How Star Trek Breached The Defences Of A Major Broadcaster

Back in 2020 in the brief lull between COVID lockdowns in the UK, I found myself abruptly on the move, with a very short time indeed to move my possessions into storage. As I was going through the accumulated electronic detritus of over four decades, I happened upon a grey box with some wires hanging out of it, and more than a few memories. This was a Sky VideoCrypt decoder, and the wires were part of the so-called “Season” interface to attach it to the serial port of a PC. It had this modification in the hope of catching some unauthorised free satellite TV, and in its day this particular hack caused some headaches for the broadcaster.

When More Than 4 Channels Was A Novelty

Patrick Stewart, as Captain Jean-Luc Picard. Composite image, via Wikimedia commons.
Break encryption? This man can make it so. Stefan Kühn, CC BY-SA 3.0.

In the 1980s and early 1990s, there was very little in the way of digital broadcasting on either satellites or terrestrial networks, almost everything on TV was sent out as standard definition analogue video. The four terrestrial channels where I grew up were all free-to-air, and if you had a satellite dish you could point it at any one of a variety of satellites and receive more free-to-air channels if you didn’t mind most of them being in German. Premium satellite programming was encrypted though, either through a range of proprietary analogue schemes, or for the British broadcaster Sky’s offering, through their VideoCrypt system. This used a 64 kB buffer to store each line of video, and rotate it round any one of 256 points along its length, resulting in an unintelligible picture.

Sky was the UK’s big gorilla of premium broadcasters, a role they kept for many years, and which was only eroded by the advent of streaming services. As such they snapped up exclusive first access to much of the most desirable content of the day, restricting it to only their British pay-to-subscribe customers. A viewer in the UK who grumbled about Star Trek Next Generation not being on the BBC could at least cough up for Sky, but if they didn’t have a British address they were out of luck. It was in this commercial decision, whether it was based upon business or on licensing, that Sky unwittingly sowed the seeds of Videocrypt’s demise.

 

How Trekkies Broke An Encryption System

Star Trek is a very popular program in our community. And it’s popular not just among British hackers, but also among Germans, who sadly couldn’t get a Sky subscription to watch it. This provided all the motivation needed for one of them to set to work, and from that was born the interface I had inside my hacked VideoCrypt box. It was called Season7 after TNG season 7, and it worked by having the PC emulate the smart card supplied to subscribers by Sky.

A scrabled TV picture
VideoCrypt in action. Zcooger, CC BY-SA 4.0.

At this point it’s worth explaining from memory some of the workings of a VideoCrypt decoder. Hardware-wise it had the video interfaces and that 64 kB line buffer, controlled by a processor which matched the sequence of line flips to that transmitted. The encryption itself was determined by a piece of software running on a microcontroller in the smart card, which talked via a serial link to another microcontroller in the decoder. This then fed the codes to the main processor. The Season7 code ran on a PC and emulated the smart card, and the “hack” was a MAX232 level shifter between the smart card serial pins and a PC serial connector.

In the early 1990s there was not a lot in the way of home internet usage in the UK, so the Season software would arrive passed around on floppies that some lucky person with USENET access had downloaded. The mystery German Star Trek fan soon found himself in a battle of wills with Sky, who changed the cards and tweaked the algorithm in an arms race that meant trying to watch Sky with Season was a patchy affair at best. There were a few of us in my local radio club who played around with it, but it’s fair to say that as a TV service, it was cumbersome and unreliable. Eventually Sky released a new card that couldn’t be cracked by Season, then moved to an all-digital system, and this particular chapter in hacker history drew to a close.

Our Mystery Hacker Went On To Great Things

Thirty years later and having a nose around the Internet, I’m pleased to find that not only does the mystery German hacker have a name, he also posted a Season FAQ back in the day. He’s now an academic at Cambridge University, his name’s Markus Kuhn, and his FAQ can be found in his university website. It’s a trip down memory lane for me, and a realisation that had I had an internet connection of my own back in 1994 my Season usage might have been more successful.

This is a thirty year old tale of a long-gone technology, but it’s a little piece of hardware hacker culture from that decade that’s worth recording. I’m sorry to say I didn’t have the room for my VideoCrypt decoder, so it went into the e-waste. Meanwhile, after Sky’s first broadcast rights to TNG season 7 expired it aired on the BBC and other terrestrial channels, so I, and presumably the Germans too, were able to watch it legally.

Header image: Riton99, CC BY-SA 4.0.

40 thoughts on “How Star Trek Breached The Defences Of A Major Broadcaster

  1. My parents have just cleared out the attic, and as such, I’d imagine the VideoCrypt box and its associates have gone to the bin.

    Among them though, was an unusual card. It was a “smart card”, but the contacts led out to a socketable chip. I’m going to assume the code to hack videocrypt was eventually put on microcontrollers and the point of this was that you could just get a new chip when Sky updated the encoding?

    While we’re on sky hacking. One I’ve heard, but not seen in action, is that if you canceled your subscription, sky would have to wipe the actual card which was sent OTA. However the issue was this required either a larger voltage or current than was needed to read the card. This meant you could modify a Sky box so it wouldn’t be able to wipe cards. People would sign up for a while, cancel and still get their channels!

    1. Similarly, one of my family members had a specific sky digital box which would give all the PPV events for free with the application of a 9V battery across the phone line terminals. Really weird glitch that I have barely seen anyone else talk about since.

      1. The socketed chip was likely a PIC16C84, they were reprogrammable so your friendly local card dealer would probably exchange the card or you could as you say, swap the chip

        There were also Atmel alternatives and some other variants but the PIC ones were most common.

        The 9V battery trick worked to fool the boss into thinking it was connected to a telephone line.

        The people who designed the system built in that particular “glitch” so that your Sky box would authorise PPV and call home later in case their dialup servers ran out of capacity.

        So while you could watch a number of PPV events, if you ever connected it back to a real phone line your next Sky bill would be a shocker.

  2. DirectTV free per view with an emulated smart card.

    It was great, but there was a downside.

    If you fell asleep watching a movie, the channel you were watching sometimes switched to porn. Sometimes gay porn. Wake up screaming like Kinison. I’m a _victim_! Give me free stuff!

    1. People can find stuff disgusting or offensive without being bigoted. It’s no different than disliking pea soup for the bitter taste – while other people don’t mind it at all. That point is just rejected by people who adhere to theories of social determinism and conclude that anyone who doesn’t agree with their habits must be a victim of outdated normative conditioning.

  3. Reminds me of that time in the 2000 where you could get Sat boxes that could break DirectTV and Bell TV Nagravision II encoding, that lasted until they switched to Nagravision III.

  4. One system in LA inverted the video and sync pulse. So the fix was to add a sync pulse and reinvert the video. Had such a box, but the system went bankrupt soon after.

    1. That was the old old analog cable scramble.

      You could unscramble it with a t and a cutoff length of coax. The trick was to tune the length so the reflection of the synch pulse landed at ‘close enough’.
      Wasn’t great, putting a new rom in the box was much better.

    2. If I recall correctly, there were 2 OTA analog encrypted TV channels in Los Angeles circa 1985. One inverted the video every few seconds. The other added a sine wave at the horizontal frequency to the video, timed so that horizontal sync couldn’t be detected. That second system used a Signetics PLL chip in the decoder; they bought exclusive rights to the chip so that nobody else could use it.

  5. You know what I find interesting about this is that the Sky satellite receivers were often manufactured by Amstrad. The scrambling scheme seems, in a way, to be quite similar to the anti piracy measure incorporated into the Amstrad (CPC) 464+, 6128+ and GX4000 computers/consoles. The cartridges had a chip called the ACID chip that would skew timings of the data read from the EPROM which would prevent a pirate game cartridge from running. The gate array in the machine would unscramble the data by synchronising with the ACID chip in the cartridge, so you couldn’t (easily) burn copies of games to a ROM and run them on the console or computer. Probably just the way it was always done back then, but I find it fun to think that maybe the two things were related.

    1. I’ll have to disagree. VideoCrypt and the ACID protection are nothing alike. ACID just takes address bits from the bus and uses them to derive a single-bit pseudorandom signal. If that ever differed to what the system ASIC generated internally, the reset line would be asserted – there’s no scrambling or timing changes at all.

  6. I remember a similar system with DirecTV back in the late 90s/early 2000s. The decryption key was sent along with the video stream but it was hashed. The smart card contained a lookup table and a hashing algorithm, when you tuned a channel, the box would query the card, if the lookup table showed it was a subscribed channel, the card would spit out a hash that the box would use to decrypt the video stream. (I think in the earlier ones, the card was just a lookup table but later ones the card contained some processing as well, since when something got hacked they’d send out new cards).. So this thing you could build plugged into the smart card slot of the box and was connected to a PC via serial port, since the hash was something like 32 bits you could brute force it with an average desktop CPU, and then it would spit whatever back at the box and you could watch the channel.

    I want to say that up into the mid-2000s maybe even the 2010s one could get a DVB-S tuner card for a PC and the appropriate key file (if one didn’t want to just brute force the keys) and then watch Dish or DirecTV for free, but the advent of streaming services dropped the demand for satellite piracy to the point that nobody has bothered to crack any of the newer systems.

    1. It was called “tiers” . The tiers were a 16bit table that determined what your channel access rights were. There were a few different methods to circumvent the system: The first smartcards (F-Cards) were Motorola processors which had hardware debugging left in which allowed full access. The next gen (H-card) had 8051 processor with crypto coprocessor that handled the video decryption. The exploit was a simple buffer overflow; coding standards were not that great so you could overflow an input function on the smartcard and run code on it which allowed you to reprogram the tiers to give you everything. The satellite guys countered by downloading hashing code to check the cards for changes and brick them. We countered by developing voltage glitching to get back into the card to reprogram it again. It was cat and mouse: the cards would go down and we would counter with some new code to defeat their code. The card after that (Hu card) was TMS370 processor with crypto coprocessor and encrypted rom. We managed to get and read the rom encryption, get into the card, all through voltage and clock glitching and did the same; tier reprogramming, decryption command bypass and emulation. Also I built my own personal exploit which ran on a reprogrammed card with a reprogrammed set top box that ran undetected until they changed out the card.

      Eventually we started writing emulators to just emulate the smartcard processor altogether and uploaded separate code to the smartcard to control the crypto-coprocessor to handle the decryption. I think it was a 56bit DES key every 8 seconds. The emulators couldn’t be stopped because they looked just like a normal card to the set top box for the most part except when it came to the instruction that was pass/no pass for video decrypt the emulator always passed the instruction. Any code they wrote to check the integrity of the smartcard would look like it was a genuine smartcard. There was no brute force. That’s the device you are thinking about: computer emulating a smartcard with a smartcard adapter that fit in the slot of the set top box and then a smartcard reader for the original card which was now reprogrammed to just handle the key decryption.

      (old school for-reals hacker popping their head up to share this fun bit of history)

      1. Haha, cool and thanks for sharing the stories and history. I never got involved with the scene but I really enjoyed learning about it. It would be fun to see a podcast interview with both the DTV engineers and hackers who were active at that time!

        I worked for an electrical contractor that had me doing some work at a DTV uplink facility for a few months. I really enjoyed taking to the microwave technicians at lunch and learning all about RF and how satellite worked. I made the mistake of asking specific questions about how their encryption worked, they just went silent and ended the conversation. I think that was shortly after the ‘game over’ update, hahaha!

      2. please, what was the difference between VideoCrypt 1 and VideoCrypt2 (for Multichoice)? Was a different decoding algorithm used?

        I was most interested in the D2-mac era. How did the hackers get to the algorithm and the keys? Even AU keys, was there such a weak protection of the processor security in the cards?

  7. The story of the Sky hack is indeed fascinating but there’s so *SO* much more to it and the back story of how NDS (essentially Sky TV’s security company) in Israel were linked to THOIC BBS and Lee Gibling is just incredible, then there’s also the stories of how somebody hacked and essentially destroyed the business model of Sky’s only UK competitor subscription TV service.

    Fascinating stories of piracy and counter piracy as well as industrial sabotage and subterfuge.

  8. The old days of satellite hacking, I remember those times with a smile. As a 17-year-old, I was in school and had to do an internship. My internship was at an electronics store where the old “founder” was still the director of four stores and had a few rules. One of them was “you must know what you sell!” The director allowed us to take things apart, study them, take them home, etc. This way, when a customer was interested, you KNEW what you were selling.

    In the early 2000s, we were selling everything from electronics to loose components like resistors and semiconductors, CCTV, PA equipment, and… satellite receivers. In those early days in the Netherlands, there was symulcrypt, a combination of IRDETO and SECA. Most channels, like FilmNet, were still on IRDETO, and with a gold card (PIC16F84 and Eeprom), it was possible to program your own card and watch these “for free”. It was during this time that I got my first satellite receiver, a Pace 600 if I recall correctly. It was a receiver brought in with a broken F connector, and the customer wanted a replacement with SECA.

    The Pace was IRDETO only, had about 6 or 8 “bouquets” (starting channels), but it was mine! After installing a satellite dish, I went experimenting and eventually modified the “fat IRDETO module” that was sticking in the back with another processor so it could also descramble SECA. One thing led to another, and at that time, I was interested in “getting the channels,” not because I needed them… but because I could :-)

    During this time, SECA was becoming “a thing”, and several other providers like SKY, etc., were possible to decode with a FunCard (AVR). At this time, we were “shop hacking” the Humax receivers 5400Z to the “non-Z” version. I think Humax got complaints or something; it was the “Rolls Royce” for satellite hacking. We built a JTAG Z board for these so they became “regular 5400’s again”. Multiple satellite setups with a positioner were the playground.

    At this time, the “official” CanalDigitaal receivers from Philips (6072/6071) became interesting. A firmware was written so it would accept FunCards, not only the legal CD cards. The first install was nerve-wracking; it was over a serial connection and took about 9 hours on the private receiver of a colleague (also a tinkerer). After exploring and playing with this, we showed it to “the boss”; he was interested and funded the JTAG programmer, instead of 9 hours of programming, it was done in 5 minutes. At this time, symulcrypt was ending / ended. No more IRDETO, SECA only.

    The Humax and patched Philips receivers were fun. Parallel to this, there was this thing from Dream Multimedia, the Magic Module. A programmable CI module for different encryptions (when loaded with the right firmware). There were rumors that Dream was making its own receiver, a LAN-connected Linux-based receiver. As of this moment, I knew it… I wanted it… badly :-) This made me contact “some grey paths”; while not yet available through official resellers, I got one! No more “cards burning,” just a BIN file. Some scripting, and you had an auto-updating satellite receiver. The support and scene grew instantly, and many tools, firmware updates (official and alternative), were available. I have used the Dreambox for many years until there was the end of SECA(1), and SECA2 became a thing. In the early years, there was some tinkering, and at times, it was possible to decode SECA2. There were closed-source “pirate cards” selling for way too much money, and people reverse-engineering these cards. Cardsharing became a thing; why hack it when you can share your card with friends? I’ve connected to several servers, but the fun was gone. I really enjoyed “hacking” the system, experimenting, etc., not just connecting to a server…

    After moving abroad, I started the hobby once over, using the Dreambox sat-finder to install the dishes at the new place. At this time, I was in my early 30s and enjoyed a parallel hobby, XBMC. Knowing XBMC from the original XBOX days, it came and went. XBMC provided a multi-room setup for movies and series (on an NAS and different… um… alternative sources), and I started the hobby with satellite again. This time streaming the satellite to XBMC. The backend was a server with TVHeadend, a 2-port DVBS card, and… yes… an official CanalDigitaal card in a USB-connected reader.

    The fun was back, playing with my own “cardserver”, scraping the EPG, and providing streaming TV throughout the house without the need for coaxial cables and several satellite receivers. This solution, a thin client with XBMC at the TVs and the server with TVHeadend, worked flawlessly. CanalDigitaal kept pushing the monthly fees and shrinking the bandwidth. Where once digital satellite TV was quality, it became shoddy. The problem, no internet connection besides an ADSL line with 20K download (that is Kilobytes….). The solution eventually was a directional antenna, pointed to the Netherlands (~2.5 km) and a business, unlimited internet GSM subscription. About 700K instead of 20… I was in heaven!

    About 5 years ago, the town was fitted with fiber, a stable 100/100 connection, so the GSM link went away. The costs of watching CanalDigitaal and the poor quality made me do a sidestep to streaming TV over the internet, with better quality and much better price. Having small kids, a job with irregular hours, and several other influences made the switch complete. IPTV was the new SatTV, but… we weren’t watching live TV as before… With Netflix, Prime, and all other sources of TV on demand, we only used it to watch some programs and the news…

    In 2024, satellite and streaming IPTV have ceased to exist, leaving only a few (of course shared :-) ) IPTV on-demand services. As I write this, I find myself reminiscing about the past, when hacking was still a hobby rather than just connecting to a server. It involved using your soldering skills, and devouring countless articles and posts to stay ahead or in line with the countermeasures from the provider. That’s what I miss—the cat and mouse game, not the multitude of TV channels.

      1. It doesn’t. I viewed it over a multiple-hundred-megabit-per-second cable that costs me a fraction of what people pay in first world countries. But I do care for unnecessary web bloat.

  9. “You really need to rengeotiate that data plan if 16MB screws you over”

    Said by someone in a 1st world country with low cost cell plans.
    (vs the other half of the world)

    Just Saying……………….

    1. Other peoples lack of bandwidth is not my problem.

      I’d go so far as to say it’s unlikely to be their concern either.
      There are lots of places in the world where they can’t even buy ammunition. Priorities, Maslow etc.

  10. Animated PNG: https://hackaday.com/wp-content/uploads/2024/03/Videocrypt_scrambled_frame.png (16 MBytes)
    Webm: https://josuah.net/paste/R25PICH0lz2A0dVdDw9X/Videocrypt_scrambled_frame.webm (2.3 MBytes)
    Gif (poor quality w/ dithering): https://josuah.net/paste/8p9InxdDGOWeVhXgzZis/Videocrypt_scrambled_frame.gif (4.3 MByes)

    Interesting! :)

    > but if they didn’t have a British address they were out of luck

    That reminds me of NHK: only available to the Japan residents due to a private contract with the broadcast company. And all expats are stuck out of their daily morning news to stay in touch with their culture the way they used to.

  11. German speaking countries had their own scrambled satellite channels that sparked the pay tv hacker scene. First there was the Swiss Teleclub channel that used the Payview III scheme to scramble the signal. In the early 90’s Teleclub spawned the German channel Premiere and both channels continued to use Nagravision Syster until analogue tv died.

    Payview III didn’t use a key. According to the internet it just messed up the sync signals.

    Syster permuted the lines of the picture and required a chip card or statistical analysis to undo the permutation. Markus Kuhn wrote a paper in 1998 about the algorithm.

  12. This has been going on a bit longer than Jenny suggests, although with a bit of social hacking. It’s well described in the movie “The Duke” which is a very fun movie. Hint: Helen Mirren costars.

  13. Thanks for that article, a real blast from the past!

    By the way, if anyone here still finds in their attic a VHS cassette of a scrambled VideoCrypt programme, I would be quite interested in digitizing it, just out of historic curiosity, to answer a few questions about how exactly VideoCrypt operates on the TV signal.

Leave a Reply to slaxCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.