***  The Videocrypt System ***

    An Overview

    Researched and written by Darren Ingram, author of Satnews

    - Satnews.. the latest and non-Commercial satellite news -


    Version 1.31 - 06.05.91


    Introduction

    Videocrypt is a pay-tv scrambling system jointly developed by
    Thomson Consumer Electronics and News Datacom.  Over one million
    users receive Videocrypt encrypted signals and this system has, to
    date, remained secure from illicit decoder manufacturers, protecting
    the revenue of Videocrypted television channels.

    Requirements

    Videocrypt  is a multi-standard encryption system which is  suitable
    for  PAL, NTSC and SECAM transmissions.  Language is no barrier  for
    Videocrypt  with  its capacity for multi-lingual  transmissions  and
    broadcasts utilising a comprehensive on-screen instruction menu.

    Features and applications

    A smart card is the central key to the Videocrypt system, and the
    card can be used for a variety of diverse applications.  The card
    is pre-coded to determine a user's requirements and it can
    subsequently be addressed utilising the decoder's logic to amend the
    user's services at the broadcaster's will.

    There are a number of broadcasting modes which the smart card can be
    used within including:

    Clear Mode
    Signals sent in the clear are recognised by the decoder and
    passed to the display without further processing.

    Free Access
    Pictures transmitted with an encryption key are delivered
    directly to the display through the decoder.

    Controlled Access
    Access to encrypted pictures is determined by the level
    of access authorised to the user's smart card.  No signals
    will be transmitted in an unencrypted state without prior
    authorisation.

    Programmes can be tailored to usage with the Videocrypt system and
    the system offers flexibility to pay-tv operators.  There are a
    number of operating modes offered as standard, including:

    * Single or multiple subscriptions with many tier levels in one
    channel

    * Pay Per View (PPV) and impulse purchasing

    * Thematic selection (enable all arts programming)

    * Geographic limitation (restrict to a country/area)

    * Single-event (throwaway cards)

    * Parental Control (reception with card only)

    * Pre-determined time period

    Videocrypt  enables  smart cards to be pre-programmed  to  suit  the
    specific programming requirements.

    Smart card - providing the revenue security

    Security  can be addressed on a multitude of levels when  using  the
    smart card.  These include:

    Chaining

    An existing customer would receive a new card which contains part of
    the new code; the remainder of the code would be transmitted when
    the card is inserted into the decoder and the subscriber complies
    with the instructions contained within the on-screen graphics.

    Over-the-air addressing

    Systems operators can now address individual subscribers, which is a
    vast  improvement over other scrambling systems.  The  operator  can
    provide  additional  services,  reduce  service  entitlements,  send
    individual messages, blacklist and/or whitelist viewers.

    Cloning

    A  number of steps have been taken to stop smart cards being  copied
    or cloned.   A physical deterrent is the first line of defence,  and
    the  integrated  circuit contained within the card  makes  "probing"
    very difficult as the IC is likely to become damaged in the process.

    Cost  is a second factor which is likely to deter  manufacturers  of
    illegal  decoders.    A  considerable amount of  time,  trouble  and
    expensive resources would be required to clone the card.

    The  manufacturers  of Videocrypt recommend that the cards  are  re-
    placed  every six months, and each time this is done a  "secret  en-
    crypting  algorithm" will be changed.  Any pirate decoders  manufac-
    tured during this time would be relatively useless.

    And  should  a  pirate decoder be manufactured, it  will  contain  a
    unique  security  code, which could be blacklisted  by  the  systems
    operator  once  the code has been discovered - leading to  calls  of
    complaint by angry customers.

    Video taping

    Videocrypt offers a simple method of tracking down pirates who
    video high-value programming and then distribute it.

    The customer's unique number can be displayed on the unencoded screen
    for  reference  and future litigation.   Although  an  on-the-screen
    code  can  be generated for signals piracy in a  public  place,  the
    codes  can be hidden in the picture - and retrieved by a  technician
    at a later stage.

    Videocrypt-your flexible friend?

    Videocrypt  can  be used in a number of applications other  than  tv
    signals protection.  They include:

    Messaging, messages can be transmitted to individual subscribers  or
    to a group, so target messaging is now a potential.  Messages  like:
    "Satellite  owners in LONDON call 081 XXX XXXX now for a great  bar-
    gain".

    Selling, sales over the air can be utilised with the unique identity
    number which verifies an owner and their registered address.    Data
    can be matrixed with a user personality during ad-breaks to  tailor-
    make the advertisement.

    A unique transaction alphanumeric can be displayed on the TV screen,
    and  the  subscriber  will telephone a given number  and  quote  the
    alphanumeric - and the deal can then be completed in total security.

    Scrambling

    The  majority  of  scrambling systems currently on  the  market  are
    dependent on analogue processing circuitry, and it is a hard task to
    get a secure system without picture deterioration.

    Videocrypt can encode and decode a picture without degradation.

    The crux of the scrambling system revolves around a patented
    development of Active Line Rotation (Cut and Rotate principle).

    Every line of the signal is cut at a number of points along its
    length, and this is chosen at random by a 60 bit pseudo random
    binary sequence generator (PRBS).  As each cut point differs from
    the next the signal has no viewing value to an unauthorised
    recipient, but authorised recipients' decoders recode the picture so
    that the true state of the unscrambled line is always first out for
    display.

    The  PRBS is re-seeded at times too, to enhance the security of  the
    system even more.

    Before this ALR process can take place, the decoder needs to be
    aware of the cut point on each of the transmitted lines; this is
    provided within the encryption process.  Each decoder utilises a
    PRBS which reflects the characteristics of the system so that the
    two halves can be synchronised and a viewable picture displayed.
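
    The cut-and-rotate process described above, with encoder and decoder
    kept in step by a shared PRBS seed and periodic re-seeding, as an
    added example (not part of the original text and not the Videocrypt
    designers' code).  The tap positions, the byte-to-cut-point mapping,
    the 16-sample line width, the seeds and the re-seed schedule are all
    assumptions made for illustration.

```python
# Cut-and-rotate (ALR) line scrambling driven by a shared 60-bit PRBS.
# Assumed, not given on the page: tap positions, cut-point mapping, seeds.

MASK60 = (1 << 60) - 1
TAPS = (59, 58)  # assumed feedback taps, not the real system's polynomial


class Prbs60:
    """60-bit Fibonacci LFSR standing in for the PRBS generator."""

    def __init__(self, seed):
        self.state = seed & MASK60
        if self.state == 0:
            raise ValueError("an all-zero seed locks the register at zero")

    def next_bit(self):
        fb = 0
        for tap in TAPS:
            fb ^= (self.state >> tap) & 1
        self.state = ((self.state << 1) | fb) & MASK60
        return fb

    def next_byte(self):
        value = 0
        for _ in range(8):
            value = (value << 1) | self.next_bit()
        return value


def cut_point(prbs, width):
    """Map one PRBS byte to a cut position 1..width-1 (assumed mapping)."""
    if width < 2:
        raise ValueError("a line needs at least two samples to be cut")
    return 1 + prbs.next_byte() % (width - 1)


def rotate(line, k):
    """Cut the line at sample k and swap the two segments."""
    return line[k:] + line[:k]


def process(frame, reseeds, decode=False):
    """Scramble or descramble a frame using one cut point per line.

    reseeds maps a line index to a fresh PRBS seed (index 0 is required);
    encoder and decoder stay in step by applying the same schedule.
    """
    if 0 not in reseeds:
        raise ValueError("the first line needs a seed")
    out, prbs = [], None
    for i, line in enumerate(frame):
        if i in reseeds:
            prbs = Prbs60(reseeds[i])
        cut = cut_point(prbs, len(line))
        # Decoding rotates by the complement so the true line start is first.
        out.append(rotate(line, len(line) - cut if decode else cut))
    return out


if __name__ == "__main__":
    # Constructed test picture: 8 identical lines, each a 16-sample ramp.
    frame = [list(range(16)) for _ in range(8)]
    schedule = {0: 0x123456789ABCDEF, 4: 0x0FEDCBA98765432}
    scrambled = process(frame, schedule)
    for line in scrambled:
        print(" ".join(f"{s:2d}" for s in line))
    print("right seeds restore:", process(scrambled, schedule, True) == frame)
    wrong = {0: 0xA5A5A5A5A5A5A5A}
    print("wrong seed restores:", process(scrambled, wrong, True) == frame)
```

    Rotation only moves samples and never alters them, which is
    consistent with the statement above that a picture can be encoded
    and decoded without degradation.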

    Data is transmitted in a series of over-the-air packets, which look
    like:

    SYSTEM-----SMART or BLACKLIST

    The system packet comprises system data including Fiat-Shamir
    identification information, on-screen display messages,
    fingerprinting and blacklisting data.

    The smart card packet comprises:

    HEADER-----ENCRYPTED DATA-----CHECKSUM

    The Videocrypt encryption system is based around a tightly-guarded
    secret which has defeated system hackers throughout the world.  A
    final control algorithm is central to the system's security and this
    can be changed at will if the system has been hacked.

    Complex calculations are performed within the system in order not to
    compromise its security.

    But  hackers who have attempted to hack the decoder will  be  disap-
    pointed - as there are no secrets held within the system.

    Smart Cards
    The smart card offers great flexibility to the programme  controller
    and the viewer alike, and is the key to the Videocrypt system.

    The  Integrated circuits incorporated within the smart card  have  a
    lot  of power and contain EPROM elements which are partially  burned
    during their manufacture.   The ICs are buried within the design  to
    make the system harder to penetrate.

    Smart card block diagram


                  -------     -------     -------
    VCC  ->       - RAM -     - ROM -     -EPROM-
                  -------     -------     -------
                     ^           ^           ^
                            TO AND FROM
                  -------------------------------
    GND  ->       -        INTERNAL BUS         -
                  -------------------------------
                            TO AND FROM
                  -------     -------     -------
                  -8 BIT-     -ANTI -     -S/WRE-
    RST  ->       -CPU  -     -FRAUD-     -CNTRL-
                  -     -     -DVCES-     -I/FCE-
                  -------     -------     -------

                    CLK         VPP         I/O

    Over the air addressing

    Algorithmic  information is transmitted to the viewer over the  air,
    encrypted within the Videocrypt system.

    This data is transmitted within the Vertical Blanking Interval (VBI)
    and  four  lines are employed for active data and  two  others,  one
    white and one black (for test purposes).

    An application of Non Return To Zero (NRZ) with a constant energy
    spectrum maximises the system's characteristics.

    Four picture-sustaining techniques are used to ensure a high quality
    picture.  Bit interleaving, hamming codes, quadruple repetition  and
    check sums are used within the process.

    The  system  can  cope with fringe reception areas  and  will  still
    function correctly with high levels of noise.

    Picture quality

    Picture quality is paramount for any scrambling system and due to
    the standard being of a digital origin, integrity of the signal is
    maintained throughout the encryption and de-encryption process.
    Amplitude sampling is conducted by the decoder and a 14MHz internal
    clock ensures jitter-free pictures and stable framing.  A
    digitally derived Automatic Gain Control (AGC) is also included
    within the receiver.

    Scrambling Sound

    Videocrypt  also has the capability of encrypting sound  sources  to
    enhance  the  security  of premium events.  To date  this  level  of
    security has not been utilised by broadcasters.

    The system of spectrum inversion renders the sounds received without
    authorisation worthless.  Videocrypt transposes the frequencies
    transmitted and this in turn removes distortion of the sound.

    Technical Data
    (supplied by Thomson Consumer Electronics, 1991- subject to change)

    VIDEOCRYPT BASEBAND DECODER
    * Stand alone video decoder
    * On screen display
    * De emphasis switch
    * Authorise button
    * Integrated smart card reader
    * Power indicator

    PAL MODEL
    Video input level             1V +/- 3dB flat and clamped
    Baseband input level          250 mV +/- 3dB, unclamped level
                                  measured at pre-emphasised transition
                                  frequency
    Suitable de-emphasis          CCIR 405-1
    Video output level            1V p.p. into 75 ohms
    Video bandwidth               50Hz - 4.8 MHz -3dB typical
    Line tilt                     <= 1% typical
    Luma/Chroma Delay             +/- 50nS typical
    S/N ratio                     50dB typical weighted

    CONNECTIONS
    AV Peritel (Scart)
    Audio loopthrough             Left and right
    Pin 8                         High with scrambled video input
                                  Low with clear video input
    Pin 16                        5v 50mA maximum for external
                                  modulator (OPTION)

    MISCELLANEOUS
    Standards                     Designed to IEC 65
    Operating Temperature Range   5-40 C
    Mains Input                   216-255 V AC 50 Hz
    Power Consumption             15W
    Weight                        2.5Kg

    VIDEOCRYPT ENCODER (PAL/SECAM/NTSC)
    * 19" rack mounting
    * Active line cut and rotate
    * Twin or single scrambler
    * Separate power supply
    * Integrated cooling unit
    * Data for control access in the VBI
    * RS232 interface

    Video input level             1V 75 ohm
    Video output level            1V peak to peak +/- 2% 75 ohm
    Line tilt                     0.5% typical
    Base line distortion          0.5% typical
    Chrominance to luminance      3% typical
    2T/Bar ratio                  2% typical
    Synchro level                 1% typical
    S/N ratio RMS weighted        >= 67dB
    Chrominance luminance:
      intermodulation             <= 2%
      differential gain           1% typical
      differential phase          1" typical
      luminance non-linearity     1% typical
      chrominance/luminance delay +/- 10nS typical
      video bandwidth at 3dB      >= 5.8 MHz
    Output DC level               300 mV +/- 50 mV
    Sampling frequency rejection  >- 50dB at 14 MHz
    Number of bits per sample     10

    CONNECTIONS
    Connections to security comp  RS232
    Local VT100 terminal          ditto
    Video in                      BNC 75 ohm
    Scrambled video out           BNC 75 ohm

    MISC
    Local terminal functions are to
      show working parameters
      give warnings
      control
        local
        remote
        autonomous
      select scrambling mode
        clear
        free access
        control access

    Mains input low pass filtering
    Audio scrambling using spectrum inversion 0dB/600 ohm (optional)

    ENDS


               **** Sky card hacking info 26/06/1993 ***




    When  the  VideoCrypt  system was  launched,  the  press  releases
    claimed that it was the most pirateproof system yet devised.  Some
    of the people involved in the design of the system claimed that it
    would  take  billions  of years to break the  codes  used  by  the
    system.  The usual media journalists swallowed this hook, line and
    sinker. The hackers knew otherwise.

    The  VideoCrypt  system  is the mainstay of  the  BSkyB  satellite
    television empire. It is the means by which BSkyB makes its  money
    from  the  subscribers.  The  basic theory  is  that  they  pay  a
    subscription  for  the premium channels and they receive  a  smart
    card.  This smart card, when inserted into the VideoCrypt  decoder
    will allow the decoder to descramble the channels paid for. It  is
    also possible for BSkyB to turn off the cards of those subscribers
    who have not paid.

    Hacking  scrambling systems such as VideoCrypt is a  multi-million
    pound industry. Due to the present legal situation it is perfectly
    legal  to hack a channel that originates outside the  UK.  However
    for someone in the UK to hack a UK originated channel is  illegal.
    Such mere facts as illegality have never bothered pirates.

    In the last few weeks the impossible has happened. The  VideoCrypt
    system  has  been  conclusively  hacked. It  is  now  possible  to
    purchase  a pirate smart card or chip which will allow the  viewer
    to  descramble Sky Movies Plus, The Movie Channel, Sky  Gold,  Sky
    Sports and TV Asia. The cost of this pirate card is £99. The price
    in itself is lower than the subscription for the channels.

    Other channels using the VideoCrypt system are worried. According
    to  the  latest  reports, The Adult Channel  and  JSTV  have  been
    compromised as well. This means that all of the channels currently
    using  the VideoCrypt system as a fee gathering system  have  just
    lost control of the market. It is now, well for the moment anyway,
    a pirate's market.

    This  hack is, like all hacks, colourfully named. It is  known  as
    the "Ho Lee Fook" hack. The joke being that this is generally  the
    exclamation uttered by people when told of the hack. There are two
    forms of the hack; a card and a chip.

    The  card version of the hack is about sixteen millimetres  longer
    than  the  official BSkyB card. Essentially it is  a  single  chip
    mounted  on a printed circuit board that plugs directly  into  the
    VideoCrypt  decoder's card socket. This is the more  user-friendly
    version as it does not require any modification to the decoder.

    The  chip version does require some modification to  the  decoder.
    The  official VideoCrypt name for the chip in the decoder is  "The
    Verifier".  This  chip  has to be removed and  replaced  with  the
    pirate  chip. The decoder will then decode the scrambled  channels
    without the need for the BSkyB smart card.

    The  pirate cards and the chips are on sale. It is  believed  that
    a number of them are already in the UK. Indeed I received one,  in
    a brown paper envelope, on June the eighth. It is still working.

    The problem for BSkyB and other users of the VideoCrypt system  is
    not  one of containment. Things have progressed too far for  that.
    The problem is more serious. Unless they can come up with a  quick
    fix for the system that will render the Ho Lee Fook hack inactive,
    they have to replace the smart cards.

    BSkyB  initially set out to replace their smart cards every  three
    months.  This continual update was, so the theory went,  meant  to
    deter hackers from trying to hack the system. Fiscal reality has a
    crushing  effect on such business school theories.

    VideoCrypt   suffered  its  first  real  disaster   when   someone
    discovered  that by limiting the programming voltage to the  card,
    it was possible to stop the card being switched off. This hack was
    known  as the "Infinite Lives" hack. It was an old  computer  term
    for  a  modification  to  a games program  that  gave  the  player
    unlimited  lives.  Since  BSkyB could not turn off  the  cards  it
    seemed an apt name. This hack was followed by a new issue or batch
    of cards. The "Infinite Lives" hack did not work on the new  cards
    but a new hack did.

    The KENtucky Fried Chip upped the ante. It was the first time that
    the  actual  internal  operation of  the  VideoCrypt  decoder  was
    interfered  with.  It  was a rewritten "Verifier"  chip  that  was
    programmed to stop the cards being turned off. It did not work  at
    full efficiency so it was not marketed by the pirates. After  this
    hack,  BSkyB issued a new batch of cards which was more  resilient
    to this hack.

    The  current  card  issue is issue 07. The Ho  Lee  Fook  hack  is
    working  on  this batch. If BSkyB introduce issue 08  cards,  then
    there  is  the possibility of the hack ceasing to  work.  At  this
    stage  there is the terrible spectre of the hack being updated  to
    work  with  the  08  cards.  It is  the  thing  of  which  BSkyB's
    nightmares are made.

    The issue of new card batches occurs mainly in Spring or Autumn. A
    Summer launch of the new 08 cards would be unusual. As  VideoCrypt
    will  be  going to a tiered channel structure in  the  Autumn,  it
    would  seem  that they have planned an Autumn update. The  Ho  Lee
    Fook  hack  may force them to bring their plans  forward  by  some
    three months or so.

    The  confidence  in  a system is not based on how  well  a  system
    repels hacks but rather on how well a system recovers from  hacks.
    This  will be a true test of the VideoCrypt system and  its  smart
    card  based philosophy. The philosophy is that of  the  detachable
    secure controller. Basically what this means is that if the system
    is  hacked then all that needs to be done to stop the hack  is  to
    issue a new card.

    The effect on the confidence of present and prospective users  of
    VideoCrypt is more difficult to gauge. The smart card is the  core
    of  the  VideoCrypt system. Seeing it replaced by a  pirate  smart
    card contradicts every claim made in favour of VideoCrypt. It  was
    not  supposed to be possible. One thing is certain, channels  will
    now have to look at a scrambling system as only being a  temporary
    form  of protection that has to be frequently updated. Failure  to
    do so will be fatal.

    John McCormac
    Author of "European Scrambling Systems 3" ISBN 1-873556-02-0
    Editor of Hack Watch News.

                               *** Latest ***


    There is no such thing as coincidence - or is there? On the day that
    the film "Sneakers" was released on video, I received an actual working
    hack for the scrambled Sky channels. The film "Sneakers" is about
    events surrounding a piece of equipment that can hack any cryptosystem.
    The piece of equipment that I received is essentially a chip that can
    hack the Sky VideoCrypt channels.
    This latest hack on the VideoCrypt system has been labelled the "Ho
    Lee Fook" hack. The reason for this name is more to do with people's
    reaction to the hack rather than its origin, which incidentally is
    Central Europe.
    This is perhaps the most dangerous hack to have occurred on VideoCrypt
    - it replaces the smart card. In effect it is a new smart card that
    gives access to all the Sky channels. Of course the problem for Sky is
    that it is not a genuine Sky card.

    The card is approximately sixteen millimetres longer than the official
    Sky card. It is a blue printed circuit with a single surface mount
    chip, and five connector pads. The identification numbers on the chip
    have been scrubbed.
    The standard check for a card of this nature is to look for a wafer
    from an official smart card. In the early days, a fairly common scam
    was to take the chip and connector pad from a valid Sky card, trim away
    the plastic and then put the chip in a DIL header. The DIL header would
    then be blobbed in a lump of black resin so that it looked like an IC.
    The decoder would then have its card reader replaced with an ordinary
    DIL IC socket. Then the decoder and chip would be shown or sold to some
    unsuspecting, if greedy, punter.
    The chip appeared to be real, with no wafer underneath the body of the
    chip. The actual stubs of the chip die were just visible at the end of
    the chip. It was a genuine chip.

    It has been working steadily for the last few days and there appear
    to have been no kill messages sent to it. If it had been a direct
    clone, Sky would have been able to kill it over the air - or would
    they?
    Since the people who developed this hack obviously understand the
    operation of the over the air addressing, they may well have designed a
    filter to stop the kill message from having any effect on the pirate
    card. There are of course more devastating implications here. The card
    itself may only contain the data and algorithms necessary to descramble
    the signals.
    The chip version of this hack is based on the 8752. This Ho Lee Fook
    chip will replace the official 8052 in the decoder. A selling price of
    ninety nine pounds has been mentioned in Germany.

    Nobody is sure what the people in News Datacom are doing about this
    hack. Sky are more than likely very upset that someone has hacked their
    pirateproof system yet again. This is the fifth hack and the image of a
    pirateproof system now only exists in the minds of PR people.



               *** -=Y_HS=- all (c)'s acknowledged ***