The glory days of satellite TV hacking

The glory days of satellite TV hacking

Back in 2002, my 15-year-old self was super excited that we finally got satellite TV installed at home. Since we lived in the middle of nowhere and there was nothing to do (and our overly strict parents wouldn’t let us play outside), satellite TV was awesome, even though our overly strict parents put a parental lock on the receiver so anything rated higher than PG was off limits. I guess you could say this was my first dive into hacking..

Getting the lock code

Guessing the 4-digit pin was going to take too long, and being a genius I looked for another way. Even if it would take longer, exposing a vulnerability is more satisfying than bruteforcing. Realizing the single point of vulnerability here is the infrared signal from the remote that my dad used to unlock the good stuff, I ended up setting up an old Compaq Armada 4120 laptop in the living room. I wired an infrared receiver diode to a 3.5mm cord and plugged it into the Mic input on the laptop, and hit record just before his show started. Being the only person in the household who knew anything about computers, my actions weren’t questioned as I was “probably making another dumb qbasic game”.

So I captured a mess of button presses, stopped the recording, and started converting the waveform – by hand on paper – into 1s and 0s. The next time I had the house to myself, I started another recording and pressed the buttons on the remote in sequence to learn what the digits 0 through 9 would look like. After a simple match game, I had the code. Now I can finally watch Family Guy!

Wait there’s more

Now that I had access to the entirety of our tiny programming package, I wanted to know what else I could get into. There are a LOT of pay-per-view channels, and some really interesting looking adult-only channels. We only had 56k dialup at this point so my exposure to on-screen nudity was severely limited, except for the few times I found my dads stash on the family computer (again, I was the only one in the house with a working knowledge of the Windows operating system, browser history was hardly thought of, and the Temporary Internet Files folder was always loaded with juicy thumbnails). Hey if you have a teenager who isn’t allowed to play outside, and you give him access to a computer, this is what you get. Of course now in 2018 every 6-year-old knows how to ‘hack’.

Anyway, I tried in vein for months to figure out how to get into the good stuff, and I was never able. It was like a puzzle that you try and try and can never solve. Like a boss fight in your favorite video game that you could never beat. The year was 2003, and I had heard through the grapevine that you could just buy a fake smartcard, and plug it into the receiver, and it would give you all the channels.

Iiiiiiinteresting. After much research I learned how the setup worked, and how the system works (step one in hacking something: learn how the system works).

How Satellite TV encryption worked in the 2000s

The provider (in this case, at the time, Bell Express Vu), broadcasts a wide array of MPEG2 streams, encrypted using an 8-byte codeword (calculated from a combination of instructions from the stream, the public keys, and the Maps hidden in the card, using a scheme called the Common Scrambling Algorithm). Every channel has its own codeword, and every codeword changes roughly every 20 seconds. Inside the receiver is an MPEG2 decoder chip that takes the stream of whatever channel you want to watch, mixes in the codeword, and sends the video out to your TV. The receivers operating system decides what part of the stream to send to the decoder chip, and is responsible for providing the codeword at the same time, as well as running other checks such as which channels you are allowed to view, and maintaining system information such as time, software updates, etc.

The satellite stream contains encrypted video, and the occasional control packet. Control packets contain instructions for the smart card, and some other information like time, and which channels you are allowed to view (called tiers, strings of numbers that represent channel permissions).

Tiers and getting free channels

Satellite TV is a one-way signal. The satellite has to broadcast everything, and because every single receiver receives the exact same signal, things have to get a little complicated. The provider knows the serial number of your receiver, and the serial number of your smart card. These are used to send encrypted account information to your receiver to tell it what channels you paid for, and for how long they will be valid. For example, every once in a while the provider will send a tier update downstream, like “receiver #11050929 tier 87645018734563416254626583415”. If it matches your receiver, your smartcard decodes the string of numbers and generates a message for the receiver like “you have the basic package and no pay-per-view channels were ordered, this will expire in 30 days”. Every month or so your receiver has to receive one of these messages or the channels will stop working. Thats why if you leave your receiver unplugged for too long, it can take up to a month to get your channels back (or you can call your provider and they will send a tier update for you, called ‘channel synchronization’). This is the basis for free TV. Intercept the command from the card and tell the receiver what channels you want.

The receiver sends instructions to the smartcard via a simple serial interface, (back then these commands were encrypted using the marriage, that is, the pairing of the receiver and card, nowadays its much more complex) and if the smartcard decides everything is okay, will return a result to the operating system, which could use the result to issue more instructions. The smartcard performs a minimal amount of math to figure out the keys to decode the control word and unlock the video. In the beginning, the math was simple and easy to figure out just by looking at the packets (by intercepting the smartcard commands and decoding them with the marriage). This is where the first fake card system came into play – the AVR.

The AVR was a fake card that you inserted into the receiver, and it had a slot so you could plug your actual card into the AVR. The receiver would talk to your smartcard as normal, and the AVR was programmed to intercept certain commands (such as tier commands) and fool the receiver into thinking you had access to all the channels. They were called AVRs because they ran on AVR chips, most notably, the Atmel AT90S8515. It was not a very powerful chip, and the programming was relatively basic, so rather than have the chip attempt to decode the keys from the stream (and since the keys didnt change all that often, because of the strain on older receivers), the keys were programmed onto the chip, and the chip simply had to be reprogrammed every time the keys changed.

The coders, a loose group of hackers across the internet, were responsible for announcing the keys to the world every time they changed, so people could reprogram their cards (or pay someone to reprogram their cards). They used AVRs with special emulation software attached by a parallel cable to a computer full time to monitor the stream and detect key changes. Some of us adopted a similar setup with combination software that could let you monitor the stream and also control the receiver, which didn’t require a smart card at all. I built such a system for myself, and began learning the various commands and was able to generate keys and unlock the video without relying on others. At this time, key changes happened every couple weeks and also almost always before (or during) a large sporting event. Everyone was happy, and I watched the first Pirates of the Caribbean movie on pay-per-view probably a dozen times, just because I could. The providers played some tricks around this time, like forcing software updates to the receivers that could detect the presence of AVRs, and neutralize the receiver. A message would appear on screen saying theres a problem with your receiver and to call the provider. If you did, well, they know you are pirating their service. Resetting the receiver without the AVR would allow you to resume legal TV viewing. A lot of us simply flashed an older software version to our receivers, but since the upgrade is automatic, it would have to be done every few days. Some of us installed flash interrupts, that render the receiver read-only so new software couldn’t be installed. Then the receiver learned how to detect the lock, so we installed a switch that could lock or unlock. Then the receiver started checking more, so we installed smart locks that could detect the check… what a game of cat and mouse it was. This was short-lived though because…

Nagra 2

Because the smartcards were already using every trick up their sleeve, the providers realized that the only way to defeat the hackers was to change everyones smartcards for more powerful ones. This was done late 2004-early 2005, and effectively stopped satellite TV hacking. This is the point at which I have to stop referring to myself as a Satellite TV Hacker, because even though I had the technical knowhow and was able to decode a lot of commands for myself, I couldn’t unlock a video stream without referencing other peoples work.

The Nagra 2 cards were a massive improvement over the first implementation. These cards could support much, much more complicated math, had onboard cryptography coprocessors called MAPS, plus the ability to execute ECMS and receive remote updates to change which MAPS are being used. Uh oh. The coders have a LOT of work to do. Luckily, early versions of the Nagra 2 cards were glitchy and vulnerable to certain attacks, which hackers can use to fool the card into leaking its secrets or allow them to be reprogrammed. Later versions of the cards had a lot more powerful security features, and were considered impractical to attack. For example, they could detect an attack and permanently disable themselves. Spooky!

Since the receivers didn’t change, the cards had no choice but to use the same communication methods to talk to the receiver, so it was relatively easy to see what the card was saying. The receiver uses information and commands from the stream to send commands to the smart card. The smart card does some super secret processing and spits out a response. The receiver uses that response to do the things it needs to do, like decode the video, decide what channels you are allowed to watch, or send more commands to the smart card. There are a theoretical maximum of 255 commands ($00 ~ $FF) though most were just empty and not used. The most important ones were $07, which asks for permission to view a channel, and $1C, which delivers the control words to the receiver. These commands use a multitude of maps in specific orders to correctly calculate everything. If something doesn’t add up, the control words wont decode the video. In the early days of Nagra 2, the IDEA and RSA Maps were being used. Once the hackers figured out these Maps, the provider simply switched to another Map that still hadn’t been figured out. The hackers eventually figured out those too, and the provider would switch to yet another set. Once all the Maps were solved, the provider enacted a scheme to regularly switch the Maps around, and so the game of cat and mouse continued on and on. Every time the hackers figured something out, the provider would just change it.

FTA Receivers

It was around this time that Viewsat and other popular FTA receivers flooded the market. These companies made a killing selling perfectly legal equipment that could easily be reprogrammed to decode Nagra 2 streams. All of the juicy information the hackers had been working on could now be written to one of these ‘Free-to-air’ receivers (satellite receivers whose purpose is to view streams that arent encrypted at all), to basically replace a Bell or Dishnet receiver. Whenever the providers changed something (which at this point was a couple times a week) the end user only needed to pop a fresh program onto their receiver and continue watching TV.

The hackers, being hobbyists with nothing to gain, were particularly angry over this. For them it was a hobby, not unlike a jigsaw puzzle. Something is being beamed at your house and you can’t see what it is unless you solve these complicated riddles. You solve the riddles and share the results freely, only to have a company in South Korea earn millions of dollars because of your work. Too late, though, its such a lucrative business that now they have their own hackers to keep them going. I’m not going to lie, I made a good deal of money installing boxes and dishes for people who wanted to get in on the free TV craze (this is a grey area, I can sell you a box and install the dish but I can’t put the hacked firmware for you). They knew the game, so when they eventually got zapped I wouldn’t be at the arse end of a lot of angry phone calls.

By this time corporate corruption and backdoor deals were rampant. I remember watching Map57 enter the stream, effectively killing all piracy, only to see it disappear from the stream a few days later, allowing everything to work again. Word around the water cooler is that someone at Viewsat payed off an employee of one of the providers to lift it from the stream for a bit, so they could unload their inventory before everything went dark for good. Said employee was dismissed, and Map57 started to creep back into the stream, but due to security concerns (because Map57 was also cracked by the same FTA manufacturer) it was complimented with even more Maps. The freelance hackers and coders had all abandoned the game, choosing instead to sit by and watch like I did after the card swap. But money talks, so these FTA manufacturers and their hackers-for-hire played the game pretty hard, and kept things going for a good while. Until…

Nagra 3

Due to the rampant financial success of overseas FTA manufacturers, the providers decided to perform another card swap. The third generation of Nagravision was incredibly powerful, combining all previous encryption and security schemes. The providers also took this opportunity to upgrade their systems from MPEG2 to MPEG4, and replaced older receivers that wouldn’t support the newer format. Because the majority of the hackers and coders no longer wanted to have other people profit from their work, no hacks were released. Some unreliable internet card-sharing schemes were set up in an attempt to continue sales of FTA boxes, but most people would rather pay a monthly fee to a provider than a group of flaky crooks overseas. The transition to Nagra 3 effectively marked the end of Satellite TV hacking. Because the internet is such a powerful thing in the world today, most piracy is being done online. There are hundreds of copies of every episode of every TV show and every movie ever made online at any given moment. Easy-to-use programs scan the internet looking for them and provide a simple list for the end user, who needs only click an item on-screen to watch free TV. Even TV streams are being re-broadcast online for others to see. This is especially tricky to target because literally anyone with a paid subscription can broadcast a stream to the world, and the providers have no way to know whose it is.

Nagra 4 and the future

Nagra 4 is now being released through yet another card swap, this time it mainly adds features to combat illegal IPTV streaming. This is a complex automated system that scans the internet for illegal video streams, and systematically embeds hidden data into the video signal one subscriber at a time until it’s detected in the internet stream, and automatically cuts off that subscriber, thus also disabling the internet stream. There is no doubt that the streamers (especially those who charge for their illegal service) will figure out a workaround, and yet another game of cat and mouse will begin.

But lets go back to the CSA. The single 8-byte control word that unlocks the entire satellite stream. This is a random 64-bit word that is different for every channel and now changes every few seconds. The smart card is basically just a super secure and super secret list of instructions for decoding the control word. What if we could decode the control word without needing a smart card? Basically every satellite TV system would be wide open. 15 years ago, decoding a 64-bit word in realtime was unheard of, but todays computers are exponentially faster. Considering the weaknesses of the control word (the fact that only 56 bits are unknown, and the fact that the result MUST be an MPEG4 header) and the massive computing power of todays consumer hardware (not to mention hardware used for crypto mining), I think it’s in the realm of possibility to just attack the CSA directly…



More reading

North America MPEG2 Information:

The Common Scrambling Algorithm:

Breaking the CSA:


Comments are closed.