FAQ - European Scrambling Systems - 2.0

=========================== Last Update: 25-01-97 ===========================

Contents Of FAQ

0.0 Disclaimer / Explanation

1.0 The focus of this FAQ

2.0 Hacking Pay TV

3.0 Finding out more

4.0 Netiquette On The Newsgroups

5.0 Credits


0.0 Disclaimer / Explanation:

Please read the following carefully:

This FAQ is provided for educational purposes only and will be posted approximately every month in alt.satellite.tv.crypt. The section headers will be posted in alt.satellite.tv.europe, rec.video.satellite.europe, rec.video.satellite.dbs every month.

Updated versions of this FAQ will be posted on:
http://web.hackwatch.com/faq.html
http://www.iol.ie/~kooltek/faq.html

And of course on all good websites and BBSes. Any interim developments and other news that will eventually make it into the FAQ as a section will be posted on:

http://web.hackwatch.com/news.html

What you do with the information herein is your business. The contributors to this FAQ do not necessarily condone the illegal use of the devices or programs mentioned here. The contributors to this FAQ are in no way liable for any damage to equipment, revenue, or sanity as a result of the use or misuse of this information.

Permission is granted for the reposting of this document and the news document on any BBS, FTP site, WWW site as long as the complete *UNMODIFIED* document is posted. Addition of HTML tags to facilitate WWW posting is allowed. The copyright of this document rests with the contributors.


1.0 The Focus Of This FAQ

This is a FAQ for the European area. It covers European scrambling systems as opposed to the American systems. The hacks mentioned refer to European hacks. It is common to refer to the VideoCipher II system as VC2. However VC1 and VC2 used in this FAQ refer to the European VideoCrypt system variants.

The systems covered in this FAQ are satellite based systems. Though many of these are reused on cable systems in Europe, the majority of cable based systems are still based on primitive synch attenuation and/or video inversion techniques.

A section on the piracy of the US based DirecTv system has been included due to the fact that News Datacom developed the security overlay on this system with utterly predictable results.


1.1 What Is A Scrambling System?

A scrambling system is applied to a television signal to ensure that it is only receivable by the audience for which it is intended. The more cynical amongst us may rephrase that to "those who have paid to receive it". Therefore a good scrambling system is one that can effectively make the picture unusable to all except those who have paid.

There are two basic types of scrambling system: dumb and addressable. The dumb system does not have any over-the-air (OTA) addressing. As a result the channel cannot turn a subscriber's descrambler off. This type of system is cheap and offers minimal security. As a result it is not used for high value channels.

An addressable scrambling system is more complex in that it allows the channel to individually turn on and off descramblers. Most systems in operation today are addressable.

The basis of a scrambling system is the method by which it renders the picture unwatchable. The early scrambling systems were analogue. These systems interfered with the synch pulses or inverted the video either on a frame, field or line basis. Some actually delayed each line by one of three delays on a pseudo-random basis.

All of the analogue scrambling systems were vulnerable and offered little protection to the channel using them. It was trivial to build a descrambler that worked in an identical manner to the official descrambler.

As the years and technology advanced, more complex systems came into operation. These systems were digital based systems. They digitised the picture or sound information and manipulated it. In order to descramble or decode the picture, the picture had to be digitised and then decoded.

However the systems seen to date are all firmly rooted in analogue technology. It would be better to describe these systems as transitional systems rather than digital systems. VideoCrypt, D2-MAC EuroCrypt M, S, S*, S2 and Nagra Syster are all transitional systems. They all digitise the video in order to decode it. VideoCrypt and D2-MAC use line cut and rotate to scramble the picture. Nagra Syster uses Line Shuffle to scramble the picture. It takes a block of lines and changes the order. In each of these cases the video is still transmitted in an analogue format.
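To make the two scrambling methods concrete, here is an added toy model of line cut-and-rotate and line shuffle. It is not code from the FAQ or from any of the systems it names; the test picture, the control word and the PRNG that stands in for the real key-stream generator are all constructed assumptions.

```python
"""Toy model of line cut-and-rotate (VideoCrypt, D2-MAC EuroCrypt) and line
shuffle (Nagra Syster). Added example, not the FAQ's code or any real
system's implementation: the frame, the control word and the PRNG that stands
in for the real key-stream generator are constructed assumptions. It shows
that the lines sent are still ordinary analogue lines, and that only a
receiver holding the same control word (what the smart card supplies in the
real systems) can put the samples back in order.
"""
import random
from typing import List

Frame = List[List[int]]   # a frame is a list of lines; a line is a list of samples

def cut_and_rotate(frame: Frame, cut_points: List[int]) -> Frame:
    """Scramble: cut each line at its cut point and send the two halves in
    swapped order, i.e. rotate the line left by the cut point."""
    if len(cut_points) != len(frame):
        raise ValueError("one cut point per line is required")
    out = []
    for line, cut in zip(frame, cut_points):
        cut %= len(line)
        out.append(line[cut:] + line[:cut])
    return out

def undo_cut_and_rotate(frame: Frame, cut_points: List[int]) -> Frame:
    """Descramble: rotate each line right by the same cut point."""
    if len(cut_points) != len(frame):
        raise ValueError("one cut point per line is required")
    out = []
    for line, cut in zip(frame, cut_points):
        back = len(line) - (cut % len(line))
        out.append(line[back:] + line[:back])
    return out

def line_shuffle(frame: Frame, block: int, perms: List[List[int]]) -> Frame:
    """Scramble: take the frame in blocks of `block` lines and send the lines
    of each block in the order given by that block's permutation."""
    out = []
    for b, start in enumerate(range(0, len(frame), block)):
        chunk = frame[start:start + block]
        if sorted(perms[b]) != list(range(len(chunk))):
            raise ValueError("permutation must cover its block exactly")
        out.extend(chunk[i] for i in perms[b])
    return out

def undo_line_shuffle(frame: Frame, block: int, perms: List[List[int]]) -> Frame:
    """Descramble: received line `pos` of a block was original line `perm[pos]`."""
    out = []
    for b, start in enumerate(range(0, len(frame), block)):
        chunk = frame[start:start + block]
        restored: List[List[int]] = [[] for _ in chunk]
        for pos, src in enumerate(perms[b]):
            restored[src] = chunk[pos]
        out.extend(restored)
    return out

def key_stream(control_word: int, n_lines: int, line_len: int, block: int):
    """Derive per-line cut points and per-block permutations from a control
    word. random.Random is a constructed stand-in for the real generator;
    all that matters here is that both ends seed it with the same word."""
    rng = random.Random(control_word)
    cuts = [rng.randrange(1, line_len) for _ in range(n_lines)]
    perms = []
    for start in range(0, n_lines, block):
        perm = list(range(min(block, n_lines - start)))
        rng.shuffle(perm)
        perms.append(perm)
    return cuts, perms

def scramble(frame: Frame, control_word: int, block: int = 4) -> Frame:
    cuts, perms = key_stream(control_word, len(frame), len(frame[0]), block)
    return line_shuffle(cut_and_rotate(frame, cuts), block, perms)

def descramble(frame: Frame, control_word: int, block: int = 4) -> Frame:
    cuts, perms = key_stream(control_word, len(frame), len(frame[0]), block)
    return undo_cut_and_rotate(undo_line_shuffle(frame, block, perms), cuts)

def test_pattern(n_lines: int = 8, line_len: int = 12) -> Frame:
    """Constructed test picture: a diagonal ramp, so disorder is easy to see."""
    return [[(x + 3 * y) % 10 for x in range(line_len)] for y in range(n_lines)]

def samples_in_place(a: Frame, b: Frame) -> float:
    """Fraction of samples sitting at the same position in both frames."""
    total = sum(len(line) for line in a)
    same = sum(p == q for la, lb in zip(a, b) for p, q in zip(la, lb))
    return same / total

if __name__ == "__main__":
    picture = test_pattern()
    sent = scramble(picture, 0x1234)
    print("scrambled:", samples_in_place(picture, sent))
    print("right CW :", samples_in_place(picture, descramble(sent, 0x1234)))
    print("wrong CW :", samples_in_place(picture, descramble(sent, 0x4321)))
```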

All of the above systems are smart card based. They rely on the fact that the smart card can be economically replaced in the event of a hack. The concept behind this is that of "The Secure Detachable Microcontroller". The older system designs were based on the "Secure Embedded Microcontroller" concept. This concept was fundamentally flawed in that if there was a hack on the secure microcontroller (the chip that held the system's secrets), then all of the decoders would have to be replaced or upgraded.


1.2 Overview of scrambling in Europe

The main systems in use in Europe are: VideoCrypt, EuroCrypt, Nagravision, Luxcrypt and B-MAC. There are variants of some systems. VideoCrypt comes in two versions, VideoCrypt I and VideoCrypt II. They are parallel, and the idea is that VC I is to be used inside the UK and Ireland, and VC II in the rest of Europe. EuroCrypt also has variants: EuroCrypt-M, EuroCrypt-S, EuroCrypt-S2, EuroCrypt-S*.

Since Europe is still a multi-copyright area, there is often the need to sell the programming on one channel to two markets. Rather than create two separate channels, it is often easier to use the same channel, with the same scrambling system but two distinct datastreams. Of course this dual datastream illustrates a major vulnerability. It only requires one of the datastreams to be hacked for the system to collapse completely.

With the VideoCrypt variants, the scrambling system is the same - line cut and rotate, but the information to descramble it is encrypted in the VideoCrypt 1 and VideoCrypt 2 datastreams. The datastreams are sent out on the one channel. Therefore the channel is available both in the UK and the continent using what on the surface appears to be two different systems. Of course this underlines an important flaw in using two or more datastreams on one scrambling system - if only one of these datastreams is hacked, then there is effectively no more protection for the channel.

Almost all efforts at cracking VideoCrypt had concentrated on the VideoCrypt 1 variant. VideoCrypt 2 had not been much of a target, though there are three working hacks on this system. There are VideoCrypt 1 <-> VideoCrypt 2 adaptors. These are plug-in boards with switchable 68705 / 8752s that allow a VideoCrypt 1 decoder to be used as a VideoCrypt 2 decoder and vice versa.

VideoCrypt 2 is hacked and pirate cards are available in three formats: Battery Card, reprogrammed 09 BSkyB Cards and PIC16C84 cards. The main attraction of VideoCrypt 2 (VC2) is that FilmNet is available on this system. The VC2 variant is more reliant on the serial number routines as many of the cards that were knocked out seem to be operating on a master-clone basis. This may well indicate that the Fiat-Shamir ZKT is working properly.
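The Fiat-Shamir ZKT is mentioned above but not explained. The following added example (not VideoCrypt's code or parameters; the modulus, secret and randomness are small constructed values) walks through the identification round and shows why a card that holds only the public value, not the secret, cannot survive repeated challenges.

```python
"""Fiat-Shamir zero-knowledge identification (the FAQ's 'Fiat-Shamir ZKT').
Added example: not VideoCrypt's code or parameters; the modulus, the secret
and the randomness are small constructed values so the arithmetic is easy
to follow. Card holds secret s; decoder holds only v = s^2 mod n.
One round:  card -> decoder: x = r^2 mod n          (r fresh and random)
            decoder -> card: e in {0, 1}            (challenge bit)
            card -> decoder: y = r * s^e mod n
            decoder accepts iff y != 0 and y^2 == x * v^e (mod n)
"""
import math
import random

# Constructed toy parameters; a real deployment uses a modulus of hundreds of bits.
P, Q = 101, 103
N = P * Q          # 10403
S = 1234           # the card's secret, gcd(S, N) == 1
V = pow(S, 2, N)   # 3918, the public value the decoder checks against

def _random_unit(rng: random.Random, n: int) -> int:
    """Random r in [1, n) with gcd(r, n) == 1."""
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            return r

class HonestCard:
    """Knows s, so it can answer whichever challenge bit arrives."""

    def __init__(self, n: int, s: int, rng: random.Random):
        self.n, self.s, self.rng = n, s, rng

    def commit(self) -> int:
        self.r = _random_unit(self.rng, self.n)
        return pow(self.r, 2, self.n)

    def respond(self, e: int) -> int:
        return (self.r * pow(self.s, e, self.n)) % self.n

class CloneCard:
    """Holds the public v but not s. Its best strategy is to guess e before
    committing: guess 0 -> x = r^2, guess 1 -> x = r^2 * v^-1, answer y = r
    either way. The answer verifies only when the guess matched e, so the
    clone survives each round with probability 1/2."""

    def __init__(self, n: int, v: int, rng: random.Random):
        self.n, self.v_inv, self.rng = n, pow(v, -1, n), rng

    def commit(self) -> int:
        self.guess = self.rng.randrange(2)
        self.r = _random_unit(self.rng, self.n)
        x = pow(self.r, 2, self.n)
        return (x * self.v_inv) % self.n if self.guess else x

    def respond(self, e: int) -> int:
        return self.r

def verify_round(n: int, v: int, x: int, e: int, y: int) -> bool:
    """Decoder-side check of one round."""
    if e not in (0, 1) or y % n == 0:
        return False
    return pow(y, 2, n) == (x * pow(v, e, n)) % n

def run_protocol(card, n: int, v: int, rounds: int, rng: random.Random) -> bool:
    """Full identification: any failed round rejects the card. The decoder
    draws its challenge bits from `rng`."""
    for _ in range(rounds):
        x = card.commit()
        e = rng.randrange(2)
        if not verify_round(n, v, x, e, card.respond(e)):
            return False
    return True

def honest_card_passes(rounds: int, seed: int = 1) -> bool:
    """A genuine card against a `rounds`-round decoder check."""
    return run_protocol(HonestCard(N, S, random.Random(seed)), N, V, rounds,
                        random.Random(seed + 1))

def clone_success_rate(rounds: int, trials: int, seed: int = 1) -> float:
    """Fraction of `trials` in which a clone survives `rounds` rounds."""
    card_rng, decoder_rng = random.Random(seed), random.Random(seed + 1)
    wins = sum(run_protocol(CloneCard(N, V, card_rng), N, V, rounds, decoder_rng)
               for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    print("honest card, 20 rounds:", honest_card_passes(20))
    for t in (1, 4, 20):
        print(f"clone survival, {t:2d} rounds: {clone_success_rate(t, 2000):.3f}")
```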

The source code for the PIC16C84 based VC2 cards is now in wider distribution and the Voyager 1.6 software now works with the VC2 channels as well as the previously hacked ones.

The data rate on VC2 is higher than the 9600 baud used for the VideoCrypt 1 system. This means that running Voyager on some PCs will be tricky, though William Jansen and Toysoft are working to stabilise the program.

JSTV is the only broadcaster that broadcasts Europe wide using VideoCrypt I. This channel differs from the standard in that it is a very high fee channel but it is also very much a minority interest channel since it broadcasts programmes for the Ex-pat Japanese market. This channel is also hacked though various ECMs have been tried.

D2-Multiplexed Analogue Component (D2-MAC) is a transmission standard. The scrambling system overlay is EuroCrypt. EuroCrypt comes in a number of variants (M, S, S*, S2) but according to European law, EuroCrypt-M is the European standard. Nobody takes much notice of that anyway.

France Telecom developed EuroCrypt. Since the system is open as regards the scrambling algorithms, France Telecom chose a modified form of the US Data Encryption Standard algorithm. They removed the initial and end permutations to make it run faster in the smart card. They also believed that this algorithm would be top secret and apparently that their smart card would be unhackable.

Eurocrypt-M is the commonest. Only four channels (Sweden 1 and 2, Norway 2 and TV Erotica) use Eurocrypt S, the first two in the less used D-MAC format of the MAC standard.

An older MAC variant, B-MAC, is used by the American Forces Radio and Television Service, the Satellite Information Services Racing Channel and several business TV applications. Gradually this system is fading out of use as American forces bases in Europe close down.

The B-MAC system applies relatively simple line delay scrambling to the MAC video and hard encrypts the digital audio and teletext services. The hacks on this system involve cloning a valid subscriber identity number and then arranging for a continual supply of weekly keys. These keys are programmed into an EEPROM chip in the decoder.

There are two flavours of B-MAC in operation in Europe: B-MAC 525 and B-MAC 625. The numbers refer to the line numbers. The 525 variant is used for the US AFRTS service and the 625 version is used for the Racing Channel. Pirate decoders for these services are expensive, typically costing in excess of five hundred pounds. The problem of course is arranging the continual flow of keys. A current hack claims to have worked around these problems.

There have been reports that AFRTS will be switching from the B-MAC standard to a more secure system. Consequently the B-MAC decoders will be phased out of operation. However the Racing Channel (SIS) still seems to be committed to the B-MAC system for their Bookie feeds. A version of the Racing Channel is available to VideoCrypt-1 decoder users.

Nagravision is also known as Syster and as Nagra, and is used in France, Spain, Turkey and Germany. Unlike VideoCrypt and Eurocrypt, Nagravision decoder boxes are not for sale. They are only rented out to subscribers, but still operate with a smart card. Nagravision is now replacing the older and less secure Discret system in France.

There are confirmed reports of a hack on Nagravision. The hack is a pirate decoder based on hacking the video scrambling as opposed to the access control aspect. The hack at the moment only affects the SECAM implementation of the system. The PAL implementation as used by Premiere is still intact though again there are rumours of a PAL based hack.

The SECAM version of the hack exploited a weakness caused by the SECAM system. The same form of hack will not work directly on PAL. There is some research into a PAL based hack but to date the results have been somewhat less than usable.

The Luxcrypt system is a cut-down implementation of the IRDETO system. Basically the Luxcrypt system is a synch replacement and inversion system. It is easily hacked and circuit diagrams of various decoders are available at all good FTP sites. The full IRDETO system has digital audio. The LuxCrypt system has ceased to be a satellite based system. However it is still the basis for the CableCrypt system used on some European cable networks.

Even the old SATPAC system as used by FilmNet before they switched to D2-MAC has been used lately on FilmNet transmissions to Greece. Apparently the Digital Audio decoders as included in the Hi-Tech Xtravision XV200, XV2000 and XV3000 still work on this channel.

The Italian Satisfaction Club TV, a hard core porn channel was originally using the Nokia LS256 line shuffle scrambling system. However they have recently replaced it with a system called "Ping Pong" which is believed to be based on a similar process.


1.3 Characteristics of the major European scrambling systems

VideoCrypt 1:
TV Standard: PAL
Video: Line Cut And Rotate
Audio: None
Smart Card: Yes
Users: BSkyB Multichannels, Adult Channel, Eurotica, JSTV etc.
Hack Status: Battery Card Hack. Phoenixed Cards
Pirate Cards: Yes
Season Programs: Not Yet

VideoCrypt 2:
TV Standard: PAL
Video: Line Cut And Rotate
Audio: None
Smart Card: Yes
Users: Discovery, FilmNet.
Hack Status: Hacked
Pirate Cards: Yes
Season Programs: Yes

D2-MAC EuroCrypt-M:
TV Standard: D2-MAC
Video: Line Cut And Rotate on Chroma And Luma
Audio: Encrypted Digital
Smart Card: Yes
Users: FilmNet, TV1000, TV3, Canal Plus.
Hack Status: Hacked
Pirate Cards: Yes
Season Type Programs: Yes

Nagra Syster:
TV Standard: PAL & SECAM
Video: Line Shuffle
Audio: Spectrum Inversion
Smart Card: Yes, key shaped rather than conventional card shape.
Users: Premiere, Canal Plus, Various French and Spanish Channels.
Hack Status: Hacked. Only SECAM variant is affected at the moment.
Pirate Cards: No
Season Type Programs: No

LuxCrypt:
TV Standard: PAL
Video: Frame / Average Peak Level Inversion with synch replacement
Audio: Digital PCM but not used
Smart Card: No. Just a dumb and cheap system.
Users: NOT USED ON SATELLITE
Hack Status: Totally compromised
Pirate Cards: No
Season Type Programs: No

B-MAC:
TV Standard: B-MAC
Video: Line Delay
Audio: Hard Encrypted with DES like algorithm
Smart Card: No
Users: AFRTS, SIS Racing Channel
Hack Status: Hacked. Cost of decoders / key feeds are a problem.
Pirate Cards: No
Season Type Programs: No


1.4 The European Scrambled Channels

The following is a list of scrambled channels generally receivable over the European area. The list is not complete and in some cases it is not 100% accurate. It is however a start. The frequencies may be +/- 10 MHz or so depending on the LNB. Some of these channels are spot beams. This means that to receive them outside the spot, a larger dish is required. To explain the intricacies of multisatellite reception would require another FAQ. It is something that I am working on at the moment. The list of scrambled channels has been compiled from a number of European satellite television magazines, most notably "TeleSatellit" and "What Satellite" and the World Satellite Yearly.

All Frequencies Are in GHz (GigaHertz)
H = Horizontal Polarization
V = Vertical Polarization
R = Right Hand Circular Polarization
L = Left Hand Circular Polarization

ASTRA 19 Degrees East

Eutelsat II-F3 16 Degrees East

Eutelsat II-F1 13 Degrees East

Eutelsat II-F2 10 Degrees East

Eutelsat II-F4 07 Degrees East

Sirius 05.2 Degrees East

Telecom 2C 03 Degrees East

TV-Sat 2 0.6 Degrees West

Thor 0.8 Degrees West

Intelsat 707 01 Degrees West

Telecom 5B 05 Degrees West

Telecom 2A 08 Degrees West

TDF-2 18.8 Degrees West

Intelsat K 21.5 Degrees West

Intelsat 601 27.5 Degrees West

Hispasat 1A/1B 30 Degrees West


2.0 HACKING PAY TV

This part of the FAQ deals with the techniques used to hack satellite television channels in Europe and the US. Some of the material herein may be illegal for use in certain jurisdictions.

The only difference between a hobbyist hacker and a professional is that the professional takes money for it. This is often reflected in a country's legislation. The fines for commercial hacking are generally higher than those for hobbyist hacking. It is not a wise thing to hack a channel that is uplinked from your country. It would more than likely be covered under local laws.

One of the main motivations for commercial piracy is that the channel is not available legally in the jurisdiction. Where the channel is available, the logical thing to do would be to subscribe rather than hack it. Grey Market piracy is perhaps the lesser of two evils if you are desperate to get access to a foreign channel. Such Grey Market subscriptions are often safer in terms of ECMs in that a channel is less likely to ECM one of their own legitimate cards on purpose. However if your Grey Market card is ECMed, the worst thing that you can do is to ring up the Subscription Management Centre. For example, Sky's Subscriber Management Centre has Caller ID on their lines. This means that when calling from a number in the UK, the phone number of the caller will be displayed to Sky. If they see that you are calling from outside the UK, they may deduce that the card is a Grey Market card and refuse to reactivate it. Always get the local agent to dial the relevant subscriber management and ensure that he uses Caller ID Blocking to prevent his number from being tied to any particular card.


2.1 Is it legal?

The cynical answer would be that it is only illegal if you get caught. The legal position on hacking varies from country to country. Basically a good rule is that a channel being uplinked from a particular country is probably going to be protected by that country's laws. For example hacking BSkyB in the United Kingdom is illegal under that country's laws. However hacking FilmNet in the UK may not be directly protected under the UK's law.

The UK law on pirating Sky channels has changed as the result of the October amendment to the Copyright Patents And Designs Act which now, apparently makes the advertising or offering for sale or hire of unauthorised devices illegal in the UK. The act applies to the UK and to channels licenced in the UK. This has some very tricky aspects.

The main channels to benefit directly from this legislation are the BSkyB ones. It is now clearly illegal to hack or pirate these channels in the UK. The posting of the X-Files (the Sky 10 pirate battery card files) on UK WWW, FTP and BBS sites is in question even though the files do not work as is. The hidden aspect is BBC Prime.

The BBC Prime channel is a D2-MAC channel intended for reception outside of the UK. It still is a UK originated channel. Therefore under this new legislation it is an offence to offer for sale or hire in the UK unauthorised devices capable of decoding this channel. Now most pirate D2-MAC cards are capable of decoding this channel and would therefore be illegal under this legislation. However it is still unclear as to who or what would have to take action against people selling or advertising these cards.

It is safe to say that pressure will be brought to bear on the UK satellite television magazines not to carry such card adverts. Naturally these magazines, so dependent on the Sky programme listings, will spinelessly cave in. For the main part however, the situation on advertising pirate TV1000 and FilmNet cards will remain the same until the law is clarified.

The recent clarification of the UK's copyright legislation makes it an offence to advertise pirate cards for a UK originated channel. This means that advertising or selling a pirate BBC Prime or MTV capable card in the UK is illegal. To date there has been no legal action from the channel concerned.

According to a report on Cardtronix's website, What Satellite? magazine caved in recently to Sky. Basically What Satellite, at the behest of Sky refused Cardtronix's advert. The hypocritical thing about this was that What Satellite were running adverts for pirate BBC Prime cards in the issues where they blocked the Cardtronix advert. Cardtronix happened to be selling cards capable of decoding Sky though these cards were not the ones in question.

Europe is still a multi-copyright area. It is therefore possible for BSkyB and FilmNet to purchase the rights to show the same film. Perhaps in the future, the copyright issue will be worked out and we will have a single copyright area for Europe, but for now we have to cope with the current mess.

To date most of the prosecutions for piracy in the UK have been against people who have been too visible. It is not economically viable for a channel to prosecute every user of a pirate smart card. Instead they will generally concentrate on dealers and distributors.

Of course they may also decide to make an example of an individual pirate card user. The logic of the legal departments of channels is not as predictable as that of their engineering departments.

If you get caught you are unlikely to be able to plead any clever excuse that you may come up with. More importantly, could you afford the expensive legal mouthpiece to argue your case?

The recent European Commission green paper on the legal protection of encrypted services does indicate that there is a growing movement in the European political world to extend the legal protection of channels. This has come about through the lobbying of the afflicted channels who, having been unsuccessful at protecting their services with technology, are now turning to lawyers to protect their channel. This is like using a Band-Aid to fix a slit jugular vein.

However in real terms, the Blackbox market in Europe may well be forced to go underground. Some of the proposals covered, such as making the possession of pirate decoders a criminal offence, are clearly stupid and the product of minds ignorant of the realities of piracy. For any channel it is a battle for hearts and minds, and rather than criminalising a potential subscriber it would be more logical to offer him the option to subscribe when caught.

It is perhaps accurate to say that the current legal stasis that exists in Europe at the moment will change soon. When it does, the face of piracy will darken. It will be forced underground becoming harder to catch and perhaps more difficult to stem. From the centre of Europe, companies will flee to the periphery outside the incompetent grasp of the channels and their "employees" in the European commission. Piracy on the channels will continue.


2.2 VideoCrypt Smart Cards

On 31/10/95 BSkyB switched over to the new 10 card. The fundamental result of this is that ALL season programs and pirate smart cards do not work anymore.

The original hack on the Sky 10 card had been by means of a Battery Card. This hack had been confirmed on 05-04-96 by Megatek, an Irish based company. A mixture of overload and questionable legalities scuttled Megatek earlier this year. Two court orders, an injunction preventing them from trading and a Mareva order preventing them from reducing their assets within the state below £200,000, were granted against them by an Irish High Court Judge on foot of a raid in the UK on their supplier.

The Battery card hack worked exceedingly well and most people who received their cards before Megatek was hit were happy with the performance. Other legal hassles forced Benedex out of the market. This left Cardtronix (http://www.cardtronix.com) as the main company in the field of Battery Cards. This fact was to become apparent when News Datacom and Sky implemented an ECM in early August; the day was, significantly, a public holiday in Ireland.

Cardtronix had the upgrade within a few days though it did involve sending the card back to them. This somewhat undermined the reprogrammability aspect that had attracted many into purchasing this card. Of course with the absence of Megatek, who had earlier disappeared due to legal action, interdiction and some rather dodgy infiltration work by Sky's security "consultancy", Megatek card owners were left with the option of sending their card to Cardtronix for upgrade. Cardtronix were charging in the region of thirty five pounds for this upgrade. The owners of Benedex cards were in a similar position. This did not please some pirate card vendors and one in particular tried to represent himself as the saviour of the masses, bleating loudly about the upgrade fee that Cardtronix were charging.

Subsequent ECMs by Sky, aimed at the Cardtronix battery card, have been temporarily successful. To date Sky are the losers in this situation as Cardtronix generally post the update codes within a few days at most. The situation was not helped by Cardtronix having a number of versions of the card software in the market. This meant that some versions of the card were affected differently. However these cards have now largely been reprogrammed.

The hack pattern for VideoCrypt is that the official card remains more or less secure for the first six months and then a hack appears. The hack, for the system, is of a catastrophic nature. Once it appears, there is a running battle of countermeasure versus counter-countermeasure for the remaining twelve months or so of the card's lifetime.

Pirate smart cards are cards that have been manufactured to hack a channel. They are, in most cases totally different from official smart cards. The majority of these cards are based on the PIC16Cxx series of microcontrollers. Other variations have been seen but the PIC16Cxx cards are the commonest.

Over the past few months, the more expensive end of the market has tended towards the Battery Cards. These cards use the Dallas Semiconductors 5002FP secured microcontroller and are updatable by the card user. It is simply a question of dialing a phone number and getting the set of numbers to punch into the Battery Card.

There is also a trade in what are referred to as Grey Market smart cards. These are official cards, that are exported to another country. Generally it is a one for one trade with the broker taking a commission. For example, a BSkyB subscription would be taken out in the UK and a FilmNet subscription would be taken out in Sweden. The cards would then be swapped via a broker. The subscriptions would be kept up to date by both parties. The legal position on this activity is not clear as the channels benefit from the transaction in that they both get subscriptions. It does rely on mutual trust.

Purchasing a pirate card involves risk. There is a probability that the pirate card will be killed in the future. The channels will implement electronic countermeasures to try and kill the pirate cards. Technically speaking, no pirate card can ever be 100% safe. This point has been proven too frequently over the last few months.

The system used by FilmNet Plus and TV1000 (among others) is EuroCrypt-M. This system has been continually hacked since 1992. In terms of value for money, users of EuroCrypt-M pirate smart cards have fared better. This is because the channels have not frequently implemented countermeasures. Of course the recent countermeasure by TV1000 has had a devastating effect. Most of the pirate smart cards have been knocked out.

The VideoCrypt system, as used by BSkyB and the Adult Channel, has been updated more regularly. The present BSkyB card is issue 10 or in technical terms, the 0A card. It is commonly referred to as issue 10 but the reason for the 0A reference is purely technical. In hexadecimal, the number 10 is represented as 0A.

In addition to issuing a new smart card every year or so, BSkyB and News Datacom also implement countermeasures to knock out pirate smart cards. Over the last few months, the time between these countermeasures has only been a few weeks. For about a month preceding the switch to 10, BSkyB was in a transition from issue 09 to 10. Therefore they did not execute that many ECMs during that period. This is because the 10 card only had a simplified version of the 09 algorithm in order to cope during this transition stage.

As a direct result of ECMs such as key changes, many of the pirate cards have had to be sent back to the dealer for upgrade. Some innovative pirates have designed their cards (the Battery Cards) so that they can be upgraded by the customer. The solutions for the countermeasures are recorded as a set of numbers on an answering machine. The customer rings the phone number with the answering machine and gets the update numbers. He then enters them into the pirate card via a key pad. Other solutions such as a modem on the pirate card have also been seen.

Though the piracy on Sky 10 is not as bad as that on previous card issues, it is flourishing. Much of the piracy on the 10 card is based on Phoenixed 10 cards. These cards are Sky 10 cards that have been activated for all channels. Recently, on November 7th 1996, an ECM designed to hit these Phoenixed cards managed to knock out a major portion of these cards. The cards were rendered invalid and thus were only suitable for recycling for their ASICs.

In real terms, anyone purchasing a pirate card is taking a risk. The pirate card will eventually be hit by a countermeasure. If it is not, then the channel may issue a new smart card with the consequence that all of the old pirate smart cards will be knocked out.


2.3 What is Season or Omigod software?

At the time of writing, NONE of the Season programs are working on channels encrypted with the 10 codes. There have been at least two spoof attempts over the last few months. One of these is named SEASON10.ZIP and is very definitely a fake.

With the release of the Sky 10 code in the X-Files, there are thousands of hackers working on a SEASON type program. However it is necessary to understand the operation of the Battery card code first. This would be complicated at the best of times but with the differences in architecture, some extra study will be involved. However the binary for the Sky 10 card is in general distribution.

The Season software began life as an attempt by Markus Kuhn and others to watch the final season of Star Trek: TNG. The final season was Season 7. As a result, the first working PC program that decoded BSkyB was named SEASON7. The first version of this program appeared in March of 1994. At the time, the current issue of the BSkyB card was Issue 7. Therefore some confusion arose.

The term Omigod (Oh My God!) was also used to describe the programs. Well the preceding hack using the PIC cards was known as the Ho Lee Fook hack! Over the months from March to May 1994, versions for different computers appeared. Many of these were posted on the alt.satellite.tv.europe newsgroup.

On May 18th 1994 BSkyB changed from issue 07 cards to their new issue 09 card. In hacker terms, May 18th is referred to as Dark Wednesday. The 09 card proved harder to hack but a temporary solution appeared in June of that year. It only lasted a few weeks before BSkyB changed codes again. Though some attempts at an issue 09 SEASON hack were made, the change of code by BSkyB stopped it cold. Well at least until just before Christmas.

On Christmas Eve 1994, no less than three versions of the SEASON hack appeared. Two of them worked on the PC and the other one worked on the Apple Mac. Of course BSkyB was paying attention and on January 4th 1995, they implemented a countermeasure that knocked out pirate cards and all of the SEASON hacks. The war between BSkyB and the pirates had recommenced. Updated versions of the SEASON hacks became available. This spiral of countermeasure and update has continued until the present. The issue of the new BSkyB card has changed the situation somewhat. The VideoCrypt SEASON hack is now living on borrowed time.

The algorithm in the 09 card issue is far more complex than the one used in the 07 card. While the 07 algorithm was not really designed to be extremely upgradable, the 09 algorithm is an extremely flexible algorithm. No doubt the 10 card algorithm will build heavily on the lessons of the 09.

At present only The Adult Channel (UK soft porn) and Eurotica (UK Hard Core Porn) are decoded by VideoCrypt SEASON programs. None of the official BSkyB channels will be decoded by any of the SEASON programs available at the time of writing.

Currently there is no SEASON software available for the Sky channels.



2.4 Where can I get the software from ?

At present, working versions of the SEASON hacks for the Adult Channel and Eurotica are available on almost every European BBS. The most popular of these programs is Voyager, which also decodes the D2-MAC EuroCrypt-M channels.

There are many FTP and WWW sites where the programs are freely available. There are no known versions that cover VideoCrypt 2. (A hack on JSTV was claimed a few months ago, but this was a card based hack rather than a SEASON type hack.)

There are many versions of SEASON: Voyager, SEASON, Freeview etc. All of these stopped working on the BSkyB channels when BSkyB switched to their 10 cards. In the meantime they remain available at all good sites, a few of which are listed below.

FTP:

ftp.informatik.uni-erlangen.de/pub/multimedia/tvcrypt/

ftp.paranoia.com/pub/users/defiant

ftp.ua.pt/pub/misc/satellite

Note the capital letters and the forward slashes (/). They make a difference because most of the FTP sites run on UNIX systems, whose file systems are case sensitive.

WWW:

The best site for these files at the moment is the Defiant site:

http://www.eurosat.com/softzone



2.5 The Season Cardadapter

The computer has to be connected to the VideoCrypt decoder via an interface, sometimes referred to as an Omigod or Season interface. It is essentially a simple level converter that connects the RS232 serial port of the computer to the TTL levels of the card socket. Most versions of the Season software include construction details for this interface in a file called ADAPTER.TXT. Details of the adapter are on Erlangen in the directory:

ftp://ftp.informatik.uni-erlangen.de/pub/multimedia/tvcrypt/cardadapter/

The artwork for making the PCB interface is available in PostScript form at:

ftp://harley.pcl.ox.ac.uk/pub/crypt/smartpc/smart.ps

joule.pcl.ox.ac.uk/pub/mark/smart.ps

WWW:

http://www.demon.co.uk/paulmax

http://joule.pcl.ox.ac.uk/~mark/sat.html

http://www.eurosat.com/softzone

Because this software drives the card interface through the serial port, timing can be critical. Other programs running in the background can interfere with the proper operation of the SEASON program, so it is better to run the SEASON programs on PCs without memory managers or serial device drivers loaded.

The paulmax site listed above is Paul Maxwell-King's website and is a very useful resource. It is also possible to purchase the PCB, a kit or a fully constructed interface from his site. If you have any doubts about your electronic construction abilities, buy a ready made interface.



2.6 I can't ftp. Can someone post it for me ?

The newsgroups alt.satellite.tv.crypt, alt.satellite.tv.europe and rec.video.satellite.europe are not for posting binaries. There is an associated binaries group, alt.satellite.tv-binaries, though its availability varies: many Internet Service Providers block the alt.binaries.* groups because they take up too much space on their news servers and because some of the material may be of questionable legality.

If you can't use FTP from your account then get acquainted with ftpmail. As well as letting you fetch the software yourself and keeping traffic in the group down, it will enable you to get any software on any subject!

For details of how to use ftpmail, send a message with the word "help" in the body to any of:


bitftp@wm.gmd.de
ftpmail@ftp.uni-stuttgart.de
ftpmail@grasp.insa.lyon.fr
ftpmail@ieunet.ie
ftpmail@plearn.edu.pl
ftpmail@doc.ic.ac.uk

The files will be returned uuencoded. You'll need a uudecoder to turn them back into useful files. Uudecoders are widely available for all platforms, although if you can't FTP you'll have to work out how to get one. More details on e-mail use of the net are on Super Channel CNBC text page 188.



2.7 What are blockers and what is Phoenix?

In the middle of the summer of 1994 there had been little success in hacking BSkyB. A program was written within TV-CRYPT to test a theory about the over the air addressing system of VideoCrypt. The question was: could the presently available knowledge be used to switch a BSkyB card on or off? At that time the available knowledge consisted of the fragment of the 09 code that had been killed in June and a working knowledge of how BSkyB encoded card numbers in their over the air addressing system. It proved sufficient.

The program written to test the theory was called Phoenix. Since most of the cards experimented on were Quickstarts that BSkyB had killed, Phoenix, the mythical bird that rises from its own ashes, seemed a good name.

Of course the program fell into the hands of commercial pirates. On its own, Phoenix was useful for switching on the 09 Quickstarts that BSkyB had killed. It was also used to switch on all channels on a BSkyB card that only had the Multichannels subscription: a Musketeer hack, all for one and one for all, except that the name had already been used.

Unfortunately these reactivated cards only lasted a few days before being killed again by BSkyB, and when BSkyB shortened their kill cycle the cards lasted only a few hours. Some solution had to be found.

The solution lay in a hack from 1992, the KENtucky Fried Chip. This was a modified version of the microcontroller that sits between the smart card and the rest of the VideoCrypt decoder. It stopped BSkyB from turning off a card by examining each over the air packet for the identity number of the card in the card socket and preventing any such packet from reaching the smart card. BSkyB could not kill the card because the card never received the kill instruction.

The chip used in the decoder was too expensive, however, and there was a rather large number of redundant PIC16C84 chips available. The first blockers to hit the market therefore had the blocking program in a PIC16C84 and consisted of a card socket, a PIC16C84 and a PCB. The official card, having been activated by the Phoenix program, would then only be used in the blocker. Luckily it was not named the Condom hack.

The popularity of these devices soon meant that activating the Quickstart cards individually with the Phoenix program was taking too much time. The solution was to incorporate the Phoenix routines in the PIC16C84. These new blockers were more successful. Over the months from August to November they were given a bewildering array of names: Genesis, SunBlocker, Sh*tblocker, Exodus.

Naturally BSkyB were a little upset with this resurrection of their dead cards. Their response was at first purely technical; later in 1994 they took legal action in the UK against some of the people supplying blockers.

There was more to the VideoCrypt 09 smart card than people realised. The most important aspect was that BSkyB could actually write to the card, and the instructions for doing so were carried in the same packets that carried the activation and deactivation instructions.

The blockers only looked for the specific identity number of the card in the card socket; any packet in which that identity number did not appear was let straight through to the card. By this route BSkyB managed to knock out a number of cards while they were in the blockers.

Some of these countermeasures were reversible, in that the card itself was not completely dead. One of BSkyB's countermeasures, however, hit the card in a manner that effectively locked it. By that point the blockers were becoming irrelevant anyway, as there were working pirate smart cards for VideoCrypt.

The Phoenix program, in various guises, still works, although some of the newer smart cards from BSkyB have been found to resist activation with Phoenix.

At present some PIC source code labelled 10BLOCK.ZIP is in circulation. It is believed that this is not actually code for a 10 Blocker but merely 09 Blocker code that does not work on the 10. Using this code in the hope that it will stop a 10 card being killed is dangerous, to say the least.

At the moment (23-01-97) there is no working Phoenix activation software for the Sky 10 card in general distribution. The Phoenix program released on 22-12-96 should not be used to activate a card, as there is an ECM (electronic countermeasure) in effect that will render the card temporarily useless.



2.8 Are there any D2-MAC EuroCrypt-M Versions of The Season Hack?

The simple answer is yes. The original program was called MACcess, and a number of variants are now available. The most widely used is the Voyager program from William Jansen and ToySoft, which started out as a VideoCrypt program and had MAC capability added later. Others such as Whopper and Minimac have also appeared.

The original author of MACcess did not update it because of the sheer abuse the program attracted. The comments from a few ungrateful idiots demanding the new version while insulting the author for not supporting the program irritated not only the author but many other hackers as well.

The EuroCrypt-M system is DES based; in an ironic way the system's greatest strength was also its greatest weakness. Again the progression from pirate smart card to computer program was apparent.

Other programs such as Whopper and SEAMAC have also begun to gain acceptance, but the most widely used program is still Voyager.



2.9 Is there a hack on Nagra?

There is no OMIGOD program for hacking Nagra. What happened was that some JAFA from the English consumer publication "What Satellite" heard about a program for monitoring the Nagra card-decoder communications and ignorantly assumed that it was an OMIGOD hack.

The Nagra Syster system has been hacked, but the hack is not on the access control system. It is rather a hack on the video scrambling itself, taking advantage of a flaw in the SECAM standard, and at present it only affects the SECAM version of the system. The pirate device is a decoder rather than a smart card and is based on a 68HC11 and a MACH130. It ascertains the shuffle sequence from the video rather than hacking the datastream.

The system was hacked after five years of operational use without any real marketable hack, which is something of a record for a scrambling system in Europe.

Basically the SECAM based hack determines the shuffle sequence and then reassembles the video in the proper order. It has been pointed out that a key change may nuke this hack; however, the hacker decoders continue to work at this time.



2.10 PIC Source code for hacks

Since late April 1995 there has been no security on the PIC16C84 microcontroller. This is ironic because this microcontroller formed the backbone of the European piracy business. In late April the information on popping (extracting the protected contents of the chip's memory) the PIC16C84 was published in a USENET newsgroup. An article on this can be found on the following webpage:

http://www.hackwatch.com/~kooltek/picbust.html

As a result everybody found out how to pop the PIC, and all the code for the D2-MAC hacks and the BSkyB hacks was laid bare.

The source code for the PIC based D2-MAC cards is widely available on the net. The following WWW pages have D2-MAC code:

http://www.demon.co.uk/paulmax
http://www.eurosat.com/softzone

The PIC16C84 is still the backbone of the hobbyist market, by accident rather than design. It is one of the more freely available microcontrollers because of its use in the 07, 09 and D2-MAC hacks, and when the 07 and 09 VideoCrypt hacks became obsolete most of these cards were pressed into use as D2-MAC EuroCrypt-M cards.



2.11 Other Smart Card Projects

A number of designs of DIY smart cards for VideoCrypt appeared during the lifetime of the 09 card. With the switch to 10, most of these became redundant unless their software could be converted for D2-MAC.



2.11a Michael Stegen's Multimac PIC Program

Many of the microcontrollers previously used for Sky 09 and Sky 07 hacks were converted for use as D2-MAC EuroCrypt-M hacks. The most popular program for this is Michael Stegen's Multimac. It allows the user to select the programming parameters (which pin is to be used for the data port etc.) for the PIC16C84, and when the user is satisfied it generates an image file that can be loaded into the PIC16C84 using any one of a number of available PIC programmers.

In Defiant's Golden Axe award, Michael Stegen won by an astounding margin. A lot of people watching D2-MAC EuroCrypt channels are doing so courtesy of his excellent program. The program can be obtained from the following sites:

http://www.eurosat.com/softzone/multi203.zip
http://www.demon.co.uk/paulmax/stegen/hwsw.htm



2.11b The PIC Programmers

There are two methods of programming the PIC16C84: the parallel method and the serial method. The parallel method is used by most commercial programmers, typically costing in excess of one hundred pounds. The serial method is more suited to the hobbyist, and it is on this method that most of the PIC programmers currently on sale on various WWW sites operate.

The two initial designs for programming the PIC16C84 via the serial method are the David Tait design and the Henk Schaer design. These designs are very cheap to implement, typically costing less than five pounds.

The initial David Tait design used a 4066 analogue switch for switching; the Henk Schaer design used PNP transistors. In practice the Schaer design became more popular because it was easier to modify for PICBusting operation.

Both designs run off the parallel printer port. The Tait design comes with source code in BASIC and in C; the program supplied with the Schaer design, PIC.EXE, is essentially self contained and easy to use. Both designs are extremely easy to construct, even on Veroboard. Variants of the Tait programmer design have appeared over the last few years, using either inverting or non-inverting open collector buffers, and the later variants could also use transistor or 4066 switching. Other programmers, such as Lidwig Catta's Ludipipo programmer, were developed and are now in popular use.

The Henk Schaer design is available at:

http://www.demon.co.uk/paulmax/stegen/files/picpro.zip

The Ludipipo design is available at:

http://www.demon.co.uk/paulmax/stegen/files/ludipipo.zip

A dual Henk Schaer / David Tait programmer is available at:

http://www.demon.co.uk/paulmax/stegen/files/pic24c71.zip



2.11c PIC Programmers And Files Sites On The WWW

Some of the best sites for information on PIC programming and programmers are:

http://www.microchip.com
http://www.man.ac.uk/~mbhstdj/piclinks.html
http://www.man.ac.uk/~bmhstdj/files
http://www.sistudio.com



2.12 SEASON10

Over the past few months various programs have appeared purporting to be hacks on the BSkyB 10 card, one notable example being SATHACK.EXE. These programs did not work; indeed SATHACK.EXE carried the Answer To Reset string of an 07 issue pirate card.

Given the complexity of the BSkyB 10 card, a SEASON type hack would be difficult but not impossible. The BSkyB 10 card has two chips: an Application Specific Integrated Circuit (ASIC) and a Siemens 8051 smart card microcontroller. The microcontroller has been popped and the ASIC has been reverse-engineered, and it is the ASIC that has delayed a hack getting to market.

A SEASON10 type hack would have to successfully emulate the ASIC in software in addition to emulating the smart card microcontroller. To call this difficult would be an understatement.

The pattern of the SEASON hacks in the past was trickle-down: the commercial hackers would hack the smart card and, after a few months, the code would be released to the hobbyists either by design or by mistake. The hobbyists would then develop the SEASON type hacks.

With the release of the X-Files, it is safe to say that thousands of hackers are working on a SEASON implementation. However, it will take some time for the operation of the Battery card code to be understood and replicated, and then there is the question of the ASIC.



2.13 BSkyB 10 Blockers

Some products are being marketed as BSkyB 10 Blockers, some of them matched to the card inserted. Given past experience with Phoenix and Blockers, it is unlikely that these devices will completely protect the cards inserted, if they protect them at all.

Some of these devices may be based on a replay hack, in which the turn-on packet for the card is recorded and, when the card is knocked out, the card is re-authorised by feeding it the recorded packet. Such a hack could only be guaranteed to work for one month, because after that the date code changes: the 09 card program was designed not to respond to an earlier dated packet, and this may also be the case with the 10 card.
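The interplay between over the air addressing, the blockers of section 2.7 and the replay hack above can be sketched in a few lines. The following is an added illustration written for this revision of the FAQ, not code from the FAQ, from any blocker or Phoenix program, or from BSkyB. The packet fields (kind, card number, date code, channel list), the rule that the card takes its notion of the current date from whatever packet it last saw, and the un-addressed "write" packet used as the countermeasure are all assumptions made for the demo; the real VideoCrypt packet format is not on this page.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set

KILL, ENABLE, WRITE = "kill", "enable", "write"


@dataclass(frozen=True)
class Packet:
    kind: str
    card_id: Optional[int]               # None: not addressed to one card number (assumed)
    date_code: int                       # month counter carried in every packet (assumed)
    channels: FrozenSet[str] = frozenset()


@dataclass
class Card:
    """Toy model of the card's packet handling, including the anti-replay date rule."""
    card_id: int
    last_date: int = 0
    channels: Set[str] = field(default_factory=set)
    locked: bool = False

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet was acted on."""
        if self.locked:
            return False
        if pkt.date_code < self.last_date:
            return False                 # earlier dated packet: ignored (anti-replay)
        self.last_date = pkt.date_code   # assumption: the date is learnt from any packet
        if pkt.card_id is not None and pkt.card_id != self.card_id:
            return False                 # addressed to some other card
        if pkt.kind == ENABLE:
            self.channels |= set(pkt.channels)
        elif pkt.kind == KILL:
            self.channels.clear()
        elif pkt.kind == WRITE:
            self.locked = True           # the rewrite that left cards effectively locked
        return True


def blocker(card: Card, pkt: Packet) -> bool:
    """First-generation blocker: drop any packet carrying our card number, pass the rest."""
    if pkt.card_id == card.card_id:
        return False
    return card.process(pkt)


def replay_scenario():
    """Record the turn-on packet, replay it after a kill: works within the month, not after."""
    card = Card(card_id=1234)
    turn_on = Packet(ENABLE, 1234, date_code=3, channels=frozenset({"sports", "movies"}))
    card.process(turn_on)
    recorded = turn_on                                   # what the replay device keeps
    card.process(Packet(KILL, 1234, date_code=3))        # killed in the same month
    same_month = card.process(recorded)                  # re-authorised
    card.process(Packet(KILL, 1234, date_code=4))        # killed again after the date change
    next_month = card.process(recorded)                  # stale date code: ignored
    return same_month, next_month, sorted(card.channels)


def blocker_scenario():
    """The blocker stops the addressed kill but passes the un-addressed write."""
    card = Card(card_id=1234)
    card.process(Packet(ENABLE, 1234, date_code=3, channels=frozenset({"sports"})))
    dropped = not blocker(card, Packet(KILL, 1234, date_code=3))
    survived = bool(card.channels)
    passed = blocker(card, Packet(WRITE, None, date_code=3))
    return dropped, survived, passed, card.locked


if __name__ == "__main__":
    print("replay (same month, next month, channels):", replay_scenario())
    print("blocker (kill dropped, card alive, write passed, locked):", blocker_scenario())
```

The two scenarios show the two ends of the story: the replay device buys one month at most once the card refuses earlier dated packets, and a blocker that filters only on the card number cannot stop a packet that never names the card.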

Given that the ASIC in the BSkyB 10 card allows some really nasty encryption to be applied to the authorisation packets, a BSkyB 10 Blocker would not be reliable. Coupled with the fact that official 10 cards are now a lot more difficult to obtain, this means that a hack on the scale of the original Phoenix/Genesis blocker hack is unlikely, unless BSkyB start another QuickStart scheme and another backdoor like the Sam Chisum PPV hack is found.

As expected, the first product from the X-Files was a Phoenix activator program. It did of course activate the official cards. It was ECMed a few weeks later and now the wait is on for a patch that will allow these cards to be reactivated.

The problem here is that there is no Quickstart program in operation, and therefore no readily accessible supply of official smart cards at the moment.

This may have a far more lethal effect on Sky's subscriber base, as the majority of piracy that occurs by this means will be on legitimate cards. If BSkyB lose control of their access control system again in the same fashion as with the 09 Phoenix, they will face potential annihilation.



2.14 The Fictional Pentium Hack On VideoCrypt

The internet is often the source of some amazing stories and rumours. It appears that "What Satellite" has fallen victim to one of the oldest ones. The story in question was the Pentium based video only hack on VideoCrypt.

According to "What Satellite", the hack was based on a Pentium chip that decoded the scrambled VideoCrypt signal in real time. The story was full of contradictions. The hack was apparently a stand-alone hack housed on a daughter-board that could be fitted inside IRDs. If it was a stand-alone hack then why was it referred to as a daughter-board? Stand-alone hacks are just that: stand-alone, in their own cases.

Other, more obvious mistakes slipped by unnoticed. The hack was said, "by sheer dint of processing power", to be able to reconstruct the scrambled picture at a rate of 50 frames per second, which What Satellite called normal video quality. Unfortunately the normal video rate in PAL 625 is 50 fields per second, or 25 frames per second, so this fictional hack was running at twice the normal frame rate. Either that or "What Satellite" had just proven that in order to write about technology you should at least understand technology.

It seems that someone at "What Satellite" had read a few messages on the Usenet newsgroups discussing such a hack. The topic of a processor based attack on VideoCrypt rears its head every few months, and as the internet and usenet get more popular it is not unusual to see the same questions asked a few times each month.

The main problem with such a hack is that it requires a lot of digital signal processing. Using a Pentium to carry out the calculations might seem attractive on the surface, but other chips, namely Digital Signal Processors (DSPs), are better suited.

There was a processor based hack on VideoCrypt a few years ago. The hack, carried out by Markus Kuhn, used a rather expensive computer to reassemble the scrambled video. The processing power used was far in excess of that available from a Pentium, and it was still not completely real-time.

The source code for a test of this type of hack is readily available on the internet and on various BBSes. A sampled scrambled picture is included. It does take a few minutes to decode even on a relatively fast computer.

One factor that "What Satellite" seems to have overlooked is the cost of this fictional hack. A fast Pentium with motherboard, RAM and interface would be in the region of £1000 or so, which would definitely not be an economical hack. One of the first rules of piracy is that you have got to be able to sell the hack, and it is difficult to envisage anyone desperate enough to waste £1000 on watching BSkyB.

A number of people are working on DSP experiments with VideoCrypt. One hack used four DSPs to decode, but it crashed every few minutes, primarily because screen fades and single colour backgrounds are hard to analyse successfully.

For those interested, it was the February 1996 issue of the magazine that carried the article, not the April issue.

Some work is being done on the problem of hacking a line cut and rotate signal such as VideoCrypt with DSPs. There are a number of schools of thought on the usability of such a hack, but given the advances in chip technology and the falling prices of the relevant parts, it will occur sooner or later. It is all a question of cost: if the smart card becomes too complex or costly to hack, alternative methods of hacking the system will be looked at.
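To see what the processor and DSP based attacks discussed in this section actually have to do, and why fades and single colour backgrounds break them, here is an added illustration written for this revision of the FAQ. It is not code from Markus Kuhn's program or from any of the DSP projects mentioned. The picture data is constructed, the first line is assumed to be known in the clear so the attack has an anchor, and the line matching is a plain sum of absolute differences; a real implementation works on sampled video, has to cope with noise, and has to find its own anchor.

```python
import random
from typing import List, Optional, Sequence

Line = Sequence[int]


def rotate(line: Line, k: int) -> List[int]:
    return list(line[k:]) + list(line[:k])


def scramble(picture: Sequence[Line], cuts: Sequence[int]) -> List[List[int]]:
    """Line cut and rotate, as in VideoCrypt: cut each line at its cut point
    and transmit the two halves swapped."""
    return [rotate(line, c) for line, c in zip(picture, cuts)]


def line_distance(a: Line, b: Line) -> int:
    """How unlike two adjacent lines look (sum of absolute sample differences)."""
    return sum(abs(x - y) for x, y in zip(a, b))


def recover_cut(scrambled_line: Line, prev_clear: Line) -> Optional[int]:
    """Video-only attack on one line: try every cut point and keep the one that
    makes the line most like the line above it. Returns None when several
    candidates tie, which is what happens on fades and flat backgrounds."""
    width = len(scrambled_line)
    scores = [line_distance(rotate(scrambled_line, (width - c) % width), prev_clear)
              for c in range(width)]
    best = min(scores)
    if scores.count(best) > 1:
        return None
    return scores.index(best)


def recover_cuts(scrambled: Sequence[Line], first_clear_line: Line) -> List[Optional[int]]:
    """Walk down the picture, anchoring each line on the previously recovered one.
    Assumption for the demo: line 0 is already known in the clear."""
    cuts: List[Optional[int]] = []
    prev = list(first_clear_line)
    for line in scrambled[1:]:
        c = recover_cut(line, prev)
        cuts.append(c)
        if c is not None:
            prev = rotate(line, (len(line) - c) % len(line))   # next anchor
    return cuts


def demo():
    width, height = 16, 8
    rng = random.Random(1)                                   # fixed cut points for the demo
    cuts = [rng.randrange(width) for _ in range(height)]
    # Constructed pictures: a gradient with a small per-line offset (adjacent lines
    # correlate strongly) and a single-colour background (no information at all).
    textured = [[4 * j + i for j in range(width)] for i in range(height)]
    flat = [[40] * width for _ in range(height)]
    textured_hit = recover_cuts(scramble(textured, cuts), textured[0]) == cuts[1:]
    flat_cuts = recover_cuts(scramble(flat, cuts), flat[0])
    return textured_hit, flat_cuts


if __name__ == "__main__":
    hit, flat_cuts = demo()
    print("textured picture fully recovered:", hit)
    print("flat picture, recovered cut points:", flat_cuts)
```

On the textured picture every cut point comes back, because only the right rotation keeps each line continuous with the one above; on the flat picture every candidate scores the same and the attack has nothing to go on, which is the situation the four-DSP decoder ran into on fades.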



2.15 The DDT Hack On VideoCrypt

Delayed Data Transfer (DDT) was a hack created in the period between the hacks for BSkyB 07 and BSkyB 09. Basically it was a way of continuing to watch the VideoCrypt encoded channels using a Season type interface and a video recorder.

The hack was elegant in execution. The hacker would record the scrambled version of the programme off-air. When the programme was over, he would download a VCL file from a BBS or internet site; the VCL file is a data recording of the valid card answers for that particular programme. It was then a question of rewinding the tape and playing the scrambled programme back through the video recorder while the VCL file was fed to the decoder via the Season interface. The programme would be decoded as if there were an officially authorised smart card in the decoder's card slot. The video quality was not brilliant, but the hack worked.

BSkyB replayed the Bruno vs Tyson fight a few times over the 17th of March. Each replay was only available to PPV viewers, and any subscriber who had paid for it once was able to watch any of the replays.

Of course it also meant that a VCL file created during the first showing at 0400 hrs and uploaded to an internet site or BBS voided the subsequent replays: once the VCL existed, rather than paying for the event it was simply a case of recording the scrambled replay and using the VCL.
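The reason a VCL file works for anyone with a tape of the same broadcast is that the card's answers depend only on the data sent over the air, not on who is asking. The following is an added illustration written for this revision of the FAQ, not code from the FAQ, from any Season program or from a VCL file. The card algorithm (an HMAC), the expansion of an answer into cut points, the 32-byte blocks, the single shared key, and the four-line "frame" are all constructed assumptions for the demo; it shows the record-and-replay structure of the DDT hack and the PPV compromise of section 2.16, not the real VideoCrypt algorithms.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed demo key. The real card secrets and algorithms are not on the page;
# one shared key stands in for the uplink/card key hierarchy.
SUBSCRIBER_KEY = b"demo subscriber key"


def card_answer(key: bytes, block: bytes) -> bytes:
    """Stand-in for the card's secret algorithm: an 8-byte answer to the over-air
    block (assumption: truncated HMAC-SHA256). The only property the DDT hack relies
    on is that the answer depends on the broadcast data and the key, not on which
    decoder asked."""
    return hmac.new(key, block, hashlib.sha256).digest()[:8]


def cut_points(answer: bytes, n_lines: int, width: int) -> List[int]:
    """Expand an answer into one cut point per line (assumed PRNG expansion)."""
    return [hashlib.sha256(answer + bytes([i])).digest()[0] % width
            for i in range(n_lines)]


def rotate(line: str, k: int) -> str:
    return line[k:] + line[:k]


def scramble(frame: Sequence[str], cuts: Sequence[int]) -> List[str]:
    """Line cut and rotate: cut each line at its cut point and swap the halves."""
    return [rotate(line, c) for line, c in zip(frame, cuts)]


def descramble(frame: Sequence[str], cuts: Sequence[int]) -> List[str]:
    return [rotate(line, (len(line) - c) % len(line)) for line, c in zip(frame, cuts)]


class RealCard:
    """An authorised subscriber card."""
    def __init__(self, key: bytes) -> None:
        self.key = key

    def answer(self, block: bytes) -> Optional[bytes]:
        return card_answer(self.key, block)


class VclCard:
    """What the Season interface plays back: a log of recorded card answers."""
    def __init__(self, log: Sequence[Tuple[bytes, bytes]]) -> None:
        self.log: Dict[bytes, bytes] = dict(log)

    def answer(self, block: bytes) -> Optional[bytes]:
        return self.log.get(block)          # None: nothing recorded for this block


def record_vcl(card: RealCard, blocks: Sequence[bytes]) -> List[Tuple[bytes, bytes]]:
    """Sniff the card answers on the interface while the programme is on air."""
    return [(b, card.answer(b)) for b in blocks]


def watch(card, scrambled: Sequence[Sequence[str]], blocks: Sequence[bytes]):
    """The decoder: feed each over-air block to the card, use the answer to descramble."""
    shown = []
    for frame, block in zip(scrambled, blocks):
        ans = card.answer(block)
        if ans is None:
            shown.append(None)              # no valid answer: picture stays scrambled
        else:
            shown.append(descramble(frame, cut_points(ans, len(frame), len(frame[0]))))
    return shown


def demo():
    width, n_lines = 12, 4
    clear = [f"line{i}".ljust(width, ".") for i in range(n_lines)]   # one constructed frame
    # Constructed over-air data: one 32-byte block per frame period, per programme.
    fight_blocks = [bytes([0x10 + k]) * 32 for k in range(3)]
    film_blocks = [bytes([0x20 + k]) * 32 for k in range(3)]
    # Uplink side: the scrambler uses the same answers the cards will produce.
    on_air = [scramble(clear, cut_points(card_answer(SUBSCRIBER_KEY, b), n_lines, width))
              for b in fight_blocks]

    subscriber = RealCard(SUBSCRIBER_KEY)
    live = watch(subscriber, on_air, fight_blocks)            # paid viewer, live
    vcl = record_vcl(subscriber, fight_blocks)                # uploaded to a BBS afterwards
    from_tape = watch(VclCard(vcl), on_air, fight_blocks)     # anyone with the tape and the VCL
    wrong_vcl = watch(VclCard(record_vcl(subscriber, film_blocks)), on_air, fight_blocks)
    return clear, live, from_tape, wrong_vcl


if __name__ == "__main__":
    clear, live, from_tape, wrong_vcl = demo()
    print("live decode ok:", live == [clear] * 3)
    print("tape + VCL decode ok:", from_tape == live)
    print("tape + wrong VCL:", wrong_vcl)
```

The taped copy decodes exactly as the live subscriber saw it, while a VCL recorded from a different programme gives no usable answers, which is why each PPV event needs its own file and why a replay of the same event is covered by the file made during the first showing.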

The use of VCL files is a direct assault on BSkyB's PPV mechanism. There is a large base of hackers with Season interfaces, and VCL files for various programmes on Sky One and the movie channels have been seen on internet FTP sites and BBSes throughout Europe.

To date most of the VCL files have appeared on internet sites and BBSes outside UK jurisdiction. While posting such a file inside the UK may be an offence under UK law, the situation changes when the site is outside the UK. It is conceivable that the VCL files could be posted to a Usenet newsgroup via an anonymous remailer, and it would be extremely difficult for BSkyB to stop such messages getting through other than by issuing control messages to cancel them or by threatening internet service providers who carry the newsgroups in question. The chances are that BSkyB will try to play down the effects by saying that they are negligible. In the meantime the PPV events may well have thousands of extra viewers.

The legal position is untested. The blockers and pirate cards were covered under UK law, and even then BSkyB could not successfully prosecute all of those using and distributing these devices. It is difficult to decide whether this counter-piracy failure was due to the sheer numbers of users and sellers or to plain cluelessness.

The terms and conditions for the PPV event state that no part of the transmission may be reused or redistributed, so it could be argued that distributing the VCL file is a breach of those conditions. That would still not stop the VCLs being distributed.

Moving against the redistribution of the VCL files would be counterproductive for BSkyB. They would be drawing attention to the gaping wound in their PPV system and even the clueless media analysts may take notice.

At present the only users of the DDT hack are outside the UK and Ireland and unable to obtain a legitimate subscription to the BSkyB channels. It has been mentioned that most current users of VCL files do so only to watch a few specific programmes rather than the complete schedule, so the threat of the hack to BSkyB could be considered minimal.

Other factors come into play as well. Some VCRs do not reliably record the scrambled picture and data. Most VideoCrypt decoders are now integrated with the receivers (IRDs) and stand-alone VideoCrypt decoders are becoming rare, which means a hardware modification is necessary to use the DDT hack.



2.16 How Did BSkyB Implement Pay Per View

The original PPV implementation in VideoCrypt depended heavily on the 8052 microcontroller in the decoder. This was not a good thing, as the code from this microcontroller was easily extracted. It was a token based system: a token would be deducted from a reservoir in the card when the subscriber pressed the Authorise button. This implementation was compromised, which forced News Datacom to implement a pseudo-channel based system.

Each event is assigned its own channel identification. A subscriber wishing to view the event has to ring BSkyB and request that his card be authorised for the event; the subscriber's card ID is then added to the turn-on list transmitted on the event channel. Once the card is authorised, the on-screen graphics display "EVENTS PAID 66".

If the Bruno-Tyson fight is anything to go by, each PPV event will be repeated at various times in the day. An authorised card will decode any of these repeat showings. Of course by the time of the second showing, the VCL file will probably be available thereby compromising the PPV security.

The compromise to PPV security comes from the fact that the PPV programme can be recorded and the VCL file reused, which means the PPV transport itself is compromised.



2.17 How BSkyB's 17-03-96 PPV Event Was Compromised

In addition to the DDT hack, the PPV event was compromised by means of a Phoenix hack that upgraded existing Sky cards to receive the PPV event. It appeared as a message posted on the internet and some dial-up BBSes early on Saturday 16-03-96. The message is reproduced below:

--------
send this header to your card via a season interface followed by the bytes below
53 86 01 00 2D
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 00 00 00 00 00 db
fd f0 b7
and your card will gain the credits for the Tyson Fight. I don't know about cards that are turned off but they gain the events anyway

Sam Chisum.

Important: please distribute this file as quick as possible
can somebody put it on Paranoia.
--------

By midday on Saturday the above string had been incorporated into a number of Phoenix programs, which were posted to various BBSes, WWW sites and the main usenet newsgroups. The commonest one in circulation was FREETYSO.ZIP.

To use the program it was necessary to have a Phoenix/Season interface capable of activating Sky cards. A lot of these are still in circulation and are currently used for the D2-MAC emulators.



2.18 The Battery Card Hack On The Sky 10 Card

Shortly after the Sky 10 card went active, Megatek, an Irish company, announced that they would be shipping an upgrade for their battery card. Their main product was a battery card which since 31-10-95 had decoded only the D2-MAC channels.

The upgrade consisted of an additional board carrying the ASIC emulation and a reprogramming of the battery card's main memory. As a result the card did not have enough memory left for the routines to decode the D2-MAC channels; in lieu of these, Megatek were offering a free wafer card (a reprogrammed Sky 09 card?) to decode those channels as part of the upgrade.

This time the hack on the Sky card is more complex. It requires an additional ASIC emulator, which Megatek, in their design, named the Skylark chip. Other battery card implementations will have similar ASIC emulators.

This does tend to reduce the likelihood of a SEASON hack appearing in the immediate future, unless it proves possible to emulate the ASIC in software.

A possible alternative to a free SEASON program would be a commercialised SEASON, whereby the user could obtain the SEASON program freely on the Internet or BBSes but would have to purchase a SEASON interface with an integrated ASIC emulator. However, the dealers would probably make more profit from the sale of battery cards than from a modified SEASON interface.



2.19 What Happened To Megatek?

Megatek were eliminated by a combination of legal action, supply interdiction, and some infiltration of questionable legality by Sky's security consultancy.

Apparently Sky's security consultancy, Network Security Management, had managed to obtain the confidence of a key player in the Megatek operation. Having obtained that confidence they proceeded to introduce another Network operative into the Megatek shop.

By this subterfuge, they managed to set up the UK end of the Megatek operation for a raid by the Federation Against Copyright Theft. The result was that the supply of battery cards was interdicted and Megatek were forced to close as a result.

People who sent their battery cards and funds to Megatek are unlikely to have them returned. In the end it looks as if overall responsibility for the closure of Megatek lies with the people in Sky and News Datacom who took what was, in hindsight, a foolish decision.

The raid on the UK premises was covered in the Daily Mirror, a UK tabloid newspaper. A Sky source at the pre-raid briefing was quoted in the newspaper as saying that the piracy on Sky 09 was of such an extent that it threatened the existence of BSkyB. Whether this was just another clueless quotation from a Sky 'droid or a genuine expression of fear has not been established.

The legal situation in the UK on this raid has yet to be resolved and there are some questions about the raid that have yet to be answered. Perhaps of comically crucial importance: did the Network Security Management operatives commit any crimes of fraud in the jurisdiction of Ireland by being involved in selling pirate Sky cards? After all, they were not pirates but were pretending to be in order to continue their work for Sky; in this respect the people dealing with them were defrauded, as they were not dealing with pirates. Or, since they were working for Sky, does this mean that Sky, by a rather circuitous route, were linked to the sale of pirate Sky cards? For a lawyer it would be a target rich environment. At the heart of it would be the arguments over whether it is right to break the law in order to bring a prosecution for breaking the law, in which jurisdiction the prosecution can be brought, and finally who gets prosecuted.

The capability for strategic thinking has been absent in the people responsible for the elimination of Megatek. It of course is not surprising considering their lacklustre performance in the past. When Megatek were in operation, the problem of piracy on Sky 10 was largely under control. There was no real home market problem for Sky. The cost of the Battery Card was high enough to make it relatively unattractive in the UK. Phoenixed cards by comparison were selling poorly. But then Sky, News Datacom and their cohorts had to go and wreck the stable situation. The result is that piracy spun out of control on the Sky 10. To paraphrase a line from "All The President's Men", these are not very bright people.

The business of piracy is complex and is often beyond those who think in the simple terms of black and white. In piracy, everything is best considered in shades of grey. Piracy can be used to help a channel or indeed certain types of piracy, notably Grey Market Piracy, can be used to control the piracy on a channel. Properly handled, the piracy situation can be used to control the level of piracy on a channel or service. Such skills and levels of complexity are beyond many of the European channels and indeed the US channels as well.

The main business of Megatek has been taken over by Cardtronix. They are the heirs to the battery card empire much to the disgust of some other pirate dealers.

Details can be found on the following website.

http://www.cardtronix.com

Return To FAQ Index

Next Section


2.20 Phoenixed 10 Cards

At the moment there are a number of WWW sites advertising Phoenixed 10 cards. These are Sky 10 cards that have been activated with all channels.

These cards are legitimate Sky 10 cards that have had in some cases their card numbers changed to that of a master card number. As long as the master card's subscription remains current and it is not detected as a clone master card subscription, then the clone cards will work.

These cards are commercially activated cards. On 22/12/96 there was a release of a public domain Phoenix which enabled ordinary users to activate their own cards. Naturally there were a few companies who took advantage of this Christmas present and started to gouge the market, posting adverts in the newsgroups at a rather high price. Of course the pirate dealers continued to maintain their prices for a very good reason.

Most of the real Phoenix piracy occurs outside the home market of BSkyB. The reason for this is that the people there cannot get legitimate access to the BSkyB services. It follows that they are also unable to get access to the actual Sky 10 cards so even with the publicly available Phoenix they would still be left in the same position as before the release. The pirate dealers, being aware of this looked on the Phoenix release as a temporary glitch.

The recent ECMs by Sky were aimed at the Phoenix cards. The effect of the 07-11-96 ECM was not complete in that it rendered some of the Phoenixed cards INVALID and others off. The ECM of 15-01-97 did not render cards INVALID. Instead it just set them to INCORRECT CARD. When a card is rendered invalid then it is only good for recycling. The ASIC is still usable in the card and it is extracted for use with Battery Cards. The Sky 10 cards showing INCORRECT CARD can be reactivated.

Return To FAQ Index

Next Section


2.21 The Hacks On DSS

The Digital Satellite System as used in the USA is a digital television system. The encryption overlay was supplied by News Datacom and it is this aspect that has been hacked. This will come as no surprise to Europeans who are more than familiar with News Datacom's record with the VideoCrypt system.

Basically the DSS implementation is a more complex version of VideoCrypt that has a fully functional Pay Per View aspect. The IRD has a second level of security in that it has an internal modem. This modem is used in the PPV implementation.

The initial form of piracy on DSS was Grey Market. At the moment, DSS is only legitimately available in the USA. Canada, Mexico and the Caribbean islands are therefore de-facto Grey Market areas.

People in these Grey Market areas purchased their IRDs and smart cards in the USA and shipped them out of the USA. IRDs are currently on sale in the Grey Market areas through satellite television dealers.

The PPV of course did cause some problems for these areas. The solution was a call spoofer. This device enabled a call from the IRD in a Grey Market area to appear like it originated inside the USA.

The second phase piracy, an actual hack on the smart card, entered the market in the last quarter of 1995. This was a pirate card based on the Dallas 5002FP but unlike the European version, it did not have a keypad.

A sequence of ECMs was implemented by News Datacom and DSS. They have succeeded in knocking out the pirate cards for at most a few days. It does however look like the situation is beginning to resemble the last days of the 09 Sky card in Europe where ECM was matched against ECCM.

There are currently two pirate DSS cards in the market with a third rumoured to be entering the market soon. The original pirate card is a Dallas 5002FP based card. The second card is based on the Dallas 5000.

The DSS card is based on the 6805 architecture used on the 09 Sky cards. It is using a 38K4 baud rate for the card - decoder link. In this respect it is similar to the VideoCrypt 2 card which also uses a 38K4 link. The VideoCrypt 1 card uses a 9600 Baud link.

Unfortunately there are no data logs available for comparison at the moment. It should be relatively easy to modify the source code of some of the SEASON programs to cope with the higher baud rate and then to passively monitor the card - decoder traffic. The source code for a program to read the subscription details from a DSS card using the Phoenix interface is given in European Scrambling Systems 5. (see Section 3.2)

Return To FAQ Index

Next Sub Section


A SEASON for the DSS has been released. The program by Pierre G. Martineau runs on a 486/40 with 1 MB of RAM. Basically it will make an image of the address space of a genuine DSS card and will use that image to read from and write to in the emulation. In this respect the DSS card is similar to the Sky 09. Many of the same ideas can be found in that card that were carried over to DSS. It is not surprising considering the time frame and News Datacom's habit of reusing code modules and techniques.

The DSS Season program is available from:
http://www.eurosat.com/paulmax/cardrea/6805c212.zip

Return To FAQ Index

Next Sub Section


This is the FAQ for the alt.satellite.tv.crypt newsgroup. It is largely a European group but there is a lot of interest worldwide. There is now a brief FAQ on the hacking of DSS available on the following sites:

http://www.demon.co.uk/paulmax/dssfaq.html
http://www.maxking.co.uk/dssfaq.html

Return To FAQ Index

Next Sub Section


The relevant DSS cloning software is available from:

http://www.eurosat.com/paulmax/cardrea/alldsscl.zip
http://www.eurosat.com/paulmax//cardrea/cl45dss.zip
http://www.eurosat.com/paulmax/cardrea/nomoppvs.zip
http://www.eurosat.com/paulmax/cardrea/dssfile.zip
http://www.eurosat.com/paulmax/cardrea/reset.zip
http://www.eurosat.com/paulmax/cardrea/dss97.zip
http://www.eurosat.com/paulmax/cardrea/plastic4.zip

It should be noted that according to the page, all of these programs will be downloaded from the UK site which is outside of US jurisdiction. This is necessary because paranoia.com, the company that hosts the www.eurosat.com site is a US domiciled company and is therefore liable under US copyright law.

DSS will be changing their cards soon. It is expected that the changeover should begin in March. However given the vast geographical expanse of the market, getting the cards to all users may take a considerable time, possibly two or three months.

The new DSS card may well be heavily based on the Sky 10 card with perhaps some modifications to the ASIC. Some DSS cards resembling Sky 10 cards have turned up in the USA. These cards had the ASIC underneath the microcontroller so that the pad area did not look that different from the existing DSS card.

Given that the DSS is now completely compromised, a new card is essential to restore the system's integrity. Most of the legal cases taken in Canada against dealers and pirates have been thrown out of court on appeal. It looks like News Datacom and their US surrogates were just as unsuccessful there as they were in Europe.

The best site for details on the American situation is:

http://www.scramblingnews.com

Return To FAQ Index

Next Section


2.22 The X-Files (The Release Of the Sky 10 Files)

The X-Files were released to BBSes around the 18th of September. The origin of the files was in question, and many SysOps, especially those in the UK, had grave reservations about posting them. One Sysop apparently took the risk and his line was continually engaged for about 48 hours.

The file made its way to the www.eurosat.com website and it was posted on 22-09-96. Apparently within hours of the file being posted, the site had about eight thousand hits. It is difficult to estimate the number of hackers who have the files. It is certainly in the region of thousands, perhaps tens of thousands. The problem with establishing the number of times that the file was downloaded is that most of the pages on the eurosat.com site contain a hidden HTML counter that will cause the hits counter to be incremented by one each time any of the pages are accessed. Thus with this confusion, it may be safer to divide the hits count displayed by the number of pages carrying this hidden HTML fragment. Even with that taken into consideration, it is probable that the X-Files were downloaded tens of thousands of times before they were removed from eurosat.com.

One particularly nasty thing dogged this otherwise, well for hackers at least, joyous event. An attempted e-zine on the eurosat.com site posted a fabricated story that Markus Kuhn had released the files and had threatened Sky and News Datacom.

The author of that e-zine is not a journalist nor a reporter and of course had not checked out the facts as a journalist is bound to do. A hotchpotched semi-retraction was posted days later. However the offending article had not been removed. Only the sections containing Markus Kuhn's name had been altered.

The actual origin of the files is still largely unknown. Indeed the files were uploaded to BBSes by someone using the logon of Sky Television. It was apparently a fake account name. After all would Sky be distributing such files? Their audience figures could not have sunk to such an all-time low that they actually need piracy.

The X-Files are intriguing. The files are the HEX files for the Megatek Battery Card and the Benedex Battery Cards. In addition to the HEX files, there was a serialisation file for the Megatek cards and a loader file.

It will take a while before the code of the Battery card files has been fully reversed and implemented in alternative processors. To date there has been little if any visible development. It is not known if the essential code for the current Sky implementation will fit in an 09 pirate PIC16C84 card (one with a PIC16C84 and a 24C65). However the essential element will be the ASIC. There are only two supplies of ASIC at the moment: the official card and the Megatek supply.

There are mixed feelings over using the ASIC from an official Sky card as part of a pirate card. The reason for this is that it would be easier to Phoenix the official card thus making it a more easily processed product.

Other aspects of the HEX files include the code for D2-MAC channels including Rendezvous. However Rendezvous carried out an ECM recently and the code in these cards may not work at present.

By the next posting of the FAQ, it is expected that there will be a modified Season interface that can use a legitimate Sky card. This of course depends on the code being reverse-engineered and understood.

According to some sources the implementation of the Sky 10 emulation in the Dallas 5002FP was quite an achievement as the official card has twice the RAM of the 5002FP.

Return To FAQ Index

Next Section


2.23 The Christmas 1996 Phoenix And Subsequent ECM

On the evening of 22-12-96, a Phoenix program was released to the public. The program, 10ON.EXE carried an interesting quotation from the movie "Pulp Fiction". It was the quotation from the Bible that one of the main characters recited just before shooting someone. It was a rather apt quotation considering that in this program it preceded the VideoCrypt access control system being shot. A more enigmatic line was just below it: "Defiant as always". This could have meant that the program was to be posted on Defiant's www.eurosat.com as per the usual pattern of hacks or that Defiant was somehow implicated in the release. It is the former that is most logical.

A second activator program followed on the groundwork of 10ON.EXE. This program Phoenix III from Toysoft built on the codes given in 10ON.EXE, had a more featureful user interface and allowed the selection or deletion of some PPV events. It was this program that was largely posted in WWW sites.

Over Christmas and for the first two weeks of January, people were readily able to upgrade their cards. The Phoenix hit Sky at a very awkward time. Had they decided to try an ECM during the Christmas holidays, they risked hitting many legitimate subscribers. It would have been disastrous for their already faltering public relations image. They waited until they had a large enough target.

On 15-01-97, Sky and News Datacom implemented the ECM. This ECM knocked out the Phoenixed cards leaving the Battery Cards unaffected. The manner in which it affected the Phoenixed cards was unusual. It did not render the cards INVALID. Instead it made the cards produce an INCORRECT CARD message when inserted in the decoders. Effectively the cards hit by the ECM could be reactivated.

Some of the commercially Phoenixed cards were unaffected, giving weight to the clone ID hypothesis. Others were flashing INCORRECT CARD every fifteen seconds or so. The commercial pirate dealers were able to update their cards. However the companies and individuals who had hopped on the clones bandwagon were unable to update their activated cards. Naturally some have disappeared. It seems that those who do not learn from history are often doomed to repeat it.

On 23-01-97, there was some concern over a program that was floating around purporting to be a fix for the 15-01-97 ECM. According to ToySoft, this program was nothing to do with him and would eventually render any card it was used on INVALID. Apparently the program would reactivate the ECMed card but Sky would eventually manage to render the card INVALID. As a result many readers of the newsgroups and Syndicated HackWatch are somewhat worried. The matter has not yet been resolved. As soon as there is more information available it will be posted on the aforementioned site and in the relevant newsgroups.

Return To FAQ Index

Next Section


2.24 The *REAL* History Of The Hacks On VideoCrypt

Some people quickly forget their history. Others never knew enough to forget in the first place. This section has been added because of a rather addled account of the evolution of the hacks on the VideoCrypt system being posted on a WWW site. The problem is that the person who posted that account seems to have got the idea that a picture replaces a thousand words rather than being worth a thousand words. That account is at best fanciful and at worst wrong.

Return To FAQ Index

Next Sub Section


Originally Sky and News Datacom believed that they had the most pirate proof system yet developed. Five seconds later, (fifteen if you include the 10 seconds it took to write down), VideoCrypt was hacked. This hack was exceedingly simple. By tapping the data line and feeding the data to another VideoCrypt decoder, the other decoder would act as if it had the same card inserted in the decoder. It is a major flaw that affects most smart card based systems.

The theory was proven with two decoders, one card and a few bits of wire. The second decoder needed the data from the first decoder, the RESET signal and 0V. It was that simple. Of course the wire connection was an extraordinarily primitive method. Others, more user friendly, such as modem, RF modem and internet distribution were suggested and in some cases proven to work perfectly in an operational environment. The people in News Datacom and Sky were not pleased.

If the VideoCrypt system had worked as they had planned then this type of hack would not have worked. The original plan was that each decoder would be married to the card using a process called personalisation. In this process, the card would implant an ID number ensuring that the decoder would only work with that card. The card would then be authenticated by the decoder using the Fiat Shamir Zero Knowledge Test. However neither the decoder personalisation nor the Fiat Shamir ZKT worked. The results of those failures proved to be the complete and utter downfall of the VideoCrypt system. Had these aspects of the system been in proper operation, this hack and subsequent hacks would not have taken place or would have taken place with great difficulty. The McCormac Hack still works.
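The Fiat Shamir zero knowledge identification protocol the paragraph names, as an added worked example that is not part of the original FAQ and is not News Datacom's or Sky's implementation. It models the intended card/decoder authentication: the card (prover) holds a secret s, the decoder (verifier) holds only v = s^2 mod n, and each round the card proves knowledge of s without revealing it. It also shows why the check is worth having: a card that does not know s can only answer the one challenge bit it guessed in advance, so it survives t rounds with probability 2^-t. The modulus, the round count, the class names and the `authenticate` helper are my own constructions for illustration; the real parameters of the VideoCrypt cards are not on this page.

```python
import math
import secrets

# Constructed toy modulus: two small primes, far too short for real use.
# A deployed system would use a modulus of secure size from a trusted setup
# whose factors are known to nobody in the field.
P, Q = 10007, 10009
N = P * Q


def keygen(n=N):
    """Prover key pair: secret s, public v = s^2 mod n (s stays in the card)."""
    while True:
        s = 2 + secrets.randbelow(n - 3)
        if math.gcd(s, n) == 1:          # keep v invertible mod n
            return s, (s * s) % n


class HonestCard:
    """Prover side: knows the secret s and never transmits it."""

    def __init__(self, s, n=N):
        self.s, self.n, self.r = s, n, None

    def commit(self):
        self.r = 1 + secrets.randbelow(self.n - 1)   # fresh random r per round
        return (self.r * self.r) % self.n            # x = r^2 mod n

    def respond(self, e):
        # y = r * s^e mod n; for e = 0 this reveals only r, for e = 1 only r*s
        return (self.r * pow(self.s, e, self.n)) % self.n


class ImpostorCard:
    """Prover without s: it can only pass a round whose challenge bit it guessed."""

    def __init__(self, v, guess, n=N):
        self.v, self.guess, self.n, self.y = v, guess, n, None

    def commit(self):
        self.y = 1 + secrets.randbelow(self.n - 1)
        # Pick x so that y^2 == x * v^guess (mod n) for the guessed challenge only.
        x = (self.y * self.y) % self.n
        if self.guess:
            x = (x * pow(self.v, -1, self.n)) % self.n
        return x

    def respond(self, e):
        return self.y                                # correct only if e == guess


class Decoder:
    """Verifier side: holds the public value v and a random challenge source."""

    def __init__(self, v, n=N):
        self.v, self.n = v, n

    def challenge(self):
        return secrets.randbelow(2)                  # one unpredictable bit

    def check(self, x, e, y):
        # Accept the round iff y^2 == x * v^e (mod n).
        return (y * y) % self.n == (x * pow(self.v, e, self.n)) % self.n


def authenticate(card, decoder, rounds=20, challenges=None):
    """Run the protocol; True only if every round verifies.

    `challenges` lets a caller fix the challenge bits (used here to show the
    impostor deterministically); a real decoder must draw them at random."""
    for i in range(rounds):
        x = card.commit()
        e = challenges[i] if challenges is not None else decoder.challenge()
        y = card.respond(e)
        if not decoder.check(x, e, y):
            return False
    return True


if __name__ == "__main__":
    s, v = keygen()
    dec = Decoder(v)
    print("genuine card accepted:", authenticate(HonestCard(s), dec))
    print("impostor accepted over 20 random rounds:",
          authenticate(ImpostorCard(v, guess=0), dec))
```

The point for a decoder designer is the second print: with random challenges the impostor is rejected almost surely after a handful of rounds, and the verifier never needs s itself. The protocol only helps if the challenge bits really are unpredictable and the check result is enforced; a decoder that ignores a failed check, or a personalisation step that never takes effect, gets none of this protection.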

Return To FAQ Index

Next Sub Section


The Infinite Lives Hack allowed a Sky 1, 2, 3, 4 or 5 card to be used for the lifetime of the card without Sky being able to turn it off. It relied on a flaw in the programming of the card.

Prior to issue 06 of the Sky cards, the cards were commonly ST1834 microcontrollers. These were cards with EPROM memory. They required a programming voltage of approximately 21 Volts to write to the card.

This hack was also very simple in implementation. When Sky activated the card, all the hacker had to do was to make sure that the voltage on the programming pin Vpp was never allowed to rise near 21 Volts again. This involved fitting a 15 Volt Zener Diode and a resistor on the Vpp line to limit the voltage. There were of course commercial models available potted in epoxy resin and selling at very high prices.

Matters were only confused when some marketing idiot in Sky came up with the idea of giving away Sky cards activated for three months free subscription with the purchase of each new IRD. Of course these cards rarely made it to the purchaser of the IRD.

Return To FAQ Index

Next Sub Section


The KENtucky Fried Chip was the first time that a microcontroller in the VideoCrypt decoder had had its program altered to operate in a piratical manner. This was the birth of the Genesis Blocker theory and it took place during the lifetime of the 06 card.

The card - decoder interface is controlled by the 8052 in the decoder. The program was dumped from this microcontroller and analysed. It wasn't that hard to dump as someone in the manufacturing process had forgotten to set the protection on the chip thus allowing everyone to read it.

The KENtucky Fried Chip was a replacement for the original 8052. The modified program in it read the serial number from the card inserted in the decoder and then checked all of the packets going to the card. If it detected a packet with the card's serial number in it, it dropped that packet. Thus it prevented a kill packet from reaching the card.

The hack had been named after Ken Crouch, the head of Sky security as a mark of respect with a bit of humour. He had been successful in keeping the UK largely free of scam pirate operations and was respected by most pirates and hackers. The introduction of the 07 saw some new elements designed to counter this type of hack. A second version of the KFC was ready for launch during issue 07 but it was overtaken by events in the Blackbox industry.

Return To FAQ Index

Next Sub Section


It was the hack that was supposed to be impossible, well according to News Datacom anyway. Of course given their track record, things that they said were impossible were often not. This was one of them.

The first reports of this started filtering through around Christmas of 1992. It was April 1993 before the hack appeared. Initially the hack was being marketed as a replacement for the 8052. It became known as the Ho Lee Fook hack after the exclamation uttered by executives when told of it.

One of the German hackers involved in the very early days of this hack was contacted and offered the paltry sum of five thousand pounds to forget about the hack. Needless to say he and many others did not. The origin of the code for this hack is shrouded in mystery. However it is believed that one of the initial 8752s that made its way to Germany was popped, thus allowing the spread of the code. It spread like wildfire, effectively crippling Sky.

The 8752 was a very messy hack. It was known as the Ho Lee Fook chip and the Futuretron CLO(W)N chip. It was messy because it was not user friendly. The decoder had to be modified in order to use it and this was a time consuming operation. Though the analogue Blackbox market was at its peak at that time, people were wary about modifying the VideoCrypt decoders. With the ECMs, these chips would have to be extracted from the decoders and sent for reprogramming.

Return To FAQ Index

Next Sub Section


The solution came in the form of the newly available PIC16C54, a low cost microcontroller with EPROM memory. It was a cheap microcontroller and it allowed the hack to be implemented in the form of a smart card. The hack was coded up in the space of a wet afternoon in the summer of 1993. By then what had been a trickle for Sky became a deluge. The 07 card was totally and utterly hacked. A number of ECMs were implemented by Sky in a mad effort to stop the piracy. They worked - temporarily. The hackers and pirates always came back.

The problem with the PIC16C54 and PIC16C57 became apparent as Sky and News Datacom began to increase the frequency of their ECMs. The PIC chips being used were the One Time Programmable versions. Thus when an ECM was implemented, the pirate card was effectively junk. The solution came in the form of a reprogrammable PIC, the PIC16C84.

Return To FAQ Index

Next Sub Section


Later that year, the pirates started to use the PIC16C84. This was a microcontroller with EEPROM memory. It meant that the pirate cards using this chip could be reprogrammed over and over again. It even got to the stage of some pirates including a small EEPROM chip on the card to hold all of the countermeasures for the ECMs. Sky and News Datacom had truly lost control of issue 07 during the Winter of 1993 but it was to be May 18th 1994 before they would finally admit their defeat and go active with Sky 09. They had dropped Sky 08 because all it involved was a change of keys.

Return To FAQ Index

Next Sub Section


In 1994 Sky was running the last ever season of Star Trek:TNG. It was Season 7. The program, running initially on an IBM compatible PC, emulated a VideoCrypt 07 card. It was developed by Markus Kuhn and others. The program was widely distributed on the internet and the BBSes. (see Section 2.3 for further details)

Return To FAQ Index

Next Sub Section


On May 18th 1994, Sky switched to issue 09. The code for issue 09 was put on auction a month later in the Dorchester Hotel in London. Only a fragment of the code, believed now to have been the transition form, made it to distribution. The code only worked for a week before Sky ECMed it. For both the commercial pirates and hobbyist hackers, it was to be a long hot summer of desperation.

Return To FAQ Index

Next Sub Section


A Phoenix program is a program that will activate a smart card that has been shut off or one that has not been activated. It largely originated from the TV-CRYPT and was heavily commercialised during the summer of 1994. With the availability of Quickstart 09 Sky cards, there was no shortage of official cards that could be pirated.

The Genesis Blockers/Activators allowed the official cards to be activated using code from a Phoenix program and blocked in the manner of the KENtucky Fried Chip. The software for this was coded into a PIC16C84. It was easy enough for Sky and News Datacom to counter as nobody knew about the Nanocommands. These instructions appeared as ordinary subscriber numbers to the blockers and, since the number of the card being protected or blocked was not in them, these packets went right to the card and killed it. (see Section 2.7 for more details)

Return To FAQ Index

Next Sub Section


The 09 Ho Lee Fook achieved operational stability in October 1994. Operational stability means that it operated smoothly and was only affected by ECMs. The initial versions were dual PIC16C84 versions with a smaller EEPROM on the same card. Gradually, as the use of Nanocommands as part of News Datacom's strategy of Counter-Piracy increased, the Battery Cards came into their own. They were susceptible to ECMs but they were faster at recovering. The 09 Ho Lee Fook was largely operational until 31st October 1995. There was over a year of complete piracy on Sky 09. Due to the huge loss of official cards in its Quickstart program (circa 1 million cards), Sky stopped its Quickstart program in May 1995. They had to, or they would have been in a very tricky situation over cards for new subscribers.

Return To FAQ Index

Next Sub Section


It was not convenient for the users of pirate cards to send them back for reprogramming every few weeks. The theory of reprogrammable pirate devices was well known in the US market with VideoCipher II. However it was not that well known in the European market. The original theory and diagram of a reprogrammable card was presented on page 7-78 of European Scrambling Systems 3, published in late 1992. It took a while for the ideas from this version of the Black Book and the American VideoCipher II market to soak into the European market.

The first Battery Card in Europe, the Futuretron / Benedex Omega Card filtered into the market just before Christmas 1994. It used a Dallas 5002FP microcontroller. This microcontroller was way beyond the PIC16C84 in terms of security. It had a lithium battery to back up the memory.

After a while, the card became known as the Battery Card. It was a revolution in technological terms. It meant that the card did not have to be returned to the dealer for reprogramming. All that was required was a simple set of numbers or letters that the user could enter into the card. These codes were made available via BBS, telephone answering machine and the internet.

Initially the Battery Card was not a great commercial success. It was expensive to manufacture and it was highly priced. The market had been flooded with low cost PIC16C84 cards that did VideoCrypt and others that did D2-MAC EuroCrypt. These cards were half or a third the price of the Battery Card and the dealers would generally reprogram them for a few pounds.

The Battery Card idea was also taken up by Megatek who produced their own card after the German model. The Megatek model used a different code input algorithm and was in some senses more successful due to better marketing. It was not until the 09 and 10 issues that the strengths of the Battery Card would become readily apparent.

Return To FAQ Index

Next Sub Section


Just before Christmas 1994, a number of 09 Season programs were released. At first their operation was unstable. As time passed, they achieved operational stability. The 09 algorithm, with its use of Nanocommand sub-instructions was a more complex beast than the 07.

Eventually, having become irritated by the number of people adding colourful front-ends to the program, the original programmer of the 09 Season released the source code. Markus Kuhn had decided against releasing a Season 09 due to the fact that there was a conflict over copyright. The Season 09 required an image of the Sky 09 card for operation.

Return To FAQ Index

Next Sub Section


The day before Sky's first Public PPV event, a code string was released. The code string when encoded in a Phoenix program allowed people to activate their Sky card for the event. (see Section 2.17 for more details)

Return To FAQ Index

Next Sub Section


One of the first products of the hack on the Sky 10 was the commercial Phoenix program. This program with interface was only available to dealers. Many of the cards activated by this method continued to operate successfully until recent ECMs. Some activated cards continue to operate successfully even after ECMs. (see Section 2.20 for more details)

Return To FAQ Index

Next Sub Section


The Megatek Battery Card was the first commercial hack on the Sky 10 card. It used Megatek's battery card and an add-on board carrying an ASIC. The ASIC was an emulation of the ASIC in the official Sky card. It has been the most successful hack of the Sky 10 to date. (see Section 2.18 for more details)

Return To FAQ Index

Next Sub Section


Being gluttons for punishment, Sky staged another PPV event on 09-11-96. This event was billed as Judgment Night. Naturally it was hacked in the same manner as the initial PPV event was hacked. The string was released in the usual manner but this time it was released as a working Phoenix program. The most widely used program was FREETYSO.EXE, a program by Toysoft that built on the released program.

Return To FAQ Index

Next Sub Section


On 22-12-96, a Phoenix program was released into the public domain. This program activated all channels on a Sky 10 card. It was subsequently ECMed on 15-01-97. The current status is that there is no solution just yet. (see Section 2.23 for more details)

Return To FAQ Index

Next Section


2.25 The Loss Of Security - Popping The Dallas 5000 and 5002FP

Recent papers on smart card technology and tamper resistance have caused some upset in the Blackbox industry and in the secured microcontroller industry in general. The papers by Markus Kuhn and Ross Anderson outline some techniques used for reverse engineering smart cards and secured chips. However some of the chips involved are the Dallas 5000 and the Dallas 5002FP.

This paper should be read by anyone dealing with the Dallas 5002FP as it gives the details of the approach used by Markus Kuhn to successfully pop the Dallas 5002FP. It also gives the details of the vulnerability of the Dallas 5000 used in the DSS battery cards.

The paper on Tamper Resistance is available on the following sites:

http://www.ft.uni-erlangen.de/~mskuhn/tamper.html

http://www.cl.cam.ac.uk/users/rja14/tamper.html

In another paper on Differential Fault Analysis, a technique of spiking the clock of a smart card to derive the key is outlined. This technique has apparently been used in the Blackbox industry to obtain the DES keys for EuroCrypt.

ftp://ftp.cl.cam.ac.uk/users/rja14/dfa

Implementing the ideas in these papers can take some time. However the conclusion that the Dallas 5002FP is no longer secure is evident. Dallas have modified their silicon so that the attack outlined may not work anymore. However there is a huge installed market where the approach outlined can be applied.

Return To FAQ Index

Next Section


2.26 Digital TV Hacking

There are reports that a program, MPEG2.EXE posted on some of the WWW sites and on the binaries newsgroup worked on the Irdeto digital services. There were also posts from people using other digital decoders that the program did not work. On some boxes it apparently left a message on the On Screen Graphics continually but the picture was decoded. However I have not been able to fully verify this at the moment.

Given that many of the companies involved with the new digital systems have less than brilliant track records in protecting signals anyway, such a hack on digital would not surprise people in the least.


2.27 Speculations And Other Events

The Sky 10 card is perhaps in the last nine months of its lifetime. It is expected that it will be replaced soon. According to one post in the newsgroups the new card would filter into the market in February with an eventual switchover in April. However the more conventional expectation is that the new card, the Sky 10 (0B) will start to filter into the market around July of this year with a switchover on September first.

The reason for this is that Sky hope to have a Digital Television service in operation by September. Creating a new card especially for this service would be expensive. The more logical thing would be to create a card capable of working on the analogue VideoCrypt system and the new Digital system.

In this respect, News Datacom may draw heavily on the DSS experience and use much of the same theory in their 0B card. It would not be unusual that their new Digital Television system uses DSS as a starting point. If this is the case then the wheel will have turned full circle. At the moment things are too unclear to make any definite predictions.

With the ECMming of the Christmas Phoenix, the Sky 10 card has now replaced most leading dogfoods as the dog's food of choice. According to one posting, there were over 10,000 calls to Sky from subscribers claiming that the dog had eaten their card. This is one boast that Sky is not likely to publicise. The commonest excuses being used at the moment are:


3.0 FINDING OUT MORE

3.1 Who are / what is the TV-CRYPT and how can I subscribe ?

The TV-CRYPT is a closed mailing list. It was set up to enable the discussion of the methods and technology of TV scrambling systems. It is more of a forum for the exchange of ideas than anything else.

Contrary to popular belief, it is not a private means of distributing the most recent copies of software for hacking BSkyB, FilmNet or TV1000. Neither is it an "elite" group of super hackers whose sole intent is to hack channels just to watch the movies.

It is a "by invitation only" list. If you can demonstrate a knowledge of scrambling systems through your posts here in the newsgroup, then you may be invited to join.


3.2 Reading List

Obviously the new developments will be listed in further versions of this FAQ. Since this FAQ will be posted every month from now on (I've got the internet link running), it should be a fairly good source of information.

The de facto standard text on encryption and scrambling systems is John McCormac's Black Book. It is now available either directly from the contact details below or from a number of suppliers. It has apparently been banned in a number of countries and there are rumours of other countries in Europe trying to ban it.

European Scrambling Systems - Black Book 5
ISBN 1-873556-22-5
Price Details:
Ireland & UK: IRP 32.00 Including Postage
Europe: IRP 35.00 Including Postage
Rest Of World: IRP 44.00

Order Details:

http://www.iol.ie/~kooltek/bb4.html

By Post Or Fax To:

Waterford University Press
MC2 (Publications Division)
22 Viewmount
Waterford
Ireland
Voice: +353-51-873640 (After 1400 Hrs GMT)
Fax: +353-51-873640
BBS: +353-51-850143

e-mail: jmcc@hackwatch.com , kooltek@iol.ie


4.0 Netiquette On A.S.T.E & A.S.T.C & R.V.S.E

The first rule is that there are no hard and fast rules. There are, however, some protocols designed to reduce the risk of incineration.

The newsgroups alt.satellite.tv.europe and alt.satellite.tv.crypt are the groups where overt discussion of scrambling systems and attacks on scrambling systems are considered worthy topics. Posting of chain letter get-rich-quick schemes is frowned upon and can draw retaliation.

The standard European satellite television newsgroup, alt.satellite.tv.europe, split into two to cope with the increasing traffic on hacking swamping the existing satellite discussions. The first, rec.video.satellite.europe, became part of the REC hierarchy. This is the proper group for discussion of general European satellite television topics. Please do not post messages asking for the latest hack on the R.V.S.E group. The second group became alt.satellite.tv.crypt.

The alt.satellite.tv.crypt newsgroup is where the discussion of scrambling systems and hacking is meant to be conducted. It started out as a European group but there are many non-European readers. The alt.satellite.tv.europe group was supposed to be phased out but this does not seem to have happened yet.

Please bear in mind that some people have to pay to download the newsgroups. In the past few months there have been a few flame wars about posting UUENCODED binaries into the alt.satellite.tv.crypt and alt.satellite.tv.europe groups. The accepted procedure is now to upload any file to a popular ftp site and announce that it is available there rather than posting it as a UUENCODED message.

A while ago, another newsgroup, alt.satellite.tv-binaries, was set up for the posting of binaries relating to satellite television and hacking. It is not a major newsgroup and most news servers do not carry the group. It seems that the administrators do not want to waste disc space on the binary groups. This newsgroup is apparently available from some of the free news servers.

Advertising of devices on the newsgroups is another subject that draws strong reactions. It is unfortunately now a fact of life. If you have to advertise, then observe the standard Usenet protocol of including the word AD or ADVERT in the subject line. Only post to the groups where relevant. If you are posting an advert for a device with European usage do not post in the US satellite newsgroups.

A number of recent advert posts in the alt.satellite.* groups have omitted the word AD or ADVERT from the subject heading. There have also been incidents of a European advertiser posting his adverts for equipment intended for the European market on the American rec.video.satellite.dbs and rec.video.satellite.tvro groups.

In many European countries there are complex legal rules regarding "goods to be used for criminal purpose". As the European situation evolves some of the arguments that were used in the past such as the goods being used for educational purposes become less and less tenable. However the discussion of information relating to hacking on newsgroups is not an area that the channels would like to get involved with legally if they had any sense. It would bring up questions of freedom of expression, which is apparently part of some European charters and indeed many constitutions.

Because programmers and smart card readers are multifunctional, it would be difficult to get a conviction in a court because the channel would have to prove that the goods were intended for illegal use. It is almost like they would have to prove conspiracy. Such a thing would be costly and would prevent channels going after the commercial pirates. However the importation of pirate smart cards, especially if they are banned by law in the country of import is risky. At the least, the Customs authorities could confiscate the goods if they find them. Piracy is always a risky business.

There is also a grey area of the law that is presently untested. This surrounds the possible prosecution of Internet service providers because of material they carry. If the newsgroup becomes a source of software for hacking pay TV you may find your site removes it, just as some providers strip the alt.binaries.pictures.erotica groups.

Apart from trying to keep on-topic for the newsgroup you are posting to, try to refrain from excessive crossposting of articles. This is essential if you are going to comment on a spam message, as sometimes the posting software will post your comment to all the groups affected by the spam message in the first place.


5.0 CREDITS

Major contributor: John McCormac (jmcc@hackwatch.com)

Contributors:
Knut Vikor (knut.vikor@smi.uib.no)
Martyn Williams (martyn@euro.demon.co.uk)
Rene Vreeman (renev@intouch.nl)
Linus Surguy (lis@mfltd.co.uk)
Brian McIlwrath (bkm@starlink.rutherford.ac.uk)


Maintained By: John McCormac (jmcc@hackwatch.com)

Please send any corrections to faqman@hackwatch.com with the subject ERROR or CORRECTION.