
Contents

1. Novice angles digital cable guide
2. Wembley downgrade trick
3. Digital area codes
4. How to Convert an X-Box PC-Bioxx Modchip into an Atmel Reader
5. Atmel removal and refitting
6. Funcard, Zeus & Distance V1.0 Tutorial
7. How To Add Digital Audio To A Di4000

Compiled by yz450
The Beginners guide to Cable TV
Written by NoviceAngel

Converted by YZ450

This Guide has been written to help you understand the technicalities of a
modern Pay TV system. It has been written for educational purposes only.
Modshack and I do NOT encourage or condone the illegal viewing of cable TV.

The first thing to say is that understanding cable TV takes some thought and
persistence, and a modicum of common sense. Many of you will be familiar
with SECA and On-digital (ITV Digital), you may be familiar with programming
a gold card and using it for ITV digital, this is a very different system. Much
more complicated to understand (and hack ! ). However with perseverance it
can be done.

There has been much debate about the writing of this guide. Many didn't want
a guide to be written at all ! If I or anybody else wrote a complete document
on hacking cable TV, then that would encourage the cable Companies to
actively shut-down the loop holes in the system.

This IS NOT a complete Guide to hacking cable. This guide is provided
FREE OF CHARGE and no charge should ever be made to read or
download it.

In short this guide in its entirety will NOT give you FREE TV. It will
however give you a very clear understanding of the software you will require,
and give you a basic overview of the cable TV system.

I have tried to write this guide with the minimum of information. I am only
typing things that you need to know and deliberately cutting out aspects that I
don't think are relevant to this guide.

I would advise you to read ALL the guide, not just the bits you feel you are
unsure about.

Here's a few quick links to the various sections.

1 Let's Begin

2 Purchasing a cable box

3 Cutting Talk-Back

4 Setting the NET ID

5 Lets Have A Look At Libby

5 Setting The Default Frequency

6 Card Programmers

7 NagraEdit

8 Expiry Dates

9 The EMM Mod

10 Rom Studio

11 Making a Fun Card

12 Splitting The Cable Feed

13 Connecting The Digibox

14 Problem Solving

15 External Links

16 Summing up and Credits

Let's begin

First put the kettle on, mine's one sugar and not too much milk.... This will take
some reading.... and you'll need a cuppa or something a little stronger!

To start with, you need cable TV installing. The broadband internet service is
the same cable which carries the CATV signal. However, I strongly
recommend that you have the minimum package of CATV installed. The
reason for this is simple. This is the ONLY way to ensure the signal levels
entering your home will be at the correct levels for your STB (set-top box).
Many people try and split the cable from the internet broadband connection,
and then spend weeks trying to get the levels correct. The second reason for
paying for the minimum package is ITV DIGITAL! The idea of a hacker is to
be a parasite, living off its host. Kill the host and you die. The third reason, if
the first two weren't enough is that TW (Telewest) & NTL do use different
cable boxes in different areas. So getting a SUBBED (subscribed) box is the
best way to ensure you purchase the correct model of STB.

That's right - purchase! YOU MUST NEVER EVER TAMPER WITH A SUBBED BOX!!!!!!!!!
You will probably end up in jail if you do........ YOU HAVE BEEN WARNED

Purchasing a Cable Box

Your shiny new cable box will probably be a PACE, although other brands are
starting to filter through. You must purchase a cable box with the same cable
company's name on it. IE: - DO NOT PURCHASE AN NTL BOX FOR A TW
AREA. You will also need to purchase the same model number of box. My
personal favourite is the DI4000 box. It is quite a new box and is very easy to
modify, although a DI2000 & DI1000 are readily available and are an older
version of the DI4000. Do NOT purchase a DI300 box or a box from any other
manufacturer other than Pace. It may not be easy to find a box for sale as
technically all these boxes are the property of the cable companies as they
DO NOT sell their boxes. However, 'missing' boxes are available for private
purchase at car boot sales and on eBay. EBay have just recently started to
close the auctions of cable boxes, so it might be worth an e-mail to the seller,
just in case the auction that you’re bidding on ends abruptly. You should be
able to purchase a box for around the £60 mark, any more and you're getting
ripped off. Every time I look on eBay prices are rising and this is a concern.

This is a bit early in the guide to be mentioning words like Davic and Docsis
but you need to understand a little about these terms. There are two boxes
which are different to others, Firstly there's the DI4001. This box is what we
term 'Davic'. The second box that's different is the DI4010. This box is both
compatible with the Davic and Docsis systems. All TW regions use the Docsis
system, so you don't have to worry about buying a TW Davic box by mistake,
because there aren't any!

To identify which area you’re in look at the map below:

If your area starts with 1, 2 or 6, then you are in a Davic area. If your area
starts with a 3, 4 or 5 then you are in a Docsis area (ex C&W)

Most regions use the Docsis system. We do get a few questions from
members asking if a DI4001 box can be used in a DI4000 area. After all it’s
only a 1 instead of a 0! Well yes it's technically possible, but PLEASE don't
try. It's not worth the hassle. Please give yourself the best chance of success
and don't mix these boxes up!

Purchasing your box, is the single most important part of this cable hack,
making a mistake here could cost you ££££'s.

You will see many sales saying "With Unlocked Rom 10/11 card ". Others will
be without a card. Let's take a moment to understand in very basic terms how
the cable system operates.

When a cable box is installed by a cable company, it comes with a digital
smart card. This card, unlike ITV Digital, is unique to that box. This is a
similar system to Sky TV. Have you ever tried to put a Sky digital card in
another Sky receiver? You will find you get a message to say "Incorrect card
for this box". That's because Sky, like cable, PAIR the card to the box by the
means of a BOX KEY (BK). This BK is critical to the entire cable hack. Each
box produced has a unique BK and in order for that box to work you need the
BK to be programmed into the digital smart card.

This digital smart card, in the case of cable, is called a Rom card. There have
been many revisions of Rom cards, the most common Rom 10 and a further
Rom 11 card.

So, just to recap, we know we need the BK, which is on the Rom card that
was paired to the box. So purchasing a box without the correct paired card is
like buying a car without the ignition key.

There are ways to get the BK without the card. A database has been released
of BK's, this is mainly for the older DI1000 pace boxes so don't hold your
breath for any other model of PACE STB. You can download the database by
looking around for it.

If you really can't purchase a box with an unlocked Rom 10/11 card. Then
your best bet is to get an early DI1000 and hope you can get the BK from the
database. You will of course, need a card , luckily a 'FUN' card can be used.
More on this later.....

One more way to obtain the BK is to use a piece of software called
Libdebug. This software is used to allow you to connect to the box and do
basic tasks. This is not very reliable as the cable companies were very quick
to close this door, and the vast majority of boxes out there will have been re-
programmed to stop you using this method.

The very last resort is to remove the actual IC's inside the box that contain the
BK and read the IC's in a Willem programmer. This programmer will cost you
about £110 and the skills needed to de-solder a 48 pin surface mount IC (one
in the DI4000 - Two in other models) are way beyond the remit of this
beginners guide.

So you really need to purchase a box with its original Rom 10 or Rom 11 card.
However, the cable Companies are not slow off the mark here, because over
the last few months, they have been locking the Rom 10/11 cards and altering
the cards electronically to stop hackers from being able to read them
anymore. In the case of a Rom 10, we call it being A3C'd (locked). Rom 11
cards get changed to B08. However Rom 11 cards that have a revision of B06
and above are locked.

So we need to purchase a box with a paired card that is still readable to
obtain the BK.

This is a major challenge and asking the right questions of the seller could
save you £££'s!

You need to ask the seller if the number printed on the card, matches the
longer number printed underneath the box (This does NOT apply to Telewest
Cards). This is a good indication that the card does actually belong to that
box. A quick visual check is all that's needed.

To establish if the card is locked, takes a little more effort.

In many parts of this guide you will need to enter the engineers menu. This
gives vital information about the box, and is an important part of the hack.

To enter the engineers menu you need to plug a scart lead into the box and
select the TV's AV channel. DO NOT CONNECT THE BOX TO A CABLE TV
FEED. Now apply the mains supply to the box and press the cursor up &
down keys simultaneously on the front of the box, hold them in until you see
this picture (below left) on your TV.

This is the engineers menu, the numbers may vary but you get the idea.
Now, using the right(vol+) and left(vol-) keys scroll to page number 7 as
shown above right.

For the moment ignore all the other information shown and look at the
Smartcard Version/Revision. It says DNASP010 REVA16
The first section 'SP010' confirms that the card is a ROM 10. The second bit
of info is the ROM 10 Revision code, in my case is A16.

If yours says A3C then don't buy the box. The card is locked and you
will NOT be able to access the card for the BK!

Similarly if the ROM Revision is DNASP011 REVB06 or above then again
walk away. Any other combinations are fine, e.g. Rom 10 A48 or Rom
11 B01.

Also notice Card Status is shown as OK, if it says 'NOT PAIRED' then
walk away. This 'OK' confirms that the BK on the card is the correct one for
the box ! If it says 'no t-stream' this simply means that no cable connection
has been made to the box, DO NOT connect the box to the stream to
check the card status. You will have to take a chance !

So hopefully, you can now purchase your box. You have a ROM 10/11 card
paired to the box and the card is unlocked. At this point it's worth noting that in
the above example that the PIN is shown as '****' this means that a PIN has
been set. We will need to erase this later as the PIN will probably not be
known. If the PIN is '0000' then no PIN has been programmed into the box.

Cutting Talk-Back

This means removing the top cover from the box. The later boxes have
security screws holding them firmly shut. In reality, this isn't really a problem,
just a slight annoyance. I didn't purchase any special drivers. Just grabbed the
screw heads with some long nose pliers and slowly loosened the screws until
they were slack. Then you can wedge a small screwdriver in them and
remove them fully. When it comes to putting the casing back on, just use any
three 'normal' screws. If you really struggle to get the screws out, you can buy
a security screwdriver bit kit from Maplins it will cost you about £8.

Talkback is another crucial part of the CATV hack, you MUST prevent talk-
back.

Talkback is the method by which cable boxes communicate with their Control
Centre back at the cable company's head office. They will get very suspicious
if they find a reported 'MISSING' box shouting "HELLO COME AND RESCUE
ME" from your living room! So you have to remove the cover of the box and
make a modification, called 'Cutting Talk-back'.

On a 4000 series box it's very simple. This is a picture of where to cut the
track...... Courtesy of Gadgetfiend.....

A 1000 series box is less easy, you need to disassemble the tuner and cut the
track as shown here:

Here's one for the DI2000 box below still inside the tuner :

So let's take a moment to review everything. We now have a digi-box with an
unlocked Rom 10 or Rom 11 card and a box that can't phone home anymore!

Setting the Net ID

The next step is to set the cable box up for the particular area in which you
live. The easiest way to think about this is like tuning a TV. You wouldn't
expect a TV working in the south of England to work in the north without re-
tuning it first, the same goes for cable TV. So each area has a specific
network ID and frequency. It would be a very long tutorial if I were to list
every Network ID.

If you have a Davic box , this section you can skip ! Remember Davic from
earlier ? That's a region that uses the DI4001/DI4010 series of boxes. These
boxes set their own network ID so you don't have to worry about this section !

There are two ways to get the network ID. First have a look at the Sticky
threads in Modshack - seek and ye shall find! The second is that you do have
a subbed box and you could have a peep in the engineers menu, remember
that photo above way back in the tutorial when we were looking at the card
revision. Look at page 2 in the eng.menu. You will find the Network ID. This is
NOT recommended as the cable company will know you have been peeking
around in the eng.menu !

You hopefully now have the Net ID for your area. How on earth do you
programme that into the box ? Time for another drink of vodka at this stage,
forget the tea !

The earlier boxes DI1000,2000 have an RS232 Socket at the rear, this is
used to connect your set-top box to your home PC. This is the point at which I
should introduce you to Libby (Libdebug). This is a leaked piece of software
that Pace use to carry out certain functions with the box. One of these is
setting the Network ID, have a search around Modshack and you will be able
to download Libdebug.

The DI4000 box DOES NOT have an RS232 socket at the rear. This is a
problem that can be easily overcome. There are various methods of
connecting your PC to a DI4000. Some use a scart to RS232 adapter. This
will cost you around £20 to purchase, and you will be lucky if you get one that
works. A more reliable method is to use a Nokia data cable. This works well.
The best way, in my humble opinion, is to make an RS232 socket on a small
piece of Vero board and make a small circuit consisting of a MAX232 IC and 4
x capacitors. The circuit is shown below:

This method is known as the MAX232Mod, the parts can be purchased from
Maplins Electronics for less than £3. Here's a couple of part numbers to help !
FD92A and FG25C. After making this small circuit up I mounted the whole
thing inside the DI4000 mounted on a Lego brick stuck to the main PCB with
Superglue.

Let's Have a Look at Libby

Now you need to download a config file to make Libby work correctly.
Depending on which STB model you have depends on which config to use.
The 4000 series uses a different config to the other boxes. Again, have a look
around, you won't have to look that hard !

If you have downloaded the DI4000 config. You will need to edit the config
file. To do this open up the config file in notepad.

1 Right Click the config file.

2 Click 'Open with.....'

3 Select Notepad from the list.

4 Look through the file for the words 'Set network ID to 40961

a06100001'.

5 edit the last few digits for example for a net ID of 40475 then edit the text to
say ' Set network ID to 40475

a06140475'.

6 Now select 'File', 'Save as'

7 Enter 'My Config.cfg' as the filename

8 Change the 'Save as type' from .txt to 'All files'

9 Click Save and then close notepad.

Install Libby and load the config for your model. Libby will prompt you to load
the config and select the new config you've edited. Select the correct comm.
port in Options , usually comm. port one, but that depends on your PC.

Then connect Libby to your box's RS232 socket, Then connect power to your
box. You will then see lots of data being transferred to and from the box as
it boots.

If the PIN in the eng. menu was set and is unknown then double click 'Erase
SRAM'. You ONLY need to do this if the pin shows up as '****' in the eng.
menu. The PIN inside the box will now be erased.

Then select 'Options', then 'Quick Command'. Enter " = " or in 'command
letter' and " 0 " in 'Payload'. (That's zero not the letter). Your box should then
respond with the IRD and loads of numbers (If you're lucky !). What you have
just tried to do is obtain the IRD & BK with Libby. It may not have worked if
your box has been updated. If it has worked and you have some numbers to
look at, then the first 8 digits form your IRD ending in '12' , more of this later!
The next 16 digits are your BK ! This will only work if the software in your box
is cr1. You can see the software version your box is using by looking at page
2 in the engineers menu, 'Code Release Version' is what to look out for. If the
above doesn't work at all then try "<" in 'command letter' instead of " = " and
"1" instead of " 0 " in 'Payload'. This command tends to work better with
DI1000/2000 boxes.

Don't be too disheartened if this doesn't work, you shouldn't need it anyway as
you will soon have the BK from the card.

Now to set the Network ID.

Click on 'Get Network ID'. If the box returns 00000 then unplug the box and
power up again, and Click on 'Get Network ID' again. The box should return
09999, or another Network ID. This is because if you have needed to clear the
SRAM then you will have to let the box set the Net ID to 09999 first, then re-
boot and the box should then allow you to change the Net Id successfully !

If you have a 4000 Config file Click the + in the left hand window of Libby next
to Misc, you may have to scroll down to find it, and select 'set Net ID'. This will
be the text you edited in the config file above.

If you are using the config. file for a 1000 series, then click the '+' in the left
hand window of Libby, next to Network ID, double-click the network ID for
your area.

You can then re-boot the box and read the network ID using Libby Just click
on 'Get Network ID'. Hopefully it will have been programmed.

If the Net ID has not been set then repeat the procedure again. Once you
have done this disconnect the box and close Libby.

Setting the default frequency

Connect the box up to the TV and pop into the eng. menu on page 1. You
will find the default frequency, use the direction arrows on the front of the box
to enter the correct frequency for your area, press the 'submit/TV' key to store
the changes on the front of the STB. Just check the QAM and default symbol
rate. They should be as set up in the above picture, but they can vary, in a
few areas. While you’re in this menu scroll down to the bottom and using the
cursor keys on the front of the STB Enter a PIN. Don't forget it ! :-) Press the
'submit/TV' key to store.

Card Programmers

You will need a phoenix programmer. This does NOT mean a programmer that can emulate phoenix. So
an ELVIS programmer will not work with your ROM 10/11.

As a special offer to Modshack members Sat Shop will supply a clanzers universal
Phoenix/Smartmouse interface £20 with FREE Delivery and a free 3.68Mhz & 6.00Mhz crystal. You also
can purchase a power supply and serial lead along with the programmer for an extra £5 ! again click
Sat Shop and you will be taken directly to the special offer page !! This in my opinion is the best deal
around on programmers.

This is the Clanzers programmer :

Other reputable suppliers include Sat Store look for his Smartmouse Micro 3.68 around £27 inc.p&p,
many forum members have commented on how helpful Mark at Sat Store is. Another supplier is
Goldwafers they also have a good reputation with fast delivery look for their Cryptik Smartmouse
programmer at £27.50 inc.p&p, this is switchable between 3.68Mhz and 6Mhz.

I have NO connection to any of the above retailers and I DO NOT get any
commission from any sales. They have earned a place in this guide because
of their excellent customer levels and good value for money products. If you
have an existing good reputation and can supply any products that would be
useful to us, then please get in touch with me on Modshack.

If you decide to order a smartmouse programmer from Maxking, you may
have to change the crystal to a 3.68Mhz crystal, they seemed to have a new
supplier and members of the forum have had problems with the latest models
despatched. When you receive your programmer you will have to set the
switches correctly. On Modshack we do get quite a few posts from members
that don't know which positions the switches should be in. Here's a photo of
the ID Programmer from Maxking, with the switches in the correct positions.
The thin red arrow represents the jumper location. The thicker red arrows
represent the bigger switches :

Now connect your programmer up to your PC via an RS232 connection lead.

You will need to download two pieces of software, one is called 'NAGRAEDIT
4.0' and the other is called 'ROM Studio 1.6'. This software can be found at
Modshack.

If you have a Rom 10/11 card then Nagraedit will be easier to use. If you have
a Rom 10 or Rom 11 card with corrupt backdoor keys then you will need to
use Rom Studio.

Download and install both pieces of software.

Whilst we talk about programmers it may be worth mentioning the good old
Elvis.

You can make use of the Elvis, remember I mentioned not having a rom 10/11
card ?

Well, you can use a fun card instead, and of course, an Elvis can program a
fun card. However you WILL need the BK, IRD and the keys for your area. If
you don't have an Elvis then you will need to purchase a fun card
programmer, this is NOT the same as a rom10/11 phoenix card programmer,
but you can purchase a programmer that will program both types of card this
is called the Clanzers Minisdk and you can get it from Sat Shop cost about
£45. Here's a picture :

More on programming a Fun card later in the guide.

NagraEdit 4.0

Open up Nagraedit and you should see this :

Click on 'Tools', 'Options' and the Communications tab :

Copy the settings as above, again the comm. port is normally one.

Next step is to insert your NTL/TW card inside the reader. Now the moment of
truth what will happen next ?

Is now a good time to have another cup of tea ? I could do with one, my
fingers hurt from typing !

Anyway, on we go ! Click on the 'OK' as above and then Click on the icon that
looks like an envelope with a green standby symbol on it. It is the fifth icon
from the left; hover your mouse over it and it says 'Reset Card ATR'.

Now click on the icon to the right of the above, it's an envelope with a blue
arrow pointing to the left.

After a short pause you should get something like

Card read successfully
Efficiency: 99.3%, Packets: 141, Retries: 1, Time: 20.59s
Closing of COM1 was successful

Now click on Data Editor just underneath and to the right of the icon above.

And you should have :

You should now be able to see your BK and other details on the right, make a
note of your BK and IRD. Then click on the envelope icon with the RED arrow
pointing to the right and save your card image. This is very important , save
the image now before you make any changes to your card.

Now it is possible to start editing your card image, however, there is a much
easier way, Look around Modshack for blank images. These are modified
card images that contain ready to go data, to give you all the channels free
and loads of credit for the PPV movies !

This is the lazy easy method and much simpler for the beginner. Details on
how to Modify your original image can be found at Helpfiles.

You will find a number of images, the main three are

TW - card image

NTL - card image

NTL (ex cw) - card image

The correct image for you obviously depends on the area that you live. The
only time you might struggle is if you're not sure if you're in an NTL (ex cw) area.
Just try any of the three files. It can only NOT work !
To open the new card image into Nagraedit simply press 'File' and 'Open card
image' Load your brand new fresh card image.

Nagraedit doesn't like you writing a ROM 10 image onto a Rom 11 card.
Nagraedit will prompt you with an error message, so if you have a problem
writing your image to the card, simply use Rom Studio.

Then enter your BK. In the above example we have entered a BK of
1F,87,46,E3,F0,13,18,47. The IRD is 12,36,27,14. Notice how the IRD is
entered backwards, compared to how it's displayed in the engineers
menu. e.g. IRD = 12,36,27,14 is entered as 14,27,36,12. Make a CAM ID up
and enter it three times as above, any random number will do !

Expiry Dates

It is worth just mentioning the Expiry Dates on the card image as you can see
below, by clicking on the tier 8, there are dates on here that need to be
checked and amended if necessary.

You can see above that the Begin Date is stated as 10 21. The Expire Date is
17 21. The Rights Date is 74 41. Now I could spend the next half hour
explaining how you convert a date into a nagra date, or I could ask you to
download an excellent utility called 'Nagra Date'. Guess which option I've
taken ?............You can add Nagra Date to your required software list !

Let's have a quick look:

So you can see from the above that the expiry date on the card has Expired !
Using this program you can quickly calculate a new date. I am not going to
give a date as an example, because this could be used for a card attack, if we
all had the same expiry date. So make one up, perhaps in a few months time.
I bet you forget and while watching your box, as the expiry date is reached,
you'll then spend the next few days trying to figure out what's happened ! :)
Don't forget to check the Rights Date !!

Enter the new dates onto the card and proceed to the EMM Mod.

The EMM MOD

The next step is to do something called the EMM Mod. This involves changing
a byte of information in the EMM key. This is the process in which the cable
companies lock your card. In order to prevent them from doing so Click on the
left section and select '07 Decrypt Keys' the table on the right then changes :

Look at the top right at the Key Set Number 5C 3F in this case.

It may say : 54 3F or 5A 3F.

NB. If it says 55 3F or 5B 3F or 5D 3F then select a different 07 Decrypt
Keys tier on the left. You must not change any of these decrypt keys on
any of these Key Set Numbers, they are used for PPV functions. If you
find there are a few 07 tiers, check all key set numbers, you should only need
to mod one tier, but there may be two or more 07 tiers that require
modification, depending on the image used.

You now know which key set to modify you will see that there are a collection
of Numbers called the EMM Decrypt Key. This is the key we are going to
modify. In the above example it begins... 16 49 B1..........

It doesn't matter which number you change or how many ! I usually just
change a couple, so for example we could change the second byte in the last
line from 25 to 36, and the F1 to 09

It doesn't matter which ones just change any two ! Do this for each tier 07 that
requires modification.

You have now completed the EMM Mod.

Now you have finished modifying your Rom 10 image and it's time to write the
modified image back to the card. Simply click on 'Card' and select 'Write to
card' and after about 20 seconds your card will have been modified.

It is also worth saving this new card image save it somewhere safe in your
PC.

As you use the card, slowly PPV information will start to build up on your card
and it will require cleaning ....... You can either , open up Nagra edit and
select 'Tools' then 'Clean Card'

Follow the above options, DO NOT FULLY clean the card or you may have
problems getting back into it again.

Another method is to simply re-write your image that you have saved at this
point, back to the card.

We now call your card a MOSC (Modified Original Smart Card). Time to have
another cuppa, you’re just a whisker away from having a complete working
cable TV system for free, but we have to let the guys with a corrupted back-
door catch up first!

Rom Studio 1.6

Open the program and you have the above. You can pop into settings and
select Phoenix, make sure the correct comm. port is selected.

Then Hit the Tab Backdoor

As above select Dump $D000-$DFFF and select Login Aprendiz, your card
will start to be read this may take a while, depending on the speed of your PC.
Rom Studio is much slower than Nagra Edit. If you get an error, use another
login name.

You will then be asked if you want to install ghost provider just say NO then
click FAT Editor. You will be faced with a layout very similar to the Nagra edit
layout,

Click on 'File' and 'Save/Dump image' save the image before you do any
adjustments to the card, you now can follow the same instructions as above
for Nagra edit in brief,

1) Make a note of your IRD and BK

2) Open up a blank card image !

This point you might have problems with, most of the card images have a
.bn10 file extension, You can re-name these files to .bin. Rom Studio will then
be able to open the .bin image

3) Add your IRD and BK.

4) Check and amend card expiry/rights dates.

5) Do EMM Mod.

6) Finally, click Backdoor, Write $D000-$DFFF and login Aprendiz, or another
login name if you get an error.

7) Save your new card image to your PC Click 'File' then 'Save/Dump Image'.

8) If you wish to clean the card at a later stage you can clean the card using
the above saved image.

Hopefully you now have your Card ready for your box.

Making a Fun Card

Quite a few people use a fun card instead of the original (MOSC). It has some
advantages and many disadvantages. I always recommend you use a MOSC,
It's the easiest way to ensure compatibility. At the moment card attacks from
the cable companies are nothing like the battle we suffered from On-digital
and you're not going to get ECM'd every Saturday night by using a fun !

The biggest disadvantage is that you can't get Pay-Per-View (PPV) Movies
with a fun card. There is a way if you’re on NTL to make your cable
DI1000/2000/4000 box downgrade to the older software cr1. This is called
the Wembley trick ! This does involve soldering inside the box , but it's not that
daunting please visit the forums for more information, this is not really a
subject I want to include and explain after all this is just a beginners guide. At
the time of writing this guide, downgrading software is a constantly evolving
technique for obtaining PPV using a funcard, pop in and see us for the latest
information.

So let's imagine you have your DI1000 box but don't have a Rom card. You
can search the database for the BK. To find your IRD look in the engineers
menu and select page 2.

You will see Nagra Serial Code listed. This is your IRD it should start with '12'
and be 8 digits long E.G. 12 10 07 37 It may be shown in decimal and not in
hexadecimal so you may need to use windows calculator in scientific mode to
convert it. If you get stuck ask for help on our forum, we don't bite honest ! All
you do is miss the leading 0 then click on the hex radio icon.

You now have your BK and IRD. You will also need some keys, these may
change but at the time of writing these are :

::NTL KEYS::
0: 79 F7 5A 5B F8 35 04 81
1: CE 97 58 27 7C 81 EF 28

::TW KEYS::
0: EA 92 C0 BD AA 1F 2B 0E
1: 60 20 E6 25 08 C8 7E 2A

::C&W KEYS::
0: 95 1F F5 40 DC CF 48 32
1: 5F 5D B8 E0 E4 8C C4 62

Now you need to download ANY digital cable hex fun file. Look around
Modshack in the Cable Files downloads section.

There are a number of digital cable hex files; let's look at Distance V3.
Download and unzip.

1 Run the file nce-rev2015

You should have this :

2 Now fill in the blanks.

a) The Cam ID can be anything you like.

b) Enter the IRD backwards, e.g. 12 10 07 37 is entered as 37 07 10 12.

c) Enter the Key 0 & Key 1 from the above area list, i.e. NTL, NTL (ex C&W) or
TW.

d) Leave the Hash Key at zeros.

3 Now hit the Save icon and save the file, call it something like My hex and
close the program nce v2.

To program your card you need to download MultiProg.

This is an excellent piece of software that allows you to program many
different types of smart cards.

Install the program. If your programmer is NOT on comm. port 1 then select
the set-up icon and select the appropriate comm. port.

Insert your Fun card into your FUN programmer. It can be any type of fun
card; most use a FUN4. These are available from Sat Shop, Goldwafers and
other retailers. Shop around for the best price!

Install Multiprog and copy the settings below.

NOTE Nothing is in the External EEprom, this is different from On-digital and
European satellite cards that use the External EEprom.

Hit Program and after a few seconds you will have made your Fun Card !

Splitting the cable feed.

You have your SUBBED box connected to your cable line, so how do you
connect your modified box at the same time?

The easiest way is to purchase a cable splitter device from Maplins, order
code QQ69A. You will also need a small length of cable and a few screw-on F
connectors. Again, if you can't get cheaper locally, Maplins can supply.

Connecting the digibox

Well, it's time for that heart-stopping moment when you are going to try the
box. The first thing to say is don't panic if things don't work. If it's any
reassurance I can tell you that my box didn't work first time. I made a silly
mistake, but at the moment I tried the box, I felt like I was useless.
If you have followed everything in this tutorial, then hopefully all will be well.
OK then....... Let's give things a try.

Insert the card into the box. The smart card goes in with the chip facing down,
and if your digi box has two smartcard slots it goes in the lower slot.

Connect the cable feed, into the box. Connect the scart lead and now connect
the power.

Your box will probably go through an installation/update cycle. This may take a
few minutes. 'PACE' followed by 'nit' may also be shown. Eventually the box
should settle down and the box may tune to the movies preview channel.

You may see 'Loading' appear in the bottom right, again this is normal and
may take a while to disappear, wait until all banners have disappeared from
the screen, then try and change the channel to BBC1.

Now move up the channels, each channel should clear.

Are you opening up the champagne ? or are you reaching for the hankies ?

If you do have a problem we can run through a few checks now. You may
notice that the middle green LED is constantly flashing THIS IS NORMAL and
correctly indicates that talkback has been cut correctly. If it stays lit, start to
worry !

Problem solving

If you don't get ANY channels, not even the preview, try connecting the box
without the splitter, direct on the known good cable signal, just in case you
have made a bad connection in one of the F connectors. Now check the net
ID and frequency, symbol rate and QAM settings. All these you should look at
if you have NO PICTURE on ANY channel.

If you only get a few channels being decoded, i.e. BBC1, BBC2, ITV clear and
others are saying 'NOT SUBSCRIBED', then look at the BK and IRD on the card.
Both these need to be correct. You can double check the IRD by looking up
the nagra code in the eng. menu; this should be the same as your IRD on the
card. It also should be printed on a white label stuck inside the box on top of
the scart screening can. This number might (on older boxes) be printed in
decimal and you can use Windows Calculator to convert it to hexadecimal. You
could also check that the correct area blank image is being used, i.e. NTL hex
when you should be using NTL (ex CW) hex.

Summing up and Credits

I have written this guide over a few days, and it's NOT intended to be an
exhaustive guide to cable TV. More a starting point and the correct procedure
to follow. If you do have problems after reading and trying everything in this
guide please visit us at Modshack and I or any other member will be glad to
help.

I do not want to take ANY credit for the contents of this guide, this is purely a
collection of the knowledge I have learnt from others over the last couple of
months.

I cannot begin to list ALL the members of Modshack that have furnished me
with the knowledge of cable TV.

So I simply say a heartfelt thank you to you all for sharing your knowledge.
Hopefully in this guide, I have continued the tradition of sharing knowledge
and information.

I hope you all have enjoyed reading this guide

Many Thanks

NoviceAngel

Wembley downgrade trick.

This trick can only be done from a NTL ex C&W area.

DI 1000.

You need to reset your box by removing the RED jumper (leave off for at least one
minute). Then load up LibDebug and reset your NetID to 41047 (Wembley Net Id),
Freq 666.750, or use the Wembley.cfg file. Now connect the box back up to your
cable line, hold the power button in and connect up the mains. When "0000" is
displayed on the L.E.D, press "fav, interactive, tv guide, tv" so that "4321" appears,
then press OK. If successful your box should load the CR1 software; the box should
now be CR1, check in the Eng menu.

Once you have used the Wembley Net ID to get the CR1 s/w, you have to lock the
box from accepting the newer CR3 s/w once you set your local area Net ID again.

In order to do that, you should either lift one side of each Atmel on the SIMM card
pins 1 - 24 (Use insulation tape under the lifted pins of each Atmel to prevent them
touching the pads), or remove both the Atmels on the SIMM card altogether (Harder
should you need to refit them again) or fit a 1000Phase1b SIMM card (as it has no
Atmels, same as removing them from the original SIMM)

Make a fun card using your box details, & that’s it watch as much free TV as you
want.

Remember, you cannot use the Wembley Net ID to watch cable if you're not in the
Wembley area. If you don't lock the Atmels, minutes after connecting the box with
your own local Net ID your box will update back to CR3.

Digital area codes.

Location Co Net Id Freq Sym Rate

7 Kings 41050 666.750
Ashford 41052
Batley NTL 00001 755.000
Bath TW 40970 651.000
Basingstoke NTL 00013 803.000
Bedford 00005 755.000
Belfast (Ireland) 00021 755.000
Bexley Heath NTL 41050 666.750
Birmingham 41011 643.000
Blackburn NTL 41048 666.750 6.952
Bolton NTL 41060 666.750
Bournemouth 41043 666.750
Bradford W.Yorks TW 40961 539.000
Brighton NTL 41044 666.750
Bristol TW 40970 651.000
Bromley NTL/ex C&W 41041 666.750
Cardiff NTL 00004 755.000
Carlisle OM 42650 322.000
Cheltenham Glos 1 40971 433.000
Cheltenham Glos 2 40971 651.000
Chesham Bucks 41051 666.750
Coventry 00019 811.000
Derby 41056 666.750
Dewsbury NTL 00001 755.000
Durby 41046
Dundee TW 40982 619.000
Dublin (Ireland) NTL 42753 363.000
East London 41050 666.750
Edinburgh/Lothian TW 40981 619.000
Essex 1 NTL 41050
Essex 2 TW 40978 619.000
Falkirk TW 40981 619.000
Fife TW 40981 619.000
Gateshead 40969 571.000
Glasgow NTL 00002 755.000
Grimsby NTL 00022 755.000
Hackney N. London TW
Hanwell W.London NTL 41047 666.750/562.750
Harrow NTL ex C&W 41047
Hemel Hempstead NTL 00017 803.000
Herts & Beds. 00005 643.000
High Wycombe 00013 803.000
Hounslow/Osterley TW 40979 531.000
Huddersfield W.Yorks TW 40961 539.000
Huddersfield NTL 00001 755.000
Ipswich NTL 00011 755.000
Irvine OM 42648 322.000
Kingstone 40979 531.000
Kidderminster Worcs. TW 40974 130.000
Keighley TW 40961 539.000
Leyland Lancs. 41000 531.000
Lancaster OM 42653 322.000
Leeds 41053 666.750
Leicester NTL 00012 643.000
Leamington Spa 00016 803.000
Lewisham NTL ex C&W 41047 666.750
LIVERPOOL 1 - NORTH TW 40966 571.000
LIVERPOOL 2 - NORTH TW 40965 571.000
Luton 739.000
Maidstone Kent 40976 619.000
Manchester 1 NTL 41040
Manchester 2 NTL ex C&W 41060 666.750
Newbury Berks. 00013 803.000
North Lanarkshire TW 40984 619.000
North London TW 40985 515.000
North West London NTL
Norwich 41055
Nottingham 1 NTL 00008 755.000
Nottingham 2 NTL 00008 739.000
Northampton NTL 00018 579.000
Oxford 1 00020 578.250 / 818.250
Oxford 2 00013 803.000
Peterborough NTL 41049 666.750
Plymouth TW 40988 787.000
Portsmouth (Cosham) NTL 41042 666.750
Preston Lancs. TW
Reading 00013 803.000
Richmond upon Thames 40979 531.000
Sedgley West Midlands 40973
Solent 41042
South Herts. 41051
South Yorks. TW 40964 539.000
Southampton 41048 666.750
Stafford NTL 00015 826.250
Stockport NTL ex C&W 41066 666.750
Stoke on Trent 41063 666.750
Surrey 41045
Sussex NTL 41044 666.750
SWINDON 1 00006 579.000
SWINDON 2 803.000
Swansea NTL 00007 755.000
Sutton/Mitcham TW 40979 531.000
Teeside NTL 00010 571.000
Telford TW 40973 131.000
Thames Valley 00013 803.000
Walsall West Mids. 40974 131.000
Warrington NTL ex C&W 41060 666.750
Washington Tyne+Wear NTL 41054 666.750
Watford Herts NTL 41051 666.750
Wearside 41054
Westminster London NTL
Wessex 41043
West London/Middlesex TW 40980 539.000
West Yorkshire TW 40961 539.000
West Yorkshire NTL 00001 755.000
Widnes Cheshire 41048 666.750
Wigan TW 40967 531.000
Wirral Merseyside 1 41048 666.750
Wirral Merseyside 2 41060 666.750
Wolverhampton NTL / TW 40973 131.000
Woodgreen TW
York 41065

How to Convert an X-Box PC-Bioxx Modchip into an Atmel Reader.

Written by Merlin – with BIG thanks to Romps for the original idea.

The Legal Stuff

Firstly, I do not condone the theft of cable TV. Theft is theft, fact. If you get
caught, remember you took the risk.

This tutorial is purely how to convert the PC-Bioxx modchip to allow it to read
Atmel chips – what you do with it is up to you.

OK, now that’s out of the way….

Step 1

Here is a picture of the PC-Bioxx, courtesy of DVD Upgrades.

Your first task is to remove the existing Atmel chip on the right of this picture.
You can do this with a soldering iron, hot air station, or, if you are quick (!), a
hot air paint stripper gun like a Black and Decker.

Once the chip has been removed, flux and clean the excess solder from the
pads.

Step 2

The next step is to carefully remove the 25 pin printer port socket and solder it
to the underside of the board. This is for 2 reasons: one is that the pins are
reversed with the socket on the top and soldering it underneath corrects this,
the other is that the Meritec socket won’t fit with the printer port socket in the
way. You can also cut the male connector off the ribbon cable and solder the
female connector onto the board – just remember to go pin for pin starting at
pin 1. Then you can use a parallel port scanner cable to connect to the board
or go direct into the printer port.

Step 3

With me so far? Good. Now all we need to do is solder a Meritec TSOP 48
socket onto the pads where the original Atmel chip was. This is what the
socket looks like:

Carefully apply just a touch of flux to the pads and carefully solder the socket
in place with a soldering iron or a hot air station. An iron with a fine tip is the
preferred method – heat the pads and flow the solder to attach the socket. Pin
1 is marked with a white circle on the board (in case you forgot where pin 1
was).

The sockets can be bought from Willem www.willem.org and cost about 20-25
Euros including shipping. You can find them on the Eprom programmer parts
page.

Step 4

Now all we need is power. See the 12 pins to the left of the first picture? We
need to attach power to pins 9 and 12. The pins count left to right and down
like this:

1 2
3 4
5 6
7 8
9 10
11 12

Attach a red wire to pin 9 and a black wire to pin 12. You can attach these
power leads to a transformer but I used a 2 x AA battery pack and 2 Duracells
as power. For neatness I used the sticky pad which came with the Bioxx kit to
attach the battery pack to the underside next to the 25 pin socket – nice and
tidy and it fits well.

Step 5

Connect the board to your PC and fire up Bioxx Flasher. If you have made
your board correctly it will recognise the Bioxx board.

Insert your Atmel into the socket (noting the correct way round for pin 1) then
press “Read”. The board will read the chip then stop. Press “Save File” and
save the file (e.g. myfile.bin).

If you are reading Atmels from a 1000 or a 2000 series box it is best to name
them left.bin and right.bin – you will see why in a minute.

Step 6

Now if you are being naughty and have read an Atmel from a Pace box, you
can use the BKE 1.6 bin version (courtesy of Mr. Wiz) to read the bin file(s) for the
IRD and BK.

That’s it really – bring on the Funcard and put the Atmels back!!

Merlin

Atmel removal & refitting.

This Tutorial covers removing Atmels from a Pace Integrated Receiver
Decoder [IRD]. You will require the following items, as well as the IRD of
course.

A :: Solder Pro [Gas Soldering Iron] with attachment as shown.

B :: Solder Flux Pen

C :: Solder

D :: Scalpel to help lift the chip with.

1 :: Photo just showing the solderpro and deflector and relevance in size to
tsop.

2 :: Showing position of scalpel under edge of tsop.

3 :: Solderpro being applied to legs with enough heat to melt solder; you can
just see the deflector glowing. As it does, apply it to the legs and apply small
pressure to the scalpel.

4 :: The atmel lifting after heat was applied

5 :: Don't overdo lifting it. It only needs to be a few mil above the pads; this is just
showing it clearly lifted.

6 :: Once both sides are done you're left with something like this... it just needs
cleaning.

7 :: Same as 6 really just a better angle.

8 :: Flux the pads well and with a basic iron run it across the pads from left to
right removing excess solder as it goes.

9 :: Excess solder removed and ready for refitting.

10 :: Atmel in place and fluxed ready for iron (ignore the mingling fingernail).

11 :: Start with the iron at the top of the tsop and pull it towards the end of the
pins. This will drag all the solder along the pins and leave the space in
between clear. Basically you're dragging the iron from the top of the leg to the end
with plenty of flux, as this will remove excess solder as well as sticking the
atmel in place.

12 :: Wooohoo, it's stuck and it boots. While it doesn't look like it's held in with
much solder, it is, but you can now apply more flux and a very small amount of
solder to the nib of the iron and basically repeat step 11. This will add just
enough solder to keep all pins covered well. Start from your left and work to
your right; this will pull the excess solder to the last pin and be easier to
remove with a clear iron. Finally clean the excess flux and then repeat for the
second atmel, depending on model.

This is only intended as a guide and each person will find a way more suitable
for them.
Find an old scrap box and practice with it.

Finally we take no responsibility for any damage you may cause using the
details we supply

you do this at your own risk!!!!

Unauthorised modification of stb's not owned by you is illegal; please only use
this on equipment owned by yourself.

Regards Mr-E & X @ Muppet Labs

Authors :: Mr-E, X
Formatting :: Doit4Kicks, Speccy, H, yz450

Funcard, zeus & distance v1.0 tutorial.

How to program a funcard using Distance Hex and
the Zeus multiprogrammer. By Klorel

Part 1. Getting Required details from Original Card.

1. Insert your original card into your Smartmouse / Phoenix
programmer and click Reset; you should be shown information similar to
below.

If your ROM Revision is 010 and your EEPROM Revision is
below A3C then your card should not be locked (see NagraEdit Method
section below). If it is A3C then your card is locked and you will not be able to get
the required information from it.

If your ROM Revision is 011 and your EEPROM Revision is before
B07 then you can use RomStudio v1.6 to read it (see Rom Studio Method
section below). Revisions B07 and B08 are locked and you will not get the required
information from them.

NagraEdit Method:

Click on “Read From Card” and wait until the card is read.

2. Next click Data Editor then Data Space and make a note of your IRD
Number, Boxkey and Cam ID.

Rom Studio Method:

Click on the Backdoor tab, then the Dump ($D000 - $DFFF) drop down menu
and then Login Aprendiz.

2. When the card is read you will get a message saying “Do you want to install
Provider Ghost?” Choose No.

3. Click on the Fat Editor Tab then 01 IRD Info (41) and make a note of your
IRD # and Boxkey.

4. Click on 06 Provider info (58) and make a note of your Card #.

Part Two: Creating Internal Eeprom Hex.

1. Open up nce-rev-2015.exe (included in this zip) and enter your IRD
Number, Boxkey and Cam ID (Card #) you got from NagraEdit or Rom Studio.
Also, from the list below select the appropriate keys for the area you are in.
(IRD number should always end in 12).

NTL:

KEY0: 79 F7 5A 5B F8 35 04 81

KEY1: CE 97 58 27 7C 81 EF 28

HASH KEY: 41 75 B0 3B D7 DE 2E 91

TW:

KEY0: EA 92 C0 BD AA 1F 2B 0E

KEY1: 60 20 E6 25 08 C8 7E 2A

HASH KEY: 2C 96 F6 1F 6B FA 3E E6

C&W:

KEY0: 95 1F F5 40 DC CF 48 32

KEY1: 5F 5D B8 E0 E4 8C C4 62

HASH KEY: 0D E3 2C 52 4E 56 E6 43

2. Now hit Save to create the internal eeprom hex file;
save it on your desktop or somewhere you can remember.

Part 3: Setup Zeus and Cardwriter.

1. Now from the zip file extract the main flash hex for
your area to the desktop or wherever you saved the internal eeprom.

2. Set all the jumpers on the Zeus to the left and the switch in the out position.
Connect the Zeus to your PC and to the power supply. I find that a 1200mA Multi Volt
Adaptor from Argos set at 12v works.

3. Open Cardwriter (also included in zip), Click on Configuration and select the
appropriate com port and click Save.

Part 4: Programming Funcard.

1. Now click on the AVR tab and then AVR 90S8515. Also make sure
EEPROM is NOT checked in the bottom right corner.

2. Click the Load 1 icon and open the Main flash hex file from wherever you
extracted the main flash to.

Now click Load 2 and load the internal eeprom hex saved by NCE.

3. Next click the write icon, then click OK then Ja in the Information and
Warnung windows.

The card will then be written to in two stages, the first stage (the main flash)
should take approx 3 minutes and the second stage (the internal eeprom)
should take approx 15 seconds.

A progress indicator will allow you to monitor how the write process is doing.

Hopefully you now have a working funcard, stick it in your box and enjoy :)

If you need to use this tutorial with other programmers / software it should be
basically the same. Just remember the flash generated by nce is the internal
eeprom and the main flash is in the zip; you should never have anything loaded
in the external eeprom.

It has taken me quite a few hours to compile this tutorial so please give me
some credit if you decide to distribute it.

How to add digital audio to a di4000.

You will need :

common sense!
6mm drill bit & drill
Black Gold Plated chassis mount phono socket code FT95D from Maplins
(gold cos it looks nice!)
a 47 Ohm Resistor Maplins code M47R (any 47R resistor will do!)
Soldering iron & solder

I started on this little project because the audio output of my 4000 box was
locked at -10 in the engineers menu, no matter how I tried I could not get it to
stay at 0. As a result the audio output from the box was very low. NOT
GOOD!

So I thought I would have a look through the manual to see if I could find a
way to add a co-axial digital output to the box.

The MPeg decoder is U5000 which is a cx22490 IC and you can get a
description of this IC HERE

It does say it's capable of Dolby Digital but I guess that's only if cable
broadcast the channels with the stream encoded with Dolby/DTS.

If they simply grabbed the m-peg stream from sky and pumped it straight into
the cable network, then you would get the Dolby/DTS carrier, but first
impressions suggest there is no Dolby carrier available on cable

Not to worry, the digital stream is far better than the analogue from the box
and the digital volume level doesn't appear to be attenuated by any silly
settings in the engineers menu

Anyway, back to the subject in hand, the AUD-SPIF stream comes out of G3
on U5000 from there through R5016 and then off to socket SK4402. Which
appears to be an optical output socket. Strange I thought ! can't remember
seeing one of those on a pace box !

Then I noticed the space in my box and the three stars next to the component.
An option, that ntl have decided not to be bothered with ! That's nice of them -
NOT !!!

Makes it a lot easier for us to add though !

So first thing get yourself a 6mm drill bit and drill a hole above the SK4402
socket markings in the box.

Put your phono socket in place.

You will notice three solder points on the PCB where SK4402 should be

Viewed from the front of the box from left to right, these are GND, +5V and
SPDIF data.

Connect your standard 47 ohm resistor between the centre pin of your phono
socket and the SPDIF solder point. (this is in place of R5016)

Connect the outer part of your phono socket to GND.

You don't need to connect anything to the +5V rail

Now you have the socket in place and all the connections made to it, you will
remember that we have fitted R5016 to the phono socket and not in the PCB.
This is because the original resistor is a surface mount !

So we need to locate the missing R5016 and short the pads out.

From the front of the box on the right hand side of the main PCB locate the
crystal X5300 then about an inch down you will see a gap where U5302 could
be fitted. just to the bottom right of U5302 you will see two solder points, very
close together. This is where R5016 should be fitted. Simply bridge it with a
tiny piece of wire.

and there Job done...

Enjoy your digital audio output.

Hope you guys have found this helpful

Cheers

NoviceAngel
