Satellite TV Hacker Tells His Story

Wired is running a story about Christopher Tarnovsky, the man who was accused of working for NDS, a company owned by Rupert Murdoch's News Corp., to sabotage a competitor's satellite TV system. Wired had a chance to speak with Tarnovsky and get his description of how the smart-card hacking war developed. Quoting: "Tarnovsky, who was known online as 'Big Gun,' says Ereiser offered him $20,000 to fix cards that were killed by ECMs, and he agreed. Each time NDS created a countermeasure, Tarnovsky would analyze the code and find a way to circumvent the countermeasure. He did it while working full-time as a software engineer for a semiconductor company in Massachusetts. 'I'd be at work and I'd check the IRC (channel) to see if they'd launched their Thursday countermeasure yet,' he says. 'It was like a chess game for me. I couldn't wait for them to do a countermeasure because I would counter it in minutes.' It wasn't long before NDS came courting. Tarnovsky had a contact at the company to whom he'd begun passing information about holes in its software, even supplying patches to fix them."

Other uses for his techniques?

[Doppler00]

Wow, can we get this guy to decode some of the Bluray keys used? Break HDCP? His method is pretty straight forward, easy to follow, and looks fool proof. Expose layers in the chip and read the data directly. I don't see how manufactures can stop this. As long as the key is physically somewhere in the hardware, it should be possible to access it. I guess the reason this isn't done more often is because of the expense of the high powered microscope, toxic chemicals, and fume hood.

Re:Who wants to track down which company

[az1324]

Yeah cause there's no tech schools there or anything.

The Video Shows the Holy Grail of Sat Hacking

I spent years hacking satellite television, from the early days, the glory days of the H and HU cards and then left the scene when DTV killed with the P4 card and lawsuits. I've written my own 3Ms and emulators. What Chris has done in this video really is the ultimate holy grail of smart card hacking. The security layer he is referring to, at least on NDS cards, is sort of a sticky layer that when you attempt to pull off the coating to access the bus, it simply rips up many of the thin wires on the chip and you're SOL. This is enough to discourage casual hackers and those without good resources. It also, as he mentions late in the video, eliminates the need for using "glitching", which was accomplished using a specially programmed Atmel chip and some software, to attempt to oscillate the voltage in such a manner that allows you to read/write to the card without having a properly signed packet. Dumping ROMs is exceptionally difficult to do, even with the thoroughly hacked HU cards, and he can just casually do it with his setup. Makes me think he could also dump the ASIC, something even in the heyday of DTV hacking, was never accomplished. This would eliminate the need for an access card at all- once you've dumped the ROMs, got a valid EEPROM, all you need to do is emulate the ASIC and opcodes for the processor (which on the HU card was a Texas Instruments TMS370 chip with a modified instruction set).

Re:The Video Shows the Holy Grail of Sat Hacking

[Dun+Malg]

Makes me think he could also dump the ASIC, something even in the heyday of DTV hacking, was never accomplished. You can't dump an ASIC--- that's the very reason they exist in this application. It's not code, it's an Application Specific Integrated Circuit. It's essentially an unknown array of logic gates. The best you can do it try to reverse engineer it, and short of an electron microscope, you probably couldn't.

Re:Accountability?

[Free+the+Cowards]

That's pretty much the whole idea of having a corporation.

Re:Motivation

[donweel]

Using a hacker of this caliber is a double edged sword. If you don't keep him busy and entertained he's going to start looking for something else to do.