View Full Version : How to hack your XM radio
Let me be the first one to post here.
For XM Radio you need a DishNet (or BEV) receiver, one that has a JTAG port, and a JTAG programmer. You basically clone XM Radios, or subscribe to XM radio, then install a TSOP lock, then cancel service; since your TSOP is locked you are keeping the service. If you have a friend with a subscription who will let you massacre his XM radio a bit, you remove its TSOP, put it into an Echostar (DishNet or BEV) receiver, use a JTAG to read it and save it, put a blank TSOP in the receiver, clone the read BIN onto it, then put it into the new XM radio. Simple shit. The How To is here:
http://www.dssftp.com/filedownload/download/xm-hack.zip
mili
zutoo
05-29-2003, 08:40 AM
Sounds great! Any idea where I can get the equipment and blank cards?
JTAGs are for sale on my order page, and what blank cards?
If you meant TSOP chips, look on www.digikey.com
mili
zutoo
05-29-2003, 07:45 PM
Perfect! Yes, I was talking about the TSOP chip (I thought it was card!) This is very new to me. I didn't even know it was possible to hack XM. Once I gather everything I need I'll post my results. Thanks again Mili!
airzimzerker
05-30-2003, 09:04 PM
Is there a TSOP file for this anywhere? Would anyone sell one? Just trying to skip the subscription part of this.
crackbaby
06-01-2003, 09:21 PM
From what I have read, only the Sony Plug N Play's have the TSOP style chip. I took apart a Pioneer XM and there's no TSOP to be found. I'm sure they stuck it in some other kind of eprom just to prevent an easy way to clone it. If anyone else can add to this feel free.
crackbaby
06-06-2003, 12:44 AM
jkeys, just like reading/writing the dishnet TSOP only you'll be doing the XM TSOP.
If any one of you could email me a TSOP dump of a valid XM sub I'd appreciate it. I will keep it confidential and for my own use only.
mili
m5runner
10-14-2003, 08:47 PM
LOL...you guys make me laugh. The hack sounds somewhat feasible but shit, let's be honest. Let's say you sub to XM radio just like you do to Dave and you stop paying... don't you think your dump will be disabled? Best thing to do is get a dump from someone who is paying and then you can talk about "attempting to hack this shit".
falconhack, I don't mean to be rude, but don't be a part of the problem... be a part of the solution. If these guys don't know what they are doing, tell us why it won't work and your opinion. Nobody here is gonna get a Nobel prize for this shit but it would be cool to get free music, don't you think?
borg1
10-30-2003, 01:05 PM
Best I understand, activation is a stream of packets directed at one receiver ID# that, because of the limited bandwidth XM has to work with on top of 100 channels, only lasts 36 hours.
If you did not have a subscription and had already cloned the IRDs, you call, activate, and both your reported IRD# and your clones would be activated.
If you already have service, and then clone an additional unit, you must lapse service for some period (probably at least 30 days) in order to get the activation signal sent back down, which would activate both units.
This coincides with the facts I have on activating one unit, and is the theory I shall work with if successful in cloning another unit.
minghia
01-18-2004, 10:23 PM
I agree, if there is a reputable person who needs funding to do research on XM testing, I think we need to set up a paypal fund or whatnot. Possibly even set up a strictly XM radio testing site where everyone can come forward and share ideas/findings just like the dss/xbox scene has.
I believe this is the only way to get somewhere with XM testing. Let me know your thoughts.
borg1
01-19-2004, 05:56 AM
OK, All reputable hackers take one step forward.
minghia
01-19-2004, 07:18 AM
borg1, step down
sonofaglitch
02-02-2004, 11:38 AM
Well I think any real (Hacker) will tell you its just Zeros and Ones....
Any information on the chips used will lead us to the answers.....
borg1
02-02-2004, 11:54 AM
arcane1 has already provided this....
http://img.cmpnet.com/eet/news/03/july/UTH1278.gif
tigersat
02-03-2004, 02:00 AM
OK, it is easy: just clone the TSOP and EPROM from the subbed receiver to the clone receiver and you are ready to go.
minghia
02-03-2004, 02:47 AM
tigersat, right....
borg1
02-04-2004, 04:04 AM
The ST19 family features high density EEPROM with flash programming, security firewalls and a MAP (Modular Arithmetic Processor) for public key cryptography using up to 2176 bit keys, supported by crypto-library firmware in the system ROM.
* From 32 KBytes of User ROM with partitioning
* Up to 2 KBytes of RAM
* Up to 64 KBytes of EEPROM with partitioning
* An 8 bit timer and unpredictable number generator
* 512 bit and 1088 bit cryptographic processor for public key algorithms
* User defined ASIC block
* An ISSUER mode for efficient card testing, before delivery in USER mode
* 3 or 5V operation, with standby mode for power saving
* Static electricity protection greater than 5000V
* Sub-micron technology from 0.6 µm, with migration to 0.35 µm
The ST19 family includes contact/less products that operate using either contact ISO7816 or contactless ISO14443 interfaces. In contactless mode the products use the new ISO14443-2 Type B RF interface that supports continuous MCU operation and thus supports high security features.
Anti-Intrusion Security Features:
Very High Level including Voltage And Clock Frequency Sensors
Yeah, walk in the park.
minghia
02-04-2004, 08:01 AM
Point being?
borg1
02-07-2004, 02:44 PM
Point being, if you just unsolder this chip and plop it in your programmer, as soon as you hit 'read' you will get a communications error.
More than likely the only way to address the chip is in Issuer mode.
The first thing this chip will ask for is authentication.
Since the programmer software will not understand this request, it will produce a communications error.
Let's say you acquire the proper STMicro interface and try again.
You will have to provide the correct authentication to force the chip into Issuer mode. If we are only talking 8 bit encryption, this is 16.7 million possible responses. Although a smartcard application designer will not typically use ALL security features available on a card family, it is a fair bet he picked a secure method to lock the card into User mode.
It appears more likely that a breakthrough on this chipset will come from an employee of XM who gets either greedy or pissed.
dssdude
02-13-2004, 10:36 AM
Hack as been posted in XM files section. Should be listed by tomorrow.
Been browsing posts here for a while - thought I'd lend a hand - this is a great place.
-dssdude :cool:
minghia
02-13-2004, 07:18 PM
What does this hack involve and how was it developed?
dssdude
02-13-2004, 09:55 PM
pisko was on the right track. It is a standard 8 pin 8 KB serial EEPROM chip. NOT the TSOP. I repeat - DO NOT touch the TSOP unless you are attempting something like the NOZKT mod for XM (yes, it can be done).
You can use an I2C interface OR a chip programmer using the Atmel 24C64 algorithm. You can read more when mili gets around to posting it.
- dssdude
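As an added example (not code from this thread, nor from any XM or programmer tool): a byte-level model of the "random read" transaction a programmer issues to a 24C64-class serial EEPROM over I2C (dummy write of the 16-bit word address, repeated START, then read with the internal counter wrapping at the end of the 8 KB array), a whole-chip dump built from those reads, and a diff of two dumps to find the bytes that differ between units. The device address 0x50, the 32-byte chunk size, and both chip images are constructed for the demo; nothing here describes the real layout of a receiver's EEPROM.

```python
"""Added example: 24C64 I2C random read, full dump, and dump diff.

All chip contents below are constructed sample data.
"""

DEV_ADDR = 0x50          # 1010 A2 A1 A0 with A2..A0 strapped low (assumed)
EEPROM_SIZE = 8 * 1024   # 24C64: 64 Kbit = 8 KiB, 16-bit word address
PAGE = 32                # 24C64 page size; used here as the read chunk


class I2CEeprom:
    """Slave state machine: consumes bus events, answers ACK/NACK and data."""

    def __init__(self, image: bytes, dev_addr: int = DEV_ADDR):
        assert len(image) == EEPROM_SIZE
        self.mem = bytearray(image)
        self.dev_addr = dev_addr
        self.selected = None     # None, "w" or "r" once addressed
        self.addr_buf = []       # word-address bytes received so far
        self.ptr = 0             # internal address counter, wraps at 8 KiB

    def start(self):             # START or repeated START
        self.selected, self.addr_buf = None, []

    def stop(self):
        self.selected = None

    def write(self, byte: int) -> bool:
        """Master drives one byte; returns True for ACK, False for NACK."""
        if self.selected is None:                  # first byte after START
            if byte >> 1 != self.dev_addr:
                return False                       # not us: no ACK
            self.selected = "r" if byte & 1 else "w"
            return True
        if self.selected != "w":
            return False
        self.addr_buf.append(byte)
        if len(self.addr_buf) == 2:                # word address, MSB first
            self.ptr = ((self.addr_buf[0] << 8) | self.addr_buf[1]) % EEPROM_SIZE
        # further bytes would be a page write; this model is read-only
        return True

    def read(self) -> int:
        assert self.selected == "r", "read without R/W=1 address byte"
        b = self.mem[self.ptr]
        self.ptr = (self.ptr + 1) % EEPROM_SIZE
        return b


def random_read(chip: I2CEeprom, word_addr: int, n: int) -> bytes:
    """Datasheet 'random read': 0xA0, addr hi, addr lo, repeated START, 0xA1, data."""
    chip.start()
    if not chip.write(chip.dev_addr << 1):          # 0xA0 = address + write
        raise IOError("no ACK from device address")
    chip.write((word_addr >> 8) & 0xFF)
    chip.write(word_addr & 0xFF)
    chip.start()                                    # repeated START
    chip.write((chip.dev_addr << 1) | 1)            # 0xA1 = address + read
    out = bytes(chip.read() for _ in range(n))
    chip.stop()
    return out


def dump(chip: I2CEeprom) -> bytes:
    """Whole-chip dump as a chip programmer would take it, PAGE bytes per read."""
    return b"".join(random_read(chip, off, PAGE) for off in range(0, EEPROM_SIZE, PAGE))


def diff_ranges(a: bytes, b: bytes):
    """Offsets where two dumps differ, merged into [start, end) ranges."""
    ranges = []
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if ranges and ranges[-1][1] == i:
                ranges[-1][1] = i + 1
            else:
                ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]


def _image(tag: bytes) -> bytes:
    """Constructed chip image: a counting pattern with a hypothetical 8-byte
    field at 0x10 and a hypothetical second copy of its tail at 0x1F00."""
    img = bytearray(range(256)) * (EEPROM_SIZE // 256)
    img[0x10:0x10 + len(tag)] = tag
    img[0x1F00:0x1F04] = tag[4:]
    return bytes(img)


UNIT_A = _image(b"SAMPLE01")
UNIT_B = _image(b"SAMPLE02")

if __name__ == "__main__":
    d_a, d_b = dump(I2CEeprom(UNIT_A)), dump(I2CEeprom(UNIT_B))
    print([(hex(s), hex(e)) for s, e in diff_ranges(d_a, d_b)])
```

Diffing two units that differ in only one identifier is how you find where such a field lives and whether it is stored more than once; note that a one-character change shows up as a single differing byte, so it is easy to miss a second copy if you only look at the first hit.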
minghia
02-13-2004, 10:43 PM
dssdude, i would like to be the first to thank you for sharing the documentation. I've done tons of no-zkt on directv RCAs, and I'm anxious to see how all this comes together for XM.
Any more action boards you can share with me via pm for active discussion?
minghia
02-14-2004, 01:23 AM
Let me get this straight: if we subscribe, clone the receiver by dumping the eeprom bin & modify the bin with new RID & Serial, then proceed to cancel subscription. How does subscription come into the overall picture?
Where and how does subscription work. Can blocker code be made to keep subscription alive after cancellation?
Basically, is the assumption that XM streams all subscribed RIDs in the stream valid?
dssdude
02-14-2004, 02:02 AM
I spoke too soon. It seems as though the RID # is stored in two or more places. One in plain text on the serial eeprom chip and another one elsewhere. It may be encrypted on the serial eeprom or stored in another memory location.
I'll post more information as it comes...
Sorry for the confusion.
Smith2619
02-17-2004, 03:10 AM
Ok guys, heads up on myself; I've been hacking DirecTv satellite boxes for the last 4 years. Now about the XM Radio, obviously it's a receiver, and in no way can it send info back out. Now I would like to know where to get a Sony portable receiver that has a tsop in it. I figure, once we can understand just how the tsop/eeprom model works, the rest of the picture would be obviously simple. I would also like to request that y'all become an active part in this project, and I'm willing to do most of the work, and it would also be nice to get paypal donations to pay for tools and whatnot. If you have questions, comments, or anything, please feel free to email me at John2619@optonline.net. Thank you.
minghia
02-17-2004, 08:44 AM
Smith2619, I'm sure a few of us would be willing to contribute a few bucks for this cause. Problem is, you haven't shown us anything yet and we don't even know who you are. Although your interest is appreciated, our money is hard-earned.
dssdude has been playing around and spending a lot of time, just as many others in here. If you would like to help, then your contributions will be widely accepted and appreciated. I don't have a Sony receiver myself but I'm sure ebay has many up for sale.
dssdude
02-17-2004, 10:02 AM
donations are great... however, all the money in the world is useless without the technical knowledge & device resources to back up a project like this...
Smith2619: What kind of programming skills do you have?
I've compiled a small library of info & chip dumps for the XM01 receivers and am willing to share some of it if you'd like to learn.
This is a very difficult task, at the least. It seems the most unobtrusive way to reprogram the XM01 is through its USB port. The Sony firmware on the 29LV400BC tsop appears to have several different "hidden menus" including an RS232 interface. My guess is that reprogramming can be done through secret codes on the unit, possibly by holding down the 2 & Roller Dial buttons while the unit is off. A diagnostics menu can be found by holding the 5 & Roller Dial buttons down.
While scanning through the firmware program I noticed several different strings proving the fact that in-unit programming is possible... but may require access to a factory issued code - similar to the security code feature on car stereos.
The USB port on these units is actually a USB->RS232 conversion circuit, which leads me to believe that you should be able to do several types of I/O with a standard serial port JTAG if you bypassed the USB circuit and connected directly to the IO pins... that is just a guess though.
nonetheless, it will be possible eventually... will post more info as it comes.
Smith2619
02-17-2004, 03:50 PM
Well, I can take any chip out, and be able to read/write it with the equipment I have, but as far as security blocks, I'm not sure what to do about that. I know the guy that built the nozkt mods for the RCA/Philips boxes, and I asked him if he could help with the dissection part of the firmware, but he doesn't know the first thing about XM Radio and how their signals work. If anyone could elaborate, that would be great. And dssdude, as far as taking apart the eeprom, what do you use to view what's on it?
dssdude
02-18-2004, 06:14 AM
I have posted several XM files; the target chip to get into is the ST19AF08. This is the same processor that was approved by VISA for financial transactions in the form of the ST19SF08, which is obviously a very secure chip. If someone could hack into this chip, what would stop them from doing the same to the VISA smart card? Sounds like a can of worms to me.
This chip is ISO-7816 compatible (via 4 pins - CLK, Vcc, GND, IO) which means it can be interfaced with a standard ISO programmer/Unlooper... and may also be vulnerable to "glitching" ....
There are 8K of user eeprom on chip. If you could read/write this information you could then modify your subscription tiers & subscriber number.
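When an ISO 7816 part is wired to a programmer, the first thing it returns on the I/O line after reset is the Answer To Reset, and decoding it tells you the bit-rate settings and the protocols (T=0/T=1) the chip will talk before any authentication is attempted. The parser below is an added example, not code from this thread or from any smartcard tool; the Fi/Di tables and the TCK rule are those of ISO 7816-3. SAMPLE_ATR is constructed for the demo and is not the ATR of the ST19AF08 or of any XM receiver.

```python
"""Added example: ISO 7816-3 Answer To Reset parser.

SAMPLE_ATR at the bottom is constructed test data, not a real device ATR.
"""

# Fi (clock rate conversion) and Di (baud rate adjustment) tables, indexed by
# the high and low nibble of TA1; missing keys are reserved values.
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}


def parse_atr(atr: bytes) -> dict:
    """Decode TS, T0, the TA/TB/TC/TD chain, historical bytes and TCK."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad or missing TS byte")
    out = {"convention": "direct" if atr[0] == 0x3B else "inverse",
           "interface": {}, "protocols": [], "historical": b"", "tck_ok": None}
    t0 = atr[1]
    y, k, i, pos = t0 >> 4, t0 & 0x0F, 1, 2
    # The Y nibble of T0 (then of each TDi) says which of TAi..TDi follow.
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated before {name}{i}")
                out["interface"][f"{name}{i}"] = atr[pos]
                pos += 1
        td = out["interface"].get(f"TD{i}")
        if td is None:
            break
        out["protocols"].append(td & 0x0F)   # low nibble: protocol offered
        y, i = td >> 4, i + 1
    if not out["protocols"]:
        out["protocols"] = [0]               # no TD1 at all: T=0 implied
    out["historical"] = atr[pos:pos + k]
    pos += k
    # TCK is present only when a protocol other than T=0 is offered; it is the
    # XOR of every byte from T0 through the last historical byte inclusive.
    if any(p != 0 for p in out["protocols"]):
        if pos >= len(atr):
            raise ValueError("TCK missing")
        xor = 0
        for b in atr[1:pos]:
            xor ^= b
        out["tck_ok"] = (xor == atr[pos])
        pos += 1
    if pos != len(atr):
        raise ValueError(f"{len(atr) - pos} trailing byte(s) after ATR")
    return out


def baud_from_ta1(ta1: int, clock_hz: float) -> float:
    """Bit rate = clock / (Fi/Di). Without TA1 the default is Fi=372, Di=1,
    i.e. 9600 bit/s at the usual 3.5712 MHz reader clock."""
    return clock_hz * DI[ta1 & 0x0F] / FI[ta1 >> 4]


# Constructed ATR: direct convention; T0=0x93 -> TA1 and TD1 present, 3
# historical bytes; TA1=0x11; TD1=0x80 -> TD2 present, T=0; TD2=0x01 -> T=1
# offered, so a TCK byte closes the ATR.
SAMPLE_ATR = bytes.fromhex("3B 93 11 80 01 41 42 43 43")

if __name__ == "__main__":
    info = parse_atr(SAMPLE_ATR)
    print(info)
    print("bit rate at 3.5712 MHz:", round(baud_from_ta1(info["interface"]["TA1"], 3.5712e6)))
```

If the TCK check fails on a real capture, suspect the reader's clock or sampling before suspecting the chip; a consistently wrong TCK is also what a glitched reset looks like, which is worth knowing before attributing it to anything else.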
Smith2619
02-18-2004, 06:18 AM
Don't you think if we can get an eeprom model only or whatever, I'm not sure of what they have out there, and feel free to correct me, but wouldn't it be easier? And does XM have access cards?
dssdude
02-18-2004, 06:24 AM
What do you mean by eeprom model?
XM has their access card built into the onboard ST19AF08 chip...
Smith2619
02-18-2004, 06:28 AM
Sorry but I'm new to XM. So the access card is built into the ST processor?
minghia
02-18-2004, 06:39 AM
dssdude, what kind of info is being stored in the ST19AF08?
I don't think we can glitch because doing a quick search on the internet, some of the ST19 security features include: "Very High Level including Voltage And Clock Frequency Sensors"
Is there any way we can trick it into dumping its rom? You mentioned a hidden debug mode, can that be of any use?
Smith2619
02-18-2004, 06:41 AM
This board is annoying, lol, anyone have AIM or something to have a group chat with, It would seem much better...
dssdude
02-18-2004, 06:50 AM
The information stored on the ST19AF08 is similar to the data stored on an HU card... it has 8KB of eeprom and a software version of an ASIC in ROM which controls data IO through the ISO7816 interface... here are the memory specs:
32 KBYTES OF USER ROM WITH PARTITIONING
SYSTEM ROM FOR LIBRARIES
960 BYTES OF USER RAM WITH PARTITIONING
8 KBYTES OF USER EEPROM WITH PARTITIONING
The hidden modes would be the preferred method of entry... rather than relying on external hardware to reprogram.
Smith2619
02-18-2004, 06:52 AM
Well if you guys want, you can contact me on yahoo or AIM/AOL at Outlaw Okiniwa, and MSN on John2619@optonline.net
Smith2619 do NOT solicit donations here. First and last warning.
Also it seems to me that you are not clear on even the basics of XM radio's inner workings, so what would those donations exactly buy to help you?
mili
dssdude
02-22-2004, 06:51 AM
Ok listen..... I managed to get a service manual for the Sony XM radio... seems there is a Sony Service Tools CD used to repair these units. The service disk is loaded into the computer and the unit is accessed through the USB port on the radio. The service manual says that when the TSOP or the Eprom is replaced on the unit, the serial number and ID off the back of the unit must be entered into the service tool screen and written back to the chips, at which point when the radio is re-entered into the stream it will update the subscription information. Looks to me that what we are looking for is this Service Tools Disk. The schematic shows the Eprom as a Hitachi chip; gonna try and find the configuration as I still don't think we are reading all of it.
That sounds interesting. I would love to see a copy of the service manual, if you could scan it into a pdf. I don't imagine they'd include too much information... but probably enough to find a few leads. Could you look through the manual for any hidden menu access codes (other than 5 + Scroll Button) and post results?
Thanks
minghia
02-22-2004, 11:28 AM
I'm not too sure that the Sony Service Tools CD would be all that useful. From what you wrote, it appears that subscription is based on serial/ID being correct, therefore XM is probably sending all valid subscribed serials in their stream. The tools CD might be good to see what addresses the program is writing the serial/unit # values to on the eeprom/tsop. This is just my guess, I could be wrong.
dssdude
02-22-2004, 06:45 PM
I think the tools CD would be a great way to view the actual data being sent to the receiver during reprogramming. It is the "passive" programming method that will provide the most information - rather than trying to directly hard code the ST19AF08 (which can't be done easily). The receiver already contains all the information to reprogram itself; it's just a matter of triggering the right sequence of data.
Access to the tools CD is pretty slim, as I don't know anyone who has it or can get it... if someone has any info about it - I'd love to hear from them.
Smith2619
02-22-2004, 06:52 PM
Couldn't we just subscribe, get some access numbers and shit, work on it, then after a while cancel the subscription?
dssdude
02-22-2004, 07:14 PM
Supposedly you can write protect the TSOP. However the TSOP contains no information about the receiver subscription anyways... regardless of all those false posts you see everywhere. This would only prevent the XM radio from having its firmware updated through the stream - which probably won't happen anyways.
Updated decryption keys are sent down the stream at intervals of about 1 month from what I've heard... these keys are stored on the CAP (Conditional Access Processor) or ST19AF08, supposedly along with your RID #.
The receiver knows how to communicate with the ST19AF08 passively, this is what we need to be able to do.
So ultimately, no you cannot just subscribe and then cancel the subscription.
This may be possible with a firmware modification... you would need to be very good at assembly - disassemble the XM01 firmware using the TLCS-90/900 instruction set (look up Neo Geo disassembler) and then modify your firmware to jmp any receiver ID number lookups... The firmware contains all routines for controlling subscription information in/out flow data (everything goes through the TMP91CW12A).
This chip is your CPU and the TSOP contains it's operating system.
The operating system communicates with the ST19AF08 to use the RID # and performs all subscription update processing and then writes this information back to the ST19AF08 and then retrieves this information again... and so on... and so on... this occurs at every data stream call for that receiver ID.
The STA450 & STA400 simply decrypt & uncompress respectively, the incoming data stream. This uncompressed data is stored in 256MB of on board RAM during processing and is then buffered out through DSP and into your ears.
Smith2619
02-22-2004, 07:46 PM
I can't disassemble firmware, but if you could mod it, couldn't you make it access the system information and store it on the tsop?
dssdude
02-22-2004, 08:06 PM
I couldn't... maybe someone else would be able to... not sure.
One thing to keep in mind about flash chips is that you are not able to just program a byte or a few bytes on the fly. First of all you need to erase either the whole chip or a block of data before you can reprogram it with the information you want. Then programming can ONLY be done by the block or by the chip. So essentially, writes need to be done in blocks of 8,16,32, or 64 KB blocks...
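The point above is the one that bites people who expect to "edit" a TSOP like a file, and it is worth seeing concretely: NOR flash programming can only clear bits (1 to 0), so a patch that needs any bit set back to 1 forces an erase, and erase granularity is the sector, not the byte. The model below is an added example, not code from this thread or from any flashing tool. The 512 KB bottom-boot sector map it uses (16K, 8K, 8K, 32K, then seven 64K sectors) is the usual layout of 4 Mbit parts of the 29LV400 class and is an assumption here, as is the constructed firmware image.

```python
"""Added example: why a TSOP NOR flash patch is read / erase / reprogram.

Sector map and firmware contents are assumptions for the demo.
"""
from typing import Optional

# Assumed bottom-boot sector layout of a 4 Mbit (512 KiB) 29LV400-class part.
SECTOR_SIZES = [16 * 1024, 8 * 1024, 8 * 1024, 32 * 1024] + [64 * 1024] * 7
FLASH_SIZE = sum(SECTOR_SIZES)


class NorFlash:
    """Just enough NOR flash behaviour to reason about patching."""

    def __init__(self, image: Optional[bytes] = None):
        self.mem = bytearray(image) if image is not None else bytearray(b"\xff" * FLASH_SIZE)
        assert len(self.mem) == FLASH_SIZE
        self.sectors, off = [], 0
        for size in SECTOR_SIZES:
            self.sectors.append((off, off + size))
            off += size

    def sector_of(self, addr: int):
        for start, end in self.sectors:
            if start <= addr < end:
                return start, end
        raise IndexError(hex(addr))

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.mem[addr:addr + n])

    def program(self, addr: int, data: bytes) -> None:
        """Program = AND with current contents: bits can only go 1 -> 0."""
        for i, b in enumerate(data):
            self.mem[addr + i] &= b

    def erase_sector(self, addr: int) -> None:
        """Erase restores every bit of the whole sector to 1."""
        start, end = self.sector_of(addr)
        self.mem[start:end] = b"\xff" * (end - start)


def needs_erase(old: bytes, new: bytes) -> bool:
    """True if any byte needs a 0 -> 1 transition, which program() cannot do."""
    return any(n & ~o & 0xFF for o, n in zip(old, new))


def patch(flash: NorFlash, addr: int, data: bytes) -> int:
    """Apply a patch the way a flasher must. Returns the number of sectors
    erased: 0 if the bytes could be programmed over in place, otherwise one
    read-modify-erase-reprogram cycle per sector the patch touches."""
    old = flash.read(addr, len(data))
    if not needs_erase(old, data):
        flash.program(addr, data)
        return 0
    erased, a, end = 0, addr, addr + len(data)
    while a < end:
        s_start, s_end = flash.sector_of(a)
        saved = bytearray(flash.read(s_start, s_end - s_start))   # keep the rest
        lo, hi = max(addr, s_start), min(end, s_end)
        saved[lo - s_start:hi - s_start] = data[lo - addr:hi - addr]
        flash.erase_sector(s_start)
        flash.program(s_start, bytes(saved))
        erased += 1
        a = s_end
    return erased


def sample_firmware() -> bytes:
    """Constructed image: a deterministic byte pattern standing in for firmware."""
    return bytes(((i * 7 + 3) & 0xFF) for i in range(FLASH_SIZE))


if __name__ == "__main__":
    fw = NorFlash(sample_firmware())
    print("in place:", patch(fw, 0x1000, b"\x01"))          # 0x03 -> 0x01 clears bits only
    print("erase:   ", patch(fw, 0x1000, b"\x02"))          # 0x01 -> 0x02 needs a 1 bit back
    print("boundary:", patch(fw, 0x3FFF, b"\xff\xff"))      # spans two sectors
```

The practical consequence for a JTAG or programmer session: always take a full dump before touching anything, because the moment a patch needs an erase you are rewriting the entire sector from your saved copy, and a bad copy or a power glitch mid-reprogram leaves that whole sector blank.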
minghia
02-23-2004, 03:25 AM
Not so sure that bypassing RID checks would be all that hard. Once we disassemble (w/ NGDsi) we can pretty much figure out references made to the RID and checks against it. dssdude, what success rate do we have in dumping the tsop?
Smith2619
02-23-2004, 03:27 AM
How do you disassemble the files, any programs? If so can you send them to John2619@optonline.net? Thanks a lot, the sooner I can learn, the better..
dssdude
02-23-2004, 06:37 AM
Not so sure that bypassing RID checks would be all that hard. Once we disassemble (w/ NGDsi) we can pretty much figure out references made to the RID and checks against it. dssdude, what success rate do we have in dumping the tsop?
100%. Know any REALLY good embedded device programmers (people)?
minghia
02-23-2004, 09:44 AM
Depends on the scope of what needs to be done, and what prior knowledge they have about XM. I know some good hardware guys, and I can see if any device programmers would be interested, but not sure what needs to be done at this point. Still trying for that Sony CD.
minghia
02-24-2004, 12:06 PM
For those who are interested and don't know, the full service manual for the xm01 (including schematics) is available from sony at http://servicesales.sel.sony.com/web/index.jsp product code: 987326802
Just thought I'd post for sake of information
utOx28
03-13-2004, 06:13 PM
After reading all the posts here, I can see this is way over my head. But if an XM unit can be cloned, why cancel the subscription? Why not share it? Sub price at just under $20/mo. Find 20 people willing to share the sub. Find 20 more and cut the $$ in half. It wouldn't matter if there were a hundred willing to share, I'd be willing to fork out a buck a month.
minghia
03-13-2004, 07:39 PM
We aren't doing this simply to get "free radio".
We all can afford $10 a month.
minghia
04-08-2004, 02:18 PM
So I guess this effort has died?
dssdude
04-08-2004, 05:35 PM
No, not dead.. just on hold for now.
shopright
06-18-2004, 09:41 PM
I might be wrong... but the way I understand the service to work is that XM sends a signal to certain ID#'s for x days saying they are allowed to have service. Then when you cancel they send another code for x days saying that you have canceled. If you subscribe, allow your radio to be activated, then cancel, then turn your radio off and put it out of sat. range for the x days they are sending you the cancel signal.... would your radio function?
No, it will update when you hook up again; takes about a day and a half and it's dead.
minghia
06-19-2004, 07:20 PM
Have the files that have been posted been of any use to someone?
Matisse
07-11-2004, 09:50 AM
I can't see ruining a perfectly good XM radio if you're not sure what you're doing or if a bona fide hack isn't confirmed by quite a few testers..... on this site as well as a few others..... If you could buy them at yard sales and such for what I've bought Dave/Charlie receivers for {$5-$20}, then it would be worth it to run through a couple of them, but then again, the monthly programming is so cheap, $10..... it's almost not worth it??... and whoever said it is right, "we can all afford $10 per month"... lol
Smith2619
09-23-2004, 06:32 AM
OK, well, can't we insert some device and log what goes on?
EDIT: also, does anyone have a spare laying around or a broken one that they could send me to analyze? I'm not too certain how XM works... and for all you people who think the 10 bucks isn't worth it.... it really isn't about the money... it's about the experience, and the pride you get when you finish your work and listen to it, and you're like.... damn.... I did that... well, along with the help of others, but we all contribute in some way.
Smith2619
09-23-2004, 11:01 PM
Oh hmm...would there be anyway to monitor the information live ?
Morpheux
10-19-2004, 06:57 AM
So this guy is subbing, paying for 6 months (US$60.00) and keeping the rest for himself, so 6 months from now, when he has installed 100 system and has saved about 50,000.00 Canadian dollars, your radios will stop working and you'll never see him again.
tensai
10-29-2004, 06:37 AM
I've got the exact same situation as rangestarr; unplugged while still active and allowed the service to expire. This was spring of 02. Plugged back in fall of 03, and has been up and running for a year.
tvobsessed
10-29-2004, 06:55 AM
Did anyone look into hacks for Sirius satellite radio? I've been getting free Dish Net for the past 5 years. I have Sirius with Charlie, but too bad it's not portable or car ready unless you want to get one of the mobile dishes and throw it on the roof of your car :-P. Did anyone look into the portable Sirius systems? http://www.sirius.com/servlet/ContentServer?pagename=Sirius/CachedPage&c=Page&cid=1065475754231 one of these systems is bound to be hackable :-)
planar52
11-01-2004, 03:28 AM
Question? Is there anyone you can send a Pioneer GEX 910 to and get it fixed to receive xm free?
rafter94
11-04-2004, 05:05 AM
We aren't doing this simply to get "free radio".
We all can afford $10 a month.
It's not the $10.00, it's the fun of hacking some system!!!!
spitfire
11-09-2004, 05:20 PM
I think there is some confusion here. Here is some info I got from somewhere else: the thing about removing the TSOP is for cloning the unit, so you pay for one and have ten. There is also some info on a lock for the TSOP and EEPROM.
csalmon
11-23-2004, 12:58 PM
Can anyone verify that this method would work or not? I saw this same file circulating a year ago, but have yet to hear of anyone that has successfully completed it and get two cloned receivers that work on one sub.
minghia
11-23-2004, 01:27 PM
Don't waste your time, it was proven long ago not to work.
acvegas
01-31-2005, 09:42 AM
Your Link shown below is broken; not responding - please correct or update.
Thanks
http://www.dssftp.com/filedownload/download/xm-hack.zip
mili
acvegas
01-31-2005, 09:52 AM
Another "Dead Link" - your file attachment......please correct or update your link.
Thanks
I think there is some confusion here. Here is some info I got from somewhere else: the thing about removing the TSOP is for cloning the unit, so you pay for one and have ten. There is also some info on a lock for the TSOP and EEPROM.
acvegas
01-31-2005, 10:19 AM
:) Can someone PLEASE provide "EASY" Step-By-Step instructions (for dummies so-to-speak) on actually what Brand(s) and what Model Number(s) of XM Radio Receivers can currently be hacked into - plus Easy to follow instructions for us ALL..... no "Goobee-de-gook instructions" - that must be translated by a rocket scientist. And if anyone out there does provide or suggest ANY helpful information or suggest any helpful internet links..... please check this information out before posting them here - to make sure they are "VALID" and currently "UP-TO-DATE" for the year 2005+. This would make it EASY and a "Blessing for ALL of us here" at this Forum.
Thanks a million!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
daytona
03-12-2005, 09:12 PM
it is worth it now....with XM raising the prices and me with 5 XM radios..post the "XM Hack for Dummies"
rafter94
04-05-2005, 03:11 AM
We aren't doing this simply to get "free radio".
We all can afford $10 a month.
$10, of course... but it's not the money, it's the fun, it's a hobby, remember :) :) :)
borg1
04-05-2005, 01:58 PM
OK, Here is the:
"EASY" Step-By-Step instructions (for dummies so-to-speak) on actually what Brand(s) and what Model Number(s) of XM Radio Receivers can currently be hacked into - plus Easy to follow instructions for us ALL.....no "Goobee-de-gook instructions" - that must be translated by a rocket scientist.
1. Get your Paxil refilled.
2. Subscribe.
Actually, I just looked at the 'forwarded to my new address' price increase letter and realized that I had to respond by two days ago. I may try the one method claimed to work; when the subscription expires, put the receiver in the basement for a month and then reconnect it. Knowing the bandwidth limitations that did exist and factoring in the new programming which XM seems to think justifies another 30%, it just may work. Problem is I have to wait half a year to try it. I would not be surprised though, if when I call to cancel, I get offered another year at the old rate.
BirdieMod
04-14-2005, 06:45 PM
I noticed Walmart is closing out Delphi XM units for 60 bucks (External) and in-dash AM/FM/XM/CD units for 90 bucks.
Doobiedog
04-17-2005, 05:11 AM
Hey BirdieMod,
Long time, no talk....
What clue are you trying to give (share) about the Delphi XM units...?
Thanks
BirdieMod
04-18-2005, 06:14 PM
Been awhile Doobiedog, Good to see you.
Don't know anything special on the Delphi models, just was passing along the cheap closeout prices. May just be a Walmart closeout, but I remember in the past Walmart closing out DishNet 301 setups that still had ROM 10's so who knows.
Doobiedog
04-19-2005, 04:35 AM
Yea,
I remember that also....
Used to be able to buy Dave receivers with an "H" card at Wally World, when the "HU" was the new killer of any and all hacks....
Damn I yearn for the good ole days....
Thanks for the info. on XM....
heavymman
04-19-2005, 07:36 AM
Let me start by letting everybody know this is all my interpretation and please don't take it as factual, thanks.
I've been hunting around all day to see how I could program the TSOP of an XM receiver and install it in my car. Unfortunately I need a few things:
1. A TSOP dump of a subbed XM receiver (if anybody has one please just PM me, strictly for testing purposes on this website)
2. A "Milsop", a device that was used on Xbox TSOPs and supposedly can read/flash the XM receiver's TSOP. (Not to mention I will have to build the device because I don't think anybody sells them already assembled)
3. An actual XM receiver.
If I could get my hands on any subbed tsop dump from an xm radio I think I might be able to do it and would gladly update my progress. Please let me know if anybody has heard of a Milsop or has a subbed tsop dump. Thanks again.
-John
LoToMo
06-14-2005, 05:56 PM
how about XM radio in car? any idea to get it?
roddy
06-15-2005, 03:57 PM
Let me start by letting everybody know this is all my interpretation and please don't take it as factual, thanks.
I've been hunting around all day to see how I could program the TSOP of an XM receiver and install it in my car. Unfortunately I need a few things:
1. A TSOP dump of a subbed XM receiver (if anybody has one please just PM me, strictly for testing purposes on this website)
2. A "Milsop", a device that was used on Xbox TSOPs and supposedly can read/flash the XM receiver's TSOP. (Not to mention I will have to build the device because I don't think anybody sells them already assembled)
3. An actual XM receiver.
If I could get my hands on any subbed tsop dump from an xm radio I think I might be able to do it and would gladly update my progress. Please let me know if anybody has heard of a Milsop or has a subbed tsop dump. Thanks again.
-John
You could purchase an already assembled 'eepromer', or a cheaper version, I think around 40 bucks, a 'Willem eeprom programmer' and some SMT to DIP conversion boards or a ZIF socket.
I highly doubt anybody will give you their subbed info unless of course you are a trusted friend.. isn't that like 'bin begging'!?! For the sake of testing a sub is only 10 bucks a month.
roddy
mongoose123
07-03-2005, 01:17 AM
so no 1 can make exact duplicates of xm radios so we can sub one and clone it and get a bunch for free???????????????
mongoose123
07-03-2005, 01:19 AM
if a sirius or xm radio unit can be cloned can i get the step by step guide and hardware needed information???
vmod32
07-03-2005, 05:08 AM
As far as I know there is no xm hack, You can not simply copy the TSOP.
Barlow
07-10-2005, 08:08 PM
A little tidbit of information I just learned. It may or may not be of any benefit. I canceled my XM sub a few weeks ago. I've had it in the house all this time, powered up and playing. My sub was deactivated only after powering down the receiver (original Roady). Once I moved it to the automobile, and powered it back up, I was only able to get the preview or free channel. I am wondering if the cancellation signal only takes effect once the receiver is powered down.
daytona
07-10-2005, 10:19 PM
It's funny you say that. Because I shut my XM down on a truck that I rarely use. And had the truck out the other day, 3 months after I deactivated it and it is still playing strong.
echo6566
07-16-2005, 03:37 AM
Let me be the first one to post here.
For XM Radio you need a DishNet (or BEV) receiver, one that has a JTAG port and a JTAG programmer. You basically clone XM Radios or subscribe to XM radio, then install a TSOP lock then cancel service and since your TSOP is locked you are keeping the service. If you have a friend with a subscription who will let you massacre his XM radio a bit you remove its TSOP, put it into an Echostar (DishNet or BEV) receiver and use a JTAG to read then save it, put a blank TSOP in the receiver and clone the read BIN onto it then put it into the new XM radio. Simple shit. The How To is here:
http://www.dssftp.com/filedownload/download/xm-hack.zip
mili
looking for the software can you help me
roddy
07-16-2005, 04:04 AM
keep readin..
ep32g79
08-19-2005, 11:34 AM
heavymman PM me, I'll be willing to work with you.
stickerbush
08-29-2005, 11:14 AM
Sorry if I missed it, but can this be done in the same manner for Sirius sat radio? Any input would be appreciated.
xmtrig
10-24-2005, 06:04 AM
Let’s get this going again, unless it’s been solved already. Let me know.
Here are my findings so far:
- XM radios get an activation signal, which allows the radio to output audio.
- XM radios get a deactivation signal, which stops the radio from outputting audio.
- Activation/deactivation signals are sent over the air and contain the radio's unique ID code.
Here are a few thoughts:
- Change the ID in a radio to one that will never be used during an active period and it will not deactivate?
- Lock the radio in “active” mode, by disabling deactivation firmware, and it will never deactivate?
Anybody know how to:
- Change the radio’s ID?
- Lock the firmware in “active” mode?
- How long does the “deactivate” code get broadcast with an ID after an account lapses?
chelso
10-30-2005, 05:03 PM
Known Sirius Facts:
Activation can be done at sirius.com or by phone.
Account number is created, also user name & password.
Units have a SN # and ESN #.
To activate Sirius, the unit must be turned on, in order to receive a hit sent to activate. Takes approximately two minutes.
Virgin Sirius units come with one active audio channel, 184 Weather.
If a unit has been deactivated, it receives zero. So it becomes a step below a virgin.
Deactivation can happen with the unit out of the stream.
A virgin unit never in the stream can be deactivated.
A deactivated unit can only be reactivated by phone with CSR.
Now can someone research the activation & deactivation XM Facts?
We might as well start from the beginning, since the early myth never clarified the XM brand.
Those deactivating XM have some interesting stories, we need to find more desubbing.
Concerning a dump, a process needs to be fully determined.
xmtrig
11-02-2005, 07:23 AM
Some items on XM Sat I’ve found.
Activation:
- Happened within 10 minutes after operator activates it.
- Can occur with radio repeaters since the unit didn’t get a satellite signal at the time.
Other:
- Seems to be limited bandwidth for the digital stream of all the channels and the data for activation.
I have a .pdf of a possible solution I Googled but it’s not very detailed and talks in general terms about TSOP changes.
Here are some possible solution ideas:
- Lock the unit so the deactivation signal won’t implement. Can an IC leg or trace be cut or jumpered to accomplish this????
- Can the receiver's ID be changed to some obscure number so it never gets a deactivation signal once active????
- Can the unit be turned off near the end of an activation period, antenna removed for a period of time so the signal never makes it to the unit???? Is the deactivation signal broadcast for a short period or does it continue for a time or periods of time????
That's about all I know at this point..... anybody else have anything?
I've read about possible XM hacking in other forums before.
- Can the unit be turned off near the end of an activation period, antenna removed for a period of time so the signal never makes it to the unit???? Is the deactivation signal broadcast for a short period or does it continue for a time or periods of time????
They tried canceling subscriptions after boxing the receiver back up a week before and leaving it in the closet for a year. They hooked it back up and it worked great.
...for 10 seconds. Then it was silent.
I currently pay 14 something Canadian a month for XM in my car that I'm not in all the time...
Can someone get a working link to that step-by-step guide for cloning off of Mili??
xmtrig
11-07-2005, 09:03 AM
I am in the process of disassembling an Audiovox XM receiver.
I will post pix within a few days.
So far, it looks like XM supplies a battle hard case (metal sandwich) that covers a small PCA for the TSOP and other proprietary IC's. They don't trust Audiovox it appears.
Stay tuned.....
I don't trust them
It's a Crapy-Tire brand :P
chelso
11-08-2005, 09:50 PM
The metal tin can is good news, meaning XM doesn't want anybody to touch the TSOP.
I think all newer XM's have been tin can contained.
Maybe that's why this hack has stalled, when the Sony was uncanned.
Let us know what is involved in doing the can opening.
The TSOP needs to be dumped before and after the sub to compare the HEX code, finding the activation key & its personal info.
Then compare the files and find the sub key.
I read you can add a socket for TSOPs making it easier to solder on, then unsolder on the Dish IRD you use for copying the TSOPs. Then add sockets to XM for reprogramming purposes.
When you have the pictures you can add this into the text.
Identify the Dish & XM TSOP chip locations; the XM number was 29lv400bc.
When in place using Jkeys:
2MB tsop's start address 7FE00000 length 200000.
1MB tsop's start address 7FF00000 length 100000.
C&P condensed version:
Read & backup the tsop, then solder the tsop that you are going to use & erase.
Choose the bin that you saved from the subbed XM and program the tsop.
If it does not read, check solder connections.
Now you have a perfect copy of your XM radio.
Put that tsop in the other unit. You can verify as it will keep the same memory stations.
Now you can clone all XM's, but still have to keep the original paid for.
xmtrig
11-10-2005, 07:32 AM
...... see attached thumbs. Click to enlarge.
Umm.. I'd love to, but you need to attach thumbs.
I tried clicking on my two thumbs, but nothing happens. :(
:P
xmtrig
11-11-2005, 06:13 AM
.... here are the pix but why is this site so slow lately?
kennyl
11-29-2005, 02:12 AM
So which chip is the TSOP. Nothing looks like a TSOP from a DISH IRD.
andres2500a
12-10-2005, 09:10 AM
hey guys is it possible to do this for cars also i have sub on my new car for 3 months how can i keep my sat radio and not pay for subscription.
ducrider
12-23-2005, 01:34 AM
From the pictures of the audiovox, it would seem that if we could just find the TSOP chip it would be a simple lock method. Like the displayer 7200s. ... just grounding one of the connections in turn could prevent the unit from taking the commands from XM corp satellites
goombaman
12-24-2005, 10:32 PM
Hey guys..first time posting.
I've been running XM radio on my Dave receiver for over a month now. Simply programmed an old HU card and all the music channels come in strong. Why is no one considering this easier solution? There's lots of receivers and old HU cards to be had. Just check eBay for instance.
roddy
12-24-2005, 10:51 PM
Why is no one considering this easier solution?
The Dave ird along with the Bev, Dish and FTA ird's will all get satellite radio. The signals are FTA. The ird's however are not quite as portable as an XM radio. I believe that most people here who are interested in an XM hack would prefer the more difficult task, mainly for the personal satisfaction of that challenge.
roddy
donzx999
12-26-2005, 06:31 PM
Hello,
My friends have attempted to perform surgery on the Roady 2 and have gotten so frustrated that it's not even funny. There are several posts here that are so confusing that they are almost ready to pull their hair out.
I know the Roady 2 has the Tin Can surrounding a chip looking thing. They thought it was the TSOP but they weren't sure. Once they located that chip, they weren't sure exactly what to do next. Not even sure if they have the right equipment to read the TSOP. They have the J Tag, and several bootloaders such as the Mikkubo, Majic C, and the latest is the Nexus Iso. I think all do the Rom 3, and Rom 10, but not sure how they would relate to using it for XM.
1.Has anyone done a Roady 2 successfully yet?
2.If so can anyone offer suggestions on the step by step instructions for it.
3. Is there a portable car unit that someone has successfully done and if so what type and model number?.
4. Would anyone please offer any information so that I may pass it along before they lose faith and give up.
kls3516
12-31-2005, 05:13 PM
Hi,
I also have XM from a Dave receiver and an HU card. Used a 3M from last year. Works great. Thanks to all.
donzx999
01-13-2006, 02:40 AM
Ok has anyone gotten any real answers at all as to cloning or hacking either XM or Sirius portable units for the car. I'm not interested in the home system unless it can be utilized in the car as well. I have asked for assistance and did receive a few responses but I did not receive any response at all from the people that claim they have had success and that theirs work. I have even sent them a PM and still didn't receive a response back. To everyone that did respond, I really do appreciate it, but it is still a mystery to me if XM or Sirius can actually be hacked or cloned or if anything exists for the mobile units. It really doesn't matter to me if it is for Sirius or XM, but I thought XM (especially the Roady2) might be easier to work with. If anyone has any real answers please respond or feel free to PM me if you don't want your information posted on the site, so that I can put some type of closure on this matter one way or another.
Thanks again in advance, donzx999
donzx999
01-13-2006, 02:48 AM
And just to be clear with everyone, I do currently have a prepaid subscription that is paid for through June 06, but I'm trying to get a head start on this now.
Thanks for your time
blitzatc
01-21-2006, 07:03 PM
I'm a newbie to SatRads. I've seen some of the previous messages on hacking XM and I have a SiriusOne (SV1) that I'm trying to mod. My approach has been slightly different. I've been trying to interface with the Atmel ATMega32L microcontroller via either Serial Interface or JTAG to retrieve what's on the Flash Mem. and see if the SID# is present there. Then try to recode a new SID# and reflash.
Has anyone ever tried this approach? If so please post your results. I know there are lock and fuse bits that most likely are set preventing this. I've read about bypassing these by way of power glitching but I don't know how successful that is.
I also noticed that XM has the Atmel ATMega32L as well (see link from previous post: http://i.cmpnet.com/eet/news/03/july/UTH1278.gif).
Thanks
kelowna_pitboy
01-21-2006, 07:25 PM
you are on the right track. i would love to try but dont have the time.
donzx999
01-21-2006, 09:16 PM
We have tried several things, but we couldn't figure out exactly where we needed to put the JTAG to get a reading. We almost fried the unit and our efforts went unresolved. We began begging for help here from people that claimed they have gotten success, and that their radio is still working. Needless to say, I have to question that posting, since we heard responses from people such as yourself that were still trying things, but nothing concrete. All the people that claimed their system worked for the car never provided any proof, and I must say, I am very disappointed in the fact that if they actually did get theirs to work, they would be so selfish as to not share the information. (Even if they didn't want to go public, I asked them to PM me, and guess what, my PM box is still empty). Several people however were very helpful concerning a house unit and I do thank them for sharing. If you have any success would you please share it with us. Good luck, and God-speed !!!
GWCOOP
01-26-2006, 01:32 AM
i too would like info on doing the roady2....i have a cloned roady2 that a friend of mine had done for me so i know it can be done... i have asked my friend if he knows how the guy did it..all he saw was the guy soldered 3 wires and used a laptop..but guy wouldn't give any more details...i have googled till my eyes bleed..u can also pm me if that's the way u choose to offer any help...thx
haris2k7
03-15-2006, 05:59 PM
how would i use a dish ird to program this chip? it's completely different. it's not the pccl version??
can an expert help please??
borg1
03-16-2006, 02:13 PM
Looks like the Roady uses the ST19AF08. First step is get your hands on a datasheet (not the summary available on the net). I bet it is locked down tighter than a nun's ass.
shuffler
11-13-2006, 06:54 PM
It appears that the research on this topic has died!!
Has anyone had any success?
I am trying to verify if there is any truth that one of the legs on the eprom can be clipped to write protect it from being shut off. Has anyone heard or can verify this?
donzx999
11-15-2006, 05:55 AM
Sorry my friend. All my folks totally lost interest from lack of interest by everyone here. Nothing was ever confirmed or ruled out at all. If you come up with anything keep me posted, maybe we can try it again.
disco_y2k
06-10-2007, 12:50 PM
sirius is much much easier than xm, the clonin tsops crap with dish irds is just that! nuttin to do with it, seriously, look at the components, seen them before? hmmm easier than dish hint hint
sirius is much much easier than xm, the clonin tsops crap with dish irds is just that! nuttin to do with it, seriously, look at the components, seen them before? hmmm easier than dish hint hint
Can you please elaborate on that, thinking of getting a Siri*us portable unit and frankly $14.95 Cdn. is alot just to listen to Stern (can get my music off B*v or Charlie and burn DVDS).
Crazy1_79
06-11-2007, 08:48 AM
i am a bit curious as well but i don't know anything about it.
i am a bit curious as well but i don't know anything about it.
Back about a decade ago when our cellphones were analogue, there was a guy in town that cloned cellular units. I had an account, and an older cellphone, and he charged me $50 and I now had two phones for the price of one.
Back then the minimum charge for a basic, basic account was $15/monthly, so saved that and just moved up to the next tier with more minutes as essentially they were Free and my Wife had use of a cellphone.
These sat radios have both an ESN and Eeprom and as the other fellow that knows something said, Siriu*s is easier and my preferred choice, hope he gets back here to fill us in.
PS why do I have a very positive suspicion that the ESN is in PROM(OTP)??
maxheadroom
11-30-2007, 03:22 AM
ok.
if it is possible to add a TSOP lock to the XM/SIRIUS receiver to prevent stream deactivation, can someone who is an electronics engineer please post some photos of this done to an available model receiver???
fparkin
12-01-2007, 01:06 AM
If you call and bitch they let you have it for $60.00 a year.
drymonos
01-10-2008, 12:02 AM
Hi, can you re-post the file for the XM radio please?
disco_y2k
01-15-2008, 04:51 PM
i am sorry for using caps everyone but please, please, please read this...
THE SO CALLED XM HACK FILES THAT INVOLVE PULLING THE XM TSOP AND SOLDERING IT INTO AN IRD ARE COMPLETELY FALSE!!!!!
IN FACT XM DOESNT EVEN USE TSOPS FOR ANYTHING THAT HAS TO DO WITH THE ACTIVATION OR EVEN THE RADIO'S ID!!!!
THEY USE A FREAKIN ST19 ISO-7816-3 MCU!!!!
DOES THAT SOUND FAMILIAR?
IF YOU WANT TO KEEP KILLING YOUR TUNERS, THEN KEEP TRYING TO USE THE FILES SOMEONE POSTED AS A HOAX 10 YEARS AGO!!!
ok, sorry for the yelling, i just dont want anyone else to kill any more radios. i killed enough of em for all of us lol! but i guess thats the price ya pay to play as we all know :)
once again i will introduce you to our friend Mr. Larry Wolcott. Please read this carefully, i know i have posted this several times before. there is a lot more to playing with XM tuners than most people have the tools for, on the other hand people with time/patience/and a little experience with nagra systems can have a little fun with a certain other radio provider. :)
\/\/ \/\/ \/\/.larrywolcott.com/projects/XM01/page1.html
happy testing folks, i wish more people would take interest in this topic :(
yabro,
disco
flybyu
01-15-2008, 05:13 PM
The original thought was that the unit id was held in the tsop.
On the first Sony units they tried to copy the tsop to other units to allow validation by cloning.
I think Sony did update the original unit to a newer model shortly after its release.
There is a ST chip as stated above that is the same as your satellite access card onboard that handles granted rights.
iczer01
01-15-2008, 07:17 PM
on the other hand people with time/patience/and a little experience with nagra systems can have a little fun with a certain other radio provider. :)
disco
I would like any info on the other provider you allude to if you have any
disco_y2k
02-06-2008, 04:57 AM
hello fellow testers, another tidbit for you, XM uses a rom10 cam in a SOIC20 footprint.
disco
1994vmax4
02-10-2008, 10:46 PM
Why waste your time with XM? Sirius now owns XM. They have just launched new sats and are now streaming audio, video and internet to the newest receivers.
You want to hack something? hack sirius for sure. I have 4 legit sirius subs and a JTAG from milli. Going to go get my radio (Streamer GT) right now and take it apart. Will take pics and post if allowed. Maybe somebody could give me some direction??
dude your way off...
they do not officially own them yet and it is the other way around XM will own Sirius, actually it is a merger so neither will own the other but the main players and I mean top echelon people will be the XM people.
the main programmers and program directors will be from Sirius yes.
XM leads the way in this shit, they always have had better hardware and the up to date technology.
the guy who invented sat radio works for XM not Sirius.
they have not launched any new birds as far as I know, unless you got some kind of press release then I dont believe what you say.
to my knowledge it was going to be a few years before any new birds went up, they were going to use what they already got and thats only if the last two stages of the merger go thru.
They still have to get the go ahead from congress, the FCC and the SEC.
I swear people should be held accountable for what they say on the radio...the fuckin sirius guys all talking shit saying they are buying XM and the XM guys talking same shit just to make the others look bad.
I hate the media and the way they try to play us as fuckin idiots
eveled
02-11-2008, 04:28 AM
Can we debate the merits of Opie & Anthony over Stern too?
a) Stern put a gag order on O&A during his divorce...champion of free speech INDEED! A Fake phony hypocrite he is....
b) Stern hasn't been funny since the early 90's.
c) Stern's overpaid, overrated, and works 4 days a week while his fans are paying for 5 days. Half a billion dollars he gets while Sirius stock is hurtin.
d) Stern's ratings on terrestrial are 0.0 while O&A were second for their target demo
e) O&A make me laugh every day and that's all that really matters. And this all comes from an old Howard fanatic who finally saw him for what he really is. It stinks when your heroes fall but someone else is usually there to take over....
XM > Sirius
I cant debate you on that, I agree with you.
It is not that stern was never funny, he was, I dont have to listen to him them, and I dont have to now and I dont.
being from the south stern was never that big of a deal to any of us down here.
if not for lil jimmy, and anthony I dont think opie would be shit right now. but put them all together and I laugh on a daily basis.
My hero is Ronnie B AKA Ronnie Two Bucks, but unless you got XM you dont hear him on CBS any more.
All in all from what I have heard and more importantly remember, stern and bubba the love sponge have nothing on O & A.
Xm music sux......bad, but the boneyard is a good channel and I got cd's when I want music so who cares, as far as talk radio goes XM wins hands down.
empulse
02-11-2008, 06:39 PM
Wow Fubr.. I have a new found respect for you. I love Ronnie B. Wisest man alive. Fezzy is the queerest. Dave is the Dumbest. Earl is the blac..err laziest.
shit,,,dont forget about smoking hott Lilly. man I love to hear her.
I used to hate fez but you cant but help like him after awhile.
This is no joke I listen to that channel 90% of the week, I miss hardly any of it.
I am streaming it now :) YOUR RIGHT EARL IS A IDIOT
humanmeat
02-12-2008, 12:25 AM
shit,,,dont forget about smoking hott Lilly. man I love to hear her.
I used to hate fez but you cant but help like him after awhile.
This is no joke I listen to that channel 90% of the week, I miss hardly any of it.
I am streaming it now :) YOUR RIGHT EARL IS A IDIOT
I'm in the Whatley Posse, even got the shirt. Ronnie B is the quickest/funniest living human on the planet. I can't wait till the merger which will double the audience and maybe we can get a Comedy Pyramid started again.
Fuck the Clinton Brothers.
Bill Burr's Uninformed is a honorable second to the buddays.
pope29
02-12-2008, 01:17 AM
dude your way off...
they do not officially own them yet and it is the other way around XM will own Sirius, actually it is a merger so neither will own the other but the main players and I mean top echelon people will be the XM people.
the main programmers and program directors will be from Sirius yes.
Mel Karmazin is the CEO of Sirius now and will be the CEO of the new merged company.
Xm leads the way in this shit, they always have had better hardware and the up to date technology, .
This was once the deal but is no longer true at all
I swear people should be held acountable for what they say on the radio...the fuckin sirius guys all talking shit saying they are buying XM and the XM guys talking same shit just to make the others look bad.
I hate the media and the way they try to play us as fuckin idiots
The new company will be absorbed by Sirius not XM.
I love the Howard vs O&A argument. Stern has brought Sirius from 600,000 to over 7 million subs since he announced his move to Sat radio, less than three years. O&A managed to bring 30,000 subs to XM. O&A are hanging on for dear life, K-Rock is about to go country and they are losing affiliates weekly. You know when you say "Stern's ratings on terrestrial are 0.0 while O&A were second for their target demo" you are hurting for good things to say. Let's face it, if Stern ever went back to terrestrial radio he'd own it again straight away.
dssexpert
03-15-2008, 01:16 AM
So getting back on topic. Has anyone made any advancements on the XM hack? Seems to be the ST19AF08 is the common piece in all of the units....
SEARCHY4
03-15-2008, 09:31 AM
only finished page one but cant you take an activated account tsop and a deactivated account one and compare the two to find out what activates it.
then move from there.
sorry wanted to write this before i forget when i get to page two.
be gentle.
ROSCOE
03-15-2008, 02:24 PM
Does the XM/Sirius service get activated by sending a packet to the subscribing radio? Does that activation packet continue to be sent until the sub runs out, or is it sent for a week or so and then shut off? Does the deactivation process work the same way? Is the deactivation signal sent for several weeks, then shut off?
Could one subscribe and activate the radio, and then later when the sub runs out, just unplug the radio for about six months so it doesn't really get de-subbed?
This ain't cloning, but could one get service with this method?
1994vmax4
03-23-2008, 08:09 AM
With Sirius the activation signal can be sent any time from the web as long as you have an account. I don't think it stays in the "stream", it just gets sent out to the radio and it updates. Only takes 1 or 2 minutes, 5 tops.
PS. HOWARD ROCKS!!! He paved the way..... When the other 2 get a TV show and have porn stars riding a sybian in the studio I'll change my tune. LMAO!!!
In March 2007, Sirius announced the upcoming availability of its first video service called "Backseat TV". In August 2007, the company revealed details of the first receiver, the SVC1, which was originally offered exclusively through Chrysler OEM factory units. The service includes streaming video from three "family" television channels: Nickelodeon, Disney Channel and Cartoon Network Mobile. There will be a single screen (or a dual screen option in the Chrysler Town and Country and Dodge Grand Caravan) for back seat passengers to watch while front seat passengers have the option of simultaneously listening to any normal Sirius radio channel. The service is reported to cost an additional US$6.99 per month on top of the standard Sirius subscription price.[8][9] The MSRP of the factory installed units is US$470 and the aftermarket unit has an MSRP of US$299.99. Both were made available in the fourth quarter of 2007.
joesnuffy
03-23-2008, 02:45 PM
I have 4 sirius receivers and pay no monthly fees for any of them. The oldest one has been going now for 2 years. They are cracked. I read here a few years back there was a guy on ebay selling them so I purchased one from him to try it. If you do a search of ebay look for Demo models. I choose the older models like the orbiter thinking that since it was older it would have less checks and balances to turn it off and I have been correct.
I have found the best ones on ebay come with everything you need meaning 1. the cradle 2. the power supply 3. the antenna for either home use or car use.
I like the car kit ones since the cradle can broadcast on a particular channel; you just tune your car stereo to that channel and there is no wiring to do into the dash. The car antennas also are magnetic so they can stick on the top of any car easily.
Look at the seller's feedback, that's what I do to see if he is good at what he does. It won't say anything about fixing them. People will say things like What A Great Deal, it worked right out of the box etc.
The last one I purchased for my wife's Escalade and I got everything for like 115 bucks. Not bad for no commercials with no monthly bill.
Enjoy,
Joe
1994vmax4
03-23-2008, 04:31 PM
Wow, That's awesome!! Wonder how they don't need a sub update every year?
1994vmax4
03-23-2008, 05:36 PM
dude you're way off...
they do not officially own them yet and it is the other way around, XM will own Sirius. Actually it is a merger, so neither will own the other, but the main players, and I mean top echelon people, will be the XM people.
the main programmers and program directors will be from Sirius, yes.
XM leads (USED TO) the way in this shit; they always have had better hardware and the up-to-date technology.
the guy who invented sat radio works for XM, not Sirius.
they have not launched any new birds as far as I know, unless you got some kind of press release (I actually did, shareholders meeting minutes, as well as monthly updates), then I don't believe what you say.
to my knowledge it was going to be a few years before any new birds went up; they were going to use what they already got, and that's only if the last two stages of the merger go through.
They still have to get the go-ahead from Congress, the FCC and the SEC.
I swear people should be held accountable for what they say on the radio... the fuckin Sirius guys all talking shit saying they are buying XM and the XM guys talking the same shit just to make the others look bad.
I hate the media and the way they try to play us as fuckin idiots.
http://www.ses-sirius.com/press-releases/sirius-4-satellite-successfully-launched---new-sirius-satellite-at-orbital-position-5-east-/
Feel free to click the link and get updated on the new bird that's already up. According to my Sirius shareholders letter, another 3 new birds are going up in August of 2008. I have over 10K invested in Sirius in stocks and I don't think they would be lying to shareholders. Not only is it immoral but also illegal.
While both companies declare the deal to be a "merger of equals", Bloomberg reports Sirius has acquired XM for US$4.57 billion in stock.
Regardless of what you want to call it, Sirius does own XM. I received a letter stating that Sirius's net worth (my stocks) is about to take a shit because of a $10 billion loan that will be used to purchase XM and finance the R&D and launch of the new birds, Sirius 4 and Sirius 5 (Sirius 4 went up Nov 18th 2007), and secure Howard for the next 5 years.
As far as Sirius vs XM goes, opinions are like a**holes, everybody's got one. I'm sorry if mine differs from yours. Haven't really heard much about XM doing anything new? Sirius has the football, baseball, NASCAR, Howard, and hell even Martha! And now the Weather Network (for us Canadians); NHL will be on Sirius for the 2009 season (contract with XM ends with the 2008 season).
What's new and up and coming on XM?
joesnuffy
03-23-2008, 05:37 PM
I am going to guess that it's a clone of a sub or an actual store demo unit.
Joe
RoofleChicken
04-28-2008, 05:28 PM
Buying an activated radio for Sirius is a great plan. The only downside is that sooner or later they will kill it. I just lost two that had worked for almost 2 years over the weekend. One of them got killed at almost midnight last night. I don't know if it's a purge or what but keep this in mind. It would seem like a TSOP lock or something similar would be able to keep the kill signal from going through to an activated radio.
Wiley-X
04-29-2008, 04:17 AM
I have heard people talk about the hack. Then again, I heard people talk about a DTV hack.
Can one of you that has a hacked set open it up and take some pictures...does anything look like it has been soldered/disturbed???
RoofleChicken
04-30-2008, 08:10 AM
I doubt that anyone has a truly hacked unit. There are a lot of activated units out there though that work perfectly fine for long periods of time. Two years ago I bought 11 Sirius Starmate radios from a wholesaler who actually let me rummage through all of the ones he had to find the ones that still worked without a paying sub. He had a number of bad ones that I took apart and swapped screens and cases with non-subbed ones to fix defects in the still-subbed units. There were no differences whatsoever. I suspect, although I have no evidence to prove it, that they just are not that diligent with their kill signals when a sub expires.
That said they are apparently doing something different right now. I know several people (including me) that have lost a "free" radio in the last week.
SEARCHY4
05-04-2008, 12:39 PM
Hi,
I also have XM from a Dave receiver and an HU card. Used a 3M from last year. Works great. Thanks to all.
you gonna put that big bulky thing in your car?
let's get a dump with a known rec ID. could the rec ID be as simple as in hex? i just bought a Roady at a garage sale. haven't cracked it open yet but maybe possible JTAG points without removal of the TSOP. there's gotta be some comm to the processor. just finding it.
even with a dump i believe there's gotta be some conditional access chip, not the TSOP, that controls activation. find it, remove the write pin. hopefully lift the pin after activation and keep it from de-subbing. i think when it uploads new channels it must store them in the TSOP.
the TSOP has to just be for firmware and some channel storage (guide storage and channel favs).
who knows. who's working on the project now?
joesnuffy
05-04-2008, 03:07 PM
I lost 1 activated demo Orbiter like 2 weeks ago. It came up on the screen "push any button to take the update"; when I did I got a "call 1-888" message. I left the unit on hoping it was a cloned sub and someone might pay. Last night, 2 weeks later, it again came up with the same "push any button", that my rec had been updated, so I did, hoping the radio would start, but it didn't; it said "call 1-888" to activate. So they are turning off the prior subs for sure, at least for the Orbiter model. My advice is to leave units off unless using them. I purchased 2 more off a guy from eBay for 50 bucks; that one lasted 2 years, so hopefully by getting 2, one of them will make it 2 more years. That would be nice.
Joe
RoofleChicken
05-05-2008, 09:38 AM
They had something in their data stream starting about 10 days ago that wiped out a shitload of non-subscribed but working units. I lost two Starmates that had worked for almost 2 years.
Apparently they were pushing updates and in the process trying to kill off as many unauthorized units as they could. I suspect they were fairly successful. I have also "heard", but have absolutely no way to confirm, that the updates are now out of the stream.
I agree totally with SEARCHY4.... there has got to be a way to block the updates. It would be nice if it were as easy as bending a pin, but having looked inside these things I doubt we'll get that lucky. If we do, I have almost a dozen to play with.
SEARCHY4
05-05-2008, 12:18 PM
how about a scan. we dump the TSOP that contains the rec ID#. locate the ID and jump IDs a few digits at a time till we locate a subbed unit. that means re-flashing the unit again and again till found. once the discovery is made, a public # could be shared. or scanning and finding your own private #'s.
going to crack open the unit and throw the bad boy under my board light and look for some traces. i would rather find some JTAG points.
once that's done i think my scan plan would work.
whatcha think?
joesnuffy
05-05-2008, 05:14 PM
I think what is going on is the Starmate receiver and the Orbiter receiver both have strong FM transmitters that the FCC has declared are too strong, so possibly Sirius is killing them off. As I said before, they have hit my Orbiter receiver 2 times in the past 14 days, so it's not out of the stream yet; it is being sent when they want to.
My advice to anyone with one of these 2 types of receivers is to keep them pulled from the stream for a while. Mine got hit toward the weekend.
I am leaving my de-sub'd unit on to see if it gets hit again; if so I will let folks know.
I might take it apart, since I have 2 more coming, to see what kind of chips are in it. I know it gets hot as hell at the top, which brings me to my next point: I have one coming that someone modded, putting a fan in the top of it. It is activated, so I am hoping to get a look inside it to see what has been done to it, if anything. Maybe a lifted pin?? Or evidence of JTAGging of some sort???
Just pulled the back off mine. It has an AMIC TSOP chip A29L400UV-70 (looks like 48 pins, 24 on each side) in it, similar to all chips used in Pansat and Echostar receivers and others. This chip should be able to be removed, then placed in an Echo rec, then read the flash. I suspect that is where the rec number/activation is contained. I think that pin 12 normally allows or disallows re-writing; it might be possible to lift it to stop writes, or ground it possibly. Any suggestions from anyone????? Does anyone have JTAG points for the chip only?????
There is also an 8-pin chip beside it (EEPROM??). Pin number 7 has a trace coming off of it. I bet if I cut that trace, that would lock that EEPROM chip same as lifting the leg???? I will try that on my sub'd units I have coming, as well as looking for a data sheet on the AMIC chip.
I am cutting the trace on my de-sub'd unit now to see if they deactivate it again; they have done so 2 times. If it doesn't happen again this weekend I will hook up my actual activated units with that trace cut to hopefully stop them from de-activating them. I have a buddy that's good at soldering; may try and pull the TSOP chip from an activated one and read it. I will let folks know.
What do folks think? I will let ya know.
Joe
joesnuffy
05-08-2008, 12:18 AM
Back to report my findings for the Orbiter receiver. I lifted pin number 7 on the EEPROM chip (which is 16 pins, not 8 like I mentioned above; it's 8 per side) and the unit would come on but wouldn't go into radio channel mode; it only said Sirius. I then took a voltage measurement with pin number 7 re-connected; it was around 4.5 volts. Usually anything around 2-3 volts (think of your JTAG: 2 1.5-volt batts equals 3 volts) is programmable.
With the pin re-connected the unit would power up and go into radio mode as normal, showing me that the chip needed voltage to operate. I then decided to leave it connected. I took my voltage meter lead and carefully scraped a clean spot into the copper trace that goes to pin 7 so I could solder a piece of wrapping wire (very small wire available at Rat Shack) to it, which I did. I then soldered the other end to a spot of a microprocessor point called U701 (it's on the corner of the chip). With it connected the unit would power up but would not go into radio channel mode, so I took a voltage measurement on the wire; it is about 2.09 volts (I had used a different spot that gave it like 2.2 volts, but it still worked, so I chose spot U701 to further lower the voltage). I placed a switch between the wrapping jumper wire that stays on and when pushed it breaks the contact/continuity of the jumper wire. Now when I want to change channels I simply push the button (this allows 4.5 volts to pin 7 of the EEPROM chip so it works) and do so, then let off (back to 2.09 volts, keeping it safe). With the wire connected the voltage is 2.09 volts, thus making the EEPROM not programmable. Also the button has to be pushed to power up the unit. Remember, pushing the button breaks the continuity of the wrapping jumper wire I just installed. The switch is spring loaded; that way the wife won't forget to put it back into the right position, which keeps continuity on the wrapping jumper wire when not pushed.
It is my hope they can't turn off the sub since the EEPROM can't be programmed or accessed when continuity is between pin 7 of the EEPROM and point U701, the corner pin of the microprocessor.
One other thing I have noticed is that the display stays on the song which it starts on, meaning in order to change a channel I have to break the continuity of the jumper wire by using the switch for like 2 seconds; then when that channel starts I let off the switch and continuity returns. You see the artist and name of the song then, but it stays like that even when a new song starts. Not a biggie though if they can't hit it.
Whatcha think? Pretty cool, eh!
Joe
PS..... One thing that is interesting is that I did 2 of them yesterday and when I would push the switch (breaking continuity of the jumper wire) the unit read "activation updated, push any button to continue", and I did and everything worked as normal. I did that like 3 times and it worked all 3 times, but then I haven't got that message since. The antenna wasn't connected. Might have been a fluke, who knows.
PPS... There will be some skeptics that say, what if they hit the box while you have the button pushed changing channels. Easy solution: you can always disconnect the antenna wire, wait 8 secs since the box holds about 8 seconds of streaming, then push the button and change channels, let off the switch, then reconnect the antenna. I primarily listen to about 4 channels depending on my mood or how much beer I have, so the real pain in the arse is not having my music when I get some time off.
I will try and draw a diagram if any one is interested.
Be Cool,
Joe
RoofleChicken
05-12-2008, 05:23 PM
This is really good work Joe. At least someone is finally making an effort here so mad props to you for trying!
The older high power FM transmitter radios are still good as long as you pay for the sub. They sure won't sell them anymore but they are only trying to deactivate the unauthorized subs rather than kill the unit. That would result in a lot of pissed off paying customers.
dssexpert
05-12-2008, 10:14 PM
If you find direct JTAG points on the chip so we don't have to unsolder and put it in an Echo receiver, that would be very helpful. I'd like to just reprog the chip to have the same ID as some of my other subbed receivers, or clone tiers if necessary... keep up the good work. great to see someone playin around with these things
joesnuffy
05-14-2008, 05:03 PM
I have had the best luck with the Orbiter receiver. It is an easy mod to lock the EEPROM: just jump 2 points and it is locked, and reversible, meaning when the points are not connected you have access to the EEPROM. I did find a TSOP style chip in these units like the ones in sat boxes. These 2 points' continuity has to be broken to change channels, program channels, turn on, etc., which is all I did; I put a spring loaded switch on the units to break the jumper wire continuity briefly to do so.
I locked a Sportster unit but it stayed semi-locked; I couldn't access the rec ID or other menu features, and when I broke the continuity of the jumper wire I still couldn't, but oh well, it is locked and that is what matters, so I re-connected the jumper wire and left it alone. I could turn the dial on the radio and program stations still, so that is good, and I couldn't access the receiver ID, which is good, or any other menu items, which is good. I didn't find a TSOP style chip in those units.
I have been running the whiz out of the Orbiter receiver, leaving it on to see if it gets inactivated, which it has not. I don't have a very good camera but what I may do is draw some pics to show what I did. The Orbiter does have a TSOP style chip like the ones used in sat boxes. I haven't looked for the JTAG points yet, but I do have one that is for research that I have looked at; it had like 7 traces coming off the TSOP chip. These units get extremely hot and the parts inside are brittle at best. The traces are not good quality so they are delicate to solder to. It would be nice to have a cap to place onto the top of the chip to JTAG; I know they exist, just don't know where to get one????
Joe
baczek
05-18-2008, 03:16 AM
I think trying to make analogies between sat TV and sat radio does not make sense.
Sat radio does not have a card, and different subscription packages, so there is no need for a complicated system of activation and authorization.
There is no need for tiers, and software upgrades.
I think the TSOP is only for system software; it has nothing to do with authorization.
Since every unit displays an ID number for authorization, these numbers must be stored somewhere, and the logical place would be EPROM.
The easy way to clone would be just to copy the ID from one unit to another and authorize all of them at once.
In my Stiletto unit I have found a Rohm made EPROM BR93C66R in a small 8 pin SOIC package. There is also another one, C39N, which I can not find a datasheet for.
baczek
05-18-2008, 06:15 AM
Actually I have found the EPROM; it is an Atmel AT88SC6416 encrypted EPROM.
It can not be copied or written to until the proper password is entered.
Here is the datasheet: http://www.atmel.com/dyn/resources/prod_documents/doc5210.pdf
I believe, during authorization, Sirius is sending this password to the chip in order to write the authorization code.
If we could capture this password by logging the incoming data, we could get access to the chip, copy it, read the content and write our own authorization codes.
Also, knowing the data sent to stop the service, we could block the data and keep authorization forever.
joesnuffy
05-19-2008, 03:52 PM
I agree with most of your statements except that these can't be compared to sat boxes; I think they can, they are using some of the same technology. I do agree that the TSOP chip is a 1 time program and the EEPROM controls activation and de-activation. I think in the Orbiter boxes, since they are so old, they used technology that was dated and not as good as this crypto chip. In the Orbiter and the Sportster I have been dealing with a 16 leg chip, 8 per side. I may have just got lucky, but I have the EEPROM locked in the Orbiter and it can be unlocked and locked with the touch of a button. I locked the Sportster EEPROM but now I can't access the Rec ID number, which might have to do with me locking up the chip so it can't be accessed anymore; if I can't, they can't. I will take that and run, or should I say jam.
I am going to guess that the crypto number that allows entrance to the EEPROM chip corresponds with the receiver number. Backwards, hex frontwards/backwards, conversion table?? Has to be something like that. Most likely the entrance into the 1st level is a certain length number and is the same for all of that type of radio, then the second number gets you into that specific radio and those attempts are unlimited. Got to be something like that with up to 7 layers of encryption.
Also looks like there is a PAC so you can't just keep trying different passwords.
Since it has a PAC, if the unit was activated and a person hit it with more than the allowances, the EEPROM would lock up and not be readable or writeable?? True or false? Or would it be just not writeable but readable?? (Decrementing the PAC to $00 permanently disables the corresponding password and permanently renders the corresponding user zone(s) under protection inaccessible.)
ETA – Eight Trials Allowed. So if a person tried, say, 9 times (the password fields contain eight sets of two 24-bit passwords for read and write operations), that would lock up the EEPROM; if it is still readable then they couldn't turn it off.
Whatcha think? That's a good thing possibly.
What unit are you working on??
Joe
The password fields contain eight sets of two 24-bit passwords for read and write operations. The customer defines the values of these passwords during personalization. Successfully verifying the Write password allows modification of the Read and the Write passwords of the same set.
Password Verification
The use of passwords protects read and write accesses to the user zones. Any one of 8 password sets is available for assignment to any user zone through configuration of access registers. CryptoMemory provides separate 24-bit passwords for read and write operations. Read passwords grant only read accesses to zones under password protection, while write passwords grant both read and write accesses. Successful presentation of any password renders the verify password command active until the presentation of another password or device reset. Only one password may be active at a time. Presenting incorrect passwords decrements the value of the corresponding password attempts counter (PAC). Decrementing the PAC to $00 permanently disables the corresponding password and permanently renders the corresponding user zone(s) under protection inaccessible. Operation in authentication or encryption modes requires encryption of passwords for all password transactions.
ETA – Eight Trials Allowed
Asserting this bit (ETA = "0") extends the trials limit to 8 incorrect attempts to verify a password. The password attempt counter (PAC) will decrement ($FF, $FE, $FC, $F8, $F0, $E0, $C0, $80, $00) with each incorrect attempt. Disabling this bit (ETA = "1") limits password verification trials to only four incorrect attempts ($FF, $EE, $CC, $88, $00). The ETA bit also has an application in the authentication mode of operation.
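A model of the password attempt counter (PAC) behaviour in the datasheet text quoted above, added here as an example; it is not code from the thread, from Sirius or from Atmel, and the password values, zone and guess sequence are constructed. It shows why eight (ETA = "0") or four (ETA = "1") wrong presentations are all a guesser ever gets, and that once the PAC reaches $00 the protected zone is neither readable nor writable, even with the correct password afterwards.

```python
"""Model of the CryptoMemory password attempt counter (PAC) as described in
the quoted AT88SC6416 datasheet text. Added example, not vendor code."""

# PAC values listed in the datasheet, from fresh ($FF) to disabled ($00).
PAC_ETA_EIGHT = (0xFF, 0xFE, 0xFC, 0xF8, 0xF0, 0xE0, 0xC0, 0x80, 0x00)  # ETA = "0"
PAC_ETA_FOUR = (0xFF, 0xEE, 0xCC, 0x88, 0x00)                           # ETA = "1"

PASSWORD_MASK = 0xFFFFFF  # passwords are 24 bits wide


class PasswordSet:
    """One of the eight read/write password pairs, each with its own PAC."""

    def __init__(self, read_pw, write_pw, eta_bit=0):
        self.passwords = {"read": read_pw & PASSWORD_MASK,
                          "write": write_pw & PASSWORD_MASK}
        self.sequence = PAC_ETA_EIGHT if eta_bit == 0 else PAC_ETA_FOUR
        # Index into the sequence; 0 is the fresh $FF value.
        self.pac_index = {"read": 0, "write": 0}

    def pac(self, kind):
        """Current counter value for the read or write password."""
        return self.sequence[self.pac_index[kind]]

    def is_disabled(self, kind):
        return self.pac(kind) == 0x00

    def verify(self, kind, candidate):
        """A wrong guess steps the PAC down; at $00 the password is dead for good."""
        if self.is_disabled(kind):
            return False
        if candidate & PASSWORD_MASK == self.passwords[kind]:
            return True
        self.pac_index[kind] += 1
        return False


class CryptoMemoryZone:
    """A user zone bound to one password set; only one password is active at a time."""

    def __init__(self, pwset):
        self.pwset = pwset
        self.active = None  # "read", "write" or None (after reset)

    def reset(self):
        self.active = None

    def present_password(self, kind, candidate):
        ok = self.pwset.verify(kind, candidate)
        if ok:
            self.active = kind
        return ok

    def _zone_alive(self):
        # Exhausting either PAC renders the zone under protection inaccessible.
        return not (self.pwset.is_disabled("read") or self.pwset.is_disabled("write"))

    def can_read(self):
        # Read passwords grant read only; write passwords grant read and write.
        return self._zone_alive() and self.active in ("read", "write")

    def can_write(self):
        return self._zone_alive() and self.active == "write"


def lockout_after_guesses(eta_bit, guesses):
    """Present a list of wrong write-password guesses, then the correct one.
    Returns (attempt number at which the PAC hit $00 or None, readable, writable)."""
    zone = CryptoMemoryZone(PasswordSet(0x123456, 0xABCDEF, eta_bit))  # constructed
    disabled_at = None
    for n, guess in enumerate(guesses, start=1):
        zone.present_password("write", guess)
        if disabled_at is None and zone.pwset.is_disabled("write"):
            disabled_at = n
    zone.present_password("write", 0xABCDEF)  # the right value, too late or in time
    return disabled_at, zone.can_read(), zone.can_write()


if __name__ == "__main__":
    wrong = list(range(1, 10))  # constructed: nine wrong 24-bit guesses
    print(lockout_after_guesses(0, wrong))      # (8, False, False)
    print(lockout_after_guesses(1, wrong))      # (4, False, False)
    print(lockout_after_guesses(0, wrong[:7]))  # (None, True, True)
```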
baczek
05-21-2008, 06:00 AM
The receiver I have is a Stiletto SL10, portable.
The smart memory chip seems to be hard to hack, but there may be some way around it.
From the block diagram I can see that the asynchronous portion is used to pass password data for verification.
I believe this has to happen after a reset signal.
The reset could then be used to gate the number of data bytes in order to capture the password during activation.
Also, if this is true, the reset signal could be used to mute the incoming RF amplifier.
In this case any update data will be blocked.
I just have to check how often the reset signal is used; it may be not that often since the data is synchronous with the clock. An oscilloscope may help here.
Even if the reset may be needed for other smart chip functions, this may be the only possible way to block de-activation. Some intelligent logic circuit may be needed to block only those resets that are needed for writing to the smart memory.
joesnuffy
05-21-2008, 04:36 PM
Keep up the good work. Let us know if you capture the data.
Joe
silver77
06-10-2008, 02:04 PM
Has anyone had any luck with this?
Broncommish
06-12-2008, 03:54 PM
Having just acquired a Stiletto SL10, I am already reasoning that Sirius is following standard manufacturing cost savings and having a base component system for all models (10, 100, etc.), and it is the firmware that is the difference.
So the 10 does not have wi-fi capability; is this just a matter of firmware, or do you think that they had different boards for each model? I am thinking it is a matter of firmware.
Anyone have any information on this?
joesnuffy
06-12-2008, 04:55 PM
I have had the best luck with the Orbiter Sirius receivers. I installed a switch that allows the EEPROM to remain locked, and unlocked when I need to change channels or power it up. Sometimes when I push the button to allow access to the EEPROM I get the message "YOUR SUBSCRIPTION HAS BEEN RENEWED, PUSH ANY BUTTON TO UPDATE". I then do not push any button on the unit; I simply unplug then re-plug the unit and it continues to work. My suggestion to anyone that gets that message is to not push any button, simply unpower and repower their units, and hopefully then the sub will continue to work. I have also noticed the traces are not very good and easy to damage. I have done like 4 units now for buddies and have 4 more to do. I will try and take some pics and post them.
Written Earlier
Note: Point U701 is close to the 16 pin chip I am calling the EEPROM chip. Use the trace off pin 7 to lightly clean and solder a wire to it. When the wire is jumped between pin 7 and the U701 corner, the EEPROM is locked.
"With the pin re-connected the unit would power up and go into radio mode as normal, showing me that the chip needed voltage to operate. I then decided to leave it connected. I took my voltage meter lead and carefully scraped a clean spot into the copper trace that goes to pin 7 (16 pin chip) so I could solder a piece of wrapping wire (very small wire available at Rat Shack) to it, which I did. I then soldered the other end to a spot of a microprocessor point called U701 (it's on the corner of the chip). With it connected the unit would power up but would not go into radio channel mode, so I took a voltage measurement on the wire; it is about 2.09 volts (I had used a different spot that gave it like 2.2 volts, but it still worked, so I chose spot U701 to further lower the voltage). I placed a switch between the wrapping jumper wire that stays on and when pushed it breaks the contact/continuity of the jumper wire. Now when I want to change channels I simply push the button (this allows 4.5 volts to pin 7 of the EEPROM chip so it works) and do so, then let off (back to 2.09 volts, keeping it safe). With the wire connected the voltage is 2.09 volts, thus making the EEPROM not programmable. Also the button has to be pushed to power up the unit. Remember, pushing the button breaks the continuity of the wrapping jumper wire I just installed. The switch is spring loaded; that way the wife won't forget to put it back into the right position, which keeps continuity on the wrapping jumper wire when not pushed.
It is my hope they can't turn off the sub since the EEPROM can't be programmed or accessed when continuity is between pin 7 of the EEPROM and point U701, the corner pin of the microprocessor.
One other thing I have noticed is that the display stays on the song which it starts on, meaning in order to change a channel I have to break the continuity of the jumper wire by using the switch for like 2 seconds; then when that channel starts I let off the switch and continuity returns. You see the artist and name of the song then, but it stays like that even when a new song starts. Not a biggie though if they can't hit it."
manchester
06-13-2008, 05:12 AM
I hate to ask... but why would one want to hack XM..???
Fred Raud
06-15-2008, 07:37 AM
I hate to ask... but why would one want to hack XM..???
for the same reason people want to hack anything, to learn from it?
Fred Raud
XM Girl
06-29-2008, 08:56 PM
Hi guys. I came across this thread while searching for some XM info and I thought I would set you all on the straight path.
First off, don't bother with hacking the ST19AF08. There's nothing valuable on it except the skipjack key and the counters that make the encryption dynamic. There is NO HACK in the ST19AF08. However, if someone wants to dump it just for fun, you can use a standard Tucker with a few mods to the firmware and a few more to the hardware. Nothing anyone who actually glitched and dumped any of the other ST Micro CAMs like the ROM 102 couldn't do in a couple month project. Maybe less.
What you need to do to actually hack the XM subscription service is to reverse the STA450/850 chip. That will require that you remove the 80 pin TQFP chip and remount it for testing. OK, just lost about 90% of you there.
Next you will need to dump the uRom. Forget the Tucker design. Won't do it. So, you'll need to design a glitcher. OK, just lost about 9% out of the remaining 10%.
So, for the remaining 1% who might be capable of this task, you need to find the instruction set (Hint: MMDSP+). Then you'll need to slow the clock down to about 1/4 of its 23.92 MHz, route the CLK outside the PLL (Hint: pins M_0 and M_1). And, then you'll need to build a new loader to talk to the STA450.
The loader will have to speak i2c. That's the comm the ST Micro chipsets use in the XM radio. Attach the loader to the slave and master ports on the STA450.
Oh yeah, on the master i2c side, you'll also have to reverse the crc algo for the comm before you can even say hello. It's a pretty common crc. I'm sure you'll figure it out.
On the slave side, just learn to send DSP CMDs and get a proper DSP CFM response.
If anyone gets this far, I'll provide some more help. However, I'm not a freeware guru. If you want the XM hack, you will have to figure it out. If anyone shows the incentive to go further, I will be happy to help.
I'll check back on this thread in a few days when I get back home from vacation.
Good luck, guys.
mtmt1us
07-03-2008, 06:49 AM
I think I'm in love !!
XM Girl
07-19-2008, 01:25 AM
Don't bother. I'm a lizzy. And, could probably whip yo ass as well. ;)
No XM takers, eh?
OK, I'll leave you with this.
XM is 10x tougher than the DTV P4 card. The P4 card has a tough outer candy shell but inside, it's the same old soft chocolate from the HU and H cards.
Luv ya all.....
Fred Raud
07-19-2008, 01:42 AM
god damned, I sure hope she is kanukian, lizzy or not, I'll make her a believer!
Fred Raud
mtmt1us
07-20-2008, 06:46 PM
P4 too ?? Now I know I'm in love !!
Tell me more about the candy shell please. I'll even take the ass whipping if that's what you want.
All kidding aside welcome...
Iou1Dave
07-20-2008, 08:48 PM
P4 too ?? Now I know I'm in love !!
Tell me more about the candy shell please. I'll even take the ass whipping if that's what you want.
All kidding aside welcome...
On a slow Sunday, luv 2 read and learn and 1/2 a good laugh
lol
Iou1dave