GI FSK data format
This is the data format used by the control channel on General Instrument and Jerrold analog cable boxes.
NOTE: The information on this page is intended for educational use only, to assist in setting up your own headend. It is only of relevance to analog boxes (not digital), which (as far as I'm aware) are massively obsolete. Most analog cable networks were shut down and upgraded to digital perhaps ten or more years ago.
TODO:
- Validate the physical and data-link layer notes against the ESNv2 code and REF:JTE01, REF:JTE02, REF:JTE03
- Multimode – scrambling mode changes triggered by FSK data. Is this a real thing?
Terminology
- Logical Address (LA) – also referred to elsewhere as a Dynamic Subscriber Number or Electronic Serial Number (ESN)
  - Operator-defined address of the box.
  - Used to address the box for: channel mapping, authorise or deauthorise programmes, two-way communications, time and date, shutdowns and timer resets.
  - Error E5 indicates this number is not set (set to the default).
- IRG: Inter-record gap.
  - A series of FF bytes sent to separate packets in the data stream.
  - Also used as a preamble so the receiver can synchronise to the incoming data packet.
- Serial number: The box's unique serial number.
  - Displayed by the F2 diagnostic command.
  - Used to set the box's ESN, site code, etc.
  - Stored in RAM: if the battery dies or the RAM is shorted out, this will be lost.
- Site code: A number unique to the cable operator. Used to prevent a box from being moved from one area to another.
  - 12 bits in length, but transmitted as four octal bytes, from most to least significant bits: 03x 02x 01x 00x.
  - Error E8 indicates a site code mismatch.
Physical layer (layer 1) protocol
Much of this is from patent REF:US4558464A.
Framing
Each byte is packed into an RS232-style frame, idle high (data is inverted when sent):
Start bit (0) | 8 data bits | Odd parity | Stop bit (1) |
Data bits are transmitted from least-significant to most-significant; this means binary 01 011 111 (octal 137, or hex 0x5F) would be transmitted as 111 110 10.
The parity bit is low if all the data bits XOR'ed together are equal to zero, or high if it is equal to one.
Line coding
Framed bytes are Manchester biphase encoded before transmission:
- Every bit period starts with a change of line polarity (from 0 to 1, or 1 to 0).
- In the middle of the bit period, there is a data transition. This will be present for a 1 bit, or absent for a 0 bit.
The bit rate is a binary division of a 3.579545 MHz colour-burst crystal; usually the division ratio is 256. This gives a bit rate of around 13982.6 Hz.
The clock frequency for the Manchester encoder (the transition point) is twice the data rate (a divide ratio of 128), or around 27965.2 Hz.
A constant stream of Manchester-encoded '1' bits will produce a 13982.6 Hz square wave, or half this (6991.3 Hz) for a constant stream of encoded '0' bits.
In practice (per REF:JTE01) the box will accept timing which is a few microseconds too fast or too slow.
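The framing and line-coding rules above, as an added Python example that is not part of the original page. It works on logical bits only (the inversion mentioned under Framing is not modelled), computes the parity bit exactly as the parity sentence above words it (XOR of the data bits), and assumes the line idles high before the first bit; all function names are hypothetical.

```python
# Added example: byte framing and biphase line coding as described on this page.
# Assumptions: logical (non-inverted) bits, parity bit = XOR of the data bits as
# the page's parity sentence states, line level is 1 before the first bit.

def _xor(bits):
    acc = 0
    for bit in bits:
        acc ^= bit
    return acc

def frame_byte(value):
    """Start bit 0, eight data bits LSB first, parity bit, stop bit 1."""
    data = [(value >> i) & 1 for i in range(8)]
    return [0] + data + [_xor(data)] + [1]

def unframe(bits):
    """Validate an 11-bit frame and return the byte it carries."""
    if len(bits) != 11 or bits[0] != 0 or bits[10] != 1:
        raise ValueError("bad start or stop bit")
    data, parity = bits[1:9], bits[9]
    if _xor(data) != parity:
        raise ValueError("parity error")
    return sum(bit << i for i, bit in enumerate(data))

def line_encode(bits, level=1):
    """Two half-bit levels per bit: the line toggles at the start of every
    bit period, and toggles again mid-bit only for a 1."""
    out = []
    for bit in bits:
        level ^= 1              # clock transition at the start of the bit
        out.append(level)
        if bit:
            level ^= 1          # data transition in the middle of a 1 bit
        out.append(level)
    return out

def line_decode(halves):
    """Recover bits from half-bit samples; a bit is 1 when its halves differ."""
    if len(halves) % 2:
        raise ValueError("odd number of half-bit samples")
    for i in range(2, len(halves), 2):
        if halves[i] == halves[i - 1]:
            raise ValueError("missing clock transition before bit %d" % (i // 2))
    return [halves[i] ^ halves[i + 1] for i in range(0, len(halves), 2)]

if __name__ == "__main__":
    frame = frame_byte(0x5F)
    print(frame, line_encode(frame))
```

A run of 1 bits produces one full square-wave cycle per bit and a run of 0 bits one cycle per two bits, which is where the two tone frequencies quoted above come from.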
RF modulation
Framed and line-coded serial data is FSK modulated onto the RF carrier with a deviation of 25 kHz.
The IMPULSE 7000 CFT-2000 specification sheet quotes the following specifications for the RF data carrier:
- Bandwidth: ± 200 kHz
- Level: -15 dBmV
Applying Carson's rule to calculate the bandwidth:
- $\mathit{OBW} = 2 \times (\mathit{\Delta F} + \mathit{F_m})$
- $\mathit{\Delta F}$: Peak frequency deviation
- $\mathit{F_m}$: Highest frequency in the modulating signal
- $\mathit{OBW} = 2 \times (50 \mathrm{kHz} + 13982.6 \mathrm{Hz})$
- $\mathit{OBW} = 127.9652 \mathrm{kHz}$
This means the 200 kHz channel bandwidth is sufficient. The deviation could likely be increased as far as ± 42.5 kHz before issues arose.
Data channel frequencies
The following frequencies are known to be in use:
Frequency | CFT2xxx variant | DPV7/DPBB7 variant | Notes |
---|---|---|---|
89.3 MHz | S9 | ||
97.5 MHz | S7 | Commonly used in US/Canada. | |
106.5 MHz | S8 , S6 (Canada) | Commonly used in US/Canada. Per Group42, DPV5 and older units mostly use this frequency. | |
108.5 MHz | C1 | S9 , C1 | Commonly used in US/Canada. Per Group42, CFT models “almost always” use this frequency. |
122.7 MHz * | UK. Frequency disputed, see below. |
*: There is some debate about the true frequency of the UK-model CFT series boxes: 122.7 MHz (GI ACC-4000 manual, Magicboxes), 122.75 MHz (Group42) or 122.8 MHz (REF:JTE01). The true frequency is 122.7 MHz, as quoted by GI: the reference crystal is 133.4 MHz, with an IF of 10.7 MHz, giving a tuned frequency of 122.7 MHz.
Variant codes are from the following sources:
- GI CFT2000/2200 ordering information (System Industrial)
- GI ACC-4000 Addressable Controller system operator's manual, appendix A “Converter Types and Features”.
Packet format
The standard command format is:
Preamble (FF FF FF FF FF) | Length byte | TYPE | CMD | Parameters … | Checksum byte |
- Preamble or IRG: Synchronisation sequence, to allow the STB to lock onto the incoming data stream's clock.
  - Stream of 0xFF bytes. Five (per US4558464A patent) or six (ESNv2) in total.
- Length: Total length of the packet, from the type byte to the checksum byte inclusive (excludes the length byte itself).
- Command type byte:
- Command byte:
- Parameters:
- Checksum byte: Two's complement checksum.
  - Modulo-256 sum of all of the bytes from the length to the last parameter byte, XORed with 0xFF, plus 1.
  - The sum of all bytes from the length to the checksum inclusive should be zero.
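The packet layout and checksum rule above, as an added Python example for decoding a captured byte stream; it is not code from the original page or from any of the tools it mentions. The function names are hypothetical, the command names come from this page's command list, and the first two sample packets are taken from the TCINIT sample in the appendix while the third is constructed with a wrong checksum.

```python
# Added example: split a control-channel byte stream into packets, verify each
# checksum, and name the command where this page's command list knows it.
NAMES = {
    "F8": "Disconnect / Shutdown Box",
    "F9": "Reset Disconnect",
    "FD 6E": "Reset Timer (All Boxes)",
    "FD 8D": "Reboot Box (locally addressed)",
    "FD 8E": "Reset Timer (locally addressed)",
}

def checksum(body):
    """Checksum for the bytes from the length byte to the last parameter byte."""
    return (((sum(body) & 0xFF) ^ 0xFF) + 1) & 0xFF

def split_packets(stream):
    """Return [(packet, ok)]; packet runs from the length byte to the checksum."""
    packets, i = [], 0
    while i < len(stream):
        if stream[i] == 0xFF:               # preamble / IRG filler between packets
            i += 1
            continue
        end = i + 1 + stream[i]             # length counts type byte .. checksum
        pkt = bytes(stream[i:end])
        if stream[i] < 2 or end > len(stream):
            packets.append((pkt, False))    # too short, or truncated capture
        else:
            # Length byte through checksum byte must sum to zero modulo 256.
            packets.append((pkt, (sum(pkt) & 0xFF) == 0))
        i = end
    return packets

def command_key(pkt):
    """'FD 8D' style key for FD-prefixed commands, else the single command byte."""
    if pkt[1] == 0xFD and len(pkt) > 3:
        return "FD %02X" % pkt[2]
    return "%02X" % pkt[1]

def describe(stream):
    """One text line per packet: hex bytes, checksum verdict, command name."""
    lines = []
    for pkt, ok in split_packets(stream):
        name = NAMES.get(command_key(pkt), "unknown") if ok else "not decoded"
        lines.append("%s  %s  %s" % (pkt.hex(" ").upper(), "OK " if ok else "BAD", name))
    return lines

# Packets 1 and 2: from this page's TCINIT sample. Packet 3: constructed copy of
# the FD 8E packet with a deliberately wrong checksum byte (10 instead of 12).
SAMPLE = bytes.fromhex(
    "FFFFFFFFFF" "06F9E0BF7F3EA5"
    "FFFFFFFFFF" "07FD8DE0BF7F3E13"
    "FFFFFFFFFF" "07FD8EE0BF7F3E10"
)

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
```

Because packets are delimited by the length byte rather than by the FF filler, an FF inside a packet (such as a channel bitmap) does not end it.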
Serial Number field formatting
The serial number field carries the BCD-encoded truncated serial number of the box. This is the value displayed by the F 2 diagnostic function.
- F 2 displays the sequence: 01 12 23 34 45 56 67 78 89 90
- Which equates to serial number 1234567890
- Which is packed into bytes as 12 34 56 78 90 hex, in left-to-right order of transmission (SN4..SN0).
Site Code field formatting
The Site Code is a 4-byte sequence which encodes a 12-bit number, which uniquely identifies the cable network.
SC3 | Range D8 to DF | 1101 1xxx |
---|---|---|
SC2 | Range D0 to D7 | 1101 0xxx |
SC1 | Range C8 to CF | 1100 1xxx |
SC0 | Range C0 to C7 | 1100 0xxx |
Each byte encodes three bits (one octal digit) of the Site Code.
The default site code is D8 D0 C8 C0.
Embedding the Site Code into commands
The headend will incorporate the site code into commands wherever possible or reasonable. This is done to allow boxes to check the site code against the one stored internally.
The Reset Disconnect command may have a site code incorporated into it thusly:
    06 F9 LA LA LA LA CHK               is the reset disconnect command.
    0A F9 SI TE CO DE LA LA LA LA CHK   is the same command with exactly the same function but also now containing the site code.
          ^^-^^-^^-^^                   These are the 4 bytes of the SITE CODE.
The Time Set command also exists in forms with and without the Site Code:
    Without site code: 09 60 FD 60 0F 02 13 01 15 CHK
    With site code:    0C 60 FD 60 0F 02 13 01 15 D8 D0 C8 C0 CHK
                                                  ^^^^^^^^^^^ Site code
Logical Address field formatting and LA compression
Logical Addresses are sent as a sequence of four bytes:
LA3 (first byte sent) | Range E0 to FF | 111x_xxxx | 5 bits |
---|---|---|---|
LA2 | Range 80 to BF | 10xx_xxxx | 6 bits |
LA1 | Range 40 to 7F | 01xx_xxxx | 6 bits |
LA0 (last byte sent) | Range 00 to 3F | 00xx_xxxx | 6 bits |
This gives a total addressing range of 23 bits, or 8,388,608 boxes.
In practice the first byte is almost always 0xE0, giving only 18 bits of addressable range, or 262,144 boxes.
The first byte may be the “Geocode” (see ACC-4000 manual).
The logical address is often set to E0 BF 7F 3E (one less than the maximum) by pirate 'cubes'.
Logical Address compression (multi-LA addressing)
More than one logical address with the same first three bytes may be addressed in the same packet. This is done by appending additional bytes to the packet, containing the last byte of the LAs to be addressed.
For example, the following compressed LA stream addresses boxes E0 BF 7E 01 through E0 BF 7E 05, but skips E0 BF 7E 03:
    E0 BF 7E 01 02 04 05
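The Site Code, Logical Address and LA-compression field layouts above, as an added Python example that is not part of the original page. Treating LA3 as the most significant part of a single 23-bit number is this example's assumption (it matches the page's description of E0 BF 7F 3E as one less than the 18-bit maximum), and all function names are hypothetical.

```python
# Added example: decode the addressing fields described on this page.
# Assumption: LA3 holds the most significant bits of one 23-bit number.

LA_TAGS = ((0xE0, 0xE0, 5), (0xC0, 0x80, 6), (0xC0, 0x40, 6), (0xC0, 0x00, 6))
SC_TAGS = (0xD8, 0xD0, 0xC8, 0xC0)      # fixed upper bits of SC3..SC0

def decode_la(field):
    """Four bytes LA3..LA0 -> integer; rejects bytes outside their listed range."""
    if len(field) != 4:
        raise ValueError("logical address is four bytes")
    value = 0
    for byte, (mask, tag, width) in zip(field, LA_TAGS):
        if (byte & mask) != tag:
            raise ValueError("byte %02X outside its LA range" % byte)
        value = (value << width) | (byte & ~mask & 0xFF)
    return value

def encode_la(value):
    """Inverse of decode_la for 0 <= value < 2**23."""
    if not 0 <= value < (1 << 23):
        raise ValueError("logical address needs 23 bits or fewer")
    return bytes([0xE0 | (value >> 18), 0x80 | ((value >> 12) & 0x3F),
                  0x40 | ((value >> 6) & 0x3F), value & 0x3F])

def decode_site_code(field):
    """Four bytes SC3..SC0, one octal digit each -> 12-bit integer."""
    if len(field) != 4:
        raise ValueError("site code is four bytes")
    value = 0
    for byte, tag in zip(field, SC_TAGS):
        if (byte & 0xF8) != tag:
            raise ValueError("byte %02X outside its site code range" % byte)
        value = (value << 3) | (byte & 0x07)
    return value

def expand_compressed(stream):
    """Full LA followed by extra LA0 bytes -> list of full four-byte LAs."""
    base = bytes(stream[:4])
    decode_la(base)                     # validates the leading full address
    addresses = [base]
    for last in stream[4:]:
        if last > 0x3F:
            raise ValueError("byte %02X is not a valid LA0 value" % last)
        addresses.append(base[:3] + bytes([last]))
    return addresses

if __name__ == "__main__":
    print(decode_la(bytes.fromhex("E0BF7F3E")))
    print(oct(decode_site_code(bytes.fromhex("D8D0C8C0"))))
    for la in expand_compressed(bytes.fromhex("E0BF7E01020405")):
        print(la.hex(" ").upper())
```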
Command list
Len. | CMD (hex) | Addressing | Function |
---|---|---|---|
9 | 60 | Broadcast | Set Time |
7 | E9..F7 | LA | Bitwise Turn On/Off Channel |
6 | F8 | LA | Disconnect / Shutdown Box |
6 | F9 | LA | Reset Disconnect |
8 | FD 47 | LA | Enable/Disable Functions |
11 | FD 4F | LA | Set Site Code |
12 | FD 5F | S/N | Set Logical Address and/or Site Code |
3 | FD 6E | Broadcast | Reset Timer (All Boxes) |
4 | FD 7F + FD 81 | Broadcast | Turn On Channel (All Boxes) |
7 | FD 8D | LA | Reboot Box (locally addressed) |
7 | FD 8E | LA | Reset Timer (locally addressed) |
8 | FD 9F + FD A1 | LA | Turn On Channel (locally addressed) |
Note: Length includes checksum byte, but it is not shown in the tables.
Addressing modes:
- Broadcast: All boxes which receive this command will execute it.
- LA: Logical Address. Targeted to a specific Logical Address.
- S/N: Serial Number. Targeted to a specific box Serial Number.
The following commands are currently unknown and undocumented:
Len. | CMD (hex) | Addressing | Function |
---|---|---|---|
6 | FB | LA | From TCINIT. Sent as 06 FB E0 BF 7F 3A A6 |
9 | FD 44 | LA | From ESNv2 “extra”. Sent as 09 FD 44 E0 BF 7F 3E 00 00. |
17 | FD 4D | LA | From ESNv2 “CHANNELMAP”. Sent as 11 FD 4D E0 BF 7F 3E 1F 0F 7F 7F 7F 7F 1F 1F 63 63 1B |
10 | FD 8C | LA | From ESNv2 “COMMFD8C”. Sent as 0A FD 8C E0 BF 7F 3E 7F 07 0A. Described as “Set checksum command”. |
8 | FD B0..FD BF + FD E8..FD F7 | LA | From ESNv2. Turn on/off PPV events or channels? Sent as 08 FD B0++ LA[3..0] FF then 08 FD E8++ LA[3..0] FF. FF seems to be a PPV event bitmap. |
6 | FE | LA | From TCINIT. Sent as 06 FE E0 BF 7F 3E A0 |
TODO:
- FD 49: per REF:JERCMD, an “unknown command” from the Phantom Cube
  - According to this post by JohnW, FD 49 is “Load Default Logical Address”.
  - Will leave the box in Error E5 state until FD 5F command is sent.
- FD 4D: per REF:JERCMD, “set channel map”. Examples:
  - 11 FD 4D (---LA----) 0B 00 2A 00 00 00 00 00 00 00 CSUM (REF:JERCMD)
  - 11 FD 4D (---LA----) 1F 0F 7F 7F 7F 7F 00 17 63 63 CSUM (REF:JERCMD, ESNv2 with fixed E0 BF 7F 3E LA, Magicboxes post)
- FD 4E: per REF:JERCMD, “part of a generic Jerrold cube startup”
  - 06 FD 4E ESN1 ESN2 ESN3 ESN4 CSUM
- FD 50: unknown command (REF:JERCMD)
  - Seen in Magicboxes comm log below
- FD 5D: unknown command (REF:JERCMD)
- FE: enable reboot
- 08 FD 4B 02 (LA) – set global timeout to 4 hours.
60: Set Time
Without site code
LE | CMD | Unknown data | Month | Day of Month | Hour | Minute |
---|---|---|---|---|---|---|
9 | 60 | FD 60 0F | | | | |
With site code
LE | CMD | Unknown data | Month | Day of Month | Hour | Minute | Site code |
---|---|---|---|---|---|---|---|
13 | 60 | FD 60 0F | | | | | SC3..0 (4 bytes) |
- Month: Month of the year. Zero based (0=January, …, 11=December)
- Day of month: Day of the month. Zero based (0=1, …, 30=31)
- Hours: Zero based (range 0 to 23)
- Minutes: Zero based (range 0 to 59)
- Site code: Optional site code.
E8 to F7: Bitwise Turn On/Off Channel
LE | CMD | Logical Address | | | | Channel bitmap |
---|---|---|---|---|---|---|
8 | 0xE8..0xF7 | LA | LA | LA | LA | BITMAP |
Enables or disables a block of eight channels for the box with logical address LA.
Command/range mappings may be incorrect:
- REF:JTE01 lists the ranges as command E9 (channels 0-7), EA (8-15), up to F7 (120-127).
- REF:JERCMD lists the ranges as command E8 to F7.
- Could be that the command-base is E8 and this is a typo.
- ESNv2 doesn't appear to send this command.
Command | Channel range |
---|---|
E8 | 0-7 |
E9 | 8-15 |
EA | 16-23 |
EB | 24-31 |
EC | 32-39 |
ED | 40-47 |
EE | 48-55 |
EF | 56-63 |
F0 | 64-71 |
F1 | 72-79 |
F2 | 80-87 |
F3 | 88-95 |
F4 | 96-103 |
F5 | 104-111 |
F6 | 112-119 |
F7 | 120-127 |
F8: Disconnect / Shutdown Box
LE | CMD | Logical Address | |||
---|---|---|---|---|---|
6 | 0xF8 | LA | LA | LA | LA |
Shut down the box immediately.
Shut-down boxes will either:
- OSD capable (CFT): display the “YOUR CONVERTER IS DISCONNECTED. PLEASE CONTACT YOUR CABLE OPERATOR.” barker text.
- Non-OSD: display the barker channel.
F9: Reset Disconnect
LE | CMD | Logical Address | |||
---|---|---|---|---|---|
7 | 0xF9 | LA | LA | LA | LA |
Reverses the “Shutdown Box” command. Also resets the box's communication timer.
FD 47: Enable Functions?
TODO
From the ESNv2 code and REF:JERCMD.
LE | CMD | SubCMD | Logical address | Feature Bitmap |
---|---|---|---|---|
8 | 0xFD | 0x47 | LA3..LA0 (4 bytes) | FEATURES |
Feature flag bitmap has a '1' bit if the feature is enabled. ESNv2 and TCINIT send a bitmap of FF, T2/RFT-Gold/Phantom send 7F.
Bits are:
Bit | Value hex | Feature |
---|---|---|
7 | 0x80 | |
6 | 0x40 | |
5 | 0x20 | |
4 | 0x10 | |
3 | 0x08 | |
2 | 0x04 | |
1 | 0x02 | |
0 | 0x01 |
FD 5F: Set Logical Address and Site Code
NOTE: This command is incorrectly listed in REF:JERADDR as having the serial number sent first, then the logical address and sitecode. It is correctly shown in REF:JERCMD, REF:JTE01 and REF:JTE03, and correctly implemented in TCINIT and ESNv2.
Without site code
LE | CMD | SubCMD | Logical address | Serial number |
---|---|---|---|---|
12 | 0xFD | 0x5F | LA3..LA0 (4 bytes) | SN4..SN0 (5 bytes) |
Set the logical address on the box with serial number SN to LA. The Site Code will not be set, and will not be checked by the box.
With site code
LE | CMD | SubCMD | Logical address | Serial number | Site Code |
---|---|---|---|---|---|
16 | 0xFD | 0x5F | LA3..LA0 (4 bytes) | SN4..SN0 (5 bytes) | SC3..SC0 (4 bytes) |
Set the logical address on the box with serial number SN to LA, and its Site Code to SC.
FD 6E: Reset Timer (global)
LE | CMD | SubCMD |
---|---|---|
3 | 0xFD | 0x6E |
Resets the disconnect timer for all boxes on the cable network.
FD 7F and FD 81: Turn on channel (global)
LE | CMD | SubCMD | Channel ID |
---|---|---|---|
4 | 0xFD | 0x7F | 0x00 to 0x9E (0 to 158) |
LE | CMD | SubCMD | Channel ID |
---|---|---|---|
4 | 0xFD | 0x81 | 0x00 to 0x9E (0 to 158) |
Enables access to a channel for all receiving boxes. Both commands must be sent – FD 7F followed by FD 81.
Only available on earlier boxes, pre CFT series. Ignored by CFT series and later. Known to work on DPBB7 series and earlier.
FD 8D: Reboot Box
LE | CMD | SubCMD | Logical address |
---|---|---|---|
7 | 0xFD | 0x8D | LA3..LA0 (4 bytes) |
Reboots the addressed box. May be used with or without Site Code.
FD 8E: Reset Timer (locally addressed)
LE | CMD | SubCMD | Logical address |
---|---|---|---|
7 | 0xFD | 0x8E | LA3..LA0 (4 bytes) |
Resets the disconnect timer for all boxes on the cable network.
FD 9F and FD A1: Turn on channel (locally addressed)
LE | CMD | SubCMD | Logical address | Channel ID |
---|---|---|---|---|
8 | 0xFD | 0x9F | LA3..LA0 (4 bytes) | 0x00 to 0x9E (0 to 158) |
LE | CMD | SubCMD | Logical address | Channel ID |
---|---|---|---|---|
8 | 0xFD | 0xA1 | LA3..LA0 (4 bytes) | 0x00 to 0x9E (0 to 158) |
Enables access to a channel for the box with logical address LA. Send command FD 9F followed by FD A1.
Only available on earlier boxes, pre UK iCFT2100 and USA CFT2200 series.
Receiver-specific differences
- CFT-series receivers will not process most global commands.
- These receivers must be addressed by their LA.
- iCFT2100 (UK) and CFT2200 (USA) will not process LA-addressed single-channel activation commands.
Appendix: Comm samples
TCINIT.COM communications
TCINIT sends the following commands:
Len | Cmd | Payload | Notes |
---|---|---|---|
128 bytes FF preamble/IRG | | | |
0C | FD 5F | E0 BF 7F 3E (SN[4..0]) 3C | Set LA to E0 BF 7F 3E |
28 bytes FF preamble/IRG | | | |
0A | FD 8C | E0 BF 7F 3E 7F 07 0A 81 | |
12 bytes FF preamble/IRG | | | |
06 | FE | E0 BF 7F 3E A0 | |
12 bytes FF preamble/IRG | | | |
07 | FD 8D | E0 BF 7F 3E 13 | Reboot Box with LA=E0 BF 7F 3E |
12 bytes FF preamble/IRG | | | |
07 | FD 8E | E0 BF 7F 3E 12 | Reset timer on box with LA=E0 BF 7F 3E |
12 bytes FF preamble/IRG | | | |
08 | FD 47 | E0 BF 7F 3E FF 1D | Enable/disable functions, enable all functions |
12 bytes FF preamble/IRG | | | |
06 | F9 | E0 BF 7F 3E A5 | Reset Disconnect |
12 bytes FF preamble/IRG | | | |
06 | FB | E0 BF 7F 3E A6 | |
44 bytes FF preamble/IRG | | | |
Magicboxes
From https://groups.google.com/g/rec.video.cable-tv/c/GLVlZnUc3rA/m/SMYxwaVG-J8J
    3 FD 6E 92 FF FF FF FF FF
    11 FD 4D E0 80 76 0 B 0 2A 0 0 0 0 0 0 0 9A FF FF FF FF FF
    8 FD 49 E0 80 76 0 0 DC FF FF FF FF FF
    FD 50 E0 80 76 0 0 D5 FF FF FF FF FF
    E8 E0 80 76 0 FF 3C FF FF FF FF
    7 E9 E0 80 76 0 FF 3B FF FF FF FF
    7 EA E0 80 76 0 FF 3A FF FF FF FF
    7 EB E0 80 76 0 FF 39 FF FF FF FF
    7 EC E0 80 76 0 FF 38 FF FF FF FF
    7 ED E0 80 76 0 FF 37 FF FF FF FF
    7 EE E0 80 76 0 FF 36 FF FF FF FF
    7 EF E0 80 76 0 FF 35 FF FF FF FF
    7 F0 E0 80 76 0 FF 34 FF FF FF FF
    7 F1 E0 80 76 0 FF 33 FF FF FF FF
    7 F2 E0 80 76 0 FF 32 FF FF FF FF
    7 F3 E0 80 76 0 FF 31 FF FF FF FF
    7 F4 E0 80 76 0 FF 30 FF FF FF FF
    7 F5 E0 80 76 0 FF 2F FF FF FF FF
    7 F6 E0 80 76 0 FF 2E FF FF FF FF
    7 F7 E0 80 76 0 FF 2D FF FF FF FF
    9 FD B0 E8 E0 80 76 0 FF 8D FF FF FF FF
    9 FD B1 E9 E0 80 76 0 FF 8B FF FF FF FF
    9 FD B2 EA E0 80 76 0 FF 89 FF FF FF FF
    9 FD B3 EB E0 80 76 0 FF 87 FF FF FF FF
    9 FD B4 EC E0 80 76 0 FF 85 FF FF FF FF
    9 FD B5 ED E0 80 76 0 FF 83 FF FF FF FF
    9 FD B6 EE E0 80 76 0 FF 81 FF FF FF FF
    9 FD B7 EF E0 80 76 0 FF 7F FF FF FF FF
    9 FD B8 F0 E0 80 76 0 FF 7D FF FF FF FF
    9 FD B9 F1 E0 80 76 0 FF 7B FF FF FF FF
    9 FD BA F2 E0 80 76 0 FF 79 FF FF FF FF
    9 FD BB F3 E0 80 76 0 FF 77 FF FF FF FF
    9 FD BC F4 E0 80 76 0 FF 75 FF FF FF FF
    9 FD BD F5 E0 80 76 0 FF 73 FF FF FF FF
    9 FD BE F6 E0 80 76 0 FF 71 FF FF FF FF
    9 FD BF F7 E0 80 76 0 FF
Reference documents
- Spec sheets and ordering information:
- NY DPS: Time Warner Cable franchise application – CFT2000 spec sheet included, page 63 to 65.
- Magicboxes technical notes
- “Jerrold Technical Info” by John W.
- JTI02: Part 2: Jerrold headend management channel data logger – a bit of a brute-force bodge, but probably workable.
- JERCMD: Compilation of codes for Jerrold boxes, jerroldcodes@hotmail.com
- GI patent US4558464A, “Address-programmable CATV converter”, Thomas E. O'Brien, Jr., General Instrument.
- FAQ - Jerrold addressing. Magicboxes, Jan 17, 1998.
Possible routes forward
- ROM disassembly
- Jerrold 550 / Starcom 6 ROM – reverse engineer this to figure out the command scheme.
- Only 8K of code; according to this page, it is for a PIC7040 microcontroller – which is a clone of the Texas Instruments TMS7040.
- CFT2100 ROM – W65C02S code, with trivial scrambling. Contains about 32K of code (27C512 EPROM, half empty).
- Lots of code, lots of functionality, might be tricky to reverse-engineer.
- Analyse “cube” or “509 chip” source code