Go Back   Eurocardsharing > General Discussions > General Discussions > Chat

Chat Discussion, Satellite Video Decryption - HOW IT ALL WORKS at General Discussions forum; Satellite Video Decryption - HOW IT ALL WORKS HOW IT ALL WORKS Part I Management Keys Every card has MKs, ...

LinkBack Thread Tools Display Modes
Satellite Video Decryption - HOW IT ALL WORKS
Warez Master
munna's Avatar
Posts: 1,207

Level: 30 [♥ Bé-Yêu ♥♥ Bé-Yêu ♥♥ Bé-Yêu ♥♥ Bé-Yêu ♥♥ Bé-Yêu ♥]
Life: 0 / 731
Magic: 402 / 23636
Experience: 26%

Thanks: 0
Thanked 674 Times in 220 Posts
Join Date: May 2007
Age: 32
Thumbs up Satellite Video Decryption - HOW IT ALL WORKS - 03-March-2008, 17:21

Satellite Video Decryption - HOW IT ALL WORKS


Part I

Management Keys

Every card has MKs, which are hard to decrypt due to DES. They never change, are different for each card, and are used to decrypt operational keys.
Operational Keys (Op-Keys)
Can be changed every few hours (s*x-View), days (SCT) or every month (Seca). These are encrypted using a method known as DES. Every card for a given provider has the same op key. Op keys are used to decrypt the CW.

The CW

This is used to decode the video signal in real time. The video signal is encoded using a simple algorithm
Encoding/Decoding - weak scrambling system used on the video data
Encryption/Decryption - strong scrambling systems used for keys


video signal (weakly encoded) is decrypted by CW(Code Word).
Op- keys (strongly encrypted in DES) are used to decrypt the CW
management keys (strongly encrypted in DES) used to decrypt the op keys.

Full explanation

To prevent unauthorized viewing of a channel, the service provider has to encode the video signal. However they can't use a very strong encoding algorithm to do this because they would not be able to encode the video signal fast enough, and your receiver would not be able to decode fast enough, for you to watch it. Remember the video signal contains megabytes of data every second!!

So they encode the video signal by a very basic method. One such basic method is to use the logical operation XOR which stands for eXclusive OR.
XOR operates on ever single bit of the video signal (a bit is a binary digit - either a zero or a one) It works like this.

If the data bit is 0 and the key bit is 0 then the result bit is 0 
If the data bit is 0 and the key bit is 1 then the result bit is 1 
If the data bit is 1 and the key bit is 0 then the result bit is 1 
If the data bit is 1 and the key bit is 1 then the result bit is 0
For example this is how we encode data using XOR

01101000 = clear video data 
10101011 = encoding key 
11000011 = result (encoded video data)
To understand the above example, read the ones and zeros in each vertical column, a one and a zero in a column produce a one in the result , two zeros or two ones in a column produce a zero in the result.

Decoding is just a matter of applying the same key to the encoded video data like this:

11000011 = encoded video data 
10101011 = decoding key 
01101000 = result - which you will see is the same as the original clear video data!
Using a method such as logical XOR is a very quick way of encoding a lot of data, but it is not a very secure way of doing it. One easy way to break XOR encoding for instance, is to look for parts of the data that would have originally been a long sequence of zero's. When you encode all zero data with XOR this is what happens:
00000000 = clear data
10101011 = key
10101011 = result which is the same as the key!

Please remember that these above examples are not necessarily the actual technique used for Viaccess encoding, In fact as of yet I have been unable to determine the exact method used. However they do demonstrate the basic principle. Also the above examples used a key that was only 8 bits long - in reality we use one which is 64 bits long. In other words a sequence of 64 ones and zeros!

Also remember that the decoding of the video signal itself takes place in the CAM/Reciever - NOT in the smartcard.

Part II

The problem with these simple encoding methods is that it would be fairly easy to devise special hardware that could determine the key used for XOR encoding almost in real time. Although they used a different method than the one I've demonstrated here, old scrambling systems such as Filmnet/Teleclub/RTL4 are a good example of decoders that were able to decode the video signal without needing the encoding key.

To prevent the current systems being hacked in this way the encoding key used is changed very often, usually every 5 to 10 seconds! This key (according to various different documentation) is called the "Control Word", "Check Word" or "Command Word". We will simply call it "CW". In order for your receiver to decode the video signal, it needs to know the correct CW to use and it has to receive a new CW every 5 seconds or so. In Viaccess this CW is sent to the receiver in a message called an "Entitlement Control Message" or ECM. To prevent unauthorizedusers from intercepting the ECM (and the CW it contains) the CW is encrypted using a powerful encryption technique called DES(Data Encryption Standard). DES itself is the topic of another FAQ, all we need to say here is that it is very difficult to break DES encryption without knowing the key used.

The ECM is passed by the receiver to the smart card, which contains the DES algorithm, and the necessary key to decode it. A smart card can easily handle using DES to decrypt one CW every five or ten seconds The smart card takes the encrypted CW contained in the ECM, decrypts it using a key, and passes the decrypted (or clear) CW back to the receiver to decode the video signal. The key used to decrypt the CW is called an operational key, or op-key.

Some documentation also refers to this key as SOK, or service operators key. We'll use the term "op-key". These op-keys are the ones you see posted on boards such as Vkeys - key 08: 09; etc.

There a couple other points about ECMs that are worthy of note:
Firstly the smart card actually contains a whole set of op-keys, and the ECM tells it which one to use to decode the CW.

Secondly the ECMs actually contain two CWs. The one being used now, and the one to be used next, this allows the card enough time to decrypt the next CW (using DES) before it is required to be used. This prevents any breakup of the video signal when it switches to the new CW.

Obviously there is only one video data stream being transmitted on one channel at a time, so all receivers have to use the same CW to decode it. Because there is not enough time to transmit different encrypted ECMs to different receivers every 5 seconds, it also stands to reason that each receiver gets the same encrypted CW and needs the same key to decrypt. So all smart cards for a given channel contain the SAME SET of op-keys!

But there is a problem with this. If all cards have to contain the same set of keys, then once pirates have access to those keys the service is hacked, and the service operator would have to replace all the cards it has issued, which is very costly and time consuming.

So to get around this problem the op-keys are sent to the smart card in a message called an EMM, or Entitlement Management Message. This means that the op-keys can be changed without replacing all the cards. The EMM containing the op-keys is again encrypted with DES, and in this case it is decrypted using a key called a Management Key or MK.

Because new op-keys only need to be sent to the card periodically (say every month, week, or in the case of Sexveiw, every 8 hours), it is perfectly feasible to have a different MK in each card, and to address a specific EMM to each card that can only be decrypted with that cards MK. In fact this is exactly what is done. Each card has a specific unique address UA and a specific set of Master keys MK00 - MK07.

The EMM tells the smart card which MK it needs to use to decrypt the op-key contained in the EMM, and the EMM is also addressed to a specific card using the UA. In practice some large service provides who have lots of cards use groups of 256 or 4096 cards which have the same shared address (SA) and the same master keys.

The EMMs containing the new op-keys are sent out over and over again during the days/hours before an op-key change so that each card has chance to receive the new key at least once before that key is used.

The idea behind the above system was that if pirates broke into a card and found the MKs, as soon as those keys became public the service operator could "kill" the official card using those MKs and at the same time "kill" all the clones of that card. If the pirate cards just contained the op-keys then those cards would only last until the next op-key update, which could be only a few hours away.

The current weakness in this system is of course the Internet. At the time it was designed, no one imagined we would have boards such as Vkeys instantly accessible to thousands of people and containing the current op-keys, which of course are the same for all cards. And of course thanks must go to all the kind people who log those channels for EMMs and kindly post the op-keys for the rest of us!
Reply With Quote
The Following 7 Users Say Thank You to munna For This Useful Post:
DeMoN-Z (04-April-2008), DHolroyd (22-January-2011), Librarian (20-March-2008), masta f 101 (29-April-2009), on1atfphilip (02-May-2010), optip (19-October-2010), snakie (03-March-2008)


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off

Forum Jump

ECS on RSS ECS on Twitter ECS on Facebook ECS on Youtube
Follow us on:

Powered by vBulletin
Copyright 2002 - 2010, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.