VideoCrypt hacking info


                        ***  The Videocrypt System ***

     An Overview

     Researched and written by Darren Ingram, author of Satnews

     - Satnews.. the latest and non-Commercial satellite news -


     Version 1.31 - 06.05.91


     Introduction

     Videocrypt is a pay-tv scrambling system jointly developed by Thomson
     Consumer Electronics and News Datacom.  Over one million users
     receive Videocrypt encrypted signals and this system has, to date,
     remained secure from illicit decoder manufacturers, protecting the
     revenue of Videocrypted television channels.

     Requirements

     Videocrypt  is a multi-standard encryption system which is  suitable
     for  PAL, NTSC and SECAM transmissions.  Language is no barrier  for
     Videocrypt  with  its capacity for multi-lingual  transmissions  and
     broadcasts utilising a comprehensive on-screen instruction menu.

     Features and applications

     A smart card is the central key to the Videocrypt system, and the
     card can be used for a variety of diverse applications.  The card
     is pre-coded to determine a user's requirements and it can
     subsequently be addressed utilising the decoder's logic to amend the
     user's services at the broadcaster's will.

     There are a number of broadcasting modes which the smart card can be
     used within including:

     Clear Mode
     Signals sent in the clear are recognised by the decoder and
     passed to the display without further processing.

     Free Access
     Pictures transmitted with an encryption key are delivered
     directly to the display through the decoder.

     Controlled Access
     Access to encrypted pictures is determined by the level
     of access authorised to the user's smart card.  No signals
     will be transmitted in an unencrypted state without prior
     authorisation.

     Programmes can be tailored to usage with the Videocrypt system and
     the system offers a flexible way for pay-tv operators.  There are a
     number of operating modes offered as standard including:

     * Single or multiple subscriptions with many tier levels in one
     channel

     * Pay Per View (PPV) and impulse purchasing

     * Thematic selection (enable all arts programming)

     * Geographic limitation (restrict to a country/area)

     * Single-event (throwaway cards)

     * Parental Control (reception with card only)

     * Pre-determined time period

     Videocrypt  enables  smart cards to be pre-programmed  to  suit  the
     specific programming requirements.

     Smart card - providing the revenue security

     Security  can be addressed on a multitude of levels when  using  the
     smart card.  These include:

     Chaining

     An existing customer would receive a new card which contains part of
     the new code, the remainder of the code would be transmitted when
     the card is inserted into the decoder and the subscriber complies
     with the instructions contained within the on-screen graphics.

     Over-the-air addressing

     Systems operators can now address individual subscribers, which is a
     vast  improvement over other scrambling systems.  The  operator  can
     provide  additional  services,  reduce  service  entitlements,  send
     individual messages, blacklist and/or whitelist viewers.

     Cloning

     A  number of steps have been taken to stop smart cards being  copied
     or cloned.   A physical deterrent is the first line of defence,  and
     the  integrated  circuit contained within the card  makes  "probing"
     very difficult as the IC is likely to become damaged in the process.

     Cost  is a second factor which is likely to deter  manufacturers  of
     illegal  decoders.    A  considerable amount of  time,  trouble  and
     expensive resources would be required to clone the card.

     The manufacturers of Videocrypt recommend that the cards are
     replaced every six months, and each time this is done a "secret
     encrypting algorithm" will be changed.  Any pirate decoders
     manufactured during this time would be relatively useless.

     And  should  a  pirate decoder be manufactured, it  will  contain  a
     unique  security  code, which could be blacklisted  by  the  systems
     operator  once  the code has been discovered - leading to  calls  of
     complaint by angry customers.

     Video taping

     Videocrypt offers a simple method of tracking down pirates who
     video high-value programming and then distribute it.

     The customer's unique number can be displayed on the unencoded screen
     for  reference  and future litigation.   Although  an  on-the-screen
     code  can  be generated for signals piracy in a  public  place,  the
     codes  can be hidden in the picture - and retrieved by a  technician
     at a later stage.

     Videocrypt-your flexible friend?

     Videocrypt  can  be used in a number of applications other  than  tv
     signals protection.  They include:

     Messaging, messages can be transmitted to individual subscribers or
     to a group, so target messaging is now a potential.  Messages like:
     "Satellite owners in LONDON call 081 XXX XXXX now for a great
     bargain".

     Selling, sales over the air can be utilised with the unique identity
     number which verifies an owner and their registered address.  Data
     can be matrixed with a user personality during ad-breaks to
     tailor-make the advertisement.

     A unique transaction alphanumeric can be displayed on the TV screen,
     and  the  subscriber  will telephone a given number  and  quote  the
     alphanumeric - and the deal can then be completed in total security.

     Scrambling

     The  majority  of  scrambling systems currently on  the  market  are
     dependent on analogue processing circuitry, and it is a hard task to
     get a secure system without picture deterioration.

     Videocrypt can encode and decode a picture without degradation.

     The crux of the scrambling system revolves around a patented
     development of Active Line Rotation (Cut and Rotate principle).

     Every line of the signal is cut at a number of points along its
     length, and this is chosen at random by a 60 bit pseudo random
     binary sequence generator (PRBS).  As each cut point differs from
     the next the signal has no viewing value to an unauthorised
     recipient, but authorised recipients' decoders recode the picture so
     that the true state of the unscrambled line is always first out for
     display.

     The  PRBS is re-seeded at times too, to enhance the security of  the
     system even more.

     Before this ALR process can take place, the decoder needs to be
     aware of the cut point on each of the transmitted lines; this is
     provided within the encryption process.  Each decoder utilises a
     PRBS which reflects the characteristics of the system so that the
     two halves can be synchronised and a viewable picture displayed.
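
     The cut-and-rotate scheme described above, as an added Python
     example (not part of the original article and not Videocrypt's own
     code).  The feedback taps of the 60-bit register, the 8 bits drawn
     per line, the re-seeding interval and the sample frame and seeds
     are all assumptions constructed for the illustration.

```python
"""Toy model of Active Line Rotation: both ends derive cut points from a shared PRBS seed."""

MASK60 = (1 << 60) - 1


class Prbs60:
    """60-bit shift-register PRBS. The feedback taps (bits 60 and 59) are an
    illustrative assumption, not Videocrypt's actual generator."""

    def __init__(self, seed):
        self.state = seed & MASK60
        if self.state == 0:  # an all-zero register would stay zero forever
            raise ValueError("seed must be non-zero")

    def next_bits(self, n):
        """Clock the register n times and return the n output bits, first bit as MSB."""
        out = 0
        for _ in range(n):
            bit = ((self.state >> 59) ^ (self.state >> 58)) & 1
            self.state = ((self.state << 1) | bit) & MASK60
            out = (out << 1) | bit
        return out


def cut_points(seeds, n_lines, width, lines_per_seed):
    """One cut point per line; the generator is re-seeded every lines_per_seed lines."""
    points, prbs = [], None
    for i in range(n_lines):
        if i % lines_per_seed == 0:
            prbs = Prbs60(seeds[i // lines_per_seed])
        points.append(prbs.next_bits(8) % width)  # 8 bits per line: assumption
    return points


def scramble(frame, seeds, lines_per_seed=4):
    """Encoder: cut each line at its cut point and send the second part first."""
    cuts = cut_points(seeds, len(frame), len(frame[0]), lines_per_seed)
    return [line[c:] + line[:c] for line, c in zip(frame, cuts)]


def descramble(frame, seeds, lines_per_seed=4):
    """Decoder: regenerate the same cut points and rotate each line back."""
    width = len(frame[0])
    cuts = cut_points(seeds, len(frame), width, lines_per_seed)
    return [line[width - c:] + line[:width - c] for line, c in zip(frame, cuts)]


# Constructed test picture: 8 lines of 16 distinct sample values each.
FRAME = [list(range(16 * y, 16 * y + 16)) for y in range(8)]
# Constructed seeds: two re-seeding periods of 4 lines each.
SEEDS = [0x9A3C5E7F1B2D468, 0x5D2E8B7A4C1F903]
WRONG_SEEDS = [0x123456789ABCDEF, 0x5D2E8B7A4C1F903]

if __name__ == "__main__":
    sent = scramble(FRAME, SEEDS)
    print("cut points     :", cut_points(SEEDS, len(FRAME), 16, 4))
    print("line 0 on air  :", sent[0])
    print("right seeds ok :", descramble(sent, SEEDS) == FRAME)
    print("wrong seeds ok :", descramble(sent, WRONG_SEEDS) == FRAME)
```

     A decoder that does not hold the current seed regenerates different
     cut points, so its output lines stay rotated relative to the
     original picture.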

     Data is transmitted in a series of over-the-air packets, which looks
     like:

     SYSTEM-----SMART or BLACKLIST

     The SYSTEM part comprises system data, including Fiat-Shamir
     identification information, on-screen display messages,
     fingerprinting and blacklisting data.

     The smart card packet comprises:

     HEADER-----ENCRYPTED DATA-----CHECKSUM

     The Videocrypt encryption system is based around a tightly-guarded
     secret which has defeated system hackers throughout the world.  A
     final control algorithm is central to the system's security and this
     can be changed at will if the system has been hacked.

     Complex calculations are performed within the system in order not to
     compromise its security.

     But hackers who have attempted to hack the decoder will be
     disappointed - as there are no secrets held within the system.

     Smart Cards
     The smart card offers great flexibility to the programme  controller
     and the viewer alike, and is the key to the Videocrypt system.

     The integrated circuits incorporated within the smart card have a
     lot of power and contain EPROM elements which are partially burned
     during their manufacture.  The ICs are buried within the design to
     make the system harder to penetrate.

     Smart card block diagram


                   -------     -------     -------
     VCC ->        - RAM -     - ROM -     -EPROM-
                   -------     -------     -------
                      ^           ^           ^
                             TO AND FROM
                   -------------------------------
     GND ->        -        INTERNAL BUS         -
                   -------------------------------
                             TO AND FROM
                   -------     -------     -------
                   -8 BIT-     -ANTI -     -S/WRE-
     RST ->        -CPU  -     -FRAUD-     -CNTRL-
                   -     -     -DVCES-     -I/FCE-
                   -------     -------     -------


                     CLK         VPP         I/O

     Over the air addressing

     Algorithmic  information is transmitted to the viewer over the  air,
     encrypted within the Videocrypt system.

     This data is transmitted within the Vertical Blanking Interval (VBI)
     and  four  lines are employed for active data and  two  others,  one
     white and one black (for test purposes).

     An application of Non Return To Zero (NRZ) with a constant energy
     spectrum maximises the system's characteristics.

     Four picture-sustaining techniques are used to ensure a high quality
     picture.  Bit interleaving, hamming codes, quadruple repetition  and
     check sums are used within the process.

     The  system  can  cope with fringe reception areas  and  will  still
     function correctly with high levels of noise.

     Picture quality

     Picture quality is paramount for any scrambling system and due to
     the standard being of a digital origin, integrity of the signal is
     maintained throughout the encryption and de-encryption process.
     Amplitude sampling is conducted by the decoder and a 14MHz internal
     clock ensures jitter-free pictures and stable framing.  A
     digitally derived Automatic Gain Control (AGC) is also included
     within the receiver.

     Scrambling Sound

     Videocrypt  also has the capability of encrypting sound  sources  to
     enhance  the  security  of premium events.  To date  this  level  of
     security has not been utilised by broadcasters.

     The system of spectrum inversion renders the sounds received without
     authorisation worthless.  Videocrypt transposes the frequencies
     transmitted and this in turn removes distortion of the sound.

     Technical Data
     (supplied by Thomson Consumer Electronics, 1991 - subject to change)

     VIDEOCRYPT BASEBAND DECODER
     * Stand alone video decoder
     * On screen display
     * De emphasis switch
     * Authorise button
     * Integrated smart card reader
     * Power indicator

     PAL MODEL
     Video input level             1V +/- 3dB flat and clamped
     Baseband input level          250 mV +/- 3dB, unclamped level
                                   measured at pre-emphasised transition
                                   frequency
     Suitable de-emphasis          CCIR 405-1
     Video output level            1V p.p. into 75 ohms
     Video bandwidth               50Hz - 4.8 MHz -3dB typical
     Line tilt                     <= 1% typical
     Luma/Chroma Delay             +/- 50nS typical
     S/N ratio:                    50dB typical weighted

     CONNECTIONS
     AV Peritel (Scart)
     Audio loopthrough             Left and right
     Pin 8                         High with scrambled video input
                                   Low with clear video input
     Pin 16                        5v 50mA maximum for external
                                   modulator (OPTION)

     MISCELLANEOUS
     Standards                     Designed to IEC 65
     Operating Temperature Range   5-40 C
     Mains Input                   216-255 V AC 50 Hz
     Power Consumption             15W
     Weight                        2.5Kg

     VIDEOCRYPT ENCODER (PAL/SECAM/NTSC)
     * 19" rack mounting
     * Active line cut and rotate
     * Twin or single scrambler
     * Separate power supply
     * Integrated cooling unit
     * Data for control access in the VBI
     * RS232 interface

     Video input level             1V 75 ohm
     Video output level            1V peak to peak +/- 2% 75 ohm
     Line tilt                     0.5% typical
     Base line distortion          0.5% typical
     Chrominance to luminance      3% typical
     2T/Bar ratio                  2% typical
     Synchro level                 1% typical
     S/N ratio RMS weighted        >= 67dB
     Chrominance luminance:
       intermodulation             <= 2%
       differential gain           1% typical
       differential phase          1 degree typical
       luminance non-linearity     1% typical
       chrominance/luminance delay +/- 10nS typical
       video bandwidth at 3dB      >= 5.8 MHz
     Output DC level               300 mV +/- 50 mV
     Sampling frequency rejection  >= 50dB at 14 MHz
     Number of bits per sample     10

     CONNECTIONS
     Connections to security comp  RS232
     Local VT100 terminal          ditto
     Video in                      BNC 75 ohm
     Scrambled video out           BNC 75 ohm

     MISC
     Local terminal functions are to
       show working parameters
       give warnings
       control local
               remote
               autonomous
       Select scrambling mode
               clear
               free access
               control access

     Mains input low pass filtering
     Audio scrambling using spectrum
     inversion 0dB/600 ohm (optional)

     ENDS


                **** Sky card hacking info 26/06/1993 ***


 

     When the VideoCrypt system was launched, the press releases
     claimed that it was the most pirateproof system yet devised. Some
     of the people involved in the design of the system claimed that it
     would take billions of years to break the codes used by the
     system. The usual media journalists swallowed this hook, line and
     sinker. The hackers knew otherwise.

     The  VideoCrypt  system  is the mainstay of  the  BSkyB  satellite 
     television empire. It is the means by which BSkyB makes its  money 
     from  the  subscribers.  The  basic theory  is  that  they  pay  a 
     subscription  for  the premium channels and they receive  a  smart 
     card.  This smart card, when inserted into the VideoCrypt  decoder 
     will allow the decoder to descramble the channels paid for. It  is 
     also possible for BSkyB to turn off the cards of those subscribers 
     who have not paid.

     Hacking  scrambling systems such as VideoCrypt is a  multi-million 
     pound industry. Due to the present legal situation it is perfectly 
     legal  to hack a channel that originates outside the  UK.  However 
     for someone in the UK to hack a UK originated channel is  illegal. 
     Such mere facts as illegality have never bothered pirates.

     In the last few weeks the impossible has happened. The VideoCrypt
     system has been conclusively hacked. It is now possible to
     purchase a pirate smart card or chip which will allow the viewer
     to descramble Sky Movies Plus, The Movie Channel, Sky Gold, Sky
     Sports and TV Asia. The cost of this pirate card is £99. The price
     in itself is lower than the subscription for the channels.

     Other channels using the VideoCrypt system are worried. According
     to the latest reports, The Adult Channel and JSTV have been
     compromised as well. This means that all of the channels currently
     using the VideoCrypt system as a fee gathering system have just
     lost control of the market. It is now, well for the moment anyway,
     a pirate's market.

     This  hack is, like all hacks, colourfully named. It is  known  as 
     the "Ho Lee Fook" hack. The joke being that this is generally  the 
     exclamation uttered by people when told of the hack. There are two 
     forms of the hack; a card and a chip. 

     The  card version of the hack is about sixteen millimetres  longer 
     than  the  official BSkyB card. Essentially it is  a  single  chip 
     mounted  on a printed circuit board that plugs directly  into  the 
     VideoCrypt  decoder's card socket. This is the more  user-friendly 
     version as it does not require any modification to the decoder.

     The  chip version does require some modification to  the  decoder. 
     The  official VideoCrypt name for the chip in the decoder is  "The 
     Verifier".  This  chip  has to be removed and  replaced  with  the 
     pirate  chip. The decoder will then decode the scrambled  channels 
     without the need for the BSkyB smart card.

     The  pirate cards and the chips are on sale. It is  believed  that 
     a number of them are already in the UK. Indeed I received one,  in 
     a brown paper envelope, on June the eighth. It is still working.

     The problem for BSkyB and other users of the VideoCrypt system  is 
     not  one of containment. Things have progressed too far for  that. 
     The problem is more serious. Unless they can come up with a  quick 
     fix for the system that will render the Ho Lee Fook hack inactive, 
     they have to replace the smart cards.

     BSkyB initially set out to replace their smart cards every three
     months. This continual update was, so the theory went, meant to
     deter hackers from trying to hack the system. Fiscal reality has a
     crushing effect on such business school theories.

     VideoCrypt   suffered  its  first  real  disaster   when   someone 
     discovered  that by limiting the programming voltage to the  card, 
     it was possible to stop the card being switched off. This hack was 
     known  as the "Infinite Lives" hack. It was an old  computer  term 
     for  a  modification  to  a games program  that  gave  the  player 
     unlimited  lives.  Since  BSkyB could not turn off  the  cards  it 
     seemed an apt name. This hack was followed by a new issue or batch 
     of cards. The "Infinite Lives" hack did not work on the new  cards 
     but a new hack did.

     The KENtucky Fried Chip upped the ante. It was the first time that 
     the  actual  internal  operation of  the  VideoCrypt  decoder  was 
     interfered  with.  It  was a rewritten "Verifier"  chip  that  was 
     programmed to stop the cards being turned off. It did not work  at 
     full efficiency so it was not marketed by the pirates. After  this 
     hack,  BSkyB issued a new batch of cards which was more  resilient 
     to this hack.

     The current card issue is issue 07. The Ho Lee Fook hack is
     working on this batch. If BSkyB introduce issue 08 cards, then
     there is the possibility of the hack ceasing to work. At this
     stage there is the terrible spectre of the hack being updated to
     work with the 08 cards. It is the thing of which BSkyB's
     nightmares are made.

     The issue of new card batches occurs mainly in Spring or Autumn. A 
     Summer launch of the new 08 cards would be unusual. As  VideoCrypt 
     will  be  going to a tiered channel structure in  the  Autumn,  it 
     would  seem  that they have planned an Autumn update. The  Ho  Lee 
     Fook  hack  may force them to bring their plans  forward  by  some 
     three months or so.

     The  confidence  in  a system is not based on how  well  a  system 
     repels hacks but rather on how well a system recovers from  hacks. 
     This  will be a true test of the VideoCrypt system and  its  smart 
     card  based philosophy. The philosophy is that of  the  detachable 
     secure controller. Basically what this means is that if the system 
     is  hacked then all that needs to be done to stop the hack  is  to 
     issue a new card.

     The effect on the confidence of present and prospective users of
     VideoCrypt is more difficult to gauge. The smart card is the core
     of  the  VideoCrypt system. Seeing it replaced by a  pirate  smart 
     card contradicts every claim made in favour of VideoCrypt. It  was 
     not  supposed to be possible. One thing is certain, channels  will 
     now have to look at a scrambling system as only being a  temporary 
     form  of protection that has to be frequently updated. Failure  to 
     do so will be fatal.

     John McCormac
     Author of "European Scrambling Systems 3" ISBN 1-873556-02-0
     Editor of Hack Watch News.
 
                                *** Latest ***


     There is no such thing as coincidence - or is there? On the day that
     the film "Sneakers" was released on video, I received an actual working
     hack for the scrambled Sky channels. The film "Sneakers" is about
     events surrounding a piece of equipment that can hack any cryptosystem.
     The piece of equipment that I received is essentially a chip that can
     hack the Sky VideoCrypt channels. 
     This latest hack on the VideoCrypt system has been labelled the "Ho
     Lee Fook" hack. The reason for this name is more to do with people's
     reaction to the hack rather than its origin, which incidentally is
     Central Europe. 
     This is perhaps the most dangerous hack to have occurred on VideoCrypt
     - it replaces the smart card. In effect it is a new smart card that
     gives access to all the Sky channels. Of course the problem for Sky is
     that it is not a genuine Sky card.

     The card is approximately sixteen millimetres longer than the official
     Sky card. It is a blue printed circuit with a single surface mount
     chip, and five connector pads. The identification numbers on the chip
     have been scrubbed. 
     The standard check for a card of this nature is to look for a wafer
     from an official smart card. In the early days, a fairly common scam
     was to take the chip and connector pad from a valid Sky card, trim away
     the plastic and then put the chip in a DIL header. The DIL header would
     then be blobbed in a lump of black resin so that it looked like an IC.
     The decoder would then have its card reader replaced with an ordinary
     DIL IC socket. Then the decoder and chip would be shown or sold to some
     unsuspecting, if greedy, punter. 
     The chip appeared to be real, with no wafer underneath the body of the
     chip. The actual stubs of the chip die were just visible at the end of
     the chip. It was a genuine chip.

     It has been working steadily for the last few days and there appears
     to have been no kill messages sent to it. If it had been a direct
     clone, Sky would have been able to kill it over the air - or would
     they? 
     Since the people who developed this hack obviously understand the
     operation of the over the air addressing, they may well have designed a
     filter to stop the kill message from having any effect on the pirate
     card. There are of course more devastating implications here. The card
     itself may only contain the data and algorithms necessary to descramble
     the signals. 
     The chip version of this hack is based on the 8752. This Ho Lee Fook
     chip will replace the official 8052 in the decoder. A selling price of
     ninety nine pounds has been mentioned in Germany.

     Nobody is sure what the people in News Datacom are doing about this
     hack. Sky are more than likely very upset that someone has hacked their
     pirateproof system yet again. This is the fifth hack and the image of a
     pirateproof system now only exists in the minds of PR people.



                *** -=Y_HS=- all (c)'s acknowledged ***

