Blog Back again

After a complaint from Broadcom we have had to remove the picture of the schematic from our blog…

Sorry for the inconvenience…

We will strike back soon

May 12th, 2011 by admin | No Comments »

ORS and Irdeto take action against hack

In a joint effort to combat the recent hack of the Austrian DTH platform, the technical platform operator ORS and Irdeto are implementing ECMs to stop pirate satellite tuners from receiving the signals. As a result, over 1.3 million smart cards need to be replaced.

At the same time, the two parties are actively pursuing closure of websites and forums that openly advertise and instruct viewers on how to hack the signal.

ORS has taken the first electronic countermeasures (ECMs), which should make illegal reception impossible. Every week, a new code will be sent to all official smart cards. But further measures are needed in order to secure the system for the future. This will involve exchanging older generation smart cards during the next few months.

ORS is the Austrian facilities company that operates the DTH platform of public broadcaster ORF. The recently launched AustriaSat platform from the M7 Group also makes use of the same technical infrastructure and is also believed to be affected by the hack.

When the first reports about the hack surfaced, ORS denied the system was compromised. Now, the operator has confirmed the leak. “It is true that ORF Digital system was attacked by hackers,” ORS spokesperson Michael Weber told the online news service Futurezone.at. “They have illegally counterfeited the key of a customer card.”

Three older generations of the Irdeto Cryptoworks (formerly Philips Cryptoworks) smart cards are affected by the hack. They are the Cryptoworks generation 4, 5 and 6. These are cards that were sold in retail in the period between 2003 and 2006.

In order to secure the signal again, these cards need to be replaced since they will no longer work after the necessary security update of the system. It is not unusual for smart cards to become obsolete after a couple of years and a period of 5 – 6 years is actually quite good.

Newer generations of the card will be able to continue to receive the signals. About 1.8 million of these newer cards have been sold. Irdeto acquired Cryptoworks from Philips in January 2006. The technology is completely different from Irdeto’s core technology used in the company’s other smart cards.

UPDATE - At our request, Irdeto has sent us the following statement: “Irdeto has over 40 years experience protecting some of the world’s most recognized digital brands. Our industry-leading anti-piracy team is dedicated to staying ahead of would-be hackers and quickly and efficiently shutting down any potential threat to the sustainability of our customers’ digital business models.

Irdeto has well-established processes for investigating and combating issues such as those currently being experienced by ORS with Irdeto’s Cryptoworks technology. Our Anti-Piracy & Fraud Group works tirelessly to identify and mitigate threats to our customers through both technical and legal measures. We respond immediately and with the utmost vigor upon learning about any threat, launching a full investigation and enacting countermeasures designed to minimize business impact for our customers.

In this specific instance, we are working closely with ORS to develop a swift and permanent solution to combat the problem. The cards affected have already delivered excellent return on investment to ORS, having been in the field for more than 5 years, which is higher than the industry average. The cards affected use the Cryptoworks technology that Irdeto acquired from Philips in 2006. Cards that are based on Irdeto’s own technology are completely different and not impacted by this attack.”

Published: 10.40 UTC, January 21, 2011 by Robert Briel

Irdeto is fighting piracy using a Mr. Ken Gamble. Look at his Facebook profile: http://www.facebook.com/GamblePI. Here is the web site: http://www.gambleinvestigations.com

There are a lot of back stories about this PI and his way of working… Do your own research to find out about him. Many companies have reported anti-espionage actions like people taking pictures or filming in front of their buildings, and it seems like all roads lead to this guy or his acquaintances. These actions are on the borderline between anti-espionage and espionage! What goes around comes around!

Recording somebody without his knowledge under the US law is prohibited!

This is a free blog and the freedom of speech must remain free!
January 22nd, 2011 by admin | No Comments »

What’s coming next week…

Next week we will publish all the secrets about the DM500HD in terms of security and how DMM intended to protect their design against cloning of the DM500HD…

Will that be enough? We will see.

January 16th, 2011 by admin | No Comments »

Internet Dongle

This is an Internet Sharing dongle. We got this dongle from an unknown manufacturer. This dongle also uses the Twin Protocol to communicate with the receiver via RS-232.

This dongle is normally activated for a 1-year period and grants access to the main providers out there.

The “subscription” is normally around 25/30 USD per year.

January 16th, 2011 by admin | No Comments »

Microbox – Satellite Dongle

Many of you are asking what the Satellite dongle looks like.

Here we put on show one of the most famous satellite dongles on the market.

This is the Microbox, one of the very first satellite dongles. It fetches the Control Word from 3W and 6W and communicates with any receiver via RS-232 using the Twin Protocol.

This dongle is made by Global Sat (a Chinese company), a partner of Jozhu.

Its rival is called MoreBox, made by Sandmartin Group, aka SMT, also well known for the famous pirate card called Abracadabra.

The main chipset for Microbox is a modified version of a National Chipset for DVB. This special version was made especially for Globalsat to protect their business by providing an anti-cloning solution.

MoreBox uses a cheap Ali DVB chip combined with a crap low-cost MCU to protect the design.

Both of these boxes are nowadays hacked, and the “secrets” are now more or less public for all those who wish to implement a satellite sharing solution on a twin tuner receiver.

January 16th, 2011 by admin | No Comments »

2 more Viaccess Cards added

Added 2 more Viaccess cards to the gallery.

Welcome to BIS in Viaccess 4.0 and TAS in Viaccess 2.5

January 10th, 2011 by admin | No Comments »

Update on OSN

Many rumors are going around these days about a hack of the OSN pairing system.
People are reporting magic PC software capable of getting the Control Word in clear… Magic receivers opening OSN through sharing.

This is mainly bullshit, as far as we can understand from the BCM structure. Look here:

As you can see in the pink marked area of the Broadcom, the Control Words never come out in clear IN/OUT of the OSN NDS Smartcard. This means that any “magic” logging software cannot work in that way.

The only possible way to hack the system is an invasive attack to extract the pairing keys.

Have a look at the tech specs regarding the BSP (Broadcom Security Processor), taken from the official Broadcom datasheet:

BROADCOM SECURITY PROCESSOR (BSP)


The Broadcom Security System enables Set-Top Box (STB) chips with strong security for high performance multimedia applications that deal with high-quality video and audio. These applications can range from single-purpose conditional-access (CA) for watching-TV-only STB to multi-purpose copy-protection (CP) for Personal Video Recorder (PVR) STB and digital right management (DRM) for multimedia gateway system. Broadcom Security system implements various security components required in satellite and cable STBs and various CA and CP standards, such as CP for CableCard and Secure Video Processor (SVP), but its orientation around a powerful Broadcom Security Processor (BSP) makes it capable of implementing a variety of security algorithms, whether open or proprietary. More than just an integration of STB security components together, Broadcom Security System design is an integrated security system controlled by BSP with a small real-time OS kernel that runs on its own master processor. The Broadcom Security Processor (BSP) supports various security features in an integrated STB SoC system such as:
• BSP includes One-Time Programmable Non-Volatile Memory (OTP NVM) security module. This module allows unique keys and various security features and restrictions to be permanently programmed into a chip.
• BSP can provide key generation and management to the conditional access descramblers, e.g. DVB, DES descramblers for removing conditional access encryption from incoming transport streams.
• BSP can provide key generation and management to the mem-to-mem scramblers/descramblers, for PVR copy protection and other applications.
• BSP can provide protection to keys required by the interface security modules, e.g. High bandwidth Digital content Protection (HDCP) engine for high-bandwidth secure interface to digital displays.
• BSP can provide access control of various interfaces, e.g. REMUX interface.
• BSP can provide a secure environment and hardware acceleration for scrambling and descrambling the external data with algorithm such as DES/3DES, AES, RS, and DH algorithms, etc.
• BSP can provide a secure environment for generating and verifying digital signatures, e.g., using RSA and DSA.
• BSP can perform external memory data validation. For example, BSP can verify the signature of the codes stored in, for example, the off-chip program memory before the host CPU is authorized to execute these codes.

Any software attack via JTAG (which is not connected) will have no effect. Reverse engineering by software people cannot compromise this system. So please do not talk about magic software.

But… We will keep you updated on this.



January 9th, 2011 by admin | No Comments »

Smartcards added to the Gallery

Today we updated our smartcard gallery with over 70 different smartcards from almost all the conditional accesses.

Your help in giving us more cards will be strongly appreciated.

January 7th, 2011 by admin | No Comments »

Satellite Dongles

IN THIS ARTICLE WE EXPLAIN HOW A SATELLITE DONGLE WORKS IN GENERAL

For a couple of years now, the satellite market has completely changed its weapons against the increasingly secure smartcards on the market.

After the McCormack Hack, better known as Card Sharing, was revealed in the late 90s, real Internet card sharing started in late 2002 with the sharing of the official smartcard. This is basically based on sharing the 8 bytes of the Control Word (6 bytes + checksum) that descrambles the channel through the Common Scrambling Algorithm.

These 8 bytes can be propagated and used by many users at the same time, as they are valid for a variable period of time, from 4 seconds up to sometimes 30 seconds.

Over the Internet, using server and client software such as CCCam, Oscam, NewCamD etc., the CWs are shared on request: the user sends the ECM to the server, and the official smartcard answers back with the 8 bytes of the Control Word as if it were in the smartcard slot of the unauthorized viewer.

This works more or less like this:

  1. The receiver gets the ECM from the stream for a certain channel
  2. It sends the ECM via the Internet to a server
  3. The hosting server passes the request through to an original subscribed smartcard
  4. The official smartcard answers with the Control Word (8 bytes)
  5. The Control Word is now sent back to the user
  6. The receiver gets the Control Word and gives it to the internal Common Scrambling Algorithm
  7. The CSA decrypts the MPEG stream

When the Common Scrambling Algorithm was designed back in 1994, the Internet was not a threat, and nobody could have imagined what was going to happen almost 15 years later.

Some encryption systems like NDS are really smart, because the ECM is sent to the card and the CW is expected in less than 600 milliseconds, so if the Internet connection is weak or suffers from latency, the CW does not arrive on time and causes a so-called “Freeze”.

Almost all the other systems, like Viaccess, Irdeto, Conax, Mediaguard and Nagravision, are based on an EVEN and an ODD control word. This means that the EVEN Control Word is used 4 to 30 seconds after the ODD Control Word, and each time the EVEN ECM comes many seconds before the ODD Control Word expires.

Long story short, the result is there for everybody to see.

Based on this simple but tricky principle, some Chinese companies introduced a couple of years ago a so-called Satellite Sharing system based on the McCormack Hack.

It works slightly differently from Internet Sharing, but the principle is almost the same: propagating the CW in real time.

Here is how it works:

1. The Chinese company subscribes to an Internet-via-satellite service, normally on the W3 or W6 satellite.

2. They receive the “internet pack”, which includes a Satellite Internet card. Here the easy part pauses. Let’s see what happens on the server side from point 3.

3. In their offices they have a dedicated card server, a little different from Internet sharing.
This server is made up of a lot of official smartcards and a lot of Set Top Boxes.
Each STB is tuned to a specific transponder for which they have the smartcard to descramble it.

4. Each STB receives ALL the ECMs for the TP it is tuned to

5. The STB sends the ECM to the smartcard, and the smartcard returns the CW for each ECM on the transponder

6. They extend this STB/Smartcard/TP solution to every TP on the satellite they want to share

7. At this point in time they have a real-time list of Control Words that will expire in 4 to 30 seconds, depending on the encryption system.

8. Back to point 2: they activate the Internet-via-satellite service and request, from a remote server located somewhere in the world, a certain web page where … what magic … the Control Words from point 7 are always refreshed

9. In theory, the Chinese user receives through his Satellite Internet Card an updated list of the CWs in real time, with a little latency of 2/3 seconds. This “web page” containing the list of CWs is filtered using the MAC address of the Satellite Internet Card; otherwise all users of this satellite ISP would receive the same contents broadcast down the satellite.

10. Now let’s pretend that we have a Satellite Internet Card with the same MAC address as these Chinese people?!@?! What would happen?

11. Simple: you receive the same web page they are requesting…

12. Now comes the funny part… The Satellite Dongle.

13. The satellite dongle operates exactly like a Satellite Internet Card, because it is a satellite receiver and it filters exactly the same packets as the subscriber’s card (by filtering the correct PID and MAC address)

14. This Satellite Dongle is now receiving the CW almost in real time from the satellite ISP (W3 or W6)

15. The Satellite Dongle is now connected to a cheap receiver via the RS-232 port.

16. The STB, using a dedicated protocol called the Twin Protocol, asks the Satellite Dongle to provide the CW for the channel that the user is watching at that moment.

17. The smart Satellite Dongle returns to the receiver the Control Word…

18. Game Over

This is the simple but working principle on which the Satellite Dongles are based.

There is a little problem… NDS…

NDS requests the CW 600 ms after the ECM, and the satellite uplink latency is much higher, around 2 to 3 and sometimes 4 seconds, and this keeps dongles from working on NDS-based encryption systems.
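The timing argument above (a 600 ms answer deadline against 2 to 4 seconds of satellite latency) can be checked with a small model. This is an added example, not code from this blog: the 10-second crypto-period, the 5-second time budget standing in for "many seconds" on EVEN/ODD systems, and the uniform latency distribution are assumptions.

```python
import random

def relay_outcome(period_s, budget_s, latency_s, periods=2000, seed=7):
    """Model a receiver that gets its control words (CWs) over a relay path.

    period_s  : crypto-period, how long one CW stays valid
    budget_s  : time allowed between the ECM and the moment the CW is needed
    latency_s : (min, max) delay of the relay path, drawn uniformly (assumption)

    Returns (late_share, frozen_share): the share of CWs that miss the budget
    and the share of viewing time spent without a valid CW.
    """
    rng = random.Random(seed)
    lo, hi = latency_s
    late = 0
    frozen = 0.0
    for _ in range(periods):
        overrun = rng.uniform(lo, hi) - budget_s
        if overrun > 0:
            late += 1
            # The picture freezes until the late CW arrives, at most for
            # the whole crypto-period.
            frozen += min(overrun, period_s)
    return late / periods, frozen / (periods * period_s)

SAT_LATENCY = (2.0, 4.0)   # seconds, the range given in the article
PERIOD = 10.0              # assumed, inside the 4 to 30 s range given above

def sweep(budgets):
    """Outcome for each time budget, from the 600 ms deadline upwards."""
    return [(b, *relay_outcome(PERIOD, b, SAT_LATENCY)) for b in budgets]

if __name__ == "__main__":
    # 0.6 s is the NDS deadline from the article; 5.0 s is an assumed
    # EVEN/ODD lead time.
    for budget, late, frozen in sweep([0.6, 2.0, 3.0, 4.0, 5.0]):
        print(f"budget {budget:>4.1f} s: {late:6.1%} of CWs late, "
              f"picture frozen {frozen:6.1%} of the time")
```

The sweep shows that the protection comes entirely from the time budget being shorter than the shortest relay latency: once the budget exceeds the longest latency, the relayed control words always arrive in time.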

The next part of this funny story will follow soon….

I hope you liked it!

Satellite Dongle?!@#? No longer a mystery thanks to Sat Press

January 6th, 2011 by admin | No Comments »

DreamBox Clones and Ferrari Card

Many people in the hobbyist market are buying cloned Set Top Boxes of the popular DreamBox 500 Standard Definition, DreamBox 800HD and DreamBox 8000HD.

Due to a lack of security, the last Standard Definition DreamBox made by Dream Multimedia had no protection in its design to prevent it from being copied.

Chinese manufacturers are always just around the corner, and they made copies of the DM500 100% identical to the original boxes, selling millions of cloned boxes.

The DM500 is based on the IBM 02500 Vulcan DVB chipset, and no action was taken to prevent the design from being cloned by stripping the PCB of the DM500 and making an identical copy of it. This process is quite complicated and takes time and resources, but the Chinese cloners have no mercy!

Later on, Dream Multimedia made the DM800HD, its first High Definition receiver, based on the Broadcom BCM7401 chipset, and this time they thought they were being smart by adding a security smartcard that performs an authentication challenge at startup to authenticate the box and prevent cloning.

Despite it all …NO LUCK and NO MERCY this time either!

We did not mention the middle stage where Dream Multimedia also released the DM600 with the security smartcard embedded as this receiver was not a cutting edge receiver.

Let’s go on with the story…

The Chinese made some smartcards, based on reverse engineering of the firmware, that are compatible with DreamBox images, original or not!

One such popular smartcard is called the Ferrari Card, and it is based on reverse engineering, from the receiver side, of what the DreamBox checks on the original smartcard.

This “hack” is still based on reverse engineering, as I said before, and each time Dream Multimedia releases a countermeasure to stop this cloning, the DM800HD clone’s images must be patched to work with the so-called “Second Stage” update.

This “hack” is a bit tricky, but just a bit, because with every update that is made, the receiver must be loaded with a patched image to make it run.

Some users do not really care about that as long as they know they have a cloned DM800HD.

There are rumors out there about a new smartcard (as yet unnamed) capable of getting the “Second Stage” update as well, because it is based on reverse engineering of the original security smartcard placed in the DM800HD.

We will keep you updated once this rumor becomes more concrete… we hope soon.

January 6th, 2011 by admin | No Comments »