BEGINNING OF DSSFAQ98 TEXT FILE - Size: 107,550

DSS TEST CARDS BUYER'S FAQ
Version 1.0
May 15th, 1998
Compiled by TJ, with help from many people.

READ THIS FIRST:

If you are in the United States, it is illegal to use or be in possession of any device that will assist you in the decryption of any satellite signal without authorization. The penalty, if caught, can be $10,000 or more for a single test card plus jail time.

DirecTV currently does not have any licenses to charge for their American programming outside the United States. But since their satellite signal covers most of the North American continent, countries like Canada, Mexico, or the Atlantic islands can also receive the DSS broadcast signal. DirecTV does not have the legal jurisdiction to prosecute test card users outside the United States, for now. However, these countries might still have laws prohibiting the use of similar devices. You should always operate within the laws of your country and local government.

If you can legally subscribe to DTV, don't...get Dish Network instead. :) HAHAHAHA!

Information is meant to be shared. This text file may be freely distributed electronically as long as the distributor agrees to the following conditions: there will be no fees charged for distributing this file, this file will not be modified in any way, and this file must be distributed in its entire and complete form. The only thing I ask in return is that you make sure you have the latest revision of this FAQ. As DSS hacks keep changing, any outdated information from an older version of this file will just add to the confusion among the users.

This file is Copyright 1998 (C) by T.J. of TCUP, and yes, we checked with our lawyers, this copyright claim is valid! This text will remain the property of TJ and all other usage of this file requires written permission from the author.

The latest version of this text is available at The DSS Test Card Users Page, or call it TCUP for short.
Our web site's current URL is http://angelfire.com/ca/dsscards
You can always get our latest URL by sending an email to whereisthesite@yahoo.com. Just send any email to that address and you'll get an auto-response email telling you the latest location of our web site.

--------------------------------------------------------------------------

The purpose of this FAQ is to give the first-time test card buyer some basic knowledge of the technical terms used around DSS test cards, and some background information on the various hacks for the DSS access card. It will also help you avoid some common problems with dishonest dealers or bad hacks. Our FAQ is not intended to teach you how to "do it yourself". We are not experts in this area.

This FAQ is NOT intended to replace Agent_89's DSS Test FAQ (last known revision: v1.17, April 8, 1997), which has much more detail on the technical side of hacking on the old F series cards. Agent_89, if you are still around, drop us a line, we would like to hear from you.

First, let's be honest, the term "testcard" is a euphemism for any card that will get you free TV, legal or not. It's not for testing anything; most DSS receivers have built-in testing menus and do not need these cards to do basic diagnostics or repair work.

There is no such thing as a free lunch. Most test cards have cost their users more money, due to all the ECM problems, than a legitimate subscription would have cost. There is also no such thing as a perfect test card; DirecTV is capable of shutting down any test card or making it useless with a new card swap. Before you purchase any of these devices, you should ask yourself if you can afford to lose your entire investment, and whether you are prepared to lose it. Then ask yourself if you can put up with all the waiting and downtime when you have to send it in for repair. Waiting for repair from dealers can last anywhere from 2 weeks to eternity.
I have gotten countless emails from people who regretted spending over $2000 in the last 12 months buying test cards. They said that if they had known how quickly the cards get shut down or become obsolete, they would have chosen another method of getting DSS programming.

While there are qualified and reliable dealers out there, they are far outnumbered by the dishonest dealers with the flashy web sites. They will deceive you with unsubstantiated claims and entice you with the word "free". These dealers will not only convince you to part with your hard-earned money, they will continue to squeeze more money out of you each time your card goes down after an ECM. The dishonest dealers will charge a high price to repair cards under their "free" guarantee program.

--------------------------------------------------------------------------

OK, now that you have read the warnings and still decide to throw away your money, here's the rest of the FAQ. Please take the time to read the basic information on a DSS system before you jump to the hack description area.

THE DSS BROADCASTING SYSTEM

DirecTV's digital broadcast system consists of 3 satellites orbiting above the earth's equator at 101 degrees West. The 3 satellites transmit in high-powered Ku-Band: DBS-1 has a total of 16 transponders; DBS-2 and DBS-3 have 8 transponders each. With these 32 transponders, DirecTV, USSB, and a few private networks broadcast their signals over most of the North American continent. Any owner of a satellite system with the DSS logo is capable of receiving and viewing their broadcast if they subscribe to DirecTV's or USSB's programming services. In the mainland United States, most systems can pick up the signal clearly with the standard 18 inch dish. If you are further away, as in Canada, you can pick up the signal at a lower strength, or substitute a larger dish for the 18 inch dish to boost the signal strength.
The 3 satellites create a large one-way communication network with the 4 million DSS systems in North America. Only owners of DTV/USSB DSS systems can receive the signals from the satellites; a typical home system is not capable of transmitting information back up to the satellites. In order for DirecTV to track your Pay Per View (PPV) usage, you must hook up a phone line to the back of your receiver. This is the only way you can send information about your receiver or access card to DirecTV.

DirecTV's uplink station is located in Castle Rock, Colorado. This is where they gather broadcasts from all the program providers like HBO, CNN, etc. and process the video before sending it up to the 3 satellites. DirecTV owns the 3 satellites and leases 5 transponders to USSB. DirecTV Inc. is a unit of Hughes Electronics Corp., and Hughes Electronics Corp. is owned by General Motors.

News Datacom Ltd., owned by Rupert Murdoch, is the company contracted by DirecTV to maintain the security of their satellite signal. News Datacom designs and owns the access card that is in your receiver. They are also responsible for creating ECMs (Electronic Counter Measures) to shut down any unauthorized devices that access the satellite signal.

The 3 satellites communicate with your receiver and access card via the datastream. The datastream is a constant stream of digital data packets sent down from the satellites, somewhat similar to the Internet data communication method where each packet carries the address of its intended recipient. DirecTV can therefore address your card or receiver individually, but can also send out commands with global or group addresses to reprogram multiple cards at the same time. The serial number from your card plus the serial number from your receiver forms a unique ID.
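The addressing model just described (a unique ID built from the card and receiver serials, plus group and global addresses that a receiver either passes through to the card or drops), together with the card-marriage and tier-expiry rules the FAQ covers in the sections that follow, as a small Python simulation. This is an added example, not code from the FAQ, DirecTV or News Datacom; the packet fields, the address kinds, the "serial:serial" ID format, the command names and the day-number expiry are all assumptions chosen for illustration, and every serial number in it is constructed.

```python
"""Model of the DSS datastream addressing and card-marriage rules described
in the FAQ. Added example: packet layout, address kinds, ID format and
command names are assumptions, not the real system's formats."""
from dataclasses import dataclass, field
from typing import Optional

# Address kinds named on the page: individual (unique ID), group, global.
UNIQUE, GROUP, GLOBAL = "unique", "group", "global"


@dataclass(frozen=True)
class Packet:
    kind: str            # UNIQUE / GROUP / GLOBAL
    address: str         # unique ID, group name, or "" for global
    command: str         # e.g. "add_tier", "reset"
    payload: dict = field(default_factory=dict)


def unique_id(card_serial: str, receiver_serial: str) -> str:
    """Card serial + receiver serial forms the unique ID (assumed format)."""
    return f"{card_serial}:{receiver_serial}"


@dataclass
class AccessCard:
    serial: str                                # lives in ROM, not changeable
    married_to: Optional[str] = None           # receiver ID stored in EEPROM
    tiers: dict = field(default_factory=dict)  # tier name -> expiry day

    def insert(self, receiver_serial: str) -> bool:
        """A virgin card marries the first receiver it meets; a married
        card only works in that receiver."""
        if self.married_to is None:
            self.married_to = receiver_serial
            return True
        return self.married_to == receiver_serial

    def apply(self, packet: Packet) -> None:
        """Commands that actually reached the card through the receiver."""
        if packet.command == "add_tier":
            self.tiers[packet.payload["tier"]] = packet.payload["expires_day"]
        elif packet.command == "reset":
            self.tiers.clear()          # the "rehit" back to preview-only

    def authorized(self, tier: str, today: int) -> bool:
        """Tiers carry an expiration date; an expired tier grants nothing."""
        expiry = self.tiers.get(tier)
        return expiry is not None and today <= expiry


@dataclass
class Receiver:
    serial: str
    groups: set = field(default_factory=set)

    def accepts(self, packet: Packet, card: AccessCard) -> bool:
        """Receiver-side filter: only packets addressed to this unit's
        unique ID, to a group it belongs to, or to everyone reach the card."""
        if packet.kind == GLOBAL:
            return True
        if packet.kind == GROUP:
            return packet.address in self.groups
        return packet.address == unique_id(card.serial, self.serial)

    def feed(self, stream, card: AccessCard) -> int:
        """Pass matching packets to the card; return how many were applied."""
        applied = 0
        for packet in stream:
            if self.accepts(packet, card):
                card.apply(packet)
                applied += 1
        return applied


def demo():
    """Constructed walk-through: one card, two receivers, a short stream."""
    card = AccessCard(serial="000040001234")          # constructed serial
    box_a, box_b = Receiver("RCVR-A"), Receiver("RCVR-B")
    married = card.insert(box_a.serial)                # virgin card marries A
    stream = [
        Packet(UNIQUE, unique_id(card.serial, box_a.serial), "add_tier",
               {"tier": "basic", "expires_day": 60}),
        Packet(UNIQUE, unique_id("000040009999", box_a.serial), "add_tier",
               {"tier": "premium", "expires_day": 60}),   # someone else's card
        Packet(GLOBAL, "", "noop"),                        # reaches everyone
    ]
    applied = box_a.feed(stream, card)
    # applied == 2, basic valid on day 30, expired on day 61, box B refused
    return (married, applied, card.authorized("basic", 30),
            card.authorized("basic", 61), card.insert(box_b.serial))


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that the receiver, not the card, decides which packets the card ever sees, and that an entitlement is only as durable as its expiry date: a tier that is written to the card but never refreshed by the head end lapses on its own, exactly as the FAQ says of tiers added by a card programmer.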
Under normal operation, your receiver will filter out any packets that do not have your unique ID, and will only pass commands to your card if the packets have the right address.

THE ACCESS CARDS

The plastic access card in your DSS receiver is commonly referred to as an H series card, or P2. Its serial number should be 0000 4000 0000 or higher; the range of serial numbers has been reported to be over 0012 0000 0000. Older series such as the E, F and G cards, or the P1's, have been phased out by DirecTV and are no longer fully functional on DSS systems. Those cards will have a serial number of 0000 3999 9999 or lower.

The latest H cards have the letter "c" printed on them, which means that a minimum of 18 update codes are preprogrammed on them. Cards that were already in use received the 18 update codes via DirecTV's satellite transmission. Five additional update codes are being sent to regularly subscribed cards, so a total of 23 updates should have been written to your H card if it is used under a normal subscription.

The term "virgin" is used to describe a new plastic access card that has not been inserted into a receiver yet. When a card is inserted into the receiver, it "marries" that particular receiver by storing the receiver's unique ID number in the H's EEPROM. Once a card is married to a receiver, it will not function normally when inserted into a receiver with a different ID number. Cards can be wiped clean, or reset back to virgin, with the right software.

An "expired" card is a card that once had an active subscription but has been canceled. An expired card will show only the 3 preview channels (100, 267, 999).

The H access card consists of a Siemens 8501 microprocessor, several forms of memory (ROM, RAM, and EEPROM), an ASIC, and a few minor electronic components.
The ASIC, or Application Specific Integrated Circuit, is a co-processor that helps the main CPU run the decryption algorithm at a much faster rate than the older F series card, thus making all older F cards/hacks/emulators useless for the video decryption of the satellite signal. The ASIC is the main reason why there is no full hardware emulator out there for the H right now. It is very difficult and expensive to manufacture a replacement ASIC in small quantities, and to utilize or "enslave" the existing ASIC in an H card puts the card at risk of being damaged by an ECM.

The EEPROM (Electrically Erasable Programmable Read Only Memory) stores the most important information about your card and the decryption algorithms. It is also the only part of the card that can be changed, other than the temporary RAM area. The ROM (Read Only Memory) stores your card's serial number, which is not changeable. This is why there are no true clones of the H access card.

The DSS access card communicates with your receiver via protocols that comply with the ISO 7816 standards for smartcard communications.

Electronic Counter Measures, or ECMs, can be defined as any change in the datastream made in an attempt to stop unauthorized devices from decrypting the satellite transmission. This can take the form of changing the speed or the format of the packets, withholding crucial packets that the hacks need to function, adding new commands or software in the packets to change the operation of the H access cards, or other creative methods that we have not seen yet.

You cannot avoid the ECMs; most ECMs are permanent changes to the datastream. If you pull your card out of the receiver, it will delay your card from getting hit, but as soon as you put your card back in the receiver, it will be affected.
The only benefit of pulling your card out is to avoid permanent damage to the card until you contact your dealer for further instructions, or until you update your card with new software to make it compatible with the ECM before it is exposed to the datastream. But repeatedly pulling and re-inserting your card in your receiver increases the chances of it being damaged by wear and tear.

Your receiver continues to receive the datastream even when the power button is off. It still reads the datastream and writes to your card. So the only way to avoid the datastream is to unplug the power cord or disconnect the coax cable from the back of the receiver.

ECMs can come in a thousand different ways. No "blocker" can anticipate what future ECMs will come or when they will come, so no blocker is 100% effective. Blockers are mostly useful against past ECMs, where they are intended to block known packets that will be harmful to your card, but the people who make blockers can never anticipate all future ECMs.

ECMs are usually launched on days when DirecTV feels it will "frustrate" a large number of test card users. Historically, ECMs are sent right before a popular or expensive PPV event, or on Thursday nights, when the TV audience is at its highest. Other past ECMs were launched before popular family holidays or on just regular weeknights when people least expected them. In other words, it can hit at any time with no warning.

Results of an ECM can range from your card simply resetting back to expired status, showing only the 3 preview channels, to the more serious looped condition, commonly referred to as 99. The H access card has many "fuse" bytes. During an ECM, DTV can send out hash code checks in the datastream to "test" the cards. A legitimate card will respond correctly and continue to run; a card with modified codes might respond differently, and writes to the fuse bytes, or "blows" the fuse, which puts the card's microprocessor in a tight permanent loop.
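The hash-check-and-fuse mechanism described in the preceding paragraph is a classic tamper-response design: the head end challenges the card with a digest of a region of its own code, a card whose code is intact answers correctly, and a card whose code has been altered trips a one-way fuse and fails closed. The following Python simulation shows that sequence from both sides. It is an added example, not the FAQ's or News Datacom's code; the digest (SHA-256), the region layout, the command names and the "99 99 99 99" reply bytes are assumptions chosen to illustrate the behaviour the FAQ describes, and the code image is a constructed stand-in.

```python
"""Model of the ECM "hash check" and fuse bytes described in the FAQ: the
head end names a region of the card's code and the digest it expects; a card
whose code matches keeps running, one that does not blows a fuse and answers
every later command with 99s. Added example; digest, layout and reply bytes
are assumptions."""
import hashlib
from dataclasses import dataclass, field

LOOPED_REPLY = bytes([0x99] * 4)   # the "99 99 99 99" the FAQ describes


def region_digest(code: bytes, start: int, length: int) -> bytes:
    """Digest over one region of the code image (SHA-256 is an assumption)."""
    return hashlib.sha256(code[start:start + length]).digest()


@dataclass
class Card:
    eeprom: bytearray
    fuse_blown: bool = False           # the "fuse" byte: once set, never cleared
    log: list = field(default_factory=list)

    def handle(self, command: str, **args) -> bytes:
        """Dispatch one datastream command. Once the fuse is blown the card
        is in a tight loop and every command gets the same reply."""
        if self.fuse_blown:
            return LOOPED_REPLY
        if command == "hash_check":
            return self._hash_check(args["start"], args["length"], args["expected"])
        if command == "status":
            return b"OK"
        return b"UNKNOWN"

    def _hash_check(self, start: int, length: int, expected: bytes) -> bytes:
        actual = region_digest(bytes(self.eeprom), start, length)
        if actual == expected:
            self.log.append("hash_check passed")
            return b"OK"
        # Mismatch means the code in that region is not what was shipped:
        # blow the fuse, and the card is looped from here on.
        self.fuse_blown = True
        self.log.append("hash_check failed, fuse blown")
        return LOOPED_REPLY


# Head-end side: it holds the genuine code image, so it can precompute the
# digest of any region it chooses to check.
GENUINE_CODE = bytes(range(64))        # constructed stand-in for real card code
CHECK_START, CHECK_LEN = 16, 32


def make_check() -> dict:
    """Build the challenge the head end sends for one region of the code."""
    return {"start": CHECK_START, "length": CHECK_LEN,
            "expected": region_digest(GENUINE_CODE, CHECK_START, CHECK_LEN)}


def run_scenario():
    """Constructed run: a genuine card and a card with one patched byte inside
    the checked region both receive the same hash check, then a status query."""
    genuine = Card(bytearray(GENUINE_CODE))
    patched = Card(bytearray(GENUINE_CODE))
    patched.eeprom[20] ^= 0xFF         # one byte altered inside the region
    check = make_check()
    results = {}
    for name, card in (("genuine", genuine), ("patched", patched)):
        first = card.handle("hash_check", **check)
        second = card.handle("status")
        results[name] = (first, second, card.fuse_blown)
    # genuine -> (b"OK", b"OK", False); patched -> (99s, 99s, True)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

Two design properties are worth noticing. The fuse is a state change the card itself makes and never reverses, so the verdict survives power cycles and card pulls, which is why the FAQ says pulling a card only delays, rather than prevents, the outcome. And the challenge carries the expected digest but not the code, so the head end can vary which region it checks from one ECM to the next without revealing anything a listener could use.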
A looped card will not respond to any commands from the receiver or a card programmer, usually returning just a series of 99 99 99 99's or FF FF FF FF's. This is where the user gets the dreaded "Please Insert a Valid Access Card" message on their TV screen.

Only a handful of people are capable of unlooping H cards right now, and the cost of such service is high, unless the service is included as part of your purchase of your test card. A regular H access card replacement from DirecTV is about $125, slightly lower if you buy one from a test card dealer ($75 to $120). Unlooping a card can cost as much as $75, and the success rate is not 100%. If your access card gets looped, it's going to cost you money. So do everything you can to avoid getting your cards looped! There is currently no public information on unlooping H access cards; most of the Net's information on unlooping cards is for the old F series cards and is not usable on the H cards.

-------------------------------------------------------------------------

THE HACKS

All currently working hacks can be put in 2 categories: Plastic Software and Hardware Wedges.

THE PLASTIC SOFTWARE HACKS

A plastic software hack uses software to modify the programming codes on a regular H plastic card, making it operate differently than what DirecTV intended. Software hacks such as the 3M, 4M, Blazer, T3, Activator, CL5005, and others change the bytes in the EEPROM of the H to get video on your receiver. There are 2 methods of software hacks.

The safest method, used by Activator, Blazer1, CL5005, CBA, Volcano and others, adds normal tiers to your cards. A tier is a set of codes embedded in the datastream packets sent by DirecTV that authorizes your access card to decrypt the channels. You can also send these packets to your card with an ISO-7816 compatible card programmer via your PC's serial port. This simulates the method that DirecTV uses to grant authorizations to a legitimately subscribed card.
In theory, this method will result in the least damage to your access card in the event of an ECM. However, DirecTV can easily send a reset command, or a rehit, to all cards via their serial numbers, resetting any card that's not on their subscriber list back to the 3 preview channels and wiping out any unauthorized tiers. A normal tier carries an expiration date, so even if you keep your card out of the receiver to avoid being shut down, it will still expire on its own. Normal tiers will have an expiration date less than 2 months away. If DirecTV really wants to get dirty, they can send out 99 commands also, but it's difficult (not impossible) to do without affecting some legitimate users.

Normal tiers in the hacks will only authorize your cards for the regular channels; the PPV channels require additional tiers that change often. It is difficult to get PPV tiers on a timely basis, so you are forced to use the PPV purchase on your card to view the PPV channels. A normal access card has a limit of 25 PPV events. Once the 25 PPVs are used, you are either stuck with a card that can't buy any more PPVs, or you need to have the PPV cleaned, either by a card programmer or by sending it back to the dealer. Currently, there is no PPV cleaning software available to the general public that will work on updated cards without changing the 23 update codes.

The second method of software hacks, considered to be more aggressive, changes some crucial operation codes on the EEPROM, making the card perform very differently than a subscribed card. Software such as 3M, 4M, Blazer 2, Blazer 3, T3, etc. alters the card to show all channels, including the PPVs, and in doing so, their codes occupy a larger area of the EEPROM. EEPROM code changes are easier to detect and exploit for an ECM. These cards have a higher chance of being put in a loop, or 99, by an ECM.
The term "3M" is derived from the Three Musketeers' phrase "One for all and all for one". It is a reference to an old Videocrypt hack that turns on all channels from a subscription to only one channel. The term "3M" is now used loosely to describe any hack that gets all channels, including the PPVs, without making the user use the "buy" option on the remote control. Modern DSS 3M hacks do not require the user to subscribe to any channels at all. The company that makes Scotch tape and Post-It notes has nothing to do with the 3M hacks, so DO NOT go to 3M's web site asking for test cards!

Out of these 2 methods of software hacks, they are available in 2 different ways. The commercial software (3M, 4M, Activator, Blazers, Predator, T3) is tightly controlled by the original authors and is not released to the public. They usually require you to send in your regular access card and the dealer reprograms it with their software; average turnaround time is 1 to 3 weeks.

The freeware or shareware (Volcano, CL5000, CL5005, Explorer, Merlin, Pegasus) is available for download on the Internet, usually via IRC. You then use this freeware to program your H access card with an ISO-7816 card programmer. Popular card programmers include Paul Maxwell King's MK12 and Haku's HAKU-3. The average price of a card programmer is about $100 USD pre-built, or you can build it yourself for about half the price if you have the technical expertise, tools and electronic parts. The main thing to remember is that a card programmer is only as useful as the software that you can get your hands on. Without the right software, a card programmer cannot add any codes to your access cards. Up-to-date tiers and programming scripts are not always available on the Internet.

Here are a few things to keep in mind when using the freeware.
Some of this software came from unknown sources, so it's not fully known what the software will do to your cards, or what kind of long-term effect it will have on your card's stability. It can leave your card wide open to an ECM attack. It can also be a Trojan horse released by somebody who wants to damage your card. There is usually no support from the original authors.

Some freeware is former commercial software that's been released on the Internet because the author feels it has lost its commercial value or is expected to be shut down soon by an ECM.

Keep in mind that there's no control over the naming of a program, so if you hear of a freeware with the same name as a commercial product, don't get too excited. It is most likely not the same software code that is being used in the commercial product. It could just be a disgruntled group of hackers renaming some dangerous code to undermine the name of a competing product.

The shareware such as CL5005, Merlin, and Pegasus is a step up from the freeware files. It is supported by the original authors, if you can find them. It has more regular updates and is slightly easier to use. Regardless of which software you choose, you can still damage your card if you don't know what you're doing.

Because freeware and shareware can easily be downloaded by DirecTV and News Datacom, an ECM can be created to target this software in a much quicker time frame than the normal development time for the commercial products. It was the freeware and shareware's widespread use that finally forced DirecTV to start a card swap in the fall of 1996. The card swap was completed by June 1997, and made all hacks for the F series useless overnight.

THE HARDWARE WEDGE HACKS

The hardware wedge cards surfaced in the fall of 97, about 3 months after the first 3Ms were released. Initially, they resembled the old battery card of the F series, and gave people a false sense of reliability.
Unlike the old battery card, which emulates the entire F series access card via a Dallas microprocessor, the modern wedge card does not fully emulate the processor in the H plastic card. A modern hardware wedge card is a circuit board that is inserted into the card slot of your receiver. It has a piggyback slot that sticks out of the receiver and requires an H access card to be inserted to form the complete hack. It operates by capturing packets in the datastream, making any necessary changes to them, then passing them to your H to decrypt the video. The January 15th ECM demonstrated that DirecTV can still put your H card in a loop even if it is isolated or protected by a wedge.

The Combo card was the first wedge to be released by the hackers. Its programming was stored in an EEPROM chip.

The DDT came out about a month after it. It was about 25% lower in price than the COMBO, but was not capable of generating the entire authorization packets by itself, so it required the user to subscribe to DirecTV or USSB with a small programming package. It takes authorized packets from the subscription and modifies them to grant access to the non-subscribed channels. The DDT's code was dumped by one of their competitors and the file got circulated on the Internet. Soon, everybody was making DDT knock-offs, calling them DDT II, DDT III, DDT Next Generation, etc. The original DDT group disappeared after the Jan 15th ECM due to a lack of knowledge to repair the cards correctly. Most customers were abandoned when their DDTs and knock-offs died after less than 2 months of usage. Some customers got less than 1 week of use out of their DDT before it died.

The DATS came out about a month after the DDT. It had some obvious advantages over the DDT. It can generate the full authorization packets without a subscription. It had a built-in blocker function to filter out any harmful packets that were previously detected. It was compatible with both subscribed and virgin cards.
It also uses a less expensive Atmel microprocessor instead of the DDT's Dallas chip. The card's street price was about half that of the DDT. According to the DATS group, the Atmel chip company betrayed them when the company decided to join in on the hack business; they dumped the DATS's code and sold it to other hackers. This allowed many dealers to come out with various knock-off models selling below the $200 street price, but without a full understanding of how the card worked. Shortly after, tens of thousands of knock-off DATS flooded the market under various names: BOSS, Blue Baron, Blackjack, Bandit, Anonymous card, Wildcard, Red Devil, and many others. The only authorized reproduction of the DATS was the Red Baron, which received support from the original group.

On January 15th, DTV launched a large ECM that wrote 17 new update codes to the H access card. One important one is the 09 command that closed the 09 "hole" that all wedges were using to add tiers to the H. The Combo and DDT cards stopped working; some DATS survived if they had their blocker running. Soon, all wedges were only working if they were using a non-updated H card with the blocker running to prevent the updates from closing up the hole on the H. A conversion chip later came out that converted a DDT into an unauthorized DATS knock-off.

On March 27th, DTV launched another ECM, this time with 5 new update codes, plus the original 17 codes were sent via another command that the wedges were not capable of blocking. All currently working wedges use some kind of modified H card which is programmed with the 23 updates but has the 09 hole reopened to allow the wedge to program the plastic card. This hack method puts the H at risk of being looped. The genuine DATS are the only ones we know of that don't use this technique.
-------------------------------------------------------------------------

EVALUATING THE DEALERS

So after reading all this, you still decide to get a test card. Here are some ways to find a reliable dealer.

Ask around, and then ask some more, and then ask some more again. The main problem we have observed from "victims" of bad hacks/dealers is that the users were too lazy to do the research and dealer comparisons. If you have friends who own test cards, ask them about their dealers, but don't jump at the first name or phone number they throw at you. We get a lot of emails from our site's visitors telling us they found their dealer through a friend, and now they are both screwed because the dealer disappeared. Coming across a name just means you can then start the evaluation process to judge the dealer's performance. Compare him with other contacts that you will come across.

Other ways to find dealers are via the search engines on the Internet, but dishonest dealers are also listed on the search engines. We find the best method to find dealers is to join the IRC satellite chat channels and ask other live on-line test card users about them, because it's difficult for a dishonest dealer to hide his reputation when there are 200 critics or former customers online.

Also, don't believe everything you hear about the dealers. Some dealers pay their employees, or pretend to be a customer themselves, to suggest their services to new unsuspecting victims. If you come across the exact same comments over and over again, like "he's the best, very honest", chances are it was pre-scripted. If somebody gives you a recommendation, ask them to back it up. Ask them why they recommended the dealer. Ask them to cite specific cases of how the dealer provided service. Ask them how they have dealt with the dealer. If you are just getting vague responses, then don't take that recommendation too seriously.

After you have gathered a couple dozen names and URLs, then you can start the evaluation process.
Don't be lazy and base your purchasing decision on only 1 or 2 factors. Any hasty decision will cost you in the long run. Here are some of the WRONG things people use to base their dealer decision on. These are actual cases that were reported to us via email by our web site's visitors.

"I picked my dealer because..."

...he was the first one listed on the search engines
...he said he's been in business for over 10 years
...he said his cards won't get ECM and he offered me a guarantee
...he was the only one I could find that takes credit cards
...he lives in my town
...he had a "@" sign in front of his nickname on an IRC channel
...his web site looks really cool with the animated graphics
...everybody said they heard of him
...his purchase price was the lowest
...his purchase price was the highest, so he must offer the best service
...he has a scams page listing dishonest dealers
...he said there is only 1 fix and it is available only from him
...his cards have real cool names

All these sentences were followed by "I got screwed by him after an ECM, now it's going to cost me more money to get my card fixed".

Anybody can make his site come up first on the search engines if he spends enough time and money.

A dishonest dealer can continue to operate for over 10 years if there's a constant supply of new customers to scam, just as a vampire bat can live for 10 years if there's a new supply of blood every night. I know, it's not fair to compare vampires to bad dealers; at least the vampires stop biting after they suck you dry.

Every test card CAN and WILL get ECM; a guarantee is worthless if he can't or won't honor it. Even if he puts it in writing, you'll just have a piece of paper to remind you how gullible you were. One dishonest dealer uses small fine print to state that his guarantee is on his software, not the plastic card.
This guarantee has little value, since the software is intangible and it costs him nothing to re-copy it onto your card, but you wind up paying a hundred dollars for a new plastic card every time after an ECM because his weak software got your card 99'd. You wind up taking all the risk and paying for that risk.

Dishonest people take credit cards too; that's why there is such a thing as credit card fraud on the Internet. If you think your credit card company will help you with an easy refund from a bad dealer, you're in for a bad surprise. Some really despicable dealers will post your real name, address, phone and credit card numbers on the Internet for everyone to use if you try to reverse your charges. Some even threaten to report you to the authorities, since they have written proof that you purchased an illegal card. One dishonest dealer even blackmailed his customers by making various charges on his customers' credit cards after the initial purchase, threatening to turn them in to the FBI if they protested the charges to their credit card companies. So think long and hard before you give out your credit card number, because it might wind up costing even more than sending a blank money order to other dealers.

Geographic location is not the best way to judge a dealer's honesty. It will be more convenient to return cards for repair after an ECM, but only if your local dealer can get access to the fix quickly; otherwise, you'll just wait as long as everybody else. Stop by your local police station or jail to remind yourself that dishonest people live in your town too.

Just because a person has an "@" in front of his nickname in the IRC channels doesn't mean he's any better or worse than the people without the OPs status.

A flashy web site means the dealer is very talented at writing HTML code or can afford somebody to write it; it doesn't reflect his service to his customers.
A dealer who is well known isn't necessarily an honest dealer; most people know their neighborhood crack dealer, but not many would send him their hard-earned money. One dealer was very well known and liked by many IRC users; that was because he told the best jokes on the channel. A clown is not what you need when your cards go down after an ECM. Free jokes won't get your TV back. If you do come across people who claim to know him, ask them for more information about that dealer; ask probing and detailed questions. If a dealer has loyal customers because of his good service, they won't mind spending the time to tell you about him. If they don't want to spend that time, then they probably don't have enough respect for that dealer. Do not equate a dealer's popularity with his honesty.

Don't be tempted by a low initial purchase price; it is not the total cost of a test card. Make sure you find out how much it will cost you to repair a card after each ECM, and count the shipping charges also, because all cards will get hit sooner or later, and they will get hit more than once. To find out the real cost to fix a card, don't ask a dealer, because what he tells you in an email and what he actually charges can be very different amounts. Instead, look at his web page or old news section to see if he posted any prices to fix cards from the last ECM. If he's charging $100 plus shipping to fix cards for his existing customers, you can probably expect to pay the same amount when your card goes down in the future. You can expect to pay this price more than once, because there will be more than 1 ECM coming.

A dealer who charges the highest prices doesn't necessarily offer the best service, or sell "The Best" cards. It could just mean he is greedier than the others and is preying on lazy customers who didn't do enough comparison shopping.

A dishonorable thief will betray his own mother, so he should have no problem betraying his enemies.
So just because he lists a bunch of competitors on his scams page doesn't mean he's any better than the people on that page. There are a few legitimate sites out there that do a good job of listing real scams. You can easily distinguish them because they are just information sites and don't have anything to sell, so their motive for listing these scams is most likely to warn their readers.

How many times have you heard the old line, "You can't get this anywhere else, so you must buy it from me today"? It's impossible to keep a hack secret in this business, so if one dealer has it, it's certain that somebody else will have it too. Hackers will hack each other's work when they are desperate enough. Sometimes the second hack might even be better, but most of the time it's worse, since they don't have a full understanding of the original product.

Never buy a card based on its name, no matter how "cool" it sounds; there is just no valid reason to make such a decision. Also, don't be too impressed by a hack that bears a suffix like Version 10 or Model III. It doesn't mean it's any better than the previous models; it just means all the previous models have failed. If the hack was that great to begin with, there wouldn't have been a need for a sequel!

All the points that I just mentioned are to remind you not to base your decision lightly. It does not necessarily mean a dealer is bad if he fits some of the profiles above; he could still be a good dealer. Good dealers take credit cards too, and they might have flashy web sites. You should evaluate a dealer on many factors, such as his treatment of his existing customers.

EVALUATING THE HACKS

Here are some things to remember about all hacks that change the access card's EEPROM code. They will all die; it's just a matter of time before DTV gets around to writing an ECM for them. DTV is capable of killing all plastics, with or without a blocker. The average run time for any hack is 3 to 4 months before it goes down with an ECM.
DTV targets cards in the order that they are released. So if you buy the latest hack, chances are it will survive a few ECMs while earlier hacks get 99'd, until it's your card's turn to get hit.

There is no such thing as a "Best" hack. The main thing to look for in any hack is the SUPPORT from the dealer or group. All cards will die, but it's the dealer that will help you get it back up after an ECM. So when you read all the products on the web sites with their claims of superiority, ignore them. You should be evaluating a dealer's performance instead. Look at their past ECM record and see what kind of response the dealer offered to his customers after an ECM. Look at the news section on their web sites and ask around in IRC to find out how long it really took them to return cards to their customers, and whether the cards were repaired properly. Find out how much they charge for the repair and consider any shipping charges that you might incur in the event of an ECM. Now multiply this 3 to 12 times to figure out the total operating cost of your test card after it's been purchased. Your REAL cost is the total operating cost plus your initial purchase price, plus the time and energy that you will spend dealing with the ECMs and waiting for instructions from your dealer. Now compare that to a normal legitimate subscription package for 1 year plus a realistic number of PPVs that you will watch. Then ask yourself which option is the smarter choice.

The best time to evaluate a dealer is after an ECM, when the truth will come out about how he treats his customers. Any dealer that asks his customers to "Do not email us for the next 3 weeks, all emails will be trashed" is not the type that you want to buy from. While there are huge logistical problems in handling 2000 returned cards from their customers after an ECM, they should be prepared to answer 2000 emails if they were capable of taking money from 2000 people in the first place!
Even if a customer is asking a question that is already answered on the web page, the dealer should still respond to all emails when time permits. I got an email from one small dealer with a time stamp of 3:45 A.M. because he stayed up that late to reply to his customers' emails even after a long day of processing cards.

Another thing you can make your own judgment on: some dealers will tell you that they are understaffed to handle all the phone calls or emails, so don't contact them, and yet on the same web page they are asking new customers to "Place your order now, our operators are standing by". This tells you where the dealer's loyalty lies. You're only important to them until they have your money, then it's "No fix yet, stop calling!"

Not all dealers are bad. There are many out there breaking their backs to return cards to their customers as quickly as they can. Some are driving cards across the border to avoid getting them seized by US Customs. Some dealers are giving freeware substitutes to their customers to ease the long wait of over a month for the commercial cards to get reprogrammed. You should be understanding with your dealer, since sometimes the fix process is out of their control, but you should also be smart enough to take your business elsewhere if your dealer is not making an effort to repair your card.

If all this sounds like it's too much work or hassle to buy a hack, then you're getting the point. Unless you are willing to commit some time and money to researching your purchase, you will probably be happier just getting a legitimate subscription or sticking with your cable service. If none of the hack choices appeals to you or impresses you, there is always the option of waiting for a better hack to come out. But don't hold your breath, because that wait can be long. There is wisdom in subscribing until a better hack comes along.
If you are outside the US, the gray market dealers can help you get a "paying" subscription using a valid US address for your monthly billing.

ADDITIONAL ADVICE FROM RICKSON:

If you are in the market for buying a DSS test card, please be on alert for scammers who are out there to take your money, not only once but again and again. There are dealers out there who are giving a 1 year "free guarantee"; when the time comes to honor it, they will charge you dearly by saying this and that. Some dealers will give you false hope by saying to use a credit card and the credit card company would back you up in case of any screw-ups. It is true in some instances, but most of the time the scammers will have it delayed over 30 days and you are back to square 1. The credit card company will not back you up for any purchase after 30 days and you have to take it to small claims court, which is not a good idea for lots of people. There are some dealers who will make you sign a waiver of "no refunds" before they charge your card and send you the product. This should make it obvious to you that if there is going to be a problem you will not get your money back anyway. Please don't be discouraged by all this. There are lots of good dealers out there who will go an extra mile to help their customers; all you have to do is find one of those guys. Don't be fooled by fancy web pages, guarantees and BS. Do your homework and get lots of information from chat lines like mIRC and you will do fine.

Here are a few things to keep in mind when you come across a new web site on the Internet. There are many web sites out there that have been abandoned by their operators, either because they retired, got arrested, decided to move on to other things, etc. Unsuspecting people are sending money to P.O. Boxes or addresses that no longer exist. They wind up waiting forever for a product that will never come.
Many sites are paid for 1 to 2 years in advance, and some are on free servers like Geocities, Tripod, FortuneCity, Angelfire, FreeYellow, etc. These sites can stay online forever if they continue to get hits. Just because a site's counter shows 200 new hits a day doesn't mean it is still in business; it can mean 200 people are losing their money. My suggestion is to always send an email and a regular postal letter to the people you're planning to buy from, asking them to confirm that they are still in business and have working products in stock, and also to get the latest prices. Don't send in your money order until they respond to your first letters. This is also a good way to gauge how fast they respond to their customers' needs. Another good sign that a site is outdated or abandoned is if it mentions the Battery cards, Emulators, L-Cards, T-Cards, I-SYS, and other F series hacks as if they are still working, which they are not.

----------------------------------------------------------------------

Below is a list of common questions and answers that many hack buyers have asked us on our site:

How do I know if my receiver is compatible with a particular hack?

All software hacks are compatible with all brands of receivers. Some hardware wedges, like the DDT, might not be compatible with a few newer 3rd generation receivers from Sony and RCA. The compatibility problem is usually caused by the software code, not the actual board design, so as the software gets updated, compatibility gets better. You should always ask your dealer to confirm that his hack is compatible with your particular model before you place a purchase. Be sure to give him the exact brand and model number from the back of the receiver. If he doesn't know and tells you to purchase a card to find out, ask him to agree to take the card back and give a full refund if it is not compatible. Do not be shy; ask for the agreement in writing.

What other problems can I expect with a hardware hack?
Most hardware hacks will work just as well as the software hacks. The main thing to keep in mind is that the board extends 4 to 6 inches out of the slot to accommodate the card socket for the plastic access card, so make sure you have the space clearance in front of your receiver, especially if it is in an enclosed cabinet. Some wedges have the card socket straight out, while others have the socket at a 90 degree angle, so if you are using a wedge with a side socket, make sure the H card will not get in the way of the operational buttons or infrared sensors on your receiver.

I paid over $600 for a battery card during the F series run time; is there anything I can use this card for?

Ice scraper...sorry, old joke. As of now, the only useful thing people have used the old bats for is to get audio on their receivers. The audio is not encrypted in the satellite signal, and some receivers will output the audio without checking for permission from the access card, so you can actually listen to the sound on all channels, not just the music channels in the 500s. This feature depends on your receiver brand; we have confirmed that Sony, Hughes, and Hitachi models get all audio if used with a bat card that is programmed with an older main08x file. Sometimes the engineering channels in the 800s will broadcast PPVs for testing purposes without any encryption, so you can view those broadcasts with an old bat card, but this is rare and on an irregular schedule. We did find one dealer that will convert your old bat to a wedge card by adding a card socket and new software, but the cost was higher than the price of a completely new wedge that's designed for the H.

What about the battery card programmer that plugs into the back of my PC's parallel port? Can I use it to program any of these new wedges?

Most modern wedge hacks are a combination of hardware code on the board and software on the plastic.
We have not found any dealer that is releasing ECM fixes to his customers for self-programming, due to a lack of security on the new code and a fear of the competition getting hold of it, so for now, card programmers are not being utilized by the wedge dealers. Also, most wedge boards that use an Atmel chip as the main processor are not self-programmable. In the last few ECMs, dealers required their customers to send both the wedge and the plastic in to have them reprogrammed. The only person we found that utilizes the old parallel port programmer is 99King with his card condom blocker. His new code is posted at his web site, but the file will only work on his own blocker boards; it will NOT work on any other wedges or bat cards.

I have a plastic card programmer that plugs into the serial port of my PC. It was purchased for the old F series access cards; is it compatible with the H series cards?

Yes, any card programmer that is ISO-7816 compatible will work with the H series cards. This includes the Haku-2, Haku-3, MK10, MK11, MK12, and many others.

I have a PC emulator board that I used during the old F series. Can I upgrade it to work with the H series?

No, because there is no working H emulator board for the PC. The F series emulator is not compatible with the H series because it lacks an ASIC on the board, which is needed to help decrypt the H datastream. If and when an emulator board comes out for the PC, most likely it will be a new board design, and the developers will not waste their effort coming out with an upgrade path for your old board. The cost of manufacturing a new board will be far less than the cost of the labor to convert your old board. Just like the bat card, you can probably still use the emulator as a digital radio if you have the right brand of receiver.

What about all the rumors that I heard that my old bat or emulator can be converted to use as a Dish Network hack?

That's just it, they are RUMORS.
Until you see it with your own eyes, or a dealer or group makes an official announcement in writing, it's just wishful thinking.

Is there anything that I can recycle or reuse from my old F hacks?

If you have an F hardware card that uses a socketed Dallas microprocessor, you can pop it out and reuse it on some new boards. This depends on your dealer. If you have any leftover F series access cards, some dealers will give you about $5 each for them. They are using the old F cards to upgrade to the H series from DirecTV. You can also do that yourself, but DirecTV will charge you a lot more than their authorized dealers. On some F emulator boards, you might be able to log the datastream if the board is used with the right software.

----------------------------------------------------------------------

I am NOT an expert on the DSS systems, just an average user. If you feel there are any inaccuracies in this FAQ, please email me and give me the corrections. I will welcome all suggestions or additions to this FAQ, so if you feel you have something that will be useful to other test card users, you can submit it via email at dsscards@yahoo.com or visit our web site at http://angelfire.com/ca/dsscards

Future versions of this FAQ will or might include:

More buyer's advice (how to read the fine print)
Test Card Reviews (if they get reliable enough)
A detailed index for this FAQ (if it gets long enough)
Some useful URLs for DSS informational web sites
Specific things you can do with your particular model of receiver, such as hidden menus, data ports, etc.
...and anything else you can suggest.

==========================================================================

Below is an addition to this FAQ written by a TCUP contributor. It reveals the technical side of programming your H access card.
==========================================================================

"'H' cards and you"
By the Unknown TCUP member
5/15/95
Version 1.0

THIS PORTION OF THE FAQ IS BEST VIEWED WITH A FIXED SPACE FONT LIKE COURIER BECAUSE OF THE ALIGNMENT OF PROGRAMMING CODES.

Introduction

Okay...first off, there's going to be a fair number of people who're going to wonder why I wrote and released this file. It's because it really bugs me to see people just sort of blindly poking away at fairly expensive stuff without really understanding what they're doing, and putting the equipment at risk while they do it. Although I won't be revealing the deepest, darkest secrets of the 'H' card in this file, I will be explaining how the card's instruction, command, and nanocommand interpreters work, discussing a few of the instructions, and generally trying to provide a primer on H-card hacking.

If you're reading this file hoping to find a ROM dump, a disassembly, a full list of instructions/commands/nanos, or anything of that nature, then you're going to be very disappointed, and you should probably skip to the last section, which I've titled "Why people who know how the cards work are so stingy with information."

What you WILL find, however, is a list of terms that are commonly thrown around in reference to DSS cards in general, a short tutorial on how the instruction, command, and nanocommand interpreters work, and details on a few of the commands available to a would-be 'H' card hacker. In addition, I've thrown in a few warnings about some freeware script files that worry me because of the ease with which they would allow DTV to 99 a card to which they've been applied.

---------------------------------------------------------------------

Glossary (in non-alphabetic order)

'H' card, P2 card: A series 'H' DSS smartcard. 'H' cards contain a RISC microcontroller core which emulates an 8051 microcontroller, 8K bytes of masked ROM, 4K bytes of EEPROM, and 256 bytes of RAM.
In addition, 'H' cards contain an ASIC (Application Specific Integrated Circuit) which is used by the microcontroller to calculate decryption seeds, validate messages, and so forth. All 'H' cards will have a serial number greater than or equal to 0000 4000 0000 (see CAM ID, below).

'F' card, P1 card: A series 'F' DSS smartcard. 'F' cards contained a Motorola 68HC05SC21 microcontroller core with 6K bytes of ROM, 3K bytes of EEPROM, and 128 bytes of RAM. This is the series of DSS cards that preceded the 'H' card. All 'F' cards will have a serial number less than or equal to 0000 3999 9999 (see CAM ID, below).

'J' card: The rumored replacement for the 'H' card. We don't yet know what kind of microcontroller core or ASIC this card might have.

ISO Reader/ISO Programmer: A device capable of interfacing to an ISO7816 compatible smartcard (such as a DSS card). For most of you, this will probably mean an MK10, MK11, MK12, etc. For some, it will mean something else, but it's a generic term. See also MK12/MK11/MK10/MKnn, below.

MK12/MK11/MK10/MKnn: An MK series ISO reader/ISO programmer. A specific model of ISO reader/programmer designed by Paul Maxwell-King, for which the schematics, PCB layout, BOM (Bill of Materials), and docs are available as freeware on the Internet. In this document, I'll probably use the term "MK12" to generically mean "ISO reader/ISO programmer".

.XPL file: A script file containing commands to be sent to a smartcard via the ISO reader/ISO programmer. .XPL is the file extension for the program EXPLORER, which is a DOS-based program popular for communicating with smartcards. In this file, however, it could also generically refer to any similar script file, such as a .SCR file, which would be a script file compatible with Merlin and/or Pegasus, two WIN32-based programs for communicating with smartcards.

EXPLORER, Merlin, and Pegasus: Three programs often used for communicating with smartcards.
EXPLORER is a DOS-based program, and Merlin and Pegasus are WIN32-based programs. All three have the ability to use predefined script files to perform repetitive functions, such as card activation.

ISO7816: The specification for smartcard ICs, as set down by the International Standards Organization. Note that the ISO7816 spec is actually defined in 3 parts. ISO7816-1 defines the physical characteristics of the card (susceptibility to X-rays, UV radiation, static discharge, magnetic fields, etc., minimum bendability before breakage, and so forth). ISO7816-2 defines the physical interface to the card (contact positions and assignments, contact size, and so on). ISO7816-3 defines the communication protocol (how to select baud rates, how to determine MSB-first or LSB-first communication, and so on). A full description of the ISO7816 spec is beyond the scope of this document, but it does make slightly interesting reading, so if you're REALLY interested in how these things work, I'd suggest locating a copy (it should be on the web SOMEPLACE).

DTV: DirecTV. Some of the guys who want you to pay for your DSS satellite service.

USSB: United States Satellite Broadcasting. Some more people who want you to pay for your DSS satellite service.

Hughes: The corporation that first developed the DSS system and, as it happens, the corporation that builds the satellites that the DSS system uses.

NDC: News DataCom. The company that ostensibly owns your DSS 'H' card (check the fine print...it's not yours, it's theirs, and they could ask for it back any time they want). In addition to owning the actual card, they're also the company that wrote the code inside the card.

99'd: A term used to describe cards that are no longer functional in a specific way. When DSS smartcards are first reset, they check a pair of bytes in their EEPROM to verify that the card is OK for use.
If the check fails, the cards go into a tight code loop, doing nothing but sending the hex value 0x99 out their serial port until they are powered down or reset. See also the "99ing a card" section, below. If a 99'd card is inserted into an IRD, the IRD will usually display a message to the effect of "Insert a valid access card".

FF'd: A term used to describe cards that are no longer functional in a way that differs from that of 99'd cards. An FF'd card is actually probably worse off than a 99'd card. It usually isn't sending 0xFF out its serial port; rather, its code is hung with its serial port in a non-idle state, which many UARTs will misinterpret as a 0xFF (although, technically speaking, it's actually a BREAK condition). If an FF'd card is inserted into an IRD, the IRD will usually display a message to the effect of "Insert a valid access card".

ECM: Electronic Counter-Measure. A code update or change in the datastream that is intended to disrupt programming for those persons who are not paying full price. An ECM can be as benign as a loss of video decoding ability (like the loss of channel 248 et al. that's recently been a problem for cards with certain versions of 3M code), or as malignant as an attack directed against cards with specific code changes that causes those cards to be 99'd (like the 99ing of cards with certain other versions of 3M code that recently happened).

ECCM: Electronic Counter-Counter-Measure. A device or code change designed to prevent or reduce the effectiveness of an ECM. Card King's Card Condom is an example of a hardware ECCM, as are the blockers that are built into many wedge boards. Early blockers weren't really very effective, because of the limited amount of knowledge available about the various instructions, commands, and nanocommands and how they can affect the card. More recent blockers are more effective, but I'd still be reluctant to trust them.
If any of the 3M groups have software ECCMs in their cards, they're keeping quiet about it (as I'd expect them to), but I'd guess that at least one of the groups has a software-based ECCM included with their 3M code.

IRD: Integrated Receiver-Decoder. Your DSS decoder box. Lots of different companies make IRDs, but they all function the same way. In fact, most IRDs have identical assemblies in them for functions such as the down conversion and demodulation of the received satellite signal and so forth.

IRD number: Each IRD has a unique 4-byte ID number programmed into it at the factory, allowing DTV to send a command to whatever card happens to be in your decoder, if they know the decoder's ID number. If you subscribe to DTV, you have to tell them your IRD's serial number (it's on a little sticker on the back or bottom of your IRD) when you first sign up. The IRD serial number is often referred to as the IRD number. In addition, the IRD number is used to "marry" a given CAM (see below) to a specific IRD; when the CAM is first inserted, the IRD queries it for its married IRD number. If the IRD determines that the CAM is not yet married, it sends an instruction to the CAM, writing its own IRD number to the CAM's EEPROM, "marrying" that CAM to that IRD. From that point on, the CAM is married to that IRD, and will not work in any other unless it is unmarried. If the IRD determines that the CAM is married to another IRD, it will usually display a message to the effect of "Insert another access card".

Transport IC: An integrated circuit inside the IRD that sifts through the entire available DSS datastream and outputs only the data that is relevant to its IRD. The transport IC does this by monitoring headers within the datastream for matches on either the IRD number or the CAM ID, or for messages that are tagged as public. Most IRDs currently use a transport IC manufactured by SGS-Thomson.

CAM: Controlled Access Module. Your DSS access card.
CAM ID: Controlled Access Module ID. The serial number programmed into your DSS access card. Each DSS access card has a unique four-byte serial number programmed into it at the factory. This serial number is sometimes used by DTV (or freeware activators) to send a command to your card without affecting any other. The CAM ID is printed on the back of the CAM, with a corresponding bar code. The CAM ID is always in the format XXXX XXXX XXXC, where XXXXXXXXXXX (the first eleven digits) is the decimal representation of the four-byte CAM ID, and C is a check digit that is based on the other 11 digits of the CAM ID. The only time the check digit is used is when you call DTV to subscribe and they ask you what your card number is. In addition to the CAM ID, each CAM has several keys with varying levels of uniqueness programmed into it at the factory. These keys are used to verify the authenticity of messages received by the card. The varying levels of uniqueness allow DTV to send commands addressed to all DSS cards, to a group of 256 or 65536 DSS cards, or to a single DSS card, without allowing an attacker who can view a message intended for a card or group other than his own to derive a valid signature for that message for his card or for a group of cards that includes his card.

Valid sub card/Stock card: A card which is operating with a valid subscription. DTV and USSB like valid sub cards and the people who use them.

Virgin card: A card which has no updates on it whatsoever. Virgin cards are pretty hard to find these days. Most 'H' cards coming from the factory these days have at least the 18 updates from the 15 January, 1998 ECM already applied to them. Those cards that came from the factory with the 18 updates already applied can be identified physically because they have a little 'C' printed on them, all by itself, near the ISO contact pads.
It stands to reason that cards will start to come from the factory with the 23 updates that resulted from the 26 March, 1998 ECM, but I've neither seen one like that nor heard of one like that. I have, however, seen ones with the 'C', and despite rumors and rumblings to the contrary, I can say with certainty that those cards have 18 updates in them, not 23.

3M: An approach to free programming that typically involves making a code change to the DSS card's code so that if the card has at least one activated program tier, all channels can be viewed. The term 3M is derived from the longer name for this approach, which is the "Three Musketeers" approach: one for all and all for one. Several variations of 3M code have appeared for the 'H' cards, with the Blazer-3 and the T-3 being among the most recent. A freeware 3M script file was released, but I'd strongly recommend against using it; it contains debug code that DTV could use to 99 any card that's programmed with it, with no danger of affecting valid sub cards (see 3M4M.XPL/3M.XPL/4M.XPL/4M1.XPL in the "Dangers of some of the common freeware scripts" section, below). The fact that they haven't is an indication that they're being kind or that they're stupid. I suspect the former. Also, the corporation that brought you sticky notes which, for my money, are the most significant technological innovation of the last 15 years.

Wedge: A device which plugs into an IRD and into which a CAM is plugged. Typically, a wedge will intercept the data going to the card and either temporarily add a program tier for the channel to which the IRD is tuned, or fudge the data in some other way so as to provide free programming. Some common wedges are the DATS, DDT, Combo, and BOSS cards. All wedges stopped working after the ECM of 15 January, 1998, because they all relied on the 09 hole in the card's security to function.
Various new versions of the DATS, DDT, and BOSS card have been released, some of which stopped functioning shortly after they were released. Usually, this was because they required a new "virgin" card that still had the 09 hole open, and they (the wedges) attempted to protect the card with a hardware ECCM (a blocker). With the ECM of 26 March, 1998, DTV managed to get the updates around pretty much every blocker that was running at the time, closing the 09 hole in all those formerly virgin cards and again rendering the wedges inoperable. More recently, the wedge groups have come up with new solutions that require modified H cards to be placed in their wedges to work. The BOSS card group has recently introduced an update to their cards which they claim includes advanced ECCM technology (most likely, a semi-intelligent blocker that blocks all 40, 42, 44, and 46 instructions that include a nanocommand that could modify the card's EEPROM). The vaporous and much-discussed PASS card from Axa, though much more advanced than the others, is a form of wedge also.

Emulator: A device which plugs into an IRD and which acts like a genuine DSS card even though it isn't one. When the 'F' cards were in service, a freeware software-based emulator was released which would run on an IBM-PC compatible computer (which would have to be plugged into the IRD). Because of the lack of information on the ASIC, so far no emulator has been released for the 'H' card. The PASS card from Axa is a form of emulator, in addition to being a wedge; it has a microcontroller that emulates most of the functions of the DSS card, but for those functions that depend on the ASIC, the PASS card uses an 'H' card that is plugged into it as a slave to get data from the ASIC when necessary. At least, that's what Axa says, and he's the only one who would really know, since the card isn't available yet.

Attacker: A person or device attempting to breach some form of security. In this case, that of the smartcard.
Probably you.

ATR: Answer To Reset. This is part of the ISO7816-3 spec. When a smartcard is first activated, and any time it is reset, it has to send a data stream out its serial port so that its host device can determine the card's requirements relating to communication, programming voltages, and so forth. The ATR allows a card to specify whether it will communicate with inverted or normal polarity data (and in addition, whether the data will be sent MSB or LSB first), what baud rate it will use, what programming voltage it requires, how much current it requires in order to perform a programming operation, whether it will use synchronous or asynchronous communication, and so forth. Any ISO7816 compliant host must be able to decode the ATR properly and adjust its communication to suit the card, since it is a given that the amount of processing power available to the card is negligible compared to that of the host device.

USW: Update Status Word. An internal counter in the 'H' card that allows the card to accept only the next intended update packet from DTV. If the USW is currently equal to 0x0017, then an update packet must have a sequence number of 0x0018 in order to be accepted by the card. The goal here is twofold: First, DTV wants to make sure that legitimate updates are never taken "out of context". Secondly, DTV can send fake update packets that have USW values that are out of sequence from the USW in valid sub cards to attack cards that have had illegitimate updates written to them.

CLA or Class byte: The first byte of an ISO7816-compliant message. For a DSS card, the class byte is 0x48 (ASCII 'H', for "Hughes", presumably).

INS or Instruction byte: The second byte of an ISO7816-compliant message. This byte can be any value, although only some values are processed as valid instructions by the smartcard.
Note that in the case of an 'H' card, almost any value for the instruction byte will result in a response from the card, but most of them are garbage responses intended to slow an attacker attempting to locate real instructions by brute-force hacking.

P1 and P2: The third and fourth bytes of an ISO7816-compliant message, respectively. These are parameter bytes for an ISO7816-compliant message. Sometimes they're used, sometimes they're not, but they must always be present. If they're not going to be used, they're usually both 0x00.

LEN, ILEN, Length byte, or P3: The fifth byte of an ISO7816-compliant message. Strictly speaking, this byte tells the card how many total bytes will make up the transaction, but for a DSS card, this byte is primarily used to tell the smartcard how many more bytes will be sent to it to complete the message. Note that this value can, in some cases, be larger than the actual number of bytes to follow, but it can never be smaller. According to the ISO7816-3 spec, this byte should equal the total number of bytes to be sent and received as part of the entire transaction (i.e., if 6 bytes are to be sent to the card after the header and the host expects 3 bytes back (not counting the SW (see below)), then LEN should be 09).

ACK: When an ISO7816-compliant smartcard receives a valid 5-byte header from its host, it is required to send back an acknowledgement based on the value of the INS byte to inform the host that it is ready to receive the remainder of the message. For any given value for INS, there are four possible values for the ACK byte, as follows:

ACK value    Meaning
-------------------------------------------------------------------------
INS          Vpp is idle, card requests that the entire packet be sent at
             one time
INS xor 01   Vpp is active, card requests that the entire packet be sent
             at one time
INS xor FF   Vpp is idle, card requests that only the next byte of the
             packet be sent. After each byte, the card can either send
             another ACK (which is based on INS, not the packet bytes),
             send the SW to terminate the packet, or become unresponsive.
INS xor FE   Vpp is active, card requests that only the next byte of the
             packet be sent. After each byte, the card can either send
             another ACK (which is based on INS, not the packet bytes),
             send the SW to terminate the packet, or become unresponsive.

Note that the host device controls the application of Vpp, so the value of the ACK is actually also a request from the card to the host device to either turn Vpp on or off.

Vpp: Programming voltage. Some smartcards may use a form of EEPROM or PROM that requires a voltage other than 5 volts to program it. The DSS 'H' card, however, does not.

SW: Status word. After an ISO7816-compliant smartcard has finished processing a packet, it must send a two-byte status word to the host device, informing the host device of the outcome of the transaction. Although many combinations are valid here (all of them will start with 6x or 9x), the ones that most 'H' card hackers will usually see are 90 00 and 90 80. 90 A0 is also somewhat common.

Instruction: A function that is accessed by a particular value in the INS byte. See below for examples.

Command: A function that is accessed by a particular value sent as data to the card as part of the execution of an instruction. See below for examples.

Nanocommand or Nano: A function that is accessed by a particular value sent as data to the card as part of the execution of a command. See below for examples.

---------------------------------------------------------------------
How the card handles instructions, commands, and nanocommands:

As an ISO7816-compatible device, the DSS smartcard is required to adhere to certain procedures regarding communication with its host device.
First, it must receive and parse a 5-byte header packet which includes a byte that the card must use to determine if it is the intended target of the message (the class byte), a byte that tells the card what type of action is going to be requested (the instruction byte), two parameter bytes whose values will vary depending on the instruction byte (the P1 and P2 bytes), and a byte that tells the card how many more bytes of data to expect (the length byte). After receiving the 5-byte header, if the card determines that the class byte is indicative of a message that it should process (i.e., if the class byte is 0x48), it checks the remaining bytes of the message. If the card decides that the remaining bytes all make sense together, it sends an ACK to the IRD, and the IRD sends the remainder of the packet. If, for any reason, the card decides that the header is invalid, it may either not respond to the IRD or it may spew out garbage data to confuse an attacker.

Once the card has sent its ACK, the IRD will usually send the entire remainder of the packet at one time. The card will deal with the data on an as-needed basis. As the packet is processed, if any commands or nanocommands are received that would result in a change in the programming provided by the card or in the amount of money perceived by the card to be owed to the programming providers, a direct modification to the card's EEPROM memory, or a request for the seed keys for the next few seconds of video on a given channel, the card will buffer the incoming data, and once it is all received, it will calculate a 5-byte value based on the received data and one of the various authentication keys stored within the card. If the card receives a command with a signature that matches its calculated 5-byte value, the card will process the commands that it has buffered. This process is the "authentication" or "signature" process, and it involves the 09 and 0C commands.
The 09 command is used to tell the card which key it should use to calculate the valid signature, and is usually sent as the first command of a given 40/42/44/46 instruction. The 0C command is used to send the card a signature for comparison against the value that it has calculated, and is usually sent as the last command of a given 40/42/44/46 instruction. See "Examples of instructions, commands, and nanocommands", and "The '09 hole'", below.

* Note that not all instructions require a signature.

---------------------------------------------------------------------
Examples of instructions, commands, and nanocommands:

An instruction is the lowest level of operation normally available in an 'H' card. An instruction may or may not require additional bytes to complete its processing.

Example:

48 3E 00 00 00

This is the 3E instruction. It requires no additional data, and does not have any commands associated with it. Note that the length byte is 00, because no additional data is forthcoming for this instruction.

There are two independent instruction interpreters in the 'H' card, one ROM-based, and one EEPROM-based. Both perform the same basic function, and only one of the two is ever active at a time (i.e., if the ROM-based routine is used, the EEPROM-based one isn't). In almost all cards, the EEPROM-based routine is the one that's used, because it provides a small amount of preprocessing that the ROM-based one doesn't, but it eventually ends up in the ROM-based routine, which is where the majority of instructions are handled.

A command is a level 2 operation available in an 'H' card. Only some instructions access the command interpreter. Among these instructions are 40, 42, 44, and 46. In some cases, a command byte will be followed by a length byte so that the command interpreter knows how many bytes to receive in association with that command.

Example 1:

48 42 00 00 0F 09 12 00 00 31 12 34 56 78 0C 11 22 33 44 55

This is the 42 instruction.
It is commonly used to access the 'H' card's command interpreter. Note that there is only one command interpreter in the 'H' card, and any instruction that has associated commands uses that command interpreter. However, not all commands are valid for all instructions. In this case, there are three commands embedded in the 42 instruction. The first is 09 12 00 00, the second is 31 12 34 56 78, and the third is 0C 11 22 33 44 55. Note that the length byte is 0F, which is the total number of bytes that made up the three commands. Note also that all three of these commands are fixed-length, and so do not have an associated length byte (remember: the length byte always follows the command byte, so if any of these commands were variable length, the packet wouldn't have enough bytes in it to satisfy any of them: the 09 and 31 commands would want 12 bytes, and the 0C command would want 11). Lastly, note that almost all command sequences will end with a 0C command. This is because the 0C command is the "signature" command, which the card uses to determine whether or not the message it just received was authentic, and if so, it performs the operations that were requested by that message.

Example 2:

48 42 00 00 10 09 12 00 00 08 04 12 34 56 78 0C 11 22 33 44 55

As before, this is the 42 instruction. Again, as before, there are three commands embedded in the 42 instruction. The first and third are the same as in the example above. The second, however, differs. In this case, the second command is 08 04 12 34 56 78. This is an example of a variable-length command. In this case, four bytes of data are to follow, as defined by the 04 that follows the 08. Note that the 08 command doesn't actually do anything, but makes a good example of a variable-length command.

A nanocommand is a level 3 operation available in an 'H' card. To the best of my knowledge, only the 60 command has associated nanocommands. A nanocommand always has an associated length byte.
In a virgin, unupdated 'H' card, any value from 0x00 to 0xFF is valid as a nanocommand (although using non-standard values is very dangerous). In addition, completely virgin cards only have certain nanocommands enabled. The first two packets sent by DTV during the 15 January, 1998 ECM enabled the remaining nanos. As of March 26, 1998, nanocommands below 0xAA were disabled, because they allowed a breach in the 'H' card's security to be exploited.

Example:

48 42 00 00 1C 09 12 00 00 31 12 34 56 78 60 C0 08 00 01 80 20 FF FF FF FF BB 00 0C 11 22 33 44 55

Again, this is the 42 instruction, which is commonly used to access the 'H' card's command interpreter (this is necessary, because the nanocommand interpreter is available only through command 60). Note that this time, however, 4 commands are included for the 42 instruction: 09 12 00 00, 31 12 34 56 78, 60, and 0C 11 22 33 44 55, with 60 being the command that activates the nanocommand interpreter. This packet includes two nanocommands: C0 08 00 01 80 20 FF FF FF FF, and BB 00. All valid nanocommand sequences will probably end with BB 00, since BB 00 is the nanocommand that means "no more nanocommands coming, so restore all the pointers and return". Note that both the C0 and BB nanos include a length byte. The length of 08 for the C0 nano indicates that 8 bytes are to follow. The length byte of 00 for the BB nano indicates that no additional bytes should be expected. In addition, note that the nanocommands are between the 60 command and the 0C command. Again, because the 0C command is used to authenticate the entire message, it is sent last.

---------------------------------------------------------------------
99ing a card:

When an 'H' card is first activated or reset, there is a routine in ROM which checks a pair of EEPROM bytes (the 'fuse' bytes) to ensure that the card is valid.
If the two 'fuse' bytes XORed together do not equal 0xFF, the card enters a tight loop where it does nothing other than send the value 0x99 out the serial port over and over and over. A card that is in this state is said to be '99d'. Placing such a card into an IRD will result in a 'please insert a valid access card' message. A card in this state is basically useless, because it does not respond to any commands. There are a few individuals and groups that have the capability to 'un-99' a card. The operation involved in un-99ing a card is quite complex and isn't something that's likely to be divulged to the general public anytime soon.

---------------------------------------------------------------------
The '09 hole':

Virgin 'H' cards had a hole in their security which could be exploited using the 09 command. Basically, the way the cards work is, when an 09 command is received, the parameters of the 09 command are used to determine which encryption key should be used to authenticate the message being received, and the ASIC is initialized to begin calculation of what the valid signature should be. The card contains some keys that are "public" keys (the same for all cards), some that are "group" keys (the same for a group of 256 or 65536 cards), and some that are "private" keys (unique to that individual card). In addition, some commands are restricted so that they will only work if a group or private key is selected. Once a key is selected, the signature calculation hardware in the ASIC is initialized, and each additional byte in the message is put through the authentication algorithm. If a modification to the card (either a raw EEPROM change, a PPV addition or removal, or a program tier addition or removal) would result from a received command, that command is buffered for later processing pending receipt of a valid signature. Once the signature command (0C) is received, the received signature is compared to the calculated signature.
If the two match, any buffered commands are executed.

The problem with this was that it was possible to send a message containing a valid 09 command (usually 09 12 00 00), followed by a series of commands to perform some desired operation (for example, adding a programming tier), followed by a 09 command to select a public key (usually 09 10 00 00), followed by the known valid public signature for an empty message. What would end up happening is that the signature calculation hardware would get reinitialized by the second 09 command, and because the received key was valid for an empty message, the card would then process the commands that had been buffered following the first 09 command. This is the premise by which freeware activators such as CBA, DSSBUST, and CL5005 operate, as well as the means by which early wedge cards accomplished their goal.

On January 15, 1998, DTV closed the 09 hole with an update to the 'H' card's EEPROM-based code. What the update did was not only reset the signature calculation algorithm when an 09 command is received, it also reset the internal "pending command" buffer pointers, so if a second 09 command is received, all pending commands are lost. A common trick for many of the freeware scripts that are available is to put the 09 hole back by changing DTV's update to munge the code that checks the command byte to see if it's 09 to decide whether or not to reinitialize all the buffer pointers. Usually, they change it to FE or FF. This isn't a particularly smart thing to leave in your card...for an explanation, see the "Dangers of some of the common freeware scripts" section, below.

The nano hole:

Virgin 'H' cards and 'H' cards with only 18 (12 hex) updates had a second hole in their security.
Although one of the updates on January 15th closed the 09 hole, enough information was gleaned from the actual update packets to allow many individuals and groups to dump the ROM and EEPROM of the 'H' card, disassemble it, and understand how much of it works. As a result, a new hole was found which could be exploited using nanocommand values that NDC hadn't originally intended to be used. On March 26, 1998, DTV closed the nano hole with a second round of updates to the 'H' card's EEPROM-based code.

Other holes that exist:

As of this writing, there are at least two additional security holes that exist in 'H' cards with 23 (17 hex) updates (the total number currently sent by DTV). I'm not going to go into details about how many holes are known, nor about how they work. For an explanation of why, see the "Why people who know how the cards work are so stingy with information" section at the end of this file.

---------------------------------------------------------------------
Some interesting instructions/commands/nanocommands:

In this section, I'll be listing a few of the instructions, commands, and nanocommands that work with the 'H' card. Lines that begin with a '>' indicate data sent back from the card.

---Card type and ROM version:

This command dumps information as to the ROM version of the card, the application for the card, and so forth.

48 02 00 00 00
>02                 ;INS as ACK
>48 55 54 56        ;Hughes ID: "HUTV"
>02 00              ;ROM version (02.00)
>48                 ;Class required for this card
>33                 ;unknown
>90 00              ;Status word: normal execution

EXPLORER script:
48 02 00 00 00 R01 R04 R02 R01 R01 R02

---Card status dump:

This command dumps further ID information about the card, including the date on which the card was activated (if any), the USW, the CAM ID and IRD ID, the first 12 program tiers (in some cases, the first 16 program tiers may be dumped), and PPV provider information.
48 2A 00 00 00
>2A                                     ;INS as ACK
>00 11 22 33 44 55 66 77                ;CAM's internal ID
>25                                     ;Value of fuse byte #1
>00                                     ;unknown
>00 00 00 00                            ;unknown
>11 19 97                               ;Card activation date
>40 B0 03                               ;ATR historical bytes
>00 11 22 33                            ;CAM ID
>00 11 22 33                            ;IRD number XORed with CAM ID
>00 17                                  ;USW
>00 00                                  ;unknown
>00 00 00 00 00 00 00 00                ;Program tiers 1+2
>00 00 00 00 00 00 00 00                ;Program tiers 3+4
>00 00 00 00 00 00 00 00                ;Program tiers 5+6
>00 00 00 00 00 00 00 00                ;Program tiers 7+8
>00 00 00 00 00 00 00 00                ;Program tiers 9+10
>00 00 00 00 00 00 00 00                ;Program tiers 11+12
>00 00 00 00 00 00 00 00 00 00 00 00    ;PPV provider slot 1
>00 00 00 00 00 00 00 00 00 00 00 00    ;PPV provider slot 2
>00 00 00 00 00 00 00 00 00 00 00 00    ;PPV provider slot 3
>00 00 00 00 00 00 00 00 00 00 00 00    ;PPV provider slot 4
>90 00                                  ;Status word: normal execution

EXPLORER script:
48 2A 00 00 00 R01 R08 R01 R01 R04 R03 R03 R04 R04 R02 R02 R08 R08 R08 R08 R08 R08 R0C R0C R0C R0C R02

---Wipe card:

This command is used to reset the card. It will not work if there are any unprocessed PPV entries present in the card. It will clear all program tiers, all PPVs, unmarry the card, and reset the USW to 0000.

48 3E 00 00 01
>3E                 ;INS as ACK
>90 00              ;Status word: normal execution

EXPLORER script:
48 3E 00 00 01 R01 R02

---Set password:

This command allows you to change the password stored in the card (not the keys that are used to calculate signatures...the 4-digit code that your IRD uses to allow parental lock-out, spending limit changes, and so forth). Changing the password to a value larger than 0x270F may cause unpredictable results with your IRD, since the password is stored in the card as the hex equivalent of the 4-digit decimal value. For example, a value of 0x0010 for the password would result in a password of 0016.
48 48 00 00 02
>48                 ;INS as ACK
00 00               ;Set password to 0000
>90 nn              ;Result will vary depending on
                    ; whether command succeeded or not

EXPLORER script:
48 48 00 00 02 R01 00 00 R02

---Get password:

This command allows you to read the password stored in the card.

48 52 00 00 00
>52                 ;INS as ACK
>04 D2              ;Current password is 1234 (the sort
                    ; of combination an idiot would
                    ; have on his luggage)
>90 00              ;Status word: normal execution

EXPLORER script:
48 52 00 00 00 R01 R02 R02

---Dump PPV purchase list:

This command dumps the PPV purchase list. Each PPV purchase has a 3-byte entry (actually, PPV purchases internally have 8-byte entries, but the other 5 bytes are used to authenticate "PPV processed" commands). The first two bytes of each entry are the PPV ID, and the third byte is the status byte for that entry.

48 5E 08 0E 4B
>5E
>11 22 20           ;This is a paid-for PPV, the slot
                    ; may be re-used. This PPV will not
                    ; affect the card's ability to
                    ; execute a 48 3E 00 00 00 packet.
>33 44 21           ;This is a pending or not-paid-for
                    ; PPV. This PPV will prevent
                    ; the 48 3E 00 00 00 packet from
                    ; cleaning the card.
>00 00 00           ;This is a clear PPV slot
>00 00 00 00 00 00 00 00 00 00 00 00    ;PPV buys 4-7
>00 00 00 00 00 00 00 00 00 00 00 00    ;PPV buys 8-11
>00 00 00 00 00 00 00 00 00 00 00 00    ;PPV buys 12-15
>00 00 00 00 00 00 00 00 00 00 00 00    ;PPV buys 16-19
>00 00 00 00 00 00 00 00 00 00 00 00    ;PPV buys 20-23
>00 00 00 00 00 00                      ;PPV buys 24-25

EXPLORER script:
48 5E 08 0E 4B
R01
R03
R03
R03
R0C                 ;Note: These R0C's could each be
R0C                 ; replaced by four R03's to cause
R0C                 ; each PPV buy to be output on its
R0C                 ; own line.
R0C
R06                 ;Replace with two R03s to get each
                    ; PPV buy on its own line.
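To make the message layout from "How the card handles instructions, commands, and nanocommands" and the worked packets in "Examples of instructions, commands, and nanocommands" concrete, here is an added Python parser, written for this FAQ and not taken from its author, from EXPLORER or from any other tool it names. It splits a packet into header, commands and nanocommands using only the structure the FAQ documents (09, 31 and 0C fixed-length; 08 length-prefixed; 60 carrying length-prefixed nanos that end with BB 00), decodes the ACK byte per the table above, and counts 09 key selects in a message; treating every other command byte as unmodeled is an assumption of this example, not a statement about the card.

```python
"""Parser for the message layout this FAQ describes for the DSS 'H' card: a
5-byte header (CLA INS P1 P2 LEN), then LEN data bytes, which for the
40/42/44/46 instructions form a command sequence (command 60 carries nanos)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DSS_CLASS = 0x48                                # 'H' for Hughes, per the FAQ
COMMAND_INSTRUCTIONS = {0x40, 0x42, 0x44, 0x46}
FIXED_LENGTH = {0x09: 3, 0x31: 4, 0x0C: 5}      # command byte -> parameter bytes
LENGTH_PREFIXED = {0x08}                        # command byte, length byte, data
NANO_COMMAND, NANO_END = 0x60, 0xBB             # 60 carries nanos; BB 00 ends them
KEY_SELECT, SIGNATURE = 0x09, 0x0C

@dataclass
class Command:
    """One command or nanocommand: its code byte, data, and (for 60) its nanos."""
    code: int
    data: bytes = b""
    nanos: List["Command"] = field(default_factory=list)

@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    length: int
    data: bytes
    commands: List[Command] = field(default_factory=list)

def parse_nanos(data: bytes, pos: int) -> Tuple[List[Command], int]:
    """Read <code> <len> <data...> nanos until the BB terminator is consumed."""
    nanos = []
    while True:
        if pos + 2 > len(data):
            raise ValueError("nanocommand stream ended without BB terminator")
        code, nlen = data[pos], data[pos + 1]
        body = data[pos + 2:pos + 2 + nlen]
        if len(body) != nlen:
            raise ValueError(f"nano {code:02X} claims {nlen} bytes, too few left")
        nanos.append(Command(code, body))
        pos += 2 + nlen
        if code == NANO_END:
            return nanos, pos

def parse_commands(data: bytes) -> List[Command]:
    """Split the data area of a 40/42/44/46 instruction into commands."""
    commands, pos = [], 0
    while pos < len(data):
        code, pos = data[pos], pos + 1
        if code == NANO_COMMAND:
            nanos, pos = parse_nanos(data, pos)
            commands.append(Command(code, nanos=nanos))
            continue
        if code in FIXED_LENGTH:
            n = FIXED_LENGTH[code]
        elif code in LENGTH_PREFIXED and pos < len(data):
            n, pos = data[pos], pos + 1
        else:
            # Assumption: only the commands the FAQ documents are modeled.
            raise ValueError(f"command {code:02X} not modeled or truncated")
        body = data[pos:pos + n]
        if len(body) != n:
            raise ValueError(f"command {code:02X} needs {n} bytes, too few left")
        commands.append(Command(code, body))
        pos += n
    return commands

def parse_apdu(packet: bytes) -> Apdu:
    """Parse header and data; LEN may exceed the data present but never be smaller."""
    if len(packet) < 5:
        raise ValueError("header needs 5 bytes: CLA INS P1 P2 LEN")
    cla, ins, p1, p2, length = packet[:5]
    if cla != DSS_CLASS:
        raise ValueError(f"class {cla:02X} is not a DSS message")
    data = packet[5:]
    if len(data) > length:
        raise ValueError(f"LEN {length:02X} is smaller than {len(data)} data bytes")
    apdu = Apdu(cla, ins, p1, p2, length, data)
    if ins in COMMAND_INSTRUCTIONS:
        apdu.commands = parse_commands(data)
    return apdu

def ack_meaning(ins: int, ack: int) -> Optional[Tuple[str, str]]:
    """Decode the card's ACK to a header as (Vpp state, transfer mode)."""
    table = {ins: ("idle", "all"), ins ^ 0x01: ("active", "all"),
             ins ^ 0xFF: ("idle", "byte"), ins ^ 0xFE: ("active", "byte")}
    return table.get(ack)

def audit(apdu: Apdu) -> Tuple[int, bool]:
    """(number of 09 key selects, whether 0C is last). A well-formed signed message
    selects a key once and ends with 0C; see "The '09 hole'" above for why a
    second 09 in one message deserves attention."""
    selects = sum(1 for c in apdu.commands if c.code == KEY_SELECT)
    signed = bool(apdu.commands) and apdu.commands[-1].code == SIGNATURE
    return selects, signed
```

Feed it bytes.fromhex() of any 42-instruction dump above; the nanocommand example parses to the commands 09, 31, 60 (with nanos C0 and BB) and 0C, and audit() reports one key select and a trailing signature.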
---Select public encryption key, sign packet:

48 42 00 00 09
>42                 ;INS as ACK
09 10 00 00         ;Select public key
0C 11 22 33 44 55   ;Sign packet (no, 11 22 33 44 55
                    ; isn't really the correct signature
                    ; for this packet)
>90 00              ;Status word: normal execution

EXPLORER script:
48 42 00 00 09 R01 09 10 00 00 0C 11 22 33 44 55 R02

---Select non-public encryption key, sign packet:

48 42 00 00 09
>42                 ;INS as ACK
09 12 00 00         ;Select non-public key
0C 11 22 33 44 55   ;Sign packet (no, 11 22 33 44 55
                    ; probably isn't really the correct
                    ; signature for this packet, although
                    ; it might be, depending on the
                    ; keys in your card)
>90 00              ;Status word: normal execution

EXPLORER script:
48 42 00 00 09 R01 09 12 00 00 0C 11 22 33 44 55 R02

-----
DTV's updates and what they affected:

Update date: 15 January, 1998
Number of update packets: 18 (12 hex)
First update's sequence number: 0001
Last update's sequence number: 0012
Total distinct modifications: 20 (two of the packets modified two areas each)
Relevant changes:
  - 09 hole closed
  - Nanocommands other than C6 enabled
  - Modify EEPROM nanocommand modified to narrow range of valid addresses allowed if global key selected
  - Modify EEPROM nanocommand modified to allow between 1 and 12 bytes of EEPROM to be modified with a single command, rather than requiring exactly 4 bytes to be modified every time
  - Modify EEPROM nanocommand modified to handle bug in 09 command which caused card to use the global key to calculate the signature, but Modify EEPROM nanocommand to believe that a non-global key had been selected, allowing access to all EEPROM areas using globally-signed packets
  - 57 command removed, now makes card hang rather than 99ing card
  - Added some security to the modify EEPROM nano buffering routine

Update date: 26 March, 1998
Number of update packets: 5 (5 hex)
First update's sequence number: 0013
Last update's sequence number: 0017
Total distinct modifications: 7 (two of the packets modified two areas each)
Relevant changes:
  - Nanocommands less than AA disabled
  - Command 57 fixed to not hang card if received, still doesn't 99

---------------------------------------------------------------------------
Dangers of some of the common freeware scripts:

There are a lot of scripts that are available to the public, either via the IRC or various web pages scattered liberally throughout the 'net. Unfortunately, if these scripts are available to the public, they're also available to DTV. DTV, however, unlike most persons who might be downloading and using those scripts, understands exactly what the scripts are doing and how they're doing it. They also can see what kind of security holes are left in cards that have had freeware scripts added to them, and devise ECMs to either kill those cards (example: the 3M cards that got 99'd because of the 26 March, 1998 ECM) or data stream changes that will cause those cards to lose video (example: all the cards and wedges that have lost channel 248 and others recently). Remember, any script that changes the code in your card so that it doesn't match what's in a valid sub card opens your card up to an attack.

I should probably mention that it's always safe to apply a script to a card as long as the following conditions are met:

1: The card isn't put into an IRD and exposed to DTV's datastream. As long as the card remains in your MK12 or whatever programmer you happen to be using, DTV can't attack it.

2: The script can't intentionally modify the fuse bytes in the card. If it does, care must be taken to ensure that the fuse bytes are both modified at the same time, and that they're modified properly. Improper fuse byte modification results in a 99'd card.

3: The script can't upload bad code to the card. If bad software is uploaded to the card, it's very possible that the card could run amok and destroy various areas of its EEPROM (and there are several that are critical to the function of the card), or not accept or execute instructions, commands, or nanocommands properly.
4: The script can't modify any of the vectored entry points within the card to point to an address at which there is no valid code. This is an easy way to FF a card or get a card into a state where it does nothing but ATR after every command.

There are a number of scripts available right now that I consider to be particularly dangerous because they leave large security holes that DTV could use to 99 any card to which they've been applied. Below is a list (in no particular order) of freeware scripts that I wouldn't put in one of my own cards on a bet (at least, not if the bet also involved putting the card into an IRD).

3M4M.XPL/3M.XPL/4M.XPL/4M1.XPL: These scripts (and possibly others) are all renamed versions of the same basic script file, which was either leaked by someone to whom it was given in confidence or siphoned from the original author's hard drive. Although it's true that these scripts add 3M capability to a card, there are a couple of problems with them. First, DTV has already modified their datastream for several channels to prevent cards that have had the 3M portion of this code applied from receiving them. Secondly, these scripts include some debug code that was never intended for public release which would allow DTV to 99 any card with these scripts applied by sending the following packet:

48 44 80 20 FF

This packet will unconditionally 99 any card that's had one of these scripts applied to it, and will not affect any valid subscription card in any way. Basically, this would be a zero-downside way for DTV to whack a bunch of cards. If you're thinking that I'm being foolish by stating in public the exact procedure for killing these cards, keep in mind that it's impossible that DTV didn't know how to do this within 2 hours of the public release of these scripts.

UN0918.XPL: Another example of a stolen script. This was a script that was written by Axa to allow cards that had taken the 15 January, 1998 update to be activated using the 09 hole.
The first thing it does is clean all PPVs from the card, then it puts the 09 hole back by changing DTV's update. The remainder of the script, for the most part, is only concerned with setting up the USW to a value that will allow it to take future DTV updates without having them out of context. The danger of this script is that it leaves the 09 hole open, so DTV could 99 any card with this script applied with the following packet:

48 42 00 00 19 09 1A 00 00 30 60 C0 05 00 12 80 20 FF BB 00 09 10 00 00 0C 71 3C 6B 7D FF

This packet would 99 any card that still has the 09 hole open but whose USW is 0011. Alternatively, DTV could send a series of packets with sequential sequence numbers starting at 0002, and any card with the 09 hole still open would be killed. Again, legitimate subscription cards would not be affected by this attack, only those with the 09 hole open.

MAGIC1.SCR/MAGIC2.SCR: The MAGIC1 and MAGIC2 scripts that are intended to clean PPVs from activated cards have a problem similar to that of UN0918: they would put the 09 hole back in the card and leave the USW at a non-standard value. In this case, the following packet would kill cards with MAGIC1 and MAGIC2 applied:

48 42 00 00 19 09 1A 00 00 30 60 C0 05 00 34 80 20 FF BB 00 09 10 00 00 0C 71 3C 6B 7D FF

Note that in the case of both UN0918 and MAGIC1/MAGIC2, the danger _may_ be avoidable if, after applying the scripts, you send a 48 3E 00 00 00 packet to the card (which will reset the USW to 0000), then apply the DTV update simulator scripts that're available. Currently, ^T23.XPL and ^T23.SCR, although claiming to add all 23 updates, actually only add the five updates sent on 26 March, 1998. To fully update the card, you need to use the following procedure:

1: Send a 48 3E 00 00 00 packet to clear the USW to 0000
2: Use Axa's UPD8.XPL script, which will add the 18 updates that DTV sent on January 15, 1998.
3: Send another 48 3E 00 00 00 packet to again clear the USW to 0000
4: Send either ^T23.XPL or ^T23.SCR to add the 5 updates that DTV sent on 26 March, 1998

OTHER SCRIPTS: Recently, one or more persons have been handing out scripts on the IRC channel that will 99 any card that they're applied to. The best rules to follow are:

1: Never use any script you didn't write yourself.
2: Failing that, never use any script that didn't come from a reputable source, and even then, examine the script carefully before using it. Even the reputable sources on the IRC are still distributing the 3M scripts with debug code in them.
3: If you _should_ happen to use a script that kills your card, then be sure to warn others about it. Allowing people to find out for themselves is just plain mean-spirited.

---------------------------------------------------------------------
Why people who know how the cards work are so stingy with information:

Finally, I'm going to wrap this whole thing up with a short explanation of why those of us who know a lot about how these cards work are so stingy with the information. A lot of people will tell you that there are several motivating factors, some of them being:

-Money. Some of the people who've spent the time to figure out how the 'H' cards work want to profit by their effort and sell either modified 'H' cards, or "wedge" boards into which a modified or unmodified 'H' card can be inserted.

-Power. Still others who've spent the time to figure out how the 'H' cards work seem to get a rush from the fact that they have a secret that few other people share. What's odd is that there's a lot of people who get this same rush, even if they didn't figure the information out for themselves, but either were told by someone else, or, worse, siphoned it from someone else's hard drive.

-Fear.
There are those who're afraid that if they reveal everything they know about the 'H' card, they'll be ostracized from the DSS 'elite', or, worse, have the DTV/NDC police show up at their house with a search warrant or a bazooka or something.

When it comes right down to it, however, almost ALL of the individuals and groups that have knowledge about how the cards work are reluctant to share it for one simple reason, no matter what anyone else says. It's not because we're cruel or greedy. It's because we don't want DTV to update the cards and make us have to figure out how to get back in all over again. It gets old. Speaking for myself, I don't divulge everything I know for the simple reason that I've got better things to do than figure out how to get around DTV's latest round of changes. In addition, those individuals and groups who are selling fixes don't want DTV knowing what they did because then they'd have unhappy customers when they lose programming because DTV comes up with an ECM. And no matter how shiftless and scummy any given dealer may be, NO dealer wants to have his customers pissed at him, if for no other reason than a constantly ringing phone or a constantly full mailbox is annoying.

When DTV decides that they want to make an update to the cards, they've got several options open to them: They can send an EEPROM update (they've done this twice already, and I'd expect another before the end of May, 1998), they can change their program tier masks (it's unclear as to whether they're currently in the process of doing this or not), or, worst case, they can do a card swap. Obviously, a card swap costs them a lot of time and money, but once the swap happens, it'll probably take about 6 months before the first reliable fix is available. And with what they've learned from doing the 'F' card and the 'H' card, the 'J' card may just be impervious.
A couple of good examples of what can happen when DTV knows what someone is doing to get free programming are fairly recent.

The first is the blackouts that were (and are again) happening on channel 248 and others. These channels aren't working for people who are using certain versions of 3M code, because DTV has modified the datastream for those channels to include a requirement that an area of the 'H' card's EEPROM that those versions of 3M code use be unmodified in order for the seed keys for the video data to be returned. Again, DTV has been kind here. They could have sent a packet that just kills cards that have modified code in a particular area. I'm sure that in the near future, more, if not all, channels will have their video blacked out using this method, since it's a zero-cost, zero-downside operation for DTV.

The second example is the recent deactivation of cards that were activated using freeware activators such as CBA, DSSBUST, and CL5005. Although this was due to a routine month-end tier expiration, DTV could just as easily have sent a packet to each and every card for which they don't have an activation on record that would've removed the known freeware tiers. If you're thinking that DTV couldn't do this, arguing that there are millions of cards out there, keep in mind that the bandwidth of the DSS signal is measured in megabits per second. Only a fraction of that bandwidth needs to be taken to send deactivation packets to one million cards, if DTV is willing to spend a week or so on the effort.

For the most part, up until now, DTV's object has not been to kill cards. They've just wanted to create a hassle for people who bought fully activated cards from a dealer rather than from DTV...they want people to get so frustrated with having to send their card back to be reactivated that they'll just give up on trying to get programming for free and subscribe, but I'd bet that that philosophy isn't going to last forever.

---------------------------------------------------------------------

Well, that's about it. If you happen to see me on the IRC and I seem to be bashing freeware stuff, keep in mind that the reason I'm doing it is because for most people, adding any freeware solution to their card is just an invitation to get their card killed by DTV, and because I really don't want to have to go to the effort of figuring out how to get around yet another ECM. And remember...DTV has been nice so far, but sooner or later, they're going to get pissed off and just start killing cards.

END of "'H' cards and you"

=========================================================================

This FAQ was not a one-person project. Many people have contributed their time and knowledge to this. I want to thank everyone that helped, especially the visitors of the TCUP web site. It is from your unfortunate mistakes that others will learn :)

Thanks to all the experts who gave up their time to proofread this FAQ. You provided much valuable feedback and many suggestions.

Thanks also to the people that set up and maintain the SZ/NET IRC network; it is you that provided us a safe place to gather and discuss our test cards and experiences. IRC provides a democracy to this community; everyone can have a voice.

Thanks especially to Acidflash, the GOD of SZ/NET, because he would have killed me if I didn't mention his name. :) But thanks to all the channel OPs, you guys keep the chaos in order.

LEGAL DISCLAIMER: BLAH BLAH BLAH BLAH DON'T BREAK THE LAW! BLAH BLAH BLAH BLAH BLAH DON'T BE STUPID BLAH BLAH BLAH BLAH USE AT YOUR OWN RISK BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH BLAH VIVA GORDITAS! BLAH BLAH BLAH. COPYRIGHT(C)1998 BLAH BLAH.

END OF DSSFAQ98 TEXT FILE
