Cable TV FAQ.
From: [email protected] (Ed J. Gurney)

: Welcome to the FYI* list! :
For Your Information

Last updated February 1, 1993


This file is Copyright (C) 1993 by Ed J. Gurney. All rights reserved.
Redistribution of this file, in both electronic and printed form,
is permitted provided NO FEE (other than direct costs) is charged.

*** WANTED!! Information on techniques used by Scientific-Atlanta, ***
*** new Pioneer boxes and any others not mentioned here!! ***


The ownership of a signal descrambler does NOT give the owner the right
to decode or view any scrambled signals without authorization from the
proper company or individual. Use of such a device without permission
may be in violation of state and/or federal laws. The information
contained herein is intended to serve as a technical aid to those person
seeking information on various scrambling techniques. No liability is
assumed for the use or misuse of this information.


CATV:Acronym for CAble TeleVision.
Approximately 8 to 10 cycles of a 3.579545 MHz clock sent during
the HBI. This signal is used as a reference to determine both
hue and saturation of the colors. A separate colorburst signal
is sent for each line of video, and are all exactly in phase (to
prevent color shifts).
Control Signal:
The first 11.1 microseconds of a line of NTSC video. The signal
area from 0 to 0.3 volts (-40 to 0 IRE units) is reserved for
control signals, the rest for picture information. If the
signal is at 0.3 volts (or 0 IRE) the picture will be black.
See IRE Units; Set-up Level.
Field:One half of a full video frame. The first field contains
the odd numbered lines, the second field contains the even
numbered lines. Each field takes 1/60th of a second to
transmit. Note that both fields contain a complete
vertical-blanking interval and they both have the same
information during that interval. Since the NTSC standard is
525 lines, each field contains 262.5 lines--therefore it's the
half-line that allows the two fields of a frame to be
dstinguished from one another. See Frame; Line.
Frame:An NTSC video signal which contains both fields. A frame
lasts 1/30th of a second. See Field; Line.
HBI:Acronym for Horizontal Blanking Interval. The first 11.1
microseconds of line of video. It contains the front porch,
the 4.71 microsecond horizontal sync pulse, the 2.31
microseconds of colorburst, and the back porch. The horizontal
sync pulse directs the beam back to left side of the screen.
Almost every scrambling method in use today mutataes this part
of the signal in some way to prevent unauthorized viewing. See
Term used to describe the dual-field approach used in the NTSC
standard. By drawing every other line, screen flicker is
reduce--if all the lines were painted sequentially, the top
would begin to fade before the screen was completely "painted".
IRE Units:
IRE is an acronym for Institure of Radio Engineers. The NTSC
standard calls for a peak-to-peak signal voltage of 1 volt.
Instead of referring to the video level in volts, IRE units are
used instead. The IRE scale divides the 1- volt range into 140
parts, with zero-IRE corresponding to about 0.3V. The full
scale goes from -40 IRE to +100 IRE. This is convenient scale
to make a distinction between control signals (< 0 IRE) and
picture signals (> 0 IRE). See Control Signal.
Line:A video signal is a series of repeated horizontal lines,
consisting of control and picture information. The color NTSC
standard allows a total time of 63.56 microseconds for each
line, and each frame is composed of 525 lines of video
information. The first 11.1 microseconds make up the horizontal
blanking interval, or control signal, the following 52.46
microseconds make up the picture signal. See HBI; VBI.
NTSC:Acronym for National Television Standards Committee (or
Never The Same Color, if you prefer ๐Ÿ™‚
Picture Signal:
The 52.46 microseconds of signal following the control signal.
Information in this area is between 0 and 100 IRE units. See
IRE Units.
Set-up Level:
Picture information technically has slightly less than 100 IRE
units available. That's because picture information starts at
7.5 IRE units rather than at 0 IRE units. The area from 0 to
7.5 IRE units are reserved for what is commonly called the
"set-up level". Having a small buffer area between the control
signal information and the picture information is a "fudge
factor" to compensate for the fact that real-life things that
don't always work as nicely as they do on paper. ๐Ÿ™‚ See IRE
VBI:Acronym for Vertical-Blanking Interval. The first 26 lines of
an NTSC video signal. This signal is used to direct the beam
back to the upper-left corner of the screen to start the next
frame. In order for the horizontal sync to continue operating,
the vertical pulse is serrated into small segments which keep
the horizontal circuits active. Both actions can then take
place simultaneously. The VBI is the most common place for
"extra" information to be sent, such as various test signals,
and in some cable systems, a data stream.


Oak (and apparently some very early Pioneer boxes) employed a sine-wave
sync suppresion system. In this system, the picture would remain
vertically stable, but wiggling black bars with white on either side
would run down the center of the screen. The lines were caused by a
15,750 Hz sine-wave being injected with the original signal, causing the
sync separator in the TV to be unable to detect and separate the sync
pulses. Later, Oak came out with a "Vari-Sync" model, which also
removed a 31,500 Hz sine-wave added to the signal. Oak was one of the
first to use extra signals ("tags") as a counter-measure for pirate
boxes -- in the normal mode, a short burst of a 100 KHz sine-wave (the
tag signal) would be sent during the VBI, along with the AM sine-wave
reference on the audio carrier and scrambled video. They would then put
the AM sine-wave reference signal onto the audio carrier, leave the
video alone, and NOT send the tag. Any box which simply looked for the
AM sine-wave reference would effectively scramble the video by adding a
sine-wave to the unscrambled video! Real decoders looked for the tag
signal and still worked correctly. Other combinations of tag/no tag,
scrambled/unscrambled video were also possible.

....................6 dB In-Band Sync Suppression......................
Early Jerrold boxes used in-band gated sync suppression. The horizontal
blanking interval was suppressed by 6 dB. A 15.734, 31.468 or 94.404
KHz reference signal (conveniently all even multiples of the horizontal
sync frequency) was modulated on the sound carrier of the signal, and
used to reconstruct the sync pulse. An article in February 1984 issue
of Radio-Electronics explains this somewhat-old technique. Converters
which have been known to use this system include the Scientific-Atlanta
8500-321/421, a number of Jerrold systems [see numbering chart], Jerrold
SB-#, SB-#-200, SB-#A, RCA KSR53DA, Sylvania 4040 and Magnavox Magna

..................Tri-mode In-Band Sync Suppression....................
A modification to the 6dB sync suppresion system, dubbed "tri-mode",
allows for 0, 6 and 10 dB suppression of the horizontal sync pulse. The
three sync levels can be varied at random (as fast as once per field),
and the data necessary to decode the signal is contained in unused lines
during the VBI (along with other information in the cable data stream.)
See the February 1987 issue of Radio-Electronics for a good article
(both theory and schematics) on the tri-mode system. Converters which
have been known to use this system include a number of Jerrold systems
[see numbering chart], Jerrold SBD-#A, SBD-#DIC, Regency, and early
Pioneer systems {anyone know for sure which ones?}.

......................Out-Band Sync Suppression........................
Out-band gated sync systems also exist, such as in early Hamlin
converters. In this system, the reference signal is located on an
unused channel, usually towards the higher end (channels in the 40's and
50's are common, but never in the low 30's due to potential false
signalling.). The signal is comprised of only sync pulse information
without any video. Tuning in such a channel will show nothing but a
white screen and will no audio.

SSAVI is an acronym for Synchronization Suppression and Active Video
Inversion and is most commonly found on Zenith converters. Besides
suppressing sync pulses in gated-sync fashion, video inversion is used
to yield four scrambling modes (suppressed sync, normal video;
suppressed sync, inverted video; normal sync, inverted video; and normal
sync, normal video). The mode of scrambling can be changed as fast as
once per field. Their is no "reference signal" per-se, but the
horizontal sync pulses during the VBI are not suppressed, allowing a
phased-lock loop to be used to generate the missing sync pulses.
Information on whether the video is inverted or not is contained in the
latter-half of one of the lines of video, usually line 20 or 21. The
Drawing Board column of Radio-Electronics starting in August '92 and
going through early '93 described the system and provided several
circuits for use on an SSAVI system. Audio in the system can be
"scrambled" - usually by burying it on a subcarrier that's related
mathematically to the IF component of the signal.

.............................Tocom systems.............................
The Tocom system is similar to the Zenith system since it provides three
levels of addressable baseband scrambling: partial video inversion,
random dynamic sync suppression and random dynamic video inversion.
Data necessary to recover the signal is encrypted and sent during lines
17 and 18 of the VBI (along with head-end supplied teletext data for
on-screen display). The control signal contains 92 bits, and is a 53 ms
burst sent just after the color burst. Up to 32 tiers of scrambling can
be controlled from the head-end. Audio is not scrambled.

.........................New Pioneer systems...........................
The newer 6000-series converters from Pioneer supposedly offer one of
the most secure CATV scrambling technologies from a "major" CATV
equipment supplier. From the very limited information available on the
system, it appears that false keys, pseudo-keys and both in-band and
out-band signals are used in various combinations for a secure system.
From U.S. patent abstract #5,113,441 which was issued to Pioneer in May
'92 (and may or may not be used in the 6000-series converters, but could
be), "An audio signal is used on which a key signal containing
compression information and informaton concerning the position of a
vertical blanking interval is superimposed on a portion of the audio
signal corresponding to a horizontal blanking interval. In addition, a
pseudo-key signal is that the vertical blanking
interval cannot be detected through the detection of the audio signal...
Descrambling can be performed by detecting the vertical blanking
interval based on the the key signal, and decoding the
information for the position which is transmitted in the form of
out-band data. Compression information can then be extracted from the
key signal based on the detected vertical blanking interval, and an
expansion signal for expanding the signal in the horizontal and vertical
blanking periods can be generated." {I have abstracts on several other
Pioneer patents if anyone is interested. If anyone has any better
information on the 6000-series scrambling technique, please send mail!}
Note that Pioneer boxes are "booby-trapped" and opening the unit will
release a spring-mechanism which positively indicates access was gained
to the interior (and sends a signal to the head-end on a two-way system,
and may disable the box completely.) {See U.S. patent #4,149,158 for
details.} The mechanism cannot be reset without a special device.

...............No Scrambling (Traps/Addressable Taps)..................
A cable system may not be scrambled at all. Some older systems (and
many apartment complexes) use "traps" or "filters" which actually REMOVE
the signals you aren't paying for from your cable. These systems are
relatively secure because the traps are often located in locked boxes,
and once a service technician finds out they're missing or have been
tampered with (by pushing a pin through it to change its frequency,
for example), it's a pretty solid piece of evidence for prosecution.
The disadvantage to these systems is that pay-per-view events are not
possible, and that every time someone requests a change in service, a
technician has to be dispatched to add/remove the traps.

Becoming more and more popular in an effort to stop "pirates" are
addressable taps. These are devices located at the pole, where your
individual cable feed is tapped from the head-end. Similar to
addressable converters, they each have a unique ID number and can be
turned on/off by a computer at the head-end. Any stations which you are
not paying for are filtered out by electronicly switchable traps in the
units. (Including the whole signal if you haven't paid your bill or had
the service disconnected.) {Several patents on such devices have
recently been granted, see the accompanying Patent List FYI.} Again,
these almost guarantee an end to piracy and don't have any of the
disadvantages of the manual traps. Plus, they provide a superior signal
to those customers paying for service because they no longer need
complicated cable boxes or A/B switches -- and they can finally use all
of the "cable-ready" capabilites of the VCR, TV, etc. About the only
known attack on this type of system is to splice into a neighbors cable,
which again provides plenty of physical evidence for prosecution.

No information on techniques used by S-A converters. {If anyone has
information on any of the 85xx-series boxes (or even the new 8600),
please send mail!}

...........................Jerrold Baseband............................
No information on techniques used by Jerrold "baseband" converters. {If
anyone has information on other Jerrold scrambling methods other than
those mentioned above, please send mail!}

The VideoCipher system was developed by General Instruments and is used
primarily for satellite signals at this time. VideoCipher I is the
"commercial" version which uses DES (Data Encryption Standard)-encrypted
audio AND video. A VCI descrambler is not available for "home" owners.
VideoCipher II is the now-obsolete system which used a relatively simple
video encryption method with DES-encrypted audio. This has recently
been replaced by the VideoCipher II+, which will be replaced by
VideoCipher IIRS (a smart-card based system) by the end of the year.
Supposedly, coded data relating to the digitized, encrypted audio is
sent in the area normally occupied by the horizontal sync pulse in the
VCII system. (The Oak Orion CATV system uses a similar technology.)
Several methods existed for pirating the VCII based system, and some
supposedly exist for the new VCII+ format. See the
FAQ list for more information.

MAC is an acronym for Mixed Analog Components. It refers to placing TV
sound into the horizontal-blanking interval, and then separating the
color and luminance portions of the picture signal for periods of 20
to 40 microseconds each. In the process, luminance and chrominance are
compressed during transmission and expanded during reception, enlarging
their bandwidths considerably. Transmitted as FM, this system, when
used in satellite transmission, provides considerably better TV
definition and resoluton. Its present parameters are within the
existing NTSC format, but is mostly used in Europe at this time. {Does
anyone know if the D2-MAC system is just a variation of this, or is it
completely different? What's new in the D2-MAC system?}


........................Two-Piece vs. One-Piece........................
There are both advantages and disadvantages to the one-piece and
two-piece descramblers often advertised in the back of electronics
magazines. The "one-piece units" are real cable converters, just like
you'd get if you rented one from the cable company. It has the
advantages of "real" descrambling circuitry and the ability to "fit-in"
well when neighbors come over (avoids those "my box doesn't look like
that...or get all these channels!" conversations ๐Ÿ™‚ A disadvantage
is that if you move or the cable company installs new hardware, you may
now have a worthless box -- most one-piece units only work on the
specific system they were designed for. Another disadvantage is that
if the box has not been modified, it can be very easy for the head-end
to disable the unit completely. (See Market Codes, below.)

A "two-piece unit" ("combo") usually consists of an any-brand cable TV
tuner with a third-party "descrambler" (often referred to as a "pan")
which is designed to work with a specific scrambling technology. The
descrambler typically connects to the channel 3 output of the tuner, and
has a channel 3 output which connects to your TV. (Although some tuners
have a "decoder loop" for such devices.) They have the advantage that
if you move or your system is upgraded, you can try to purchase a new
descrambler -- which is much cheaper than a whole new set-up. You also
can select the cable TV tuner with the features you want (remote, volume
control, parental lockout, baseband video output, etc.) Two-piece units
typically cannot be disabled by the data stream on your cable. (Note
however that there ARE add-on "pans" manufactured by the same companies
who make the one-piece units that DO pay attention to the data stream
and can be disabled similarly!) The main disadvantage is that a
third-party descrambler MAY not provide as high of quality descrambling
as "the real thing", and it may arrouse "suspicion" if someone notices
your "cable thing" is different from theirs.

.......................Jerrold Numbering System........................
To "decode" a Jerrold converter, the following chart may be helpful.
(Note that some spaces may be blank.)

__ __ __ __ - __ __ __
| | | | | | |
| | | | | | |--- T = two-way capability, C = PROM programmable
| | | | | |
| | | | | |------ DI = Inband decoder, DO = Outband decoder,
| | | | | PC = Signle pay channel, A = Addressable
| | | | |
| | | | |--------- Output channel number (3 very common)
| | | |
| | | |-------------- D or I = tri-mode system, N = parental lockout
| | | feature (6 dB only systems are "blank" here)
| | |
| | |----------------- M = mid-band only, X = thru 400 MHz,
| | | Z = thru 450 MHz, BB = baseband
| |
| |-------------------- S = Set-top, R = Remote
|----------------------- D = Digital tuning, J = Analog tuning

............................Market Codes...............................
Note that almost every addressable decoder in use today has a unique
"serial number" programmed into the unit -- either in a PROM,
non-volatile RAM, EAROM, etc. This allows the head-end to send commands
specifically to a certain unit (to authorize a pay-per-view events, for
example.) Part of this "serial number" is what is commonly called a
"market code", which can be used to uniquely identify a certain cable
company. This prevents an addressable decoder destined for use in
Chicago from being used in Houston. In most cases, when a box receives
a signal with a different market code, it will enter an "error mode" and
become unusable. This is just a friendly little note to anyone who
might consider purchasing a unit from the back of a magazine -- if the
unit has not been "modified" in any way to prevent such behavior, you
could end up with an expensive paper weight... (see next section)

........................Test Chips / "Bullets".........................
So-called "test chips" are used to place single-piece converters (that
is, units with both a tuner and a descrambler) into full service. There
are a number of ways to accomplish this, but in most cases, the serial
number/market code for the unit is set to a known "universal" case, or
the comparison checks to determine which channels to enable/disable are
bypassed by replacing an IC in the unit. The latter type of chip is
superior because it cannot be disabled, even if the cable company finds
out about a "universal" serial number. (When that happens, the cable
company has the potential to disable the converter anyway, with a
so-called "bullet".) The "bullet" is nothing more than the normal cable
data stream with the appropriate code to disable a converter which has
this serial number, or which doesn't have this market code, or... etc.
The "bullet" is NOT a harmful high-voltage signal or something as the
cable companies would like you to believe -- if it was, it would damage
anyone with a cable-ready TV or VCR connected to the cable (not
something the cable company wants to deal with!) The only way to get
"caught" by such a signal is to contact the cable company and tell them
your illegal descrambler just quit working for some reason. ๐Ÿ™‚ Not a
smart thing to do, but you'd be surprised (especially if it's someone
else in the house who calls, like a spouse, child, babysitter, etc.)
While we're on the subject, it's also not a good idea to have cable
service personnel come into your residence and find an unauthorized
decoder. If you have one, use common sense and tell anyone you live
with to call YOU and NOT the cable company if something goes wrong.
Just some friendly advice...

.......................The Universal Descrambler.......................
In May of 1990, Radio-Electronics magazine published an article on
building a "universal descrambler" for decoding scrambled TV signals.
There has been much talk on the net about the device, and many have
found it to be lacking in a number of respects. Several modifications,
hoping to fix some of the problems have also been posted, with limited
success. The Universal Descrambler relies on the presence of the
colorburst for its reference signal. In a normal line of NTSC video,
the colorburst is 8 to 11 cycles of a 3.579545 MHz clock (that comes out
to 2.31 microseconds) which follows the 4.71 microsecond horizontal sync
during the horizontal blanking interval. {Whew!} Since a large number
of scrambling systems depend on messing with the horizontal sync pulse
to scramble the picture, the Universal Descrambler attempts to use the
colorburst signal to help it replace the tainted sync pulse.
Unfortunately, random video inversion is still a problem, as are color
shifts which occur from distorted or clamped colorburst signals, etc.
Most people have not had very good results from the system, even after
incorporating some modifications.

Ed J. Gurney N8FPW Hewlett-Packard Company Vancouver (USA!) Division
[email protected] #include
"Failures are divided into two classes-- those who thought and never did,
and those who did and never thought." John Charles Salak
The Somewhat-Complete List of CATV/Satellite/Scrambling Patents

The following patents have been issued to their respective companies
from roughly 1970 through August of 1992. The patents listed here in
some way relate to the area of televison encryption and/or distribution.
Note that there are MANY other patents issued in this area to other
companies, individuals, etc. but I've chosen to include only the "major"
players in the Satellite / CATV industry.

Copies of patents may be obtained from the U.S. Patent Office at a
charge of US$3.00 for each patent. Send requests to Commissioner of
Patents and Trademarks, United States Patents and Trademarks Office,
Washington, D.C. 20231. Also note that almost every state has at least
one Official Patent and Trademark Depository (usually at a large
institution or a start library) which has copies of all patents on
microfilm. See 'comp.patents' for more information.

Many other libraries may also have the "Official Gazette", the weekly
publication from the U.S. Patent Office which provides one drawing and
one paragraph from each patent issued during the week. Armed with this
list, the "Gazette", and a few hours in the library, you can get a
better idea of the nature of the patents before ordering the full text
from the Patent Office.

If someone is willing to donate FTP space, I can make a version of this
list available which has abstracts for any related patents issued in the
last two or three years. Something of that size is simply too big to
post to the group.

Hope this is interesting / helpful to someone.


