satellite hacking

Another Newbie Guide
Q. What is a test card?

A. A test card is special software loaded to a satellite access card to
open up all channels wide open. This site focuses on DirecTV and Dish
Network for the North American market only.


Q. Is it easy to make a test card?

A. Yes, it is very easy to make a test card. All you need is a Windows
based computer with a free 9 pin serial connection. No programming
experience is necessary. If you can follow instructions and have basic
Windows skills you will have no problem making a test card.


Q. What types of cards are there?

A. For DirecTV there are H and HU cards. They are pictured below. The H
cards came out in 1998 and now all new receivers (if activated) receive
an HU card. Dish Network have what are called S cards. There are
different versions of S cards called ROM1 thru ROM10.


Q. What is an ECM?

A. ECM stands for Electronic Counter Measure. DirecTV and Dish Network
occasionally send a signal to shut test cards down. We sell devices that
will allow you to clean the older ECM'd software off and reload new
software to turn the card back on with all channels wide open.


Q. What is hashing?

A. This is a common type of ECM when the picture on your TV freezes. All
that is required is new software to be loaded onto the access card and the
freezing will go away. This new software is available in a few hours
through the forum once the hashing is analysed.


Q. What does 3M mean?

A. 3M is a type of software loaded to an access card to give all
channels wide open. It's referred to as 3M because it's a short form for
3 Musketeers and their slogan, "...all for one, one for all". Meaning,
software loaded to the satellite access card giving all channels.


Q. What is an IRD?

A. IRD is a short form for the satellite receiver.


Q. What is flashing?

A. Flashing is a simple process of running an automatic program on your
computer that we provide. This program will load a set of instructions
onto the main chip of your programmer to load a certain card with test
code. Once again, no experience needed. The software is all automatic.
Let's say you want to load a DirecTV HU card. You would connect the T6 HU
Loader to your computer and run the Flash program. The program gives a
few options. The one you select is HU because you want to load an HU
card. Once the program has completed flashing the chip on the T6 HU
Loader, usually 10 seconds, the device is ready to program as many HU
cards as you have. If you wanted to do a different type of card, like
an H card, then you would run the flash program and select H card. It
really is that easy...


Q. What does it mean when a card is looped?

A. A looped card is one that has become invalid or is unable to be cleaned
back to a virgin condition. When a card gets looped, it needs to be
unlooped so it can be usable again. A looped card has no value until it's
unlooped back to its original virgin condition. Then it can have some 3M
test code loaded to it and then all channels will be wide open again.


Q. How do cards get looped?

A. DirecTV and Dish Network can send a severe ECM down and loop cards.
Also, experimenting with the access card and loading all different types
of software to the card can loop it. We recommend that you follow the
instructions and you'll have no problems.


Q. What is a Bootstrap Loader?

A. A bootstrap loader, also referred to as a DPBB or Dead Processor
Blocker Board, is used exclusively for H cards that were hit on
Black Sunday, January 21, 2001.

This device bypasses the bad sector of the H card and allows it to boot up
(like a computer) and then function normally.


Q. What is a Black Sunday H card or BS card?

A. On Sunday, January 21, 2001 DirecTV sent a severe ECM down to target
all modified H access cards. They were successful and looped all the
cards. To this date, the hacking community is unable to unloop a Black
Sunday H card. The way to make the card work is to use a bootstrap


Q. Can you use any access card to get all channels wide open?

A. The answer is no. DirecTV in North America has 2 types of cards: H
and HU cards. The HU cards are backwards compatible so they will work in
any generation of DirecTV receivers. Dish Network have their own access
card, different than DirecTV. All other countries have their receiver and
specialized access card for their system exclusively. You cannot use an
HU card in a Dish Network receiver or vice-versa.

Q. Will I get all my local channels?

A. DirecTV and Dish Network have local channels available in all major
markets. Since the test cards are loaded by timezone and zipcode, you
will get the locals in that area. All the major networks are available to
all customers.


Q. What is emulation?

A. Emulation is another method of testing all channels on your satellite
system. It is a little more complicated process than loading 3M software
to a card. In emulation you need to make a computer run fulltime with
similar 3M software. No software is loaded to the card, it runs on a
computer, but the H card is required for the emulation setup to work.
Emulation is usually a more advanced testing method for people who have
mastered 3M and Activation type software.


Q. What is Activation?

A. Activation is a type of software that is loaded to an access card and
works like an actual paid card. It appears to the satellite company that
the card gets all channels. The person that uses Activation for their
card will have to buy the pay-per-views (with the remote) just like a
subscriber would. The difference is the phone line is not connected to
the receiver so the satellite company has no idea any pay-per-views were
viewed. Some folks like this method of testing. Pay for a very basic
service ($20 a month) but boost the card with Activation software and
then all the other channels will be turned on including the pay-per-

There are many more terms in this hobby but that is the bulk of the more
popular ones. Once you become a member here, you will have access to a
massive database of information to learn as much as you want about this
hobby or you can keep it simple and load your own card and mind your own
business...the choice is yours!

I get confused by all the terms, is there a handy reference for them all?

Activation:

Activation is a way to test your DSS system by simulating the programming
authorization that would normally have come from DTV. Under normal
conditions, your CAM (conditional access module [card]) is sent commands
that tell it what channels you are allowed to watch. With activation, we
will be using our PC to "upload" these commands to the CAM. It's
important to note that our commands will be "wiped" now and then via
commands coming down from DTV. When this occurs, we will have to "upload"


ATR:

Stands for Answer to Reset. Anytime a smartcard is activated or reset, it
must send data out its serial port in order for its host device to
determine the card's requirements, such as communication, programming
voltages etc. The ATR allows the card to specify what polarity to use,
the baud rate, programming voltage etc.


Means the heading from a particular location on Earth to the transmitting
satellite. Because geographical North and Magnetic North differ in
location, directions to a satellite must be corrected for magnetic


Bootstrap:

A bootstrap is the main program that drives a test card. Without it, the
card won't work. A bootstrap is programmed in the factory.


CAM ID:

Controlled Access Module ID. The serial number programmed into your DSS
access card. Each DSS access card has a unique four-byte serial number
programmed into it at the factory. This serial number is sometimes used
by DTV (or freeware activators) to send a command to your card without
affecting any other. The CAM ID is printed on the back of the CAM, with a
corresponding bar code. The CAM ID is always in the format XXXX XXXX
XXXC, where XXXXXXXXXXX (the first eleven digits) is the decimal
representation of the four-byte CAM ID.

Card Looping:

This affects re-programmed access cards, usually with 3M type software. A
program is embedded in the ROM of each DSS Access Card that leaves the
factory. This allows them some control should the card be compromised. A
program is sent down the datastream and it looks for information or code
where there normally would not be any. If it finds something that should
not be there, it puts the card into a loop. Common loop types include 99,
00 and FF.

Card Programmer:
This is a device that interfaces with your PC in order to read and write
to smartcards similar to the MiniMax.

Clone program:

A clone program uses special software to clone a legally authorized
access card, which creates multiple copies of the original card and all
the copies receive all the programs that the original card is subscribed

Datastream Updates:

This usually affects re-programmed access cards with activation type
software. It involves datastream patches or updates that are designed to
close read/write holes in the access card's architecture. This usually
results in loss of programming only. Cards can usually be re-programmed
again. This began when it was discovered that there were "holes" that
could be used to write to the access card to authorize programming.
Patches were sent down to hopefully close up the holes and make it more
difficult to re-program cards. This action was a double edged sword as it
also provided "hackers" with more insight on how to write to cards. While
some holes were patched, others were found.


DTV:

DirecTV Satellite Television. AKA: Dave.

Dish Network

AKA: Echostar or Charlie.


Dump:

Refers to a procedure to cause an access card to empty out its code. A
dump is necessary to learn about a code in order to create a test card


ECCM:

Electronic Counter Counter Measure is a device or software designed to
block or reduce the effectiveness of an ECM targeted against it. A card
blocker is an example of an ECCM.


ECM:

Electronic Counter-Measure. A code update or change in the DataStream
that is intended to disrupt programming for those persons who are not
paying full price. An ECM can be as benign as a loss of video decoding
ability (like the loss of channel 248 et al. that's recently been a
problem for cards with certain versions of 3M code), or as malignant as
an attack directed against cards with specific code changes that causes
those cards to be 99'd (like the 99ing of cards with certain other
versions of 3M code that recently happened).

EEPROM:

Stands for Electronically Erasable Programmable Read Only Memory. The
EEPROM is another key component on the access card and is usually heavily
shielded with electronic barriers to help prevent unauthorized access.
The EEPROM holds the main program or code that operates it.

EEPROM Corruption:

This also affects re-programmed access cards, usually with 3M type
software. A program is sent down the DataStream that looks for holes or
irregularities that would not be present in a legitimate subscriber's
cards, such as open read/write holes etc. If detected, the program can
permanently corrupt your card's Electronically Erasable Programmable Read
Only Memory (EEPROM) beyond repair.


Simply the angle at which you point your dish in order to receive the
satellite signal.


Emulator:

A device which plugs into an IRD and which acts like a genuine DSS card.
The emulator is designed for test purposes and usually is connected to a

'F' card, P1 card:

A series 'F' DSS smartcard. 'F' cards contained a Motorola 68HC05SC21
microcontroller core with 6K bytes of ROM, 3K bytes of EEPROM, and 128
bytes of RAM. This is the series of DSS cards that preceded the 'H' card.
All 'F' cards will have a serial number less than or equal to 0000 3999


"Hashing" is a term used to describe a technique used by DTV to thwart
changes to the code in EEPROM on the access card.

'H' card, P2 card:

A series 'H' DSS smartcard. 'H' cards contain a RISC micro-controller
core which emulates an 8051 microcontroller, 8K bytes of masked ROM, 4K
bytes of EEPROM, and 256 bytes of RAM. In addition, 'H' cards contain an
ASIC (Application Specific Integrated Circuit) which is used by the
microcontroller to calculate decryption seeds, validate messages, and
so forth. All 'H' cards will have a serial number greater than or equal
to 0000 4000 0000.

The corporation that first developed the DSS system and, as it happens,
the corporation that builds the satellites that the DSS system uses.


IRD:

Integrated Receiver-Decoder. Your DSS decoder box. Lots of different
companies make IRDs, but they all function the same way. In fact, most
IRDs have identical assemblies in them for functions such as the down
conversion and demodulation of the received satellite signal and so

IRD number:

Each IRD has a unique 4-byte ID number programmed into it at the factory,
allowing DTV to send a command to whatever card happens to be in your
decoder, if they know the decoder's ID number. If you subscribe to DTV,
you have to tell them your IRD's serial number (it's on a little sticker
on the back or bottom of your IRD) when you first sign up. The IRD serial
number is often referred to as the IRD number. In addition, the IRD
number is used to "marry" a given CAM (see below) to a specific IRD; when
the CAM is first inserted, the IRD queries it for its married IRD number.
If the IRD determines that the CAM is not yet married, it sends an
instruction to the CAM, writing its own IRD number to the CAM's EEPROM,
"marrying" that CAM to that IRD. From that point on, the CAM is married
to that IRD, and will not work in any other unless it is unmarried. If
the IRD determines that the CAM is married to another IRD, it will
usually display a message to the effect of "Insert another access card".


ISO7816:

The specification for smartcard ICs, as set down by the International
Standards Organization. Note that the ISO7816 spec is actually defined in
3 parts. ISO7816-1 defines the physical characteristics of the card
(susceptibility to X-rays, UV radiation, static discharge, magnetic
fields, etc., minimum bendability before breakage, and so forth).
ISO7816-2 defines the physical interface to the card (contact positions
and assignments, contact size, and so on). ISO7816-3 defines the
communication protocol (how to select baud rates, how to determine
MSB-first or LSB-first communication, and so on).
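
The Answer to Reset (ATR) entry and the ISO7816-3 description above both
say the card announces its bit order, baud rate and programming voltage
at reset. As an added example (not part of the original guide), this
Python sketch decodes those fields from an ATR per ISO 7816-3; the
function name parse_atr, the default reader clock and the sample ATR are
assumptions made for illustration.

```python
from functools import reduce

# ISO 7816-3 tables: TA1 high nibble (FI) -> clock rate conversion factor F,
# TA1 low nibble (DI) -> bit rate adjustment factor D. Missing keys are reserved.
F_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
           9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
D_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}
CONVENTION = {0x3B: "direct (LSB first)", 0x3F: "inverse (MSB first)"}

def parse_atr(atr: bytes, clock_hz: int = 3_571_200) -> dict:
    """Decode an ATR. clock_hz is an assumed reader clock (372 * 9600 Hz)."""
    if len(atr) < 2 or atr[0] not in CONVENTION:
        raise ValueError("TS must be 0x3B or 0x3F")
    info = {"convention": CONVENTION[atr[0]], "F": 372, "D": 1,
            "vpp_volts": None, "protocols": []}
    hist_len, y, pos, first = atr[1] & 0x0F, atr[1] >> 4, 2, True
    while y:
        # Bits of Y say which of TAi, TBi, TCi, TDi follow, in that order.
        group = {}
        for name, bit in (("TA", 1), ("TB", 2), ("TC", 4), ("TD", 8)):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                group[name], pos = atr[pos], pos + 1
        if first and "TA" in group:
            try:
                info["F"] = F_TABLE[group["TA"] >> 4]
                info["D"] = D_TABLE[group["TA"] & 0x0F]
            except KeyError:
                raise ValueError("TA1 uses a reserved FI/DI value") from None
        if first and "TB" in group:
            # Low five bits (PI1) give Vpp in volts; 0 means Vpp not connected.
            info["vpp_volts"] = (group["TB"] & 0x1F) or None
        first = False
        if "TD" not in group:
            break
        info["protocols"].append(group["TD"] & 0x0F)
        y = group["TD"] >> 4
    info["protocols"] = info["protocols"] or [0]   # no TD byte implies T=0
    if pos + hist_len > len(atr):
        raise ValueError("ATR truncated in historical bytes")
    info["historical"] = atr[pos:pos + hist_len]
    pos += hist_len
    if any(t != 0 for t in info["protocols"]):
        # TCK is mandatory here: XOR of T0..TCK must be zero.
        if pos >= len(atr) or reduce(lambda a, b: a ^ b, atr[1:pos + 1]):
            raise ValueError("missing or bad TCK checksum")
    info["baud"] = clock_hz * info["D"] // info["F"]
    return info

# Constructed sample ATR (not from any real card): T=1, F=372, D=4, Vpp=5 V.
SAMPLE = bytes.fromhex("3B F2 13 25 00 01 41 42 C6")
```
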


LNBF:

Stands for Low Noise Block Amplifier with Integrated Feed. The LNBF is a
key component of your system. Its function is to convert and amplify the
radio signals received from the satellite.


News DataCom. The company that ostensibly owns your DSS 'H' card (check
the fine print: it's not yours, it's theirs, and they could ask for it
back any time they want). In addition to owning the actual card, they're
also the company that wrote the code inside the card.

Status word. After a smartcard programmer has finished processing a
packet, it must send a two-byte status word to the host device, informing
the host device of the outcome of the transaction. Although many
combinations are valid here (all of them will start with 6x or 9x), the
ones that most 'H' card hackers will usually see are 90 00 and 90 80. 90
A0 is also somewhat common.

Tier Wipes:

This usually affects access cards re-programmed with activation type
software. It is a command sent down the datastream that recognizes
non-authorized card numbers and "wipes" channel tier information that was
programmed into them. This results in loss of programming only and the
card can still be re-programmed again.

Transport IC:

An integrated circuit inside the IRD that sifts through the entire
available DSS DataStream and outputs only that data that is relevant to
its IRD. The transport IC does this by monitoring headers within the
DataStream for matches on either the IRD number or the CAM ID, or for
messages that are tagged as public. Most IRDs currently use a transport
IC manufactured by SGS-Thomson.


Update Status Word. An internal counter in the 'H' card that allows the
card to accept only the next intended update packet from DTV.

Virgin card:

A card which has no updates on it whatsoever. Virgin cards are pretty
hard to find these days. Most 'H' cards coming from the factory these
days have at least the 29 updates from the 15 January, 1998 ECM already
applied to them.


Wedge:

A device which plugs into an IRD and into which a CAM is plugged.
Typically, a wedge will intercept the data going to the card and either
temporarily add a program tier for the channel to which the IRD is tuned,
or fudge the data in some other way so as to provide free programming.


Winexplorer:

This is a Windows 32 based program designed by Dexter. It was designed to
replace DOS card explorer programs. Winexplorer can read, interpret and
execute DSS scripts (.xpl files) that are designed to perform functions
on DSS Access cards like activate programming tiers.

.XPL file:
A script file containing commands to be sent to a smartcard via the ISO
reader/ISO programmer. .XPL is a file extension for the program


Stands for "Zero Knowledge Test". It is an encryption table used by DTV
to protect their cards.

00 Loop:

Similar to a 99 loop, as it is also designed to take the card out of
service. It causes the access card's code to hang in an idle state,
causing a "no data transfer" condition.


3M:

Refers to a test card program. Stands for 3 musketeers motto that is "one
for all and all for one." Uses special software to reprogram a card that
turns on all channels including Pay per View.

09 Hole:

Virgin 'H' cards had a hole in their security which could be exploited
using the 09 command. Basically, the way the cards work is, when an 09
command is received, the parameters of the 09 command are used to
determine which encryption key should be used to authenticate the message
being received, and the ASIC is initialized to begin calculation of what
the valid signature should be.

99'd & FF'd:

Terms used to describe cards that are no longer functional in a
specific way. When DSS smartcards are first reset, they check a pair of
bytes in their EEPROM to verify that the card is OK for use. If the check
fails, the cards go into a tight code loop, doing nothing but sending the
hex value 0x99 or FF out their serial port until they are powered down or
reset. If a 99'd or FF'd card is inserted into an IRD, the IRD will
usually display a message to the effect of "Insert a valid access card".
