Please read the following carefully:
This FAQ is provided for educational purposes only and will be posted approximately every quarter in alt.satellite.tv.crypt. The section headers will be posted in alt.satellite.tv.europe, rec.video.satellite.europe, rec.video.satellite.dbs every month.
Updated versions of this FAQ will be posted on:
And of course on all good websites and BBSes. Any interim developments and other news that will eventually make it into the FAQ as a section will be posted on:
What you do with the information herein is your business. The contributors to this FAQ do not necessarily condone the illegal use of the devices or programs mentioned here. The contributors to this FAQ are in no way liable for any damage to equipment, revenue, or sanity as a result of the use or misuse of this information.
Permission is granted for the reposting of this document and the news document on any BBS, FTP site, WWW site as long as the complete *UNMODIFIED* document is posted. Addition of HTML tags to facilitate WWW posting is allowed. The copyright of this document rests with the contributors.
1.0 The Focus Of This FAQ
This is a FAQ for the European area. It covers European scrambling systems as opposed to the American systems. The hacks mentioned refer to European hacks. It is common to refer to the VideoCipher II system as VC2. However VC1 and VC2 used in this FAQ refer to the European VideoCrypt system variants.
The systems covered in this FAQ are satellite based systems. Though many of these are reused on cable systems in Europe, the majority of cable based systems are still based on primitive synch attenuation and/or video inversion techniques.
A section on the piracy of the US based DirecTv system has been included due to the fact that News Datacom developed the security overlay on this system with utterly predictable results.
A scrambling system is applied to a television signal to ensure that it is only receivable by the audience for which it is intended. The more cynical amongst us may rephrase that to "those who have paid to receive it". Therefore a good scrambling system is one that can effectively make the picture unusable to all except those who have paid.
There are two basic types of scrambling system: dumb and addressable. The dumb system does not have any over-the-air (OTA) addressing. As a result the channel cannot turn a subscriber's descrambler off. This type of system is cheap and offers minimal security. As a result it is not used for high value channels.
An addressable scrambling system is more complex in that it allows the channel to individually turn on and off descramblers. Most systems in operation today are addressable.
The basis of a scrambling system is the method by which it renders the picture unwatchable. The early scrambling systems were analogue. These systems interfered with the synch pulses or inverted the video either on a frame, field or line basis. Some actually delayed each line by one of three delays on a pseudo-random basis.
All of the analogue scrambling systems were vulnerable and offered little protection to the channel using them. It was trivial to build a descrambler that worked in an identical manner to the official descrambler.
As the years and technology advanced, more complex systems came into operation. These systems were digital based systems. They digitised the picture or sound information and manipulated it. In order to descramble or decode the picture, the picture had to be digitised and then decoded.
However the systems seen to date are all firmly rooted in analogue technology. It would be better to describe these systems as transitional systems rather than digital systems. VideoCrypt, D2-MAC EuroCrypt M, S, S*, S2 and Nagra Syster are all transitional systems. They all digitise the video in order to decode it. VideoCrypt and D2-MAC use line cut and rotate to scramble the picture: each line is cut at a point that the decoder only learns via the smart card, and the two segments are transmitted in swapped order. Nagra Syster uses line shuffle to scramble the picture: it takes a block of lines and changes their order. In each of these cases the video is still transmitted in an analogue format.
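The following is an added example for this FAQ, not code from any real decoder, card or hack, showing the line cut and rotate principle described above and why the descrambler needs the per-line cut point. The line length, the key and the SHA-256 based derivation of cut points are assumptions (a real decoder obtains the cut points via the smart card); the frame is a constructed set of smooth ramps standing in for video lines. The last function goes a little beyond the text: it illustrates the general reason video-layer attacks on such systems are possible at all, namely that the rotation leaves a seam that ordinary picture content does not have.

```python
"""Line cut-and-rotate scrambling as used by VideoCrypt and D2-MAC/EuroCrypt.
Added example for this FAQ, not code from any real decoder or card: the
line length, the key and the SHA-256 based derivation of cut points are
assumptions; a real decoder obtains the cut points via the smart card."""
import hashlib

LINE_LEN = 256  # assumed samples per active line


def cut_points(key: bytes, n_lines: int) -> list:
    """One cut point per line in 1..LINE_LEN-1 (0 would leave the line unchanged)."""
    pts = []
    for i in range(n_lines):
        d = hashlib.sha256(key + i.to_bytes(4, "big")).digest()  # assumed PRNG
        pts.append(1 + d[0] % (LINE_LEN - 1))
    return pts


def rotate_line(line: list, cut: int) -> list:
    """Cut the line at `cut` and transmit the two segments in swapped order."""
    return line[cut:] + line[:cut]


def scramble(frame: list, key: bytes) -> list:
    return [rotate_line(l, c) for l, c in zip(frame, cut_points(key, len(frame)))]


def descramble(frame: list, key: bytes) -> list:
    # Rotating by LINE_LEN - cut undoes the rotation by cut.
    return [rotate_line(l, LINE_LEN - c) for l, c in zip(frame, cut_points(key, len(frame)))]


def roughness(line: list) -> int:
    """Sum of sample-to-sample jumps. A rotation of a smooth line adds one
    seam, so the true line is the rotation with the smallest total."""
    return sum(abs(a - b) for a, b in zip(line, line[1:]))


def guess_cut(scrambled_line: list) -> int:
    """Video-layer guess with no key at all: try every rotation and keep
    the smoothest result. On these synthetic ramps the seam is the only
    large jump, so the guess is exact; real picture content is noisier."""
    best_r = min(range(LINE_LEN), key=lambda r: roughness(rotate_line(scrambled_line, r)))
    return (LINE_LEN - best_r) % LINE_LEN


# Constructed frame: four smooth ramps standing in for real video lines.
FRAME = [[(i * k) // 4 for i in range(LINE_LEN)] for k in (1, 2, 3, 4)]
KEY = b"card-session-key"  # assumed


def demo() -> dict:
    scr = scramble(FRAME, KEY)
    return {
        "changed": scr != FRAME,
        "roundtrip": descramble(scr, KEY) == FRAME,
        "guessed": [guess_cut(l) for l in scr],
        "actual": cut_points(KEY, len(FRAME)),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a practitioner is that the key material only hides the cut points; the picture itself is transmitted in clear samples, merely rearranged, which is why the FAQ calls these systems transitional rather than digital.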
All of the above systems are smart card based. They rely on the fact that the smart card can be economically replaced in the event of a hack. The concept behind this is that of "The Secure Detachable Microcontroller". The older systems designs were based on the "Secure Embedded Microcontroller" concept. This concept was fundamentally flawed in that if there was a hack on the secure microcontroller (the chip that held the system's secrets), then all of the decoders would have to be replaced or upgraded.
1.2 Overview of scrambling in Europe
The main systems in use in Europe are: VideoCrypt, EuroCrypt, Nagravision, Luxcrypt and B-MAC. There are variants of some systems. VideoCrypt comes in two versions, VideoCrypt I and VideoCrypt II. They are parallel, and the idea is that VC I is to be used inside the UK and Ireland, and VC II in the rest of Europe. EuroCrypt also has variants: EuroCrypt-M, EuroCrypt-S, EuroCrypt-S2, EuroCrypt-S*.
Since Europe is still a multi-copyright area, there is often the need to sell the programming on one channel to two markets. Rather than create two separate channels, it is often easier to use the same channel, with the same scrambling system but two distinct datastreams. Of course this dual datastream illustrates a major vulnerability. It only requires one of the datastreams to be hacked for the system to collapse completely.
With the VideoCrypt variants, the scrambling system is the same - line cut and rotate, but the information to descramble it is encrypted in the VideoCrypt 1 and VideoCrypt 2 datastreams. The datastreams are sent out on the one channel. Therefore the channel is available both in the UK and the continent using what on the surface appears to be two different systems. Of course this underlines an important flaw in using two or more datastreams on one scrambling system - if only one of these datastreams is hacked, then there is effectively no more protection for the channel.
Almost all efforts at cracking VideoCrypt had concentrated on the VideoCrypt 1 variant. VideoCrypt 2 had not been much of a target though there were three working hacks on this system. There are VideoCrypt 1 to VideoCrypt 2 adaptors. These are plug-in boards with switchable 68705 / 8752 microcontrollers that allow a VideoCrypt 1 decoder to be converted for use as a VideoCrypt 2 decoder and vice versa.
With the shutting down of the main FilmNet CE service on VideoCrypt 2, the incentive for hacking it is not really there anymore. Much to the disgust of the pirates selling VC2 cards and conversion kits, the owners of FilmNet CE decided to upgrade all of their existing legitimate subscribers to PAL Nagra Syster decoders.
VideoCrypt 2 was hacked and pirate cards were available in three formats: Battery Card, reprogrammed 09 BSkyB Cards and PIC16C84 cards. The main attraction of VideoCrypt 2 (VC2) was that FilmNet was available on this system. Since many of those wishing to hack the service had VideoCrypt 1 decoders already from the years of abject piracy on Sky, a conversion kit was a very cheap way of getting the other channels.
The VC2 variant was more reliant on the serial number routines as many of the cards that were knocked out seem to be operating on a master-clone basis. This may well indicate that the Fiat-Shamir zero-knowledge test (ZKT) is working properly.
The source code for the PIC16C84 based VC2 cards is now in wider distribution and the Voyager 1.6 software now works with the VC2 channels as well as the previously hacked ones.
The data rate on VC2 is higher than the 9600 Baud used for the VideoCrypt 1 system. This means that running Voyager on some PCs will be tricky.
JSTV is the only broadcaster that broadcasts Europe wide using VideoCrypt I. This channel differs from the standard in that it is a very high fee channel but it is also very much a minority interest channel since it broadcasts programmes for the Ex-pat Japanese market. This channel is also hacked though various ECMs have been tried.
D2-Multiplexed Analogue Component (D2-MAC) is a transmission standard. The scrambling system overlay is EuroCrypt. EuroCrypt comes in a number of variants (M, S, S*, S2) but according to European law, EuroCrypt-M is the European standard. Nobody takes much notice of that anyway.
France Telecom developed EuroCrypt. Since the scrambling algorithm itself is open, France Telecom chose a modified form of the US Data Encryption Standard algorithm for the access control. They removed the initial and final permutations so that it would run faster in the smart card. They also appear to have believed that this algorithm would remain top secret and that their smart card would be unhackable.
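As an added illustration of the point above, not EuroCrypt's or France Telecom's code: dropping the initial permutation (IP) and final permutation (FP) from DES cannot turn it into a secret algorithm, because both are fixed, public and applied outside the rounds, so anyone with the standard cipher can build the stripped one by undoing them. The IP table below is the real DES initial permutation and FP is its inverse; the 16-round core is a toy Feistel network standing in for the DES rounds (an assumption, so that the example fits here), and the key and test block are constructed.

```python
"""Stripping DES's initial and final permutations buys no secrecy.
Added example, not EuroCrypt's code: IP is the real DES initial
permutation, FP its inverse; the 16-round core is a toy Feistel
network standing in for the DES rounds (assumption)."""
import hashlib

# DES initial permutation, 1-based bit numbers, bit 1 = MSB of the 64-bit block.
IP = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]


def inverse(table: list) -> list:
    inv = [0] * len(table)
    for i, src in enumerate(table):
        inv[src - 1] = i + 1
    return inv


FP = inverse(IP)  # the DES final permutation is IP^-1


def permute(block: int, table: list) -> int:
    """Output bit i (counted from the MSB) takes input bit table[i] (1-based from the MSB)."""
    out = 0
    for i, src in enumerate(table):
        out |= ((block >> (64 - src)) & 1) << (63 - i)
    return out


def core(block: int, key: bytes, encrypt: bool = True) -> int:
    """Toy 16-round Feistel with the DES-style final swap. Assumption: the
    round function and key schedule are SHA-256 based, not the DES S-boxes."""
    L, R = block >> 32, block & 0xFFFFFFFF
    for i in (range(16) if encrypt else range(15, -1, -1)):
        subkey = hashlib.sha256(key + bytes([i])).digest()[:4]
        f = int.from_bytes(hashlib.sha256(R.to_bytes(4, "big") + subkey).digest()[:4], "big")
        L, R = R, L ^ f
    return (R << 32) | L


def des_like(block: int, key: bytes, encrypt: bool = True) -> int:
    """Standard DES layout: FP(core(IP(x)))."""
    return permute(core(permute(block, IP), key, encrypt), FP)


def stripped(block: int, key: bytes, encrypt: bool = True) -> int:
    """EuroCrypt-style layout with IP and FP removed."""
    return core(block, key, encrypt)


def stripped_from_des_like(block: int, key: bytes, encrypt: bool = True) -> int:
    """Anyone holding the standard cipher gets the stripped one for free by
    undoing the public permutations outside it: IP(des_like(FP(x)))."""
    return permute(des_like(permute(block, FP), key, encrypt), IP)


if __name__ == "__main__":
    x, k = 0x0123456789ABCDEF, b"eurocrypt-demo"  # constructed
    print(hex(stripped(x, k)), stripped(x, k) == stripped_from_des_like(x, k))
```

The saving in the card is real (two 64-bit permutations per block), but the secrecy is not: the only thing the modification hides is one public table.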
Eurocrypt-M is the commonest. Only four channels (Sweden 1 and 2, Norway 2 and TV Erotica) use Eurocrypt S, the first two in the lesser used D-MAC format of the MAC standard.
An older MAC variant, B-MAC, is used by the American Forces Radio and Television Service, The Satellite Information Services Racing Channel and several business TV applications. Gradually this system is fading out of use as American forces bases in Europe close down.
The B-MAC system applies relatively simple line delay scrambling to the MAC video and hard encrypts the digital audio and teletext services. The hacks on this system involve cloning a valid subscriber identity number and then arranging for a continual supply of weekly keys. These keys are programmed into an EEPROM chip in the decoder.
There are two flavours of B-MAC in operation in Europe: B-MAC 525 and B-MAC 625. The numbers refer to the line numbers. The 525 variant is used for the US AFRTS service and the 625 version is used for the Racing Channel. Pirate decoders for these services are expensive, typically costing in excess of five hundred pounds. The problem of course is arranging the continual flow of keys. A current hack claims to have worked around these problems.
There have been reports that AFRTS will be switching from the B-MAC standard to a more secure system. Consequently the B-MAC decoders will be phased out of operation. However the Racing Channel (SIS) still seems to be committed to the B-MAC system for their bookie feeds. A version of the Racing Channel is available to VideoCrypt-1 decoder users. Setanta Sport, an Irish originated special events sports feed, also uses VideoCrypt-1.
Nagravision is also known as Syster and as Nagra, and is used in France, Spain, Turkey and Germany. Unlike VideoCrypt and Eurocrypt, Nagravision decoder boxes are not for sale. They are only rented out to subscribers, but still operate with a smart card. Nagravision is now replacing the older and less secure Discret system in France.
There are confirmed reports of a hack on Nagravision. The hack is a pirate decoder based on hacking the video scrambling as opposed to the access control aspect. The hack at the moment only affects the SECAM implementation of the system. The PAL implementation as used by Premiere is still intact though again there are rumours of a PAL based hack.
The SECAM version of the hack exploited a weakness caused by the SECAM system. The same form of hack will not work directly on PAL. There is some research into a PAL based hack but to date the results have been somewhat less than usable.
The Luxcrypt system is a cut down implementation of the IRDETO system. Basically the Luxcrypt system is a synch replacement and inversion system. It is easily hacked and circuit diagrams of various decoders are available at all good FTP sites. The full IRDETO system has digital audio. The LuxCrypt system has ceased to be a satellite based system. However it is still the basis for the CableCrypt system used on some European cablenets.
Even the old SATPAC system as used by FilmNet before they switched to D2-MAC has been used lately on FilmNet transmissions to Greece. Apparently the Digital Audio decoders as included in the Hi-Tech Xtravision XV200, XV2000 and XV3000 still work on this channel.
The Italian Satisfaction Club TV, a hard core porn channel was originally using the Nokia LS256 line shuffle scrambling system. However they have recently replaced it with a system called "Ping Pong" which is believed to be based on a similar process.
VideoCrypt I
TV Standard: PAL
Video: Line Cut And Rotate
Smart Card: Yes
Users: BSkyB Multichannels, Adult Channel, Eurotica, JSTV etc.
Hack Status: Temporarily Secure
Pirate Cards: Yes
Season Programs: Yes
Status: Largely Secure Though Hack Exists

VideoCrypt II
TV Standard: PAL
Video: Line Cut And Rotate
Smart Card: Yes
Users: Discovery, FilmNet.
Hack Status: Hacked
Pirate Cards: Yes
Season Programs: Yes
Status: DECEASED or Soon To Be So

EuroCrypt
TV Standard: D2-MAC
Video: Line Cut And Rotate on Chroma And Luma
Audio: Encrypted Digital
Smart Card: Yes
Users: FilmNet, TV1000, TV3, Canal Plus.
Hack Status: Hacked
Pirate Cards: Yes
Season Type Programs: Yes

Nagravision (Syster)
TV Standard: PAL & SECAM
Video: Line Shuffle
Audio: Spectrum Inversion
Smart Card: Yes, key shaped rather than conventional card shape.
Users: Premiere, Canal Plus, Various French and Spanish Channels.
Hack Status: Hacked. Only SECAM variant is affected at the moment.
Pirate Cards: No
Season Type Programs: No

Luxcrypt
TV Standard: PAL
Video: Frame / Average Peak Level Inversion with synch replacement
Audio: Digital PCM but not used
Smart Card: No. Just a dumb and cheap system.
Users: NOT USED ON SATELLITE
Hack Status: Totally compromised
Pirate Cards: No
Season Type Programs: No

B-MAC
TV Standard: B-MAC
Video: Line Delay
Audio: Hard Encrypted with DES like algorithm
Smart Card: No
Users: AFRTS, SIS Racing Channel
Hack Status: Hacked. Cost of decoders / key feeds are a problem.
Pirate Cards: No
Season Type Programs: No
1.4 The European Scrambled Channels
The following is a list of scrambled channels generally receivable over the European area. The list is not complete and in some cases it is not 100% accurate. It is however a start. The frequencies may be +/- 10 MHz or so depending on the LNB. Some of these channels are spot beams. This means that to receive them outside the spot, a larger dish is required. To explain the intricacies of multisatellite reception would require another FAQ. It is something that I am working on at the moment. The list of scrambled channels has been compiled from a number of European satellite television magazines, most notably "TeleSatellit" and "What Satellite" and the World Satellite Yearly.
One of the best sites on the internet for information on the traffic on satellites is the Satcodx website.
All Frequencies Are in GHz (GigaHertz)
H = Horizontal Polarization
V = Vertical Polarization
R = Right Hand Circular Polarization
L = Left Hand Circular Polarization
2.0 HACKING PAY TV
This part of the FAQ deals with the techniques used to hack satellite television channels in Europe and the US. The use of some of the material herein may be illegal for use in certain jurisdictions.
The only difference between a hobbyist hacker and a professional is that the professional takes money for it. This is often reflected in a country's legislation. The fines for commercial hacking are generally higher than those for hobbyist hacking. It is not a wise thing to hack a channel that is uplinked from your country. It would more than likely be covered under local laws.
One of the main motivations for commercial piracy is that the channel is not available legally in the jurisdiction. Where the channel is available, the logical thing to do would be to subscribe rather than hack it. Grey Market piracy is perhaps the lesser of two evils if you are desperate to get access to a foreign channel. Such Grey Market subscriptions are often safer in terms of ECMs in that a channel is less likely to ECM one of their own legitimate cards on purpose. However if your Grey Market card is ECMed, the worst thing that you can do is to ring up the Subscriber Management Centre. For example, Sky's Subscriber Management Centre has Caller ID on their lines. This means that when calling from a number in the UK, the phone number of the caller will be displayed to Sky. If they see that you are calling from outside the UK, they may deduce that the card is a Grey Market card and refuse to reactivate it. Always get the local agent to dial the relevant subscriber management centre and ensure that he uses Caller ID blocking to prevent his number from being tied to any particular card.
2.1 Is it legal ?
The cynical answer would be that it is only illegal if you get caught. The legal position on hacking varies from country to country. Basically a good rule is that a channel being uplinked from a particular country is probably going to be protected by that country's laws. For example hacking BSkyB in the United Kingdom is illegal under that country's laws. However hacking FilmNet in the UK may not be directly protected under the UK's law.
The UK law on pirating Sky channels has changed as the result of the October amendment to the Copyright, Designs and Patents Act, which now apparently makes the advertising or offering for sale or hire of unauthorised devices illegal in the UK. The act applies to the UK and to channels licensed in the UK. This has some very tricky aspects.
The main channels to benefit directly from this legislation are the BSkyB ones. It is now clearly illegal to hack or pirate these channels in the UK. The posting of the X-Files (the Sky 10 pirate battery card files) on UK WWW, FTP and BBS sites is in question even though the files do not work as is. The hidden aspect is BBC Prime.
The BBC Prime channel is a D2-MAC channel intended for reception outside of the UK. It still is a UK originated channel. Therefore under this new legislation it is an offence to offer for sale or hire in the UK unauthorised devices capable of decoding this channel. Now most pirate D2-MAC cards are capable of decoding this channel and would therefore be illegal under this legislation. However it is still unclear as to who or what would have to take action against people selling or advertising these cards.
It is safe to say that pressure will be brought to bear on the UK Satellite television magazines not to carry such card adverts. Naturally these magazines, so dependent on the Sky programme listings, will spinelessly cave in. For the main part however, the situation on advertising pirate Tv1000 and FilmNet will remain the same until the law is clarified.
The recent clarification of the UK's copyright legislation makes it an offence to advertise pirate cards for a UK originated channel. This means that advertising or selling a pirate BBC Prime or MTV capable card in the UK is illegal. To date there has been no legal action from the channel concerned.
According to a report on Cardtronix's website, What Satellite? magazine caved in recently to Sky. Basically the magazine at the behest of Sky refused Cardtronix's advert. The hypocritical thing about this was that What Satellite were running adverts for pirate BBC Prime cards in the issues where they blocked the Cardtronix advert. Cardtronix happened to be selling cards capable of decoding Sky though these cards were not the ones in question.
A further development of the Cardtronix/Mactronix - What Satellite fiasco has resulted in What Satellite refusing to refund monies paid for an advertisement that the magazine never ran. Apparently What Satellite were pressured into dropping the advert under threat of injunction. This application of pressure in the UK satellite TV press may well increase over the next few months. There are some arguments that would consider advertising TV2 capable cards to be illegal since they include the UK originated Premier soccer matches as part of the schedules. Thus if the argument is correct then advertising pirate TV2 cards is illegal under UK legislation. One thing is for certain in this - the advertising revenue that magazines like What Satellite have extracted from the industry will dry up over the next few months.
Europe is still a multi-copyright area. It is therefore possible for BSkyB and FilmNet to purchase the rights to show the same film. Perhaps in the future, the copyright issue will be worked out and we will have a single copyright area for Europe, but for now we have to cope with the current mess.
To date most of the prosecutions for piracy in the UK have been against people who have been too visible. It is not economically viable for a channel to prosecute every user of a pirate smart card. Instead they will generally concentrate on dealers and distributors.
Of course they may also decide to make an example of an individual pirate card user. The logic of the legal departments of channels is not as predictable as that of their engineering departments.
If you get caught you are unlikely to be able to plead any clever excuse that you may come up with. More importantly, could you afford the expensive legal mouthpiece to argue your case?
The recent European Commission green paper on the legal protection of encrypted services does indicate that there is a growing movement in the European political world to extend the legal protection of channels. This has come about through the lobbying of the afflicted channels who, having been unsuccessful at protecting their services with technology, are now turning to lawyers to protect their channel. This is like using a Band-Aid to fix a slit jugular vein.
However in real terms, the blackbox market in Europe may well be forced to go underground. Some of the proposals covered, such as making the possession of pirate decoders a criminal offence, are clearly stupid and the product of minds ignorant of the realities of piracy. For any channel it is a battle for hearts and minds, and rather than criminalising a potential subscriber it would be more logical to offer him the option to subscribe when caught.
It is perhaps accurate to say that the current legal stasis that exists in Europe at the moment will change soon. When it does, the face of piracy will darken. It will be forced underground becoming harder to catch and perhaps more difficult to stem. From the centre of Europe, companies will flee to the periphery outside the incompetent grasp of the channels and their "employees" in the European commission. Piracy on the channels will continue.
2.1a A Sly Move To Destroy Piracy
It is almost like the scene from Hitchhiker's Guide To The Galaxy, the one in which the Vogon constructor fleet floats through the atmosphere in the way that bricks don't. The situation also resembles the scene in that like the astronomers who completely missed this event, most hackers and pirates in Europe are oblivious to what happened. It started with a report on the European Parliament briefing service.
The article stated that MEPs (Members Of European Parliament) were considering ways of cracking down on piracy at a European level. The background for this was that legal action was being mounted in the UK against pubs and clubs showing the TV2 soccer. Surprisingly nothing was mentioned about the Boxing on TV1000. Perhaps it may have been too difficult to convince a court on that issue as the main event only lasted ninety seconds.
The main mover on this was a Greek EPP MEP named Georgios Anastassopoulos. He apparently introduced his report to the parliament. The weird thing is that I, nor most of the people I spoke to, have never heard of the character. Greece also does not seem to have much of a pay television industry either. The figures quoted in this article were interesting and familiar. An estimate that the market is between 5% and 20% pirate (The Green Paper) and that the value of this market is estimated at being in the region of 200 Million ECU per year (AOPCE).
In this report, Anastassopoulos argued that the problem of piracy had to be dealt with in order for the industry (pay television) to advance, the internal market to be improved and the intellectual property rights protected. A stunning conclusion and one a lot of other people arrived at years before. But the most dangerous thing was that the method of bringing some semblance of lucidity to the individual national legal frameworks was by means of a directive. A directive is effectively law throughout the EU from when it is published.
The suggestion of using a directive was agreed upon by Heidi Hautala (Finland, Greens) on behalf of the monetary affairs committee, Manuel Medina Ortega (Spain, PES) on behalf of the legal affairs committee, Marlies Mosiek-Urbahn (Germany, EPP) and Willy De Clercq (Belgium, ELDR). De Clercq made the point that "piracy should be combated to not protect the manufacturers and broadcasters in the industry, but the consumer too." This of course is an interesting point. It is like the hangman asking the condemned if the rope is too tight. There appeared to be nothing about enforcing some form of quality control on the manufacturers of scrambling systems. De Clercq was also worried about the possibility of the piracy shifting into other areas and advocated discussions with the World Trade Organisation on the topic. A Commissioner, Marcelino Oreja, also agreed that as a result of lengthy discussion, a directive would be the best way forward and that the Commission would table a text. It all proved that politicians love to see their names in print. What was discussed next was blinding in its stupidity, breathtaking in its shortsightedness and questionable in its logic.
2.2 VideoCrypt Smart Cards
The Sky 11 card went active on the morning of April 20th 1997. From that time, all Sky 10 card hacks and cards stopped working. To date (01-08-97) there is no working hack on the Sky 11 card. This pattern is one that is now standard in the industry. Each new card enjoys a relatively hack free period of three to six months. At the earliest, the first hacks should start to surface in September. The worst case is that the hacks will not appear until close to Christmas.
The main speculation now relates to the format of the new hack. Most of the work on the basic structure seems to indicate that the new hack will be a variant of the Battery card approach. The history of the Sky 10 card hack as outlined below shows roughly how that approach works.
The original hack on the Sky 10 card had been by means of a Battery Card. This hack had been confirmed on 05-04-96 by Megatek, an Irish based company. A mixture of overload and questionable legalities scuttled Megatek earlier this year. Two court orders, an injunction preventing them from trading and a Mareva order preventing them from reducing their assets within the state below £200,000, were granted against them by an Irish High Court judge on foot of a raid in the UK on their supplier.
The Battery card hack worked exceedingly well and most people who received their cards before Megatek was hit were happy with the performance. Other legal hassles forced Benedex out of the market. This left Cardtronix as the main company in the field of Battery Cards. This fact was to become apparent when News Datacom and Sky implemented an ECM in early August 1996, the day was, significantly, a public holiday in Ireland.
Cardtronix had the upgrade within a few days though it did involve sending the card back to them. This somewhat undermined the reprogrammability aspect that had attracted many into purchasing this card. Of course with the absence of Megatek, who had earlier disappeared due to legal action, interdiction and some rather dodgy infiltration work by Sky's security "consultancy", Megatek card owners were left with the option of sending their card to Cardtronix for upgrade. Cardtronix were charging in the region of thirty five pounds for this upgrade. The owners of Benedex cards were in a similar position. This did not please some pirate card vendors and one in particular tried to represent himself as the saviour of the masses, bleating loudly about the upgrade fee that Cardtronix were charging.
Subsequent ECMs by Sky, aimed at the Cardtronix battery card, were only temporarily successful. Sky were the losers in this situation as Cardtronix generally posted the update codes within a few days at most. The situation was not helped by Cardtronix having a number of versions of the card software in the market. This meant that some versions of the card were affected differently. This gave ammunition to the feud between Defiant's marketing buddy and Cardtronix. However these cards have now largely been reprogrammed.
The hack pattern for VideoCrypt is that the official card remains more or less secure for the first six months and then a hack appears. The hack, for the system, is of a catastrophic nature. Once it appears, there is a running battle of countermeasure versus counter-countermeasure for the remaining twelve months or so of the card's lifetime.
Pirate smart cards are cards that have been manufactured to hack a channel. They are, in most cases totally different from official smart cards. The majority of these cards are based on the PIC16Cxx series of microcontrollers. Other variations have been seen but the PIC16Cxx cards are the commonest.
Over the past few months, the more expensive end of the market has tended towards the Battery Cards. These cards use the Dallas Semiconductors 5002FP secured microcontroller and are updatable by the card user. It is simply a question of dialing a phone number and getting the set of numbers to punch into the Battery Card.
There is also a trade in what are referred to as Grey Market smart cards. These are official cards, that are exported to another country. Generally it is a one for one trade with the broker taking a commission. For example, a BSkyB subscription would be taken out in the UK and a FilmNet subscription would be taken out in Sweden. The cards would then be swapped via a broker. The subscriptions would be kept up to date by both parties. The legal position on this activity is not clear as the channels benefit from the transaction in that they both get subscriptions. It does rely on mutual trust.
Purchasing a pirate card involves risk. The channels will implement electronic countermeasures to try and kill the pirate cards. Technically speaking, no pirate card can ever be 100% safe. This point has been proven too frequently over the last few months.
The system used by FilmNet Plus and TV1000 (among others) is EuroCrypt-M. This system has been continually hacked since 1992. In terms of value for money, users of EuroCrypt-M pirate smart cards have fared better. This is because the channels have not frequently implemented countermeasures. Of course the recent countermeasure by TV1000 has had a devastating effect. Most of the pirate smart cards have been knocked out.
The VideoCrypt system, as used by BSkyB and the Adult Channel, has been updated more regularly. The present BSkyB card is issue 11 or in technical terms, the 0B card. It is commonly referred to as issue 11 but the reason for the 0B reference is purely technical. In hexadecimal, the number 11 is represented as 0B.
In addition to issuing a new smart card every eighteen months or so, BSkyB and News Datacom also implement countermeasures to knock out pirate smart cards. Over the last few months of the Sky 10, the time between these countermeasures had only been a few weeks. For about a month preceding the switch to 10, BSkyB was in a transition from issue 09 to 10. Therefore they did not execute that many ECMs during that period. This is because the 10 card only had a simplified version of the 09 algorithm in order to cope during this transition stage. The same situation applied to the Sky 10 to Sky 11 transition.
As a direct result of ECMs such as key changes, many of the pirate cards had to be sent back to the dealer for upgrade. Some innovative pirates designed their cards (the Battery Cards) so that they can be upgraded by the customer. The solutions for the countermeasures are recorded as a set of numbers on an answering machine. The customer rings the phone number with the answering machine and gets the update numbers. He then enters them into the pirate card via a key pad. Other solutions such as a modem on the pirate card have also been seen.
Though the piracy on Sky 10 was not as bad as that on previous card issues, it flourished. Much of the piracy on the 10 card was based on Phoenixed 10 cards. These are Sky 10 cards that have been activated for all channels. On November 7th 1996, an ECM designed to hit these Phoenixed cards managed to knock out a major portion of them. The cards were rendered invalid and thus were only suitable for recycling for their ASICs.
The deluge of hacks that followed the initial ones has put Sky in a very tricky position. The collapse of cooperation among pirates meant that the Phoenix Hacks, PIC16C84 based hacks and SEASON 10 hacks entered the public domain in a very short timeframe.
Faced with the total collapse of the security on the Sky 10 and the strategic value of already having a new card in situ, Sky moved against the pirates. The move occurred on April 20th, the eve of the Cable And Satellite Show in London on the 21st of April. The Cable and Satellite Show is the biggest satellite trade show in the UK and it is one that most of the trade in Europe attends. The move by Sky had the effect of causing disruption to pirates and hackers who had hoped to attend, confident in the knowledge that once more Sky would have to demonstrate a compromised system.
In real terms, anyone purchasing a pirate card is taking a risk. The pirate card will eventually be hit by a countermeasure. If it is not, then the channel may issue a new smart card with the consequence that all of the old pirate smart cards will be knocked out. Nowhere was this more clearly demonstrated than with the Sky 10.
2.3 What is Season or Omigod software?
The Season software began life as an attempt by Markus Kuhn and others to watch the final season of Star Trek: TNG. The final season was Season 7. As a result, the first working PC program that decoded BSkyB was named SEASON7. The first version of this program appeared in March of 1994. At the time, the current issue of the BSkyB card was Issue 7. Therefore some confusion arose.
The term Omigod (Oh My God!) was also used to describe the programs. Well the preceding hack using the PIC cards was known as the Ho Lee Fook hack! Over the months from March to May 1994, versions for different computers appeared. Many of these were posted on the alt.satellite.tv.europe newsgroup.
On May 18th 1994 BSkyB changed from issue 07 cards to their new issue 09 card. In hacker terms, May 18th is referred to as Dark Wednesday. The 09 card proved harder to hack but a temporary solution appeared in June of that year. It only lasted a few weeks before BSkyB changed codes again. Though some attempts at an issue 09 SEASON hack were made, the change of code by BSkyB stopped it cold. Well at least until just before Christmas.
On Christmas Eve 1994, no less than three versions of the SEASON hack appeared. Two of them worked on the PC and the other one worked on the Apple Mac. Of course BSkyB was paying attention and on January 4th 1995, they implemented a countermeasure that knocked out pirate cards and all of the SEASON hacks. The war between BSkyB and the pirates had recommenced. Updated versions of the SEASON hacks became available. This spiral of countermeasure and update has continued until the present. The issue of the new BSkyB card has changed the situation somewhat. The VideoCrypt SEASON hack was now living on borrowed time.
The algorithm in the 09 card issue was far more complex than the one used in the 07 card. While the 07 algorithm was not really designed to be extremely upgradable, the 09 algorithm is an extremely flexible algorithm. No doubt the 10 card algorithm will build heavily on the lessons of the 09.
At present only The Adult Channel (UK soft porn) and Eurotica (UK Hard Core Porn) are decoded by VideoCrypt SEASON programs without an on-board ASIC. None of the official BSkyB channels will be decoded by any of the old versions of SEASON programs available.
2.4 Where can I get the software from ?
At present, there are working versions of the SEASON hacks for the Adult Channel and Eurotica available on almost every European BBS. Though according to the law, hacks for the Adult Channel should not be distributed in the UK, they are widely circulated. It seems that the Adult Channel makes more money from advertising than subscriptions as the porn is heavily censored. The most popular of these programs is the Voyager program which also decodes the D2-MAC EuroCrypt-M channels.
With the change to Sky 10, most of the version 09 SEASON programs such as Voyager, SEASON, Freeview etc. stopped working. This is also the case with the Sky 11 card. All Sky 10 hacks ceased operation on 20-04-97. However in the meantime, these programs are available at all good sites, a few of which are listed below.
Note the capital letters and the forward slashes (/). They do make a difference as most of the ftp sites are run on UNIX systems. Unix systems are case sensitive.
The best site for these files at the moment is the Defiant site though due to the risk of legal action, Defiant has not posted software for hacking Sky on his site. It should be mentioned at this point that the day to day operation of the site has been taken over by Defiant's marketing buddy Mark Lee. Lee has turned the site into a commercial venture and as such it has rather gone downhill. The hits counter is rigged so that any page visited on the site will register as a hit. To get a more realistic view, divide the hits counter by the number of pages on the site.
2.5 The Season Cardadapter
The computer has to be connected to the VideoCrypt decoder via an interface. This interface is sometimes referred to as an Omigod or Season interface. It is essentially a simple design that allows the RS232 serial port of the computer to be connected to the TTL levels of the card socket. Most of the versions of the Season software include a text file on the construction details of this interface in a file called ADAPTER.TXT. Details of the adapter are on Erlangen in the directory :
The artwork for making the PCB interface is available in PostScript form at:
Because this software is using the serial port, timing can be critical. Other programs running in the background can interfere with the proper operation of the SEASON program. It is better to run the SEASON programs on PCs that do not have Memory Managers or Serial Device Drivers loaded.
The paulmax site listed above is Paul Maxwell-King's website and it is a very useful resource. It is also possible to purchase the PCB, the kit or indeed a fully constructed interface from his site. If you have any doubts about your electronic constructional abilities then buy a ready made interface.
The newsgroups alt.satellite.tv.crypt, alt.satellite.tv.europe and rec.video.satellite.europe are not for posting binaries. There is an associated binaries group, alt.satellite.tv-binaries though the availability of this group varies. The reason for this is that many of the Internet Service Providers tend to block the alt.binaries.* groups because they take up too much space on their newsservers and of course some of the stuff may be of questionable legality.
If you can't use ftp from your account then get yourself acquainted with ftpmail. As well as allowing you to get the software yourself and keeping traffic in the group down, it will also enable you to get any software on any subject !
For details of how to use ftpmail send a message with the word "help" in the body to:
The files will be returned uuencoded. This format is used to convert a file like an executable into straight ASCII capable of being sent as e-mail. In order to recover the file, you will have to have a program known as a uudecoder. Most e-mail clients now have the capability to decode these files.
2.7 What are blockers and what is Phoenix?
In the middle of the summer of 1994, there was little success in hacking BSkyB. A program was written in the TV-CRYPT for testing a theory. The theory dealt with the over the air addressing system on VideoCrypt. The question was: "could the presently available knowledge be used to switch on or off a BSkyB card?". At that time, the available knowledge consisted of the fragment of the 09 code that was killed in June and a working knowledge of how BSkyB encoded card numbers in their over the air addressing system. The available knowledge was sufficient.
The computer program written to test the theory was called Phoenix. Since most of the cards experimented upon were Quickstarts that BSkyB had killed, Phoenix, the mythical bird that rises from its own ashes seemed a good name.
Of course the program fell into the hands of commercial pirates. The Phoenix program on its own was useful to switch on the 09 Quickstarts that BSkyB had killed. It was also being used to switch on all channels on a BSkyB card with only the Multichannels subscription. It was a Musketeer hack - all for one and one for all. But that hack name had already been used.
Unfortunately these reactivated cards were only lasting a few days before being killed again by BSkyB. Then when BSkyB increased their kill cycle the cards only lasted a few hours. Some solution had to be found.
The solution lay in a hack of 1992 - the KENtucky Fried Chip. This was a modified version of the smart card - decoder microcontroller in the VideoCrypt decoder. It stopped BSkyB from turning off a card by examining each over the air packet for the identity number of the card in the card socket and stopping such a packet from reaching the smart card. BSkyB could not kill the card because the card never received the kill instruction.
Of course the chip used in the decoder was too expensive and there was a rather large number of redundant PIC16C84 chips available. The first blockers to hit the market had the blocking program in a PIC16C84. They consisted of a card socket, a PIC16C84 and a PCB. The official card, having been activated by the Phoenix program, would then only be used in the blocker. Luckily it was not named the Condom hack.
Of course the popularity of these devices soon meant that individually activating the Quickstart cards with the Phoenix program was taking too much time. The solution was to incorporate the Phoenix routines in the PIC16C84. These new blockers were more successful. Over the months from August to November, they were given a bewildering array of names; Genesis, SunBlocker, Sh*tblocker, Exodus.
Naturally BSkyB were a little upset with this resurrection of their dead cards. Their response, at first, was purely technical. Later in 1994, they took legal action in the UK against some people supplying blockers.
There was more to the VideoCrypt 09 smart card than people realised. The most important aspect was that BSkyB could actually write to the card. The instructions for doing this were carried in the same packets that carried the activation and deactivation instructions.
The blockers only looked for the specific identity number of the card in the card socket. As long as that identity number did not appear in the packet, it was let straight through to the card. BSkyB had managed to knock out a number of cards while they were in the blockers.
Some of these countermeasures were reversible in that the card itself was not completely dead. One of BSkyB's countermeasures did actually hit the card in a manner that effectively locked it. At that point, the blockers were becoming irrelevant - there were working pirate smart cards for VideoCrypt.
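The weakness in the blockers described above is a general one: a filter that drops packets on a single field (here the card number) is a denylist, and it can only stop what its author already knows about. The following is an added example, not code from the FAQ, the KENtucky Fried Chip or any blocker, and it does not use the real VideoCrypt packet format. The packet layout, the instruction names and the idea of a WRITE carried in the same stream without a card number are assumptions made so the filtering logic can be exercised.

```python
"""Toy model of the blocker weakness described above.

Added example, not FAQ or blocker code, and not the VideoCrypt packet
format.  Packet layout, instruction names and the unaddressed WRITE are
assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Packet:
    instr: str                      # "AUTH", "KILL" or "WRITE" (assumed names)
    target: Optional[int] = None    # card number the packet names; None = unaddressed
    cell: Optional[str] = None      # memory cell a WRITE patches (assumed)
    value: int = 0


@dataclass
class Card:
    number: int
    enabled: bool = True            # already switched on by Phoenix before use
    memory: dict = field(default_factory=lambda: {"lock": 0})

    @property
    def usable(self) -> bool:
        """A card is only any use if it is switched on and not locked."""
        return self.enabled and self.memory["lock"] == 0

    def process(self, pkt: Packet) -> None:
        """What an unprotected card does with each packet that reaches it."""
        if self.memory["lock"]:
            return
        if pkt.instr == "AUTH" and pkt.target == self.number:
            self.enabled = True
        elif pkt.instr == "KILL" and pkt.target == self.number:
            self.enabled = False
        elif pkt.instr == "WRITE" and pkt.cell is not None:
            # Assumption: a write carried in the same stream that does not
            # name a card number, so an ID-matching filter lets it through.
            self.memory[pkt.cell] = pkt.value


Blocker = Callable[[int, Iterable[Packet]], Iterable[Packet]]


def id_match_blocker(card_number: int, stream: Iterable[Packet]) -> Iterable[Packet]:
    """The 1994 design: drop only packets that carry this card's number."""
    return (p for p in stream if p.target != card_number)


def default_deny_blocker(card_number: int, stream: Iterable[Packet]) -> Iterable[Packet]:
    """Contrast: pass only the one packet type the blocker fully understands."""
    return (p for p in stream if p.instr == "AUTH" and p.target == card_number)


def run(blocker: Blocker, stream: Iterable[Packet], card_number: int = 1234) -> Card:
    """Feed a packet stream through a blocker into the card in its socket."""
    card = Card(number=card_number)
    for pkt in blocker(card_number, stream):
        card.process(pkt)
    return card


# Constructed stream: a turn-on for our card, the addressed kill the blocker
# was built to stop, a turn-on for someone else's card, then an unaddressed
# write that sets the lock cell.
SAMPLE_STREAM = [
    Packet("AUTH", target=1234),
    Packet("KILL", target=1234),
    Packet("AUTH", target=5678),
    Packet("WRITE", cell="lock", value=1),
]

if __name__ == "__main__":
    for name, blocker in (("id-match", id_match_blocker),
                          ("default-deny", default_deny_blocker)):
        card = run(blocker, SAMPLE_STREAM)
        print(f"{name:12s} enabled={card.enabled} lock={card.memory['lock']} usable={card.usable}")
```

The ID-matching blocker stops the addressed kill but passes the write, and the card ends up locked while still nominally switched on. The default-deny variant survives this stream, but only because it passes nothing it does not understand; to avoid dropping something the card legitimately needs it would have to know the complete packet grammar, which is exactly the knowledge the blocker authors did not have.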
The Phoenix program, in various guises, still works. Of course some of the newer smart cards from BSkyB have been found to be resistant to being activated with Phoenix.
During the wait for new code, some people started sending around files that look like the new code. During the lifetime of the Sky 10 there were a few incidents such as 10BLOCK.ZIP. This was not actually the code for a 10 Blocker but merely 09 Blocker code that does not work on 10. Using this code in the hope that it would stop a 10 card being killed was dangerous to say the least. The latest incarnation of this little scam was a supposed Sky 11 activator called 11alive.exe.
At the moment 01-08-97 there is no working Phoenix activation software for the Sky 11 card in general distribution. It is expected that the first hack on the Sky 11 card will be a Phoenix based program however the lack of Sky 11 cards may limit the damage of this hack. Unless the Phoenix hack gets to the public domain.
2.8 Are there any D2-MAC EuroCrypt-M Versions of The Season Hack?
The simple answer is yes. The original program was called MACcess. There is now a number of variants available. The most widely used variant is the Voyager program from William Jansen and ToySoft. This initially started out as a VideoCrypt program but MAC capability was added. Others such as Whopper and Minimac have also appeared.
The original author of the MACcess program did not update it due to the sheer abuse of the program. The comments from a few ungrateful idiots wanting the new version and at the same time insulting the original author for not supporting the program irritated not only the author but many hackers as well.
The EuroCrypt-M system is DES based. In an ironic way the system's greatest strength was its greatest weakness. Again the progression from pirate smart card to computer program was apparent. The main failure of D2-MAC EuroCrypt is in the minds of the people who employ it. They are not clever enough to appreciate the strengths of the system they are using and as such rely on a long period key update sequence.
Other programs such as Whopper and SEAMAC have also begun to gain acceptance. However the most widely used program is still the Voyager.
2.9 Is there a hack on Nagra?
There is no OMIGOD program for hacking Nagra. What occurred was that some JAFA from the English consumer publication, "What Satellite" heard about a program for monitoring the Nagra card-decoder communications and ignorantly assumed that it was an OMIGOD hack.
The Nagra Syster system has been hacked but it is not a hack on the access control system. It is rather a hack on the video scrambling aspect that takes advantage of a flaw in the SECAM standard. At present the hack only affects the SECAM version of the system. The pirate device is a decoder rather than a smart card and is based on a 68HC11 and a MACH130. It ascertains the shuffle sequence rather than hacking the datastream. Later versions use a different MACH.
The system has been hacked after five years of operational use without any real marketable hack. This is something of a record for a scrambling system in Europe.
Basically the SECAM based hack will determine the shuffle sequence and will then reassemble the video in the proper order. It has been pointed out that a key change may nuke this hack. However the hacker decoders continue to work at this time.
2.10 PIC Source code for hacks
Since late April 1995, there has been no security on the PIC16C84 microcontrollers. This is ironic because this microcontroller formed the backbone of the European piracy business. In late April, the information on popping (extracting the protected contents of the chip's memory) the PIC16C84 was published in a USENET newsgroup. An article on this can be found on the following webpages:
As a result of this information being published on USENET, everybody found out how to pop the PIC. All the code for the D2-MAC hacks and the BSkyB hacks was laid bare.
The source code for the PIC based D2-MAC cards is widely available on the net. The following WWW pages have D2-MAC code:
The PIC16C84 is still the backbone of the hobbyist market by accident rather than design. It is one of the more freely available microcontrollers due to its use in the 07, 09 and D2-MAC hacks. When the 07 and 09 VideoCrypt hacks became obsolete, most of these cards were pressed into use as D2-MAC EuroCrypt-M cards.
2.11 Other Smart Card Projects
A number of designs of DIY smart cards for VideoCrypt appeared during the lifetime of the 09 card. With the switch to 10, most of these became redundant unless the software could be converted for D2-MAC. As the software for the Sky 10 hack only became available late in the Sky 10 period, there was no conversion of the released Battery Card code (the X-Files) to run on any of these cards.
2.11a Michael Stegen's Multimac PIC Program
Many of the microcontrollers previously used for Sky 09 and Sky 07 hacks were converted to use as D2-MAC EuroCrypt-M hacks. The most popular hack available for this is Michael Stegen's program. This program is known as Multimac and it allows the user to select the programming parameters, (which pin is to be used for the Data port etc) for the PIC16C84. When the user is satisfied, the program will then generate an image file that can be loaded into the PIC16C84 using any one of a number of available PIC programmers.
In Defiant's Golden Axe award, Michael Stegen won by an astounding margin. A lot of people watching D2-MAC EuroCrypt channels are doing so courtesy of his excellent program. The program can be obtained on the following sites the first of which is Michael Stegen's own site:
2.11b The PIC Programmers
There are two methods of programming the PIC16C84; the parallel method and the serial method. The first method is that used by most commercial programmers typically costing in excess of one hundred pounds. The serial method is more suited to the hobbyist and it is on this method that most of the PIC programmers currently on sale on various WWW sites operate.
The two initial designs for programming the PIC16C84 via the serial method are the David Tait design and the Henk Schaer design. These designs are very cheap to implement, typically costing less than five pounds.
The initial David Tait design used a 4066 for switching. The Henk Schaer design used PNP transistors. In practice the Schaer design became more popular because it was easier to modify for PICBusting operation.
Both of these designs run off the parallel printer port. The Tait design comes with the source code in Basic and in C. The program with the Schaer design, PIC.EXE, is essentially self contained and easy to use. Both of these designs are extremely easy to construct even on Veroboard. Variants of the Tait programmer design appeared over the last few years. These variants could use either Inverting Open Collector buffers or Non-Inverting Open Collector buffers. The later variants were also capable of using transistor or 4066 switching. Other programmers such as Lidwig Catta's Ludipipo programmer were developed and are now in popular use.
One of the better PIC programmer file pages is given below:
2.11c PIC Programmers And Files Sites On The WWW
Some of the best sites for information on PIC programming and programmers are:
Luckily, the usual barrage of programs purporting to be a hack on Sky 11 has not materialised. However a few made it through and were found to be nothing other than renamed Sky 10 hacks. A Season hack always occurs at the very start of a card issue or at the very end of a card issue.
The reasons for the timing of such a hack are logical. At the start of the card issue, the implementation of the algorithm is at the most basic level. The more complex aspects would not have been used since there is no need for them. At the end of the issue, the code is public domain and there is enough expertise and knowledge to implement a SEASON hack.
With the Sky 11 card, many of the arguments that applied to Sky 10 also apply. Given the complexity of the BSkyB 10 card, a SEASON type hack was difficult but not impossible. The BSkyB 10 card had two chips; an Application Specific Integrated Circuit (ASIC) and a Siemens 8051 smart card microcontroller. The microcontroller had been popped and the ASIC has been reverse-engineered. It is the ASIC that has caused the delay in a hack getting to the market. Again the Sky 11 hack will face the same difficulties.
The pattern of the SEASON hacks in the past was trickle-down. The commercial hackers would hack the smart card and then after a few months, the code would be released to the hobbyists either by design or by mistake. The hobbyists would then develop the SEASON type hacks.
The Sky 10 SEASON relied on the ASICs being provided by commercial pirates. Cardtronix and Defiant's marketing buddy were selling ASICs and ASICed SEASON interfaces during the end of the Sky 10 issue.
2.13 BSkyB 10 & 11 Blockers
At the end of the Sky 10 card, a Sky 11 activator/blocker was marketed. This device depended on the dual datastream for operation. It worked. However with the switch to Sky 11 on 20-04-97, the device stopped working. At the moment there is no working Sky 11 blocker.
One of the commonest forms of blocker is one based on a Replay Hack. This is where the turn-on packet for the card is recorded and then, when the card is knocked out, the card is re-authorised using the recorded packet. Of course such a hack could only be guaranteed to work for one month. After that the date code changes. From the 09 on, the card program was designed not to respond to an authorisation packet dated earlier than the current or highest month value.
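The month check is a monotonic counter used as a replay defence, and the one-month window is exactly what such a counter leaves open. The following is an added example, not FAQ or pirate code; the packet fields and the month encoding are assumptions. The only behaviour taken from the text is that a card from the 09 issue on ignores an authorisation packet dated earlier than the current or highest month it has seen.

```python
"""Toy model of a replay blocker and the month check that limits it.

Added example, not FAQ or pirate code; packet fields and month encoding
are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class AuthPacket:
    card_number: int
    month: int      # assumed encoding: year * 12 + month
    channels: int   # assumed: bitmask of channels switched on


@dataclass(frozen=True)
class KillPacket:
    card_number: int


Packet = Union[AuthPacket, KillPacket]


class Card:
    def __init__(self, number: int) -> None:
        self.number = number
        self.channels = 0
        self.highest_month = 0

    def process(self, pkt: Packet, now_month: int) -> bool:
        """Apply one packet; now_month is the date carried in the datastream."""
        if pkt.card_number != self.number:
            return False
        if isinstance(pkt, KillPacket):
            self.channels = 0
            return True
        # The anti-replay rule: anything dated before the current month, or
        # before the newest authorisation already applied, is ignored.
        if pkt.month < max(now_month, self.highest_month):
            return False
        self.highest_month = pkt.month
        self.channels = pkt.channels
        return True


class ReplayBlocker:
    """Sits between decoder and card: records the last turn-on packet for
    this card and resends it whenever the card has just been killed."""

    def __init__(self, card: Card) -> None:
        self.card = card
        self.recorded: Optional[AuthPacket] = None

    def feed(self, pkt: Packet, now_month: int) -> bool:
        """Returns True only if a replay was attempted and the card took it."""
        if isinstance(pkt, AuthPacket) and pkt.card_number == self.card.number:
            self.recorded = pkt
        self.card.process(pkt, now_month)
        if isinstance(pkt, KillPacket) and self.recorded is not None:
            return self.card.process(self.recorded, now_month)
        return False


def simulate(events: List[Tuple[int, Packet]], card_number: int = 1234) -> int:
    """Run (current_month, packet) events through blocker and card and return
    the channel mask the card ends up with."""
    card = Card(card_number)
    blocker = ReplayBlocker(card)
    for now_month, pkt in events:
        blocker.feed(pkt, now_month)
    return card.channels


MARCH_96 = 1996 * 12 + 3   # constructed month index

# Constructed: turn-on then kill in the same month; the replay succeeds.
SAME_MONTH = [
    (MARCH_96, AuthPacket(1234, MARCH_96, 0b111)),
    (MARCH_96, KillPacket(1234)),
]
# Constructed: the same, then a kill after the month has rolled over; the
# recorded March packet is now stale and the card ignores the replay.
NEXT_MONTH = SAME_MONTH + [(MARCH_96 + 1, KillPacket(1234))]

if __name__ == "__main__":
    print("same month :", bin(simulate(SAME_MONTH)))
    print("next month :", bin(simulate(NEXT_MONTH)))
```

Within the month the recorded packet is as good as a fresh one, which is why the replay blocker works at all; once the datastream date moves on, the same packet is rejected and the blocker has nothing newer to send.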
Past Experiences With Sky 10
Given the fact that the ASIC in the BSkyB 10 card allowed for some really nasty encryption to be applied to the authorisation packets, BSkyB 10 Blockers were not that reliable. This coupled with the fact that official 10 cards were a lot more difficult to obtain meant that a hack on the scale of the original Phoenix/Genesis blocker hack was unlikely.
As was expected, the first product from the X-Files was a Phoenix activator program. It did of course activate the official cards. It was ECMed a few weeks later though a new Phoenix was released shortly after this ECM.
The problem here is that there was no Quickstart program in operation and therefore there was no readily accessible official smart card supply.
This may have had a far more lethal effect on Sky's subscriber base as the majority of piracy that will occur by this means will be on legitimate cards. If BSkyB lose control of their access control system again in the same fashion as the 09 Phoenix, they will face potential annihilation.
2.14 The Fictional Pentium Hack On VideoCrypt
The internet is often the source of some amazing stories and rumours. It appears that "What Satellite" has fallen victim to one of the oldest ones. The story in question was the Pentium based video only hack on VideoCrypt.
According to "What Satellite", the hack was based on a Pentium chip that decoded the scrambled VideoCrypt signal in real time. The contradictions in the story were rife. The hack was apparently a stand-alone hack that was housed on a daughter-board that could be fixed inside IRDs. If it was a stand-alone hack then why was it referred to as a daughter-board? Stand-alone hacks are just that - stand-alone. They have their own cases.
Other more apparent mistakes slipped by unnoticed. The hack was said to, "by sheer dint of processing power", to be able to reconstruct the scrambled picture at a rate of 50 frames per second. This was what What Satellite called normal video quality. Unfortunately, the normal video rates in PAL625 are 50 fields per second or 25 Frames per second. This fictional hack was running at twice normal frame rate. Either that or "What Satellite" had just proven that in order to write about technology you should at least understand technology.
It seems that someone at "What Satellite" had read a few messages on the Usenet newsgroups discussing such a hack. This topic of a processor based attack on VideoCrypt rears its head every few months. As the internet and usenet get more popular, it is not unusual to see the same questions being asked a few times each month.
The main problem with this hack is that it requires a lot of digital signal processing. Using a Pentium to carry out the calculations might, on the surface, seem attractive but there are other chips that are better suited. These chips are Digital Signal Processors.
There was a processor based hack on VideoCrypt a few years ago. The hack, carried out by Markus Kuhn, used a rather expensive computer to reassemble the scrambled video. The processing power used was far in excess of that available from a Pentium and it was not completely real-time.
The source code for a test of this type of hack is readily available on the internet and on various BBSes. A sampled scrambled picture is included. It does take a few minutes to decode even on a relatively fast computer.
One factor that "What Satellite" seems to have overlooked is the cost of this fictional hack. A fast Pentium, with motherboard, RAM and interface would be in the region of L1000 or so. This would definitely not be an economical hack. One of the first rules of piracy is that you have got to be able to sell the hack. It would be difficult to envisage anyone desperate enough to waste L1000 on watching BSkyB.
A number of people are working on DSP experiments with VideoCrypt. One hack used four DSPs to decode but the hack crashed every few minutes. The primary reason was that the screen fades and single colour backgrounds are hard to analyse successfully.
For those interested, it was the February 1996 issue of the magazine that carried the article, not the April issue!
Some work is being done on the problem of hacking a line cut and rotate signal such as VideoCrypt with DSPs. There are a number of schools of thought on the usability of the hack. However given the advances in chip technology and the falling prices of the relevant technology, such a hack will occur sooner or later. It is all a question of cost. If the situation arises that the smart card is too complex or costly to be hacked then alternative methods of hacking the system will be looked at.
2.15 The DDT Hack On VideoCrypt
Delayed Data Transfer was a hack that was created in the period between the hacks for BSkyB 07 and BSkyB 09. Basically it was a case of continuing to watch the VideoCrypt encoded channels using the Season type interface and a video recorder.
The hack was elegant in execution. The hacker would record the scrambled version of the programme off-air. Then when the programme was over, he would download a VCL file off of a BBS or internet site. The VCL file is a data recording of the valid card answers for the particular programme. It was then a question of rewinding the tape and playing back the scrambled program through the video recorder. The VCL file would be fed to the decoder via the Season interface. The programme would be decoded as if there was an officially authorised smart card in the decoder's card slot. The video quality was not brilliant but the hack works.
BSkyB replayed the Bruno Vs Tyson Fight a few times over the 17-03-96. Each time they replayed it, it was only available to PPV viewers. Any subscriber who had paid for it once was able to watch any of these replays.
Of course it also meant that a VCL file created on the first play at 0400 hrs and uploaded to an internet site or BBS voided the subsequent replays.
The reason for the subsequent replays of the event being void is that the VCL would exist and therefore rather than paying for the event, it would be a case of recording the scrambled event and the using the VCL.
The use of VCL files is a direct assault on BSkyB's PPV mechanism. There is a large base of hackers with Season interfaces and VCL files for various programmes on Sky One and the movie channels have been seen on internet FTP sites and BBSes throughout Europe.
To date most of the VCL files have appeared on internet sites and BBSes outside of the UK jurisdiction. While posting such a file inside the UK may be an offence under UK law, the situation changes when the site is outside the UK. It is conceivable that the VCL files could be posted on to a Usenet newsgroup via an anonymous remailer. It would be extremely difficult for BSkyB to stop such messages getting through other than by issuing control messages to cancel them or by threatening internet service providers who allow access to newsgroups carrying these messages. The chances are that BSkyB will try to play down the effects by saying that they are negligible. In the meantime, the PPV events may well have thousands of extra viewers.
The legal position of this is untested. The blockers and pirate cards were covered under UK law and even then BSkyB could not successfully prosecute all of those using and distributing these devices. It is difficult to decide if this counter-piracy failure was due to the sheer numbers of users and sellers or just plain cluelessness.
The terms and conditions for the PPV event mention that any part of the transmission may not be reused or redistributed. Therefore it could be argued that distributing the VCL file would be a breach of the conditions. However it would still not stop the VCLs being distributed.
Moving against the redistribution of the VCL files would be counterproductive for BSkyB. They would be drawing attention to the gaping wound in their PPV system and even the clueless media analysts may take notice.
At present, the only users of the DDT hack are outside the UK and Ireland and are unable to get a legitimate subscription to the BSkyB channels. It has been mentioned that most of the current users of VCL files do so only to watch a few specific programmes rather than the complete schedule. Therefore the threat of such a hack to BSkyB could be considered minimal.
Other factors come into play as well. Some VCRs do not reliably record the scrambled picture and data. Most VideoCrypt decoders are now integrated with the receivers (IRDs) and stand-alone VideoCrypt decoders are becoming rare. This means that a hardware modification is necessary to use the DDT hack.
2.16 How Did BSkyB Implement Pay Per View
The original PPV implementation in VideoCrypt depended heavily on the 8052 microcontroller in the decoder. This was not a good thing as the code from this microcontroller was easily extracted. It was a token based system where a token would be deducted from a reservoir in the card when the subscriber pressed the Authorise button. This implementation was compromised and it forced News Datacom to implement a pseudo-channel based system.
Each event is assigned its own channel identification. A subscriber wishing to view the event would have to ring BSkyB and request that his card is authorised for the event. The subscriber's card ID would then be added to the turn-on list transmitted on the event channel. Once the card is authorised, the On-Screen-Graphics will display "EVENTS PAID 66".
If the Bruno-Tyson fight is anything to go by, each PPV event will be repeated at various times in the day. An authorised card will decode any of these repeat showings. Of course by the time of the second showing, the VCL file will probably be available thereby compromising the PPV security.
The compromise to the PPV security comes from the fact that the PPV program can be recorded and the VCL file can be reused. This means that the PPV transport is compromised.
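The DDT hack of 2.15 and the PPV compromise of 2.16 are the same failure: the card's answers are a function of the broadcast data alone, so a transcript of them (the VCL file) decodes any recording of that programme on any decoder. The following is an added example, not FAQ code and not VideoCrypt. The scrambling is a toy line rotation, the "card" is an HMAC over a per-line seed carried in the broadcast, and the VCL layout is invented; what it shares with the real system is that replayability property.

```python
"""Toy model of the DDT / VCL file replay described in 2.15 and 2.16.

Added example, not FAQ code and not VideoCrypt.  Toy line rotation, an
HMAC "card" and an invented VCL layout; the card answers depend only on
the broadcast data, which is the property that makes the replay work.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

CARD_SECRET = b"constructed-secret-not-a-real-key"   # shared by uplink and card


def card_answer(seed: bytes) -> int:
    """The smart card: the cut point for this line, derived from the seed."""
    mac = hmac.new(CARD_SECRET, seed, hashlib.sha256).digest()
    return mac[0]


def rotate_left(line: bytes, cut: int) -> bytes:
    """Toy cut-and-rotate: the uplink's scrambling of one line."""
    cut %= len(line)
    return line[cut:] + line[:cut]


def rotate_right(line: bytes, cut: int) -> bytes:
    """Inverse of rotate_left with the same cut point."""
    cut %= len(line)
    return line[-cut:] + line[:-cut] if cut else line


def uplink(frames: List[bytes]) -> List[Tuple[bytes, bytes]]:
    """Scramble each line and send it with the seed the card needs."""
    out = []
    for i, line in enumerate(frames):
        seed = i.to_bytes(4, "big")
        out.append((seed, rotate_left(line, card_answer(seed))))
    return out


def decode_with_card(stream: List[Tuple[bytes, bytes]]) -> List[bytes]:
    """A decoder with a real, authorised card in the slot."""
    return [rotate_right(s, card_answer(seed)) for seed, s in stream]


def record_vcl(stream: List[Tuple[bytes, bytes]]) -> Dict[bytes, int]:
    """A Season interface logging the card's answer to every seed it saw."""
    return {seed: card_answer(seed) for seed, _ in stream}


def decode_with_vcl(stream: List[Tuple[bytes, bytes]], vcl: Dict[bytes, int]) -> List[bytes]:
    """DDT replay: tape of the scrambled programme plus the VCL, no card."""
    return [rotate_right(s, vcl[seed]) for seed, s in stream]


PROGRAMME = [f"line {i:02d} of the event".encode() for i in range(8)]   # constructed

if __name__ == "__main__":
    off_air = uplink(PROGRAMME)          # what a VCR records
    vcl = record_vcl(off_air)            # what one paying viewer uploads
    print("card   :", decode_with_card(off_air) == PROGRAMME)
    print("replay :", decode_with_vcl(off_air, vcl) == PROGRAMME)
```

Nothing in the exchange binds an answer to the decoder asking or to the time of viewing; the PPV turn-on list only decides which cards will answer, and once any one of them has, the answers themselves are freely reusable against the recording.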
2.17 How BSkyB's 17-03-96 PPV Event Was Compromised
In addition to the DDT hack, the PPV event was compromised by means of a Phoenix hack that upgraded existing Sky cards to receive the PPV event. It appeared as a message posted on the internet and some dial-up BBSes early on Saturday 16-03-96. The message is reproduced below:
By midday on Saturday, the above string had been incorporated into a number of Phoenix programs which were posted on to various BBSes, WWW sites and also into the main usenet newsgroups. The commonest one in circulation was FREETYSO.ZIP.
In order to use the program it was necessary to have a Phoenix/Season interface capable of activating Sky cards. A lot of these are still in circulation and are currently used for the D2-MAC emulators.
2.18 The Battery Card Hack On The Sky 10 Card
Shortly after the Sky 10 card went active, Megatek, an Irish company announced that they would be shipping their upgrade for their battery card. Their main product was a battery card which since 31-10-95 had decoded only the D2-MAC channels.
The upgrade to their battery card consisted of an additional board carrying the ASIC emulation and a reprogramming of the battery card's main memory. As a result the card did not have enough memory left to include the routines to decode the D2-MAC channels. In its place, Megatek were offering a free wafer card (a reprogrammed Sky 09 card?) to decode these channels as part of the upgrade.
This time, the hack on the Sky card was more complex. It required an additional ASIC emulator which Megatek had, in their design, named the Skylark chip. Other battery card implementations had similar ASIC emulators.
As predicted in a previous version of the FAQ, the alternative to a free SEASON program is a commercialised SEASON: the user obtains the SEASON program freely on the Internet or the BBSes but has to purchase a SEASON interface with an integrated ASIC emulator. However the dealers would probably make more of a profit from the sale of battery cards than from a modified SEASON interface. This actually occurred when Cardtronix started to market the ASICs for the SEASON interface at the end of the Sky 10.
2.19 What Happened To Megatek?
Megatek were eliminated by a combination of legal action, supply interdiction, and some infiltration of questionable legality by Sky's security consultancy.
Apparently Sky's security consultancy, Network Security Management, had managed to obtain the confidence of a key player in the Megatek operation. Having obtained that confidence they proceeded to introduce another Network operative into the Megatek shop.
By this subterfuge, they managed to set up the UK end of the Megatek operation for a raid by the Federation Against Copyright Theft. The result was that the supply of battery cards was interdicted and Megatek were forced to close as a result.
People who sent their battery cards and funds to Megatek are unlikely to have them returned. In the end it looks like the overall responsibility for the closure of Megatek lies with the people in Sky and News Datacom who took what, in hindsight, was a foolish decision.
The raid on the UK premises was covered in the Daily Mirror, a UK tabloid newspaper. A Sky source at the pre-raid briefing was quoted in the newspaper as saying that the piracy on Sky 09 was of such an extent that it threatened the existence of BSkyB. Whether this was just another clueless quotation from a Sky 'droid or a genuine expression of fear has not been established.
The legal situation in the UK on this raid has yet to be resolved and there are some questions about the raid that have yet to be answered. Perhaps of comically crucial importance, did the Network Security Management operatives commit any crimes of fraud in the jurisdiction of Ireland by being involved in selling pirate Sky cards? After all they were not pirates but were pretending to be so in order to continue their work for Sky. In this respect, people who were dealing with them were defrauded as they were not dealing with pirates. Or since they were working for Sky, does this mean that Sky by a rather circuitous route were linked to the sale of pirate Sky cards? For a lawyer it would be a target rich environment. At the heart of it would be the arguments whether it is right to break the law in order to bring a prosecution for breaking the law; and in which jurisdiction can the prosecution be brought; and finally who gets prosecuted?
The capability for strategic thinking has been absent in the people responsible for the elimination of Megatek. It of course is not surprising considering their lacklustre performance in the past. When Megatek were in operation, the problem of piracy on Sky 10 was largely under control. There was no real home market problem for Sky. The cost of the Battery Card was high enough to make it relatively unattractive in the UK. Phoenixed cards by comparison were selling poorly. But then Sky, News Datacom and their cohorts had to go and wreck the stable situation. The result is that piracy spun out of control on the Sky 10. To paraphrase a line from "All The President's Men", these are just not very bright people.
The business of piracy is complex and is often beyond those who think in the simple terms of black and white. In piracy, everything is best considered in shades of grey. Piracy can be used to help a channel or indeed certain types of piracy, notably Grey Market Piracy, can be used to control the piracy on a channel. Properly handled, the piracy situation can be used to control the level of piracy on a channel or service. Such skills and levels of complexity are beyond many of the European channels and indeed the US channels as well.
The main business of Megatek has been taken over by Cardtronix. They were the heirs to the battery card empire much to the disgust of some other pirate dealers.
2.20 Phoenixed 11 Cards
At the time of writing there are rumours of Phoenixed 11 cards but nothing has been seen yet. Of course there are always rumours in the Blackbox industry.
Phoenix - The Sky 10 Experience
The first hack on the Sky 10 card was a Phoenix hack. Some of these early Phoenix cards kept working right up until the activation of the Sky 11 card. While the software for this operation was largely overshadowed by the Battery Card hack, it continued to putter away in the background providing revenue for small-time pirates denied access to the battery cards.
The Phoenixed 10 cards were ex official cards that had, in some cases, their card numbers changed to that of a master card number. As long as the master card's subscription remains current and it is not detected as a clone master card subscription, then the clone cards will work.
On 22/12/96 there was a release of a public domain Phoenix which enabled ordinary users to activate their own cards. Naturally a few companies took advantage of this Christmas present and started to gouge the market, posting adverts in the newsgroups at rather high prices. Of course the pirate dealers maintained their prices for a very good reason: when the inevitable ECM came, these gougers were out of business.
Most of the real Phoenix piracy occurs outside the home market of BSkyB. The reason for this is that the people there cannot get legitimate access to the BSkyB services. It follows that they are also unable to get access to the actual Sky 10 cards so even with the publicly available Phoenix they would still be left in the same position as before the release. The pirate dealers, being aware of this looked on the Phoenix release as a temporary glitch.
The ECMs by Sky were aimed at the Phoenix cards. The effect of the 07-11-96 ECM was not complete in that it rendered some of the Phoenixed cards INVALID and merely switched others off. The ECM of 15-01-97 did not render cards INVALID. Instead it just set them to INCORRECT CARD. When a card is rendered INVALID then it is only good for recycling: the ASIC is still usable and is extracted for use with Battery Cards. The Sky 10 cards showing INCORRECT CARD were reactivated by a later Phoenix that lasted until 20-04-97.
2.21 The Hacks On DSS
At the moment, DSS appears to have moved to the 02 Datastream. It is believed that the new DSS card is based on the Sky 10 card and uses an ASIC. The first Phoenix hacks have appeared on the system with prices varying from $250 to $600. It is not known how long these hacks will last or whether the Phoenixed cards will be hit with a drop-dead ECM.
The Digital Satellite System as used in the USA is a digital television system. The encryption overlay was supplied by News Datacom and it is this aspect that has been hacked. This will come as no surprise to Europeans who are more than familiar with News Datacom's record with the VideoCrypt system.
Basically the DSS implementation is a more complex version of VideoCrypt that has a fully functional Pay Per View aspect. The IRD has a second level of security in that it has an internal modem. This modem is used in the PPV implementation.
The initial form of piracy on DSS was Grey Market. At the moment, DSS is only legitimately available in the USA. Canada, Mexico and the Caribbean islands are therefore de-facto Grey Market areas.
People in these Grey Market areas purchased their IRDs and smart cards in the USA and shipped them out of the USA. IRDs are currently on sale in the Grey Market areas through satellite television dealers.
The PPV of course did cause some problems for these areas. The solution was a call spoofer. This device enabled a call from the IRD in a Grey Market area to appear like it originated inside the USA.
The second phase piracy, an actual hack on the smart card, entered the market in the last quarter of 1995. This was a pirate card based on the Dallas 5002FP but unlike the European version, it did not have a keypad.
A sequence of ECMs was implemented by News Datacom and DSS. They succeeded in knocking out the pirate cards for at most a few days. After a while, the situation began to resemble the last days of the 09 Sky card in Europe where ECM was matched against ECCM.
A number of pirate smart cards were available for DSS-01. Most of them were based on the Dallas microcontrollers. The original pirate card is a Dallas 5002FP based card. The second card is based on the Dallas 5000.
The DSS-01 card was based on the 6805 architecture used on the 09 Sky cards. It uses a 38K4 baud rate for the card - decoder link. In this respect it is similar to the VideoCrypt 2 card, which also uses a 38K4 link. The VideoCrypt 1 card uses a 9600 baud link.
The source code for a program to read the subscription details from a DSS card using the Phoenix interface is given in European Scrambling Systems 5. (see Section 3.2) and should be in widespread distribution.
There was a large market in Phoenixed DSS-01 cards as well. The software for this was widely available from about September 1996 onwards.
A SEASON for the DSS was released. It was almost inevitable that one would be. The program by Pierre G. Martineau ran on a 486/40 with 1 MB of RAM. Basically it made an image of the address space of a genuine DSS card and used that image to read from and write to in the emulation. In this respect the DSS card is similar to the Sky 09. Many of the same ideas found in that card were carried over to DSS. It is not surprising considering the time frame and News Datacom's habit of reusing code modules and techniques.
However with the switch to the new datastream, this program does not work any more.
The DSS-01 Season program is available from:
This is the FAQ for the alt.satellite.tv.crypt newsgroup. It is largely a European group but there is a lot of interest worldwide. There is now a brief FAQ on the hacking of DSS available on the following sites:
With the switch to the new datastream, it is not likely that this code will work. The new card is apparently based on the Sky 10 card and as such represents a significant shift in design.
The relevant DSS-01 cloning software is available from:
It should be noted that according to the page, all of these programs will be downloaded from the UK site which is outside of US jurisdiction. This is necessary because paranoia.com, the company that hosts the www.eurosat.com site is a US domiciled company and is therefore liable under US copyright law.
The new DSS card may well be heavily based on the Sky 10 card with perhaps some modifications to the ASIC. Some DSS cards resembling Sky 10 cards have turned up in the USA. These cards had the ASIC underneath the microcontroller so that the pad area did not look that different from the existing DSS card.
Given that the DSS is now completely compromised, a new card was essential to restore the system's integrity. Most of the legal cases taken in Canada against dealers and pirates have been thrown out of court on appeal. It looks like News Datacom and their US surrogates were just as unsuccessful there as they were in Europe.
The best sites for details on the American situation are:
2.22 The X-Files (The Release Of the Sky 10 Files)
The X-Files were released to BBSes around the 18th of September. The origin of the files was in question, and many SysOps, especially those in the UK, had grave reservations about posting them. One Sysop apparently took the risk and his line was continually engaged for about 48 hours.
The file made its way to the www.eurosat.com website and it was posted on 22-09-96. Apparently within hours of the file being posted, the site had about eight thousand hits. It is difficult to estimate the number of hackers who have the files. It is certainly in the region of thousands, perhaps tens of thousands. The problem with establishing the number of times that the file was downloaded is that most of the pages on the eurosat.com site contain a hidden HTML counter that will cause the hits counter to be incremented by one each time any of the pages are accessed. Thus with this confusion, it may be safer to divide the hits count displayed by the number of pages carrying this hidden HTML fragment. Even with that taken into consideration, it is probable that the X-Files were downloaded tens of thousands of times before they were removed from eurosat.com.
One particularly nasty thing dogged this otherwise, well for hackers at least, joyous event. An attempted e-zine on the eurosat.com site posted a fabricated story that Markus Kuhn had released the files and had threatened Sky and News Datacom.
The author of that e-zine, Defiant's marketing buddy Mark Lee, is not a journalist nor a reporter and of course had not checked out the facts as a journalist is bound to do. A hotchpotched semi-retraction was posted days later. However the offending article had not been removed; only the sections naming Markus Kuhn had been altered.
The actual origin of the files is still largely unknown. Indeed the files were uploaded to BBSes by someone using the logon of Sky Television. It was apparently a fake account name. After all would Sky be distributing such files? Their audience figures could not have sunk to such an all-time low that they actually need piracy.
The X-Files are intriguing. The files are the HEX files for the Megatek Battery Card and the Benedex Battery Cards. In addition to the HEX files, there was a serialisation file for the Megatek cards and a loader file.
It took a considerable amount of time for the code of the Battery Card files to be fully reversed. However it seems that there were no implementations on alternative processors other than the PIC16C84. That emulation came from Cardtronix rather than from the hobbyist area of the industry. They had implemented the code to fit in an 09 pirate PIC16C84 card. However the essential element was the ASIC. There were only two supplies of ASIC: the official card and the Cardtronix supply.
There were mixed feelings over using the ASIC from an official Sky card as part of a pirate card. The reason for this is that it would have been easier to Phoenix the official card thus making it a more easily processed product.
Other aspects of the HEX files include the code for D2-MAC channels including Rendezvous. However Rendezvous carried out an ECM recently (and disappeared from the screens completely) and the code in the X-Files may not work at present.
According to some sources the implementation of the Sky 10 emulation in the Dallas 5002FP was quite an achievement as the official card has twice the RAM of the 5002FP.
2.23 The Christmas 1996 Phoenix And Subsequent ECM
On the evening of 22-12-96, a Phoenix program was released to the public. The program, 10ON.EXE carried an interesting quotation from the movie "Pulp Fiction". It was the quotation from the Bible that one of the main characters recited just before shooting someone. It was a rather apt quotation considering that in this program it preceded the VideoCrypt access control system being shot. A more enigmatic line was just below it: "Defiant as always". This could have meant that the program was to be posted on Defiant's www.eurosat.com as per the usual pattern of hacks or that Defiant was somehow implicated in the release. It is the former that is most logical.
A second activator program followed on the groundwork of 10ON.EXE. This program Phoenix III from Toysoft built on the codes given in 10ON.EXE, had a more featureful user interface and allowed the selection or deletion of some PPV events. It was this program that was largely posted in WWW sites.
Over Christmas and for the first two weeks of January, people were readily able to upgrade their cards. The Phoenix hit Sky at a very awkward time. Had they decided to try an ECM during the Christmas holidays, they risked hitting many legitimate subscribers. It would have been disastrous for their already faltering public relations image. They waited until they had a large enough target.
On 15-01-97, Sky and News Datacom implemented the ECM. This ECM knocked out the Phoenixed cards leaving the Battery Cards unaffected. The manner in which it affected the Phoenixed cards was unusual. It did not render the cards INVALID. Instead it made the cards produce an INCORRECT CARD message when inserted in the decoders. Effectively the cards hit by the ECM could be reactivated.
Some of the commercially Phoenixed cards were unaffected, giving weight to the clone ID hypothesis. Others were flashing INCORRECT CARD every fifteen seconds or so. The commercial pirate dealers were able to update their cards. However the companies and individuals who had hopped on the clones bandwagon were unable to update their activated cards. Naturally some have disappeared. It seems that those who do not learn from history are often doomed to repeat it.
On 23-01-97, there was some concern over a program that was floating around purporting to be a fix for the 15-01-97 ECM. According to ToySoft, this program had nothing to do with him and would eventually render any card it was used on INVALID. Apparently the program would reactivate the ECMed card but Sky would eventually manage to render the card INVALID. In some cases this is exactly what this rogue program did.
2.24 The *REAL* History Of The Hacks On VideoCrypt
Some people quickly forget their history. Others never knew enough to forget in the first place. This section has been added because of a rather addled account of the evolution of the hacks on the VideoCrypt system being posted on the bpsc site. The problem is that the person who posted that account seems to have got the idea that a picture replaces a thousand words rather than being worth a thousand words. That account is at best fanciful and at worst wrong.
Originally Sky and News Datacom believed that they had the most pirate proof system yet developed. Five seconds later, (fifteen if you include the 10 seconds it took to write down), VideoCrypt was hacked. This hack was exceedingly simple. By tapping the data line and feeding the data to another VideoCrypt decoder, the other decoder would act as if it had the same card inserted in the decoder. It is a major flaw that affects most smart card based systems.
The theory was proven with two decoders, one card and a few bits of wire. The second decoder needed the data from the first decoder, the RESET signal and 0V. It was that simple. Of course the wire connection was an extraordinarily primitive method. Others, more user friendly such as modem, RF modem and internet distribution, were suggested and in some cases proven to work perfectly in an operational environment. The people in News Datacom and Sky were not pleased.
If the VideoCrypt system had worked as they had planned then this type of hack would not have worked. The original plan was that each decoder would be married to the card using a process called personalisation. In this process, the card would implant an ID number ensuring that the decoder would only work with that card. The card would then be authenticated by the decoder using the Fiat Shamir Zero Knowledge Test. However neither the decoder personalisation nor the Fiat Shamir ZKT worked. The results of those failures proved to be the complete and utter downfall of the VideoCrypt system. Had these aspects of the system been in proper operation, this hack and subsequent hacks would not have taken place or would have taken place with great difficulty. The McCormac Hack still works.
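The two paragraphs above describe why the card-sharing hack worked: the decoder consumed whatever the card said on the data line and never challenged it, so a second decoder listening on the same line was as good as the first. The following is an added illustration, not code from the FAQ, from Sky or from News Datacom, of the Fiat Shamir identification the FAQ says was planned: the card (prover) holds a secret s, the decoder (verifier) knows only v = s^2 mod n, and each round the decoder sends a fresh random challenge bit. Decoder personalisation (binding the card to one decoder ID) is a separate mechanism and is not modelled. The toy primes 1009 and 1013, the round count of 20 and the seeded random generators are assumptions chosen so that a run is reproducible.

```python
"""Fiat-Shamir identification between a card (prover) and a decoder
(verifier), and why a second decoder tapping the card's data line
cannot reuse the first decoder's session.

Added illustration; not code from the FAQ, from Sky or from News
Datacom.  The toy primes, the round count and the seeded random
generators are assumptions chosen so that a run is reproducible.
"""
import math
import random

ROUNDS = 20   # assumed; each round halves a cheating prover's odds


def keygen(p, q, rng):
    """Card secret s and public key (n, v) with v = s^2 mod n."""
    n = p * q
    while True:
        s = rng.randrange(2, n - 1)
        # s must be invertible mod n and must not square to 1, or the
        # challenge bit would make no difference to the check below
        if math.gcd(s, n) == 1 and (s * s) % n != 1:
            return (n, (s * s) % n), s


def prover_commit(n, rng):
    """Round step 1: the card picks r and sends x = r^2 mod n."""
    while True:
        r = rng.randrange(2, n - 1)
        if math.gcd(r, n) == 1:
            return r, (r * r) % n


def prover_respond(n, s, r, e):
    """Round step 3: the card answers y = r * s^e mod n to challenge bit e."""
    return (r * pow(s, e, n)) % n


def verifier_check(n, v, x, e, y):
    """Decoder accepts the round iff y^2 == x * v^e (mod n)."""
    return (y * y) % n == (x * pow(v, e, n)) % n


def identify(pub, s, card_rng, decoder_rng, rounds=ROUNDS):
    """One full identification.  Returns (accepted, transcript); the
    transcript is exactly what a tap on the card-decoder line sees."""
    n, v = pub
    transcript = []
    for _ in range(rounds):
        r, x = prover_commit(n, card_rng)
        e = decoder_rng.getrandbits(1)       # fresh challenge from the decoder
        y = prover_respond(n, s, r, e)
        transcript.append((x, e, y))
        if not verifier_check(n, v, x, e, y):
            return False, transcript
    return True, transcript


def replay(pub, transcript, challenges):
    """A second decoder that only has the tapped (x, y) pairs replays them
    against its own challenge bits.  A round passes only where its bit
    equals the one the first decoder happened to send."""
    n, v = pub
    return all(verifier_check(n, v, x, e2, y)
               for (x, _e1, y), e2 in zip(transcript, challenges))


def session(key_seed=1, card_seed=2, decoder_seed=3, p=1009, q=1013):
    """Reproducible legitimate run with the assumed toy primes."""
    pub, secret = keygen(p, q, random.Random(key_seed))
    accepted, tape = identify(pub, secret, random.Random(card_seed),
                              random.Random(decoder_seed))
    return pub, accepted, tape


if __name__ == "__main__":
    pub, accepted, tape = session()
    print("decoder 1 accepts its own card:", accepted)
    other = random.Random(4)
    fresh = [other.getrandbits(1) for _ in tape]
    print("decoder 2 replaying the tapped transcript:",
          replay(pub, tape, fresh))
    matched = sum(a == b for (_, a, _), b in zip(tape, fresh))
    print("rounds where decoder 2's bit happened to match:",
          f"{matched}/{len(tape)} (needs all {len(tape)})")
```

The replay succeeds only if every one of the second decoder's challenge bits coincides with the first decoder's, which for 20 rounds happens one time in about a million; a real deployment would use a far larger modulus and, for the tap described above, the second decoder would additionally have to get its own challenges onto the card's input line, which the wire-tap setup did not do.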
The Infinite Lives Hack allowed a Sky 1, 2, 3, 4 or 5 card to be used for the lifetime of the card without Sky being able to turn it off. It relied on a flaw in the programming of the card.
Prior to issue 06 of the Sky cards, the cards were commonly ST1834 microcontrollers. These were cards with EPROM memory. They required a programming voltage of approximately 21 Volts to write to the card.
This hack was also very simple in implementation. When Sky activated the card, all the hacker had to do was to make sure that the voltage on the programming pin Vpp was never allowed to rise near 21 Volts again. This involved fitting a 15 Volt Zener Diode and a resistor on the Vpp line to limit the voltage. There were of course commercial models available potted in epoxy resin and selling at very high prices.
Matters were only confused when some marketing idiot in Sky came up with the idea of giving away Sky cards activated for three months free subscription with the purchase of each new IRD. Of course these cards rarely made it to the purchaser of the IRD.
The KENtucky Fried Chip was the first time that a microcontroller in the VideoCrypt decoder had had its program altered to operate in a piratical manner. This was the birth of the Genesis Blocker theory and it took place during the lifetime of the 06 card.
The card - decoder interface is controlled by the 8052 in the decoder. The program was dumped from this microcontroller and analysed. It wasn't that hard to dump as someone in the manufacturing process had forgotten to set the protection on the chip thus allowing everyone to read it.
The KENtucky Fried Chip was a replacement for the original 8052. The modified program in it read the serial number from the card inserted in the decoder and then checked all of the packets going to the card. If it detected a packet with the card's serial number in it, it dropped that packet. Thus it prevented a kill packet from reaching the card.
The hack had been named after Ken Crouch, the head of Sky security as a mark of respect with a bit of humour. He had been successful in keeping the UK largely free of scam pirate operations and was respected by most pirates and hackers. The introduction of the 07 saw some new elements designed to counter this type of hack. A second version of the KFC was ready for launch during issue 07 but it was overtaken by events in the Blackbox industry.
The first reports of the 8752 hack started filtering through around Christmas of 1992. It was April 1993 before the hack appeared. Initially the hack was being marketed as a replacement for the 8052. It became known as the Ho Lee Fook hack after the exclamation uttered by executives when told of it.
One of the German hackers involved in the very early days of this hack was contacted and offered the paltry sum of five thousand pounds to forget about the hack. Needless to say he and many others did not. The origin of the code for this hack is shrouded in mystery. However it is believed that one of the initial 8752s that made its way to Germany was popped, thus allowing the spread of the code. It spread like wildfire, effectively crippling Sky.
The 8752 was a very messy hack. It was known as the Ho Lee Fook chip and the Futuretron CLO(W)N chip. It was messy because it was not user friendly. The decoder had to be modified in order to use it and this was a time consuming operation. Though the analogue Blackbox market was at its peak at that time, people were wary about modifying the VideoCrypt decoders. With the ECMs, these chips would have to be extracted from the decoders and sent for reprogramming.
The solution came in the form of the newly available PIC16C54, a low cost microcontroller with EPROM memory. It was a cheap microcontroller and it allowed the hack to be implemented in the form of a smart card. The hack was coded up in the space of a wet afternoon in the summer of 1993. By then what had been a trickle for Sky became a deluge. The 07 card was totally and utterly hacked. A number of ECMs were implemented by Sky in a mad effort to stop the piracy. They worked - temporarily. The hackers and pirates always came back.
The problem with the PIC16C54 and PIC16C57 became apparent as Sky and News Datacom began to increase the frequency of their ECMs. The PIC chips being used were the One Time Programmable versions. Thus when an ECM was implemented, the pirate card was effectively junk. The solution came in the form of a reprogrammable PIC, the PIC16C84.
Later that year, the pirates started to use the PIC16C84. This was a microcontroller with EEPROM memory. It meant that the pirate cards using this chip could be reprogrammed over and over again. It even got to the stage of some pirates including a small EEPROM chip on the card to hold all of the countermeasures for the ECMs. Sky and News Datacom had truly lost control of issue 07 during the Winter of 1993 but it was to be May 18th 1994 before they would finally admit their defeat and go active with Sky 09. They had dropped Sky 08 because all it involved was a change of keys.
In 1994 Sky was running the last ever season of Star Trek:TNG. It was Season 7. The program, running initially on an IBM compatible PC, emulated a VideoCrypt 07 card. It was developed by Markus Kuhn and others. The program was widely distributed on the internet and the BBSes. (see Section 2.3 for further details)
On May 18th 1994, Sky switched to issue 09. The code for issue 09 was put on auction a month later in the Dorchester Hotel in London. Only a fragment of the code, believed now to have been the transition form, made it to distribution. The code only worked for a week before Sky ECMed it. For both the commercial pirates and hobbyist hackers, it was to be a long hot summer of desperation.
A Phoenix program is a program that will activate a smart card that has been shut off or one that has not been activated. It largely originated from the TV-CRYPT and was heavily commercialised during the summer of 1994. With the availability of Quickstart 09 Sky cards, there was no shortage of official cards that could be pirated.
The Genesis Blockers/Activators allowed the official cards to be activated using code from a Phoenix program and blocked in the manner of the KENtucky Fried Chip. The software for this was coded into a PIC16C84. It was easy enough for Sky and News Datacom to counter, as nobody knew about the Nanocommands. These instructions appeared as ordinary subscriber numbers to the blockers, and since the number of the card being protected or blocked was not in them, these packets went straight to the card and killed it. (see Section 2.7 for more details)
The 09 Ho Lee Fook achieved operational stability in October 1994. Operational stability means that it operated smoothly and was only affected by ECMs. The initial versions were dual PIC16C84 cards with a smaller EEPROM on the same card. Gradually, as the use of Nanocommands as part of News Datacom's strategy of Counter-Piracy increased, the Battery Cards came into their own. They were susceptible to ECMs but they were faster at recovering. The 09 Ho Lee Fook was largely operational until 31st October 1995. There was over a year of complete piracy on Sky 09. Due to the huge loss of official cards in its Quickstart program (circa 1 million cards), Sky stopped its Quickstart program in May 1995. They had to, or they would have been in a very tricky situation over cards for new subscribers.
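The KENtucky Fried Chip paragraph earlier in this section and the Genesis Blocker paragraph above describe the same filter and the way it was beaten: the blocker dropped every packet carrying the protected card's serial number, and the Nanocommands got through because, on the wire, they carried some other subscriber number. The following model is added here to show both sides; it is not code from the FAQ or from any pirate product. The packet layout, the "nano" packet kind, the MASK constant and the serial numbers are constructed for the model (the XOR mask simply stands in for whatever real encoding News Datacom used, which the FAQ does not describe) and are not the VideoCrypt packet format.

```python
"""Model of a KENtucky-Fried-Chip style blocker sitting between the
decoder and the card, and of the nanocommand trick that got past it.

Added illustration; not code from the FAQ or from any pirate product.
The packet layout, the "nano" kind, the MASK constant and the serial
numbers are constructed for the model and are not the VideoCrypt
packet format, which the FAQ does not describe.
"""
from dataclasses import dataclass

PROTECTED = 0x00123456   # assumed serial of the card the blocker protects
MASK = 0x5A5A5A5A        # assumed constant known to the card but not the blocker


@dataclass(frozen=True)
class Packet:
    kind: str       # "turn_on", "kill" or "nano"
    target: int     # the subscriber number as it appears on the wire
    body: bytes = b""


def decode_target(pkt):
    """The card's own reading of who a packet is for.  A nanocommand
    carries its real target under MASK, so on the wire it looks like an
    ordinary packet for some other subscriber."""
    if pkt.kind == "nano":
        return pkt.target ^ MASK
    return pkt.target


class Card:
    """Official card: obeys a direct kill addressed to it and a
    nanocommand kill whose decoded target is its own serial."""

    def __init__(self, serial):
        self.serial = serial
        self.alive = True

    def receive(self, pkt):
        if decode_target(pkt) != self.serial:
            return
        if pkt.kind == "kill" or (pkt.kind == "nano" and pkt.body == b"KILL"):
            self.alive = False


def kfc_blocker(serial, packets):
    """What the KFC and the Genesis blockers did: drop any packet whose
    wire address is the protected serial, pass everything else."""
    return [p for p in packets if p.target != serial]


def card_view_blocker(serial, packets):
    """A blocker that applies the card's own address decoding before
    deciding, so the masked address is caught as well."""
    return [p for p in packets if decode_target(p) != serial]


def run(blocker, packets, serial=PROTECTED):
    """Feed a stream through a blocker into the card; True if it survives."""
    card = Card(serial)
    for pkt in blocker(serial, packets):
        card.receive(pkt)
    return card.alive


# Constructed sample stream: routine traffic for other subscribers, a
# direct kill for the protected card, then a nanocommand kill whose wire
# address is not the protected serial.
STREAM = [
    Packet("turn_on", 0x00111111),
    Packet("kill", 0x00222222),
    Packet("kill", PROTECTED),
    Packet("turn_on", 0x00333333),
    Packet("nano", PROTECTED ^ MASK, b"KILL"),
]

if __name__ == "__main__":
    direct_only = [p for p in STREAM if p.kind != "nano"]
    for label, blocker, stream in [
        ("KFC blocker, direct kills only", kfc_blocker, direct_only),
        ("KFC blocker, nanocommand present", kfc_blocker, STREAM),
        ("card-view blocker, nanocommand present", card_view_blocker, STREAM),
    ]:
        print(f"{label}: card {'alive' if run(blocker, stream) else 'killed'}")
```

The point the model makes is that a blocker can only protect a card if it interprets the stream exactly as the card does; the KFC and Genesis blockers matched on the address field as they understood it, the card understood the Nanocommands differently, and only the side that knew the card's parsing (News Datacom) could write the card_view_blocker equivalent.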
It was not convenient for the users of pirate cards to send them back for reprogramming every few weeks. The theory of reprogrammable pirate devices was well known in the US market with VideoCipher II. However it was not that well known in the European market. The original theory and diagram of a reprogrammable card was presented on page 7-78 of European Scrambling Systems 3, published in late 1992. It took a while for the ideas from this version of the Black Book and the American VideoCipher II market to soak into the European market.
The first Battery Card in Europe, the Futuretron / Benedex Omega Card filtered into the market just before Christmas 1994. It used a Dallas 5002FP microcontroller. This microcontroller was way beyond the PIC16C84 in terms of security. It had a lithium battery to back up the memory.
After a while, the card became known as the Battery Card. It was a revolution in technological terms. It meant that the card did not have to be returned to the dealer for reprogramming. All that was required was a simple set of numbers or letters that the user could enter into the card. These codes were made available via BBS, telephone answering machine and the internet.
Initially the Battery Card was not a great commercial success. It was expensive to manufacture and it was highly priced. The market had been flooded with low cost PIC16C84 cards that did VideoCrypt and others that did D2-MAC EuroCrypt. These cards were half or a third the price of the Battery Card and the dealers would generally reprogram them for a few pounds.
The Battery Card idea was also taken up by Megatek who produced their own card after the German model. The Megatek model used a different code input algorithm and was in some senses more successful due to better marketing. It was not until the 09 and 10 issues that the strengths of the Battery Card would become readily apparent.
Just before Christmas 1994, a number of 09 Season programs were released. At first their operation was unstable. As time passed, they achieved operational stability. The 09 algorithm, with its use of Nanocommand sub-instructions was a more complex beast than the 07.
Eventually, having become irritated by the number of people adding colourful front-ends to the program, the original programmer of the 09 Season released the source code. Markus Kuhn had decided against releasing a Season 09 due to the fact that there was a conflict over copyright. The Season 09 required an image of the Sky 09 card for operation.
The day before Sky's first Public PPV event, a code string was released. The code string when encoded in a Phoenix program allowed people to activate their Sky card for the event. (see Section 2.17 for more details)
One of the first products of the hack on the Sky 10 was the commercial Phoenix program. This program with interface was only available to dealers. Many of the cards activated by this method continued to operate successfully until recent ECMs. Some activated cards continue to operate successfully even after ECMs. (see Section 2.20 for more details)
The Megatek Battery Card was the first commercial hack on the Sky 10 card. It used Megatek's battery card and an add-on board carrying an ASIC. The ASIC was an emulation of the ASIC in the official Sky card. It has been the most successful hack of the Sky 10 to date. (see Section 2.18 for more details)
Being gluttons for punishment, Sky staged another PPV event on 09-11-96. This event was billed as Judgment Night. Naturally it was hacked in the same manner as the initial PPV event. The string was released in the usual manner but this time it was released as a working Phoenix program. The most widely used program was FREETYSO.EXE, a program by Toysoft that built on the released program.
On 22-12-96, a Phoenix program was released into the public domain. This program activated all channels on a Sky 10 card. It was subsequently ECMed on 15-01-97.
Amid releases and rumours of releases, the Season 10 appeared. While the conversation topics largely centred on the release of the Sky 11 card, a message was posted in alt.satellite.tv.crypt by Jan Saggiori that the Season 10 program and source code were available for download on two sites. The origin of the program was Romania.
The file containing the Season 10 program and source code was posted on a Compuserve website and on a website in Switzerland. A short while later, the file was reposted on websites and BBSes all over Europe and also on websites in North America.
In September last year, the X-Files were released. These were the actual battery card files. However they had been ECMed and few if any were able to get them working again. The supply of ASICs was, as it still is, a problem. However research on the released programs was always going on in the background.
The first few weeks of the year had been filled with uncertainty. Some reports were beginning to filter out about a new Sky 11 card, the 0B, finally being launched. A new website, claiming to be a project to develop a Season 97 program and soliciting donations towards the estimated nine thousand five hundred pounds development costs was launched. The e-mail address of the website's creators was mailbombed when it transpired that the site was just soliciting funds.
Cardtronix, on seeing the claims made by the website, asked on Thursday the 27th whether there was a market for a genuine Season 97. Then on Friday the 28th of February the knockout punch came: Jan Saggiori announced in a posting at 20:38 that the Romanian program Season71/MIMAS was available. This was the real thing.
A few hours later, Cardtronix posted a message that they had the ASICs for sale. These ASICs were properly encapsulated and can be used as an add-on to a Season interface.
The documentation released with the Season 10 archive stated that an ASIC from the Megatek battery card had been used with this program. It gave the pin outs for this chip. Unfortunately for the bulk of users of this program, they did not have access to this chip. There were two options; either buy one of the ASICs from Cardtronix or scavenge an ASIC from a legitimate Sky 10 card.
The general reaction to the program was muted though Defiant's rather vociferous marketing buddy tried to jump on the bandwagon selling ASICed SEASON interfaces. On his website (the bpsc one) he referred to the people who bought the ASICed interfaces from him as "Lucky Bastards". With the eventual change to Sky 11 nobody was lucky least of all those with ASICed Interfaces.
In terms of market penetration, this hack was not that successful. It was cumbersome and not as usable as previous hacks had been. This all goes to illustrate that the fundamental quality of a hack is that it has to be user friendly. Without that, it is merely dependent on the hobbyist market.
In early March, the fix for the Phoenix was released. This new version largely undid the damage that Sky and News Datacom had inflicted with their ECMs. The cards upgraded with this program lasted until the switchover on 20-04-97.
History repeated itself. This is of course fairly typical of Sky. This time, on the anniversary of their first hacked PPV debacle, a PIC16C84 version of the Sky 10 code was released.
The file was released on the Cardtronix website. This site is domiciled outside of the UK. At the moment, the file has not appeared on many of the UK based websites though it has been released into the alt.binaries.satellite-tv newsgroup. This Usenet newsgroup is widely available though many sites do not carry the alt.binaries newsgroups due to the massive amount of hard drive space that they take up. It is not unusual to see 1GB of traffic in these groups per day. However the fact that the file is on an easily accessible website meant that the distribution was assured.
The release of the Sky 10 code on a PIC16C84 was more or less unexpected. The value of the Sky 10 code had increased dramatically over the code from the Sky 09. The reason for this is that the Sky 10 code was kept relatively secure in the Dallas 5002 based battery cards; thus there was no rapidly compromisable source code to release.
With the advent of the X-Files in September last year, it was expected that there would be some attempt at a Phoenix, a SEASON and some sort of PIC implementation. However the time frame for these products was at least six months.
The release of the Sky 10 code on a PIC16C84 was a logical result of all this chaos. However it was released by Cardtronix rather than via a hobbyist source. The PIC16C84 based card required an ASIC from a legitimate card. This was the sticking point that prevented this hack becoming a viable product. Well that and the fact that roughly a month later Sky activated the 11 card.
Roughly a week before the switch to the Sky 11 card, a blocker appeared for the new card. This blocker was based on the PIC16C61. It used the dual 10/11 datastream that was being transmitted during the transition phase. With the switch to the Sky 11 datastream, this blocker was rendered useless.
2.25 The Loss Of Security - Popping The Dallas 5000 and 5002FP
Recent papers on smart card technology and tamper resistance have caused some upset in the Blackbox industry and in the secured microcontroller industry in general. The papers by Markus Kuhn and Ross Anderson outline some techniques used for reverse engineering smart cards and secured chips. Among the chips involved are the Dallas 5000 and the Dallas 5002FP.
The tamper resistance paper should be read by anyone dealing with the Dallas 5002FP as it gives the details of the approach used by Markus Kuhn to successfully pop the Dallas 5002FP. It also details the vulnerability of the Dallas 5000 used in the DSS battery cards.
The paper on Tamper Resistance is available on the following sites:
In another paper, on Differential Fault Analysis, a technique of spiking the clock of a smart card to derive the key is outlined. This technique has apparently been used in the Blackbox industry to obtain the DES keys for EuroCrypt.
Implementing the ideas in these papers can take some time. However the conclusion that the Dallas 5002FP is no longer secure is evident. Dallas have modified their silicon so that the attack outlined may no longer work. However there is a huge installed base to which the approach outlined can be applied.
2.26 Digital TV Hacking
It is ironic that the services perceived to be the motivators of the recent legal moves by the European Parliament were the first to suffer from piracy on their digital services. Of course it was also rather convenient in that it emphasised the point of the proposed legislation to ignorant politicians.
The hack initially started out as a PIC based hack though the source code that was released apparently was COP based. The hack worked on the Multichoice channels and the DMX channels. Cardtronix released a BPSC version of the hack for their cards though the majority of the cards sold were COP based. However shortly after the hack went public domain, it was ECMed. There were some rumours that a new hack, based on a real smart card would surface but to date nothing has been seen.
During the lifetime of the hack a Dutch magazine quoted a Multichoice official as saying that they were using a very low security algorithm on their system until certain problems were resolved. Some took this as being the usual guff from Multichoice and were rather shocked to find out that apparently this was the truth. The ECM knocked out all of the pirate cards. According to Defiant's marketing buddy, one Phoenixed official card survived the ECM. There is a fundamental difference between a Phoenixed official card and a pirate card. The pirate card only has a very cut down implementation of the algorithm and necessary protocol to make the card work. The official card has everything (the algorithms and most of the static keys) and so unless an ECM was directly aimed at hitting Phoenixed cards, the Phoenixed cards would continue to run.
There are reports that a program, MPEG2.EXE posted on some of the WWW sites and on the binaries newsgroup worked on the Irdeto digital services. There were also posts from people using other digital decoders that the program did not work. On some boxes it apparently left a message on the On Screen Graphics continually but the picture was decoded. However I have not been able to fully verify this at the moment. Apparently some of the channels are transmitted in the clear but the IRD keeps checking to see if the card is a genuine one before decoding.
2.27 Speculations And Other Events
All speculation at this stage is concentrated on the Sky 11. At the moment nobody is sure when the new pirate cards or the Phoenix hacks will surface. However some tell-tale ripples have been spotted. Strange advertisements have been seen in a few Irish newspapers claiming that Sky will soon be pirated again. The accuracy of these claims cannot be verified. The earliest date, however, that a hack may appear would be September.
A recent posting in the alt.satellite.tv.crypt newsgroup claimed that a hack on the video scrambling aspect of the VideoCrypt and Nagra systems had been achieved in Hungary. This hack was based on a DSP or possibly an ASIC performing Fast Fourier Transform to detect the cut points, and in the case of Nagra, the order of the sliding block.
The posting went on to state that there was only one prototype at the moment. The ramifications of such a hack are profound. It essentially means that all of the existing analogue scrambling methods are vulnerable to this kind of hack. Unlike the pirate cards of the past few years, this hack operates on the scrambling system itself. The pirate cards operate on the access control aspect.
When the VideoCrypt system was being developed circa 1987, the DSPs and the processing power necessary for such a hack was not available at an economically viable cost. Thus it was concluded that this type of hack was not possible on a commercial basis. However this is ten years later and the DSPs are available and perhaps in sufficient quantity and at a low cost. The cost of the pirate decoder based on this method is the key issue. If it can be marketed at a price of about two hundred pounds or so, then VideoCrypt as an analogue scrambling system is finished. It all depends on the costings and until these become clear, this is still only a prototype hack. The Blackbox industry however has greeted the news of the hack with a subdued glee.
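To make the distinction drawn above concrete (an attack on the scrambling itself rather than on the access control), here is an added illustration, not code from the FAQ or from the Hungarian prototype it reports, of recovering a line cut-and-rotate cut point from the picture content alone. It assumes a synthetic smooth 512-sample scan line and an 8-bit cut point (256 positions, as in VideoCrypt's line cut-and-rotate), and it finds the seam by brute-force continuity scoring rather than the FFT the posting mentioned; real VideoCrypt timing, blanking and sync are not modelled:

```python
"""Recovering a cut-and-rotate cut point from picture content alone.

Added example for this FAQ, not code from the FAQ or from the Hungarian
prototype it reports. The attack targets the scrambling layer, not the
access control: no card, no key, no seed. Assumptions: a synthetic smooth
512-sample scan line and an 8-bit cut point (256 positions, as in
VideoCrypt's line cut-and-rotate). Real VideoCrypt timing, blanking and
sync are not modelled.
"""
import math
import random

LINE_SAMPLES = 512     # assumed active-line sample count
NUM_CUT_POINTS = 256   # 8-bit cut point; its mapping to samples is assumed


def make_line(seed, n=LINE_SAMPLES):
    """Construct a smooth synthetic scan line: a gentle ramp plus three
    low-frequency sinusoids. Neighbouring samples are strongly correlated,
    which is the property of real video that the attack relies on."""
    rng = random.Random(seed)
    waves = [(rng.uniform(10, 25), rng.uniform(0, 2 * math.pi)) for _ in range(3)]
    line = []
    for i in range(n):
        t = i / n
        v = 128.0 + 30.0 * t
        for k, (amp, phase) in enumerate(waves, start=1):
            v += amp * math.sin(2 * math.pi * k * t + phase)
        line.append(v)
    return line


def cut_index(cp, n=LINE_SAMPLES):
    """Map a cut point 0..255 to a sample index (assumed linear mapping)."""
    return (cp * n) // NUM_CUT_POINTS


def scramble_line(line, cp):
    """Cut-and-rotate: transmit the part after the cut point first."""
    idx = cut_index(cp, len(line))
    return line[idx:] + line[:idx]


def unscramble_line(scrambled, cp):
    """Undo scramble_line for a known (or guessed) cut point."""
    n = len(scrambled)
    idx = cut_index(cp, n)
    return scrambled[n - idx:] + scrambled[:n - idx]


def roughness(line):
    """Sum of absolute sample-to-sample steps. A correctly rotated line is
    smooth end to end; any other rotation leaves the seam, where the two
    ends of the original line meet, inside the line, and that step counts."""
    return sum(abs(line[i] - line[i - 1]) for i in range(1, len(line)))


def recover_cut_point(scrambled):
    """Try every candidate cut point and keep the one giving the smoothest
    line. Brute force stands in for the DSP/FFT seam detection the posting
    described; 256 candidates per line is trivial at video rate today."""
    return min(range(NUM_CUT_POINTS),
               key=lambda cp: roughness(unscramble_line(scrambled, cp)))


def recover_sequence(seed, lines=16):
    """Scramble several lines with a random cut-point sequence (standing in
    for the sequence a real decoder derives from the card) and recover the
    whole sequence from the scrambled picture alone.
    Returns (true_cut_points, recovered_cut_points)."""
    rng = random.Random(seed)
    truth = [rng.randrange(NUM_CUT_POINTS) for _ in range(lines)]
    scrambled = [scramble_line(make_line(seed * 1000 + i), cp)
                 for i, cp in enumerate(truth)]
    return truth, [recover_cut_point(s) for s in scrambled]


if __name__ == "__main__":
    truth, found = recover_sequence(seed=42)
    print("true cut points:     ", truth)
    print("recovered cut points:", found)
    print("all recovered:", truth == found)
```

The point of the exercise is that nothing in the decoder's key material is consulted: the descrambler is driven by the statistics of the picture, so changing cards, keys or the pseudo-random cut-point generator does nothing against it. The practical limits (flat or noisy lines where the seam is not the largest step, and doing this at 15,625 lines per second) are exactly the cost and DSP questions the paragraphs above raise.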
The phoenix programs released over the last quarter of 1996 and the first quarter of 1997 had some unexpected effects. According to one posting, there were over 10,000 calls to Sky from subscribers claiming that the dog had eaten their card. This is one boast that Sky is not likely to publicise. The commonest excuses used were:
2.27a Clueless and Bad Information
One of the most dangerous things in this business is bad information. Perhaps in the same category is the sales talk that often masquerades as unbiased information. One of the worst offenders is the pseudo-FAQ and collection of "stories" about the hacks on Sky and VideoCrypt on Defiant's marketing buddy's BPSC website. (http://www.euronet.nl/users/bpsc). Lately, this BPSC site has been transplanted on to the Defiant site as a buttress for the dotclones e-zine. If his career in satellite television piracy grinds to halt, he has a somewhat promising future in writing fiction.
Much of the information on Lee's BPSC site, which incidentally was also Benedex's WWW site, is farcical in that it is woefully inaccurate in most places. Prior to the activation of the Sky 11 card, Lee was trying to convince people that the best option for people outside of the UK and Ireland was his Phoenixed Sky 10 card rather than a Grey Market subscription. Apparently he also tried to imply that the editor of this FAQ was incorrect in suggesting that the Grey Market subscription was the safest. Of course the fact that Lee's Phoenixed Sky 10 cards stopped working on Sunday 20th April while the Grey Market subscribers had received their new cards proved how stupid that statement was.
The best example of cluelessness on the whole situation is his rant, which has been transplanted to the Defiant site, on the numbers of pirate cards that were in operation on Sky.
LEE: "However, one thing is certain, the figure of many hundreds of thousands, strongly advocated by a certain "authority" and widely quoted by various members of the press, is absoblute [sic] garbage. "
Again, the problem with this is that he just does not have a clue. He even said that it was impossible to accurately assess the number of pirate cards in operation and here he is trying to do the impossible. Then in the next paragraph (shown below) he gives his view that there was not even a hundred thousand cards in circulation at the peak of the Sky 07 piracy.
LEE: "During the final days of Card 07, the single-PIC card was retailed for as low as 20 Pounds (DM50) in certain areas of Europe. Knowledge about Season 7 software and hardware was also spreading like wildfire. Those were undoubtedly the darkest days for BSkyB and News Datacom. But even during these hey-days, I doubt if there was ever a hundred thousand pirate cards in circulation. "
The proof of Lee's cluelessness is to be found in a 1994 article from Hack Watch News dealing with a court action Sky took against BSB Electronics shortly before Sky was floated on the stock market. More precisely it is the section in that article where a Sky employee actually went on the record and quantified the damage that Sky considered that they had sustained during the Sky 07 piracy. Now look at the quotation from the Sky affidavit sworn on November 4th 1994.
"These 50,000 subscribers would have been lost at various times
since 1st January and 18th May 1994, but I estimate that an
average of three months' revenue was lost for every lost
subscriber in that period. This gives a figure for my estimate of
total losses to BSkyB of L2.25M."
This estimate covers only the period between 1st January and 18th May 1994 and as such is of very limited accuracy. Of course the affidavit is scripted so that it gives away as little as possible; this is typical of legal documents.
The 07 Ho Lee Fook hack had been in operation since April 1993. Those months are conspicuously omitted from the calculation: the figures for eight months are missing. Taking the extrapolation to the extreme, BSkyB could have lost 10,000 subscribers a month over that eight month period. Given that sources in the Blackbox industry have estimated that on 1st January 1994 there were approximately 150,000 pirate Sky cards in the UK, what appears in the affidavit seems extraordinarily conservative. Is Lee agreeing with Sky's estimates? No. Even extrapolating Sky's estimates, they would have lost 130,000 subscribers over that period. So arguably even Sky disagrees with Lee's estimates, considering them, by extrapolation, too low.
At that time, the minimum purchase quantity for the PIC16C84 chip was 15,000 units and there was a backlog of a few weeks at most times. Lee's hundred thousand card figure seems far short of the mark. And that relates to the Sky 07 period only. The Sky 09 would have largely had the same level of piracy if not more with the advent of battery cards and PICBUSTER.
The Phoenix program, and its offspring the Genesis blockers, only became available in late August 1994. However their effect was far greater in that they hit at the heart of Sky's access control system. Sources monitoring the over the air kills in late 1994 recorded the following details: 569,430 new card kills recorded in September; 220,073 kills recorded in October. The differential of some 350,000 kills could point to a major problem forcing Sky to kill every card they could not satisfactorily account for. And that targeted only official Sky cards that had not been accounted for; the pirate cards were almost unquantifiable. However few the people are who could make some attempt at estimating the number of pirate Sky cards in operation, Lee is definitely not one of them.
3.0 FINDING OUT MORE
3.1 Who are / what is the TV-CRYPT and how can I subscribe ?
The TV-CRYPT is a closed mailing list. It was set up to enable the discussion of the methods and technology of TV scrambling systems. It is more of a forum for the exchange of ideas than anything else.
Contrary to popular belief, it is not a private means of distributing the most recent copies of software for hacking BSkyB, FilmNet or TV1000. Neither is it an "elite" group of super hackers whose sole intent is to hack channels just to watch the movies.
It is a "by invitation only" list. If you can demonstrate a knowledge of scrambling systems through your posts here in the newsgroup, then you may be invited to join.
3.2 Reading List
Obviously the new developments will be listed in further versions of this FAQ. Since this FAQ will be posted every month or so from now on it should be a fairly good source of information.
The de-facto standard text on encryption and scrambling systems is the European Scrambling Systems - The Black Book. Now available either directly from the contact details below or from a number of suppliers. It has apparently been banned in a number of countries and there are rumours of other countries in Europe trying to ban it.
According to some interpretations, the proposed European legislation would seek to ban the Black Book in Europe. The basis for this is that it could be considered as part of the preemptory process.
The first chapter of the book is available on-line at:
European Scrambling Systems - Black Book 5
By Post Or Fax To:
e-mail email@example.com , firstname.lastname@example.org
4.0 Netiquette On A.S.T.E & A.S.T.C & R.V.S.E
The first rule is that there are no hard and fast rules. There are, however some protocols designed to reduce the risk of incineration. It would be in the best interest of the newsgroup for adverts to be confined to the forsale newsgroup. The noise level in the group is high enough as it is.
The newsgroup alt.satellite.tv.crypt is the group where overt discussion of scrambling systems and attacks on scrambling systems are considered worthy topics. The newsgroups alt.satellite.tv.europe and rec.video.satellite.europe are for the discussion of satellite television and related topics. Posting of chain letter get-rich-quick schemes in any of these newsgroups is frowned upon and will draw quick and certain retaliation.
The standard European satellite television newsgroup, alt.satellite.tv.europe split into two to cope with the increasing traffic on hacking swamping the existing satellite discussions. The first rec.video.satellite.europe, became part of the REC hierarchy. This is the proper group for discussion of general European satellite television topics. Please do not post messages asking for the latest hack on the R.V.S.E group. The second group became alt.satellite.tv.crypt.
The alt.satellite.tv.crypt newsgroup is where the discussion of scrambling systems and hacking is meant to be conducted. It started out as a European group but there are many non-European readers. The alt.satellite.tv.europe group was supposed to be phased out but this does not seem to have happened yet.
Please bear in mind that some people have to pay to download the newsgroups. In the past few months there have been a few flame wars about posting UUENCODED binaries into the alt.satellite.tv.crypt and alt.satellite.tv.europe groups. The argument on this is that the procedure is now to upload any file to a popular ftp site and announce that it is available there rather than posting it as a UUENCODED message.
A while ago, another newsgroup, alt.satellite.tv-binaries was set up for the posting of binaries relating to satellite television and hacking. It is not a major newsgroup and most newsservers do not carry the group. It seems that the administrators do not want to waste disc space on the binary groups. This newsgroup is apparently available from some of the free newsservers.
Advertising of devices on the newsgroups is another subject that draws strong reactions. It is recommended that only adverts related to the newsgroup topic are posted. Furthermore these adverts should only be posted ONCE per week.
If you have to advertise, then observe the standard Usenet protocol of including the word AD or ADVERT in the subject line. Only post to the groups where relevant. If you are posting an advert for a device with European usage do not post in the US satellite newsgroups. Ideally keep your adverts in the forsale newsgroup.
A number of recent advert posts in the alt.satellite.* groups have omitted the word AD and ADVERT from the subject heading. The level of spam on the Usenet is getting to be a major problem. Do not add to it by repeating the same advert every day or so.
In many European countries there are complex legal rules regarding "goods to be used for criminal purpose". As the European situation evolves some of the arguments that were used in the past such as the goods being used for educational purposes become less and less tenable. However the discussion of information relating to hacking on newsgroups is not an area that the channels would like to get involved with legally if they had any sense. It would bring up questions of freedom of expression, which is apparently part of some European charters and indeed many constitutions.
Because programmers and smart card readers are multifunctional, it would be difficult to get a conviction in a court because the channel would have to prove that the goods were intended for illegal use. It is almost like they would have to prove conspiracy. Such a thing would be costly and would prevent channels going after the commercial pirates. However the importation of pirate smart cards, especially if they are banned by law in the country of import is risky. At the least, the Customs authorities could confiscate the goods if they find them. Piracy is always a risky business.
There is also a grey area of the law that is presently untested. This surrounds the possible prosecution of Internet service providers because of material they carry. If the newsgroup becomes a source of software for hacking pay TV you may find your site removes it, just as some providers strip the alt.binaries.pictures.erotica groups.
Apart from trying to keep on-topic for the newsgroup you are posting to, try to refrain from excessive crossposting of articles. This is essential if you are going to comment on a spam message, as sometimes the posting software will post your comment to all the groups affected by the spam message in the first place.
Major contributor: John McCormac (email@example.com)
Contributors:
Knut Vikor (firstname.lastname@example.org)
Martyn Williams (email@example.com)
Rene Vreeman (firstname.lastname@example.org)
Linus Surguy (email@example.com)
Brian McIlwrath (firstname.lastname@example.org)
Please send any corrections to email@example.com with the subject ERROR or CORRECTION.