How to Decrypt DirecTV
by Clovis
The folks at DirecTV would have liked it if their broadcast signal were directional but, at least for North Americans, it isn't.
So you too can listen in on these encrypted radio waves being beamed down from geosynchronous orbit. There are some purchases that first need to be made.
A house with an open view of the southern sky. We all wish we were in Dixie and so do our signals. Be wary of trees in the winter. They always seem to grow leaves by summer and block our view.
A DirecTV dish and receiver system. You will want to purchase a system that uses an H card. (At the time of this writing, the HU card will pose some serious problems to extracurricular viewing.)
A television set will probably help.
With these items you can purchase normal service through DirecTV (www.directv.com) but the readers of this publication want more and more is what you will get.
How to Bust Root on Your H Card
There are a few sites that sell this particular hardware. You might want to start your search by going to some of the websites mentioned in this article. Back to the action.
You will need some hardware to get this job done:
Integrated Receiver-Decoder (IRD) Interface: This is a device that resembles your DirecTV H card but it has a serial port connection added to it. For the real enthusiast, it allows you to watch the communication from the receiver to the H card.
Card Programmer: This programmer will need to read and write the H card. You want an ISO-2 programmer that can read and write the ISO/IEC 7816 chip on the H card. This programmer will also need to work via serial port for the process of emulation.
Computer: A 486 at 50 MHz or higher with two serial ports. Recommended is a classic Pentium 75 MHz (or higher), and the serial ports should have 16550 UARTs (or better). Some of the 32-bit receivers outpace the 486-50s.
H Card: An H card and a valid binary image of an H card.
For educational purposes, you will also need some software:
BasicH: This program is a hex editor that works with your ISO programmer and has some enhancements specifically for the DirecTV enthusiast. The package will allow you to back up your valid binary image. If things go wrong, you can always restore from that image. The current version is: BasicH v3.2 (BasicH v2.7)
WinExplorer: This program allows for third-party scripts to interact with the ISO programmer. A quality program that has source examples for those interested in how ISO card programming gets done. Your WinExplorer installation may require Windows Scripting Files sct10en.exe and ste51en.exe to run properly. The current version is: WinExplorer v4.51 (WinExplorer v4.4, Manual)
TurboAUX: This script works with WinExplorer to AUX the card in order for the card to work with the emulator software. It also allows the user to deAUX the card if need be. As a script, the source is available and can teach the astute more about the H card. The current version of TurboAUX is: TurboAUX v3.0
SLE44C4xS Processor Emulator: This is the emulation software. It acts as the go-between for the H card, the IRD interface, and a local binary of your H card. This program prevents your H card from being directly written to while keeping your receiver happy with the decryption information it wants to hear. "Lie to me and tell me that you love me." The current version of SLE44C4xS Processor Emulator is v3.0: SLE44PE v3.0
Setting Up Your Brute-Force Attack
You might be thinking, "That is a lot of stuff you just put in my living room." Well, no one said this hack was going to be easy.
If you want an easy hack, go find the garbage file on a Gibson. In reality, this is an easy hack - you will not have to think much, just follow instructions. My hope is that some of you bright lads and lasses will pick up on how this works and contribute to the DSS community with your thoughts and ideas.
Everyone has to start somewhere and if the motivation is getting free pr0n, that is O.K. with me. We have to set our moral standards somehow. It is notable that a lot of hackers started in the world of w4r3z before using their skill for the powers of good.
But this does not answer "Why all this stuff?" Well, the TV, dish, et al. are self-explanatory. The programmer, IRD, and computer are needed to fool the receiver.
You see, no one has cracked the encryption system that DirecTV uses. It seems those folks spent a nickel or two on a real engineer. So the H card is needed for its brains, i.e., the ability to decrypt the hashes sent to it. The receiver sends a message to the card, the IRD sends the signal to the computer, and the emulator sends the data to the programmer with the H card for decryption.
[DSS Receiver] -> [IRD] -> [Serial Cable] -> [Computer] -> [Emulator] -> [Computer] -> [Serial Cable] -> [Programmer w/AUXed H Card]

When DirecTV sends updates or other items from space for the H card, those updates are put in the local binary image by the emulator and nothing is written to the H card. This prevents DirecTV from sending naughty naughty things (I'm not talking about Cinemax after dark) that could damage your card, like the now infamous Electronic Countermeasures (ECM) of January 2001.
Recipe for the Iron Chef
Here is the step-by-step guide for getting things running.
I am not sure how many of you are into the culinary arts, but on the Food Network, the Iron Chef will wow. Many cable systems do not carry the Iron Chef, but with the chef you will be home free. So let's start cooking.
Connect all of your hardware for action. Connect your IRD and programmer to your computer's serial ports. Put your H card in the programmer.
Run BasicH and connect to the EPROM reader (programmer) and save the EPROM file as h2600.bin. If it is a blacklisted card you will get a 745 error. Don't despair if past card hacking has failed you - we can still help.
Make a second copy of that file in a new directory. You will want to keep the original copy in case things do not work out.
Next, you want to open the backup file h2600.bin in BasicH. You will want to clean the image to 63 updates. Then you will need to do some hex editing to the card.
Put BasicH into Enable mode and look at address location 0x8000.
Check to make sure it reads starting at 0x8000: 33 15 03 4A
According to the good folks at www.hackhu.com, this will help ensure that binaries taken from Black Sunday ECM'ed cards will be able to emulate.
For the record, the 0x8000 - 0x8007 address range is often referred to as the "common card data." At boot, the receiver first checks to see if address 0x8000 is 0x33.
Next, go to address 0x8384 and enter starting at address 0x8384: 5C 04 1F 68
According to the TV-Fix.com hdump.txt file, this is part of the "card number" address.
Once complete, edit address 0x8415 for the time zone you wish to be considered part of. These bits set your receiver's clock to the correct time zone, but do what you want. Time zone bits are:
- 0xA9 Daylight or 0x29 Standard Newfoundland Time
- 0xA8 Daylight or 0x28 Standard Atlantic Time
- 0xA6 Daylight or 0x26 Standard Eastern Time
- 0xA4 Daylight or 0x24 Standard Central Time
- 0xA2 Daylight or 0x22 Standard Mountain Time
- 0xA0 Daylight or 0x20 Standard Pacific Time
For those who might have gone all out and purchased a "Plus" receiver, you will want to edit starting at address 0x83C8 and enter: 55 3x 3x 3x 3x 3x 20 20
You will want to put the ASCII digits of your ZIP Code where the x are. So for the New York City ZIP Code 10001, you would enter: 55 31 30 30 30 31 20 20
Once completed, save the EPROM file as h2600.bin. Remember, this needs to be from a valid H card since the emulator will verify from this binary. The H card inserted into the programmer does not need to be valid from here on out, since its only purpose is for decryption.
Before we AUX the H card, we will want to use BasicH to "one step clean" the card to 28 updates. Once this is done, you are done with BasicH until you decide to further experiment.
Now, on to creating the AUX card. This further conditions your H card to act as a go-between in the emulation process.
You will need to install WinExplorer first and then you will be able to open the TurboAUX30.xvb script.
USL (Use the Source Luke) on this one. The XVB (WinExplorer VB Script) file has instructions and information commented at the beginning. Using the program is not difficult, but sometimes being informed is, so read it.
Go ahead and execute the TurboAUX30.xvb script using WinExplorer. A small window will open up.
For those Tcl/Tk fans, you will not be disappointed. For the rest of you, expect to be disappointed with the GUI. From the new window you will want to click the AUX button. The AUXing process is the most time sensitive of them all. So be sure you have nothing running in the background if you have a slower system.
Finally, you will need to create a DOS boot disk. Under Windows 95/98 it is easy to do from the Control Panel. You are on your own here though. Once the disk is created, you will want to copy the modified binary h2600.bin to this disk. Following that, copy the emulator software to the disk from the SLE44 archive.
You need to copy the SLE44E_P.EXE file to the boot floppy. You will also want to read the newin30.txt file in the ZIP archive to see what other command line switches there are and some things you can do to troubleshoot timing issues.
Now boot your computer from the boot floppy. You can automate the next steps with an AUTOEXEC.BAT if you are so inclined. For this example, we will assume your IRD card is plugged into COM1 and the ISO programmer is connected to COM2.
Your boot floppy should contain system files for boot, the h2600.bin binary, and the SLE44E_P.EXE emulator application. Thanks to Pierre G. Martineau (PGM), the dirty work of the communication between programmer, computer, and receiver is squared away. You will want to power off your DTV receiver at this point. Make sure the AUXed H card is in the programmer.
Once you are booted, type:
A:\> sle44e_p /a /pel /pa2 /s h2600.bin

Give it a moment, and then power on your receiver and change to channel 100. Give it a little bit so that the emulator can sync with channel 100.
I am not sure if syncing with 100 is necessary. There are mixed reviews on this and there is some information saying that 100 sends initial seed information. True or not, I have found that channel 100 has fixed things in the past. So it is recommended.
Also, some IRD card jingling might be required. You're a hacker, figure it out.
If things are working, because of the /s command line switch, you will see the communication between the computer and the receiver. Spend some time and watch what is going on.
If you check the forums on alt.dss.hack or some of the other online forums, you will find commentary about some of the more interesting streams. These forums usually discuss DirecTV's attempts to kill modded H and HU cards.
In this case, you should be just fine. Because the emulator traps the signals being written to the card and just updates them in the h2600.bin binary in memory, your H card is safe.
You will want to type Q in order to quit the SLE44E_P application so that updates are saved to the disk for the next time you boot.
Some Notes
From the EMU-FAQ: "Thus far, the only universally emulator-incompatible IRD known is the Hughes B1 series. However, some emulators have reportedly not been able to work with Hughes B2 series IRDs and RCA222 series IRDs."
For those looking for something that will run under Linux, look for a file named pitou-0.01-build101.tar.gz on the net. If you have trouble finding this on the web, you might want to read to the end of this article.
The HU card is the next version of the H card. Currently emulation is not possible for HU cards. These cards are susceptible to the ECMs sent from on high.
Additional Resources
At the time of writing this article, a post to Slashdot about a version of the emulation software for Linux allowing for distributed network sharing of a single H card by many receivers brought a firestorm of legal attention to the DSS enthusiast community.
The application of note is called Pitou written by nerg343. He has discontinued his work on the project due to legal threats under the DMCA.
Also, the moderator, because of threats of litigation, took one of the best resources for the DSS enthusiast (www.hacku.com) down. Oddly, this site is hosted in Canada by a Canadian, but likely due to NAFTA trade partner status, the specter of legal threats from the United States is able to affect the Canadian citizen.
In addition, many of the text files and binaries mentioned in this article are becoming harder to find. As consumers, there are reasons for fair use of this technology.
For the terminally curious, access to how this equipment works is invaluable to the psyche. I myself recommend anyone playing with this technology get a subscription to DirecTV, if not the most basic package.
We as hackers are not here to cheat. We are curious and our desire to investigate and discuss this curiosity should not be a crime.
Anyhow, you can still find more resources on this topic at www.dssunderground.com and www.dsschat.com.
One of the best resources I found while constructing this document was: pitou-research.zip
This file has a hodgepodge of articles, text files, tech sheets, and other documentation that nerg343 used to develop his application.
People have made calls to post all of these files and information on the distributed P2P net made possible by Gnutella.
Enjoy your television and try to learn something about television by hacking DSS.