The system works by cutting the video at one of 256 points. The cut video is then rotated around
this point. To de-scramble the video it must be rotated around this same point and as it is done
with digitised video we are simply dealing with large numbers.
As there are 256 possible cut points, the cut point can be defined as a byte. The byte is
generated by a pseudo random number generator. The start point for this generator is transmitted
in the vertical blanking interval. The information in the card along with information transmitted
over the air decrypts the start point and allows the descrambler to operate. Individual cards
can be addressed and if necessary switched off or upgraded.
The data rate of the information in the vertical blanking interval is much slower than that of
teletext (which has a clock speed of 6.9 MHz). This means that it is slow enough to be recorded.
The smart card itself contains an 8052 processor from Intel, which has an on-chip ROM and RAM, a masked ROM, and a 2K EEPROM. The EEPROM is what enables Sky to modify your card as they please.
Okay. Cryptology is highly mathematical. That's one of the reasons I'm no good at it. :-) Within,
there are two categories. You have your cryptography (making code systems) and then you have your
cryptanalysis (hacking code systems).
It has been said that VideoCrypt was cobbled together in a weekend by two Unix hackers who barely
understood crypto. Be that as it may, it was touted as unbreakable, and regularly got broken.
Even so, it stood up fairly well. I've been with Sky a while and only have three viewing cards
to show for it.
There are political issues at play here. The German channels on Astra (analogue) are all in the
clear (i.e., not scrambled). Sky is scrambled, and Sky will only supply cards to UK addresses. This,
instantly, makes them a target. Either for English language material (as dubbing can, sometimes,
be so bad as to put you off forever), or for the anti-establishment 'Murdoch is a money-grabbing
git' point of view.
The system used to 'protect' their material should be secure in that it can validate the data as
being genuine, while at the same time making it economically impossible for a hacker to extract
valid code keys from the data source.
VideoCrypt was immediately hampered in two ways. Using a standard 'smart card', the pin-outs and
protocols were already established. It was originally possible to prevent your card from being
deactivated by limiting the reprogramming voltage. They worked around that one... Secondly, the
older equipment was faulty in that a fairly critical built-in test to validate fake cards didn't
work. If this test was called, probably half the older decoders would tell you that your card
was invalid.
When we approach VideoCrypt with a view to hacking it, we do not think of the maths involved. That is an interesting, but ultimately unproductive, route. Instead, we examine the technology used and figure out how to exploit it. Any system is only as secure as its weakest point.
A document I have explains...
Sky's VideoCrypt system uses the Fiat-Shamir Zero Knowledge Transfer proof. I have not yet acquired the paper but as soon as I do it will be covered.
That text was written sometime around 1994-1995.
The VideoCrypt descrambler has to authenticate the card every few seconds. The subscriber centre will have the Secret Key (S), the Public Key (P) and the Address (N). Of these elements, the card will only know the Public Key (P) and the Address (N).
Every few seconds, the subscriber centre will request each card to authenticate that it is a valid card. The message data can be encrypted using the signature system described above. The message data can be the input for a function F(x). Each valid card will have the algorithm for this function F(x) in ROM. The data for the function will be held in the card's EEPROM. When the authentication message is decrypted, it will give the message data. The card will then subject this data to verification possibly in the following manner. When the function is applied to the message data it should give a certain product. This product should correspond to the data held at an address in EEPROM on the card. If the card fails the check it is invalid. To wipe a card, Sky only has to send an instruction wiping a certain area of the card's EEPROM.
Since neither the function F(x) nor the EEPROM's data is known, there is virtually zero knowledge transfer. Maintaining a fixed block of message data over a card change would render the system insecure if the address is the card validation address. The EEPROM overwrite signal could be interrupted and thus the lifetime of the card can be maintained. Something similar to this occurred in 1990 but Sky defeated it easily. The system was in its testing period and as such fixed keys were being used to speed the implementation and testing. The current cards cannot be hacked in this manner because the architecture changes from card to card.
[...]
Let's assume for the sake of argument that VideoCrypt uses a single hash algorithm. Also for the sake of this hypothetical situation, the structure of Sky's blacklist and card activation procedure are known. The algorithm is present in the smart card and the secure processor.
The hack procedure would run something like this. A subscription to Sky Sports would be taken out. The card switch on would be monitored. Then, when cards are being authorised for the other Sky channels such as Sky Movies, the card's identifier would be inserted in the block in place of a legitimate card's identifier. Of course a new checksum or hash value would be calculated and attached to the data. What originally was a Sky Sports card is now a Sky Sports and Sky Movies card.
Well, since this is a hypothetical situation, let's continue with the hack. The first thing that Sky would try to do is to turn off cards. They would effectively send the card's identifier in the blacklist sequence in the datastream. Since the blacklist location is known, it would be replaced and a new hash value calculated, or the card identifier could be removed and a new hash value calculated.
The use of a single hash algorithm in the VideoCrypt system would be disastrous. What is more logical is that there is a multiple hash structure.
The main constraint on smart card based hash routines is speed. It is no use having the most secure hash algorithm if it takes a few hours of calculation to process the data. The smart cards typically run at speeds below 5 MHz. They are also eight bit processors.
There are reports from reliable sources that there are now issue 09 smart cards, already in use, from the same producers of the old issue 07 cards. The algorithm is getting better as the issue 09 card took four days to crack instead of the few hours it used to take in the old days.
The VideoCrypt system is more secure on the crypto side than the technological side. To date nobody has hacked the card or the ZKT. The same cannot be said of the D2-MAC EuroCrypt system.
Finally, from the same source, we have:
VIDEOCRYPT
==========
VideoCrypt is without doubt a resilient system. It has been hacked in the past eighteen months and it has recovered successfully. The fact that it has been hacked illustrated that it is not pirate proof or indeed hacker proof.
When the system was launched, some of the public relations people claimed that it was the most pirate proof system yet devised. This pirate proof attribute was a myth. A myth is an attempt to explain a reality with the mental tools available. Therefore since the public relations people understood neither the abilities of hackers nor the security of the system it would be, to them at least, pirate proof.
The philosophy of the VideoCrypt system is that of the Detachable Secure Processor. The decoder itself is merely a dumb terminal. The detachable secure processor is the smart card. Theoretically the smart card contains the critical data and the decoder contains nothing of significance. This "dumb terminal" idea has been echoed by News Datacom and Sky executives.
The scrambling technique used in VideoCrypt is line cut and rotate. The video is digitised and then cut at one of 256 possible points. The digitised video segments are then rotated about this point and the digital video is converted back to analogue.
The fact that the cut point is one of 256 points means that it can be defined as an eight bit word. This byte is supplied by a Pseudo Random Number Generator. The PRNG is sixty stages long and is reset approximately every two and a half seconds. The seed is sent in an encrypted format in the vertical blanking data.
VideoCrypt transmits addressing and access control data in a few lines of the VBI. The data rate is slower than that of teletext. Each of the packets of data has a checksum. This checksum is a product of the active data in the packets.
The checksum is apparently not a standard one. It is, according to sources, some sort of message digest or hash function. The data is fed into a routine that generates a fixed length output. This output block is attached to the data packet. If any of the bits in the data are changed, the change will be detected. The decoder will run the data through the same routine. The output block should be the same as that transmitted with the data packet. If the comparison check fails then the data has been altered.
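The packet check described above, together with the earlier hypothetical about a single hash algorithm, as an added example that is not code from the source document or from VideoCrypt. It assumes SHA-256 and HMAC-SHA-256 as stand-ins for the unknown routine, an 8-byte output block, and a constructed packet layout; it shows that a public, unkeyed digest detects altered bits but accepts data whose block was recomputed by anyone who knows the routine, while a keyed tag does not.

```python
import hashlib
import hmac

TAG_LEN = 8  # constructed: output block length; the page does not give one

def plain_digest(data: bytes) -> bytes:
    """Unkeyed routine: anyone who knows the algorithm can recompute the block."""
    return hashlib.sha256(data).digest()[:TAG_LEN]

def keyed_tag(key: bytes, data: bytes) -> bytes:
    """Keyed routine: recomputing the block needs the secret held by both ends."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def make_packet(data: bytes, key: bytes = b"") -> bytes:
    """Attach the fixed-length output block to the data."""
    return data + (keyed_tag(key, data) if key else plain_digest(data))

def verify_packet(packet: bytes, key: bytes = b"") -> bool:
    """Receiver side: rerun the routine and compare with the attached block."""
    data, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = keyed_tag(key, data) if key else plain_digest(data)
    return hmac.compare_digest(tag, expected)

def flip_bit(packet: bytes, bit: int) -> bytes:
    """Model a transmission error: one bit changes, attached block untouched."""
    out = bytearray(packet)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def reissue_without_key(new_data: bytes) -> bytes:
    """Model the hypothetical: data replaced, block recomputed with the public routine."""
    return new_data + plain_digest(new_data)

# Constructed packet: one type byte followed by two 4-byte identifiers.
DATA = bytes.fromhex("01 0000a1b2 0000c3d4")
ALTERED = bytes.fromhex("01 0000a1b2 0000ffff")
KEY = b"constructed-shared-secret"
```

A receiver that checks `verify_packet(packet, KEY)` rejects the reissued packet, because producing a matching block now requires the key rather than knowledge of the algorithm.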
Only 585 lines or so in each frame are scrambled. This is to enable the VBI signals to be checked without descrambling the video. The reason for this is so that the signal quality can be checked on SMATV and cablenets without having to descramble the signal. It is a standard feature on most scrambling systems.
Decoder Architecture
====================
The VideoCrypt stand alone decoder is a hybrid design. It uses both discrete components and surface mount components. This is necessary to reduce the size of the board. The board type used in the early stand alone decoders is SRBP or synthetic resin bonded paper. It is not the most reliable of board materials but it is one of the cheapest. It does reflect the television manufacturing industry as most of the boards in television receivers are SRBP.
In the IRD version, the power supply is part of the main receiver PSU. There are four voltage rails in the decoder: +21V, +12V5, +15V and +5V. The main part of the circuitry runs off of the +5V rail.
The House Keeper microcontroller
================================
The main processor in the descrambler is the 8052 from Intel. This is a microcontroller and has an on-chip ROM and RAM. There are also two types of this microcontroller available; the BASIC ROM version and the Mask programmable version. It is probable that the version used in the descrambler is the Mask version. This means that there is an 8K program running the descrambler. The 8052 can be forced to disgorge the control program.
Many veteran hackers who examined the Sky decoder were suspicious of the ease with which the 8052 could be forced to disgorge the control program. By putting a finger across pins on the ICs, some very strange messages came up on the screen. One of these was "FALSE CUT POINT". The control program when disassembled proved to be little more than house keeping with a few card zap routines.
The incriminating text proved that the ZC404044 was a secure Microcontroller. There was one other way of getting confirmation - phone Motorola, the manufacturers of the chip, and ask them about the IC.
Of course the fact that the program in the 8052 could be read and examined meant that the whole card to secure processor interface could be monitored and where necessary the data could be modified. This has led to the most devastating hack on VideoCrypt - The KENtucky Fried Chip.
The Secure Processor
====================
The real heart of the Sky decoder is the ZC404044 or in later versions the ZC404047. The earlier decoders have an eight pin EEPROM. The later versions incorporate the EEPROM data on the ZC404047. The control program is held in masked ROM and as such is very difficult to read. Ordinary attempts to disgorge it failed and there are rumours that the ICs are being reversed in the Far East.
The Custom Logic
================
TCllOG03AP is custom logic. It handles the control of the video descrambling circuitry. This is also the most likely area for the PRNG. On some of the later versions of VideoCrypt decoders this part is labelled TCE mV-2, the TCE possibly standing for Thomson Consumer Electronics. This IC also handles the clock generation for the whole decoder. The IC's clock is derived from a 28 MHz crystal.
The Video Descrambler
=====================
The video section of the VideoCrypt decoder is elegantly simple. The scrambled video is digitised by a TDA8703 ADC. This turns the video into a sequence of 8 bit words. The digitised video is then fed to a set of two FIFO memories. FIFO stands for first in first out. These ICs are capable of storing 910 8 bit words each.
Each FIFO holds one segment of the line so that reassembling the video is merely a question of switching between the two FIFOs when clocking out the data. The descrambled digitised video, with the segments in the correct order, is fed to a TDA8702 DAC. The multiplexing and latching is controlled by the custom logic IC. The analogue video is then fed to the output stage. This stage is a discrete transistor design. The video signal is clamped and the on screen graphics are added. The resulting signal is filtered before being routed to the SCART connector or back into the receiver.
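The line cut and rotate scheme and the two-FIFO reassembly described above, as an added example that is not code from the source document or from any decoder. The 60-stage register's taps, the linear mapping from the cut byte to a sample index, and the 64-sample lines are assumptions made for the example; the page gives only the register length and the 256 cut points.

```python
MASK60 = (1 << 60) - 1

class CutPointGenerator:
    """Stand-in 60-stage shift register; the taps are constructed, not VideoCrypt's."""

    def __init__(self, seed: int):
        self.state = (seed & MASK60) or 1   # an all-zero register would never change

    def next_byte(self) -> int:
        out = 0
        for _ in range(8):
            bit = ((self.state >> 59) ^ (self.state >> 58)) & 1
            self.state = ((self.state << 1) | bit) & MASK60
            out = (out << 1) | bit
        return out

def cut_offset(cut_byte: int, line_len: int) -> int:
    """Map the 8-bit cut point onto a sample index (linear mapping is assumed)."""
    return cut_byte * line_len // 256

def scramble_line(samples: list, cut: int) -> list:
    """Cut the line at `cut` and swap the two segments."""
    return samples[cut:] + samples[:cut]

def descramble_line(scrambled: list, cut: int) -> list:
    """Two-FIFO model: latch each received segment, then clock out the second first."""
    split = len(scrambled) - cut
    fifo_a = scrambled[:split]    # arrives first, belongs at the end of the line
    fifo_b = scrambled[split:]    # arrives second, belongs at the start
    return fifo_b + fifo_a

def scramble_frame(lines: list, seed: int) -> list:
    gen = CutPointGenerator(seed)
    return [scramble_line(l, cut_offset(gen.next_byte(), len(l))) for l in lines]

def descramble_frame(lines: list, seed: int) -> list:
    gen = CutPointGenerator(seed)  # same seed, so the same cut byte per line
    return [descramble_line(l, cut_offset(gen.next_byte(), len(l))) for l in lines]

# Constructed frame: four 64-sample lines, each a different brightness ramp.
FRAME = [[(x + 16 * y) % 256 for x in range(64)] for y in range(4)]
```

Both ends only stay in step because they start the generator from the same seed; every sample value is preserved and only its position within the line changes.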