DirecTV's Secret War On Hackers
"Allow me to give you some background.
"One of the original smart cards, entitled 'H' cards for Hughes, had design flaws which were discovered by the hacking community. These flaws enabled the extremely bright hacking community to reverse engineer their design, and to create smart card writers. The writers enabled the hackers to read and write to the smart card, and allowed them to change their subscription model to receive all the channels. Since the technology of satellite television is broadcast only, meaning you cannot send information TO the satellite, the system requires a phone line to communicate with DirecTV. The hackers could re-write their smart cards and receive all the channels, and unplug their phone lines leaving no way for DirecTV to track the abuse. DirecTV had built a mechanism into their system that allowed the updating of these smart cards through the satellite stream. Every receiver was designed to 'apply' these updates when it received them to the cards. DirecTV applied updates that looked for hacked cards, and then attempted to destroy the cards by writing updates that disabled them. The hacking community replied with yet another piece of hardware, an 'unlooper,' that repaired the damage. The hacker community then designed software that trojanized the card, and removed the capability of the receivers to update the card. DirecTV could only send updates to the cards, and then require the updates be present in order to receive video. Each month or so, DirecTV would send an update. 10 or 15 minutes later, the hacking community would update the software to work around the latest fixes. This was the status quo for almost two years. 'H' cards regularly sold on eBay for over $400.00. It was apparent that DirecTV had lost this battle, relegating DirecTV to hunting down Web sites that discussed their product and using their legal team to sue and intimidate them into submission.
"Four months ago, however, DirecTV began sending several updates at a time, breaking their pattern. While the hacking community was able to bypass these batches, they did not understand the reasoning behind them. Never before had DirecTV sent 4 and 5 updates at a time, let alone send these batches every week. Many postulated they were simply trying to annoy the community into submission. The updates contained useless pieces of computer code that were then required to be present on the card in order to receive the transmission. The hacking community accommodated this in their software, applying these updates in their hacking software. Not until the final batch of updates were sent through the stream did the hacking community understand DirecTV. Like a final piece of a puzzle allowing the entire picture, the final updates made all the useless bits of computer code join into a dynamic program, existing on the card itself. This dynamic program changed the entire way the older technology worked. In a masterful, planned, and orchestrated manner, DirecTV had updated the old and ailing technology. The hacking community responded, but cautiously, understanding that this new ability for DirecTV to apply more advanced logic in the receiver was a dangerous new weapon. It was still possible to bypass the protections and receive the programming, but DirecTV had not pulled the trigger of this new weapon.
"Last Sunday night, at 8:30 pm EST, DirecTV fired their new gun. One week before the Super Bowl, DirecTV launched a series of attacks against the hackers of their product. DirecTV sent programmatic code in the stream, using their new dynamic code ally, that hunted down hacked smart cards and destroyed them. The IRC DirecTV channels overflowed with thousands of people who had lost the ability to watch their stolen TV. The hacking community by and large lost not only their ability to watch TV, but the cards themselves were likely permanently destroyed. Some estimate that in one evening, 100,000 smart cards were destroyed, removing 98% of the hacking community's ability to steal their signal. To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack. The first 8 computer bytes of all hacked cards were rewritten to read "GAME OVER".
"For more information, visit http://www.hackhu.com."
Most of the comments seem to be along the lines of "kudos to Hughes/DTV for beating the hackers at their own game and not resorting to lawyers".
Well, that may not be how it actually went down.
In October the guy who ran Northsat in Canada got raided. There was a consent decree, and as part of his plea bargain he agreed to act as a consultant to DirecTV.
Although DTV had already been busy implementing the dynamic code, many old timers claim that they see Dean's hand in the 4 (that's right 4, not one) ECMs that came down starting last Sunday.
So it would seem that the legal system allowed DTV to force a hacker to destroy part of his own creation. Not a clear cut case of DTV defeating pirates with their own engineers. Guess he shouldn't have had a bunch of drugs and cash in his house when they raided him hehe.
http://www.legal-rights.org/northsat.html
http://www.legal-rights.org/newspapers/northsat
In fact since most of us DON'T get DirectTV and are STILL constantly bathed in its RF emissions Hughes is in the wrong, if anyone is. Mind you, I don't have a problem with them sending the bits to their own subscribers. The fact that they chose a CHEAPER method of distribution to increase their own profits opens them up to this.
Anything being broadcast non-interactively (not two-way like say, a cordless phone), whether tv, radio, or otherwise, is like air as far as I'm concerned. i.e. Not any company's but the people's.
If the company doesn't like that, make their own customers use overpriced less effective measures, like cable, spread spectrum, or other methods.
If the cost of that makes it unprofitable, so be it. The Constitution (Sorry, US centric) gives the right to the PURSUIT of happiness, not the right to it. There is a difference. Similarly, Hughes can try to make money by giving a service worth paying for. They're not entitled to just because they spent a lot of money.
Think about it. If I fire radiation at your home 24/7 without you asking for it (paying subscribing whatever, and that IS what radio/broadcast energy is) you should have the ability to do whatever you want with it.
They are NOT STEALING. Stealing implies taking something away from someone else. As in they no longer have an object they previously did. These people went out and bought their own satellites, smartcards and gizmos. They can do anything they want with them.
Xerox did not have to pay all the scribes who were put out of work by copiers, nor did the guy who came up with carbon paper. Just because you used to be able to make money doing something once does not mean you are entitled to keep making money off it forever.
Riiiiiiight....
Sooo...
You wouldn't care if I set up a listening post to hear any wireless stuff going on in your house, right? You probably don't care about Echelon and various Internet-based listening posts monitoring your e-mail and where you surf, right?
After all, you are sending your data out over shared space, and if I feel like manipulating it *however I want*, that should be my right.
Rob and the gang,
Congratulations on a well-written, engaging news story. Clear, concise, interesting with thrilling narrative, factually informative. This entry is a model for all good Slashdot entries.
Thanks.
Alright, while the story above is 'correct', it's something like reading chapter 6 of a 12 chapter novel, and claiming to understand everything. A lot more has been going on than is shown here. In the beginning, as it were, was the F card. This card was a dumb EEPROM, and was hacked so fast it must have made DTV's head spin. The video stream at this time was un-encrypted, and you merely had to convince your receiver to show the channels. This lasted about a year or two, and then a new card began appearing, this was the H series card. This card had a dedicated ASIC on it for decrypting scrambled content. It was also a 'smart' smartcard, in that it tried to think about commands that were sent to it, and had some basic functions (read, write, compare, etc) that could be called on. Eventually, DTV mailed out new cards to all valid F card owners, and completely removed the older card from service. They also switched to an encrypted video stream, and that was the end of the F card. This new H card was trickier to deal with, but at this time Hughes, who owned DTV, had made another mistake. This was the same card used in some European digital satellite systems, and a great deal of information was already available on it. Hacking it (and these people were hackers, in that they had to reverse engineer a 'black box' device only by watching how DTV interacted with it, even if they used their knowledge for less than stellar purposes) took less time than DTV would have thought. This is what went on for the years leading up to this story, in that the hackers would enable some new security hole, and DTV would send down an update to close it. Eventually though, DTV realized that there were an unlimited number of holes that could be opened, due to a flaw in the memory checking on the card (large values would roll back over to zero), and that the programming hardware needed to work with these cards had become cheap enough to be a mass market.
About this time, DTV went quiet, and the community that had grown up around pirating DTV satellite signals began to get fat and lazy. When DTV started up again, this time patching the firmware in the receivers to test the H card's unique ID against a list of known bad IDs, and to lock out bad cards if they were found, a lot of people were caught by surprise. It was easy enough to overcome this problem, in that you could copy a valid, subscribed card's ID onto an unsubscribed card. Called cloning, this technique had deficiencies that had been known for some time, in that part of the card's unique ID was stored in a write once area of the card's EPROM, and couldn't be changed, only masked. Since DTV seemed to have stopped sending down card updates, cloning became popular. In fact, it became the way of doing things. Looking back, it is easy to see how DTV set everyone up for this, allowing cloning to become rampant, because they knew how to kill it. When DTV started up the updates again, some of the original hackers warned heavily against cloning, saying this was the beginning of the end. Most people, however, were content to simply update to the latest way of activating their cloned card, and content to ignore the number of updates piling up on their card. Once the updates were complete, those early hackers really began to scream about what was going to happen, but still no one listened. And, in the end, it did happen. What DTV did was send down a packet of information that said: Take this address, and store it in this new location. Then, using the basic features of the card, compare that address we just stored to an address at this memory location. If they match, do nothing. If they don't match, set this memory pointer to location X, instead of location Y, where X is a specific part of WRITE ONCE memory. Another packet came along, and said, write some stuff to this memory location (the 'GAME OVER' in this case).
If the memory pointer had changed to a write once area, too bad. If not, it was harmless. What was the card comparing? The ID reported by the card and the ID actually valid for the card. This type of kill was instant and deadly. It was also 100% safe, in that anyone using a cloned card was guaranteed to be pirating the service, and the packet would not, under any circumstance, hurt a valid subscriber's H series card. It was so deadly because the area written to is part of the card's boot process. When it first receives power, the card no longer starts in a valid state, instead spitting out useless garbage. There is no way to write to this memory location again, and there is no way to change the card's boot process, because it happens before the interface comes up. I don't believe a magic bullet killed Kennedy, but this magic bullet certainly killed all these cards. Well, all is not lost, because a while back, DTV ran out of valid IDs for an H series card, and had to make a new card, dubbed HU. This card is much trickier and much smarter than the H card, but it may also have flaws that can be exploited. Only time will tell, but in a sort of ironic twist, this is again a card from Europe. Maybe the American hackers will get another helping hand from overseas, and maybe not. Primitive hacks for it have already started appearing, and the game of tit for tat is already being played out, as DTV shuts down early HU hacks. Don't hold your breath though, the card has remained unhacked in Europe for some time. I hope this clears up some mystery. As DTV did well this time, but they've made huge mistakes in the past that only encouraged hackers to use their knowledge to pirate the system, it was, if you will, a sort of contempt. It was so easy, it was like DTV was daring you to do it.
On one side, you have folks who hack the hardware to get free service.
:-)
On the other side, you have a company that sells a dish and programming, at pretty reasonable prices compared to cable rates, and wants to get paid for their goods.
Given that it's an interesting intellectual game at best to figure out how to hack a DTV smart card system, and theft of service at worst, it just appears that DirecTV has figured out how to win the cat and mouse game once and for all. Good for them. If DirecTV was the only form of television service available (i.e., a monopoly), I'd look on theft of service a little more tolerantly, but there's all sorts of TV alternatives out there - broadcast, cable, and other satellite providers.
This is different from, say, the i-Opener hack because the i-Opener hack was fundamentally about hardware. Buying the box did not incur an obligation to use the service (due to a mistake on Netpliance's part), and the hack didn't allow you to steal their service - it allowed you to re-purpose the hardware. That would be like hacking a DirecTV box to work with Dish Network instead. A cool, "because it's there" hack.
So if DirecTV won the war, more power to them. There may be a fine line between hacking and theft at times, but hacking a DTV smart card for free service is definitely on the wrong side of that line.
Besides, stuff like descramblers and smartcards are usually what spammers are filling my emailbox with, and I hate spammers!
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Damn but it's nice to see a company that's willing to fight on the technical ground rather than running to its lawyers at the first sign of trouble. That's downright brave and honourable, there.
Say what you may about the real and supposed sins of DirecTV and its crackers, they were fighting the war on its technical merits rather than with hordes of lawyers. That's good stuff. It's nice to see a company with the integrity to defend itself within its market and its product rather than look for protection from above.
--G
...it is a thing of beauty... Not because of who won or lost, but because of the elegance with which it was done!
[someone should forward this article to the "Beautiful code" guy!]
Yesterday, we were discussing how we can hack new DirecTV tuners to allow HDTV resolution on analog ports.
Does anyone else appreciate the irony of both events happening in the same week?
I'm curious as to how this is really a theft of service. When that term is applied to spam, for instance, the theft occurs when spammers use up the bandwidth of their relays and the time and hardware of the targeted ISPs. In that case you can point to the extra costs that were required based on the actions of the thieves.
However, this satellite broadcast is streaming through all of us all the time. Does just possessing the knowledge to decode these ambient bits somehow make a person a thief? I'll agree that it's unfair to the legit DirecTV subscribers to have to pay for a service that some are getting for free, but I don't agree that decoding bits that are normally present in the environment is theft.
You have no right to make a profit.
Nobody can steal that which you have given them for free.
Just because you came up with some "clever" business model that involves charging people money for services, that does not entitle you to compensation from people who figure out how to provide this service for themselves.
I am deeply disturbed to see this bullshit perpetuated by someone outside the US. Previously, I had been operating on the assumption (obviously false) that "the right of a business to make money" was confined to the US.
Once again, for the slow ones: you do not have a right to make a profit, no matter how clever you may think you are, and no matter how long you've been making a profit in the past. If someone out there catches on to your scheme and bypasses it, you lose.
(With all that said, I have to applaud the hackers who work for DirecTV. Unlike certain other industries, they didn't resort to dirty tricks or underhanded legislation -- they simply used what they had, and ingeniously too. I'm not ranting against DirecTV here -- I'm ranting against all those who thought that the H-card hackers were "stealing".)
For all the noise that /. makes over the use of Hacker vs. Cracker, one would think that stealing services would fall into the latter category. While I think that the reverse engineering and cleverness involved in cracking the smartcards is quite impressive, I see no noble motivation, just stealing a service that is quite expensive to develop and provide. The real Hackers in this story work for Hughes.
Ignorance is the root of all evil.
Sorry... I have to draw a line here. Perhaps it's my Canadian blood talking.. but...
I respect that they put up the satellite, and started the TV service.. however....
They are broadcasting signals over PUBLIC airspace, including INTO MY YARD. If I feel like putting up a dish to capture that signal and manipulate it *however I want* within my own property, that should be my absolute right (though the law may not agree). If they don't want me to receive the signal, don't broadcast it into my yard. PERIOD.
The airwaves are PUBLIC.
Honestly, DirecTV is very cool about this situation. They even have a guy on alt.dss.hack that TALKS to the hackers and actually goes about in conversation with them. They truly look at this as a game of chess, and I was always intrigued by the complexity of the "war" at times.
To show you how cool things have become... The latest trend in DSS is using emulation software on a PC to intercept the signal and then sending it to your receiver. It truly is an innovative solution!
I swear, words like ECMs (Electronic Counter Measures) that literally destroy cards, and Unloopers (things that fix "looped" or destroyed cards) really make this feel like some Hollywood hacker movie. But it's not. It's for real! Damn, that is just too cool!
-Nick
This is the perfect solution to a nagging problem.
Direct TV sells a service. They make money from the sale of this service, and they provide the infrastructure, the broadcast, the hardware, etc.
Then, a bunch of kids decide that they want what DirectTV has, but not at their terms. So they steal the service. Yes, they stole it. Hell, they admit it in the article.
So what does DirectTV do? They beat the hackers at their own game. They outplay, outsmart, and outfox them. Bravo. They protected themselves and their market share in the best way possible. In the end, we can all appreciate the beauty of this particular hack.
if you read a lot, you will see that there is a way around this, emulation, basically what happens is that a PROM gets written to, by using emulation to emulate that PROM, we can reverse all the bits DirecTV's toggled back to the original, it is not theoretical, it is already out there, those who were smart to get it early are not crying now. But I am sure DirecTV will come up with a smart idea, in the console world, it is possible to write a game that can detect different kinds of emulators. So they might write code that can detect an emulator. i.e, Emulators usually don't emulate bugs in hardware. ;) It is amazing how a bug in hardware can be used for useful things. :D
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
At one time in America, it was legal for you to hack and decode any signal that was sent onto your property. I can't remember the name of the act that allowed this, but if an electronic signal was sent onto your property, and you could decode it, listening/watching it was your right.
This is why the old C-band dishes never had prosecutions for descrambling, or why you could listen in to Cellular Telephone conversations. And this would apply to DirecTV too, except it didn't exist when this law did.
Sometime in the mid 90's, a new Radio Telecommunications Act was passed which banned the eavesdropping on cellular telephones and any other signal entering your property that needed to be decoded. Thus, now the old C-Band hackers had become pirates, and the new DirecTV decoding was illegal.
The question is this - do you have the right to translate signals that are travelling onto your property - signals which you did not request?
The old law said yes. The new one says no.
Linux - Because Mommy taught me to Share.
Secondly, the new HU card has recently been hacked to allow for the "3M" scripts that open all channels. DirecTV launched their first attack against hacked HU cards this past week as well, but the community actually learned quite a bit about the HU card from this attack. This HU hack is only available through "dealers" for several hundred dollars, but I'd expect the necessary scripts to become freeware over the next few months. DirecTV will have their hands full once an emulation script is created for the HU.
Lastly, DirecTV also hit many, many paying subscribers running legit cards with their attack on Sunday. You can be certain that this attack cost them quite a few dollars in terms of cards needing to be replaced as well as the loss of subscribers that they have managed to piss off once again.
I mean it must have been a pisser if you were getting free TV but still, that was quite a cool plan.
Can we set-up an interview with the techie that planned it?
This is the way to "defend" against software piracy. Defeat the hackers in a struggle through technology. Litigation in the courts is just not the way to stop people in the end. I have no problem with people wanting to have their customers pay for their product. I like how DirectTV responded to the piracy. Corporations (RIAA, MPAA, etc): BEAT US TECHNICALLY, NOT IN COURT! It means SO much more.
I think there are substantial differences between DirecTV and DeCSS.
With DeCSS I paid for the signal and it is illegal for me to decode it myself.
With DirecTV the hackers have not paid for the signal and they have been technically outsmarted by the company.
With DeCSS, the company have attempted to encrypt their signals from people who have the right to view them, technically they failed and now they are suing all who know how to decrypt them.
With DirecTV the company is attempting to encrypt their signals from those who haven't paid for them, and they've come up with a technical solution and won [for the time being].
DirecTV are not attempting to run over the legal rights of consumers, they are attempting to prevent piracy. CSS attempts to destroy legal rights under the guise of preventing piracy.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
- Hackers will find a way around the new system. They always find a way, and they will have fun doing it.
Doubtful... if you read the article correctly, this last act effectively destroyed the smart cards. What would be cool is if someone found a way to actually reverse-engineer and manufacture smart cards that received the regular updates, and acted exactly like legit ones, except they didn't dial into DirecTV.
This is the way companies should combat hackers that are "stealing" or "bypassing access control methods"... not tracking them down and suing them, and getting laws put in place to ban things that are useful to the community at large. DirecTV was able to attack hackers without infringing on their paying customers!
"Evil beware: I'm armed to the teeth and packing a hampster!"
Lex orandi, lex credendi.
You're missing the point. I'm actually one of those people who downloaded DeCSS to see how CSS worked. I find this sort of thing (encryption, access control mechanisms, etc.) interesting. I don't have time to hack the damn thing myself, but reading the source code or other information about how a hacker went about attacking the problem. This helps ME learn. What would have happened if this hacker kept the secret for him and his small group of underground friends? DirecTV would have never found out about it, and never fixed the problem, and never been able to fight back. The widespread distribution of the methodologies used to circumvent the encryption meant that DirecTV would eventually have to hear about it, and have the power to stop it.
"Evil beware: I'm armed to the teeth and packing a hampster!"
Lex orandi, lex credendi.
It looks to me like DirectTV (better known to the a.d.h members as "Dave", and not to be confused with "SuperDave", one of the newsgroup regulars) played an ace they've had up their sleeve for a long time. Apparently the boot code (in ROM) of the 8051 in the chip checks one bit in a 32-bit region of PROM (as in you can program it but you can't reset it) and goes into an infinite loop (I think this is what is being referred to as a "looped" card) early during the boot process. Since this is in ROM where it can't be re-programmed, you can't bypass it.
It seems there's also an ASIC in the card that is crucial to the decoding process. I'm guessing that it has to be enabled by the 8051. And if the 8051 "loops" before you can talk to it, you're hosed.
It also seems that there was a recent move to "emulators", which emulated the 8051, but passed commands to the ASIC through to the real card. That way, as long as the card was alive enough to tell it what to do, you would essentially firewall off the card from any nasty code that wanted to do stuff like program write-once bits in the CPU chip. Some people were arguing recently that emulators were overkill, but it seems they have been proven wrong. The only people with hacked cards that still work either had emulators or were lucky enough to pull their cards in time (or the decoder box was unplugged).
Apparently for a couple of weeks now "Dave" has been downloading code to detect illegal cards and test it (by locking up assorted cards and seeing what kind of results they got) before sending down the "ECM" code which caused the card to kill itself.
As to the timing, it is suspected they chose one week before Super Bowl to allow enough time for legitimate users (or those illegitimate users who wanted the better signal in time for The Big Game) to receive new cards.
Here are two messages I found on the newsgroup about all this: (line art removed from the first one because of /.'s lame filter)
From: ump25@aol.com (Ump25)
Newsgroups: alt.dss.hack
Date: 22 Jan 2001 05:38:13 GMT
Subject: EVERYONE READ THIS! INFO FROM MAGICIAN ET. AL.
Message-ID: <20010122003813.16538.00000761@ng-bj1.aol.com>
From Magician and Hypertek comes the following...
As most everybody is aware, the ability of the dynamic code to execute a kill-type ECM was displayed today on "Black Sunday".
First, the bad news: the ECMs wrote 4 bytes to "write once" area of the EEPROM, 8000h-8003h. Unfortunately, one of the bytes that is changed is 8000h, which is checked extremely early in the ROM startup code (003Fh) to see if it contains "33h". These ECMs re-wrote this byte to "00h", which means that it very quickly enters an infinite loop because "P1.7" is not set. Since this area of the H card is "write once", there is no way to reset this byte back to "33h" to allow normal startup to continue, even by way of an unlooper.
Second, for those interested, here are all the EEPROM addresses that were tested to see if they contained modified bytes. Each byte was tested in its own packet (i.e., one address at a time):
code:
- - -
8243 Vector for setting DPTR to ZKT secret vector
8246,8247 Vector for Cmd09 vector
8255 Vector for Ins58 patch vector
8258 Ins44 preprocessing vector
825B Ins44 extras vector
825E Find tier or PPV vector
8264 "EndInsHandling" vector
8273 Cmd1F vector
827C,827D Ins54 vector
8282,8283 Ins18/Ins1A vector
8440 First byte of channel blackout data (checked if non-zero)
8582,858C,8593 Cmd60 code
85B7 B7 nano vector
85BE BD nano vector
85C0,85C1,85C2 C0 nano vector
85C3 C3 nano vector
85C6,85C7 C6 nano vector
85E2,85E6,85ED,85EF,85F6 B5 nano code
8606,8608,8611 AddAToDfdNanoBufIfFlOpn code
8630 Deferred Cmd60 processing code
86DD Never-executed portion of old C6 nano code
87A1 Old CF nano jump table
8800 Hash algorithm code
8955 Main loop vector code
8973 Ins18/Ins1A code
8975 Ins54 check code
8982 Setup for Ins38 code
89A0,89A3 Setup for Ins44 code
89A6,89B2,89B9 Setup for Ins4C code
89DF End of main loop vector code
8BFE Cmd0C code
8CC7,8CCA,8CCB Preprocess deferred Cmd60 code
8CD9,8CDE Cmd0B for non-virgin cards code
8CF2,8CFE Ins58 patch code
8D04,8D09,8D0D,8D11,8D14,8D17,8D1A,8D1D,8D20,8D22,8D24,8D25,8D32 Ins54 code
8D66,8D6A,8D72,8D76 Add ASIC bytes to signature hash code
8DD0,8DD3,8E68 Do 1 hash iteration code
8F2F Preprocess Cmd09 code
8F53 Cmd0C patch 1 code
- - -
Here is an example dynamic code packet (for the 8D1Ah address; all of the addresses were tested using similar packets, except for 8440h which used a JNZ instead of JZ):
code:
- - -
C3 nano used to preset RAM locations 10h-1Fh:
C3 0A 00 20 99 03 AF 01 00 04 00 09 | Seed hash only (using 9 data bytes) results in these bytes at 10h-1Fh:
20 99 03 AF 01 00 04 00 09 CB 29 71 06 19 74 D0
Fourth byte loaded in EEPROM write register
Third byte loaded in EEPROM write register
Hi byte of 1st loop return address and second byte loaded in EEPROM write register
Lo byte of 1st loop return address and first byte loaded in EEPROM write register
Hi byte of 2nd loop return address
Lo byte of 2nd loop return address
Hi byte of 3rd loop return address
Lo byte of 3rd loop return address
What 8D1Ah is compared to
The C9 nano looked like this:
C9 10 20 90 8D 1A E0 47 60 08 90 | Write 15 bytes+RET, execute and hash
80 00 78 15 75 81 16 :
which caused this code to be executed:
893C mov DPTR,#8D1Ah
893F movx A,@DPTR
8940 xrl A,@R1
8941 jz 894Bh
8943 mov DPTR,#8000h
8946 mov R0,#15h
8948 mov SP,#16h
894B ret
- - -
Remember, R1 starts equal to 10h. So the above code does the following:
Compare 8D1Ah to @10h (which contains #20h)
If they match, simply return
Otherwise, set DPTR to 8000h
Set R0 to 15h
Reset the stack to 16h and RET, to resume execution at 0400h to load "00 04 00 09" into EEPROM write register which RETs to 01AFh to enable EEPROM write mode
which RETs to 0399h to write 00 04 00 09 to 8000-8003h.
In addition, there was an ECM to detect an H cards running with non-H CAM IDs, although this packet did not loop the card but simply "locked it up" until the next reset:
code:
- - -
C3 nano used to preset RAM locations 10h-1Fh:
C3 0B 00 FE FC 32 00 00 04 AC 01 68 14 | Seed hash only (using 10 data bytes) results in these bytes at 10h-1Fh:
FE FC 32 00 00 04 AC 01 68 14 8A DF A3 AA 81 34
Hi byte of 1st loop return address
Lo byte of 1st loop return address
Hi byte of 2nd loop return address
Lo byte of 2nd loop return address
Hi byte of 3rd loop return address
Lo byte of 3rd loop return address
Hi byte of 4th loop return address
Lo byte of 4th loop return address
The C9 nano looked like this:
C9 12 20 90 83 74 81 60 07 57 70 | Write 17 bytes+RET, execute and hash
05 09 B9 12 F6 22 75 81 19 :
which caused this code to be executed:
893C mov DPTR,#8374h
893F movx A,@DPTR++
8940 jz 8949h
8942 anl A,@R1
8943 jnz 894Ah
8945 inc R1
8946 cjne R1,#12h,893Fh
8949 ret
894A mov SP,#19h
894D ret
- - -
Remember, R1 starts equal to 10h. So the above code does the following:
If first byte of CAM ID is 00, return (everything OK).
Otherwise, AND first CAM ID byte with byte @10h (#FEh)
If result is non-zero (meaning first CAM ID byte is not 01h), go to ECM routine
Otherwise, AND second CAM ID byte with @11h (#FCh)
If result is non zero, go to ECM routine
Otherwise, return (everything OK)
The ECM routine resets the SP to cause the RET to resume execution at 1468h, which RETs to 01ACh, which RETs to 0400h, which RETs to the infinite loop at 0032h...
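The following is an added analysis helper, not code from the original post or from the card. It models the two dynamic-code packets above, assuming standard 8051 RET semantics (PCH is popped from @SP, then PCL from @SP-1), and walks the "loop return address" chain that the ECM code sets up by reloading SP into the seed-hash bytes at 10h-1Fh.

```python
# Added example (not from the original post): model the C3/C9 packet pair.
# The C3 nano presets RAM 10h-1Fh; the C9 code either returns normally or
# loads SP into that region so that each RET pops the next return address.
# Assumes 8051 RET semantics: PCH from @SP, PCL from @SP-1, SP -= 2 per RET.

def preset_ram(seed_hex):
    """Model the C3 nano result: seed-hash bytes land at internal RAM 10h..1Fh."""
    return {0x10 + i: b for i, b in enumerate(bytes.fromhex(seed_hex))}

def walk_ret_chain(ram, sp, halt_addrs=frozenset()):
    """Addresses reached by successive RETs after 'mov SP,#sp'.

    Stops when a pop would leave the preset region (below 10h) or when it
    reaches an address known never to return (e.g. the 0032h infinite loop).
    """
    chain = []
    while sp - 1 >= 0x10:
        target = (ram[sp] << 8) | ram[sp - 1]
        chain.append(target)
        if target in halt_addrs:
            break
        sp -= 2
    return chain

def eeprom_ecm_fires(ram, byte_at_8d1a):
    """First packet: 'xrl A,@R1' with R1=10h; a zero result means plain return."""
    return (byte_at_8d1a ^ ram[0x10]) != 0

def camid_ecm_fires(ram, cam_id):
    """Second packet: loop over the CAM ID bytes at 8374h, masking with @R1."""
    r1 = 0x10
    for b in cam_id:
        if b == 0:
            return False            # jz 8949h: a 00 byte means everything OK
        if b & ram[r1]:
            return True             # jnz 894Ah: masked bits set -> ECM routine
        r1 += 1
        if r1 == 0x12:
            return False            # cjne R1,#12h falls through to ret
    return False

# Constructed from the two packets analysed above.
EEPROM_PRESET = preset_ram("20 99 03 AF 01 00 04 00 09 CB 29 71 06 19 74 D0")
CAMID_PRESET = preset_ram("FE FC 32 00 00 04 AC 01 68 14 8A DF A3 AA 81 34")

if __name__ == "__main__":
    print([f"{a:04X}h" for a in walk_ret_chain(EEPROM_PRESET, 0x16)])
    print([f"{a:04X}h" for a in walk_ret_chain(CAMID_PRESET, 0x19, {0x0032})])
```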
From: Spacemonkey Gleep <Fictitious@Dont.Bother.Its.invalid>
Newsgroups: alt.dss.hack
Subject: How Write-Once memory works, or "Why H cards hit by the ECM are never going to be fixed"
Date: Mon, 22 Jan 2001 10:56:12 -0800
Message-ID: <Fictitious-402BA7.10561222012001@news.primenet.com>
In response to the umpty-nine-dozen "Why can't we just..." questions about the corrupted write-once area on the card, here's an explanation that may shed some light. (Note to those "in the know": Yes, I'm simplifying things ridiculously. Not everybody playing in this little sandbox is an EE with the knowledge to understand the inner workings of a chip)
A byte of RAM memory is a set of 8 cells that can hold a one or a zero. Which cells have 1s in them determines the value of the byte when you read it. With RAM, you can change the values any time you like. You can think of that byte as 8 switches that can be turned on or off in different combinations to give you various values.
A byte of ROM is similar, in that it's 8 cells that can each hold a 1 or a 0. Unlike RAM, these 1s and 0s are fixed. Instead of the "switches" that RAM has, you can think of ROM as having either a wire (for a 1) or no wire (for a zero). They can't be changed once made. The wire (or lack of one) is a permanent thing.
A byte of Write-Once memory (Also known as "PROM", or "Programmable Read Only Memory") has characteristics of both RAM and ROM. Like RAM, you *CAN* write to it, under certain circumstances. Like ROM, once written, it's **FOREVER**. Think of a byte of PROM as being 8 microscopic fuses.
When the chip is made, all the fuses are "good". If you could see it at the microscopic level, it would look something like this: ( each | is a fuse that isn't blown )
| | | | | | | |
and would have the value FF, or 255 in decimal.
Now, let's say you want the byte to have the value B7 (That's 183 in decimal, and in binary, it's 10110111). To write that value to it, you deliberately burn out two fuses in the byte, leaving it looking like this: (| = unblown fuse, : = blown fuse)
| : | | : | | |
From that point, it would be possible to write to it again, and change the value, *BUT* there's a catch. You can only "blow" more fuses. You can't "un-blow" fuses that are already blown. This means that a number that needs one of the fuses that's already blown out is going to be impossible to write.
So why is this a problem?
Normally, byte 8000 of the H card holds the value 33 (in Decimal, 51. In binary, 00110011) and the byte looks like this:
: : | | : : | |
But after being hit by DTV's ECM last night, the byte is set to 00 - it looks like this:
: : : : : : : :
There are no fuses left to blow out. They're all gone. That means that forever and always, byte 8000 of your ECMed card is going to say "I'm holding the value 00" when asked.
Why this means the card is permanently dead:
VERY early after the card gets powered up and reset, a check is done:
Does byte 8000 hold the value 33?
If the answer to that question is yes, then all is right with the world, and things start happening. The card gets initialized, spits out the ATR string, and then goes into "wait for a command from the IRD" mode. If, on the other hand, the answer is no, then the card goes into an infinite loop that does nothing. If you program in BASIC, it's the equivalent of the line
10 GOTO 10
NOTHING gets done until the next time the card is reset. And then the same thing happens all over again.
This check is in the card's ROM, so it can't be bypassed or changed.
Reprogramming the card won't do anything useful, since the ROM doesn't even get looked at, let alone messed with, by programmers (or unloopers, for that matter) and even if it did, it wouldn't do anything useful, since ROM can't be changed (short of actually damaging it).
So how can it be fixed?
The simple answer: It can't. Congratulations. Your H card is now an ice scraper. Get used to it. Life sucks.
The more extended answer:
If you've got the micro-tools to "rebuild" the blown fuses on the chip, you could go that route, but unless you're a chip manufacturer, or have access to that type of equipment somehow, you ain't got a prayer. We're talking about electron microscopes, tools for depositing single atoms onto the silicon wafer itself, that sort of thing. In other words, trying to do it is going to mean more money, knowledge, equipment, and effort than most any of us are capable of applying to the problem.
In short, last night's ECM was the ECM to end all ECMs. Any card hit by it is toast, and barring someone developing a cheap way to rebuild chips at the wafer level (which isn't even remotely likely to happen anytime soon) there isn't a thing that can be done about it. Enjoy your new ice scraper.
Or get in touch with me about shipping it to me. I want to dissect it to get the ASIC out of it for some experimenting I want to do.
--
GLEEEEEP!!!!
PGP KeyID: 0x016B6B53 on the keyservers.
http://www.megsinet.net/~kayo/index.html
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
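An added model of the write-once byte described in the post above (example code, not the poster's own): eight fuses, FFh when fresh, and a write that can only blow fuses (clear bits), never restore them. The boot check is modelled after the post's description, not taken from the real card ROM.

```python
# Added example (not from the original post): PROM byte as 8 fuses.
# A 1 bit is an intact fuse; writing can only clear bits, never set them.

class WriteOnceByte:
    """One PROM byte; fresh from the factory every fuse is intact (FFh)."""

    def __init__(self, value=0xFF):
        self.value = value & 0xFF

    def can_write(self, desired):
        """Writable only if 'desired' needs no fuse that is already blown."""
        return (desired & ~self.value & 0xFF) == 0

    def write(self, desired):
        """Blow the fuses 'desired' needs cleared; refuse impossible values."""
        if not self.can_write(desired):
            raise ValueError(f"cannot write {desired:02X}h over {self.value:02X}h: "
                             "blown fuses cannot be restored")
        self.value &= desired
        return self.value

    def fuses(self):
        """Render in the post's notation: | = intact, : = blown, MSB first."""
        return " ".join("|" if self.value & (0x80 >> i) else ":" for i in range(8))

def boot_check(byte_8000):
    """Modelled start-up check: 33h at byte 8000 boots, anything else loops."""
    return "ATR" if byte_8000.value == 0x33 else "10 GOTO 10"

if __name__ == "__main__":
    b = WriteOnceByte()
    print(b.fuses(), "= FFh")
    b.write(0xB7)
    print(b.fuses(), "= B7h")
    card = WriteOnceByte(0x33)
    print(card.fuses(), boot_check(card))
    card.write(0x00)                       # what the ECM did to byte 8000
    print(card.fuses(), boot_check(card), "writable back to 33h?", card.can_write(0x33))
```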