This FAQ is provided for educational purposes only and will be posted approximately every three weeks in alt.satellite.tv.europe, alt.satellite.tv.crypt and rec.video.satellite.europe.
Updated versions will be posted on:
www.hackwatch.com/~kooltek/faq
What you do with the information herein is your business. The contributors to this FAQ do not necessarily condone the illegal use of the devices or programs mentioned here. The contributors to this FAQ are in no way liable for any damage to equipment, revenue, or sanity as a result of the use or misuse of this information.
Permission is granted for the reposting of this document on any BBS, FTP site, WWW site as long as the complete unmodified document is posted. Addition of HTML tags to facilitate WWW posting is allowed. The copyright of this document rests with the contributors.
This is a FAQ for the European area. It covers European scrambling systems as opposed to the American systems. The hacks mentioned refer to European hacks. It is common to refer to the VideoCipher II system as VC2. However VC1 and VC2 used in this FAQ refer to the European VideoCrypt system variants.
The systems covered in this FAQ are satellite based systems. Though many of these are reused on cable systems in Europe, the majority of cable based systems are still based on primitive synch attenuation and or video inversion techniques.
I intend to expand the coverage of the American DSS hacking in the next version of the FAQ. This is because the DSS encryption system has some significant commonalities with the VideoCrypt 1 and VideoCrypt 2 systems.
A scrambling system is applied to a television signal to ensure that it is only receivable by the audience for which it is intended. The more cynical amongst us may rephrase that to "those who have paid to receive it". Therefore a good scrambling system is one that can effectively make the picture unusable to all except those who have paid.
There are two basic types of scrambling system: dumb and addressable. The dumb system does not have any over-the-air (OTA) addressing. As a result the channel cannot turn a subscriber's descrambler off. This type of system is cheap and offers minimal security. As a result it is not used for high value channels.
An addressable scrambling system is more complex in that it allows the channel to individually turn on and off descramblers. Most systems in operation today are addressable.
The basis of a scrambling system is the method by which it renders the picture unwatchable. The early scrambling systems were analogue. These systems interfered with the synch pulses or inverted the video either on a frame, field or line basis. Some actually delayed each line by one of three delays on a pseudo-random basis.
All of the analogue scrambling systems were vulnerable and offered little protection to the channel using them. It was trivial to build a descrambler that worked in an identical manner to the official descrambler.
As the years and technology advanced, more complex systems came into operation. These systems were digital based systems. They digitised the picture or sound information and manipulated it. In order to descramble or decode the picture, the picture had to be digitised and then decoded.
However the systems seen to date are all firmly rooted in analogue technology. It would be better to describe these systems as transitional systems rather than digital systems. VideoCrypt, D2-MAC EuroCrypt M, S, S*, S2 and Nagra Syster are all transitional systems. They all digitise the video in order to decode it. VideoCrypt and D2-MAC use line cut and rotate to scramble the picture. Nagra Syster uses Line Shuffle to scramble the picture. It takes a block of lines and changes the order. In each of these cases the video is still transmitted in an analogue format.
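As an added illustration (not code from this FAQ or from any decoder), the following Python models both primitives on a digitised line: cut and rotate driven by a seeded cut-point generator, and a keyed line shuffle of a block of lines. The sample format, line length, seed values and the pseudo-random generator are constructed stand-ins for whatever the real systems use; the point shown is that the decoder recovers the picture only with the same key the encoder used.

```python
"""Toy model of the two 'transitional' scrambling primitives: line cut and
rotate (VideoCrypt, D2-MAC EuroCrypt) and line shuffle (Nagra Syster).
Added illustration only: the cut-point generator, the sample format and the
keys below are constructed stand-ins, not the real systems' values.
"""
import random

LINE_LEN = 64    # samples per digitised line (constructed value)


def cut_and_rotate(line, cut_point):
    """Scramble one line: cut it at cut_point and transmit the tail first."""
    if not 0 < cut_point < len(line):
        raise ValueError("cut point must fall strictly inside the line")
    return line[cut_point:] + line[:cut_point]


def unrotate(scrambled, cut_point):
    """Descramble one line; needs the same cut point the encoder used."""
    tail_len = len(scrambled) - cut_point
    return scrambled[tail_len:] + scrambled[:tail_len]


def cut_points_from_seed(seed, n_lines, line_len=LINE_LEN):
    """Stand-in for the keyed pseudo-random cut-point generator. In the real
    systems the seed comes from the smart card, which is why the card and
    not the decoder hardware carries the secret."""
    rng = random.Random(seed)
    return [rng.randrange(1, line_len) for _ in range(n_lines)]


def scramble_frame(frame, seed):
    cuts = cut_points_from_seed(seed, len(frame), len(frame[0]))
    return [cut_and_rotate(ln, c) for ln, c in zip(frame, cuts)]


def descramble_frame(scrambled, seed):
    cuts = cut_points_from_seed(seed, len(scrambled), len(scrambled[0]))
    return [unrotate(ln, c) for ln, c in zip(scrambled, cuts)]


def shuffle_block(block, key):
    """Line shuffle: transmit a block of whole lines in a keyed order."""
    order = list(range(len(block)))
    random.Random(key).shuffle(order)
    return [block[i] for i in order]


def unshuffle_block(shuffled, key):
    """Recompute the keyed order and put every line back where it came from."""
    order = list(range(len(shuffled)))
    random.Random(key).shuffle(order)
    out = [None] * len(shuffled)
    for pos, src in enumerate(order):
        out[src] = shuffled[pos]
    return out


def samples_in_place(original, recovered):
    """Fraction of samples sitting in their correct position: 1.0 with the
    right key, close to 0 with a wrong one (a rotated line has no sample
    in place unless the cut point matched)."""
    total = sum(len(ln) for ln in original)
    hits = sum(a == b for lo, lr in zip(original, recovered)
               for a, b in zip(lo, lr))
    return hits / total


def make_test_frame(n_lines=16, line_len=LINE_LEN):
    """Constructed picture: every sample value is unique so misplacement shows."""
    return [[ln * line_len + s for s in range(line_len)] for ln in range(n_lines)]


if __name__ == "__main__":
    frame = make_test_frame()
    seed = 0x5EED        # constructed key; the real one would come from the card
    tx = scramble_frame(frame, seed)
    print("right seed :", samples_in_place(frame, descramble_frame(tx, seed)))
    print("wrong seed :", samples_in_place(frame, descramble_frame(tx, seed + 1)))
    block = shuffle_block(frame, seed)
    print("unshuffled :", samples_in_place(frame, unshuffle_block(block, seed)))
```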
All of the above systems are smart card based. They rely on the fact that the smart card can be economically replaced in the event of a hack. The concept behind this is that of "The Secure Detachable Microcontroller". The older system designs were based on the "Secure Embedded Microcontroller" concept. This concept was fundamentally flawed in that if there was a hack on the secure microcontroller (the chip that held the system's secrets), then all of the decoders would have to be replaced or upgraded.
The main systems in use in Europe are: VideoCrypt, EuroCrypt, Nagravision, Luxcrypt and B-MAC. There are variants of some systems. VideoCrypt comes in two versions, VideoCrypt I and VideoCrypt II. They are parallel, and the idea is that VC I is to be used inside the UK and Ireland, and VC II in the rest of Europe. EuroCrypt also has variants: EuroCrypt-M, EuroCrypt-S, EuroCrypt-S2, EuroCrypt-S*.
Since Europe is still a multi-copyright area, there is often the need to sell the programming on one channel to two markets. Rather than create two separate channels, it is often easier to use the same channel, with the same scrambling system but two distinct datastreams. Of course this dual datastream illustrates a major vulnerability. It only requires one of the datastreams to be hacked for the system to collapse completely.
With the VideoCrypt variants, the scrambling system is the same - line cut and rotate, but the information to descramble it is encrypted in the VideoCrypt 1 and VideoCrypt 2 datastreams. The datastreams are sent out on the one channel. Therefore the channel is available both in the UK and the continent using what on the surface appears to be two different systems. Of course this underlines an important flaw in using two or more datastreams on one scrambling system - if only one of these datastreams is hacked, then there is effectively no more protection for the channel.
Almost all efforts at cracking VideoCrypt have concentrated on the VideoCrypt 1 variant. VideoCrypt 2 has not been much of a target though there are two working hacks on this system. There are VideoCrypt 1 <> VideoCrypt 2 adaptors. These are plug-in boards with the switchable 68705 / 8752s that allow a VideoCrypt 1 decoder to be converted to use as a VideoCrypt 2 decoder and vice versa.
VideoCrypt 2 is hacked and pirate cards are available in two formats: Battery Card and reprogrammed 09 BSkyB Cards. The main attraction of VideoCrypt 2 (VC2) is that FilmNet is available on this system. The VC2 variant is more reliant on the serial number routines as many of the cards that were knocked out seem to be operating on a master-clone basis. This may well indicate that the Fiat-Shamir ZKT is working properly.
JSTV is the only broadcaster that broadcasts Europe wide using VideoCrypt I. This channel differs from the standard in that it is a very high fee channel but it is also very much a minority interest channel since it broadcasts programmes for the Ex-pat Japanese market. This channel is also hacked though various ECMs have been tried.
D2-Multiplexed Analogue Component (D2-MAC) is a transmission standard. The scrambling system overlay is EuroCrypt. EuroCrypt comes in a number of variants (M, S, S*, S2) but according to European law, EuroCrypt-M is the European standard. Nobody takes much notice of that anyway.
France Telecom developed EuroCrypt. Since the system is open as regards the scrambling algorithms, France Telecom chose a modified form of the US Data Encryption Standard algorithm. They removed the initial and end permutations to make it run faster in the smart card. They also believed that this algorithm would be top secret and apparently that their smart card would be unhackable.
Eurocrypt-M is the commonest. Only four channels (Sweden 1 and 2, Norway 2 and TV Erotica) use Eurocrypt S, the first two in the lesser-used D-MAC format of the MAC standard.
An older MAC variant, B-MAC, is used by the American Forces Radio and Television Service, The Satellite Information Services Racing Channel and several business TV applications. Gradually this system is fading out of use as American forces bases in Europe close down.
The B-MAC system applies relatively simple line delay scrambling to the MAC video and hard encrypts the digital audio and teletext services. The hacks on this system involve cloning a valid subscriber identity number and then arranging for a continual supply of weekly keys. These keys are programmed into an EEPROM chip in the decoder.
There are two flavours of B-MAC in operation in Europe: B-MAC 525 and B-MAC 625. The numbers refer to the line numbers. The 525 variant is used for the US AFRTS service and the 625 version is used for the Racing Channel. Pirate decoders for these services are expensive, typically costing in excess of five hundred pounds. The problem of course is arranging the continual flow of keys. A current hack claims to have worked around these problems.
Nagravision is also known as Syster and as Nagra, and is used in France, Spain, Turkey and Germany. Unlike VideoCrypt and Eurocrypt, Nagravision decoder boxes are not for sale. They are only rented out to subscribers, but still operate with a smart card. Nagravision is now replacing the older and less secure Discret system in France.
There are confirmed reports of a hack on Nagravision. The hack is a pirate decoder based on hacking the video scrambling as opposed to the access control aspect. The hack at the moment only affects the SECAM implementation of the system. The PAL implementation as used by Premiere is still intact.
The Luxcrypt system is a cut down implementation of the IRDETO system. Basically the Luxcrypt system is a synch replacement and inversion system. It is easily hacked and circuit diagrams of various decoders are available at all good FTP sites. The full IRDETO system has digital audio.
Even the old SATPAC system as used by FilmNet before they switched to D2-MAC has been used lately on FilmNet transmissions to Greece.
System: VideoCrypt 1
TV Standard: PAL
Video: Line Cut And Rotate
Audio: None
Smart Card: Yes
Users: BSkyB Multichannels, Adult Channel, Eurotica, JSTV etc.
Hack Status: Megatek Card, Phoenixed Cards
Pirate Cards: Not Yet
Season Programs: Not Yet
System: VideoCrypt 2
TV Standard: PAL
Video: Line Cut And Rotate
Audio: None
Smart Card: Yes
Users: Discovery, FilmNet.
Hack Status: Hacked
Pirate Cards: Yes
Season Programs: No
System: EuroCrypt
TV Standard: D2-MAC
Video: Line Cut And Rotate on Chroma And Luma
Audio: Encrypted Digital
Smart Card: Yes
Users: FilmNet, TV1000, TV3, Canal Plus.
Hack Status: Hacked
Pirate Cards: Yes
Season Type Programs: Yes
System: Nagravision (Syster)
TV Standard: PAL
Video: Line Shuffle
Audio: Spectrum Inversion
Smart Card: Yes, key shaped rather than conventional card shape.
Users: Premiere, Canal Plus.
Hack Status: Hacked. Only SECAM variant is affected at the moment.
Pirate Cards: No
Season Type Programs: No
System: Luxcrypt
TV Standard: PAL
Video: Frame / Average Peak Level Inversion with synch replacement
Audio: Digital PCM but not used
Smart Card: No. Just a dumb and cheap system.
Users: RTL-4 Veronique
Hack Status: Totally compromised
Pirate Cards: No
Season Type Programs: No
System: B-MAC
TV Standard: B-MAC
Video: Line Delay
Audio: Hard Encrypted with DES like algorithm
Smart Card: No
Users: AFRTS, SIS Racing Channel
Hack Status: Hacked. Cost of decoders / key feeds are a problem.
Pirate Cards: No
Season Type Programs: No
The cynical answer would be that it is only illegal if you get caught. The legal position on hacking varies from country to country. Basically a good rule is that a channel being uplinked from a particular country is probably going to be protected by that country's laws. For example hacking BSkyB in the United Kingdom is illegal under that country's laws. However hacking FilmNet in the UK may not be directly protected under the UK's law. TV1000 on the other hand is partially uplinked from the UK and is therefore protected under UK law even though the pornography transmitted on the channel would not be permitted to be uplinked from the UK. A rather sly sidestep gets around this issue - the hardcore pornography is not uplinked from the UK.
In fact, TV1000 has threatened UK dealers with legal action many times but with few results. The problem of piracy on TV1000 in the UK has reached such a state that taking legal action against one or two dealers would not have any great effect.
Europe is still a multi-copyright area. It is therefore possible for BSkyB and FilmNet to purchase the rights to show the same film. Perhaps in the future, the copyright issue will be worked out and we will have a single copyright area for Europe, but for now we have to cope with the current mess.
To date most of the prosecutions for piracy in the UK have been against people who have been too visible. It is not economically viable for a channel to prosecute every user of a pirate smart card. Instead they will generally concentrate on dealers and distributors.
Of course they may also decide to make an example of an individual pirate card user. The logic of the legal departments of channels is not as predictable as that of their engineering departments.
If you get caught you are unlikely to be able to plead any clever excuse that you may come up with. More importantly, could you afford the expensive legal mouthpiece to argue your case?
The recent European Commission green paper on the legal protection of encrypted services does indicate that there is a growing movement in the European political world to extend the legal protection of channels. This has come about through the lobbying of the afflicted channels who, having been unsuccessful at protecting their services with technology, are now turning to lawyers to protect their channel. This is like using a Band-Aid to fix a slit jugular vein.
However in real terms, the Blackbox market in Europe may well be forced to go underground. Some of the proposals covered, such as making the possession of pirate decoders a criminal offence, are clearly stupid and the product of minds ignorant of the realities of piracy. For any channel it is a battle for hearts and minds, and rather than criminalising a potential subscriber it would be more logical to offer him the option to subscribe when caught.
On 31/10/95 BSkyB switched over to the new 10 card. The fundamental result of this is that ALL season programs and pirate smart cards do not work anymore. As of the time of writing, 05-04-96, a hack has been declared by Megatek, an Irish based company: http://www.iol.ie/~megatek
It is expected that in addition to Megatek, Benedex and a few more of the European battery card dealers will announce their versions within the next few weeks.
The hack pattern for VideoCrypt is that the official card remains more or less secure for the first six months and then a hack appears. The hack, for the system, is of a catastrophic nature. Once it appears, there is a running battle of countermeasure versus counter-countermeasure for the remaining twelve months or so of the card's lifetime.
Pirate smart cards are cards that have been manufactured to hack a channel. They are, in most cases totally different from official smart cards. The majority of these cards are based on the PIC16Cxx series of microcontrollers. Other variations have been seen but the PIC16Cxx cards are the commonest.
Over the past few months, the more expensive end of the market has tended towards the Battery Cards. These cards use the Dallas Semiconductors 5002FP secured microcontroller and are updatable by the card user. It is simply a question of dialing a phone number and getting the set of numbers to punch into the Battery Card.
There is also a trade in what are referred to as Grey Market smart cards. These are official cards that are exported to another country. Generally it is a one for one trade with the broker taking a commission. For example, a BSkyB subscription would be taken out in the UK and a FilmNet subscription would be taken out in Sweden. The cards would then be swapped via a broker. The subscriptions would be kept up to date by both parties. The legal position on this activity is not clear as the channels benefit from the transaction in that they both get subscriptions. It does rely on mutual trust.
Purchasing a pirate card involves risk. There is a probability that the pirate card will be killed in the future. The channels will implement electronic countermeasures to try and kill the pirate cards. Technically speaking, no pirate card can ever be 100% safe. This point has been proven too frequently over the last few months.
The system used by FilmNet Plus and TV1000 (among others) is EuroCrypt-M. This system has been continually hacked since 1992. In terms of value for money, users of EuroCrypt-M pirate smart cards have fared better. This is because the channels have not frequently implemented countermeasures. Of course the recent countermeasure by TV1000 has had a devastating effect. Most of the pirate smart cards have been knocked out.
The VideoCrypt system, as used by BSkyB and the Adult Channel, has been updated more regularly. The present BSkyB card is issue 10 or in technical terms, the 0A card. It is commonly referred to as issue 10 but the reason for the 0A reference is purely technical. In hexadecimal, the number 10 is represented as 0A.
In addition to issuing a new smart card every year or so, BSkyB and News Datacom also implement countermeasures to knock out pirate smart cards. Over the last few months, the time between these countermeasures has only been a few weeks. For about a month preceding the switch to 10, BSkyB was in a transition from issue 09 to 10. Therefore they did not execute that many ECMs during that period. This is because the 10 card only had a simplified version of the 09 algorithm in order to cope during this transition stage.
As a direct result of ECMs such as key changes, many of the pirate cards have had to be sent back to the dealer for upgrade. Some innovative pirates have designed their cards (the Battery Cards) so that they can be upgraded by the customer. The solutions for the countermeasures are recorded as a set of numbers on an answering machine. The customer rings the phone number with the answering machine and gets the update numbers. He then enters them into the pirate card via a key pad. Other solutions such as a modem on the pirate card have also been seen.
In real terms, anyone purchasing a pirate card is taking a risk. The pirate card will eventually be hit by a countermeasure. If it is not, then the channel may issue a new smart card with the consequence that all of the old pirate smart cards will be knocked out.
At the time of writing, NONE of the Season programs are working on channels encrypted with the 10 codes. There have been at least two spoof attempts over the last few months. One of these is named SEASON10.ZIP and is very definitely a fake.
The Season software began life as an attempt by Markus Kuhn and others to watch the final season of Star Trek: TNG. The final season was season 7. As a result, the first working PC program that decoded BSkyB was named SEASON7. The first version of this program appeared in March of 1994. At the time, the current issue of the BSkyB card was Issue 7. Therefore some confusion arose.
The term Omigod (Oh My God!) was also used to describe the programs. Well the preceding hack using the PIC cards was known as the Ho Lee Fook hack! Over the months from March to May 1994, versions for different computers appeared. Many of these were posted on the alt.satellite.tv.europe newsgroup.
On May 18th 1994 BSkyB changed from issue 07 cards to their new issue 09 card. In hacker terms, May 18th is referred to as Dark Wednesday. The 09 card proved harder to hack but a temporary solution appeared in June of that year. It only lasted a few weeks before BSkyB changed codes again. Though some attempts at an issue 09 SEASON hack were made, the change of code by BSkyB stopped it cold. Well at least until just before Christmas.
On Christmas Eve 1994, no less than three versions of the SEASON hack appeared. Two of them worked on the PC and the other one worked on the Apple MAC. Of course BSkyB was paying attention and on January 4th 1995, they implemented a countermeasure that knocked out pirate cards and all of the SEASON hacks. The war between BSkyB and the pirates had recommenced. Updated versions of the SEASON hacks became available. This spiral of countermeasure and update has continued until the present. The issue of the new BSkyB card has changed the situation somewhat. The VideoCrypt SEASON hack is now living on borrowed time.
The algorithm in the 09 card issue is far more complex than the one used in the 07 card. While the 07 algorithm was not really designed to be extremely upgradable, the 09 algorithm is an extremely flexible algorithm. No doubt the 10 card algorithm will build heavily on the lessons of the 09.
At present only The Adult Channel (UK soft porn) and Eurotica (UK Hard Core Porn) are decoded by VideoCrypt SEASON programs. None of the official BSkyB channels will be decoded by any of the SEASON programs available.
At present, there are working versions of the SEASON hacks for the Adult Channel and Eurotica available on almost every European BBS. The most popular of these programs is the Voyager program which also decodes the D2-MAC EuroCrypt-M channels.
There are many ftp and webpages (WWW) where the programs are freely available. There are no known versions that cover VideoCrypt 2. (A hack on JSTV was claimed a few months ago though this was a card based hack rather than a SEASON type hack).
There are many versions of SEASON: Voyager, SEASON, Freeview etc. All of these have stopped working on the BSkyB channels since BSkyB switched to their 10 cards. However in the meantime, these programs are available at all good sites, a few of which are listed below.
FTP:
Note the capital letters and the forward slashes (/). They do make a difference as most of the ftp sites are run on UNIX systems. Unix systems are case sensitive.
The computer has to be connected to the VideoCrypt decoder via an interface. This interface is sometimes referred to as an Omigod or Season interface. It is essentially a simple design that allows the RS232 serial port of the computer to be connected to the TTL levels of the card socket. Most of the versions of the Season software include a text file on the construction details of this interface in a file called ADAPTER.TXT.
Details of the adapter are on Erlangen in the directory:
/pub/multimedia/tvcrypt/cardadapter/
The artwork for making the PCB interface is available in postscript form at:
http://joule.pcl.ox.ac.uk/~mark/sat.html
http://www.paranoia.com/~defiant
Because this software is using the serial port, timing can be critical. Other programs running in the background can interfere with the proper operation of the SEASON program. It is better to run the SEASON programs on PCs that do not have Memory Managers or Serial Device Drivers loaded.
bitftp@wm.gmd.de
ftpmail@ftp.uni-stuttgart.de
ftpmail@grasp.insa.lyon.fr
ftpmail@ieunet.ie
ftpmail@plearn.edu.pl
ftpmail@doc.ic.ac.uk
The files will be returned in a format known as uuencoded. You'll need a uudecoder to make these into useful files. These are widely available for all platforms although if you can't ftp you'll have to work out how to get one. More details on e-mail use of the net are on Super Channel CNBC text page 188.
In the middle of the summer of 1994, there was little success in hacking BSkyB. A program was written in the TV-CRYPT for testing a theory. The theory dealt with the over the air addressing system on VideoCrypt. The question was: "could the presently available knowledge be used to switch on or off a BSkyB card?". At that time, the available knowledge consisted of the fragment of the 09 code that was killed in June and a working knowledge of how BSkyB encoded card numbers in their over the air addressing system. The available knowledge was sufficient.
The computer program written to test the theory was called Phoenix. Since most of the cards experimented upon were Quickstarts that BSkyB had killed, Phoenix, the mythical bird that rises from its own ashes seemed a good name.
Of course the program fell into the hands of commercial pirates. The Phoenix program on its own was useful to switch on the 09 Quickstarts that BSkyB had killed. It was also being used to switch on all channels on a BSkyB card with only the Multichannels subscription. It was a Musketeer hack - all for one and one for all. But that hack name had already been used.
Unfortunately these reactivated cards were only lasting a few days before being killed again by BSkyB. Then when BSkyB increased their kill cycle the cards only lasted a few hours. Some solution had to be found.
The solution lay in a hack of 1992 - the KENtucky Fried Chip. This was a modified version of the smart card - decoder microcontroller in the VideoCrypt decoder. It stopped BSkyB from turning off a card by examining each over the air packet for the identity number of the card in the card socket and stopping such a packet from reaching the smart card. BSkyB could not kill the card because the card never received the kill instruction.
Of course the chip used in the decoder was too expensive and there was a rather large number of redundant PIC16C84 chips available. The first blockers to hit the market had the blocking program in a PIC16C84. They consisted of a card socket, a PIC16C84 and a PCB. The official card, having been activated by the Phoenix program, would then only be used in the blocker. Luckily it was not named the Condom hack.
Of course the popularity of these devices soon meant that individually activating the Quickstart cards with the Phoenix program was taking too much time. The solution was to incorporate the Phoenix routines in the PIC16C84. These new blockers were more successful. Over the months from August to November, they were given a bewildering array of names; Genesis, SunBlocker, Sh*tblocker, Exodus.
Naturally BSkyB were a little upset with this resurrection of their dead cards. Their response, at first, was purely technical. Later in 1994, they took legal action in the UK against some people supplying blockers.
There was more to the VideoCrypt 09 smart card than people realised. The most important aspect was that BSkyB could actually write to the card. The instructions for doing this were carried in the same packets that carried the activation and deactivation instructions.
The blockers only looked for the specific identity number of the card in the card socket. As long as that identity number did not appear in the packet, it was let straight through to the card. BSkyB had managed to knock out a number of cards while they were in the blockers.
Some of these countermeasures were reversible in that the card itself was not completely dead. One of BSkyB's countermeasures did actually hit the card in a manner that effectively locked it. At that point, the blockers were becoming irrelevant - there were working pirate smart cards for VideoCrypt.
The Phoenix program, in various guises, still works. Of course some of the newer smart cards from BSkyB have been found to be resistant to being activated with Phoenix.
At present there is some PIC source code that has been labeled 10BLOCK.ZIP. It is believed that this is not actually the code for a 10 Blocker but merely 09 Blocker code that does not work on 10. Using this code in the hope that it would stop a 10 card being killed is dangerous to say the least.
The simple answer is yes. The original program was called MACcess. There are now a number of variants available. The most widely used variant is the Voyager program from William Jansen and ToySoft. This initially started out as a VideoCrypt program but MAC capability was added. Others such as Whopper and Minimac have also appeared.
The original author of the MACcess program did not update it due to the sheer abuse of the program. The comments from a few ungrateful idiots wanting the new version and at the same time insulting the original author for not supporting the program irritated not only the author but many hackers as well.
The EuroCrypt-M system is DES based. In an ironic way the system's greatest strength was its greatest weakness. Again the progression from pirate smart card to computer program was apparent.
There is no OMIGOD program for hacking Nagra. What occurred was that some JAFA from the English consumer publication, "What Satellite" heard about a program for monitoring the Nagra card-decoder communications and ignorantly assumed that it was an OMIGOD hack.
There are reports from reliable sources that the Nagra Syster system has been hacked. At present the hack only affects the SECAM version of the system. The pirate device is a decoder rather than a smart card and is based on a 68HC11 and a MACH130. It ascertains the shuffle sequence rather than hacking the datastream.
The system has been hacked after five years of operational use without any real marketable hack. This is something of a record for a scrambling system in Europe.
Basically the SECAM based hack will determine the shuffle sequence and will then reassemble the video in the proper order. It has been pointed out that a key change may nuke this hack.
Since late April 1995, there has been no security on the PIC16C84 microcontrollers. This is ironic because this microcontroller formed the backbone of the European piracy business. In late April, the information on popping (extracting the protected contents of the chip's memory) the PIC16C84 was published in a USENET newsgroup. An article on this can be found on the following webpages:
http://www.hackwatch.com/~kooltek/picbust.html
http://www.iol.ie/~kooltek/picbust.html
As a result of this information being published on the USENET, everybody found out how to pop the PIC. All the code for the D2-MAC hacks and the BSkyB hacks was laid bare.
The source code for the PIC based D2-MAC cards is widely available on the net. The following WWW pages have D2-MAC code:
http://www.paranoia.com/~defiant
A number of designs of DIY smart cards for VideoCrypt appeared during the lifetime of the 09 card. With the switch to 10, most of these became redundant unless the software could be converted for D2-MAC. As soon as we establish which ones are converted or are in the process of being converted, we will list them in this FAQ.
Over the past few months, various programs have appeared purporting to be hacks on the BSkyB 10 card. One notable program was the SATHACK.EXE program. These programs did not work. Indeed the SATHACK.EXE had the Answer To Reset string of a 07 issue pirate card.
Given the complexity of the BSkyB 10 card, a SEASON type hack would be difficult but not impossible. The BSkyB 10 card has two chips; an Application Specific Integrated Circuit (ASIC) and a Siemens 8051 smart card microcontroller. The microcontroller has been popped and the ASIC has been reverse-engineered. It is the ASIC that has caused the delay in a hack getting to the market.
A SEASON10 type hack would have to successfully emulate the ASIC in software in addition to emulating the smart card microcontroller. To call this difficult would be an understatement.
The pattern of the SEASON hacks in the past was trickle-down. The commercial hackers would hack the smart card and then after a few months, the code would be released to the hobbyists either by design or by mistake. The hobbyists would then develop the SEASON type hacks.
There are some products being marketed as BSkyB 10 Blockers. Some are matched to the card inserted. Given the past experience of Phoenix and Blockers, it is not likely that these devices will completely, if at all, protect the cards inserted.
Some of these devices may be based on a Replay Hack. This is where the turn-on packet for the card is recorded and then when the card is knocked out, the card is re-authorised using the recorded packet. Of course such a hack could only be guaranteed to work for one month. After that the date code changes. In the 09, the card program was designed not to respond to an earlier dated packet. This may also be the case with the 10 card.
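The date-code check described above, as an added illustration rather than code from this FAQ or from any card: a model card applies authorisation packets and refuses any packet dated earlier than the last one it accepted, which is exactly what makes a recorded turn-on packet useless once the date code has moved on. The packet layout, field names, card number and the date-code encoding (a monthly counter) are constructed assumptions.

```python
"""Card-side handling of recorded (replayed) authorisation packets.

Added illustration only. The packet layout, field names and date-code
encoding are constructed assumptions; the one behaviour taken from the
text is that the card does not act on a packet carrying an earlier date
code than one it has already accepted.
"""
from dataclasses import dataclass, field

CARD_ID = 0x12345678       # constructed card number


@dataclass(frozen=True)
class AuthPacket:
    card_id: int
    date_code: int         # constructed: monthly counter, rises by one a month
    channels: int          # constructed: bit mask of authorised channels


@dataclass
class CardState:
    card_id: int
    last_date_code: int = 0
    channels: int = 0
    log: list = field(default_factory=list)

    def handle(self, pkt: AuthPacket) -> bool:
        """Apply one over-the-air packet; return True if it was accepted."""
        if pkt.card_id != self.card_id:
            self.log.append("ignored: packet addressed to another card")
            return False
        if pkt.date_code < self.last_date_code:
            # The anti-replay check: a packet from an earlier month is stale.
            self.log.append(f"rejected: date {pkt.date_code:#x} older than "
                            f"{self.last_date_code:#x}")
            return False
        self.last_date_code = pkt.date_code
        self.channels = pkt.channels
        self.log.append(f"accepted: date {pkt.date_code:#x}, "
                        f"channels {pkt.channels:#06b}")
        return True

    def is_on(self) -> bool:
        return self.channels != 0


def replay_scenario():
    """Month 0x20: turn-on recorded, card killed, recording replayed (works).
    Month 0x21: card killed again, recording replayed (rejected)."""
    card = CardState(card_id=CARD_ID)
    turn_on = AuthPacket(CARD_ID, date_code=0x20, channels=0b1111)
    kill_now = AuthPacket(CARD_ID, date_code=0x20, channels=0)
    kill_next = AuthPacket(CARD_ID, date_code=0x21, channels=0)
    other = AuthPacket(CARD_ID + 1, date_code=0x21, channels=0b1111)
    results = {}
    results["turn_on"] = card.handle(turn_on) and card.is_on()
    results["killed"] = card.handle(kill_now) and not card.is_on()
    results["replay_same_month"] = card.handle(turn_on) and card.is_on()
    results["killed_next_month"] = card.handle(kill_next) and not card.is_on()
    results["replay_after_date_change"] = card.handle(turn_on) or card.is_on()
    results["other_card_ignored"] = not card.handle(other) and not card.is_on()
    return results, card.log


if __name__ == "__main__":
    outcome, log = replay_scenario()
    for step, ok in outcome.items():
        print(f"{step:28s} {ok}")
    print("\n".join(log))
```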
Given the fact that the ASIC in the BSkyB 10 card allows for some really nasty encryption to be applied to the authorisation packets, a BSkyB 10 Blocker would not be reliable. This coupled with the fact that official 10 cards are now a lot more difficult to obtain means that a hack on the scale of the original Phoenix/Genesis blocker hack is unlikely. Well, not unless BSkyB start another QuickStart scheme and another backdoor like the Sam Chisum PPV hack is found.
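The date-code rule behind the one-month limit on a replay hack, as an added illustration and not code from the 09 or 10 cards: a hypothetical card state that accepts an authorisation packet only if its date code is not older than the last one it accepted. The packet layout, the YYMM date values, the channel bitmap and the function names are all constructed for this example; the encryption the ASIC applies to the real packets is outside it and is assumed to have already been checked before the packet reaches this logic.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical authorisation packet, constructed for this example.
 * The real 09/10 packet layouts are not reproduced here; all the replay
 * argument needs is that each packet carries a date code. */
typedef struct {
    uint16_t date_code;  /* month counter in YYMM form, e.g. 9603 (constructed) */
    uint8_t  channels;   /* bitmap of authorised channels; 0 = card knocked out */
} auth_packet_t;

/* Card state that would be held in EEPROM on a real card. */
typedef struct {
    uint16_t last_date_code;  /* highest date code accepted so far */
    uint8_t  channels;        /* current entitlement bitmap */
} card_state_t;

typedef enum {
    AUTH_ACCEPTED,
    AUTH_REJECTED_STALE   /* packet dated earlier than the last accepted one */
} auth_result_t;

/* Apply a packet that has already passed whatever authenticity check the
 * card performs (assumed, not shown). A packet dated earlier than the last
 * accepted one is ignored, so a recorded turn-on packet stops working once
 * the date code moves on. Packets carrying the current date code are still
 * accepted, which is why a replay can only be guaranteed for one month. */
auth_result_t apply_auth_packet(card_state_t *card, const auth_packet_t *pkt)
{
    if (pkt->date_code < card->last_date_code)
        return AUTH_REJECTED_STALE;
    card->last_date_code = pkt->date_code;
    card->channels = pkt->channels;
    return AUTH_ACCEPTED;
}

/* Scenario 1: this month's turn-on packet is recorded, the card is knocked
 * out in the same month, and the recording is replayed.
 * Returns true if the replay restored the entitlements. */
bool replay_within_same_month(void)
{
    card_state_t card = { 0, 0 };
    const auth_packet_t turn_on   = { 9603, 0x0F };  /* constructed values */
    const auth_packet_t knock_out = { 9603, 0x00 };

    apply_auth_packet(&card, &turn_on);    /* packet the blocker recorded */
    apply_auth_packet(&card, &knock_out);  /* broadcaster switches the card off */
    apply_auth_packet(&card, &turn_on);    /* recording replayed to the card */
    return card.channels == 0x0F;
}

/* Scenario 2: same recording, but the knock-out arrives after the date
 * code has changed. Returns true if the replay restored the entitlements. */
bool replay_after_date_change(void)
{
    card_state_t card = { 0, 0 };
    const auth_packet_t turn_on   = { 9603, 0x0F };
    const auth_packet_t knock_out = { 9604, 0x00 };  /* next month's date code */

    apply_auth_packet(&card, &turn_on);
    apply_auth_packet(&card, &knock_out);
    auth_result_t r = apply_auth_packet(&card, &turn_on);
    return r == AUTH_ACCEPTED && card.channels == 0x0F;
}

int main(void)
{
    /* Exit 0 when the model matches the text: replay works inside the
     * month, and fails once the date code has advanced. */
    return (replay_within_same_month() && !replay_after_date_change()) ? 0 : 1;
}
```

The comparison is deliberately "not older than" rather than "strictly newer": the card has to keep accepting the current month's packets after its first one, so the replay window is the remainder of the month, exactly the limit the text gives for a blocker based on a recorded packet.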
The internet is often the source of some amazing stories and rumours. It appears that "What Satellite" has fallen victim to one of the oldest ones. The story in question was the Pentium based video only hack on VideoCrypt.
According to "What Satellite", the hack was based on a Pentium chip that decoded the scrambled VideoCrypt signal in real time. The contradictions in the story were rife. The hack was apparently a stand-alone hack that was housed on a daughter-board that could be fixed inside IRDs. If it was a stand-alone hack then why was it referred to as a daughter-board? Stand-alone hacks are just that - stand-alone. They have their own cases.
Other more apparent mistakes slipped by unnoticed. The hack was said to be able, "by sheer dint of processing power", to reconstruct the scrambled picture at a rate of 50 frames per second. This was what What Satellite called normal video quality. Unfortunately, the normal video rates in PAL625 are 50 fields per second or 25 frames per second. This fictional hack was running at twice normal frame rate. Either that or "What Satellite" had just proven that in order to write about technology you should at least understand technology.
It seems that someone at "What Satellite" had read a few messages on the Usenet newsgroups discussing such a hack. This topic of a processor based attack on VideoCrypt rears its head every few months. As the internet and usenet get more popular, it is not unusual to see the same questions being asked a few times each month.
The main problem with this hack is that it requires a lot of digital signal processing. Using a Pentium to carry out the calculations might, on the surface, seem attractive but there are other chips that are better suited. These chips are Digital Signal Processors.
There was a processor based hack on VideoCrypt a few years ago. The hack, carried out by Markus Kuhn, used a rather expensive computer to reassemble the scrambled video. The processing power used was far in excess of that available from a Pentium and it was not completely real-time.
The source code for a test of this type of hack is readily available on the internet and on various BBSes. A sampled scrambled picture is included. It does take a few minutes to decode even on a relatively fast computer.
One factor that "What Satellite" seems to have overlooked is the cost of this fictional hack. A fast Pentium, with motherboard, RAM and interface would be in the region of L1000 or so. This would definitely not be an economical hack. One of the first rules of piracy is that you have got to be able to sell the hack. It would be difficult to envisage anyone desperate enough to waste L1000 on watching BSkyB.
A number of people are working on DSP experiments with VideoCrypt. One hack used four DSPs to decode but the hack crashed every few minutes. The primary reason was that the screen fades and single colour backgrounds are hard to analyse successfully.
For those interested, it was the February 1996 issue of the magazine that carried the article, not the April issue!
Delayed Data Transfer was a hack that was created in the period between the hacks for BSkyB 07 and BSkyB 09. Basically it was a case of continuing to watch the VideoCrypt encoded channels using the Season type interface and a video recorder.
The hack was elegant in execution. The hacker would record the scrambled version of the programme off-air. Then when the programme was over, he would download a VCL file from a BBS or internet site. The VCL file is a data recording of the valid card answers for the particular programme. It was then a question of rewinding the tape and playing back the scrambled programme through the video recorder. The VCL file would be fed to the decoder via the Season interface. The programme would be decoded as if there was an officially authorised smart card in the decoder's card slot. The video quality was not brilliant but the hack works.
BSkyB replayed the Bruno Vs Tyson Fight a few times over the 17th of March. Each time they replayed it, it was only available to PPV viewers. Any subscriber who had paid for it once was able to watch any of these replays.
Of course it also meant that a VCL file created on the first play at 0400 Hrs and uploaded to an internet site or BBS voided the subsequent replays.
The reason the subsequent replays of the event were void is that the VCL file would already exist; rather than paying for the event, it would be a case of recording the scrambled event and then using the VCL.
The use of VCL files is a direct assault on BSkyB's PPV mechanism. There is a large base of hackers with Season interfaces and VCL files for various programmes on Sky One and the movie channels have been seen on internet FTP sites and BBSes throughout Europe.
To date most of the VCL files have appeared on internet sites and BBSes outside of the UK jurisdiction. While posting such a file inside the UK may be an offence under UK law, the situation changes when the site is outside the UK. It is conceivable that the VCL files could be posted on to a Usenet newsgroup via an anonymous remailer. It would be extremely difficult for BSkyB to stop such messages getting through other than by issuing control messages to cancel them or by threatening internet service providers who allow access to newsgroups carrying these messages. The chances are that BSkyB will try to play down the effects by saying that they are negligible. In the meantime, the PPV events may well have thousands of extra viewers.
The legal position of this is untested. The blockers and pirate cards were covered under UK law and even then BSkyB could not successfully prosecute all of those using and distributing these devices. It is difficult to decide if this counter-piracy failure was due to the sheer numbers of users and sellers or just plain cluelessness.
The terms and conditions for the PPV event mention that any part of the transmission may not be reused or redistributed. Therefore it could be argued that distributing the VCL file would be a breach of the conditions. However it would still not stop the VCLs being distributed.
Moving against the redistribution of the VCL files would be counterproductive for BSkyB. They would be drawing attention to the gaping wound in their PPV system and even the clueless media analysts may take notice.
At present, the only users of the DDT hack are outside the UK and Ireland and are unable to get a legitimate subscription to the BSkyB channels. It has been mentioned that most of the current users of VCL files do so only to watch a few specific programmes rather than the complete schedule. Therefore the threat of such a hack to BSkyB could be considered minimal.
Other factors come into play as well. Some VCRs do not reliably record the scrambled picture and data. Most VideoCrypt decoders are now integrated with the receivers (IRDs) and stand-alone VideoCrypt decoders are becoming rare. This means that a hardware modification is necessary to use the DDT hack.
The original PPV implementation in VideoCrypt depended heavily on the 8052 microcontroller in the decoder. This was not a good thing as the code from this microcontroller was easily extracted. It was a token based system where a token would be deducted from a reservoir in the card when the subscriber pressed the Authorise button. This implementation was compromised and it forced News Datacom to implement a pseudo-channel based system.
Each event is assigned its own channel identification. A subscriber wishing to view the event would have to ring BSkyB and request that his card is authorised for the event. The subscriber's card ID would then be added to the turn-on list transmitted on the event channel. Once the card is authorised, the On-Screen-Graphics will display "EVENTS PAID 66".
If the Bruno-Tyson fight is anything to go by, each PPV event will be repeated at various times in the day. An authorised card will decode any of these repeat showings. Of course by the time of the second showing, the VCL file will probably be available thereby compromising the PPV security.
The compromise to the PPV security comes from the fact that the PPV program can be recorded and the VCL file can be reused. This means that the PPV transport is compromised.
In addition to the DDT hack, the PPV event was compromised by means of a Phoenix hack that upgraded existing Sky cards to receive the PPV event. It appeared as a message posted on the internet and some dial-up BBSes early on Saturday 16-03-96. The message is reproduced below:
--------
send this header to your card via a season interface followed by the bytes below
53 86 01 00 2D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 00 00 00 00 00 db fd f0 b7
and your card will gain the credits for the Tyson Fight I don't know about cards that are turned off but they gain the events anyway
Sam Chisum.
Important: please distribute this file as quick as possible can somebody put it on Paranoia.
--------
By midday on Saturday, the above string had been incorporated into a number of Phoenix programs which were posted on to various BBSes, WWW sites and also into the main usenet newsgroups. The commonest one in circulation was FREETYSO.ZIP.
In order to use the program it was necessary to have a Phoenix/Season interface capable of activating Sky cards. A lot of these are still in circulation and are currently used for the D2-MAC emulators.
Megatek, an Irish company, have announced that they will be shipping their upgrade for their battery card. Their main product is a battery card which since 31-10-95 decoded only the D2-MAC channels.
The upgrade to their battery card consists of an additional board carrying the ASIC emulation and a reprogramming of the battery card's main memory. As a result the card will not have enough memory to include the routines to decode the D2-MAC channels. In lieu, Megatek are offering a free wafer card (reprogrammed Sky 09 card?) to decode these channels as part of the upgrade.
The details and costings are available on Megatek's WWW page at:
Other dealers are expected to announce upgrades within the next few weeks. Benedex claimed that they will market a wafer card version for 139 UK Pounds.
This time, the hack on the Sky card is more complex. It requires an additional ASIC emulator which Megatek have, in their design, named the Skylark chip. Other battery card implementations will have similar ASIC emulators.
This does tend to initially reduce the likelihood of a SEASON hack appearing in the immediate future unless it is possible to emulate the ASIC in software.
A possible alternative to a free SEASON program would be a commercialised SEASON whereby the user would be able to obtain the SEASON program freely on the Internet or the BBSes but they would have to purchase a SEASON interface with an integrated ASIC emulator. However the dealers would probably make more of a profit from the sale of battery cards than a modified SEASON interface.
At the moment there are a number of WWW sites advertising Phoenixed 10 cards. These are Sky 10 cards that have been activated with all channels.
These cards are legitimate Sky 10 cards that have had their card numbers changed to that of a master card number. As long as the master card's subscription remains current and it is not detected as a clone master card subscription, then the clone cards will work.
However in recent days, there have been reports that some of these cards have been shut off.
The Digital Satellite System as used in the USA is a digital television system. The encryption overlay was supplied by News Datacom and it is this aspect that has been hacked. This will come as no surprise to Europeans who are more than familiar with News Datacom's record with the VideoCrypt system.
Basically the DSS implementation is a more complex version of VideoCrypt that has a fully functional Pay Per View aspect. The IRD has a second level of security in that it has an internal modem. This modem is used in the PPV implementation.
The initial form of piracy on DSS was Grey Market. At the moment, DSS is only legitimately available in the USA. Canada, Mexico and the Caribbean islands are therefore de-facto Grey Market areas.
People in these Grey Market areas purchased their IRDs and smart cards in the USA and shipped them out of the USA. IRDs are currently on sale in the Grey Market areas through satellite television dealers.
The PPV of course did cause some problems for these areas. The solution was a call spoofer. This device enabled a call from the IRD in a Grey Market area to appear like it originated inside the USA.
The second phase piracy, an actual hack on the smart card, entered the market in the last quarter of 1995. This was a pirate card based on the Dallas 5002FP but unlike the European version, it did not have a keypad.
A sequence of ECMs was implemented by News Datacom and DSS. They have succeeded in knocking out the pirate cards for at most a few days. It does however look like the situation is beginning to resemble the last days of the 09 Sky card in Europe where ECM was matched against ECCM.
There are currently two pirate DSS cards in the market with a third rumoured to be entering the market soon. The original pirate card is a Dallas 5002FP based card. The second card is based on the Dallas 5000.
The DSS card is based on the 6805 architecture used on the 09 Sky cards. It is using a 38K4 baud rate for the card - decoder link. In this respect it is similar to the VideoCrypt 2 card which also uses a 38K4 link. The VideoCrypt 1 card uses a 9600 Baud link.
It is believed that the packet structure of the card - decoder traffic on DSS is similar to that of the VideoCrypt system. Unfortunately there are no data logs available for comparison at the moment. It should be relatively easy to modify the source code of some of the SEASON programs to cope with the higher baud rate and then to passively monitor the card - decoder traffic.
The best site for details on the American situation is:
This site also carries information on the hacks and scams operating in the American market and a wide range of publications dealing with Cable Hacking.
The TV-CRYPT is a closed mailing list. It was set up to enable the discussion of the methods and technology of TV scrambling systems. It is more of a forum for the exchange of ideas than anything else.
Contrary to popular belief, it is not a private means of distributing the most recent copies of software for hacking BSkyB, FilmNet or TV1000. Neither is it an "elite" group of super hackers whose sole intent is to hack channels just to watch the movies.
It is a "by invitation only" list. If you can demonstrate a knowledge of scrambling systems through your posts here in the newsgroup, then you may be invited to join.
Obviously the new developments will be listed in further versions of this FAQ. Since this FAQ will be posted every few weeks from now on, it should be a fairly good source of information.
The de-facto standard text on encryption and scrambling systems is John Mc Cormac's Black Book. Version 5 of the book is currently in production and will be available in May. This will be a major revision and there is the probability that the previous versions will officially be released as electronic texts in the next two months.
European Scrambling Systems - Black Book 5
ISBN 1-873556-22-5
Waterford University Press
MC2 (Publications Division)
22 Viewmount
Waterford
Ireland
Voice: +353-51-73640 (After 1400 Hrs GMT)
Fax +353-51-73640
BBS +353-51-50143
e-mail jmcc@hackwatch.com
The first rule is that there are no hard and fast rules. There are, however, some protocols designed to reduce the risk of incineration.
The newsgroups alt.satellite.tv.europe and alt.satellite.tv.crypt are the groups where overt discussion of scrambling systems and attacks on scrambling systems are considered worthy topics. Posting of chain letter get-rich-quick schemes is frowned upon and can draw retaliation.
The standard European satellite television newsgroup, alt.satellite.tv.europe, split into two to cope with the increasing traffic on hacking swamping the existing satellite discussions. The first, rec.video.satellite.europe, became part of the REC hierarchy. This is the proper group for discussion of general European satellite television topics. Please do not post messages asking for the latest hack on the R.V.S.E group. The second group became alt.satellite.tv.crypt.
The alt.satellite.tv.crypt newsgroup is where the discussion of scrambling systems and hacking is meant to be conducted. It started out as a European group but there are many non-European readers. The alt.satellite.tv.europe group was supposed to be phased out but this does not seem to have happened yet.
Please bear in mind that some people have to pay to download the newsgroups. In the past few months there have been a few flame wars about posting UUENCODED binaries into the alt.satellite.tv.crypt and alt.satellite.tv.europe groups. The argument on this is that the procedure is now to upload any file to a popular ftp site and announce that it is available there rather than posting it as a UUENCODED message.
Advertising of devices on the newsgroups is another subject that draws strong reactions. It is unfortunately now a fact of life. If you have to advertise, then observe the standard Usenet protocol of including the word AD or ADVERT in the subject line. Only post to the groups where relevant. If you are posting an advert for a device with European usage do not post in the US satellite newsgroups.
A number of recent advert posts in the alt.satellite.* groups have omitted the word AD and ADVERT from the subject heading. There have also been incidences of a European advertiser posting his adverts for equipment intended for the European market on the American rec.video.satellite.dbs and rec.video.satellite.tvro groups.
In many European countries there are complex legal rules regarding "goods to be used for criminal purpose". If we keep the discussion at an 'educational' level, for personal use the group should attract much less attention. There is also a grey area of the law that is presently untested. This surrounds the possible prosecution of Internet service providers because of material they carry. If the newsgroup becomes a source of software for hacking pay TV you may find your site removes it, just as some providers strip the alt.binaries.pictures.erotica groups.
Apart from trying to keep on-topic for the newsgroup you are posting to, try to refrain from excessive crossposting of articles. This is essential if you are going to comment on a spam message, as sometimes the posting software will post your comment to all the groups affected by the spam message in the first place.
John McCormac (jmcc@hackwatch.com)
Knut Vikor (knut.vikor@smi.uib.no)
Martyn Williams (martyn@euro.demon.co.uk)
Rene Vreeman (renev@intouch.nl)
Linus Surguy (lis@mfltd.co.uk)
Brian McIlwrath (bkm@starlink.rutherford.ac.uk)
Maintained By: John McCormac (jmcc@hackwatch.com)
Please send any corrections to faqman@hackwatch.com with the subject ERROR or CORRECTION.