advice on descrambler
Achyutram Bhamidipaty
I have decided to tackle a new project and I would like some advice on some
points. What I would like to do is build a descrambler for my cable system.
I am sure that this is not entirely legal, but the engineer part of me can't
pass up a challange like this.
What information I would like from people on the net:
1. Pointers to books or articles that have techincal explanations of
TV signals. Information like how many scan lines are in a field,
how often is the screen refreshed, etc. I did get some books but
most of them basically said that an electron beam is used to draw
the image on the screen and didn't go any deeper.
2. Any articles or books that deal specifically with descrambling
cable signals. I would prefer to invent the descrambler rather
than just copy some one else's design.
3. Opinions on how complex this task might be. Do you think that not
having access to a digital scope, storage scope, or frequency
analyzer would be a major handicap.
4. Pointers from people who have tried this.
5. Any other suggestions.
Thanks in advance.
-Rom
r...@xor.sun.com
Gary Bourgois
>
> I have decided to tackle a new project and I would like some advice on some
> points. What I would like to do is build a descrambler for my cable system.
> I am sure that this is not entirely legal, but the engineer part of me can't
> pass up a challange like this.
Cable piracy is quite illegal. Signal theft can (and often WILL) result in
fines and/or imprisonment. If everyone stole cable premium signals, the
services would cease to exist for economics.
That disclaimer out of the way.....
Many engineers construct descramblers for the challenge of it, or for other
experimental reasons.
There are 525 lines per frame and 59.94 fields per second in the standard
NTSC television image. This, however does not have much to do with
descrambling, i.e. it is NOT the key (exactly)..
Your first mission is to determine which encription scheme is being used
at YOUR site. Common systems include:
Gated Sync
Oak
Orion
And several variations.
A more common method of signal encryption, which is most economical for
the cable company is to insert a pulse modulated signal BETWEEN the
audio and video carriers. You can determine if this is in use because
the signal pulses and beeps at a fast rate. A simple resonant frequency
filter is all that is needed to remove this signal.
As for the rest of the scrambling systems, they employ variations on the
theme of "sync confusion" most often by inserting an out of phase sync
component at the vertical rate, or by stripping off one of the synch
signals (vertical always as far as I know) and "hiding it" in the fm band
or somewhere else.
Without a scope, it is pretty hard to see just which system your company
is using. A trained eye can hazard a guess though.
As to constructing your own descrambler... I refer you to Radio Electronics
Magazine, available in most grocery stores. Actually all Electronics
magazines I know of have ads for companies that offer theory books,
construction plans and even kits for the experimenter.
I am posting this because most of the mail I send in reply mode bounces.
Also thought others on the net might be curious.
--
| Gary Bourgois fl...@lopez.UUCP ..rutgers!mailrus!sharkey!lopez!flash |
| Great White North UPLink, Marquette Michigan |
| NATIONWIDE AMATEUR RADIO (1500 watts on 3950) --- nightly after 0200z |
|___________________WB8EOH - The Eccentric Old Hippie____________________|
Henry Spencer
>... What I would like to do is build a descrambler for my cable system.
How practical this is depends on what scrambling system is in use (yes, there
is more than one -- a lot more than one). The DES-based encryption scheme
used by the major satellite video companies these days is effectively
impossible for an amateur to break.
--
NASA is to spaceflight as the | Henry Spencer at U of Toronto Zoology
US government is to freedom. | uunet!attcan!utzoo!henry he...@zoo.toronto.edu
Mark Robert Thorson
Several years ago, channel 26 in San Francisco was broadcasting scrambled
transmissions in which the horizontal sync pulse was inverted. I opened
up my set, and found a single pc trace going from the video amp section
to the horizontal sweep section.
I cut this trace and hooked up the input to the horz sweep to the pole
of the switch. I hooked one side of the switch to the signal from the video
amp section. The other side of the switch was hooked to a signal I found
by experiment.
First, I hooked it to the other side of the same transistor which generated
the signal going to the "normal" side of the switch. Didn't work. Then,
I traced the base input to that transistor back to another transistor in
the video section. My first connection there didn't do anything, either.
Then, I moved the connection to the other side of that same transistor.
Bingo! I had found an inverted form of the video signal, and it worked
just fine for receiving the scrambled transmissions.
I still couldn't get the sound, because it was scrambled in some obscure
fashion, but that really didn't matter, because channel 26 only broadcasted
pornography :-)
BTW, this can be dangerous. My set was isolated from the line by a
transformer. Don't assume that because I lived to tell this story, that you
will too.
[copyright 1989 Mark Thorson; all uses of this document are allowed, except
for republication in moderated new services, such as that provided
by Anterior Technology.]
Isaac S Wingfield
student?), it's useful to note that *all* the sync signals
in NTSC TV are harmonically related - you can do the division
yourself, but from the color subcarrier at 3.579545 MHz, which
is available from the phase-locked oscillator in the set, you
can derive both HSync and VSync using digital divide chains.
You have to do a little manual cycle skipping to get things
lined up, but once it's locked, it's good for the evening...
(Don't ask me how I know).
Innocent question - they're sending that scrambled signal
uninvited into my house. Exactly why is it illegal to use
it for my own reasons? If they don't want me to have it.
they can keep it out (some cable systems do just that, with
bandstop filters outside the house). I know it's not
nice to sell decoders, or kits, or plans, but exactly
why is it illegal for me to make use of signals within
the privacy of my own home?
Isaac i...@cup.portal.com
Charles Cain
systems in use today use the MA/COM Videocipher II system, with the rest being
a conglomerate of OAK ORION, SA B-MAC, and CBS Network uses VideoCipher I.
This being stated, VCII is probably the widest used in consumer applications.
The system is quite secure as it uses the DES algorithm for encryption purposes
and DIGITAL AUDIO. Therefore, one could unscramble the video easily but the
audio is a whole different matter.
The video is stripped of all H sync and V sync information and it is digitized
and transmitted with the 56 bit 'key' for descrambling. The audio is digitized
also and is transmitted where the H Sync used to be. The color subcarrier is
also done this way. For purposes of transmission, a replacement H Sync pulse
is generated and transmitted and this is the gated sync pulse. On dark scenes
it might lock up to an ordinary TV set but when a lightly colored scene comes
up it will get scrambled up REAL good.
If someone is lucky enough to guess the 56 bit key, then he might think he has
the system beat. Not quite. There are 2 modes of operation, fixed key and
individually addressable. Fixed key is used mostly during testing. When the
system is fully operational, IA is used. Each uplink site that is transmitting
scrambled material has a computer that transmits the next months key and the
address of those descramblers authorized to receive the program. The computer
is capable of authorizing or deauthorizing up to 2.5 million descramblers a day.
Hope this helps some.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DOMAIN: c...@raider.mfee.tn.us | From NASHVILLE, TENNESSEE
Satellite Engineer, TNN | Home of the Grand Old Opry!
PHONE: (615-459-9449) |
-----------------------------------------------------------------------------
Disclaimer: These words do not reflect or express the views of The Nashville
Network in any way. The words and the way they are used is solely MY FAULT!!!!!!-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Chris Torek
writes:
>Innocent question - they're sending that scrambled signal uninvited
>into my house. Exactly why is it illegal to use it for my own reasons?
>If they don't want me to have it. they can keep it out (some cable
>systems do just that, with bandstop filters outside the house). I know
>it's not nice to sell decoders, or kits, or plans, but exactly why is
>it illegal for me to make use of signals within the privacy of my own
>home?
The legal basis is called `theft of services'. As an analogy, it is
supposed to be similar to (e.g.) a broken pay phone that thinks it
has an infinite supply of quarters. Although the phone company has
(accidentally) provided this free source for long distance calls,
someone making calls would be acting illegally.
You can, however, have fun with this. If your TV will (perhaps with
a bit of judicious hardware hacking) `accidentally' receive the pay
channels, you could---and note that I am not actually encouraging anyone
to go out and do this---call up the cable company and have the following
sort of conversation:
You: <dial> <ring>
Them: Calumnious Cable Company, hello, may I help you?
You: Uh, yeah. I'm Joe Everyman and I subscribed to your
service a while ago. I don't get the pay channels,
but I just got a new TV set and when I plugged it in
I discovered that it gets them anyway. Well, I
don't want 'em, and I demand you stop sending them.
My brother's kids come over occasionally and I don't
want 'em watching X-rated stuff, and I don't want
you suing me for theft of services.
Them: Er, ah, please hold <pause> <click> <muzak> <click>
Hello?
You: Yes?
Them: Mr. Fubar would like to speak to you. I will transfer
you. <click> <click>
Fubar: Hi, Mr. Everyman? What seems to be the problem?
You: <explain again>
Fubar: Oh. Someone must have accidentally authorized your
descrambler box. We'll disable those channels again.
<usual goodbye noises>
Now you wait a day or two. If Calumnious Cable Co. calls back and
says it is `fixed', tell them otherwise. If they say they never
enabled the pay channels, play dumb and say `well, I'm getting 'em
and I don't want em. You gotta turn 'em off.' If they do not call
back, call them yourself and harrass them. You can escalate this
as far as you dare, or until someone actually puts a filter on the
pole to keep the signal out of your home. At that point, you can
suddenly `change your mind' and decide you want *some* of the pay
channels.
Keep up the pressure, and eventually *something* will break. And
as long as the pressure is in the direction the system is *supposed*
to work, what breaks is usually the system. Bureaucracies are
well reinforced against direct attacks, but `turning the crank the
way it goes, only more so' . . . well, the crank tends to snap off
with the bureaucracy thoroughly entangled in its own red tape.
--
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain: ch...@mimsy.umd.edu Path: uunet!mimsy!chris
Henry Spencer
>uninvited into my house. Exactly why is it illegal to use
Basically, because the government says so. Need you ask? :-)
Kenny Crudup
>If someone is lucky enough to guess the 56 bit key, then he might think he has
>the system beat. Not quite. There are 2 modes of operation, fixed key and
>individually addressable. Fixed key is used mostly during testing. When the
>system is fully operational, IA is used. Each uplink site that is transmitting
>scrambled material has a computer that transmits the next months key and the
>address of those descramblers authorized to receive the program. The computer
Well, it seems they give you the stuff you need right there! I assume that
of course you would need to know the key at least once, but after that, hey!
A place I used to work for used to have EPROMS that would go in VCII modules
in Tracker Systems home units that replaced the original code, and would
first lock in, and then continue to recieve programming.
--
Kenneth R. Crudup, Contractor, Interactive Systems, Cambridge MA
StarTrekV 3'rd favorite line: "Oh yeah?! Beam THIS up, pal!!" - D. Letterman
E-Mail, (which tends not to be delivered :-( ) Phone (617) 661 7474 x238
{encore, harvard, spdcc, think}!ima!haddock!kencr ke...@haddock.ima.isc.com
Bill Mayhew
Unfortunately, the Videocipher II is not a terribly secure system,
eventhough it uses the DES algorithm to encode the digital audio
stream. The problem lies in the fact that the key updating is done
via the over-the-air data stream.
I don't know the specifics of the methods used to attempt to
compromise videociphers, but I've heard that pirates modify the ROM
controlling the housekeeping CPU (an 8048). It is possible to
spoof the audio subsystem by sending it bogus control messages from
the CPU, then trapping key updates illegally.
After General Instruments bought the Videocipher business from
MA/Com, there was a mass recall of the original vcIIs, where GI put
in new motherboards that had green epoxy dumped all over the
vulnerable parts of the board (ROM, CPU, slave CPU for the audio
subsystem, etc.) to discourage unauthorized modifications for
reception. The latest vcIIs apparently are using macrocell ASICs
that do away with the separate ROM chip, as enterprising prirates
were still grinding off the epoxy to change the ROMs.
I do say illeagally. There are heavy fines and/or jail in the US
for theft of service.
A new vcII+ has been announced that will make use of key cards
that are distributed via surface mail, which is what they should
have done all along. More "tier" bits will be added too, which
will allow more scrambled services to be supported. In the current
vc technology, all the available tier bits have already been sold
to various broadcasters, thus preventing any new separate services
from being added. The new vcII+ is also rumored to be desinged
such that it will be able to support high definition TV in the
future. Exactly how the new vcII+ is going to affect the market is
unclear, as there are a lot of the older model in the field that
should need continued support. It would be very unkind for GI to
welch on its promise to the US government that the original vcII
would be the only encoding system the world would ever need.
Bill
w...@neoucom.UUCP
Charles Cain
>In article <1...@raider.MFEE.TN.US> c...@raider.UUCP (Charles Cain) says:
>>If someone is lucky enough to guess the 56 bit key, then he might think he has
>>the system beat. Not quite. There are 2 modes of operation, fixed key and
>>individually addressable. Fixed key is used mostly during testing. When the
>>system is fully operational, IA is used. Each uplink site that is transmitting
>>scrambled material has a computer that transmits the next months key and the
>>address of those descramblers authorized to receive the program. The computer
>>is capable of authorizing or deauthorizing up to 2.5M descramblers a day.
>
>Well, it seems they give you the stuff you need right there! I assume that
>of course you would need to know the key at least once, but after that, hey!
The only flaw that I see with that logic is that in the standard for the DES
algorithm, using a 56 bit key gives you a little bit over 72 MILLION to 1
odds against finding the right key. Then, all the earth station has to do
is change the key. I don't know all the particulars about the keys but I do
know that each earth station cannot use the same keys at the same time. So
although it may look simple on paper, in reality it would seem it is a little
"bit" more difficult. :-)