SIL9287 HDMI port processor with InstaPort technology

This forum is for information related with B series hardware instead of firmware/software.

sbav1
Official SamyGO Developer
Posts: 374
Joined: Fri Jan 15, 2010 10:20 am

SIL9287 HDMI port processor with InstaPort technology

Post by sbav1 »

Just found an interesting link: http://www.slashgear.com/basic-tv-hack- ... l-0258855/.
May be quite an opportunity for strong supporters of fair use doctrine :). Certainly not for the weak-hearted; good soldering skills required.

According to manufacturer specs, SIL9287 (InstaPort, TDMS output) seems to be potentially good candidate for this hack. But: there are two independent (?) HDCP crypto units (in SIL9287 and in Arsenal) in B-Series/Chelsea TVs.. I wonder which one is actually used. Any ideas?
User avatar
erdem_ua
SamyGO Admin
Posts: 3126
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey
Contact:

Re: SIL9287 HDMI port processor with InstaPort technology

Post by erdem_ua »

I think there is more easy way to do that. I mean without soldering. Doesn't HDCP master key is already decrypted?
sbav1
Official SamyGO Developer
Posts: 374
Joined: Fri Jan 15, 2010 10:20 am

Re: SIL9287 HDMI port processor with InstaPort technology

Post by sbav1 »

erdem_ua wrote:I think there is more easy way to do that. I mean without soldering.
Perhaps it is (with some 150$-250$ HD capture cards + flawed drivers); I find it a little surprising, but:
http://forum.videohelp.com/threads/3321 ... ost2059278
http://dvblogic.com/phpBB3/viewtopic.php?p=42525
Also (allegedly) there are some "devices" on the grey market, available (?) for 250-350$.
Doesn't HDCP master key is already decrypted?
Yeah, but AFAIK that doesn't mean much from practical perspective (not yet, anyway). True, now it is possible to develop DIY HDMI-HDCP receiver. You will need decent (1500-2500$) FPGA board for that and a little know-how :).
Also it's now possible to design your own hdmi receiver chip (without worrying much about HDCP keys). Estimated price range: 2-3$ per piece (for 100k+ batches; small initial investment - ca. 350k$ - may be required for that).
I've heard Steve Jobs is unhappy with Samsung Mobile, and Apple is switching IC manufacturers for their iToys ;), so Samsung semiconductor / foundry may be a good choice price-wise (those guys have a lot of steppers). Good yields :).

In comparison:
- HDMI cable: 10$
- soldering 8 tiny wires (+ a bunch of GNDs) to the motherboard: ???
- having fun while voiding your warranty: priceless :).

TMDS bus (SIL9287 <-> Arsenal) is easily identifiable on the motherboard. Tiny tracks (0.5mm raster ?): way too tiny for my (pretty much non existent) soldering skills :).
SIL9287 pinout: https://www.semiconductorstore.com/pdf/ ... 287_DB.pdf
Close-ups of the relevant TMDS bus: https://rapidshare.com/files/1892017477 ... IL9287.zip

Will it work? I have no idea. Question remains: is this bus really not encrypted?

EDIT: I did a little research. Apparently there are two (!) full-fledged, HDCP compliant HDMI input ports in Arsenal (2nd one not fully implemented / not connected ?). Here is what I'm getting on serial console for HDCP source connected on HDMI1.
(SIL9287 monitoring task):

Code: Select all

[111] STABLE_HDCP: 01 STABLE_NONHDCP: 00
[111] AUTH: 04 DECRYPT: 04  MPSEL: 04
[111] PIPEPWR: 08 PORTPWR: 06
[111] AUTH: 04 DECRYPT: 04
(Arsenal HDMI receiver status, TDM -> TD Debug -> spI Debug -> HDMI RX spI level debug -> Video /Audio Output Information):

Code: Select all

******************************HDMI_RX Info******************************* 
HDMI_RX Is Normally Play Back. 
HDMI_RX Mode = HDMI Mode.
HDMI_RX Video Resolution = 1920 * 1080    Progressive Video. 
The Video Interface = Digital Video 
Input Pixel Clock = Not Repeated.
Output Video Clock = Not Divided. 
Output Video Using Falling Edge To Latch Data.
Input Video Color Depth =  Legacy Mode.
Input Video Color Space =  YCbCr4:4:4 .
Output Video Format = YCbCr4:4:4. 
Input MCLK is selected. 
Output MCLK Frequence =  256 * Fs. 
Audio Fs =  48 KHz. 
Authentication is not attempted. 
Decryption is not active. 
Note the last two lines :shock: :shock: :shock:
Looks like Arsenal HDMI RX is getting already decrypted signal from SIL9287 port processor. Oops! ;)
User avatar
erdem_ua
SamyGO Admin
Posts: 3126
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey
Contact:

Re: SIL9287 HDMI port processor with InstaPort technology

Post by erdem_ua »

Doesn't it possible to capture stream over cable with tool like piratebus than decrypt with master key? I don't research it but sound comes possible :)
sbav1
Official SamyGO Developer
Posts: 374
Joined: Fri Jan 15, 2010 10:20 am

Re: SIL9287 HDMI port processor with InstaPort technology

Post by sbav1 »

erdem_ua wrote:Doesn't it possible to capture stream over cable with tool like piratebus
Bus pirate may be 100x too slow :). HDMI is 4+ Gbps bus. You will need to capture 4 channels at 1-2Ghz (continuously). I'm not aware of any sub-10000$ equipment which can do that.
than decrypt with master key?
I have no idea about potential HDCP soft-decryption part.. maybe it's doable, maybe not.
Anyway - in any case, I'm not willing to sacrifice my TVs mainboard simple to ensure that (= just soldering stripped HDMI cable into mainboard) is a viable solution :). I'm not even 100% sure it will work (more like 66.6%). Personally, I don't need this "feature", it's 100% pure gedankenenxperiment for me.
However, I think it will be nice to know for sure. Any volunteers? :D

BTW, you got me thinking about that electronics stuff and all.. thing is: there are three world-class 150MHz+ analog-digital converters inside our TVs (in Arsenal chip, aka: VGA/component inputs). We already know how to capture digital "samples" from this (or any other) input. There are (at least) 1080 3x1920x8bit "buffers" (8bit, 3 channels) in SDRAM in any moment..

SamyGO Tv Scope / SamyGo Logic Analyzer?

Seems quite possible :). We will need external H/V sync signal sources for VGA port (I guess virtually any PC/laptop with VGA output will be just fine for that purpose) and stripped VGA cable (+some basic analog stuff: 1 resistor + 2 diodes per "channel" should be a good start).
I guess it may be decent 20Mhz-150Mhz scope. Perhaps a little limited one; some gaps between the "buffer samples" may be unavoidable, because non-active pixels are typically not displayed on the screen :).
User avatar
erdem_ua
SamyGO Admin
Posts: 3126
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey
Contact:

Re: SIL9287 HDMI port processor with InstaPort technology

Post by erdem_ua »

Ehehehe It's enough for me! I can use it! Now using 200kpsp via Arduino & FTDI chip & My python OpenGL scope program and it's not good to inspect some signals :)
sbav1
Official SamyGO Developer
Posts: 374
Joined: Fri Jan 15, 2010 10:20 am

Re: SIL9287 HDMI port processor with InstaPort technology

Post by sbav1 »

Eskil wrote:Hi sbav1
Is your target to get an unencrypted stream out of your tv?
Nah, not really; personally I don't need such mod. I just thought it will be nice to know if it works or not. For purely educational purposes.
Your oscilloscope idea sounds great... Like the oscilloscope for gameboy on steroids.. I guess that the (external) input-board, scaling amplifier and input protection would take some work. And getting an impedance matched signal to the TV main-board..
I still don't know for sure if it's possible to capture 'samples' for H-sync/V-sync periods. If not, it will be quite limited solution (i.e we will have 10-20% of gaps in sampled data). Well, time to sacrifice VGA cable or two..
User avatar
erdem_ua
SamyGO Admin
Posts: 3126
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey
Contact:

Re: SIL9287 HDMI port processor with InstaPort technology

Post by erdem_ua »

I put $100 bounty if you make something >10Mhz oscilloscope with it :)
I think that will returns your sacrificed VGA cables :)
sbav1
Official SamyGO Developer
Posts: 374
Joined: Fri Jan 15, 2010 10:20 am

Re: SIL9287 HDMI port processor with InstaPort technology

Post by sbav1 »

So far, it's looking pretty good.

We have three 165Mhz (165MSPS) analog-digital-converters in Arsenal chip ("analog front end" in Samsung nomenclature).
Each ADC has three external inputs easily selectable in software (by lld3ChAfe_SetADC[345]Mux(); setting Arsenal I2C register bits directly shouldn't be too hard as well). I guess in European B-Series TVs all those inputs are on: PC/VGA, Component, and Scart1 (Scart2 ?) connectors, respectively.
So, we should be able to (e.g.) supply required H/V sync signals to PC/VGA connector, while capturing samples from Component inputs :).

AFAIK highest resolution available for analog inputs is 1920x1080@60. Pixel clock for this mode is 148.50Mhz, H (total): 2200, H (active): 1920. I believe we can capture pixels from H-sync/H-blank periods as well, perhaps as many as 2196 (2200-4) in total per line. I'm getting somehow promising results with the following settings:

Code: Select all

devmem2 0x309200cc w 0
devmem2 0x309200c4 w 0x894
(0x309200cc: active H position, 0x309200c4: active H size; both registers from Chelsea incapt subsystem).
We will still have ca 0.2% of gaps in the sample data, but I guess it's not that bad for DIY scope..
Unfortunately I don't have any signal generator to confirm this (I simply connected PAL CVBS signal to one of the inputs via 100nF capacitor for preliminary testing).

AFE3 ADCs are 12bit (all 36 bits transmitted digitally from Arsenal to Chelsea), but I think Samsung internal processing in Chelsea is 10bit at best. There are RGB -> YCbCr conversions involved as well, so I would expect 7-8bit final resolution for result "samples".
Fortunately, internal processing seems to be performed in 4:4:4 YCbCr format for VGA input (which is a nice surprise actually, because it's apparently 4:2:2 for HDMI inputs !!!).

Expected usable frequency range should be ca 100Hz ... 50Mhz (148.50/2.5, a little FFT magic might be required above 30Mhz or so).

Also, for best results, I think we need to disable Samsung

Code: Select all

 Fine Clamp, Offset and Gain Control
for AFE3. Hopefully it should be possible with one or more of the following functions:

Code: Select all

lld3ChAfe_SetEqualMargin
lld3ChAfe_SetGvsMode
lld3ChAfe_SelCoast
lld3ChAfe_SetResgMg
lld3ChAfe_SetMvEnd
lld3ChAfe_SetMvSt
lld3ChAfe_SetEqEnd
lld3ChAfe_SetEqStart
lld3ChAfe_SetMvEvent
lld3ChAfe_SetGhsMode
lld3ChAfe_SetVcntMG
lld3ChAfe_SetHcntMG
lld3ChAfe_SetSMCE
lld3ChAfe_SetSMCEClear
lld3ChAfe_SetSMCEThr
lld3ChAfe_SetClampSel
lld3ChAfe_SetGhsExtMode
lld3ChAfe_SetGvsPriority
lld3ChAfe_SetGvsExtMode
lld3ChAfe_SetAdcClampLength
lld3ChAfe_SetAdcClampStart
lld3ChAfe_SetUpCounterReference
lld3ChAfe_SetGhsMargin
lld3ChAfe_SetSogMg
lld3ChAfe_SetNoVSyncDetTime
lld3ChAfe_SetSyncDetTime
lld3ChAfe_SetSogSel
lld3ChAfe_SetSogModExt
lld3ChAfe_SetSogModSel
lld3ChAfe_SetCompModSel
lld3ChAfe_SetVoltageClamp
lld3ChAfe_SetAclpTarget
lld3ChAfe_SetRcrClpTarget
lld3ChAfe_SetBcbClpTarget
lld3ChAfe_SetGyyClpTarget
lld3ChAfe_SetClpSel
lld3ChAfe_SetManLevel
lld3ChAfe_SetAddBle
lld3ChAfe_SetAddSte
lld3ChAfe_SetExtHsEdge
lld3ChAfe_SetVsUse
lld3ChAfe_SetAclpSpeed
lld3ChAfe_SetAvFloorEn
lld3ChAfe_SetReduceAccGainEn
lld3ChAfe_SetManSlice
lld3ChAfe_SetUseClpUdp
lld3ChAfe_SetI2cEnable
lld3ChAfe_SetSdpmode
lld3ChAfe_SetSliceSelection
lld3ChAfe_SetCsPos
lld3ChAfe_SetTpgnPattern
lld3ChAfe_SetTpgnEn
lld3ChAfe_SetOutDataBypass
lld3ChAfe_SetOutRbSwap
lld3ChAfe_SetOutHsMode
lld3ChAfe_SetOutVsMode
lld3ChAfe_SetClampPcSel
lld3ChAfe_SetClampControlSignal
lld3ChAfe_SetExtHSyncSel
lld3ChAfe_SetCkPhaseSel
lld3ChAfe_SetBypassSel
lld3ChAfe_SetSogBw
lld3ChAfe_SetVhstVal
lld3ChAfe_SetVlcPc3
lld3ChAfe_SetVlcPc2
lld3ChAfe_SetCurrentHsComp
lld3ChAfe_SetThrVolHsComp
lld3ChAfe_SetPcgMuxSel
lld3ChAfe_SelectDllOut
lld3ChAfe_SetSsVth
lld3ChAfe_Set3ChVoltageRefRange
lld3ChAfe_SetData
lld3ChAfe_SetVcoRange
lld3ChAfe_SetMainDivider
lld3ChAfe_SetPllPol
lld3ChAfe_SetPllBandWidth
lld3ChAfe_SetPowerDownPC3
lld3ChAfe_SetPowerDownPC2
lld3ChAfe_SetPowerDownPC1
lld3ChAfe_SetPowerDownSS
lld3ChAfe_SetADC5Mux
lld3ChAfe_SetADC4Mux
lld3ChAfe_SetADC3Mux
lld3ChAfe_SetDllOut
lld3ChAfe_SetDllBw
lld3ChAfe_SetEnTun
lld3ChAfe_SetCurrentClamp
lld3ChAfe_SetAdcCurrentControl
lld3ChAfe_SetHsPhase
lld3ChAfe_SetDEEn
lld3ChAfe_SetPreOffset_Cr
lld3ChAfe_SetPreOffset_Cb
lld3ChAfe_SetCoeffMatrRcr
lld3ChAfe_SetCoeffMatrBcb
lld3ChAfe_SetCoeffMatrGy
lld3ChAfe_SetOffset_B
lld3ChAfe_SetOffset_G
lld3ChAfe_SetOffset_R
lld3ChAfe_SetInMode
lld3ChAfe_SetTPGNForQpi
lld3ChAfe_Set3chAfe
lld3ChAfe_SetEnNoSync
lld3ChAfe_SetNoSyncTPGN 

Post Reply

Return to “[B] Hardware”