Satellite TV Hacking in the 2000’s

Video Statistics and Information

Captions
Hi guys. Maybe I didn't pick the best weather for camping, but at least I think it's not going to rain. So the topic of this video is satellite television, and a particular era in the reception of satellite television in Australia. Right now, in the bush, if you wanted television you'd have a satellite meter right here and a dish somewhere remote. For me, there's the satellite meter, but that'll be set up later with a bigger monitor, a 10 inch monitor on a thing I made, which will also, I guess, explain why I haven't been on YouTube lately. I'll get into that in a sec. But yeah, your dish you'd have somewhere like this, with a clear view to the sky, which I don't have, but it's good enough.

Satellite meters, or satellite finders, aren't what they used to be, thanks to specialized ICs which are total all-in-one DVB-S2 solutions, which provide a set-top box of television and specialized satellite finding software all in a simple small package. VAST set-top boxes are locked to VAST content, so if you've got one of those, it's handy to have one of these satellite meters with HDMI output to plug into a larger screen and have a look at what's out there on other satellites.

So it's an ordinary satellite decoder. Well, it's actually VAST certified, VAST being the service in Australia, the main free-to-air service for regional Australia. 10 inch monitor; there's a little amplifier hidden behind there. Everything's basically bolted onto a box, with nice strain relief for power and some bracketing for the cable there. But to elaborate on the free part: it is registered, and it does have a conditional access system employed, presumably to make sure that the right people see the right advertisements, and licensing for material for particular states. So when you register you tell the government what state you're in and you get a bouquet presumably specific to your state.

I'm quite new to the whole YouTube video story time format, but there is a story to tell, and it's interesting that I can tell it now, because at the time, going back nearly 20 years ago, I was only vaguely aware of the information that I can convey to you in this video. I'm going to put together some of the tools that were commonly used for satellite television piracy, and in Australia that was Foxtel, which is still around, Austar, which is gone now, and before I entered the scene, Galaxy. The latter two, I couldn't say that they're not around because of piracy or widespread piracy. You never know, but there are a lot of reasons why a pay TV company might go bust.

Trying to encourage piracy of the smart card made by NDS's major rival in Australia, a company called Irdeto.

I suppose a pay TV company could just send the plain key to decrypt its encrypted content to the customer in a packet, of course addressed to the customer's card, but it wouldn't be long till someone else fished out that key and put it in an artificial packet addressed to their card. And things did work that way for a while, especially in analog cable systems, for example. A very oversimplified explanation, for the purposes of making a video of course, is that your pay TV provider will send an encrypted key to your card, which contains a card key known to your provider, so therefore it can be predicted to decrypt the plain key, which in turn will decrypt your television.

"Hacking Irdeto is so easy, all you need is," and he rattled off the details.

Was it easy, though? Comments like that tend to get under my skin, because they're made from the perspective of someone who already has the advantage of someone else's tutorials, software and hardware designs, rather than someone who's doing the work from scratch and taking an interest themselves.

In terms of what was needed, it began with an original subscriber card that was provided to you, and these were modified and eventually cloned, so you could make two perfect copies and share subscriptions. But it looks like I've got a dud. It's an engineering sample and doesn't provide a usual answer to reset like a card of its type should. So I was going to demonstrate the process of killing and reanimating, and in that process erasing, an original subscriber card, but I don't think I'm going to find another one in a hurry, so I'm going to move straight on to PIC wafers, the stage where the original subscriber card was emulated. For those who know what I'm talking about, I did give this a whole night to try and reanimate it.

But first, the Phoenix interface, which is the only interface you really need for an original smart card. It's essentially a serial interface, and I've made one especially for this video because my stuff's long gone. Essentially it'll transform one-wire serial communication between the card and the CAM, usually, to a two-wire communication to interface to a PC, and also level shift between RS-232 and the TTL required by the card. And that's your Phoenix interface. Generally it's just a method to talk to the card.

The Phoenix interface got its name because, aside from just sending scripts to cards to send it more channels or to send a new updated encrypted key, it was also used to kill and reanimate cards, and this was done by glitching the power and reset lines. So I've added a 555 circuit to mine to do the same. Pity I won't be able to demonstrate it. And I've also got a manual reset button. The software could control the reset line, so the manual one is just extra. Before all these electronic implementations, the solution was simply to wank the card, and this was called card wanking. The later devices were called electronic wankers, when you didn't have to physically insert and re-insert the card. But yeah, no luck with this one. I've tried it a lot. But that's where the Phoenix interface name comes from: when a card was killed it simply appeared dead and broken, wouldn't respond to anything, and when reanimated through the same procedure it would reply with a proper answer to reset and all of its details would be zeroed, ready for rewriting.

A secret unit within Rupert Murdoch's News Corporation promoted a wave of high-tech piracy in Australia.

And on to PIC wafer cards. These are Microchip PIC16F84A chips with built-in 24LC16B EEPROMs, which are 2K. Pretty cheap and easy to come by now, especially, Jaycar still stock them at a heavily discounted price since this system became obsolete, similarly with the programmer they were selling at the time. Prior to such a refined solution as a PIC wafer card, people also manufactured PIC PCB cards, which would fit in a card slot just the same, with a little chip hanging out. This one was actually manufactured for a particular decoder from a particular TV provider, where the chip would hang out of a little thumb slot so it would fit in with the flap still closed. I might as well throw in this image of the 16F84A card that I took back in the day. I don't know how I got it so good back then. This was just the chip carefully peeled back from the plastic part of the wafer, and in contrast, this one is a genuine card.

As far as any sort of PIC card goes, the PIC has to be programmed before you can communicate with that software serially, and most of that work's done in the PIC programmer, nowadays the PICkit 2. So the programmer for the PIC initially can be pretty simple, and I did a pretty simple job of it. The card's EEPROM isn't directly connected to the card contacts, so any PIC program generally included a loader to program the EEPROM.

It was a systematic campaign from within News Corporation to hack into the systems of its commercial rivals.

I don't want to give away the key decrypt algorithm completely here, because someone out there could still be sensitive about it even though it is obsolete, but I think there is some merit in having a vague understanding of it. I'll give a bit of time explaining a key rotation here, which is similar to a bit shift, or a shift in your favorite programming language. It's a shift right, except the bit that falls off the rightmost position is inserted back into the leftmost position, and also we're dealing with an entire array rather than just a single variable. So if we take the spacing out of this key and put all the bytes together in a single stream of bits, and we take the rightmost bit and shove it in the left, you can see that each step gives us a pattern where we can easily see that the bits are being shifted right. This example being a 10 byte card key having 80 bits, if we bit shifted this key 80 times we'd end up with the same 10 bytes again.

Beginning with the 10 byte card key and the 8 byte encrypted key, both expressed as hexadecimal bytes: the card key bytes are indexed sequentially throughout every step of the algorithm, but the encrypted key bytes aren't always. For the first step, rotate the card key, take the first byte of each key and XOR them. Because the currently indexed card key byte is now even, the result of the XOR is used to retrieve a value from the second of two lookup tables of random byte values. The retrieved table value is then XORed with the encrypted key byte that will be indexed next. At the beginning step of the algorithm this is the second encrypted key byte. And so it goes. The encrypted key has been transformed into a plain key.

This was all part of a corporate strategy to financially the competition, making them ripe for takeover at reduced prices.

In practice a newly created card might be without plain keys, so it would have to be issued an encrypted master key so that it can decrypt its own plain master key. So let's have a look at that process in a program called FM Card. This still shot is just a better view of what the answer to reset should look like, because we missed out on that with the dud original card. Were it working, I'd have used it for this segment, but I'm using an emulator instead. So I'm going to open a script to extract a plain key, just to make sure that we can show you that it's all zeros to begin with. An original card wouldn't support the direct extraction of a plain key, but an emulator has these commands to read directly from EEPROM to make some things easier. And this is a subprogram in FM Card called FM Calc, which can also decrypt keys and produce a card, which is a script CRD file, that can send the encrypted key we want, which will result in the plain key we want, and we can see that that's all twos, the same as in the previous decrypt demo segment. Having sent that to the card, everything's okay. It'll reset and read the common details again, and lastly I'll extract the plain key again so we can see that that has changed to the plain key that we want, which we should be able to read on the screen about now. The card's reply will contain 16 EEPROM bytes, but the key that we can see is there: B7 C3 93 B2 DB A0 F6 E7, which could be checked against the previous segment.

NDS declined to be interviewed, but in a statement they told us that they never authorized or condoned the posting of any code belonging to any competitor on any website.

Just a bit of a distraction: I've got some unfinished business with Roman Black's PIC sound algorithm that I was playing around with back in the day, and I always had an idea to get it working on a wafer card. Here's a Mother's Day card I actually made for my mother back in the day as well, which was a talking greeting card. This will require a bit of actual software debugging, so I've gone and made a proper PIC programmer for the cards and neatened up the first guy. So I had to buy some new card slots, which are seriously marked down at Jaycar as well. I might actually keep this one, it turned out so nice, and the card slots are really high quality as well. They've got a real tactile locking sort of a mechanism in them.

Speaking of back in the day, here's my PIC programmer with built-in Phoenix interface, and back in the day a really handsome man made this mobile card maintainer. This little demo will show an EMK, encrypted master key, being encrypted. After encrypting the plain key that you want, this device should go ahead and send that in a command to the card in its slot directly.

The earliest stage of the PIC sound player hardware: it should be a little simpler than this, but because I'm limited to the 16F84A, which has no internal clock, I've got to drive it externally. I do have an emerald card on the way, which is a 16F628 and 24LC64 EEPROM, so it does have an internal clock and heaps more EEPROM memory. The gold card I'm going to start with only has 2K of EEPROM, so we can only get a real short sample out of it, and that's going to be the Space Invaders shot, which is really just the, and that's like a part of the panel when you blow one up. So it's pretty poor quality sound and always has been. You can fix it up with filtering, but yeah, I haven't really bothered too much, but I have got an LM386 amplifier before.

The inserted news clips are telling the story that I'm thinking they are: they're in support of what I believe, which is that the system in question, which I've never mentioned by name in this clip, was professionally hacked. It was a paid job by NDS, in another country, in Australia and other places around the world. By the time it became a thing in Australia we could already get our information from Germany, for example, who had been doing it previously.

Admittedly I've grossly oversimplified a lot in this video, like the fact that your plain key is really another master key which is used to further decrypt more keys for decrypting video, and I've largely ignored the existence of conditional access modules, which can either be a separate PCMCIA card or just built into a decoder, embedded, which is becoming far more common now. A CAM mainly filters out packets that aren't being issued to your card and initially interrogates your card to make sure it's genuine.

One of them ran a hacker's website from a house in Cornwall. He says the site was bought and then controlled by NDS's operational security.

In the very early 2000s there was a website called The House of Ill Compute. Sometimes in Australia it was mistaken for the home of internet communication, because it was known as THOIC. Rumor has it, and the evidence suggests, that it was paid for by NDS as a way to proliferate the, I won't say the name, but the particular satellite encryption hack around the world. It was always denied by Lee Gibling on his actual site, but later on in news articles he came clean and then always admitted that this was going on, and emails would be sent from the site back to NDS so they knew what was going on with every sort of hack. They were keeping up with not only the one in question, the subject of this video, but others as well. It blew up one day because the emails on his personal computer leaked, and word of this got back to the site, as well as the actual CDs themselves, so that moderators could go fishing through the emails. I've actually got an HTML snapshot of the entire thread where it all blew up in the moderators' lounge, which is a pretty hard thing, a fluky thing, to have in my possession, and Lee Gibling, in his very last post, denied it in that very thread. Here's the thread in the moderators' lounge, which was also accessible to NDS, where a bunch of people have found their own communications on a CD which has been passed on to NDS, so you can imagine the shock, and Lee Gibling's last post still denies it.

Well, there you go. I hope you enjoyed that one. It was a bit of a long one for me, about a week all up from start to finish in real time. Don't forget, if you like any of my videos, to check the description later on, because sometimes I add additional unlisted videos with links in the description of the public relevant video, and I mention it now because that's likely to happen to this one. Anyway, I'm off camping, and then I'll have a shave. See you next time.
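
Added illustration, not part of the video or its captions: the key rotation described in the captions, written as a one-bit rotate right across a whole byte array, with a check that a 10-byte (80-bit) key returns to its starting bytes after 80 rotations. The sample key bytes and function names are constructed for this example; the lookup tables and the remaining decrypt steps are not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 10 /* 10-byte card key = 80 bits, as in the captions */

/* Rotate the whole array right by one bit: every bit moves one place
 * to the right, and the bit that falls off the last byte re-enters
 * as the top bit of the first byte. */
void rotate_right_1(uint8_t *key, size_t len)
{
    if (len == 0) return;
    uint8_t carry = key[len - 1] & 1u;      /* bit leaving the right end */
    for (size_t i = 0; i < len; i++) {
        uint8_t next = key[i] & 1u;         /* bit this byte hands on */
        key[i] = (uint8_t)((key[i] >> 1) | (carry << 7));
        carry = next;
    }
}

/* Count one-bit rotations until the array equals its starting value
 * again. The result always divides len * 8. */
unsigned rotation_period(const uint8_t *key, size_t len)
{
    uint8_t work[64];
    if (len == 0 || len > sizeof work) return 0;
    memcpy(work, key, len);
    unsigned n = 0;
    do { rotate_right_1(work, len); n++; } while (memcmp(work, key, len) != 0);
    return n;
}

int main(void)
{
    /* Constructed sample key, not a real card key. */
    uint8_t key[KEY_LEN] = {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,0x10,0x32};
    for (int step = 0; step < 4; step++) {  /* show the first few steps */
        for (size_t i = 0; i < KEY_LEN; i++) printf("%02X ", key[i]);
        putchar('\n');
        rotate_right_1(key, KEY_LEN);
    }
    printf("period: %u rotations\n", rotation_period(key, KEY_LEN));
    return 0;
}
```

A key with a repeating bit pattern comes back sooner than 80 steps, which is why `rotation_period` measures the period instead of assuming it.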
Info
Channel: Brek Martin
Views: 49,554
Id: CmAnCzquo64
Length: 19min 23sec (1163 seconds)
Published: Sun Jan 03 2021