| How To Guides | Files | Links | Toplists | Forums |
|
|
 Syndrome Nagra2 cards, AVR-X Nagra2 cards Newby Dictionary : 00'd: A term used to describe a card that may be looped and sending 0x00 out its serial port, but more likely, it is a card that has been damaged in such a way that it isn't sending anything out its serial port. Many com port UARTS report such an absence of data as 00 rather than as nothing at all. If 00'd card is merely looped, it should be easily glitched out of the loop by present technology unloopers, but if the card does not pop after repeated glitching attempts, it is probably an ice scraper. 3M: Literally translated, 3M stands for "Three Musketeers." The term is used to describe the "all for one and one for all" ethos of the purist hacker/hobbyist. It's origins go back to satellite decoder/descrambler box days when the hacks those units used would get the owner "all" the channels so long as they were subscribed to at least "one" channel. Hence, the "all for one" analogy. 3M script: Scripts that are generally released to the public to use freely. Early 3M scripts were especially hazardous to use because DTV also had quick access to them and could easily target them with ECMs. Later 3M scripts employed stealth and spoofing methods that protected the cards from being looped or damaged by ECMs which resulted in DTV deploying other ECM methods like the black list and frequent updates. 745: Short for the infamous "Call ext. 745" screen message which came to mean that a card's .BIN had made DTV's dreaded blacklist. 752: Short for the latest dreaded screen message "Card not compatible" which indicates that an H-card has been inserted into a 5th generation receiver that has taken the "Wink" firmware upgrade that rejects all H-cards (unless the H-card has an HU CAM ID and ZKT tables written to it). 99'd: A term used to describe a card that has gone into a loop due to failing an initial check performed when the card is first reset. Present technology unloopers easily pop 99'd cards. Activation: The most basic type of script. Activation scripts essentially replicate the tier loading process DTV uses to activate cards. The advantage of activation scripts is that most of them didn't alter the card in ways which DTV could use to discern the card from a normally subscribed card. The disadvantage of such scripts is that the tiers quickly fall off the cards so the card needs to be reprogrammed often. You also have to go through the motions of purchasing PPVs when using such scripts. Atmel: A major manufacturer of microprocessor chips. In DSS hacking, the term "Atmel" has become a generic reference to the Atmel 90s2313 chip found on most unloopers. ATR (Answer To Reset): A process not unlike the handshaking/negotiation process that modems use to establish communications with one another. In DSS application, the ATR is a data string the smart card sends out to a programmer in response to a reset attempt. The data string tells the programmer the operating parameters the card requires to communicate so the programmer can make the necessary adjustments to accommodate those parameter requirements. The ATR string for any normally functioning H-card should always be 3F 78 12 25 01 40 B0 03 4A 50 20 48 55. AUX Card: An H card that is enslaved in an emulation setup. It is isolated from the data stream and DTV's wrath and only its ASIC is being used. BasicH: Windows-based program used to save, clean, edit and load .BIN files. One of the two essential tools for DSS hacking, the other being WinExplorer. The predecessor of BasicH was Viyada. .BIN file: A file created by reading a smart card via a programmer which contains both the card's CAM ID and ZKT table as well as the contents of the card's EEPROM. In the past, .bin files could only be loaded and saved by programmers and programmer-specific software directly and had to be converted to .IMG format files before they could be used by unloopers and unlooper-specific software. Present technology software and hardware now make it possible to use .bin files with unloopers as well. Black list: An ECM deployed by DTV which effectively rendered any non-subscribed/never-subscribed H-card useless unless it was cloned by applying the CAM ID and ZKT table from a legitimately subscribed card to it. DTV accomplished this hacker's nightmare by literally cycling the CAM IDs of the vast majority of non-subscribed/never-subscribed H-cards in the datastream. If an IRD detected a match between a CAM ID in the datastream and the card inserted in it, the IRD was instructed to reject the card. Black Sunday: January 21, 2001. The day DTV played real hardball with hackers by making use of the dynamic code writing capabilities they placed on all H-cards via the USW31 through USW63 updates. DTV deployed an ECM that checked a wide range of addresses on the H-card for data that would only appear on hacked cards. If the IRD detected such questionable data, it was instructed to write to the boot sector of the card which sent the card into a loop that, for all intents and purposes, is a permanent corruption of the card. Although hackers quickly developed hardware and software that made it possible to bypass the loop and use the cards again, the damage to the card was, again, for all intents and purposes, permanent. Bootloader: A hardware device that resembles the old wedges/card condoms of early DSS hacking days which uses a programmable chip to bypass the boot sector loop on H-cards that were hit by the Black Sunday ECM. Much to the chagrin of DTV, these devices were developed and made available for purchase a scant few weeks after Black Sunday. Boot loop: The permanent boot sector loop placed on H-cards by the Black Sunday ECM rendering the cards unusable without the aid of hardware and firmware/software to bypass or glitch through the loop. BS: Short form of "Black Sunday." BS Card (BSed Card): An H-card permanently looped by the "Black Sunday" ECM. CAM: Conditional Access Module. The technical name for any DSS smart card/access card. CAM ID: Conditional Access Module ID. A unique serial number programmed on your DTV smart card. This serial number is 4 bytes in size and is also printed on the back of the smart card along with it's bar coded equivalent. The CAM ID is appears in the form XXXX XXXX XXXC. The first eleven digits (shown as Xs) are the CAM ID in decimal form. The 12th number (shown as C) is used to authenticate the CAM ID and its value is based upon the 11 digits proceeding it. Card condom: A hardware device similar in appearance to today's bootloader boards. It consists of a printed circuit board (PCB) with a card socket/receptacle at one end to house the smart card and solder contact points on the other end to match up with the card socket/receptacle inside the IRD. These devices contained programmable microprocessor chips and were designed to prevent ECMs from writing damaging code to the smart card. They enjoyed very short useful life spans however, because DTV quickly deployed ECMs that rendered them useless. These devices also were called blocker boards and wedges. Clean: To remove all non-standard data from a DSS smart card. This is accomplished by using software and programmer to load the card's EEPROM into memory, clean it of any data that does not match the software's predefined parameters for a virgin status card and then writing the resulting cleaned EEPROM file from memory back onto the card. Cleaning can also be accomplished by using an unlooper to write a non-clone image (.IMG) file of a card cleaned to virgin status to a DSS smart card. Cleaners: An individual or company that unloops cards. Clone: The process of writing the CAM ID and ZKT tables from one DSS smart card to another. This process became not only very popular, but downright essential to large numbers of DSS hackers when DTV deployed the blacklist ECM because so many cards were being used by hackers that had either never subscribed the cards or had cancelled their subscriptions when they started hacking. Datastream: The signal beamed down from DTV's satellite to your dish. COR FILE : The same as a BIN file simply renamed so the the emulator software recognize it. It is essentially a modifies BIN that lately contains a 3M program that is activated by using the /n0 switch on the command line of the sle44e_p.exe file. Dave: Nickname e for DTV. DTV: DirecTV. The enemy... ECM: Electronic Counter-Measure. Any alterations to either the data stream or to DSS hardware that DTV periodically deploys which are designed to thwart hackers. Most early ECMs were targeted at specific hacks and took the form of updates to the access cards which closed holes the hacks were exploiting. More recent ECMS such as the black list, Wink and Black Sunday ECMS targeted all hacked H cards in general. ECCM: Electronic Counter-Counter-Measure. A largely unused and archaic term used to describe virtually every type of hack from wedge and blocker boards to public and private scripts designed to evade ECM damage by preventing DTV from being able to write to access cards at will. EEPROM: Acronym for electrically erasable programmable read-only memory. An EEPROM is a special type of PROM that can be erased by exposing it to an electrical charge. Like other types of PROM, EEPROM retains its contents even when the power is turned off. Also like other types of ROM, EEPROM is not as fast as RAM. EEPROM is similar to flash memory (sometimes called flash EEPROM). The principal difference is that EEPROM requires data to be written or erased one byte at a time whereas flash memory allows data to be written or erased in blocks. This makes flash memory faster. EEPROM DUMP: The contents of a smart card read off by a utility and saved as HEX or BIN files Emulator: Most commonly, a term used to describe a system consisting of a PC, an emulator board, a programmer or programmer/unlooper, an H-card and less commonly, a bootloader board. When the aforementioned devices are connected together and used with emulation software, they enable the PC to create a faux access card in memory which interacts with the IRD just as a real access card would. At the same time, the actual access card's EEPROM is totally isolated from direct interaction with the IRD and only the actual card's ASIC is used strictly for video decryption. As a result, any EEPROM writes the IRD is instructed by the datastream to perform are written to the EEPROM in the computer's memory rather than to the actual card's EEPROM. The most bulletproof DSS hack available, the emulator was the last hack running when the F (P1) datastream was shut down and will likely be the last hack standing when the H (P2) datastream ends... (see figure below)
"F" card: (a.k.a. P1 card) The predecessor to the H-card, F series cards look just like H cards but they contained a Motorola 68HC05SC21 microcontroller core, 6K bytes of ROM, a 3K EEPROM, and 128 bytes of RAM. F cards have serial numbers less than or equal to 0000 3999 9999. Although they can no longer be hacked for watching TV, F cards can still used to receive the music channels by using the Vortex script with WinExplorer on them. FF'd: A term used to describe a card that may be looped and sending 0xFF out its serial port, but more likely, it is a card that has been damaged in such a way that it isn't sending anything out its serial port. As is the case of 00'd cards, Many com port UARTS report such an absence of data as FF rather than as nothing at all. If an FF'd card is merely looped, it should be easily glitched out of the loop by present technology unloopers, but if the card does not pop after repeated glitching attempts, it is probably an ice scraper. Flash (flashing): In DSS hacking, the process whereby programmable chips on unloopers and bootloader boards are programmed or reprogrammed either in-circuit (on the unlooper itself) or via a stand-alone chip programmer. In the case of in-circuit programming on older unloopers, usually the process requires using a flash module (an executable file run under DOS) to program the chip and then physically removing the chip and isolating a pin (usually by bending it outward so it does not make contact with the chip socket) and reinserting the chip into the socket. On newer unloopers, it isn't necessary to remove the chip or bend any pins as switches and/or jumpers have been provided to perform the necessary chip pin isolation. If a stand-alone chip programmer is used, depending upon the design, the flash modules may be used directly or an interface program may be required and .bin or .hex format files may need to be used instead of the flash modules. Flash upgradeable: In DSS hacking, an unlooper which can be upgraded (reprogrammed) via the commonly available flash modules without any physical alterations to the unlooper being necessary. This term became part of the DSS hacking lexicon because some older unloopers required capacitor substitutions before they would accept a flash upgrade. Glitch (Glitching): The H card is actually a computer. If it has good +5v power, and a nice stable clock, it will do whatever it is supposed to do. Sometimes that's not what we want.... An unlooper can selectively glitch (reduce the power) for a very short period at exactly the right time to corrupt a single program step. It can also briefly change the clock speed to accomplish the same end. The idea is to glitch the card at a known point where it is doing something it wants to do, and cause the on-card program to progress on to code that you want to run. Most always this will be code that will then talk to the i/o line and accept further commands from it. Finding good glitch points usually means studying the disassembly of the rom and eeprom code, figuring out the exact branchs that the code is making, and counting the number of clock cycles each step is taking to get there. Then, the unlooper software sends a command to reset the card, and starts counting real clock cycles. When the calculated count is reached, glitch the card. If this seems complicated, it is. Actually it's worse. (definition courtesy of Zeromedic) "H" card: (a.k.a. P2 card) The predecessor to the HU-card, H series cards look just like F cards but they contain a RISC microcontroller emulating an 8051 microcontroller, 8K bytes of masked ROM, a 4K EEPROM, and 256 bytes of RAM. The big difference between the old F cards and the H card is that H cards also contain an ASIC (Application Specific Integrated Circuit) which is used for video decryption. H cards will have a serial number between 0000 4000 0001 and 0001 7000 0000. "Hashing: An ambiguous term generally applied to any deliberate interruption of channel reception by DTV as either a prelude to an ECM or as a result of an ECM. In the prelude form, DTV will intermittently interrupt channel reception to test the effect a new modification of the datastream will have on legitimate subscriber's cards. If the hashing proves successful (no negative subscriber feedback), then DTV will deploy the modification in the datastream continuously (result form) which results in total channel blackout for those using cards targeted by the ECM. A good example of this kind of hashing occurred a few times when DTV was adding the 31st through 63 updates to the H-cards in small increments of a few updates at a time over a period of several months. When an update packet was deployed and DTV was sure that all legitimate subscribed cards had taken the updates, DTV would first momentarily send down the datastream modification and those using stealthed cards that had not taken the updates due to being write-protected by the stealth code on them would see periodic brief blackouts or pixelization on their TV screens. Usually, within 24 hours of the first signs of hashing, cards without the updates on them would see nothing but the "Please insert a valid access card" message on their TV screens. Sometimes, false alarms of hashing are raised by the uninitiated because of the effects of "rain fade." Hex: Specifically, short for hexadecimal. In DSS hacking terms, the standard Intel HEX file format used to load and save code to an access card's EEPROM with an unlooper. Though unlooper files have .IMG extensions, they are identical to files bearing the .HEX extension used with such applications as chip programming software. The file format is a standard ASCII text file composed of lines of text in the Intel HEX file format. Every line contains a single HEX record. Records are made up of hexadecimal numbers that represent machine language code and/or constant data. Every record is made up of five fields that are arranged in the following format: :llaaaatt[dd...]cc Each group of letters corresponds to a different field, and each letter represents a single hexadecimal digit. Each field is composed of at least two hexadecimal digits-which make up a byte-as described below: : is the colon that starts every Intel HEX record. HU Card: From what I understand, the HU card was a last minute substitution for the J card that DTV had originally planned on issuing as a replacement for the much-compromised H cards. Supposedly, security weaknesses were discovered in the prototype J cards so the HU was developed and issued instead. It is my understanding that the most notable differences between the H and HU card is that the HUs contain dual ASICs and come from the factory with dynamic code writing capability. HU cards will have serial numbers greater than or equal to 0001 7400 0000. Hughes: The corporation founded by eccentric billionaire Howard Hughes that was a pioneer in aircraft and space technology. Hughes Corp. developed the first American satellite-based TV transmission network. Ice scraper: Term used to describe an access card that is so completely dead that the only use its owner might be able to make of it is to use it to scrape ice off his or her windshield. The saddest term in the DSS hacking lexicon... .IMG file: A file created either by reading a smart card via a programmer or unlooper and converting the resulting .BIN file into a standard Intel hex file which can then be loaded onto an access card via an unlooper. Unlike .BIN files which contain both the card's CAM ID and ZKT tables as well as the contents of the card's EEPROM, .IMG file content can be selectively controlled by either using conversion process options or simply by selective editing. The conversion options method produces the two most commonly used .IMG formats. Those two formats are known as clone and non-clone images. A clone .IMG file contains the same code a .BIN file contains (i.e. the contents of the card's EEPROM including the CAM ID and ZKT tables). A non-clone .IMG file contains all of data from the EEPROM except the CAM ID and ZKT tables. This makes it possible to use .IMG files to make complete copies of cards (clone) or to simply transfer the hack from one card to another without altering the target card's CAM ID or ZKT tables (non-clone). With selective editing, it is also possible to create .IMG files which contain nothing but updates so that an unlooper can add updates to a card without changing any other data on the target card. IMG files can only be applied to a card with an unlooper. IRD: Integrated Receiver-Decoder. Any make or model DSS receiver. Actually, a more accurate name for a DSS receiver would be an Integrated Receiver-Decoder-Programmer because an integral part of every receiver is the on-board programmer which adds programming tiers and updates to subscribed cards. IRD number: A unique 4-byte ID number programmed into every IRD/receiver at the factory. The IRD number enables DTV to send instructions to any single IRD via the datastream without affecting any other IRD. The IRD number is also used in a process known as marrying where a new or unmarried access card inserted into the IRD is immediately programmed by the IRD with the IRD number. From that point on, that card will only work in the IRD that it is married to. The marriage process was designed to prevent people from using a legit subscription card in more than one receiver thus forcing people with multiple receivers in their homes to subscribe them all. It also prevents someone with a premium subscription to take their card over to a friend or relative's home who subscribes at a lower level and using it in their receiver. Most hacks overcame the marriage process by implementing code that allows a card to marry every receiver it is inserted in. ISO7816: A standardized set of specifications for smart cards defined by the International Standards Organization. The kinds of specifications which are defined are things such as X-ray sensitivity, static discharge vulnerability, physical flexibility, size, assignment and position of contacts and communication parameters. I once attempted to read the specifications (they are on the web) but my head exploded... "J" card: The once-rumored replacement for the H-card. Keys: In addition to the CAM ID and ZKT tables, each access card has things called keys programmed into them at the factory. These keys are used to check if messages/commands received by the card are authentic. There are three varieties of keys on each card. The first type of key is known as a public key which is used to authenticate messages/commands sent to all cards. The second type of key is known as a group key and is used to authentic messages/commands addressed to groups of cards. The target groups can be either groups of 256 cards or 65536 cards. The last type of key is known as a private key and is used to authenticate messages/commands to a single card. These keys permit DTV to selectively target cards for messages or modifications. Loop (looped): A deliberate or accidental corruption of the code on a card's EEPROM that causes it to go into a constant cycle of repetitive code execution causing the card not to accept any further queries or commands. Marry: When an access card is first inserted in an IRD, it is immediately programmed by the IRD with the IRD number. From that point on, that card will only work in the IRD that it is married to. The marriage process was designed to prevent people from using a legit subscription card in more than one receiver thus forcing people with multiple receivers in their homes to subscribe them all. It also prevents someone with a premium subscription to take their card over to a friend or relative's home who subscribes at a lower level and using it in their receiver. Most hacks overcame the marriage process by implementing code that allows a card to marry every receiver it is inserted in. Master Clone: The source card that is copied onto other cards. Merlin: An early Windows-based program used for applying scripts to access cards. It used script files bearing the .SCR file extension. NDC: News DataCom. The company owns your access card (their claim of ownership is printed on each card). NDC also created the code on the cards. Pegasus: An early Windows-based program used for applying scripts to access cards. It used script files bearing the .SCR file extension. Pixelization: Frozen and distorted video frames which are most often caused by weather interference somewhere in the line-of-sight signal path between the DTV satellite(s) and your home dish. Less often, you may experience pixelization due to heavy solar flaring (sunspots). You may also experience pixelization as a result of hashing. PPV: Pay Per View Programmer: A device used to read code from and write code to an ISO7816 compatible smart card. Sometimes also referred to as a Phoenix reader/writer. It is one of the two most common hardware devices used in DSS hacking (unloopers being the other). Programmers write code to cards in segments and require verifications of each segment from the card before proceeding onto the next segment. Rain fade: Intermittent or total loss of channel quality or reception due to heavy rain (and sometimes snow) blocking the line-of-sight signal from the DTV satellite(s) to your dish. In lighter rains, you may just experience periodic pixelization (frozen and distorted video frames), while heavier rains may totally block your reception and result in the "Searching for satellite" message on your TV screen. Script: A file that contains instructions to load or remove code on a card on a line-by-line basis. Scripts must be executed from within an interface program such as WinExplorer. Scripts were mostly used for loading hacks onto a card, but with the advent of Black Sunday, nowadays scripts are mostly used to clean and AUX or deAUX cards for emulator systems. Spoof: A hacking method that fools the IRD/receiver by making a card look like it contains valid data when it actually does not. "Spoofer" type scripts redirected IRD CAM ID queries to a different area on the card than where the real CAM ID is normally stored so that it would see a valid CAM ID that had been placed there while allowing the card to retain it's original CAM ID even though it may have been blacklisted. This method of hacking was implemented to protect cards from an ECM that might be deployed against cloned cards. Stealth script: A script containing code that closes the read/write holes normally used by DTV so the card becomes essentially write protected and therefore protected from ECM damage. Stealth scripts were especially susceptible to hashing as soon as DTV deployed a new update because the cards they were on would not take the updates. Test Card: A programmed DSS access card. Rumor has it that they came to be called "test cards" because DTV installers would use cards that got all the channels available when "testing" new DTV customer setups. DTV dealers also used to have such cards in their display units in their showrooms. Tier A tier is a group of channels that have been activated (turned on) on the card. There are 12 tiers on a card. Tier Wipe: DTV’s method of deleting unauthorized channels from cards. Transport IC: A chip inside the IRD that filters the data stream and passes only the data that is targeted for general distribution or for that particular IRD number and/or CAM ID of the card in the IRD. UART: (Universal Asynchronous Receiver-Transmitter) A computer chip that handles asynchronous serial communication. The newer 16550 UART contains a 16-byte buffer, enabling it to support higher transmission rates than the older 8250 UART. This is especially important to DSS hackers who are using emulator systems because the 16550 may enable slower PCs to sustain emulation more reliably. Unlooper: The Swiss Army knife of DSS hacking hardware!! Put simply, a device used to read code from and write code to an ISO7816 compatible smart card. However, unlike programmers which are designed to do the same thing, unloopers write code to cards in a single continuous stream. This makes them much faster than programmers. Also, unlike programmers, unloopers have an on-board programmable Atmel microcontroller which make them dynamic devices capable of ongoing adaptation to the ever-changing requirements of DSS hacking. Programmers, on the other hand, have no such on-board programmability, thus they have remained static devices which are rendered useless by any card not operating within the constraints of the ISO7816 operating parameters. The on-board programmable Atmel microcontroller has allowed the unlooper to quickly adapt to DTV's ECM inflicted damage to access cards including the permanent damage done to them by the Black Sunday ECM. Unloopers have been able to repair or bypass such ECM damage via their ability to "glitch" cards. Nowadays unloopers are also referred to as SCRTs (smart card repair terminal), All-In-Ones, SCGs or programmer/unloopers. At present, they are the only devices capable of loading code onto HU cards. Update: New data periodically sent down the datastream by DTV to add to, change or eliminate the code on a card's EEPROM. In a few instances, updates cam merely be bug fixes to the existing code on the cards. However, even if not immediately apparent, the overwhelming majority of updates have been ECMs designed to counter the ongoing adaptations hackers have made. USW: Update Status Word. A counter built into the access card that indicates the number of updates the card has taken. This makes it easy for DTV to update cards that have not taken the latest updates and can also be used by DTV as a checking method to see if a card is a legitimate subscribed cad or not. Since "stealthed" scripts prevent writes to a card, if DTV deploys an update, stealthed cards will not allow the update to be written to the card and as a result, the USW counter on the card will not be properly incremented to reflect the new update. DTV can then send out instructions to all IRDs to hash any card that is not at the correct USW and thereby hit hacked cards without interfering with the operation of legitimate cards. Valid bin file: Strictly speaking, a .BIN file from a programmer or unlooper that was created by reading a currently subscribed H card. Loosely speaking, any .BIN file that is not on DTV's blacklist which may include F-card bins, H-card bins that were somehow not included on the blacklist or H-card .BIN files containing an HU CAM ID and ZKT tables. Valid sub card: A currently subscribed card. Virgin card: Another archaic DSS hacking term that was used to describe an H-card that had never been placed in the datastream and contained no updates whatsoever. Over time, the term "virgin" has also come to mean any card that has never had a hack applied to it. Viyada: BasicH's predecessor. It has proven useful even today in cases where cards have had their USW accidentally corrupted to a value less than 26. Wedge: An early DSS hacking device which plugged into an IRD and was equipped with a card socket to hold an access card (a similar physical configuration to today's bootloader boards). It was designed to temporarily add the appropriate tier to the card whenever the IRD was tuned to a channel requiring that tier. Some wedges also incorporated so-called "blocker" features that prevented DTV from writing to the cards. Like blocker boards, wedges proved to be short-lived hacks that DTV quickly shut down. WinExplorer: A Windows-based program which is used to load scripts onto cards. It is one of the two premiere tools of the DSS hacking hobbyist, BasicH being the other. Wink: Initially designed as a firmware upgrade for IRDs that would allow DTV subscribers to request additional information about advertiser's products, DTV saw it as an opportunity to augment the phase out of H-cards by tacking on additional code that caused 5th generation RCA receivers to reject any H-card placed in them. .XPL file: A script file containing commands to write or remove code on a smart card. The .XPL file extension was created for the early DOS-based DSS program Explorer. The .XPL extension has subsequently been replaced by the .XVB extension and the newer scripts are designed to work with the Windows-based WinExplorer program that replaced the old Explorer program. .XVB file: A script file containing commands to write or remove code on a smart card. The .XPB file extension was created for the newer Windows-based DSS program WinExplorer. The .XVB extension replaced by the .XPL extension that was used with scripts written for the old DOS-based Explorer program. .XVBENC An encrypted script file containing commands to write or remove code on a smart card. Used by dealers to protect their codes from copying. ZKT: Acronym for "Zero Knowledge Test". Encryption
tables on every card which proves the authenticity of the CAM ID to the
IRD. |