
Update on DSS satellite hacking/piracy 2/2

Subject: Scrambling News: DBS Hackers Encounter CODE 99 (Part 2)
Date: Sun Jul 16 08:53:09 1995

[This is the second of a two part update on DSS piracy. It is
copyright 1995 David Lawson ([email protected]) and
Scrambling News. All rights reserved. E-mail or voice
716.874.2088 for a free product catalog of hacker books.
Your corrections and constructive criticisms are appreciated.]

DSS Hackers Encounter Code 99

The DSS System

The DSS system rolled out nationally last September and in
less than a year it has acquired about 650,000 subscribers.
There are two more DBS systems ready to launch. The dish
size, ease of installation, low maintenance and up-front cost
of the systems are major reasons for the faster sales of DSS.

The DSS scams have started. It is July 6, 1995 and there are
no fixes for the system available other than gray marketing
as we have discussed. A business called Test Card is, however,
advertising that they are looking for dealers and
distributors for a DSS test card. Someone else has a package
for $29.95 which describes how to get $1000 worth of programming
for $50/yr. "Don't miss out on this hot new information
package." No one we know who has responded to these ads
has received anything back yet. There may also appear in
the next few months DSS bibles, software packages which will
likely consist of the various pirate programs and source code
used to break the European version of Videocrypt. They will
probably originate from John Mc Cormac's Special Projects
BBS which is a repository for Videocrypt information. There
may also be bogus DSS reader/writer software and a PC
interface. The data structure is non-standard. A working PC
interface for this system is complex and very expensive.

The DSS system employs a digital and far more secure version
of the Videocrypt encryption system which is used in Europe. It
is a smartcard system which employs a detachable secure
processor. If security is breached, the smartcard is replaced.
The European system has just issued its tenth series of
smartcards. All previous series have been hacked. Europeans can
walk into shops and purchase the latest pirate smartcard or
order by mail. Services using Videocrypt are only authorized for
specific countries so those in other countries can purchase
pirate smartcards with impunity. They typically work for 6
months or a year and cost $150. Inevitably they are shut off
and the users wait a month or so until the next version is ready.

A rumour is that John Grayson's chief engineer at Dectec has
been hired by a Western Canadian group working on DSS.
He designed the SUN board. Supposedly there are 10
members of the group and each has contributed $50,000 to
the project. John Grayson was recently spotted at a Cable
Show in Europe and has moved on to other projects. This
means there are now two separate groups working to
develop a marketable fix for DSS. The existing work done
on the system has involved a consortium of U.S. and
European engineers. The Europeans have years of
experience with Videocrypt and there are now several
groups with expertise to work on the system.

Anyone trying to reverse engineer the smartcard will encounter
the nefarious code 99. The card developed by RCA and
Motorola can be rendered useless by high-frequency, low
voltage, temperature and other types of probing. Any type of
tampering results in erasure of the micro code in the EEPROM
and sets the card to code 99, rendering it absolutely useless.
The smartcard which has been developed for the DSS system
is, at this moment in time, impervious to all known methods of
hacking. In addition, code can be reprogrammed on-the-fly,
every 29 seconds. Reprogramming was used in the 09 series
smartcards in Europe which increased their longevity, although
they eventually had to be replaced anyway.

Just as hacking the Videocipher II system never involved
breaking the DES, hacks for the DSS system do not necessarily
involve being able to reverse engineer the smartcard. The fix to
be released will probably involve reprogramming the card to
add existing services to those already being paid for, including
pay-per-view credits, sports etc. An earlier plan to offer 4
different cards with different tiers of programming has been
abandoned because it has been found that the card cannot be
duplicated. Any DSS receiver can be cloned to work with any
smartcard. It can also be shut off independently of the
smartcard. A benefit for users of reprogrammed smartcards is
that they will have to maintain some level of subscription so they
will not lose all programming when the card is shut off and has
to be reprogrammed. A huge problem with making a business
of any hack for the DSS system involves the massive security
which is in place. Current plans involve distribution of
programming software to 500 sites. The software will only be
able to program 100 cards, then new software must be
purchased. This ensures that the developers will be paid
frequently. The software will not be generally distributed or
posted on BBS's. We do not know more about the distribution
system. Each card being reprogrammed requires a separate
program. A better distribution system would involve the internet
and would allow individuals to reprogram their cards directly
using the phone line, which is DirecTV's own backdoor into
the box. In the short term, piracy of the DSS system may be
of the gray market variety and may exclusively involve use of
the DBS Dialer which has just been developed.

Gray Market Piracy - The Dialer Systems

Some non U.S. residents subscribe to DirecTV programming
by simply obtaining a U.S. billing address. Any phone book
lists Mail Receiving Services which provide a street address.
Many telephone answering services also provide this service
as well as private phone lines. When they subscribe they
simply say they do not have a phone. This precludes them
from ordering sports packages like NFL Sunday Ticket,
NBA League Pass, the NHL Center Ice package or the regional
sports networks. They must also order special events manually
at an additional charge of $2. Since many foreign subscribers
do want access to sports and PPV events it was natural for a
variety of call forwarding services to be established.

The two dialer systems which are the subject of the press
release from DirecTV have been operating in Canada for
several months. One system is based in Ontario and the other
is in British Columbia. The Ontario system was diverting
monthly calls from the DSS boxes to a Western NY number while
the B.C. system diverted its calls to Blaine, Washington.
Canadians have been purchasing thousands of DSS systems and
they are even being sold in major consumer electronics stores.
The head of the CRTC, which is the Canadian equivalent of the
FCC, has said on the national news that Canadians will not be
prosecuted for subscribing to DirecTV. At the same time DirecTV
has no legal right to extend subscriptions to Canadian residents.
Those complaining about DSS are the cable companies and
Expressvu, a Canadian based DBS service which is almost ready
to launch. With their dismal roster of Canadian programming they
cannot possibly compete with gray market DirecTV programming
even though Canadians must pay the high subscription prices
charged by DirecTV and USSB with Canadian dollars which are
worth $.70 U.S.

The dialers currently being used by the Canadians are Equal
Access dialers which were used at one time to dial the prefix to
connect to Sprint. They are now surplus and the operators of
these dialer services have been purchasing quantities of them
for $30 each and then charging Canadians $150 apiece with a
subscription to their redialer service. That only involves
establishing U.S. phone numbers to route the calls through.
Some operators only had one or a few U.S. numbers so
hundreds of DSS systems were connected to Canadian
phone lines and routing their monthly PPV billing calls
through the same U.S. phone number. The dialers pass ANI
data from the originating phone number as call forwarding
systems do. In addition, the systems are not secure. To
exacerbate the situation, the phone numbers being used
were posted on BBS's so many individuals piggybacked
on the system. Some foreign subscribers even plugged
their DSS boxes directly into the phone line, essentially
requesting that their systems be shut off. The problem is
that ANI (actually ANAC: Automatic Number Announcement
Circuit) data is transmitted with phone calls. This data identifies
the billing phone number including area code. Businesses like
DirecTV which rent 800 numbers receive ANI data along with
other caller information and callers to 800 numbers give up that
data whether they know it or not, and regardless of whether
their phone number is unlisted or not.
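
Added example, not part of the original newsletter: a sketch of the
billing-side check that the shared-number redialer services described
above made easy, run over constructed callback records. The record
layout, receiver ids, phone numbers and threshold are assumptions.

```python
from collections import defaultdict

# Constructed callback records, one per monthly billing call:
# (receiver_id, ani_seen_on_800_line, phone_on_account).
# An empty phone_on_account means the subscriber reported having no phone.
CALLBACKS = [
    ("RX-1001", "7165550142", "7165550142"),
    ("RX-1002", "2125550111", "2125550111"),
    ("RX-2001", "7165550177", ""),
    ("RX-2002", "7165550177", ""),
    ("RX-2003", "7165550177", ""),
    ("RX-2004", "7165550177", ""),
    ("RX-3001", "3605550123", "2125550188"),
]


def receivers_per_ani(records):
    """Map each ANI to the set of distinct receivers that called in from it."""
    by_ani = defaultdict(set)
    for receiver, ani, _ in records:
        by_ani[ani].add(receiver)
    return by_ani


def review(records, max_receivers_per_line=2):
    """Return {receiver_id: sorted list of reasons} for records worth a look.

    shared-ani        more receivers than expected report through one line
    no-phone-on-file  account was opened without a phone, yet a call arrived
    ani-mismatch      call arrived from a line other than the one on file
    """
    by_ani = receivers_per_ani(records)
    findings = defaultdict(set)
    for receiver, ani, on_file in records:
        if len(by_ani[ani]) > max_receivers_per_line:
            findings[receiver].add("shared-ani")
        if not on_file:
            findings[receiver].add("no-phone-on-file")
        elif ani != on_file:
            findings[receiver].add("ani-mismatch")
    return {rx: sorted(reasons) for rx, reasons in findings.items()}


if __name__ == "__main__":
    for receiver, reasons in sorted(review(CALLBACKS).items()):
        print(receiver, ", ".join(reasons))
```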

The DBS Dialer

This is a newly engineered gray market product intended for
use by those in offshore countries where DirecTV is not
licensed to operate. It is available from New Advanced
Technologies at 514.458.3063. The system consists of two
units. The dialer is connected between the DSS unit and the
phone line. It intercepts the 800 number call made by the unit
and routes it to whatever U.S. number it has been programmed
to call. The call is received by the diverter unit which strips out
ANI data associated with the true phone number and substitutes
the ANI of the billing phone number the diverter is connected to.
The diverter must be connected to a line with three way calling
capabilities.

The DBS Dialer system has many desirable features. It allows
users to operate their own system independently without having
to subscribe to someone's service. It is not necessary to reveal
phone numbers to anyone who might piggyback or otherwise
compromise the system. Users are not reliant on the supplier
and need not pay subscription fees. Both dialer and diverter(s)
are password protected and the password of the dialer(s)
must match that of the diverter. Anyone wanting to piggyback
on the system would have to know the password as long as it
is changed from the default value of 1234. The system is
completely field programmable and there is a separate
password allowing access to programming functions. The
system has been designed so that in case of a power failure
the dialer unit shuts down rather than pass ANI data about
the location of the system. DirecTV uses several 800 numbers
and DSS units store them in both the "smart" modem and in
EEPROM. The DSS modem can be programmed to execute
a wide variety of countermeasures. Designers of the DBS
Dialer have taken this into consideration. The code in the
diverter may be updated if it is necessary. The designers
are now adding capture, store and forward technology to the
dialer so it won't matter what number the DSS unit calls. The
Canadian dialers were shut off when DirecTV changed the
number the DSS units called. They can be reprogrammed
but a simple command in the data stream will shut them off
again and they will have to be reprogrammed again.

DBS Dialer - Programming

The dialers have two RJ11 jacks. Ordinarily the DSS unit
is connected to the jack marked DSS. For programming
purposes a telephone is connected to this jack. A standard
telephone line is plugged into the other.

We received a beta version of the dialer and diverter for test
purposes. We began our test by changing the programming
password to 2198. We changed the dialer and diverter
passwords to 9299. They must be the same. In a case where
more than one diverter is used in a network, the diverter
passwords must match as well. We programmed the dialer
to call the number where the diverter was located. We left
the trigger sequence at the default value of 1-800 but if we
were on a phone system where we had to dial 9 to call out
then we would have programmed it in place of 1-800. Call
capture store and forward capability is being added to the
system so the programming instructions we included in the
hard copy version of this report are now redundant. We also
stated that in the New Advanced Technologies advertisement
that it supplies U.S. addresses and phone numbers. It does
not.

Telephone companies maintain regional ANI circuits to assist
line technicians with testing and line identification. Dialing
one of these numbers connects the caller with a computer
which reads back his ANI data. We used 1-800-MY-ANI-IS
which is an MCI service. Another service is at 10732-1404988
9664. It is also a toll free number. We connected a phone in
place of the DSS receiver and made the call. The dialer
intercepted the number we dialed, forwarded the call to the
diverter, and the diverter called 1-800-MY-ANI-IS. The
ANAC computer reported the phone number and area
code where our diverter box was located and not the
actual phone number we were calling from. Individuals
from Canada, Mexico and the Caribbean have also tested
the system and found it to work. The DBS Dialer worked
perfectly. It does the job it was designed to do.

The footprint of the DirecTV signal covers the continental
U.S. and most of Canada. We have heard of reception as
far south as Mexico City (with a 3 foot dish) and throughout
the Caribbean. The DBS Dialer allows individuals in those
countries to subscribe to programming and receive pay-per-
view events. A very low profile system would have only one
DSS system connected to a diverter box located at a U.S.
address but some individuals may establish small networks.
We have no knowledge of the laws regarding the reception
of DirecTV programming in the various countries where the
signal is available. Since the system passes voice as well
as data calls it could conceivably be used to make use of
800 numbers in the U.S. or possibly to reduce long distance
charges. It could also be used by networks of cautious
individuals to manually order PPV events. The common
phone number could easily be that of a business with
several employees who have DSS systems.

The system could also be used by U.S. residents or
commercial establishments to obtain locally blacked out
sports events by misleading DirecTV about the true location
of the system. Using the DBS Dialer in the U.S. is a serious
crime and subjects users to the variety of criminal and civil
actions mentioned in DirecTV's press release. The units
could also be used by individuals who obtain the deluxe
system and take advantage of the reduced subscription
rates available to additional units. We have heard that
DirecTV is now insisting that all units in a deluxe system
be connected to the same phone number.

Appendix

DIRECTV PREPARES LEGAL ACTION AGAINST
UNAUTHORIZED DISTRIBUTORS

Complaints Seek to Prevent Illegal Reception of DIRECTV
Service Within Canada

Los Angeles, CA. June 19, 1995 - DIRECTV, Inc., a unit of
Hughes Electronics Corporation, took action against
individuals and entities in Canada who have facilitated the
illegal reception of the DIRECTV programming service in
Canada. Cease and desist letters were issued to five potential
civil defendants, four of whom are located in Canada.
DIRECTV is also preparing to file civil claims against the
potential defendants in U.S. federal courts.

In addition, DIRECTV is deactivating the accounts of more
than 600 known "grey market" Canadian subscribers whose
accounts with DIRECTV had been activated by the defendants.
These steps by DIRECTV are part of its ongoing broader
effort to actively protect its programming rights and to secure
the signal integrity of the direct broadcast satellite (DBS)
service.

A civil complaint was delivered with the cease and desist letters
sent to David A. Diebert of Echo Communications and/or Dragon
Pacific, Vancouver, B.C.; Mike McAllister of Version II Marketing,
Waterloo, Ontario; National Computers and Supplies, also of
Waterloo, Ontario; Digital DTH Distributors, Edmonton, Alberta;
and Propack Inc., Blaine, Washington. The complaints are to be
filed shortly in U.S. District Courts in the states of
Washington and New York if the defendants do not meet the
demands contained in the letter.

The civil claims are a result of investigations by the
DIRECTV Office of Signal Integrity, which is headed by
former FBI Special Agent Larry Rissler. Rissler's
investigation revealed that the defendants, through the
distribution of equipment and attempts to manipulate the
DIRECTV customer service system, facilitated the reception
of DIRECTV programming by residents of Canada. These actions
were detected by DIRECTV through its sophisticated security
systems and procedures.

Further, the complaint alleges that the defendants assisted
individuals in obtaining programming by attempting to disguise
the location of the installed DSS(tm) system through electronic
devices and other schemes. These actions violate several U.S.
federal statutes, all of which also carry substantial criminal
penalties.

"We're committed to the identification and, where
appropriate, the prosecution of those individuals and entities
who foster the unauthorized receipt of DIRECTV
programming," said Rissler. "These actions are the first
visible results of an aggressive on-going campaign by
DIRECTV to protect its service and attack all types of
unauthorized use, including Canadian grey market activities,
as well as any residential or commercial misuse within the
United States," Rissler added.

The federal statutes cited in the complaints are the Federal
Communications Act, which prohibits the unauthorized receipt
and use of satellite communications, including commercial
television programming; the Federal Wiretap Statute, which
proscribes the use of electronic or mechanical devices for the
surreptitious reception of satellite programming; and the
Computer Fraud and Abuse Act, which addresses the
transmission of false information through sophisticated
computer systems.

According to DIRECTV, the filing of the civil complaints
would mark the first known use of the Computer Fraud
and Abuse Act to address satellite signal theft. Because of
the sophisticated nature of the computerized DIRECTV
authorization and billing system, the electronic devices used by
the defendants resulted in telephone calls from the DSS
receivers to the DIRECTV computer system which were
detected and traced to the DSS units authorized by the
potential defendants.

The civil complaints also cited Washington and New York
state causes of action, including wrongful interference with
DIRECTV programming contracts and wrongful interference
with prospective business advantage.

In all instances, DIRECTV has demanded that the defendants
immediately cease and desist the illegal action. Failure to
comply could lead to the issuance of injunctions ordering the
defendants to stop the illegal activities and the assessment of
monetary damage awards. In the case of the Federal
Communications Act, damage awards can be as much as
$110,000 for each violation.

DIRECTV and DSS are trademarks of DIRECTV Inc., a unit of
Hughes Electronics Corporation. The earnings of Hughes
Electronics Corp., a wholly owned subsidiary of General Motors
Corporation, are used to calculate the earnings per share
of General Motors Class H Common Stock (NYSE:GMH).

For more information, please contact:

DIRECTV, Inc.
Linda F. Brill
Director, Public Relations
(310) 535-5062

Resources

American Hacker BBS. Access is included with a subscription to
the hardcopy version of this newsletter. There is a bulletin
section which is free to all. If there are any radical
developments we will post news there. We also post to
various Usenet news groups. 716.871-1915

Bomarc Services has some schematics for the RCA receiver
(see their ad in this issue). They are contract reverse engineers
and they have thousands of schematics available for all kinds
of electronic devices including most cable boxes. A catalog of
their 22 product categories costs 4 stamps. The catalog of
cable and satellite descramblers, converters etc. costs $5.
The following DSS schematics are available: Full Signal
Modulator w/RF switch (Alps 3N0110A-US). $2. DSS Tuner
Module (Sharp B5532). $4. Dual Polarity Single Channel
Ku Band LNB for DSS Systems. $1. Dual Polarity Dual
Channel DSS LNB. $2. Bomarc Services, Box 1113,
Casper, WY, 82602.

Triangle Products is the major supplier of Oak decoders. They
are available in VCII card cages for those who don't wish to
use free-standing units. New Oak encrypted channels include
Mandarin and Filipino. They also carry SureWrit 9, which is a
diagnostic test device for those studying VCII or 029 PLUS
technology. They have raw B-MAC's as well. 616.399.6390.

Hack Watch News is the foremost hacker newsletter in Europe. It
is available by electronic delivery or by mail. It is written by
John Mc Cormac who is the author of the "European
Scrambling Systems" series. They are comprehensive texts
on scrambling. John's Special Projects BBS is a repository for
Videocrypt information, smartcard programs with source code
etc. Voice 011-353-51-73640. BBS 011-353-5150143.
E-mail [email protected]. He has an article in the August issue of
Electronics Now entitled "Has DSS been Hacked?" That article is
available at http://www.iol.ie/~kooltek/hasdss. We have greater
quantity and more current information on the U.S. system
in our zine American Hacker. European Scrambling
Systems Volume 4 is 500 pages long and concentrates
on Videocrypt. It is available from Baylin
Publications, 1-800-483-2423.

New Advanced Technologies manufactures and distributes DBS
Dialer Systems. They invite inquiries for single units or networks.
Voice 514.458.3063. FAX 514.458.0798.

END PART 2 OF 2 PARTS
 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.

 
