dudek@utai.UUCP (08/11/87)
I've been wondering about this for a while. How is pay TV encoded? It's a screwy scheme since it lets the sound get through undamaged, but the picture portion of the signal is a mess. Occasionally the picture looks okay for a few seconds (it seems to depend on the picture content), then it will get wild (as if the horiz. hold was twisted with a vengeance), sometimes the color (intensities) are inverted. I think the encoding must have been chosen to tantalize non-subscribers since you can hear & see what's happening occasionally.

I have heard claims that it is done differently in different places, but from what I can see it looks the same with several companies in both Toronto & Montreal. Do they do this in the US? Here in Canada cable is *very* common, additional TV channels (for an extra cost) come encoded this way. It also happens to be illegal to build your own decoder, I think.

My apologies if this has come up before.

Greg Dudek
--
Dept. of Computer Science (vision group) University of Toronto
Usenet: {linus, ihnp4, allegra, decvax, floyd}!utcsri!dudek
CSNET: dudek@ai.toronto.edu
ARPA: dudek%ai.toronto.edu@csnet-relay
DELPHI: GDUDEK
Paper mail: Dept. of Comp Sci, Univ of Toronto, Toronto, Canada
ron@topaz.rutgers.edu.UUCP (08/11/87)
Well, there are several methods. From what you describe it sounds like the most common (and for good reason, it is the cheapest) method of messing with the sync pulse so TVs don't know when to start the trace. They just sweep at random or by other components of the signal that look enough like the sync pulse they have been missing. Also, sometimes the sound carrier center frequency is shifted so that you can not hear it when the TV is locked on the video signal. Another method is to superimpose a signal that generates effectively superfluous sync pulses. Decoders to correct this are also cheap and hence are fairly commonly available. Frequently, your Cable TV box already has the capability to do this and is programmed with jumpers.

For satellite transmission, they now usually opt for better protection in the way of the MA/COM Video Cipher. The VC encrypts the audio portion (the video being too much data for its little mind) and screws with the picture sync. It's fairly easy to get the picture back, but the industry gambled that not being able to restore the sound would deter people from even wanting to just look at the pictures. The enabling of the subscriber boxes is done remotely. Lauren Weinstein can probably give you the best

The only sure fire way, which is used for a number of cable channels in my area and HBO only in the place I previously lived, is to block the signal from appearing in the customer's house at all. This also has the advantage (or disadvantage depending on your view) of the subscriber not having to have special equipment to decode the signal. Hence I can use my "cable-ready" VCR and TV set to the fullest of their capabilities rather than having to use the piece of junk box the cable company supplies. I don't have HBO right now, and the signal just plain isn't there. The AFC control in my VCR hunts on to the channel below it since it can't find anything on the HBO channel.

-Ron
wtm@neoucom.UUCP (Bill Mayhew) (08/12/87)
There are very many ways that cable systems scramble pictures ranging from unbelievably simple to bafflingly complex.

In the early days, pay channels were denied to non-subscribers by simply installing traps for the pay channels in series with the cable dropping into the subscribers' premises. It wasn't long before pirates learned that all they need do was to climb the pole and remove the trap. This system was amusing since it actually cost the cable company more to not give you premium channels (in terms of equipment, at least).

The next development was sine wave scrambling. (At least, that's what I think it is called.) With this method, a continuous unmodulated (CW) carrier is placed on the cable near the desired channel. The idea is that the noxious carrier would mix with the real signal in the TV receiver's IF stage, resulting in an annoying beep. In this system, the picture looks normal coming from the converter box, but the audio is goofed up. I'm pretty sure that this system is/was being used by Magnavox. This scrambling method is easily defeated by inserting a narrow band filter in the converter box's ch 3 or 4 output to the set.

Pioneer uses a gated sync system where the phasing of the color burst and timing of the sync pulse is goofed up. I'm pretty sure that the video is usually NOT inverted. The local cable co. here uses Pioneer, and the audio is in the clear-- sort of an enticement to egg you on to subscribe. I think the box does have the ability to do frequency hopping on the audio in the 88-108 MHz band. Very nasty, as you'd have to know the algorithm they're planning to use, if you expected to stay in sync with the audio. This system can be cracked by genlocking the video. "The Black Box Solution", unfortunately no longer available due to a lawsuit pending from Ma/Com - Scientific Atlanta could handle this, provided frequency hopping audio was not used.

The Pioneer Decoder Box is nasty too.
It is keyed at the cable co office to tell what you are allowed to receive and the keys are held for up to two weeks by a battery. There is a kill switch that dumps the key RAM if you take the cover off. If you unplug the box too long (like while on vacation), the box will lose the keys and you'll have to go back to the cable office for a refill. The box receives digital control on cable chan 54-55 for PPV and shutting down non-paying customers.

Sony makes a box that I've seen in use on Satellite, but not on a cable system yet. It is pretty neat. It uses normal video sync, but an inverted picture (easy to get back with a couple of transistors). The audio is very tricky. If any of you governmental types have ever heard "parkhill" voice scrambling, you'll know what the Sony sounds like. The Sony appears to use PCM sampling which is diddled with, then clocked out of the delay line at faster than original rate giving a slightly Alvin & the Chipmunks effect punctuated with a staccato click at about a 10 Hz rate. Apparently the receiver double buffers the delay line and clocks out back at the original rate, filling in the click. Neat, but effectively uncrackable for all but the most determined hacker.

Scientific Atlanta uses a number of different scrambling techniques. Most seem to employ some sort of gated sync. Some boxes I've seen seem to use frequency-agile audio decoders that receive in the 88-108 MHz band. Scientific Atlanta also makes B-MAC encoders that use bandwidth compression to provide superior picture quality. As far as I know, B-MAC is limited to satellite transmissions.

Ma/Com's home satellite division was bought out by Scientific Atlanta about 6 months ago. There has been much nastiness directed at the Videocipher II descrambler aimed for home dish subscribers. Several antitrust lawsuits popped up when SA bought Ma/Com.
The basic problem is sour grapes now that home viewers (ostensibly) have to pay for the plethora of stuff they used to get for free on their dishes as of about a year ago.

The VC-II uses gated sync with digital 12-bit compandered audio, sampling rate is ~19 KHz per channel, I think. The nasty part is that the audio is DES encrypted, supposedly sealing out hackers. Well, almost. The VC II gets in sync from seed keys stored in RAM. There is also a 56 bit authorization mask that says what services the subscriber is allowed to decode from the seed. There are several duplicates, so that in the future, the VC might support more than 56 services. The common way to beat the VC II is to alter the control ROM program so that the user can add bits to the authorization mask. That way, subscribing to one cheap service will enable everything.

Unfortunately, SA learned that it was pretty easy to cheat with the VC, so a war to rival the Persian Gulf conflict has erupted between the hackers and SA. The typical method that SA uses to wage war on hackers is to alter the duly authorized service. If the hacker has fiddled with the authorization mask, she/he won't realize that his/her authorization has been changed from, say CNN news to HBO. A legitimate user would call up CNN and gripe, at which point SA would reprogram the user's box to the correct service. If the hacker doesn't complain within a set amount of time, SA sends a kill signal to the hacker's box and dumps the seed keys, at which point the only recourse is to send the box back to the SA factory to be rekeyed, for which they charge $200.

Unfortunately, SA has been rumored to be shutting down boxes that are duly authorized, even when hacking is not suspected, and is supposedly even collecting a fee to repair the boxes ($50) even though only a few seconds of rekeying is needed. At the same time, they dump the box full of epoxy in an attempt to keep the user from monkeying with the ROM.
The newer model of the VC, the 2100, is epoxied, contains fine wires in the epoxy to thwart removal, and some even have a kill switch that dumps the RAM when the cover is removed. Supposedly, there are even hacking methods that defeat the 2100.

I think satellite hacking wouldn't be such a problem if software fees were reasonable. HBO charges about double the cable retail price for their services to individual viewers. HBO and others are also uncooperative in lining up deals with third parties that want to package services similar to cable MSOs (Multiple Service Operators).

I don't have a Videocipher or a Black Box, but do enjoy watching the battle escalate. There seems to be a lot of political lobbying weight behind cable distributors that allow them to squeeze out small guys!

By the way, please don't try to rip off your cable co. In general these are nice guys and fees are pretty reasonable for the programming you get. The above is not intended to be a tutorial for getting free pay cable, and specific technical details have been omitted for that reason. The main point that I'd like to make is that today's privacy methods have a long way to go to be really effective. Hackers can also be very determined. Organized crime also has a part in this, as the "black box" business can be very lucrative. The many illegally authorized Videociphers in use in Canada where US law does not apply are an example.

--Bill (wtm@neoucom.UUCP)
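
The design lesson in the authorization-mask account above, as an added example that is not part of any post in this thread: a toy model contrasting a receiver whose only gate is a locally stored mask with one that holds only the service keys delivered to it. Only the 56-bit mask width comes from the thread; the class and function names, the HMAC-based derivation and the message layout are assumptions and do not describe the actual VideoCipher design.

```python
import hashlib
import hmac
import os

MASK_BITS = 56  # mask width quoted in the post; everything else here is a toy model

def kdf(secret: bytes, label: bytes) -> bytes:  # HMAC-SHA256 as a stand-in KDF
    return hmac.new(secret, label, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class MaskGatedBox:
    """Weak: one seed unlocks every service; a local mask is the only gate."""
    def __init__(self, seed: bytes, mask: int):
        self.seed, self.mask = seed, mask & ((1 << MASK_BITS) - 1)
    def key_for(self, service: int):
        # The policy check lives in firmware the box owner can modify.
        return kdf(self.seed, b"svc%d" % service) if (self.mask >> service) & 1 else None

def wrap_entitlement(unit_key: bytes, service: int, svc_key: bytes) -> bytes:
    """Head-end side: wrap one service key for one box and authenticate the message."""
    nonce = os.urandom(16)
    body = bytes([service]) + nonce + xor(svc_key, kdf(unit_key, b"wrap" + nonce))
    return body + kdf(unit_key, b"tag" + body)

class KeyDeliveredBox:
    """Hardened: the box holds only the service keys the head end sent to it."""
    def __init__(self, unit_key: bytes):
        self.unit_key, self.keys = unit_key, {}
    def receive(self, msg: bytes) -> bool:
        body, tag = msg[:-32], msg[-32:]
        if not hmac.compare_digest(tag, kdf(self.unit_key, b"tag" + body)):
            return False                          # not addressed to this box, or altered
        nonce, wrapped = body[1:17], body[17:]
        self.keys[body[0]] = xor(wrapped, kdf(self.unit_key, b"wrap" + nonce))
        return True
    def key_for(self, service: int):
        return self.keys.get(service)             # no delivered key, nothing to unlock

def compare_designs(paid: int = 3, unpaid: int = 17) -> dict:
    """Run both toy designs with constructed service numbers and random keys."""
    secret, key_a, key_b = os.urandom(32), os.urandom(32), os.urandom(32)
    weak = MaskGatedBox(secret, 1 << paid)
    weak_before = weak.key_for(unpaid)
    weak.mask |= 1 << unpaid                      # models the altered mask from the post
    box_a, box_b = KeyDeliveredBox(key_a), KeyDeliveredBox(key_b)
    msg = wrap_entitlement(key_a, paid, kdf(secret, b"svc%d" % paid))
    return {"weak_before": weak_before is not None, "weak_after": weak.key_for(unpaid) is not None,
            "a_accepts": box_a.receive(msg), "b_accepts": box_b.receive(msg),
            "a_paid": box_a.key_for(paid) == kdf(secret, b"svc%d" % paid),
            "a_unpaid": box_a.key_for(unpaid) is not None}
```

In the second design the entitlement decision is made where the keys are issued, so a box whose firmware has been changed still has nothing to decode an unpaid service with.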