I am trying to find info on a new lock that is now being used. It seems to be using DQ7 as well as DQ1 and DQ4. Anyone can give me some more info?

I have not heard alot of detail about these locks,other then they are to be the best protection.Still looking for a schematic on them.


OHM

I heard that nags are eliminated. I have followed signals all over the ird trying to track this down. I do however think that it is not associated with DQ7. But, i wanted to try one to know for sure. Eventually, i will track down the address line that initiates that error and then...................

The new locks use DQ7 as a means to avoid the junk byte trap that Charlie uses to detect the old locks that use only DQ1 and DQ4.

When DQ7=0, it's latched in a D Flip-Flop and called exDQ7. On the next cycle, it's used to see that the previous command to the tsop was 55.

if exDQ7+DQ1+DQ4=0, then the lock blocks the command to the tsop.

AA 55 90 is the command for the tsop to return device ID to the CPU. Charlie's using the command "AA 20 55 90". A non locked IRD reads this as an invalid command and returns to reading array data. An IRD with the old style locks blocks the 20 (because on 20, DQ1+DQ4=0) and the tsop reads "AA 55 90" and returns the device ID to the CPU and the lock is detected.

The new locks aren't fooled by this because the 20 is not blocked because it came before the 55. In other words, exDQ7=1, so exDQ7+DQ1+DQ4=1 and the lock does not engage.

Charlie can change around the junk byte again and defeat the exDQ7 locks, but he hasn't. I think the command with the junk byte is imbedded in P189 and not something he can control through the stream.

Phiberoptik

good job phiber. now, THIS is testing! So, now the bottom line is: does this eliminate 153 error?

First of all, I don't want to take credit for someone elses work. I didn't discover the exDQ7 method. I just included it in my work. I first read about it over at ID. Someone known only as "our anonymous friend" apparently hooked up a $5000.00 logic analyzer to an IRD and extracted the command sequences so we could all see the junk byte method.

This detection, nor any other won't block the 153 nag. The exDQ7 locks will stop the 155 nag that you get when running P189 with an old DQ1-DQ4 lock so that the lock behaves like the old lock did on older firmware.

The 153 nag is caused by something being detected in your card slot. Older blockers, invalid tiers, bad CAM ID's, and something in the Nawapoms for the atmegas are the major targets there. There's no lock available that will avoid the nag when something is detected in the card slot.

Locks only serve to protect the contents of your tsop until you fix what's wrong in the card slot. When you see the 153 nag you have to get up and pull the card to reset the IRD and your IRD comes back up. That means your lock worked. If it didn't, you'd have a location ID of 0000001 and be only able to get channel 101 when it comes back up. You'd have to reflash or use the junkyard fix on it in order to get your channels back.



There is a better way though....

I came up with this new lock over the last few weeks. I just got the prototype working last night. I'ts been hit about 8 times plus whatever it got while I slept last night. Works great so far.

Instead of the conventional method of holding WE# high to block a write or erase, it reboots the IRD so you don't have to get up and pull the card to reset it. It uses exDQ7 detection, so it works with P189.

If you don't lock your eeprom, it'll boot right back to the channel you were watching.

The only visible side effect is that since an IRD can get ECM'd while it's turned off, the lock will still reboot it when this happens and it leaves it turned on. No big deal.

The schematic is actually a screenshot from EWB 5.2. I ran this in the simulator before I built it. The switches on the far right are not part of the lock, but part of the simulation. They are intended to represent the lines connecting the lock to the IRD. I used switches so I can selectively toggle them during the simulation.

The artwork (pdf) file is the mirrored image for the Epson photo paper method to make the circuitboard for this. I could have squeezed 3 or 4 more locks out of this blank, but I like to leave enough room to saw the boards out of the blank and be able to dress each side of each board on the disc sander.

The solder pad labeled VCT is experimental and untested. Unless you're running an experiment don't hook it up to anything. If anyone else has a lab and wants to play with this other avenue of experimentation, let me know and I'll post what I know about it so far. It's really kind of a backup for experimenting with the 301.013 in case I have timing problems. It involves another method of inhibiting the write to the tsop.

The PCB is single sided and it has one jumper wire to connect the chip ground pads. You'll see the extra two solder pads for this purpose. One end of the resistor also hooks to one of these jumper pads.

With the front edge of the IRD facing you. Use the left solder pad of C81 for the reset line. It's right behind a 14 pin surface mount chip in the middle of the board. Use a switch in this line to lock / unlock.

Phiberoptik

I forgot to include the chips. the D Flip Flop is a 74LVC74 and the triple 3 input nor gate is a 74LV27.

Phiberoptik

and good job! I like it! Ok think i will make one and see what i can find with it. I just love testing new things. You confirmed what i suspected about the 153. I have been leaving the storage scope on various lines hoping to catch the source of the 153/155 errors. i have found the command in several places but not the actual source. once i find it, perhaps i can figure a way to make it not happen without any undesirable side effects. i would think that someone would be way ahead of me by now. I have only been testing about 2 1/2 years now. You are doing good research for testing. this kind of stuff is what makes things happen. Sure everyone can learn good info from reading a post but someone has to make the post. I am in the process of typing some of my findings and copies of other peoples findings (with credit given always) into a usable document everyone can read and understand. It will become available when finished. Tons of good info, code scripts, ect.

The following information is useful only as research, not as practical implementation. This is something else I discovered while I was developing this lock.

The VCT terminal on the lock is a direct line from the nor gate before it enters the latch. It's quick up and down so by itself, it's quite useless as a reset line because it won't stay low long enough to use it for a reset pulse. It's the trigger that trips the latch (on the dflop) that actually times the reset pulse.

It's active low, meaning that it's normally at VCC unless the lock is tripped. Here's what I did with it during an experiment.

Using the data sheet for the tsop, I found the VCC pin (pin 12) on the flash1 tsop chip. There's a small surface mount capacitor on this line right near the tsop (C187). I removed the capacitor and cut the trace that supplies VCC to the pad under C187. Now I took the VCT line from the lock and used it to supply VCC to the tsop. Without hooking up the reset line to the lock, I jtagged the IRD and attempted to erase flash1.

Since VCT goes low when the lock trips, power is removed from the tsop immediately and the command to erase is cancelled. Remember, I removed C187 completely so it doesn't store power when VCT goes low. Jkeys errors out instantly and the IRD continues on normally for about 10 or 15 seconds and it freezes the screen.

This information by itself is quite useless, but if there are timing issues with the reset pulse on the 301.013 it could be added in addition to the reset line to protect the content of the tsop while the reset occurs. The output from the nor gate is lightning fast. Faster than the LVC02 based locks. Perhaps someone else could use this information in another method of trying to defeat the ECMs.

The new lock is working perfectly on (2) 301.010 units as of today. I unsuccessfully tried to install it in a 2700. I'll be trying an 013 next.

Phiberoptik

excellent idea. basic. simple no one thought of it before! Ok i have a couple of older models i may try it on just to see if it works on them. 3800 4000 5000.

I got the board schematic for the P189R lock. One chip is a 14 pin DIP. The other two are surface mount 14 pin ICs. Blundell sands the numbers off the 14 pin DIP so I don't know what it is. I got the numbers off the other two chips. I show the dip as a 7474 D Flip Flop in the schematic, but that isn't what it is. Take a look at the schematic and see if you can figure out what the chip is.

Here's the functional pinout of it.

VCC is pin 14 and pin 7 is ground. That's pretty standard. Here's where it gets weird. He has pins 1 and 2 wired together to accept input from DQ7. Pin 3 outputs back to the 1C input of the 3 input nor gate. DQ1 and DQ4 are connected to 1A and 1B. This is weird, remember, DQ7 goes low one WE# cycle BEFORE DQ1 and DQ4 go low. Pin 9 is wired to get VCC all the time, and pin 8 goes low when WE# and CE# are both low. This has to be a latch of some kind. I'll speculate that perhaps pin 8 is the reset for the latch.

I'll bet this is it or it's something very close.

http://rocky.digikey.com/WebLib/Texas%20Instruments/Web%20data/CD74HC(T)164.pdf

I just noticed that the two chips that have been identified are marked backwards in the schematic. The AC32 is marked LV27A and vice versa.

The connections are as follows:

Pin1 and Pin 2 tied together connect to DQ7 Those are data inputs. These are held high with VCC when the lock/unlock jumper is set to unlock. When the jumper is set to lock, they toggle with DQ7.

Pin 3 connects to Pin 13 on the 74LV27 (input 1C), so that has to be the output from our mystery chip. inputs 1A and 1B on the 27 are tied to DQ1 and DQ4. This makes sense because if all 3 go low, then the output from 1Y goes through the #3 gate as an inverter and supplies low input to 2B on the 32 chip 2A would go low with WE# and CE# and 2Y is the reset line. That all fits.

Pin 9 on the mystery chip is tied to VCC. On the 164 bringing that low would cause a reset to the latch. This is now impossible because it's hardwired to VCC. This circuit must depend on incoming data inputs and clock pulses to clear the latch after an ECM. That's feasable.

Pin 8 on the mystery chip would normally be toggle up and down with CE# and WE#. This line is fed from 1Y on the AC32 chip and is also connected to input pins 4 (2A) and 12 (4A) on the AC32.

Here's where it gets interesting. on a 301.010 or a 301.013, the installation instructions from the lock say to tie the CE# and WE# from the lock together and connect them to WE# on the IRD. On a 2700, he says to tie WE# and CE# each to thier respective lines on the IRD. This is definately the clock line to the mystery chip.

On a 2700, both CE# and WE# must go low and then one of them must go high again to generate a positive edge clock pulse, while the 301 just clocks along with WE#.

I'm pretty sure this is the correct type of chip, but I don't know if he's using positive edge triggering and I don't know what flavor of this chip he's using AC, HC, etc.

The other part of the puzzle that's still missing is that he put 2 surface mount chips on the board and hand soldered them with soldering skills equal to my own. This guy isn't afraid of surface mount chips at all. Why did he use a DIP for this mystery chip? Was it not available in surface mount? The 164 is.

Perhaps he did it to throw everyone a curve who's trying to figure out this lock. I was looking for chips available only in DIP until I stumbled onto this accidently. He did sand the numbers off the chip and he was very secretive about his design over at IM. He's taken steps to make sure he's the only supplier for this lock. I won't rule out that possibility at this point.

I'm going to put this in the simulator tonight with a 164. I'll see where that goes.

Kind of interesting when you compare this to my lock. Both have strengths and weaknesses. My lock is simpler and uses only two chips, but it only works on a 301. It creates it's own timing on the lock board by charging up a cap. Blundell's lock gets it's timing from the IRD's lines and seems to be completely unaffected by variables in the IRD's timing. This would explain why my lock won't work on a 2700 and his will.

I haven't torture tested this yet, but with the info that I have so far, this appears to be a very strong and versatile lock design.


Phiberoptik

My autoreset lock V1.7 is now working on both the 301.010 and the 301.013 single flash model. Since it works on the single flash model, that means it'll work on the 2 flash model. The .013 requires an additional 1N4148 diode to be installed at the reset point connection. Once that's tested on the .010 with 2 diodes, I can build the second diode into the lock.

Just in front of the top jtag pads is a place for another momentary switch labeled SW4. This is a place for a reset button that isn't installed on the IRD. there are 4 pads for it. Two are ground pads. Clip the leads of the diode to about 1/8" long and solder the diode in a vertical position with the black band up, on either of the non grounded pads. Connect the top lead of the diode to the reset pad on the lock.

Hot glue or silicone the lock board to the top of the tsop and keep the wires short. All my wires, except for the reset line are 2" or less in length. The reset line is 4" long.

It's been testing all night. I'm testing with a card that's deliberately been programmed to get hit and it takes the hit about once an hour.

The 301.010 IRD reboots faster than the 301.013 anyway. From the ECM to the time it's displaying the "acquiring signal" signal screen is about 5 seconds on an .010 and about 10 seconds on an .013.

Tonight I'm going to take a stab at the 2700 again. The last time it blocked the boot entirely with this lock connected. I'm not optomistic about the outcome on the 2700, but what the hell, I'm going to play with it some more anyway. Perhaps the double diode trick will help.

Phiberoptik

phiberoptik,

Keep this up bud as it is proving to be an xcellent read,I really hope you can beat this baby
;)

Yes, Phiber we are all with u on this. It looks like u are on to something. I have started looking for a 301 just so i can practice what u preach.

I really do like the 3900 but i have caught some items in the stream that appear to be aimed right at it, so, I may need a backup until i get it back up , (that's IF they do manage to make it not work). Ohhh it 's locked and blocked they cant get in it but they can make it obsolete. Now, we dont want that do we?

I just noticed that the schematic posted for my lock ver 1.7 is out of date. I'll get an updated schematic posted. The design posted will work fine, but I've made a couple of changes to the latch portion of the circuit. The PCB artwork is still good.

The diode is a 1N4148 zener, but any small rectifier diode can be used instead. I've eliminated the 1 megaohm resistor and it's connection to ground, and I've replaced the 4.7uf polarized cap with a .022uf non polarized ceramic disc cap. I use a surface mount ceramic cap and a surface mount diode, both still of the same values, on the production model. I hate drilling holes...

I had originally put in the larger cap and the resistor to create the latch timer. I found that putting the tiny cap in place and using the chip's own internal power drain instead of an external resistor achieves the same result with one less component.

Oh yeah, I almost forgot. The mystery chip in Blundell's lock is a 74XX164 as I suspected. I ran it in the simulator and it worked perfectly. The chip is available in surface mount or dip and is available in the HC flavor. Since this portion of the lock runs a full cycle behind any critical point of timing, the HC should be plenty fast enough for any IRD.

If anyone builds Blundell's lock and uses it on an .013, I'd recommend using my reset point on the .013 rather than the one he shows in his pics. He's going through the card slot switch as a reset and that was just too slow with my lock. My connection point is a direct CPU and TSOP reset, it's much faster and it uses a much shorter wire from the lock. The reset points for the .010 and for the 2700 that he shows work fine.

Ouxly40, if you're looking for a 301 and you don't mind dealing with the .013 model, the VID mod, etc., most Wal Marts have them. They're only about $95.00 there. By the time you find one on flea-bay and pay the shipping on it, you'll be almost there.

Personally, I prefer the 301.010 only because when Charlie does his big card swap, I can convert it to BEV if we're down for a little while and not lose my PPV like the .013 does when it's used on BEV.

Phiberoptik

Good advice. I will get a -010. That way, u can keep me online as well. :o

Here's the corrected schematic for the 2 chip autoreset lock. The schematic still incorrectly shows the 1N4148 switching diode as a zener. Thanks Ouxly40, for pointing that out. This shows the correct cap value and the removal of the resistor. It's tested and working in the 301.010 and the 301.013 single chip.

Phiberoptik

Dual mode lock.

This is based on Blundell's lock. The main circuit of this lock is Blundell's circuit. I just streamlined it and cleaned it up a bit. I got rid of the foolish LED and some connections that led to gate inputs that had unused gate outputs. I took the unused inputs and hooked them up to drive the unused outputs high to conserve power draw. I also added the conventional lock function so that this lock can be used as an autoreset or as a conventional lock depending on the switch settings.

Once again, I mismarked the chips on the schematic. Use the black letters under the chips and not the blue letters on top of the chips. The blue letters are reversed for the 27 and the 32 chip. The chips I used in the lock are as follows. 74LV164, 74LV27, and 74AC32.

Don't use the connection point shown if you try this on a 301.013. Use SW4 as I've described in my earlier posts. You may or may not have to add the second diode using SW4 on the 301.013.

On a 2700 or one of it's relatives, you'll need to hook up CE# to the lock or it'll block the boot with a false trigger. On anything else, such as a 301, jumper CE# and WE# on the lock together and connect it to the IRD's WE# CPU line. It is necessary to cut the trace or remove r259 to install this lock as a dual mode lock.

I've only tested this on the 2700 so far. It works perfectly in both modes. I expect it will work just fine on the 301.010. I don't know if it'll be fast enough for the 301.013 single flash. Only one way to find out...

There are 3 jumper wires on the pcb. I included solder pads on the artwork for them. Follow the schematic to see where they go.


Phiberoptik

On the pcb, you'll notice the switch points . These are for some tiny slide switches to surface mount on. I'm still waiting for the switches to arrive, so I'm just using little jumper wires for now.

Here's the connection points to hook this up.

I forgot to include a couple of thing.

The pad on the pcb marked WE# is for WE# CPU, the pad marked WE# Out is for WE# TSOP.

It is not necessary to cut the trace or remove R259 if you only want to hook this up as an autoreset lock and skip the conventional lock function. Just connect WE# on the lock to a WE# point on the IRD, don't connect the WE# out pad on the lock, leave the autoreset switch on or hard wire it on in place of the switch, and use the lock / unlock switch to control the lock.

Like my two chip lock, if you leave the eeprom unlocked, it'll return to the same channel you were watching after a reboot.

Phiberoptik

Like I didnt already have enough to do this weekend, i now have another project that i know i just cant put off.I will try a 3700. Just got 2 today

Testing Update on the Dual Mode Lock:

I installed the lock on the 301.013 single flash this afternoon. It works perfectly in both modes. I didn't think it would be fast enough for the .013, but it is.

I added another 1N4148 diode to the test unit by soldering it to the reset pad on the lock with the band down and soldered the wire to the upside lead of the diode and to the SW4 reset pad. I'm going to test this configuration in both modes on the 2700 and on the 301.010 next. This shouldn't present any problem at all, but I'm going to test it anyway.

The diode isn't necessary on those units, but it is needed on the 301.013 using reset point SW4. If it has no harmful effect on the other units, I'll add the points to the circuitboard to put the diode there on the production board. I'm going to beef up the pads for the switches too so they don't break easily. Yes, I'll repost the artwork here too.

So, it looks like we have one design that will work in both modes for any IRD.

This lock is based on Blundell's P189R. Credit goes to Blundell for the original design. I just cleaned it up a little bit and added the conventional lock feature to it. Blundell came up with a very nice way of controlling the reset pulse length with the IRD's own timing and a very nice way of getting around the false trigger at boot for the 2700 and relatives by using CE# and WE# together in an OR gate. I'm sure those two discoveries represent a lot of work by Blundell. Using the 164 shift register instead of the 74 D Flip Flop is pretty slick too. Functionally it makes no difference, but it sure simplifies the schematic.

I should have the final schematic and artwork posted before the weekend's over. The only thing that's changed in the schematic is the addition of the second diode.

I'm going to add the second diode and a slide switch to the production board of my two chip lock for the 301's as well. That lock should work fine on anything that isn't a close relative of the 2700 and it's a little bit cheaper to make. I'll post the updated schematic and artwork for that one too.

Phiberoptik

Keep it up and there will be nothing left for the rest of us to do ('cept watch tv!). Anyway good work. I have begun applying it to a 3900 but not much time during the week for me. Let u know after the weekend.

u rascal. u got me wanting to call in a sub 4 2morro so i can stay home and build this. oh yea, ur photography is primo.

Originally posted by ouxly40
u rascal. u got me wanting to call in a sub 4 2morro so i can stay home and build this. oh yea, ur photography is primo.

Actually, Credit for the photos goes to Blundell. I just liberated them from his web site by copying and pasting.

I'm wrapping up the final phase of tests for the use of the second diode today.


Phiberoptik

Update:

Both locks are working fine. On the two chip lock, the second diode is only needed on the .013 with my reset point and it raises hell with everything else. On the .013 we just solder a diode onto the reset point and connect the reset line to there.

I added the second diode in series to the dual mode lock. It seems that it works better on the .013 that way. It doesn't make much sense, but it does work better that way. Maybe they leak?

Both are working fine on 301.010, 301.013, and the 2700.

I'll post a couple of pictures and a commented PCB artwork for the dual mode lock showing component and jumper wire placement. A couple of people have commented that it's a little confusing. This should clear it up a little.

A friend of mine is shooting some pics today for my website with his 1.2 megapixel camera. I should have some better pics soon.

Phiberoptik

Dual Mode Lock V1.3 PCB Component and Jumper Placement.

Dual Mode Lock V1.3

Autoreset Lock Ver 1.9

Xcellent my friend..........
One question though............
When are you going to start mass production for the members on these forums that are not capable of creating their own?
I know I would be very interested!;)

You would have to dicuss it with mili first,though.

Originally posted by Darnat
Xcellent my friend..........
One question though............
When are you going to start mass production for the members on these forums that are not capable of creating their own?
I know I would be very interested!;)

Hi Darnat,

I've been working on that already. All the equipment is in place as of this past weekend. I ran a couple of very small batches, 6 of each type, for a first shakedown run yesterday. No problems. Everything passed QC perfectly the first time around.

The only glitch I had was that the aeriator in my etching tank is incompatible with the ferric chloride that I use to etch the boards. I'll build a new aeriator box tonight out of plastic. I had hoped to use a porous rock aeriator since it tends to sink on it's own, but a sealed plastic vial of sand should keep down the plastic aeriator box.

I wasn't planning to start selling until my web site's up at the end of this week, but there's no reason I can't sell anything right now that passes QC from the shakedown runs. So far everything's passed QC without a hitch. I'm going to run some more tonight.

I'll PM you the pricing and my url. I don't want to get too commercial out here in the public forum and get myself booted. If anyone else is interested, PM me for the details.

Phiberoptik

Just got to say it...............It's nice to have you with us,we need support like this....keep it up:D

Just check out you connections jpg,WOW..... the 3100.010, DQ7 is very close to home,is there another connection point that may be used for this instead as I can forsee alot of problems with peeps trying to connect so close to tsop,they have a hard enough time with the WE connection.
And with the 2700,you have 2 points circled but no info.........
Sorry I had to bring these points up but would like some clarification on this.

Originally posted by Darnat
Just check out you connections jpg,WOW..... the 3100.010, DQ7 is very close to home,is there another connection point that may be used for this instead as I can forsee alot of problems with peeps trying to connect so close to tsop,they have a hard enough time with the WE connection.
And with the 2700,you have 2 points circled but no info.........
Sorry I had to bring these points up but would like some clarification on this.

That's about the only place there is to grab DQ7 that I know of now. I'll look and see if I can find a better topside connection. It's really no worse than the FID17 connection for WE# next to the trace cut. It's just closer to the tsop, but under the magnifier, I could throw a cat between there and the tsop. Tsop locks in gereral aren't a job for the inexperienced. If there's any doubt about one's soldering abilities, it's always a good idea to practice on junk boards first, but there's only one way to get experience...

I just take an xacto knife and scrape away the coating to expose the copper ring, then ream the hole with a straight dental pick if needed (not always necessary) so that I can insert a piece of 30 ga wire wrap wire into the hole, put a dab of paste flux on it, stick in the wire, and solder it.

The two pads in the 2700 pic that are unmarked aren't used.

Good points though, some documentation on these things could be really useful. Once I get a decent digital camera, I think I'll make a lock install tutorial for all the exDQ7 type locks in general, not just for my locks.

You're pointing out things here that I take for granted thinking it's no problem for anyone. How quickly I forget that just 6 months ago I was a newbie myself. You just reminded me of that. I appreciate it.

Thanks,

Phiberoptik

Update:

I'm pleased to report that both locks survived the P210 update on the 301.010 and the P183 update on the 301.013. Both locks are still working fine.

The updates started yesterday. I had to change the IRD# and BK to get it on the .010, but it came in today on the .013.

Phberoptik

I have found several good locations to get DQ7 on my 3900. Will be easy to solder. Myself, I have been soldering daily for 40 years and i could probably solder a wire to that cat you've got stuck in there between DQ7 and TSOP. Let him make the connection.

Phiberoptik - perhaps some of my work on the 3900 and therefore similar units might save you some time. I do not have a digital camera that will get good pics of the ckt brds. But my 35mm will. Just have to see what they look like after scanned. I have a few good pics already and could easily add some detaled text to go with them. Maybe save u some time. I'll start getting some stuff together this weekend. send it to you when all gathered up. Surely some of it will be usefull.

Originally posted by ouxly40
I have found several good locations to get DQ7 on my 3900. Will be easy to solder. Myself, I have been soldering daily for 40 years and i could probably solder a wire to that cat you've got stuck in there between DQ7 and TSOP. Let him make the connection.



Yep, I've always said that if you put enough flux on something.....

If you can take some pics that would be great. The SW4 area on the .013 board is something I really need a photo of.

Thanks,

Phiberoptik

well if i had an 013 to photograph... but at least i have scanned some 35mm shots and they are turning out quite well. What I was suggesting is that someday you will possibly want to add some installation info on some of the models I am more familiar with.2700-2800-3700-3800-3900. I have loaded and locked eight (8) -010s, successfully, but dont hacve any around to photo.

Hi Ouxly40,

Fortunately, I keep what I fry. I have some junk .013 boards around. I'll be glad to send you one. Check your PM.

Phiberoptik

Looks like you are not the only one using DQ7......
http://www.techshop.tv/acc_dbev.asp......Go to 3100.010 #3 lock intructions.

I'm working on an installation guide for these locks. By request, I'm posting some instructions to hold people over until that's done

This includes the trace cut and CE# info for the dual mode lock.


The lock is fully assembled, but you'll have to attach the wires to the points on the IRD. I have solder pads on the lock to make it really easy to hook up. It isn't color coded, but the connections are marked on the lock. You'll have to use the pictures to find the connection points on your IRD and match them to the points on the lock by the labels.

Remove R259 or make the trace cut, depending on what receiver you're installing it on, to split WE# on the receiver just like you're hooking up an old style lock. Clean up the points on the IRD where you're going to solder wires and put a little dab of flux on each solder point.

Place the lock where you're going to mount it. I put it on top of the CPU in a 2700 and on top of the tsop chip(s) on a 301. Next, measure a length of wire for each connection to the IRD, keeping the wire as short as you can. Between 2 and 3 inches is good for any connection except the reset point. That one has to be a little longer, but keep it as short as you can.

Note that the lock has connections for CE# and WE#. On a 2700, 2800, 3700, 3900, etc. hook both wires up. On any 301 model, strip the wire from WE# about 1/4" long and solder it to both CE# and WE# on the lock so it jumpers them together. That wire goes to WE# CPU on the IRD.

WE# Out on the lock goes to WE# TSOP on the IRD. in other words, using the 301.010 as an example, WE# CPU is the FID17 connection to the left of the leftmost tsop chip, next to the trace cut. WE# TSOP is the one between the tsop chips.

Remove the lock from where you set it, strip each wire about 1/16" on both ends and solder one end to the appropriate connection point on the IRD. Put the lock back in the IRD and connect each wire by putting it on the lock's solder pad and heating the solder pad until it melts and flows around the wire. Hold the wire still for a couple of seconds as the solder cools and solidifies.

When you're finished soldering, just take a little dab of hot glue or clear silicone and stick the backside of the lock board to the chip you want to set it on.

Now set the switches on the lock. The lock / unlock switch should be set to lock. The other switch that's labeled autorst <-> off should be set to autorst unless you want to see an error message to get the number off it.

That's all there is to it. Now when the ECM hits, instead of getting the 153 nag screen with an old style lock, or even worse, getting the location ID 00000001 hit with no lock, your screen will go blank for about 5 seconds and your receiver will reboot itself. If the eeprom isn't locked, it'll reboot right back to the same channel you were watching. If the eeprom is locked, you'll have to pick up the remote and change back to the channel you were watching.

I don't have a step by step guide yet. I'm working on it. This message is about as close to that as I have. I do have some pics posted on this board of the lock. There's also a zip file called connections.zip that has the IRD connection pics. in this thread

Don't use the reset point shown for the 301.013 though. I have a better one, the SW4 point. The other connections are fine for that IRD as well as the 301.010 and the 2700.

All the pics and info is in this thread. I'll get another pic posted to show the trace cut for WE#.

Phiberoptik

Here's the Pic. I borrowed it from another site and edited it to show DQ7.

Nice pic,have a question though,
....is it possible to change a couple of soldering points for ease?As I have shown,in the case of the WE you are now able to cut trace under m/b instead of on top and with 3.3 VCC it is alot easier as you are not having to scrap of any laquer.
As always I'm just trying to make things simple for the average Joe....Keep up the goood work.

this is weird, I was replying to a post from Darnat and his post dissapeared.

Anyway, here's the reply.

Yes, that will work. There's more than one way to split and hook up WE#. The point you've shown, if I recall correctly, is the same point as the old mulestomp locks used. That works fine.

It's always a good idea to check it with a meter afterwards and make sure that you've got something close to zero ohms between your WE# TSOP point and the WE# leg on the tsop chip.

I find that attaching my exacto knife to the meter probe lead with a piece of 30 ga wire and using the blade tip as a probe makes easy work out of probing those tiny legs on the tsop chips.

Myself, I've never bothered with pulling the mainboard and cutting the bottom trace though, it's easier to take the trace by FID17.

Using an exacto knife, I score two lines across the trace about 1/32" apart, then dig out the space between them with the tip of the blade. A good sharp blade makes a big difference.

I always scrape back the trace toward the tsop and tin about 1/16" of it so if someday someone wants to repair that trace, it's ready to go. Just stick a short piece of 30 ga wire in the hole, bend it over the trace, put a dab of flux on it, and solder it. They still don't have to remove the board.

I suppose it really just boils down to a matter of preference. Functioanally, it makes no difference. I have 20/15 vision and I use a magnifier, so I like to work topside because it's much faster than pulling the board.

Phiberoptik

Ah... The picture is back. The power thing is cool too. I've never tried that one in particular, but just to the left is a couple of unused pads marked R272. The pad closest to the front edge of the board is in use in my bench test unit now and it works fine.

Phiberoptik

Here's a little something for the people who're building the ziggy-dudeboy locks. I modified the switch to simplify the wiring, other than that, it's a standard ziggy-dudeboy lock, pin for pin.

I'm batching some test boards this afternoon. This hasn't been completely tested yet, but it will be shortly. There shouldn't be any problem. The Ziggy-Dudeboy locks works fine. My switch mod simply takes out the DPDT switch and uses a SPDT switch to hold DQ7 on the lock high to unlock. The lock won't enable unless DQ7 reads low. It gets rid of some wiring this way.

The attached artwork is for the PCB. A little something different that I came up with. It uses standard DIPs like surface mount chips. So may of you have told me that you prefer to work with DIPs. Here it is, the best of both worlds.

The board is single sided, just like the surface mount boards I've made for other locks, and as such, the backside is non conductive so you can stick it just about anywhere with a dab of hot glue or silicone.

I've included the directions for making home grown circuit boards using the Epson photo paper method.

Phiberoptik

UPDATE ON THE DUAL MODE LOCK:

I've discovered a potential problem with the dual mode lock. It fails the jtag test in conventional mode on the 301.010. It jtag tests fine in autoreset mode, and it's blocked about 30 actual ECMs in conventional mode without ever letting a tsop write occur, but after failing the jtag test, I'm just not feeling warm and fuzzy about with it. I'm dumping the design.

I'm not going to totally discontinue the thing because it does work perfectly in autoreset mode and it works fine on the 2700 and relatives, but I'm going to strip it down to function as an autoreset only lock. Once that's done what's left is Blundell's lock, P189R, so that's what I'll call it. I've already changed the name of it on my website and I'll update the PCB artwork next week.

I've got another dual mode lock working on the simulator as of last night. It's conventional mode lock function comes from the Ziggy-Dudeboy lock, pin for pin, with few minor changes. I've purposely kept the design almost intact, and I've added two more chips to add the autoreset function to it.

First, I got rid of the dpdt switch. I hold DQ7 to VCC with a spdt switch to disable the lock rather than take it out of circuit to unlock it. This part has already been hardware tested and it works great. I did this when I made the surface mount dip board for the ziggy dudeboy lock. It works fine and simplifies the wiring.

Next, I have to address the timing problem with adding an autoreset lock to a 2700. I'll pull CE# and WE# through an OR gate and pull the clock line off that. This prevents false triggers during bootup on the 2700 and relatives. Same setup as the dual mode 1.3 and P189R, we just tie lock pads CE# and WE# together and connect to WE# IN on the IRD when working on a 301. We'll actually be using CE# on the 2700 and relatives. It works on the simulator, I'm going to do the actual hardware test tonight.

I'm going to bypass the AC and HC chips and I'm going right to LVC chips for everything in this one. I have LVCs right in stock. This way, propagation delay won't be an issue on any IRD. If all goes well, we should have this lock up and tested before the weekend.

Phiberoptik

Keep in mind that this is a functional schematic to test the concept, not a working schematic. Don't build this unless you know how to hook up the lock/unlock switch and what way to put the diode on the reset line.

Those things aren't difficult, but some people may not know where they go so I figured I'd better clarify the fact that this schematic is a screenshot from the EWB simulator only for the purpose of proving out the concept and isn't intended to use as a guide to build a lock.

Phiberoptik

Update on the status of all the locks:

I've been away for a few days. between overhauling my website, filling orders for locks, and doing some R&D on my latest design, I haven't had much time to keep up with things over here.

There's been a lot going on with all the different lock designs I've been posting lately. Shortly, I'll have one more new lock design to add. It's based on the last schematic that I posted. I've worked the bugs out of it and I have a working prototype. Before I post more stuff, I thought I'd let everyone know where each model stands on the previous designs. It's starting to look pretty confusing with all these different locks in the same thread.



Here's what's up with each lock.

The original two chip lock, Autoreset Lock Version 1.9, is working nicely on the 301.010 and the 301.013. No problems at all. It still needs to be tested on the 501/508 and on the X000, but it's rock solid on any 301 model. It will not work on the X700 models and relatives.

Dual Mode Lock Version 1.3 is dead. It worked perfectly in autoreset mode, but it displayed some weakness in conventional mode. I never lost a flash, it blocked actual ECMs, but I could corrupt the flash with a jtag while it was in conventional mode so I discontinued the whole lock.

P189R is Blundell's lock. Since the Dual Mode Version 1.3 was based on this design, I stripped the conventional mode stuff off it and what's left is P189R. I built and tested it over the weekend. It works great. I made up new artwork for the PCB and a new component placement chart. I've replaced Dual mode V1.3 with a functonal clone of P189R.

The Ziggy-Dudeboy lock is a proven design that's been around for quite a while now. That lock is also working very well. The surface mount dip board that I posted for that works fine. You need to use AC chips in it, not HC. It's questionable that this should be used in a 301.013. Some people say it works fine, but I think any lock that goes into a 301.013 ought to be using LVC or LV chips, so I don't endorse the installation of any AC chip based lock into a 301.013.

There's working 3 locks that work with the new firmware that you can build yourself from scratch, buy a bare board or a kit, or buy outright. I have a working prototype of my most recent design. I'll put up what I have done so far, in my next post.

Phiberoptik

New Dual Mode Lock Prototype:

This is based on the ziggy dudeboy lock. 2 of the 4 chips are the actual ziggy dudeboy lock. The other two are the autoreset function. The really cool part about this one is that it'll work on any IRD that we have conventional lock hookup points for. We can just use the non-grounded side of the card slot switch for the reset point in any IRD.

It has a couple of pads and a trace to tie WE#IN and CE# together on the lock for most IRDs. As in the case of the 301, CE# isn't needed. We just leave that pad empty on the lock and the trace connects CE# and WE# on the lock. Just hook up WE# CPU like any other lock.

To use it in an X700, just cut the trace and hook up CE# to it's own pad on the lock. To change back I put a solder pad at each end of the trace cut so you could add a jumper wire if you take it out of an x700 and put it back into something else.

Because the Ziggy-Dudeboy lock blocks the write by holding WE# high when a write occurs, we can take our time applying the reset pulse. I made the whole lock out of LVC chips so it's lightning fast anyway, but sometimes the card slot switch reset point on an IRD isn't fast enough to get the job done. Such is the case on the 301.013. This lock doesn't care how fast the reset point is.

I tested it on a 2700 and on a 301.010 over the weekend. On the 2700 I had to twist up all the lock wires as shown in the picture in order to avoid interferance with the lock from noise inside the receiver housing. Once I did that, it worked perfectly.

An observation that I made that has held true for both the 2700 and the 301.010 is that the eeprom isn't reset to defaults when the lock is running in autoreset mode.

If I run in conventional mode with the eeprom unlocked, it loses it's switch settings and every other default set and stored in the eeprom. If I run in autoreset mode with the eeprom unlocked, I still have all my settings. The reset is happening before the eeprom can be written. With the eeprom unlocked, it allows the receiver to reboot back to the channel you were watching before the ECM hits.

This board is only a proto. I'm going to shrink it down a little bit before I do the final artwork. The proto board is huge. It measures 1 7/8" x 1 5/8".

Phiberoptik

Here's the updated schematic.

Nice site bud...alot of useful info..
Keep it up!

Hello,

It's been a while. I bet most of you thought I dissapeared. Nope, been busy working on locks. I even managed to update some of the designs. I'm still working on the 4 chip dual mode lock. I've got two test units out there, working perfectly so far. I've downsized the board and redesigned to prevent noise interferance since the first prototype. I still have 6 jumper wires on a single sided board. That's too many jumpers. I think I'm going to have to go to a double sided board for this one. I'm going to build eeprom protection onto the lock and test the hell out of it before I do that. No, Ouxly40, I didn't forget you, You'll be one of the first guinea pigs if you're still interested.

I've discovered a method of protecting the eeprom from having the defaults reset during an ECM. Since I've been playing with the autoreset locks, I've seen the default settings that are stored in the eeprom, including the switch settings, get restored to default factory settings three times. While that isn't much out of literally thousands of ECMs between a number of different IRDs, it proves that it does happen. I found a way to stop it.

It's very simple. Since the eeprom write protect pin (pin 7) is held low for normal operation and high to lock it, we just invert the input from the reset line and tie it to the lifted pin 7 on the eeprom. This allows the eeprom to run unlocked so that the eeprom can store channel changes and the autoreset lock can reboot back to the same channel after the ECM. When the TSOP write is detected, it issues the reset pulse instantly, but it also takes eeprom pin 7 high to stop any write attempt to the eeprom. The reset itself protects the eeprom, but this way shaves more time off the time it takes to protect the eeprom because it doesn't have to wait 500ns for the IRD to respond to the reset pulse. Even though the IRD may be 3.3V and the eeprom is 5V, the eeprom still sees it as high when it gets locked.

I started with the autoreset 1.9, by the way is now 2.1, because it already has an inverted output on the 74LVC74 chip. Pin 6 is the trigger that goes low for the reset pulse. That pin is "Not Q" on the 74 chip, so we just use pin 5, or "Q" for the eeprom. Here's the schematic.

I'll post the updated artwork and component placement charts in the next post. I'll stick the schematic on this post.

Phiberoptik

Here's the updated materials for Autoreset Version 2.1

I'm going to make the eeprom modification to P189R and to the 4 chip lock as well. This one was easiest since it already has an inverted output. The others have extra NOR gates that I can use as inverters, but I'll have to rework the PCB artwork to do that.

Phiberoptik

Still Interested? I'm fascinated!!! Sent you a PM recently. Do I need to insure that I have P189R? And,,,how about the 3800 in the family room? I really like that unit. It has given me a year of great service. Just a few minor things (key change in March, Blocker comprimised in July). never have to checkswitch. always comes right back on same channel.Aquires signal very fast.

Here's some guidelines for playing with the locks that I've been dealing with.

Any lock that has both WE# in and WE# out needs the resistor removed/trace cut like any other lock. The little ziggy-dudeboy, big ziggy-dudeboy, and the 4 chip prototype are like this.

Any lock that has only a single WE# connection does not need the resistor removed/trace cut. P189R and AR21 are like this.

If you're removing a conventional lock and installing one that doesn't need the trace cut, it's not necessary to repair the board. Just connect both WE# wires from the old lock to the WE# pad on the new lock.

Any of my locks that has solder pads for both CE# and WE# has a small trace on the lock board between these two pads. This trace must be cut for x700, x800, and x900 receivers and the CE# wire must be connected. For all other receivers, just leave the trace there, hook up WE#, and don't connect CE#. P189R and the 4 chip lock are like this.

To find a reset point on a receiver that hasn't yet got an established reset point. There are two places to test. the card slot (preferred) and the topside jtag pads. In the case of the 301.013, the card slot reset point works, but it's not fast enough to protect the flash. The SW4 reset shown for the 301.013 is really just a trace extended from the topside jtag reset pad.

To find the card slot reset, unplug the IRD from power. With a multimeter, find the cardslot switch trace. It will be connected to ground and have a o ohm or something very close to 0 ohm reading with the card removed. It will change to an open circuit or something with much more impedance when the card is inserted fully.

To find the topside jtag pad reset point. Remove the cover to the IRD, power it on and get a picture. Hook a test lead to case ground and quickly and carefully bump each of the topside jtag pads with the ground wire until you get a reset. The pad we are looking for is not one of the active pads we use to jtag the IRD. Don't hold the wire to the pad, just bump it quickly. When you find the reset pad, you may need to solder a 1N4148 diode to the pad and connect the reset wire to that. Solder the diode, if needed, to the pad with the cathode band up away from the board. Attach the reset wire from the lock to tha cathode end of the diode.

When testing the locks, the favorites list test does not work on x700, x800, x900 ird's. A jtag write test will not work on those either. Only a jtag erase or an actual ecm will work as a test. When testing using the full erase method, it's normal for the ird to hang up. It will not hang up when hit by an actual ECM. 301 IRDs can use the jtag write test or the favorites list test.

Phiberoptik

Update:

The new 4 chip lock has developed some problems on the 301.013 box. These problems occur on both the single flash and two flash models. It's working fine on everything else, but since the whole intent of this lock was to create one lock that would work on any receiver, I'm scrapping the design in favor of another design that I have. Once the design is completed to the point that I can build a working proto to test, I'll post the usual artwork and schematics.

The AR21 lock doesn't work on the card slot switch in 501 and 508 models. We thought it did, but the test results turned out to be falsly optomistic. The card slot reset point is just too slow on that unit.

I know the lock itself is fast enough because it works on the 301.013. I had the same problem on that one too. The 301.013 card slot switch is too slow for a reset point too. Charlie drew a big bullseye on the .013 board for me when he marked SW4 "Reset". It doesn't get any easier than that. I'm going to have to follow the traces from SW4 and see if leads to something that I can identify as common the the 501/508 units.

Phiberoptik

Phiberoptik,
I made a couple of the AR 2.1 and would link to know if you have any install instructions for the 4000 IRD’s?
Thanks

Ar21 locks will only work in 301 receivers. Different trigger equation. I've had some requests for docs for the AR105 series into the greybox receivers, but I don't have any docs for that as yet.

I'm going to wait till things slow down a bit before I write those. It's kind of a one shot deal with those boxes cause there's no jtag. I want to write it step by step, very carefully. especially the 3000.

What Lock would you suggest for the 4000?

I think just about any digital lock that's documented for it will work. The greyboxes aren't a really fast box so there aren't any tricky timing issues. I'd say a digilock would be the safe bet because he has documentation for it on his site.

If you're really adventurous, use the following info entirely at your own risk. I don't have this documented and I don't want to be responsible for murdering your 4000.

My customers tell me that if you use a 3.3V power source. An AR105-A works nicely set up as a conventional lock (not autoreset). Omit the eeprom, CE#, and reset connections and hook it up like any other conventional lock using the standard connection points.

Now to dive into the realm of the unknown, if you want to take a stab at hooking up the autoreset function... I don't know if CE# is needed or not on the greybox. You'd have to pull the data sheet on the flash and locate a connecting point. It'll either need it or it won't. If it doesn't, just tie W1 and CE together on the lock like a 301. If it needs it to prevent boot blocking or false triggers, you'll have to hook it up.

The reset point is the card slot switch. It's easy to find with a meter. It's grounded with the card removed and open or very high resistance with the card fully inserted.

The eeprom, well, you know where pin 7 is. Just like any other receiver.

This info is for experimental use only for those adventurous folks that just can't pass up a small challenge. Keep in mind that one mistake and your IRD is toast. If you're not up to it, don't do it. And don't do it to your only IRD either.

Please post your results if you try this before I get to.

Phiberoptik

Do you know where I can find the component placement and PCB artwork for the digilock? I really like making my own Stuff.

Take a look at the PCB pages on oddcircuits.com. There are also some schematics on that site.

I am the adventures type and I am going to go with the AR105-A. The schematic that is posted on oddcircuits does not show where the Lock Unlock switch is. Could you let me know so that I can work it into the PCB layout? Thanks

Well, I don't understand why someone would rather go thru all that trouble to find parts,etch or even wire a board and install the componenets when the lock is so cheap,,,but,,,

The SPDT switch is wired like this:

end pin - VCC
Center pin - DQ7 on the lock
end pin - DQ7 on the receiver

By holding Lock DQ7 high with VCC, the lock can not arm.

Thanks

hello all. i am new from dave and started working on charlie this week. i have a new 3900 system. i am installing this new digilock from mili. on this lock it does not have the same board as the 1 he has pictured in the howto guide. this unit has 2 leds (1 green and 1 red). i have done these connection points so far...
GND to GRND
5V..did not use...was told use 3.3v with 3900
3.3v to VCC PAD (above location where pictured in mili's how to!!)
DQ1 to location picture in milis howto(tsop pin 31)
DQ4 to location picture in milis howto(tsop pin 38)
DQ7 did nothing???? should i have this connected somewhere?
WE#0 to TSOP WE
WE#1 to CPU WE

ANY HELP PLEASE.....AM I ON THE RIGHT TRACK?

DQ1 goes in the little feedthru judt to the upper left of SB22
DQ4 goes in SB42
DQ7 goes in SB44

Hi Ouxly40, I haven't heard from you in a while.

Just thought I'd mention a common install error that I see quite often.

Since urmama is a dave refugee and just getting started, I just thought we should point out that when connecting to SB42 for DQ4, follow the line from the letters "SB42" right to the pad. Don't hook the pad next to the letters or you'll be on SB43 instead. You'd be suprised at how many times I've seen that.

Hello Phiberoptic. I have not been in the forums lately. All my units are performing perfectly. there are no locks better than urs. That was a good point. That location is confusing, and your installation guides are very clear.

thank you guys. got it right now!

The new locks use DQ7 as a means to avoid the junk byte trap that Charlie uses to detect the old locks that use only DQ1 and DQ4.

When DQ7=0, it's latched in a D Flip-Flop and called exDQ7. On the next cycle, it's used to see that the previous command to the tsop was 55.

if exDQ7+DQ1+DQ4=0, then the lock blocks the command to the tsop.

AA 55 90 is the command for the tsop to return device ID to the CPU. Charlie's using the command "AA 20 55 90". A non locked IRD reads this as an invalid command and returns to reading array data. An IRD with the old style locks blocks the 20 (because on 20, DQ1+DQ4=0) and the tsop reads "AA 55 90" and returns the device ID to the CPU and the lock is detected.

The new locks aren't fooled by this because the 20 is not blocked because it came before the 55. In other words, exDQ7=1, so exDQ7+DQ1+DQ4=1 and the lock does not engage.

Charlie can change around the junk byte again and defeat the exDQ7 locks, but he hasn't. I think the command with the junk byte is imbedded in P189 and not something he can control through the stream.

Phiberoptik

Phiberoptik,

I am very new in this hobby and want to learn. I read your post and I see that you have very good knowledge about Digital Lock. I analyzed your circuit and your post and I have the below questions.
1) As command “AA 20 55 90” come, the DQ7+DQ4+DQ1=0. Is it the original firmware of IRD generate those signals or we have to download some specific firmware?
2) Schematic V1.9: Are C81Reset, EEPROM-Pin7, WE# all inputs? Could you tell me which one is the input/output to the circuit? Now, I just guess base on the input of Flipflop.

Thank you.