
GI/Jerrold video scrambling

:!: TODO:

  • (RF mode) Document % or dB of AM on the audio subcarrier. Will need spectrum analyser and adapters.
  • (RF, BB) Add oscilloscope waveform screenshots showing the various VBI lines, RF data, etc.
    • Effect of sync suppression scrambling
    • Effect of video inversion scrambling
    • (RF) Timing and data pulses
    • (BB) VBI lines, end of field pulse

For information on the general structure of analog video signals, see "Basics of Analog Video" by Analog Devices.

The Jerrold scrambling scheme has evolved over time, which means some scramblers only support a subset of the available modes.

  • STARPACK descramblers (e.g. the SRD outdoor descrambler, SD indoor descrambler, and SSE scrambler) only support 6dB and Clear modes (per the MVP and MVP-II manuals).
  • RF set-top descramblers (e.g. the DPV7 series) generally support the 6dB, 10dB and Clear modes. Scrambling data is sent by amplitude-modulation of the FM audio carrier.
  • Baseband set-top descramblers (e.g. the DPBB7 series and CFT series) support the 6dB, 10dB and Clear modes, and add active video inversion. Scrambling data is sent in the VBI.

To allow for both RF and Baseband set-tops to be used in the same system, both the AM and VBI data may be sent on the same video signal. This is called “Mixed” mode. In this mode, only the RF scrambling modes (sync suppression) are available.

RF scrambling is implemented by all Jerrold scramblers, and is so named because the scrambling is done by attenuating the video signal at the IF/RF stage.

Scrambling is done by attenuating the video RF signal by 0dB (passed through unmodified), 6dB or 10dB. This attenuation occurs during:

  • The sync and colour burst period of every visible line
  • The entire vertical blanking interval (lines 1 to 23 inclusive, of both fields).
    • This starts at the active-going edge of sync on line 1, and ends at the start of video on line 24.

Timing, tag and scrambling data is carried as amplitude modulation on the audio IF. As the audio is FM modulated, the amplitude modulation will have no effect on the TV receiver.

The format of the scrambling data is briefly documented in Coffell, J. "Tri-Mode Cable-TV Scrambling". Radio-Electronics Feb 1987, but this only includes a brief mention of how the service code is encoded.

The timing and data pulses may be 'sniffed' from pins inside the MVP scrambler. They're present on the blue wire (pin 7) which runs from the main PCB to the modulator can.

Timing pulses are sent by amplitude-modulation of the audio subcarrier. The timing pulses are sent around 900ns before the video sync pulse (this is around the time the RF attenuator is enabled), with a pulse width of 2.52us.

The first timing pulse is sent on line 24. The last timing pulse sent in an NTSC system is sent on line 262.

Data pulses are sent 19.3us after the leading edge of timing pulses. The pulse width is around 2.8us.

The data stream consists of 16 bits, encoded as per the Radio-Electronics article above. Expanding this further:

Field:  Start  Service  Payload
Bit:    S      0 .. 7   9 10 11 12 13 14 15 16

These bits are:

  • Start: Start bit, always '1'.
  • Service: 8-bit service code (minus one), sent least-significant bit first.
  • Payload: Payload data.

Each field carries one packet, and there are 16 packets in a loop:

N   Payload    Function
1   0000 0000  Null padding
2   0000 0000  Null padding
3   0000 0000  Null padding
4   0000 0000  Null padding
5   0000 0000  Null padding
6   0000 0000  Null padding
7   1111 0000  :?:
8   0001 LHC0  Scrambling data
9   0000 0000  Null padding
10  0000 0000  Null padding
11  0000 0000  Null padding
12  0010 LHC0  Scrambling data
13  0000 0000  Null padding
14  0100 LHC0  Scrambling data
15  1000 LHC0  Scrambling data
16  1111 1111  Latch scrambling data for next frame

The scrambling data bits function as follows. Note that only one of the L, H, C bits may be set.

  • L: 6dB sync attenuation enable
  • H: 10dB sync attenuation enable
  • C: Clear, no sync attenuation

Timing Camouflage

This is a mode of the MVP scrambler which attempts to obfuscate timing data. Its mode of operation is unknown.

:!: TODO: Investigate

Data Camouflage

This is a mode of the MVP scrambler which attempts to obfuscate scrambling data. Its mode of operation is unknown.

Baseband scrambling is an extension of RF scrambling. 0dB/6dB/10dB sync suppression scrambling modes are supported as before, but implemented at baseband instead of RF.

Support for active video inversion and audio privacy (shifted audio subcarrier) has been added, and the tag and scrambling control data has been moved to VBI line 18. The scrambling mode can change as often as every 16 video fields if needed.

A “mixed mode” scrambling mode is also possible. This performs scrambling at baseband, but includes both the VBI data stream and RF (amplitude-modulation of the audio subcarrier) data. In mixed mode, only sync-suppression scrambling is available (not audio privacy or video inversion).

Video is scrambled from line 24 to 262 (inclusive) on both fields.

In Baseband and Mixed (not RF-only) modes, the last scrambled line of the field (line 262) includes an “end of field” burst in the same format as VBI line 13 (see below).

Video inversion

Scrambled video lines include a special sync burst which contains an average video level reference. The AVL reference has the following characteristics:

  • Starts 1.87us from the falling edge of the sync tip.
  • Is 2.2us wide, continuing until around 4.09us into the sync tip.
  • Normal negative sync resumes until 4.7us when the sync pulse ends.

This AVL reference is used to define the level around which the video is inverted.

Sync suppression

Sync suppression attenuates the sync pulses by 0dB, 6dB or 10dB after the AVL level has been inserted. Timing is as follows:

  • Start of sync suppression: 2.44us before the sync tip falling edge.
  • End of sync suppression: 10.56us after the sync tip falling edge (5.88us after the sync tip rising edge with typical sync timing).
  • Width of sync suppression area: 13 us.

Baseband scrambling sends scrambling data using the vertical blanking interval. The following lines are used in NTSC, on both fields:

  • Line 11: colour burst is replaced with 120 IRE level colour burst.
  • Line 13: 16 cycles of 120 IRE level colour burst (around 4.4us), ending approx. 480ns before the sync tip.
  • Line 18: Data stream, see below.

Scrambling data packets are carried in the VBI on line 18 of both fields.

These lines are formatted as follows:

  • The colour burst is replaced with approx. 9 cycles of 120 IRE colour burst.
  • Data bits start at 3.88us from the rising edge of the sync tip (8.6us from the falling edge).
  • The average video level during the line is around 60 IRE.
  • There are 24 data bits per line.
    • Each data bit is 8 cycles of colour burst wide (approx. 2.2us).
    • A '1' bit is signalled by the presence of the 120 IRE burst.
    • A '0' bit is signalled by average video level (approx. 60 IRE)

The bit format is as follows, in the order the bits are sent:

SSSSCCCCPPPPPPPPPPPPPPPP

Where:
  SSSS: 4-bit sequence code, least-significant bit first.
  CCCC: 4-bit additive checksum of all nibbles in the block, least-significant bit first.
  PP..: 16-bit payload data.

Data lines are transmitted from sequence code 15 down to zero, in an endless loop. Both fields are used. This means that sequence number 15 is transmitted on field 1, code 14 on field 2, code 13 on field 1, and so on.

The following sequence codes are in use:

  • 4: Service code, minus one. Eight bits, transmitted least-significant bit first, right-aligned. (the first byte of the payload is all zero)
  • 2 and 1: Next scrambling mode.
  • All other sequence codes contain null packets (all zeroes).

SEQ 4: Service code

SSSS CCCC 0000 0000 PPPP PPPP

Where:
  SSSS: 4-bit sequence code, least-significant bit first. Set to 4.
  CCCC: 4-bit additive checksum of all nibbles in the block, least-significant bit first.
  00..: Unused bits, set to zero.
  PP..: 8-bit service code minus one, least-significant bit first.

The service code sent in this packet is one less than that configured on the MVP panel. This means that the MVP's service code range of 1 to 256 translates directly to a byte value of 0 to 255.

SEQ 2 and 1: Scrambling mode

SSSS CCCC P0VL L000 0000 0000

Where:
  SSSS: 4-bit sequence code, least-significant bit first.
  CCCC: 4-bit additive checksum of all nibbles in the block, least-significant bit first.
  P: Audio Privacy. 1 if enabled.
  V: Video Inversion. 1 if enabled.
  LL: Sync suppression level.
        11:  0dB
        01:  6dB
        10: 10dB
        00: Illegal
  
  00..: Unused bits, set to zero.
  PP..: 8-bit service code minus one, least-significant bit first.

Scrambling mode changes take place after two fields, i.e. when the sequence code returns to 15 at the start of a new loop.
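
Added example (not code from the original page or from hacktv): a Python codec for the 24-bit line-18 packet described above, with bits held in transmission order. The checksum rule used here (all six nibbles, read least-significant bit first, sum to 15 modulo 16) is an assumption inferred from the twelve mode packets in the Magicboxes table quoted later on this page, which are embedded as sample data; applying the same rule to the service-code packet is also an assumption, and all function names are illustrative.

```python
# Added example: line-18 packet codec. Bits are held in transmission order.
# ASSUMPTION: the checksum rule (all six nibbles sum to 15 mod 16) is inferred
# from the Magicboxes mode table on this page; the page does not state it.
SYNC = {(1, 1): "0dB", (0, 1): "6dB", (1, 0): "10dB"}  # LL bits as sent

# Mode packets copied from the Magicboxes table: hex -> (sync, inverted, privacy)
TABLE = {
    "8A18": ("0dB", 0, 0), "8838": ("0dB", 1, 0), "8298": ("0dB", 0, 1),
    "80B8": ("0dB", 1, 1), "8B08": ("6dB", 0, 0), "8928": ("6dB", 1, 0),
    "8388": ("6dB", 0, 1), "81A8": ("6dB", 1, 1), "8610": ("10dB", 0, 0),
    "8430": ("10dB", 1, 0), "8A90": ("10dB", 0, 1), "88B0": ("10dB", 1, 1),
}

def lsb_bits(value, width=4):
    return [(value >> i) & 1 for i in range(width)]

def nibbles(bits):
    """Six nibble values, each read least-significant bit first."""
    return [sum(b << i for i, b in enumerate(bits[n:n + 4])) for n in range(0, 24, 4)]

def hex_to_bits(text):
    """Table hex is written in send order; pad the 16 listed bits to 24."""
    bits = [int(c) for digit in text for c in format(int(digit, 16), "04b")]
    return bits + [0] * (24 - len(bits))

def encode(seq, payload):
    """seq nibble + checksum nibble + 16 payload bits (already in send order)."""
    total = sum(nibbles(lsb_bits(seq) + [0] * 4 + payload))
    return lsb_bits(seq) + lsb_bits((15 - total) % 16) + payload

def mode_packet(seq, sync, inverted, privacy):
    ll = next(k for k, v in SYNC.items() if v == sync)
    return encode(seq, [privacy, 0, inverted, *ll] + [0] * 11)

def service_packet(code):
    return encode(4, [0] * 8 + lsb_bits(code - 1, 8))  # panel value 1..256

def decode(bits):
    seq = nibbles(bits)[0]
    pkt = {"seq": seq, "checksum_ok": sum(nibbles(bits)) % 16 == 15}
    if seq == 4:
        pkt["service_code"] = sum(b << i for i, b in enumerate(bits[16:24])) + 1
    elif seq in (1, 2):
        privacy, _, inverted, l1, l2 = bits[8:13]
        pkt.update(sync=SYNC.get((l1, l2), "illegal"),
                   inverted=inverted, privacy=privacy)
    return pkt
```

Every row of the table decodes with a passing checksum under this rule, and re-encoding the decoded fields with sequence code 1 reproduces the listed hex, which cross-checks the two descriptions of the mode packet against each other.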

The initial information used to decipher the line-18 coding came from Magicboxes, via Dave2. This had some errors and omissions, but the basics were all there.

Other parts were filled in by reading the MVP-II and MVP scrambler manuals, and by watching the output of an MVP scrambler on an oscilloscope while changing the settings.

This is included for completeness only. It has several errors (notably the data length being shown as 16 bits instead of 24, and the lack of any information on the channel code data). However, the scope traces fill in some gaps in the explanation above.

Original source: Magicboxes, via Dave2.

The GI/Jerrold systems use sync suppression at 3 attenuation levels (0, 6, and 10dB), video inversion, and audio encoding. One of the last posts from MagicBoxes concluded that all this information was transmitted during the first field on line 18. The difficult part here is that the information on line 18 could also be used for other purposes besides scrambling mode (such as authorization codes). Therefore the correct data packet must be interpreted. From MagicBoxes (a little cleaned up):

Well, here for the first time ever is a short summary of how GI protects their entire analog line:

  1. The data determining invert, sync supp. level, audio privacy is totally located on HL 18
  2. The data is in the form of a start bit followed by CRC, then the scrambling level.
  3. The bits are 2.2uS wide
    • note: this is around 8 cycles of NTSC colour burst
  4. Only packets with a start bit should be processed.
  5. Valid packets appear on every second field, packets without a start bit are random junk.
  6. Only packets with a valid CRC are to be considered a mode change packet.
  7. A mode change only OCCURS after 2 fields.
  8. The packet data is encoded on Line 18 with 3.58MHz bursts (2.2uS wide)

If a mode change packet below is received then mode is changed in 2 fields

:!: Caution: the Mode Packet is represented as if the data were sent most-significant bit first. The Jerrold convention is actually to send the least-significant bit first.

Sync Supp. Level  Inverted Video  Audio Privacy  Mode Packet
0db (clear)       No              No             8A18
0db (clear)       Yes             No             8838
0db (clear)       No              Yes            8298
0db (clear)       Yes             Yes            80B8
6db               No              No             8B08
6db               Yes             No             8928
6db               No              Yes            8388
6db               Yes             Yes            81A8
10db              No              No             8610
10db              Yes             No             8430
10db              No              Yes            8A90
10db              Yes             Yes            88B0

The mode change packet includes the start bit.

The packet disassembled:

[start bit] 0 0 0 [CRC - 4 bits] [audio privacy] 0 [invert bit] [6db bit] [10db bit]
  • If [audio privacy] = 1 then audio privacy is being used
  • If [invert bit] = 1 then video will be inverted
Level    6db  10db
0db      1    1
6db      0    1
10db     1    0
Illegal  0    0

Above is the entire scrambling data which can be used to descramble any GI analog system. Notice that the data is NOT encrypted. This data stream (as the authorization stream) are both unencrypted.

From Dave2.

Audio (from me Dave2) is usually simply encoded onto a higher carrier frequency than is normally expected by a receiver. On my system (CFT 2014) it is 31.5kHz higher, on others CFT 550 (from jpb) it is 25kHz. Because the audio is still completely intact, it can't be called scrambling, it is simply modulated at a different frequency. This technique is widely known as SCA or SCS. It is the same manner in which Second Audio Program (SAP) on televisions and stereo FM primarily work. To retrieve the audio, all that needs to be done is to take the audio signal from the FM detector of an IF chip, prior to the de-emphasis circuit, and do an FM detect at the sub-carrier frequency. A simple PLL circuit using an MC14046B or LM/NE565 tuned to the sub-carrier frequency has been shown to work adequately.

Another method I've heard rumors of is identical but is used for stereo encoding. The audio is apparently FM modulated to 250kHz. I've seen US patent information on this one (US 4956862) but haven't had any confirmations yet.
  • Last modified: 2023/05/14 23:03
  • by philpem