Subject: Scrambling News: DBS hackers encounter CODE 99 (Part 1)
Date: Sun Jul 16 08:53:08 1995

[This is the first of a two-part update on DSS Piracy. It is Copyright 1995 by David Lawson (dlawson@localnet.com) and Scrambling News. All rights reserved. If you would like a copy of our catalog of video hacker books, simply E-mail or voice 716.871.1915. Your corrections and constructive criticism are appreciated.]

Background

We have entered a new era of digital satellite piracy, as acknowledged by DirecTV's press release of June 16 which is included in this issue. Many of our new subscribers are interested in DBS (Direct Broadcast Satellite) and may consider becoming involved in pirating DBS signals, so we will discuss the dynamics of satellite piracy in this article. The satellite piracy which most are familiar with is that of Videocipher II and we will concentrate on that system because there are many lessons to be learned from it. This is not intended to be a complete history. It is not our intent to promote piracy, but rather to provide information for the benefit of our readers.

HBO was a pioneer in the satellite delivery of cable programming. In 1975 it began transmitting its feeds to cable companies around the country. Conventional distribution involved shipping videotapes back and forth. The signals transmitted from communications satellites at that time had a strength of about 5 watts, which is the signal strength of a CB band radio, yet those signals had to travel 23,300 miles to earth. By that time they were so weak and noisy that they had to be amplified thousands of times to be strong enough to be processed by a satellite receiver. It soon became obvious to other programmers that satellite delivery was cost efficient and, additionally, it allowed them to offer live events. The first satellite systems purchased by cable companies cost $120,000+ but by 1977 improvements in technology caused the price to decrease to the $15,000 range.
The first satellite hackers attempted to construct homebrew systems to intercept HBO's signals and in 1976, using military surplus, homemade dishes and homemade electronics, they were able to receive HBO. As more programming became available on satellite, more individuals became interested in obtaining it and businesses began to manufacture equipment. Improvements in the technology of the components led to radical reductions in their cost. A new cottage industry called TVRO (television receive-only) was born. By the late '70s "mom and pop" satellite dealerships started opening up around the country, especially in rural areas not serviced by cable.

Most of the programming available on satellite at that time was "in the clear." Homeowners who could afford to spend $6,000-7,000 on a system could receive, free, the same programming being received by the largest cable companies around the country. They received HBO, Showtime, TMC, Cinemax, A&E, CNN, WTBS and other superstations from all around the country and more. The sales of satellite systems for 1984 were estimated at approximately 750,000.

Dish owners had more entertainment than time to enjoy it, but their benefactors, the programmers, had a problem. They had invested in satellite delivery of their programming to the approximately 8,000 cable headends around the country because it was the most economical means of doing so. Many cable companies were receiving the programming and charging their subscribers for it but they were not paying for it themselves. The programmers decided to secure their signals in order to prevent the cable companies from pirating them. At that time there were more than 50 million cable subscribers in the country and fewer than one million dish owners. Securing the signals from dishowners was of secondary importance.

The Videocipher II satellite encryption system was designed by M/A-Com LINKABIT. Designing an encryption system is an expensive and time consuming proposition.
Engineers must trade off the security features they would like to provide with all the costs and risks of providing them. In this case M/A-Com opted to appropriate some of the access control architecture being employed by the Oak Orion system in Canada. They were later successfully sued for patent infringement. The Videocipher II encryption system which they produced was described by M/A-Com as a state-of-the-art system which was tamperproof and undefeatable. The VCII (Videocipher II) was touted as the "only decoder you'll ever need." It employed the "unbreakable" DES (Data Encryption Standard).

In early January of 1986 dishowners were horrified and dish sales plummeted as HBO and then the other programmers scrambled their signals. Most had invested in a satellite system in the first place because of the free programming which was available. Now they had to purchase a $300 decoder and pay for programming. In addition, the subscription rates being charged were almost double what cable companies were charging their customers, and cable rates reflected the cost of building a cable plant, running cable to the house and maintaining the system. Dishowners supplied and maintained their own equipment. The signals were already being transmitted for the benefit of the cable companies, the scrambling system had been designed for cable use and the only additional expense for programmers in serving the home dish market was in administration. Some programmers did not even offer subscriptions to dishowners because they didn't think it was a market worth bothering with.

Speculation about vulnerabilities in the VCII encryption system started in March and appeared in the form of a paragraph or two in each monthly issue of Coop's Satellite Digest, which was a technical magazine for cable and wireless operators. It was also a monthly chronology of technical improvements in electronic components, dish construction, etc.
Bob Coop was one of the original satellite hackers and he was one of the founders of TVRO. Once a credible source started reporting details of the weaknesses of the VCII system, the scams started. Suddenly it seemed as if everyone knew someone who had seen a fix though they had not seen it themselves.

A friend drove 600 miles to a remote farmhouse in the middle of the night. He was going to see a demonstration of a fix that would turn on all the scrambled channels except the pay-per-view movie services, and he would purchase 100 for $150 each and pay cash. He would not be allowed to buy only one. One of the individuals selling the fix soldered the leads of a small epoxied add-on board to the legs of some of the critical chips on the decoder. It seemed credible. My friend was told that in a few minutes the channels would be descrambled. In the quietness and suspense as they waited for the channels to be unscrambled, he heard someone in a distant room calling in a credit card number to subscribe to all the available channels. Several minutes later the sound and picture appeared on the TV screen my friend was watching. The fix was bogus. They simply had the decoder authorized legally by subscribing to programming. The add-on board was a ruse. My friend found an excuse to leave.

Another scam was perpetrated by an electronics store in the Bronx. They had a box which was connected between the decoder and receiver. It restored audio and video to the encrypted channels. They had a working demo in their store. It cost $150 and was sold without a warranty. Observers of the fix noted that it restored video on all VCII encrypted channels, but audio was only available on the channels which just happened to be offered by the local cable company. They were actually obtaining the audio from their local cable company in the Bronx and piping it into the TV. What they were actually selling was a sync generator which restored only the video signal.
Descrambling the video was relatively easy. It was the audio that was "hard" encrypted.

The first of three attacks on the VCII system involved an unsuccessful attempt to duplicate the critical proprietary IC's through the use of a chip stripper. Then a group euphemistically referred to as DESUG (Data Encryption Standard Users Group) attempted to reverse the DES (Data Encryption Standard) algorithm. This was time consuming and it was not a valid option. The third attempt involved disassembling the decoder control program which is stored in the system's EPROM. This approach proved successful and led to three major hacks on the system.

The first hack led to a marketable fix. It was discovered that the pointer could be redirected to enable decoding on all channels if at least one channel was subscribed to, and this only involved a change of one to six bytes, depending on the version of the VCII board. This hack was known as the three musketeer hack (3M) because it provided all channels for the cost of one: "One for all and all for one." The three musketeer fix was first demonstrated in September of 1986 and it was put on the market in December. It did not decode all services or any PPV channels. It was only necessary to replace or reprogram the system EPROM in order to 3M a box (decoder). The response of the decoder manufacturer was to epoxy the printed circuit board, making it harder to tamper with. Hair dryers were used to soften the epoxy and a utility knife was used to chisel it away. During the period from January of 1986 to December only 40,000 VCII decoders were sold. In the first two weeks after the musketeer fix was released, another 80,000-100,000, the entire inventory of VCII's in the country, were sold and dish sales picked up again.

The second hack on the system involved cloning. There are 32 bytes of information which make each decoder unique. This consists of four 7 byte seed keys numbered from 0-3 and 4 bytes of unit ID.
It was discovered that if the unique identification information from a subscribed decoder was programmed into an unauthorized unit, it would decode all the programming subscribed to by the master. This meant that hundreds or even thousands of unauthorized decoders could be cloned to receive the same programming as one decoder which was subscribed to programming.

About a year after the introduction of the 3M chips, the "wizard" hack, which irrevocably destroyed the system, was discovered. One of the early chips which featured this hack was aptly called Doomsday. In addition to the 32 bytes which provide a unique identity for each VCII decoder, there are another 28 bytes transmitted in the data stream which are critical to the decoding function. These bytes are often referred to as public data. Included is a unique service ID and channel identifier for each channel, and a period indicator which indicates the month the data is valid for. Seven bytes are the authorization mask which identify which services are subscribed to. The VCII does a series of calculations involving unit ID information and the public data to obtain a working key. We detailed the math in our manual entitled "The Compleat Wizard". It was discovered that this working key was the same for all VCII's of the same series and that this common key turned on all services except the pay-per-view channels. The most amazing thing about the VCII system was that all non-PPV services would be decoded if the correct working key was entered into the correct RAM addresses; none of the calculations mattered, and it didn't matter whether the VCII was authorized or not, or even if the unit ID data was valid. The wizard software which was developed as a result of these discoveries calculated the working key automatically for the current and next month.
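The design lesson in the 3M and wizard hacks above is that the entitlement check only gated the loading of a working key that was already common to every decoder, so skipping the check, or writing the key straight into RAM, unlocked every service. The following Python model is an added illustration, not the Videocipher II algorithm and not code from Scrambling News: the toy cipher, the field layout and all function names are constructed assumptions. It contrasts that gate-only design with one in which per-service key material is delivered only to entitled units, wrapped under each unit's own key, so that bypassing the check leaves the unit with nothing to decode with.

```python
"""Constructed model of the access-control lesson in the wizard hack (not the
VCII algorithm; cipher, field layout and names are assumptions for illustration).
Weak design: the auth mask sent in the clear only gates loading a working key
that is COMMON to every decoder of the series. Hardened design: each service
has its own key, delivered to a unit only if entitled, wrapped under a key
derived from that unit's own seed."""
import hashlib
import hmac
import os

SERVICES = ["HBO", "SHOW", "CNN"]   # constructed service IDs; mask bit i = SERVICES[i]
COMMON_WORKING_KEY = os.urandom(16)  # weak design: identical in every decoder of the series

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256 counter blocks. Illustration only."""
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

class Decoder:
    def __init__(self):
        self.unit_id = os.urandom(4)  # 4-byte unit ID, as the article describes
        self.seed = os.urandom(7)     # one 7-byte seed key (a real unit held four)
        self.ram_keys = {}            # working keys the unit currently holds

def decode(dec, svc, ciphertext):
    """None when the unit holds no key for the service."""
    return keystream_xor(dec.ram_keys[svc], ciphertext) if svc in dec.ram_keys else None

# ---- weak design: entitlement is only a gate in front of a common key ----
def weak_receive_control(dec, auth_mask, bypass_check=False):
    """bypass_check models the 3M pointer redirect: skip the gate and the key
    already inside the unit unlocks every service."""
    for i, svc in enumerate(SERVICES):
        if (auth_mask >> i) & 1 or bypass_check:
            dec.ram_keys[svc] = COMMON_WORKING_KEY

# ---- hardened design: per-service keys reach only entitled units ----
def unit_key(dec, period):
    """Per-unit, per-period wrapping key; the headend holds every unit's seed."""
    return hmac.new(dec.seed, dec.unit_id + period, hashlib.sha256).digest()

def hardened_control_message(dec, period, service_keys, entitled):
    """Headend side: wrap only the keys this unit is entitled to."""
    ukey = unit_key(dec, period)
    return {svc: keystream_xor(ukey, service_keys[svc]) for svc in entitled}

def hardened_receive_control(dec, period, msg, bypass_check=False):
    """Unit side. Skipping the check gains nothing: no key material for the
    other services ever reached the unit, so the attacker can only guess."""
    ukey = unit_key(dec, period)
    for svc in SERVICES:
        if svc in msg:
            dec.ram_keys[svc] = keystream_xor(ukey, msg[svc])
        elif bypass_check:
            dec.ram_keys[svc] = COMMON_WORKING_KEY  # wrong key for this design

def demo():
    """Entitle a unit to HBO only, then bypass the gate in both designs.
    Returns (weak design leaks SHOW, hardened decodes HBO, hardened leaks SHOW)."""
    period, plain = b"9507", b"scrambled feed"  # constructed sample period/payload
    w = Decoder()
    weak_receive_control(w, auth_mask=0b001, bypass_check=True)
    weak_leak = decode(w, "SHOW", keystream_xor(COMMON_WORKING_KEY, plain)) == plain
    skeys = {s: os.urandom(16) for s in SERVICES}
    h = Decoder()
    msg = hardened_control_message(h, period, skeys, ["HBO"])
    hardened_receive_control(h, period, msg, bypass_check=True)
    hard_ok = decode(h, "HBO", keystream_xor(skeys["HBO"], plain)) == plain
    hard_leak = decode(h, "SHOW", keystream_xor(skeys["SHOW"], plain)) == plain
    return weak_leak, hard_ok, hard_leak
```

The same split explains the article's later remark that the embedded secure processor could not be changed after a breach: in the weak design the one secret worth protecting sits in every unit, so a single extraction is permanent.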
The wizard software's operation was essentially transparent to the user, though it was necessary to enter keys for the pay-per-view movie services like Request TV, First Choice and Action Pay-Per-View manually because their working keys required different calculations. The keys were entered through the keypad on the satellite receiver's remote control.

During the period from 1986 to 1992 dishowners engaged in piracy would install various fixes on their boards and sooner or later they would be ECM'd (electronic countermeasures) so their decoder would be shut off and they would have to purchase new hardware/software. On average, they might have spent anywhere from $100-250/year for all programming including pay-per-view and special events. Subscribing to all the programming would have cost several times that amount.

There was an ongoing ECM program which was operated by G.I. (General Instrument) after they bought out M/A-Com. When the first 3M fixes were used in 1986 it was not known that the box ID was stored in two locations. A message was sent in the data stream to decoders to compare the ID's in both locations. If they did not match, the box was shut off. VCII's suspected of being clone masters would be shut off on the grounds that they were oversubscribed. When wizard technology became predominant, ECM's involved changing channel ID information, assigning multiple services to the same tier bit, etc. The commercial decoders used by cable companies could recognize the difference but residential models could be shut off. Hackers monitored the datastream on certain channels and they were able to observe ECM's being tested. This often allowed them to modify software and hardware fixes and have them ready to sell before an ECM was actually employed. Most dishowners had their dishes installed and their decoders modified by a satellite dealer who kept their system running, so they did not have to be aware of the latest ECM's or fixes.
They didn't have to rely on any satellite dealer though, and they didn't have to be an electronics expert to keep their VCII descrambling satellite delivered programming. An entrepreneur started a magazine called the Blank Box Newsletter. The sole purpose of that magazine was to provide advertising space for those selling the latest fixes because they could not buy space elsewhere. It was devoid of editorial content. Every month the advertisers featured the latest pirate products and services. The pirate products available ranged from how-to videotapes to seed key pullers, hardware/software fixes for all models of VCII boards, DES calculator software, VCII emulator software, etc. A list of the advertisers in the magazine was a list of who had been busted. Anyone capable of plugging in a chip or soldering could follow the instructions which accompanied the latest chip or hardware fix. If they couldn't do it themselves, there were a half-dozen businesses they could overnight their descrambler to, and most of them provided excellent service. The name Blank Box Newsletter was discovered to be a copyright infringement so the name was changed to Satellite Watch News.

Dishowners did not even have to subscribe to a magazine to be kept abreast of the latest techniques for pirating satellite television. They could watch it on their satellite systems. The patron saint of satellite dealers is the late Shawn Kenny. He used the medium itself. From a makeshift studio located at his New Jersey satellite dealership he produced a weekly show called Boresight, and he rented time on whatever satellite had space available. It wasn't very expensive. He was another of the pioneers. He hated scrambling and considered the VCII to be a piece of junk. His motto was "a (decoder) module in every home." His show included satellite news, tech tips for dish dealers, some kibitzing and a segment called "Yellow Rain (Piss on the VCII)."
He had an encyclopedic knowledge of satellite equipment and when he was demonstrating components he considered inferior he would place them on a block and smash them to pieces. In the Yellow Rain segment he delighted in showing programmers the latest means by which their programming was being stolen. Fixes were demonstrated and guests explained in exquisite detail how to pull seed keys from a decoder or adapt certain fixes to different versions of the decoder. Someone found a set of schematics and technical information about the VCII, allegedly in a dumpster behind General Instrument's manufacturing facility. They were marked confidential. Shawn was ecstatic. He copied and sold them as a package every week along with his other products. At one point G.I. sued him and got a $625,000 judgment against his company but they were never able to collect.

One of the more amazing hacks which was shown on Boresight was the Parasite board. It illustrated just how completely the Videocipher II was understood by the hackers. It was a Videocipher II clone built with non-proprietary components. To make it function it was only necessary to load it with unit ID data. It was a precursor of the SUN (Secure Universal Norm) decoder. Unlike the Videocipher II, which uses an embedded secure processor, the SUN used a detachable secure processor. It was a plain vanilla decoder which could be programmed to emulate a VCII, Oak, or B-MAC and it could be reprogrammed in case of a security breach. When SUN boards were first introduced they were 2 years ahead of pirate VCII technology. They stored two clone ID's and had wizard back up for 8 different working keys and they countered a variety of ECM's years before they were actually employed. The only crime worse than using a Videocipher II decoder to steal satellite delivered programming was to steal it without using a Videocipher II decoder.
General Instrument sued Dectec, manufacturer of the SUN, on the grounds that the SUN used the Videocipher II operating system. Dectec denied it. Their operating and data transfer system was encrypted using a Dallas SIP Stik which provides the same level of security used by the banking industry to protect their data. G.I. was not able to prove their case in Canadian courts though they did effectively cripple the company.

By 1992 General Instrument started to take control of its system. It established a swap out program to issue VCII PLUS units to legitimate subscribers with untampered decoders. Instead of a common key which turned on all services except the PPV's, each service now had its own unique working key, but it was still a common key which worked in all residential decoders. Instead of entering a 20 digit monthly key which would turn on all the basic services, it became necessary to enter 20 digits for each of the 60 or so channels available. Then the keys started changing more frequently, with some changing weekly and then daily. This led to the development of modem based fixes which would allow the user to simply press a button on their remote control which would cause the modem to call a BBS and download the latest working keys into the RAM of the Videocipher board. This worked for a while but other ECM's made it necessary to make frequent software and hardware changes. In addition, many individuals were paying for long distance charges to a BBS in order to download the keys. When the movie channels like HBO and Showtime moved to the VCII PLUS system, most dishowners abandoned piracy because they could no longer get the channels they really wanted and the cost of piracy was higher than the cost of subscribing to the channels which were still available.

The pirates established a sophisticated computer network in order to obtain and distribute working keys.
It consisted of a central computer connected in real time to a number of satellite dishes around the country. The dishes were programmed to receive monthly hit data and then move to another channel. That data was then sent from the central computer, again in real time, to several nodes positioned around the country. Local satellite dealers received their monthly data from the node computers, so consumers in many cases only had to make a local phone call to a BBS operated by a local satellite dealer.

The working keys for some services were obtained from the commercial VCII decoders installed at cable companies around the country by the technicians who maintained them. Data necessary to calculate the working key was only sent occasionally, so decoders dedicated to one service, like those at cable headends, did not miss it. Once obtained, the keys would be posted on BBS's across the country. G.I. tried to determine the location of these compromised commercial decoders by sending bogus data and watching the working keys posted on the BBS's. They could take that information, calculate the box ID from it and they would know which cable headend it was installed at. This led to co-operation among the various BBS's to stop posting working keys until they were verified, so they would not jeopardize the individuals who obtained them. Some individuals were charged, nevertheless.

When G.I. did finally start to shut off massive numbers of pirate decoders they did so with almost mathematical precision. They knew what fixes were available for each model of their decoder and how many dishowners were using each. They shut them down sequentially so their production facilities and pipeline were not overloaded, because they also knew how many VCII PLUS boards they would sell to those who had been shut off. It is interesting that the devastatingly effective rounds of ECM's which occurred at the very end of VCII piracy could have been done years before.
The era of Videocipher II piracy has ended. The "de facto" encryption standard was also the world's most hacked scrambling system. Until very recently it was possible to pirate two dozen or so services. In the last few weeks the working keys have been changing every few hours.

The fatal flaws in the encryption system are not lost on those designing today's systems. The access control system was left in the open where it was easily accessed. It employed an embedded secure processor which could not be changed when there was a breach of security, and the control data could be modified. It took General Instrument 7 years to secure its encryption system.

An article in one of the satellite trade magazines a couple of years ago estimated that over the years General Instrument had made a profit of about $800,000 million strictly from piracy. Many believe that G.I. itself released details of its system so it would be hacked. With all the security features the system employed it had a wide-open back door. In 1987 G.I. claimed it had manufactured 300,000 decoders but independent sources with access to information from component suppliers claimed that 1.3 million had been produced. The number of authorized decoders was only ever a small fraction of the production figures. It was discovered that over 400,000 had been shipped to Canada at a time when it was illegal for Canadians to own them. Hundreds of thousands more were illegally shipped to Mexico and the Caribbean. Today, there are 2.3 million subscribed VCII PLUS decoders in the country. HBO has well over a million paying subscribers. Some speculate that VCII piracy was tolerated in order to sustain the growth of the satellite business.
They believe that if the system had not been hacked it is unlikely the industry would have achieved the growth it has had. To the best of our knowledge no dishowner in this country has ever been charged with pirating satellite delivered programming, but those who modified the decoders were. Hundreds of satellite dealers lost their businesses, families, homes and liberty. During the heyday of VCII piracy it was so pervasive that dealers who were selling satellite systems and subscription programming simply could not compete with dealers who sold systems with free programming. By the same token it is difficult for a secure encryption system to compete against one which is hacked when the public has the choice of which system to purchase.

We have now entered the age of digital compressed satellite programming and all analog systems are converting. Because of compression it is possible to put several channels on a transponder which now only carries one. The savings for programmers far outweigh the astronomical cost of the necessary equipment. For some consumers, a pirate smart card which would provide access to all DirecTV programming would be a dream come true. It may happen, despite what now appears to be a fortress of security features built into the system.

[In part two we focus on existing DSS piracy: DSS hackers discover Code 99.]

END PART 1 OF 2 PARTS
-------------------------------