From: davidl6587@aol.com (DavidL6587)
Newsgroups: alt.satellite.tv.crypt
Subject: Scrambling News- U.S. DBS Hackers Encounter Code 99: Part 1
Date: 16 Jul 1995 08:53:09 -0400

[This is the first of a two-part update on DSS Piracy. It is Copyright 1995 by David Lawson (dlawson@localnet.com) and Scrambling News. All rights reserved. If you would like a copy of our catalog of video hacker books, simply E-mail or voice 716.871.1915. Your corrections and constructive criticism are appreciated.]

Background

We have entered a new era of digital satellite piracy as acknowledged by DirecTV's press release of June 16 which is included in this issue. Many of our new subscribers are interested in DBS (Direct Broadcast Satellite) and may consider becoming involved in pirating DBS signals so we will discuss the dynamics of satellite piracy in this article. The satellite piracy which most are familiar with is that of Videocipher II and we will concentrate on that system because there are many lessons to be learned from it. This is not intended to be a complete history. It is not our intent to promote piracy, but rather to provide information for the benefit of our readers.

HBO was a pioneer in the satellite delivery of cable programming. In 1975 it began transmitting its feeds to cable companies around the country. Conventional distribution involved shipping videotapes back and forth. The signals transmitted from communications satellites at that time had a strength of about 5 watts, which is the signal strength of a CB band radio, yet those signals had to travel 23,300 miles to earth. By that time they were so weak and noisy that they had to be amplified thousands of times to be strong enough to be processed by a satellite receiver. It soon became obvious to other programmers that satellite delivery was cost efficient and additionally, it allowed them to offer live events.
The first satellite systems purchased by cable companies cost $120,000+ but by 1977 improvements in technology caused the price to decrease to the $15,000 range. The first satellite hackers attempted to construct homebrew systems to intercept HBO's signals and in 1976, using military surplus and homemade dishes and homemade electronics they were able to receive HBO. As more programming became available on satellite more individuals became interested in obtaining it and businesses began to manufacture equipment. Improvements in the technology of the components led to radical reductions in their cost. A new cottage industry called TVRO (television receive-only) was born.

By the late '70s "mom and pop" satellite dealerships started opening up around the country, especially in rural areas not serviced by cable. Most of the programming available on satellite at that time was "in the clear." Homeowners who could afford to spend $6,000-7,000 on a system could receive free, the same programming being received by the largest cable companies around the country. They received HBO, Showtime, TMC, Cinemax, A&E, CNN, WTBS and other superstations from all around the country and more. The sales of satellite systems for 1984 were estimated at approximately 750,000.

Dish owners had more entertainment than time to enjoy it but their benefactors, the programmers, had a problem. They had invested in satellite delivery of their programming to the approximately 8,000 cable headends around the country because it was the most economical means of doing so. Many cable companies were receiving the programming and charging their subscribers for it but they were not paying for it themselves. The programmers decided to secure their signals in order to prevent the cable companies from pirating them. At that time there were more than 50 million cable subscribers in the country and fewer than one million dish owners. Securing the signals from dishowners was of secondary importance.
The Videocipher II satellite encryption system was designed by M/A-Com LINKABIT. Designing an encryption system is an expensive and time consuming proposition. Engineers must trade off the security features they would like to provide with all the costs and risks of providing them. In this case M/A-Com opted to appropriate some of the access control architecture being employed by the Oak Orion system in Canada. They were later successfully sued for patent infringement. The Videocipher II encryption system which they produced was described by M/A-Com as a state-of-the-art system which was tamperproof and undefeatable. The VCII (Videocipher II) was touted as the "only decoder you'll ever need." It employed the "unbreakable" DES (Data Encryption Standard).

In early January of 1986 dishowners were horrified and dish sales plummeted as HBO and then the other programmers scrambled their signals. Most had invested in a satellite system in the first place because of the free programming which was available. Now they had to purchase a $300 decoder and pay for programming. In addition, the subscription rates being charged were almost double what cable companies were charging their customers and cable rates reflected the cost of building a cable plant, running cable to the house and maintaining the system. Dishowners supplied and maintained their own equipment. The signals were already being transmitted for the benefit of the cable companies, the scrambling system had been designed for cable use and the only additional expense for programmers in serving the home dish market was in administration. Some programmers did not even offer subscriptions to dishowners because they didn't think it was a market worth bothering with.

Speculation about vulnerabilities in the VCII encryption system started in March and appeared in the form of a paragraph or two in each monthly issue of Coop's Satellite Digest which was a technical magazine for cable and wireless operators.
It was also a monthly chronology of technical improvements in electronic components, dish construction, etc. Bob Coop was one of the original satellite hackers and he was one of the founders of TVRO.

Once a credible source started reporting details of the weaknesses of the VCII system the scams started. Suddenly it seemed as if everyone knew someone who had seen a fix though they had not seen it themselves. A friend drove 600 miles to a remote farmhouse in the middle of the night. He was going to see a demonstration of a fix that would turn on all the scrambled channels except the pay-per-view movie services and he would purchase 100 for $150 each and pay cash. He would not be allowed to buy only one. One of the individuals selling the fix soldered the leads of a small epoxied add-on board to the legs of some of the critical chips on the decoder. It seemed credible. My friend was told that in a few minutes the channels would be descrambled. In the quietness and suspense as they waited for the channels to be unscrambled he heard someone in a distant room calling in a credit card number to subscribe to all the available channels. Several minutes later the sound and picture appeared on the TV screen my friend was watching. The fix was bogus. They simply had the decoder authorized legally by subscribing to programming. The add-on board was a ruse. My friend found an excuse to leave.

Another scam was perpetrated by an electronics store in the Bronx. They had a box which was connected between the decoder and receiver. It restored audio and video to the encrypted channels. They had a working demo in their store. It cost $150 and was sold without a warranty. Observers of the fix noted that it restored video on all VCII encrypted channels but audio was only available on the channels which just happened to be offered by the local cable company. They were actually obtaining the audio from their local cable company in the Bronx and piping it into the TV.
What they were actually selling was a sync generator which restored only the video signal. Descrambling the video was relatively easy. It was the audio that was "hard" encrypted.

The first of three attacks on the VCII system involved an unsuccessful attempt to duplicate the critical proprietary IC's through the use of a chip stripper. Then a group euphemistically referred to as DESUG (Data Encryption Standard Users Group) attempted to reverse the DES (Data Encryption Standard) algorithm. This was time consuming and it was not a valid option. The third attempt involved disassembling the decoder control program which is stored in the system's EPROM. This approach proved successful and led to three major hacks on the system.

The first hack led to a marketable fix. It was discovered that the pointer could be redirected to enable decoding on all channels if at least one channel was subscribed to and this only involved a change of from one to six bytes, depending on the version of the VCII board. This hack was known as the three musketeer hack (3M) because it provided all channels for the cost of one. "One for all and all for one." The three musketeer fix was first demonstrated in September of 1986 and it was put on the market in December. It did not decode all services or any PPV channels. It was only necessary to replace or reprogram the system EPROM in order to 3M a box (decoder). The response of the decoder manufacturer was to epoxy the printed circuit board making it harder to tamper with. Hair dryers were used to soften the epoxy and a utility knife was used to chisel it away. During the period from January of 1986 to December only 40,000 VCII decoders were sold. In the first two weeks after the musketeer fix was released, another 80,000-100,000, the entire inventory of VCII's in the country, were sold and dish sales picked up again.

The second hack on the system involved cloning. There are 32 bytes of information which make each decoder unique.
This consists of four 7 byte seed keys numbered from 0-3 and 4 bytes of unit ID. It was discovered that if the unique identification information from a subscribed decoder was programmed into an unauthorized unit, it would decode all the programming subscribed to by the master. This meant that hundreds or even thousands of unauthorized decoders could be cloned to receive the same programming as one decoder which was subscribed to programming.

About a year after the introduction of the 3M chips, the "wizard" hack, which irrevocably destroyed the system, was discovered. One of the early chips which featured this hack was aptly called Doomsday. In addition to the 32 bytes which provide a unique identity for each VCII decoder, there are another 28 bytes transmitted in the data stream which are critical to the decoding function. These bytes are often referred to as public data. Included is a unique service ID and channel identifier for each channel, and a period indicator which indicates the month the data is valid for. Seven bytes are the authorization mask, which identifies which services are subscribed to.

The VCII does a series of calculations involving unit ID information and the public data to obtain a working key. We detailed the math in our manual entitled "The Compleat Wizard". It was discovered that this working key was the same for all VCII's of the same series and that this common key turned on all services except the pay-per-view channels. The most amazing thing about the VC II system was that all non-PPV services would be decoded if the correct working key was entered into the correct RAM addresses, and none of the calculations mattered, and it didn't matter whether the VCII was authorized or not or even if the unit ID data was valid. The wizard software which was developed as a result of these discoveries calculated the working key automatically for the current and next month.
Its operation was essentially transparent to the user, though it was necessary to enter keys for the pay-per-view movie services like Request TV, First Choice and Action Pay-Per-View manually because their working keys required different calculations. The keys were entered through the keypad on the satellite receiver's remote control.

During the period from 1986 to 1992 dishowners engaged in piracy would install various fixes on their boards and sooner or later they would be ECM'd (electronic countermeasures) so their decoder would be shut off and they would have to purchase new hardware/software. On average, they might have spent anywhere from $100-250/year for all programming including pay-per-view and special events. Subscribing to all the programming would have cost several times that amount.

There was an ongoing ECM program which was operated by G.I. (General Instrument) after they bought out M/A-Com. When the first 3M fixes were used in 1986 it was not known that the box ID was stored in two locations. A message was sent in the data stream to decoders to compare the ID's in both locations. If they did not match the box was shut off. VCII's suspected of being clone masters would be shut off on the grounds that they were oversubscribed. When wizard technology became predominant ECM's involved changing channel ID information, assigning multiple services to the same tier bit, etc. The commercial decoders used by cable companies could recognize the difference but residential models could be shut off.

Hackers monitored the datastream on certain channels and they were able to observe ECM's being tested. This often allowed them to modify software and hardware fixes and have them ready to sell before an ECM was actually employed.

Most dishowners had their dishes installed and their decoders modified by a satellite dealer who kept their system running so they did not have to be aware of the latest ECM's or fixes.
They didn't have to rely on any satellite dealer though and they didn't have to be an electronics expert to keep their VCII descrambling satellite delivered programming. An entrepreneur started a magazine called the Blank Box Newsletter. The sole purpose of that magazine was to provide advertising space for those selling the latest fixes because they could not buy space elsewhere. It was devoid of editorial content. Every month the advertisers featured the latest pirate products and services. The pirate products available ranged from how-to videotapes to seed key pullers, hardware/software fixes for all models of VCII boards, DES calculator software, VCII emulator software, etc. A list of the advertisers in the magazine was a list of who had been busted. Anyone capable of plugging in a chip or soldering could follow the instructions which accompanied the latest chip or hardware fix. If they couldn't do it themselves, there were a half-dozen businesses they could overnight their descrambler to, and most of them provided excellent service. The name Blank Box Newsletter was discovered to be a copyright infringement so the name was changed to Satellite Watch News.

Dishowners did not even have to subscribe to a magazine to be kept abreast of the latest techniques for pirating satellite television. They could watch it on their satellite systems.

The patron saint of satellite dealers is the late Shawn Kenny. He used the medium itself. From a makeshift studio located at his New Jersey satellite dealership he produced a weekly show called Boresight and he rented time on whatever satellite had space available. It wasn't very expensive. He was another of the pioneers. He hated scrambling and considered the VCII to be a piece of junk. His motto was "a (decoder) module in every home." His show included satellite news, tech tips for dish dealers, some kibitzing and a segment called "Yellow Rain (Piss on the VCII)."
He had an encyclopedic knowledge of satellite equipment and when he was demonstrating components he considered inferior he would place them on a block and smash them to pieces. In the Yellow Rain segment he delighted in showing programmers the latest means by which their programming was being stolen. Fixes were demonstrated and guests explained in exquisite detail how to pull seed keys from a decoder or adapt certain fixes to different versions of the decoder.

Someone found a set of schematics and technical information about the VCII allegedly in a dumpster behind General Instrument's manufacturing facility. They were marked confidential. Shawn was ecstatic. He copied and sold them as a package every week along with his other products. At one point G.I. sued him and got a $625,000 judgment against his company but they were never able to collect.

One of the more amazing hacks which was shown on Boresight was the Parasite board. It illustrated just how completely the Videocipher II was understood by the hackers. It was a Videocipher II clone built with non-proprietary components. To make it function it was only necessary to load it with unit ID data. It was a precursor of the SUN (Secure Universal Norm) decoder. Unlike the Videocipher II which uses an embedded secure processor, the SUN used a detachable secure processor. It was a plain vanilla decoder which could be programmed to emulate a VCII, Oak, or B-MAC and it could be reprogrammed in case of a security breach. When SUN boards were first introduced they were 2 years ahead of pirate VCII technology. They stored two clone ID's and had wizard back up for 8 different working keys and they countered a variety of ECM's years before they were actually employed.

The only crime worse than using a Videocipher II decoder to steal satellite delivered programming was to steal it without using a Videocipher II decoder.
General Instrument sued Dectec, manufacturer of the SUN, on the grounds that the SUN used the Videocipher II operating system. Dectec denied it. Their operating and data transfer system was encrypted using a Dallas SIP Stik which provides the same level of security used by the banking industry to protect their data. G.I. was not able to prove their case in Canadian courts though they did effectively cripple the company.

By 1992 General Instrument started to take control of its system. It established a swap out program to issue VCII PLUS units to legitimate subscribers with untampered decoders. Instead of a common key which turned on all services except the PPV's each service now had its own unique working key but it was still a common key which worked in all residential decoders. Instead of entering a 20 digit monthly key which would turn on all the basic services, it became necessary to enter 20 digits for each of the 60 or so channels available. Then the keys started changing more frequently, with some changing weekly and then daily. This led to the development of modem based fixes which would allow the user to simply press a button on their remote control which would cause the modem to call a BBS and download the latest working keys into the RAM of the Videocipher board. This worked for a while but other ECM's made it necessary to make frequent software and hardware changes. In addition, many individuals were paying for long distance charges to a BBS in order to download the keys. When the movie channels like HBO and Showtime moved to the VCII PLUS system, most dishowners abandoned piracy because they could no longer get the channels they really wanted and the cost of piracy was higher than the cost of subscribing to the channels which were still available.

The pirates established a sophisticated computer network in order to obtain and distribute working keys.
It consisted of a central computer connected in real time to a number of satellite dishes around the country. The dishes were programmed to receive monthly hit data and then move to another channel. That data was then sent from the central computer, again in real time, to several nodes positioned around the country. Local satellite dealers received their monthly data from the node computers so consumers in many cases only had to make a local phone call to a BBS operated by a local satellite dealer.

The working keys for some services were obtained from the commercial VCII decoders installed at cable companies around the country by the technicians who maintained them. Data necessary to calculate the working key was only sent occasionally, so decoders dedicated to one service like those at cable headends did not miss it. Once obtained, the keys would be posted on BBS's across the country. G.I. tried to determine the location of these compromised commercial decoders by sending bogus data and watching the working keys posted on the BBS's. They could take that information, calculate the box ID from it and they would know which cable headend it was installed at. This led to co-operation among the various BBS's to stop posting working keys until they were verified, so they would not jeopardize the individuals who obtained them. Some individuals were charged, nevertheless.

When G.I. did finally start to shut off massive numbers of pirate decoders they did so with almost mathematical precision. They knew what fixes were available for each model of their decoder and how many dishowners were using each. They shut them down sequentially so their production facilities and pipeline were not overloaded because they also knew how many VCII PLUS boards they would sell to those who had been shut off. It is interesting that the devastatingly effective rounds of ECM's which occurred at the very end of VCII piracy could have been done years before.
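G.I.'s tracing tactic described above (send bogus data, then work back from the working key that appears on a BBS to the box ID) can be sketched from the operator's side as follows. This is an added example, not code from the original post or from General Instrument; the HMAC-based key wrapping, the 7-byte canary length, and every unit ID, seed and function name are assumptions made for illustration, since the post does not give the real calculation.

```python
import hashlib
import hmac

KEY_LEN = 7  # assumption: canary keys sized like the 7-byte seed keys in the article


def _pad(seed: bytes, period: str) -> bytes:
    """Toy per-unit pad (HMAC-SHA256); a stand-in for the real key wrapping."""
    return hmac.new(seed, b"wrap|" + period.encode(), hashlib.sha256).digest()[:KEY_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def canary_key(trace_secret: bytes, unit_id: bytes, period: str) -> bytes:
    """Bogus working key that is unique to one decoder for one tracing round."""
    msg = b"canary|" + unit_id + b"|" + period.encode()
    return hmac.new(trace_secret, msg, hashlib.sha256).digest()[:KEY_LEN]


def build_round(trace_secret: bytes, units: dict, period: str):
    """Operator side: per-unit addressed messages plus a canary -> unit_id index."""
    messages, index = {}, {}
    for unit_id, seed in units.items():
        key = canary_key(trace_secret, unit_id, period)
        if key in index:
            # A truncated-MAC collision would make attribution ambiguous.
            raise ValueError("canary collision; rerun with a new period label")
        index[key] = unit_id
        messages[unit_id] = _xor(key, _pad(seed, period))
    return messages, index


def decoder_unwrap(seed: bytes, wrapped: bytes, period: str) -> bytes:
    """Decoder side: recover the key that was addressed to this unit."""
    return _xor(wrapped, _pad(seed, period))


def trace_posted_key(index: dict, posted: str):
    """Map a key string seen on a public board to a unit ID, or None if unknown."""
    cleaned = posted.replace(" ", "").replace("-", "").strip()
    try:
        key = bytes.fromhex(cleaned)
    except ValueError:
        return None  # not a hex key at all
    if len(key) != KEY_LEN:
        return None
    return index.get(key)  # None for genuine keys or keys from another round


# Constructed sample data: these unit IDs (4 bytes) and seeds (7 bytes) are made up.
UNITS = {
    bytes.fromhex("00a1b2c3"): bytes.fromhex("11223344556677"),
    bytes.fromhex("00a1b2c4"): bytes.fromhex("8899aabbccddee"),
    bytes.fromhex("00f00d01"): bytes.fromhex("0102030405060f"),
}
TRACE_SECRET = b"constructed-operator-secret"
PERIOD = "round-1"


def demo():
    """One tracing round: a single unit's key is posted and attributed."""
    messages, index = build_round(TRACE_SECRET, UNITS, PERIOD)
    leaking_unit = bytes.fromhex("00a1b2c4")
    leaked = decoder_unwrap(UNITS[leaking_unit], messages[leaking_unit], PERIOD)
    posting = " ".join(f"{b:02X}" for b in leaked)  # as it might appear on a board
    return trace_posted_key(index, posting)


if __name__ == "__main__":
    print(demo().hex())
```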
The era of Videocipher II piracy has ended. The "de facto" encryption standard was also the world's most hacked scrambling system. Until very recently it was possible to pirate two dozen or so services. In the last few weeks the working keys have been changing every few hours.

The fatal flaws in the encryption system are not lost on those designing today's systems. The access control system was left in the open where it was easily accessed. It employed an embedded secure processor which could not be changed when there was a breach of security and the control data could be modified. It took General Instrument 7 years to secure its encryption system.

An article in one of the satellite trade magazines a couple of years ago estimated that over the years General Instrument had made a profit of about $800,000 million strictly from piracy. Many believe that G.I. itself released details of its system so it would be hacked. With all the security features the system employed it had a wide-open back door. In 1987 G.I. claimed it had manufactured 300,000 decoders but independent sources with access to information from component suppliers claimed that 1.3 million had been produced. The number of authorized decoders was only ever a small fraction of the production figures. It was discovered that over 400,000 had been shipped to Canada at a time when it was illegal for Canadians to own them. Hundreds of thousands more were illegally shipped to Mexico and the Caribbean.

Today, there are 2.3 million subscribed VCII PLUS decoders in the country. HBO has well over a million paying subscribers. Some speculate that VCII piracy was tolerated in order to sustain the growth of the satellite business.
They believe that if the system had not been hacked it is unlikely the industry would have achieved the growth it has had. To the best of our knowledge no dishowner in this country has ever been charged with pirating satellite delivered programming but those who modified the decoders were. Hundreds of satellite dealers lost their businesses, families, homes and liberty. During the heyday of VCII piracy it was so pervasive that dealers who were selling satellite systems and subscription programming simply could not compete with dealers who sold systems with free programming. By the same token it is difficult for a secure encryption system to compete against one which is hacked when the public has the choice of which system to purchase.

We have now entered the age of digital compressed satellite programming and all analog systems are converting. Because of compression it is possible to put several channels on a transponder which now only carries one. The savings for programmers far outweigh the astronomical cost of the necessary equipment. For some consumers, a pirate smart card which would provide access to all DirecTV programming would be a dream come true. It may happen, despite what now appears to be a fortress of security features built into the system.

[In part two we focus on existing DSS piracy DSS hackers discover Code 99.]

END PART 1 OF 2 PARTS

From: davidl6587@aol.com (DavidL6587)
Newsgroups: alt.satellite.tv.crypt
Subject: Scrambling News: U.S. DSS Hackers Encounter Code 99 Part 2
Date: 16 Jul 1995 08:53:09 -0400

[This is the second of a two part update on DSS piracy. It is copyright 1995 David Lawson (dlawson@localnet.com) and Scrambling News. All rights reserved. E-mail or voice 716.874.2088 for a free product catalog of hacker books. Your corrections and constructive criticisms are appreciated.]
DSS Hackers Encounter Code 99

The DSS System

The DSS system rolled out nationally last September and in less than a year it has acquired about 650,000 subscribers. There are two more DBS systems ready to launch. The dish size, ease of installation, low maintenance and up-front cost of the systems are major reasons for the faster sales of DSS.

The DSS scams have started. It is July 6, 1995 and there are no fixes for the system available other than gray marketing as we have discussed. A business called Test Card is however, advertising that they are looking for dealers and distributors for a DSS test card. Someone else has a package for $29.95 which describes how to get $1000 worth of programming for $50/yr. "Don't miss out on this hot new information package." No one we know who has responded to these ads has received anything back yet. There may also appear in the next few months DSS bibles, software packages which will likely consist of the various pirate programs and source code used to break the European version of Videocrypt. They will probably originate from John McCormac's Special Projects BBS which is a repository for Videocrypt information. There may also be bogus DSS reader/writer software and a PC interface. The data structure is non-standard. A working PC interface for this system is complex and very expensive.

The DSS system employs a digital and far more secure version of the Videocrypt encryption system which is used in Europe. It is a smartcard system which employs a detachable secure processor. If security is breached, the smartcard is replaced. The European system has just issued its tenth series of smart cards. All previous series have been hacked. Europeans can walk into shops and purchase the latest pirate smartcard or order by mail. Services using Videocrypt are only authorized for specific countries so those in other countries can purchase pirate smartcards with impunity. They typically work for 6 months or a year and cost $150.
Inevitably they are shut off and the users wait a month or so until the next version is ready.

A rumour is that John Grayson's chief engineer at Dectec has been hired by a Western Canadian group working on DSS. He designed the SUN board. Supposedly there are 10 members of the group and each has contributed $50,000 to the project. John Grayson was recently spotted at a Cable Show in Europe and has moved on to other projects. This means there are now two separate groups working to develop a marketable fix for DSS. The existing work done on the system has involved a consortium of U.S. and European engineers. The Europeans have years of experience with Videocrypt and there are now several groups with expertise to work on the system.

Anyone trying to reverse engineer the smartcard will encounter the nefarious code 99. The card developed by RCA and Motorola can be rendered useless by high-frequency, low voltage, temperature and other types of probing. Any type of tampering results in erasure of the micro code in the EEPROM and sets the card to code 99, rendering it absolutely useless. The smartcard which has been developed for the DSS system is, at this moment in time, impervious to all known methods of hacking. In addition, code can be reprogrammed on-the-fly, every 29 seconds. Reprogramming was used in the 09 series smartcards in Europe which increased their longevity, although they eventually had to be replaced anyway.

Just as hacking the Videocipher II system never involved breaking the DES, hacks for the DSS system do not necessarily involve being able to reverse engineer the smartcard. The fix to be released will probably involve reprogramming the card to add existing services to those already being paid for, including pay-per-view credits, sports etc. An earlier plan to offer 4 different cards with different tiers of programming has been abandoned because it has been found that the card cannot be duplicated.
Any DSS receiver can be cloned to work with any smartcard. It can also be shut off independently of the smartcard. A benefit for users of reprogrammed smartcards is that they will have to maintain some level of subscription so they will not lose all programming when the card is shut off and has to be reprogrammed.

A huge problem with making a business of any hack for the DSS system involves the massive security which is in place. Current plans involve distribution of programming software to 500 sites. The software will only be able to program 100 cards, then new software must be purchased. This ensures that the developers will be paid frequently. The software will not be generally distributed or posted on BBS's. We do not know more about the distribution system. Each card being reprogrammed requires a separate program. A better distribution system would involve the internet and would allow individuals to reprogram their cards directly using the phone line, which is DirecTV's own backdoor into the box. In the short term, piracy of the DSS system may be of the gray market variety and may exclusively involve use of the DBS Dialer which has just been developed.

Gray Market Piracy - The Dialer Systems

Some non U.S. residents subscribe to DirecTV programming by simply obtaining a U.S. billing address. Any phone book lists Mail Receiving Services which provide a street address. Many telephone answering services also provide this service as well as private phone lines. When they subscribe they simply say they do not have a phone. This precludes them from ordering sports packages like NFL Sunday Ticket, NBA League Pass, the NHL Center Ice package or the regional sports networks. They must also order special events manually at an additional charge of $2. Since many foreign subscribers do want access to sports and PPV events it was natural for a variety of call forwarding services to be established.
The two dialer systems which are the subject of the press release from DirecTV have been operating in Canada for several months. One system is based in Ontario and the other is in British Columbia. The Ontario system was diverting monthly calls from the DSS boxes to a Western NY number while the B.C. system diverted its calls to Blaine, Washington.

Canadians have been purchasing thousands of DSS systems and they are even being sold in major consumer electronics stores. The head of the CRTC which is the Canadian equivalent of the FCC has said on the national news that Canadians will not be prosecuted for subscribing to DirecTV. At the same time DirecTV has no legal right to extend subscriptions to Canadian residents. Those complaining about DSS are the cable companies and Expressvu, a Canadian based DBS service which is almost ready to launch. With their dismal roster of Canadian programming they cannot possibly compete with gray market DirecTV programming even though Canadians must pay the high subscription prices charged by DirecTV and USSB with Canadian dollars which are worth $.70 U.S.

The dialers currently being used by the Canadians are Equal Access dialers which were used at one time to dial the prefix to connect to Sprint. They are now surplus and the operators of these dialer services have been purchasing quantities of them for $30 each and then charging Canadians $150 apiece with a subscription to their redialer service. That only involves establishing U.S. phone numbers to route the calls through. Some operators only had one or a few U.S. numbers so hundreds of DSS systems were connected to Canadian phone lines and routing their monthly PPV billing calls through the same U.S. phone number. The dialers pass ANI data from the originating phone number as call forwarding systems do. In addition, the systems are not secure. To exacerbate the situation, the phone numbers being used were posted on BBS's so many individuals piggybacked on the system.
Some foreign subscribers even plugged their DSS boxes directly into the phone line, essentially requesting that their systems be shut off. The problem is that ANI (actually ANAC: Automatic Number Announcement Circuit) data is transmitted with phone calls. This data identifies the billing phone number including area code. Businesses like DirecTV which rent 800 numbers receive ANI data along with other caller information and callers to 800 numbers give up that data whether they know it or not, and regardless of whether their phone number is unlisted or not.

The DBS Dialer

This is a newly engineered gray market product intended for use by those in offshore countries where DirecTV is not licensed to operate. It is available from New Advanced Technologies at 514.458.3063. The system consists of two units. The dialer is connected between the DSS unit and the phone line. It intercepts the 800 number call made by the unit and routes it to whatever U.S. number it has been programmed to call. The call is received by the diverter unit which strips out ANI data associated with the true phone number and substitutes the ANI of the billing phone number the diverter is connected to. The diverter must be connected to a line with three way calling capabilities.

The DBS Dialer system has many desirable features. It allows users to operate their own system independently without having to subscribe to someone's service. It is not necessary to reveal phone numbers to anyone who might piggyback or otherwise compromise the system. Users are not reliant on the supplier and need not pay subscription fees. Both dialer and diverter(s) are password protected and the password of the dialer(s) must match that of the diverter. Anyone wanting to piggyback on the system would have to know the password as long as it is changed from the default value of 1234. The system is completely field programmable and there is a separate password allowing access to programming functions.
The system has been designed so that in case of a power failure the dialer unit shuts down rather than pass ANI data about the location of the system. DirecTV uses several 800 numbers and DSS units store them in both the "smart" modem and in EEPROM. The DSS modem can be programmed to execute a wide variety of countermeasures. Designers of the DBS Dialer have taken this into consideration. The code in the diverter may be updated if it is necessary. The designers are now adding capture, store and forward technology to the dialer so it won't matter what number the DSS unit calls. The Canadian dialers were shut off when DirecTV changed the number the DSS units called. They can be reprogrammed but a simple command in the data stream will shut them off again and they will have to be reprogrammed again.

DBS Dialer - Programming

The dialers have two RJ11 jacks. Ordinarily the DSS unit is connected to the jack marked DSS. For programming purposes a telephone is connected to this jack. A standard telephone line is plugged into the other. We received a beta version of the dialer and diverter for test purposes. We began our test by changing the programming password to 2198. We changed the dialer and diverter passwords to 9299. They must be the same. In a case where more than one diverter is used in a network, the diverter passwords must match as well. We programmed the dialer to call the number where the diverter was located. We left the trigger sequence at the default value of 1-800 but if we were on a phone system where we had to dial 9 to call out then we would have programmed it in place of 1-800. Call capture store and forward capability is being added to the system so the programming instructions we included in the hard copy version of this report are now redundant. We also stated in the New Advanced Technologies advertisement that it supplies U.S. addresses and phone numbers. It does not.
Telephone companies maintain regional ANI circuits to assist line technicians with testing and line identification. Dialing one of these numbers connects the caller with a computer which reads back his ANI data. We used 1-800-MY-ANI-IS which is an MCI service. Another service is at 10732-1404988 9664. It is also a toll free number. We connected a phone in place of the DSS receiver and made the call. The dialer intercepted the number we dialed, forwarded the call to the diverter, and the diverter called 1-800-MY-ANI-IS. The ANAC computer reported the phone number and area code where our diverter box was located and not the actual phone number we were calling from. Individuals from Canada, Mexico and the Caribbean have also tested the system and found it to work. The DBS Dialer worked perfectly. It does the job it was designed to do.

The footprint of the DirecTV signal covers the continental U.S. and most of Canada. We have heard of reception as far south as Mexico City (with a 3 foot dish) and throughout the Caribbean. The DBS Dialer allows individuals in those countries to subscribe to programming and receive pay-per-view events. A very low profile system would have only one DSS system connected to a diverter box located at a U.S. address but some individuals may establish small networks. We have no knowledge of the laws regarding the reception of DirecTV programming in the various countries where the signal is available.

Since the system passes voice as well as data calls it could conceivably be used to make use of 800 numbers in the U.S. or possibly to reduce long distance charges. It could also be used by networks of cautious individuals to manually order PPV events. The common phone number could easily be that of a business with several employees who have DSS systems. The system could also be used by U.S. residents or commercial establishments to obtain locally blacked out sports events by misleading DirecTV about the true location of the system.
Using the DBS Dialer in the U.S. is a serious crime and subjects users to the variety of criminal and civil actions mentioned in DirecTV's press release. The units could also be used by individuals who obtain the deluxe system and take advantage of the reduced subscription rates available to additional units. We have heard that DirecTV is now insisting that all units in a deluxe system be connected to the same phone number.

Appendix

DIRECTV PREPARES LEGAL ACTION AGAINST UNAUTHORIZED DISTRIBUTORS

Complaints Seek to Prevent Illegal Reception of DIRECTV Service Within Canada

Los Angeles, CA. June 19, 1995 - DIRECTV, Inc., a unit of Hughes Electronics Corporation, took action against individuals and entities in Canada who have facilitated the illegal reception of the DIRECTV programming service in Canada. Cease and desist letters were issued to five potential civil defendants, four of whom are located in Canada. DIRECTV is also preparing to file civil claims against the potential defendants in U.S. federal courts. In addition, DIRECTV is deactivating the accounts of more than 600 known "grey market" Canadian subscribers whose accounts with DIRECTV had been activated by the defendants. These steps by DIRECTV are part of its ongoing broader effort to actively protect its programming rights and to secure the signal integrity of the direct broadcast satellite (DBS) service.

A civil complaint was delivered with the cease and desist letters sent to David A. Diebert of Echo Communications and/or Dragon Pacific, Vancouver, B.C.; Mike McAllister of Version II Marketing, Waterloo, Ontario; National Computers and Supplies, also of Waterloo, Ontario; Digital DTH Distributors, Edmonton, Alberta; and Propack Inc., Blaine, Washington. The complaints are to be filed shortly in U.S. District Courts in the states of Washington and New York if the defendants do not meet the demands contained in the letter.
The civil claims are a result of investigations by the DIRECTV Office of Signal Integrity, which is headed by former FBI Special Agent Larry Rissler. Rissler's investigation revealed that the defendants, through the distribution of equipment and attempts to manipulate the DIRECTV customer service system, facilitated the reception of DIRECTV programming by residents of Canada. These actions were detected by DIRECTV through its sophisticated security systems and procedures. Further, the complaint alleges that the defendants assisted individuals in obtaining programming by attempting to disguise the location of the installed DSS(tm) system through electronic devices and other schemes. These actions violate several U.S. federal statutes, all of which also carry substantial criminal penalties.

"We're committed to the identification and, where appropriate, the prosecution of those individuals and entities who foster the unauthorized receipt of DIRECTV programming," said Rissler. "These actions are the first visible results of an aggressive on-going campaign by DIRECTV to protect its service and attack all types of unauthorized use, including Canadian grey market activities, as well as any residential or commercial misuse within the United States," Rissler added.

The federal statutes cited in the complaints are the Federal Communications Act, which prohibits the unauthorized receipt and use of satellite communications, including commercial television programming; the Federal Wiretap Statute, which proscribes the use of electronic or mechanical devices for the surreptitious reception of satellite programming; and the Computer Fraud and Abuse Act, which addresses the transmission of false information through sophisticated computer systems. According to DIRECTV, the filing of the civil complaints would mark the first known use of the Computer Fraud and Abuse Act to address satellite signal theft.
Because of the sophisticated nature of the computerized DIRECTV authorization and billing system, the electronic devices used by the defendants resulted in telephone calls from the DSS receivers to the DIRECTV computer system which were detected and traced to the DSS units authorized by the potential defendants.

The civil complaints also cited Washington and New York state causes of action, including wrongful interference with DIRECTV programming contracts and wrongful interference with prospective business advantage. In all instances, DIRECTV has demanded that the defendants immediately cease and desist the illegal action. Failure to comply could lead to the issuance of injunctions ordering the defendants to stop the illegal activities and the assessment of monetary damage awards. In the case of the Federal Communications Act, damage awards can be as much as $110,000 for each violation.

DIRECTV and DSS are trademarks of DIRECTV Inc., a unit of Hughes Electronics Corporation. The earnings of Hughes Electronics Corp., a wholly owned subsidiary of General Motors Corporation, are used to calculate the earnings per share of General Motors Class H Common Stock (NYSE:GMH).

For more information, please contact:
DIRECTV, Inc.
Linda F. Brill
Director, Public Relations
(310) 535-5062

Resources

American Hacker BBS. Access is included with a subscription to the hardcopy version of this newsletter. There is a free bulletin section which is free to all. If there are any radical developments we will post news there. We also post to various Usenet news groups. 716.871-1915

Bomarc Services has some schematics for the RCA receiver (see their ad in this issue). They are contract reverse engineers and they have thousands of schematics available for all kinds of electronic devices including most cable boxes. A catalog of their 22 product categories costs 4 stamps. The catalog of cable and satellite descramblers, converters etc. costs $5.
The following DSS schematics are available:

  Full Signal Modulator w/RF switch (Alps 3N0110A-US). $2.
  DSS Tuner Module (Sharp B5532). $4.
  Dual Polarity Single Channel Ku Band LNB for DSS Systems. $1.
  Dual Polarity Dual Channel DSS LNB. $2.

Bomarc Services, Box 1113, Casper, WY, 82602.

Triangle Products is the major supplier of Oak decoders. They are available in VCII card cages for those who don't wish to use free-standing units. New Oak encrypted channels include Mandarin and Filipino. They also carry SureWrit 9, which is a diagnostic test device for those studying VCII or 029 PLUS technology. They have raw B-MAC's as well. 616.399.6390.

Hack Watch News is the foremost hacker newsletter in Europe. It is available by electronic delivery or by mail. It is written by John Mc Cormac who is the author of the "European Scrambling Systems" series. They are comprehensive texts on scrambling. John's Special Projects BBS is a repository for Videocrypt information, smartcard programs with source code etc. Voice 011-353-51-73640. BBS 011-353-5150143. E-mail jmcc@wizardr.ie. He has an article in the August issue of Electronics Now entitled "Has DSS been Hacked?" That article is available at http://www.iol.ie/~kooltek/hasdss. We have greater quantity and more current information on the U.S. system in our zine American Hacker.

European Scrambling Systems Volume 4 is 500 pages long and concentrates on Videocrypt. It is available from Baylin Publications, 1-800-483-2423.

New Advanced Technologies manufactures and distributes DBS Dialer Systems. They invite inquiries for single units or networks. Voice 514.458.3063. FAX 514.458.0798.

END PART 2 OF 2 PARTS