DirecTV's Secret War On Hackers

Belch writes "4 or more years ago DirecTV launched its service. DirecTV was one of the very first large distributors of smart card technology in their product. So much so, that Hughes corp. (the primary owner of DirecTV) decided to create their own smart cards. Each receiver has a smart card located inside that is keyed to the subscriber, and actively participates in the decryption of the digital satellite video stream. However, considering Hughes decided on this technology when it was virtually in its infancy, they made several mistakes. The hacker community caught onto these mistakes, and there has been a war between DirecTV and the hacking community ever since. For the past two or more years, it was apparent the hacking community would win this war, completely opening the DirecTV signal. However, over the last 6 months, DirecTV has fought back with a vengeance, displaying the most extensive technical campaign against the hacking of their product..." Click through for the rest of the story.

"Allow me to give you some background.

"One of the original smart cards, entitled 'H' cards for Hughes, had design flaws which were discovered by the hacking community. These flaws enabled the extremely bright hacking community to reverse engineer their design, and to create smart card writers. The writers enabled the hackers to read and write to the smart card, and allowed them to change their subscription model to receive all the channels. Since the technology of satellite television is broadcast only, meaning you cannot send information TO the satellite, the system requires a phone line to communicate with DirecTV. The hackers could re-write their smart cards and receive all the channels, and unplug their phone lines leaving no way for DirecTV to track the abuse. DirecTV had built a mechanism into their system that allowed the updating of these smart cards through the satellite stream. Every receiver was designed to 'apply' these updates when it received them to the cards. DirecTV applied updates that looked for hacked cards, and then attempted to destroy the cards by writing updates that disabled them. The hacking community replied with yet another piece of hardware, an 'unlooper,' that repaired the damage. The hacker community then designed software that trojanized the card, and removed the capability of the receivers to update the card. DirecTV could only send updates to the cards, and then require the updates be present in order to receive video. Each month or so, DirecTV would send an update. 10 or 15 minutes later, the hacking community would update the software to work around the latest fixes. This was the status quo for almost two years. 'H' cards regularly sold on eBay for over $400.00. It was apparent that DirecTV had lost this battle, relegating DirecTV to hunting down Web sites that discussed their product and using their legal team to sue and intimidate them into submission.

"Four months ago, however, DirecTV began sending several updates at a time, breaking their pattern. While the hacking community was able to bypass these batches, they did not understand the reasoning behind them. Never before had DirecTV sent 4 and 5 updates at a time, yet alone send these batches every week. Many postulated they were simply trying to annoy the community into submission. The updates contained useless pieces of computer code that were then required to be present on the card in order to receive the transmission. The hacking community accommodated this in their software, applying these updates in their hacking software. Not until the final batch of updates were sent through the stream did the hacking community understand DirecTV. Like a final piece of a puzzle allowing the entire picture, the final updates made all the useless bits of computer code join into a dynamic program, existing on the card itself. This dynamic program changed the entire way the older technology worked. In a masterful, planned, and orchestrated manner, DirecTV had updated the old and ailing technology. The hacking community responded, but cautiously, understanding that this new ability for DirecTV to apply more advanced logic in the receiver was a dangerous new weapon. It was still possible to bypass the protections and receive the programming, but DirecTV had not pulled the trigger of this new weapon.

"Last Sunday night, at 8:30 pm est, DirecTV fired their new gun. One week before the Super Bowl, DirecTV launched a series of attacks against the hackers of their product. DirecTV sent programmatic code in the stream, using their new dynamic code ally, that hunted down hacked smart cards and destroyed them. The IRC DirecTV channels overflowed with thousands of people who had lost the ability to watch their stolen TV. The hacking community by and large lost not only their ability to watch TV, but the cards themselves were likely permanently destroyed. Some estimate that in one evening, 100,000 smart cards were destroyed, removing 98% of the hacking communities' ability to steal their signal. To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack. The first 8 computer bytes of all hacked cards were rewritten to read "GAME OVER".

"For more information, visit http://www.hackhu.com."

Re:finally

but stealing tv is wrong

I am so sick of this attitude! It is not "stealing TV". When you steal something, the person that you stole it from no longer possesses it. An example of stealing TV would be smashing a shop window, grabbing a television set under your arm, and running. This is by no means the same thing.

DirecTV are broadcasting their signal over satellite. Whether you pay for their service or not, it gets beamed into your property. If you have a dish, you will pick up the signal. If you happen to have the means of decoding this signal, you can watch their TV shows. How is this stealing? This is no more stealing that watching the Superbowl at a friend's place because he has DirecTV and you don't. Are you "stealing TV is wrong" advocates suggesting that DirecTV should send agents round to their subscribers houses to issue them with an extra pay-per-view bill for any of their friends who happen to be parked on the couch with a bag of doritos watching the game?

No, this is an outrageous abuse. If DirecTV don't have a business model which can earn them a profit as they beam their signal into EVERYONE'S airspace, then they shouldn't be in business, end of story. Or, as they would say, "game over".

not stealing

I'm noticing a distinct pro-Hughes sentiment here. Personally, I see nothing wrong in recieving signals from the air and decrypting them.

Please consider this for a moment: Hughes is bombarding us with their electromagnetic emissions... why shouldn't we be allowed to receive and decrypt them?

I really don't see how this is much different than DeCSS, which seems to enjoy the support of the Slashdot community.

So... stealing motion picture studios' work is OK, but it's wrong to intercept and decrypt electromagnetic signals broadcast through the air? Signals that are being absorbed by our bodies, with still unknown effects.

I'll buy the idea that people shouldn't 'steal' DirecTV's signal when DirecTV allows me a way to opt out of being hit with their sattelite beams. (Please don't suggest that I wear a tinfoil hat. ;)

LASTLY, I haven't seen any mention of how these counter measures have affected paying customers. I know several legit DirecTV subscribers who had their cards stop working after Black Sunday. How does anyone feel about that?

Is it OK for DirecTV to inconvenience paying customers in the course of their battle with the hackers? How many 'civilian casualties' will be tolerated? And is DirecTV going to be giving these people refunds? Probably... if they spend an hour or two on the phone. The customer's time isn't important anyways, right? As long as they're paying their bill...

NorthSat and DTV

Most of the comments see to be along the lines of "kudos to Hughes/DTV for beating the hackers at their own game and not resorting to lawyers"

Well, That may not be how it actually went down.

In October the guy who ran Northsat in Canada got raided. There was a consent decreee, and as part of his plea bargain he agreed to act as a consultant to DirecTV.

Although DTV had already been busy implementing the dynamic code, many old timers claim that they see dean's hand in the 4 (that's right 4, not one) ECM's that came down starting last sunday.

So it would seem that the legal system allowed DTV to force a hacker to destroy part of his own creation. Not a clear cut case of DTV defeating pirates with their own engineers. Guess he shouldn't have have a bunch drugs and cash in his house when they raided him hehe.

http://www.legal-rights.org/northsat.html
http://www.legal-rights.org/newspapers/northsat. ht ml

Agree - Re:It's not wrong to figure it out...

In fact since most of us DONT get DirectTV and are STILL constantly bathed in its RF emissions Hughes is in the wrong, if anyone is. Mind you, I don't have a problem with them sending the bits to their own subscribers. The fact they they chose a CHEAPER method of distribution to increase their own profits opens them up to this.

Anything being broadcast non-interactively(not two-way like say, a cordless phone), whether tv, radio, or otherwise, is like air as far as I'm concerned. i.e. Not any company's but the peoples.

If the company doesn't like that, make their own customers use over priced less effective measures, like cable, spread spectrum, or other methods.

If the cost of that makes it unprofitable, so be it. The Constitution (Sorry, US centric) gives the right to the PURSUIT of happiness, not the right to it. THere is a difference. Similarly, Hughes can try to make money by giving a service worth paying for. They're not entitled to just because they spent a lot of money.

Think about it. If I fire radiation at your home 24/7 without you asking for it (paying subscribing whatever, and that IS what radio/broadcast energy is) you should have the ability to do whatever you want with it.

They are NOT STEALING. Stealing implies taking something away from someone else. As in they no longer have an object they previously did. These peeople went out and bought their own satellites, smartcards and gizmos. They can fdo anything they want with them.

Xerox did not have to pay all the scribes who were put out of work by copiers, nor did the guy who came up with carbon paper. Just because you used to be able to make money doing something once does not mean you are entitled to keep making money off it forever.

Oooo.

So, the big nasty corporation solves its problem with hacks of fiendish ingenuity whereupon the 'hackers' bury them in lawyers? *g*

Riiiiiiight....

Re:Stealing? No.

Sooo...

You wouldn't care if I set up a listening post to hear any wireless stuff going on in your house, right? You probably don't care about Echelon and various Internet-based listening posts monitoring your e-mail and where you surf, right?

After all, you are sending your data out over shared space, and if I feel like manipulating it *however I want*, that should be my right.

It's not whether you win or lose...

It's how you play the game. Hughes deserves props for doing this the right way - by outsmarting the pirates. Unlike some other industries who combat piracy by buying laws that take away everyone's freedoms just to protect themselves, or force everyone to sell crippled hardware so that their precious media can't be used in a way they don't approve of, these guys stayed with an existing technology and made it work in the face of rampant piracy. My hat's off.

Nice! Enthralling, Well-written, Engaging Story

Rob and the gang,

Congratualations on a well-written, engaging news story. Clear, concise, interesting with thrilling narrative, factually informative. This entry is a model for all good Slashdot entries.

Thanks.

Re:"Hackers"?

I disagree.

As others have pointed out Hughes is sending the signal to hackers. In fact, they want to send it to nearly everyone, ideally. Furthermore they're sending it as a broadcast radio signal, and that's a public resource.

If you proceed with your logic, you imply that it would be illegal to read billboards on the side of the road (ideally for this argument in the state-owned right of way) if the whim of the owner was that you weren't allowed.

Just as there is a right to free speech, there MUST be in order to actually have such a right function, an equally absolute right to listen. Otherwise you're supporting the opinion that you have a right to free speech, but if the government finds it inconvenient, people who listen can be arrested. (despite the speaker going free) This is a nonsensical propisition you're making, I think we'll all agree.

If a communication is privileged or there is an expectation of privacy (e.g. whispering, talking in a way that cannot reasonably be intercepted outside your home, lawyer-client discussions) I can see making that a minor crime. Generally one that's worse for the government (e.g. tapping w/o a warrant) than individuals.

But sending data across a public medium to virtually the entire continent does not strike me as private. Even the Internet is not private - it's a network of other, smaller networks, and it's hardly possible to believe that communications across it are automatically private. Certainly the most esteemed privacy/encryption experts on the net don't think so.

Once someone recieves such a stream - particularly if it was sent so that they, their neighbors and their countrymen could recieve it - I don't see how it's Hughes' business what's done with it. If they wish to prevent people from seeing it, the best way is to not send it to them at all. The second best way is to heavily encrypt it, but encryption is not a guarantee. It also means that Hughes' business is not TV but decryption software. If someone manages to put out an RE'd version w/o infringing on patents, then that's their right too. We rely on that right to have microcomputers that aren't all sold by IBM.

And furthermore, in Canada, which is what we're discussing, the people there explicitly DO have the right to watch broadcast signals. There's just no two ways about it there. If the law in Pottsylvania were that TV broadcasters had to give out free TV sets to people in order to have a license to broadcast then Hughes would have to either stop broadcasting to them, or start handing out the sets; it doesn't matter if the law is different than US law, sovereign states have the right to have different laws.

This story is very incomplete....

Alright, while the story above is 'correct', it's something like reading chapter 6 of a 12 chapter novel, and claiming to understand everything. Alot more has been going on than is shown here. In the beginning, as it were, was the F card. This card was a dumb eeprom, and was hacked so fast it must have made DTV's head spin. The video stream at this time was un-encrypted, and you merely had to convince your receiver to show the channels. This lasted about a year or two, and then a new card began appearing, this was the H series card. This card had a dedicated ASIC on it for decryptiing scrambled content. It was also a 'smart' smartcard, in that it tried to think about commands that were sent to it, and had some basic functions (read, write, compare, etc) that could be called on. Eventually, DTV mailed out new cards to all valid F card owners, and completely removed the older card from service. They also switched to an encrypted video stream, and that was the end of the F card. This new H card was trickier to deal with, but at this time Hughes, who owned DTV, had made another mistake. This was the same card used in some european digital satellite systems, and a great deal of information was alreayd available on it. Hacking it (and these people were hackers, in that they had to reverse engineer a 'black box' device only by watching how DTV interacted with it, even if they used their knowledge for less than stellar purposes.) took less time than DTV would have thought. This is what went on for the years leading up to this story, in that the hackers would enable some new security hole, and DTV would send down an update to close it. Eventually though, DTV realized that there were an unlimited number of holes that could be opened, due to a flaw in the memory checking on the card, (large values would roll back over to zero) and that the programming hardware needed to work with these card had become cheap enough to be a mass market. About this time, DTV went quiet, and the community that hadgrown up around priating DTV satellite signals began to get fat and lazy. When DTV started up again, this time patching the firmware in the receivers to test the H cards unique ID against a list of known bad ID's, and to lock out bad cards if they were found, alot of people were caught by surprise. It was easy enough to overcome this problem, in that you could copy a valid, subscribed cards ID onto an unsubscribed card. Called cloning, this technique had definciecies that had been known for some time, in that part of the cards unique ID was stored into a write once area of the cards EPROM, and couldn't be changed, only masked. Since DTV seemed to have stopped sending down card updates, cloning became popular. In fact, it became the way of doing things. Looking back, it is easy to see how DTV set everyone up for this, allowing cloning to become rampant, because they knew how to kill it. When DTV started up the updates again, some of the original hackers warned heavily against cloning, saying this was tge beggining of the end. Most people, however, were content to simply update to the latest way of activating their cloned card, and content to ignore the number of updates piling up on their card. Once the updates were complete, those early hackers really began to scream about what was going to happen, but still no one listened. And, in the end, it did happen. What DTV did was send down a packet of information, that said: Take this address, and store it in this new location. Then, using the basic features of the card, compare that adress we just stored to an adress at this memory location. If they match, do nothing. If they don't match, set this memory pointer to location X, instead of location Y, where X is a specific part of WRITE ONCE memory. Another packet came along, and said, write some stuff to this memory location (the 'GAME OVER' in this case). If the memory pointer had changed to a write once area, too bad. If not, it was harmless. What was the card comparing? the ID reported by the card and the ID actually valid for the card. This type of kill was instant and deadly. It was also 100% safe, in that anyone using a clonned card was garunteed to be priating the service, and the packet would not, under any circumstance, hurt a valid subscribers H series card. It was so deadly because the area written too is part of the cards boot process. When it first receives power, the card no longer starts in a valid state, instead spitting out useless garbage. There is no way to write to this memory location again, and there is no way to change the cards boot process, because it happens before the interface comes up. I don't believe a magic bullet killed kennedy, but this magic bullet certainly killed all these cards. Well, all is not lost, because a while back, DTV ran out of valid ID's for a H series card, and had to make a new card, dubbed HU. This card is much trickier and much smarter than the H card, but it may also have flaws that can be exploited. Only time will tell, but in a sort of ironic twist, this is again a card from europe. Maybe the american hackers will get another helping hand from oversees, and maybe not. Primitive hacks for it have already started appearing, and the game of tit for tat is already being played out, as DTV shuts down early HU hacks. Don't hold your breath though, the card has remained unhacked in europe for some time. I hope this clears up some mystery. AS DTV did well this time, but they've made huge mistakes int h past that onlye ncouraged hackers to use their knwoledge to priate the system, it was, if you will, a sort of contempt. It was so easy, it was like DTV was daring you to do it.

Re:finally

If you want to design and build your own DirecTV-compatible dish and receiver from components, and write software for it that decodes the video stream, then hooking it up to your TV set and watching for free is not theft in my book. The signals are, as you point out, passing through your property, and you were smart enough to figure out how to do something with them. Enjoy. Hell, get Dish Network too, while you're at it.

But taking DirecTV's own receiver, only made for the purpose of viewing their service by subscription, and then modifying it for free service is theft, plain and simple. By your standard, there should only be free broadcast service (over-the-air commecial TV), because anything else is and should be open for the taking to anyone who can hack a receiver or get their hands on a modded card.

If that's the case, forget pay-per-view (what - life without Wrestlemania?), forget all the premium commercial-free services like HBO - and forget pretty much any reception at all anywhere other than in and near urban areas.

There's a big difference between fair use and theft of service. I should be able to record off my DTV, time-shift as I like with my VCR or Tivo, and not rely on analog streams to do so if everything I have is digital. But there's nothing inherently wrong with paying to get that signal into my house to begin with, so long as I can re-use what I paid for. A different point entirely.

- -Josh Turiel

You know, I think I'm with DirecTV on this

On one side, you have folks who hack the hardware to get free service.

On the other side, you have a company that sells a dish and programming, at pretty reasonable prices compared to cable rates, and wants to get paid for their goods.

Given that's it's at an interesting intellectual game at best to figure out how to hack a DTV smart card system, and theft of service at worst, it just appears that DirecTV has figured out how to win the cat and mouse game once and for all. Good for them. If DirecTV was the only form of television service available (ie., a monopoly), I'd look on theft of service a little more tolerantly, but there's all sorts of TV alternatives out there - broadcast, cable, and other satelite providers.

This is different from, say, the i-Opener hack because the i-Opener hack was fundamentally about hardware. Buying the box did not incur an obligation to use the service (due to a mistake on Netpliance's part), and the hack didn't allow you to steal their service - it allowed you to re-purpose the hardware. That would be like hacking a DirecTV box to work with Dish Network instead. A cool, "because it's there" hack.

So if DirecTV won the war, more power to them. There may be a fine line between hacking and theft at times, but hacking a DTV smart card for free service is definitely on the wrong side of that line.

Besides, stuff like descramblers and smartcards are usually what spammers are filling my emailbox with, and I hate spammers! :-)

- -Josh Turiel

Re:Three Cheers for Hughes!

As a DirecTV subscriber (who pays for the stuff) I agree 100%. Obviously the Hughes engineers are some damn smart guys, and the TV pirates (let's use the right terminology here - /. gets caught up about "hackers" not being evil enough that it's ridiculous to call the pirates that) are not as smart.

I have zero respect for these pirates. They could be applying their skills to the next piece of free software, while instead they're just trying to get free TV. What a waste.

Nice to see, for a change

Damn but it's nice to see a company that's willing to fight on the technical ground rather than running to its lawyers at the first sign of trouble. That's downright brave and honourable, there.

Say what you may about the real and supposed sins of DirecTV and its crackers, they were fighting the war on its technical merits rather than with hordes of lawyers. That's good stuff. It's nice to see a company with the integrity to defend itself within its market and its product rather than look for protection from above.
--G

If this is true...

...it is a thing of beauty... Not because of who won or lost, but because of the elegance with which it was done!

[someone should forward this article to the "Beautiful code" guy!]

Three Cheers for Hughes!

First of all, let's point out here that what this little story refers to as "hackers" are actually "pirates".

Secondly, what the Hughes technicians did was far more worthy of the term "hack". It stands out simply because it was the "big nasty corporation" who turned the technical tables on the crackers, and defeated them.

The whole thing smacks of genius - the subtlety, (in sending out the updates in a fragmented manner), the timing (ambushing the pirates a week before one of the biggest US TV events), the technical brilliance - all these are trait too often missing in so-called "hackers".

Respect to the Hughes guys.

D.

Good job, but we're still pissed about HDTV-CP!

It's interesting. This morning's prevailing opinion of Hughes/DirecTV is that they engineered a cool hack and beat TV pirates at their own game.

Yesterday, we were discussing how we can hack new DirecTV tuners to allow HDTV resolution on analog ports.

Does anyone else appreciate the irony of both events happening in the same week?

Re:For hackers its just a game

Ummm... bullshit! I know more than one legitimate DirecTV subscriber who was knocked off by these ECMs.

Taking out the hackers in only one of Hughes goals with these ECMS. The other was to destroy ALL H-cards, thus forcing their paying customers into upgrading to the HU cards.

But I'm sure they're _real_ sorry for whatever inconvenience they've caused people.

I don't know where you get your information, but they did not destroy all H cards last Sunday. My trusty old Sony SAT-B2 receiver came with an H card, and it still works fine. But I'm a legitimate paying DirecTV customer. Are you sure your friends were really legit?

As soon as I can convince my wife to allow it, I'm gonna upgrade to the Sony SAT-T60 receiver with TiVo -- recording the MPEG streams straight off the satellite is very cool, and I'm dying for that 14-day advance program guide. (I was very annoyed with DirecTV for cutting the guide from 3 days to under 2!) Maybe I'll sell the old Sony receiver after that; the remote codes may conflict with the new Sony, plus the SAT-T60 actually has two DirecTV tuners in it! (But the second one won't work until TiVo gets their act together and updates their software to handle it...)

Re:"Hackers"?

The point is that the signal is broadcast to *everyone*, not just paying customers.
You're not /stealing/ it, you're merely using a signal in a way that goes against what the originator intended.
I don't see this as 'theft' in any way - denying *potential* profits, yes, but not theft.

IMO, Hughes did the Right Thing.
The crackers cracked their signal, so they cracked the crackers cracks. I think that's pretty nifty.

--K

Re:It's not wrong to figure it out...

It's true that DirecTV doesn't have as much money as they otherwise would; but it does not necessarily follow that anything has been stolen from them. Many other events could result in them not getting as much money - an economic slowdown, a competitor with a better product, or even a nasty rumor that their satellites are really being used to track people for the sinister purposes of Major League Baseball. Just the fact that they don't have as much money doesn't make it stealing.

In the normal understanding of a "theft of service", somebody is still out of some physical quantity that they would otherwise have charged for and that they do not just hand out to all and sundry. Theft of cable TV service, for example (and according to the TV industry at least) steals from your neighbors by degrading their picture quality (a measurable, quantifiable thing). Spam is a theft of network resources and hardware resources on a mail server that your ISP charges you to maintain. Trojans or worms are thefts of service in almost the same way, by consuming network bandwidth and host processing power which somebody paid for and somebody else is getting charged for.

But receiving unauthorized satellite broadcasts doesn't deprive anyone of something they are being charged for. Your neighbor's signal is not any more degraded, DirecTV doesn't have to spend any more money than they would have otherwise to achieve national coverage, and the producers of the TV content are already getting paid by DirecTV under terms that were mutually agreeable to both of them. From all of these people's perspective, things are just the same as if you didn't have a DirecTV at all.

This doesn't mean that I disapprove of Hughes' actions in this case - I think they are entirely within their rights to police their hardware under any means that are permissible under the contracts they have with DirecTV subscribers, assuming that they have such contracts (although I don't think they have the right to modify the customer's lawfully purchased software or hardware without the customer's permission in the absence of a contract allowing it). I just don't think Hughes should be surprised when other individuals make use of the bits that DirecTV is flinging around so profligately, considering that those bits would just "go to waste" anyway.

I have to add, though, that it's nice to see a company whose initial response was not "send in the lawyers". Duking it out hacker a hacker is the way to go on this, and so much more entertaining for the rest of us without DirecTV or the inclination to hack one.

Re:It's not wrong to figure it out...

I'm curious as to how this is really a theft of service. When that term is applied to spam, for instance, the theft occurs when spammers use up the bandwidth of their relays and the time and hardware of the targeted ISPs. In that case you can point to the extra costs that were required based on the actions of the thieves.

However, this satellite broadcast is streaming through all of us all the time. Does just possessing the knowledge to decode these ambient bits somehow make a person a thief? I'll agree that it's unfair to the legit DirecTV subscribers to have to pay for a service that some are getting for free, but I don't agree that decoding bits that are normally present in the environment is theft.

Re:If this is true...

Exactly! DirecTV did fall back to lawyers for a bit, but in general they did the absolute correct thing--fix the damned problem. Mad props to the proigrammer/team that handled the multipart code. If only more companies would respond to security threats and other flaws by fixing them instead of legally snuffing out their discoverers.

Re:"Hackers"?

You have no right to make a profit.

Nobody can steal that which you have given them for free.

Just because you came up with some "clever" business model that involves charging people money for services, that does not entitle you to compensation from people who figure out how to provide this service for themselves.

I am deeply disturbed to see this bullshit perpetuated by someone outside the US. Previously, I had been operating on the assumption (obviously false) that "the right of a business to make money" was confined to the US.

Once again, for the slow ones: you do not have a right to make a profit, no matter how clever you may think you are, and no matter how long you've been making a profit in the past. If someone out there catches on to your scheme and bypasses it, you lose.

(With all that said, I have to applaud the hackers who work for DirecTV. Unlike certain other industries, they didn't resort to dirty tricks or underhanded legislation -- they simply used what they had, and ingeniously too. I'm not ranting against DirecTV here -- I'm ranting against all those who thought that the H-card hackers were "stealing".)

"Hackers"?

For all the noise that /. makes over the user of Hacker vs. Cracker, one would think that stealing services would fall into the latter category. While I think that the reverse engineering and cleverness involved in cracking the smartcards is quite impressive, I see no noble motivation, just stealing a service that is quite expensive to develop and provide. The real Hackers in this story work for Hughes.

Actually, I *can* do most of those things perfectl

To answer your questions.
YES.

1) yes. Actually, I am 100% allowed by law, in Canada, to listen to your analog cellular calls. Cellphone companies tried to change this, but the crtc was firm: you have no reasonable expectation of privacy by transmitting on public airwaves using standard modulation.
Now.. with Digital phones, and specifically, with Encryption this changes. Under Canadian law, encryption wrapping the conversation indicates that you have a reasonable expectation of privacy, and someone violating that woudl be violating your rights.
Note that the only reason it's protected is because it is encrypted AND because it is a conversation. Satellite broadcast is not the same thing.

Taking photographs, again. If what I see is visible from somewhere I'm legally allowed to be, I'm allowed to take photographs of it. I can photograph anything that can be seen from somewhere I'm allowed to be, especially a public street or my own property.

And regarding 'shotgun' mikes, it depends. If I can hear the conversation of you yelling at your wife, and I'm simply using the mike to amplify it, then I am within my rights to record it. If I can't hear you at all, and use the mike to snoop on you, then that's illegal, because you have a reasonable expectation of privacy.

Stealing? No.

Sorry... I have to draw a line here. Perhaps it's my Canadian blood talking.. but...

I respect that they put up the satellite, and started the TV service.. however....

THey are broadcasting signals over PUBLIC airspace, including INTO MY YARD. If I feel like putting up a dish to capture that signal and manipulate it *however I want* within my own property, that should be my absolute right (though the law may not agree). If they don't want me to receive the signal, don't broadcast it into my yard. PERIOD.

THe airwaves are PUBLIC.

Re:Stealing? No.

Actually, no, I wouldn't care. Seriously.

I firmly believe that if you broadcast something on public airwaves, then you have no right to expect privacy. I *know* when I use my cordless phone that anyone who wants can listen in.

I also know that when I transmit cleartext data over the internet (like this slashdot post), it is going into a network that I have *no control* over, because I don't own it. I *assume* that someone is listening in. If I want nobody to listen to my conversations, I use encryption, hoping that deters them somewhat, though I'm still aware someone could be intercepting it and decrypting it if they are capable.
As for manipulation...

If I'm broadcasting through your network, and you want to sniff my info and manipulate/decrypt it, and there is no standing agreement that you won't ever do this... go right ahead. If you *DO* anything with that information outside your own brain/house.. THEN I'll have a problem with it, but not because you intercepted it.

Re:"Hackers"?

In Canada it is completely legal to decrypt the DirecTV signal. Because of antiquated laws governing the sale of content in Canada, we are not allowed to purchase the programming from Hughes. Instead we are forced to purchase from one of two local companies that offer a smaller selection and that force us to pay for unwanted Canadian content.

In Canadian law however, it is legal to decrypt a satelite signal provided that it cannot be legally paid for. We cannot legally purchase and pay for the DirecTV stream and thus we are legally and morally entitled to decrypt and watch the DirecTV stream.

So whereas Americans who attempt to decrypt the signal can indeed be considered "crackers", the Canadians that have been victimized by the Canadian government and Hughes are "Hackers". We have done nothing wrong and are being punished for it.

-

DirecTV is very cool about this whole situation.

Honestly, DirecTV is very cool about this situation. They even have a guy on alt.dss.hack that TALKS to the hackers and actually goes about in conversation with them. They truly look at this as a game of chess, and I was always intrigued by the complexity of the "war" at times.

To show you how cool things have become... The latest trend in DSS is using emulation software on a PC to intercept the signal and then sending it to your reciever. It truly is an innovative solution!

I swear, words like ECMs (Electronic Counter Measures) that literally destroy cards, and Unloopers (thinks that fix "looped" or destroyed cards") really make this feel like some hollywood hacker movie. But it's not. It's for real! Damn, that is just too cool!

-Nick

So the hackers got hacked.

This is the perfect solution to a nagging problem.
Direct TV sells a service. They make money from
the sale of this service, and they provide the
infrastructure, the broadcast, the hardware, etc.

Then, a bunch of kids decide that they want what
DirectTV has, but not at their terms. So they steal
the service. Yes, they stole it. Hell, they
admit it in the article.

So what does DirectTV do? They beat the hackers at their
own game. They outplay, outsmart, and outfox them.

Bravo. They protected themselves and their market
share in the best way possible. In the end, we
can all appreciate the beauty of this particular hack.

Re:finally

Actually, you *are* taking something from them. If you subscribe to thier service, they know what channels you are capable of watching, and can tell the actual HBO people (for instance) that they have 18 million viewers and want to be billed as such (I can only think that as the number of viewers increases the actual cost to the provider decreases due to an increase in effectiveness of advirtising). So its not JUST your monthly billing statement that they are losing out on.

So if they increase thier profits by having more subscribers, you *are* stealing from them, in a very real sense.

Dirk

And so it begins.

It appears that hackers are now considering a piece of hardware that sits between the DSS receiver and the smart card [hackhu.com]. It would emulate the damaged area of memory and, presumably, prevent that area from being written to again. You didn't really think the game was over, did you?

Re:So the hackers got hacked.

what if this happened in the software world? Where ID did this to quake, and somehow quake had an update, and they end up updating in such a way that the pirate/cracked versions are destroyed. Would people be screaming about their privacy being violated?

Re:For hackers its just a game

if you read a lot, you will see that there is a way around this, emulation, basically what happens is that a PROM gets written to, by using emulation to emulate that PROM, we can reverse all the bits DirecTV's toggled back to the original, it is not theortical, it is already out there, those who were smart to get it early are not crying now. But I am sure DirecTV will come up with a smart idea, in the console world, it is possible to write game that can detect different kind of emulators. So they might write code that can detect an emulator. i.e, Emulators usually don't emulate bugs in hardware. ;) It is amazing how a bug in hardware can be used for useful things. :D

Recent Law has Changed

At one time in America, it was legal for you to hack and decode any signal that was sent onto your property. I can't remember the name of the act that allowed this, but if an electronic signal was sent onto your property, and you could decode it, listening/watching it was your right.

This is why the old C-band dishes never had prosecutions for descrambling, or why you could listen in to Cellular Telephone conversations. And this would apply to DirecTV too, except it didn't exist when this law did.

Sometime in the mid 90's, a new Radio Telecommunications Act was passed which banned the eavesdropping on cellular telephones and any other signal entering your property that needed to be decoded. Thus, now the old C-Band hackers had become pirates, and the new DirecTV decoding was illegal.

The question is this - do you have the right to translate signals that are travelling onto your property - signals which you did not request?

The old law said yes. The new one says no.

Poetry in code

This is true hacker war at its best. The DirecTV hackers vs. the DirecTV programmers. I bet both sides had a great time, and enjoyed the game. The "GAME OVER" message was an especially nice touch.

Someone said that they're within their rights to "illegally" descramble DirecTV's content, because it's broadcast over public airwaves. True, but then, isn't DirecTV also entitled to broadcast whatever they want? If you just happen to be foolish/1337 enough to be running a hacked card, well, thanks for coming out, better luck next time. DirecTV didn't physically destroy the cards, so I don't think the hackers have any grievance in that respect...

Nicely done, on both sides. I think this deserves an entry into the hacker hall of fame.

Re:Agree - Re:It's not wrong to figure it out...

Xerox did not have to pay all the scribes who were put out of work by copiers, nor did the guy who came up with carbon paper. Just because you used to be able to make money doing something once does not mean you are entitled to keep making money off it forever.

Unless the people currently making money out of a specific business model can get their business model made the "law of the land". Which is the same root issue surrounding Napster, DeCSS, etc. Large corporate interests trying hard to make sure their business model doesn't become obsolete. (With their relatives such as the iopener and cue cat, where a business thinks it is the job of the law to protect their, unproven, business model.)
The "scribes" are probably wishing they had considered political lobbying...

Re:Stealing? No.

Point of interest. I recall following a news story awhile back where RCMP (under pressure from the land below the 49th) tried to crack down on DirectTV pirates. IIRC, and it wasn't appealed 18 times, it was ruled that since the service is not available for sale in Canada, (and DTV goes through some serious hoops to insure it isn't) that selling and using electronic parts to circumvent security measures on it is perfectly legal.

Canada also has some different views on the RF spectrum. IE: last I checked it was illegal to manufacture a scanner that could scan 800MHz (non-digital Cell) in the US, but not Canada.

FWIW,

--
Remove the rocks to send email

Re:I'm afraid I found this v funny

Absolutely brilliant! Kudos to the DirecTV engineers who devised this fantastic plan. They're worthy of the true hacker title in this particular war.

Re:Uh yeah.

The card might say that on it, but I'd certainly be interested to see if this claim would stand up in court. The user pays for this card anytime they want a new one, it is not given or "loaned" to the user. When you buy a receiver, you're essentially also buying the smart card also. When your card is somehow damaged, DirecTV charges anywhere from $39 to $89 for a new one. In fact, many subscribers that had their legit H cards hit this past weekend are being forced to pay $89 for a new HU card directly from DirecTV, and DirecTV will refund $50 when they receive the damaged H card. Of course, looking at some recent court cases such as DeCSS and DCMA, I wouldn't at all be surprised to see the courts side with the corporation yet again.

The "Game" is far from "Over"

First off, several months ago the gurus in the DirecTV "hacking" community predicted the exact events that happened this past, and anyone paying attention changed over to a technology that hasn't been defeated yet, called Emulation. Emulation is basically allows the H card and receiver to process correctly while insulation the H card from any write packets that DirecTV sends. The EMU setup consists of a board that is the same width as the H card that slides into the card slot on the receiver. This board has a serial connection that then connects to the serial port of a PC. This PC is running a small DOS program. The H card is then inserted into the smart-card programmer, which is connected to the 2nd serial port on the PC. Emulation has survived all attacks that DirecTV has launched against "hacked" cards for the past few months, and likely will stay up as long as DirecTV continues the data stream for the H card.

Secondly, the new HU card has recently been hacked to allow for the "3M" scripts that open all channels. DirecTV launched their first attack against hacked HU cards this past week as well, but the community actually learned quite a bit about the HU card from this attack. This HU hack is only available through "dealers" for several hundred dollars, but I'd expect the necessary scripts to become freeware over the next few months. DirecTV will have their hands full once an emulation script is created for the HU.

Lastly, DirecTV also hit many, many paying subscribers running legit cards with their attack on Sunday. You can be certain that this attack cost them quite a few dollars in terms of cards needing to be replaced as well as the loss of subscribers that they have managed to piss off once again.

Cool or what?

I mean it must have been a pisser if you were getting free TV but still, that was quite a cool plan.

Can we set-up an interview with the techie that planned it?

It's not wrong to figure it out...

...but I wouldn't make the claim that it's RIGHT to watch their content for free. Just because it's digital does't make theft of service (or whatever you want to call it) moral.

Evan

Re:Recent Law has Changed

The question is this - do you have the right to translate signals that are travelling onto your property - signals which you did not request?

According to the law, no, you don't have that right. I don't agree with that; I still feel you should have the right to do whatever you want with the signals that are sent to your property. But this really doesn't matter one way or another in this particular case, because it doesn't sound like Hughes tried to press legal charges on those who did hack/crack the signal.

Here's the rub: Hughes made the cards, and Hughes "leased" or "licensed" the cards to real customers with EULAs. Hughes has the right to damage their own cards, even in your home, through the use of their FCC-licensed class and power of signals.

If you were a legit customer who had an old (and now burnt) H card, it dropped your service for a day or two while you stop by a service center. If you were a thief who got pay-to-view entertainment for free, then that burnt card is useless to you.

I have absolutely NO problem with the way that Hughes handled this.

About Time

This is the way to "defend" against software piracy. Defeat the hackers in a struggle through technology. Litigation in the courts is just not the way to stop people in the end. I have no problem with people wanting to have their customers pay for their product. I like how DirectTV responded to the piracy. Corporations (RIAA, MPAA, etc): BEAT US TECHNICALLY, NOT IN COURT! It means SO much more.

Re:Uh yeah.

They'd be opening themselves to a lawsuit from everyone who was willing to say "I hadn't modified my card, honest" otherwise.

Sorry, but you're wrong. Do you think a bank robber can sue a bank who puts a dye pack in his bag of money to render the money useless? Do you think that people who put razor bars around their stereo equipment can be sued by the theif who loses a finger?

Thirdly the destruction of the cards would force Hughes to replace them. Not a cheap move.

What do you think is cheaper: letting people take $30 or $40 per month out of Hughes' pocket by not paying for the service, or replacing a single smart card. I'm not an authority on the subject, but I think making these people pay for 2 months of service would make up for the cost of a new smart card. BTW, is "thirdly" a word?

Finally, the site Michael linked to requests financial support by clicking a paypal link. Sounds like an elaborate setup to fleece the /. community.

We're glad Shoeboy is looking out for our interests. Slashdot requests financial support by displaying banner ads, and so do 99% of all other sites on the web. The one in question uses PayPal for its financial support instead of banners. What's the problem?

Re:"Hackers"?

The distinction between hacker and cracker has nothing to do with the skill involved. IT's based on the motivation and the result. Someone who does damage, who steals services (be it TV, telephone or something else) or who steals information is a cracker.

Crackers are not always script kiddies
Hackers are never script kiddies
Hackers are not Crackers

Hackers have my respect. The hacking involved in duping an entire community of crackers (no matter how intelligent they are) for long enough to build a program in their machines, little piece by little piece, then pull the trigger, whilst having the flair and style to leave the message "GAMEOVER" in the first 8 bytes of the code is fantastic, and the credit goes to directv.

Of course, since I pay for services and end up subsidising people who think they've a right to the same services for free because they happen to have the skills necessary to steal them probably makes me a little biased.

ATTENTION Dept Information warfare!

Possible new recruits at DirecTV!

I think the bit I like best about this is that DirecTV managed to upgrade their software remotely without cuasing an interruption to the service. THAT was a ballsy thing to do before the Superbowl!

Re:not stealing

I think there a substantial differences between DirecTV and DeCSS.

With DeCSS I paid for the signal and it is illegal for me to decode it myself.

With DirecTV the hackers have not paid for the signal and they have been techincally outsmarted by the company.

With DeCSS, the company have attempted to encrypt their signals from people who have the right to view them, technically they failed and now they are suing all who know how to decrypt them.

With DirecTV the company is attempting to enrypt their signals from those who haven't paid for them, and they've come up with a technical solution and won [for the time being].

DirecTV are not attempting to run over the legal rights of consumers, they are attempting to prevent piracy. CSS attempts to destroy legal rights under the guise of preventing piracy.

I subscribe

In the almost two years we've had DirecTV, the bills have gone up almost ten dollars. I do admit that five of those dollars go to get the local (Orlando) channels.

My wife and I are pretty happy with the service (other than rain fade margins-- they don't exist!) and think that we made the right choice over going with TWC. One of her teacher colleagues has TWC digital cable, and the picture is awful compared to DirecTV. (Except in those summer monsoons when DirecTV doesn't work at all!)

I have never been comfortable with people getting these kinds of services without paying for them. That monthly bill not only pays for the programming, but also on infrastructure and maintenance. Hughes played a HUGE gamble by launching its DirecTV bird. Unlike cable, satellite systems must have their entire infrastructure in place before they can sign their first subscriber. Cable systems can roll out a piece at a time, and early adoptors help pay to expand into new areas.

The only thing I'd like Hughes to add is a non-Windows bidirectional link for DirecPC and a dual-subscriber discount like TWC has with RoadRunner.

Re:Physically destroyed?

Check here [freeservers.com] for exactly how the cards were 'destroyed' and for a possible way that they could be repaired... but why would you want to do that?

Tit for Tat, etc.

To a vary large extent, the hacking of the Direct TV system has been a game. Sortof like the "Spy vs Spy" comic you "used" to read in Mad Magazine (maybe you still do)

Now Obviously, alot of folks are going to be pissed off because they "lost" the game.

And I am sure that the fine folks at DirectTV are gleeful about the gnashing of teeth and their own clever victory.

Somehow I think this has to been kept quite separate from the other issues dealing with digital media.

People providing a service deserve enough to be able to cover the costs of their operation and to make a reasonable profit. Let those who are without sin cast the first stone. Who has not had dotcom phantasies of obscene wealth? Well how did you expect you would do this? by giving away the homeplanet? or do you want them to spent millions of dollars so that you can enjoy your right to the superbowl and free pr0n?

That being said there is ALSO the issue of fair and reasonable exchange for goods and services. DirectTV certainly has been on the wrong side of the issue as far as some aspects of copy protection, etc.

Some people would rather spend extraordinary effort and money to not not pay for goods and services. In the past, these people were called the 'rich'; it was part of their culture. and now this attitude has dribbled into the rest of society

In the past, much of what has passed for morality has been an effort to help keep people in their place, to help mold them into sheeple. This has been the main thrust of modern education since the education "reforms" at the beginning of the 20th century. All those immigrants had to be educated to be good workers, etc. NOT competitors to the status quo.

This ties in with the DirectTV game because the company, as such, naturally, and perhaps unwittingly, takes advantadge of the situation to impose conditions that are not fair exchange.

People instinctively react, at first, to situations that are not fair. They get mad. and they use this to justify their own attempts to get what they think they are due, and maybe a little bit more. It becomes a viscious circle.Unfortunately, some poeple will never be happy.

I'm afraid I found this v funny

This looks like poetic justice to me. All credit to DirecTV.

Re:For hackers its just a game

• Hackers will find a way around the new system. They always find a way, and they will have fun doing it.

Doubtful... if you read the article correctly, this last act effectively destroyed the smart cards.

What would be cool is if someone found a way to actually revers-engineer and manufacture smart cards that recieved the regular updates, and acted exactly like legit ones, except they didn't dial into DirecTV.

This is the way companies should combat hackers that are "stealing" or "bypassing access control methods"... not tracking them down and suing them, and getting laws put in place to ban things that are useful to the community at large. DirecTV was able to attack hackers without infringing on their paying customers!

"Evil beware: I'm armed to the teeth and packing a hampster!"

Re:It's not wrong to figure it out...

You're missing the point. I'm actually one of those people who downloaded DeCSS to see how CSS worked. I find this sort of thing (encryption, access control mechanisms, etc.) interesting. I don't have time to hack the damn thing myself, but reading the source code or other information about how a hacker went about attacking the problem. This helps ME learn. What would have happenned if this hacker kept the secret for him and his small group of underground friends? DirecTV would have never found out about it, and never fixed the problem, and never been able to fight back. The widespread distribution of the methodologies used to circumvent the encryption meant that DirecTV would eventually have to hear about it, and have the power to stop it.

"Evil beware: I'm armed to the teeth and packing a hampster!"

Info from the newsgroup

This sounded like a pretty cool hack on the part of DirectTV (whether you agree with them or not), so I decided to take advantage of my ISP's one month news spool of alt.dss.hack to see what was up.

It looks to me like DirectTV (better known to the a.d.h members as "Dave", and not to be confused with "SuperDave", one of the newsgroup regulars) played an ace they've had up their sleeve for a long time. Apparently the boot code (in ROM) of the 8051 in the chip checks one bit in a 32-bit region of PROM (as in you can program it but you can't reset it) and goes into an infinte loop (I think this is what is being referred to as a "looped" card) early during the boot process. Since this is in ROM where it can't be re-programmed, you can't bypass it.

It seems there's also an ASIC in the card that is crucial to the decoding process. I'm guessing that it has to be enabled by the 8051. And if the 8051 "loops" before you can talk to it, you're hosed.

It also seems that there was a recent move to "emulators", which emulated the 8051, but passed commands to the ASIC through to the real card. That way, as long as the card was alive enough to tell it what to do, you would esentially firewall off the card from any nasty code that wanted to do stuff like program write-once bits in the CPU chip. Some people were arguing recently that emulators were overkill, but it seems they have been proven wrong. The only people with hacked cards that still work either had emulators or were lucky enough to pull their cards in time (or the decoder box was unplugged).

Apparently for a couple of weeks now "Dave" has been downloading code to detect illegal cards and test it (by locking up assorted cards and seeing what kind of results they got) before sending down the "ECM" code which caused the card to kill itself.

As to the timing, it is suspected they chose one week before Super Bowl to allow enough time for legitimate users (or those illegitimate users who wanted the better signal in time for The Big Game) to receive new cards.

Here are two messages I found on the newsgroup about all this: (line art removed from the first one because of /.'s lame filter)

From: ump25@aol.com (Ump25)
Newsgroups: alt.dss.hack
Date: 22 Jan 2001 05:38:13 GMT
Subject: EVERYONE READ THIS! INFO FROM MAGICIAN ET. AL.
Message-ID: <20010122003813.16538.00000761@ng-bj1.aol.com&g t;

From Magician and Hypertek comes the following...

As most everybody is aware, the ability of the dynamic code to execute a kill-type ECM was displayed today on "Black Sunday".

First, the bad news: the ECMs wrote 4 bytes to "write once" area of the EEPROM, 8000h-8003h. Unfortunately, one of the bytes that is changed is 8000h, which is checked extremely early in the ROM startup code (003Fh) to see if it contains "33h". These ECMs re-wrote this byte to "00h", which means that it very quickly enters an infinite loop because "P1.7" is not set. Since this area of the H card is "write once", there is no way to reset this byte back to "33h" to allow normal startup to continue, even by way of an unlooper.

Second, for those interested, here are all the EEPROM addresses that were tested to see if they contained modified bytes. Each byte was tested in its own packet (i.e., one address at a time):
code:
- - -
8243 Vector for setting DPTR to ZKT secret vector
8246,8247 Vector for Cmd09 vector
8255 Vector for Ins58 patch vector
8258 Ins44 preprocessing vector
825B Ins44 extras vector
825E Find tier or PPV vector
8264 "EndInsHandling" vector
8273 Cmd1F vector
827C,827D Ins54 vector
8282,8283 Ins18/Ins1A vecotr
8440 First byte of channel blackout data (checked if non-zero)
8582,858C,8593 Cmd60 code
85B7 B7 nano vector
85BE BD nano vector
85C0,85C1,85C2 C0 nano vector
85C3 C3 nano vector
85C6,85C7 C6 nano vector
85E2,85E6,85ED,85EF,85F6 B5 nano code
8606,8608,8611 AddAToDfdNanoBufIfFlOpn code
8630 Deferred Cmd60 processing code
86DD Never-executed portion of old C6 nano code
87A1 Old CF nano jump table
8800 Hash algorithm code
8955 Main loop vector code
8973 Ins18/Ins1A code
8975 Ins54 check code
8982 Setup for Ins38 code
89A0,89A3 Setup for Ins44 code
89A6,89B2,89B9 Setup for Ins4C code
89DF End of main loop vector code
8BFE Cmd0C code
8CC7,8CCA,8CCB Preprocess deferred Cmd60 code
8CD9,8CDE Cmd0B for non-virgin cards code
8CF2,8CFE Ins58 patch code
8D04,8D09,8D0D,8D11,8D14,8D178D1A,8D1D,8D20,8D22 ,8 D24,8D25,8D32 Ins54 code
8D66,8D6A,8D72,8D76 Add ASIC bytes to signature hash code
8DD0,8DD3,8E68 Do 1 hash iteration code
8F2F Preprocess Cmd09 code
8F53 Cmd0C patch 1 code
- - -
Here is an example dynamic code packet (for the 8D1Ah address; all of the addresses were tested using similar packets, except for 8440h which used a JNZ instead of JZ):
code:
- - -
C3 nano used to preset RAM locatiosn 10h-1Fh:
C3 0A 00 20 99 03 AF 01 00 04 00 09 | Seed hash only (using 9 data bytes) results in these bytes at 10h-1Fh:
20 99 03 AF 01 00 04 00 09 CB 29 71 06 19 74 D0
Fourth byte loaded in EEPROM write register
Third byte loaded in EEPROM write register
Hi byte of 1st loop return address and second byte loaded in EEPROM write register
Lo byte of 1st loop return address and first byte loaded in EEPROM write register
Hi byte of 2nd loop return address
Lo byte of 2nd loop return address
Hi byte of 3rd loop return address
Lo byte of 3rd loop return address
What 8D1Ah is compared to

The C9 nano looked like this:
C9 10 20 90 8D 1A E0 47 60 08 90 | Write 15 bytes+RET, execute and hash
80 00 78 15 75 81 16 :
which caused this code to be executed:
893C mov DPTR,#8D1Ah
893F movx A,@DPTR
8940 xrl A,@R1
8941 jz 894Bh
8943 mov DPTR,#8000h
8946 mov R0,#15h
8948 mov SP,#16h
894B ret
- - -
Remember, R1 starts equal to 10h. So the above code does the following:
Compare 8D1Ah to @10h (which contains #20h)
If they match, simply return
Otherwise, set DPTR to 8000h
Set R0 to 15h
Reset the stack to 16h and RET, to resume execution at 0400h to load "00 04 00 09" into EEPROM write register which RETs to 01AFh to enable EEPROM write mode
which RETs to 0399h to write 00 04 00 09 to 8000-8003h.
In addition, there was an ECM to detect an H cards running with non-H CAM IDs, although this packet did not loop the card but simply "locked it up" until the next reset:
code:
- - -
C3 nano used to preset RAM locatiosn 10h-1Fh:
C3 0B 00 FE FC 32 00 00 04 AC 01 68 14 | Seed hash only (using 10 data bytes) results in these bytes at 10h-1Fh:
FE FC 32 00 00 04 AC 01 68 14 8A DF A3 AA 81 34
Hi byte of 1st loop return address
Lo byte of 1st loop return address
Hi byte of 2nd loop return address
Lo byte of 2nd loop return address
Hi byte of 3rd loop return address
Lo byte of 3rd loop return address
Hi byte of 4th loop return address
Lo byte of 4th loop return address

The C9 nano looked like this:
C9 12 20 90 83 74 81 60 07 57 70 | Write 17 bytes+RET, execute and hash
05 09 B9 12 F6 22 75 81 19 :
which caused this code to be executed:
893C mov DPTR,#8374h
893F movx A,@DPTR++
8940 jz 8949h
8942 anl A,@R1
8943 jnz 894Ah
8945 inc R1
8946 cjne R1,#12h,893Fh
8949 ret
894A mov SP,#19h
894D ret
- - -
Remember, R1 starts equal to 10h. So the above code does the following:
If first byte of CAM ID is 00, return (everything OK).
Otherwise, AND first CAM ID byte with byte @10h (#FEh)
If result is non-zero (meaning first CAM ID byte is not 01h), go to ECM routine
Otherwise, AND second CAM ID byte with @11h (#FCh)
If result is non zero, go to ECM routine
Otherwise, return (everything OK)
The ECM routine resets the SP to cause the RET to resume execution at 1468h, which RETs to 01ACh, which RETs to 0400h, which RETs to the infinite loop at 0032h...

From: Spacemonkey Gleep <Fictitious@Dont.Bother.Its.invalid>
Newsgroups: alt.dss.hack
Subject: How Write-Once memory works, or "Why H cards hit by the ECM are never going to be fixed"
Date: Mon, 22 Jan 2001 10:56:12 -0800
Message-ID: <Fictitious-402BA7.10561222012001@news.primenet .com>

In response to the umpty-nine-dozen "Why can't we just..." questions about the corrupted write-once area on the card, here's an explanation that may shed some light. (Note to those "in the know": Yes, I'm simplifying things ridiculously. Not everybody playing in this little sandbox is an EE with the knowledge to understand the inner workings of a chip)

A byte of RAM memory is a set of 8 cells that can hold a one or a zero. Which cells have 1s in them determines the value of the byte when you read it. With RAM, you can change the values any time you like. You can think of that byte as 8 switches that can be turned on or off in different combinations to give you various values.

A byte of ROM is similar, in that it's 8 cells that can each hold a 1 or a 0. Unlike RAM, these 1s and 0s are fixed. Instead of the "switches" that RAM has, you can think of ROM as having either a wire (for a 1) or no wire (for a zero). They can't be changed once made. The wire (or lack of one) is a permanent thing.

A byte of Write-Once memory (Also known as "PROM", or "Programmable Read Only Memory") has characteristics of both RAM and ROM. Like RAM, you *CAN* write to it, under certain circumstances. Like ROM, once written, it's **FOREVER**. Think of a byte of PROM as being 8 microscopic fuses.

When the chip is made, all the fuses are "good". If you could see it at the microscopic level, it would look something like this: ( each | is a fuse that isn't blown )

| | | | | | | |

and would have the value FF, or 255 in decimal.

Now, let's say you want the byte to have the value B7 (That's 183 in decimal, and in binary, it's 10110111) To write that value to it, you deliberately burn out two fuses in the byte, leaving it looking like this: (| = unblown fuse, : = blown fuse)

| : | | : | | |

From that point, it would be possible to write to it again, and change the value, *BUT* there's a catch. You can only "blow" more fuses. You can't "un-blow" fuses that are already blown. This means that a number that needs one of the fuses that's already blown out is going to be impossible to write.

So why is this a problem?

Normally, byte 8000 of the H card holds the value 33 (in Decimal, 51. In binary, 00110011) and the byte looks like this:

: : | | : : | |

But after being hit by DTV's ECM last night, the byte is set to 00 - it looks like this:

: : : : : : : :

There's no fuses left to blow out. They're all gone. That means that forever and always, byte 8000 of your ECMed card is going to say "I'm holding the value 00" when asked.

Why this means the card is permanently dead:

VERY early after the card gets powered up and reset, a check is done:

Does byte 8000 hold the value 33?

If the answer to that question is yes, then all is right with the world, and things start happening. The card gets initialized, spits out the ATR string, and then goes into "wait for a command from the IRD" mode. If, on the other hand, the answer is no, then the card goes into an infinite loop that does nothing. If you program in BASIC, it's the equivalent of the line

10 GOTO 10

NOTHING gets done until the next time the card is reset. And then the same thing happens all over again.

This check is in the card's ROM, so it can't be bypassed or changed.

Reprogramming the card won't do anything useful, since the ROM doesn't even get looked at, let alone messed with, by programmers (or unloopers, for that matter) and even if it did, it wouldn't do anything useful, since ROM can't be changed (short of actually damaging it).

So how can it be fixed?

The simple answer: It can't. Congratulations. Your H card is now an ice scraper. Get used to it. Life sucks.

The more extended answer:

If you've got the micro-tools to "rebuild" the blown fuses on the chip, you could go that route, but unless you're a chip manufacturer, or have access to that type of equipment somehow, you ain't got a prayer. We're talking about electron microscopes, tools for depositing single atoms onto the silicon wafer itself, that sort of thing. In other words, trying to do it is going to mean more money, knowledge, equipment, and effort than most any of us are capable of applying to the problem.

In short, last nights ECM was the ECM to end all ECMs. Any card hit by it is toast, and barring someone developing a cheap way to rebuild chips mat the wafer level (which isn't even remotely likely to happen anytime soon) there isn't a thing that can be done about it. Enjoy your new ice scraper.

Or get in touch with me about shipping it to me. I want to dissect it to get the ASIC out of it for some experimenting I want to do.
--
GLEEEEEP!!!!
PGP KeyID: 0x016B6B53 on the keyservers.
http://www.megsinet.net/~kayo/index.html

Re:Stealing? No.

I respect that they put up the satellite, and started the TV service.. however....

THey are broadcasting signals over PUBLIC airspace, including INTO MY YARD. If I feel like putting up a dish to capture that signal and manipulate it *however I want* within my own property, that should be my absolute right (though the law may not agree). If they don't want me to receive the signal, don't broadcast it into my yard. PERIOD.

THe airwaves are PUBLIC.

...and by this same reasoning, DirecTV has every right to send signals that will disable Hughes chips. If you don't want to receive these signals, you shouldn't be listening for them in the first place. It isn't DirecTV's fault if your self-hacked hardware doesn't react properly to their signal.

The airwaves are public, after all.

information wants to be expensive...nothing is so valuable as the right information at the right time.

For hackers its just a game

Hackers will find a way around the new system. They always find a way, and they will have fun doing it.

Beautiful!

This may get me modded down as a troll, but what DirectTV did was a hack and a beautiful one no less. I actually feel that I need to tip my hat to the engineers involved. If companies are going to try and prevent hackers from using their product then this is the way to go. I have respect for this as opposed to the "send in the lawyers" approach. Sure, DirectTV did that as well, but this was elegant. They hacked the hackers.

I personally believe that any signals that happen to cross the boundaries of my property are mine to do with as I wish, but I also believe that the senders of those signals have the right (and in the case of a commercial enterprise, the necessity) to try and protect those signals.

This should be listed as one of the Top Ten Hacks of all time.