Hacking a weird TV censoring device

Recently, something I saw on the YouTube channel criticized me as a nerd. Technological connections. If you're not already familiar, you should stop watching this video and like and subscribe to everything he's produced, but now that you have, you might remember. In a recent video, he took a look at something called TV Guardian. TV Guardian filters out bad language from cable/satellite television and home video sources such as VHS tapes, DVDs and let's not forget laserdiscs. It goes into a lot of detail about what this era of the 80s was like. Marvel Works includes mention that in their programming there is a dictionary of offensive words and phrases that science would love to see, but it is not written anywhere in the manual, oh shit, so i thought it would be a good idea for science to see. what it takes to extract data from a

device

like this so I found mine on eBay and let's take a look at what I got and I must say the build of this thing looks exceptionally cheap but inside it's pretty simple with just a single plate.

One of the first things I noticed when I open this is that there's a chip here with a label that says 1.05 and that label is presumably a version of software programmed into that chip by the TV manufacturer Guardian, so let's try to get it. Remove the label and see what type of chip this is, so this is a chosen microcontroller, choose 16c622a and a microcontroller is basically a microprocessor with some RAM and ROM all integrated into a single package and in this case it looks like there are 2K of ROM and 128 bytes of ram, so there will definitely be some code programmed into the ROM in this selection, but that might be hard to come by, but let's take a look at what else we have on this board.

We have the xylog z8612912ssc. it's a line 21 ntsc decoder, so it's going to decode the subtitles and then this jrc chip, this Japan radio Corporation 2207, which is a video overlay, that's how it's going to put the subtitles back on the video that you post. so it makes sense that you would have a subtitle decoder and some kind of super printer to put text on top of the video and there are a couple more chips here that we have, this looks like an lm358, an op amp of some kind. and then an lm393 comparator, I'm not sure exactly what they are used for, but maybe it has something to do with audio muting or something or maybe it does something with a video signal, I'm not too sure and then up here we have a 74 HC. 4066, this is a quad analog switch, so maybe this is what makes it difficult to mute the audio without tracing all the traces and everything, finally we get to this chip here, which is a 93 lc86 and which is an eprom on series, so there is some data stored. on this chip too, so getting the data from the ROM that is built into the microcontroller might be difficult, but getting the data that is in this ROM will actually be quite easy, so let's start with the easiest and see. what we can extract from this guy and the first step is to remove the chip from the circuit board so I'm using a combination of copper braid and a small suction tool to suck up the solder and once I have most of the Soldering I'll use hot air to loosen any remaining solder while I remove the chip with tweezers, so here we go, here's the 93 lc86 and I have it on a board of course, but to figure out how to read. data from it let's take a look at the data sheet so here's the pin and it says pins eight and five are power and ground so I'm going to go ahead and start connecting them because pin 8 is power and pin 5 is land, etc. that will supply power to the chip and it says it's a two and a half volt chip, but if we look at the specs here it says it will actually run on anything from two and a half volts to six volts, so there's no power issue. with 5 volts which is good so we have chip select clock data input and output and this looks suspiciously like a serial peripheral interface or an SPI interface and I already made a whole video on that so we'll get to that in a minute. then there are these other two pins PE and org, so if we look at the description it says 93 LC, we have the 86, so it will be a 16k electrically erasable programmable read-only memory and 16k refers to it containing 16,000 bits. of data, then it says that it is configured as an 8 or 16 bit organization depending on the configuration of the organization pin, so in other words, the chip contains 16,000 bits of data and this pin tells it if it is storing the data as 2008. bit words or 1016 bit words now we don't have to guess what mode TV Guardian is using because we can just look at the circuit board where I removed it so here is the power pin and here is a power pin ground and if you look closely you can see that there is a connection between the ground pin and the organization pin.

Now, if we go back to the datasheet and look at the pin descriptions, we can see that when the org board is linked to VSS, it is connected to ground, the 8 bits. The memory organization is selected so we can go ahead and connect our organization pin here to ground like that, so that's the orc pin and now for the PE pin, if you look closely again, you can see that it is actually connected and that all three are connected to each other. so the PE pin is also connected to ground and PE is the program enable pin which says if this pin is tied to VSS or ground programming will be inhibited, so connecting this pin to ground like this basically makes the chip be read-only and that really tells us something about TV Guardian tells us that you could never actually erase or write data to this chip because the program enable pin is always connected to ground this way, so this chip is always read-only and that leaves us with the clock chip select the data input and output pins of the clock and we will need to manipulate these pins in order to read the data from the chip, so I will connect them all to an Arduino which will allow us to do what we want with them, so I'll connect digital pin 2 on the Arduino to the chip, select pin three.

I'll connect to the watch. Pin 4 will be the data input and then pin 5 will be the data output and then conveniently the Arduino can provide 5 volts. power source so I'm going to use that to power the chip and then of course I'll also need to connect a common ground and all of that should allow us to start pulling data from this chip to the Arduino and read what's on the chip so with that connected, let's program the Arduino. I'll start by creating some definitions so that the chip select is on pin two. We connect the clock pin to connect three data to pin four and the data to pin five, then we will initialize those pins. here then the chip select is the output clock which will also be output from the Arduino and the data that comes in is output because remember the data is on the ROM chip so it will be output to the Arduino and so Similarly, data output on the ROM chip is input.

Then the Arduino to read the data from the ROM, the datasheet shows the different commands we can send to it, so we have the 93 lc86 with the organization pin tied to ground and for the read instruction we send a start bit followed by the read instruction of a zero and then an 11-bit address of the byte we want to read, then it will send back eight bits of data that are stored at that address, the rest of these commands delete write enable delete delete ok write all delete Disable correctly, we don't need any of those and in fact none of them will work because we have properly shielded the chip, but the read command is what we want and the datasheet also includes a timing diagram showing the same in more detail, so the chip select goes up and then the clock pulses high and low and every time the clock goes up, we have to have the right data in the online data, so a leading bit of one one zero and then 11 bits of address that we want to read every time the clock cycles so let's do it so the first thing that happens is the chip select goes high so we'll set the chip select pin to High and then the instruction we want send will be uh 110 followed by 11.

Bit address we want to read from and eventually we want to read from each address to read everything in the ROM, but let's start with address 0. And to transmit this one bit at a time, I'll create a loop that moves a little. all 14 bit positions in the instruction and that will act as a bit mask, so basically I'll start with a mask with one bit set all the way to the left and then every time I go through the loop I'll change it. mask bit on the right and in the loop we can test if the instruction has the same bit set, so if we and the mask with the instruction we are comparing this first bit here with the first bit of the instruction and if that is one what is it? in this case then we want to send one so we will set the data to high remember it is data in ROM otherwise we will set the data to low and the next time you do this loop this right shift will change this bit. here on the right and then we'll compare the next bit in the instruction and then we'll continue to slowly write whatever is high or low depending on which bit we're on until we check all the bits in the instruction, but anyway, after send the bit value, we need to toggle the clock, so we will set the clock pin high and then set the clock pin low and based on the timing information in the datasheet, there should be no need to add any delay additional here, so now we transmit this instruction and the address, if we keep pressing the clock, the ROM should start spitting out the data and so that we are synchronized here, we simply transmit this last address bit. and the clock is low so we are here if we transition the clock high and then low again we will be here ready to read the first bit of data so let's create a variable to store any data we read and then I will create a loop to read eight bits of data, so I'll start by putting the clock high and low again and that will tell the ROM that we want the next bit of data, so if the data goes out, pin on the ROM is high , in that case we have read a 1.

So in that case, I will shift our data variable one bit to the left and then invert the last bit by originating it with a 1. Otherwise, I will simply shift the variable and not invert the last bit , so at this point we have read the eight bits of data and we are done with this whole process so we can set the chip select line to low level and then let's print the data we received, so first I need to initialize the serial output of the Arduino so I'm going to go ahead and do it up here and then down here we can just print the data to the serial port to see what we got so I'm going to load the program onto the Arduino and see what it does so I have an oscilloscope hooked up to the four lines so you can see what's happening here and here is the chip selection so you can see it goes up throughout the operation and then goes down. is the clock and you can see that there are 22 clock pulses, so there is the start bit, the two bits that indicate that it is a read operation, then 11 address bits and then eight more clock pulses for the eight bits of data that we are going to read. there's the data inside and so you can see here's the one zero that we started with and then all the zeros for the address and here's the data you can see we're getting at least one bit here and maybe it's happening anything else.

There's some data coming out here that we're reading, so if we look at the Arduino serial monitor here it shows that we're getting 65 and I know that 65 is the ASCII code for the uppercase letter A, but we could also if we expect this to be text, we can just print the Arduino as a character and if we run it again, we will load it and let it run again. Look at our serial monitor, here we go, we print to a but that's just one byte of the you know, there are 2048 bytes in the ROM, so let's get the rest of it and see if we can figure it out.

I'll start by factoring this loop where we send the instructions to a separate function to send the instructions, so we can just call this function every time we want to send a read instruction and it will also factor the loop where we read the data into a separate function to read data that way after we have sent an instruction we want to read a byte. from the realm we can simply call the read byte function, that way we set the chip select to high, we send the instruction to read a byte, we are reading a byte and we set the chip select to low and now we have We got our data and printed it, so now that I've simplified it, I'll create a loop that reads the 2048 bytes from the ROM.

Let's use the variable address to iterate through the 2048 addresses and then inside this loop we'll set the check select. Stop sending the instruction reading a chipbyte setting select low and then print the data except of course the instruction. I want to send that instruction with the particular address that we want to read and then when we print instead of putting each letter on a new line. we'll just print them all on the same line, so let's try that. Actually, maybe we'll read the first hundred bytes for now to see if we get anything interesting, so go ahead and load this.

What did I do? Oh, to return. data doesn't return bytes look at our serial amount oh look at that so that seems to be some naughty words so here yeah here's the first bite of the round we read is the a but now we're reading the next one , you know 99 bytes and we're looking at some, potentially, a list of words to be censored and it also looks like maybe there are some special characters here separating each word and yes, I know it would be easier to just dump the contents of the ROM using a commercial eprom programmer like this one that I sell on my eater.net website, but where is it? fun because it's much better to take a random product like this, take it apart and figure out how it works from first principles and, to extract the rest of the content from the ROM, I modified the program a little. through the 2048 bytes, but I'm retrieving 16 bytes at a time so you can see I'm still setting the High chip select here and then I send the instruction to retrieve the current address, but then I'm retrieving 16 bytes at a time and that's a feature of the ROM that if you keep reading bits without setting the chip select low, it will just send the next byte in order, then the chip select goes low here after we've read those 16 bytes and then the rest of the code here it just prints the data we read 16 bytes at a time in both HEX and ASCII so let's load this up and run it and see what we get so we'll open up our serial monitor and it looks like it's a little confusing let's clear that up and I'll reboot the Arduino to run it again and voila, this is the complete contents of the ROM and I've looked through it quite a bit to try to figure out what I can learn. and I think I figured out most of it, but there are still some things I'm not sure about, so first, obviously, it's a list of words to censor separated by some kind of non-ASCII characters that you know, in some cases between words. there is a zero and then a larger value like nine eight, in other cases you will have a word followed by a zero followed by a two or in some cases a one followed by a larger value, in this case eight one, but in many cases there's only a single byte between words and it's just a higher value byte, so you have a bunch of words and then eventually you get to a point where you get a word followed by a higher value byte here, followed by a FF and then after.

FF, they're all zeros until you get to the next 256-byte block, so you have these 256-byte blocks that have words up to a certain point and then they're just zeroes and then you move on to the next block and it goes on for a while. period of time and then you get this FF and then it's all zeros until you get to the next block and then here you have another block, actually this one ends right at the end of the 256 bytes and the next one starts immediately but then at the end of that block, you get to another block and there are a total of six of these 256-byte blocks of naughty words, then the seventh block here actually appears to be the replacement words.

I think these are the G-rated words. and in this case the format is actually a little bit different, the words are separated only by nulls, so there is just a zero between each of these words and then after the replacement words, you have that FF again followed by nulls and then the latter. The 256 byte block seems to have some version data or metadata or something and that's it so there's not much to it, it's a bunch of words and each word is followed by some bytecode of some kind and the question is what is it? What do those byte codes mean and can we find out something about how this

device

works by trying to decode them to better analyze what's going on?

I put all the data into a spreadsheet so I would have all the words here and how you saw each word. It can be followed by a zero, one or two and then some byte of higher value, so the interesting thing is that if we convert this byte of higher value to binary, we could do it in the spreadsheet, which is the hexadecimal to bin function and I spent a while looking for patterns in these bits and one pattern I notice is that it seems that among this list of censored words there are also some words on the white list, for example, but it is censored, but presumably butter and button are allowed, for what the words look like are allowed to have a one in this bit position five or third from the left, so we can test that bit to be able to bit by bit and the decimal value of that binary string with uh 32 since the bit 6 is the 32nd place, so I'm just going to copy this into each row here and this shows us all the allowed words, which is kind of interesting.

The other thing I noticed is that if you look at the list of replacement words here, there are actually exactly 32 of them if you count this first white space because the first byte in that section was a zero and 32 is a power of two, that makes me suspicious, um and because you can represent any number from 0 to 31 using exactly five bits, so if we go back up here and look, but the last five bits of this are zero zero zero zero one and go back to the word list of replacement, if this blank is index 0, index one would be queue and I assume queue is a reasonable replacement for putt. so it looks like maybe those last five bits correspond to which of the replacement words should be used, so let's test that theory, so that if the word is still not allowed, then let's do bitwise and decimal representation of that binary string with 31 so that' I'm going to take the last five bits and then copy them across all of these rows so this will show us the index in the list of allowed words that will replace each of these words, but we can actually have the spreadsheet search the index into the list of allowed words using the index function index into this range here and then it will be that index Value Plus 1. and we need to make sure we anchor them and I'll copy it and there we go. those are all the substitutions and it's interesting that it seems like it's actually a pretty strict limit that you can only have 32 possible replacements for all of these words now it would seem to limit expressiveness but I guess that's the point but anyway let's get back to it. these bits, the last five tell us the replacement word, the first is always set and then the third indicates whether the word is whitelisted or not, so it leaves the second bit and that appears to indicate if the word only is centered when the device is in strict mode, so we can test it the same way again, we will do it bit by bit and, uh, the bit we are looking for is the 64th place and that indicates if it is centered only in strict mode and there He has it so he can.

I see strict mode sensors, things like balls and butt, as well as religious things, so it's interesting to see what qualifies there, but I'll still leave a link to this spreadsheet in the video description if you want to explore it further and there are still some things I haven't figured out yet, you know, it seems like by default it will match anything that starts with a blocked word, hence the need to whitelist butter while buttblocking, but I think if there is a zero byte after the word then that makes it an exact match, so I would block Christ but allow Christmas for example, but I have no idea what the ones and twos are, so if you can see a pattern of some kind, then you know, put it in the comments because I have no idea, although, by the way, I find it funny how much effort they put into whitelisting to make sure that, you know, Dick Van Dyke Don't turn into a gay fan idiot, but I guess everyone else named Dick is some kind of idiot.

I don't know, but speaking of mysteries, there are some totally innocuous words like that and those that are explicitly whitelisted but don't seem related to any of the blocked words, are also different from the other whitelisted words because they have this last bit was set while the others don't again, no idea what it is, maybe suggestions to clean up the grammar around other block words, but I don't know, I can't figure it out, but anyway that's it , it certainly was a fun little rabbit hole to fall down and thanks to the technological connections for being a nerd attacking me and of course thanks to all my sponsors for making it possible for me to go buy one of these random things and Spend all your time playing with her.