV

Applying Carson's rule to calculate the bandwidth:

  • $\mathit{OBW} = 2 \times (\mathit{\Delta F} + \mathit{F_m})$
    • $\mathit{\Delta F}$: Peak frequency deviation
    • $\mathit{F_m}$: Highest frequency in the modulating signal
  • $\mathit{OBW} = 2 \times (50 \mathrm{kHz} + 13982.6 \mathrm{Hz})$
  • $\mathit{OBW} = 127.9652 \mathrm{kHz}$

This means the 200kHz channel bandwidth is sufficient. The deviation could likely be increased as far as ± 42.5 kHz before issues arose.

Data channel frequencies

The following frequencies are known to be in use:

Frequency CFT2xxx variant DPV7/DPBB7 variant Notes
89.3 MHz S9
97.5 MHz S7 Commonly used in US/Canada.
106.5 MHz S8, S6 (Canada) Commonly used in US/Canada. Per Group42, DPV5 and older units mostly use this frequency.
108.5 MHz C1 S9 :?:, C1 Commonly used in US/Canada. Per Group42, CFT models “almost always” use this frequency.
122.7 MHz * :?: :?: UK. Frequency disputed, see below.

*: There is some debate about the true frequency of the UK-model CFT series boxes: 122.7 MHz (GI ACC-4000 manual, Magicboxes), 122.75 MHz (Group42) or 122.8 MHz (REF:JTE01). The true frequency is 122.7 MHz, as quoted by GI: the reference crystal is 133.4 MHz, with an IF of 10.7 MHz, giving a tuned frequency of 122.7 MHz.

Variant codes are from the following sources:

The standard command format is:

Preamble (FF FF FF FF FF) Length byte TYPE CMD Parameters … Checksum byte
  • Preamble or IRG: Synchronisation sequence, to allow the STB to lock onto the incoming data stream's clock.
    • Stream of 0xFF bytes. Five (per US4558464A patent) or six (ESNv2) in total.
  • Length: Total length of the packet, from the type byte to the checksum byte inclusive (excludes the length byte itself).
  • Command type byte:
  • Command byte:
  • Parameters:
  • Checksum byte: Two's complement checksum.
    • Modulo-256 sum of all of the bytes from the length to the last parameter byte, XORed with 0xFF, plus 1.
    • The sum of all bytes from the length to the checksum inclusive should be zero.

The serial number field carries the BCD-encoded truncated serial number of the box. This is the value displayed by the F 2 diagnostic function.

  • F 2 displays the sequence: 01 12 23 34 45 56 67 78 89 90
  • Which equates to serial number 1234567890
  • Which is packed into bytes as 12 34 56 78 90 hex, in left-to-right order of transmission (SN4..SN0).

The Site Code is a 4-byte sequence which encodes a 12-bit number, which uniquely identifies the cable network.

SC3 Range D8 to DF 1101 1xxx
SC2 Range D0 to D7 1101 0xxx
SC1 Range C8 to CF 1100 1xxx
SC0 Range C0 to C7 1100 0xxx

Each byte encodes three bits (one octal digit) of the Site Code.

The default site code is D8 D0 C8 C0.

The headend will incorporate the site code into commands wherever possible or reasonable. This is done to allow boxes to check the site code against the one stored internally.

The Reset Disconnect command may have a site code incorporated into it thusly:

06 F9 LA LA LA LA CHK is the reset disconnect command.
0A F9 SI TE CO DE LA LA LA LA CHK is the same command with exactly the same function but also now containing the site code.
      ^^-^^-^^-^^
      These are the 4 bytes of the SITE CODE.

The Time Set command also exists in a with and without Site Code form:

Without site code:  09 60 FD 60 0F 02 13 01 15 CHK
With    site code:  0C 60 FD 60 0F 02 13 01 15 D8 D0 C8 C0 CHK
                                               ^^^^^^^^^^^ Site code

Logical Addresses are sent as a sequence of four bytes:

LA3 (first byte sent) Range E0 to FF 111x_xxxx 5 bits :?:
LA2 Range 80 to BF 10xx_xxxx 6 bits :?:
LA1 Range 40 to 7F 01xx_xxxx 6 bits :?:
LA0 (last byte sent) Range 00 to 3F 00xx_xxxx 6 bits :?:

This gives a total addressing range of 23 bits, or 8,388,608 boxes.

In practice the first byte is almost always 0xE0, giving only 18 bits of addressable range, or 262,144 boxes.

:!: The first byte may be the “Geocode” (see ACC-4000 manual)

The logical address is often set to E0 BF 7F 3E (one less than the maximum) by pirate 'cubes'.

More than one logical address with the same first three bytes may be addressed in the same packet. This is done by appending additional bytes to the packet, containing the last byte of the LAs to be addressed.

For example, the following compressed LA stream addresses boxes E0 BF 7E 01 through E0 BF 7E 05, but skips E0 BF 7E 03:

E0 BF 7E 01 02 04 05

Len. CMD (hex) Addressing Function
9 60 Broadcast Set Time
7 E9..F7 LA Bitwise Turn On/Off Channel
6 F8 LA Disconnect / Shutdown Box
6 F9 LA Reset Disconnect
8 FD 47 LA Enable/Disable Functions :?:
11 FD 4F LA Set Site Code
12 FD 5F S/N Set Logical Address and/or Site Code
3 FD 6E Broadcast Reset Timer (All Boxes)
4 FD 7F+FD 81 Broadcast Turn On Channel (All Boxes)
7 FD 8D LA Reboot Box (locally addressed)
7 FD 8E LA Reset Timer (locally addressed)
8 FD 9F+FD A1 LA Turn On Channel (locally addressed)

Note: Length includes checksum byte, but it is not shown in the tables.

Addressing modes:

  • Broadcast: All boxes which receive this command will execute it.
  • LA: Logical Address. Targeted to a specific Logical Address.
  • S/N: Serial Number. Targeted to a specific box Serial Number.

The following commands are currently unknown and undocumented:

Len. CMD (hex) Addressing Function
6 FB LA :?: From TCINIT. Sent as 06 FB E0 BF 7F 3A A6
9 FD 44 LA :?: :?: From ESNv2 “extra”. Sent as 09 FD 44 E0 BF 7F 3E 00 00.
17 FD 4D LA :?: :?: From ESNv2 “CHANNELMAP”. Sent as 11 FD 4D E0 BF 7F 3E 1F 0F 7F 7F 7F 7F 1F 1F 63 63 1B
10 FD 8C LA :?: :?: From ESNv2 “COMMFD8C”. Sent as 0A FD 8C E0 BF 7F 3E 7F 07 0A. Described as “Set checksum command”.
8 FD B0..FD BF + FD E8..FD F7 LA :?: From ESNv2. Turn on/off PPV events or channels? Sent as 08 FD B0++ LA[3..0] FF then 08 FD E8++ LA[3..0] FF
FF seems to be a PPV event bitmap.
6 FE LA :?: From TCINIT. Sent as 06 FE E0 BF 7F 3E A0

:!: TODO:

  • FD 49: per REF:JERCMD, an “unknown command” from the Phantom Cube
    • According to this post by JohnW, FD 49 is “Load Default Logical Address”.
    • Will leave the box in Error E5 state until FD 5F command is sent.
  • FD 4D: per REF:JERCMD, “set channel map”. Examples:
    • 11 FD 4D (—LA—-) 0B 00 2A 00 00 00 00 00 00 00 CSUM (REF:JERCMD)
    • 11 FD 4D (—LA—-) 1F 0F 7F 7F 7F 7F 00 17 63 63 CSUM (REF:JERCMD, ESNv2 with fixed E0 BF 7F 3E LA, Magicboxes post)
  • FD 4E: per REF:JERCMD, “part of a generic Jerrold cube startup”
    • 06 FD 4E ESN1 ESN2 ESN3 ESN4 CSUM
  • FD 50: unknown command (REF:JERCMD)
    • Seen in Magicboxes comm log below
  • FD 5D: unknown command (REF:JERCMD)
  • FE: enable reboot
  • 08 FD 4B 02 (LA) – set global timeout to 4 hours.

Without site code

LE CMD Unknown data Month Day of Month Hour Minute
9 60 FD 60 0F

With site code

LE CMD Unknown data Month Day of Month Hour Minute Site code
13 60 FD 60 0F SC3..0 (4 bytes)
  • Month: Month of the year. Zero based (0=January, …, 11=December)
  • Day of month: Day of the month. Zero based (0=1, …, 30=31)
  • Hours: Zero based (range 0 to 23)
  • Minutes: Zero based (range 0 to 59)
  • Site code: Optional site code.
LE CMD Logical Address Channel bitmap
8 0xE8..0xF7 LA LA LA LA BITMAP

Enables or disables a block of eight channels for the box with logical address LA.

:!: Command/range mappings may be incorrect:

  • REF:JTE01 lists the ranges as command E9 (channels 0-7), EA (8-15), up to F7 (120-127).
  • REF:JERCMD lists the ranges as command E8 to F7.
  • Could be that the command-base is E8 and this is a typo.
  • ESNv2 doesn't appear to send this command.
Command Channel range
E8 0-7
E9 8-15
EA 16-23
EB 24-31
EC 32-39
ED 40-47
EE 48-55
EF 56-63
F0 64-71
F1 72-79
F2 80-87
F3 88-95
F4 96-103
F5 104-111
F6 112-119
F7 120-127
LE CMD Logical Address
6 0xF8 LA LA LA LA

Shut down the box immediately.

Shut-down boxes will either:

  • OSD capable (CFT): display the “YOUR CONVERTER IS DISCONNECTED. PLEASE CONTACT YOUR CABLE OPERATOR.” barker text.
  • Non-OSD: display the barker channel.
LE CMD Logical Address
7 0xF9 LA LA LA LA

Reverses the “Shutdown Box” command. Also resets the box's communication timer.

:?: TODO

From the ESNv2 code. and REF:JERCMD.

LE CMD SubCMD Logical address Feature Bitmap
8 0xFD 0x47 LA3..LA0 (4 bytes) FEATURES

Feature flag bitmap has a '1' bit if the feature is enabled. ESNv2 and TCINIT send a bitmap of FF, T2/RFT-Gold/Phantom send 7F.

Bits are:

Bit Value hex Feature
7 0x80
6 0x40
5 0x20
4 0x10
3 0x08
2 0x04
1 0x02
0 0x01

:!: NOTE: This command is incorrectly listed in REF:JERADDR as having the serial number sent first, then the logical address and sitecode. It is correctly shown in REF:JERCMD, REF:JTE01 and REF:JTE03, and correctly implemented in TCINIT and ESNv2.

Without site code

LE CMD SubCMD Logical address Serial number
12 0xFD 0x5F LA3..LA0 (4 bytes) SN4..SN0 (5 bytes)

Set the logical address on the box with serial number SN to LA. The Site Code will not be set, and will not be checked by the box.

With site code

LE CMD SubCMD Logical address Serial number Site Code
16 0xFD 0x5F LA3..LA0 (4 bytes) SN4..SN0 (5 bytes) SC3..SC0 (4 bytes)

Set the logical address on the box with serial number SN to LA, and its Site Code to SC.

LE CMD SubCMD
3 0xFD 0x6E

Resets the disconnect timer for all boxes on the cable network.

LE CMD SubCMD Channel ID
4 0xFD 0x7F 0x00 to 0x9E (0 to 158)
LE CMD SubCMD Channel ID
4 0xFD 0x81 0x00 to 0x9E (0 to 158)

Enables access to a channel for all receiving boxes. Both commands must be sent – FD 7F followed by FD 81.

Only available on earlier boxes, pre CFT series. Ignored by CFT series and later. Known to work on DPBB7 series and earlier.

LE CMD SubCMD Logical address
7 0xFD 0x8D LA3..LA0 (4 bytes)

Reboots the addressed box. May be used with or without Site Code.

LE CMD SubCMD Logical address
7 0xFD 0x8E LA3..LA0 (4 bytes)

Resets the disconnect timer for all boxes on the cable network.

LE CMD SubCMD Logical address Channel ID
8 0xFD 0x9F LA3..LA0 (4 bytes) 0x00 to 0x9E (0 to 158)
LE CMD SubCMD Logical address Channel ID
8 0xFD 0xA1 LA3..LA0 (4 bytes) 0x00 to 0x9E (0 to 158)

Enables access to a channel for the box with logical address LA. Send command FD 9F followed by FD A1.

Only available on earlier boxes, pre UK iCFT2100 and USA CFT2200 series.

  • CFT-series receivers will not process most global commands.
    • These receivers must be addressed by their LA.
  • iCFT2100 (UK) and CFT2200 (USA) will not process LA-addressed single-channel activation commands.

TCINIT sends the following commands:

Len Cmd Payload Notes
128 bytes FF preamble/IRG
0C FD 5F E0 BF 7F 3E (SN[4..0]) 3C Set LA to E0 BF 7F 3E
28 bytes FF preamble/IRG
0A FD 8C E0 BF 7F 3E 7F 07 0A 81
12 bytes FF preamble/IRG
06 FE E0 BF 7F 3E A0
12 bytes FF preamble/IRG
07 FD 8D E0 BF 7F 3E 13 Reboot Box with LA=E0 BF 7F 3E
12 bytes FF preamble/IRG
07 FD 8E E0 BF 7F 3E 12 Reset timer on box with LA=E0 BF 7F 3E
12 bytes FF preamble/IRG
08 FD 47 E0 BF 7F 3E FF 1D Enable/disable functions :?:, enable all fuctions
12 bytes FF preamble/IRG
06 F9 E0 BF 7F 3E A5 Reset Disconnect
12 bytes FF preamble/IRG
06 FB E0 BF 7F 3E A6
44 bytes FF preamble/IRG

From https://groups.google.com/g/rec.video.cable-tv/c/GLVlZnUc3rA/m/SMYxwaVG-J8J

3 FD 6E 92 FF FF FF FF FF
11 FD 4D E0 80 76 0 B 0 2A 0 0 0 0 0 0 0 9A FF FF FF FF FF
8 FD 49 E0 80 76 0 0 DC FF FF FF FF FF
FD 50 E0 80 76 0 0 D5 FF FF FF FF FF
E8 E0 80 76 0 FF 3C FF FF FF FF
7 E9 E0 80 76 0 FF 3B FF FF FF FF
7 EA E0 80 76 0 FF 3A FF FF FF FF
7 EB E0 80 76 0 FF 39 FF FF FF FF
7 EC E0 80 76 0 FF 38 FF FF FF FF
7 ED E0 80 76 0 FF 37 FF FF FF FF
7 EE E0 80 76 0 FF 36 FF FF FF FF
7 EF E0 80 76 0 FF 35 FF FF FF FF
7 F0 E0 80 76 0 FF 34 FF FF FF FF
7 F1 E0 80 76 0 FF 33 FF FF FF FF
7 F2 E0 80 76 0 FF 32 FF FF FF FF
7 F3 E0 80 76 0 FF 31 FF FF FF FF
7 F4 E0 80 76 0 FF 30 FF FF FF FF
7 F5 E0 80 76 0 FF 2F FF FF FF FF
7 F6 E0 80 76 0 FF 2E FF FF FF FF
7 F7 E0 80 76 0 FF 2D FF FF FF FF
9 FD B0 E8 E0 80 76 0 FF 8D FF FF FF FF
9 FD B1 E9 E0 80 76 0 FF 8B FF FF FF FF
9 FD B2 EA E0 80 76 0 FF 89 FF FF FF FF
9 FD B3 EB E0 80 76 0 FF 87 FF FF FF FF
9 FD B4 EC E0 80 76 0 FF 85 FF FF FF FF
9 FD B5 ED E0 80 76 0 FF 83 FF FF FF FF
9 FD B6 EE E0 80 76 0 FF 81 FF FF FF FF
9 FD B7 EF E0 80 76 0 FF 7F FF FF FF FF
9 FD B8 F0 E0 80 76 0 FF 7D FF FF FF FF
9 FD B9 F1 E0 80 76 0 FF 7B FF FF FF FF
9 FD BA F2 E0 80 76 0 FF 79 FF FF FF FF
9 FD BB F3 E0 80 76 0 FF 77 FF FF FF FF
9 FD BC F4 E0 80 76 0 FF 75 FF FF FF FF
9 FD BD F5 E0 80 76 0 FF 73 FF FF FF FF
9 FD BE F6 E0 80 76 0 FF 71 FF FF FF FF
9 FD BF F7 E0 80 76 0 FF
Find me on Mastodon
  • Last modified: 2023/01/29 15:41
  • by philpem