Subject: Scrambling News: DBS Hackers Encounter CODE 99 (Part 2)
Date: Sun Jul 16 08:53:09 1995

[This is the second of a two part update on DSS piracy. It is copyright 1995 David Lawson (dlawson@localnet.com) and Scrambling News. All rights reserved. E-mail or voice 716.874.2088 for a free product catalog of hacker books. Your corrections and constructive criticisms are appreciated.]

DSS Hackers Encounter Code 99

The DSS System

The DSS system rolled out nationally last September and in less than a year it has acquired about 650,000 subscribers. There are two more DBS systems ready to launch. The dish size, ease of installation, low maintenance and up-front cost of the systems are major reasons for the faster sales of DSS.

The DSS scams have started. It is July 6, 1995 and there are no fixes for the system available other than gray marketing as we have discussed. A business called Test Card is, however, advertising that they are looking for dealers and distributors for a DSS test card. Someone else has a package for $29.95 which describes how to get $1000 worth of programming for $50/yr. "Don't miss out on this hot new information package." No one we know who has responded to these ads has received anything back yet.

There may also appear in the next few months DSS bibles, software packages which will likely consist of the various pirate programs and source code used to break the European version of Videocrypt. They will probably originate from John Mc Cormac's Special Projects BBS which is a repository for Videocrypt information. There may also be bogus DSS reader/writer software and a PC interface. The data structure is non-standard. A working PC interface for this system is complex and very expensive.

The DSS system employs a digital and far more secure version of the Videocrypt encryption system which is used in Europe. It is a smartcard system which employs a detachable secure processor. If security is breached, the smartcard is replaced.
The European system has just issued its tenth series of smart cards. All previous series have been hacked. Europeans can walk into shops and purchase the latest pirate smartcard or order by mail. Services using Videocrypt are only authorized for specific countries so those in other countries can purchase pirate smartcards with impunity. They typically work for 6 months or a year and cost $150. Inevitably they are shut off and the users wait a month or so until the next version is ready.

A rumour is that John Grayson's chief engineer at Dectec has been hired by a Western Canadian group working on DSS. He designed the SUN board. Supposedly there are 10 members of the group and each has contributed $50,000 to the project. John Grayson was recently spotted at a Cable Show in Europe and has moved on to other projects. This means there are now two separate groups working to develop a marketable fix for DSS. The existing work done on the system has involved a consortium of U.S. and European engineers. The Europeans have years of experience with Videocrypt and there are now several groups with expertise to work on the system.

Anyone trying to reverse engineer the smartcard will encounter the nefarious code 99. The card developed by RCA and Motorola can be rendered useless by high-frequency, low voltage, temperature and other types of probing. Any type of tampering results in erasure of the microcode in the EEPROM and sets the card to code 99, rendering it absolutely useless. The smartcard which has been developed for the DSS system is, at this moment in time, impervious to all known methods of hacking. In addition, code can be reprogrammed on-the-fly, every 29 seconds. Reprogramming was used in the 09 series smartcards in Europe which increased their longevity, although they eventually had to be replaced anyway.
Just as hacking the Videocipher II system never involved breaking the DES, hacks for the DSS system do not necessarily involve being able to reverse engineer the smartcard. The fix to be released will probably involve reprogramming the card to add existing services to those already being paid for, including pay-per-view credits, sports etc. An earlier plan to offer 4 different cards with different tiers of programming has been abandoned because it has been found that the card cannot be duplicated. Any DSS receiver can be cloned to work with any smartcard. It can also be shut off independently of the smartcard. A benefit for users of reprogrammed smartcards is that they will have to maintain some level of subscription so they will not lose all programming when the card is shut off and has to be reprogrammed.

A huge problem with making a business of any hack for the DSS system involves the massive security which is in place. Current plans involve distribution of programming software to 500 sites. The software will only be able to program 100 cards, then new software must be purchased. This ensures that the developers will be paid frequently. The software will not be generally distributed or posted on BBS's. We do not know more about the distribution system. Each card being reprogrammed requires a separate program. A better distribution system would involve the internet and would allow individuals to reprogram their cards directly using the phone line, which is DirecTV's own backdoor into the box.

In the short term, piracy of the DSS system may be of the gray market variety and may exclusively involve use of the DBS Dialer which has just been developed.

Gray Market Piracy - The Dialer Systems

Some non-U.S. residents subscribe to DirecTV programming by simply obtaining a U.S. billing address. Any phone book lists Mail Receiving Services which provide a street address. Many telephone answering services also provide this service as well as private phone lines.
When they subscribe they simply say they do not have a phone. This precludes them from ordering sports packages like NFL Sunday Ticket, NBA League Pass, the NHL Center Ice package or the regional sports networks. They must also order special events manually at an additional charge of $2. Since many foreign subscribers do want access to sports and PPV events it was natural for a variety of call forwarding services to be established.

The two dialer systems which are the subject of the press release from DirecTV have been operating in Canada for several months. One system is based in Ontario and the other is in British Columbia. The Ontario system was diverting monthly calls from the DSS boxes to a Western NY number while the B.C. system diverted its calls to Blaine, Washington.

Canadians have been purchasing thousands of DSS systems and they are even being sold in major consumer electronics stores. The head of the CRTC, which is the Canadian equivalent of the FCC, has said on the national news that Canadians will not be prosecuted for subscribing to DirecTV. At the same time DirecTV has no legal right to extend subscriptions to Canadian residents. Those complaining about DSS are the cable companies and Expressvu, a Canadian-based DBS service which is almost ready to launch. With their dismal raster of Canadian programming they cannot possibly compete with gray market DirecTV programming even though Canadians must pay the high subscription prices charged by DirecTV and USSB with Canadian dollars which are worth $.70 U.S.

The dialers currently being used by the Canadians are Equal Access dialers which were used at one time to dial the prefix to connect to Sprint. They are now surplus and the operators of these dialer services have been purchasing quantities of them for $30 each and then charging Canadians $150 apiece with a subscription to their redialer service. That only involves establishing U.S. phone numbers to route the calls through.
Some operators only had one or a few U.S. numbers so hundreds of DSS systems were connected to Canadian phone lines and routing their monthly PPV billing calls through the same U.S. phone number. The dialers pass ANI data from the originating phone number as call forwarding systems do. In addition, the systems are not secure. To exacerbate the situation, the phone numbers being used were posted on BBS's so many individuals piggybacked on the system. Some foreign subscribers even plugged their DSS boxes directly into the phone line, essentially requesting that their systems be shut off.

The problem is that ANI (actually ANAC: Automatic Number Announcement Circuit) data is transmitted with phone calls. This data identifies the billing phone number including area code. Businesses like DirecTV which rent 800 numbers receive ANI data along with other caller information and callers to 800 numbers give up that data whether they know it or not, and regardless of whether their phone number is unlisted or not.

The DBS Dialer

This is a newly engineered gray market product intended for use by those in offshore countries where DirecTV is not licensed to operate. It is available from New Advanced Technologies at 514.458.3063. The system consists of two units. The dialer is connected between the DSS unit and the phone line. It intercepts the 800 number call made by the unit and routes it to whatever U.S. number it has been programmed to call. The call is received by the diverter unit which strips out ANI data associated with the true phone number and substitutes the ANI of the billing phone number the diverter is connected to. The diverter must be connected to a line with three way calling capabilities.

The DBS Dialer system has many desirable features. It allows users to operate their own system independently without having to subscribe to someone's service. It is not necessary to reveal phone numbers to anyone who might piggyback or otherwise compromise the system.
Users are not reliant on the supplier and need not pay subscription fees. Both dialer and diverter(s) are password protected and the password of the dialer(s) must match that of the diverter. Anyone wanting to piggyback on the system would have to know the password as long as it is changed from the default value of 1234. The system is completely field programmable and there is a separate password allowing access to programming functions. The system has been designed so that in case of a power failure the dialer unit shuts down rather than pass ANI data about the location of the system.

DirecTV uses several 800 numbers and DSS units store them in both the "smart" modem and in EEPROM. The DSS modem can be programmed to execute a wide variety of countermeasures. Designers of the DBS Dialer have taken this into consideration. The code in the diverter may be updated if it is necessary. The designers are now adding capture, store and forward technology to the dialer so it won't matter what number the DSS unit calls. The Canadian dialers were shut off when DirecTV changed the number the DSS units called. They can be reprogrammed but a simple command in the data stream will shut them off again and they will have to be reprogrammed again.

DBS Dialer - Programming

The dialers have two RJ11 jacks. Ordinarily the DSS unit is connected to the jack marked DSS. For programming purposes a telephone is connected to this jack. A standard telephone line is plugged into the other.

We received a beta version of the dialer and diverter for test purposes. We began our test by changing the programming password to 2198. We changed the dialer and diverter passwords to 9299. They must be the same. In a case where more than one diverter is used in a network, the diverter passwords must match as well. We programmed the dialer to call the number where the diverter was located.
We left the trigger sequence at the default value of 1-800 but if we were on a phone system where we had to dial 9 to call out then we would have programmed it in place of 1-800.

Call capture store and forward capability is being added to the system so the programming instructions we included in the hard copy version of this report are now redundant. We also stated in the New Advanced Technologies advertisement that it supplies U.S. addresses and phone numbers. It does not.

Telephone companies maintain regional ANI circuits to assist line technicians with testing and line identification. Dialing one of these numbers connects the caller with a computer which reads back his ANI data. We used 1-800-MY-ANI-IS which is an MCI service. Another service is at 10732-1404988 9664. It is also a toll free number.

We connected a phone in place of the DSS receiver and made the call. The dialer intercepted the number we dialed, forwarded the call to the diverter, and the diverter called 1-800-MY-ANI-IS. The ANAC computer reported the phone number and area code where our diverter box was located and not the actual phone number we were calling from. Individuals from Canada, Mexico and the Caribbean have also tested the system and found it to work. The DBS Dialer worked perfectly. It does the job it was designed to do.

The footprint of the DirecTV signal covers the continental U.S. and most of Canada. We have heard of reception as far south as Mexico City (with a 3 foot dish) and throughout the Caribbean. The DBS Dialer allows individuals in those countries to subscribe to programming and receive pay-per-view events. A very low profile system would have only one DSS system connected to a diverter box located at a U.S. address but some individuals may establish small networks. We have no knowledge of the laws regarding the reception of DirecTV programming in the various countries where the signal is available.
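
The ANI behaviour described above, seen from the provider's side: an added example (not part of the original article, and not DirecTV's actual system) that screens call-in records for the patterns this report says got the Canadian dialer networks noticed. The record layout, reason names, threshold, sample numbers and the short area-code list are assumptions constructed for the illustration.

```python
from collections import defaultdict

# Illustrative subset of Canadian area codes (assumption: a production
# system would consult the full numbering-plan table).
NON_US_AREA_CODES = {"403", "416", "519", "604"}

# Constructed call-in records: (receiver_id, account_id, ani).
SAMPLE_CALLS = [
    ("R1", "A1", "2125550111"),  # matches the phone on file
    ("R2", "A1", "2125550111"),  # second receiver, same account and line
    ("R3", "A2", "7165550100"),
    ("R4", "A3", "7165550100"),
    ("R5", "A4", "7165550100"),  # three unrelated accounts on one line
    ("R6", "A5", "4165550123"),  # receiver plugged into a Canadian line
]
# Constructed account data: phone given at sign-up, None if "no phone".
SAMPLE_PHONES = {"A1": "2125550111", "A2": None, "A3": None,
                 "A4": "7165550199", "A5": None}


def flag_callins(calls, phone_on_file, max_accounts_per_ani=2):
    """Return {account_id: sorted reason list} for suspicious call-ins.

    calls         -- iterable of (receiver_id, account_id, ani) tuples;
                     ani is the 10-digit number delivered with the call
    phone_on_file -- {account_id: 10-digit phone, or None if none given}
    """
    # Count distinct accounts per line. Several receivers on ONE account
    # sharing a line is the normal multi-receiver household case.
    accounts_by_ani = defaultdict(set)
    for _receiver, account, ani in calls:
        accounts_by_ani[ani].add(account)

    reasons = defaultdict(set)
    for _receiver, account, ani in calls:
        # 1. The call originated outside the licensed territory.
        if ani[:3] in NON_US_AREA_CODES:
            reasons[account].add("ani-outside-us")
        # 2. Many unrelated accounts report through the same line.
        if len(accounts_by_ani[ani]) > max_accounts_per_ani:
            reasons[account].add("ani-shared")
        # 3. The line differs from the number the subscriber registered.
        registered = phone_on_file.get(account)
        if registered is not None and registered != ani:
            reasons[account].add("ani-mismatch")
    return {account: sorted(why) for account, why in reasons.items()}


if __name__ == "__main__":
    flagged = flag_callins(SAMPLE_CALLS, SAMPLE_PHONES)
    for account, why in sorted(flagged.items()):
        print(account, ", ".join(why))
```
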
Since the system passes voice as well as data calls it could conceivably be used to make use of 800 numbers in the U.S. or possibly to reduce long distance charges. It could also be used by networks of cautious individuals to manually order PPV events. The common phone number could easily be that of a business with several employees who have DSS systems.

The system could also be used by U.S. residents or commercial establishments to obtain locally blacked out sports events by misleading DirecTV about the true location of the system. Using the DBS Dialer in the U.S. is a serious crime and subjects users to the variety of criminal and civil actions mentioned in DirecTV's press release. The units could also be used by individuals who obtain the deluxe system and take advantage of the reduced subscription rates available to additional units. We have heard that DirecTV is now insisting that all units in a deluxe system be connected to the same phone number.

Appendix

DIRECTV PREPARES LEGAL ACTION AGAINST UNAUTHORIZED DISTRIBUTORS
Complaints Seek to Prevent Illegal Reception of DIRECTV Service Within Canada

Los Angeles, CA. June 19, 1995 - DIRECTV, Inc., a unit of Hughes Electronics Corporation, took action against individuals and entities in Canada who have facilitated the illegal reception of the DIRECTV programming service in Canada. Cease and desist letters were issued to five potential civil defendants, four of whom are located in Canada. DIRECTV is also preparing to file civil claims against the potential defendants in U.S. federal courts. In addition, DIRECTV is deactivating the accounts of more than 600 known "grey market" Canadian subscribers whose accounts with DIRECTV had been activated by the defendants.

These steps by DIRECTV are part of its ongoing broader effort to actively protect its programming rights and to secure the signal integrity of the direct broadcast satellite (DBS) service.
A civil complaint was delivered with the cease and desist letters sent to David A. Diebert of Echo Communications and/or Dragon Pacific, Vancouver, B.C.; Mike McAllister of Version II Marketing, Waterloo, Ontario; National Computers and Supplies, also of Waterloo, Ontario; Digital DTH Distributors, Edmonton, Alberta; and Propack Inc., Blaine, Washington. The complaints are to be filed shortly in U.S. District Courts in the states of Washington and New York if the defendants do not meet the demands contained in the letter.

The civil claims are a result of investigations by the DIRECTV Office of Signal Integrity, which is headed by former FBI Special Agent Larry Rissler. Rissler's investigation revealed that the defendants, through the distribution of equipment and attempts to manipulate the DIRECTV customer service system, facilitated the reception of DIRECTV programming by residents of Canada. These actions were detected by DIRECTV through its sophisticated security systems and procedures. Further, the complaint alleges that the defendants assisted individuals in obtaining programming by attempting to disguise the location of the installed DSS(tm) system through electronic devices and other schemes. These actions violate several U.S. federal statutes, all of which also carry substantial criminal penalties.

"We're committed to the identification and, where appropriate, the prosecution of those individuals and entities who foster the unauthorized receipt of DIRECTV programming," said Rissler. "These actions are the first visible results of an aggressive on-going campaign by DIRECTV to protect its service and attack all types of unauthorized use, including Canadian grey market activities, as well as any residential or commercial misuse within the United States," Rissler added.
The federal statutes cited in the complaints are the Federal Communications Act, which prohibits the unauthorized receipt and use of satellite communications, including commercial television programming; the Federal Wiretap Statute, which proscribes the use of electronic or mechanical devices for the surreptitious reception of satellite programming; and the Computer Fraud and Abuse Act, which addresses the transmission of false information through sophisticated computer systems.

According to DIRECTV, the filing of the civil complaints would mark the first known use of the Computer Fraud and Abuse Act to address satellite signal theft. Because of the sophisticated nature of the computerized DIRECTV authorization and billing system, the electronic devices used by the defendants resulted in telephone calls from the DSS receivers to the DIRECTV computer system which were detected and traced to the DSS units authorized by the potential defendants.

The civil complaints also cited Washington and New York state causes of action, including wrongful interference with DIRECTV programming contracts and wrongful interference with prospective business advantage.

In all instances, DIRECTV has demanded that the defendants immediately cease and desist the illegal action. Failure to comply could lead to the issuance of injunctions ordering the defendants to stop the illegal activities and the assessment of monetary damage awards. In the case of the Federal Communications Act, damage awards can be as much as $110,000 for each violation.

DIRECTV and DSS are trademarks of DIRECTV Inc., a unit of Hughes Electronics Corporation. The earnings of Hughes Electronics Corp., a wholly owned subsidiary of General Motors Corporation, are used to calculate the earnings per share of General Motors Class H Common Stock (NYSE:GMH).

For more information, please contact: DIRECTV, Inc. Linda F.
Brill Director, Public Relations (310) 535-5062

Resources

American Hacker BBS. Access is included with a subscription to the hardcopy version of this newsletter. There is a bulletin section which is free to all. If there are any radical developments we will post news there. We also post to various Usenet news groups. 716.871-1915

Bomarc Services has some schematics for the RCA receiver (see their ad in this issue). They are contract reverse engineers and they have thousands of schematics available for all kinds of electronic devices including most cable boxes. A catalog of their 22 product categories costs 4 stamps. The catalog of cable and satellite descramblers, converters etc. costs $5. The following DSS schematics are available: Full Signal Modulator w/RF switch (Alps 3N0110A-US). $2. DSS Tuner Module (Sharp B5532). $4. Dual Polarity Single Channel Ku Band LNB for DSS Systems. $1. Dual Polarity Dual Channel DSS LNB. $2. Bomarc Services, Box 1113, Casper, WY, 82602.

Triangle Products is the major supplier of Oak decoders. They are available in VCII card cages for those who don't wish to use free-standing units. New Oak encrypted channels include Mandarin and Filipino. They also carry SureWrit 9, which is a diagnostic test device for those studying VCII or 029 PLUS technology. They have raw B-MAC's as well. 616.399.6390.

Hack Watch News is the foremost hacker newsletter in Europe. It is available by electronic delivery or by mail. It is written by John Mc Cormac who is the author of the "European Scrambling Systems" series. They are comprehensive texts on scrambling. John's Special Projects BBS is a repository for Videocrypt information, smartcard programs with source code etc. Voice 011-353-51-73640. BBS 011-353-5150143. E-mail jmcc@wizardr.ie. He has an article in the August issue of Electronics Now entitled "Has DSS been Hacked?" That article is available at http://www.iol.ie/~kooltek/hasdss.
We have greater quantity and more current information on the U.S. system in our zine American Hacker.

European Scrambling Systems Volume 4 is 500 pages long and concentrates on Videocrypt. It is available from Baylin Publications, 1-800-483-2423.

New Advanced Technologies manufactures and distributes DBS Dialer Systems. They invite inquiries for single units or networks. Voice 514.458.3063. FAX 514.458.0798.

END PART 2 OF 2 PARTS