Full Report
Back in the day, there was a device called the TV Guardian. The idea was that captions and spoken dialogue containing foul language could be removed from a TV stream in real time. How does this actually work? Ben Eater takes the device apart to find out. He reverse engineers the board to get a good idea of what each chip does, then removes the serial EEPROM by wicking off most of the solder and lifting the chip with a hot air gun. Dead bug debugging time! He finds the datasheet for this specific chip and starts working out how it operates. While reading the docs, the open question is which memory organization (and therefore which addressing mode) the chip is configured for. The answer is on the PCB: at the chip's footprint, pins 5-7 are all tied together, which means the ORG (memory organization) pin and the PE (program enable) pin are both connected to GND, so the chip is in 8-bit organization and programming is disabled.

He puts the chip on a breadboard and wires it up: GND and VCC first, then ORG and PE to ground exactly as they were on the original board, and finally the remaining serial interface pins (CS, CLK, DI and DO) to GPIO pins on an Arduino. Ben writes the protocol up as an Arduino sketch, though a standard EEPROM reader would work too. The sketch bit-bangs the interface: following the datasheet, it drives the GPIO lines high and low in the right order to emulate the SPI-like Microwire bus. For a read, the controller sends the opcode 10 followed by an 11-bit address, and the chip then clocks out 8 bits of data. Because the Arduino is the controller it owns the clock, so serial timing is not a problem: the data comes out only as fast as the sketch toggles the clock pin. After running this and piping the output through hexdump, a bunch of words appear!
In particular, most of them are obscene words that children shouldn't be hearing. After the bad words comes a list of good words, presumably the replacements. The format is a little odd, though: each word is followed by a small value (0, 1 or 2) and then a larger byte. Ben loads the whole dump into a spreadsheet and works out what the bytes mean; Excel has some powerful functions for testing hypotheses quickly. Some of the phrases in the list are explicitly allowed, and those turn out to be exactly the entries with one particular flag bit set (bit 6 in the table below). There are exactly 32 replacement words, which fit in 5 bits, and the low 5 bits of the odd byte are an index into that list: "ass", for instance, maps to "tail". The most significant bit is always set, and another flag bit just below it marks words that are ONLY restricted in strict mode, such as religious terms or "butt". There are still some things about the format that Ben doesn't understand. Overall, an awesome post showing what you can do with an Arduino, a memory dump and some pattern matching. Thanks for all the work, Ben!
Analysis Summary
# Research: Reverse Engineering the TV Guardian: Hardware Analysis and Memory Extraction
## Metadata
- **Authors**: Ben Eater
- **Institution**: Independent Research (Eater.net)
- **Publication**: YouTube / Technical Blog
- **Date**: Circa 2020 (Analysis of legacy hardware)
## Abstract
This research performs a comprehensive reverse engineering of the "TV Guardian," a legacy consumer electronics device designed to censor offensive language from broadcast television in real-time. By utilizing hardware teardown techniques, signal tracing, and custom microcontroller-based memory dumping, the researcher successfully extracts the device's internal "profanity database" and decodes the proprietary binary logic used to map offensive terms to euphemisms.
## Research Objective
The primary objective of this study was to understand the mechanical and logical operations of a real-time hardware-based content filter. Specifically, the research sought to answer:
1. How does the device store and access its filtering parameters?
2. What is the logic behind the replacement of specific words?
3. How is the internal memory organized and addressed?
## Methodology
### Approach
The researcher employed a bottom-up hardware reverse engineering approach:
1. **Physical Inspection:** Disassembly of the chassis and identification of integrated circuits (ICs).
2. **Circuit Tracing:** Visual and multimeter analysis of PCB traces to determine the configuration of pins on the non-volatile memory.
3. **Data Extraction:** Desoldering of the EEPROM and interfacing it with a modern microcontroller.
4. **Protocol Emulation:** Bit-banging the SPI protocol via custom software to dump the chip's contents.
5. **Pattern Recognition:** Spreadsheet analysis of the resulting hex dump to decode the word-mapping logic (nothing in the dump is encrypted, so no cryptanalysis was needed).
### Dataset/Environment
The subject of study was a retail TV Guardian unit. The internal environment consisted of an embedded system featuring a 93Cxx-family (Microwire) serial EEPROM. The exact part is not confirmed here: the read command described uses an 11-bit address in x8 mode, which addresses 2048 bytes and corresponds to a 93C86-sized part, whereas a 93C66 holds 512 bytes and takes a 9-bit address in x8 mode.
### Tools & Technologies
- **Solder/Desoldering Tools:** Hot air rework station for chip extraction.
- **Hardware Interface:** Arduino (used as a bridge between the EEPROM and a PC).
- **Software:** Arduino IDE for protocol implementation, hexdump for visualization, and Microsoft Excel for data pattern analysis.
## Key Findings
### Primary Results
1. **Unencrypted Storage:** The device stores its profanity list in plaintext within an 8-bit organized EEPROM.
2. **Flag-Based Logic:** Word replacement is governed by "metadata bytes" that determine strictness levels and replacement indices.
3. **Limited Euphemism Library:** The device utilizes a hard-coded set of exactly 32 replacement words.
### Supporting Evidence
- **Memory Dump:** Hexadecimal analysis revealed a structured list of obscene words followed by a 32-word replacement list.
- **Bitwise Consistency:** Analysis of the metadata byte showed consistent bit positioning:
  - **Bit 7 (MSB):** Always set (likely a delimiter/validity bit).
  - **Bit 6:** Determines "Explicitly Allowed" status.
  - **Bit 5:** "Strict Mode" toggle (e.g., for religious terms).
  - **Bits 0-4:** 5-bit index into the 32 replacement words.
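The following decoder, written for this page rather than taken from Ben Eater's video, turns the entry format described in the Full Report and in the bit table above into a parser you can run over a dump region. Everything about the layout that the page does not state is an assumption here: words are assumed to be ASCII and terminated by the mode byte (0, 1 or 2), the flag byte is assumed to follow immediately, the flag bit positions follow the table above (bit 6 allowed, bit 5 strict-only, bits 0-4 index), and the replacement table and sample entries are constructed.

```python
"""Decoder for the TV Guardian word-list format as summarised above.

Assumed layout (the page does not state how words are delimited): an ASCII
word, then a mode byte in {0, 1, 2}, then a flag byte with bit 7 set.
Bit positions follow the structured summary: bit 6 = explicitly allowed,
bit 5 = strict mode only, bits 0-4 = index into the 32 replacement words.
The replacement list and the sample region are constructed test data.
"""

FLAG_VALID = 0x80    # bit 7: always set in observed entries
FLAG_ALLOWED = 0x40  # bit 6: phrase is explicitly allowed (assumed position)
FLAG_STRICT = 0x20   # bit 5: filtered only in strict mode (assumed position)
INDEX_MASK = 0x1F    # bits 0-4: replacement index, 32 possible values

# Constructed replacement table: index 0 = "tail" mirrors the "ass -> tail"
# example; the rest is filler so the table has the 32 entries the page describes.
REPLACEMENTS = ["tail", "darn", "heck", "shoot", "dang", "jeepers"] + \
               ["r%02d" % i for i in range(6, 32)]
assert len(REPLACEMENTS) == 32


def decode_flags(flag):
    """Split the trailing byte into its fields; reject bytes without the valid bit."""
    if not flag & FLAG_VALID:
        raise ValueError("flag byte 0x%02x lacks the always-set bit 7" % flag)
    return {
        "allowed": bool(flag & FLAG_ALLOWED),
        "strict_only": bool(flag & FLAG_STRICT),
        "index": flag & INDEX_MASK,
    }


def parse_entries(region, replacements=REPLACEMENTS):
    """Walk a word-list region and return one dict per entry.

    A word is a run of printable ASCII (0x20..0x7E, so multi-word phrases
    are fine); the first non-printable byte is taken as the mode byte.
    """
    entries = []
    i = 0
    while i < len(region):
        j = i
        while j < len(region) and 0x20 <= region[j] <= 0x7E:
            j += 1
        word = region[i:j].decode("ascii")
        if not word or j + 2 > len(region):
            raise ValueError("truncated or empty entry at offset %d" % i)
        mode, flag = region[j], region[j + 1]
        if mode > 2:
            raise ValueError("unexpected mode byte 0x%02x at offset %d" % (mode, j))
        fields = decode_flags(flag)
        entries.append({
            "offset": i,
            "word": word,
            "mode": mode,
            **fields,
            # Allowed phrases need no substitute; everything else maps via the index.
            "replacement": None if fields["allowed"] else replacements[fields["index"]],
        })
        i = j + 2
    return entries


# Constructed sample region: four entries in the assumed layout.
SAMPLE_REGION = (
    b"ass" + bytes([0, FLAG_VALID | 0])                     # -> "tail"
    + b"damn" + bytes([1, FLAG_VALID | 1])                  # -> "darn"
    + b"butt" + bytes([2, FLAG_VALID | FLAG_STRICT | 2])    # strict mode only
    + b"class" + bytes([0, FLAG_VALID | FLAG_ALLOWED])      # explicitly allowed
)


def describe(entries):
    """One line per entry, roughly what the spreadsheet rows looked like."""
    out = []
    for e in entries:
        if e["allowed"]:
            action = "allowed"
        else:
            action = "-> %s%s" % (e["replacement"],
                                  " (strict mode only)" if e["strict_only"] else "")
        out.append("%-8s mode=%d idx=%2d %s" % (e["word"], e["mode"], e["index"], action))
    return out


if __name__ == "__main__":
    for line in describe(parse_entries(SAMPLE_REGION)):
        print(line)
```

The parser refuses a mode byte outside 0..2 and a flag byte without bit 7 set, which is the practical check when walking a real dump: the first entry that fails either test tells you where the assumed layout stops holding (for example where the bad-word list ends and the replacement list begins).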
### Novel Contributions
- Demonstration of "Dead Bug" debugging and breadboard-to-microcontroller interfacing for legacy chip extraction.
- Decoding of a proprietary legacy data format using basic spreadsheet software.
## Technical Details
The extraction relied on bit-banging the Microwire interface used by the 93Cxx EEPROM family, a serial protocol (CS, CLK, DI, DO) close enough to SPI to drive with four GPIO pins. Tracing the board showed the ORG (memory organization) pin tied to ground, which selects the 8-bit organization, and the PE (program enable) pin tied to ground as well, so the chip could be read but not written in situ. A read consists of a start bit of 1 (standard for 93Cxx parts), the opcode 10 and an 11-bit address, clocked in MSB first on DI; the chip then shifts the addressed byte out on DO one bit per clock. Note that an 11-bit address in x8 mode spans 2048 bytes, i.e. a 93C86-sized part rather than a 93C66. Because the Arduino drives CLK, the only timing constraint is staying below the part's maximum clock frequency, which a bit-banged sketch does by a wide margin; the data is pulsed out only as fast as the controller asks for it, and each bit is captured on a GPIO pin as it appears.
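The read transaction described in the Full Report and in the paragraph above, as an added example that is not Ben Eater's sketch: a host-side Microwire master that bit-bangs a READ through four pin callbacks, plus a behavioural model of the chip's read path so the exchange can be exercised offline. Assumptions not confirmed by the page: a start bit of 1 precedes the opcode, READ is 0b10, the address is 11 bits (a 2048-byte x8 part), data leaves DO MSB first with a dummy 0 presented when the last address bit is clocked in, and a sequential read continues to the next address while CS stays high. The chip contents used below are constructed; on real hardware the four callbacks would wrap the Arduino's pin writes and reads.

```python
"""Bit-banged Microwire READ of a 93Cxx EEPROM in x8 organisation (ORG grounded).

Assumptions: start bit 1, READ opcode 0b10, 11-bit address (2048 bytes), data
clocked out MSB first after a dummy 0, sequential read while CS stays high.
"""

READ_OPCODE = 0b10
ADDR_BITS = 11                 # 11-bit address => 2048 bytes (assumption)
MEM_SIZE = 1 << ADDR_BITS


class MicrowireMaster:
    """Drives CS, CLK, DI and samples DO through four callables.

    On an Arduino these would wrap digitalWrite/digitalRead on the pins wired
    to the breadboarded chip; here they are plain Python callables.
    """

    def __init__(self, set_cs, set_clk, set_di, get_do):
        self.set_cs, self.set_clk, self.set_di, self.get_do = set_cs, set_clk, set_di, get_do

    def _clock_out(self, bit):
        # The chip samples DI on the rising edge of CLK.
        self.set_di(bit)
        self.set_clk(1)
        self.set_clk(0)

    def _clock_in(self):
        # The chip presents the next DO bit on the rising edge; sample while CLK is high.
        self.set_clk(1)
        bit = self.get_do()
        self.set_clk(0)
        return bit

    def read(self, addr, length=1):
        """READ `length` bytes starting at `addr` in one CS session (sequential read)."""
        if not 0 <= addr < MEM_SIZE:
            raise ValueError("address out of range")
        self.set_clk(0)
        self.set_cs(1)
        self._clock_out(1)                               # start bit
        for i in (1, 0):
            self._clock_out((READ_OPCODE >> i) & 1)      # opcode 10, MSB first
        for i in range(ADDR_BITS - 1, -1, -1):
            self._clock_out((addr >> i) & 1)             # address, MSB first
        out = bytearray()
        for _ in range(length):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | self._clock_in()    # data, MSB first
            out.append(byte)
        self.set_cs(0)
        return bytes(out)


class Sim93Cx8:
    """Behavioural model of the chip's read path, used to exercise the master offline."""

    def __init__(self, contents):
        self.mem = bytearray(contents).ljust(MEM_SIZE, b"\xff")[:MEM_SIZE]
        self.cs = self.clk = self.di = 0
        self.do = 1
        self._reset()

    def _reset(self):
        self.started = self.reading = False
        self.shift = self.nbits = self.addr = self.bitpos = 0

    def set_cs(self, level):
        self.cs = level
        if not level:
            self._reset()                 # CS low aborts any command in progress

    def set_di(self, level):
        self.di = level

    def get_do(self):
        return self.do

    def set_clk(self, level):
        rising = level and not self.clk
        self.clk = level
        if not (rising and self.cs):
            return
        if self.reading:                  # shift out the current byte MSB first
            self.do = (self.mem[self.addr] >> (7 - self.bitpos)) & 1
            self.bitpos += 1
            if self.bitpos == 8:          # sequential read: advance to the next byte
                self.bitpos = 0
                self.addr = (self.addr + 1) % MEM_SIZE
        elif not self.started:
            self.started = bool(self.di)  # leading zeros are ignored until the start bit
        else:
            self.shift = (self.shift << 1) | self.di
            self.nbits += 1
            if self.nbits == 2 + ADDR_BITS:
                opcode = self.shift >> ADDR_BITS
                self.addr = self.shift & (MEM_SIZE - 1)
                if opcode == READ_OPCODE:
                    self.reading, self.bitpos, self.do = True, 0, 0  # dummy 0 bit first


def make_sim_master(contents):
    """Wire a master to a simulated chip loaded with `contents` (constructed data)."""
    chip = Sim93Cx8(contents)
    return MicrowireMaster(chip.set_cs, chip.set_clk, chip.set_di, chip.get_do)


def dump(master, size=MEM_SIZE):
    """Read the whole array in one sequential read, as the Arduino sketch would."""
    return master.read(0, size)


if __name__ == "__main__":
    master = make_sim_master(b"\x00word\x00other\x00")   # constructed contents
    print(dump(master, 16).hex(" "))
```

Swapping `Sim93Cx8` for real pin callbacks is the only change needed to run this against the chip on the breadboard; the sample point (DO read while CLK is high, after the rising edge) is where to look first if a real dump comes back shifted by one bit, which is the classic symptom of mishandling the dummy bit.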
## Practical Implications
### For Security Practitioners
- Legacy embedded systems are routinely exposed to simple physical attacks: desoldering a serial EEPROM and reading it with a hobby microcontroller required no specialised equipment.
- Proprietary "black box" devices often rely on security through obscurity rather than on encryption or authenticated storage.
### For Defenders
- Even when the data itself has little value (a list of swear words), an unprotected EEPROM gives anyone with physical access a complete understanding of the device and, once the PE pin is lifted from ground, a straightforward way to rewrite its configuration or firmware (a data-integrity attack on the stored contents).
### For Researchers
- Provides a blueprint for extracting data from discontinued hardware where official documentation or readers may no longer exist.
## Limitations
- The research focused on the memory contents; the real-time processing of the closed-caption (CC) data by the main CPU was not explored.
- The meaning of the 0/1/2 byte that precedes the flag byte is not explained, and the Full Report's wording of which flag bit marks "explicitly allowed" and which marks "strict mode only" is ambiguous; the bit table above gives one reading, so verify it against a dump before relying on it.
- The sample size was limited to one version of the hardware.
## Comparison to Prior Work
Unlike traditional software reverse engineering (disassembling binaries), this work focuses on **Data Reverse Engineering**. It treats the hardware as a physical lock to be picked, moving from the physical layer (solder) to the logical layer (SPI) to the semantic layer (word mapping).
## Real-world Applications
- **Hardware Auditing:** Techniques for verifying what data a "smart" device is storing locally.
- **Digital Archeology:** Recovering data from obsolete consumer hardware.
## Future Work
- Analysis of the main processor's firmware to understand the VBI (Vertical Blanking Interval) decoding of captions.
- Modification of the EEPROM to inject custom "censored" words (a proof of concept for data-integrity attacks); since the board ties PE to ground, writing requires lifting that pin or programming the chip off-board.
## References
- Ben Eater: "Reverse Engineering a TV Guardian"
- 93C66 Serial EEPROM Datasheet
- hxxps://eater[.]net/
- hxxps://www.youtube[.]com/watch?v=D_v_pAn9G1A