View Full Version : p4 HACK
paultbovr4
07-05-2004, 04:02 PM
P4 HACK is not here; I just wanted to see how many others are like me, looking all around for it. :dancefawk
There is no public P4 hack.....
That is why you can't find it...
I have switched over to Charlie, suggest you do the same...
jessicaq
07-13-2004, 01:22 AM
I've been reading the threads here and it sounds like a good idea. Any FAQs on how to get started with "charlie"?
dellzip
07-14-2004, 10:23 AM
Any idea when this might happen? I'm starting to get used to regular TV.
> I've been reading the threads here and it sounds like a good idea. Any FAQs on how to get started with "charlie"?
This should help..... http://www.kickinchicken.org/files/files.php?page=Dish
> Any idea when this might happen? I'm starting to get used to regular TV.
It does not look very good at the moment; may be a very long wait....
jessicaq
07-25-2004, 09:08 PM
OK guys, I've been doing some research and there is a product called PanSat 2500A. Does anyone have this, and does it work to get charlie? Also, I've read in some places that you have to get update keys; what are these?
Yes it will pick up Charlie, but you must read a little... :)
Getting the update keys is the easy part.. :wiggle:
http://www.dssrookie.com/forums/showthread.php?t=35057&highlight=PanSat+2500A
http://www.dssrookie.com/forums/showthread.php?t=32823&highlight=PanSat+2500A
Printhanox
07-30-2004, 05:48 PM
ty for links.
rangerx
07-31-2004, 05:14 AM
Get an FTA receiver that can be modded. The Fortec Lifetime is a nice little unit. :)
Superphly
08-01-2004, 12:48 AM
Yeah, I got 12 P4 cards, a 911 loader and no decent hack... fuck that.
Superphly
08-01-2004, 12:49 AM
And on the subject of dssrookie... the hacks usually only last a few days... most only hours..... hackedscripts was a great site till it went down... fucking Cubans running off.
kruznlowdime
08-02-2004, 03:14 AM
Are there any updates on the new cards yet? I hate having basic cable!
> OK guys, I've been doing some research and there is a product called PanSat 2500A. Does anyone have this, and does it work to get charlie? Also, I've read in some places that you have to get update keys; what are these?
Charlie knocked out the Pansat the other day. People are working on ways to fix this as we speak. Should be back up in a day or so with a little work.
jessicaq
08-19-2004, 06:22 PM
Very true. I finally had my Pansat up and running and then they hit it. I guess I'll just wait since all I want is HBO.
chingon
08-23-2004, 06:17 PM
P4 and P5 still down? Rumors about a hack are starting again.
Tudds
08-29-2004, 10:56 AM
WTF are you guys talking about?
> WTF are you guys talking about?
I'll never tell... :eek3:
robul
08-30-2004, 12:50 PM
Is the FTA still working?
I think it went down with Pansat.... Not positive..
raserror645
09-01-2004, 02:16 AM
It's funny how it seems like you guys are talking in another language. Geek out! Haha
Pity the person that has no clue what is being said in this thread.
jessicaq
09-12-2004, 04:10 PM
FTA = Free to Air. Many of these units come with the ability to be flashed with fixes that allow you to receive ch@rl!e. The nice thing is, if you get a D1sh500 D1shPr0 LNB, you can get both the 1!0 and 1!9 birds and get all the d1sh channels.
Ch@rl!e has been working ruthlessly to disable the FTA people, but in the process has affected many of their own customers with glitches and pauses in broadcasts. It's pretty interesting. They hit all of the FTAs quite recently and fixes were out and about within a week for most FTA receivers. P@nsat took the longest, but 2 weeks is hardly a problem when you think about getting something to "test" for free.
D@v! was much easier to mess with because once you had a valid tier list and a valid bin or modded receiver, you were in business. However, ch@rl!e is actually easier once you learn what you need to get rolling. Best of all, you typically don't need to do anything.
Now, this all works fine and dandy for N@grav!sion. However, ch@rl!e has N@grav!sion2 out and it will only be a matter of time before it goes across all transponders. The hopeful part is that these FTAs will be able to accommodate a newer h@cked bin to work with N2.
Ok, so what's with the @ and 1's and !'s? D@v! and Ch@rl!e both monitor websites. While this doesn't prevent it, it helps reduce it.
Hope this helps. -Jessica.
Juana!
09-14-2004, 02:30 PM
Rep points for you, jessicaq... very well informed.
For the guys interested in FTA... stay away from the Enforcer receivers... some kind of internal fight is going on and they already freaked out a lot of customers... go for Pansat or Ultra Lifetime.
Waldo
09-22-2004, 10:24 PM
Where's a good website with updates?
aireck
09-23-2004, 01:23 AM
New to all this.... are there classes I can take? lol..
Where to get started from scratch??
jessicaq
12-03-2004, 02:33 AM
Check out www al7bar tk (put dots between the spaces). They are the most reputable as of now. There were a few other sites, but they've disappeared into the world wide wonder. P@nsat and L1fetime Ultr@ are both the same machines with different exteriors and flashes. But, the hardware/chipset is the same. When p@nsat was hit 3-4 months ago, a fix came out for the Ultra first. People were able to flash with the ultra patch and get up and running until the p@nsat patch came.
BTW, today, ch@rl!e changed their keys. the new key for key number 01 is:
01 C5 FB 21 37 B6 C0 5E
Punch it in and you're good to go.
Waldo
12-03-2004, 01:00 PM
You better come to Vegas, Jessica.
Hollywood Snob
12-06-2004, 09:58 PM
Thanks Waldo.
I've had a Pansat 2300, Free To Air, since before 2500s were available. I programmed the code in this time it went down, with my remote control, and it took right off again. By the way, that's only the 2nd time it went down in quite a few months. I'm sure by now this fix is all over the web, in bin form, but it was an easy fix this time. For those reading this who don't understand it all: you can intercept the programming signals that D!sh Network puts up, but the majority of the cheaper sets don't have program guide listings. You don't know what you're watching, who's in it, when it started, when it's over, etc. Beats no TV though. Most are waiting impatiently for a hack for P4/P5, but nothing that works well, or lasts, is available.
Waldo
12-06-2004, 10:18 PM
What would be the most cost-effective FTA to buy?
crash352
01-28-2005, 11:52 PM
I am thinking about getting a Fortec Lifetime Ultra. Where could I get some information and some free hacks?
Hollywood Snob
01-29-2005, 12:34 AM
You can go to google or any search engine & plug in the words you wrote, with parenthesis " " around all the words as a group. example: "Pansat 2500" Many sites are out there. I belong to an fta site that has been reliable, but will not endorse any for you. If you're interested further, P.M. me.
MikeBury
02-18-2005, 12:05 AM
Hello, I'm new here. I have an RCA receiver, 1st generation, model DRD102RW. How can I see the DirecTV channels? How do I crack the card? I'm in Cuba; here we can't pay the company. Waiting for replies, thanks in advance.
MikeBury
02-18-2005, 12:07 AM
Sorry, it's me again; my receiver is RCA brand. Bye.
Juana!
02-18-2005, 01:10 AM
> You can go to google or any search engine & plug in the words you wrote, with parenthesis " " around all the words as a group. example: "Pansat 2500" Many sites are out there. I belong to an fta site that has been reliable, but will not endorse any for you. If you're interested further, P.M. me.
You meanie :ughslap:
Forgot to say that, besides being one of the best testing sites... that is the place where you found that precious and sensual creature on earth... me.
Hollywood Snob
02-18-2005, 01:53 PM
Meanie? Who, me? I was trying to protect BOTH sites by not posting a link. If it's OK to do that, then I will be happy to post it.
To answer MikeBury, there is no hack for the P4/P5/D1 cards. Most likely, there never will be. The greatest hacking minds in the world have failed to get any fix to last or to unlock PPVs. The sites that offered files for HU cards have either folded, switched to FTA receiver support or are simply stringing along their members with future promises they can never meet.
And yes Juana, you are indeed the coolest chick I have never met!:naughty: You are special beyond the comprehension of 99.9% of the population! And I mean that!
NOW, will you give me those little green reputation buttons? :happycow:
wineconnoisseur
04-17-2005, 04:31 PM
I've given up looking. It was much too depressing. :sadwavey:
chingon
04-18-2005, 02:15 PM
I prefer the PCI cards; they're just more flexible. Replay, pause, etc., etc. If you have a nice 'puter you can make a mega TiVo.
green1974
04-21-2005, 09:48 AM
Can you help me? I have a Techview TDR-8800 satellite receiver. How can I find a new program for this receiver (a new patch)?
ohelmy
06-19-2005, 04:27 AM
Can you help me? I have a Techview TDR-8800 satellite receiver. How can I find a new program for this receiver (a new patch)?
iseau
09-14-2005, 03:31 AM
What does any of this have to do with a P4 hack?
robnader
03-13-2006, 04:50 PM
My receiver is a Techview TDR 8800. I lost my remote control; I need its code. How and where? Plz help.
badklan
04-02-2006, 10:57 AM
OK, look guys, a P4 card can be hacked. I just got out of prison in Texas on Wednesday. I don't have my equipment any more; I went down when the P4 card had just come out. Around... I got my first P4 card 1/1/2003, went down 5/6/2003. I was watching TV using my P4 card. I was truly hoping y'all had made it easy for me before I got out. I'll need to get everything before I can be of help.. I used to be a part of another board. I can't find them now. Anybody know what happened to bbsdss dot (I can't remember)? Will a P4 card work with an emulator, or has anybody tried a jumperless (3M)#@%%... I'm sorry, I need to do a lot of catching up. Read, read and read some more..
> OK, look guys, a P4 card can be hacked. I just got out of prison in Texas on Wednesday. I don't have my equipment any more; I went down when the P4 card had just come out. Around... I got my first P4 card 1/1/2003, went down 5/6/2003. I was watching TV using my P4 card. I was truly hoping y'all had made it easy for me before I got out. I'll need to get everything before I can be of help.. I used to be a part of another board. I can't find them now. Anybody know what happened to bbsdss dot (I can't remember)? Will a P4 card work with an emulator, or has anybody tried a jumperless (3M)#@%%... I'm sorry, I need to do a lot of catching up. Read, read and read some more..
WHY A P4 HACK IS IMPOSSIBLE
First, the background:
To watch a particular channel, the receiver needs to receive a DES key, 80 bits in length, every 8 seconds.
Random data, generated (from a strong random source) at DTV headquarters, and sent to a card with all the tiers at dave headquarters. The result from that golden card is used as the DES key -- Even DTV can't predict the key. The tiers are added to that card through local communication -- not on the public stream.
The core of the encryption is the ASIC, which implements a seeded pseudo-random number stream in hardware. Only a few designers know how this works.
When a new generation of card is added, DTV runs those cards in PARALLEL, takes the XOR of their results, and sends that in the compatibility packets (CMD7F) - so there is no relation between the ASICs in each generation.
So.. how to attack this:
The IRD?
The IRD is worthless from the hacking perspective. It just relays packets to and from the data stream to the card. Without the card, the IRD has no way of knowing what a golden card would return.
Note that one DBS board, iso reader and subbed card, along with (unwritten?) software could give you an IRDless setup.
Finally, many different manufacturers make IRDs. Anyone who can talk a good story could probably get the specifications under NDA from DTV.
DTV itself:
There is a reluctance to this, as most people like to consider collecting signals as not a moral offense, but actually intruding into a foreign system with intent to acquire data is a different story. That said, there has been at least one court document which detailed the security precautions taken by DTV with access card data. These precautions, assuming they are followed, include air gaps between sensitive systems and internal machines. If you were capable of getting into DTV's internal network, you would also be capable of finding much more lucrative targets with more of a chance of reward...
That leaves the card....
The obvious target is the ASIC, which historically has been designed by NDS. NDS is a company with a large degree of cryptographic experience. Adi Shamir, one of the fathers of public key cryptography (and the S in RSA) is one of the founders of NDS. Since the H card, the ASIC has never been compromised -- not even with attacks discovered after their designs, such as Kocher's timing attack. And that's even if I can GET at the ASIC.
So, what about the old standbys...
First, software attacks. Dishnet has been very susceptible to these, as was the H card. During the design of the HU card, DTV instituted line-by-line code reviews, and common error handling via Trap #9. These resulted in COMPLETE success -- no exploitable software bugs were found in the HU card even after a complete disassembly.
Conclusion - there is unlikely to be any exploitable software bugs in the P4 family...
Protocol Weakness...
The next question might be, is there something in the protocol that can be repeated, dropped, or otherwise misused? DTV's protocol has been very strong from the beginning -- using Zero Knowledge tests for the CAMID and public key encrypted and digitally signed packets. The card swap mechanism was strongly designed to avoid weaknesses -- and, even if there were holes, the liability would be limited. Nor does the card have any concept of a "channel" -- it's all in the encrypted packet which results in the DES key. Finally, the P4 card will disable itself through a write-once area if you send too many bad packets to it.
Information extraction (using passive means)
Timing, power analysis, or even "listening" to the card reveals nothing except for possibly ZKT information (if you wanted to scam people with a CAMID/ZKT pair....). Getting timing information from the ASIC requires executing code on the card -- and there are techniques to prevent this, such as random loops, redundant calculation and normalization (always do the operation and then throw away the results that aren't needed).
So, that doesn't help.
Glitching... our old friend..
Glitching will be defined as ANY attack which varies any physical parameter of the card, be it the old standards (power, clock) or new (light, targeted magnetic fields) or absurd (alpha particle bombardment).
There are three defenses to overcome....
1. A capacitor provides for a steady current -- nix the voltage glitching, and there are detectors should you bypass (FIB edit) or destroy the capacitor. So even if you COULD bypass the capacitor on your card -- how do you package a very expensive FIB (focused ion beam) machine with every loader?!...
2. An internal clock so no clock glitching, and synchronizing your glitches is very, very tricky...
3. Finally, the last measure of protection -- software tricks against glitching... even with the ROM dump, these tricks are hard to get around, as was seen with the Hu. With the P4, these are improved. Examples include reading a random number from a hardware RNG, dividing it by a constant (variable amount of time), and remultiplying and checking the result. Since each divide/multiply takes a random amount of time, based on the random number, you won't know how to time a glitch to get past the jump on the incorrect result -- and if you glitch early, you muck up either the divide or multiply, and the software has caught you!
Together these defenses make glitching into this card practically impossible.
(if you know a good way around the divide/multiply method.. please let me know)
Physical security...
So, giving up on all the non-destructive attacks, let's say I rip apart my card, take out the chip, remove layers with incredibly hazardous chemicals (shortening my lifespan in the process). Northsat did this on the Hu, and DTV doesn't make mistakes twice. For the P4 and later, there are physical tamper protections. There are thin wires in the protective metal layers above the processor which, if dissolved, result in the card not powering up. Manually patching all of these will be tedious. Further, the P4 has light sensitive areas, so you have to do all this in the dark! Finally, the core layout of key chips is spaghetti because of cell-based design and better layout software (poor mask designers...) so you'll need an electron microscope (or better) and a laser voltage probe to even figure out what is going on.. and a lot of time, patience and money..
So the most accessible approach is to make very good friends with the janitor at a well equipped college campus, or sleep with a very well connected DTV employee and con them out of the documents...
Assuming that you get the complete ROM dump (by either means) and you have the Opcodes, and you find, miracle of miracles, an unchecked buffer overflow. Glitching still won't work, so this is your only chance.
Now, the parts that make this really tough:
Non-executable EEPROM -- (can anyone confirm?) This means that even if you found a bug, you have to apply your patch every time the card resets. This means an interposer or IRD modification to send down the exploit. On the other hand, it means that dynamic updates are less likely..
Less safe space to store code --
Since the P4 is split into multiple cores, there is very little general purpose RAM for a complicated 3M -- copying code from eeprom (assuming you can find space) into ram is going to make writing any sort of code for this card a real nuisance.
fatal ECMs:
Since glitching is impossible, the first ECM you get hit with is the last. Since the supply of new P4s is still limited, 3M writing is going to be like breakdancing in a minefield... Activation and PPV wipes will be tough to hit, although anything out of the ordinary - like incorrect dates, unknown tiers, or corrupted group keys - and you have another ice scraper.
...
And, the final reasons why no one would bother with any of the above:
The internet:
As soon as you start selling a means to do this, it will be ripped off. Unless you program every card individually (high, high risk), you'll find out how quickly a serial logger can open "encrypted" WinExplorer scripts. And as soon as someone figures out your bug, it will be on EVERY dss site within an hour. If you make custom hardware, it will be reverse engineered, since your security budget is less than DTV's....
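The divide/multiply anti-glitch trick from the post above (read a hardware random number, divide it by a constant in data-dependent time, remultiply, compare), simulated as an added example. This is not code from the post or from any access card; it assumes a divisor of 1000003, a four-cycle remultiply, an early-terminating software divide whose running time depends on the dividend, a fixed-delay glitcher that fires at one absolute cycle, and that the first detected fault locks the card. The point it shows is the one the post makes: a fault landing inside the divide or multiply corrupts a value the redundant compare catches, and because the compare's position moves with the random input, a glitcher set to one fixed delay rarely hits the jump and gets the card locked first.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants; the post names none of them. */
#define CHECK_DIVISOR 1000003u          /* constant the card divides by */
#define MUL_CYCLES    4u                /* fixed cost of the remultiply */
#define NO_GLITCH     ((unsigned)-1)    /* run the check without a fault */

/* Outcome of one simulated execution of the divide/multiply check. */
enum { CHECK_OK = 0, GLITCH_DETECTED = 1, COMPARE_SKIPPED = 2 };

/* The software divide below runs one iteration per bit of the dividend. */
static unsigned bit_length(uint32_t n)
{
    unsigned len = 0;
    while (n) { len++; n >>= 1; }
    return len ? len : 1;               /* n == 0 still costs one iteration */
}

/* Restoring shift-subtract division from the top set bit of n. Cycle model:
   one cycle per iteration plus one when the subtract is taken, so the timing
   depends on the random input. A glitch inside an iteration flips its bit. */
static uint32_t slow_divide(uint32_t n, uint32_t d, uint32_t *rem,
                            unsigned glitch_cycle, unsigned *cycles)
{
    uint32_t q = 0, r = 0;
    unsigned iters = bit_length(n), c = 0;
    for (unsigned i = 0; i < iters; i++) {
        unsigned bit = iters - 1 - i, start = c;
        uint32_t qbit = 0;
        r = (r << 1) | ((n >> bit) & 1u);
        c++;                                    /* shift + compare */
        if (r >= d) { r -= d; qbit = 1; c++; }  /* conditional subtract */
        if (glitch_cycle >= start && glitch_cycle < c)
            qbit ^= 1u;                         /* simulated fault */
        q |= qbit << bit;
    }
    *rem = r;
    *cycles = c;
    return q;
}

/* One execution with a glitch at absolute cycle glitch_cycle (0 = first divide
   cycle). The compare runs right after the remultiply; only a glitch landing
   exactly on that cycle skips the "wrong result" jump. */
static int run_check(uint32_t rnd, unsigned glitch_cycle)
{
    uint32_t rem, q, back;
    unsigned div_cycles, compare_cycle;
    q = slow_divide(rnd, CHECK_DIVISOR, &rem, glitch_cycle, &div_cycles);
    back = q * CHECK_DIVISOR + rem;
    compare_cycle = div_cycles + MUL_CYCLES;
    if (glitch_cycle >= div_cycles && glitch_cycle < compare_cycle)
        back ^= 0x80u;                          /* fault inside the multiply */
    if (glitch_cycle == compare_cycle)
        return COMPARE_SKIPPED;                 /* attacker timed it exactly */
    /* Redundant checks: an honest divide/multiply satisfies both. */
    if (back != rnd)                    return GLITCH_DETECTED;
    if (q * CHECK_DIVISOR != rnd - rem) return GLITCH_DETECTED;
    return CHECK_OK;
}

/* xorshift32 standing in for the card's hardware RNG (constructed). */
static uint32_t rng_next(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

typedef struct { unsigned passed, skipped; bool locked; } tally_t;

/* A fixed-delay glitcher fires at the same cycle on every run. The first
   detected fault is assumed to lock the card, so the loop stops there. */
static tally_t attack(uint32_t seed, unsigned glitch_cycle, unsigned runs)
{
    tally_t t = { 0, 0, false };
    uint32_t state = seed ? seed : 1u;
    for (unsigned i = 0; i < runs && !t.locked; i++) {
        switch (run_check(rng_next(&state), glitch_cycle)) {
        case CHECK_OK:        t.passed++;  break;
        case COMPARE_SKIPPED: t.skipped++; break;
        default:              t.locked = true; break;
        }
    }
    return t;
}

int main(void)
{
    /* Sweep the glitch delay across the window where the compare can fall. */
    for (unsigned cyc = 36; cyc <= 48; cyc++) {
        tally_t t = attack(0x1234567u, cyc, 1000);
        printf("glitch at cycle %2u: passed=%4u skipped=%4u locked=%s\n",
               cyc, t.passed, t.skipped, t.locked ? "yes" : "no");
    }
    return 0;
}
```

Running main sweeps the glitch delay over the range in which the compare can land; for almost every delay the card locks within a handful of runs, and a delay that skips the compare on one random value fails on the next. The two-check compare is the "redundant calculation" the post mentions: a single flipped quotient bit changes the product by a multiple of the divisor, so the remultiply never lands back on the original random value.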
DerEngel
09-12-2006, 07:57 AM
bzg: How many bits are used for the ASIC input function?
juny2006
10-25-2006, 09:29 PM
What are the new codes for key 00 01?