Hacking a weird TV censoring device

Reddit Comments

This is a sort of follow-up video to one posted by another YouTube Channel called Technology Connections: https://www.youtube.com/watch?v=ZiXg6H_FycI&t=0s If you haven't checked it out, highly recommend you do so!

πŸ‘οΈŽ︎ 19 πŸ‘€οΈŽ︎ u/dmcnaughton1 πŸ“…οΈŽ︎ Nov 21 2022 πŸ—«︎ replies

Just saw this .. Fun list of dirty words :-)

πŸ‘οΈŽ︎ 12 πŸ‘€οΈŽ︎ u/RusselPolo πŸ“…οΈŽ︎ Nov 21 2022 πŸ—«︎ replies

Ben is clearly my long lost brother. The moment I saw the Tech Connections video I wanted to eBay one and dump the eeprom 😂

Very interesting work by Ben.

πŸ‘οΈŽ︎ 11 πŸ‘€οΈŽ︎ u/vswr πŸ“…οΈŽ︎ Nov 21 2022 πŸ—«︎ replies

No way! First TC, then Foone, and now Ben. Good times

πŸ‘οΈŽ︎ 5 πŸ‘€οΈŽ︎ u/lunayylmao πŸ“…οΈŽ︎ Nov 21 2022 πŸ—«︎ replies

Ben mentions it might be hard to dump the ROM of the PIC chip. Does anyone here have experience with PICs? It doesn't seem too difficult from the MPLABX docs. Or was he just referring to the fact that the SOP package would be a hassle to wire a PICkit to?

πŸ‘οΈŽ︎ 3 πŸ‘€οΈŽ︎ u/andjmp πŸ“…οΈŽ︎ Nov 22 2022 πŸ—«︎ replies

YouTube crossover I never knew I needed! Love that Ben covered Tech Connections video.

Also that list of words is just interesting, some of it just weird. As a lesbian I'm stunned that the machine lets you say gay but not lesbian. Also it's pretty funny how 90's it is, Nookie is one of your big bad scary banned words, seriously?

πŸ‘οΈŽ︎ 3 πŸ‘€οΈŽ︎ u/dream6601 πŸ“…οΈŽ︎ Nov 22 2022 πŸ—«︎ replies

He's not dead!

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/Friendly_Addition815 πŸ“…οΈŽ︎ Nov 22 2022 πŸ—«︎ replies

This is so random yet so interesting. I would also do anything for a list of dirty words.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/eXperienceddddd πŸ“…οΈŽ︎ Nov 22 2022 πŸ—«︎ replies
Captions
I was recently nerd sniped by something I saw on the YouTube channel Technology Connections. If you're not already familiar, you should stop watching this video and go watch, like and subscribe to everything he's ever produced. But now that you've done that, you may recall in a recent video he took a look at something called the TV Guardian. The TV Guardian filters out foul language from cable or satellite TV and home video sources like VHS tapes, DVDs and, let's not forget, LaserDiscs. He goes into plenty of detail about how this 1980s-era marvel works, including mentioning that baked into its programming is a dictionary of offensive words and phrases, which, for science, I'd love to see, but it's not written anywhere in the manual. Oh, shucks. So I figured it'd be a good idea to, for science, see what it takes to extract data from a device like this.

So I found my own on eBay, and let's take a look at what I got. And I have to say, the construction of this thing feels exceptionally cheap, but inside it's pretty straightforward: just a single board. One of the first things I noticed when I open this up is there's a chip here with a sticker that says 1.05, and that sticker presumably is a version of software, something that's programmed into that chip by the manufacturer of the TV Guardian. So let's try to get that sticker off and see what kind of chip this is. And so this is a PIC microcontroller, PIC16C622A, and a microcontroller is basically a microprocessor with some RAM and ROM all built into one package. And in this case, looks like there's 2K of ROM and 128 bytes of RAM. So there's definitely going to be some code programmed onto the ROM on this PIC, but that could prove difficult to get.

But let's take a look at what else we have on this board. We've got the Zilog Z8612912SSC. This is an NTSC Line 21 decoder, so this is going to decode the closed captioning. And then this JRC chip, this Japan Radio Corporation 2207, that is a video superimposer, so that's how it's going
to put the closed captions back on the video that it puts out. So that sort of makes sense, that you'd have a closed caption decoder and some sort of superimposer for putting text on top of video. And there's a couple other chips here. We've got, this looks like an LM358, an op amp of some sort, and then an LM393 comparator. Not sure exactly what those are used for, but maybe something to do with the audio muting or something like that, or maybe it does something with a video signal. Not really sure. And then up here we've got a 74HC4066. This is a quad analog switch, so maybe this is what does the audio muting. Hard to say without tracing out all the traces and everything.

Finally we get to this chip here, which is a 93LC86, and that is a serial EEPROM, so there's some data stored on this chip as well. So getting the data out of the ROM that's built into the microcontroller could prove to be difficult, but getting data that's on this ROM is actually going to be pretty easy. So let's start with the low-hanging fruit and see what we can extract from this guy.

And the first step is extracting the chip from the circuit board. So I'm using a combination of copper braid and a little suction tool to suck the solder out of there, and once I've got most of the solder out I'll use hot air to loosen any remaining solder while easing the chip out with some tweezers. So there we go.

So here it is, the 93LC86, and I've got it on a breadboard, of course. But to figure out how to read data from it, let's take a look at the datasheet. So here's the pinout, and it says pins 8 and 5 are power and ground, so I'll go ahead and start hooking those up, because pin 8 is power and pin 5 is ground, and so that'll supply power to the chip. And it says it's a two-and-a-half-volt chip, but if we look at the specs here, it says it'll actually work with anything from two and a half volts to six volts, so no problem powering with 5 volts, which is nice. Then we've got chip select, clock, data in
and data out, and this looks suspiciously like a serial peripheral interface, or SPI, interface, and I already did a whole video on that, so we'll get to that in a minute. Then there are these two other pins, PE and ORG. So if we look at the description, it says the 93LC, we have the 86, so it's going to be a 16K electrically erasable programmable read-only memory, and the 16K refers to it holding 16,000 bits of data. Then it says it's configured as either an 8-bit or 16-bit organization depending on the ORG pin setup. So in other words, the chip holds 16,000 bits of data and this pin tells it whether it's storing the data as 2,000 8-bit words or 1,000 16-bit words.

Now, we don't have to guess which mode the TV Guardian is using, because we can just look at the circuit board where I removed it. So here's the power pin and here's a ground pin, and if you look closely you can see there's a connection between the ground pin and the ORG pin. Now, if we go back to the datasheet and we look at the pin descriptions, we can see that when the ORG pin is tied to VSS, which is ground, the 8-bit memory organization is selected. So we can go ahead and tie our ORG pin here to ground like that. So that's the ORG pin.

And now for the PE pin: if you again look closely, you can see it's actually connected as well. All three of these are connected together, so the PE pin is also connected to ground. And PE is the program enable pin. It says if this pin is tied to VSS, or ground, programming will be inhibited. So connecting this pin to ground like this basically makes the chip read-only, and that actually tells us something about the TV Guardian: it tells us that it would never actually be able to erase or write data into this chip, because the program enable pin is always grounded like this, and so this chip is just always read-only.

And so that just leaves us with the chip select, clock, data in and data out pins, and we'll need to manipulate these pins in order to read data from the chip. So I'm going to connect
them all to an Arduino; that'll just let us do whatever we want with them. So I'll connect digital pin 2 on the Arduino to chip select. Pin 3 I'll connect to the clock. Pin 4 is going to be data in, and then pin 5 is data out. And then conveniently the Arduino can provide a 5-volt power source, so I'll use that to power the chip, and then of course also need to connect a common ground. And so all of that should allow us to start extracting data from this chip into the Arduino and read what's on the chip.

So with that hooked up, let's program the Arduino. I'll start out by creating some definitions: so chip select is on pin 2, we hooked up the clock pin to pin 3, data in to pin 4 and data out to pin 5. Then we'll initialize those pins here. So chip select is output, clock is also going to be output from the Arduino, and data in is output, because remember, it's data in on the ROM chip, so it'll be output on the Arduino, and similarly data out on the ROM chip is input on the Arduino.

Then to read the data from the ROM, the datasheet shows the different commands we can send it. So we've got the 93LC86 with the ORG pin tied to ground, and for the read instruction we send a start bit of 1, followed by the read instruction of 1 0, and then an 11-bit address of the byte we want to read. Then it'll send back eight bits of data that are stored at that address. The rest of these commands, erase/write enable, erase, erase all, write, write all, erase/write disable, we don't need any of those, and actually none of them are going to work because we've write-protected the chip. But the read command is what we want.

And the datasheet also includes a timing diagram showing the same thing in more detail. So chip select goes high, and then the clock pulses high and low, and each time the clock goes high we have to have the right data on the data in line: so a start bit of 1, 1 0, and then 11 bits of address that we want to read, each time the clock cycles. So let's do that. So the first thing
that happens is chip select goes high, so we'll set the chip select pin high. And then the instruction that we want to send is going to be 110 followed by the 11-bit address we want to read from. And eventually we want to read from every address, to read everything on the ROM, but let's start with address 0.

And to transmit this one bit at a time, I'll create a loop that shifts a bit through all 14 bit positions in the instruction, and that'll act as a bit mask. So I'm basically going to start with a mask with one bit set all the way to the left, and then each time through the loop I'll shift that mask bit to the right. And in the loop we can test if the instruction has the same bit set. So if we AND the mask with the instruction, we're comparing this first bit here with the first bit in the instruction, and so if that's a 1, which it is in this case, then we want to send a 1, so we'll set data in high (remember, that's data into the ROM). Otherwise we'll set data in low. Then the next time through this loop, this shift right will shift this bit here over to the right, and then we'll compare the next bit in the instruction, and then we'll just keep going bit by bit by bit, writing out whichever, whether it's high or low, depending on which bit we're on, until we go through all of the bits in the instruction.

But anyway, after we send the bit value we need to toggle the clock, so we'll set the clock pin high and then set the clock pin low, and based on the timing info in the datasheet we shouldn't need to add any additional delay here. So now we transmitted this instruction and the address. If we keep pulsing the clock, the ROM should start spitting out the data. And just so we're in sync here: we just transmitted this last bit of address and the clock is low, so we're right here. If we transition the clock high and then low again, then we'll be right here, ready to read the first bit of data. So let's create a variable to store whatever data we read, and then I'll create a loop to read
eight bits of data. So I'll start by toggling the clock high and setting the clock low again, and that'll signal the ROM that we want the next bit of data. So if the data out pin on the ROM is high, in that case we've read a 1, so in that case I'll shift our data variable to the left by one bit and then flip the last bit by ORing it with a 1. Otherwise I'll just shift the variable and not flip the last bit. So at this point we've read all eight bits of data and we're done with this whole process, so I can set the chip select line low, and then let's print out whatever data we received. So first I need to initialize the serial output of the Arduino, so I'll go ahead and do that up here, and then down here we can just print the data to the serial port to see what we got.

So with that, I'll upload the program to the Arduino and see what it does. So I've got an oscilloscope hooked up to all four lines so you can see what's going on here. And so here's the chip select, so you can see that that goes high for the entire operation and then goes low. This is the clock, and you can see there's 22 clock pulses: so there's the start bit, the two bits indicating it's a read operation, then 11 bits of address, and then eight more clock pulses for the eight bits of data that we're going to read. This is the data in, and so you can see here's the 1 1 0 that we start with and then all the zeros for the address. And here's data out; you can see that we're getting at least one bit here, and maybe something else going on here, with some data coming out that we're reading.

So if we look at the Arduino serial monitor here, it shows that we received 65, and I happen to know that a 65 is the ASCII code for the capital letter A. But we could also, if we expect this to be text, we can just have the Arduino print it as a character. And so if we rerun this, we'll upload and let it run again, look at our serial monitor, there we go, we printed an A. But that's just one byte out of the, you know, 2048 bytes
that are in the ROM, so let's get the rest of them and see if we can make any sense of it. I'll start by factoring out this loop where we send the instruction into a separate function for sending the instructions, so we can just call this function each time we want to send a read instruction. And I'll also factor out the loop where we read the data into a separate function for reading data. That way, after we've sent an instruction, we want to read a byte from the ROM, we can just call the read byte function. So that way we're setting chip select high, we're sending the instruction to read a byte, we're reading a byte and we're setting chip select low, and now we've got our data, we print it out.

So now that I've simplified that, I'll create a loop that reads all 2048 bytes of the ROM. Let's use the variable address to iterate through the 2048 addresses, and then inside this loop we're setting chip select high, sending the instruction, reading a byte, setting chip select low and then printing the data. Except of course for the instruction, I want to send that instruction with the particular address we want to read. And then when we print, instead of putting each letter on a new line, we'll just print them all on the same line. And so let's give that a try. Actually, maybe let's just read the first hundred bytes for now to see if we get anything interesting. So go ahead and upload this. Huh, what did I do? Oh, to return data, not return byte. Look at our serial monitor. Oh, look at that. So these appear to be some naughty words. And so here, yeah, here's that first byte in the ROM that we read, is the A, but now we're reading the next, you know, 99 bytes and we're seeing potentially a list of words to be censored, and it also looks like there's maybe some special characters in here separating each word.

And yeah, I know it'd be easier to just dump the contents of the ROM using a commercial EEPROM programmer like this one that I sell on my website, eater.net shop, but
where's the fun in that? It's much cooler to take a random product like this, pull it apart and figure out how it works from first principles. And so to extract the rest of the contents of the ROM, I've modified the program a little bit. I'm going through all 2048 bytes but I'm fetching 16 bytes at a time. So you can see I'm still setting chip select high here, and then I'm sending the instruction to fetch the current address, but then I'm fetching 16 bytes at a time, and that's a feature of the ROM, that if you just keep reading bits without setting chip select low, it'll just send the next byte in order. Then chip select goes low here after we've read those 16 bytes, and then the rest of the code here is just printing out the data that we read, 16 bytes at a time, both in hex as well as ASCII. So let's upload this and run it and see what we get. So we'll open up our serial monitor, and it looks like it got a little bit garbled. Let's clear that and I'll reset the Arduino so it runs again, and there we go: this is the entire contents of the ROM.

And I've looked at this quite a bit, actually, to try to figure out what I can learn, and I think I figured most of it out, but there's still a few things I'm not sure about. So first, it's obviously a list of words to censor, separated by, you know, some sort of non-ASCII characters. You know, so in some cases between words there's a zero and then a larger value like 98. In other cases you'll have a word followed by a zero followed by a two, or in some cases a one, followed by a larger value, in this case 81. But in many cases there's just a single byte between words, and it's just some higher-value byte. And so you've got a bunch of words, and then eventually you get to a point where you get a word followed by a higher-value byte here, followed by an FF, and then after FF it's all zeros up until you get to the next block of 256 bytes. So you have these 256-byte blocks that have words up until a certain point and then it's just all zeros, and
then you get into the next block, and it goes on for some period of time, and then you get this FF and then it's all zeros until you get to the next block. And then here you've got another block; actually, this one ends right at the end of the 256 bytes and the next one starts right away, but then at the end of that block you get to another block. And so there's a total of six of these 256-byte blocks of naughty words. Then the seventh block here actually appears to be the replacement words. I think these are the G-rated words, and in this case the format's actually a little bit different: the words are separated just by nulls, so there's just a single zero between each of these words. And then after the replacement words you've got that FF again, followed by nulls, and then this last block of 256 bytes just seems to have some version data or metadata or something. And that's it. So there's not that much to it: it's a bunch of words and each word is followed by some byte code of some sort, and the question is, what do those byte codes mean, and can we figure out anything about how this device works by trying to decode them?

So to better analyze what's going on, I put all the data into a spreadsheet. So I've got all the words here, and as you saw, each word may be followed by a zero, a one and/or a two, and then some higher-value byte. And so what's interesting is if we convert this higher-value byte to binary, and we could do that in the spreadsheet, which is the HEX2BIN function. And I spent some time looking for patterns in these bits, and one pattern I notice is that it seems like among this list of censored words there's also some whitelisted words. So for example, butt is censored but presumably butter and button are allowed, and so it seems like the words that are allowed have a one in this bit position five, or, you know, the third from the left. And so we can actually test for that bit, so I can bitwise AND the decimal value of that binary string with 32,
since the bit 6 is the 32's place. So I'll just copy this to every row here, and so this shows us all the allowed words. So that's kind of interesting.

The other thing I noticed is that if you look at the list of replacement words here, there's actually exactly 32 of them, if you count this first blank, because the first byte in that section was a zero. And 32 is a power of two, so that makes me suspicious, because you can represent any number from 0 to 31 using exactly five bits. So if we go back up here and look at butt, the last five bits of this are 0 0 0 0 1, and going back to the list of replacement words, if this blank is index 0, index 1 would be tail, and I guess tail is a reasonable replacement for butt. So it looks like maybe those last five bits correspond to which of the replacement words should be used. So let's test that theory. So if the word isn't already allowed, then let's bitwise AND the decimal representation of that binary string with 31, so that'll just grab the last five bits, and then I'll copy this down to all of these rows. So this shows us the index into the list of allowed words that'll replace each of these words. But we can actually get the spreadsheet to look up the index in the list of allowed words using the INDEX function: index into this range here, and then it's going to be that index value plus 1,
and we need to make sure we anchor these, and I'll copy that down, and there we go. So those are all the substitutions. And it's interesting that it seems like it's actually a pretty hard limit, that you can only have 32 possible replacements for all of these words. Now, it would seem to limit the expressiveness, but I guess that's kind of the point.

But anyway, going back to these bits: the last five tell us the replacement word, the first is always set, and then the third signals whether the word is whitelisted or not. So that leaves the second bit, and that one appears to signal whether the word is only censored when the device is in strict mode. So we can test for that the same way: again we'll bitwise AND it, and the bit we're looking for is the 64's place, and that indicates if it's censored in strict mode only. And there you go. So you can see strict mode censors things like balls and butt, as well as the religious stuff, so it's interesting to see what qualifies there. But anyway, I'll leave a link to this spreadsheet in the video description if you'd like to explore it further.

And there's still a few things I haven't figured out yet. You know, it seems like by default it'll match anything starting with a blocked word, hence the need to whitelist butter while blocking butt, but I think if there's a zero byte after the word, then that makes it an exact match. So this would block Christ but it would allow Christmas, for example. But no idea what the ones and the twos are, so if you can see a pattern of some sort, then, you know, put it in the comments, because I have no idea. Although, by the way, I find it hilarious how much effort they put in to whitelist, to make sure that, you know, Dick Van Dyke doesn't turn into Jerk Van Gay, but I guess everyone else named Dick is some sort of jerk, I don't know.

But speaking of mysteries, there are some totally innocuous words like "that", "the" and "those" that are explicitly whitelisted but don't seem related to any of the blocked
words. They're also different from the other whitelisted words because they have this last bit set, whereas the other ones don't. Again, no idea what that's about; maybe hints for cleaning up grammar around other blocked words, but I don't know, I can't figure it out.

But anyway, that's pretty much it. This was certainly a fun little rabbit hole to fall into, and thanks to Technology Connections for nerd sniping me, and of course thanks to all my patrons for making it possible for me to randomly go buy one of these things and spend all the time to play with it.
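
The dictionary layout worked out in the captions above (six 256-byte word blocks, a flag byte after each word, a NUL-separated replacement table in the seventh block), written as a decoder. This is an added example, not code from the video or from the device: the ROM image is constructed from words the captions mention and is not the real dump, and the upper-case entries and longest-match rule in filter_word are assumptions.

```python
from typing import NamedTuple

BLOCK = 256                       # the dump is laid out in 256-byte blocks
WORD_BLOCKS, REPL_BLOCK = 6, 6    # blocks 0-5: word entries; block 6: replacements
ALWAYS, STRICT_ONLY, ALLOWED, INDEX = 0x80, 0x40, 0x20, 0x1F   # flag-byte bits

class Entry(NamedTuple):
    word: str
    exact: bool        # a 0x00 follows the word (the video's exact-match guess)
    allowed: bool      # 0x20: explicitly allowed word
    strict_only: bool  # 0x40: censored in strict mode only
    index: int         # low five bits: replacement-word index
    raw: bytes         # modifier bytes plus flag byte; keeps the undecoded 1/2 values

def parse_entries(rom: bytes) -> list:
    """Walk blocks 0-5: ASCII word, optional 0/1/2 bytes, flag byte with bit 7 set."""
    entries, pos, end = [], 0, WORD_BLOCKS * BLOCK
    while pos < end:
        if rom[pos] == 0xFF:                  # end of list: rest of block is padding
            pos = (pos // BLOCK + 1) * BLOCK
            continue
        start = pos
        while pos < end and 0x20 <= rom[pos] < 0x7F:    # word or phrase text
            pos += 1
        mod_start = pos
        while pos < end and rom[pos] in (0, 1, 2):      # optional modifier bytes
            pos += 1
        if mod_start == start or pos >= end or not rom[pos] & ALWAYS:
            raise ValueError(f"malformed entry at offset {start:#06x}")
        flags = rom[pos]
        entries.append(Entry(rom[start:mod_start].decode("ascii"),
                             0 in rom[mod_start:pos], bool(flags & ALLOWED),
                             bool(flags & STRICT_ONLY), flags & INDEX,
                             bytes(rom[mod_start:pos + 1])))
        pos += 1
    return entries

def parse_replacements(rom: bytes) -> list:
    """Block 6: NUL-separated words ended by 0xFF; a leading NUL makes index 0 blank."""
    block = rom[REPL_BLOCK * BLOCK:(REPL_BLOCK + 1) * BLOCK]
    end = block.find(b"\xff")
    if end < 0:
        raise ValueError("replacement block has no 0xFF terminator")
    body = block[:end]
    if body.endswith(b"\x00"):     # assumption: a NUL may also close the last word
        body = body[:-1]
    return [w.decode("ascii") for w in body.split(b"\x00")]

def filter_word(word, entries, replacements, strict=False):
    """Text to show for one caption word or phrase (strict = device in strict mode)."""
    # Assumptions, not established in the video: entries are upper case and the
    # longest matching entry wins (so an allowed BUTTER beats a censored BUTT).
    w = word.upper()
    hits = [e for e in entries if (w == e.word if e.exact else w.startswith(e.word))]
    if not hits:
        return word
    best = max(hits, key=lambda e: len(e.word))
    if best.allowed or (best.strict_only and not strict):
        return word
    return replacements[best.index] if best.index < len(replacements) else ""

def build_sample_rom() -> bytes:
    """Constructed 2048-byte image in the described layout; NOT the real dump."""
    blocks = [b"BUTT\xc1BUTTER\xa0BUTTON\xa0\xff",
              b"CHRIST\x00\xc0DICK\x82DICK VAN DYKE\xa0\xff"]
    blocks += [b"\xff"] * 4                       # empty word lists
    blocks += [b"\x00TAIL\x00JERK\xff", b""]      # replacements, metadata (left blank)
    return b"".join(b.ljust(BLOCK, b"\x00") for b in blocks)

if __name__ == "__main__":
    rom = build_sample_rom()
    entries, table = parse_entries(rom), parse_replacements(rom)
    for text in ("butt", "butter", "Christ", "Christmas", "Dick Van Dyke"):
        print(text, "->", repr(filter_word(text, entries, table, strict=True)))
```

The raw field keeps the 1 and 2 modifier bytes and the low bit on allowed words, which the video leaves undecoded, so they can be tabulated against a real dump.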
Info
Channel: Ben Eater
Views: 1,831,263
Id: a6EWIh2D1NQ
Length: 20min 58sec (1258 seconds)
Published: Mon Nov 21 2022