-
33C3 preroll music
-
Herald: So… coming over to our next talk.
-
Tonight, if you switch off
your DECT phone, and
-
if you’re full of different impressions
-
– full of different impressions of this
day you maybe want to watch TV.
-
But it would be cool to have pay-TV
– unencrypted pay-TV.
-
So Chris Gerlinsky asks himself the same.
And how to achieve unencrypted pay-TV
-
– but the Hacker way. So Chris
reverse-engineered nothing less
-
than the signal and the encryption for
a standard that remains unencrypted
-
since the late 90s. Please welcome with an
Anniversary Edition applause Chris Gerlinsky!
-
applause
-
Chris Gerlinsky: Hello everyone.
My name is Chris Gerlinsky.
-
I am a hacker from Canada and I’m here
today to talk about how I cracked
-
digital cable and satellite TV security.
I studied an Access Control Platform (ACP)
-
that’s widely used across Canada and the
USA. It’s one of the two common platforms
-
that’s used in cable TV,
and it’s also used in satellite TV
-
by one of the two Canadian satellite TV
operators. As far as I know the system
-
has remained secure since it was
introduced in the 1990s and I was curious
-
if I could understand the system based on
the older set-top-boxes. Some of them
-
are 15 years old – and they are still in
use. So these devices haven’t received
-
upgraded security hardware in that time and
I started looking at how the system works.
-
Before I get into the reverse engineering
I’ll start with a brief description of how
-
digital television is sent over satellite
or cable. Satellite and cable digital TV
-
are pretty similar for the most part. There
are a variety of signal modulations used.
-
The relevant ones here are QPSK at about
27 MBit/s and 8PSK Turbo FEC at about
-
38 MBit/s for satellite and QAM256 at about
38 MBit/s for cable. There is also an
-
out-of-band channel used by cable
which is QPSK modulated at 2 MBit/s.
-
This out-of-band channel carries the
subscription-management, program guide
-
information, firmware upgrades, etc. And
while you change channels and the cable
-
box tunes to different frequencies this
out-of-band channel remains tuned
-
so that the box continuously receives the
state, and no matter what TV channel you’re
-
tuned to. In the satellite TV this type of
data is included within the main transport
-
stream (TS) instead of in a secondary
out-of-band TS. The video is sent
-
as MPEG2 or H.264 TS. This is a standard
format for carrying video streams.
-
So it can be played by any hardware video
decoder or software decoder, e.g. VLC.
-
And the encryption system used here is
called DigiCipher 2 (DC2), which does not
-
follow the DVB standards that are used
in the rest of the world. The MPEG-TS
-
is made out of packets of 188 bytes.
Each packet has a PID. This is used
-
to differentiate different types of data.
PIDs range from 0 - 0x1FFF.
-
Each PID carries an MPEG Packetized
Elementary Stream (PES).
-
That’s a video or audio stream.
Or the PID may carry one or more
-
Service Information Tables. The Service
Information Tables have an 8-bit table ID
-
and a length of up to 1024 bytes
including a CRC32 for error detection
-
and this table ID identifies the type of
data that you can expect within the table.
-
Table 0 is the Program Association Table,
containing a list of programs carried
-
in this TS and the PMT PID for each
program. The Program Association Table
-
is always on PID 0. Table 2 is the Program
Map Table which contains the list of PES
-
and the PID for each as well as an ECM
PID. There is Program Map Table
-
for each MPEG program or TV channel
that’s found in the stream.
-
The ECM PID is where ‘Entitlement Control
Messages’ are sent containing information
-
that’s used to generate the key that
decrypts the Packetized Elementary
-
Streams. This system uses two types of
ECM. Table 40 I call ECM40, and Table 41
-
I call ECM41. On PID1 there may be
one or more conditional access tables,
-
table ID No.1. These tables identify a PID
that carries EMMs, ‘Entitlement Management
-
Messages’. These messages are used to set
access rates for individual set-top-boxes.
-
The subscription information, like, what
channels are available is carried inside
-
of EMMs. This is a hardware interface to
receive satellite data, a Genpix SkyWalker-1.
-
The DC2 QPSK modulation isn’t widely
supported in USB or PCI DVB-S devices.
-
And the 8PSK Turbo FEC modulation support
is even less common. And one of the devices
-
that does support these signals is this
Genpix device which is using a Broadcom
-
BCM4500 demodulator. And it supports both
the DC2-QPSK and the 8PSK modulations.
-
It works well, the Linux drivers need to
be re-compiled to include the support
-
for these modes, and patches for this were
published by updatelee. There’s a link
-
on the slide. For cable there’s a variety
of adapters supporting QAM256 de-modulation.
-
I used a USB HVR 950Q tuner. Unfortunately,
to tune the out-of-band channel is generally
-
not supported by the off-the-shelf
interfaces. Inside the cable box
-
it’s handled within the integrated chip
set. And for the ClearQAM consumer
-
devices such as USB interfaces access to
the out-of-band data isn’t actually required
-
so they don’t include it inside of the
hardware. This out-of-band data is used
-
only for pay-TV services.
-
With the satellite and cable interfaces
DVBsnoop can be used to view a lot of
-
information about the transport stream.
It’s enough information to be
-
quite overwhelming. So the trick to using
it is being able to sift through the output
-
for the relevant information. DVBsnoop
also doesn’t recognize all of the
-
DigiCipher 2 tables because it’s a non-
standard system, and DVBsnoop is targeted
-
towards the standard systems. So DVBsnoop
may not be able to tell you everything
-
about the transport stream but it was
still a very useful tool for all the
-
information that it can provide.
-
DVBsnoop and most other tools and
documentation are designed for the DVB
-
standard or other recognized standards
such as ATSC. DigiCipher cable
-
and satellite systems use a lot of
non-standard tables to carry
-
the system information. For cable TV some
of these tables are standardized by
-
the document SCTE 65.
There is no BAT or SDT
-
as you’d expect in DVB. Instead there
is a virtual channel table that maps
-
the transport streams and programs the
channel numbers. The electronic program
-
guide is also not DVB standard. So you
don’t even get the current and next
-
program information in any
kind of a standard format.
-
Another cable TV adapter is the HDHomeRun
Prime. This one is a network-connected
-
three-tuner device with cable card
support. The set-top-boxes I studied
-
pre-date the cable cards. Although the
newer boxes do use the cable cards,
-
and they support the DigiCipher 2.
But cable card support does also mean
-
that this HDHomeRun Prime includes the
tuner and QPSK demodulator for the
-
out-of-band channel. So it is able to pass
this data to the cable card, as necessary.
-
However, even the HDHomeRun doesn’t
make this out-of-band data available
-
other than the cable card interface. So
to access the demodulated out-of-band data
-
I tapped in to the HDHomeRun Prime with
a cable card inserted, and connected
-
a logic analyzer to the Data and Clock
signals. I wrote software using the
-
Saleae SDK to capture the QPSK demodulated
data. Then, in software, I performed
-
de-interleaving, de-randomization,
and the forward error correction.
-
And the output is an MPEG transport
stream. So using an HDHomeRun Prime
-
connected to the logic analyzer, connected
to the PC running the software
-
the output finally is a 2Mbit/s transport
stream. And this transport stream
-
looks like a standard transport stream,
and inside are the conditional access
-
management messages, program guide
information etc. Everything that was
-
missing from the main
QAM transport stream.
-
Two bits in each packet will indicate if
the packet is scrambled with the even key,
-
odd key, or not scrambled at all.
The key is changed at short intervals.
-
DVB systems typically will change every
5 .. 30 seconds. DC2 every 133 ms
-
or 1 second. The key used for decryption
alternates between even and odd.
-
The odd key is in use while the even key
is updated; and then the even key is
-
in use while the odd key is updated.
An encrypted transport stream is sent
-
via the cable or satellite, and it’s passed
through the descrambler in the ACP.
-
And the result is a decrypted transport
stream that is played by the MPEG decoder.
-
The descrambler uses a Working Key.
This is a 56-bit DES key that changes
-
every 133ms, or in some cases they have it
slowed down to changing every 1 second.
-
This Working Key is generated by
encrypting the frame count from ECM40
-
packets with the Program Key. The Program
Key, again DES, comes from the ECM41
-
message, and is encrypted with the
Category Key. The Program Key
-
is unique to each channel, and it changes
daily or for every pay-per-view event.
-
The Category Key, also DES, is shared
by all the set-top-boxes that authorize
-
for any channel from this provider. The
Category Key is sent to each set-top-box,
-
individually, inside the EMM95 message.
And this Category Key typically changes
-
monthly, but many cable operators change
keys much less frequently. Some of them
-
are using the same key for years at
a time. To decrypt the EMM, in order
-
to get the Category Key Seed Keys are
used. Each set-top-box has a set of
-
56 bit DES Seed Keys inside of
battery-backed RAM. These are
-
initialized during manufacturing. For the
lifetime of the set-top-box these keys
-
are used to secure EMMs. So this
forms a chain from the Seed Keys,
-
initialized during manufacturing and never
changing, to the decryption of the MPEG
-
transport stream.
-
Inside the satellite
set-top-box we can see the main
-
components of the system. The signal
enters the tuner and is passed
-
through the demodulator which
outputs a serial transport stream.
-
This transport stream passes through
the ACP – Access Control Processor –
-
and is then sent to the MPEG decoder
to output a video signal to the TV.
-
A 68k microcontroller acts as the set-top
box main controller. It communicates
-
with the MPEG decoder as well as
with the ACP via an SPI bus.
-
A battery provides backup power to the
ACP. So it will retain RAM contents
-
even when the set-top-box is unplugged.
There’s a TVpass slot near the power
-
supply. This is an upgrade slot with
a card edge connector to allow
-
for security upgrades. The system
-
stayed secure, so the TVpass slot was
never used. And the newer set-top-boxes
-
don’t actually include a TVpass slot
inside. So at this point it seems
-
quite unlikely that this TVpass card
will ever actually be used.
-
Inside the cable set-top-box… it’s
very similar to a satellite set-top-box
-
but the cable boxes tend to be more
tightly integrated. The signal enters
-
the tuner and passes through a Broadcom
chip that handles demodulation.
-
And the same chip will also handle MPEG
decoding after the transport stream’s been
-
decrypted by the ACP. A 68k microcontroller
acts as the set-top-box’s main controller.
-
Again, talking to the ACP via SPI.
And a battery provides backup power
-
to the ACP, and also to the non-volatile
RAM used by the main controller.
-
A TVpass slot is underneath the main
board, it’s not visible in this photo.
-
The cable set-top-boxes include a second
tuner that’s used to receive
-
the out-of-band data. This OOB tuner
operates independently of the main tuner
-
and on a separate frequency range. And
it’s used to provide a transport stream
-
containing the system information, with
the program guide, firmware updates,
-
EMMs etc.
-
Here we see the ACP chip. It’s a 100-pin
TQFP package. From the markings
-
we can see it’s a custom System-On-Chip
made for General Instrument Corp. (GIC).
-
All the decryption is performed by the
ACP, and all decryption keys are kept
-
only within this chip. The newer set-top-
boxes use newer versions of the ACP.
-
I studied the original ACP chip
that’s seen in this photo.
-
As long as the set-top-boxes using this
chip are actively used it remains
-
a relevant target. Whether the newer ACPs
include more advanced security features
-
or if they exist only for cost-savings
due to shrinking the die size
-
I don’t really know.
-
Some of the interesting pins on the ACP
are labeled here. Pin 1 is marked
-
at the top left corner of the chip.
There’s an SPI slave controller
-
on Pins 1 - 5, used for communication
with the set-top-box main controller.
-
There’s a battery backup pin that’s
connected to a 3V battery to keep
-
the RAM contents of the ACP intact
at all times. There’s a serial transport
-
stream input on pins 88 - 92 which
receives the data from the demodulator.
-
And there’s a serial transport stream
output on pins 28 - 33 which sends
-
the decrypted transport stream to the
MPEG decoder to be output to the TV.
-
At one point I had written software for
an AVR32 device, not the one that’s
-
shown here, that has a synchronous serial
peripheral, that supports sending and
-
receiving data at the 27 MBit/s rate of the
transport stream. My AVR32 implementation
-
turned out a bit ugly. But rather than
cleaning up I was able to use it as it was.
-
It had some limitations like only accepting
64kB of data for replay logging.
-
Which was just barely good enough for my
studies. What the transport stream
-
logging in-circuit digital mean was
-
that the transport stream passes through
the ACP with selected PIDs being decrypted.
-
And then the output is the full transport
stream but a selected program has been
-
decrypted. The AVR32 logging interface
had rather limited use for me.
-
Later on when I did more thorough research
I did so using an ACP that I’d removed from
-
the box and I put on a breakout board.
And then I could control the clock, and
-
at that point it was much easier to use an
XMEGA AVR platform to send and receive
-
the transport stream through the ACP
at a much slower bit rate. Shown here
-
is the XMEGA platform I settled on using
-
for SPI and also the transport stream
interfacing. To honor the data
-
passed between the set-top-box main
controller and the ACP on the SPI bus
-
I used the XMEGA development board. Two
SPI ports acted as slave with Master Out -
-
Slave In (MOSI) signal connected to 1 and
Master In - Slave Out (MISO) signal
-
connected to the Master Out - Slave In
input of the second port. So from one port
-
Bytes sent by the set-top-box
controller are received.
-
From the other port it receives
-
bytes from the ACP. In case I want to talk
directly to the ACP or the set-top-box
-
main controller it’s only necessary to
connect both the MOSI and MISO signals
-
on one of the SPI interfaces. By holding
the main controller in Reset my XMEGA
-
was able to act as the SPI Master and then
talk to the ACP. So this setup works for
-
passively monitoring the SPI communications
in the set-top-box and can also act as
-
the SPI Master for interrogating the chip
directly.
-
By logging the SPI bus between
-
the main controller and the ACP we see
that information about the current access
-
levels are sent from the ACP. The ACP
also receives EMMs via the SPI bus.
-
EMMs have been filtered by the Unit Address
number, or the set-top-box serial number.
-
So the ACP only receives messages
that are intended for that specific unit.
-
Command 04 includes the current Category
Key epochs and Keyselects in use.
-
Command 05 includes the Unit Address
number. Command 13 returns the authorized
-
Subscription tiers for this unit. Commands 7
and 87 provide information about the channel
-
being currently decrypted. Additionally,
via the SPI interface the set-top-box
-
main controller tells the ACP which PIDs
to decrypt and which is the ECM PID.
-
The ACP doesn’t send any keys on the bus,
and it only receives Category Keys that
-
are encrypted within EMMs via the SPI.
So all of the really interesting data is
-
contained within the ACP chip itself, and
it’s never sent out on any kind of a bus.
-
So next I started an invasive study of the
chip – studying it under a microscope.
-
And the cost of microscopes can range from
hundreds of Dollars to tens of thousands
-
of Dollars, or even higher for things like
electron microscopes or other specialized
-
equipment. I have a couple of microscopes
that I use. This one is a Mitutoyo FS70
-
microscope. These Mitutoyo are often used
for microprobing, but you can also use it
-
for other uses. For this project I didn’t
do any microprobing but I used this
-
microscope because it was what I had. For
studying this kind of technology you could
-
use even more basic equipment but,
of course, if you have the higher-end
-
equipment it’s a lot nicer to work with.
-
Another microscope I use is the Zeiss
Axiotron. This microscope is designed
-
for inspecting wafers and has really good
optical quality. I said that more basic
-
equipment could be used and it’s true.
But when you get into this kind of thing
-
you might find yourself again and again
investing in more equipment.
-
I've owed $10.000 in this setup including
the microscope and the camera and the
-
scanning stage and other parts. To look at
the chip under the microscope requires
-
that the chip is de-capsulated.
Fuming Nitric Acid is used for this.
-
The chip is immersed in heated red Fuming
Nitric Acid which reacts with the plastic
-
packaging and removes it. The chip is then
rinsed in acetone, and cleaned with
-
isopropyl alcohol in an ultrasonic bath
which leaves the die bare and clean.
-
The Nitric Acid is quite aggressive,
and it’s important to handle it carefully.
-
But the process is really straight-forward.
Most people probably wouldn’t want
-
to do this in their home.
-
So you should go out to the garage
and use your fume hood there.
-
After the decapsulation the bare
chips are left with bonding wires attached
-
to them. So these wires will be plucked
off using tweezers to get them
-
out of the way. Already in this photo we
can see some of the larger structures
-
on the chip. Half of it is covered with
a metal plane, and the other half
-
shows some kind of visible circuitry.
-
This is an image of the chip under the
microscope. It’s been stitched together
-
from several smaller images,
to give an overview of the chip.
-
Looking at the decapsulated chip we see
the bond pads around the outside,
-
a metal plane covering the top part of the
chip and wires on the bottom of the chip,
-
the spaghetti logic running all ov er the
place. With a couple of structures
-
that look like they could be a type of
memory. There’s a lot still hidden
-
from us. To see more of the chip
it will be necessary to delayer it.
-
To delayer the chip I used hydrofluoric acid
to perform a wet etch. I used the Whink
-
Rust Stain Remover product. It’s available
in hardware stores all over the USA.
-
It’s a dilute HF solution that works
really well for delayering ICs.
-
I put a small amount of the Whink liquid in
a beaker and heated it on the hot plate.
-
Then I dropped the decapsulated die in.
Using a pipette I agitated the liquid
-
to disturb the bubbles that form on the
surface of the chip. So the acid can
-
actually chip more evenly. The etching
result isn’t perfect. Some parts of the chip
-
will be etched deeper than other parts.
But I’ve gotten quite useful results using
-
this technique. You really don’t wanna
breathe in these fumes, so do this
-
in a fume hood in your garage, also.
-
After a short time immersed in the heated
Whink solution the chip was rinsed and
-
put back under the microscope.
Now the top metal plane has been removed
-
so we can see what’s below. There are
some visual effects that we start to see
-
in the photo from the etching being
a little bit uneven. But overall
-
the delayered chip looks quite good and
able to start studying it. At the top left
-
the tall rectangles are RAM. The four
blocks at the top right are ROM.
-
And then there’s logic that tie
these into the logic area below.
-
I was interested in finding how the bits
were encoded in ROM. So I continued
-
delayering the chip. This was another dip
in the Whink – and another metal layer
-
has been removed. Bits in the ROM
were not visible yet so I continued
-
the delayering process. At this point
we’re starting to see more of the visual
-
effects from the uneven etching but
it’s still not too bad. After a third dip
-
in the Whink more metal has been removed.
At this point the delayering is becoming
-
more and more uneven. We can see the
ROM blocks have been half-etched
-
to a lower layer while half of the upper
layer is still remaining. The wet etching
-
process can be quite difficult to perform
completely consistently without adding
-
additional steps such as polishing. And
at the time I did this project I didn’t have
-
the polisher available so I was relying
only on the wet etch. Some of the areas
-
of the ROM are now showing visible bits.
The other areas haven’t been etched
-
deeply enough. So I continued to etch
further to try and get a clean ROM.
-
We can see the ROM bits quite clearly now.
They’re arranged in rows and columns, and
-
in this image if a black dot is visible
that indicates that the bit is a One.
-
Image quality is important. The better the
photographs the more consistently the bits
-
will be visible. But it doesn’t have to be
really perfect. You can do some image
-
processing on it, you can even repeat the
process on multiple chips, delayer them
-
and photograph them, and at some point
you’ll be able to have the entire ROM
-
clean and consistently visible. With the
visible bits exposed and photographs taken
-
the bits can be extracted using a software
image analysis tool. Or the bits could be
-
extracted manually. The ROM here is 32 kB
or over 260.000 bits. So manual extraction
-
would be a bit labor-intensive but it
isn’t impossible. A software tool is
-
more efficient. So I wrote some software
to analyze the images and identify
-
the 1 and 0 bits. There are bits marked
with a yellow box for 0 bits or a blue box
-
for 1 bits. I use a software to analyze
the image and then I can quickly review
-
the results manually, and identify any
errors that I can see. After extracting
-
the bits from the photographs I have
a binary version of the ROM data.
-
This is a visual representation of the
bits extracted from this piece of ROM.
-
Little black boxes signify 1 bits,
and the white boxes signify 0 bits.
-
In this image I’ve overlayed the extracted
bottom 13 rows of bits over the photograph.
-
You can see some visual patterns inside
this, also. And these visual patterns
-
are a good indicator that this ROM
is probably not scrambled.
-
This image shows the end of the ROM where
you can see a pattern covering most of
-
the image due to a repeated pattern of
filler bytes that occupy unused space
-
at the end of the ROM. At the very end of
ROM the pattern is interrupted. This is
-
where the vectors table exists at the top
end of memory indicating the reset address
-
and the addresses of interrupt handlers.
The ROM has unused space, the filler bytes
-
at the end. And the vectors table
address is 0xFFF6 through 0xFFFF.
-
After extracting the bits and decoding them
into bytes the hex dump can be studied.
-
There is a “Copyright 1997 CHCC” ASCII
string in ROM which is helpful to identify
-
when the ROM has been decoded correctly.
laughter
-
If you can read the ASCII text then
surely the bits are in the correct order.
-
The decoding in this case was just a matter
of organizing the bits into bytes, it’s quite
-
straightforward, there was no scrambling
or anything else that was complex.
-
With the ROM contents extracted the
software can be disassembled and analyzed.
-
The first step was to identify the CPU
architecture. Studying the binary dump
-
it appeared to be an 8-bit CPU
but wasn’t 8051 or 6805
-
or any of the processor types I tried
first. Eventually, I tried disassembling
-
it 6502 and the code made sense. Later
I had remembered that I had looked at
-
a previous version of the Access
Controller from the same manufacturer.
-
Which was used in another system,
VideoCipher 2+, an ancestor of DigiCipher.
-
On the older chip was a Copyright notice
from WDC who licenses the 6502 core IP.
-
It was visible directly on the chip die
under the microscope.
-
So this would have been a great clue
for the CPU architecture if I had actually
-
noticed it earlier. For disassembly I used
IDA. It supports 6502 and is of course
-
a very powerful disassembler. In addition
to disassembly I used 6502 simulation
-
software to study the software in
a virtual CPU. The simulation is really
-
helpful when disassembling the software.
It provides a lot of insight into what’s
-
going on. Since 6502 is a very well-known
architecture it was not at all difficult
-
to find an existing simulator. Even free,
with source code. The 6502 is used
-
in 8-bit computers, like the Apple II,
in Commodore 64. So there’s really
-
a lot of enthusiasts and a great deal of
information about this architecture.
-
As I gained understanding of the System
On Chip through disassembling the software
-
I began adding some other features into
the simulator to emulate some of the
-
hardware peripherals that were found
inside the ACP, the device itself.
-
One of the first things I saw in the
disassembly was that there are two
-
operating modes. During startup values
in RAM are checked. And if the ACP
-
hasn’t been initialized it enters
a personalization mode used during
-
manufacturing to assign the Unit Address
and Seed keys. In normal conditions,
-
after the set-top-box has left the
factory this personalization software
-
is bypassed and the ACP will always run
its main application. The next thing
-
I found was the application wasn’t very
simple. This 6502 actually runs
-
a task switching operating system. Eight
tasks are run supporting decryption
-
of up to two channels at the same time.
There are two tasks to handle processing
-
of ECM40 messages and generation of the
Working Keys used to decrypt the transport
-
stream. And two tasks to handle processing
of ECM41 messages to generate
-
the Program Keys that are used to process
the ECM40. One task for handling
-
EMM processing. And there’s also a task to
communicate with the TVpass interface
-
for security upgrades. With another task
to handle the messages that are coming in
-
over the SPI interface. Since the ACP
is a custom System On Chip
-
there is no documentation available
describing the hardware capabilities.
-
So the disassembly was studied and the
input/output registers had to be guessed
-
based on the software usage. There’s an
SPI slave peripheral for communication
-
with the main controller. The SPI
peripheral sends and receives data
-
directly to RAM. And then a signal is set
indicating that the transport has been
-
completed. There’s a DES crypto peripheral;
-
key, data and operating mode are set in
registers. And when the decryption
-
has been completed the result can be
read from additional registers. There’s
-
a transport stream descrambler. The Working
Key is set in hardware registers.
-
And the descrambler will then output the
decrypted transport stream on the serial
-
transport stream interface. There are PID
filters set by the set-top-box main
-
controller over the SPI bus. These filters
select which video and audio streams
-
to descramble and which ECM packets should
be received by the ACP. The received ECMs
-
are placed in RAM, and the 6502 is notified
of a new ECM via a register bit.
-
So at this point I’m starting to get an
idea of how the system works.
-
I have studied the MPEG transport stream
and logged ECM and EMM data.
-
I’ve logged the SPI bus, and understand
messages between the set-top-box
-
main controller and the ACP. I was able to
extract the entire ROM contents optically.
-
And I’ve disassembled the software and run
it in simulation. There are some keys
-
that are found in ROM. Fixed keys which
never change and are used when a channel
-
has a “free preview weekend” or something
of the sort. Any set-top-box that has ever
-
had any kind of authorization in the past
is allowed to decrypt channels that are
-
encrypted using the “fixed key” mode. So
now the focus is on understanding the ECM
-
and EMM algorithms within the ROM
software. At this point I’m still missing
-
some important information from the ACP.
All the Seed Keys, Category Keys and
-
Program Keys exist only within RAM.
So to decrypt any of the channels
-
not in free preview isn’t possible yet at
this point. The ECM40 message
-
is used to generate the Working Key, used
to descramble the MPEG streams.
-
There’s a Service ID, used to identify
each channel, and a frame count
-
that’s used with the Program Key
to calculate the Working Key.
-
The crypt mode identifies if the channels
are operating unencrypted, with a fixed
-
key, or with the normal secure keys
which are typically used.
-
The frame count is simply a 24 bit counter
that increments each time the Working Key
-
changes. There’s a byte I’ve labeled
‘Hardware’ that has one bit set in it.
-
This selects a special decryption mode
that I’ll come back to a little bit later.
-
The ECM41 contains encrypted Program Key
that’s needed to correctly decrypt the ECM40.
-
There’s a Provider ID that indicates which
TV operator subscribers this ECM should
-
be processed by. And there’s the same
Service ID that will be found within
-
the ECM40 messages. The Category epoch
identifies which Category Key is in use.
-
There’s also information about how long
this Program Key will be valid for.
-
ECM41 contains one or more subscription
tiers that must be found within
-
the customer’s ACP to allow this message
to be processed. The subscription tiers
-
are written to the ACP when the EMM
containing authorization details is received.
-
There is, again, a hardware crypto select
byte that I will get back to.
-
This slide shows what a half of a second
of ECM40 and ECM41 activity might
-
look like. To be able to descramble the
program the ACP must process a current
-
ECM41 to get the Program Key and then
process an ECM40 to get the Working Key.
-
The Working Key is then used by the
descrambler to decrypt MPEG stream.
-
Until the ACP receives the ECM41 with the
current key as well as an ECM40 with
-
the frame count it’s not yet possible
to decrypt the transport stream.
-
The Working Keys have a short life time,
only 133 ms. The series of ECMs shown here
-
all would happen within a period of a half
of a second.
-
The EMMs are split into
-
four parts. Each part contains a portion
of the subscription information for this
-
set-top-box. A Category Key is calculated
from each of the four parts and the key
-
that is calculated for each part has to
match the others, or the EMM will be
-
rejected, and all authorization in Category
Key will be wiped from this ACP.
-
When the first EMM, part Zero, is received
the authorization data inside the ACP
-
is reset and will be replaced with
authorization data from the EMM.
-
When the next part, part One, is received
the existing authorization data within
-
the ACP from part Zero is hashed along
with the data in part One. If the result
-
is correct then the authorization from
part One is copied into the ACP
-
alongside the existing data from part
Zero. If the result is incorrect then
-
the ACP’s authorization is erased. In this
way the four EMM messages are linked
-
together, and if anything is modified
within any of the EMM messages
-
the authorization will fail.
-
This is an example of an EMM. Each of the
four EMM parts contains some common
-
information, like the Unit Address, and
which Category epoch this EMM contains
-
information for. The EMM can contain two
Category Keys. One for the current epoch
-
and also for the next so that when there’s
the change of the Category Key the ACP
-
already has the next key available.
To decrypt the Category Key from the EMM
-
the Seed Keys contained in the ACP are
used. The Seed Keys are unique to each ACP
-
and are assigned during manufacturing.
EMMs are transmitted out-of-band
-
for cable systems but they’re passed to
the ACP in the same way as for satellite
-
systems. So at the ACP level, there’s no
difference between the satellite and
-
the cable systems.
-
At this point it should be possible to
decrypt channels that are using
-
a fixed-key mode. Analysis of the ROM
has shown the algorithms used to process
-
the ECMs and generate the Working Key.
-
The fixed keys are known because they’re
contained in ROM. There could have been
-
some question about the possibility of
bit errors from the optical ROM extraction
-
process. But the fixed keys can be
confirmed as correct because the ROM
-
software performs a checksum of this
256 byte area that contains the keys.
-
Successfully running the checksum on
the extracted ROM data indicates that
-
the extracted keys seem to be correct.
But when I attempted to decrypt
-
a fixed-key channel there was
a problem, it did not work.
-
Whether it was a bug in my decryption
implementation or something else
-
was unclear. However, I had noticed the
bit in ECM40 was set that causes a bit
-
within the ACP hardware peripherals to be
set. The purpose of the bit was unclear.
-
But its address was suspiciously close to
the transport stream descrambler key.
-
So I started to suspect that there might
be some encryption other than just
-
standard DES.
-
To be able to learn more about the ACP
I started to look at glitchers.
-
If I can succeed to glitch the chip I may
be able to find a way to read and even
-
write memory. And possibly a way to run
my own software directly on the chip.
-
This will allow me to control the hardware
peripherals and be able to observe
-
the chip’s operation under different
conditions. Timing tests of the ACP
-
suggest that the 6502 is running from an
internal clock source. So this will allow
-
a clock glitch attack. A VCC glitch makes
sense, and with the age of this chip
-
it seemed reasonable to expect that it
would be susceptible to VCC glitches.
-
The stronger protections against this
type of attack are relatively recent.
-
My glitcher design is quite simple. It’s
based on an XMEGA development board
-
and breadboard. I use the XMEGA to
communicate with the ACP over SPI
-
and to control the glitch. A 74xx series
4053 analog switch is used to quickly
-
switch the ACP VCC between two voltages,
a normal operating voltage, and a lower
-
glitch voltage. I use a bench top DC power
supply and two outputs so I can easily
-
adjust both the normal VCC and glitch VCC
levels. Other parts on the breadboard
-
are an oscillator to provide some clock
inputs necessary for the ACP to operate
-
and an inverter and NAND gate to cut out
the clock during the time of the glitch.
-
To simplify the test setup as much as
possible the ACP was removed from
-
the set-top-box and soldered to
a break-out board. In this process
-
the battery-backed RAM was disconnected
and all the keys were lost.
-
But for the purpose of developing a
working glitch this was okay. The simple,
-
breadboard-based glitcher is quite
flexible. The breadboard can be modified
-
to test different ideas, and reconfigured
quickly. More complex and advanced
-
glitcher wasn’t necessary.
-
To test the glitcher, to find out if it
will work and what voltage levels
-
are successful we can send a command
to the ACP, then glitch, and then see
-
the response from the ACP. The general
strategy is to lower the voltage just
-
to the point where the chip sometimes
resets due to the glitch.
-
By adjusting voltage levels and glitch
length and timing when the glitch will end
-
I succeeded to cause ACP responses to be
altered. The checksum on SPI packets
-
is very convenient. When unusual data is
received from the ACP chip with a valid
-
checksum it’s a pretty good sign that the
glitch caused a temporary fault within
-
the CPU, but their normal operation was
resumed. Depending when the glitch
-
is delivered different effects are seen.
We can see that generally, as the glitches
-
moved later, it’s the later bytes of the
response packets that change.
-
So at this point it looks like the glitcher
works, and is able to cause a pretty fault.
-
Since I had an effectve glitch I took
the circuit from the breadboard
-
and etched a simple PCB that I could plug
directly on the XMEGA development board.
-
This performs exactly the same function
as the breadboard glitcher but
-
I’m a bit less likely to accidently unplug
a wire from the breadboard and
-
have to repair things. The circuit was
simple enough that I could create
-
a one-sided PCB, so it was very easy
for myself to etch at home.
-
Now my goal is to have the ACP execute
the code of my choice. Because the 6502
-
is a von-Neumann architecture all code and
data memories share the same address space.
-
From software disassembly I saw that there
didn't appear to be any paging or MMU
-
features. The software in ROM is fully
self-contained. There is no EEPROM
-
and RAM is never used to hold executable
code. So there aren’t jumps into
-
these areas to exploit and, in fact, it
wasn’t clear if there’s anything preventing
-
code execution outside of ROM. I decided to
take a chance and test if RAM is executable.
-
So I sent a message via SPI, knowing that
this message will be stored in RAM.
-
The message contained 6502 executable code
that will copy itself to an unused area
-
of RAM, execute from this area and send
an ACK indicating it was successful.
-
Because I studied the use of the SPI
interface and the ROM code I’m able
-
to create this executable payload that
will continue to receive commands via SPI
-
after it’s taken control over the ACP.
-
To try to maximize chances of success
I looked through the ROM code for
-
multi-byte instructions, which, if broken
up, would have contained within them
-
a jump op code with a destination that
should lead to where my executable
-
payload was placed at RAM. Since the ACP
has a single address space this gives
-
a lot of opportunities for glitching to
cause execution to reach the payload.
-
There are multiple scenarios possible in
addition to my selected glitch target.
-
Stack corruption is a possibility, and
really any abnormal program flow has
-
some possibility that it could eventually
land in my code. The von-Neumann
-
architecture, without strong memory
management, is a very fertile ground
-
for glitching. Anything in RAM
potentially could be executed.
-
So at this point there are several
uncertainties, but so far nothing
-
totally rules out the possibility of
success. The ACP operates from
-
an internal clock source. And the
interrupt-driven task switching
-
does add some further timing uncertainty.
So I’ll send the code payload,
-
delay, then glitch, and see the result.
When it’s unsuccessful I change
-
the delay and I try again.
I tried to aim for the instruction
-
that I’ve identified as possibly
corruptible into a jump.
-
But there are a lot of unknowns, so,
really, the processor is like fishing:
-
throw the line and hope. I have
a target but no way to know if I can
-
hit it, or if it will have
the expected result.
-
But sometimes fishing is good.
Relatively quickly the ACP returns
-
an ACK indicating a successful glitch. The
first successful glitch took some hours
-
to find. And then, after this it was
possible to make it work repeatedly
-
in a matter of minutes or even seconds.
So now I have my code executing
-
in RAM, I’m able to send the ACP
additional pieces of code to be executed.
-
This allows me to read any memory address,
write any memory address, and perform
-
any other operations
possible with the 6502.
-
I wrote a simple application to perform
glitch surges, and then to interact
-
with the code payload backdoor installed
in RAM. And this program allows me
-
to enter an address and length and have
data returned. Or write memory etc.
-
There’s also support for setting the key
and data, and performing DES encrypt
-
or decrypt using the DES hardware that’s
inside the ACP. A few things I noticed
-
at this point: there’s a 2 kB area of ROM
that, if I attempted to read it, caused
-
the chip to reset. This area of ROM
contains the personalization routines
-
that are never normally used
after the device leaves the factory.
-
There’s also protection against modifying
the Seed Keys in RAM. Trying to store
-
a value in these memory locations
appeared to do nothing.
-
There are specific addresses within RAM
that can’t be read or the chip will lock up.
-
These are clever traps put in place
as a security measure. The 7-byte
-
56 bit keys stored in RAM stride all these
dead addresses. So a potential exploit
-
that could cause a linear dump of memory
will be stopped before a complete key
-
is ever read. When the chip is reset it
means having to glitch it again, because
-
my code payload exists only in RAM, and
there is no way to hook in a permanent
-
backdoor.
-
Since we can execute code on the ACP the
receiver responds, we can read the ROM
-
to have its contents without any of the
errors that were introduced during
-
the optical extraction process. Comparing
the results of the optical ROM extraction
-
with the proper dump we can see how many
errors were in the optical extraction.
-
Overall the optical extraction was quite
good. It was, after all, good enough
-
to understand the software and get us to
this point. There is only one byte with
-
more than a single incorrectly flipped
bit. Many of the errors that existed
-
were quite obvious from disassembling the
software. If an instruction is out of place
-
but flipping a single bit would make it
sensible then it was probably a bit error.
-
I didn’t keep detailed records but I think
I probably caught about half of the ROM
-
errors during the disassembly process
before I started glitching.
-
The interesting keys in the ACP are all
stored in RAM only. This includes
-
Working/Program/Category and Seed Keys.
The RAM is battery-backed.
-
If the Seed Keys are ever lost from RAM
this ACP can no longer process EMMs
-
and so is useless. It’s possible to glitch
the ACP and read memory, but the glitcher
-
works on an ACP removed from their
set-top-box. When the ACP is in-circuit
-
the connections to other components and
16 VCC-connected pins pose the problem.
-
To glitch the ACP in-circuit we’ll require
some modifications to the set-top-box
-
disconnecting the ACP from other parts.
Or, another alternative is to remove
-
the ACP from the set-top-box and place it
on a breakout board without loosing
-
the battery power and wiping RAM. Rather
than modify the set-top-box, where each
-
of several different models would have
required unique modifications I decided
-
to try to remove the ACP with the battery
still attached. The plan is to carefully
-
lift the Battery and Ground pins while the
set-top-box is powered on providing VCC.
-
I use a small tool I made from a razorblade
using a Dremel tool, then attached
-
the handle of a screw driver. This tool
can be wedged under a pin, then with
-
some hot air the solder will melt and
a single pin can be lifted straight up
-
without damaging any of the other pins.
-
With the pins lifted an external battery
can be attached.
-
After attaching an external battery…
-
applause
-
After attaching an external battery the
set-top-box is unplugged, and the ACP
-
can be removed from the set-top.box using
hot air. The ACP can be removed from
-
the set-top-box, glitched, and can even be
placed back in the set-top-box, if desired.
-
To do this I just use hot air and a lot of
flux. Additionally, once the interesting
-
keys have been extracted it may not even
be necessary to replace the ACP
-
in the set-top-box. The ACP is now placed
on a breakout board and connected
-
with the glitcher. Not all the pins need
to be connected. Only a handful of pins
-
are actually used by the glitcher. You can
also see at this point the glitcher is
-
in a project box. The aesthetics greatly
improved since the breadboard-based
-
glitcher. But the functionality is
identical. The timing of ACP responses
-
is different on a chip with valid RAM
compared to the previous chips
-
that I had glitched before. I didn’t
confirm whether the cause of the timing
-
difference was due to a different
oscillator configuration or just
-
a different software path. But by
adjusting the timing of the glitches
-
the executable code payload runs as it did
on the previous chips. So now we can read
-
the RAM contents of a valid ACP, including
the Category Keys, if the set-top-box had
-
current authorization, as well as the Seed
Keys that are used by this ACP to decrypt
-
EMMs. With a valid Category Key ECMs can
be decrypted, and a cracked Working Key
-
can be calculated for any channel. Now,
with the capability of running my own code
-
of the ACP it’s time to look at the
transport stream descrambling.
-
There’s a hardware register bit that
is set or cleared, based on a byte
-
in the ECM40. When this bit is cleared
standard DES decryption is used.
-
When the bit is set the transport stream
descrambler acts differently. Additionally,
-
there’s an 8-bit hardware register in the
DES peripheral area. When it’s Zero
-
the peripheral operates the standard DES.
For any other value the peripheral acts
-
differently. At this point I started to
think I might be looking at doing
-
a Gate-level reverse engineering of the
chip to understand this functionality.
-
The chip is using technology that’s older.
So reverse-engineering should be feasible.
-
But, if possible, I’d like to avoid all
this extra work. It would be quite
-
time consuming, and might give imperfect
results, similar to the optical ROM
-
extraction. So I started with trying to
characterize descrambling modes.
-
The transport stream packet is made up
of a 4-byte header and 23 blocks of
-
8 bytes each. The DES operates
on these 8 byte (64 bit) blocks.
-
By flipping one bit in encrypted input ECB,
CBC or OFB modes can be differentiated.
-
Flipping one bit causes an 8-byte block
to be corrupted, and the corresponding bit
-
in the following block to be flipped.
This indicates CBC mode is in use.
-
Timing of the input compared to the
decrypted output was measured with
-
the descrambler and standard DES,
and in the custom hardware mode.
-
No timing difference was seen. This
suggests the internal properties of DES
-
haven't changed. Which makes sense
because the decryption has to be done
-
in realtime. So this suggests that crypto
customizations are not affecting
-
some DES internals like the number of
rounds. Also by using ACP as a decryption
-
oracle I determined that the customization
affects each of the 23 blocks of the
-
transport stream differently. Next
I tested the software using DES ‘weak keys’.
-
These are certain keys not recommended
for use with DES because their properties
-
weaken the cryptographic strength.
A key of all Zero or all One bits
-
will cause DES decryption and encryption
to be identical. That is running the same
-
data through Encrypt or Decrypt will give
the same result. I can test this on an ACP
-
configured for standard DES decryption
and see the expected ‘weak key’ behavior.
-
When tested with the descrambler in custom
mode the ‘weak key’ behaviour changes.
-
Using a key of all Zero or all One didn’t
produce the same results in Encrypt
-
and Decrypt modes. Looking at the other
hardware register, testing the DES
-
peripheral with different values in the
8-bit register, and using ‘weak keys’,
-
shows that the standard DES ‘weak key’
behaviour still exists. So my hunch
-
at this point is that one customization
affects the key, and the other customization
-
affects the data. At this point I can’t be
certain, but I have a good feeling about
-
the theory, so I continue to investigate.
-
Based on the idea that the hardware
customization affects only the key
-
and decryption is static I thought the
simplest customization will be an XOR
-
mask that’s applied to the key before it’s
used for DES decryption. XOR requires
-
only a single gate in series of the DES
engine so it fits the requirements of
-
fast and very simple implement in
hardware. A change of even a single bit
-
in the key could cause the observed
effects. Flipping more than 28 bits
-
will be pointless. That’s the same as
inverting a key and flipping fewer bits.
-
More flipped bits means more gates
necessary for the customization, so
-
it makes sense to flip a minimal number
of bits. So I wrote this wonderful FOR loop,
-
nested 16 levels deep, to test decryption
results after flipping one bit of the key,
-
then flipping two bits, then three bits
etc. of the 16 bits. To test all the
-
possible keys will take a long time. But
if only a few bits are flipped then it
-
might be possible to run it in a shorter
period of time. And promising results
-
did come quickly. It turns out the theory
held up. And some of the blocks have
-
as few as three bits flipped. This takes
only seconds for the software to identify.
-
After verifying that these work for XOR
masks, for these logs the software then
-
was left running to find all 23 masks.
-
The simple brute-force method worked,
it ran for a couple of days to identify
-
all the 23 masks. By more carefully
analyzing which bits were being flipped
-
in the early results a pattern can
actually be found. So the search could
-
have been more limited. Using this
technique the software cracker could have
-
completed it in under a second.
-
After successfully solving the first
hardware customization the theory
-
that the second customization is
a Data XOR looks promising. It makes sense
-
that one or more XOR gate is enabled by
each bit of the 8-bit hardware register.
-
Using the ACP as a decryption oracle
a known key in Data were decrypted
-
with all values of the 8-bit register.
Software attack of this function
-
was successful, and 255 XOR masks were
identified, behavior matching what was
-
expected. I haven’t actually seen this
customization in actual use. Presumably,
-
they’re saving it to be used as
a countermeasure against pirate devices
-
when necessary. But it hasn’t been
necessary since the system never had
-
a security breach.
-
laughs
applause
-
In order to implement a Softcam, a software
implementation of the descrambler,
-
a few cryptographic details need to be
identified. But at this point I have
-
all the tools to do so. The initialization
vector used for CBC mode can be found
-
through simple XOR. And the handling of
short blocks – those less than the
-
64 bit DES block size can be identified
likewise. With all these details
-
a software implementation of the
EMM decryption of Category Key and
-
ECM decryption of Program Key and Working
Keys can be made and the transport stream
-
descrambler can also be implemented in
software. The rapid key changes and the
-
use of DES with h/w customizations makes
it a bit different to implement, compared
-
to a Softcam for typical DVB systems,
but overall the concept is the same.
-
And now it’s all working! I was able to
test it, and it’s fully working on both
-
the satellite and cable systems. This
is a screen that’s broadcast before
-
a pay-per-view event goes live. The
pay-per-view, like all other channels,
-
can be decrypted with the Softcam using
the algorithms learned in these keys that
-
were extracted. With the ECM and EMM
algorithms and Seed Keys for a set-top-box
-
with any level of authorization the
Category Key can be decrypted
-
and then used to decrypt any and all
of the channels that are broadcast
-
by this provider.
-
applause
-
A few of the weaknesses that I identified
in this system were that the ACP I studied
-
is relatively old technology, almost
20 years old. So this makes it a lot
-
easier for invasive analysis today
than one that was brand new.
-
The TQFP100 package is quite easy to deal
with compared to modern alternatives.
-
The chip is susceptible to voltage
glitching. It’s a van-Neumann architecture
-
without strong MMU protection preventing
code to be executed from RAM.
-
They didn’t leave any possibility for code
update or dynamic code execution
-
for countermeasure purposes. The software
for the ACP is contained entirely in ROM
-
with no mechanism for software updates in
the field. The hardware customizations
-
to the crypto were quite simple and
required no reverse-engineering
-
of the chip logic. I was basically able to
guess the hardware customizations.
-
I was impressed with the design of the
system. It was actually stronger than
-
I anticipated when I started the project.
All the key handling and decryption
-
is contained within a single chip which
makes it impossible to do key sharing
-
that’s being done with some of the
smartcard systems. The fast Working Key
-
change interval – only a 133 ms – also
makes key sharing more difficult.
-
And the short lifetime of the key makes
cracking it in realtime quite unrealistic.
-
The lack of code in any rewritable memory
means there’s nowhere to write code for
-
a permanent backdoor to disable the
access controls. I listed this also as
-
a weakness but in fact this is a strength
as it limits the attacker’s capability
-
to install any kind of persistent
backdoor. The chip operates
-
on an internal clock eliminating clock
glitch attack and making timing
-
a voltage glitch a lot more difficult.
These dead addresses in the middle
-
of DES keys prevent linear readout of
keys. If one were to cause a loop reading
-
data to go out of bounds and reach the
area of RAM where keys are stored
-
the chip will reset before an entire key
is read. After the first couple of bytes
-
a dead address will be accessed that
causes the chip to reset.
-
The personalization ROM appears to be
inaccessible so it can’t easily be used
-
to modify the keys and Unit Address
within the ACP. The Seed Keys
-
aren’t easily changed so the
set-top-boxes can’t easily be cloned.
-
The keys exist only in RAM so you have to
maintain a battery backup at all times.
-
This rules out a lot of invasive attacks
to retrieve the keys. And there are
-
no group keys used for EMMs. All the
unit addressing is to individual units.
-
So you have to pull keys from an actively
subscribed box in order to get active keys.
-
That said if you have keys from a box
that is subscribed to any channel
-
you’ll receive an EMM containing the
Category Key which is capable of
-
decrypting all channels. So you don’t need
to have a subscription to all channels
-
you want to decrypt as long as you’re
authorized for at least one channel
-
on the system.
-
The software is generally well designed
and written. I didn’t notice any glaring
-
bugs within it. Although DES is used the
EMM decryption requires using three
-
DES keys, and multiple rounds are
performed when decrypting EMM and ECMs.
-
So this part isn’t as simple as
cracking a single 56-bit key.
-
Brute-forcing, starting from the encrypted
transport stream requires cracking
-
Working Key, then Program Key,
then Category Key and, finally,
-
the three Seed Keys.
-
You might wonder how many set-top-boxes
it took for me to complete this project!
-
laughter and applause
-
The truth is I only needed the one…
…truck load!
-
laughter
-
Some of the boxes had different versions
of the ACP chip. Many of the boxes had
-
different PCB layouts. So it was
interesting to be able to look at
-
a variety of boxes. The cost of used set
top boxes was low, ca. $20. And for
-
this research I was focusing on the signal
security and didn’t need the PVR
-
functionality or any of the advanced
features from the expensive set-top-boxes.
-
So at this point I have a brief anti-piracy
message: I don’t recommend you pirate
-
cable or satellite TV. There is never
anything good on. It doesn’t matter
-
how many channels you can decrypt.
Believe me – I looked!
-
It’s not worth the effort!
-
laughter and applause
-
Herald: Do we have questions
from the room?
-
Questions – please use the microphones.
-
I know there is one question
from the interwebs.
-
Signal Angel: Okay, hello.
This is working? Good.
-
So the first question from the internet
is: how many chips did you destroy
-
or make unusable, and how did you
get all those set-top-boxes?
-
Chris: Because the cost of the used
set-top-boxes was quite low I wasn’t
-
afraid to destroy several chips in the
process. It didn’t take as many
-
as I would have expected in the beginning.
Two or three chips were used for the
-
decapsulation and the delayering process.
I ended up extracting the ROM
-
from a single chip. And then, when
it came to glitching, there were
-
three or four chips that I removed and
erased the RAM from to develop the glitch.
-
When I finally got to the point where
I was extracting keys from a valid chip
-
the very first chip that I tried worked.
So there were few casualties involved!
-
Herald: Thank you! Microphone 3
was the first one, please!
-
Mic3: How many years
did this project take you?
-
Chris: I would work for a few weeks at
a time and then get burned out and
-
take a break, and then come back to it.
Most of the work for the project
-
was completed over about a 2-year period.
-
Herald: Thank you. And…
Microphone 2, please!
-
Mic2: Hi, thank you for a great
lecture. How comes that
-
the content decryption was DES and
not a DVB-CSA because we're used
-
that content is encrypted
with DVB-CSA in these DVB systems.
-
Chris: In North America we
don’t believe in standards!
-
laughter
-
Mic2: Thanks!
-
Chris: The timing was also a part of it.
The system was being developed
-
at the same time as DVB was being
standardized. So General Instrument
-
rather than going along with the Standards
Group and waiting for the standardization
-
they went with DES, directly.
-
Herald: Thank you. And another one
from Cyber-Cyber… space!
-
Signal Angel: Okay. Another question from
the internet is: you have all this fancy
-
like lab equipment stuff. How were you
able to afford that?
-
Chris: I’ve been quite interested in this
for a long time. So I’ve collected
-
this equipment over a period of years.
And I do some work, professionally,
-
in reverse-engineering. So whenever
possible I use our client’s money
-
to buy another piece of
equipment for the lab.
-
To do this actual work, though, you could
even use more basic equipment
-
because of the age of the chip. You could
use a microscope that you could find
-
easily for $1.000 .. $2.000 or even less
and have quite good results.
-
So it’s not trivial but it’s not a huge
amount of money for a lab equipment!
-
Herald: Not that huge!
Microphone 2, please!
-
Mic2: What do you do for a living
besides reverse-engineering?
-
Chris: Reverse-engineering!
laughs
-
Herald: Thank you. And the internet!
Again.
-
Signal Angel: Okay. Next question is…
somebody wants to know how…
-
…which software did you use for the
automated image analyzing, and
-
is it available somewhere?
-
Chris: Like everybody else that I’ve known
that’s done optical ROM extraction
-
I developed it myself. Everybody seems
to develop their own tools from scratch
-
for that. The image processing I used was
really quite simple. So it didn’t take
-
a lot of advanced algorithms or anything
like that. So I’m using some software
-
I developed personally, and
it hasn’t been released.
-
Herald: Microphone 2, please!
-
Mic2: And how did you keep the boxes
subscribed? So did you call them
-
every week “Oh, my box broke down,
I got another one”, or how is this done?
-
Chris: For most of the research that
I did I didn’t need an active box. I did
-
all the research just on previously
activated boxes that had lost their
-
authorization. And by the time I had the
process figured out, that I knew how
-
to extract keys from a valid box
I only needed the one box.
-
Mic2: And had you heard back
from the cable provider about this?
-
Chris: No.
-
Herald: Okay, thank you.
Microphone 3, please!
-
Mic3: Hello, thanks very much for the
lecture and ‘well done’ on all the work!
-
My question is: how does the glitching
work, the glitching attack?
-
Chris: The glitcher was quite simple.
I drop the voltage for a very brief period
-
of time. And it’s enough time that it
causes at least one instruction to
-
not execute properly. But it’s too short
of a time to cause the chip to reset.
-
So essentially I’m corrupting one
instruction. It is for the specific target
-
that I hit that led to my code in RAM.
I’m not actually sure. I found that
-
if I glitch it this time then the code
ends up executing my code –
-
good enough for me!
-
Herald: Okay. Thank you, Chris!
Please, dear audience,
-
give an Anniversary Edition
applause to Chris Gerlinsky!
-
Anniversary Edition applause
-
postroll music
-
subtitles created by c3subtitles.de
in the year 2018
