Hollywood Snob

Posts: n/a/0

Threads:

You can go to google or any search engine & plug in the words you wrote, with parenthesis " " around all the words as a group. example: "Pansat 2500" Many sites are out there. I belong to an fta site that has been reliable, but will not endorse any for you. If you're interested further, P.M. me.

MikeBury

Hello, i'm new here, i have a RCA receiver 1st generation model DRD102RW, how I can see the DirectTV channels, how i crack the card, I'm in Cuba, here we can't pay to the company, waiting replies, thanks like advance

MikeBury

Sorry, i again, my receiver is RCA brand, bye

Juana!

you meanie

forgot to said that besides being one of the best testing sites... that is the place where you found that precious and sensual creature on earth...me

Hollywood Snob

Posts: n/a/0

Threads:

Meanie? Who me? I was trying to protect BOTH sites, by not not posting a link. If it's ok to do that, then I will be happy to post it.
To answer MikeBury, there is no hack for the P4/P5/D1 cards. Most likely, there never will be. The greatest hacking minds in the world have failed to get any fix to last or to unlock PPV's. The sites that offered files for HU cards have either folded , switched to FTA receiver support or are simply stringing along their members with future promises they can never meet.
And yes Juana, you ar indeed the coolest chick I have never met! You are special beyond the comprehention of 99.9% of the population! And I mean that!
NOW, will you give me those little green reputation buttons? :happycow:

wineconnoisseur

I've given up looking. It was much too depressing.

chingon

i prefer the pci cards, theyre jsut more flexible. replay pause etc etc , if you have a nice puter you can make a mega tivo.

green1974

may you help me ? i have a Techview TDR -8800 satellite receiver , how can i find a new program for this receiver ( new patch ) ?

ohelmy

may you help me ? i have a Techview TDR -8800 satellite receiver , how can i find a new program for this receiver ( new patch ) ?

iseau

what does any of this have to do with a p4 hack?

robnader

click on one of our sponsors! OR REMOVE ADS

my reciver is techview
tdr 8800 i lost my remote control
i need it`s code..
how and where??
plz hlp

badklan

ok,look guys a p4 card can be hacked, I just got out of prison in texas on wednesday. I don't have my equipment any more,i went down when the p4 card had just came out. around... I got my frist p4 card 1/1/2003. went down 5/6/2003. I was watch tv.using my p4 card. I was truly hoping ya'll had made the easy for me before I got out. i'll need to get every thing before I can be of help.. I use to be apart of anothe board. I can't find them now. any body know what happen to bbsdss dot (i can't remember) p4 card will work with a emulater or has anybod tried a jumperless (3m)#@%%... I"m sorry I need to do a lot of catching up. read read and read some more..

bzg

WHY A P4 HACK IS IMPOSSIBLE

First, the background:
To watch a particular channel, the receiver needs to receiver a DES key, 80 bits in length, every 8 seconds.
Random data, generated (from a strong random source) at DTV headquarters, and sent to a card with all the tiers at dave headquarters. The result from that golden card is used as the DES key -- Even DTV can't predict the key. The tiers are added to that card through local communication -- not on the public stream.
The core of the encryption is the ASIC, which implements a seeded psuedo-
random number stream in hardware. Only a few designers know how this works.
When a new generation of card is added, DTV runs those cards in PARALLEL, takes the XOR of their results, and sends that in the compatibility packets (CMD7F) - so there is no relation between the ASICs in each generation.


So.. how to attack this:
The IRD?
The IRD is worthless from the hacking perspective. It just relays packets to and from the data stream to the card. Without the card, the IRD has no way of knowing what a golden card would return.
Note that one DBS board, iso reader and subbed card, along with (unwritten?) software could give you an IRDless setup.
Finally, many different manufacturers make IRDs. Anyone who can talk a good story could probably get the specifications under NDA from DTV.

DTV itself:
There is a reluctance to this, as most people like to consider collecting signals as not a moral offense, but actually intruding into a foreign system with intent to acquire data is a different story. That said, there has been at least one court document which detailed the security precautions taken by DTV with access card data. These precautions, assuming they are followed, include air gaps between sensitive systems and internal machines. If you were capable of getting into DTV's internal network, you would also be capable of finding much more lucrative targets with more of a chance of reward...

That leaves the card....

The obvious target is the ASIC, which historically has been designed by NDS. NDS is a company with a large degree of cryptographic experience. Adi Shamir, one of the fathers of public key cryptography (and the S in RSA) is one of the founders of NDS. Since the H card, the ASIC has never been compromised -- not even with attacks discovered after their designs, such as Kocher's timing attack. And that's even if I can GET at the ASIC.

So, what about the old standbys...

First, software attacks. Dishnet has been very susceptible to these, as was the H card. During the design of the HU card, DTV instituted line-by-line code reviews, and common error handling via Trap #9. These resulted in COMPLETE success -- no exploitable software bugs were found in the HU card even after a complete disassembly.
Conclusion - there is unlikely to be any exploitable software bugs in the P4 family...

Protocol Weakness...

The next question might be, is there something in the protocol that can be repeated, dropped, or otherwise missused. DTV's protocol has been very strong from the beginning -- using Zero Knowlege tests for the CAMID and public key encrypted and digitally signed packets. The card swap mechanism was strongly designed to avoid weaknesses -- and,even if there were holes, the liability would be limitted. Nor does the card have any concept of a "channel" -- its all in the encrypted packet which results in the DES key. Finally, the P4 card will disable itself through a write-once area if you sent too many bad packets to it.

Information extraction (using passive means)

Timing, power analysis, or even "listening" to the card reveals nothing except for possibly ZKT information (if you wanted to scam people with a CAMID/ZKT pair....). Getting timing information from the ASIC requires executing code on the card -- and there are techniques to prevent this, such as random loops, redundant calculation and normalization (always do the operation and then throw away the results that aren't needed).
So, that doesn't help.

Glitching... our old friend..
Glitching will be defined as ANY attack which varies any physical parameter of the card, be it the old standards (power, clock) or new (light, targeted magnetic fields) or absurd (alpha particle bombardment).
There are three defenses to overcome....
1. a capacitor provides for a steady current -- nix the voltage glitching and there are detectors should you bypass (fib edit) or destroy the capacitor. So even if you COULD bypass the capacitor on your card -- how do you package a very expensive FIB (focused ION beam) machine with every loader?!...
2. An internal clock so no clock glitching, and synchronizing your glitches is very, very tricky...
3. Finally, the last measure of protection -- software tricks against glitching... even with the ROM dump, these tricks are hard to get around, as was seen with the Hu. With the P4, these are improved. Examples include reading a random number from a hardware RNG, dividing it by a constant (variable amount of time), and remultiplying and checking the result. Since each divide/multiply takes a random amount of time, based on the random number, you won't know how to time a glitch to get past the jump on the incorrect result -- and if you glitch early, you muck up either the divide or multiply, and the software has caught you!

Together these defenses make glitching into this card practically impossible.
(if you know a good way around the divide/multiply method.. please let me know)

Physical security...
So, giving up on all the non destructive attacks, lets say I rip apart my card, take out the chip, remove layers with incredibly hazardous chemicals (shortening my lifespan in the process). Northsat did this on the Hu, and DTV doesn't make mistakes twice. For the P4 and later, there are physical tamper protections. There are thin wires in the protective metal layers above the processor which, if dissolved, result in the card not powering up. Manually patching all of these will be tedious. FUrther, the P4 has light sensitive areas, so you have to do all this in the dark! Finally, the core layout of key chips is spaghetti because of cell-based design and better layout software (poor mask designers...) so you'll need a electron microscope (or better) and a laser voltage probe to even figure out what is going on.. and a lot of time, patience and money..

So the most accessible approach is to make very good friends with the janitor at a well equipped college campus, or sleep with a very well connected DTV employee and con them out of the documents...

Assuming that you get the complete ROM dump (by either means) and you have the Opcodes, and you find, miracle of miracles, an unchecked buffer overflow. Glitching still won't work, so this is your only chance.

Now, the parts that make this really tough:

Non-executable EEPROm -- (can anyone confirm?) This means that even if you found a bug, you have to apply your patch every time the card resets. This means an interposer or IRD modification to send down the exploit. On the other hand, it means that dynamic updates are less likely..

Less safe space to store code --
Since the P4 is split into multiple cores, there is very little general purpose RAM for a complicated 3M -- copying code from eeprom (assuming you can find space) into ram is going to make writing any sort of code for this card a real nuisance.

fatal ECMs:
Since glitching is impossible, the first ECM you get hit with is the last. Since the supply of new P4s is still limitted, 3M writing is going to be like breakdancing in a minefield...Activation and PPV wipes will be tough to hit, although anything out of the ordinary - like incorrect dates, unknown tiers, or corrupted group keys, and you have another ice scraper.

...

And, the final reasons why no one would bother with any of the above:
The internet:
As soona s you start selling a means to do this, it will be ripped off. Unless you program every card individually (high, high risk), you'll find out how quickly a serial logger can open "encrypted" WinExplorer scripts. And as soon as someone figures out your bug, it will be on EVERY dss site within an hour. If you make custom hardware, it will be reverse engineered, since your security budget is less than DTV's....

DerEngel

Posts: n/a/0

Threads:

bzg: How many bits are used for the ASIC input function?