informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/hacking/CABLE/paytv.txt

442 lines
20 KiB
Plaintext
Raw Permalink Blame History

FAQ - Decoding pay TV
======================
Last Updated: 30-01-95
======================
1.0 Overview of scrambling in Europe
2.0 Hacking pay TV
2.1 Is it legal ?
2.2 VideoCrypt Smart Cards
2.3 What is Season or Omigod software ?
2.4 Where can I get the Season software ?
2.5 The Season Cardadapter
2.6 I can't ftp, Can someone post the file for me ?
2.7 What are blockers and what is Phoenix ?
2.8 Is there a D2-Mac Eurocrypt M version of Season ?
2.9 Is there a hack on Nagra ?
3.0 Finding out more
3.1 Who / what is the TV-crypt, how can I join ?
3.2 Reading List
4.0 Advertising of pirate devices on the newsgroup
5.0 Credits
1.0 OVERVIEW OF SCRAMBLING IN EUROPE
====================================
There are about six or seven different methods in use in various parts of
Europe. The three most common ones are VideoCrypt, EuroCrypt and
Nagravision. Each of these has various "dialects" and variants.
VideoCrypt comes in two versions, VideoCrypt I and VideoCrypt II. They are
parallel, and the idea is that VC I is to be used inside the UK, and VC II
in the rest of Europe. The same channel may be encrypted by both methods at
the same time, thus the channels available both in the UK and the continent
(Discovery, TCC etc.) use both VC I and VC II. Almost all efforts at
cracking VideoCrypt has concentrated on VC I, which is what we will
describe in the following.
JSTV is the only broadcaster that makes programmes available Europe wide
using VideoCrypt I. This is due to the small audience they serve and the
substantial cost of adopting VideoCrypt II which also has subscription
management deals bundled in with it.
Eurocrypt is integrated into the MAC transmission standard, and only Mac
channels use Eurocrypt. Eurocrypt also comes in two variants, M and S.
Eurocrypt M is the most common, only three channels (Sweden 1 and 2, Norway
2) today use Eurocrypt S, the two first in the less used DMAC variant.
All pirate cards referred to only decode the Eurocrypt M channels.
A third Mac variant is BMAC which is used by the American Forces Radio and
Television Service and several business TV applications. BMAC has apparently
been hacked in the USA but the system here is slightly different and the same
hacks would not work. If you want AFRTS you're out of luck, even US servicemen
have probelms getting the gear.
Nagravision is also known as Syster, and is used in France, Spain, Turkey and
Germany. Unlike VideoCrypt and Eurocrypt, Nagravision decoder boxes are not
for sale. They are only rented out to subscribers, but still operate with a
smart card. Nagravision has not been cracked, and there are no known pirate
cards. Nagravision is now replacing the older and less secure Discret
system in France.
Apart from these three big systems, others include Luxcrypt, used by the
Dutch RTL networks (a box, no card - decoders easily available) and
Smartcrypt (box & card, used by the French RTL channel; boxes now available
for sale in France).
2.0 HACKING PAY TV
==================
2.1 Is it legal ?
-----------------
The legal position on hacking varies from country to country. Basically a
good rule is that a channel being uplinked from a particular country is
probably going to be protected by that country's laws. For example hacking
Sky in the United Kingdom is illegal under that country's laws. However
hacking FilmNet in the United Kingdom is legal since it is not precisely
covered by UK law. TV1000 on the other hand is partially uplinked from the
UK and is therefore protected under UK law even though the pornography
transmitted on the channel would not be permitted to be uplinked from the
UK. In fact, TV 1000 has threatened UK dealers with legal action many times
and some pirate cards sold in the UK will not decode the channel.
Europe is still a multi-copyright area. It is therefore possible for Sky and
FilmNet to purchase the rights to show the same film. Perhaps in the future,
the copyright issue will be worked out and we will have a single copyright
area for Europe.
To date most of the prosecutions have been against people who have been too
visible. It is not economically viable for a channel to prosecute every user
of a pirate smart card. Instead they will generally concentrate on dealers
and distributors.
Of course they may also decide to make an example of an individual pirate
card user. The logic of the legal departments of channels is not as
predictable as - that of their engineering departments.
If you get caught you are unlikely to be able to plead any clever excuse that
you may come up with. After all, does this sound legal ?
2.2 VideoCrypt Smart Cards
--------------------------
Pirate smart cards are cards that have been manufactured to hack a channel.
They are, in most cases totally different from official smart cards. The
majority of these cards are based on the PIC16Cxx series of microcontrollers.
Other variations have been seen but the PIC16Cxx cards are the commonest.
There is also a trade in what are referred to as Grey Market smart cards.
These are official cards, that are exported to another country. Generally
it is a one for one trade with the broker taking a comission. For example, a
Sky subscription would be taken out in the UK and a FilmNet subscription would
be taken out in Sweden. The cards would then be swapped via a broker.
The subscriptions would be kept up to date by both parties. The legal position
on this activity is not clear as the channels benefit from the transaction in
that they both get subscriptions. It does rely on mutual trust.
Purchasing a pirate card involves risk. There is a probability that the pirate
card will be killed in the future. The channels implement electronic
countermeasures to try and kill the pirate cards. Technically speaking, no
pirate card can ever be 100% safe. This point has been proven too frequently
over the last few months.
The system used by FilmNet Plus and TV1000 (among others) is EuroCrypt-M. This
system has been continually hacked since 1992. In terms of value for money,
users of EuroCrypt-M pirate smart cards have fared better. This is because
the channels have not frequently implemented countermeasures. Of course the
recent countermeasure by TV1000 has had a devastating effect. Most of the
pirate smart cards have been knocked out.
The VideoCrypt system, as used by Sky and the Adult Channel, has been updated
more regularly. The next card issue will be issue ten or in technical terms,
the 0A card. In addition to issuing a new smart card every year or so, Sky
and News Datacom also implement countermeasures to knock out pirate smart
cards. Over the last few months, the time between these countermeasures has
only been a few weeks.
As a direct result, many of the pirate cards have had to be sent back to the
dealer for upgrade. Some innovative pirates have designed their cards so that
they can be upgrade by the customer. The solutions for the countermeasures
are recorded as a set of numbers on an answering machine. The customer rings
the phone number with the answering machine and gets the update numbers. He
then enters them into the pirate card via a key pad. Other solutions such as
a modem on the pirate card have also been seen.
In real terms, anyone purchasing a pirate card is taking a risk. The pirate
card will eventually be hit by a countermeasure. If it is not, then the
channel may issue a new smart card with the consequence that all of the old
pirate smart cards will be knocked out.
2.3 What is Season or Omigod software?
--------------------------------------
The Season software began life as an attempt to watch the final season of
Star Trek: TNG. The final season was season 7. As a result, the first working
PC program that decoded Sky was named SEASON7. The first version of this
program appeared in March of 1994. At the time, the current issue of the Sky
card was Issue 7. Therefore some confusion arose.
The term Omigod (Oh My God!) was also used to describe the programs. Well
the preceding hack using the PIC cards was known as the Ho Lee Fook hack!
Over the months from March to May, versions for different computers appeared.
Many of these were posted on the alt.satellite.tv.europe newsgroup.
On May 18th 1994, Sky changed from issue 07 cards to their new issue 09 card.
In hacker terms, May 18th is referred to as Dark Wednesday. The 09 card
proved harder to hack but a temporary solution appeared in June of that year.
It only lasted a few week before Sky changed codes again. Though some attempts
at an issue 09 SEASON hack were made, the change of code by Sky stopped it
cold. Well at least until just before Christmas.
Last Christmas, no less than three versions of the SEASON hack appeared. Two
of them worked on the PC and the other one worked on the Apple MAC. Of course
Sky was paying attention and on January 4th 1995, they implemented a
countermeasure that knocked out pirate cards and all of the SEASON hacks. The
war between Sky and the pirates had recommenced. Updated versions of the
SEASON hacks became available. Sky implemented another countermeasure on
January 25th 1995. Again the Season hacks were updated. This spiral of
countermeasure and update will probably continue until the issue of the new
Sky card, the 0A.
The algorithm in the current card issue (09) is far more complex than the one
used in the 07 card. While the 07 algorithm was not really designed to be
upgradable, the 09 algorithm is without doubt an extremely flexible
algorithm.-
2.4 Where can I get the software from ?
---------------------------------------
There are versions of this software that will decode Sky and The Adult Channel
although there are no known versions that cover VideoCrypt 2 channels or JSTV.
Different versions of the SEASON software are available from a number of
ftp sites and a multitude of BBSes. Some of the sites are listed below.
ftp ftp.uni-erlangen.de
/pub/Multimedia/VideoCrypt/
note the capital letters ! They do make a difference.
A later version of the Season 9 software is available via ftp from :
ftp utelscin.el.utwente.nl
/pub/upload/vcrypt/s9_v11.zip
/pub/upload/vcrypt/s9_v11b.zip
/pub/upload/vcrypt/s9_v11c.zip seems to be the most recent version.
2.5 The Season Cardadapter
--------------------------
The computer has to be connected to the VideoCrypt decoder via an interface.
This interface is sometimes referred to as an Omigod or Season interface. It
is essentially a simple design that allows the RS232 serial port of the
computer to be connected to the TTL levels of the card socket. Most of the
versions of the Season software include a text file on the construction
details of this interface in a file called ADAPTER.TXT.
Details of the adapter are on Erlangen in the directory :
/pub/Multimedia/VideoCrypt/cardadapter/
The artwork for making the PCB interface is available in postcript form at :
ftp harley.pcl.ox.ac.uk
/pub/smartpc/smart.ps
ftp joule.pcl.ox.ac.uk
/pub/mark/smart.ps
http://joule.pcl.ox.ac.uk/~mark/sat.html
This software uses very accurate timing for the decoding, there are
several reports that this software runs OK on some machines and not on
others. Please expect problems and try slowing your CPU down as a first fix.
Problems are reported about different COMM cards, Memory Managers and so
called Serial Device drivers (like fossils). It's best to run the Season
software on a 'clean' machine
Some people will make the adapters for you :
mark@physchem.ox.ac.uk
an180497@anon.penet.fi
mikey@cass.demon.co.uk
eetnas@zippy.dct.ac.uk
2.6 I can't ftp. Can someone post it for me ?
---------------------------------------------
If you can't use ftp from your account then get yourself aquanited with
ftpmail. As well as allowing you to get the software yourself and keeping
traffic in the group down, it will also enable you to get any software on
any subject !
For details of how to use ftpmail send a message with the word "help"
in the body to :
bitftp@wm.gmd.de
ftpmail@ftp.uni-stuttgart.de
ftpmail@grasp.insa.lyon.fr
ftpmail@ieunet.ie
ftpmail@plearn.edu.pl
ftpmail@doc.ic.ac.uk
The files will be returned in a format known as uuencoded. You'll need a
uudecoder to make these into useful files. These are widely available for
all platforms although if you can't ftp you'll have to work out how to
get one. More details on email use of the net are on NBC text page 188.
2.7 What are blockers and what is Phoenix?
------------------------------------------
In the middle of the summer of 1994, there was little success in hacking Sky.
A program was written in the TV-CRYPT for testing a theory. The theory dealt
with the over the air addressing system on VideoCrypt. The question was:
"could the presently available knowledge be used to switch on or off a Sky
card?". At that time, the available knowledge consisted of the fragment of
the 09 code that was killed in June and a working knowledge of how Sky encoded
card numbers in their over the air addressing system. The available knowledge
was sufficient.
The computer program written to test the theory was called Phoenix. Since most
of the cards experimented upon were Quickstarts that Sky had killed, Phoenix,
the mythical bird that rises from its own ashes seemed a good name.
Of course the program fell into the hands of commercial pirates. The Phoenix
program on its own was useful to switch on the 09 Quickstarts that Sky had
killed. It was also being used to switch on all channels on a Sky card with
only the Multichannels subscription. It was a Musketeer hack - all for one and
one for all. But that hack name had already been used.
Unfortunately these reactivated cards were only lasting a few days before
being killed again by Sky. Then when Sky increased their kill cycle the cards
only lasted a few hours. Some solution had to be found.
The solution lay in a hack of 1992 - the KENtucky Fried Chip. This was a
modified version of the smart card - decoder microcontroller in the VideoCrypt
decoder. It stopped Sky from turning off a card by examining each over the air
packet for the identity number of the card in the card socket and stopping
such a packet from reaching the smart card. Sky could not kill the card
because the card never received the kill instruction.
Of course the chip used in the decoder was too expensive and there was a
rather large number of redundant PIC16C84 chips available. The first blockers
to hit the market had the blocking program in a PIC16C84. They consisted of
a card socket, a PIC16C84 and a PCB. The official card, having being activated
by the Phoenix program would then only be used in the blocker. Luckily it was
not named the Condom hack.
Of course the popularity of these devices soon meant that individually
activating the Quickstart cards with the Phoenix program was taking too much
time. The solution was to incorporate the Phoenix routines in the PIC16C84.
These new blockers were more successful. Over the months from August to
November, they were given a bewildering array of names; Genesis, SunBlocker,
Sh*tblocker, Exodus.
Naturally Sky were a little upset with this resurrection of their dead cards.
Their response, at first was purely technical. Later in 1994, they took legal
action in the Uk against some people supplying blockers.
There was more to the VideoCrypt 09 smart card than people realised. The most
important aspect was that Sky could actually write to the card. The
instructions for doing this were carried in the same packets that carried the
activation and deactivation instructions.
The blockers only looked for the specific identity number of the card in the
card socket. As long as that identity number did not appear in the packet, it
was let straight through to the card. Sky had managed to knock out a number of
cards while they were in the blockers.
Some of these countermeasures were reversible in that the card itself was not
completely dead. One of Sky's countermeasures did actually hit the card in a
manner that effectively locked it. At that point, the blockers were becoming
irrelevant - there were working pirate smart cards for VideoCrypt.
The Phoenix program, in various guises, still works. Of course some of the
newer smart cards from Sky have been found to be resistant to being activated
with Phoenix.
2.8 Is there a D2-MAC EuroCrypt-M Version of The Season Hack?
-------------------------------------------------------------
The simple answer is yes. The EuroCrypt-M system is DES based. In an ironic
way the system's greatest strength was its greatest weakness. Again the
progression from pirate smart card to computer program was apparent. There is
a number of different versions of the hack floating around on BBSes though
all of these were affected by the latest TV1000 key change.
2.9 Is there a hack on Nagra?
-----------------------------
Not yet. The main problem with a working hack on the Nagra system would be the
decoders. It would be easy to replicate the pirate smart card but the decoders
are not easy to get. Therefore with access to the decoders controlled it is a
very good demonstration of the philosophy of total access control.
3.0 FINDING OUT MORE
====================
3.1 Who are / what is the TV-CRYPT and how can I subscribe ?
------------------------------------------------------------
The TV-CRYPT is a closed mailing list. It was set up to enable the discussion
of the methods and technology of TV scrambling systems. It is more of a forum
for the exchange of ideas than anything else.
Contrary to popular belief, it is not a private means of distributing the most
recent copies of software for hacking Sky. Neither is it an "elite" group of
super hackers whose sole intent is to hack channels just to watch the movies.
It is an "by invitation only" list. If you can demonstrate a knowledge of
scrambling systems through your posts here in the newsgroup, then you may be
invited to join.
3.2 Reading List
----------------
The de-facto standard text on encryption and scrambling systems is John Mc
Cormac's Black Book. Currently in edition 4, the book gives the reader a
complete overview of the industry and systems in use in Europe.
Black Book 4
ISBN 1-873556-03-9
Waterford University Press
MC2 (Publications Division)
22 Viewmount
Waterford
Ireland
Fax +353-51-73640
BBS +353-51-50143
email mc2@cix.compulink.co.uk
4.0 ADVERTISING OF PIRATE DEVICES ON alt.satellite.tv.europe
============================================================
Please do not advertise or promote commercial pirate devices on
alt.satellite.tv.europe, in many European countries there are
complex legal rules regarding 'goods to be used for criminal
purpose'. If we keep the discussion at an 'educational' level, for personal
use the group should attract much less attention.
There is also a grey area of the law that is presently untested. This
surrounds the possible prosectution of Internet service providers because
of material they carry. If the newsgroup becomes a source of software for
hacking pay TV you may find your site removes it, just as some providers
strip the alt.binaries.pictures.erotica groups.
5.0 CREDITS
===========
Major contributors :
John McCormac (mc2@cix.compulink.co.uk)
Knut Vikor (knut.vikor@smi.uib.no)
Contributors :
Rene Vreeman (renev@intouch.nl)
Linus Surguy (lis@mfltd.co.uk)
Brian McIlwrath (bkm@starlink.rutherford.ac.uk)
Maintained by
Martyn Williams (martyn@euro.demon.co.uk)
--
Martyn Williams | Internet : martyn@euro.demon.co.uk
| CI$ : 100025,1637
| Nifty : PXQ00623
letely dead. One of Sky's countermeasures
Reference in New Issue View Git Blame Copy Permalink