A Guide to Video Tape Protection, by Shane Raistlin Monroe (December 11, 1989)

A Guide to Video Tape Protection Release 1.0
by Shane Raistlin Monroe
Mon Dec 11, 1989 11:23pm

(C) Copyright 1989 by Majere Files. All rights reserved. This
document is restricted to distribution per the following
distribution statement:

This document may be copied, transferred, and otherwise
reproduced if the following criteria are met:

1. When distributed, it must be copied in its entirety, including
this distribution statement and the above copyright notice.

2. No compensation can be gained, monetary or otherwise, by
distribution of this document. Compensation for expense of the
copying is authorized.

3. If you, the reader, enjoy this document or do not enjoy it,
please drop a postcard or letter with your comments (good and
bad) to the below address along with a list of the movies YOU
have the most trouble with so as to improve any later printing of
this article. Thank you.

Shane R. Monroe
USS Trepang (SSN-674) PNSY
Portsmouth, NH 03801

Table of Contents


1 - Introduction

2 - What is VTP?

3 - Identifying VTP and Why to Defeat It

4 - How to Defeat VTP

5 - A Final Note

6 - Index of Companies

7 - Index of Protected Videos

Chapter One - Introduction

Though the average consumer may not know about or understand
video tape copy protection (VTP, from now on), it is necessary
for everyone who owns a Video Cassette Recorder (VCR) or who is
planning to purchase a VCR to know the facts behind one of the
nation’s biggest current industries.

Almost every movie, sporting event, musical, or film is
available on video tape. Consumers can purchase or rent anything
from the Walt Disney classic Bambi to WWF Wrestling matches.
Unfortunately, there are many consumers that rent these tapes and
copy them, causing the video tape industry to lose money in
potential sales. This was the reason for VTP’s creation.

Why does it concern the average consumer whose intent is
nothing more than renting or purchasing their favorite movie and
returning to their home and watching it? That is why this guide
was written: to inform you, the consumer, of the ‘why’ of the
above question, and how you can learn to avoid the problems and
inconvenience that VTP can create.

I must make this disclaimer. The information in this guide
is NOT intended to be used illegally to violate existing
copyright laws imposed by the respective video companies. It is
‘for information only’ and for legit uses only as described in
later chapters. Now, on with the guide.

Chapter 2 - What is VTP?

VTP is the film industry’s response to video tape
collectors. According to the companies that make this VTP, legal
video users have nothing to fear from this protection as it
supposedly doesn’t affect them.

Though effective, it is a fairly simple process, which we
will not get really into technically. There are many articles in
Popular Electronics and other popular magazines. We will scrape
the surface for just a general understanding.

When a tape is copied at the plant, it is copied on a bulk
mass-producing dual-VCR machine specially designed for industrial
use. The signal that is sent from the tape is at a certain
speed. What the factory does, by several different means
(dependent on the company that made the protection), is change the
sync of the signal outgoing from the tape slightly. This change
is so slight that a TV (usually) will not really ‘see’ a
difference in the signal and show you the picture normally. (In
other words, the TV isn’t very ‘picky’.)

Now, when you send this signal to, say a monitor or VCR, the
signal interpretation is much more ‘picky’. This signal,
slightly out of sync, causes a multitude of different effects to
a viewer. These include jitters, rolls, color fades, etc. More
about this later. This signal, if left unaltered, can create
problems for us all. But, one cannot eliminate the problem
without being able to identify it. That is what chapter three is
all about.

Chapter 3 - Identifying VTP and Why to Defeat It

If you are the average consumer with a simple video set up,
you may not even know what VTP looks like. The reason, as stated
in Chapter 2, is that VTP was not intended to interfere with a
consumer using a video tape legally, i.e. simply viewing on a
television. It can only be seen (and become an irritant) if a
few conditions are met.


Connecting two VCRs together via the VIDEO IN/OUT and AUDIO
IN/OUT can generate the distortion caused by VTP. Let’s do a
sample experiment.

Connect the two VCRs together as stated above. Now, connect
your television to the SOURCE VCR (the VCR that is playing the
protected video) via the ANTENNA OUT. Have the other VCR
recording the program. Note on the television screen that there
is no evident problem with the picture. That is because the TV
is getting the true signal from the VCR as the video company

Now, switch the line going to your TV to the ANTENNA OUT of
the DESTINATION VCR (the one recording). Note that now the video
protection is very obvious. This distortion will vary from tape
to tape, but what you will very likely see is the color going
from strong to weak and then strong again, or the contrast
appearing to increase then decrease to normal again. These are
just two of the simple irritants that VTP can cause. The reason
you see the protection now is that, as stated in the last
chapter, the sync of the picture is just a tad off, causing these
weird distortions to be recorded on the DESTINATION tape,
rendering your copy poor or illegal.

Why, if copying tapes is illegal, should that make a
difference to the ‘honest consumers’? For one reason, if he/she
has a fairly permanent set up in the living room and has two VCRs
connected for the purpose of making copies of his/her home
movies, it can make that rental tape a real pain to watch instead
of the pleasure it should be. Another reason, a much more valid
one, is our next topic.


If you are a computer enthusiast like myself, you probably
already know the joys of using a computer monitor for a very
nice color TV when not using your computer system. For the most
part, a monitor will interface quite nicely with the VCR and
produces a very nice picture…until you drop in a rental tape
that has been encoded with VTP. Now, on your monitor, instead of
that nice picture in graphic living color you get screen jitters,
color fades, pulsations, and in some extreme cases, a total loss
of any watchable picture. Again, the reason for this is that you
are connecting your monitor with the VCR which is now putting out
an unsynchronized signal which the monitor will display very
accurately. Unfortunately this accuracy also engages the VTP.
So now, even the ‘honest consumer’ is being hurt by VTP.


Very rarely does a VTP scheme go so far as to distort a
standard TV signal into distracting effects, though there are
some out there that throw the signal so far off sync that even
the tolerable TV will show signs of distortion. It should be
noted, however, that only one in a hundred tapes or so will be
this severe. In fact, the only tape I have seen so severe is
THORN EMI’s film THE HITCHER, and even it is only visible on a
normal TV by a trained eye.

Now that we have seen why VTP hurts everyone, not just the
‘video pirate’ and the ‘midnight marauders’, let’s take a look
at how the average consumer can fight it.

Chapter 4 - How to Defeat VTP

We know why VTP needs to be removed, but how do we ordinary
consumers get around it? There are three ways that I know of to
remove this protection from your set up.


If you are picking this guide up as a prelude to purchasing
a new VCR, then this section will give you something new to think
about when looking for a particular brand. Those who already own
VCRs and wondered why VTP has never been a problem for you may
also find this section interesting.

The newer, fancier models of VCRs now boast what is known as
‘digital effects’. These effects can do a number of fantastic
things including the adorned ‘picture in a picture’ display;
smooth, clear slow motion; and even ‘zoom-in’ features. These
VCRs also have another great feature: they will remove VTP.

How does this work? Simply put, the VCR inputs each frame
of the film into a ‘digital’ memory where it breaks the image up
into small ‘pixels’ (small dots of information) and stores it
inside a computer memory. This process allows the ‘effects’ we
discussed above to be possible. It also synchronizes the frame,
hence removing the VTP from playback.

So, if you are shopping for a VCR, keep in mind the
advantages of purchasing one with ‘digital’ effects. A sales
representative can point you in the right direction, or you can
see on the machines themselves as they usually sport the word
“DIGITAL” in big letters somewhere on the front.


Well, suppose you already have two VCRs and you don’t want
to spend the extra $500 to get a digital one. There is another
possibility, though it is not guaranteed by any means. This
procedure involves using a camcorder to stabilize the signal.

If you have a camcorder, you can test it with the following
procedure. Connect the VIDEO IN and AUDIO IN of the camcorder to
the VIDEO OUT and AUDIO OUT of the SOURCE VCR. Then, connect the
VIDEO OUT and AUDIO OUT of the camcorder to the VIDEO IN and
AUDIO IN of the DESTINATION VCR. (This will require an extra set
of cables available at any video store or Radio Shack). Ensure
that the camcorder is switched to the VTR position or its
equivalent (see your owner’s guide for assistance. See the
Again, ensure that the TV is connected through the ANTENNA OUT of
the DESTINATION VCR so that you can see if the VTP is still

On some models (I have no specifics to offer… My
apologies) it will stabilize the picture and give you a clean


Well, now we’ve seen how rich ‘honest consumers’ can protect
themselves from VTP, how about us poor consumers? Or those of us
who just plain aren’t interested in financing some big name
company’s newest electronic VCR? Thanks to some electronic
technician, we penny pinchers can still avoid the nasty effects
that VTP would put us through.

A video STABILIZER can be connected between your VCRs or the
VCR and monitor the same way as a camcorder was above. It simply
takes the input video signal and returns the sync to normal
standards, thus eliminating the VTP.

Stabilizers come in many shapes, sizes, and prices, and
sport a number of different features. As a general rule, the
price is directly proportional to the features. These features
include manual stabilization, video/audio enhancers/boosters,
special effects (i.e. fades or screen wipes, like those used in
professional studios). Let’s look at some of these features more
closely so you can make a more educated choice when going to
purchase one.

Manual Stabilization: This simply means that you, the user,
can adjust the sync speed manually. Though this seems like a
good feature, it can also cause trouble when watching a
not-protected movie channeled through it. It can cause almost as
much mischief as the original VTP. One way around it is to rig
up a bypass line around the stabilizer and to bypass it when you
are not watching a VTP tape. Some models do have an off/on
switch to bypass the signal on the box itself. However, most
stabilizers have automatic stabilization so you won’t have to
worry about this feature.

Video/audio enhancers and boosters: As the name implies,
these features boost the signal to give you a better picture and
less sound loss. Overall, these are good features to have,
although these will surely cost you the extra bucks.

Special effects: These effect generators will let you do
professional style effects such as screen wipes, fades, and the
like. Certainly fun for the home videophile enthusiasts, but
very unnecessary for the ordinary consumers, as they will jack
the price up over three digits.

A final note on stabilizers. Most of them are fully
automatic and need no user intervention once connected. These I
highly recommend. Included in the indexes is a list of
advertisers and their prices on stabilizers. Included is a
phone number or address to contact these companies.
Again, a disclaimer. These prices are completely subject to
change as are the companies. Be sure to get a guarantee with any
kind of electronic device purchase like this so you can get your
money back if it fails to live up to its promises.

One company on the list, Fordham, sells a stabilizer for
$49.95 that has manual stabilization, video and audio enhancers.
This is the one that I am partial to. However, one thing to be
careful of is to ensure that the video gain is not pegged out
high. The reason for this is that after you have set the
stabilization level and video gain level at one scene, a bright
scene (i.e. an explosion or a bright flash) will cause the sync
to jump out of range and cause a roll or flicker. This can be a
real bother when duplicating a home video or watching a VTP
rental tape. Be sure to watch out for this on other models too.

Chapter Five - A Final Note

Just a little final note from the author before you get to
the indexes. I wrote this guide for many reasons. One, I plain
don’t like the whole idea of VTP for many of the reasons I’ve
told you above. Also, I am a firm believer in the ‘try before
you buy’ and the ‘archival backup’ theories. I realize that by
the magic of video rentals, you can try the movie out before
shelling out the $14.95 - $89.95 to buy it. But, unlike computer
software, the Federal Government will not ‘permit’ us to make a
back up copy of your valuable tapes. My feelings are that if you
bought it, you have every right to copy it again for your own
personal use. Unfortunately, VTP makes this whole idea very much
a problem. That is the second reason I wrote this guide.

Finally, one other thing I have found in my ‘travels’.
Often, a company who released an old film (Warner Brothers is
famous for this) like THE SHINING will repackage it and add VTP.
My point is that if you had no trouble with a tape once and now
find that your TV is blotted with all those nasty VTP symptoms,
you may need to go hunting around to other dealers with older,
unprotected tapes to view.

Finally, as I leave you, I just want to say welcome to the
widely unknown world and please share your knowledge as well as
this guide with anyone else who you think might find it useful.

Tue Dec 12, 1989 9:51pm

Shane Monroe
USS Trepang (SSN-674)
FPO New York

Chapter Six - Index of Companies

SCO Electronics Inc.
Dept. CR2, 581 West Merrick Rd.
Valley Stream, NY 11580
1-800-445-9285 or 1-516-694-1240

Automatic, no extra features. Uses a standard 9-volt battery.
30 day guarantee. $49.95 + $4.00 s&h.

AM Video
Dept. VR, 400 Amherst
Nashua, NH 03063

Automatic, no extra features. 30 day guarantee. $49.95 + $3.95

VSA Ltd.
Dept. R. 401 SW 11th
Portland, OR 97205

Automatic, no extras. 30 day guarantee. 2 year warranty.
(Ooohh!) $69.95 + $4.00 s&h.

M.D. Electronics Co.
875 S. 72nd St.
Omaha, NE 68114
1-800-624-1150 (order or for a free catalog)

Auto. 100 % satisfaction guarantee, one yr. warranty. $59.95.

Search Technology INC.
P.O. Box 91
Pasadena, MD 21122

The Corrector: Automatic and enhances video output on old rentals
for better viewing. 14-day money back. 1 year parts/labor.

Corrector II: Same as above. Video boost control. Bypass/power
switch and LED. $219.95 (WOW!)

Electronic Mailbox

Video processing Center: Color processor/enhancer/amplifier.
Stabilizes automatically. $199.

Avenger Video
333 S. State St. Suite 101
Lake Oswego, OR 97034

Black Box II. Probably the better of the list. Automatic. Auto
switch on/off. 60 unconditional money back, 3 year warranty.
$49.95 + $4.00 s&h.

Fordham Electronics 1-800-000-0000

Video stabilizer. Video/audio gain. Stabilizer control.

Chapter Seven - A List of Protected Videos

This is a partial list of video companies and video tapes
that frequently employ VTP. Also is a list of companies that
have never to my knowledge (or at least never used to) VTP their


MCA, TOUCHSTONE (A biggie), Warner Bros., Thorn EMI, New
Line Cinema/Media (a real disappointment here; they never used
to), CBS Fox, and HBO. (Just to name a few.)


(No promises here…Don’t blame me if they start.)

IVE, Nelson, New World, RCA, Virgin, and some Paramount.

Satellite Scrambling Systems: The Truth, by XL

By XL

The object of this article is firstly to dispel the amazing amount
of rubbish you read about “my mate knows someone who has hacked
Videocrypt and he’s now watching it without a smart card, this cost
him 200 quid to do”. Or “My mate’s card lasted so long and he’s
never paid”. Well it’s crap. I hate to say it and here’s why. I’m
going to go through every single scramble system used on Astra, who
cracked it, who sells the black boxes, and get rid of the rumours.

VIDEO: Satpac – AUDIO: Digital

This is a very simple system to hack video wise. All that Filmnet
do is to remove the synch that locks the TV picture in place, and
they have fought a very pitched battle with black box makers
recently to such an extent that there is an all out offensive on
this channel. So much so that it’s making this channel rethink its
strategy against the pirates. Last year they invented a system
called “digital audio” which, if you listen to Filmnet’s broadcast,
it’s completely silent when the D.A. is in operation.

In the Benelux countries Filmnet gave its new subscribers Digital
Audio decoders costing them 18 million pounds to upgrade their
scrambling system. They kept such a close rein on these decoders
that they knew exactly who had them. Now the only way that the DA
system could be hacked would be for the pirate makers to copy the
DA boxes.

Filmnet used a special ASIC chip that was custom made for them.
The problem they faced was if the box got out it could be copied,
so they built a mode in that if the box left their country they
could address the box over the air, turn it off and make it useless
to the pirate. Now here’s where it gets clever: in order for the
pirate to copy this box he must copy the ASIC; if he copies the
ASIC then he also copies the identity of the decoder. If he makes a
batch of say 10,000 decoders they all have the same identity; all
Filmnet has to do is turn off that identity and all the pirate
decoders turn off.

Now DA has been cracked by one company alone, it’s called Hi-Tech.
The cost of its crack would amaze you, they have invested an outlay
of some total 1,500,000. They have succeeded where others have
failed; their box is non-addressable by Filmnet. They sent the ASIC
off to China where it was layer stripped by laser, copied and ID
removed.

Now because Hi-Tech unit differs from the official unit, Filmnet
reckon they can knock this unit out and are now involved in a war
of electronic counter measures that would blow our minds they have
a possible key combination (scramble code) of 100000 everything
possible to zap that box out. I will keep you posted.

PREMIERE
VIDEO Nagravision – AUDIO None

This is one of the best systems on the market from a security
viewpoint. Premiere has total control over all their decoders, not
one has managed to get out of their country. They pick one of the
lines on the TV, say 20 and place it at line 3, line 3 to 600 etc.

This has the effect of bouncing the picture all over the place.
When a high shuffle is on the picture is totally destroyed.
Premiere is so confident about its scrambling system that it only
uses its most very basic of scramble mode. This has kept out the
best hackers in the world.

Premiere say that if the system is cracked it can upgrade itself to
a completely new form of scrambling system to all its customers
within half an hour of knowing they have been hacked. Making the
hack useless to the pirate. So to date not one hack has appeared
for this system.

RTL V
VIDEO Luxcrypt – AUDIO None

This system is so close to Filmnet’s video system that most
decoders contain a Filmnet and RTL V board in one. I won’t go into
depth on this but to say it hasn’t been upgraded in 3 years and RTL
V don’t care about being hacked. They are due to replace the
decoders for new subscribers soon but sources say that it’s just a
prettier

VIDEO Payview 3 – AUDIO None

A simple system in that they broadcast a signal so strong that it
forces the TV to attenuate the picture making the screen go black.
They then invert each line on the TV in a different order, they
also shift the position of the lines on the screen by moving the
picture left and right 2 to 3 cm at a time. The pirate boxes are so
far ahead of this scrambling system that an upgrade was done
recently that had the effect of making the pirate boxes display a
better picture. Not what Teleclub wanted.

VIDEO Videocrypt – AUDIO None

This is the system that should it become cracked the company will
become multi millionaires overnight.

Right, forget what you have heard, nothing has broken this system.
Here’s what it is: the picture is converted into a digital format,
each TV line is then cut at one of 256 points, this cut line is
then turned around 180 degrees and stuck together, the resulting
line is then XORED and sent over the air to us.

In front of the line is a code which is then intercepted by the
decoder; this tells the decoder to go have a look at location say
1297 in the smartcard. This location contains:

1. the line’s cut point
2. the XORED value that was used to code up the line.

Now here’s where the system comes into its own. I’m ignoring the
card for a moment; the decoder contains two chips, one is a
“housekeeping” chip that displays the on screen messages and card
zap routines.

The second is the interface that communicates with the smart card.
This interface has a special mode that causes all of its output to
be scrambled by itself that only itself can read, a self modifying
algorithm in fact. Various techniques have been implemented by
hackers to read the program in the chip but nothing has forced it
to divulge its information. Thompson, the designers of Videocrypt,
again will not give any information out on this even to Sky. If
this chip could be read then the card could be forced to give its
information out. The decoder communicates with the card by a two
way single data path.

Now onto the card. I’ve heard so much information from people on
card hacks, stuff like put it in the fridge, stick bits of sticky
tape on it etc. and so much crap that it’s forced me to laugh.

Here’s what your card has inside it. 8k of Eprom, 2k of ram, 1k of
rom. The card has several pins which it talks to the outside world
with. Clock, 0 volts, the 5v and 18v line, reset and data path. The
rom has your own personal number the same as the one printed on
your card in it. The Eeprom data contains the lines’ cut points
plus XORED data bytes. The ram is a temporary work area for the
decoder, stack etc.

RUMOUR SMASHING TIME.

“I can alter old cards to be upgraded to the new system”. Moooo!
Bullshit! How can you read a card that contains scrambled data via
a single data path giving the card the information it needs to
decode the bytes. When it’s done via a secure microprocessor that
can’t be read.

“I’m altering my card to stop it being overwritten by SKY”.
Mooooo!. Sky wipe your card by burning out the Eprom with a 18 volt
supply to it. This goes down the same line as the 5 volt supply
that the chips need to run. So what you gonna do then? Well the
rumour about putting sticky tape on the card won’t stop Sky, it
will stop you using your decoder, because the card needs 5v in
order to run. Voltage won’t travel through sticky tape so you can’t
see any films.

Trying to examine what is under the gold contacts kills your card
instantly, the Eprom is so sensitive that it’s destroyed under
light, that’s why no company has examined it under a electron
microscope to view the chip’s paths because it’s destroyed
instantly. So sending off for all these wonder card hacks is just
making the joker a lot richer.

I will now tell you of confirmed hacks, Yes real hacks in a true
shown to format, documented and added to a world hacker database.

1. Morley Research in Gwent made a device that your card plugged
into, this gadget then plugged into the decoder. The gadget
intercepted Sky’s Kill card sequence and fed the decoder nops when
trying to kill the card. Sky simply used 1 of 17 backup card kill
sequences and then sued the balls off Morley Research who
disappeared without a trace.

2. A diode is placed on the 18v line and when the 18v is activated
for card kill it dumps it to earth via a small use the power up
circuit. This isn’t really a hack because when SKY upgrade and send
out new cards you won’t get one.

3. A device was made that intercepted the data path between the
card and the decoder data line, this was then fed to 16 other
videocrypts in a block of flats. What happened is upon a visit by
an engineer to repair a fault he noticed this cable going into one.
An hour later the flats no longer had access to Sky as they came
and took it out. This hack is still being used by some people.

4. Morley Research has surfaced once more as Ultra Tech, they now
reckon that they have stopped all of Sky’s card kill codes. The
units cost 2300.00 for 10. They are only sold in units of 10, no
one has checked them while you pay for your subscription so what’s
the point in buying them?

In Europe the top video hackers are working on Sky hacks. To date
they are at least half way through a very very complex system and
they are ploughing millions into it. They hope to have a simple box
that sits on top of the TV and needs no card to view it. The time
to get halfway through has taken 2 years. So next time somebody
tells you “my mate has got this hack and he hasn’t got a card and
he’s viewing SKY for now’t now” turn to him and say “Prove it now!
Mooooo!”

UPDATE

After writing this article I have just got my latest copy of
Hackwatch and it makes very interesting reading. PR Technology, the
makers of a DA unit for Filmnet have gone bust owing 160,000 to
various people. They said that they had a DA unit ready for
Filmnet, but never had.

Just before going bust they had two break-ins, the first all of
their DA equipment was stolen. The second the computer that had all
of the customers’ names and addresses that had sent them money
disappeared. So it was now not possible for them to know what they
owed people. They still continued to cash cheques for up to 500 of
punters

Sky’s Movie cards have had an update, 06 has been mailed to all
subscribers. The new card has a bigger Eprom inserted on board. The
rumour is that Sky is about to have some new Videocrypt channels
added to its line up.

Sky is also now very concerned about the use of the infinite life
hack. The one where if you remove the card from the decoder whilst
Sky is trying to zap your card if you haven’t paid is causing a big
problem for them. The fact that decoders cannot talk back to Sky to
tell them that the card is dead has become a big problem for them
now.

Not only that, pay per view is now rumoured to be put into
operation and card 06 now has the necessary hardware inside for
this to be taken into effect.

I forgot to say how your SKY card gets wiped. When you receive your
card, it has a number inside it which is registered against your
account at Sky HQ. When the card is put into the decoder the
decoder takes on this number, it’s usually a 12 digit number. Sky
simply transmit this number over the air. The information is sent
just before the teletext signal. When the number sent matches the
decoder’s number the decoder listens to what it has to do. This is
sent as a code straight after the number. If it’s told to wipe your
card then it just burns the Eprom out by sending 18v into it.

And how do I know so much you ask? Well I subscribe to Hack watch
and Secondly I helped design a decoder for
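
The Videocrypt line scrambling described in this article (cut each line at one of 256 points, swap the pieces, XOR the result, with a code in front of the line pointing at a smart card location) is modelled below in Python as an added example that is not part of the original article. It follows the article's description rather than the real Videocrypt algorithm; the card table contents, seeds, line length and function names are all constructed.

```python
"""Toy model of the Videocrypt line scrambling as this article describes it.

Added illustration, not the real Videocrypt algorithm: the card table, the
seeds, the line length and every function name here are constructed.
"""
import random

CUT_POINTS = 256   # article: each line "is then cut at one of 256 points"
LINE_LEN = 256     # constructed: samples per line in this toy picture


def build_card_table(seed, locations=2048):
    """Stand-in for the card memory: location -> (cut point, XOR value)."""
    rng = random.Random(seed)
    return [(rng.randrange(CUT_POINTS), rng.randrange(256))
            for _ in range(locations)]


def scramble_line(samples, cut, xor_value):
    """Cut the line at `cut`, swap the two pieces, then XOR every sample."""
    swapped = samples[cut:] + samples[:cut]
    return bytes(b ^ xor_value for b in swapped)


def descramble_line(scrambled, cut, xor_value):
    """Undo the XOR, then move the piece that was sent last back in front."""
    swapped = bytes(b ^ xor_value for b in scrambled)
    split = len(swapped) - cut
    return swapped[split:] + swapped[:split]


def broadcast_frame(frame, table, rng):
    """Broadcaster: prefix each scrambled line with a card location code."""
    sent = []
    for line in frame:
        location = rng.randrange(len(table))
        cut, xor_value = table[location]
        sent.append((location, scramble_line(line, cut, xor_value)))
    return sent


def decode_frame(sent, table):
    """Decoder: the code in front of each line selects the card entry."""
    return [descramble_line(data, *table[location])
            for location, data in sent]


def make_test_frame(lines=8, seed=7):
    """Constructed picture data: pseudo-random sample values per line."""
    rng = random.Random(seed)
    return [bytes(rng.randrange(256) for _ in range(LINE_LEN))
            for _ in range(lines)]


def count_restored(decoded, frame):
    """Number of lines that came back identical to the original picture."""
    return sum(a == b for a, b in zip(decoded, frame))


def demo():
    """Return (lines restored with the right table, with a different one)."""
    frame = make_test_frame()
    card = build_card_table(seed=1297)         # table the broadcaster uses
    other_card = build_card_table(seed=1298)   # a card with different data
    sent = broadcast_frame(frame, card, random.Random(42))
    return (count_restored(decode_frame(sent, card), frame),
            count_restored(decode_frame(sent, other_card), frame))


if __name__ == "__main__":
    restored, restored_wrong = demo()
    print("lines restored with the matching table:", restored)
    print("lines restored with a different table: ", restored_wrong)
```

The location code travels in the clear, but it is only an index: the cut point and XOR value it selects stay inside the card, which is why the article puts the security of the system in the card and the interface chip that talks to it.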











Loosely based on the Exploits of HoHoCon 1993.

This file will appear in a future cDc publication...
December, 1993 ------------------------------------------------------------

All experiences are relative.

HoHoCon 1993...Austin, Texas...

With a sigh of fatigued steel touching down on the tarmac, I was 
jarred into semi-consciousness.  A tourist from Japan seated next to 
me immediately passed gas and smiled bemusedly, mumbling something 
incomprehensible.  I decided against the quick escape of the 
Emergency Exit and blinked away tears of joy and olfactory 
irritation...my destination beckoned me.  Snatching my baggage and 
fleeing the ensuing odor, so I arrived in Austin with the best of spirits.  

They grow 'em big in Texas...as I saw the 20 foot tall inflatable Oki 900 
cellular fone anchored on the lawn of the GTE Mobile office, I knew 
this to be true.  "Life is made up of moments, and this is one of 
them" I said to the driver of the airport shuttle van.  He agreed, 
and we sat silent in awe.

Hotels are mini-ecosystems, quietly humming with the Caretakers of 
travelling human spirits.  The Hilton reminded me of an elegant 
Pueblo, draped with pottery and sandstone artifacts.  "Smoking or 
non-Smoking?" asked the receptionist at the front desk.  "Smoking" I 
replied.  "Definitely."  In my room, I sparked a Camel cigarette 
into life between my teeth.

Deth Veggie met us in the hotel restaurant, bearing gifts.  A silver 
cow's skull was pressed into my hand.  Pinning it onto my lapel, I 
felt accepted without question.  The Spirit of the Dead Cow burned 
in the metal with a bright, hard light.  Upon realizing that the 
waitress had only charged me for a fraction of the numerous 
Screwdrivers I had consumed, I felt a moment of confusion.  "It's 
the Cow," SwampRatte intoned as he stared beneath his low-brimmed 
hat.  With alcohol-numbed fingertips I fingered the metal talisman 
on my jacket.  "Yeah..."  Somewhere, a dishwasher dropped a tray of 
wine glasses.

More HoHoCon guests arrived, milling around the lobby like cattle on
the open plains.  Nearby on a table was a pottery bowl full 
of stalks of wild grain and strange softball-sized spheres of 
paper-mache.  Without a word, one of the hackers plucked a sphere 
from the setting and placed it into his backpack.  "Perhaps he has a 
genuine need for it" I thought, "but *what*?"  After an hour of 
pondering this, I decided I needed a drink.

Somewhere beneath the mound of salsa, cheese, sour cream, and bean 
dip lurked my nachos.  I knew they must be in there somewhere, 
obscured by the landslide of mexican toppings.  Louis Cypher and I 
alternated between chain smoking and tugging frantically at the 
chips.  While struggling with a particularly testy slab of melted 
cheddar, we discussed our plans for the first night.  "6th Street" I 
offered.  "Plenty of clubs and music to soothe our souls."  Giving up
on my nacho excavation, I focused my frustration on my drink.  It 
yielded without a wimper.

SwampRatte steered his truck to the side of the road.  "Damn it, 
we lost Hoss's truck" cursed Deth Veggie in the front passenger's 
seat.  "Now we'll never find 6th Street."  Without our escort, we 
were hopelessly lost in a stray suburb of Austin.  "Check my map," 
SwampRatte said.  We did.  It worked flawlessly.  Within minutes, we 
found 6th Street. "Cool..." said Deth Veggie, "but I can't seem to 
fold this map back up."  "You never can," intoned SwampRatte.

Exploring 6th Street, we found ourselves walking amongst a large 
field of automobile dealerships and antique shops.  "This looks 
wrong," I remarked.  "Let's call Base for guidance."  Pulling my 
handheld cell fone from my sportsjacket, I contacted the Hilton 
front desk and asked for directions to the "hot spots" of 6th 
Street.  Within minutes, we were back in the car and in the thick of 
things.  "You're a gadget freak," Kingpin told me.  "Be quiet, and 
give me back my laser pointer" I countered.  It returned to my 
sportscoat pocket, nestled comfortably with other smooth, 
black-matte finished electronic devices of questionable purpose.  
I'm Batman.

Emo's was a young crowd of funk and grunge.  A Lethal Enforcers game 
eagerly swallowed my handful of quarters as easily as I swallowed 
my lukewarm Rolling Rock.  Alcohol and violence mix well.  Like 
Vodka and Orange Juice.  Wandering, I randomly slapped HoHoCon '93 
stickers on every available surface I could find.  "Like the 
numerous young of the great Sea Turtle, only a few of these shall 
survive to maturity," I thought.  Natural Selection is everywhere.  
Darwin rules.

"Good place to park," I thought as SwampRatte pulled his truck into 
a space under a tree.  Stepping out of the auto, we noticed a 
brooding flock of hundreds of birds chattering immediately 
above us in the branches.  Their spotty droppings covered the heavy 
steel fence in front of us, rendering the scene in a bizarre 
pointillistic flair.  "Uh, mebbe this is a disaster waiting to
happen," someone suggested.  SwampRatte moved the truck to an 
un-defecated zone.  We praised him for his foresight.

"Any club that is named after the universal symbol of Resistance has 
got to be cool," I told Kingpin.  "I just want to meet girlies, yo." 
he replied.  We entered Ohm's and grooved to retro-techno til our 
eyes itched with white noise.  "This town is great..I could live 
here" said Deth Veggie.  "At this moment, we do," I grinned, sucking 
down a gritty Kamikaze.  Videos on the wall flashed silently, 
superimposed over dancing silhouettes.  "You dance very 80's," 
Veggie told me.  "Art Fags must die," I grunted.  In the depths of 
an overstuffed couch, SwampRatte stared at a sparkling disco ball.  
White Knight appeared, enhanced by various narcotics.  "I can't stop
dancing into that damn pole," he commented.  As quickly as he had 
appeared, he vanished into the belchings of a fog machine.  A payfone 
suddenly rang, but no one answered.  Life doesn't accept incoming 

Saturday, the conference proper began.  Tedious hours passed in a 
crowded conference room.  "You are all part of the Cyberspace 
landscape," said Bruce Sterling.  "Then I am a Shrub," I countered.  
Sterling preached against the ills and evils of viruses.  "Sounds 
like the bitter rants of a man who recently lost his FAT table to 
Stoned," I spoke up.  Other speakers came and went.  Bryan O'Blivion 
(the lawyer) spoke eloquently of the hacker spirit.  Captain Crunch 
spoke of the benefits of PGP and Raves.  Try as I could, I could not 
imagine Crunch raving or trading disks with PGP keys in so-called 
"chill rooms."  "I got an idea..How about using blotter as disk 
labels?...lick my disk and get my PGP key as well?" I asked 
Kingpin.  He simply grinned, licking his gold tooth suggestively.

Eventually, Kingpin and I collected ourselves..I donned my shades and 
carefully arranged the Cow Talisman in the center of my suit.  We
moved to the speaker table and practiced our gang hand signals to 
DrunkFux.  I spoke about the L0pht and packet radio.  Other speakers 
distributed handouts like confetti.  The crowds boiled around the 
table grasping frantically, reminding me of mornings on my 
Grandfather's boat...as we chummed for sharks in the dark waters.  
"Information not only wants to be free, it wants to be consumed," I 
pondered.  LoD members in spiffy matching shirts described their 
laudable project to archive the philes and message threads of years 
long past.  Items of semi-worth were raffled off, and most people 
went away happy.  Small acoustic couplers in vinyl pouches still 
smelling of free monomers finally found homes after years of 
neglect.  Throughout it all, Torquinada filmed the event for 
her video project...like an unblinking eye it captured all without 
bias.  Video is cool.  The cathode ray tube is the retina of the 
mind's eye.  I wish I had said that.

Kingpin and I presented a packet radio demo after the formal 
speaking broke up.  A third person brought his own packet station, 
and soon we were burning up the out-of-band airwaves on 2-meters 
with 3-way network traffic.  The demo was stopped when we were 
informed the police were coming to investigate the theft of a 
telefone handset on a nearby table.  Packet equipment was quickly 
squirreled away, and we fled.  Law enforcement officials dusted the 
area for prints, but found only cigarette butts and the faint echoes 
of radio traffic in the ether.  File this one under "Elusive."

Back in the Suite of the El1te, I grooved to a CD titled "Sedated in 
the Eighties" that Deth Veggie had offered.  "Election Day" by 
Arcadia mesmerized me.  I wandered the pool area with Diskman in 
hand and eXtended bass pulsing in my ears.  A bubbling hot-tub 
beckoned to me.  Touching the waters, Deth Veggie found it was ice 
cold.  "Freaky," I mumbled.  The Cow Talisman suddenly felt 
as hot as liquid steel.

Sunday arrived, and at the last minute I rescheduled my flight for 
Monday afternoon.  "I don't feel ready to leave," I told my 
companions as they left on a flight back to Boston.  DrunkFux swiped 
my cellular fone as I napped out by the pool where Erik Bloodaxe was 
being interviewed by Torquie.  I didn't have to watch...it would all 
be recorded to video for later viewing.  "The ability to 
fast-forward any experience...that is my dream," I thought as I woke 
up, frantically patting myself down for the missing equipment.  
Later, a group of us went to the local Mall for exploration, finding 
the usual wasteland of pastel and suburban clans.  A later trip to 
WalMart proved more inspiring.

That night, we vegetated in the hotel bar, where I unsuccessfully 
tried to seize control of the remote TV with my universal remote 
control watch.  "No, it really works," I told Crimson Death.  "Yah 
right, now give me that laser pointer."  He proceeded to frighten 
our waitress with coherent light.  "Try these cigs, they're French..
they're harsh," said Rambone.  "I believe you," I replied, eyes 
watering after sniffing the foil package.  Torquie polished off more 
Margaritas than I could count.  "Hollywood has left its hedonistic 
mark on her," I thought.  Back in a room, I noticed that Crimson 
Death had hacked the pay TV box into giving them free access to the 
soft porn channel.  "Interesting technique," I said, brushing away 
the tiny pieces of broken plastic under the forcibly opened case.  
When in doubt, use more muscle.  A neverending melange of porn 
played on their television.  Porn wants to be free.  And so it was.

The last night, we went back to Emo's.  It was strangely quiet and 
abandoned.  "Probably because it's 1AM on a Sunday nite," said 
DrunkFux.  We drank heartily and fed quarters into the jukebox.  
Crimson Death keyed up several Sinatra tunes.  The final song played 
was one of my requests...the theme to the "Space Madness" episode of 
Ren and Stimpy.  I felt blessed.  Blessed by the Cow.

Back in Crimson Death and Rambone's room, we talked and laughed.  
Byron's tattoos still impressed me.  Torquie eventually fled with 
Drunkfux, escaping the steamy porn channel.  "Human nature isn't 
always pretty, but it's always fascinating," I thought as I watched 
the action on the tube.  Byron and I discussed a particularly nasty 
GIF he had uploaded to my BBS months ago.  We succeeded in 
nauseating ourselves, and eventually went to sleep.  

Final day...waking late...Torquie loses her battery charger...we 
hear stories from the hotel staff of smoke bombs, a compromised 
Unix-based hotel management system, and bootleg fone extensions run 
thru the hallways with reckless abandon...the usual.  I can't find 
my friends as I catch the shuttle bus to the Airport.  
Disheartened, I ride alone to catch my plane.  Later, at 30,000 
feet, I think about the con.  Life is good.  I enjoyed myself more 
than I usually do.  Perhaps it is the fleeting nature of such 
meetings that makes them so significant to me.  We never get to speak 
with everyone we want.  Several of the attendees had disappeared 
before I could say goodbye (including SwampRatte), but I still felt 

My plane was de-iced in Pittsburgh.  A prehistoric looking crane 
spewed clouds of frothing liquid on the fuselage.  Bizarre.  Looking 
down, I see that I am still wearing the Cow Talisman.  I closed my 
eyes and slept.

Now, finishing this piece in the L0pht, I can relax to music and 
watch mesmerizing fractal patterns on one of my monitors.  I think 
of a con years past, where Crimson Death and I were talking with 
Bruce Sterling standing next to a payfone.  "I don't need to hack..I 
have money..I can make that payfone do anything I want without 
hacking," says Bruce.  "Yeah Bruce," replies Crimson Death, "but can 
you make it Dance?"  I laugh and accidentally extinguish my 
cigarette in Bruce's unfinished beer.  Hackers make machines dance.  

End of Line.

               ..oooOO Count Zero OOooo.. *cDc* -=RDT

"I pull my shot off and pray...I'm sacred and bound, 
to suffer this heat wave.."

December, 1993

Computer Hackers are Good People Too!


I am writing this article in hopes of dispelling the general idea that all
Hackers are terrible teenagers that dwell on Electronic Mischief!

Most Hackers are basically good kids, and the only time they really go forth
and do anything wrong against someone or some company is when they are quite
upset at that person or company and have been provoked.

Why do Hackers Hack?  Most do it to learn! That's right, learn. What do they
learn? Well, they learn to think, and to think more concisely, precisely, and
clearly! When hacking onto a mainframe or other system they try to put
themselves in the place of the programmer that designed the security on that
system and they think like the programmer to help themselves figure out how to
get in. When that code is finally broken it is a great feeling, it is a feeling
of great accomplishment and a feeling of having learned how to get into that
type of system.

Hackers use more brain power in 1 hour's time of hacking than any general
public person uses in an 8 hour workday!

The general public, in its vast majority, is basically stupid about computers.
Sorry, but that is my shared opinion. After watching a Donahue show on hackers
and seeing how many people did not understand the computer field, and
listening to one lady in particular that said, "I think computers are evil!
I won't ever let my children use them", which was followed by a lot of applause,
I promptly retorted to the TV screen, "You stupid people!". Now with Hospitals
using computers that can be called into by other hospitals, a doctor in
Cleveland can download the medical history of an emergency patient that is
unconscious, who is from Seattle, and decide what he shouldn't or should
administer to the patient. All of that in a matter of minutes!

I am especially surprised that the "Moral Majority" hasn't come forward
denouncing computers as "Satan's New Vice!".

Now back to Hackers, most hackers are as I said good people, and enjoy learning
what they want to learn, but it seems that everyone is out to get us all and
more or less punish us for learning on our own and having the will to learn!
Granted also hackers are not the tidiest persons, like me, Oh I dress very
well and neat, but my room is another story. A trail through the books,
printouts, newspapers. The trail starts at the door and goes to the computer,
then from the computer to the bed, the desk where I have my computer is well
organized though.

After examining everything, we have to admit that the new computer generation
kids are by far the most intelligent & well informed generation ever in the
human race! After all most of us may be teenagers, (although I am finally out
of that bracket), but we do read magazines such as "NEWS WEEK", "TIME",
"US NEWS" and the newspaper, watch the evening news, etc..., we know what is
happening in our world all of the time.  I would put a 10 - 1 odds that if
you gathered together 200 - 300 or so of the best hackers in the U.S., that
they could solve our Nation's problems, such as the deficit, missile buildup,
world peace, etc.., in a fraction of the time it takes Congress to pass
a bill!

If hackers are so terrible, why is it that there are big companies that hire
hackers to test their systems for security breaks & loopholes? Why are there
hackers that now make their living at designing security systems?

Hackers Are Here, And They Are Here To Stay!!  There is a Hacker saying that
says; "If some one can make it, some one can break it!"

Now there are 5 types of hackers. The good ones are; The Novice, The Student,
and The Tourist. These 3 are not out to hurt anyone or destroy any data, they
are just looking around, seeing and learning!  It is the other 2 types that
are the trouble makers and they are; The Crasher, and the Thief. These 2 types
mostly do not crash a system or steal info for their own enjoyment, even
though there are some scattered individuals that probably do. These 2
do it mostly because they are hired to crash a rival business's computer
or steal the new info on a new product. It is these 2 that have hurt the
integrity of the Hacker!

Written by:  Ninja Squirrel  /+\
Member of: The Cartel, Hacker Supreame, Allied Hackers Alliance & NIN TEMPLE.
[ This was Article #1, More will be following. ]

Hacking ARPANET Part V by The Source


       Hacking Arpanet -- Part V


             The Source



    This article discusses the commands that "anonymous guest" can use to learn
what other people are doing on the system.

The PK program can be used to PeeK at the input and output buffers of any
terminal, and the line editor buffer of a display.  To run PK, give the monitor
command "R PK".  PK will ask for a terminal line number, and will display that
terminal's buffers plus the who line of the job, if any, using that terminal.
PK can also display the contents of some of the internal system variables
associated with the terminal (see + and - commands below; the default is not to
display this system data).
If the selected terminal is hidden (by ESC H), PK will so notify you.  You may
choose to override the hiding, but if so, the selected terminal is notified that
you are spying on it.
If you are using a SAIL display, the selected terminal's buffers will be
displayed on your screen about once per second, like a WHO display.
If you are using a non-display, the PK information will be typed once.
While PK is running on a display, you can give it any of the commands in the
table below to have it display different information (in the table, <cr> means
carriage return).  Whenever PK exits on a DD or III, the last buffer display
will remain on your screen until you reset your display by BREAK P or by running
another program.

<line number><cr>   Display buffers of the given terminal line.
+<line number><cr>  Display given terminal line and enable data display.
-<line number><cr>  Display given terminal line and disable data display.
<linefeed>          Display buffers of the next higher numbered terminal.
<altmode>           Display buffers of the next lower numbered terminal.
^B^C<digit>         Update the display NOW and every <digit> seconds (1:9).
^B^C0               Update the display NOW, then only once for each command.
+<cr>               Enable display of system internal data at top of screen.
-<cr>               Disable display of system internal data at top of screen.
<cr>                Stop the displaying and exit to the monitor.
<monitor cmd>       Exit and execute the given monitor command.

PPK allows you to peek at the screen of someone at a display terminal (a
DataDisc, III or Datamedia).  Say "R PPK", and give it the line number of the
terminal you want to observe.  (For DataDiscs, this is NOT the number reported
by FINGER; it's the number following the PPN in the person's wholine, and can be
found with the WHERE command.)
If you are on a display yourself and have your wholine turned on, PPK changes
your wholine to be that of the job at which you're peeking.  (Your original
wholine selection is restored when you exit.)
Once you have selected a lial "observe page printer" mode. (Do NOT follow the
E or N with a carriage return, or PPK will exit!)  Typing another line number
followed by a carriage return gets you another victim.  A raw carriage return
causes the program to exit.
If the selected terminal is hidden (by ESC H), PPK will so notify you. You may
choose to override the hiding, but if so, the selected terminal is notified
that you are spying on it.
The display is updated about once every two seconds.  You can force an
immediate update by typing ALTMODE.  You can also set the rate by typing
control-meta-digit, where 1-9 = 1-9 secs and 0 causes the display never to be
updated (except when you type ALTMODE).

POLL accepts an audio channel number and lists those terminals which are
listening to it, and the PPN, if someone is logged in at that terminal.  An
argument of * will list all nonzero audio channels.
r poll
TV-46: TTY53 JOB 41 [1,BH]
TV-47: TTY64
TV-51: TTY52 JOB 46 [1,CR]
TV-63: TTY33 JOB 7 [SF,SF]

The command to communicate with another user is called TALK.  It makes
everything that either one of you types appear on both terminals.  (Note: If
you want to know about the TALK program on the Altos, READ DMCHAT, which
describes both Alto DMCHAT and Alto TALK. The writeup below is for the TALK
command on SAIL, which is completely different from Alto TALK.)  The argument
to TALK is either the programmer name of the person you want to talk to, the
device name of the terminal you want to talk to, or an ARPAnet address.  For
 TALK [email protected]  (% is legal as a host name delimiter also).
The command may fail for any of the following reasons:
user not logged in (use MAIL)
user logged in more than once (use a terminal instead of a user spec)
user gagged or (for ARPAnet TALK) refusing links (use MAIL)
the ARPAnet site is unreachable or does not support network linking
When you are in a (local) talk ring, what you type goes only to the terminals
in the ring, not to the monitor or a user program.  To leave the talk ring,
type [CALL] (control-C from non-displays).
TALKing to local users does not run a program; hence the core image is
TALKing to network users runs a program.  To leave network talk, type
<CONTROL><META>[LF] (control-Z from monitor. It is considered antisocial to
use the TALK command to establish communication with strangers. A better way is
the SEND command, which will send a message to a user but does not interfere
with his work.  For this reason, the TALK command requires that you be logged
in.  If you don't have an account, you can use SEND to request the user TALK
to you.  Type "HELP SEND" for more info.

Typing WHEN prints out your most recent logout time, and the directory which
did the logging out.  The fact that you are currently logged in does not affect
this information. As with FINGER, system crashes are not considered to be
"logging out".  Also, if your directory was deleted when you logged out, it will
not be included by WHEN.  The WHEN command also takes optional arguments.  If
only a single argument is given, it may be typed as:
If more than one argument is used, separate them by semicolons, not commas.  The
various argument forms are:
      .        Report only on current directory.
      *        Give latest logouts for all of your directories.
      PRG      Give latest logout from among PRG's directories.
      *,PRG    Give logouts for all of PRG's directories.
      PRJ,*    Give logouts for all directories with project PRJ.
      PRJ,PRG  Give latest logout for the single directory [PRJ,PRG].
      *,*      Give logout for every directory (not recommended).
Note that brackets are not included in any of the options.  If you are aliased,
the . and * options will use the aliased ppn.  For example:
would tell you when DON last logged out (and from which of his directories),
list all directories for you (or for whomever you're aliased to) with logout
times, give the latest logout for [S,SYS], and finally tell you when ME last
logged out.
If one or more of the directories being listed happens to be logged in at the
moment, a note will be printed to that effect.  If you have asked for the
latest from among all of someone's directories (including your own, which is
the default), then you will be told if that user is logged in on ANY of his
directories.  (In the other cases, such as "*,PRG" or "PRJ,PRG" or "." options,
you are told only if the specific directory is logged in.)
Note that, even if you are not interested in the logout information, you can
use WHEN *,FOO to get a list of all of FOO's directories.  The other
command for doing this is DIR [*,FOO]/Q/F.  It turns out that WHEN is
significantly faster and uses fewer disk ops.  WHEN is also much faster than
FINGER for finding out logout times or for finding out whether a specific person
is currently logged in (though WHERE)


References relating to the VideoCrypt Pay-TV System (February 18, 1995)

References with information relating to the VideoCrypt pay-TV system

Markus Kuhn -- 1995-02-18

A book (known as the 'Black Book 4') with some information about
Videocrypt and other pay-TV systems is available from:

  Swift Television Publications, 17 Pittsfield, Crickdale, Swindon, Wilts,
  UK.  Tel +44 793 750620, Fax +44 793 752399:

  "European Scrambling Systems 4"
  by John McCormac  (32pounds + postage)  ISBN 1-873556-03-9.  
  Waterford University Press, Ireland, voice/fax: +353-51-73640.

John McCormac <mc2@cix.compulink.co.uk>, the author of the above book
also operates a bulletin board system, but you have to pay for access:

  phone: +353 5150143

Reference about the Fiat-Shamir identification/signature system used
in the protocol:

  Amos Fiat and Adi Shamir, "How to prove yourself: Practical solutions to
  identification and signature problems", in Advances in Cryptology --
  CRYPTO '86, A.M. Odlyzko (editor), Springer-Verlag, 1987

The following Internet servers provide collected information about

- ftp protocol: ftp.uni-erlangen.de, login: anonymous,
  contact: mskuhn@cip.informatik.uni-erlangen.de

- ftp protocol: utelscin.el.utwente.nl, login: anonymous,

- FSP protocol (NOT ftp!):, port 1994,
  contact: geirh@idt.unit.no

The following BBS also contains some interesting related files:

  ALTMARK-BBS, +49 3935 213550

USENET discussions about technical details of Videocrypt take place
in alt.satellite.tv.europe. A closed mailing list tv-crypt exists
for more technical and advanced topics of pay-TV security. Subscription
to tv-crypt is only by invitation in order to keep the technical level
of discussion high.

Some publications about Videocrypt are:

        1) Jonathan Hashkes and Michael Cohen, "Managing Smart Cards for Pay
           Television, The VideoCrypt Approach", News Datacom, Jerusalem,
           Seminar on Conditional Access for Audiovisual Services, Rennes,
           France, 12-14 June 1990 (ACSA `90).

        2) Michel Leduc, "Systeme de Television a Peage a Controle d'Acces
           Pleinement Detachable. Un Example d'Implementation: VideoCrypt",
           Thomson Lerea, Illkirch, France.
           Seminar on Conditional Access for Audiovisual Services, Rennes,
           France, 12-14 June 1990 (ACSA `90).

        3) Patrice Peyret, Gilles Lisimaque, T.Y. Chua, " Smart Cards Provide
           Very High Security and Flexibility in Subscribers Management",
           Gemplus Card International Corp., Rockville, USA.
           IEEE Transactions on Consumer Electronics, vol. 36, No. 3,
           pp. 744-752, August 1990.

        4) G. Morgan, "Smart Cards for Subscription Television: VideoCrypt
           - a Secure Solution", News Datacom, London, UK.
           Smart Card `91 International Exhibition, London, UK, 12-14 Feb.
           1991 (Peterborough, UK: Agestream Ltd. 1991), 8pp.

        5) European Patent EP 0 428 252 A2: A system for controlling
           access to broadcast transmissions.

        6) International Standard ISO 7816: Identification cards --
           Integrated circuit cards with contacts, Geneva, 1988.

This list was compiled by Markus Kuhn <mskuhn@cip.informatik.uni-erlangen.de>
and valuable information was contributed by

  Mike Pringle <mpringle@martin.qub.ac.uk>
  Rolf Michelsen <Rolf.Michelsen@delab.sintef.no>
  B. Markus Jakobsson <markus@cs.ucsd.edu>

and others whose names I've forgotten to note or who don't want to be
mentioned. Further contributions are very welcome!

Some Technical Details about Videocrypt (August 2, 1994)

Some technical details about Videocrypt

Markus Kuhn -- 1994-08-02

In this file, I'll collect some of the details known or assumed about
the Videocrypt pay-TV access control system. Consider it as some kind
of frequently asked questions list with answers about the system.

1  Basic principle

Videocrypt encodes the TV image by cutting each line of the image in
two pieces at some cut point and then exchanging these two line
fragments in the broadcast picture. E.g. if a line like


passes the encoder, the output might look like


where the digits represent the pixels of the image. There are 256
possible cut points and there are no cut points directly near the image
border (the minimum distance from the margin is about 12-15% of the
image width), which is the reason why you can sometimes still see
vertical patterns even on an encrypted image. The sound is currently
not encrypted.

Several times per second, a computer at the broadcasting station
generates a 32-byte message which is broadcast, encoded together
with forward error correction information, in the first invisible lines
of the TV signal, similar to teletext. About every 2.5 seconds, one of
these 32-byte messages is processed in the encoder by a secret hash
algorithm which transforms the 32-byte message into a 60-bit value.
These 60 bits are then used by a second algorithm in order to determine
the 8-bit cut point coordinates for each line for the next 2.5 seconds.
No details about this second algorithm are known, but think of it just
as some kind of 60-bit pseudo random number generator (PRNG) where the
60-bit output from the secret hash function is used as a start value
The decoder receives the 32-byte messages and other data together with
the TV signal, applies some error correction algorithms and passes all
32-byte packets to the smart card in the decoder's card slot. The smart
card implements the same secret hash function and answers with the same
60-bit value as the one which is used in the encoder. By using this
60-bit answer from the card, the decoder hardware can generate with the
same PRNG the same cut point sequence as the encoder and can thus
reconstruct the original image by again exchanging the two line
fragments. The secret hash function is a cryptographically strong
system which is designed so that it is extremely difficult to guess the
algorithm of this function by looking at many pairs of 32-byte/60-bit

Apart from being the source for the generation of the 60-bit PRNG seed,
the 32-byte messages from the broadcasting station contain card numbers
so that individual cards can be addressed and they contain commands
like activation, deactivation and pay-per-view account modification. In
addition, the 32-byte packets contain a digital signature (currently 4
bytes) that allows the card to test whether the 32-byte messages really
originate from the encoder and have not been generated by someone
analysing the card. Again, this digital signature, like the hash
function, has been designed so that it is difficult to find out how to
generate a correct signature by looking at enough examples. This
prevents chosen-text attacks, where someone tries to probe the secret
hash function with very carefully selected 32-byte messages, and it
prevents hackers from generating new activation commands for the card.
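The message flow described in this section, as an added Python model (not code from the original file and not the real Videocrypt algorithms, which are secret). Assumptions: HMAC-SHA256 stands in for the secret hash and the 4-byte signature, a SHA-256 counter stands in for the unknown PRNG, and the key, the 28+4 byte message layout and the 100-pixel line width are constructed.

```python
import hashlib
import hmac

# Constructed key: the page says stations differed only in a 32-byte key table.
KEY_TABLE = bytes(range(32))
WIDTH = 100                      # pixels per line in this toy frame
MARGIN = WIDTH * 12 // 100       # no cut points within ~12% of either border


def prf(label: bytes, data: bytes) -> bytes:
    """Stand-in keyed function (HMAC-SHA256); the real algorithms are secret."""
    return hmac.new(KEY_TABLE, label + data, hashlib.sha256).digest()


def make_message(payload: bytes) -> bytes:
    """Encoder side: 28 payload bytes plus a 4-byte signature (assumed layout)."""
    if len(payload) != 28:
        raise ValueError("payload must be 28 bytes")
    return payload + prf(b"sig", payload)[:4]


def card_answer(message: bytes):
    """Card side: check the signature, then return the 60-bit answer or None."""
    if len(message) != 32:
        return None
    payload, tag = message[:28], message[28:]
    if not hmac.compare_digest(tag, prf(b"sig", payload)[:4]):
        return None              # message did not come from the encoder
    return int.from_bytes(prf(b"hash", message)[:8], "big") >> 4   # 60 bits


def cut_points(seed60: int, n_lines: int) -> list:
    """Stand-in PRNG: one 8-bit value per line, mapped to a pixel inside the margins."""
    seed = seed60.to_bytes(8, "big")
    cuts = []
    for line_no in range(n_lines):
        c = hashlib.sha256(seed + line_no.to_bytes(4, "big")).digest()[0]
        cuts.append(MARGIN + c * (WIDTH - 2 * MARGIN) // 256)
    return cuts


def encode_frame(frame: list, seed60: int) -> list:
    """Swap the two fragments of every line at that line's cut point."""
    return [line[cut:] + line[:cut]
            for line, cut in zip(frame, cut_points(seed60, len(frame)))]


def decode_frame(frame: list, seed60: int) -> list:
    """Undo the swap: the first fragment now sits in the last `cut` pixels."""
    return [line[len(line) - cut:] + line[:len(line) - cut]
            for line, cut in zip(frame, cut_points(seed60, len(frame)))]


def demo() -> dict:
    # Constructed frame: 16 lines of 100 distinct pixel values each.
    frame = [[(x + 7 * y) % 256 for x in range(WIDTH)] for y in range(16)]
    message = make_message(b"constructed 28-byte payload!")
    seed = card_answer(message)
    scrambled = encode_frame(frame, seed)
    # Altered payload carrying the old signature: the card must not answer.
    forged = bytes([message[0] ^ 0x01]) + message[1:]
    return {
        "scrambled_differs": scrambled != frame,
        "restored": decode_frame(scrambled, seed) == frame,
        "wrong_seed_restores": decode_frame(scrambled, seed ^ 1) == frame,
        "forged_answer": card_answer(forged),
    }


if __name__ == "__main__":
    print(demo())
```

The model shows the two roles the 32-byte message plays: only a correctly signed message yields a card answer, and only the matching 60-bit answer regenerates the cut points that restore the frame.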

In early 1993, someone managed to get access to the secret hash
functions of several stations which use Videocrypt (e.g., British Sky
Broadcasting, Adult Channel, JSTV, BOB, Red Hot TV). Most of these
systems used the same hash and signature algorithm and the only
difference between the stations was a 32-byte secret key table. It is
not known how it was possible to get this information. Either someone
from the company who manufactured the cards (News Datacom Ltd.)
released this information or it was possible for someone to read out
the EEPROM contents of the card processor (very difficult, but
theoretically possible). With this knowledge it was then quite easily
possible for the original hackers to produce 'clone cards'. These are
simple PCBs with a cheap microcontroller (e.g. one of Microchip's PIC
family), which implements only the secret hash function and serial I/O
procedures in its EPROM and answers with the correct 60-bit values to
32-byte messages just as the real cards do. For several channels, clone
cards are still available, but BSkyB distributed new 09 series cards in
spring 1994 and switched on 1994-05-18 to a new secret hash and
signature function. Consequently, all clone cards stopped working.

The clone cards didn't implement any interpretation procedures for card
activation, deactivation and pay-per-view functions, so their software
is considerably simpler than the one in the real cards. This resulted
in some tiny differences between the reaction of the clone card
software and the reaction of the original card software on pathological
32-byte messages. These differences were used in counter measures
(commonly referred to as ECMs) against clone cards several times in
1993 and 1994 by BSkyB and News Datacom in order to deactivate clone
cards, but it was quite easy each time to find these tiny bugs in
the clone card software and correct them.

There are two microprocessors in a typical Videocrypt decoder. An Intel
8052 microcontroller manages the communication between the smart card
and the rest of the system. As the software of this processor is not
read protected, it was also possible to reprogram this chip (by using
the EPROM version 8752BH) so that the hash algorithm is performed
inside the decoder. Then no external card is needed at all for the
channels for which the hash algorithm was implemented in the 8752. The
second processor is a Motorola 6805 variant and its internal ROM
contents can't be read out easily. The Motorola decodes the data that
comes with the TV signal, applies error correction algorithms to this
data, exchanges the 32-byte messages and 8-byte answers with the Intel
processor and controls the PRNG and the on-screen display hardware.

There are also Videocrypt II decoders available. These work almost like
the Videocrypt decoders and the only important difference is new
software in the Intel and Motorola processors. Videocrypt II decoders
get their data from other invisible TV lines than Videocrypt, and it is
possible to broadcast a signal encrypted in a way that allows both
Videocrypt and Videocrypt II to decode it with different smart cards.

More detailed basic information about Videocrypt has been published in
the European patent EP 0 428 252 A2 ("A system for controlling access
to broadcast transmissions"). You can order a copy for little money
(about 10 DM) from the European Patent Office (Schottenfeldgasse 29,
A-1072 Wien, Austria) if you are interested.

2  Security of the Videocrypt system

The system is very secure, because all secret parts that are essential
to a successful decryption are located in the smart card and if the
card's secret hash algorithm/key becomes known, it can easily be
replaced by just sending new cards to the subscribers. This card
exchange can also be used if details about the format of the commands
hidden in the 32-byte sequences sent to the card become known which
allows together with the knowledge of the signature algorithm to
generate new activation messages and to filter out deactivation

There are however at least two obvious security flaws of the system
which can't be removed by new smart card generations:

  - The dialog between the card and the decoder is identical and
    synchronous for all Videocrypt decoders tuned to the same channel,
    i.e. the decoder doesn't add any card-specific or decoder-specific
    information to the traffic. This makes it possible to use one card
    for several decoders.
    E.g. it is possible to record the 32-byte messages broadcast by
    the station during an evening with a PC, then send these messages to
    someone else with an original card who asks his card for the 60-bit
    answers to all the recorded messages. If this person then sends
    these 60-bit answers back, then you can use this data in order
    to descramble the VCR recorded program of this evening (delayed data
    transfer). However, decoding VHS recorded encrypted signals produces
    minor color distortions and a few VCRs don't preserve the Videocrypt
    data stream in the first invisible lines that accompanies the TV
    signal. It is also possible to distribute the 60-bit answers from
    one card in real-time with cables to many decoders in a house or
    with radio signals to many decoders in a larger region.

  - The simple cut-and-exchange encryption method and the fact that two
    consecutive lines in an image are almost always nearly identical
    makes it possible to try all 256 possible cut points and to select
    the one which causes both lines to fit together best. This method
    has already been implemented on fast PCs with framegrabbers which
    load the image into the memory and display it corrected on the computer
    screen (many seconds per frame), on parallel supercomputers which
    allow almost real-time decryption and with special hardware that
    achieves real-time decryption. However, with this decoding method,
    there are severe image quality losses and many additional problems
    which together with the high hardware costs required (much higher
    than a regular subscription) don't make this approach very practical
    for every day usage.

Both these security gaps in the Videocrypt system don't allow
comfortable and easy high quality decryption like using a card, but the
described methods have already been successfully used by a few
technically skilled people for watching encrypted programs.

3  ISO card protocol

The card and the protocol used to communicate with it conform exactly
to the international standard ISO 7816. The options used from this
standard are: T=0 asynchronous half-duplex character transmission
protocol, active low reset and inverse convention. Only a few basic
principles of the ISO protocol will be explained here. For much more
detailed information, please read the ISO standard which you can order
from your national standards body (e.g. DIN, ANSI, AFNOR, BSI, DS,
etc.). There are three parts of the standard: ISO 7816-1 describes
physical characteristics of the card and quality tests a card has to
survive, ISO 7816-2 describes the location and meaning of the contacts
and ISO 7816-3 (most important) describes the electrical
characteristics, the answer-to-reset message and the protocol. 

The data format is an asynchronous 9600 bit/s serial format similar to
that used on RS-232 lines with 8 data bits, 1 parity bit and two stop
bits. The parity is even (but if inverse bit meaning convention is
used, a RS-232 interface has to be programmed for odd parity in order
to produce the correct bit). There is also an error detection and
character repetition mechanism in the protocol which is not supported
by RS-232 interfaces: If the receiving device (card or decoder) detects
a parity error, it sends an impulse during the stop bit time. This will
tell the sender to retransmit one byte.

After a reset impulse to the card, the card answers with an
answer-to-reset message with some information about the requirements of
the card. If the first byte is 3fh, then this means that in order to
read the bytes with a RS-232 interface, you'll have to invert and
reverse all bits. A typical answer-to-reset looks e.g. like the
following one:

     3f fa 11 25 05 00 01 b0 02 00 00 4d 59 00 81 80 
         |  |  |  |  | | 'historic characters' with|
         |  |  |  |  | | information about chip and|
         |  |  |  |  | | software version, etc.    |
         |  |  |  |  |
         |  |  |  |  +- low nibble: protocol type T=0,
         |  |  |  |     high nibble: end of ISO part
         |  |  |  |
         |  |  |  +- requests 5 additional stop bits  
         |  |  |
         |  |  +- encodes programming voltage and max. programming
         |  |     current (here: 5V, 50mA)
         |  |
         |  +- clock freq.: 11h=3.5 MHz, 31h=7 MHz
         +- the 0ah low nibble means: 10 'historic characters' which
            are not defined in the ISO standard are appended to
            the reset answer

The answer-to-reset message has a variable length format. Some bits
specify whether certain bytes are present or not. If the lowest bit in
the high nibble of the second byte is 1, then the above shown third
byte is present and determines the relation between the bit rate and
the clock frequency after the reset answer. E.g., 11h means that 372
clock cycles are one bit duration (default), i.e. with a clock
frequency of 3.5712 MHz, the bit frequency is 9600 Hz. In the
Videocrypt system, the bit rate is always 9600 bits/s, but a value of
31h (= factor 744) in the third byte requests a doubled clock frequency
(~7MHz) from the decoder. Other values are not supported by the
Videocrypt decoder. 

The Videocrypt decoder supports several programming voltages (5 V, 12.5
V, 15 V and 21 V, max. 50 mA current) and different numbers of stop
bits (>= 5) sent to the card. All these parameters can be selected in
the answer-to-reset. Of the 'historic characters' part, the decoder
only verifies that it is at least 7 characters long and that the values
4dh and 59h are at the positions as in the example, otherwise the card
is rejected. No more details about the information in the historic
characters part of a Videocrypt card is currently known. For the
detailed format of the answer-to-reset message, please consult ISO

The T=0 protocol is a half duplex master slave protocol. The decoder
can send commands to the card followed by a data transmission either to
or from the card. The card can do some limited flow control and can
request or deactivate the programming voltage VPP selected in the
answer-to-reset using "procedure bytes". If the decoder initiates a
command, it sends five header bytes to the card, e.g.

     53 78 00 00 08

The first byte (CLA) is the command class code and is always 53h in the
Videocrypt system. The second byte (INS) is the instruction code. Its
lowest bit is always 0 and instruction codes never have a high nibble
of 6 or 9 (you'll see below, why). The following 2 bytes (P1 and P2) are a
reference (e.g. an address) completing the instruction code and a
Videocrypt decoder sets them always to 00 00. The final byte (P3) codes
the number of data bytes which are to be transmitted during the
command. P3=0 has a special meaning: In data transfers from the card,
it indicates 256 data bytes, in data transfers from the decoder, it
indicates 0 bytes. The direction of the data transfer is determined by
CLA and INS and must be known in advance by both the card and the

After transmission of such a 5-byte header, the decoder waits for a
'procedure byte' from the card.

The following procedure bytes are possible:

  60h             Please wait, I'll send another procedure byte soon,
                  don't timeout.

  INS             Now let's transfer all (remaining) data bytes, I don't
                  need programming voltage.

  INS+1           Now let's transfer all (remaining) data bytes and please 
                  activate VPP.

  INS xor ffh     Now let's transfer another single data byte,
                  I don't need programming voltage.

  (INS+1) xor ffh Now let's transfer another single data byte, and please
                  activate VPP.

  6Xh or 9Xh      This byte SW1 indicates an end of the data transfer
                  and requests to deactivate VPP. A second status byte SW2
                  follows from the card. SW1 SW2 = 90 00 indicates a
                  normal termination, other values report e.g. an error.

After each data transfer, the decoder waits for another procedure byte.
E.g., a typical decoder<->card dialog looks like this (command 78h
requests the 60-bit answer as 8 bytes from the card):

     decoder sends header
       53 78 00 00 08
     card sends procedure byte (all at once, no VPP)
       78
     card sends P3 data bytes
       80 52 02 79 f5 39 7c 0e
     card closes with SW1 and SW2
       90 00

4  Videocrypt protocol

The newer Videocrypt smart cards don't require any programming voltage
(the VPP pin isn't even connected). Although the ISO standard requires
only 2 stop bits after each transferred byte, Videocrypt decoders seem
to require more than 5 stop bits. As PC serial ports don't support more
than 2 stop bits directly, a card emulator software has to wait for
about 0.5-1.5 ms after each byte. Cards can announce in the
answer-to-reset message, how many stop bits they require and Videocrypt
cards also do require more than 2 stop bits.

A Videocrypt decoder knows the following 10 commands (all with CLA=53h
and P1=P2=00h):

     INS     length (P3)      direction        purpose
     70h         6            from card        serial number, etc.
     72h        16            to card          message from previous card
     74h        32            to card          message from station
     76h         1            to card          authorize button pressed
     78h         8            from card        60-bit answer
     7ah        25            from card        onscreen message
     7ch        16            from card        message to next card
     7eh        64            from card        ??? \
     80h         1            to card          ???  > perhaps Fiat-Shamir 
     82h        64            from card        ??? /  authentication?

The following things are known about the data bytes of these commands:

70h:

In BSkyB cards, the 70h data contains the card issue number (e.g. 07 or
09) in the low nibble of the first byte. The high nibble of the first
byte seems to be always 2. The next 4 bytes form a 32-bit big-endian
integer value which corresponds to the decimal card number without the
final digit of the card number (which is perhaps a check digit,
algorithm unknown). The meaning of the final byte is unknown.

72h and 7ch:

Several times per second, the decoder requests with 7ch 16 bytes from
the card. If a card is removed and a new card is inserted in the
decoder without switching off the power of the decoder, then shortly
after the card reset, the decoder sends the latest 7ch data bytes from
the previous card in a 72h message to the new card. In this way, 16
bytes information (e.g. the status of a pay-per-view account or a list
of activated channels?) can be transferred from one card to the next.

74h and 78h:

The 74h command transfers the 32-byte messages from the broadcasting
station to the card. If bit 3 (value 8) in the first byte is
set, then the decoder will ask with a 78h command for the 60-bit
answer. This happens with about every 5th 74h packet, every 2.5 seconds. The
high nibble of the final byte in the 78h data is ignored by the decoder
(only 60 bits are needed). The high nibble of the first 74h byte seems
to have the value eh or fh in normal encrypted operation and ch or dh
in the 'soft scrambled' mode where the decoder can descramble the image
even without any card. 

The following information is valid for the 07 and 09 BSkyB cards and need not
necessarily be true for future smart cards, because these data bytes
don't seem to be interpreted in the decoder and so their meaning can be
changed. A typical BSkyB 74h packet for the 09 series card looks like

  e843 0a888261 0c 29e403f6 20202020202020202020202020202020 fb54ac02 51

The second byte indicates the current date and counts the months since
January 1989. In the 07 card, this month code selects one of several
32-byte secret key tables that are used by the hash function. When the
switch from the 07 hash algorithm to the new 09 algorithm happened on
1994-05-18, this value jumped from 40h (1994-05) to 43h (1994-08) which
might indicate that the activation of the 09 algorithm was originally
planned for August. In the 07 card, this value was only interpreted to
find an offset into a table with various 32-byte secret keys.

The third byte seems to be a random number. This byte together with the
month code is used to generate with a quite simple algorithm four XOR
bytes which are necessary to decode the command byte and the card
number prefix (described below). If you XOR these four bytes with bytes
8 to 11 and if you then XOR only the first of the four bytes with byte
4, then you have decrypted the card number and the command code.

The fourth byte is an encrypted command code. Some decrypted known
values are:

     0x00    Deactivate whole card (message: 'PLEASE CALL 0506 484777')
     0x01    Deactivate Sky Movies (message: 'THIS CHANNEL IS BLOCKED')
     0x02    Deactivate Movie Channel
     0x03    Deactivate Sky Movies Gold
     0x06    Deactivate Sky Sports
     0x08    Deactivate TV Asia
     0x0c    Deactivate Multichannels
     0x20    Activate whole card (remove 'PLEASE CALL 0506 484 777')
     0x21    Activate Sky Movies (remove 'THIS CHANNEL IS BLOCKED')
     0x22    Activate Movie Channel
     0x2c    Activate Multichannels
     0x40    Pay-per-view account management command
     0x81  \   perhaps 09 card ECM
     0xf0  /   commands

Packets with incorrect command bytes and correct signatures can
irreversibly kill a card (it doesn't even answer the reset).

The fifth and sixth byte seem to be parameters for pay-per-view account
management (program number and number of tokens) and don't seem to have
a meaning for enabling and disabling commands.

The lower 7 bits of the seventh byte contain a channel ID.

A card number is represented by a 5 byte card address consisting of a 4
byte prefix and a 1 byte suffix. The five bytes for a card are
identical to the first 5 bytes of the 70h answer, only the high nibble
of the first address byte seems to have a different purpose (unknown).
Up to 16 cards with the same card address prefix can be addressed with
one single 32-byte 74h message. The bytes 8-11 might contain the common
prefix to the addressed cards and the bytes 12-27 the various suffixes.
If there are fewer than 16 different cards to be addressed, then the
same suffix byte is repeated several times in order to fill the space.
The 4-byte prefix is encrypted like the command byte by XORing it with
the four bytes generated using the bytes 2 and 3.

The 4 bytes 28-31 contain the digital signature which is simply an
intermediate result of the iterations of the hash algorithm. If the
checksum, the digital signature, or some of the values in the first 7
bytes of a 74h command aren't correct, then the 78h answer will only
contain 8 00 bytes or in some cases 01 00 00 00 00 00 00 00. The final
byte 32 is a simple checksum that makes the sum of all 32 bytes a
multiple of 256.
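The field layout and checksum rule above, applied to the 09-series packet printed in the text. This is an added example, not part of the original text; the class and function names are illustrative, and the command byte and card number prefix are left encrypted because the text does not give the XOR algorithm.

```python
# Added example: split a 32-byte 74h packet into the fields described in the
# text (byte numbers in the text are 1-based, indexes here are 0-based).
from dataclasses import dataclass

# The 09-series packet printed in the text (fromhex ignores the spaces).
SAMPLE_74H = bytes.fromhex(
    "e843 0a888261 0c 29e403f6 20202020202020202020202020202020 fb54ac02 51")

MODES = {0xE: "encrypted", 0xF: "encrypted",
         0xC: "soft scrambled", 0xD: "soft scrambled"}


@dataclass
class Packet74:
    answer_requested: bool    # bit with value 8 in the first byte
    mode: str                 # from the high nibble of the first byte
    year_month: tuple         # decoded month code (second byte)
    random_byte: int          # third byte
    encrypted_command: int    # fourth byte, still XOR-encrypted
    ppv_params: bytes         # fifth and sixth byte
    channel_id: int           # lower 7 bits of the seventh byte
    encrypted_prefix: bytes   # bytes 8-11, still XOR-encrypted
    suffixes: list            # distinct card address suffixes in bytes 12-27
    signature: bytes          # bytes 28-31


def month_code_to_date(code: int) -> tuple:
    """Month code counts months since January 1989 (40h is 1994-05)."""
    return 1989 + code // 12, 1 + code % 12


def parse_74h(pkt: bytes) -> Packet74:
    if len(pkt) != 32:
        raise ValueError("a 74h message is exactly 32 bytes long")
    if sum(pkt) % 256 != 0:
        raise ValueError("checksum byte does not make the sum a multiple of 256")
    return Packet74(
        answer_requested=bool(pkt[0] & 0x08),
        mode=MODES.get(pkt[0] >> 4, "unknown"),
        year_month=month_code_to_date(pkt[1]),
        random_byte=pkt[2],
        encrypted_command=pkt[3],
        ppv_params=pkt[4:6],
        channel_id=pkt[6] & 0x7F,
        encrypted_prefix=pkt[7:11],
        suffixes=sorted(set(pkt[11:27])),   # repeated filler suffixes collapse
        signature=pkt[27:31],
    )


if __name__ == "__main__":
    print(parse_74h(SAMPLE_74H))
```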

The 07 card (and also cards used by Sky New Zealand) have an
interesting security hole: The card sends to the decoder as many data
bytes as specified in P3. By sending a higher length value in the
command header to the card, one can get up to 256 data bytes back which
seem to be values from the card's RAM that allow some insight into the
internal data structures of the card software.
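The length handling behind this hole, next to a handler that enforces the fixed length from the command table. This is an added example in a toy model, not card firmware and not part of the original text: the RAM layout, offsets and "internal state" bytes are constructed, and the error status words (6e 00, 6d 00, 6b 00, 67 00) are the conventional ISO 7816 values, assumed here rather than known for any Videocrypt card.

```python
# Added example: a from-card T=0 command answered with and without a check of
# P3 against the command's fixed length. All memory contents are constructed.

ANSWER_AT = 0x40
FROM_CARD = {0x78: (ANSWER_AT, 8)}   # INS -> (buffer offset, fixed length);
                                     # 70h, 7ah, 7ch ... would be added alike


def make_ram() -> bytearray:
    """Toy card RAM: the 8-byte 78h answer followed by unrelated state."""
    ram = bytearray(512)
    # Answer bytes from the decoder<->card dialog shown in section 3.
    ram[ANSWER_AT:ANSWER_AT + 8] = bytes.fromhex("80520279f5397c0e")
    ram[0x48:0x68] = b"CONSTRUCTED-INTERNAL-STATE-BYTES"
    return ram


def respond_vulnerable(ram: bytearray, header: bytes) -> bytes:
    """Behaviour the text describes: P3 alone decides how much is sent."""
    _cla, ins, _p1, _p2, p3 = header
    offset, _fixed = FROM_CARD[ins]
    count = 256 if p3 == 0 else p3            # P3=0 means 256 bytes from card
    return bytes([ins]) + bytes(ram[offset:offset + count]) + b"\x90\x00"


def respond_hardened(ram: bytearray, header: bytes) -> bytes:
    """Reject any header whose P3 differs from the command's fixed length."""
    if len(header) != 5 or header[0] != 0x53:
        return b"\x6e\x00"                    # class not supported
    _cla, ins, p1, p2, p3 = header
    if ins not in FROM_CARD:
        return b"\x6d\x00"                    # instruction not supported
    if (p1, p2) != (0, 0):
        return b"\x6b\x00"                    # wrong P1/P2
    offset, fixed = FROM_CARD[ins]
    if p3 != fixed:
        return b"\x67\x00"                    # wrong length, no data sent
    # Procedure byte INS, exactly `fixed` data bytes, then SW1 SW2 = 90 00.
    return bytes([ins]) + bytes(ram[offset:offset + fixed]) + b"\x90\x00"


if __name__ == "__main__":
    ram = make_ram()
    for hdr in ("5378000008", "5378000000"):
        h = bytes.fromhex(hdr)
        print(hdr, len(respond_vulnerable(ram, h)), respond_hardened(ram, h).hex())
```

Because every status byte starts with a 6 or 9 nibble, the error replies cannot be mistaken for a procedure byte, which is the reason the text gives for instruction codes avoiding those nibbles.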


76h:

If the authorize button on the decoder is pressed for a few seconds,
then the decoder will send a single 76h message with a 00 data byte to
the card.


7ah:

This command requests from the card an ASCII text which is then
displayed on the TV screen. The display field is 12 characters wide,
one or two lines high and no lowercase letters are supported. The lower
5 bits in the first byte indicate the length of the text to be
displayed: 0 for no display, 12 for a single line and 24 for 2 lines.
The highest 3 bits of the first byte seem to be some kind of display
priority. The number there (0-3) must be high enough if standard
decoder messages have to be suppressed. The remaining 24 bytes contain
the ASCII text.

The meaning of the other commands is unknown, some of them are never
used currently. Perhaps these commands are used for the Fiat-Shamir
identification exchange described in the patent. Some cards understand
also additional instruction codes which can't be issued by a normal
decoder. E.g. a BSkyB 09 card understands also 12h, 86h, 88h, 8ah and
8ch. These commands are perhaps used in order to test or configure
the card at the factory, etc.

Please contact me if you find out anything new. My e-mail address is

5  VCL File Format

The Videocrypt Card Logfile format (VCL) is used by some people for
performing the delayed data transfer procedure described in section 2.
Person A with a valid card can record the dialog between the decoder
and the card for a certain program P and transmit this information as a
VCL file to person B who has no card and has recorded with a VCR only
the encrypted signal of program P. Person B now connects the Videocrypt
decoder between the VCR and the TV set and connects the card slot of
the decoder to a PC. Using the information in the VCL file, B's
computer can now also decrypt program P. This is of course only
possible for the few hours which are covered by the information in the
VCL file.

Not all of the information exchanged between the card and the decoder
is necessary for descrambling the TV signal. The VCL format uses this
fact in order to save a lot of storage space. Only 12 bytes of high
entropy (that means: almost incompressible) are stored every 2.5
seconds. So a VCL file of a 1 hour program is only about 17 kbytes
large. In addition, VCL files don't contain any information about the
card owner (especially not the card serial number), which appears in
normal full log files. (The only potential security hole is the
remaining nibble in the 78h data, consequently it should be cleared in
order to keep card-specific information from leaking into the VCL file.)

VCL files have a very simple binary format consisting of a 128 byte
header and arbitrarily many 12 byte records. At the end, VCL files may
be padded with zero bytes to a multiple of the operating system's disk
sector size, so that no RAM contents can leak in there out of an
insecure system like MS-DOS. Don't forget to use a binary mode if you
transfer VCL files or their contents will be rendered unusable.

The 128 byte header has the following format:

      byte number       purpose

        0 -  3          ASCII string 'VCL1' which identifies the file
                        type and version of the format.
        4 -  7          The number of 12-byte records stored in this
                        file encoded as a big-endian (most significant
                        byte first) 32-bit unsigned integer value.
        8 - 23          Date and time when the recording started.
                        Format: yyyymmddThhmmssZ, where yyyymmdd are
                        year, month and day (e.g. '19940618'), hhmmss
                        are hour, minute and second (e.g. '235959'),
                        T is just the ASCII letter T, and Z is
                        the ASCII letter Z if the time is UTC or
                        a zero byte, if the time is local time. The 
                        digits are ASCII characters.
       24 - 55          Name of the satellite or cable system from
                        which the recording was done. This is a zero
                        terminated ASCII string with only characters 
                        between 20h and 7eh. As many zero bytes are
                        appended as necessary for filling up the 32
                        bytes. The same format is also used for the next
                        two text fields. Example: 'Astra'.
       56 - 63          Name/number of the transponder from which
                        the recording was done. Example: '08' for
                        Sky One on Astra.
       64 -127          Description of what has been recorded.
                        Example: 'Star Trek: TNG, episode 123'

After the first 128 bytes follow as many 12 byte records as announced
in bytes 4-7. Each record represents a 74h/78h Videocrypt protocol pair
and consists of two fields: The first 4 bytes are the final 4 bytes of
the 74h data part, the remaining 8 bytes are the data part of the
corresponding 78h command. Four bytes of each 74h packet are enough to
allow a card emulator to quickly and reliably synchronize with the
queries of the decoder. The final four bytes of the 74h commands have
been selected because of their high entropy (signature and checksum).
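A reader for the header and record layout above, of the kind used to examine a VCL file: it validates the header, reports how much broadcast time the records cover, and flags records whose unused 78h nibble was not cleared. This is an added example, not part of the original text; the names are illustrative and the sample file is constructed from the example values in the header table.

```python
# Added example: validate and summarise a VCL1 file held in memory.
import struct

HEADER_LEN, RECORD_LEN, SECONDS_PER_RECORD = 128, 12, 2.5


def _text(field: bytes) -> str:
    """Decode a zero-terminated text field restricted to 20h-7eh."""
    text = field.split(b"\0", 1)[0]
    if any(not 0x20 <= c <= 0x7E for c in text):
        raise ValueError("text field has characters outside 20h-7eh")
    return text.decode("ascii")


def parse_vcl(blob: bytes) -> dict:
    if len(blob) < HEADER_LEN or blob[:4] != b"VCL1":
        raise ValueError("not a VCL1 file")
    (count,) = struct.unpack(">I", blob[4:8])      # big-endian record count
    end = HEADER_LEN + count * RECORD_LEN
    if end > len(blob):
        raise ValueError("header announces more records than the file holds")
    if any(blob[end:]):
        raise ValueError("data after the last record is not zero padding")
    stamp = blob[8:24]                             # yyyymmddThhmmssZ
    if not (stamp[:8].isdigit() and stamp[8:9] == b"T"
            and stamp[9:15].isdigit() and stamp[15:16] in (b"Z", b"\0")):
        raise ValueError("malformed start time")
    # Each record: final 4 bytes of the 74h data, then the 8 bytes of 78h data.
    records = [(blob[o:o + 4], blob[o + 4:o + RECORD_LEN])
               for o in range(HEADER_LEN, end, RECORD_LEN)]
    return {
        "started": stamp[:15].decode("ascii"),
        "utc": stamp[15:16] == b"Z",
        "system": _text(blob[24:56]),
        "transponder": _text(blob[56:64]),
        "description": _text(blob[64:128]),
        "records": records,
        "seconds_covered": count * SECONDS_PER_RECORD,
        # The decoder ignores the high nibble of the last 78h byte; anything
        # left there is card-specific data that should have been cleared.
        "uncleared_nibble": [i for i, (_, answer) in enumerate(records)
                             if answer[7] & 0xF0],
    }


# Constructed sample: header values are the examples from the table above,
# record 0 reuses bytes printed in the text, record 1 is made up.
SAMPLE_VCL = (
    b"VCL1" + struct.pack(">I", 2) + b"19940618T235959Z"
    + b"Astra".ljust(32, b"\0") + b"08".ljust(8, b"\0")
    + b"Star Trek: TNG, episode 123".ljust(64, b"\0")
    + bytes.fromhex("54ac0251" "80520279f5397c0e")
    + bytes.fromhex("01020304" "11223344556677f8")
).ljust(512, b"\0")

if __name__ == "__main__":
    summary = parse_vcl(SAMPLE_VCL)
    print({k: v for k, v in summary.items() if k != "records"})
```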