September 5th, 2001 06:34 AM
Hacking DirecTV Lesson 1
I would like to contribute to this wonderful site so I thought I would introduce this thread to anyone who has (or is interested in getting) DirecTV.
The following is a cut and paste from a newbie FAQ. It gives some basic understanding of DTV hacking and how it works. It's a little outdated but the basics still apply.
Basically, any script kiddie can do it. The elders have made it very easy through the use of VB scripts and loading proggies.
Anyway, I'll post this. If anyone shows an interest, I'll go on to lessons 2 and 3 with more detail.
Post any questions and I'll try to answer the best I can.
Many people have heard that there is a way to program their access card to be able to receive all the channels on their satellite receiver, and wondered if they can do it too. The answer is YES YOU CAN! And we're here to help.
I decided to write this as a starting point to those just getting into this hobby. I say hobby, because this is not just a matter of getting your card "fixed" and moving on. If that's what you want, go find somebody to program your card, pay his fee, and get it over with. This is more of a hobby where we learn about smart cards, how they work, and how to program them in ways that just happen to open up all the channels for viewing. The learning process never ends, and when new challenges arise, we as a team put our collective heads together to overcome them.
The access cards, after they are altered, are referred to as "test cards". The purpose of the test card is to test your receiver to make sure it works. The card does allow reception of all the available channels, and can be used for watching free satellite programming, but this is illegal and you do this at your own risk. I don't encourage anyone to do anything illegal.
CAN I GET LOCAL CHANNELS TOO?
Yes! On 4th generation receivers and below, and on some of the 5th generation receivers, all of the available local channels can be received. To determine the generation of the receiver, look at the model number. A 1st generation receiver is designated with an A, and the lettering follows sequentially up to the 5th generation, designated by the letter E. A model DRD222RD would be a 4th generation receiver.
WHICH CARDS CAN BE USED FOR TESTING?
Presently, the only cards that can be used for testing are the H cards. UPDATE: Around the end of November, 2000, the HU hack was introduced. Oh my, things change so fast. HU loaders are available now. Please study the HU forum and feel your way around with this. The HU has some pitfalls (Alas, as does the H card, so do your homework!!!)
WHAT ABOUT THOSE WHITE SMARTCARDS?
Nope, they won't work either. Continue reading.
SO, HOW CAN I TELL IF I HAVE AN H or HU CARD?
An H card is the blue card with a picture of a satellite on it. The card numbers range from 0000 4000 0000 to 0001 6999 9999. Cards numbered 0001 7400 0000 and up are HU cards, which have a sports picture on them. Cards in between those number ranges are special purpose H cards that were supposedly not issued to the public. A scam has gone around where cards are silkscreened to look like the H card. So if you're buying a card, make sure you know who you're buying from. You can go to the dealer recommendations forum and do some research.
WHAT IS A CAM NUMBER?
A CAM is a Conditional Access Module.
WHAT'S IN THOSE CARDS?
Now that we know that the ONLY card that will work is the H card (and, as things have evolved, the HU card as well), we need to know a little bit about it. Inside the card is some ROM memory for storing the instruction set, and an ASIC chip (which stands for Application Specific Integrated Circuit), which is used for decrypting the satellite signal. Also on the card is an area where the PPV purchases are stored, which are reported to your satellite provider on a monthly basis. This area is sometimes used to store instructions used to alter the behavior of the card, which basically, was an area commonly used for "jump" instructions to authorize satellite programming. These methods were common up to the end of summer in 2000, before the interactive instruction set was put on the card by Dave. (Not considered safe anymore.)
Because regular "off the shelf" smart cards do not contain these ASIC chips, these cards won't work for receiving satellite programming. You may find some of these "white cards" for sale on E-Bay, but they won't work, no matter what they promise you.
WHAT IS AN IRD?
It is the receiver.
WHAT IS THE USW?
USW is the Update Status Word. Simply stated, the USW number indicates the number of updates that are on the card. At this writing, a current subscribed card is at USW67.
WHAT ARE THE FUSE BYTES?
The fuse bytes report the status of the card. Here is a partial list of the numbers:
00 = virgin
05 = not married and activated
20 = virgin and married
24 = married and deactivated
25 = married and subscribed
WHAT IS THE ATR?
The ATR is the answer to reset. When the card receives a reset command, it responds with this "answer". The ATR for an H card is 3F 78 12 25 01 40 B0 03 4A 50 20 48 55
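The ATR quoted above is an ordinary ISO 7816-3 answer-to-reset, so it can be decoded with the generic rules of that standard. The parser below is an added example, not part of the original post or any loader; the only card-specific input is the H-card ATR string from the FAQ, and the parser also handles the TD-byte chains and TCK check byte that other cards use, which this ATR does not have.

```python
"""ISO 7816-3 Answer-To-Reset (ATR) parser.

Added example, not part of the original post. The only card-specific
input is the H-card ATR quoted in the FAQ; the decoding rules are the
generic ISO 7816-3 ones, so the parser also handles ATRs with TD bytes
and a TCK check byte (which this particular ATR does not have).
"""

# Clock-rate (FI) and baud-rate (DI) conversion tables from ISO 7816-3, keyed
# by the nibbles of TA1. Unused codes are left out on purpose.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

# The H-card ATR exactly as printed in the FAQ.
H_CARD_ATR = bytes.fromhex("3F 78 12 25 01 40 B0 03 4A 50 20 48 55")


def parse_atr(atr: bytes) -> dict:
    """Decode an ATR into convention, interface bytes, protocols, history."""
    if len(atr) < 2:
        raise ValueError("ATR needs at least TS and T0")
    ts, t0 = atr[0], atr[1]
    if ts not in (0x3B, 0x3F):
        raise ValueError(f"invalid TS byte {ts:02X}")
    result = {
        "convention": "direct" if ts == 0x3B else "inverse",
        "interface_bytes": {},      # e.g. {"TA1": 0x12, "TB1": 0x25, ...}
        "protocols": set(),         # T=n values announced in TD bytes
    }
    n_hist = t0 & 0x0F              # low nibble: number of historical bytes
    y = t0 >> 4                     # high nibble: presence bits for TA/TB/TC/TD
    pos, i = 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                result["interface_bytes"][f"{name}{i}"] = atr[pos]
                pos += 1
        td = result["interface_bytes"].get(f"TD{i}")
        if td is None:
            break                   # no TD byte: no further interface bytes
        result["protocols"].add(td & 0x0F)
        y = td >> 4                 # TD's high nibble announces the next group
        i += 1
    if not result["protocols"]:
        result["protocols"].add(0)  # no TD at all means T=0 only
    result["historical_bytes"] = atr[pos:pos + n_hist]
    if len(result["historical_bytes"]) != n_hist:
        raise ValueError("ATR truncated inside historical bytes")
    pos += n_hist
    # TCK is present only when a protocol other than T=0 is offered; it is
    # chosen so that XOR of every byte from T0 through TCK equals zero.
    if result["protocols"] != {0}:
        if pos >= len(atr):
            raise ValueError("TCK missing")
        xor = 0
        for b in atr[1:pos + 1]:
            xor ^= b
        result["tck_ok"] = (xor == 0)
        pos += 1
    else:
        result["tck_ok"] = None
    if pos != len(atr):
        raise ValueError(f"{len(atr) - pos} unexpected trailing byte(s)")
    ta1 = result["interface_bytes"].get("TA1", 0x11)   # default F=372, D=1
    result["clock_rate_conversion_F"] = FI_TABLE.get(ta1 >> 4)
    result["baud_rate_adjustment_D"] = DI_TABLE.get(ta1 & 0x0F)
    result["extra_guard_time_N"] = result["interface_bytes"].get("TC1", 0)
    return result


def historical_as_text(atr: bytes) -> str:
    """Render the historical bytes with non-printable bytes shown as '.'."""
    hist = parse_atr(atr)["historical_bytes"]
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in hist)


if __name__ == "__main__":
    for key, value in parse_atr(H_CARD_ATR).items():
        print(f"{key}: {value}")
    print("historical bytes as text:", historical_as_text(H_CARD_ATR))
```

Running it on the FAQ's ATR shows TS = 3F (inverse convention), T0 = 78 (TA1, TB1 and TC1 present, eight historical bytes), TA1 = 12 (F = 372, D = 2), TB1 = 25, TC1 = 01 (one extra guard-time unit), no TD byte (so T=0 only and no TCK), and the historical bytes 40 B0 03 4A 50 20 48 55, whose last five bytes are the ASCII text "JP HU". Reading an ATR this way is the first thing to do with any unknown card, since it tells you the protocol and timing before a single command is sent.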
WHAT IS A SUBBED CARD?
It is a card which is subscribed to the satellite company.
WHAT IS A PROGRAMMED CARD?
A programmed card is one that has a stealth program installed (see below). Again, the stealth routines are a thing of the past; forget them, as they do not apply to today's testers. A card that comes out of the box and ready to activate is not programmed. When it is activated, it is STILL not programmed (at least, not in the sense that we use the terminology for).
WHAT IS AN IMAGE?
An image is a "snapshot" of the EEPROM contents in the card.
WHAT IS A SCRIPT?
A script is a set of instructions which alters the EEPROM image.
WHAT IS A STEALTH?
It is a script, usually referred to as a "stealth script" or just "stealth", which alters the EEPROM image on the card to allow it to receive programming. It is designated a stealth because it "hides" from routines designed to detect them. It is usually protected with a "lock code" referred to as the "back door key". This lock, when in place, prevents all known holes from being opened so the card cannot be programmed (or shut off or ecm'd by the satellite company). A hole is an entry way into the card. By closing the hole (and locking it) you prevent anyone from changing the contents of the card. It is interesting to note that some of these "holes" are just bugs in the card that are exploited by the test card programmer, and were never intended by the card issuer to be a means of getting into the card. Currently, the satellite company has fought back and updated the instruction set on the card to defeat the effectiveness of the "stealth" scripts. Generally, they are NOT recommended as a safe way for testing anymore.
WHAT IS A 3M?
The 3M we're talking about has nothing to do with the 3M company (or the M&M's company, either). It refers to the method the script uses to "authorize" access to the channel you tune into. Example: You select channel 501. The IRD goes to the card and asks for authorization. When requesting authorization, the IRD goes to a location on the card and receives instructions to jump to another location where the authorization code resides, then jumps back. In effect, everything is authorized. Lucent and X-2000 scripts (amongst others) are considered to be 3M scripts.
Lastly, the following is contributed by Begonia, one of the moderators here, on the origin of the "3M" designation:
The name stems from The Three Musketeers and their motto, "all for one and one for all." Meaning, of course, one set of instructions to authorize All programming. Again, since the recent code sent by your satellite provider can now destroy cards that employ these jumps, it is not recommended to use 3M's anymore.
ARE THERE OTHER TYPES OF SCRIPTS?
Yes, there are scripts used for removing updates, adding updates, "forcing" or attempting to force a hole to open to name a few. These are not usually required unless an unusual circumstance arises.
WHAT IS A LOOPED CARD?
A looped card is one that is programmed into a loop, either by the satellite company, or by errors made while programming. Simply stated, if you send instructions on line 1 of a program to goto line 2, and line 2 to goto line 1, these instructions would run forever, as there is nothing to stop this process. With instructions to go back and forth between these two lines of code, none of the other code can be processed, and therefore the card will not do anything. To unloop a card requires a process known as cleaning (or unlooping), which requires an unlooper to erase this code so that programming the card again is possible. As the price of unloopers has come down, most people choose to own their own unlooper, rather than send the card out to an unlooping service. You should become familiar with the process before attempting to use an unlooper, as it is possible to destroy the access card if the process is not done correctly. Lastly, I'd like to add that besides looping a card, the satellite company can destroy the card by writing to an area of the card that can only be written to once. For this reason, 3M/Stealth cards can be killed. Scenario: suppose the satellite company is looking for a popular jump on a card. They could use a CRC checksum to detect its presence, and IF the CRC matches, they would instruct the overwriting of that "Write Once" area of the card. Then, they could effectively hash the card (more on hashing, later), which would result in loss of picture and/or sound. On January 21st a massive ECM was sent to destroy the boot sector of the cards. This ECM wrote the first 4 bytes of the card, and prevented the card from being booted. Testers began to use devices to initiate the boot of the card, then jump into the card just past the boot sector damage. Read more about the Black Sunday, or "BS" ECM, around the forums.
WHAT IS HASHING?
Hashing is using a CRC to determine the presence of code on the card. It has been used to ensure that your card has all the updates on it (the ones that will give them the ability to kill it, amongst other things). If your card does not match the CRC of the location they are hashing, then there is no picture and/or sound.
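The "hashing" check described above, in its generic form, is an integrity check over a memory region: compute a CRC of the bytes at a known location and compare it with the value expected for an unmodified card. The code below is an added example, not from the post; the image bytes, region offset and key are constructed for the demo, and the CRC is the standard CRC-16/CCITT-FALSE. It also shows why a plain CRC is only a tamper-evidence measure against someone who cannot recompute it: beside the CRC sits a keyed HMAC over the same region, which is what a verifier uses when the other side can compute checksums too.

```python
"""Checking a region of a card image against an expected checksum.

Added example, not taken from the post. The FAQ describes "hashing" as
computing a CRC over a region of the card's memory and comparing it with
a known value. The image bytes, offsets and key below are constructed
for the demo; the CRC is the standard CRC-16/CCITT-FALSE
(polynomial 0x1021, initial value 0xFFFF, no bit reflection).
"""
import hashlib
import hmac


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE over data (check value of b'123456789' is 0x29B1)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def region(image: bytes, start: int, length: int) -> bytes:
    """Slice a region out of an image, refusing to run off either end."""
    if start < 0 or length < 0 or start + length > len(image):
        raise ValueError("region lies outside the image")
    return image[start:start + length]


def region_crc(image: bytes, start: int, length: int) -> int:
    return crc16_ccitt(region(image, start, length))


def crc_matches(image: bytes, start: int, length: int, expected: int) -> bool:
    """The check the FAQ describes: does the region hash to the expected CRC?"""
    return region_crc(image, start, length) == expected


def region_tag(image: bytes, start: int, length: int, key: bytes) -> bytes:
    """Keyed alternative: HMAC-SHA256 over the same region."""
    return hmac.new(key, region(image, start, length), hashlib.sha256).digest()


def tag_matches(image: bytes, start: int, length: int, key: bytes, expected: bytes) -> bool:
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(region_tag(image, start, length, key), expected)


def tampered_copy(image: bytes, offset: int) -> bytes:
    """Flip one bit at offset: the smallest change an integrity check must catch."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed 256-byte "image" (a simple byte pattern, not real card contents)
# and a hypothetical 32-byte region at offset 0x40 that the check covers.
SAMPLE_IMAGE = bytes((i * 7) & 0xFF for i in range(256))
REGION_START, REGION_LEN = 0x40, 32
DEMO_KEY = b"constructed-demo-key"      # hypothetical key for the demo only

# Reference values a verifier would hold for an unmodified image.
EXPECTED_CRC = region_crc(SAMPLE_IMAGE, REGION_START, REGION_LEN)
EXPECTED_TAG = region_tag(SAMPLE_IMAGE, REGION_START, REGION_LEN, DEMO_KEY)


if __name__ == "__main__":
    bad = tampered_copy(SAMPLE_IMAGE, REGION_START + 5)
    print("known-answer CRC of '123456789':", hex(crc16_ccitt(b"123456789")))
    print("original region CRC:", hex(EXPECTED_CRC))
    print("original matches CRC:", crc_matches(SAMPLE_IMAGE, REGION_START, REGION_LEN, EXPECTED_CRC))
    print("tampered matches CRC:", crc_matches(bad, REGION_START, REGION_LEN, EXPECTED_CRC))
    print("tampered matches HMAC:", tag_matches(bad, REGION_START, REGION_LEN, DEMO_KEY, EXPECTED_TAG))
```

Two properties matter in practice. Any CRC detects every single-bit change inside the hashed region, which is why a one-byte edit there fails the check; but a change outside the region is invisible, so what the check covers is as important as the algorithm. And a CRC is not a cryptographic function: anyone who knows the polynomial can compute matching values, so where the party holding the data might be adversarial, a keyed MAC such as the HMAC shown is the right tool, and the secret key (not the algorithm) is what the verifier has to protect.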
WHAT IS CLEANING?
Cleaning a card and cleaning an image mean two different things. Cleaning a card is required for a looped card, or a card for which the backdoor key is unavailable. Cleaning a card image is part of the normal process of programming. Read the programming guides for further information.
WHAT IS CLONING?
Cloning is the process of copying an image from one card, and putting it on another card. You can read more about cloning in this forum, and be sure you understand the risks of cloning before you decide to clone.
WHAT IS AN ECM?
An ECM is an Electronic Counter Measure, used by the satellite company to (they think) shut us down, but (we think) keeps this hobby challenging.
WHAT IS EMULATING?
Emulating is using a computer to emulate a smart card. Instructions are processed by the computer, and passed along to an H card, which is used only for the ASIC chip. This is considered to be the safest form of testing today.
This info does not even begin to cover the beginnings of programming. There are newbie guides that will give you good instructions for programming. This is available in the file section of this board, which is available to premium members. Also available are all the scripts, and the programs used to process the scripts. Another good resource is the Constantly Asked Question forum, and I recommend that anyone getting started read ALL the posts there. The best advice I can give anyone is to read, read, read. After that, read some more. We like to help, but sometimes people just come on board and ask "How do I program my card?" without looking through the resources that we have available to us. As you can see, there are many issues we need to deal with, and the answer will usually be a referral to the resources already out there. (You can see how long this post is already, and I haven't really told you any procedures of manipulating your card). Don't be offended if someone tells you to read some more. It's because we feel that you haven't demonstrated even a basic understanding of this hobby. You need to read some more so you don't screw up. Lastly, if you do have a question, give us enough information so we can help you. Questions like "I programmed my card and it don't work, what should I do now?" don't give us any clue as to what you did, how you did it, what are the symptoms, what messages you got along the way, what scripts you tried, and so on.
Lastly, as many times as I attempted to keep this post current, the "rules" change constantly. It's always best to do your homework and read the current state of the hobby, the current "how to's" and read what the knowledgeable people advise in the forums.
Lastly, I'd like to tip my cap to the many people who have been instrumental in keeping the hobbyist happy, those who selflessly provided us with the tools of the trade:
Thanks to the DSSU and the many members who helped us have some fun and solved some problems along the way.
And Dave? We love you too.