/**************************/ /* A Guide to Porno Boxes */ /* by Carl Corey */ /**************************/ Keeping with tradition, and seeing that this is the first article in Phrack on cable TV descrambling, any illegal box for use in descrambling cable television signals is now known as a PORNO BOX. There are many methods that cable companies use to insure that you get what you pay for - and _only_ what you pay for. Of course, there are always methods to get 'more than you pay for'. This file will discuss the most important aspects of these methods, with pointers to more detailed information, including schematics and resellers of equipment. Part I. How the cable company keeps you from getting signals A brief history ---Older Systems--- Most scrambling methods are, in theory, simple. The original method used to block out signals was the trap method. All traps remove signals that are sent from the CATV head end (the CATV company's station). The first method, which is rarely used anymore was the negative trap. Basically, every point where the line was dropped had these traps, which removed the pay stations from your signal. If you decided to add a pay station, the company would come out and remove the trap. This method was pretty secure - you would provide physical evidence of tampering if you climbed the pole to remove them or alter them (sticking a pin through them seemed to work randomly, but could affect other channels, as it shifts the frequency the trap removes.) This was a very secure system, but did not allow for PPV or other services, and required a lot of physical labor (pole-climbers aren't cheap). The only places this is used anymore is in an old apartment building, as one trip can service several programming changes. Look for a big gray box in the basement with a lot of coax going out. If you are going to give yourself free service, give some random others free service to hide the trail. The next method used was termed a positive trap. With this method, the cable company sends a _very_ strong signal above the real signal. A tuner sees the strong signal, and locks onto the 'garbage' signal. A loud beeping and static lines would show up on the set. For the CATV company to enable a station, they put a 'positive' trap on the line, which (despite the name) removes the garbage signal. Many text files have been around on how to descramble this method (overlooking the obvious, buying a (cheap) notch filter), ranging from making a crude variable trap, to adding wires to the cable signal randomly to remove the signal. This system is hardly used anymore, as you could just put a trap inside your house, which wouldn't be noticed outside the house. ---Current Systems--- The next advent in technology was the box. The discussion of different boxes follows, but there is one rather new technology which should be discussed with the traps. The addressable trap is the CATV's dream. It combines the best features of the negative trap (very difficult to tamper with without leaving evidence) with features of addressable boxes (no lineman needs to go out to add a service, computers can process Pay Per View or other services). Basically, a 'smart trap' sits on the pole and removes signals at will. Many systems require a small amp inside the house, which the cable company uses to make sure that you don't hook up more than one TV. I believe that the new CATV act makes this illegal, and that a customer does not have to pay for any extra sets (which do not need equipment) in the house. Of course, we all know that the cable TV company will do whatever it wants until it is threatened with lawsuits. Cable boxes use many different methods of descrambling. Most are not in use anymore, with a few still around, and a few around the corner in the future. The big thing to remember is sync suppression. This method is how the cable companies make the picture look like a really fucked up, waving Dali painting. Presently the most popular method is the Tri-mode In-band Sync suppression. The sync signal is suppressed by 0, 6, or 10 dB. The sync can be changed randomly once per field, and the information necessary for the box to rebuild a sync signal. This very common system is discussed in Radio-Electronics magazine in the 2/87 issue. There are schematics and much more detailed theory than is provided here. The other common method currently used is SSAVI, which is most common on Zenith boxes. It stands for Sync Suppression And Video Inversion. In addition to sync suppression, it uses video inversion to also 'scramble' the video. There is no sync signal transmitted separately (or reference signal to tell the box how to de-scramble) as the first 26 lines (blank, above the picture) are not de-synched, and can be re-synched with a phased lock loop - giving sync to the whole field. The data on inversion is sent somewhere in the 20 or 21st line, which is outside of the screen. Audio can be scrambled too, but it is actually just moved to a different frequency. Radio Electronics August 92 on has circuits and other info in the Drawing Board column. ---Future Systems- For Pioneer, the future is now. The system the new Pioneers use is patented and Pioneer doesn't want you to know how it works. From the patent, it appears to use combinations of in-band, out-band, and keys (also sending false keys) to scramble and relay info necessary to descramble. These boxes are damn slick. The relevant patents are US #5,113,411 and US #4,149,158 if you care to look. There is not much information to be gained from them. Look for future updates to this article with info on the system if I can find any :) Other systems are the VideoCipher + (used on satellites now - this is scary shit.) It uses DES-encrypted audio. DigiCable and DigiCipher are similar, with Digi encrypting the video with DES also (yikes)... And they all use changing keys and other methods. Oak Sigma converters use similar methods which are available now on cable. (digital encryption of audio, etc...) Part II. How the cable company catches you getting those signals There are many methods the CATV company can use to catch you, or at least keep you from using certain methods. Market Code: Almost _all_ addressable decoders now use a market code. This is part of the serial number (which is used for pay per view addressing) which decodes to a general geographic region. Most boxes contain code which tell it to shut down if it receives a code (which can be going to any box on the cable system) which is from a different market area. So if you buy a converter that is say, market-coded for Los Angeles, you won't be able to use it in New York. Bullets: The bullet is a shut down code like above - it will make your box say 'bAh' and die. The method used most is for the head end to send messages to every box they know of saying 'ignore the next shutdown message' ... and once every (legit) box has this info, it sends the bullet. The only boxes that actually process the bullet are ones which the CATV system doesn't know about. P.S. Don't call the cable company and complain about cable if you are using an illegal converter - and be sure to warn anyone you live with about calling the CATV co. also. Leak Detection: The FCC forces all cable companies to drive around and look for leaks - any poor splice jobs (wiring your house from a neighbors without sealing it up nice) and some descramblers will emit RF. So while the CATV is looking for the leaks, they may catch you. Free T-Shirts: The cable company can, with most boxes, tell the box to display a different signal. So they can tell every box they know of (the legit box pool) to display a commercial on another channel, while the pirate boxes get this real cool ad with an 1800 number for free t-shirts... you call, you get busted. This is mostly done during PPV boxing or other events which are paid for - as the company knows exactly who should get that signal, and can catch even legit boxes which are modified to receive the fight. Your Pals: Programs like "Turn in a cable pirate and get $100" let you know who your friends _really_ are. Part III: How to get away with it. I get a lot of questions about opening a box that you own. This is not a good idea. Most, if not ALL boxes today have a tamper sensor. If you open the box, you break a tab, flip a switch, etc... This disables the box and leaves a nice piece of evidence for the CATV co. to show that you played with it. I also have had questions about the old "unplug the box when it is enabled, then plug it back in later"... The CATV company periodically sends a signal to update all the boxes to where they should be. If you want to do this, you'll need to find out where the CATV sends the address information, and then you need to trap it out of the signal. So as soon as the fraudulent customer (let's call him Chris) sees his box get the signal to receive the PPV porn channel, he installs the trap and now his box will never get any pay per view signals again... but he'll always have whatever he was viewing at the time he put the trap in. Big problem here is that most _newer_ systems also tell the box how long it can descramble that channel - i.e. "Watch SPICE until I tell you not to, or 3 hours have passed"... Where to make/buy/get porno boxes: You can order a box which has been modified not to accept bullets. This method is pretty expensive. You can also get a 'pan' descrambler - it is a separate piece that takes whatever goes in on channel 3 (or 2 or 4) and descrambles it. These boxes can't be killed by the bullets, and work pretty well. There are some pans which are made by the same company as your cable box and are sensitive to bullets, so beware. There are two basic ideas for modifying a box (provided you get detailed instructions on how to get it open, or how to fix it once you open it). You can change the S/N to something which is known as 'universal' or disassemble the code and remove the jump to the shutdown code. The universal codes are rare, and may be extinct. Besides, if the cable company finds out your code, they can nuke it. This happens when someone who makes (err made) 'universal' chips gets busted. The modification of the actual code is the best way to do it, just forcing a positive response to permission checks is the easiest way. A 'cube' is not a NeXT, it's a device which removes the data signal from the cable line, and inserts a 'nice' data signal which tells your box to turn everything on. A 'destructive' cube actually re-programs all the boxes below it to a new serial number and gives that number full privileges, while a 'non-destructive' cube needs to know your boxes serial number, so it can tell your box (without modifications) that it can view everything. You have to get a new IC if you change boxes, but the plus is that you can remove the cube and the box functions as normal. Then again, you have to trust the place you are ordering the cube from to not be working for the cable company, as you have to give them your box serial number - which the CATV cable has in their records. Cubes have been seen for sale in the back of Electronics Now (formerly Radio Electronics). Of course, you could check in the above mentioned articles and build circuitry, it would be a lot cheaper. The only problem is that you have to be good enough not to fuck it up - TV signals are very easy to fuck up. Then there is the HOLY GRAIL. Most scrambling systems mess with the sync pulse. This pulse is followed by the colorburst signal on NTSC video. Basically, the grail finds the colorburst and uses it as a reference signal. In theory, it works wonderfully (but does not fix the video inversion problems found on SSAVI systems). However, with the sync pulse whacked, the colorburst method may give weak color or color shifts. The schematics are in the May 1990 Radio-Electronics. I have also received email from aa570@cleveland.Freenet.Edu about his colorburst kit, which is a modified (supposedly higher quality) version of the R-E schematics. The schematic and parts list is 5 bucks, 16 bucks for a pre-drilled and etched board. A little steep, but not too bad. E-mail the above for more information. Anyway, that's all for now. Remember, information (including XXX movies) wants to be free! Carl Corey / dEs