💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › CABLE › decodfaq.txt captured on 2022-07-17 at 01:53:50.
⬅️ Previous capture (2022-06-12)
-=-=-=-=-=-=-
I've received several messages asking for this to be reposted so here it is ! Please read the disclaimer carefully so I don't get lots of messages ! -------------------------------------------------------------------------- FAQ - Decoding pay TV - 1.2 =========================== Last Updated: 22-02-95 =========================== 0.0 Disclaimer / Explanation 1.0 Overview of scrambling in Europe 2.0 Hacking pay TV 2.1 Is it legal ? 2.2 VideoCrypt Smart Cards 2.3 What is Season or Omigod software ? 2.4 Where can I get the Season software ? 2.5 The Season Cardadapter 2.6 I can't ftp, Can someone post the file for me ? 2.7 What are blockers and what is Phoenix ? 2.8 Is there a D2-Mac Eurocrypt M version of Season ? 2.9 Is there a hack on Nagra ? 3.0 Finding out more 3.1 Who / what is the TV-crypt, how can I join ? 3.2 Reading List 4.0 Advertising of pirate devices on the newsgroup 5.0 Credits 0.0 Disclaimer / Explanation : ============================== Please read the following carefully : I am merely the maintainer of this FAQ. I wrote very little in for two reasons. Firstly I do not condon the use of such devices and, secondally, personally have little interest in the subject. In fact, I have never even attempted to build such devices so please don't email questions to me - I don't know, really ! I set about asking people to contribute parts and putting it all together as there was an obvious need for an FAQ on this subject judging by the messages in the newsgroup. From the personal email I received after issue 1.0 it looks like we've got it right. If the information in this FAQ does not satisfy you please post follow ups in the newsgroup or, even better, buy the book listed at the end ! You must understand that the use of these devices in areas where offical subscriptions are available is probably illegal. If you can, get a legal subscription - it's easy and it's probably cheaper and less trouble in the long run too ! So, remember - no email to me ! Martyn 1.0 OVERVIEW OF SCRAMBLING IN EUROPE ==================================== There are about six or seven different methods in use in various parts of Europe. The three most common ones are VideoCrypt, EuroCrypt and Nagravision. Each of these has various "dialects" and variants. VideoCrypt comes in two versions, VideoCrypt I and VideoCrypt II. They are parallel, and the idea is that VC I is to be used inside the UK, and VC II in the rest of Europe. The same channel may be encrypted by both methods at the same time, thus the channels available both in the UK and the continent (Discovery, TCC etc.) use both VC I and VC II. Almost all efforts at cracking VideoCrypt has concentrated on VC I, which is what we will describe in the following. JSTV is the only broadcaster that makes programmes available Europe wide using VideoCrypt I. This is due to the small audience they serve and the substantial cost of adopting VideoCrypt II which also has subscription management deals bundled in with it. Eurocrypt is integrated into the MAC transmission standard, and only Mac channels use Eurocrypt. Eurocrypt also comes in two variants, M and S. Eurocrypt M is the most common, only three channels (Sweden 1 and 2, Norway 2) today use Eurocrypt S, the two first in the less used DMAC variant. All pirate cards referred to only decode the Eurocrypt M channels. A third Mac variant is BMAC which is used by the American Forces Radio and Television Service and several business TV applications. BMAC has apparently been hacked in the USA but the system here is slightly different and the same hacks would not work. If you want AFRTS you're out of luck, even US servicemen have probelms getting the gear. Nagravision is also known as Syster, and is used in France, Spain, Turkey and Germany. Unlike VideoCrypt and Eurocrypt, Nagravision decoder boxes are not for sale. They are only rented out to subscribers, but still operate with a smart card. Nagravision has not been cracked, and there are no known pirate cards. Nagravision is now replacing the older and less secure Discret system in France. Apart from these three big systems, others include Luxcrypt, used by the Dutch RTL networks (a box, no card - decoders easily available) and Smartcrypt (box & card, used by the French RTL channel; boxes now available for sale in France). 2.0 HACKING PAY TV ================== 2.1 Is it legal ? ----------------- The legal position on hacking varies from country to country. Basically a good rule is that a channel being uplinked from a particular country is probably going to be protected by that country's laws. For example hacking Sky in the United Kingdom is illegal under that country's laws. However hacking FilmNet in the United Kingdom is legal since it is not precisely covered by UK law. TV1000 on the other hand is partially uplinked from the UK and is therefore protected under UK law even though the pornography transmitted on the channel would not be permitted to be uplinked from the UK. In fact, TV 1000 has threatened UK dealers with legal action many times and some pirate cards sold in the UK will not decode the channel. Europe is still a multi-copyright area. It is therefore possible for Sky and FilmNet to purchase the rights to show the same film. Perhaps in the future, the copyright issue will be worked out and we will have a single copyright area for Europe. To date most of the prosecutions have been against people who have been too visible. It is not economically viable for a channel to prosecute every user of a pirate smart card. Instead they will generally concentrate on dealers and distributors. Of course they may also decide to make an example of an individual pirate card user. The logic of the legal departments of channels is not as predictable as - that of their engineering departments. If you get caught you are unlikely to be able to plead any clever excuse that you may come up with. After all, does this sound legal ? 2.2 VideoCrypt Smart Cards -------------------------- Pirate smart cards are cards that have been manufactured to hack a channel. They are, in most cases totally different from official smart cards. The majority of these cards are based on the PIC16Cxx series of microcontrollers. Other variations have been seen but the PIC16Cxx cards are the commonest. There is also a trade in what are referred to as Grey Market smart cards. These are official cards, that are exported to another country. Generally it is a one for one trade with the broker taking a comission. For example, a Sky subscription would be taken out in the UK and a FilmNet subscription would be taken out in Sweden. The cards would then be swapped via a broker. The subscriptions would be kept up to date by both parties. The legal position on this activity is not clear as the channels benefit from the transaction in that they both get subscriptions. It does rely on mutual trust. Purchasing a pirate card involves risk. There is a probability that the pirate card will be killed in the future. The channels implement electronic countermeasures to try and kill the pirate cards. Technically speaking, no pirate card can ever be 100% safe. This point has been proven too frequently over the last few months. The system used by FilmNet Plus and TV1000 (among others) is EuroCrypt-M. This system has been continually hacked since 1992. In terms of value for money, users of EuroCrypt-M pirate smart cards have fared better. This is because the channels have not frequently implemented countermeasures. Of course the recent countermeasure by TV1000 has had a devastating effect. Most of the pirate smart cards have been knocked out. The VideoCrypt system, as used by Sky and the Adult Channel, has been updated more regularly. The next card issue will be issue ten or in technical terms, the 0A card. In addition to issuing a new smart card every year or so, Sky and News Datacom also implement countermeasures to knock out pirate smart cards. Over the last few months, the time between these countermeasures has only been a few weeks. As a direct result, many of the pirate cards have had to be sent back to the dealer for upgrade. Some innovative pirates have designed their cards so that they can be upgrade by the customer. The solutions for the countermeasures are recorded as a set of numbers on an answering machine. The customer rings the phone number with the answering machine and gets the update numbers. He then enters them into the pirate card via a key pad. Other solutions such as a modem on the pirate card have also been seen. In real terms, anyone purchasing a pirate card is taking a risk. The pirate card will eventually be hit by a countermeasure. If it is not, then the channel may issue a new smart card with the consequence that all of the old pirate smart cards will be knocked out. 2.3 What is Season or Omigod software? -------------------------------------- The Season software began life as an attempt to watch the final season of Star Trek: TNG. The final season was season 7. As a result, the first working PC program that decoded Sky was named SEASON7. The first version of this program appeared in March of 1994. At the time, the current issue of the Sky card was Issue 7. Therefore some confusion arose. The term Omigod (Oh My God!) was also used to describe the programs. Well the preceding hack using the PIC cards was known as the Ho Lee Fook hack! Over the months from March to May, versions for different computers appeared. Many of these were posted on the alt.satellite.tv.europe newsgroup. On May 18th 1994, Sky changed from issue 07 cards to their new issue 09 card. In hacker terms, May 18th is referred to as Dark Wednesday. The 09 card proved harder to hack but a temporary solution appeared in June of that year. It only lasted a few week before Sky changed codes again. Though some attempts at an issue 09 SEASON hack were made, the change of code by Sky stopped it cold. Well at least until just before Christmas. Last Christmas, no less than three versions of the SEASON hack appeared. Two of them worked on the PC and the other one worked on the Apple MAC. Of course Sky was paying attention and on January 4th 1995, they implemented a countermeasure that knocked out pirate cards and all of the SEASON hacks. The war between Sky and the pirates had recommenced. Updated versions of the SEASON hacks became available. Sky implemented another countermeasure on January 25th 1995. Again the Season hacks were updated. This spiral of countermeasure and update will probably continue until the issue of the new Sky card, the 0A. The algorithm in the current card issue (09) is far more complex than the one used in the 07 card. While the 07 algorithm was not really designed to be upgradable, the 09 algorithm is without doubt an extremely flexible algorithm.- 2.4 Where can I get the software from ? --------------------------------------- There are versions of this software that will decode Sky and The Adult Channel although there are no known versions that cover VideoCrypt 2 channels or JSTV. Different versions of the SEASON software are available from a number of ftp sites and a multitude of BBSes. Some of the sites are listed below. ftp ftp.uni-erlangen.de /pub/Multimedia/VideoCrypt/ note the capital letters ! They do make a difference. A later version of the Season 9 software is available via ftp from : ftp utelscin.el.utwente.nl /pub/upload/vcrypt/ This directory holds numerous versions. Look for the most recent. 2.5 The Season Cardadapter -------------------------- The computer has to be connected to the VideoCrypt decoder via an interface. This interface is sometimes referred to as an Omigod or Season interface. It is essentially a simple design that allows the RS232 serial port of the computer to be connected to the TTL levels of the card socket. Most of the versions of the Season software include a text file on the construction details of this interface in a file called ADAPTER.TXT. Details of the adapter are on Erlangen in the directory : /pub/Multimedia/VideoCrypt/cardadapter/ The artwork for making the PCB interface is available in postcript form at : ftp harley.pcl.ox.ac.uk /pub/crypt/smartpc/smart.ps ftp joule.pcl.ox.ac.uk /pub/mark/smart.ps http://joule.pcl.ox.ac.uk/~mark/sat.html This software uses very accurate timing for the decoding, there are several reports that this software runs OK on some machines and not on others. Please expect problems and try slowing your CPU down as a first fix. Problems are reported about different COMM cards, Memory Managers and so called Serial Device drivers (like fossils). It's best to run the Season software on a 'clean' machine Some people will make the adapters for you : mark@joule.pcl.ox.ac.uk mikey@cass.demon.co.uk 2.6 I can't ftp. Can someone post it for me ? --------------------------------------------- If you can't use ftp from your account then get yourself aquanited with ftpmail. As well as allowing you to get the software yourself and keeping traffic in the group down, it will also enable you to get any software on any subject ! For details of how to use ftpmail send a message with the word "help" in the body to : bitftp@wm.gmd.de ftpmail@ftp.uni-stuttgart.de ftpmail@grasp.insa.lyon.fr ftpmail@ieunet.ie ftpmail@plearn.edu.pl ftpmail@doc.ic.ac.uk The files will be returned in a format known as uuencoded. You'll need a uudecoder to make these into useful files. These are widely available for all platforms although if you can't ftp you'll have to work out how to get one. More details on email use of the net are on NBC text page 188. 2.7 What are blockers and what is Phoenix? ------------------------------------------ In the middle of the summer of 1994, there was little success in hacking Sky. A program was written in the TV-CRYPT for testing a theory. The theory dealt with the over the air addressing system on VideoCrypt. The question was: "could the presently available knowledge be used to switch on or off a Sky card?". At that time, the available knowledge consisted of the fragment of the 09 code that was killed in June and a working knowledge of how Sky encoded card numbers in their over the air addressing system. The available knowledge was sufficient. The computer program written to test the theory was called Phoenix. Since most of the cards experimented upon were Quickstarts that Sky had killed, Phoenix, the mythical bird that rises from its own ashes seemed a good name. Of course the program fell into the hands of commercial pirates. The Phoenix program on its own was useful to switch on the 09 Quickstarts that Sky had killed. It was also being used to switch on all channels on a Sky card with only the Multichannels subscription. It was a Musketeer hack - all for one and one for all. But that hack name had already been used. Unfortunately these reactivated cards were only lasting a few days before being killed again by Sky. Then when Sky increased their kill cycle the cards only lasted a few hours. Some solution had to be found. The solution lay in a hack of 1992 - the KENtucky Fried Chip. This was a modified version of the smart card - decoder microcontroller in the VideoCrypt decoder. It stopped Sky from turning off a card by examining each over the air packet for the identity number of the card in the card socket and stopping such a packet from reaching the smart card. Sky could not kill the card because the card never received the kill instruction. Of course the chip used in the decoder was too expensive and there was a rather large number of redundant PIC16C84 chips available. The first blockers to hit the market had the blocking program in a PIC16C84. They consisted of a card socket, a PIC16C84 and a PCB. The official card, having being activated by the Phoenix program would then only be used in the blocker. Luckily it was not named the Condom hack. Of course the popularity of these devices soon meant that individually activating the Quickstart cards with the Phoenix program was taking too much time. The solution was to incorporate the Phoenix routines in the PIC16C84. These new blockers were more successful. Over the months from August to November, they were given a bewildering array of names; Genesis, SunBlocker, Sh*tblocker, Exodus. Naturally Sky were a little upset with this resurrection of their dead cards. Their response, at first was purely technical. Later in 1994, they took legal action in the Uk against some people supplying blockers. There was more to the VideoCrypt 09 smart card than people realised. The most important aspect was that Sky could actually write to the card. The instructions for doing this were carried in the same packets that carried the activation and deactivation instructions. The blockers only looked for the specific identity number of the card in the card socket. As long as that identity number did not appear in the packet, it was let straight through to the card. Sky had managed to knock out a number of cards while they were in the blockers. Some of these countermeasures were reversible in that the card itself was not completely dead. One of Sky's countermeasures did actually hit the card in a manner that effectively locked it. At that point, the blockers were becoming irrelevant - there were working pirate smart cards for VideoCrypt. The Phoenix program, in various guises, still works. Of course some of the newer smart cards from Sky have been found to be resistant to being activated with Phoenix. 2.8 Is there a D2-MAC EuroCrypt-M Version of The Season Hack? ------------------------------------------------------------- The simple answer is yes. The EuroCrypt-M system is DES based. In an ironic way the system's greatest strength was its greatest weakness. Again the progression from pirate smart card to computer program was apparent. There is a number of different versions of the hack floating around on BBSes though all of these were affected by the latest TV1000 key change. 2.9 Is there a hack on Nagra? ----------------------------- Not yet. The main problem with a working hack on the Nagra system would be the decoders. It would be easy to replicate the pirate smart card but the decoders are not easy to get. Therefore with access to the decoders controlled it is a very good demonstration of the philosophy of total access control. 3.0 FINDING OUT MORE ==================== 3.1 Who are / what is the TV-CRYPT and how can I subscribe ? ------------------------------------------------------------ The TV-CRYPT is a closed mailing list. It was set up to enable the discussion of the methods and technology of TV scrambling systems. It is more of a forum for the exchange of ideas than anything else. Contrary to popular belief, it is not a private means of distributing the most recent copies of software for hacking Sky. Neither is it an "elite" group of super hackers whose sole intent is to hack channels just to watch the movies. It is an "by invitation only" list. If you can demonstrate a knowledge of scrambling systems through your posts here in the newsgroup, then you may be invited to join. 3.2 Reading List ---------------- The de-facto standard text on encryption and scrambling systems is John Mc Cormac's Black Book. Currently in edition 4, the book gives the reader a complete overview of the industry and systems in use in Europe. Black Book 4 ISBN 1-873556-03-9 Waterford University Press MC2 (Publications Division) 22 Viewmount Waterford Ireland Fax +353-51-73640 BBS +353-51-50143 email mc2@cix.compulink.co.uk 4.0 ADVERTISING OF PIRATE DEVICES ON alt.satellite.tv.europe ============================================================ Please do not advertise or promote commercial pirate devices on alt.satellite.tv.europe, in many European countries there are complex legal rules regarding 'goods to be used for criminal purpose'. If we keep the discussion at an 'educational' level, for personal use the group should attract much less attention. There is also a grey area of the law that is presently untested. This surrounds the possible prosectution of Internet service providers because of material they carry. If the newsgroup becomes a source of software for hacking pay TV you may find your site removes it, just as some providers strip the alt.binaries.pictures.erotica groups. 5.0 CREDITS =========== Major contributors : John McCormac (mc2@cix.compulink.co.uk) Knut Vikor (knut.vikor@smi.uib.no) Contributors : Rene Vreeman (renev@intouch.nl) Linus Surguy (lis@mfltd.co.uk) Brian McIlwrath (bkm@starlink.rutherford.ac.uk) Maintained by Martyn Williams (martyn@euro.demon.co.uk)