Bell ExpressVu Satellite TV Set-top box

This is a an ExpressVu 4100 set-top box from around 2006:-

The 4100 was (According to Wikipedia) the last SD set-top box that Bell used, getting discontinued in 2012.

Opening it up, there is a single large (20.6cm x 18.6cm) PCB with 3 metal boxes over the RF sections, and a SIM card reader visible in top right:-

Here is the board with the metal boxes (Farday cages) removed and the main ics annotated

On the board we have:-

Conexant CX24109  – Digital Satellite Tuner




Conexant CX24123 – QPSK Demodulator




Conexant CX24153 – MPEG 2 Decoder




Micron – 48LC8M16A2  128Mb DRAM                                                 ST – M28W640FS 64Mb Flash memory



Mystery Chip?  NC206B2B     144138 =045794524458




Conexant CX20493 Digital Isolation Barrier – Line Interface




Conexant CX86500 – SCXV.92/V.34/V.32bis Modem




Cirrus Logic – CS4335K  24 bit 96kHz Stereo D/A Convertor




ST Viper 53 – Off-line primary switch




Also on the board but not annotated up is a Philips 74HCT08 (Quad And Gate)  an ST LM358 Op Amp, an unknown chip labelled CNY-17F and an another 24AA64 (Possibly a small serial Flash).  A lot of Conexant silicon on this board.

Also on the board is the information “Designed in the UK 2005” and “Asssembled in Mexico”.  Given the UK design  I wonder if this this box (or variant) was also be used by BSkyB in UK which was/is a big Satellite TV system.

Lets look at the silicon starting with the RF “Satellite In” connection.  Reading up about this, the very high C-band (4-8GHz) or Ku-band (12-18GHz) satellite signal is downconverted to L-band (950MHz -2125MHz) by an LNB (Low noise block downconverter) in the feedhorn of Parabolic dish.  That looks like something worth tearing down, I will add it to my list of stuff I want to look out for!

CX24109 Satellite TV Tuner

Straight from the coaxial connector the signal goes into the CX24109 – this is a 3.33 mm x 3.15 mm Bipolar chip with a very distinct layout

This is quite an advanced Bipolar process with small geometry metal tracks. The layout looks quite interesting with several distinctive blocks visible. A datasheet exists  for this part and indicates how much is going on. It consists of an LNA, variable RF attenuator, quadrature downconverter, variable IF gain amplifiers, variable low-pass filters, VCO, and synthesizer.

You can see 7 instances of this circuit using two inductors connecting to interdigitated finger MIM capacitors and some resistors and other capacitors – this may be an impedance matching circuit or possibly an LNA circuit

This similar circuit with a single inductor and a pair of MIM caps is also seen twice on the die

The Bipolar transistors used all seem to be dual emitter configurations, with circular emitters, octagonal base, with a minimum (That I could find) 2 emitters per collector.  Here you can see single collector two emitter transistors, together with single collector 8 emitter transistor configuration.

CX24123  QPSK Demodulator

This is the RF tuning -demodulation block diagram from the CX24109 datasheet

You can see the output of the the tuner IC goes directly into the CX24121 – in our case it is a CX24123.

As you might expect this is a mostly digital die made on 0.25μm or 0.18μm CMOS process measuring 2.5mm  x 2.1mm

CX24153 MPEG 2 Decoder

From the QPSK demodulator the signal is fed to a CX24153 MPEG 2 decoder chip, the biggest device on the board that is connected with Flash and DRAM memory.  This BGA (Ball Grid Array) mounted device has a 6.2mm x 5.92mm die inside.  Again made on a (estimated) 180nm CMOS process

Once the signal is converted to MPEG 2 it is put directly into the the TV out circuitry, which is just a bunch of discrete devices (Impedance matching to reduce insertion loss).

CX86500 and CX20493

The CX86500 modem chip and CX20493 digital isolation barrier/line interface are circuitry used to allow phone line interconnection to the board (Given the acronym DAA-Data Access Arrangement) as per this implementation

I thought the Digital Isolation Barrier that is in effect emulating an isolation transformer sounded interesting.  Here is the die (Measures 2.16mm x 2.05mm)

Its fabbed on a 0.25μm CMOS process and you can see has a mix of digital and mixed signal analog circuitry.  You can see a lot of on chip capacitors in the die photo. However not sure you can make out any real functionality here.

The 86500 modem chip is a bit boring really just a 5.08mm x 2.7mm digital die.

Mystery Chip

Lastly tucked away in the top left corner of the board next to the power supply components is the strangely marked thin BGA.

After depot we can find out a little more.  The die is a 2.9mm x 3.0mm  strange looking die

Almost nothing is visible, zooming in (With the 80x objective) what I think you can see is a die covered with an Aluminum plate, above which is a continuous metal chain meandering around the die. 

I think what we have here is a secure MCU.  This is the chip that descrambles the signal encryption. The vendor goes to great length to prevent reverse engineering the meandering track is designed such that if it is broken (By delayering) then the chip cannot function.

The die marks show the MCU is made by STM (Designed in 2003) and indicates there are ROMs associated to NFC and XRB(?)

The last part of the mystery why is this chip located in the corner with the power supply, I would have expected it to be associated with the MPEG decoder (Or the QSPK demodulator) and  if you look at the corner of the board you can see the (output of this) secure MCU is connected to a 14 pin ic. Which on inspection is a 7400 series logic chip, in fact the 74HCT08 a quad AND gate!  Which I blogged about last week








Why on earth would you connect a 32 bit MCU through 4 AND gates??!

This entry was posted in Teardown and tagged , , , , , , . Bookmark the permalink.

8 Responses to Bell ExpressVu Satellite TV Set-top box

  1. Evgheni says:

    Would be really interesting to delayer that secure MCU.

  2. Gary says:

    I did actually try to delayer that chip. But I don’t have the tools or skills to do it. I tried polishing it with some diamond paste on a glass microscope slide. Layers were removed but it turned into a mess.

    • Evgheni says:

      In my experience, polishing works somewhat ok only if you chemically etch the passivation away first.

  3. Evgheni says:

    Found an interesting note about that SMCU’s mesh in some presentation:
    Turns out there are active sensing in the mesh, witch, if tripped, will bulk erase the eeprom. Interesting..

    • Gary says:

      yeah it is a bit like an ‘arms race’. They add technology to add costs to the act of penetration/hacking. In this case the sense grid prevents/hinders probe attacks which is one of the cheaper form of attacks. The penetrator needs to short out and cut the lines to keep the sense grid active, whilst allowing an area to be de-processed and probed. In the end it is about cost of breaking the chip vs. reward/gain from doing so. The chip could be fully delayered and reversed engineered. It is only the use of advanced technologies that makes this expensive enough that it isn’t worth doing. (And there is also the fact that reading out a digital encryption block, is in fact reading out software code, that is considered illegal in most countries in a lot of circumstances).

      • Evgheni says:

        You are right. But what I also meant, is that is not ‘just’ a conductor grid, you need to short after tampering. But that it also has an active “probe” in the mesh too, the sense terminal. If it senses abnormalities in meshe’s parameters, like capacitance, inductance change and whatnot else, it will also trip the erase mechanism even if the mesh integrity is still intact.

        With this kind of security, I’d guess it is actually easier to gain access from the back side of the chip.

      • Evgheni says:

        Just found an interesting presentation by Dr Sergei Skorobogatov, “Fault attacks on secure chips”. Got me quite interested, I think it’s worth reading.

        • Gary says:

          Thanks, that is a really good read (If you like this sort of stuff). I agree with the conclusions, especially “There is no such thing as absolute protection – Given enough time and resources any protection can be broken.”
          Also on slide 45 he talks about ‘straight forward invasive reverse engineering’ it shows that if you spend enough you can break in to any chip.
          Like I said earlier its an arms race between the chip suppliers (Using more techniques like the sense grid sensing capacitance, and more advanced process technologies all to increase the difficulty and cost of penetration) and the ‘bad guys’ wanting to hack the secure chips.

Comments are closed.