Beginner Guide to making TV Pirate Cards

Rewritten March 2001

Chapter 1 - WHAT EXACTLY IS SATELLITE TV?

Satellite TV is broadcast from an "uplink" to a satellite, which bounces the signal back towards earth. The transmission can be focused on a specific part of the earth; the Scandinavian channels, for example, have a footprint targeted at Scandinavia. Receiving these channels in, say, Italy requires a bigger dish and/or an LNB with a better noise figure (0.5 dB is good, and the lower the better). (The LNB is the actual "antenna" component of a dish; the dish itself merely reflects the signal onto the LNB.)

Earlier, many channels broadcast in the clear, which means that only a satellite dish and a matching receiver were needed. For those of us interested in free English-speaking channels, the best option is to buy a Eurocrypt receiver and insert a pirate card into its smartcard slot. All Scandinavian channels broadcast using the Eurocrypt system, and all of those channels can be viewed with a low-cost pirate card. Because of this, the channels are planning to go digital in the future, which means viewers would have to buy a completely new satellite dish system. But pirate card solutions are on their way for the digital system as well. This document only covers the regular "analog" system.

Chapter 2 - WHAT CAN I VIEW?

Here is an overview of the Eurocrypt channels. Some shows are in Swedish but many talk shows and most series and movies are in English.

If you own a pirate card, it is important that you can find the update codes immediately as soon as you need them. Make a bookmark to The Hex Files - this page will always link you to pages with the current update codes. No more surfing around forever to look for codes!

Chapter 3 - WHAT'S IN A PIC PIRATE CARD?

Most pirate cards are PIC cards. They are not cloned from original cards - they just work (almost) the same way. These generic programmable microcontroller cards can be bought legally at 3-10 USD, depending on the type. Those of main interest today (March 2001) are the single-PIC16F84 card (program this with the latest (version 4) Nordic HEX file) and the MM2 card (PIC16F84 + 24LC16) - program this with the latest Multimac3 HEX files (when this was written, MM3.03 was the latest). HEX files are distributed as very small data files which can be downloaded from many Internet web sites. To program a HEX file into a PIC card, you need your PC and a PIC smartcard programmer. Best prices & best service here. The HEX files contain the computer program that makes the smartcard emulate a real access card, such as those issued by the TV companies. They also contain the latest keys (commonly called "codes").

Chapter 4 - WHY DO I NEED TWO CARDS?

The HEX files are continuously being improved. A few years ago, some HEX files didn't work well on certain types of decoders, typically Macab or Luxor Mac 3. (Also, Amstrad and Philips STU had hardware problems with all MM2 cards of the Lithium type where C4/C8 were not taped after programming.) Nowadays, the compatibility problems have been solved and all HEX files seem to work with all decoders. However, a small problem remains due to the two variants of Eurocrypt - M and S. Some channels use the M version, while Canal+, Canal+ Gul, Femman and Animal Planet use S (or S2). HEX files which handle both variants are called "autoswitching". Autoswitching doesn't always work - you might need two cards, one programmed to decode the Eurocrypt-M channels and another for the Eurocrypt-S channels. Most decoders have two card slots, but if you have a simple single-card Eurocrypt unit, you might have to swap cards. This is inconvenient but acceptable...

Chapter 5 - WHY DO I NEED TO UPDATE THE CARD?

Encryption is a mathematical function. The encrypted data (in this case, the TV show) needs a secret codeword (in this case, the 56-bit "key") to be decrypted. This secret key is known to the original TV access smartcards. To make hacking more difficult, TV channels can "download" new keys into the original cards and then start using them. This download data is bundled with the TV channel data, similar to how text-TV (teletext) information is transmitted. To make sure all original cards have received a new key before it is used to encrypt the TV channel, the download has to stay active for a month or so. A fun thing that sometimes happens: if a viewer with an original card has had his satellite receiver turned off for the entire download period, he too will be unable to view the channel, even though he has an original card! When the key is broadcast, it is encrypted with another key (a so-called "management key"), because it is easy for any hobby hacker to view what is broadcast from the uplink - all that is needed is a Season interface / data logger. Cool hackers have these management keys (or "man keys"). Those who hold a man key can see the new key the moment it is uploaded, and the second the TV channel starts using it (which makes the channel fall out on the PIC pirate card), they can create the "multimac"-style update code which the home user needs to enter in order to view the channel decrypted again. There are several management keys, and the TV companies (Canal Digital and Viasat) don't know which of them are known to hackers. As soon as they learn that, they can stop using that key (this is called "killing" a management key) and instead use one which is not known. This means they have to send out new cards to 1/256 (?) of their customers, but it could be well worth it in order to make the use of pirate cards more difficult.
Therefore, hackers are careful not to reveal which management keys are known.

Chapter 6 - HOW DO HACKERS CRACK THE ENCRYPTION?

Many management keys are known, thanks to the Keyblitz project and other "brute force" attacks. Thousands of home hackers run DES-searching software (DES-56 is the most common name for this encryption system) on their home PCs. Each member is assigned a part of the key space to search. After, say, 1000 hours on a PC, that part has been searched and the member reports back to the project coordinator whether a key was found. The Swedish Government has contributed more than anyone else to the key search, by providing free (tax-paid) university education for all, so that hackers can use university supercomputers to join the search. There is also a DES-cracking machine built by the EFF (the organization for privacy & free speech on the Internet) to show how weak the DES system is. The reason why this weak system is still being used is a political policy which prohibits US export of strong encryption. This machine is expensive to build but affordable by organized crime, and cracks (finds) a DES-56 encryption key in a few days.

Chapter 7 - THE REASON AGAINST AUTOUPDATING CARDS

Why do the cool hackers who are lucky enough to have man keys publish update codes instead of putting the man key in the HEX file so that the card could update itself? The reason is that HEX files for PIC cards can be reverse-engineered. If Viasat or Canal Digital finds an auto-updating HEX file on the Internet, they just disassemble it and see which management key was used. Then they kill that key, and all auto-updating cards using that man key would stop working! For now, the cool hackers have decided that the best solution is to keep the man keys to themselves and to provide just the update codes instantly. There is, however, one HEX file out which is auto-updating on some channels (TV1000 etc). But since this man key is thereby known, it could be killed at any time, so time will tell whether this HEX file is better just because it is auto-updating. So instead of auto-updating cards, hackers are looking at other solutions to make PIC cards even more convenient to use.

 

Difficult to understand? Here are chapters 1-7 once more, in different words!

WHY AREN'T ALL PIRATE CARDS AUTO-UPDATING?

The intention of encrypting channels is that no one except the paying customer can view the encrypted channel. The paying customer is given a cheap-to-manufacture smartcard by the TV channel. However, the functionality of a genuine smartcard can be emulated with a "pirate" smartcard (though it isn't really "pirated", because it is not a cloned genuine card but simply a card that works in the same way as a genuine card).

Encoded TV channels broadcast a digital explanation to the decoder of how to display the scrambled TV images. This explanation is encrypted - only the original smartcards supposedly know the ENCRYPTION KEY and can decrypt this message. The encryption changes every 10 seconds or so (that is why the picture remains unscrambled for a few seconds even if you remove the card). Every 10 seconds, the decoder sends 7 bytes at 9600 bps to the smartcard, which decodes them and sends them back to the decoder. The encryption key remains the same for several months, but for anti-pirate-card reasons they change it sometimes (a so-called "Electronic Counter Measure" - ECM). The official Eurocrypt cards contain 8 keys for each channel. When the TV company wants to make it difficult for pirate card users, they send a message via the satellite which is received by all original cards. This message tells the smartcard to change one of the eight keys to something else. Because not all subscribers have their cards inserted and decoders turned on at the same time, this message is repeated for about a month. Then, when the update message has been broadcast long enough to be certain that 99.9% of all subscribers have received it, they send another message telling the original cards to switch to the new key. All of these messages are encrypted with the MANAGEMENT ENCRYPTION KEY, because if they were sent in the clear, everyone would know what the new key was.

- Why don't pirate cards understand the code-change message?

Since ordinary pirate cards cannot understand the key update message, they must be updated manually by the user. The update codes are generated by someone who knows a MANAGEMENT ENCRYPTION KEY. With the update code, the user can either reprogram the PIC pirate card in his PIC programmer, or he can enter a 28-digit update code using his remote control. However, some pirate cards do understand the key-change messages and update themselves just like genuine cards. Those are called auto-updating pirate cards. The difference between auto-updating cards and regular cards is that auto-updating cards contain a MANAGEMENT ENCRYPTION KEY. The TV companies would really like to know which management keys are known to hackers, because then they could stop using them. Therefore, hackers don't want to put the management key inside a low-security smartcard where it can easily be read out. PIC smartcards offer little security, and if a hacker made a self-updating card based on a PIC, the TV channels could buy such a card and find out which management key is inside. Then they could replace the cards that use this management key, and never use it again.

- Why can't the TV channel just change all the management keys all the time?

Well - there are a few different management keys in use on different genuine cards. If they stop using a management key that is used on 4000 cards, they have to replace those cards with other cards, because the management keys cannot be changed by sending a message via the satellite. So you see, they would have to replace all the cards to be certain that all management keys are unknown to hackers!

- How do hackers find out what the management key is?

Because the encryption method used (DES 56-bit) has only 72057594037930000 combinations, it is possible to count through all the combinations and see which one works - a so-called "brute force" attack. On a single PC this would take a hundred years, but if 1000 people with PCs join the search, splitting up the key space between them, it is possible to start finding keys within months. There are different projects like this, for example The Keyblitz Project, which hunts for keys for the Eurocrypt channels - currently Canal+. Also, some people have access to supercomputers at universities and large companies. And there are special DES-cracking machines (costing 250000 USD) that can crack the code in a week.

- Why are update codes available so quickly?

Because the hacker with the management key can decrypt the update message, and therefore see the new key in clear text. This means that the hacker knows the new code BEFORE it is taken into use! But he would be stupid if he told people the new key before it is taken into use. Why? Because it would be possible for the TV channel to send out a DUMMY update message, encrypted with that management key, which they would never use. Then, when they see on the Internet that someone has decoded it, they know that it is this management key that is known, and then they kill it.
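To make the key hierarchy from chapters 5 and 7 and from this answer concrete, here is an added simulation (not code from this page or from any real Eurocrypt system) of the broadcaster's side: operational keys are rotated under several management keys, a card that lacks the right management key cannot follow the rotation, and a dummy update sent under a single management key acts as a canary that pins down a leaked key so it can be killed. The cipher is a SHA-256 keystream standing in for DES, and every key is a random, constructed value.

```python
import hashlib
import os

KEY_LEN, N_SLOTS = 7, 8   # 56-bit operational key; eight key slots per channel, as on the page

def wrap_key(mgmt_key: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR with a SHA-256 keystream: a stand-in for DES, and symmetric, so it also unwraps."""
    stream = hashlib.sha256(mgmt_key + nonce).digest()
    return bytes(a ^ b for a, b in zip(key, stream))

class Broadcaster:
    """Holds every management key; each genuine card is provisioned with just one of them."""
    def __init__(self, n_mgmt: int):
        self.mgmt = {i: os.urandom(KEY_LEN) for i in range(n_mgmt)}
        self.retired = set()
        self.canaries = {}   # dummy key -> index of the management key it was sent under

    def _emm(self, idx: int, slot: int, key: bytes) -> dict:
        nonce = os.urandom(8)
        return {"mgmt": idx, "slot": slot, "nonce": nonce,
                "wrapped": wrap_key(self.mgmt[idx], key, nonce)}

    def rotate(self, slot: int, new_key: bytes) -> list:
        """Real update: the new key wrapped under every still-trusted management key."""
        return [self._emm(i, slot, new_key) for i in self.mgmt if i not in self.retired]

    def canary(self, idx: int, slot: int) -> list:
        """Dummy update under ONE management key; it never goes live, so publication proves a leak."""
        dummy = os.urandom(KEY_LEN)
        self.canaries[dummy] = idx
        return [self._emm(idx, slot, dummy)]

    def observe_published(self, key: bytes):
        """Detection: a published 'update code' equal to a canary pins down the compromised key."""
        idx = self.canaries.get(key)
        if idx is not None:
            self.retired.add(idx)   # "kill" it: never used again, cards holding it get replaced
        return idx

class Card:
    """A genuine card: one management key and eight operational key slots."""
    def __init__(self, mgmt_idx: int, mgmt_key: bytes):
        self.mgmt_idx, self.mgmt_key = mgmt_idx, mgmt_key
        self.slots = [None] * N_SLOTS

    def process(self, emms: list) -> bool:
        for e in emms:
            if e["mgmt"] == self.mgmt_idx:
                self.slots[e["slot"]] = wrap_key(self.mgmt_key, e["wrapped"], e["nonce"])
                return True
        return False   # nothing addressed to our management key: the rotation cannot be followed

def scenario() -> dict:
    """Constructed run: one real rotation, then a canary that gets 'published'."""
    bc = Broadcaster(4)
    genuine, lookalike = Card(1, bc.mgmt[1]), Card(1, b"\x00" * KEY_LEN)  # lookalike has no real man key
    live = os.urandom(KEY_LEN)
    emms = bc.rotate(3, live)
    genuine.process(emms)
    lookalike.process(emms)                  # unwraps to garbage: the channel "falls out" for it
    holder = Card(2, bc.mgmt[2])
    holder.process(bc.canary(2, 5))
    killed = bc.observe_published(holder.slots[5])   # the dummy key turns up as a public "update code"
    return {"genuine_ok": genuine.slots[3] == live, "lookalike_ok": lookalike.slots[3] == live,
            "killed": killed, "emms_after_kill": len(bc.rotate(3, live))}
```

Note that after the kill the next rotation carries one wrapped copy fewer: the retired management key is simply never addressed again, which is why the page says those cards must be physically replaced.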

 

Most pirate cards use the "change secret code" function of the Eurocrypt decoder to update the key. This lets the user enter seven 4-digit codes to update the pirate card when the encryption key has changed. NORDIC and MULTIMAC2 support remote updating, which saves the user the trouble of reprogramming the card with a PIC programmer.

OK, let's get down to business!

What you need

  1. A card of the same size as the original card (the size is specified in the ISO-7816 standard), with a built-in programmable computer. Can be bought here. Cards containing PIC computers are the most common. COP cards have also been common.
  2. A Eurocrypt-emulating program for that computer (also called a HEX file). Can be downloaded here. The HEX file represents the full contents of the PIC computer - both the program and the encryption key information. MM2 cards are two-chip cards, so here two HEX files are needed - one for the PIC16F84 and one for the 24LC16.
  3. A programmer for the card, so you can program the HEX file into the card. Can be bought from the company that sells the cards.

How do I know which HEX file goes where?

HEX files are often distributed with cryptic names, such as MM303RB7.H08 or 400_EES.EEP. Experienced hackers immediately know what these mean. When you've read this, you will also know.

HEX - This file ending is obvious. Sometimes the files end with H08 or H16 instead, which also indicates which dialect of the HEX format was used - 8-bit (which is really 16-bit) or 16-bit (which is really 32-bit). 8-bit is the most common. Hint: if your PIC programming utility doesn't find the file when it is named .H08, rename it so that it ends in .HEX instead.

EE somewhere in the file name, indicates that this file is the one that goes in the "EEPROM" chip, i.e. the 2416 chip of a MM2 card.

RB7 or 7 somewhere in the file name indicates that this is the HEX file for the PIC chip if it is connected to RB7 (as you will learn below, the PIC on a card can be wired to either RB7 or RB6; RB7 is by far the most common!).

RB6 or 6 somewhere in the file name, indicates that this is the HEX file for the PIC chip if it's connected to RB6. If your PIC uses RB7, you don't need this file.

ECM or M indicates Eurocrypt-M. Note! M might alternatively mean MASTER CHIP if the HEX files are for a double-PIC card.

ECS or S indicates Eurocrypt-S. Note! If you're looking at HEX files for a double-PIC card, S might alternatively stand for SLAVE CHIP.

AU indicates autoswitching between M and S. Note! It might also stand for AUTOUPDATING. Let the context decide the meaning.
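The HEX files named above are Intel HEX text, one record per line. As an added example (not code from this page or from any PIC programming utility), here is a small reader for that format: it checks each record's checksum, rebuilds the byte image, decodes PIC16F84 14-bit words from the INHX8M ("8-bit") dialect, where each word occupies two bytes, low byte first, at twice the word address, and extracts the configuration word that holds the fuses. The configuration word bit layout follows the PIC16F84 datasheet; the sample records are constructed, not a real card image.

```python
import re

# One Intel HEX record: ':' LL AAAA TT DD..DD CC (all hex digits)
_RECORD = re.compile(r"^:([0-9A-Fa-f]{2})([0-9A-Fa-f]{4})([0-9A-Fa-f]{2})([0-9A-Fa-f]*)([0-9A-Fa-f]{2})$")
CONFIG_WORD_ADDR = 0x2007   # PIC16F84 configuration word (the "fuses", e.g. the power-up timer)

def parse_record(line: str) -> tuple:
    """Return (address, record_type, data) for one record, or raise ValueError if it is malformed."""
    m = _RECORD.match(line.strip())
    if not m:
        raise ValueError(f"not an Intel HEX record: {line!r}")
    length, addr, rtype = int(m[1], 16), int(m[2], 16), int(m[3], 16)
    data, cksum = bytes.fromhex(m[4]), int(m[5], 16)
    if len(data) != length:
        raise ValueError("length field does not match data")
    # The checksum makes all bytes of a record (length, address, type, data, checksum) sum to 0 mod 256.
    if (length + (addr >> 8) + (addr & 0xFF) + rtype + sum(data) + cksum) & 0xFF:
        raise ValueError(f"bad checksum in record {line.strip()}")
    return addr, rtype, data

def load_hex(text: str) -> dict:
    """Map byte address -> byte for all data records; also handles INHX32 extended-address records."""
    mem, base, eof = {}, 0, False
    for line in text.split():               # records contain no whitespace, so this skips blank lines
        addr, rtype, data = parse_record(line)
        if rtype == 0x00:                   # data record
            for i, b in enumerate(data):
                mem[base + addr + i] = b
        elif rtype == 0x01:                 # end of file
            eof = True
            break
        elif rtype == 0x02:                 # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                 # extended linear address
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"unsupported record type {rtype:#04x}")
    if not eof:
        raise ValueError("missing end-of-file record")
    return mem

def pic_words(mem: dict) -> dict:
    """INHX8M view: each 14-bit PIC word is two bytes, low byte first, at byte address 2 * word address."""
    words = {}
    for baddr in sorted(mem):
        if baddr % 2 == 0 and baddr + 1 in mem:
            words[baddr // 2] = mem[baddr] | (mem[baddr + 1] << 8)
    return words

def config_bits(words: dict):
    """Split the configuration word into its fields (bit layout from the PIC16F84 datasheet)."""
    cfg = words.get(CONFIG_WORD_ADDR)
    if cfg is None:
        return None
    # The page notes the power-up timer bit is inverted between 16C84 and 16F84, so report the raw bit.
    return {"FOSC": cfg & 0b11, "WDTE": (cfg >> 2) & 1, "PWRTE": (cfg >> 3) & 1, "CP": (cfg >> 4) & 0x3FF}

# Constructed sample, not a real card image: three words at 0x0000 and a configuration word at 0x2007.
SAMPLE_HEX = """\
:0600000005280000013E8E
:02400E00F13F80
:00000001FF
"""
```

Running `config_bits(pic_words(load_hex(SAMPLE_HEX)))` on the sample yields PWRTE = 0 and the code-protect field all ones; a record with a corrupted digit is rejected by the checksum rather than silently programmed.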

The following things vary between different types of PIC1684 cards:

A. Hardware type

* One PIC1684 with the I/O pad (C7) wired to RB7 (this is the most common type of single-PIC1684 card). Example: the classic wafer card.

* Two PIC1684. The first chip is called MASTER and the second SLAVE. I/O on RB6. This "twin-PIC" card allowed for larger (thereby better?) software, but nowadays the program is optimized (smaller) and this card type is seldom used.

* One PIC1684 with the I/O pad (C7) wired to RB6 - this single-PIC1684 card is usually made from a PCB for a double-PIC card, but with only the left PIC chip fitted. (Since the I/O is wired to RB6 instead, you need the RB6 version of NORDIC or whatever software you use.)

* One PIC1684 and one 2416 extra memory chip (also called a "Multimac2-card") with the 2416 connected to the pads C4 and C8. PIC wired to RB7. (Named after the software Multimac 2, originally by Michael Stegen.) Because of the way C4 and C8 are connected, these pads need to be sealed with tape after the chips on the card have been programmed, if the card is to be used in a Pace 500/1000, Philips STU or Amstrad. Example: the Lithium wafer card or Galaxy-1 card (production has stopped, use the Gold card instead!).

* One PIC1684 and one 2416 extra memory chip (also called "Multimac2-card") with the 2416 just connected to the PIC, not to the pads. PIC wired to RB7. (This connection requires that the programmer is capable of "through-PIC programming"). Unlike the above card, this version of the Multimac2-card doesn't require C4 and C8 to be sealed. Example: Gold card or Galaxy-2 card.

* Two PIC1684 and two 2416 (also called "Quadra Card"). PIC wired to RB6. This card is very uncommon, since cards don't need this much program memory. It is the data memory (2416) which is important.

B. The look

The card can be either

* a soldered card (a printed circuit board with the chip(s) soldered on).

* a "wafer" card (meaning it's a "real smartcard" in plastic and with the computer molded-in inside). The only PIC1684 cards which exist as wafer cards, are single-PIC RB7 cards and Multimac2-cards. Some decoders have a lid in front of the smartcard slot. You can't close this lid unless the card is a wafer type card.

C. The version of the PIC computer - PIC16C84 or PIC16F84 ?

* 16C84 is the old version - production was phased out in 1998, and this PIC is now incompatible with the latest Nordic.

* 16F84 or 16F84A are the new versions - fully backwards compatible, except that the "power up timer" fuse has to be reversed when the card is programmed in the PIC programmer. The 16F84 has a slightly bigger memory, but so far no HEX files are 16F84-optimized so that these extra 32 bytes can be utilized. No special programmer, PCB or HEX files are required.

 

Things to consider when you buy a programmer for PIC1684 cards:

Compatibility

Development of PIC programmers over the years:

Generation 1 - NO SMARTCARD SOCKET! Did not have a smartcard slot. Therefore it could only program soldered cards, where the IC chip had to be removed and put in a socket on the programmer whenever the card was going to be reprogrammed.

Generation 2 - NO SWITCH! Had a smartcard slot but no switch, so only single-PIC cards with RB7 could be programmed.

Generation 3 - ADDED COMPATIBILITY FOR TWO-CHIP CARDS! Had a smartcard slot and a switch between MASTER and SLAVE, so only double-PIC cards and single-PIC cards with RB6 could be programmed. The first AD-Teknik programmer, for example.

Generation 4 - ADDED COMPATIBILITY FOR BOTH SINGLE AND DOUBLE CHIP CARDS! Had a smartcard slot and a switch to select either RB6 or RB7, so all single-PIC and double-PIC cards can be programmed.

Generation 5 - ADDED COMPATIBILITY FOR "EEPROM" CARDS! Same as above, but with an IC slot for 2416 chips, so that Multimac2-cards with a removable 2416 chip can be programmed. Programmer III, for example.

Generation 6 - FULL COMPATIBILITY! Same as above, but can program the 2416 via the smartcard slot, which means that all Multimac2-cards with standard connections (even wafers and others where the 2416 can't be removed) can be programmed. Programmer IV, for example, which is the best-selling programmer in Scandinavia!

Generation 7 - MICROPROCESSOR-CONTROLLED! Same as above, but with automatic through-PIC programming, so that Multimac2-cards with non-standard connections can also be programmed. Keymaster, Microprog or Multiprogrammeraren, for example.

Up to generation 7, the same freeware programming utilities (PIP-02, PIX, PIC24C etc) have been used for all programmers. Microprocessor-controlled programmers come with a specially made Windows utility.

(The "programming utility" is the PC program for the PIC programmer that lets you load the HEX file(s) of your choice into the program and then program them into the chip(s) on the smartcard.)

Is it legal? Yes, as long as you don't do it with a commercial interest. For more legal info, read here.

Carefully selected links:

DIMICO ONLINE - online ordering of the cheapest programmers & smartcards in Scandinavia

European Pirate TV card alphabetical word-list - read this encyclopaedia if you want to know what a word means

Published by Doctor Elvis who has this as a hobby. This page does not contain ads and is not commercial in any way.