History of DSS Hacking Pt. 1

May 31


Don G. Halbert

Due to the size of this article I've broken it up into two separate parts.
I originally wrote this article in 1999 and finished it in 2001, and I felt it would be a good idea to reprint it in its original form.
The author of this article does not condone satellite piracy, and any and all references to people, emails and links have long been part of the public domain. For entertainment purposes only!


History of DSS Hacking Pt.1

Shortly after the release of the magazine article, the “Canadian Battery Card” made its debut, and ever since then it has forced DirecTV® to play “keep up”, trying to take out the Battery Cards and their successors by sending ECMs, or Electronic Counter Measures, designed to shut down the pirate cards and render them useless.

McCormac’s article began by telling how the Digital Satellite System was on the verge of being “hacked” and went on to say that the pirates would be releasing smartcards that would provide the owner of a DSS® system with access to programming through the use of an altered original card.

The article made mention of how “signal pirates” planned on making pirate cards available that would incorporate four tiers with different programming options made available to the user. The first tier was to cost $150 and would provide access to only the basic programming. The second tier would add the subscription movie channels. The third tier would include the sports channels and, lastly, the fourth tier would provide the user with access to all services as well as a $500.00 PPV credit.

There was actually no release of a tiered program that this author is aware of, except for the one offered by the now defunct Cyber 1 operation based in the Cayman Islands. It has been rumored to be a scam; I cannot comment on the validity of that, but will say that in the beginning it was the “Battery Card” that was being heavily distributed throughout Canada and not the plastic card mentioned in the McCormac article. Plastic cards, or original issue cards, did not surface until later in the game; they are now plug and play compatible and will work in any IRD (Integrated Receiver-Decoder).

Mr. McCormac says that the most valuable piece of information concerning the hack came from the smartcard itself and the text that is printed on the back of all cards:

“This card is the property of News Datacom Ltd. and must be returned upon request. Incorporates Videoguard(TM) security system. Provided for reception of authorized 101°W longitude satellite services. Protected by U.S. Patent 4,748,668 and others.”

The patent referred to on the back of the smart cards is known as the “Fiat-Shamir” or zero-knowledge test. It is an authentication algorithm run by the decoder to check that the inserted smartcard is genuine, and it is the same authentication algorithm used in the analog Videocrypt system in Europe.
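To make the decoder-side check concrete, here is a toy Fiat-Shamir identification exchange between a card (prover) and a decoder (verifier) in Python; this is an added example, not code from the article or from News Datacom, and the modulus, card secret and round count are constructed values, not Videoguard's real parameters.

```python
"""Toy Fiat-Shamir zero-knowledge identification: the card proves it
knows s (with v = s^2 mod n) without ever revealing s to the decoder.
All parameters below are constructed toy values, not real ones."""
import random

# Constructed toy modulus n = p*q.  Only the issuer knows p and q; the
# card holds s, the decoder holds only n and v = s^2 mod n.
P, Q = 1019, 1021                    # constructed small primes (toy only)
N = P * Q
CARD_SECRET = 123457                 # s, constructed; never leaves the card
PUBLIC_V = pow(CARD_SECRET, 2, N)    # v = s^2 mod n, stored in the decoder


def card_commit(rng, n=N):
    """Prover step 1: pick random r, send x = r^2 mod n.  r stays private."""
    r = rng.randrange(1, n)
    return r, pow(r, 2, n)


def card_respond(r, challenge, s=CARD_SECRET, n=N):
    """Prover step 3: answer challenge bit e with y = r * s^e mod n."""
    return (r * pow(s, challenge, n)) % n


def decoder_check(x, challenge, y, v=PUBLIC_V, n=N):
    """Verifier step 4: accept the round iff y^2 == x * v^e (mod n)."""
    return pow(y, 2, n) == (x * pow(v, challenge, n)) % n


def run_protocol(rounds=20, secret=CARD_SECRET, seed=None):
    """Run `rounds` commit/challenge/response rounds; True if all verify.
    A card holding the wrong secret passes a round only when the challenge
    bit is 0, so over `rounds` rounds it survives with chance ~2^-rounds."""
    rng = random.Random(seed)
    for _ in range(rounds):
        r, x = card_commit(rng)          # card -> decoder: x
        e = rng.getrandbits(1)           # decoder -> card: challenge bit
        y = card_respond(r, e, s=secret)  # card -> decoder: y
        if not decoder_check(x, e, y):
            return False
    return True


if __name__ == "__main__":
    print("genuine card accepted:", run_protocol(seed=1))
    print("wrong-secret card accepted:", run_protocol(secret=CARD_SECRET + 1, seed=1))
```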

It was also reported that after the compromise of the Sky 07 card in early 1994, the source code became widely distributed via the Internet and many BBSs (Bulletin Board Systems) throughout Europe. This was only months before the DSS® system was slated for release in America, and I’d be willing to bet that DTV was shaking in their boots after seeing this happen in Europe and were now wondering how long it would take before the American system was also compromised by America’s best hackers.

Not long after, the press began to tell of the new DSS® system that was soon to be released, but they made absolutely no mention of what had happened in Europe. They did not mention the estimated 500,000 pirate Videocrypt cards and the Videocrypt emulator programs that were in use.

All of this was in fact very real and had literally forced Sky into a card reissue ten months ahead of schedule. It is said that the 08 card had to be scrapped because it was too similar to the Sky 07, and instead Sky opted to release the 09 issue.

The 07 and 09 cards differed in both algorithm and architecture. Sky started to distribute the 09 card in February of 1994 but did not switch to the new datastream until May 18, 1994. That day is known as “Dark Wednesday” by the European hacking community, for obvious reasons. The connection between those events and DSS is coincidental, but the timing is said to have been very convenient for News Datacom Ltd®, which relied heavily on the design of the 09 card for the DSS® system; the main changes would be made to the EEPROM where the cryptographic routines are stored.

Rumor has it that it took the European hackers a few months to remove the code from the 09 card. It is rumored that the smartcard had been completely reverse engineered to “dump the code”. Some preliminary code was also sold at an auction in London in 1994 that may have given the hackers extra help. Approximately 4 months later the system was totally compromised. One of the most significant parts of the operation was the discovery of a “back door” in the smart card’s code.

When the Videocrypt system was designed, the overall structure was simplistic compared with other systems such as VideoCipher II, but it was thought to be reliable and uncrackable. However, News Datacom apparently never imagined the customer base would grow so rapidly and had to implement levels of access control into the system. This was a good solution but also turned out to be very “stupid”, and may be what started their downfall.

The system News Datacom chose to implement involved a method of programming the cards over the air. To the untrained eye the instructions that were sent looked like card identity numbers. To the hackers they represented “nanocommands”, or small commands, and this was not good for News Datacom. The scheme was once thought of as very clever, because it gave the card issuer more control over the card: it could issue ECMs (Electronic Counter Measures) and update the card’s EEPROM, which in turn could change the channel authorization codes. In hindsight it was a bad choice.

The downside to all of this is that the hackers could do nothing without the core algorithm of the card and a knowledge of the card addressing schemes. However, they had already purchased part of the code at the auction, and it was only a matter of time before it all came together.

Over time, the hackers slowly learned the function of each of the commands and used it to their advantage. One command was found to read a byte from the EEPROM and input it as a “round” for the algorithm. Another was found that would act as a “break” command that could dump the results from the decryption key. The hackers had the main components for the DSS hack and only needed to put them to work; they began by starting the algorithm from the first result and then stepping through with the input bytes 0 to 255. This hack became known as the “Vampire Hack” in Europe.

The data that was first extracted did not appear to be related to the processor in the 09 card, which is based on the 6805 microprocessor core, until the hackers cracked the encryption scheme and it all began to make sense. It is rumored that the same techniques described here were also used on the DSS 01 card issue.

In short, it appears that News Datacom was aware of the potential security risk of releasing the same card for the DSS® ND upon its initial release. Now it must pay the ultimate price and will have to release a new card for the DSS® system. As far as I know, around the early fall of 1995, just after the Electronics Now® article, various dealers began offering the Canadian Battery Card, also referred to as a “test card”.

These cards would enable anyone with a DSS® Digital Satellite System to get all programming offered on the system for a one-time fee of approximately $700-$900 CDN. This was a “God send” for many Canadians who had been denied the satellite programming by DTV (DirecTV)® as well as by their own government, which was in effect saying that the dish did not provide the content that Canadians sought. Even stranger was the fact that the Canadian Government allowed the decoder boxes to be sold in Canada by dealers even though it was not legal for Canadians to purchase programming.

Go figure. The cards enabled Canadians to effectively receive the programming they desired without having their own government make their programming choices for them. A government need not decide a man’s likes and dislikes when it comes to television. Before these cards many Canadians had to rely on “Grey market” providers as well as “redialer systems” to get the programming they desired. The redialer trick did not take off too well, and many people were disconnected after using them.

The Grey Market, on the other hand, continues to flourish in Canada, and it is very simple to get a U.S. address to enable the programming. Many Canadians used this method as well as the battery card to obtain programming. A Canadian judge made a ruling that you “cannot steal what you can’t buy”, and such is the case with the DSS® Digital Satellite System. Canadians are allowed to buy the system or IRD (Integrated Receiver\Decoder) within Canada, but we are not legally allowed to subscribe.

The cards have suffered many ECMs, and each time they have returned with a new update and have been kept alive. There was also a split of the original engineers in the beginning that, effectively, introduced two other pirate cards: the “L” and “T” cards, which use the less secure Dallas 5000 to hold the master program.

On June 28th 1996, a massive raid was launched against some of the satellite dealers within Canada. It was not good, and the following news report tells the details. Since this happened, the RCMP have been ordered by the judge in the case to return all property seized from the defendants. It turns out the police seized property from many dealers that was not even related to the DSS cards.

In coordinated raids in four countries, the bootleg smart card cops netted 26 people. Only 22, some of them Canadian, were named in a civil suit filed in Seattle, Washington and charged with the “unauthorized reception of DirecTV and USSB.” DirecTV said the raids were the result of a seven-month long investigation which was conducted coast-to-coast in Canada and the U.S. but also in Bermuda and Grand Cayman Island.

In Canada the raids were carried out by the Royal Canadian Mounted Police (RCMP). They obtained search warrants under Section 20 of the Canadian Radiocommunication Act. This section states in essence that it is illegal to sell, promote or possess a device that allows the unauthorized display of programming that is not distributed in Canada, or that is owned by a Canadian distributor who has not been paid.

The raids took out several well known members of the hacker underground, including Norman Dick of Victoria, British Columbia. Mr. Dick is “alleged” to be the major inspiration behind the break of the News Datacom conditional access system that is used on the USSB and DirecTV signals. Dick’s nickname is “Ground Zero”. However, like the other Canadians named in the U.S. civil case, unless they are also charged in Canada, they may avoid the jurisdiction of the U.S. court by not traveling there because they will be listed as a fugitive from justice.

The same Norman Dick gained notoriety in hacker circles when he designed the Secure Universal Norm (SUN) board, a knock-off of the General Instrument VideoCipher II decoder. Experts said the SUN was a cheaper and better design than GI’s. For this Dick was also raided in 1988 and had over $150,000 worth of inventory impounded. An RCMP officer in Halifax, who refused to be identified, said they confiscated several of the bootleg cards in the raids and had gotten others in a sting several weeks earlier, when they bought bootleg cards to obtain the evidence for search warrants.

Another source said one defendant bought a new truck with $60,000.00 cash, and this alerted authorities. The RCMP refuse to say if charges will be filed in Canada. Fines are up to $100,000.00 on each count for a corporation. Also notorious in the hacker underground in Canada are two other defendants, Doug and Troy Stewart of Nanaimo, BC, as well as Gary Tocholke of Victoria, BC, Ron Ereiser of Kerobert, Saskatchewan, Karen Bradford of Westmount, P.Q., Kevin MacMillen of Woodstock, N.B. and Bill Mitten and Ron King of Halifax, N.S. In a strange twist, Mitten, King and McMillen are not named in the Seattle case. In the same press release DirecTV said it will begin a full card swap in August.

Shortly after the raids the Battery Card seemed to be lacking support. The original programmer who was writing the “main.enc” files needed by the Battery Card was under such heavy surveillance by the Canadian R.C.M.P. that he could no longer support the card without causing himself more trouble in upcoming court cases. Shortly after, the Battery Card incurred a downtime of about two months because “NOBODY” had the skills to produce files for it, or cared to.

During this downtime it is known that a European engineer with the brains to accomplish the feat entered the scene and literally saved the Battery Card. Since the arrival of the “Big Gun”, he has won the support of Battery Card users throughout North America, as well as providing a new bootstrap named the V3 that is performing perfectly at this time. Not much is known to the public about Big Gun, only that he is the person who provides the file, obviously knows the system well, and was the “ONLY” support for the Battery Card at that time. Others have claimed they have the skills, but none have proven it the way the Big Gun has.

It should also be noted that the renowned hacker AXA has provided support time and time again for the L-card as well as the T-card and the old bootstrap. The L-Group, who originally made these cards, has been long gone for some time now and left their customers high and dry; many end users would have been left without support had it not been for the intervention of AXA, as well as the occasional help from the BG.

AXA deserves many thanks for all his help also. AXA had the I System, which is an “L” card that has been modified to have the Atmel chip removed; after conversion, the I-system card looks very similar to the Battery Card. Other systems in use include the Emulator systems released by Pierre, aka (PGM), as well as various plastic software released by authors such as Tornado and Castor.

Source: Free Guest Posting Articles from ArticlesFactory.com