The New Card Up DirecTV's Sleeve

by Mangaburn (mangaburn@ziplip.com)

By now, it is old news to the DirecTV hacking community, but the uninformed or unconcerned may find it interesting to learn that DirecTV is currently in the process of a "card swap."

This swap entails contacting each current DirecTV programming subscriber and replacing their older, currently "insecure" access card with a new "secured" access card.  It is an expensive undertaking on DirecTV's part and, judging from past "swaps," ultimately ineffectual in stemming what is laughingly referred to as "signal theft."  But try they will and, from the looks of it, there is change in the wind.

During this current "swap," the incoming new card has been dubbed the "P4" (Period 4, which follows the P3, P2, and P1 - or HU, H, and F cards respectively), and it is an interesting creature indeed.

Of course, development of a hack is already underway worldwide, but after getting my hands on one of these new cards, I immediately began to wonder about a very different feature of this particular card.

Printed on the front of the card is the following phrase, as part of the graphic: "Access Card: 4."  This phrase is intriguing to me for two reasons:

  1. The average, normal subscriber wouldn't know or care that this is DirecTV's fourth access card version.  Most, I am sure, haven't any clue as to what the "4" stands for on their card.
  2. Any variation, even slight, of the DirecTV graphic on the front of the card would be more than enough of an identifier for any retailers or DirecTV Customer Service phone reps that would need to identify a particular card.

Keeping these points in mind, there is another perplexing thing to consider: the absence of a specific "P4" identifier on the reverse of the card, as has been the case with past access cards.  Here is a quick breakdown of the history of DirecTV's past access cards' unique identifiers:

Period 1 - "F" Card:  P1, also known as F cards, were used until 1997.  F cards have a picture of a satellite and the DSS logo on the front.  Reverse side shows Conditional Access Module (CAM) ID XXXX XXXX XXXX and a unique identifier: FXXXXXXXXXXX

Period 2 - "H" Card:  P2, also known as H cards, were introduced in 1996 and eventually replaced F cards.  H cards look the same as F cards.  H cards were in use until 2002.  Reverse side shows CAM ID XXXX XXXX XXXX and a unique identifier: HXXXXXXXXXXX

Period 3 - "HU" Card:  P3, also known as HU cards, were introduced in 1999 and were used until April 2004.  HU cards have a picture of a football player, a basketball, a clapperboard, and a film canister on the front.  HU cards originally shipped with receivers with serial numbers above 0001 700 000.  These were removed from circulation because piracy plagued the system.  Reverse side shows CAM ID XXXX XXXX XXXX, a unique identifier: H or A, then XXXXXXXXXXX, and a card-type identifier: HUXXXXXB

Period 4 Card:  P4 cards were introduced in 2002 and are currently still in use.  P4 cards are labeled "Access Card: 4".  Reverse side shows CAM ID XXXX XXXX XXXX and a unique identifier: AXXXXXXXXXXX

D1 cards were introduced in 2004 following compatibility problems with the P4 cards in some receivers.  These cards can be identified by the silver edges, and simply bear the word "DirecTV" on the front (no number).  They are usually found on DirecTV TiVo Series2 DVRs (DirecTiVos) and the D10 and H10 series receivers.

D2/P12 cards were introduced in 2005.  D2 cards can be identified by a two-toned blue dot pattern resembling the DirecTV logo in addition to the DirecTV logo and the words "DirecTV Access Card," while the P12 card has a picture of a satellite on the front.  The P12 card is the only card that will work with R15, H20, and HR20 series receivers.  O cards are the current "standard issue" card.  They can be identified with the words "Now part of the AT&T family."

Note that the HU card has a card-type identifier, in which the letters "HU" were incorporated.

Additionally, the H card has the letter "H" in its unique identifier, as did the now defunct "F" card.

The P4 lacks any such reverse identifier, since the reverse side unique identifier, beginning with an "A," could just as well be an "HU" card.  With no differentiation on the reverse, the P4's unique identifier is, in effect, the "Access Card: 4" phrase on the front side of the card.  Believe it or not, this may be a significant change in DirecTV's "anti-signal theft strategy."

I know it's getting convoluted, so I'll get on with establishing my theory.

I think that DirecTV has finally sorted out how it produces and identifies access cards.  In essence, we are looking at a new, standard approach to DirecTV access card security revisions.  Without a reverse side identifier, the only obvious thing that sets this card apart is its front side graphic, and I think this new card's design is more than just an elimination of extraneous data on the reverse side of the card, and even less likely a change for aesthetic differentiation.

I believe this is DirecTV's new access card format, with a functional, variable identifier that from here on out will be found on the front of the card, specifying security revisions in the event of a future "swap" with a change in the numerical character.

If you look at the front of a P4, compare the font that is used for the words "Access Card:" and the font used for the number "4."  They are obviously different fonts.

Now, at first glance this could seem to mean nothing.  But my theory is that should, at any point in the future, new security measures be needed, such changes could be made to this very same style of card, and the "4" would be changed to a "5."  And so on, as needed.

A major design change is no longer necessary, just a change to the numerical identifier.  Thus, this "Access Card:" style card becomes the new basis for all DirecTV access cards, and any changes "security-wise" will be noted by a change of the number on the front of the card, i.e., "Access Card: 5", "Access Card: 6", etc.

Furthermore, I think this method is saving DirecTV some cash in the long run.  Rather than warehousing boxes of "Access Card: 4" cards, I believe that they are stockpiling "Access Card: _" cards.

By only manufacturing as many of the "4" version as are needed, they are able to keep from being stuck with millions of "4" cards if and when they decide to perform another "swap."  With this new method, the moment a new card version is needed, the very same cards can be used, and no overstock of outmoded cards is left as a result.

DirecTV can simply continue manufacturing cards on an as-needed basis, simply changing the security measures and filling in the blank after "Access Card: _" with a corresponding version number.  Not that this is something they would particularly want to do, considering the exorbitant cost of a "swap," but it certainly is an avenue that they have apparently left open for themselves.

Of course all of this amounts to mere speculation, but it would seem to me that DirecTV has in effect "standardized" their access cards, and any future smart card implementations will probably look just like the P4, only with a different numerical identifier.  Simply put, I can think of no other reason to print the number "4" on the front of the card, unless the plan is to change the number in the future.

Considering the breakup between DirecTV and their former access card producer NDS Ltd., and DirecTV's decision to move its smart card manufacturing "in-house," this theory on their card production and identification seems to fit right in.  What does this mean for DirecTV testers?  Well, nothing at the moment.

The authorization packets for the HU and H cards are still flying down from the birds, and with those cards sufficiently hacked (for the time being) there is really no cause for concern.

The word from DirecTV themselves is that the "P4 card swap" won't be completed until August of 2003.  Yet, with the advent of this current card swap, the ground beneath the average DirecTV tester is beginning to look shaky.

With this new access card production system now in place, we could be looking at DirecTV being able to implement new card versions with more speed and responsiveness than ever before.  As for the current "hacked" status of this new "P4," I don't think I'd like to speculate.

Considering the money involved in this game, I would not be surprised if someone didn't already have it hacked.  Holding on to such a development until the day the "H" and "HU" authorization packets disappear from the data-stream could prove to make someone very rich.  Timing is everything, after all.

Considering the latest rash of threatening letters, lawsuits, and raided fulfillment houses that have been plaguing the scene, marinating on this little revelation will be a lark at best for my fellow DirecTV testers (at least until the next ECM comes down to rattle our nerves a bit!).

Nonetheless, the game isn't over just yet, but it is getting hard not to notice that dark cloud on the horizon.
