UnderGround Information
















                        ***  The Videocrypt System ***



     An Overview



     Researched and written by Darren Ingram, author of Satnews



     - Satnews.. the latest and non-Commercial satellite news -





     Version 1.31 - 06.05.91





     Introduction



     Videocrypt is a pay-tv scrambling system jointly developed by  Thom-

     son Consumer Electronics and News Datacom.   Over one million  users

     receive  Videocrypt encrypted signals and this system has, to  date,

     remained  secure from illicit decoder manufacturers, protecting  the

     revenue of Videocrypted television channels.



     Requirements



     Videocrypt  is a multi-standard encryption system which is  suitable

     for  PAL, NTSC and SECAM transmissions.  Language is no barrier  for

     Videocrypt  with  its capacity for multi-lingual  transmissions  and

     broadcasts utilising a comprehensive on-screen instruction menu.



     Features and applications



     A  smart card is the central key to the Videocrypt system,  and  the

     card  can be used for a variety of diverse applications.   The  card

     is  pre-coded  to determine a user's requirements  and  it  can

     subsequently be addressed utilising the decoder's logic to amend the

     user's services at the broadcaster's will.



     There are a number of broadcasting modes which the smart card can be

     used within including:



     Clear Mode

     Signals sent in the clear are recognised by the decoder and

     passed to the display without further processing.



     Free Access

     Pictures transmitted with an encryption key are delivered

     directly to the display through the decoder.



     Controlled Access

     Access to encrypted pictures is determined by the level

     of access authorised to the user's smart card.  No signals

     will be transmitted in an unencrypted state without prior

     authorisation.



     Programmes can be tailored to usage with the Videocrypt system and

     the system offers a flexible way for pay-tv operators.  There are  a

     number of operation modes offered as standard including:



     * Single or multiple subscriptions with many tier levels in one

     channel



     * Pay Per View (PPV) and impulse purchasing



     * Thematic selection (enable all arts programming)



     * Geographic limitation (restrict to a country/area)



     * Single-event (throwaway cards)



     * Parental Control (reception with card only)



     * Pre-determined time period



     Videocrypt  enables  smart cards to be pre-programmed  to  suit  the

     specific programming requirements.



     Smart card - providing the revenue security



     Security  can be addressed on a multitude of levels when  using  the

     smart card.  These include:



     Chaining



     An existing customer would receive a new card which contains part of

     the  new code, the remainder of the code would be  transmitted  when

     the  card is inserted into the decoder and the  subscriber  complies

     with the instructions contained within the on-screen graphics.



     Over-the-air addressing



     Systems operators can now address individual subscribers, which is a

     vast  improvement over other scrambling systems.  The  operator  can

     provide  additional  services,  reduce  service  entitlements,  send

     individual messages, blacklist and/or whitelist viewers.



     Cloning



     A  number of steps have been taken to stop smart cards being  copied

     or cloned.   A physical deterrent is the first line of defence,  and

     the  integrated  circuit contained within the card  makes  "probing"

     very difficult as the IC is likely to become damaged in the process.



     Cost  is a second factor which is likely to deter  manufacturers  of

     illegal  decoders.    A  considerable amount of  time,  trouble  and

     expensive resources would be required to clone the card.



     The  manufacturers  of Videocrypt recommend that the cards  are  re-

     placed  every six months, and each time this is done a  "secret  en-

     crypting  algorithm" will be changed.  Any pirate decoders  manufac-

     tured during this time would be relatively useless.



     And  should  a  pirate decoder be manufactured, it  will  contain  a

     unique  security  code, which could be blacklisted  by  the  systems

     operator  once  the code has been discovered - leading to  calls  of

     complaint by angry customers.



     Video taping



     Videocrypt  offers  a  simple method of tracking  down  pirates  who

     video high-value programming and then distribute it.



     The customer's unique number can be displayed on the unencoded screen

     for  reference  and future litigation.   Although  an  on-the-screen

     code  can  be generated for signals piracy in a  public  place,  the

     codes  can be hidden in the picture - and retrieved by a  technician

     at a later stage.



     Videocrypt-your flexible friend?



     Videocrypt  can  be used in a number of applications other  than  tv

     signals protection.  They include:



     Messaging, messages can be transmitted to individual subscribers  or

     to a group, so target messaging is now a potential.  Messages  like:

     "Satellite  owners in LONDON call 081 XXX XXXX now for a great  bar-

     gain".



     Selling, sales over the air can be utilised with the unique identity

     number which verifies an owner and their registered address.    Data

     can be matrixed with a user personality during ad-breaks to  tailor-

     make the advertisement.



     A unique transaction alphanumeric can be displayed on the TV screen,

     and  the  subscriber  will telephone a given number  and  quote  the

     alphanumeric - and the deal can then be completed in total security.



     Scrambling



     The  majority  of  scrambling systems currently on  the  market  are

     dependent on analogue processing circuitry, and it is a hard task to

     get a secure system without picture deterioration.



     Videocrypt can encode and decode a picture without degradation.



     The  crux  of  the scrambling system revolves  around  a  patented

     development of Active Line Rotation (Cut and Rotate principle).



     Every  line of the signal is cut at one of a number of points  along

     its  length,  and the point is chosen at random by a  60-bit  pseudo

     random binary sequence generator (PRBS).   As each cut point differs

     from  the next, the signal has no viewing value to  an  unauthorised

     recipient,  but authorised recipients' decoders recode  the  picture

     so that the true state of the unscrambled line is always first  out

     for display.



     The  PRBS is re-seeded at times too, to enhance the security of  the

     system even more.



     Before  this  ALR process can take place, the decoder  needs  to  be

     aware  of  the cut point on each of the transmitted lines;  this  is

     provided  within the encryption process.  Each decoder  utilises  a

     PRBS  which reflects the characteristics of the system so  that  the

     two halves can be synchronised and a viewable picture displayed.
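
     The cut-and-rotate synchronisation described above, modelled as  an
     added  example  (not code from the original article  or  from  the
     Videocrypt designers).   The LFSR tap positions, the byte-to-offset
     mapping,  the  64-sample lines and both seeds are assumptions  made
     for the illustration; the article gives only the 60-bit PRBS width.

```python
"""Toy model of Active Line Rotation: encoder and decoder share a 60-bit PRBS."""

MASK60 = (1 << 60) - 1
SEED_A = 0x0123456789ABCDE   # constructed 60-bit seed shared by both ends
SEED_B = 0x800000000000001   # constructed wrong seed (unauthorised decoder)


class Prbs60:
    """60-bit Fibonacci LFSR. Tap positions (bits 59 and 58) are an assumption
    for this example; the article does not give the real generator."""

    def __init__(self, seed):
        self.state = seed & MASK60
        if self.state == 0:
            raise ValueError("an all-zero state would never leave zero")

    def next_bit(self):
        fb = ((self.state >> 59) ^ (self.state >> 58)) & 1
        self.state = ((self.state << 1) | fb) & MASK60
        return fb

    def next_byte(self):
        value = 0
        for _ in range(8):
            value = (value << 1) | self.next_bit()
        return value


def cut_offset(prbs, line_len):
    """Assumed mapping of one PRBS byte to a cut position in 1..line_len-1."""
    return 1 + prbs.next_byte() % (line_len - 1)


def rotate(line, offset):
    """Cut the line at `offset` and swap the two segments."""
    return line[offset:] + line[:offset]


def scramble(lines, seed):
    """Encoder: each line is cut at its own PRBS-chosen point and rotated."""
    prbs = Prbs60(seed)
    return [rotate(line, cut_offset(prbs, len(line))) for line in lines]


def descramble(lines, seed):
    """Decoder: regenerate the same cut points and rotate each line back."""
    prbs = Prbs60(seed)
    return [rotate(line, len(line) - cut_offset(prbs, len(line)))
            for line in lines]


def process_stream(blocks, seeds, fn):
    """Re-seed the PRBS for every block of lines (the periodic re-seeding)."""
    return [fn(block, seed) for block, seed in zip(blocks, seeds)]


def make_test_frame(lines=4, samples=64):
    """Constructed test picture: each line is a ramp of distinct sample values."""
    return [[16 * y + x for x in range(samples)] for y in range(lines)]


if __name__ == "__main__":
    frame = make_test_frame()
    sent = scramble(frame, SEED_A)
    print("cut offset applied to each line:",
          [line[0] - 16 * y for y, line in enumerate(sent)])
    print("authorised decoder restores picture:",
          descramble(sent, SEED_A) == frame)
    print("decoder with wrong seed restores picture:",
          descramble(sent, SEED_B) == frame)
```

     Every sample survives the rotation unchanged, which is why the scheme
     adds no picture degradation; only the PRBS state separates the two
     decoders.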



     Data is transmitted in a series of over-the-air packets, which looks

     like:



     SYSTEM-----SMART or BLACKLIST



     The  system  comprises  system  data,  including  Fiat-Shamir

     identification information, on-screen display messages,

     fingerprinting and blacklisting data.



     The smart card packet comprises:



     HEADER-----ENCRYPTED DATA-----CHECKSUM



     The  Videocrypt encryption system is based around a  tightly-guarded

     secret  which has defeated system hackers throughout the world.    A

     final control algorithm is central to the system's security and this

     can be changed at will if the system has been hacked.



     Complex calculations are performed within the system in order not to

     compromise its security.



     But  hackers who have attempted to hack the decoder will  be  disap-

     pointed - as there are no secrets held within the system.



     Smart Cards

     The smart card offers great flexibility to the programme  controller

     and the viewer alike, and is the key to the Videocrypt system.



     The  integrated circuits incorporated within the smart card  have  a

     lot  of power and contain EPROM elements which are partially  burned

     during their manufacture.   The ICs are buried within the design  to

     make the system harder to penetrate.



     Smart card block diagram





                   -------     -------     -------
     VCC  ->       - RAM -     - ROM -     -EPROM-
                   -------     -------     -------
                      ^           ^           ^
                             TO AND FROM
                   -------------------------------
     GND  ->       -        INTERNAL BUS         -
                   -------------------------------
                             TO AND FROM
                   -------     -------     -------
                   -8 BIT-     -ANTI -     -S/WRE-
     RST  ->       -CPU  -     -FRAUD-     -CNTRL-
                   -     -     -DVCES-     -I/FCE-
                   -------     -------     -------

                     CLK         VPP         I/O



     Over the air addressing



     Algorithmic  information is transmitted to the viewer over the  air,

     encrypted within the Videocrypt system.



     This data is transmitted within the Vertical Blanking Interval (VBI)

     and  four  lines are employed for active data and  two  others,  one

     white and one black (for test purposes).



     An  application of Non Return To Zero (NRZ) with a  constant  energy

     spectrum maximises the system's characteristics.



     Four picture-sustaining techniques are used to ensure a high quality

     picture.  Bit interleaving, hamming codes, quadruple repetition  and

     check sums are used within the process.



     The  system  can  cope with fringe reception areas  and  will  still

     function correctly with high levels of noise.



     Picture quality



     Picture  quality is paramount for any scrambling system and  due  to

     the  standard being of a digital origin, integrity of the signal  is

     maintained  throughout  the encryption  and  de-encryption  process.

     Amplitude sampling is conducted by the decoder and a 14MHz  internal

     clock  ensures  jitter-free  pictures  and  stable  framing.   A

     digitally derived Automatic Gain Control (AGC) is also included within

     the receiver.



     Scrambling Sound



     Videocrypt  also has the capability of encrypting sound  sources  to

     enhance  the  security  of premium events.  To date  this  level  of

     security has not been utilised by broadcasters.



     The system of spectrum inversion renders the sounds received without

     authorisation  worthless.   Videocrypt  transposes  the  frequencies

     transmitted and this in turn removes distortion of the sound.



     Technical Data

     (supplied by Thomson Consumer Electronics, 1991- subject to change)



     VIDEOCRYPT BASEBAND DECODER

     * Stand alone video decoder

     * On screen display

     * De emphasis switch

     * Authorise button

     * Integrated smart card reader

     * Power indicator



     PAL MODEL

     Video input level             1V +/- 3dB flat and clamped
     Baseband input level          250 mV +/- 3dB, unclamped level
                                   measured at pre-emphasised transition
                                   frequency
     Suitable de-emphasis          CCIR 405-1
     Video output level            1V p.p. into 75 ohms
     Video bandwidth               50Hz - 4.8 MHz -3dB typical
     Line tilt                     <= 1% typical
     Luma/Chroma Delay             +/- 50nS typical
     S/N ratio:                    50dB typical weighted



     CONNECTIONS

     AV Peritel (Scart)
     Audio loopthrough             Left and right
     Pin 8                         High with scrambled video input
                                   Low with clear video input
     Pin 16                        5v 50mA maximum for external
                                   modulator (OPTION)



     MISCELLANEOUS

     Standards                     Designed to IEC 65

     Operating Temperature Range   5-40 C

     Mains Input                   216-255 V AC 50 Hz

     Power Consumption             15W

     Weight                        2.5Kg



     VIDEOCRYPT ENCODER (PAL/SECAM/NTSC)

     * 19" rack mounting

     * Active line cut and rotate

     * Twin or single scrambler

     * Separate power supply

     * Integrated cooling unit

     * Data for control access in the VBI

     * RS232 interface



     Video input level             1V 75 ohm
     Video output level            1V peak to peak +/- 2% 75 ohm
     Line tilt                     0.5% typical
     Base line distortion          0.5% typical
     Chrominance to luminance      3% typical
     2T/Bar ratio                  2% typical
     Synchro level                 1% typical
     S/N ratio RMS weighted        >= 67dB
     Chrominance luminance:
       intermodulation             <= 2%
       differential gain           1% typical
       differential phase          1" typical
       luminance non-linearity     1% typical
       chrominance/luminance delay +/- 10nS typical
       video bandwidth at 3dB      >= 5.8 MHz
     Output DC level               300 mV +/- 50 mV
     Sampling frequency rejection  >- 50dB at 14 MHz
     Number of bits per sample     10



     CONNECTIONS

     Connections to security comp  RS232

     Local VT100 terminal          ditto

     Video in                      BNC 75 ohm

     Scrambled video out           BNC 75 ohm



     MISC

     Local terminal functions are to
       show working parameters
       give warnings
       control                     local
                                   remote
                                   autonomous
       Select scrambling mode      clear
                                   free access
                                   control access



     Mains input low pass filtering

     Audio scrambling using spectrum

     inversion 0dB/600 ohm (optional)



     ENDS





                **** Sky card hacking info 26/06/1993 ***





 



     When  the  VideoCrypt  system was  launched,  the  press  releases 

     claimed that it was the most pirateproof system yet devised.  Some 

     of the people involved in the design of the system claimed that it 

     would  take  billions  of years to break the  codes  used  by  the 

     system.  The usual media journalists swallowed this hook, line and

     sinker. The hackers knew otherwise. 



     The  VideoCrypt  system  is the mainstay of  the  BSkyB  satellite 

     television empire. It is the means by which BSkyB makes its  money 

     from  the  subscribers.  The  basic theory  is  that  they  pay  a 

     subscription  for  the premium channels and they receive  a  smart 

     card.  This smart card, when inserted into the VideoCrypt  decoder 

     will allow the decoder to descramble the channels paid for. It  is 

     also possible for BSkyB to turn off the cards of those subscribers 

     who have not paid.



     Hacking  scrambling systems such as VideoCrypt is a  multi-million 

     pound industry. Due to the present legal situation it is perfectly 

     legal  to hack a channel that originates outside the  UK.  However 

     for someone in the UK to hack a UK originated channel is  illegal. 

     Such mere facts as illegality have never bothered pirates.



     In the last few weeks the impossible has happened. The  VideoCrypt 

     system  has  been  conclusively  hacked. It  is  now  possible  to 

     purchase  a pirate smart card or chip which will allow the  viewer 

     to  descramble Sky Movies Plus, The Movie Channel, Sky  Gold,  Sky 

     Sports and TV Asia. The cost of this pirate card is £99. The price

     in itself is lower than the subscription for the channels.



     Other channels using the VideoCrypt system are worried. According

     to  the  latest  reports, The Adult Channel  and  JSTV  have  been 

     compromised as well. This means that all of the channels currently 

     using  the VideoCrypt system as a fee gathering system  have  just 

     lost control of the market. It is now, well for the moment anyway,

     a pirate's market.



     This  hack is, like all hacks, colourfully named. It is  known  as 

     the "Ho Lee Fook" hack. The joke being that this is generally  the 

     exclamation uttered by people when told of the hack. There are two 

     forms of the hack; a card and a chip. 



     The  card version of the hack is about sixteen millimetres  longer 

     than  the  official BSkyB card. Essentially it is  a  single  chip 

     mounted  on a printed circuit board that plugs directly  into  the 

     VideoCrypt  decoder's card socket. This is the more  user-friendly 

     version as it does not require any modification to the decoder.



     The  chip version does require some modification to  the  decoder. 

     The  official VideoCrypt name for the chip in the decoder is  "The 

     Verifier".  This  chip  has to be removed and  replaced  with  the 

     pirate  chip. The decoder will then decode the scrambled  channels 

     without the need for the BSkyB smart card.



     The  pirate cards and the chips are on sale. It is  believed  that 

     a number of them are already in the UK. Indeed I received one,  in 

     a brown paper envelope, on June the eighth. It is still working.



     The problem for BSkyB and other users of the VideoCrypt system  is 

     not  one of containment. Things have progressed too far for  that. 

     The problem is more serious. Unless they can come up with a  quick 

     fix for the system that will render the Ho Lee Fook hack inactive, 

     they have to replace the smart cards.



     BSkyB  initially set out to replace their smart cards every  three 

     months.  This continual update was, so the theory went,  meant  to 

     deter hackers from trying to hack the system. Fiscal reality has a 

     crushing  effect on such business school theories.



     VideoCrypt   suffered  its  first  real  disaster   when   someone 

     discovered  that by limiting the programming voltage to the  card, 

     it was possible to stop the card being switched off. This hack was 

     known  as the "Infinite Lives" hack. It was an old  computer  term 

     for  a  modification  to  a games program  that  gave  the  player 

     unlimited  lives.  Since  BSkyB could not turn off  the  cards  it 

     seemed an apt name. This hack was followed by a new issue or batch 

     of cards. The "Infinite Lives" hack did not work on the new  cards 

     but a new hack did.



     The KENtucky Fried Chip upped the ante. It was the first time that 

     the  actual  internal  operation of  the  VideoCrypt  decoder  was 

     interfered  with.  It  was a rewritten "Verifier"  chip  that  was 

     programmed to stop the cards being turned off. It did not work  at 

     full efficiency so it was not marketed by the pirates. After  this 

     hack,  BSkyB issued a new batch of cards which was more  resilient 

     to this hack.



     The  current  card  issue is issue 07. The Ho  Lee  Fook  hack  is 

     working  on  this batch. If BSkyB introduce issue 08  cards,  then 

     there  is  the possibility of the hack ceasing to  work.  At  this 

     stage  there is the terrible spectre of the hack being updated  to 

     work  with  the  08  cards.  It is  the  thing  of  which  BSkyB's 

     nightmares are made.



     The issue of new card batches occurs mainly in Spring or Autumn. A 

     Summer launch of the new 08 cards would be unusual. As  VideoCrypt 

     will  be  going to a tiered channel structure in  the  Autumn,  it 

     would  seem  that they have planned an Autumn update. The  Ho  Lee 

     Fook  hack  may force them to bring their plans  forward  by  some 

     three months or so.



     The  confidence  in  a system is not based on how  well  a  system 

     repels hacks but rather on how well a system recovers from  hacks. 

     This  will be a true test of the VideoCrypt system and  its  smart 

     card  based philosophy. The philosophy is that of  the  detachable 

     secure controller. Basically what this means is that if the system 

     is  hacked then all that needs to be done to stop the hack  is  to 

     issue a new card.



     The effect on the confidence of present and prospective users  of

     VideoCrypt is more difficult to gauge. The smart card is the  core 

     of  the  VideoCrypt system. Seeing it replaced by a  pirate  smart 

     card contradicts every claim made in favour of VideoCrypt. It  was 

     not  supposed to be possible. One thing is certain, channels  will 

     now have to look at a scrambling system as only being a  temporary 

     form  of protection that has to be frequently updated. Failure  to 

     do so will be fatal.



     John McCormac

     Author of "European Scrambling Systems 3" ISBN 1-873556-02-0

     Editor of Hack Watch News.

 

                                *** Latest ***





     There is no such thing as coincidence - or is there? On the day that

     the film "Sneakers" was released on video, I received an actual working

     hack for the scrambled Sky channels. The film "Sneakers" is about

     events surrounding a piece of equipment that can hack any cryptosystem.

     The piece of equipment that I received is essentially a chip that can

     hack the Sky VideoCrypt channels. 

     This latest hack on the VideoCrypt system has been labelled the "Ho

     Lee Fook" hack. The reason for this name is more to do with people's

     reaction to the hack rather than its origin, which incidentally is

     Central Europe. 

     This is perhaps the most dangerous hack to have occurred on VideoCrypt

     - it replaces the smart card. In effect it is a new smart card that

     gives access to all the Sky channels. Of course the problem for Sky is

     that it is not a genuine Sky card.



     The card is approximately sixteen millimetres longer than the official

     Sky card. It is a blue printed circuit with a single surface mount

     chip, and five connector pads. The identification numbers on the chip

     have been scrubbed. 

     The standard check for a card of this nature is to look for a wafer

     from an official smart card. In the early days, a fairly common scam

     was to take the chip and connector pad from a valid Sky card, trim away

     the plastic and then put the chip in a DIL header. The DIL header would

     then be blobbed in a lump of black resin so that it looked like an IC.

     The decoder would then have its card reader replaced with an ordinary

     DIL IC socket. Then the decoder and chip would be shown or sold to some

     unsuspecting, if greedy, punter. 

     The chip appeared to be real, with no wafer underneath the body of the

     chip. The actual stubs of the chip die were just visible at the end of

     the chip. It was a genuine chip.



     It has been working steadily for the last few days and there appears

     to have been no kill messages sent to it. If it had been a direct

     clone, Sky would have been able to kill it over the air - or would

     they? 

     Since the people who developed this hack obviously understand the

     operation of the over the air addressing, they may well have designed a

     filter to stop the kill message from having any effect on the pirate

     card. There are of course more devastating implications here. The card

     itself may only contain the data and algorithms necessary to descramble

     the signals. 

     The chip version of this hack is based on the 8752. This Ho Lee Fook

     chip will replace the official 8052 in the decoder. A selling price of

     ninety nine pounds has been mentioned in Germany.



     Nobody is sure what the people in News Datacom are doing about this

     hack. Sky are more than likely very upset that someone has hacked their

     pirateproof system yet again. This is the fifth hack and the image of a

     pirateproof system now only exists in the minds of PR people.







                *** -=Y_HS=- all (c)'s acknowledged ***