Just bricked my V20 Jyaxbox. Don't really know what happened, tried channel 300 nothing, then 502 and bang, dead. Did the unplug/hardboot with nothing. Has stayed off since. Won't power up for anything. Plug unplug remote power on off, dead. Any ideas?

Happy Testing!!!

First thing, try another power supply, if that don't work unplug the JB200 module and see if it will power up.

might be a loose power supply white plastic clip a couple inches inside the box where it meets the board...

Gave it all a try. multi meter says power supply fine, found another same. With and without jb200. Red light comes on and that's all. Just another piece of throw away electronics. Without factory firmware or current files, using a loader would just be a shot in the dark. So much for the "clone"... At least i have the old T4 as backup for now.

Gave it all a try. multi meter says power supply fine, found another same. With and without jb200. Red light comes on and that's all. Just another piece of throw away electronics. Without factory firmware or current files, using a loader would just be a shot in the dark. So much for the "clone"... At least i have the old T4 as backup for now.

your back up is better

Ya, the backup is good but, get no turbo. No 129°W Would use the sonicview 8000 but, the remote is already driving me crazy on North. Going to have to find a decent replacement? Any ideas?

Happy Testing!!!

You've got it already. The T4. Put a module in it and the latest file.

Gave it all a try. multi meter says power supply fine, found another same. With and without jb200. Red light comes on and that's all. Just another piece of throw away electronics. Without factory firmware or current files, using a loader would just be a shot in the dark. So much for the "clone"... At least i have the old T4 as backup for now.
In your first you didn't say the red light was on, what you have done is loaded a bad file or 1 with a clone kill code in it, now you need to use the loader and the rs232 cable to recover it.

No files loaded, just died.

No files loaded, just died.
It could be a blown CAP on the main board.

on another site, I've been helping a guy with a clone box that has a bad security chip in it (AT88sc0104 8 pin chip). The code in the file that I looked at does not allow the box to run if the chip does not respond. There does seem to be output at the serial port as far as I can tell if the security chip tests do not pass, so you might want to see if any output on rs232 port.

on another site, I've been helping a guy with a clone box that has a bad security chip in it (AT88sc0104 8 pin chip). The code in the file that I looked at does not allow the box to run if the chip does not respond. There does seem to be output at the serial port as far as I can tell if the security chip tests do not pass, so you might want to see if any output on rs232 port.
I have a V10 with a bad security chip and it will not connect with the loader, no output at the rs232 port so that could be his problem as well.

The guy I was helping replaced the chip with another from an identical box and the box that was not working then did. I looked at the most recent jynx box file that I could find (JX_NA_Firmware_v251_dual.bin) and it looks like a chip defeat is possible. It may be that the box is set up so that if a new AT chip is discovered then the code will write the chip with the needed key and blow a fuse in the chip to show that it is programmed, but I'm not all that sure of that. Here are some routines I found in the file and notes on where one might do a defeat:

lzma compressed firmware starts 0x80 in. 0x1f875 bytes total
un-packs to 45AC64 bytes using lzma util. No encryption used as far as I can see.


800C28A8 # debug message (crypto)
800C34B8 # verify crypto chip
(uses 4394D0 CB 14 38 45 EE 0B E6 03 --and 60 57 34, 20 58 E5, )
800C30D8 # verify password 7 (8A 58 51 45 and 8A 58 51 62-9D 2B AE 47 88 44 18 0E 8B 72 E6 03) --this might be best place to do defeats

800C5CE0 # crypt test --this seems to write and read from the AT chip as core of testing
800CF898 # string copy?
800CF8D8 # mem compare?
800CF91C # find str length
800CF684 # memset?
800CF394 # memcopy?
800CF370 # long memset
800BA4D4 # fuse test and KSV test
800C2B00 # ATMEL chip detect (AT88SC0404C or AT88SC0808C strings)
800C2C54 # test ATMEL fuse
800C2F6C # user zone test
800C2DC0 # verify test and config erase
800C2CC4 # "Blow Fuse Verify Password"
800C2A50 # INIT (crypto?)
800BA87C # call init(crypto) and verify crypto chip
800BA934 # start crypto chip and find "S3602 HD STB" string --this starts the process of reading AT chip, so a defeat here might work, but might not
800C36A8 # cm_ReadConfigZone

I've advised the guy on the other site to do a similar disassembly on another file and do compare and contrast with the above info by doing a disassembly on above file too (use IDA Pro w/ mipsl processor selected and base addr of 0x80000200, auto-analyse 80000200 - 802CF500 v251 file).

Some of the above is better understood if you read the atmel docs for the chip(s)--seems there are 8 possible passwords and some 'user zone' memory in the chip.

i agree with 180... Sometime a PSU can measure good but be bad, sub a PSU with the 8psk removed, if it works shutdown and try the 8psk and see if all is well.

take out the JB200 and see if box boots up fine. Had a couple that when the JB200 went bad caused the box to be dead.

Unit just stopped working. Have tried most suggestions and none have worked. Back in box on shelf.

Happy Testing!!!

The guy on the other site managed to find M3606 source code and in it the atmel chip is started as part of HDMC init routine in root.c to generate an HDMC key--curious.

Looks like the atmel chip is using i2c comms at 100k bit per second and the base address of the chip is 0xb0, but the base is modified in the second nibble to get specific command generated. Seems that the cmd structure is at least 3 bytes with 1st being address/cmd, 2nd byte being a sub-cmd and third byte maybe length info. Here is what the source code seems to use for cmds:
cm_ResetPassword 0xba 0 0
cm_VerifyPassword 0xba 0 3
cm_ResetCrypto 0xb8 0 0xa
cm_AuthenEncrypt 0xb8 ? 0x10
cm_SetUserZone 0xb4 3 ?
cm_SendChecksum 0xb4 2 2
cm_WriteFuse 0xb4 1 0
cm_WriteConfigZone 0xb4 0 ?
cm_ReadChecksum 0xb6 2 2
cm_ReadFuse 0xb6 1 1
cm_ReadConfigZone 0xb6 0 ?
cm_WriteUserZone 0xb0 ? ?
cm_ReadUserZone 0xb2 ? ?

I suspect reading atmel doc would give one a better idea, but that is a quick look inside the sabbat 'out' file code (you don't get to see the c source for the atmel comms, just a libHTML.a ELF file is used).

All this code talk is way over my skill level... I would like to use a loader and try to force load the clone safe file, 239 I think. Where does one find the loader? Is there a force load step by step? Seems to be my only option at the moment to get this working again.

Happy Testing!!!

Loader is here....http://www.satfix.to/showthread.php?123252-Jynxbox-HD-loader