History of DSS Hacking Pt. 2

May 31


Don G. Halbert

The following article is Part 2 of a two-part series. Due to the size of the original article, it was broken up into two separate articles. This article is told by the original author, Don Halbert, and does not condone satellite piracy of any kind. It is merely for entertainment and nostalgia purposes only!



P2 Datastream

On Monday June 23, 1997, a day which some call “Black Monday”, Directv and News Datacom implemented the P2 datastream. Directv had been sending new access cards out to subscribers for over a year. The new card, dubbed the P2 or “H series”, was developed to increase the security of their conditional access system. The original P1 or “F series” card had been fully hacked, with many different cards available, some available for free. The P2 card looked similar to the old one, but its internal design was significantly different. Along with nearly doubling the EEPROM memory, it now had an Intel-based Siemens processor rather than the Motorola-based processor that the F series had. This card's claim to fame, however, was the addition of another component called an ASIC, or Application Specific Integrated Circuit.

Several hackers had been working on cracking the EEPROM of the new card for some time now. One of the major problems with the F series hacks was that they could not duplicate the Motorola processor perfectly, so they had to emulate it with an Intel-based one. This difference was one of the reasons that the cards were ECM’d so often. Another reason was that the software was often freely released onto the internet. Once released to the masses via the internet, it's open season for DTV and NewsDatacom. So the processor change was good news; however, they still had to “dump” the EEPROM (Electrically Erasable Programmable Read-Only Memory) and extract the microcode so they could begin on a testing solution.

Some of the developers of the F series cards, such as AXA, seemed to have underestimated the security of the new cards, as they expected to have the answer within a couple of weeks. There were several major problems. 1) Capital. Reverse engineering is very expensive; costs can easily soar to over $100 000. 2) Technical knowledge. The developers had experience compiling bootstraps, but they lacked the technical experience or equipment to extract the microcode from the EEPROM, so in most cases it was necessary to send it to an outside lab. 3) Cost effectiveness. The ASIC was a big problem. It was soon discovered how the ASIC worked, but because it was application specific, it was not available on the market and would have to be manufactured from scratch. The cost of such a venture would be formidable.

Over a month and a half had passed since the datastream was switched, and AXA and the other developers still had nothing. At this point we saw the emergence of the East 3M card. The 3M developers had begun the project of dumping the code a lot sooner than the others, so they had a big head start. Because they used the P2 access card itself, the ASIC problem was solved. The initial cards were quite expensive; most were selling for $500 US or more. Because of the extensive code modifications, many people were hesitant to pay such a large amount for a card that could go down at any time. They were counting on the other developers to come through with a less expensive option.

But it was not to be, at least not right away. The combined talents of AXA, PGM and Tornado proved insufficient against the security of the P2. Over 2 months had passed and they were not able to dump the EEPROM. Without it, a solution would not be possible. More and more people, tired of having no TV, gave in to temptation and purchased the 3M card in large numbers. Shortly after, a new 3M card was developed in western Canada. This would be dubbed the West 3M. Many people were hoping that the competition would cause the prices to drop significantly. They did not. Prices came down slightly and settled around $400 US.

For about 2 months, the East and West 3M cards were the only options available and sales flourished. Then a new option was introduced. It had no official name, but soon came to be known as the Combo Card. However, the price was very high, up to $650 US. A lot of dealers were claiming that it could not be ECM’d, and so many were sold. Shortly after, a new knock-off product known as the DDT was introduced. The price was still high, but less expensive than the Combo Card. Both the Combo Card and the DDT worked in conjunction with a P2 access card. The major difference was that the Combo Card would work with a virgin, unactivated access card, while the DDT required a small subscription in order to work. It had now been over 5 months since the datastream switch, and no ECMs had occurred.

The first ECM occurred on November 21, 1997. It was targeted against the 3M cards. It was speculated that a member of the East 3M group had sent in a copy of their software after making a bunch of money and leaving the group. This is where some interesting things happened and the East group lost a lot of their popularity. Both the East and West 3M cards were ECM’d with a massive 99 loop, causing the cards to lock up and be neither readable nor writable. Almost immediately, the East 3M group issued a statement claiming that the cards could not be repaired and requiring the user to pay $100 US plus send in their old card. Many people were enraged about this, as they had been promised free support. What enraged people most, however, was that the West 3M group was claiming that the cards could be fixed. The West group’s offer was a lot more appealing. They offered to reprogram a new card for $50 Cdn (the cost of a new card), with the old card returned to the user when repaired, or the user could wait and receive a FREE unlooping and reprogramming. They also extended the offer to East 3M customers, except that they would keep the old access card. New software was available about 2 weeks after the ECM, and most people who paid the $50 were playing within a month. Many were holding off for a free unlooping, as it looked promising that a solution would be found. The initial unlooping was not entirely successful. The first attempts were engineered by Eddie from North Sat Technologies in Winnipeg, Manitoba. They first attempted to glitch the card out of the 99 loop by applying low voltage to it. Some cards were fused permanently. After some tinkering, it seemed that they had it: the card was unlooped and could now be read, and the cards were sent off to be tested for reprogramming. It was soon found that they could not be written to, however, so it was necessary to try again. About a week later North Sat was successful, and Eddie began to unloop cards and send them on to the programmer. The sheer number of cards proved to be the Achilles heel, as only so many cards could be reprogrammed in a day. Most people were playing again with unlooped cards 2 months after the ECM.

So things slowly began to return to normal. Some new cards began to emerge. Most were constructed by non-programmers looking to make a quick buck. The DDT card had been dumped and people were selling the software to virtually anyone who wanted it. A flurry of new products meant that prices would come down; it also meant that a lot of people were selling cards that they had no hope of supporting. There were still only a few people capable of writing a program. Most of these cards were copies of the DDT card.

A new card called the DAT emerged among the copies. The DAT looked similar to the others, but it also had a packet generator and a blocker built in. The DAT was hacked and cards such as the BOSS emerged. With no hope of writing a software patch themselves, the copies of the mainstream cards relied on the hope that, if the cards were ECM’d, the developers of mainstream cards like the Combo Card would release a patch which could then be copied.

The ECM happened on January 15, 1998. The target was the old 3M cards that were still being sold for low prices, and all the wedge cards. The Combo Cards and DDT cards were specifically targeted, and many DDT and Combo Card users had their P2 cards 992d. DTV had begun a major code write to their cards in the hope of closing the security hole which allowed the wedge-type cards to operate. The hole was dubbed the “093 hole”. Cards that were written to or “updated” by DTV would no longer work with the wedge cards. A few cards were spared. Although not immune to the update procedure, they were put on life support by the blocker that was built into some cards, like the DAT. The blocker would block the updates and allow the card to continue to operate. Cards without blockers now had to add them, and they needed a new virgin access card in order to work. Around this time some freeware “activation” software was released, such as CBA or CL5005. These programs would activate the tiers on a new virgin access card and allow normal programming, minus the PPV, to be viewed in the open. These cards were limited to 25 PPV. A non-virgin card could not be programmed with this software.

The wedge cards, the 3M cards and some of the activation programs were ECM’d again on March 27, 1998. Directv had previously been sending regular access card updates through the 42nd packet. Wedge cards were effectively blocking these updates. Cards that did not block them went down, as the updates patched the holes which the cards were using to turn on the channels. Directv now began sending 5 new updates through the 40th packet, one that blockers were not designed to block. In some wedge cards, these 5 new updates would turn off the dynamic tiers (PPV), while the regular channel tiers would continue to run as long as the first 18 updates were being blocked. On some other cards, all channels were down. 3M West and 3M East were both being 992d and deactivated, due to some updates interfering with and corrupting the 3M software in the card. Directv would now be in a position to 99 any cards that were not updated, if they chose to. Some of the newer programs were not affected, such as the Blazer, 4M and some newer versions of the West 3M and SuperV.

Shortly thereafter the West developed the Wildthing! unlooper. This unlooper was designed and engineered by a fellow out of Bulgaria. This unit could do in seconds cards that normally took up to 20 minutes in Eddie’s unit. There has never been a finer unlooper to date than the Wildthing! Now, the Wildthing! unloopers are duplicated by almost every DSS-related site on the internet. The unloopers have gone from Wildthing!, to Wildthing! 2, and finally Wildthing! X.

On October 6, 1999 there was an ECM directed at one of the more popular freeware programs available, known now as the Oct. 6 Magic ECM. This ECM damaged the jump table and fuse bytes within the card. Many people underestimated DTV and shrugged it off, assuming a fix would be available asap. Well, time would tell that this didn’t happen. Throughout October no one had a solution for this ECM. Finally, in November, Eddie at Northsat developed a repair for this ECM. His repair involved cloning all cards with a good image. His success rate was rather shady and slow. The unit did the job, but not exactly efficiently. At the end of December the Wildthing! 2 was released. This unit repaired Magic and Euro ECM’d cards in seconds, like its predecessor the Wildthing! Finally, a unit for the masses.

Now today’s status of the P2 has taken a turn for the worse. H cards are now very difficult to find due to DirecTV’s move to issuing the P3 or HU card with new systems. And if you intend to subscribe to an H card, you had better check again, as DTV will tell you to courier your H card to them and they will courier you out an HU or P3 card. Unfortunately, the only way you are running wide-open viewing right now is if you apply the CAM ID of an actively running subscribed card and then 3M it. This is currently the only way to avoid the “7453 issue”, unless you choose to run freeware spoofing software which uses F card CAM IDs. These freeware spoofer files are not lasting long, so the best is to get yourself an active sub image and 3M with your flavor-of-the-month 3M.

The P2 is so widespread that literally everywhere, on the net or next door, someone is hacking it. Freeware is running wild with the P2.

Leading up to the fateful day, DirecTV had been regularly updating their cards, which had the entire hacking community confused as to why, and why so regularly. Well…

Like the final piece of a puzzle, the final updates made all the seemingly useless bits of computer code join into a dynamic program, existing on the card itself. This dynamic program changed the entire way the older technology worked. In a masterful, planned, and orchestrated manner, DirecTV had updated the old and ailing technology. The hacking community responded, but cautiously, understanding that this new ability for DirecTV to apply more advanced logic in the receiver was a dangerous new weapon. It was still possible to bypass the protections and receive the programming, but DirecTV had not pulled the trigger of this new weapon until…

On January 21, 2001 the H card users got the shock of a lifetime. Once again, DirecTV ECM’d the cards, damaging memory range 8000, the write-once area of the card, and rendering them useless. This day was dubbed “Black Sunday” and caused many pirate viewers to stare at a black screen for the much-anticipated Super Bowl the following Sunday.

Some estimate that in one evening, 100,000 smart cards were destroyed, removing 98% of the hacking community’s ability to steal their signal. To add a little twist to the operation, DirecTV personally “signed” the ECM. The first 8 bytes of all hacked cards were rewritten to read “GAME OVER”.

Just when DirecTV thought they had successfully accomplished their mission of eliminating the hacking community, a solution was found. The hacking community succeeded in developing a “boot board” which emulated the damaged 8000 area of the card and acted like a protector or sheath. Now the hacking community was back on track, having suffered only a bit of a delay. To date, June 2002, these “boot boards” are still in operation.

The most important factor is that people should realize that the P3 will NOT be hacked by some basement hacker and then offered for free on the net. If you believe that it will happen outside a lab, then you had best read this story again. Nope, we expect the P3 hack to come from a commercial source who can afford to pay the engineers required to dump the processor. Once commercial 3M has been loaded for a few months, then maybe, only maybe, the less expensive alternatives will arrive. Of course they will; time has shown us this game before.

PART III – The New Horizon

Early in November of 2001 there was much ado about an apparent hack for the P3 or HU card. People claiming it was a sting or a fraud were everywhere. The original dump of this card was performed in a Russian laboratory funded by a fellow known for arranging the sale of the Magic ECM glitch points to Triton. Don represents Brian, the brains behind the coding. Brian took the dump from the Russian engineers and developed the first program for HU cards, labelled HUPro. This file was built off original code from Triton, which exchanged hands in the sale of the Magic glitches; thus the likeness in appearance. The following months saw dealers from Winnipeg and Ontario loading HU cards with HUPro. In a very short time trouble began to stir within the group, and rumors of inside corruption began.

In January, a few dealers began to advertise “HU Loaders” for sale. Behind the scenes what originally occurred was this…

Brian and Don decided to sell the technology. Between them they decided that Triton would never have this technology, nor would they sell it to them, for reasons still unknown. So they sold their wares to a fellow nicknamed JT who at the time owned a website. JT reportedly purchased the product for a large sum of cash and returned to the States to begin marketing his new product. At the tail end of January, JT began selling the “HU Loader”.

Within a week of JT marketing his product, Triton began marketing the same product for a considerably smaller amount of money. For weeks many people doubted Triton had anything to sell, while Triton collected pre-orders for the item. The original loader device was shipped by Triton to the UK and completely reverse engineered and dumped by Cambridge engineers.

By the end of February Triton released the Wildthing! Piggyback chip for current loaders. This chip, combined with HUPro, would allow users to program HU cards. Within three weeks after the release of the piggyback chip, purchasers found themselves with another bonus: the Wildthing! XS, the world’s smallest unlooping device to hit the streets.

On March 11, 2001 a website released the source code for the Atmel on the “HU Loader” on the net. This infuriated many, as they had just paid thousands for their devices and suddenly someone released it for free on the Internet. This stunt was completely orchestrated by Don and Brian to damage Triton’s reputation, in a vengeful attempt at getting back at them for dumping their code.

With the mass market of sites selling H and HU products, DirecTV decided enough was enough and began an anti-hacking campaign within the United States. They successfully shut down the operations of many US-based web sites and prosecuted many individuals involved in the hacking, or in assisting the hacking, of their property. War was staged.

By March 2001, many dealers were beginning to advertise HU3M options for sale to their clients. With the public release of the loader occurring so quickly, people began questioning where they would get 3M support from. Thus the market saw an opportunity and seized it. Soon plenty of sites were offering script support for HU3M files. The first ECM on HU cards occurred on January 23, 2001 and the following one on March 29, 2001. This second one was anticipated by many due to the release of the Atmel code and the source for HUPro. Both ECMs looped thousands of cards. In early April 2001 “Eddie”, formerly of NorthSat, began unlooping HU cards. For many months he monopolized this technology, until March 18, 2002, when an individual nicknamed “unatester” released the unlooper code on the Internet for FREE before any dealers had any hope of recouping their investments.

During the hacking melee another storm was brewing. Rumors of former hacking personalities rolling over on their peers, turning over a new leaf and working for DirecTV/NDS, and the biggest rumor of all: NDS being responsible for the release of the hack on their competitor’s smart cards, Nagravision.

In filings connected to its lawsuit against News Datacom, Canal Plus identified Von as Chris Tarnovsky, the NDS employee. Von, also known as “Big Gun” or BG, was mentioned earlier in this writing. Tarnovsky, like Floricic, the now infamous deceased hacker, was an expert in smart card technology who lived in Germany until he was recruited by NDS and became an employee of theirs living in the United States. Reportedly on March 26, 1999, Von released Secarom.zip on DR7.com, unleashing a wave of conspiracy theories and immense scrutiny aimed at his employer NDS.

At any rate, with the secret codes to both NDS and Nagra smart cards now public, the playing field in the smart card business was level. By August of 1999, NDS had a new four-year contract with DirecTV. However, the contract contained an important escape clause: DirecTV could develop its own in-house smart card technology and dump NDS at any time. Well, they did just that in April 2002, and now there is the release of the NEW series smart card for DirecTV systems…the P4.

Enjoy and happy television!

Compiled with information from various sources too numerous to mention.