I can do that, but right now I don't have time. Will try this evening.
Get all your saving done, flash and eeprom, get those out of the way and I'll post the method this evening.

In Developmental Panel each sector must be unlocked

Example
Address 7FC00000
Data 60 write byte
Data D0 write byte
Repeat for all 71 sectors

The sectors will then be unlocked and can be erased and reprogrammed.

Sector Addresses

7FC00000
7FC02000
7FC04000
7FC06000
7FC08000
7FC0A000
7FC0C000
7FC0E000

7FC10000
7FC20000
7FC30000
7FC40000
7FC50000
7FC60000
7FC70000
7FC80000
7FC90000
7FCA0000
7FCB0000
7FCC0000
7FCD0000
7FCE0000
7FCF0000

7FD00000
7FD10000
7FD20000
7FD30000
7FD40000
7FD50000
7FD60000
7FD70000
7FD80000
7FD90000
7FDA0000
7FDB0000
7FDC0000
7FDD0000
7FDE0000
7FDF0000

7FE00000
7FE10000
7FE20000
7FE30000
7FE40000
7FE50000
7FE60000
7FE70000
7FE80000
7FE90000
7FEA0000
7FEB0000
7FEC0000
7FED0000
7FEE0000
7FEF0000

7FF00000
7FF10000
7FF20000
7FF30000
7FF40000
7FF50000
7FF60000
7FF70000
7FF80000
7FF90000
7FFA0000
7FFB0000
7FFC0000
7FFD0000
7FFE0000
7FFF0000


This was not developed by me, as a courtesy I would like to thank those responsible.
Although, I have no idea who they are.

doing it manually might take months. try this method instead. instead of going through the passive trap/dcu, go into development panel and do the same thing you would do in the trap in the development panel and it should make you able to erase the entire flash.


M5

Originally posted by m5runner
doing it manually might take months. try this method instead. instead of going through the passive trap/dcu, go into development panel and do the same thing you would do in the trap in the development panel and it should make you able to erase the entire flash.


M5

Don't think that will work, wortha try tho, but don't think so.

It only takes a few minutes to unlock munually.

i wouldn't post it if it didn't work.


>>>M5

Originally posted by m5runner
i wouldn't post it if it didn't work.


>>>M5

You talking about the M28W chip??
tell us exactly how you unlock it, I'll be happy to verify it.
if there is an easier way I would love to know it.

that must have taken a while to erase everything manually. i have done this on quite a few 430's. instead of going through the passive trap/DCU, i went through the development panel and wrote the address and byte in the upper left boxes and it worked. i wouldn't post it if i haven't tried it myself.


>>>M5

Originally posted by m5runner
that must have taken a while to erase everything manually. i have done this on quite a few 430's. instead of going through the passive trap/DCU, i went through the development panel and wrote the address and byte in the upper left boxes and it worked. i wouldn't post it if i haven't tried it myself.


>>>M5

We are talking about the 430RG with a STM28W320CB flash.

With any other flash I never do anything except read, erase, and reflash, no dev. panel, no trap/DCU, no nothing.

BUT with the M28W flash you must unlock eack sector individually.
ALL 71 of them.

If you found a better way let's here it.

I have done over 35 of the 430/431/450's. Intel flash, STM29W flash, both will erase and reprogram no problem.

The STM28W MUST be unlocked one sector at a time. It will then erase, and reprogram flawlessly.

Originally posted by m5runner
that must have taken a while to erase everything manually. i have done this on quite a few 430's. instead of going through the passive trap/DCU, i went through the development panel and wrote the address and byte in the upper left boxes and it worked. i wouldn't post it if i haven't tried it myself.


>>>M5

For the STM28W, yes you go through the developmental panel and unlock all 71 sectors one by one.

For all other 430/431 flashes, those steps about the trap/DCU or developemental panel are not nescessary.

I don't post anything that I can't prove, positively.

the original post was about the M28 chip right? that's what i was referring to.


M5

Originally posted by m5runner
the original post was about the M28 chip right? that's what i was referring to.


M5

then why don't you tell us EXACTLY how you unlock the sectors without unlocking each one individually???

ok this is how i mod mine...

1. save flash
2. development panel
3. 7FFE0000/60...write byte
4. 7FFE0000/d0 ...write byte
5. read byte (you should get 80)
6. FF...write byte
7. close D. panel
8. erase flash...(watch it count all the way up)
9. program flash


***I did this method when modding 430/431 with the M28 chip
I have 2 430's in my house right now that have been up for quite some time now. I know for sure that it works because the tiers would fall off and the bin would go 745. If you do things another way then that's cool but remember there is always more than 1 way to skin a cat.

I tried that method on my very first 430 mod and I was confused why I didn't get 80 at the bytes when I go through the trap. I went development panel and it worked there so why not stick with that works.

***Modding was done under Jkeys 2.9 AND 2.0


M5

This DOES NOT work with the M28W flash, just tried it DON"T work. I tried it myself this morning, and also confimed it with 2 other people I know that do mods. Tried it with jkeys 2.0.1, 2.9.9 and 2.9.10, don't work.

Originally posted by m5runner
ok this is how i mod mine...

1. save flash
2. development panel
3. 7FFE0000/60...write byte
4. 7FFE0000/d0 ...write byte
5. read byte (you should get 80)
6. FF...write byte
7. close D. panel
8. erase flash...(watch it count all the way up)
9. program flash


***I did this method when modding 430/431 with the M28 chip
I have 2 430's in my house right now that have been up for quite some time now. I know for sure that it works because the tiers would fall off and the bin would go 745. If you do things another way then that's cool but remember there is always more than 1 way to skin a cat.

I tried that method on my very first 430 mod and I was confused why I didn't get 80 at the bytes when I go through the trap. I went development panel and it worked there so why not stick with that works.

***Modding was done under Jkeys 2.9 AND 2.0


M5

ok dude, no need to get the panties in a bunch. i do it my way, you do it your way ok.


M5

Originally posted by m5runner
ok dude, no need to get the panties in a bunch. i do it my way, you do it your way ok.


M5

You won't do a M28W320CB chip as you posted, I can assure you of that. Even the data sheet for that chip shows the unlocking proceedure.

I challenge anyone to follow the directions you give, and erase and reporgram a M28W.

Are you using jkeys 2.9.10??
2.9.9 won't work.

Hello Skinnerd, and whoever had successfully modified 430 with M28W chip.

I downloaded the Jkeys 2.9.10 and manually unlocking all 71 blocks as you suggested. When I chose the model number which is 43x and flash which is 28w and click earase, the error was unable to earase sector or some thing like that. I thought I entered some of the addresses wrong so I retyped again slowly and same thing happen.

My question is... what pin is the FP on the 28w? I counted on the intel M29w is pin 15 and it is a 56 pin chip. On the other hand, M28W is only a 48 pin chip...try to find a data sheet for this chip but couldn't. I need this pin tie to 3.3v or 5.0v in order for me to earase or write it right? Please advise, your help and other will be GREATLY appreciated.

Go back and read the threads, it is not nescessary to put power directly to the flash, put 3.3v to the trace after the cut, after unlocking the sectors, go DIRECTLY to flash programming and erase, then reflash, otherwise the sectors will relock. Do all your saving first then unlock.

Hello Skinerd, sorry to bother you again. I did exactly what you told me. solder the wire after the cut trace. Manually unlock all blocks, went straight to flashing programming...now I got an error, DCU something...went back to detect and no matter what I do, I get that error now...is it broken? IRD response addresses still good. thanks.
if you do anything except unlock and erase, and reflash those sectors, the IRD will have to be rebooted and unlocked all over again.

Do all your saving first, reboot, unlock and erase/reflash without doing ANYTHING else, or you have to start over again.

HI Skinnerd...Now I can't even do anything. Every time I plug it in I got an IRD reading DCU error...can't proceed!.

Sounds like a computer/parallel port problem, have you tried another computer??

Do you have the trace cut and 3.3v applied to enable the flash chip??

To: Skinerd

Have you found a script to automate or speed up the mehtod to unlock all 71 sectors of the STM28W flash chip?

I seem to recall reading that someone once wrote a script that executes all 71 unlock commmands automatically but was unable to share it because such a script is compiled to work only with that persons unqiue computer configuration and thus would not work on our machines.

its called a macro. read up on it

To: Skinerd

Have you found a script to automate or speed up the mehtod to unlock all 71 sectors of the STM28W flash chip?

I seem to recall reading that someone once wrote a script that executes all 71 unlock commmands automatically but was unable to share it because such a script is compiled to work only with that persons unqiue computer configuration and thus would not work on our machines.

I answered this in another thread, PLEASE don't double questions

one came before the other logical progression

i still say that this chip can be erased without typing in all the sectors.

M5

You can say what you want M5runner..but you would still be wrong.

the only way to unlock and reprogram an ST-28W320CB chip is to unlock all 71 sectors manually without any interruption or they are set to automatically re-lock..the techical guide on this chip is quite specific about this proceedure.

The other possibily I am exploring is doing a partial sector erasure of the exact patch where the nozkt was applied (on the Sony's it is litterally only one small byte)..and write that same patch to the chip manually and bypass the areas of the flash that were never modified for nozkt complaince..I am not sure that can be done without first unlocking all 71 sectors intially, but that is why we get paid the big bucks to think of these things...next time I get my hands on a 28W chip I will test my theory.

Also, I already knew about using macros..that is a possibility but not a solution for the masses since it can not be universally shared...I am seraching for something more universal.

So far I have done over 150 nozkt mods and about 7 or 8 with the M28W chip..the use of developmental panel "versus" pasive DCU/TRAP window makes no difference.

I even tried other stupid shortcuts like "60DO -write word" rather than 60-write byte, D0-write byte in an attempt to reduice the time involved..in other words write byte versus write word made no difference.

Skinerd is 100% correct in everything he has said in this thread.

For those looking do do an RCA430 with the unpopular ST-M28W chip follow ONLY Skinerds instructions..also most of you will find that the 430RG is the model than generally has that M28W chip..the use of this obscure flash chip is much rarer in the model 430RGA..so if you are buying such a receiver blind (i.e from a newspaper ad), go with the 430RGA..it is far less likley to have the 28W chip and much more likely to have the Intel E28F320 or the ST29W chips, which are alot easier to erase and modify.

The RGA model also has a better lnb power supply, better than the lnbp15sp that the RG has........

100% correct huh sdeens? so why is the data sheet telling me to apply 12 volts to pin 13 for quick programming and erase? unlike some people here i can back up my claims. hell, it's right there in black and white. well, there is the data sheet. read and enjoy.

M5

Don't know what all the fuss is about

I have used the erase all 71 sectors one by one and it worked fine, just have to sure you use jkeys 2.9.10 or it won't work

M5runner, is your way jkeys specific , as I would like to try your way as well, sound like it would save ALOT of time

just a question ......doesn't shorting out the chip worry you??

Don't know what all the fuss is about

I have used the erase all 71 sectors one by one and it worked fine, just have to sure you use jkeys 2.9.10 or it won't work

M5runner, is your way jkeys specific , as I would like to try your way as well, sound like it would save ALOT of time

just a question ......doesn't shorting out the chip worry you??

I tried the fast erase method listed in the data sheet, cannot get it to work, I would not recommend anyone put any voltage to any chip unless you are absolutely sure of what you are doing, you can destroy the flash chip.....

I tried the fast erase method listed in the data sheet, cannot get it to work, I would not recommend anyone put any voltage to any chip unless you are absolutely sure of what you are doing, you can destroy the flash chip.....



well the data sheet said you can so i don't know what you are talking about. if i am not mistaken it's the same procedure for the philips IRD, the 12 volts to pin 13. its there in black and white. i don't need to say anything more about this.


M5

I went and read the data sheet again, 12 volts is for fast erase, not fast unlocking, I have spoke with a couple other modders, and no-one is able to mod these without unlocking all 71 sectors........

m5,

not trying to be picky, but these posts seem to be contradictory..........on 7/29 you say you can unlock all sectors easily, and 9/20 you post that for a M28W chip you charge more becauce they are a pain in the ass..........now you say they can be easily unlocked again..........

7/29
http://www.dssftp.com/forum/upload/showthread.php?p=20012#post20012

9/20
http://www.dssftp.com/forum/upload/showthread.php?
p=30698#post30698

then on 8/01 this thread
http://www.dssftp.com/forum/upload/showthread.php?t=3357

I maintain that the 71 sectrs must be individually unlocked........

yeah i was wrong before. M28, E28...that was my mistake..got the 2 mixed up. well its no myth, the data sheet is there. read page 10 (all of it) and then decide. i mean think about it, when dave updates the flash do you think he unlocks all 71 sectors?? think what you may. i will stick by the datasheet. i dont see how 12 volts to pin 13 will "damage" the chip if the datasheet says its ok.

From what I can tell, there is no provision for the receiver to apply 12v to that flash for any reason, adding 12v must be manually done. I have no idea if Dave can update that particular flash or not, and if he can, how it is accomplished.

If you are having trouble with the DCU error I have found that if you unplug everything and then plug back in in this order plug in the jtag and then the receiver and then start Jkeys. Usually this will work. Also, I have found that switching from the newer Jkeys to the older Jkeys sometimes works. These receivers are no doubt tricky. Expect to have to fiddle with them a few times. Even though, I have always prevailed. Try it.

If you are having trouble with the DCU error I have found that if you unplug everything and then plug back in in this order plug in the jtag and then the receiver and then start Jkeys. Usually this will work. Also, I have found that switching from the newer Jkeys to the older Jkeys sometimes works. These receivers are no doubt tricky. Expect to have to fiddle with them a few times. Even though, I have always prevailed. Try it.

janej
most of the posters n this thread are quite capabale of modding their receiver, I have done over 300, the discussion concerns unlocking or need to unlock the 71 sectors found with the STM28W flash chip........

Well I got my first 430rg with the M28 today. WHAT A PAIN IN THE NUTZ! It took me 5 tries to get it to unlock. One note that may concern some: It would not unlock using 3.3v to the FP (that was 3 tries). I HAD to use 5v to the FP. I see why Skinerd and others use macros. Gotta go soak my fingers in palmolive now to remove the calusus. :)

Well I got my first 430rg with the M28 today. WHAT A PAIN IN THE NUTZ! It took me 5 tries to get it to unlock. One note that may concern some: It would not unlock using 3.3v to the FP (that was 3 tries). I HAD to use 5v to the FP. I see why Skinerd and others use macros. Gotta go soak my fingers in palmolive now to remove the calusus. :)

I have done about 25 of the M28W chips, 3.3v has always worked for me........

janej
most of the posters n this thread are quite capabale of modding their receiver, I have done over 300, the discussion concerns unlocking or need to unlock the 71 sectors found with the STM28W flash chip........

I myself have done probably around 100 receivers and also the ST28 chip. As per the previous posts, I agree that you must unlock all 71 sectors. But my reply was for the previous posters that were having trouble with the DCU error. Have a look at the beginning of the page. Just trying to help with what I have experienced and tried. Sorry to have bothered you!

............................Sorry to have bothered you!

Hey no bother, it's just the thread was addressing the M28W chip.

try jkeys 2.9.10

seems to work the best

select 43x

m5

you might want to send an email to mrwhites on your findings, he may want to add it to his tutorials

that data sheet refers to the 11.4-12.7 volts as an optional Vpp input power control source..and would speed up erasure NOT unlocking of the 71sectors...but that was my original interpretation.

I agree the chip can cetainly handle 12 volts..this is always true with the Phillips and Echostar DP-301-013 receivers and your right the date sheet states it can as well thru pin #13.

12 volts in NOT native to the board so fishing for it wont yield any easy successes (but if you find one let us know)..instead one will have to "leach:" the power from a 22 volt capacitor and reduce it thru a zener diode circuit.

This is how we unlocked the SECTOR lock protection that Charlie put in his newest DP 301-013 receivers (you know the ones with yellow cards)..we had to leach 12 volts from a 22 volt source off their boards and reduce it thru a zener diode w/resistor circuit..that dropped the applied voltage down to a safer level of 12 volts that was safe enough to blast the Flash chip and force an erasure of the TSOP/chip..a small easy cable made from $2 in Rat Shack parts....once we blasted thur that hardware lock we erased the chip and flashed it with older firmware that supports the blue rom3 and rom10 cards..actually a very easy technique.

reasearch the DP-301-013 (with yellow cards) trick--and you will see how we did this..old Charlie thought his Flash lockdown protection installed at the factory could not be penetratated by Jkeys via a software command..and yes he was correct in theory..but what he did not account for was a hardware approach that hits the flash chip with a voltage higher than the normal 5 volts that the chip oprates at.

I will give this new method suggested by M5runner some more thought..I actually thought of this long ago when I read the spec data-sheet;

but I dismissed it long ago because I interpreted the data sheet as a fast erasure method and NOT a fast UNLOCKING method.

But after I started doing the zener diode trick in those DP-301-013 receivers (you know the ones that come with yellow dish cards) I started to believe that these chips could withstand much higher voltages than their data sheets suggested...and that the use of such higher voltages can be used as a tool to penetrate a hardware lock that is installed in the flash chip..in the case of the ST-M28W chip it came with 71 individual hardware lock sectors that could be turned off thru software..but one could in theory penetrate it with higher voltages that exceed the control voltage which is 5 volts.

I think we should take a step back and research this further to see if M5Runner is correct...it certainly does work in the Phillips and DP-301-103's w/yellow cards..12 volts breaks thru the internal flash lock despite the sector lock that Charlie installed. My intial opinion is that it probably wont work, but there is always more than one way to skin a cat.

i will try and dig out a 430 with 28W chip and try my DP-301-013 cable (12 volt cable) I know there are several capacitors on the RCA430 that are easy to attach to and are at 22 volts..so it should be an easy task leaching it down to 12 volts and attaching it to pin #13 and execute the FULL unlock command.

we shall see what happens and I will report back later

I just read the DS again, no-where does it say 12v can be used for unlocking, it does say that 12v can be used for fast programming and erase.
The only thing I can find concerning unlocking is that each block must be individually unlocked...

I think that the original question has been answered and that M5 got it mistaken

So we all should unlock all 71 sectors one by one

The reason I believe that some do not unlock and the error happens is that jkeys pauses for a second every now and than. But if you pay attention to where the cursor is, just make sure that it moves when you write byte

I was told to expect an error, but I took my time and it erased 100% the first try

Is it necessary to write protect the board assuming it cannot be re-writtten to??

Is there a closer ground to use for grounding fp

I use a wire about 2 inches long to ground FP, have you seem my pics, very easy to enable/protect if you cut where I do.......

Send me a PM with the pic if you don't mind

Yes, I came to the same conclusion when I originally read the data sheet (the 11.4-12.7 volts is an optional Vpp power control method to pin #13 to accelerate the erasure..not to be used for the initial 71 sector unlock requirement)..but in the interests on not trying to pick on "M5runner" I will try his suggestion and see what happens..it probably wont work but stranger things have happened.

also,

M5runner, it seems your alone on this one, simply because others have tried EXACTLY your suggestion and it has never worked with respect to the M28W chip..but in the interests of keeping an open mind I will try it and see what happens. If we are ALL wrong then you can expect many applogies (me for one) and then you will get alot of cudos for being the smartest one to figure out a programming shortcut of the M28W chip, but if your wrong its a permanant stain on your reputation, one which will NOT be easily lived down.

peace :-)

JxDx2,

Maybe this will help..........



JxDx2,
Sorry, I tried to attach an eeprom file to this post but I couldnt get it to work right.........

We were ALL wrong and M5runner was right!

His method to accelerate the unlocking of ALL 71 sectors in the ST-M28W chip is 100% correct..I just tried his suggestion about using 13 volts added to pin #13 and it zipped thru all 71 sectors in about 2 seconds..also I verified all of this by first reading the flash chip and saving to separate folder its original file (not the zkt file)..then I erased it as per his instructions and yes it did bypass all 71 locks...it erased them so fast and it counted from 1..2..3.....71 in about 2 seconds flat!


The hardest part was finding a stable 12-13 volt source from the board..I was just about to give up when I found it: CR14107..if you are standing behind the receiver, it is located in the upper right hand corner of the RCA 430RG...the side with the silver stripe.

The key here is NOT to apply the 13 volts of power to the flash chip pin #13 until after you go into developmental panel and type 7FFE0000 (60, DO etc..) I am not sure why, but that was how I got it to work..its a bit tricky and I will need to iron out the exact procedures...maybe I got that part wrong..but I will do this all again on a different receiver just to be sure and report back again with my findings.

also we can use that very tiny test point directly to the left of the 5518 microprocprocessor to apply the 13 volts..you know the place where we can cut that small trace..its the easiest location to apply the power to the Flash chip...I find it works in all of the 430's and 431's regardless of which flash chip they have (Intel, ST-28W, St-29W).

Also, i observed that after it erases the ST-M28W flash chip it does not like using 13 volts to write back or program to the flash chip the NOZKT binary..I was forced to reapply the original 5 volts source we would normally use..again I am not sure why this switcheroo with power is required but between the two (13 volts and 5 volts) we can erase and program that chip is seconds...some of you may find that 13 voilts all the way thru erase and program will work fine..I was experiment some more on another receiver using ther M28W chip.

To prove that this accelerated method in fact worked I, saved my original 430RG.bin and after I erased the chip in 2 seconds with M5runners method, I re-saved it again..naturally of course I did a complete electrical restart of the receiver to ensure that would not be giving me false values..the newly erased bin after now being re-saved showed all "FF's" in all addresses..which incidently exactly what an erased flash chip should show..so now I have proven beyond any doubts that it was erased..then I restarted JTAG and did the whole thing over again and erased the chip a second time and 3rd time for good measure..then i switched back to 5 volts and programmed it with the nozkt binary.

then I unplugged receiver and re-started JTAG..I did a full reading from the intial window that JKEY shows and read the entire memory.

to verify it took, I compared the original NOZKT binary from Balcknite and compared it to the NOZKT bin I just read from the newly programmed flash chip.

I used WinHEX for these comparrions and they were 100% correct no differences detected..so this proves the flash was taken and erased 100% in seconds flat.

The reason I am keeping up on this is because the tech data sheet itself on this chip does show that 13 volts is for accelerated erasure and M5runner is correct in stating that it also bypasses the 71 locks even though its very vague about that point,..this is also very similar to the DP-301-013 VID modification for those Echostar receivers that ONLY work with yellow cards..we got around the hardware loclks by blasting it with 13 volts thur a zener diode cable.

I think the same is occuring here and the 13 volts source I found is CR-14107.

remember this is a bit more tricky and may require some back-and forth developmental panel (7FFE0000...60/D0)..but at least you don't have to unlock all 71 sectors the manual way..once I iron out the exact procedure I will post..but I want to use a diufferent receiver to be sure.

he's right it works, its just done in a slightly different manner than the way we normally erase an Intel or ST29W chip.

also, if you get an error saying its not 100% erased--..disregard that it will take the nozkt flash all the way thru 100%

good job M5runner..you were right and we were ALL wrong

Applying 5v or 13v to the trace, cut from pin 2 of the CPU, does not apply that voltage to the flash chip, rather is applies it to a transistor amplifier circuit the turns 3.3v on to the flash chip.....therefore applying 3.3v is all that is needed if you use that method.....

Personally I have never tried to put 12v to pin 13 of the M28W flash, perhaps it does work, I can find nothing in the data sheet to confirm that tho....if you try that method again please report back with your results......

I don't cuttently have a 430 with a M28W to test it with and don't think I would try if I did, because of the possibility of destroying the flash chip....using macros to unlock is plenty fast enough for me.....

it didn't destroy the flash chip and there are many precidents in the testing communtiy with these Intel, ST and Sharp flash chips..the Phillips 5250-5353 can easily handle 12 volts, the Echostar DP301-013 also can accept it (see the VID modification technique)..the bottom line is even the data sheet for the ST-M28W states it too can accept it as an "optional" method to accelerate the erasure of the chip..but the fringe benefit here is it also bypasses for some reason the 71 locks..this is somewhat of an analogy to the VID modification on the DP-301-013's which I have mentioned in earlier posts...we bypassed or deactivated the lock by using a higher voltage to break it down..if its been done before on the Phillips and DP-301-013's then why not the ST-M28W chip?

I started by asking myself..why would ST put a optional 11.4-12.7 volts to pin#13 to accelerate erasure?

The answer is obvious..because as a technician you would NOT want to spend ALL DAY long unlocking each sector one-by-one at the factory counting all the way to 71 when the receiver was first assembled in Mexico..this probably also explains why they quickly stop using this flash chip and went to the M29W (there was probably both some confusion and safety concerns about this technique)..I suspect also that somehow this optional control circuit can be turned on by Dave via some command thru the stream and thus that's how those 430Rg's took their firmware updates..besides why would we need an optional 13 volts to accelerate erasure when it ONLY takes 60 seconds anyway once the 71 sectors are manually unlocked?

the answer I believe is because is it also BYPASSes the sector locks which is what I think they were alluding to in the data sheet..i think it should have been more specific about this point.

All I know is it worked on mine and M5runner's, but I will get another one pretty soon to verify it works again..I thought there might be more to this than the data sheet suggested..it was to be fair rather vague about that optional source of 11.4-12.7 volts applied to pin #13.

it definately unlocked that chip in record time and the RCA430RG still works fine with the NOZKT bib loaded to it..no wipes and no 745's or 711's using an invalid camid..so something obviously good happened and I think these chips are more resilient if you take your time.

If anyone else has a spare 430RG (you most likely you wont find that M28W chip in a 430RGA) then check out what happens when you hit pin #13 with 13 volts leached from that source I found..its interesting how it erased the chip in seconds.

I have to refine the procedure some more so it goes more smoothly (it took me a couple of tries to get it right) and it would be nice to hear from M5runner to hear which EXACT test point he used for pin #13..and where he leached his 13 volt source from?

Also I might add that the data sheet says that pin#13 when supplied with 11.4-12.7 volts is for "programming/erasure"..pin#13 is BOTH a control pin and power supply pin...see data sheet page #10 right hand side..read section on Vpp..

I think we were misinterpreting the term "programming"..i think in the text of this discussion it is possibly referring to the "disabling of the locks" to authorize the "programming ability" of the circuit and once Vpp is greater than the control circuit value of 3.3 volts it authorizes a fast erasure...so programming and THEN erasure..they are NOT meant to be interpreted as the same thing...but I think it takes all of a minimum of 11.4 volts to get there.

this is why I think it works..it was actually right in front of us..but we were interpreting programming and erasure as meaning the same thing when in fact one is different than the other...that's what confused me when i first read it..the data sheet should have spelled it in simpler english with regards to why the locks are disabled when votage is greater than 3.3 volts..besides why would anyone create a electrically eraseable flash chip that can ONLY be erased after manual and difficult and tedious unlocking of 71 sectors..I can't image that being easily approved by Dave when he routinely sends down firmware updates to intial line of recievers when they are first sold in the stores..and the 430RG was the very first receiver he sold in that line..even before the ones that used the Intel and ST 29W chips..at least as far as I can tell.

No the answer is elsewhere..there has to be a simpler way and thats what that Vpp is for.

what is still unclear to me is the easiest test point to apply it to pin #13 on that flash chip..i had to play around with it to make good contact.

13 will destroy if applied to the wrong pin, I got 2 that someone else tried to mod following info for another chip, and put 12v to, I think pin 15, those 2 reeivers now are inoperable...

If I may make a little comment here.....

What we are talking about is TSOP's ICs. There is a difference between in-line flashing/programming, and standalone programming. Most of the chip makers would stray away from in-line programming, due to the fact that there are multiple applications for the same IC. I am talking about programming the chip onboard and on a standalone programmer. The spec sheet usually is for standalone programming, that is, they program the TSOP before they install it onboard.

But if it works than I would like to try it as well

Congrats sdeens and m5

use pin #13 and add between 11-13 volts..also I would not suggest using pin #15 since that is the WRONG pin assignment and one should expect a fried chip it in that scenario..also check for other test points that are connected to pin #13 using a continuity test with your mutli-meters..i believe they are there if you trace them backwards...hard for me to describe there exact location..but its close to the flash chip..to the left along edge of circuit board.

Also,
Befoe anyone does this, you might want to read page 10 of the data sheet that M5runner attached to this thread a few pages up 9.pdf format)..and read the right hand column about Vpp to pin #13

I found a stable 13 volt source on board..I would be curious if its the same on everyone elses' RCA430RG

I am also wondering what happens to pin #2 when we bypoass it and use pin #13 and add the 13 volts..how is that circuit affected by this optional Vpp power input source.

remember don't pass judgement on M5runner until you have personally tried his technique (reading a data sheet and testing are two different things)..because I can tell you for a fact it sure as hell erased that chip in 1 second and raced lightening fast from #1...71 sectors...so something postive is obviously going on here with regard to pin #13 and 13 volts from an optional outside source.

we nned to explore this technique and when I get some more with that M28W chip, I will confirm it a second time..I get them from time to time especially when I see an RCA430RG (not the 430RGA's)

I want to refine the procedure to make sure it goes smootly and it works on more than once receiver..but early tests look great.

don't forget pin#13 is BOTH a "control pin and optional power supply pin"..i think when they programmed these chips originally in Mexico outside the control circuit (i.e in a standalone programmer) they applied 11-13 volts to pin #13 so they do not have to manually waste time unlocking 71 sectors 9that's why they put it there in the first place)..but it is this very same pin that also doubles as control circuit pin so we can program it in circuit after its been solder to the circuit board and bypasses the normal flash control circuit that is powered thru pin #2 from the 5518 microprocessor (I belive its pin #197?, but I am not sure since I visually counted backwards so I may be off by one)..but you get the point.

I found that it erases the M28W chip fine but its best to use pin#13 only for that purpose and use the old 3.3 volts to pin #2 (i. e that tiny test pint we use to left of the 5518 microprocessor) after its been erased. at this point I noticed on a few occasions it reported that chip was not blank but it was in fact 100% erased when I saved it..this is often the case incidently with ST chips..sector #31 in the M29W chips never erases but its erased sufficiently to apply the nozkt binarary.

this I belive is a similar event with the M28W chip.

you asked for a shorcut and the data sheet shows that the factory technicians used pin #13 for a shortcut to both program and erase the chip.

I find its best to NEVER take a firm stand against anything you having personally verified.

p.s.

don't use pin #15 and over charge the flash with 12 volts..the M28W chip is designed to accept 11.4-12.7 volts safely when inputed ONLY to pin #13..the data sheet is very clear on this point (see page #10 right hand side)

sdeens, i admire you for standing up and admitting you were wrong. at least 1 guy is man enough to do it. i do appreciate your last few posts.....good to know that there are some good testers out there. for the guy that asked if i don't worry about burning up my flash, the answer is no.... i am a fearless tester and for the most part these IRDs are forgiving.

M5

PS. i used an external power supply to keep a constant 12v even though the data sheet suggest you couple it with a cap or 2. i tried using pin3 off the lnbp chip once. worked once but i think it was a fluke because it was a little over 13 volts i think but 1 to 5 volts over usually doesn't concern me even though it might have bad results when i test.

WOW! That's what I call testing!!! Good job guys!

thank you sir

///M5

I have several M28W320CBs that I put aside after doing one earlier, manually. I want to try the M5runner trick. As posted by M5runner,
1. save flash
2. development panel
3. 7FFE0000/60...write byte
4. 7FFE0000/d0 ...write byte
5. read byte (you should get 80)
6. FF...write byte
7. close D. panel
8. erase flash...(watch it count all the way up)
9. program flash

Here are my problems: I get FF and not 80 when I read byte. Also, I am tapping off CR14107 and I meter only 10V. I cannot erase even one sector as it errors . Using Jkeys 2.9.10, reads fine but cannot erase using the "trick". Is my volts too low?

According to datasheet, a minimun of 11v is needed....use a battery, that's what m5 said he used...

CR14107 also started for me at 10 volts..but you may find that after about 5-10 minutes it builds up a charge to as high as 15-16 volts..i had to wait 3-4 minutes before it was high enough for me before i applied it..also as was suggested above a stable 13 volt external source (batteries, or other device) is the better method.

also, pin#13 is a very small leg in the middle of the flash chip, so if you do not ohm it out to a test point try using a small gauge wire soldered to the end of a sewing needle..sort of like the pin#56 trick we used in the RCA222's locked.

also I started off with a value of "FF" so I don't think that will matter..in fact that is the value you ultimately are looking for anyway.

i said nothing about a battery. outside power source is what i used. i am sure there is a point on that board where it's exactly 12 volts that leads into pin 13, just like the philips IRD. i would go off that cap that sdeens suggested. i used a sewing needle to power pin 13


M5

Yes, external power was what you said, I read battery into that, my mistake.......

anyone else have success with the power to pin 13 programming? post em if you got em. i would like to see more people doing it.


M5

The M28W chip is not that common, seems like I see them in streaks, the last ones I had I had 4 of them, since then I hardly ever see one...I'll try it as soon as I get one...

I have tried unsuccessfully to erase the M28 using the m5runner "trick". I am using a 12 Volt AC/DC adapter with interchangeable adapters. I use test pins inserted in the adapter and have one wire with a needle which I use to touch Pin #13 when I go into Dev Panel. My thought was I can regulate the DC voltages to try and if succussful I could lower the voltage to 5V for programming. I keep getting Error erasing message and 0 sectors erased. Two questions.

1. Do I still have to cut the trace to Pin #2 on the STI processor and apply 3.3V?? I did not do this for erasing.

2. Confirm I apply the 13V after I close the Dev. Panel after typing in the command. Also, I will need 5V to Pin #13 to program?

Thanks for any suggestions.

1. yes you still need ti cut the trace to pin#2 otherwise the processor will try and fight you for control of the flash chip

2. also i used 3.3 volts or 5 volts 9does notmatter) to first write the 7FFE..60/DO to that test poinjt just to the immediate left of the processor..i did not use the 13 volts to write those commands in developmental panel..once those commands were written i switched to flash programming window and hit full erase button..it was at this point i applied the 13 volts to pin #13..not before.

also i find that what happens is if you toggle back and forth between developmental panle and flash erase windoiw you will lock up the 430Rg..you get to enter each wiondow only once..failign to doi it in the proper sequnce will generate the erro you receioved..thus necesseitating an electrical hardreset--pull a/c power chord and reinsert and relauch jkeys completely.

this is abit tricky and not so clear cut..but if you try enough permuatations in how you apply the power eventually you will get it.

for example,

if try the older 5 volt way (unlocking all 71 sectors)..try this experiment to proove my point:

1. try erasing just 2 or 3 of the 71 sectors using 5 volts applied to that tiny test point (cut trace of course)..enter developmental panel: tyep in 7FC00000 60/DO, 7FC02000 60/DO. 7FC04000 60/DO..just those three shoul;d erase 2 0r 3 sectors of the 71..then after doing this in developmental panel proceed directly to flash write window..select 28W chip from pull down menu..then hit full erase..it will count 1, 2, 3 and then stop giving you an error writing to flash..now, if you go back into developmental panel and type in a fewmore addressesyou will be wasting your time..the flash chip needs to be rebooted elctrically..you will get an immediate flash error

i think what this means is you have one shot each time you open a window and use developmental panel..the same goes with the 13 volts..the trick is the sequence of how it is applied, not just simply which pin (i.e #13)

i have also done this to another 430RG sucessfuly, but i notcied that I had to use an external reugalated power source to achive the trcik..the capacitopr i was leaching form on this particular 430RG was spitting how 17 volts DXC..which is probably too much and i didn not want to damage the flash chip..so unless that capacitor is between 11-14 volts i would be careful..these chips can handle a little bit over the accepted tolerance, but going too far (i.e 17 volts is probably not a safe idea)...best to use an external source and a needle to hit pin#13..also there ius a test point to the left of the flash that ohms out to pin#13..easy to find if you look along the leading edge of the board.

i think i nned to refine this procedurea little bit more..but my latest observations hsow that not all 430RG;s spit out that stable 13 volts i used in my first 430Rg thathad the m28w chip..sometimes that cap does not lerak and it charges right up to 17 volts..sop if you use that cap make sure first it falls within a safe tolerance or use an external power supply sourc..of course you could stepit down if you had the diodes and resistrors to do that...i.e make a special wire for that particular 430Rg..i did this for my DP-301-013's that need a similar leach modification to break thru its hardware locks.

I will try that next time..leaving the trace cut in-tact while erasing thru pin #13..that might explain my annomalies..it worked but I had to toggle back and forth a few times until it took.

did you also type anything different in the developmenat panel to enable fllash write control cicuitry..a code sent to to the chip before the unlockign command?

Sort of like what we do with the 420's: 20010030/FF and 20010000/FF..use the processor to write the flash rather than cutting the trace and applying 5 volts to the FP pin..I find that software developmental panel method to be alot safer on some 420's since the test point we used for leaching 5 volts is NOT always a stable source..i have seen some 420's spit out 6-6.5 volts at that point and some of thsoe sharp chips don't like being programmed outisde the processors stable 5 volt source

come to think it makes more sense to me now we should leave the trace cut intact while trying your method..I guess that test point I used got around the trace cut I made...let the processor do the erasing and control the flash enable circuity while juicng up thee voltage thru pin#13...once it detects something greater than 11.4 volts it enable Vpp bypass.

i hope i got that right :-)

and yeah your right we need to write an exact "how-to" since the procedure is somewhat differnt than the methods used on most 430Rg's which sugegst first cutting ther trace and bypass the processor to enble flash write control.

sorry about my last post....had to delete it....just woke up, not in the right frame of mind. back to business now.

i never cut traces until after i finish flashing. i found that out the hard way when i was doing this thing the "hard way" a long time ago. i ony tried the 7FFE0000/60/DO. I don't think the 20010030/FF will work on the 430 IRD. i still want someone to donate one to testing so i can write a how to for it.

M5

got a PM from another successful modder with the 12 volts to pin 13. he used a philips IRD for his 12 volt power source. ...just food for thought boys.

M5

that's a great idea..pin#7 off the main power supply ribbon is a stable 12 volts..a perfect source for those that have any of the Phillips 5250,5350 or 5353's around.

also if I might suggest he should post his findings in this thread..its nice he sent you a PM but its is more important that he support the method by posting his fiidings publically.

i have done it twice so it definately works..the trick is a stable 12-13 volt power source..I think the data sheet said it triggers the Vpp control circuit once Vpp is greater than 11.4+ volts..that's the cutoff or triggering point.

Hi guys
I live in Juarez Mexico, about 2 miles from RCA THOMSON DE MEXICO where they build ALL MODELS of RCA receivers I know personaly several technicians that work there
I purchase parts, schematics and cards from them all the time. I got the ORIGINAL SOFWARE THEY USE to reprogram the IRD's with. I use it to change the IRD serial number of as menny IRD's I can put my hand on it.(Im testing with software that charges me an eye for every IDR I 3m based on the IRD #, so now I can program plenty of receivers wit the same IRD# and pay for one only) Heres how they do it in the plant or maquila. Open the receiver and ground a specific TP or test point
located near by the eeprom on most receivers, plug in one end of a J45 cable to the back of the receiver where it reads "LOW SPEED DATA" (not to the phone plug) and the other end of the cable to the computer and run the original sofware they use at the factory. Lots of things can be changed this way, then remove the ground from TP close the receiver and either sale it or exchange it to the customer to save me time.

Hope this give you an idea of how things are done in the factory when they have to modify 50,000 or so units called back from Kmarts not too long ago.
Thanks for reading
cisco356

Hi Cisco356,
Can you upload the dsstalk.exe? Let us try it out.
Thanks

Hey cisco, get a 430 schematic, for the 430RG and RGA. I also would love to get my hands on dsstalk also.

Hey skinerd I just e-mail you an invitation

To: CISCO356,

YGM (PM)

--sdeens

Is that Juarez, the city about 150 miles southwest of El Paso?

More like 0.05 miles from El Paso, it's just across the bridge.

sorry that was a type error..I have read that some people live in the US and work at that plant and visa-versa

got a PM from another successful modder with the 12 volts to pin 13. he used a philips IRD for his 12 volt power source. ...just food for thought boys.

M5


That would be me that m5runner was referring to. I have been visiting the site as a visitor for a while and think you guys have a solid forum with alot of knowledgeable folks here and have enjoyed reading very much.


This is my 1st post and wanted to thank m5runner for his insite on the quick erase of the m28 version chip in the RCA430 series IRDs. I had done numerous Phillips boxes and when I was reading the posts I actually had one sitting in front of me and used the 12 volts from it to do the erase on the 430 and man that was cooooollll!!! :D

I sent an email to m5runner thanking him for the tip and also wanted to encourage others here and at a few other forums to give it a try!!



chep

yes indeed

The lesson I learned from this was not to believe everything I read and to always double check by reading the data sheets on these receivers flash chips...it was right in front of us on page 10, instead I just assumed it was the same architecture as the Intel chip.

a nice little shortcut..I also found you can use one of those R.S lantern batteries ($12) to do the trick..also the low end is 11.4 to enable the Vpp circuit.

this is basically the same thing as the VID mods we use on the Charlie DP301-013 receivers..the reset pin #12 on those recivers is called the "Vid" citcuit but they serve the same purpose...a power supply pin that temprarily bypasses the locks and allows faster programming.

nice to hear some more positive feedback..I told Blaknite about it, but by then he had shut down his site and it was too late to add it to the help files.

also I found another test point on the bard that is about 13-14 volts..a bit over the data sheet but it should serve ok..this is what testing is all about

thanks for the input guys.

M5

Great testing guys!! I was getting very sick of manually typing in the unlock codes for all 71 sectors. :)

So, will you need do a trace cut on pin 13 or in conjunction with pin 2 from the processor, once your done with the mod; to prevent firmware updates???
kk
:smoke:

Hello Chep, thanks for sending me over.

Cutting the trace from pin 2 of the processor will do for write protect, cut it and try to erase or program the chip without powering pin 13 of the flash...you won't be able to.

Glad you could make it dude!!! :D

Seems like a great bunch of knowledgeable testers reside here at Mili's!!



chep