💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › CABLE › vidocrpt.txt captured on 2022-06-12 at 08:43:54.

View Raw

More Information

-=-=-=-=-=-=-




                 ==========================


                         VIDEOCRYPT


                 ==========================




 VideoCrypt is without doubt a resilient system. It has been hacked
in the past eighteen months and it has recovered successfully. The
fact that it has been hacked illustrated that it is not pirate proof or
indeed hacker proof.


  When the system was launched, some of the public relations
people claimed that it was the most pirate proof system yet devised.
This pirate proof attribute was a myth. A myth is an attempt to explain
a reality with the mental tools available. Therefore since the public
relations people neither understood the abilities of hackers or
security of the system it would be, to them at least, pirate proof.


  The philosophy of the VideoCrypt system is that of the Detach;
Secure Processor. The decoder itself is merely a dumb terminal.
detachable secure processor is the smart card. Theoretically
smart card contains the Critical data and the decoder contains not
of significance. This "dumb terminal' idea has been echoed by N
Datacom and Sky executives.           


  The scrambling technique used in VideoCrypt is line cut and rotate.               
The video is digitised and then cut at one of 256 possible points. the              
digitised video segments are then rotated about this point and the                  
digital video is converted back to analogue.


  The fact that the cut point is one of 256 points means that it can be           
defined as an eight bit word. This byte is supplied by a Pseudo
Random Number Generator. The PRNG is sixty stages long and is
reset approximately every two and a half seconds. The seed is sent in
an encrypted format in the vertical blanking data.


  VideoCrypt transmits addressing and access control data in a few
lines of the VBI. The data rate is slower than that of teletext. Each of
the packets of data has a checksum. This checksum is a product of
the active data in the packets. 

 
  The checksum is apparently not a standard one. It is, according to
sources, some sort of message digest or hash function. The data is
fed into a routine that generates a fixed length output. This output
block is attached to the data packet. If any of the bits in the data are
changed, the change will be detected. The decoder will run the data
through the same routine. The output block should be the same as
that transmitted with the data packet. If the comparison check fails
then the data has been altered.


  Only 585 lines or so in each frame are scrambled. This is to enable
the VBI signals to be checked without descrambling the video. The
reason for this is so that the signal quality can be checked on SMATV
and cablenets without having to descramble the signal. It is a
standard feature on most scrambling systems.



Decoder Architecture
====================

  The VideoCrypt stand alone decoder is a hybrid design. It uses
both discrete components and surface mount components. This is
necessary to reduce the size of the board. The board type used in the
early stand alone decoders is SRBP or synthetic resin bonded paper.
It is not the most reliable of board materials but it is one of the
cheapest. It does reject the television manufacturing industry as most
of the boards in television receivers are SRBP.


  In the IRD version, the power supply is part of the main receiver 
PSU. There are four voltage rails in the decoder: +21V, +12V5, +15V 
and +5V. The main part of the circuitry runs off of the +5V0 rail. 

 
The House Keeper microcontroller
================================

  The main processor in the descrambler is the 8052 from Intel. This 
is a microcontroller and has an on-chip ROM and RAM. There are
also two types of this microcontroller available; the BASIC  ROM
version and the Mask programmable version. It is probable that the
version used in the descrambler is the Mask version. This means that
there is an 8K program running the descrambler. The 8052 can be
forced to disgorge the control program.


  Many veteran hackers who examined the Sky decoder were
suspicious of the ease with which the 8052 could be forced to
disgorge the control program. By putting a finger across pins on the
ICs, some very strange messages came up on the screen. One of
these was "FALSE CUT POINT". The control program when
disassembled proved to be little more than house keeping with a few
card zap routines.



  The incriminating text proved that the ZC404044 was a secure            
Microcontroller. There was one other way of getting confirmation - 
phone Motorola, the manufacturers of the chip, and ask them about         
the IC.


  Of course the fact that the program in the 8052 could be read and        
examined meant that the whole card to secure processor interface
could be monitored and where necessary the data could be modified.        
This has led to the most devastating hack on VideoCrypt - The             
KENtucky Fried Chip.


The Secure Processor
====================

 The real heart of the Sky decoder is the ZC404044 or in later            
versions the ZC404047. The earlier decoders have an eight pin
EEPROM. The later versions incorporate the EEPROM data on the             
ZC404047. The control program is held in masked ROM and as such           
is very difficult to read. Ordinary attempts to disgorge it failed and    
there are rumours that the ICs are being reversed in the Far East. 


The Custom Logic
================
 
  TCllOG03AP is custom logic. It handles the control of the video          
descrambling circuitry. This is also the most likely area for the PRNG.   
On same of the later versions of VideoCrypt decoders this part is         
labelled TCE mV-2. The TCE possibly standing for Thomson
Consumer Electronics. This IC also handles the clock generation for       
the whole decoder. The IC's clock is derived from a 28 MHz crystal.       


The Video Descrambler
=====================

  The video section of the VideoCrypt decoder is elegantly simple.
The scrambled video is digitised by a TDA8703 ADC. This turns the
video into a sequence of 8 bit words. The digitised video is then fed to  
a set of two FIFO memories. FIFO stands for first in first out. These
ICs are capable of storing 910 8 bit words each.


  Each FIFO holds one segment of the line so that reassembling the 
video is merely a question of switching between the two FIFOs when 
clocking out the data. The descrambled digitised video, with the
segments in the correct order, is fed to a TDA8702 DAC.
The multiplexing and latching is controlled by the custom logic IC.
The analogue video is then fed to the output stage. This stage is a
discrete transistor design. The video signal is clamped and the on
screen graphics are added. The resulting signal is filtered before
being routed to the SCART connector or back into the receiver.