                     "Doctor Mabuse: Hacker to the M-M-Max"

                               by Morgan Russell

                         in "Reality Hackers" Magazine

                                 Issue #5, 1988




     Chicago, November 22, 1987

     9 P.M. Viewers tune into WGN TV's Nightly News for the accustomed broadcast
reports from the world-at-large. A mysterious TV pirate is, at the same time,
aiming a microwave antenna at WGN's STL (Studio to Transmitter Link) preparing
to overpower the station's signal.

     9:14 P.M. Sports anchor Dan Roan is interrupted in mid-report by the
f-f-f-figure of Max Headroom who remains on-air for 25 seconds before WGN
switches to its backup STL frequency.

     11:10 The pirate overpowers WTTW TV's signal going to their STL on the
Sears Tower. For one minute twenty-eight seconds Max broadcasts his message
over one of the largest population centers in the United States, including
comments about a WGN radio and TV sports announcer, and displaying someone's
bare ass being hit with a fly swatter. WTTW loses control of its transmitter
entirely and is powerless to shut it down.

     Berkeley, March 31:

     Phone conversation between Morgan Russell and famed hacker/cracker "Deep
Tokes":

Morgan Russell: "What do you think of the comments in Television Broadcast
(leading broadcast journal) that 'millions of Americans who rely solely on TV
for news and information might be easy prey for manipulation,' that it's 'a
potential threat to national security,' and that 'our very society would be
disrupted?...'"

Mystery Caller: "I'd say stations should just belly up to the bar and order
some fiber-optic cable for security and get reasonable bandwidth into the
bargain," says an adenoid-afflicted voice not belonging to my interlocutor.

     "Someone there with you, Deep Tokes?"

     "So sorry to break in, but your line was busy and my time here is short. I
don't access REMOB (remote observation) unless I'm pressed for time."

     "Uh, Morgan," Deep Tokes interjects nervously, "I've got a workout
scheduled. Gotta go." Click.

     "Didn't mean to break anything up..." the interloper drawls.

     "Who is this?"

     "Let's just say an 'Interested Observer.' Your newsletter is amusing, but
it's a bit wimpy in the data department. You need a little hard data... a
technological hormone injection..."

     I break into the Interested Observer's languid simpering air, "We'll see
who needs a hormone injection."

     "Temper, temper, dearie. Listen, we must do lunch. If you want to know
about Max, I'm the one to talk to."

     "Well,..." I hesitate.

     "Meet me at the Durant at one. I'll be wearing a green carnation."

                                   * * * * *

     "You seem to know who I am, but what should I call you?"

     "You can call me..." he muses thoughtfully while surveying the wine list
with thinly veiled disdain, "ah, yes... why not simply call me Doktor Mabuse."

     "Tell me, Doktor, how does a TV pirate like the Max Headroom clone take
over a station?"

     "Very simply. Max Headclone isn't a model pirate, though. Certainly he's an
RF technician, possibly on the payroll of a fiber-optic company trying to drum
up business, but his job was amateurish in certain respects: his broadcast on
WGN had no sound because he wasn't using the proper audio subcarrier; he wasn't
able to switch STL frequencies when WGN did twenty-five seconds into the
broadcast; and his broadcast on WTTW was so brief that a viewer who went to the
bathroom or the fridge for an instant would have missed his slot entirely. If
it's not listed in TV Guide, it has to be long enough to attack people who are
channel-switching. And there's no indication that he knew the remote-control
protocol to take complete control of the transmitter."

     "Well, how would a savvier pirate do it?"

     "This is what I'd tell her: Catch the sign-off of the desired station.
They're always bragging how tall their transmitter is on the *tallest* building
or the *highest* peak, and they give their studio location so you can contact
them about it, so she'll merely need to find a hotel in between these two sites
in the cone of reception of the transmitter antenna. She can obtain frequency
information from her friendly neighborhood FCC field office or gather complete
information by putting a spectrum-analyzer in the line of the signal and looking
closely at what's being sent out, de-modulating it, and doing another spectrum-
analysis of that to determine the base-band."

     "Spectrum-analysis?"

     "A spectrum-analyser is a very fancy CRT display which costs five-to-twenty
thousand dollars. Five hundred to two thousand dollars to rent one for a month.
Generally speaking, a monthly rental on any of this equipment is about a tenth
the purchase price. But I digress. Some have digital displays and all manner of
bells and whistles. Hewlett-Packard makes a particularly fine one. Simpler
spectrum-analyzers are in the two-to-five thousand dollar range. The spectrum
analyzer can be used as a frequency measuring device with accuracy down to a
megahertz or so, which is probably close enough.

     "A normal Beta or VHS jitters too much to be acceptable for broadcast. It
may prevent operation of the STL if the STL is equipped with a mechanism which
shuts itself down in the absence of a stable signal. Super VHS with a time-base
corrector would yield broadcastable quality. Some transmitters, however, are
equipped with a time-base corrector, in which case she can send any kind of
signal. The audio requires seventy-five microseconds pre-emphasis to shape the
frequency response of the base-band."

     "Our pirate can derive the remote-control protocol by first determining the
brand of STL the station uses. TV stations allow the public to view their
facilities at least once a year when they have open-houses. She can note the
brand they use, for example, Moseley. She could also just call the station and
ask for the Chief Engineer. These techie-types just love to discuss what they do
and are usually most willing to give a run-down of their equipment to anyone
who's interested and sounds halfway plausible. Anyone in college with a class
assignment, for example. She might also go to the NAB (National Association of
Broadcasters) convention - there's one coming up soon in Vegas. She could strike
up a conversation at an STL manufacturer's booth and learn what format they use
and obtain a list of stations which use their equipment. The technical or
service manuals will indicate what frequencies subcarrier generators operate at,
what the deviation is, and what the level on the composite is.  She might also
analyze what's on the control-channel, though they use very high-speed signals
which can be tricky to follow.

     "The station may have a Telco link controlling the transmitter. This is a
much more secure arrangement. If our pirate can obtain the access and control
codes, she can turn the transmitter on and off, raise and lower its power, hear
sounds around the transmitter site, and get readings through a speech
synthesizer of the plate-current, output power, and plate voltage, all with a
touch-tone phone. She could, of course, just turn the transmitter off and leave
her phone off the hook to wipe out transmission entirely until someone drives to
the transmitter site and physically turns it back on.

     "Scanning the code is difficult. It has eight digits with twelve
possibilities for each and unsuccessful tries at the code are noted.

     "She needs a stable oscillator that can be frequency-modulated with several
signals at once: the composite video (video and color information), the sound
information, and special sub-carriers to activate the STL. She can use a VCO
(Voltage-Controlled Oscillator), or something which can be modulated like one,
as the basic source of the signal. A Gunn-oscillator unit, like an Avantek,
would operate in the proper frequency band. The voltage-control input allows her
to frequency-modulate. She applies the voltage stated on the unit, for instance,
eight-and-a-half volts. It takes about an amp to start and puts out
approximately ten milliwatts. An attenuator must be put between the VCO and the
power amplifier to keep the signal from overloading the amplifier. It should be
adjustable so she can give it just enough power to do the job. She should use
attenuator-pads with her power meter. The power heads can only take one hundred
milliwatts and she'd want to measure up to ten watts.

     "The Gunn oscillator has a fairly thick screw which alters the volume of
the cavity into which it moves, thereby altering the frequency. Many have a
little varactor diode which is a Voltage Variable Capacitor Diode with a little
loop of wire attached. Varying the voltage across this diode varies the
frequency only slightly, but enough to modulate it.

     "The 20dB directional coupler I show could just as well be a 30 dB unit if
the counter is sensitive enough. This is the tap-off off the oscillator to
monitor the frequency," Herr Doktor indicates with a golden nib. "The frequency
counter or the frequency measuring device must have a constant level.

     "A microwave frequency counter is a device that can actually count and
measure the frequency coming out of the antenna, the VCO, or the amplifier.
She can use the counter to adjust the input of the VCO. It acts as a digital AFC
which holds the frequency on. A microwave frequency counter costs about five
thousand dollars, but there are enough around so one could probably be borrowed
for the night. Cheaper frequency-control methods could also be used. A ten-foot
length of coax with a line-stretcher, and an R.F. mixer would form a fairly good
discriminator or FM detector and is tunable. It would be a multiple-wavelength
piece that would go through a zero-point twice every hundred megahertz. She'd
adjust the length with a line-stretcher to get on the right zero-point. Other
ways of stabilizing it are static-locking or phase-locking it with a crystal,
then a frequency multiplier having an output that is filtered for the desired
frequency, comparing the two frequencies and keeping them close. If the device
is stable enough, she might be able to use it 'as is' for a quickie. It wouldn't
drift much in a couple of minutes."

     "How could she avoid getting cut off the air if the station switches its
STL frequency on her?"

     "Most TV stations have at least two STL frequencies and can switch from one
to another. I've diagrammed a set-up here with a frequency counter and D/A
(Digital-to-analog) converter with offset. The D/A with offset takes the number
from the frequency counter and converts it to analog for the frequency control
loop. She could have a digital control here and set the frequency she wants.
This counter could be locked-onto and would then automatically pull the
oscillator into the right frequency. If the station flipped to another frequency
on the same band, her broadcast would simply flip frequencies synchronously. If
the alternate frequency were on another band, she'd need an additional frequency
control loop to have the capacity to flip frequencies along with the TV station.

     "A travelling-wave tube is probably the most available RF Amplifier, but
GaAs FET (Gallium Arsenide Field Effect Transistor) - type amplifiers may also
be available. It would have to be a clean amplifier, preferably linear, so the
output power is readily adjustable. She'd select the power capability of the
amplifier depending on the type of antenna used and the distance from the
transmitter. She needs only twice the paltry amount of power the studio puts
out. In the typical set-up, the station sends half-a-watt into a four-foot dish.
If she's halfway between the station and the transmitter, a quarter-watt would
overpower the signal. Every time she halves the distance to the transmitter, she
needs only a quarter the power. If she overloads the STL receiver, however, the
transmission quality is degraded or the receiver shuts down. STLs are as finicky
about a signal as pampered Persians are about a proffered hors d'oeuvre.

     "Finally, our pirate needs to tune her antenna by taking a reflected-power
reading. Ideally she'd want a hundredth part of the power returning. That would
be a good match. Once she's tuned it she can then just monitor the forward power
as she broadcasts.

     "A satellite uplink is very much the same basic idea as this set-up except
the power-end of it is much greater. One would want to be able to vary one's
power from fifty to five hundred watts into a twenty-four foot dish. A large
dish is highly detectable, but if twenty people banded together, each with her
backyard dish and a ten-watt amplifier sending frequencies precisely locked to
come into phase at the same satellite, the regular satellite uplink would be
overridden and there would be no good way to determine where the signal was
coming from. The technical expertise required is considerable, but don't
underestimate the ingenuity and rebellious spirit of all the independent cusses
who bought satellite dishes, some at very great expense, to receive all the
satellite signals, only to have some of them scrambled in an attempt by the
broadcaster to sell descramblers and charge monthly fees for the dubious
privilege of watching TV."

