Interesting Devices Ltd
XM or Sirius radio: Are there any testing methods?
 
(#141) kbfr08, 28th February 2011, 05:28 AM

Hoping to breathe a little bit of life back into this thread by posting a few bits of new info.

Starmate 5 has a 12 pin header that looks like JTAG above the RAM chip, I will work to get the pinout for that sometime in the future (I've got 14 of these radios lying around).

All ST1 generation receivers (Starmate 1, Brix, Streamer GT, Sanyo Dish, XACT 1) have the same can/transceiver board. I will post an image with JTAG pins labeled as soon as I get my Pentax K-X.

Currently working on a Sportster Replay / Sportster 1 (nearly identical boards), RX + TX pins give garbled output (baud?). Radio is stuck at Sirius startup image when I access UART.

Sportster 5's have a JTAG port under the ARM chip on the left side of the board. It's a 14 pin header, someone should trace these pins since the ARM schematic is available.

I'm currently working on a starmate 2 (I've only got one chance with this).

-- Notice for the CAN boards. The Atmega chip DOES NOT hold anything related to activation, it's all held in the TSOP. I've been successful with a TSOP swap using hot air.

And those of you that have tried out XM hacking, don't give up. It's a hell of a lot easier than you think. XpressRC & XpressRCI use TSOPs, and I've done a successful swap.

Also, to the person who had the "Acquiring signal" issue with a radio, reflow it and it will work again.
  
(#142) The Dude, 28th February 2011, 06:52 PM

Welcome to the site
  
(#143) Cheezewiz, 3rd March 2011, 07:54 PM

It was interesting reading all this stuff.

I recently have been interested in this for quite some time now and am in the process of ordering some XM/Sirius radios off eBay, I'll stick with Sirius now.

I had ordered a USB JTAG, some other JTAGing tools, also a Bus Pirate, some wire to make custom JTAG cables.

The Bus Pirate is able to do SPI and all sorts of other cool things.

My goal is to attempt to dump some Sirius radio, dump another Sirius radio, and compare the flashes in a hex editor and see what's changed.

Maybe the subscriber ID or whatever info is printed on the sticker on the back of these radios is in plain text within the flash; simple changing of numbers, flashing back, and see what happens.

Maybe try and find an activated Sirius radio, dump the firmware and load it back on one of the non subscribed radios.

Maybe you can record the data on what happens when a receiver gets activated and replay that data back to a chip... using magic perhaps...


This thread is really old, seems very interesting! tis the website we are posting on!
  
(#144) kbfr08, 5th March 2011, 05:53 AM

Ok!

Starmate 2 / Streamer GTR uses an XC9536XL CPLD on the controller board (one with the TSOP). You can access JTAG from there.

Starmate 2 JTAG on Xilinx CPLD
---: PIN #
TDI: 9
TDO: 24
TMS: 10
TCK: 11


ST1 JTAG: http://i52.tinypic.com/6iy1qf.jpg
From flash chip to the left: TDI, TDO, TMS, TCK

Looking at the operations diagram for the ST1 and other models indicated that there is SPI and JTAG onboard.

And the Sportster 4 has the same style JTAG port as the Sportster 5, you'll need to jumper a resistor to make it work though.

-- Also, I think it's worth mentioning that the newer radios have a built-in test mode. I buy radios in bulk, and occasionally I get some that are on "TEST" as the category with "1800HZ" at the top right. A Sportster 5 that was in test mode was able to tune into a radio station on channel 0, without a subscription; it only took a few minutes for Sirius to push new firmware to the device though.
  
(#145) adhoc, 5th March 2011, 10:45 PM

I have a SP4 and would be interested in learning more about JTAGing it. What sort of software would one use? May have to dig out some old disc. I took it apart a year ago looking for TSOPs but could not see resoldering those small chips successfully. A JTAG could be sweet! I can see where the wires could hang out of the vent holes in the back.

EDIT: Took the back off again and can see some pads at the upper left.

SSP TX SSP RX

No DT pads though.
  
(#146) Cheezewiz, 6th March 2011, 01:35 AM

Kbfr08 / adhoc


Well, I have a JtagNT and it has some neat software with it to allow you to make custom configs, basically like labels with memory addresses in them to read/write with whatever contents you want to put in them.

But it comes down to properly identifying JTAG pins somehow. I'm not a JTAG expert by any means, so the only thing I can think of is data sheets and a multimeter to try and trace pins.

Lots of electronic devices have some sort of writable memory device on boards and they certainly don't program them before they get put in the oven, so they have to have a way of putting the contents on the flash chip, we just need to find out how.

Does anyone know how you would go about blindly identifying JTAG pins on said devices? My guess is to start poking around the pads without solder on them that are labeled TP on circuit boards. It's also nice when they label it TDI / TDO / TMS / TCK.

Anyone have any ideas??

kbfr08, have you thought about buying two of those Starmate devices and dumping the firmware on both of them and comparing them?

kbfr08, I also PM'ed you, I'd be curious what kind of stuff you buy in bulk!!
  
(#147) adhoc, 6th March 2011, 02:24 AM

I don't think the SP4 is a good candidate for reverse engineering. I was very good at looking at circuits, making schematics and repurposing boards. However my eyesight is not as good and the traces have got smaller. 5 years ago I could read the three numbers on resistors but now I have to get glasses or a mag lamp to see the resistors.

The older units would be easier as the components are larger. I did see a few on eBay.

Reading your post I thought you had already JTAGged the SP4. I may try to get an older unit for future playing. I miss this type of fun but my time is limited. I still have a HU going but now it is Sonic and is not near as good.
  
(#148) kbfr08, 6th March 2011, 02:52 AM

Quote: Originally Posted by Cheezewiz (post #146)

Actually, I buy Sirius radios in bulk for repair. Sometimes 20 or 30 units at a time, they're relatively cheap. Sportster 5s go for $7 each in lots of 20.

Anyway, in the lots I do get a few oddballs. Sirius no longer labels JTAG pins (even on prototypes), and the labeled ST1 board is from an oddball ST1 unit.

I'm not home for the weekend, but as soon as I get home I'll be dumping the Starmate 2's firmware.

Adhoc, newer devices will likely have new security on the firmware and SID stuff. Even if we do identify the pads we'll have a hard time with other things. IIRC, the RX and TX pins are used for the LCD or something, not serial.
  
(#149) Cheezewiz, 6th March 2011, 02:52 AM

Well, I have 3 of these right now, so something should happen with them.

Maybe... :\
  
(#150) kbfr08, 7th March 2011, 04:37 AM

Ok, I do not have a Xilinx programming cable. I wasn't able to find any drivers that would support Bus Pirate in ISE iMPACT. Starmate 1 uses an ATmega 128 (IIRC) chip, so maybe I'd have more luck using that with the Bus Pirate.

JTAG TPs for the Starmate 2 are below the Xilinx chip (stickered), and are aligned in a row. Pin 24 does not have a TP, so you need to solder onto the legs.

- I just got a Sportster 4 to give JTAG a go on. Same header as the Sportster 5. Also, it looks like the buttons panel connector (female) will fit over the header. I have some spares, so I'll solder one down and convert a button PCB into the test board to solder wires to (instead of tearing pads on the SP4 board).

The header and pads in question are on page 2: https://fjallfoss.fcc.gov/eas/GetApp...html?id=654761
  