[sci.electronics] Cable

amigo@milton.u.washington.edu (The Friend) (06/03/91)

     I read an article on basic cable scanning - the "how they figure out
if you're getting pay channels for free"... It left me with a few questions
though - first I'll run down what it presented:

     1> Cable descramblers on the cable line are tuned to a FM sub-band
        (typically 106.5 Mhz) that carries programming instructions for
        it. If a pay-per-view or subscription change occurs, it runs down
        the line to your specific descramblers address (each is addressable).
        If you where to use the descrambler for a time without the 
        carrier (block it somehow) - either the cable company's computer would
        send a de-activation signal or it (by default) would shut down
        since it wasn't recieving a signal to resume from the cable company.

     2> The cable technician can walk around your house with a RF detector
        to find out where TVs are located (for multiple hookups & cable
        "leaks"). 

     In the above two, the questions arise - if you have a non-addressable
descrambler, filter, etc. what happens ? I mean those devices which don't
care about what's on the FM sub-band wouldn't be picked up by the cable
company's computer (they don't have addresses).. 
     Also in #2, can the technician actually see what channel a TV is on?
The spec sheet on a RF detector only says it can pick up "mid band TV" - 
meaning it (I think) finds only leakage (bad connections, extras, etc).
   

     NOTE: I'm not receiving anything I'm not authorized to... I'm just
           wondering how far into cable snooping they've got. I mean I
           know they have to find out who's cheating on their bills - but this
           appears to be a major challenge. 


-- 
                                      ///
       Scott Rowin                   ///  amigo@milton.u.washington.edu
       ***********                  /// 
 - SPACE OPEN FOR LEASE -      \-\_///    Amigas really do it better...

jeh@cmkrnl.uucp (06/04/91)

In article <1991Jun3.044218.16908@milton.u.washington.edu>,
 amigo@milton.u.washington.edu (The Friend) writes:
>      Also in #2, can the technician actually see what channel a TV is on?
> The spec sheet on a RF detector only says it can pick up "mid band TV" - 
> meaning it (I think) finds only leakage (bad connections, extras, etc).

there are several ways this can be done in theory.  

For example, when a tv set is tuned to a particular channel, the local 
oscillator in its tuner will be set to about 4.5 MHz higher (assuming 
that tv tuners still work the way they used to, and that the IF is still 
4.5 MHz).  

Another interesting idea is to pick up the hash that is radiated by the 
set's scanning circuits.  The 60 Hz vertical scan is well-modulated into
this hash (put an ordinary AM radio near an operating tv set and you'll 
get a sample).  Now, the different stations carried on the cable are
NOT gen-locked to one another.  One could pick the 60 Hz out of the set's
leakage and compare its phase with that of each signal on the cable to tell
which station was being watched.  

	--- Jamie Hanrahan, Kernel Mode Consulting, San Diego CA
Chair, VMS Internals Working Group, U.S. DECUS VAX Systems SIG 
Internet:  jeh@dcs.simpact.com, hanrahan@eisner.decus.org, or jeh@crash.cts.com
Uucp:  ...{crash,scubed,decwrl}!simpact!cmkrnl!jeh

lrk@k5qwb.lonestar.org (Lyn R. Kennedy) (06/04/91)

amigo@milton.u.washington.edu (The Friend) writes:

> 
> 
>      I read an article on basic cable scanning - the "how they figure out
> if you're getting pay channels for free"... It left me with a few questions
> though - first I'll run down what it presented:
> 
> 
>      2> The cable technician can walk around your house with a RF detector
>         to find out where TVs are located (for multiple hookups & cable
>         "leaks"). 
> 
>      Also in #2, can the technician actually see what channel a TV is on?

Most super-het receivers radiate enough of the local oscillator to be
picked up outside the house. I read years ago about England using this
with mobile units to find out who was not paying the TV receiver tax.
Some cable companies may have people good enough to do this but I doubt
it. Besides they would have to come on your property to determine which
rooms the TVs are in.

This trick is a good way to check around your neighborhood to see who
has police scanners. The older ones radiate well on a freq 10.7 below
the rx freq.


-------------------------------------------------------------------------
                 lrk@k5qwb.lonestar.org        lrk@k5qwb.UUCP
73,              utacfd.utarl.edu!letni!kf5iw!k5qwb!lrk
Lyn Kennedy      K5QWB @ N5LDD.#NTX.TX.US.NA
                 P.O. Box 5133, Ovilla, TX, USA 75154

-------------- "We have met the enemy and he is us."  Pogo --------------

amigo@milton.u.washington.edu (The Friend) (06/05/91)

jeh@cmkrnl.uucp writes:

>In article <1991Jun3.044218.16908@milton.u.washington.edu>,
> amigo@milton.u.washington.edu (The Friend) writes:
>>      Also in #2, can the technician actually see what channel a TV is on?
>> The spec sheet on a RF detector only says it can pick up "mid band TV" - 
>> meaning it (I think) finds only leakage (bad connections, extras, etc).

>there are several ways this can be done in theory.  

>For example, when a tv set is tuned to a particular channel, the local 
>oscillator in its tuner will be set to about 4.5 MHz higher (assuming 
>that tv tuners still work the way they used to, and that the IF is still 
>4.5 MHz).  

>Another interesting idea is to pick up the hash that is radiated by the 
>set's scanning circuits.  The 60 Hz vertical scan is well-modulated into
>this hash (put an ordinary AM radio near an operating tv set and you'll 
>get a sample).  Now, the different stations carried on the cable are
>NOT gen-locked to one another.  One could pick the 60 Hz out of the set's
>leakage and compare its phase with that of each signal on the cable to tell
>which station was being watched.  


     Yeah - I can see how that could work.. but typical cable companies
run junction boxes every pole or so (for multiple houses). Unless they
specifically were at the pole and tapped into your line it'd be impossible
to tell what exact house is doing what. 
     It doesn't work so nicely for descramblers though that "tune" to the
FM carrier for their programming information. These have to bounce back
information I believe (an ID code) to be recognized by the cable computer.
If the ID doesn't match, I'd guess the cable computer would alert someone
that there's an illegal box on-line. They'd still have a tough time finding
it.. it'd just be an illegal ID coded box that kept getting turn-off
 notification from the cable computer.
     One thing that would be interesting though is to tap into the FM carrier
with a PC (using a A/D converter of course). After sequential sampling,
I'd think you could draw some kind of picture as to how the system works. You
could pull a dirty one on the cable company by then rebroadcasting information
on the FM carrier (with a FM broadcaster & a D/A from the PC)... such that
you could allow full access to yourself/everyone on the cable line 
(there's little security about it if you get it working right). I got the
 idea for this one off the cable article - but the hassel of doing it isn't
 worth it in the long run... 



     
-- 
                                      ///
       Scott Rowin                   ///  amigo@milton.u.washington.edu
       ***********                  /// 
 - SPACE OPEN FOR LEASE -      \-\_///    Amigas really do it better...

csmith@plains.NoDak.edu (Carl Smith) (06/06/91)

In article <FaiZ31w164w@k5qwb.lonestar.org> lrk@k5qwb.lonestar.org (Lyn R. Kennedy) writes:
>Most super-het receivers radiate enough of the local oscillator to be
>picked up outside the house. I read years ago about England using this
>with mobile units to find out who was not paying the TV receiver tax.
>Some cable companies may have people good enough to do this but I doubt
>it. Besides they would have to come on your property to determine which
>rooms the TVs are in.

One thing to consider with this method of detecting what channel someone is
watching is that most cable subscribers tune with a supplied cable box, or
with a cable compatible VCR.  Their TV's stay on channel 3.  So this would
work only with people with cable compatible TV who actually tune with the
TV and not a cable box or VCR.

The question is if the local oscillators in the cable box tuner or VCR tuner
can also be picked up.   Then if you pick one up on ch 3, check for another
on some other channel.  If you don't find one, then they must actually be
watching channel 3.  If you find a second local oscillator then they are
watching that channel with a VCR or cable converter, and the TV on channel 3.


>-------------------------------------------------------------------------
>                 lrk@k5qwb.lonestar.org        lrk@k5qwb.UUCP
>73,              utacfd.utarl.edu!letni!kf5iw!k5qwb!lrk
>Lyn Kennedy      K5QWB @ N5LDD.#NTX.TX.US.NA
>                 P.O. Box 5133, Ovilla, TX, USA 75154
>
>-------------- "We have met the enemy and he is us."  Pogo --------------


-----------------------
Carl D. Smith Jr.
csmith@plains.nodak.edu
-----------------------

john@zygot.ati.com (John Higdon) (06/07/91)

In article <1991Jun3.132526.67@cmkrnl.uucp> jeh@cmkrnl.uucp writes:

>For example, when a tv set is tuned to a particular channel, the local 
>oscillator in its tuner will be set to about 4.5 MHz higher (assuming 
>that tv tuners still work the way they used to, and that the IF is still 
>4.5 MHz).  

Not to pick nits, but let us at least get the numbers in the right
order of magnitude. TV IF frequencies are in the 40 to 50 MHz range,
not 4.5 Mhz. Hell, that is the same ball park of frequency that you are
trying to communicate (video= DC to 5 Mhz). What you probably meant was
that 4.5 Mhz is the offset between the video and audio carriers of a
broadcast television signal. 4.5 Mhz is known as "intercarrier", and 
there is a SOUND IF strip that terminates in an FM detector for the
audio tuned to that offset of 4.5 Mhz.
-- 
        John Higdon         |   P. O. Box 7648   |   +1 408 723 1395
    john@zygot.ati.com      | San Jose, CA 95150 |       M o o !