The Videocrypt System by Darren Ingram of SATNEWS (June 5, 1991)


*** The Videocrypt System ***

An Overview

Researched and written by Darren Ingram, author of Satnews

– Satnews.. the latest and non-Commercial satellite news –

Version 1.31 – 06.05.91

Introduction

Videocrypt is a pay-tv scrambling system jointly developed by Thomson
Consumer Electronics and News Datacom. Over one million users
receive Videocrypt encrypted signals and this system has, to date,
remained secure from illicit decoder manufacturers, protecting the
revenue of Videocrypted television channels.

Requirements

Videocrypt is a multi-standard encryption system which is suitable
for PAL, NTSC and SECAM transmissions. Language is no barrier for
Videocrypt with its capacity for multi-lingual transmissions and
broadcasts utilising a comprehensive on-screen instruction menu.

Features and applications

A smart card is the central key to the Videocrypt system, and the
card can be used for a variety of diverse applications. The card
is pre-coded to determine a user's requirements and it can
subsequently be addressed utilising the decoder's logic to amend the
user's services at the broadcaster's will.

There are a number of broadcasting modes which the smart card can be
used within including:

Clear Mode
Signals sent in the clear are recognised by the decoder and
passed to the display without further processing.

Free Access
Pictures transmitted with an encryption key are delivered
directly to the display through the decoder.

Controlled Access
Access to encrypted pictures is determined by the level
of access authorised to the user's smart card. No signals
will be transmitted in an unencrypted state without prior
authorisation.

Programmes can be tailored to usage with the Videocrypt system and
the system offers a flexible way for pay-tv operators. There are a
number of operating modes offered as standard including:

* Single or multiple subscriptions with many tier levels in one
channel

* Pay Per View (PPV) and impulse purchasing

* Thematic selection (enable all arts programming)

* Geographic limitation (restrict to a country/area)

* Single-event (throwaway cards)

* Parental Control (reception with card only)

* Pre-determined time period

Videocrypt enables smart cards to be pre-programmed to suit the
specific programming requirements.

Smart card – providing the revenue security

Security can be addressed on a multitude of levels when using the
smart card. These include:

Chaining

An existing customer would receive a new card which contains part of
the new code. The remainder of the code would be transmitted when
the card is inserted into the decoder and the subscriber complies
with the instructions contained within the on-screen graphics.

Over-the-air addressing

Systems operators can now address individual subscribers, which is a
vast improvement over other scrambling systems. The operator can
provide additional services, reduce service entitlements, send
individual messages, blacklist and/or whitelist viewers.

Cloning

A number of steps have been taken to stop smart cards being copied
or cloned. A physical deterrent is the first line of defence, and
the integrated circuit contained within the card makes “probing”
very difficult as the IC is likely to become damaged in the process.

Cost is a second factor which is likely to deter manufacturers of
illegal decoders. A considerable amount of time, trouble and
expensive resources would be required to clone the card.

The manufacturers of Videocrypt recommend that the cards are
replaced every six months, and each time this is done a “secret
encrypting algorithm” will be changed. Any pirate decoders
manufactured during this time would be relatively useless.

And should a pirate decoder be manufactured, it will contain a
unique security code, which could be blacklisted by the systems
operator once the code has been discovered – leading to calls of
complaint by angry customers.

Video taping

Videocrypt offers a simple method of tracking down pirates who
video high-value programming and then distribute it.

The customer's unique number can be displayed on the unencoded screen
for reference and future litigation. Although an on-the-screen
code can be generated for signals piracy in a public place, the
codes can be hidden in the picture – and retrieved by a technician
at a later stage.

Videocrypt - your flexible friend?

Videocrypt can be used in a number of applications other than tv
signals protection. They include:

Messaging: messages can be transmitted to individual subscribers or
to a group, so target messaging is now a potential. Messages like:
“Satellite owners in LONDON call 081 XXX XXXX now for a great
bargain”.

Selling: sales over the air can be utilised with the unique identity
number which verifies an owner and their registered address. Data
can be matrixed with a user personality during ad-breaks to
tailor-make the advertisement.

A unique transaction alphanumeric can be displayed on the TV screen,
and the subscriber will telephone a given number and quote the
alphanumeric – and the deal can then be completed in total security.

Scrambling

The majority of scrambling systems currently on the market are
dependent on analogue processing circuitry, and it is a hard task to
get a secure system without picture deterioration.

Videocrypt can encode and decode a picture without degradation.

The crux of the scrambling system revolves around a patented
development of Active Line Rotation (Cut and Rotate principle).

Every line of the signal is cut at a number of points along its
length, and this is chosen at random by a 60 bit pseudo random
binary sequence generator (PRBS). As each cut point differs from
the next the signal has no viewing value to an unauthorised
recipient, but authorised recipients' decoders recode the picture so
that the true state of the unscrambled line is always first out for
display.

The PRBS is re-seeded at times too, to enhance the security of the
system even more.

Before this ALR process can take place, the decoder needs to be
aware of the cut point on each of the transmitted lines. This is
provided within the encryption process. Each decoder utilises a
PRBS which reflects the characteristics of the system so that the
two halves can be synchronised and a viewable picture displayed.
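
A small model of the cut-and-rotate process just described, as an added example that is not code from the original article or from Videocrypt itself. The 60-bit register length comes from the text; the feedback taps, the 8-bit cut-point width, the line geometry, the seeds and the sample picture are assumptions made for illustration.

```python
# Added illustration of Active Line Rotation; not Videocrypt's real generator.
# From the text: a 60-bit PRBS picks each line's cut point and is re-seeded
# from time to time. Assumed here: the LFSR taps, 8 bits per cut point, the
# line geometry, the seeds and the sample picture.

MASK60 = (1 << 60) - 1
LINE_LEN = 288   # samples per toy line (assumption)
MARGIN = 16      # keep cut points away from the line edges (assumption)


class Prbs60:
    """60-bit Fibonacci LFSR with feedback from stages 60 and 59 (assumed)."""

    def __init__(self, seed):
        self.state = seed & MASK60
        if self.state == 0:
            raise ValueError("an all-zero LFSR state never changes")

    def next_bits(self, n):
        """Clock the register n times and return the n feedback bits."""
        out = 0
        for _ in range(n):
            bit = ((self.state >> 59) ^ (self.state >> 58)) & 1
            self.state = ((self.state << 1) | bit) & MASK60
            out = (out << 1) | bit
        return out


def cut_points(seeds, n_lines, lines_per_seed):
    """One cut point per line; a fresh seed is loaded every lines_per_seed lines."""
    cuts, prbs = [], None
    for i in range(n_lines):
        if i % lines_per_seed == 0:
            prbs = Prbs60(seeds[i // lines_per_seed])   # re-seed
        cuts.append(MARGIN + prbs.next_bits(8))         # 256 candidate positions
    return cuts


def rotate(line, cut):
    """Cut the line at `cut` and swap the two segments."""
    return line[cut:] + line[:cut]


def scramble(picture, seeds, lines_per_seed=4):
    cuts = cut_points(seeds, len(picture), lines_per_seed)
    return [rotate(line, c) for line, c in zip(picture, cuts)]


def descramble(scrambled, seeds, lines_per_seed=4):
    # The decoder runs the same PRBS from the same seeds, so it derives the
    # same cut points and rotates each line back by the complementary amount.
    cuts = cut_points(seeds, len(scrambled), lines_per_seed)
    return [rotate(line, len(line) - c) for line, c in zip(scrambled, cuts)]


# Constructed sample data: two seeds and an 8-line picture of brightness ramps.
SEED_A = 0x0123456789ABCDE
SEED_B = 0xA5A5A5A5A5A5A5A
PICTURE = [[(x + 3 * y) % 256 for x in range(LINE_LEN)] for y in range(8)]

if __name__ == "__main__":
    seeds = [SEED_A, SEED_B]
    sent = scramble(PICTURE, seeds)
    print("cut points:", cut_points(seeds, len(PICTURE), 4))
    print("same seeds restore the picture:",
          descramble(sent, seeds) == PICTURE)
    print("other seeds restore the picture:",
          descramble(sent, [SEED_B, SEED_A]) == PICTURE)
```

Every scrambled line holds exactly the samples of the original line in rotated order, which is why the process causes no picture degradation once both PRBS generators are in step.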

Data is transmitted in a series of over-the-air packets, which look
like:

SYSTEM ----- SMART or BLACKLIST

The system packet comprises system data, including Fiat-Shamir
identification information, on-screen display messages,
fingerprinting and blacklisting data.

The smart card packet comprises:

HEADER ----- ENCRYPTED DATA ----- CHECKSUM

The Videocrypt encryption system is based around a tightly-guarded
secret which has defeated system hackers throughout the world. A
final control algorithm is central to the system's security and this
can be changed at will if the system has been hacked.

Complex calculations are performed within the system in order not to
compromise its security.

But hackers who have attempted to hack the decoder will be
disappointed – as there are no secrets held within the system.

Smart Cards

The smart card offers great flexibility to the programme controller
and the viewer alike, and is the key to the Videocrypt system.

The integrated circuits incorporated within the smart card have a
lot of power and contain EPROM elements which are partially burned
during their manufacture. The ICs are buried within the design to
make the system harder to penetrate.

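Smart card block diagram

          +-------+   +-------+   +-------+
VCC ->    |  RAM  |   |  ROM  |   | EPROM |
          +-------+   +-------+   +-------+
              ^           ^           ^
              |      TO AND FROM      |
          +-------------------------------+
GND ->    |         INTERNAL BUS          |
          +-------------------------------+
              |      TO AND FROM      |
          +-------+   +-------+   +-------+
          | 8 BIT |   | ANTI  |   | S/WRE |
RST ->    |  CPU  |   | FRAUD |   | CNTRL |
          |       |   | DVCES |   | I/FCE |
          +-------+   +-------+   +-------+

             CLK         VPP         I/O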

Over the air addressing

Algorithmic information is transmitted to the viewer over the air,
encrypted within the Videocrypt system.

This data is transmitted within the Vertical Blanking Interval (VBI).
Four lines are employed for active data, plus two others, one
white and one black, for test purposes.

An application of Non Return To Zero (NRZ) with a constant energy
spectrum maximises the system's characteristics.

Four picture-sustaining techniques are used to ensure a high quality
picture. Bit interleaving, Hamming codes, quadruple repetition and
checksums are used within the process.

The system can cope with fringe reception areas and will still
function correctly with high levels of noise.
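
The four protection layers named above, modelled on a constructed packet (an added example, not part of the original article). The Hamming(7,4) code, the sum-modulo-256 checksum, the order of the layers and the packet contents are assumptions; the article does not give Videocrypt's actual parameters.

```python
# Added illustration: checksum + Hamming code + bit interleaving + quadruple
# repetition protecting one data packet. All parameters are assumptions.

COPIES = 4  # "quadruple repetition"


def hamming_encode(nibble):
    """Hamming(7,4): codeword laid out as p1 p2 d1 p3 d2 d3 d4."""
    d = [(nibble >> i) & 1 for i in (3, 2, 1, 0)]
    p1 = d[0] ^ d[1] ^ d[3]
    p2 = d[0] ^ d[2] ^ d[3]
    p3 = d[1] ^ d[2] ^ d[3]
    return [p1, p2, d[0], p3, d[1], d[2], d[3]]


def hamming_decode(word):
    """Correct at most one flipped bit, then return the 4 data bits."""
    c = list(word)
    syndrome = ((c[0] ^ c[2] ^ c[4] ^ c[6])
                | (c[1] ^ c[2] ^ c[5] ^ c[6]) << 1
                | (c[3] ^ c[4] ^ c[5] ^ c[6]) << 2)
    if syndrome:
        c[syndrome - 1] ^= 1          # syndrome is the 1-based error position
    return c[2] << 3 | c[4] << 2 | c[5] << 1 | c[6]


def encode_copy(payload):
    """Payload + checksum byte -> Hamming codewords -> interleaved bit list."""
    data = payload + bytes([sum(payload) % 256])
    words = []
    for byte in data:
        words.append(hamming_encode(byte >> 4))
        words.append(hamming_encode(byte & 0x0F))
    # Interleave: bit 0 of every codeword first, then bit 1 of every codeword...
    # A noise burst no longer than len(words) hits each codeword at most once.
    return [w[j] for j in range(7) for w in words]


def decode_copy(bits):
    """Undo the interleave, correct each codeword, verify the checksum."""
    n = len(bits) // 7
    words = [[bits[j * n + i] for j in range(7)] for i in range(n)]
    nibbles = [hamming_decode(w) for w in words]
    data = bytes(nibbles[k] << 4 | nibbles[k + 1] for k in range(0, n, 2))
    payload, check = data[:-1], data[-1]
    return payload if sum(payload) % 256 == check else None


def transmit(payload):
    return encode_copy(payload) * COPIES


def receive(stream):
    """Return (payload, index of the copy used), or None if all copies fail."""
    size = len(stream) // COPIES
    for k in range(COPIES):
        payload = decode_copy(stream[k * size:(k + 1) * size])
        if payload is not None:
            return payload, k
    return None


def burst(bits, start, length):
    """Constructed channel fault: invert `length` consecutive bits."""
    return [b ^ 1 if start <= i < start + length else b
            for i, b in enumerate(bits)]


PAYLOAD = b"VC-DATA!"   # constructed 8-byte packet body

if __name__ == "__main__":
    one = encode_copy(PAYLOAD)                 # 18 codewords, 126 bits
    print("18-bit burst:", decode_copy(burst(one, 14, 18)))
    print("19-bit burst:", decode_copy(burst(one, 14, 19)))
    noisy = burst(burst(transmit(PAYLOAD), 0, 126), 140, 18)
    print("first copy lost, second damaged:", receive(noisy))
```

A burst as long as the number of codewords is fully corrected; one bit more puts two errors in a single codeword, the checksum rejects that copy, and the receiver falls back on the next repetition.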

Picture quality

Picture quality is paramount for any scrambling system and due to
the standard being of a digital origin, integrity of the signal is
maintained throughout the encryption and de-encryption process.
Amplitude sampling is conducted by the decoder and a 14MHz internal
clock ensures jitter-free pictures and unstable framing. A
digitally derived Automatic Gain Control (AGC) is also included
within the receiver.

Scrambling Sound

Videocrypt also has the capability of encrypting sound sources to
enhance the security of premium events. To date this level of
security has not been utilised by broadcasters.

The system of spectrum inversion renders the sounds received without
authorisation worthless. Videocrypt transposes the frequencies
transmitted and this in turn removes distortion of the sound.

Technical Data
(supplied by Thomson Consumer Electronics, 1991 - subject to change)

VIDEOCRYPT BASEBAND DECODER
* Stand alone video decoder
* On screen display
* De emphasis switch
* Authorise button
* Integrated smart card reader
* Power indicator

PAL MODEL
Video input level                 1V +/- 3dB flat and clamped
Baseband input level              250 mV +/- 3dB, unclamped level
                                  measured at pre-emphasised transition
                                  frequency
Suitable de-emphasis              CCIR 405-1
Video output level                1V p.p. into 75 ohms
Video bandwidth                   50Hz – 4.8 MHz -3dB typical
Line tilt                         <= 1% typical
Luma/Chroma Delay                 +/- 50nS typical
S/N ratio                         50dB typical weighted

CONNECTIONS
AV                                Peritel (Scart)
Audio loopthrough                 Left and right
Pin 8                             High with scrambled video input
                                  Low with clear video input
Pin 16                            5v 50mA maximum for external
                                  modulator (OPTION)

MISCELLANEOUS
Standards                         Designed to IEC 65
Operating Temperature Range       5-40 C
Mains Input                       216-255 V AC 50 Hz
Power Consumption                 15W
Weight                            2.5Kg

VIDEOCRYPT ENCODER (PAL/SECAM/NTSC)
* 19" rack mounting
* Active line cut and rotate
* Twin or single scrambler
* Separate power supply
* Integrated cooling unit
* Data for control access in the VBI
* RS232 interface

Video input level                 1V 75 ohm
Video output level                1V peak to peak +/- 2% 75 ohm
Line tilt                         0.5% typical
Base line distortion              0.5% typical
Chrominance to luminance          3% typical
2T/Bar ratio                      2% typical
Synchro level                     1% typical
S/N ratio RMS weighted            >= 67dB
Chrominance luminance:
intermodulation                   <= 2%
differential gain                 1% typical
differential phase                1" typical
luminance non-linearity           1% typical
chrominance/luminance delay       +/- 10nS typical
video bandwidth at 3dB            >= 5.8 MHz
Output DC level                   300 mV +/- 50 mV
Sampling frequency rejection      >- 50dB at 14 MHz
Number of bits per sample         10

CONNECTIONS
Connections to security comp      RS232
Local VT100 terminal              ditto
Video in                          BNC 75 ohm
Scrambled video out               BNC 75 ohm

MISC
Local terminal functions are to:
    show working parameters
    give warnings
    control:                  local
                              remote
                              autonomous
    select scrambling mode:   clear
                              free access
                              control access

Mains input low pass filtering
Audio scrambling using spectrum
inversion 0dB/600 ohm (optional)

ENDS

**** Sky card hacking info 26/06/1993 ***

When the VideoCrypt system was launched, the press releases
claimed that it was the most pirateproof system yet devised. Some
of the people involved in the design of the system claimed that it
would take billions of years to break the codes used by the
system. The usual media journalists swallowed this hook, line and
sinker. The hackers knew otherwise.

The VideoCrypt system is the mainstay of the BSkyB satellite
television empire. It is the means by which BSkyB makes its money
from the subscribers. The basic theory is that they pay a
subscription for the premium channels and they receive a smart
card. This smart card, when inserted into the VideoCrypt decoder
will allow the decoder to descramble the channels paid for. It is
also possible for BSkyB to turn off the cards of those subscribers
who have not paid.

Hacking scrambling systems such as VideoCrypt is a multi-million
pound industry. Due to the present legal situation it is perfectly
legal to hack a channel that originates outside the UK. However
for someone in the UK to hack a UK originated channel is illegal.
Such mere facts as illegality have never bothered pirates.

In the last few weeks the impossible has happened. The VideoCrypt
system has been conclusively hacked. It is now possible to
purchase a pirate smart card or chip which will allow the viewer
to descramble Sky Movies Plus, The Movie Channel, Sky Gold, Sky
Sports and TV Asia. The cost of this pirate card is £99. The price
in itself is lower than the subscription for the channels.

Other channels using the VideoCrypt system are worried. According
to the latest reports, The Adult Channel and JSTV have been
compromised as well. This means that all of the channels currently
using the VideoCrypt system as a fee gathering system have just
lost control of the market. It is now, well for the moment anyway,
a pirate’s market.

This hack is, like all hacks, colourfully named. It is known as
the “Ho Lee Fook” hack. The joke being that this is generally the
exclamation uttered by people when told of the hack. There are two
forms of the hack; a card and a chip.

The card version of the hack is about sixteen millimetres longer
than the official BSkyB card. Essentially it is a single chip
mounted on a printed circuit board that plugs directly into the
VideoCrypt decoder’s card socket. This is the more user-friendly
version as it does not require any modification to the decoder.

The chip version does require some modification to the decoder.
The official VideoCrypt name for the chip in the decoder is “The
Verifier”. This chip has to be removed and replaced with the
pirate chip. The decoder will then decode the scrambled channels
without the need for the BSkyB smart card.

The pirate cards and the chips are on sale. It is believed that
a number of them are already in the UK. Indeed I received one, in
a brown paper envelope, on June the eighth. It is still working.

The problem for BSkyB and other users of the VideoCrypt system is
not one of containment. Things have progressed too far for that.
The problem is more serious. Unless they can come up with a quick
fix for the system that will render the Ho Lee Fook hack inactive,
they have to replace the smart cards.

BSkyB initially set out to replace their smart cards every three
months. This continual update was, so the theory went, meant to
deter hackers from trying to hack the system. Fiscal reality has a
crushing effect on such business school theories.

VideoCrypt suffered its first real disaster when someone
discovered that by limiting the programming voltage to the card,
it was possible to stop the card being switched off. This hack was
known as the “Infinite Lives” hack. It was an old computer term
for a modification to a games program that gave the player
unlimited lives. Since BSkyB could not turn off the cards it
seemed an apt name. This hack was followed by a new issue or batch
of cards. The “Infinite Lives” hack did not work on the new cards
but a new hack did.

The KENtucky Fried Chip upped the ante. It was the first time that
the actual internal operation of the VideoCrypt decoder was
interfered with. It was a rewritten “Verifier” chip that was
programmed to stop the cards being turned off. It did not work at
full efficiency so it was not marketed by the pirates. After this
hack, BSkyB issued a new batch of cards which was more resilient
to this hack.

The current card issue is issue 07. The Ho Lee Fook hack is
working on this batch. If BSkyB introduce issue 08 cards, then
there is the possibility of the hack ceasing to work. At this
stage there is the terrible spectre of the hack being updated to
work with the 08 cards. It is the thing of which BSkyB’s
nightmares are made.

The issue of new card batches occurs mainly in Spring or Autumn. A
Summer launch of the new 08 cards would be unusual. As VideoCrypt
will be going to a tiered channel structure in the Autumn, it
would seem that they have planned an Autumn update. The Ho Lee
Fook hack may force them to bring their plans forward by some
three months or so.

The confidence in a system is not based on how well a system
repels hacks but rather on how well a system recovers from hacks.
This will be a true test of the VideoCrypt system and its smart
card based philosophy. The philosophy is that of the detachable
secure controller. Basically what this means is that if the system
is hacked then all that needs to be done to stop the hack is to
issue a new card.

The effect on the confidence of present and prospective users of
VideoCrypt is more difficult to gauge. The smart card is the core
of the VideoCrypt system. Seeing it replaced by a pirate smart
card contradicts every claim made in favour of VideoCrypt. It was
not supposed to be possible. One thing is certain, channels will
now have to look at a scrambling system as only being a temporary
form of protection that has to be frequently updated. Failure to
do so will be fatal.

John McCormac
Author of “European Scrambling Systems 3” ISBN 1-873556-02-0
Editor of Hack Watch News.

*** Latest ***

There is no such thing as coincidence – or is there? On the day that
the film “Sneakers” was released on video, I received an actual working
hack for the scrambled Sky channels. The film “Sneakers” is about
events surrounding a piece of equipment that can hack any cryptosystem.
The piece of equipment that I received is essentially a chip that can
hack the Sky VideoCrypt channels.
This latest hack on the VideoCrypt system has been labelled the “Ho
Lee Fook” hack. The reason for this name is more to do with people’s
reaction to the hack rather than its origin, which incidentally is
Central Europe.
This is perhaps the most dangerous hack to have occurred on VideoCrypt
– it replaces the smart card. In effect it is a new smart card that
gives access to all the Sky channels. Of course the problem for Sky is
that it is not a genuine Sky card.

The card is approximately sixteen millimetres longer than the official
Sky card. It is a blue printed circuit with a single surface mount
chip, and five connector pads. The identification numbers on the chip
have been scrubbed.
The standard check for a card of this nature is to look for a wafer
from an official smart card. In the early days, a fairly common scam
was to take the chip and connector pad from a valid Sky card, trim away
the plastic and then put the chip in a DIL header. The DIL header would
then be blobbed in a lump of black resin so that it looked like an IC.
The decoder would then have its card reader replaced with an ordinary
DIL IC socket. Then the decoder and chip would be shown or sold to some
unsuspecting, if greedy, punter.
The chip appeared to be real, with no wafer underneath the body of the
chip. The actual stubs of the chip die were just visible at the end of
the chip. It was a genuine chip.

It has been working steadily for the last few days and there appears
to have been no kill messages sent to it. If it had been a direct
clone, Sky would have been able to kill it over the air – or would
they?
Since the people who developed this hack obviously understand the
operation of the over the air addressing, they may well have designed a
filter to stop the kill message from having any effect on the pirate
card. There are of course more devastating implications here. The card
itself may only contain the data and algorithms necessary to descramble
the signals.
The chip version of this hack is based on the 8752. This Ho Lee Fook
chip will replace the official 8052 in the decoder. A selling price of
ninety nine pounds has been mentioned in Germany.

Nobody is sure what the people in News Datacom are doing about this
hack. Sky are more than likely very upset that someone has hacked their
pirateproof system yet again. This is the fifth hack and the image of a
pirateproof system now only exists in the minds of PR people.

*** -=Y_HS=- all (c)’s acknowledged ***

Syndicated Hack Watch (October 1993) Piracy Covered by Mainstream Press

******************************************************************
*---------------- Syndicated Hack Watch - 10:1993 ---------------*
******************************************************************
*-------------- Special Projects BBS +353-51-50143 --------------*
*-------------- SysOp: John McCormac --------------*
******************************************************************
*------------- (c) 1993 MC2 (Publications Division) -------------*
*--------------- 22 Viewmount, Waterford Ireland ----------------*
******************************************************************
******************************************************************

Syndicated Hack Watch is copyrighted material. All unauthorised
reproduction whether in whole or in part, in any language will be
suitably dealt with.

******************************************************************
Contact Numbers:

Voice: +353-51-73640
Fax: +353-51-73640
BBS: +353-51-50143 HST – Special Projects BBS
E-mail: mc2@cix.compulink.com.uk
FidoNet: 2:263/402
******************************************************************

Piracy Covered By Mainstream Press

It would appear that the mainstream press has finally copped on to
the fact that piracy is happening. The Financial Times, the
English equivalent of the Wall Street Journal, has covered the
matter though the topic had a curiously Anglo-Australian flavour.

Apparently there is a dealer in Offaly, Ireland selling pirate
smart cards into the UK. The initial Financial Times article
featured a photograph of Mr David Lyons of Satellite Decoding
Systems (Offaly and Warrington) with a legitimate card and a
pirate card. The day after, the Financial Times had a small piece
on how they received a pirate smart card with a Cheshire, UK,
postmark.

Basically what Satellite Decoding Systems is doing is marketing
the pirate card into the UK from Ireland. The card is not illegal
in Ireland but it is illegal in the UK. But the problem was that
the cards were being shipped into the UK from Ireland and then
distributed in the UK. The UK side of the operation was slightly
illegal. Sky’s lawyers have served a writ on the UK operation but
Mr Lyons is fighting it.

Sky are faced with a trickier problem in Ireland. The hacking of
non-Irish satellite channels is not illegal under the Irish
Broadcast Act 1990. The only option Sky would have is to take
Satellite Decoding Systems to court for copyright infringement.

EC Legislation On Piracy?

The Motion Picture Experts Group has drafted an anti-piracy
proposal with which to lobby the EC. They want to make piracy
illegal in all the states of the European Community. They may be
movie experts but their knowledge of piracy appears to be in
the realm of the fictional.

The draft proposal would make piracy of satellite and cable
signals illegal throughout the EC. The most likely implementation
would be as a Directive which would be law throughout the EC.

The approach is American and the thinking appears to be
federalist. Except in this case the federalist approach is not the
correct one. Each country in the EC has its own particular
framework and problems. To try to implement a standard catch-all
piece of legislation will cause more problems than it solves.

There is legislation extant in various EC countries to protect the
signals. Though the downside is that the legislation is inward
looking. The laws of each country protect that country’s channels.

In most states in the EC, the legislation protecting satellite and
cable channels is a compromise. Protecting cable signals with
legislation is a fairly straightforward matter. Protecting
satellite signals is a trickier proposition. Normally the
legislation covers the channels uplinked from that country but
does not extend to satellite channels that originate outside the
country. The legislation in some countries has provisions that
extend protection on a reciprocal basis.

Of course the problem with piracy is that it rarely respects
legality. It can operate underground when necessary. Where it has
been forced underground it has prospered.

General Instruments Sues Magazine

General Instruments, the maker of that greatly hacked system,
VideoCipher II, are to sue a magazine over adverts. The adverts in
question were for third party cable decoders.

The action is being taken because GI believe that the adverts
contravene the 1984 US Cable Act which makes it a criminal offence
to assist piracy. The magazine, “Nuts And Volts” has a circulation
of 80,000.

The US constitution protects the right to free speech. Commercial
and editorial speech is also protected to a lesser degree. The US
Supreme Court upheld a decision that the US magazine “Soldier Of
Fortune” could be liable for criminal acts committed by
mercenaries who advertise in its pages.

Some in the industry see the lawsuit as a form of harassment by
GI. However the situation will be watched closely here in Europe
by Sky.

A Faster Update For Pirate Cards

According to some sources, Sky are about to face a more versatile
and lethal threat. Some of the newer designs for pirate smart
cards will be updated by telephone. In this respect they are becoming
more like Sky. Except in this case the pirate cards will be
updated to cope with Sky’s countermeasures.

The technology involved is similar to that used in the USA for the
VideoCipher key updates. The basic dealer equipment will be a
modem, a computer and a chip programmer. The update codes will be
delivered via modem to dealers throughout Europe. They will then
have to program the pirate cards using the delivered codes. This
essentially involves plugging the pirate card into a socket on the
programmer and downloading the updated set of codes.

Of course the full chip program will not be sent. The newer
versions of the cards will have two chips. One chip will hold the
main card program. This chip will be protected. The second chip
will be unprotected. This chip will hold the alterable
information.

Such a change in operation will give the Blackbox industry an edge
on Sky as they will be able to bring the update time down to a few
hours. Whereas before it was a question of returning the card and
waiting perhaps a few days, pirate users will now be able to walk
into a dealer's and have the card updated on the spot.

FilmNet and VideoCrypt 2

The system used by FilmNet on the low Astra transponder is
VideoCrypt. It is not the same type of VideoCrypt as that
currently in operation on the Sky Multichannels.

The new type of VideoCrypt has been given a working title of
VideoCrypt 2. Others have called it VideoCrypt Europe. Some
hackers have pointed out the ominous similarity of its acronym –
VC2.

The need for VideoCrypt-2 has become evident over the last few
months. Some of the more European channels in the Sky
Multichannels package have sizable European potential. The Ireland
– UK constriction of the Sky Multichannels package tends to limit
their financial outlook somewhat. The European market is far more
lucrative in terms of cablenet deals.

According to a source, FilmNet have already ordered 100,000
VideoCrypt-2 IRDs from Thomson. The use of the system by FilmNet
is not particularly unusual. However it is an indication of a
clever strategy on FilmNet’s part. It is a case of
compartmentalised operations. A separate system for each area of
operation. The strategy would tend to limit the effects of a hack
on any of the systems. As things stand, FilmNet on Astra is hacked
and VideoCrypt is hacked. Unless there is some major upgrade in
VideoCrypt-2 then the system will also be hacked.

The use of a separate transponder by some of the channels that use
VideoCrypt-2 to access the European market is out of the question.
Therefore VideoCrypt-2 must be able to coexist with VideoCrypt-1
on the same channel.

There may be some evidence for the VideoCrypt-2 being in operation
on channels other than FilmNet. Some official card users have been
reporting slow lock-up times on various channels. Other problems
such as intermittent drop-out have been observed.

These are exactly the kind of symptoms to be expected if
VideoCrypt-1 and VideoCrypt-2 are sharing a channel’s datastream.
The VideoCrypt datastream is robust in that it has a very slow
data rate. The 1 kilobit per second rate gives it a good
resistance to sparklies. The disadvantage is that the slow data
rate makes updates and addressing tedious.

Normally the VideoCrypt system requires a new seed key every 3.5
seconds or so. To multiplex VideoCrypt-1 and VideoCrypt-2
datastreams would be possible. The problem would be that some
areas of the datastream would double in size and take as long to
transmit.

Other areas of the datastream would have to be expanded as well.
As some of the Sky Multichannels package are not yet cleared for
European rights they would have to transmit a secondary channel
identifier. This would ensure that a European Discovery smart card
would decode only Discovery and not the rest of the Sky
Multichannels package. This would mean that the channel identifier
bytes would be transmitted on an alternating basis hence the
delayed lock-up.

At this stage it is only possible to speculate on the circuitry
used on the VideoCrypt-2 decoder. Most of the VideoCrypt designs
on the market at the moment are based on the 1989 design. The
8052, 6805 and custom logic chip have made this particular decoder
design vulnerable. The 8052 was not even protected. Over the last
few years there has been a tendency to go for surface mount
componentry but the main chipset appears the same.

The most logical areas for updating would be the 8052 and the
6805. In the VideoCrypt-2 decoder the functions of these chips
would probably be taken care of by one chip. This would give a
higher security to the decoder as the compromised programs could
be rewritten and perhaps given a few new twists and turns.

The question at this point relates to FilmNet’s risk. Are they
walking into another ambush? VideoCrypt-1 is already totally
hacked. VideoCrypt-2 may not last very long unless there has been
some intense re-engineering of the software and the card-decoder
protocols.


Syndicated Hack Watch (September 1994) Phoenix Program Kills Sky’s Access Control

******************************************************************
*---------------- Syndicated Hack Watch - 09:1994 ---------------*
******************************************************************
*-------------- Special Projects BBS +353-51-50143 --------------*
*--------------------- SysOp: John McCormac ---------------------*
******************************************************************
*------------- (c) 1994 MC2 (Publications Division) -------------*
*---------------- 22 Viewmount, Waterford Ireland ---------------*
******************************************************************
******************************************************************

Syndicated Hack Watch is copyrighted material. All unauthorised
reproduction whether in whole or in part, in any language will be
suitably dealt with.

******************************************************************
Contact Numbers:

Voice: +353-51-73640
Fax: +353-51-73640
BBS: +353-51-50143 V32bis & V.Fast Special Projects BBS
E-mail: mc2@cix.compulink.co.uk
FidoNet: 2:263/402 HackWatch
******************************************************************

Phoenix Program Kills Sky’s Access Control

It looks like the VideoCrypt system has suffered yet another hack.
This one is far more dangerous than previous hacks because it can
attack the access control system in a manner that is virtually
invisible and perhaps undetectable by Sky.

Unlike the American Viet-Nam war project of the same name, Phoenix
is concerned with the giving of life rather than taking it. To be
more precise it is concerned with the resurrection of dead Sky 09
smart cards. The cards so resurrected are known as Lazarus cards.

The reactivation of Quickstart and dead Sky cards has long been
the subject of experimentation. It was not as relevant during the
lifetime of the 07 Ho Lee Fook hack. Then it was possible to
obtain a very cheap pirate card anywhere in Europe. With the 09,
things are different.

With the killing of the released 09 code on 28/06/94, Sky and News
Datacom may well have thought that the hackers had been defeated
for good. Of course this was a view that only had currency among
those who watched Sky One for a bit too long.

The 09 code release gave away too much information. In fact it
produced enough information to completely cripple the 09 Sky card
issue. If this indeed was a plausible deniability operation by Sky
and News Datacom then it is more than certain that News Datacom
Research in Israel were not consulted on the code release. Indeed
a release of this much code was fatally stupid.

The VideoCrypt system was never designed to handle a code release
of this magnitude. In fact I do not think that it was ever
designed to handle a code release. The one thing that was always
made clear in the VideoCrypt brochures was that the cards would be
replaced in the event of a hack.

The release of a replacement for the 09 has not happened yet.
There are no visible indications that there will be an 0A issue
this year. Unless Sky and News Datacom can switch in some
alternate and more secure card addressing encryption the 09 card
issue is effectively dead. At best it would now appear that Sky
and News Datacom are back in the old ECM – ECCM cycle.

The workhorse of the VideoCrypt access control system is the 32
byte packet. This packet carries all of the card addressing
information in addition to being the seed data for the decryption
key generation hash function.

The last five bytes of this packet are the checksums. The last
byte ensures that the sum of all the bytes is an even multiple of
256. The other four bytes are the packet checksum. If these bytes
are incorrect then the card will reject the packet as being
tampered with and it will not act upon the instructions carried in
the packet. This ensures that thirty one of the bytes in the
packet cannot be altered. The card would test to see if the last
byte brings the sum to a multiple of 256 by adding the bytes and
checking the end result. In a byte-wide register the correct
result would be zero.

Without a valid keytable and algorithm it is not possible to
generate a correctly checksummed 32 byte packet.

Regardless of whether the algorithm and keytable produce the
correct decryption key, one valid keytable (not necessarily the
one in use) and the algorithm are all that is needed.

VideoCrypt Access Control

The VideoCrypt system is based on the 32 byte 74h packet. This
packet is used to carry the addressing information for the smart
cards. It is also used by the hash function to generate the 8 byte
decryption key for the decoder. This key is returned in the 78h
packet.

The system is based on the Exclusion Principle. Each card stays
working until it gets a kill signal. The cards sent to authorised
subscribers are pre-authorised and will work immediately. Any
additional channels that the customer wants can be activated on
the card by Sky in the same manner. The Quickstart cards have to
be activated over the air by Sky.

The problem with the VideoCrypt system is that the cards already
have the code tables for each channel. It is just the tiering
mechanism that stops the subscriber from getting the channels that
he is not entitled to.

Phoenix takes advantage of this and one other important factor.
The release of the 09 codes in June is perhaps the one aspect that
allowed Phoenix to occur. Without those codes, it is probable that
the best attack would have been a modified form of the KENtucky
Fried Chip. This would of course rely on the prospective user
getting a fully validated and active Quickstart card.

The main difference here is that the Phoenix does not require the
Quickstart to be active or validated. It just requires any 09
issue smart card.

Ramifications

The most obvious ramification of the Phoenix hack is that Sky has
once more lost control over its access control system. They cannot
ensure that the average multichannel (minimum tier) subscriber is
not also watching the premium channels free of charge.

In financial terms, the person using a Phoenix activated card and
a blocker only has to pay for the minimum tier – roughly seven
pounds per month as opposed to the twenty pounds for the full
subscription.

Of course the person could also be using a 09 Quickstart and
therefore would not have to pay anything to Sky.

Whereas Sky’s problems with the 07 Ho Lee Fook hack were highly
visible, this new hack is far more dangerous. It is not strictly
quantifiable. This should give the statisticians a few headaches.
Of course on the other hand it will allow the hack to be played
down in the mainstream satellite press.

Many of the figures spouted in the satellite press over the last
few months may well be totally inaccurate. According to one report
in the Observer, a UK Sunday newspaper, Sky were multiplying the
dish sales figures by three based on the average family in the UK
having three members. It is impossible that all of the systems
sold were new Sky subscribers. Perhaps the purchasers of many of
these systems were merely upgrading to new systems and as such
were not first time buyers.

The only measure of the hack is the number of missing Quickstart
and Official 09 Sky cards. The main sources of information on
these numbers would be Sky and News Datacom.

Of course they are not likely to divulge such information, even if
they knew. Indeed some of the statistics on dish sales being
produced by Sky have been questioned in UK national newspapers.

The legal aspect is also murkier than before. Whereas the 07 Ho
Lee Fook cards were definitely illegal to manufacture in the UK,
the legality of the Phoenix is more questionable.

The Phoenix is a program that can be used for theft of copyright.
The origin of the information that allows it to activate cards is
suspect. If the 09 codes were indeed sold by Sky and News Datacom
in an attempt to sting the pirates, then it could be argued that
the Phoenix was a development of the codes that were purchased by
the pirates and therefore the program is not Sky’s property. It
was not developed by Sky.

Undoubtedly the Phoenix could not work without the 09 algorithm.
The keytable used is the one that was operational up to June 28th.
The backdoor in the 09 VideoCrypt card is that it recognises any
packet generated with a valid 09 keytable. It is not necessary
that the keytable used is the one in use at the present time.
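
The packet checks described earlier and the keytable weakness just
described, as an added example that is not part of the original
newsletter or of any VideoCrypt code. The layout (27 data bytes,
four checksum bytes, one balancing byte) follows the text; the keyed
checksum is a stand-in (truncated HMAC-SHA256), and the keytables,
function names and payload are constructed for illustration.

```python
import hashlib
import hmac

PACKET_LEN = 32    # packet size given in the text
MAC_LEN = 4        # the four-byte packet checksum
PAYLOAD_LEN = PACKET_LEN - MAC_LEN - 1   # 27 data bytes before the checksums

# Constructed key material. "retired" stands for a keytable that was
# valid once but has since been superseded; "current" is the one in force.
KEYTABLES = {
    "retired": bytes(range(0x00, 0x20)),
    "current": bytes(range(0x80, 0xA0)),
}
CURRENT_EPOCH = "current"


def keyed_checksum(keytable: bytes, payload: bytes) -> bytes:
    """Stand-in for the card's keyed checksum: HMAC-SHA256 cut to 4 bytes.
    This is an assumption for the example, not the real algorithm."""
    return hmac.new(keytable, payload, hashlib.sha256).digest()[:MAC_LEN]


def build_packet(keytable: bytes, payload: bytes) -> bytes:
    """Head-end side: append the keyed checksum, then the balancing byte
    that brings the sum of all 32 bytes to a multiple of 256."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload must be %d bytes" % PAYLOAD_LEN)
    body = payload + keyed_checksum(keytable, payload)
    balance = (-sum(body)) & 0xFF
    return body + bytes([balance])


def sum_ok(packet: bytes) -> bool:
    """The byte-wide register test: all bytes added together must be zero
    modulo 256. Anyone can recompute this, so it only catches line noise."""
    return len(packet) == PACKET_LEN and (sum(packet) & 0xFF) == 0


def _split(packet: bytes):
    return packet[:PAYLOAD_LEN], packet[PAYLOAD_LEN:PAYLOAD_LEN + MAC_LEN]


def verify_any_keytable(packet: bytes) -> bool:
    """Weak check, as the text describes the card: the packet is accepted
    if its checksum matches under ANY keytable the card has ever held."""
    if not sum_ok(packet):
        return False
    payload, tag = _split(packet)
    return any(
        hmac.compare_digest(keyed_checksum(k, payload), tag)
        for k in KEYTABLES.values()
    )


def verify_current_only(packet: bytes) -> bool:
    """Hardened check: only the keytable currently in force is honoured,
    so a superseded keytable cannot authenticate new instructions."""
    if not sum_ok(packet):
        return False
    payload, tag = _split(packet)
    expected = keyed_checksum(KEYTABLES[CURRENT_EPOCH], payload)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    payload = bytes(PAYLOAD_LEN)              # constructed all-zero payload
    for epoch, table in KEYTABLES.items():
        pkt = build_packet(table, payload)
        print(epoch,
              "sum_ok=%s" % sum_ok(pkt),
              "any_keytable=%s" % verify_any_keytable(pkt),
              "current_only=%s" % verify_current_only(pkt))
```

The balancing byte alone protects nothing, since it can be recomputed
after any change; only the keyed checksum binds the packet to a
keytable, and only the second verifier binds it to the right one.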

The problem now is that the Phoenix program is spreading like
wildfire. Indeed there are already reports that the hack has been
stolen by more than one pirate company. Naturally retribution will
follow in true hacker fashion.

The hack will probably circulate for a few thousand pounds
initially but the key section is the blocker. Without the blocker,
the Lazarus cards will be killed in a few hours. There are a few
possibilities for blockers though many initial attempts will draw
heavily on the KENtucky Fried Chip design of 1992. The more
elegant devices will use PIC16C84s though in their case, the
device will be an external solution rather than the internal 8752
KFC solution.

Black Book 4 Now Available

The Black Book is now back from the printers and orders are being
shipped. The Black Book is also known as European Scrambling
Systems. It is the bible of the Blackbox Industry.

The new version concentrates on the smart card hacks and how they
operate. Details of smart cards and computer monitoring circuitry
are provided. The majority of the systems in Europe are now
hacked. Perhaps more importantly it shows how the present hacks
will develop in the near future.

The chapter on cryptology has been expanded to cover message
digests, hash functions and one way functions. The Fiat Shamir
Zero Knowledge Test, allegedly used in VideoCrypt is fully
explained. A datasnatch of the Fiat Shamir Test in VideoCrypt
being spoofed is also included – the decoder did not lock out the
‘card’ with the implication being that the Fiat Shamir Test in
VideoCrypt does not work properly. It also shows how the Ho Lee
Fook hack on the VideoCrypt crypto system operates, complete with
worked examples in pseudo code and C. A description of the 09 Sky
code is given complete with structure.

The official price of the book is 32.00 plus postage but to those
electronically aware people reading this via a bbs, fidonet or
usenet, I have decided that the price of the book will be 25.00
pounds including postage.

This special offer price includes postage in the EC. Payment can
be made by UK or Irish cheque or draft. Alternatively payment by
credit card is possible. Visa and Mastercard / Access acceptable.

Either fax the order to the phone number below or use the
mc2@cix.compulink.co.uk e-mail address. Alternatively telephone
(voice) after 1400 Hrs to order.

-------------------------------------------------------------------------
| John McCormac                          | Hack Watch News              |
| Editor - Hack Watch News               | MC2 (Publications Division)  |
| Voice & Fax: +353-51-73640             | 22 Viewmount, Waterford      |
| BBS: +353-51-50143                     | Ireland                      |
| e-mail: mc2@cix.compulink.co.uk        |------------------------------|
| john.mccormac@f402.n263.z2.fidonet.org | Black Book 4 Available Now   |
-------------------------------------------------------------------------


Syndicated Hack Watch (September 1993) “Red Hot TV Makes a Comeback”

******************************************************************
*---------------- Syndicated Hack Watch - 09:1993 ---------------*
******************************************************************
*-------------- Special Projects BBS +353-51-50143 --------------*
*--------------------- SysOp: John McCormac ---------------------*
******************************************************************
*------------- (c) 1993 MC2 (Publications Division) -------------*
*---------------- 22 Viewmount, Waterford Ireland ---------------*
******************************************************************
******************************************************************

******************************************************************
Contact Numbers:

Voice: +353-51-73640
Fax: +353-51-73640
BBS: +353-51-50143 HST – Special Projects BBS
E-mail: mc2@cix.compulink.co.uk
FidoNet: 2:263/402
******************************************************************

Red Hot TV Makes A Comeback

With apologies to Mark Twain, it would seem that the rumours of
Red Hot Television’s death were greatly exaggerated. The channel
has made a comeback. The transponder and the satellite have
changed. It now transmits via the HTV transponder on Eutelsat 2-F3
at 16 Degrees East. The transmission times are roughly the same
but the programming has improved – if that is the correct word.

Prior to the channel returning there were promotional tapes
running on the transponder that Red Hot Television was to use. The
adverts featured a lady doing suggestive manoeuvres with a banana
and cream. The transmissions were in the clear.

Apparently the channel had to go on the air without their main
programming. The broadcast facilities were almost non-existent.
The link was done from what appeared to be a back garden. Contact
numbers were written on pieces of cardboard. All in all it was a
tribute to the determination of the channel to get back on the
air.

The programming manager explained that the tapes for the opening
night’s transmission were lost in transit. He referred to the
situation as a “cock up”, a colloquial English expression that
proved an unfortunate choice of words given the nature of the
channel. As a direct result of the lack of programming, he went on
to explain, they had to use some of the old programming tapes that
they transmitted previously.

These old programming tapes were encoded with the Enigma-1
scrambling system. Unfortunately they were not gen-locked. As a
result the VideoCrypt decoders could not decode the signals. They
were intermittently triggered and the contact number of Red Hot
Television’s Dutch office was displayed after the channel
identifier.

During the link on the opening transmission, the pattern of
scrambling systems was outlined. They would alternate the
scrambling systems between SAVE and Enigma-1. A number of red
smart cards were waved on the screen. When all of the subscribers
to the channel have their cards, the channel will switch over to
Enigma-1.

The pirate SAVE descramblers still work. It was possible to watch
the SAVE scrambled signals with the same descramblers that worked
before the channel went off the air. Of course there are probably
a few people who sent their descramblers into some of the more
questionable offers published in the satellite television press in
the last few months.

The programming on the channel has taken on a more coherent form
in that there are now more advertising tie-ins. Viewers’ home
videos are being screened regularly. A contact service for the
particularly broad minded is offered with photos, blurbs and box
numbers. Every so often the contact telephone numbers for the
national subscription agents scroll across the screen.

Red Hot Television is still banned in the UK. It is legal to
receive the channel in virtually every other country in Europe. In
Ireland, the subscription rate per annum is £165. The fact that
the channel is going to use a smart card based system that is
compatible with the VideoCrypt system makes the proscription order
into a bad joke.

A smart card is a very easy piece of equipment to move through the
post. The telephone numbers are shown on screen, often in the
clear. All the information that is required to subscribe to the
channel is there. Sending smart cards into the UK has not been
difficult. It is now a commonplace occurrence.

The problem now for Red Hot Television is to convince people to
subscribe to the service. The fact that some so-called journalists
claimed that the channel was dead has not helped matters. The
satellite viewing public has been burned by porn channels that
never started. The consumer satellite television press has adverts
from a number of channels who propose to broadcast. Some claim
that they will use VideoCrypt. Others offer a discount to Red Hot
Television subscribers. They are encouraged to send their SAVE
descrambler for an upgrade that will allow them to receive this
new channel. It would seem that this channel never expected Red
Hot Television to make it back on the air.

According to some sources there are pirate cards available for Red
Hot Television. This is rather an unfortunate state of affairs as
Red Hot Television has not even supplied all of its subscribers
with cards yet.

Active Logic – Treading On Thin Ice.

It would seem that old habits die hard. PR Technology’s methods are
once more being employed, though this is not surprising. The
advert in the September issue of the consumer satellite television
magazine, “What Satellite” enticed many to call and a few to
foolishly purchase.

One of the main products that Active Logic are selling is a
version of the Ho Lee Fook chip. This is the replacement for the
8052 in the official decoder. Its only use is to hack the Sky pay
channels. But according to the purple prose of the Active Logic
promotional material it is a Universal VideoCrypt Scrambling
Detector. It will tell the user whether the signal is soft-
encrypted, hard-encrypted or clear.

As a get-out clause they went on to say that they had been told by
some customers that the chip had enabled the descrambling of
scrambled channels after their subscriptions had expired. Active
Logic of course advised that the programme providers should be
paid. They also said that Active Logic accept no liabilities. It’s
kind of strange. Here they were selling a device with only one
function but claiming it was for a different purpose.

Perhaps the final indictment is that Active Logic claim that all
of the orders are processed through their German office. The
points are made that UK law cannot be enforced there and that the
customer is technically buying from abroad.

What is amazing is that Sky and News Datacom have not moved
against them. They would have a good case as the 8752 Ho Lee Fook
chip is illegal in the UK. Perhaps they have not moved because
they think that Active Logic will damage the Blackbox Industry in
the UK by sowing the seeds of distrust.

Sky And Pay Per View.

Sky’s plans for Pay Per View have been affected by the Ho Lee Fook
hack. They had intended to introduce PPV but the fact that the
source code from the card and the 8052 are known stopped them. The
danger of a pirate PPV card with infinite tokens was far more
worrying than the Ho Lee Fook hack because the price of the
programming would be higher.

The datastream for the PPV signal would be different to that of
the official subscriber card. The primary difference would be that
the programming would be allocated a token value. When the
“Authorise Button” on the front of the decoder was pressed, the
token value would be deducted from the token reservoir available
in the PPV card.

The original plan may have involved using a token reservoir on the
actual Sky subscriber card. This meant that viewers would be
allocated a specified number of tokens. When they had used them
all, they could ring up Sky’s subscriber management centre and
order more.

Most of the PPV routines are in the 8052. This 8052 has been
dumped and the source code has been in circulation for the last
few years. Therefore it would be a very serious mistake for Sky
and News Datacom to use this initial approach to PPV.



The Start of the Skybox Cable War

Syndicated Hack Watch 08:93

The Start Of The War

Sky had suffered its most devastating hack to date. Its security
was demolished and the MultiChannels package was about to be
introduced. They had to do something fast or it would all slip
away.

The Blackbox industry was beginning to move the pirate cards for
Sky in volume. There were talks of quantities of ten thousand
being sold. Cards were beginning to filter into the UK. At this
stage Sky had no option but to move. The pirates were attacking on
the home front. This was economic war and Sky was losing.

The Grey Market piracy of a card for a card was an essential
factor in Sky’s growth. As long as it wasn’t too overt then it did
not seem to matter. Sky were benefiting from the arrangement as
were the other channels such as FilmNet.

With the advent of the Ho Lee Fook hack the Grey Piracy market
took a bit of a knock. The Ho Lee Fook card and chip allowed access
to all VideoCrypt scrambled channels. The prices varied but the
lowest quoted figure was £99.00. Considerably less than what Sky
were charging for the whole package.

As if by some miracle, Sky and News Datacom came up with a fix for
the hack. Yes it was not really Sky’s responsibility to fix the
hack. News Datacom, the designers of the security architecture had
to try and stop the Ho Lee Fook hack. It seemed that they had found
a solution.

As with all events in the Blackbox industry, it has been assigned
a catchy name. The name of the solution is the “Zombie Fix”. No, this
is not the name for the continual brainwashing adverts on Sky
One. The reason for the name is that old cards have recently
started to work again on this 3.5 Second on – 3.5 Second off
cycle. Cards that have been authorised for Sky’s movie channels
are working on TV Asia. Other cards such as those for the Adult
Channel are working on the same basis on the Sky channels.

The Blue card that I had received started to act funny. At first
it happened on only Sky Movies and The Movie Channel. Sky Gold and
TV Asia were unaffected. It could have been a problem on the Sky
channels but experience and instinct proved otherwise. It was a
countermeasure. After a few days, the same sort of effect occurred
on TV Asia and Sky Gold. The upgrade to VideoCrypt was complete.

The program in the Ho Lee Fook card and chip apparently contained
enough to decode the scrambled channel but not enough to respond
to the over the air switch off codes. This limited implementation
meant that the hack was a very powerful one. It was not possible
for Sky and News Datacom to actually send out a command for the
card to switch off. What this implies is that the card had enough
information and data to decode the channels. The hack had
separated the access control from the decryption aspect.

Of course the fact that the Ho Lee Fook hack was not a full
implementation may well have provided a weak spot for Sky and
News Datacom.

This is the point at which the hack was attacked. The datastream
on the VideoCrypt system appears to have been altered. The
alteration did not affect the official Sky cards but the pirate
cards and chips started to malfunction.

Essentially the Zombie Fix caused the pirate card to return a
fixed key every second time. This is the standard response when a
bad card is inserted. The card cannot match the challenge and it
jumps to a sub-routine that returns a fixed key.

The standard response to the wrong card being inserted is hidden
from the viewer. Ordinarily when the wrong card is inserted the
on-screen graphics will make the fact clear. Sky and News Datacom
were a little clever here.

The data for “Wrong Card Inserted” may well be passed to the on
screen graphic display chip. A signal is being sent out over the
air to this chip to switch it off during this operation. One of
the effects of the countermeasure is that the channel identifier
message does not come up on the screen either.

ECM Meets Electronic Counter Counter Measure

At this stage the war between the pirates and Sky is growing
complex. The Zombie Fix has been met with a new card and chip
issue. The new card and chip work on the Sky channels and the
other VideoCrypt scrambled channels.

According to sources the hackers only took ten minutes to come up
with the solution to the Zombie Fix. It was, apparently, a rather
simple one but it did require the replacement and upgrading of all
the pirate cards and chips on the market. It appeared that Sky had
hit the pirates.

The problem for Sky and News Datacom is that they are not dealing
with a FilmNet type situation. When FilmNet’s analogue SatPac
system was being pirated, the market was at its most expanded.
Every Tom, Dick and Harry was involved and there was very little
organisation. The current pirate market is better organised and
the buy in price is high financially and technologically.

The main problem of getting the updated hack into the market now
seems to have been solved. Some dealers in Holland were promising
a one week turn around on the chips and cards. From information
received this time schedule has been followed.

The Blackbox Industry has recovered from the Zombie Fix at a rate
that has alarmed Sky and News Datacom. The recovery appears to be
just in time for the introduction of the Sky MultiChannel package.

The Next Move

With the imminent introduction of Sky MultiChannels, a compromised
VideoCrypt is a very big problem. It remains to be seen what will
happen. Sky and News Datacom will have to make a move on the
situation soon.

Assuming they have another fix up their sleeves they can wait
until the market is saturated with pirate cards and then
introduce the electronic counter measure (ECM). It would naturally
have the most effect as it would deter a larger number.

However pressure from other users of the VideoCrypt system may
force the situation. There are two options here: the immediate
introduction of the ECM or the introduction of a new card series.
Both options hinge on availability. If there is no ECM now or
likely within the next few months, Sky and News Datacom will be
forced into bringing the 08 series of cards. Again if there is not
a sufficient number of the 08 cards available they will have to
maintain the 07 issue and with it the pirate market.

Normally the smart cards are changed in the Spring or Autumn.
Introducing the 08 issue card over the next few months would
conform to the pattern but the logic is flawed. The Sky
Multichannels is coming into operation over the same time period.
The subscriptions and card administration will place a strain on
Sky’s operation and the hassle from new cards would only
complicate things.

If Sky do introduce a new card issue then it may occur anytime
from October onwards. Some sources favour April 1994 for the new
issue.

The question of Pay Per View still remains unanswered. The 07 card
issue was to have handled this facility. The P000 T000 was the
indication. With the Ho Lee Fook hack it would seem that the idea
was stalled for the moment. Hypothetically the Sky Gold
transponder might be the ideal path for a PPV service. Of course
if the hack is as dangerous as everyone thinks then it is possible
that the PPV routines will have been compromised as well.

A hack on the PPV routines would in some senses be more severe
than the hack on the VideoCrypt system. The PPV channel would be
carrying premium programming and would be far more costly than the
movie or sports channels. Therefore a pirate card that would give
infinite tokens or credits would be extremely valuable.

Hi-Tech’s Card Trick

The Hi-Tech Card Tricks card is a reality and it works. The card
is black and uses a PIC processor. When tested it worked on
FilmNet. It seems that once again FilmNet are in trouble. The
EuroCrypt-M system is now compromised.

The reason that the card handles only FilmNet is the legality of
the situation. If the card actually decoded the TV3/TV1000
channels then it would be just as illegal in the UK as a pirate
Sky card.

The problem has to do with the uplink or origination of
TV3/TV1000. Since it is being uplinked from the UK it is
technically a UK originated channel and is therefore protected by
the UK Copyrights Patents And Designs Act – just like Sky. The
tricky question of the porn is neatly sidestepped. They uplink
that from outside the UK.

The cost of the card is £150 and it is available from Hi-Tech. It
is the only card that descrambles D2-MAC EuroCrypt-M signals at
the moment.

Active Logic – Cannot Recommend A Purchase – Yet

A company called Active Logic has been advertising heavily in What
Satellite and claiming to supply pirate smart cards for D2-MAC
channels such as FilmNet. The advert is cause for concern as it
promises a lot but is too cleverly worded to make coherent sense.
It assures the reader that the cards are Unique Clone Designs.
This is a bit of a contradiction in terms. Other factors such as
the wording of the advertisement have brought back memories
of PR Technology’s brash style. Now they may be totally
unconnected.

The hints at the cards for other D2-MAC channels being available
are decidedly dodgy. If they have pirate cards for TV3/TV1000,
then they are in violation of the Copyright Patents And Designs
Act. The advert also mentions that there is a German address. If
they are clever then they may try to use the German address to
ship these cards from. Even so it would still put the UK operation
in trouble as they would be supplying information and a product in
breach of the act.

Red Hot Television To Make A Comeback

It appears that despite the rumours floating about, Red Hot
Television is not dead yet. What appears to have happened was that
the operation in Denmark was closed down but not the channel
itself. The channel was busy arranging alternative finance.

According to some reports they have arranged the new financing and
will be back on Eutelsat 2-F1 within the next few weeks. The test
bar transmissions on the same Eutelsat transponder (11.181 GHz
Horizontal) are scheduled to start on August 24th with a full
service resuming on August 29th.

The scrambling system that they will use for the next few weeks
will be the SAVE system. This means that the present array of SAVE
descramblers will not have to be upgraded just yet.

The tests of the Enigma-1 system just before the channel went off-
air were successful and it is believed that the smart card for the
channel was into the prototype stage.

The hack on the VideoCrypt system threw up an unexpected problem
in that the JSTV smart card actually descrambled the Enigma-1
scrambled signal. There were no doubt a lot of happy JSTV viewers
except that there was a “Wrong Card Inserted” graphic over a
rather strategic part of the screen. Both the new and old JSTV
cards appeared to work on the system. Of course the channel will
eventually, according to the information received, switch to
Enigma-1.

There are other porn channels who claim to be starting up soon.
TV69 apparently has the backing of some ex-Red Hot Television
people and VTO. It will, so the claim goes, use VideoCrypt with cards
supplied via the Adult Channel. This is only one of a few channels
that may or may not start transmitting over the next few months.
After 12 Europe is also one of those mooted. It remains to be seen
which will actually start transmitting.

******************************************************************
Syndicated Hack Watch – Copyright (c) 1993 All Rights Reserved

MC2 Publications Division
22 Viewmount, Waterford,
Ireland

Red Hot Television is Banned

Red Hot Television Is Banned

In a debacle that mirrors the “Spycatcher” case of a few years
ago, Red Hot Television’s attempt at stopping the UK Heritage
Secretary’s proscription order coming into effect has failed. It
is now illegal to purchase or sell subscriptions or decoders for
the channel in the UK.

Red Hot Television had hoped to get an injunction restraining the
Heritage Secretary, Peter Brooke, from proscribing the channel in
the UK. The case in favour of Red Hot Television was convincing
and perhaps as a result, the judges on the judicial review decided
to refer the matter to the European Court.

To those of us who live in democracies with actual written
constitutions, the UK has always been somewhat of a mystery. The
law is supposed to be, for the most part, common sense. Yet here
is a decision that effectively says that Red Hot Television is
guilty until proven innocent.

The problem is not that the channel is banned in the UK. It is
that the UK court decided to refer the matter to the European
Court. Apparently the points of law raised pertained to whether
the UK Heritage Secretary, Peter Brooke, could legally make an
order banning the channel under European law.

The argument against the UK government decision is more convincing
and it has been boosted in an illogical way. An EC commissioner
has said that it is ok for the UK government to do so. The
commissioner involved was Commissioner De Pinhero. The grounds
cited were that the transmissions might be damaging to minors.

Right, I know what you are thinking. The Red Hot Television
transmissions are scrambled and are on after midnight. Apparently
the kids that de Pinhero and Brooke know are up at this time and
have their own decoders.

Historically, the EC policy on satellite television has been
little short of a comedy of errors. The last great screw-up was
D2-MAC. The commissioner there was stupid enough to mention in an
interview that he was taking advice from Philips and Thomson on
the subject. Well D2-MAC is presently not seen in the same light
by the EC. The European Court may well take a similar view of the
UK Government proscription order.

The problem with the UK Government’s position is that it totally
ignores reality. Perhaps in former times when society was tightly
controlled a proscription order would have an effect. The avenues
of getting equipment and information into a country are wide.
Unless the UK Government gets the Customs and Excise to examine
every letter and parcel coming into the country then there is no
possible way the ban can be enforced. The Grey Market operations
of the last few years are a testament to that.

There is a flourishing Grey Market for subscriptions in the UK.
The standard trade is a Sky Movies subscription for a FilmNet
subscription. The Grey Market operator picks up a commission on
the deal. It is logical to expect that the subscriptions to Red
Hot Television will be handled the same way.

There are legal penalties for those in the UK who handle such
operations. Even UK controlled magazines are not allowed to
publish the schedules or subscription details for the proscribed
channel.

Luckily in Ireland, Red Hot Television is not banned. Though
incidentally a bishop, not the famous one, was reported in a
Dublin newspaper to be calling for the channel to be banned.
Ireland is a prime location for such Grey Market operations due to
the proximity. Of course it will be the Irish pirates who will run
them.

According to some interpretations, the Black Book – European
Scrambling Systems 3 may also be proscribable as it contains
circuits that can be used to descramble the channel.

SAVE But Soon Enigma

At present, the scrambling system used by Red Hot Television is
SAVE. The SAVE system is rather primitive and can easily be
defeated with about five pounds worth of parts. Indeed there are
many circuit designs and descramblers floating around. Old BBC and
Premier descramblers are being modified.

Red Hot Television have announced that they will change to their
more secure Enigma system. Initially it was hoped that the
transition would begin in late March and would be completed by
May.

There were a few problems in the encoder section that forced tests
to be suspended for a few weeks. It now looks like the changeover
will not occur for some time.

The system that Red Hot Television will upgrade to is a clone of
VideoCrypt. This fact has sent shockwaves through the industry.
Former lackeys of BSkyB and News Datacom in the press are said to
be re-evaluating their position. But then they couldn’t tell SAVE
from SATPAC without a press release. I never believed that the
system was as secure as they made out. The fact that it could be
cloned has proven the point.

The fact that Red Hot Television are to use a clone of VideoCrypt
has obviously jeopardised the position of VideoCrypt. The
proscription legislation refers specifically to decoders. The
existing VideoCrypt decoders can be used, with a Red Hot
Television card to descramble the channel. Does this not mean that
the sale of VideoCrypt decoders is banned?

Certainly if the Enigma system goes into operation before the case
reaches the European Court, the UK government will have to, by
the terms of their legislation, stop people from selling
VideoCrypt decoders. After all it is the VideoCrypt decoder that
will be used to decode the channel.

Will this mean that the manufacturers will be stopped? Amstrad and
Pace will not be pleased to hear that their IRD sales can be
stopped. BSkyB and the other users of the system would also suffer
as a result. VideoCrypt is the de-facto English language
scrambling system. Perhaps in their zeal to be seen to act, the UK
government has managed to act in the wrong way.

It would seem that the move to proscribe the channel was a knee
jerk reaction. The channel went largely unnoticed by terrestrial
television viewers. The fact that there was a court action against
the channel, drew in some four thousand subscriptions in the space
of a few days. If anything, the attention has increased the
audience. The fact that it is now banned will serve to mushroom
the viewer figures.

Syndicated Hack Watch (April 1994)

******************************************************************
*---------------- Syndicated Hack Watch - 04:1994 ---------------*
******************************************************************
*-------------- Special Projects BBS +353-51-50143 --------------*
*--------------------- SysOp: John McCormac ---------------------*
******************************************************************
*------------- (c) 1993 MC2 (Publications Division) -------------*
*---------------- 22 Viewmount, Waterford Ireland ---------------*
******************************************************************
******************************************************************

Syndicated Hack Watch is copyrighted material. All unauthorised
reproduction whether in whole or in part, in any language will be
suitably dealt with.

******************************************************************
Contact Numbers:

Voice: +353-51-73640
Fax: +353-51-73640
BBS: +353-51-50143 HST – Special Projects BBS
E-mail: mc2@cix.compulink.com.uk
FidoNet: 2:263/402
******************************************************************

The OMIGOD Hack

It was a long time coming and News Datacom and Sky seemed to
ignore every sign. Perhaps they were too concerned with the Ho Lee
Fook hack. This latest hack, coming as it does in the twilight of
the issue 07 is perhaps the death knell for Sky’s 07 smart card.

The OMIGOD hack is simply a computer program that allows you to
use your IBM Compatible computer as a glorified smart card. You
connect a small interface circuit between the serial port on the
computer and the VideoCrypt decoder’s card slot. Then you run the
program. It decodes all of the BSkyB encrypted channels.

The present version of the hack works on IBM compatible computers
and an Apple MAC version will be available within the next week or
so. Amiga and Atari versions may also be created.

The program was created in Germany so that those outside of the UK
and Ireland could watch Star Trek. The title of the program is
Season 7 after the current season of Star Trek – The Next
Generation. Sky have repeatedly refused to give subscriptions to
those outside of the UK and Ireland so therefore something had to
be done.

As it turns out many hackers are also fans of Star Trek and Deep
Space 9. It was only logical that the hack was pursued. Some
actually tied up mainframe computers doing real-time descrambling
of the VideoCrypt signal. It was not a viable solution as most
hackers did not have access to mainframe computers. However many
of them had access to IBM compatible personal computers.

The PC VC Emulator program is perhaps the most dangerous thing
ever to have happened to Sky and News Datacom. The fact that this
program even exists contradicts the publicity claims made about
VideoCrypt. It appears that News Datacom completely misunderstood
what a hack on VideoCrypt would consist of. As a direct result of
this the Ho Lee Fook and the OMIGOD hack can operate freely.

The program is intended to be used and distributed outside of the
UK. It may well be illegal in the UK under the Copyright Patents
and Designs Act 1988. Of course the problem with the law is that
technology leaves it standing in quicksand.

Since the program is a DOS executable, it can be stored in Zipped
form on any bulletin board system. Theoretically anyone with a
modem and a computer could download this program from a bulletin
board outside of the UK. Nothing short of cutting all of the UK’s
international telephone lines will stop its importation to the UK.
Of course it may already be there.

The interface for the computer to decoder link is actually a
simple two chip design. A MAX232 integrated circuit converts the
RS232 signals to TTL and also the TTL signals to RS232. A 74LS07
hex open collector buffer is used to allow the connection of the
received data line and transmitted data line on the computer’s
RS232 interface to the DATA line on the smart card interface.

The most troublesome aspect of the hack is the dummy smart card.
While a directly wired connection to the VideoCrypt decoder is
possible, it is a messy and potentially dangerous option. The
dummy smart card option is the more elegant of the two.

As with most experimentation with smart cards, the printed circuit
board material is too thick. With typical thicknesses of 1.6
millimetres, ordinary PCB material is too thick for the decoder’s
smart card socket. The easiest solution is to sand down the PCB
material to the 0.78 millimetre thickness required.

A text file is included with the release version of the OMIGOD
hack. All of the necessary details required to build the interface
are contained therein. No doubt there will be some versions of the
interface on sale in the very near future.

The cost of this interface is in the region of five pounds. The
potential hacker has the essential piece of equipment – the
computer. So for a fiver it is possible to watch all of the Sky
channels. Of course the alternative view is that you are using a
thousand pound computer as a glorified smart card. That is a
rationalisation worthy of Sky’s publicity department.

Naturally when the new issue 09 smart card is put into operation,
this hack and all of the other hacks on the 07 smart card will be
affected. The problem is that nobody is completely sure when the
switchover to the 09 smart card will occur.

Three Cards On VideoCrypt?

According to sources, there are currently three versions of the Sky
card in operation. Issues 07, 08 and 09 are in use on the
VideoCrypt system. This is an unprecedented event and points to a
major loading of the VideoCrypt over the air addressing system.

The current batch of cards is issue 07. This batch of cards was to
have been replaced by an issue 09 card. Issue 08 was apparently
abandoned as it was based on similar technology and algorithms to
the hacked 07 card.

Over the last few months, we received some vague reports of issue
08 cards turning up in commercial premises such as pubs and cable
companies. These reports now seem to have been accurate. Though in
Ireland, more pubs have been opting for the pirate cards as they
are cheaper than an official subscription.

The launch of the 09 smart card has naturally disturbed the
Blackbox market for pirate smart cards. Prices have nose-dived
over the last few months as the news of the 09 smart card
gradually filtered into the market.

The 09 launch has not been smooth. Many customers have still not
received their issue 09 smart card and are still running on 07
cards. Some magazines have had reporters selected to receive free
cards. Even that august bastion of JAFAdom, Satellite Trader, has
received one. Not unexpectedly, Hack Watch News received nothing.

This kind of operation is smart. It targets what the marketing
people consider to be opinion formers. It is effectively a perk of
the job or what hackers would refer to as a bribe. The idea is
that the people who get the complimentary subscriptions write
glowing praise and nice things about Sky.

The rumours about the slow and sporadic delivery of the 09 smart
cards have been rife. One such rumour claimed that there was a
problem in the pay per view routines of the 09 card. This problem
was only discovered after about one hundred thousand cards had
been shipped. Though apparently this problem has been solved with
the latest cards.

The present situation means that the current datastream has to
work with three versions of the Sky smart card. It would have the
knock-on effect of making any electronic countermeasure (ECM) a
very risky affair. Therefore from Sky’s point of view, the sooner
the 09 goes into full operation the better.

One factor that linked some of the people who were first to
receive issue 09 smart cards was that at one time they had
requested a second smart card from Sky. However the distribution
of the official cards in the UK seems to be gathering pace.

Strangely, the only people to have received the 09 smart cards in
Ireland are ASA dealers. Some of them are actually selling pirate
cards as well.

Key TV – Better Than The Real Thing

It was more impressive than any of the digital video
demonstrations at the Cable And Satellite Show. Key TV, the
VideoCrypt compatible scrambling system from Chris Carey, was
being displayed to a deeply interested industry.

Many of the channels currently on the hacked Sky card no doubt
showed an interest in the system. After all the Key TV option was
a lot more secure than VideoCrypt.

Whereas VideoCrypt uses a known architecture smart card, Key TV
uses an ASIC. A smart card is easier to reverse engineer because
it is a largely known architecture. With the ASIC architecture, a
potential hacker has to figure out the function of every gate in
the chip. This is a far more difficult task and would take an
estimated nine months to carry out. The only company ever to have
undertaken such an operation is the company responsible for Key
TV.

Perhaps in the next few months, there will be a number of channels
using this system instead of going to Sky and News Datacom. Many
in the industry have expressed reservations about the monopoly
that News Datacom holds over the English language satellite
television market. Somehow there is the feeling that channels
would feel a lot safer using a system developed by experts who
know where the weaknesses that allow a system to be hacked lie.

Black Book 4 To Be Published In April

In late April, the fourth Black Book will be published. The Black
Book is also known as European Scrambling Systems. It is the bible
of the Blackbox Industry.

The new version concentrates on the smart card hacks and how they
operate. Details of smart cards and computer monitoring circuitry
are provided. The majority of the systems in Europe are now
hacked. Perhaps more importantly it shows how the present hacks
will develop in the near future.

The chapter on cryptology has been expanded to cover message
digests, hash functions and one way functions. The Fiat Shamir
Zero Knowledge Test, allegedly used in VideoCrypt is fully
explained. Details of how crypto systems are hacked are also dealt
with in detail. In the Irish High Court, Sky and News Datacom
claimed that they had developed a one way function.

This chapter examines that claim and shows how a one way function
works. It also shows how the Ho Lee Fook hack on the VideoCrypt
crypto system operates, complete with worked examples in pseudo
code and C.

The official price of the book is 32.00 plus postage but to those
electronically aware people reading this via a bbs, fidonet or
usenet, I have decided that the price of the book will be 25.00
pounds including postage.

This special offer price includes postage in the EC. Payment can
be made by UK or Irish cheque or draft. Alternatively payment by
credit card is possible. Visa and Mastercard / Access acceptable.

Either fax the order to the phone number below or use the
mc2@cix.compulink.co.uk e-mail address. Alternatively telephone
(voice) after 1400 Hrs to order.

-------------------------------------------------------------------------
| John McCormac                          | Hack Watch News              |
| Editor - Hack Watch News               | MC2 (Publications Division)  |
| Voice & Fax: +353-51-73640             | 22 Viewmount, Waterford      |
| BBS: +353-51-50143                     | Ireland                      |
| e-mail: mc2@cix.compulink.co.uk        |------------------------------|
| john.mccormac@f402.n263.z2.fidonet.org | Black Book 4 Available April |
-------------------------------------------------------------------------