💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › CABLE › vidocrpt.txt captured on 2022-06-12 at 08:43:54.
-=-=-=-=-=-=-
========================== VIDEOCRYPT ========================== VideoCrypt is without doubt a resilient system. It has been hacked in the past eighteen months and it has recovered successfully. The fact that it has been hacked illustrated that it is not pirate proof or indeed hacker proof. When the system was launched, some of the public relations people claimed that it was the most pirate proof system yet devised. This pirate proof attribute was a myth. A myth is an attempt to explain a reality with the mental tools available. Therefore since the public relations people neither understood the abilities of hackers or security of the system it would be, to them at least, pirate proof. The philosophy of the VideoCrypt system is that of the Detach; Secure Processor. The decoder itself is merely a dumb terminal. detachable secure processor is the smart card. Theoretically smart card contains the Critical data and the decoder contains not of significance. This "dumb terminal' idea has been echoed by N Datacom and Sky executives. The scrambling technique used in VideoCrypt is line cut and rotate. The video is digitised and then cut at one of 256 possible points. the digitised video segments are then rotated about this point and the digital video is converted back to analogue. The fact that the cut point is one of 256 points means that it can be defined as an eight bit word. This byte is supplied by a Pseudo Random Number Generator. The PRNG is sixty stages long and is reset approximately every two and a half seconds. The seed is sent in an encrypted format in the vertical blanking data. VideoCrypt transmits addressing and access control data in a few lines of the VBI. The data rate is slower than that of teletext. Each of the packets of data has a checksum. This checksum is a product of the active data in the packets. The checksum is apparently not a standard one. It is, according to sources, some sort of message digest or hash function. The data is fed into a routine that generates a fixed length output. This output block is attached to the data packet. If any of the bits in the data are changed, the change will be detected. The decoder will run the data through the same routine. The output block should be the same as that transmitted with the data packet. If the comparison check fails then the data has been altered. Only 585 lines or so in each frame are scrambled. This is to enable the VBI signals to be checked without descrambling the video. The reason for this is so that the signal quality can be checked on SMATV and cablenets without having to descramble the signal. It is a standard feature on most scrambling systems. Decoder Architecture ==================== The VideoCrypt stand alone decoder is a hybrid design. It uses both discrete components and surface mount components. This is necessary to reduce the size of the board. The board type used in the early stand alone decoders is SRBP or synthetic resin bonded paper. It is not the most reliable of board materials but it is one of the cheapest. It does reject the television manufacturing industry as most of the boards in television receivers are SRBP. In the IRD version, the power supply is part of the main receiver PSU. There are four voltage rails in the decoder: +21V, +12V5, +15V and +5V. The main part of the circuitry runs off of the +5V0 rail. The House Keeper microcontroller ================================ The main processor in the descrambler is the 8052 from Intel. This is a microcontroller and has an on-chip ROM and RAM. There are also two types of this microcontroller available; the BASIC ROM version and the Mask programmable version. It is probable that the version used in the descrambler is the Mask version. This means that there is an 8K program running the descrambler. The 8052 can be forced to disgorge the control program. Many veteran hackers who examined the Sky decoder were suspicious of the ease with which the 8052 could be forced to disgorge the control program. By putting a finger across pins on the ICs, some very strange messages came up on the screen. One of these was "FALSE CUT POINT". The control program when disassembled proved to be little more than house keeping with a few card zap routines. The incriminating text proved that the ZC404044 was a secure Microcontroller. There was one other way of getting confirmation - phone Motorola, the manufacturers of the chip, and ask them about the IC. Of course the fact that the program in the 8052 could be read and examined meant that the whole card to secure processor interface could be monitored and where necessary the data could be modified. This has led to the most devastating hack on VideoCrypt - The KENtucky Fried Chip. The Secure Processor ==================== The real heart of the Sky decoder is the ZC404044 or in later versions the ZC404047. The earlier decoders have an eight pin EEPROM. The later versions incorporate the EEPROM data on the ZC404047. The control program is held in masked ROM and as such is very difficult to read. Ordinary attempts to disgorge it failed and there are rumours that the ICs are being reversed in the Far East. The Custom Logic ================ TCllOG03AP is custom logic. It handles the control of the video descrambling circuitry. This is also the most likely area for the PRNG. On same of the later versions of VideoCrypt decoders this part is labelled TCE mV-2. The TCE possibly standing for Thomson Consumer Electronics. This IC also handles the clock generation for the whole decoder. The IC's clock is derived from a 28 MHz crystal. The Video Descrambler ===================== The video section of the VideoCrypt decoder is elegantly simple. The scrambled video is digitised by a TDA8703 ADC. This turns the video into a sequence of 8 bit words. The digitised video is then fed to a set of two FIFO memories. FIFO stands for first in first out. These ICs are capable of storing 910 8 bit words each. Each FIFO holds one segment of the line so that reassembling the video is merely a question of switching between the two FIFOs when clocking out the data. The descrambled digitised video, with the segments in the correct order, is fed to a TDA8702 DAC. The multiplexing and latching is controlled by the custom logic IC. The analogue video is then fed to the output stage. This stage is a discrete transistor design. The video signal is clamped and the on screen graphics are added. The resulting signal is filtered before being routed to the SCART connector or back into the receiver.