Firmware for Pioneer BCT-1530
_____________________________
PI717a32

Some improvements in SHL implementation.
Thanks JulekJulek for his work on new panel :)
You may now manually adjust some SHL parameters: timeout
(in milliseconds) and the number of packets to catch from ECM PID.
Go to service menu (+/menu) and press '8' to enter the SHL adjusting menu.
By default timeout is 300 ms and number of packets is 7. This provides
quite stable work of SHL decrypting.
You may play with those parameters to reach max stability.
Tracing of the decrypt result is possible: switch on the serial device in
service menu, 7, and watch the output of RS232. SHL error 0 means good
decrypt, 1 - bad one.



______________________________
PI717a28

Seca2 algo fixed to allow watch of 0064 provi. I can't test it myself so pls let me know if I made some mistake.

SHL implementation changed. It runs as separate task now so MHW doesn't wait for return from function NullSubDSX7071_13A.
This function (read_pid()) is now used for:
- Creating of SHL task;
- Sending some commands to this task (allocate buffers, semaphores and pid filtering slots, start decryption, cleanup buffers);
- Stopping and deleting task.

void read_pid(int pid, byte *out, int slot, int stream_type, int flags, int timeout, int *error);  // 6010CF00

Error and pid must always be provided. The other arguments are optional in one case and mandatory in another.
   Creating of SHL task:
   ----------
   pid = 0xE000;
   error is 0 on success;
   
   Allocate buffers:
   ----------
   pid=0xE001;
   flags should provide: 
   	shl type (0 for ca id 0x4a60, 1 and 2 for ca id 0x4a61);
   	shl mode (0 for hopping pid mode, 1 for multipid one);
   	number of packets which should be received from ECM PID pointed by PMT (multipid mode);
   
   Start SHL decryption:
   ----------
   pid - real ECM PID;
   out = buffer with length of 0x1000;
   flags should provide:
   	signal about shl decrypt, else only one ts packet will be read out (slot and stream type should be provided in this case as well);
   timeout: number of nanoseconds to wait for each packet from PMT ECM PID;
   	total time of shl decrypt will be "number of packets+1"*"timeout";
   	for now I use 4 packets and timeout 0.5 second.
   error is 0 if the 1st attempt to catch ts packets and decrypt them is successful. Don't care about it, the 1st attempt may be unsuccessful but the next one may get us a picture.
   
   Cleanup (free buffers, semaphores, pid filtering slots):
   ----------
   pid = 0xE002;
   error is 0 on success.
   
   Stop shl task:
   ----------
   pid=0xF000;
   timeout: number of nanoseconds to wait for termination of shl task;
   error is 0 on success.
   
!!! Warning !!!
Only multipid mode is implemented!
Hopping pid isn't, due to the absence of any shl channel to which it may be applied.
Buffer "out" should be passed for all calls of read_pid, sometimes I use it for debug purposes.

Mapping of 'flags' argument:
most sign. byte       lowest sign. byte
             0N SM TC ST
             || || |
             || || |___ 16 bits of TC status. 0x1200 to read raw transport stream packets. Used to read one ts packet from stream and for debug.
             || ||_____ 1 bit of mode: 0 - hopping pid, 1 - multipid mode; 3 bits of type 0..3 (0,1,2 in use now)
             || |______ if 1 then this is interpreted as a command to start shl decrypt, otherwise read one ts packet and exit.
             ||________ number of packets to read from PMT ECM PID. This value must not be less than 2.
             |_________ not used for the moment.
	     
Some bugs are present of course, I will try to locate and fix them ASAP.

	Great thanks to all who helped me :)


______________________________
PI717a25

The bug with losing of PMT is found and fixed. You can safely zap to and from shl channels.
Full-X channels are still working not very well. I will continue to work on improvement of SHL implementation. 
MHW now tries to autodetect shl mode by channel service ID. Thus, MHW should choose SHL mode 'MultiPid 2' for SIDs 0x1FAF and 0x1FB0 (Full-X 1 & 2), 'MultiPid 0' for SID 0x1FB3 (Full-X2 M), 'HopPid 1' for SID 0x221D (Don't panic TV).
However, you shall manually choose suitable ECM PID for CA system ID 0x4a61. 

______________________________
PI717a16
SHL implementation changed. Now it supports manual choice of decode mode.
Go to service menu (+/Perso), and press '8' to select desired mode.
Don't panic TV is working in modes 'HopPid 1' or 'MultiPid 1'. It seems 'HopPid 1' is faster.
Other SHL channels still don't work because we are late to hop on to the next pid and haven't enough pid slots for MultiPid mode :(

______________________________
PI717a14

New s2 nano 51x2 implemented.
Card isn't necessary anymore to view non-seca channels. But for seca channels you still need it. Seems, we shall modify MHW a bit to avoid card necessity forever.
 

______________________________
PI717a6

Some bugs in S2 emulation algo fixed. Thanks to everybody who took part in this project :) 

______________________________
PI717a0

S2 nanos 0F and 51 are implemented now.
A lot of thanks to the Italian guys who have extracted and enlightened this algorithm for us :)


______________________________
PI716a12

Some bugs in SHL algo fixed. Zapping is faster than in previous release but some bugs are still present.
                  

______________________________
PI716a8

!!! For test only purposes !!!
It's my first experience with SHL Neotion encryption. For now only mode 0F (free X-TV) is supported.
A lot of modifications made in EMU, HDL and MHW. Unfortunately not all modifications are made well. 
So some troubles are present (For example, very slow opening of nagra channels noticed...). Hope to fix them in future with help of my friends :)

Big thanks to psycho_troop, JulekJulek and other guys (you know who you are and why I can't mention you :)) for great help in this project.


______________________________
PI716a0

1. Download of data stream (MPEG-sections) from a PID added. In receiver's firmware
dev_mcom is used to implement the download.
For further details on data downloading check out Mediacom 2.1 README.txt file.

Big THANXXX goes to ldnlp for his huge help in firmware disassembling and explanation
of how DEMUX, MCOM, SECTION tasks/devices function.

2. Also added decoding of VIACCESS 2.4 (VIA2) through U-section.  

VIA2 uses 16-byte keys: 8 bytes for DES decryption, other 8 bytes 
for data modification before and after DES.
Let's call these keys key0x, key1x. For VIA-1 only key0x are needed, while for VIA2 JulekJulek (a lot of thanks) has created an additional menu, which can be switched on with E button while editing the keys,
allowing to enter key10 ... key1F for VIA2 providers.

Thanks Yaro for his good (as always ;) translation :)

______________________________                 
v.713a2

Script pers_reg:rx_end.cpi corrected. Bug with losing of channel list after loading of EMU section is fixed.
Now you may safely load EMU section via COM port without reboot of receiver.
Few other little bugs fixed. For example, now after erasing of eeprom (entering K7003 mode) you shouldn't scan channels. Just download TCS/TPT/TSR/EMU sections via RS232 (install menu/4/D) and enjoy.

______________________________                 
v.713a1

Seca2 blocker corrected. For now s2 EMMs are assumed by 'table hash' bytes either 1001 or 1003.

______________________________                 
v.712a11

Additional MHW scripts enabling reading of MPEG-tables added. Look at MediaCom's readme file for details.


______________________________                 
v.712a7

Additional features enabling operations through serial COM-port included:

1 - downloading of RAM/R/Settings flash dumps (approx. 100 seconds per 1 MByte);
2 - uploading of settings from computer (approx. 35 seconds for TCS+TSR+TPT+EMU sections);
3 - sending of ECMs to computer and receiving of decrypted Control Words from it
(either local host or remote CardSharing Server).

How to manage added features

1. Enter Service Menu (+/B), press 7 (CONFIG), press 4 to enable COM-port.
Now you can quit Service Menu, and using program MediaCom.exe download and save 
the dumps of necessary memory areas onto your computer.

2. Enter Installation Menu, press 4 (SYSTEM SETTINGS), then D (DOWNLOAD FROM HOST). 
Using program MediaCom.exe upload the necessary files from the settings flash image.
The settings you have uploaded are activated right after you quit the menu. 
You do not need to rewrite or erase your EEPROM, nor do you need to reboot your receiver.
!!!Warning!!! Don't press any key on your remote controller until the last section is 
fully uploaded. This may break the upload process and you will have to re-start it again.

3. Enter Service Menu (+/B), press 7 (CONFIG), press 5 in order to activate ECM-sending 
mode to a host server.
Now you may use either MediaCom.exe to decrypt ECMs on the local computer
or you also may use program DSR9500Share.exe (H2Deetoo's cardshare client) 
to send ECMs to remote CardSharing Server and receive decrypted CW from that server.

HDL modifications

-Function Enable_Trace has been changed to enable 115200 baud operations.
-Several functions in ECM_TASK have been changed in order to send ECMs to MHW scripts _BEFORE_ ECM decryption
(earlier it was possible to receive ECMs ONLY AFTER decryption).
-MHW API function added: 
	NullSubDSX7071_139(int ECM_PID, char *DecryptedCW); 
which sends DW from MHW buffer to CSA descrambler.

-basic.ECMOUT variable added to signal HDL NOT TO DECRYPT ECM. If basic.ECMOUT==0 then all ECMs 
are passed to EMU or smartcard, otherwise ECMs are accepted but not decrypted internally, 
they are sent to the serial port instead.
!!! Warning !!! You must correct pointer to this variable in case you change MHW !
If this is not the case you will NOT be able to handle ECMs properly. Pointer offset 
for basic.ECMOUT in PI712a7 firmware is positioned at 0x10BD09 (data 222851).

MHW modifications.

There are too many modifications to tell about :-).
Commented source code is available for those who want to work with it ;)
I'm not an expert in MHW so some things were left imperfect (I mean the panel p_reg). 
Hopefully MHW wizards can correct this.


A lot of thanks goes to:
	DiMeno, for great help with MHW serial device functions;
	Dynamit, for ideas and consultations;
	H2Deetoo, for adaptation of his cardshare client for mediaboxes;
	Yaro, for good translation ;)
================================
English translation done by YARO.
19.01.2004
Latest correction done 24.01.2004


______________________________                 
v.711a3
!!! Test only release !!!

Fixed hanging up on arrived D+ ECMs.

Great thanks to Axion for tests and Psycho_troop for cooperation :)

______________________________                 
v.711a1
!!! Test only release !!!
This firmware is uploaded only to test new D+ MECMs, so sorry for possible MHW-bugs.
I can't personally watch Hispasat so pls test it for me.

Some useful MHW modifications:

- RS232 logger added.
  	Open your favorite terminal program and configure the connected COM port as 19200-8-n-1.
  Go to Service menu (+/B) and press '7' to enter Configuration menu. Here you can switch 
  ECM-EMM logging ON or OFF via embedded COM port.
  	Press '2' to switch ECM logging on and '3' to switch EMM logging off. Precam 
  packets that have arrived will be seen in your terminal window.
  Seems like all the rest is obvious by itself.

- Marking of channels added. Press 'SERW' button to mark/unmark the currently watched channel. 
Channels marked during watching will be saved in flash during standby.
  
- Unified channel management added. When you wish to do something about the channel list
  (View List, Choice of favorite channels, Change numbering, Remove) you will see a 
  new universal panel.
  	Probably you'll have some time to wait (it's the time necessary for your tuner to compute 
  the number of previously marked channels) - normally about 1-2 seconds.

  From the newly popped-up panel you may :

  - Mark/Unmark channel (status added in this mode will not be saved during standby);
  - Add/Remove channel from your favorite list;
  - Lock/Unlock channel blocking;
  - Move all marked channels to desired position;
  - Delete all marked channels.
  
  Button NAV (sorry folks, I made this panel for Philips DSI175 box) does the same as the
  SERW button does for Pioneers.
  
By pressing it you will be able to mark the following groups of channels
  	- All radio (video_pid is FFFF) channels;
  	- All service (both audio_pid and video_pid are FFFF) channels;
  	- All channels of current transponder.
  	
  Button C allows to move all marked channels before or after current (highlighted) channel. 
  You should mark at least one channel to be able to move the channels.
  Swapping will substitute the 1st marked channel with the current (highlighted) one.
  
  Button D removes all marked channels. If no channels are marked then current (highlighted)
  channel will be removed.
  
MHW by Dynamit (English interface).

Great thanks to Trouboudou for logger considerations and Kabronsete for algorithms
of D+ MECM processing.  

______________________________                 
v.710a0


!!! Test only release !!!
Support for diseqc 1.2 positioner added. 4 commands are implemented now in "menu / 6 / C" panel (a lot of thanks julekjulek for this panel :)). 
	<- EAST - drive motor east 1 second
	-> WEST - drive motor west 1 second
	GOTO NN - drive Motor to Satellite Position nn 
	STORE NN - store Satellite Position & Enable Limits

All functions are implemented by modified API function 
	NullSubDSX7071_138(int command, int position)

1st two bytes of diseqc command (frame and address) are E0 31 according to Dynamit's experiments.	
	
For adjusting of position to east/west by "steps" (not by seconds) you have to edit script pers_ptg:posit.cpi :
replace 
	NullSubDSX7071_138(0x68, 0x1); 
	NullSubDSX7071_138(0x69, 0x1);
with
	NullSubDSX7071_138(0x68, 0xFF); 
	NullSubDSX7071_138(0x69, 0xFF);

HALT command is not yet implemented. If you want to make it just create a script which calls
	NullSubDSX7071_138(0x60, 0); 
	
Waiting for results of your tests :)	
 	
MHW by Generator (Russian interface).

______________________________                 
v.709a4

!!! Test only release !!!
Support for diseqc x4 switch added. I haven't any diseqc hardware so can't test it except watching of an 'oscillogram' at LNB IN point.
Looks like it should work, I got proper oscillograms at channel zapping mode with different LNB index, polarisation and band.
Unfortunately I can't test switching at scanning mode :-/
Both diseqc x4 switch and diseqc compatible analogue switch (tone burst) should be supported. So pls test it ;)

A lot of thanks to Ldnlp for his great .idc scripts and other help and Dynamit for tests and tutorials :)

MHW by Generator (russian interface).    
                                               
______________________________                 
v.708a2       
                                        
Fixed nagra EMM processing, AU on Digital+ should be possible now. 
I can't verify it myself coz I can't catch any nagra providers except polsat so sorry
for possible bugs.
Script install:p_emu.cpi is modified a bit according to new HDL. 

Thanks Kabronsete for nice explanations of nagra algo and Axion for good help with EMM logs :)

MHW by Antoma (russian interface).
                                                      
______________________________                        
v.708a1                                               
                                                      
Bug with hanging up on Cabo TV is fixed. Thanks Kabronsete for clearing up of how nagra algo
works :)
                                                      
Added an autoupdated list of 'known signatures' to prevent repetitive decryption of nagra 
EMMs once decrypted. The MHW memory buffer basic.KN_SIGN was added to keep the list of known 
signatures. In standby this buffer is stored in the section 'KNOWN' of settings flash.
Script basic:knownsig.cpi is added; basic:init1.cpi, basic:standby.cpi, install:p_emu.cpi
are modified due to the function of KN_SIGN buffer. The RAM address of basic.KN_SIGN variable is fixed
within HDL, therefore that variable should be inserted in exactly the same place in basic.cla
as it is now (else the hdl definition of its offset should be corrected at address 6011271F)
                                                      
Original MHW by Antoma (russian interface).           
                                                      
______________________________                        
v.707a0                                               
                                                      
Corrected AU on polsat. Thanks Ramzes Pl and Axion for help. 
                                                      
______________________________                        
v.706a2                                               
                                                      
Added autoselection of operation key for No-Zap (FreeX-TV).
If this algo will work then autoupdate isn't necessary ;) But this needs to be tested. 
So we are waiting for next key change ...
                                                      
MHW Antoma (russian interface).                       
                                                      
Great thanks to Siciliano for set of keys and good idea :)
______________________________                        
v.706a0                                               
                                                      
Added support for No-Zap (FreeX-TV).                  
Operation Key is still placed inside the firmware, but if some MHW experts would like
to add support of No-Zap keys into EMU KEYS menu I will be happy to recompile that firm.
                                                      
MHW Antoma (russian interface).                       
                                                      
Great thanks to NooK for No-Zap algo :)
______________________________                        
v.705                                                 
                                                      
Added support for autoroll on 4001 and 4901 providers.
Just enter 4101 and 4901 providers in EMU KEYS section and enjoy ;)
                                                      
MHW Antoma (russian interface).                       
                                                      
A lot of thanks Josillo for his simulation algo :)    
______________________________                        
v.703                                                 
New features:                                         
                                                      
* Seca1 EMU and AU in box added, with support for updates encrypted with MK01 primary 
only and also both MK01 primary and secondary, tested on 00 19, 00 25 and 00 2A.
                                                      
NOTE: Now there is EMU support in box for:            
                                                      
- Seca 1                                              
- Viaccess                                            
- Irdeto / Betacrypt                                  
- Nagravision                                         
- Conax                                               
                                                      
and AU support in box for:                            
                                                      
- Seca 1                                              
- Viaccess                                            
- Irdeto / Betacrypt                                  
- Nagravision                                         
                                                      
* Conax keys are now placed in EMU (not in HDL) so you need to put them into EMU menu like 
in Dynamit 6.18 and above.
                                                      
* Fixed Seca UA EMMs processing, they are now sent correctly to card.
                                                      
* Switch 'SECA2 EMM' in config menu added:            
                                                      
- OFF - Seca 2 EMMs are NOT sent to card
- UA/SA - all Seca 2 EMMs are sent to card (on UA and SA)
- SA - only Seca 2 EMMs on SA are sent to card
                                                      
It is NOT a Seca 2 hack. How you will use it - it's up to you.
                                                      
* Switch 'CW CARD' in config menu added:              
                                                      
- OFF - firmware works as normal - all ECMs which are not supported by EMU (or in case 
  EMU decryption failed) are sent to card (if there is an appropriate provider on it)
- ON - only Seca 2 and CryptoWorks ECMs are sent to card
                                                      
This switch can be also called 'STREAM FIX' for CryptoWorks cards' owners. It was made 
for those who watch using original, active card with external or internal blocker.
In such case they have problems with STREAM PPV - gaps and freezes. Now they can switch 
'CW CARD' to ON - and watch STREAM PPV without any gaps and freezes. It is NOT a CryptoWorks 
hack, you still need an original active card and external or internal blocker to watch CryptoWorks 
channels.
                                                      
NOTE: When 'CW CARD' switch is set to ON only Seca 2 and CryptoWorks ECMs are sent to card 
so you can NOT use card to decrypt other systems, but of course EMU will still work fine.
                                                      
* Info menu 0 CAM fixed, now with Seca 1 and Conax support.
                                                      
* Info menu 3 EMM added, now you will see there all known EMMs (very useful for debugging, 
like Info menu 2 ECM).
                                                      
* Hold function added for both Info menu 2 ECM and 3 EMM, now you can stop / start data display.
                                                      
Great thanks to Ramzes for suggestions and tests :)
       
       
       