💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › CABLE › voyager.txt captured on 2022-07-17 at 01:55:02.
⬅️ Previous capture (2022-06-12)
-=-=-=-=-=-=-
------------------------------------------------ VOYAGER -- MS-DOS Videocrypt smart card emulator ------------------------------------------------ INTRODUCTION ------------ Voyager is named after the new StarTrek 'Voyager' series. Most of the information about the videocrypt protocol is found in details.txt written by Markus Kuhn. This new file (VOYAGER.DOC) is a container for additional information about the videocrypt system (cards series 09, 0a and further) and also some additional information about the eurocrypt system. The archive file contains the voyager.exe program, which is compatible with season programs. Voyager currently emulates a BskyB 07/09-series smartcard, The Adult-Channel smartcard, Eurotica smartcard, RedHot smartcard and EuroCrypt smartcards with all ECM's until release date included. ATTENTION --------- We are now using two version numbers (1.3i) that is Voyager/Season71 release, and Key release (1.1) that will be used to know if Eurocrypt keys had been updated. Channel list: (VIDEOCRYPT 1) ------------- The Children's Channel, The Family Channel, The Discovery Channel, The Learning Channel, Sky Sports, Sky Sports 2, Sky Soap, U.K. Gold, Sky Travel, Bravo, Nickelodeon, U.K. Living, Sky One, Sky Movies, The Movie Channel, Sky Movies Gold, VH-1, CMT Europe, MTV Europe, Disney Channel, Racing Channel, Playboy Channel, EBN, Zee TV (TV Asia), TVX The fantasy channel, The Adult Channel and TV Eurotica. Currently only The Adult Channel and TV Eurotica are decrypted. Channel list: (EUROCRYPT M) ------------- Filmnet 1, Filmnet 2, TV1000, TV1000 Cinema, TV3 Norway, TV3 Sweden, TV3 Denmark, MTV Nordic, CNN Nordic, Eurosport Nordic, Discovery Nordic, Children Channel Nordic, BBC Prime, Canal+ 16/9, Cin?Cin?ma 16/9 and TV Plus. Please mail us infos and any Eurocrypt key that you could get. Thanks ! Channel list: (EUROCRYPT S) ------------- Not yet implemented. Eurocrypt-S will be on the next voyager release. Please mail us infos and any Eurocrypt key that you could get. Thanks ! D2Mac CARD ---------- This version is supporting both Eurocrypt and Videocrypt. Selection is done automaticaly. Various keys are implemented. SKY 0A CARD ----------- Sky has send out some new cards, decoem say it's card issue 10. Read commands for the 09 are failing. LAST D2MAC Key changes ---------------------- 21-12-95 TV3 Sweden switched back to key 0a 20-12-95 TV3 Denmark switched back to key 0a 06-12-95 TV3 Sweden/Denmark changed to key 0b 04-12-95 TV3 Norway changed to key 0b 24-09-95 Filmnet and TV1000 changed keys 28-04-95 TV3 changed the key 01-02-95 TV1000 changed keys LAST SKY ECM's -------------- 31-10-95 The big change from card 09 to card 10. 18-09-95 Code change, nanocommands are gone again. Sky is sending some strange '85' packets, card 10 commands ?? 16-09-95 Sky tested some codes, resulting in 'no key fits'. Is Sky testing 0a cards or have they found something new... 15-09-95 Code change, nanocommands are back, (old) nanosequence 0x09, 0x28, 0x39,0x46. Several other programs got defeated, many old versions started to work again, Voyager survived once again. It took some time but the change of 12-09-95 was for this ECM. 12-09-95 Code change, no nanocommands are being send anymore. Also some changes to the sub-id's: Nickelodeon was added to the tables. The last few times this happend it was for short periods and followed by an actual ECM. If no nanocommand are being send, all clonecards and programs are working. 01-09-95 Code change, Voyager could handle it so no changes needed. Several others where defeated once again. Now subnano 0xbf, 0xc0 and 0xaa are in use. 15-08-95 Code change, fixed (changing the nanopointer 0xee, subnano without effect 0x88 because it's used by the kernel) skip 30 00 after 11 0A 00 EE 01-08-95 Code change, fixed (new nanocommand 0x0f and subnano's 0xbf, 0xc0) 28-06-95 Code change, Sky cleaned-up the nanocommand code. now only nanocommand 0x28 is in use. Voyager was allready prepared for this ECM. MTV also started to transmit VC encoded. 15-06-95 Code change, fixed 0xE7.. is ram not rom. pick up data byte 0xE7 from rom. 17-05-95 Code change, fixed nano-command switching between rompages. new nano subcommand for the nano 11h command: subcommand 08 means: switching between rompage 1 and rompage 2 06-04-95 Code change, Nanocommands are back 15-03-95 Code change, no Nanocommands are being send anymore. Bit 5 in the channel-id is set. 08-03-95 Code change, adressing of packets is changed. 03-02-95 Code change, Rom-Page 0 is being used, 10 sec. picture, 2.5 sec. no picture. 25-01-95 Code change, 7.5 sec. picture, 5 sec. no picture. 18-01-95 Code change 16-01-95 Code change LAST TAC/EUROTICA ECM's ----------------------- 29-11-95 Code change, Eurotica changed but is still decoded. 01-09-95 Code change, The Adult Channel changed but is still decoded. 14-06-95 Code change, The Adult Channel switched back to the old keys. Voyager gets switch key 'J' to protect against PS ECM and a larger key table. Also autoswitch funtion implemented. 24-05-95 Code change, the ECM of 24-5-95 is called Perry Smith ECM last 64 itteration with constant 0x0d as input. 15-05-95 Code change 16-02-95 Code change 18-01-95 Code change SUB-CHANNEL I.D. ---------------- The information below is only for Sky 09/07 cards: The sub-id is found in the low nibble (4 bits) of indata[5], if indata[3]+0x02 not equals indata[7] and indata[7]+0x02 not equals indata[3] or indata[3]+0x08. equals indata[7]. The MultiChannels ID is now only for Sky One, Sky Soap and The Travel Channel. Sky sports 2 uses the Sky sports ID. All other channels are correctly identified using this method. New id-f is used for all 'open videocrypt' channels like Sky News, CNE, TVX freeview block, Hour of Power and non-decoded announcements like Showcase. QVC still uses its own sub-id in the multichannels package. AUTO DELAYS ----------- By detecting the CPU type inside voyager and combining the results of many reactions from Voyager users, Voyager has now an automatic delay. It's still possible that the standard settings don't work, in that case the auto delay can be overruled by setting the wa/wb/wc parameters on startup. The auto delay detection can be activated with the 'A' parameter at start-up. Most common settings are: XT's 86/88/V20/V30 : Voyager 1 wa50 wb0 286 up to 16 MHz : Voyager 1 wa50 wb0 386 up to 40 MHz : Voyager 1 wa50 wb1 486 up to 100 MHz : Voyager 1 wa50 wb2 Pentium : Voyager 1 wa50 wb2 All settings are also checked on old and new videocrypt chipsets. ZKT --- VideoCrypt decoders contain a few built-in algorithms to prevent pirate cards from being used. However due to a programming error on many of the original decoders and IRDs (integrated receiver/descramblers), the most powerful algorithm, the Fiat-Shamir zero-knowledge test, did not work properly. On the newer videocrypt systems this error is fixed. Voyager is patched and now acts exactly the same as the original cards preventing the decoder to see it's not an original card. VOYAGER.EXE: usage ------------------- Syntax: VOYAGER [com] [wax] [wbx] [wcx] [wdx] [wex] [a] [d] [e] [i] [j] [m] [n] [q] [v] [t] [z] com: Serial port to use. wa thru we are delays, all entered in ms (milliseconds) wa wait between reset and answer to reset wb wait after each outgoing byte wc wait between header and first procedure byte wd wait between procedure byte and data we wait between final data byte and procedure bytes a: Videocrypt Automatic delay setting. d: debug mode on when program is started. e: save time by doing less screen updates. i: Displays channelnames by sub-id for debugging. j: Switches between Adult keys before and after 24th may ECM. m: OSD suppress. n: Display nanoinfo on startup. q: Quick decoding mode. v: Show hexnumbers in o.s.d. on startup. z: set baud rate at 10000 baud. defaults are: com: 2 wa: 50 wb: 0 wc: 0 wd: 0 we: 0 dn: debug mode n on. e: no time saving m: no OSD suppression n: don't show nanoinfo vn: viewmode n on. jn: Adult ECM switching mode n on. Example: VOYAGER 1 wa0 wb0 m starts voyager using comport 1 with reset delay and byte delay set at 0 milliseconds, and with onscreen display suppressed. Voyager is patched to work on Pace MSS systems if your decoder locks-up use the wc parameter. wc150000 seems to work on some systems but you might try other values. After implementing the ZKT, the wc parameter may not be needed. It works fine on my MSS system. ----- READ the SETTINGS.TXT file for additional information on how to run voyager. ----- Keyboard commands once the program is running: F1: help -> page up, down scroll help q: quit program d: toggle debug mode on/off i: shows sub-id hex bytes for debugging j: Toggles between adult tables/algorithms n: toggle nanoinfo on/off v: toggle viewmode on/off (hexnumbers in o.s.d.) l: write last crypto messages to logfile VCLOG a: increase reset delay b: decrease reset delay +: increase byte delay -: decrease byte delay 1: increase procedure delay 2: decrease procedure delay c: clear the screen t: nano tracing mode on/off x: access command mode on/off e: time saving on/off m: OSD on/off VOYAGER VERSION HISTORY ----------------------- 1.3j, Keys release 1.2 : (Voyager/Season71 version) . 14-01-1996 (updated release) . Added a new D2Mac channel. . Added the 'C' switch to set the CI value. . Fixed some bugs. . Rewrote and optimized some of the routines. . Extended the Nokia compatibility. . Fixed a bug in the delay command line switch. Now all is working fine. . The pentium detect routine sometimes gives a wrong answer depending on the CPU used. No time to fix it.. wait on one of the next releases. . The Eurocrypt-S part is not yet finished...be patient. 1.3i, Keys release 1.1 : (Voyager/Season71 version) . 23-12-1995 (updated release) . Documented the source code (No it's NOT available). . Rewrote and optimized some of the routines. . Added the missing Eurocrypt commands. . Added Nokia compatibility. . Added Quick decoding mode (activate with 'Q' on commandline). . The automatic delay detection was left out in the last release and is now back again. The automatic delay works only for VideoCrypt and can be activated with the 'A' parameter on the commandline. . Added the new 0b key for the TV3's. . Bugfix on the answer strings. . Option 'T' transformed to 'Z', now you can always switch from 10000 to 9600 and from 9600 to 10000 with the 'Z' key when the program is running. Use the 'Z' switch also on the commandline to start with 10000 baud. . Added a pentium detection routine . The auto delay detect is back. With the 'A' switch on the commandline The program uses automatic delays, only for VideoCrypt. . The Sky 10 card is not yet implemented, be patient 1.3h, Keys release 1.0 : (Voyager/Season71 version) . 02-12-1995 (updated release) . D2Mac Eurocrypt M implemented. (Not S) Channels supported : Filmnet+, Filmnet TCMC, TV1000, TV1000 Cinema, TV3 Norway, TV3 Sweden, TV3 Denmark, Filmmax, MTV Nordic, CNN Nordic, Eurosport Nordic, Discovery Nordic, Children Channel Nordic, BBC Prime, Canal+ 16/9, Cin?Cin?ma 16/9. . The Sky 10 card is not yet implemented, be patient 1.35:. 03-10-1995 (updated release) . reprogrammed for use on XT (8088/8086) systems. . Code change, sky is using id-F for all the 'open-videocrypt' channels except QVC wich still has its own id. . Private version, so not spreaded and not available. 1.3: . 27-09-1995 (updated release) . Last version before Sky's card change ?? . New layout. . Added auto delay detect, so delays are now automaticaly set. The detected CPU type is show on-screen, the Pentium is not yet detected. . Added a new -second- delay routine, now both delay types are available Miliseconds delays and Microseconds delays (Switching with 'Y'). . Id-F for The Disney Channel added. . Sub-id for Nickelodeon added. . Added the videocrypt mode identifier. . Updated debug routines. . Updated commandline options. . Added the '?/h/H' key's to see the commandline options. . Updated the messages displayed when using the wrong serial port. . Adult channel decoding now with 3 modes: Auto ECM switching (default), PS-ECM on and PS-ECM off. ('J' key for switching) . Bug fix: black/white displaymode now working properly. . Cleaned up the sources. . Unlike some others Voyager had no problems with the ECM's and/or code changes from 01-09-95, 12-09-95 till 15-09-95 and 18-09-95 till now. . Although no longer in use, i added the RedHot TV decoding again just to have it all in one version. NOTE: The voyager 2.x versions are *NOT* mine, just ignore them they do *NOT* contain the better parts of this Voyager version !!! This is the official update !! 1.25:. 25-08-1995 (updated release) . Added FSZKT test 1, including original serial numbers. Voyager now acts as an original smartcard. No more problems after a minute of decoding. . Added the 'C' key to clear and redraw the screen with the Voyager word. . Added the 'T' key for Nano tracing. . Redefined the 'X' key to display the access commands on screen. Now you can follow the activation and deactivation of cards on screen. . Added all nanocommands. . Changed byte delay at startup to 0. . Cleaned up the complete sources. 1.2: . 16-08-1995 (updated release) . Implemented the Sky ECM of 16-08-95. . Cleaned up the nanocodes. 1.1: . 07-08-1995 (updated release) . Implemented the Sky ECM of 01-08-95. . Implemented cardcommand 72 (Answer from previous card). . Debugging now in 4 steps: None, level 1, level 2 and level 3. . The 'I' key now shows the 3 needed sub-id bytes on the PC screen. . Switches 'M' and 'E' now also when running the program. . Switches '1' and '2' implemented for procedure delay. . Updates to the channel naming tables. Also MTV-Europe name added to the table (was decoded fine allready in version 1.0) . Added full Sky 07 card decryption, just to have it all in one version. . Adult/Eurotica/??? keytable autosearch added to try to survive future ECM's. . Unlike others Voyager had no problems with the ECM of 28-06-95. Allthough it was not a real ECM but just a clean-up in the Nanocommands, various seasons and batterycards got defeated. 1.0: . 28-06-1995 (initial release) . Added the I switch to toggle between normal operation and showing the channels by sub-id on the PC screen for debugging. 'I' shows also the corresponding 'sub-id' hex byte. . Fixed various Pace MSS problems. . Fixed TV Eurotica. . Program should now autoswitch between 'old' codes and PS ECM. . Adult/Eurotica keytable extended. === . Now toggle with 'J' key between adult key tables and ECM 0d (Perry Smith ECM). . Fixed Sky ECM of 15-06-95. . ECM of 17-05-1995 implemented . Turned 'Nanoinfo' to off at start-up for slower systems. . Some cosmetic changes to async.asm . Speedup of subchannel i.d. in o.s.d.. . Subchannel i.d.'s of Discovery and The Family channel added. . Viewmode included (shows the first 8 bytes from indata in the o.s.d.) . No key fits! included. . Improved Channel i.d., subchannel I.D. of multichannels included . Nano info included, displays full nano string and last pointers and rompagenumbers used by a 30-nano command . Channel name in the o.s.d. if you press the PPV-button . Removed cursor in the left upper corner . Improved onscreen display and channel i.d. . Revised com port to COM2 on startup . Fixed 'Reset' from PACE type decoders hanging program on startup . Revised some code for xx286 cpu's . Added TV-X new channel from 03-06-95. . first implementation, derived from SEASON7.c being the source for season in the 07-series period and SKY09PUB.ZIP being the implementation of the 09-series for 8051(Thanks T.:-)) chips). . new user interface Updates at the moment also on: WWW.XS4ALL.NL/~CEYLON