So, coming over to our next talk tonight. If you switch off your DECT phone, if you're full of different impressions of this day, you maybe want to watch TV. But it would be cool to have pay TV, unencrypted pay TV. So Chris Gerlinsky asks himself the same, and how to achieve unencrypted pay TV, but the hacker way. So Chris reverse engineered nothing less than the signal and the encryption, a foreign standard that remains unencrypted since the late 90s. Please welcome, with an anniversary edition applause, Chris Gerlinsky. Welcome!

Hello together, my name is Chris Gerlinsky. I come from Canada and I want to talk about how I knocked down set-top boxes and pay TV. There are these set-top boxes that are used in North America, that are also used for satellite TV from the two largest Canadian providers. It is certainly since the 80s. And I was interested if I could understand this system, if I can understand this system through the old boxes that have been there for 15 years. And that's how I started to look at how the system works.

So before I get into the digital television: these are actually pretty similar, but there are different signal modulating modes. There are two modes, there are these 8PSK and QPSK. There is also an out-of-band channel. That is QPSK, that is 2 megabits per second. There is this management information for companies. And while you are doing things and looking for different things, this out-of-band can be used to manage the channels. The video will be sent as MPEG 2 or as H.264. That is a standard format for video streams that can be connected by any software decoder or hardware decoder. The solution that is used here is DigiCipher 2. That is not a DVB standard.

The transport stream consists of 180 byte packets. Each packet has different properties, and the information goes from 0 to 0xFF. And I am in an MPEG stream, or even more service information tables. The service information tables have an 8-bit
table ID and are up to 1024 bytes. And the table ID identifies the data that no one can expect in the table. And the tables also contain which programs, and the program association. Each has this mark table, and this is where the control messages are sent and the keys are kept. The system uses two ECM types, the ECM 40 and ECM 41, and there are additional tables that identify the ECMM stuff. These messages are used for individual set-top boxes, for individual boxes, for example.

Here is a hardware interface. This QPSK is not possible here, and this QPSK is also... And the Broadcom device provides the modulator, what different modulations are supported. It works relatively well. The Linux drivers have to be recompiled and have to be patched, but they were published. For cables, there is this QAM modulation with this converter, but the out-of-band channel is not supported. In the cable boxes there is a chip set, because you have to use the data and you don't have to use the hardware. This would only be used for pay-TV services, for satellite and cable interfaces.

There is a lot of information here. It's difficult to understand. This DigiBus can't understand all the DigiCipher 2 tables, because it's not completely understood. It was still quite helpful for me to understand this information better. These different tools are built for this DVB standard, but these things are not always standardized, and we use this SCTE 65 as our standard. There is a virtual channel tab. This is not a DVB standard.

Another adapter for cable TV is this set-top box that I studied. These cable cards are built earlier. And this homeland. As always, it has the Outrun cable. To get to the data, we put a cable card in. I analyzed it with an inserted cable card, and I did software for it to read it and randomize it. And for output, there is an MPEG 4 stream. To run the software, the open family is a 2 megabit. And inside are the conditional access management messages, and in this stream are all the access management information. So in
each packet there are two bits. They say if something is capsulated or not. And these different DCs were DC1. The oddities in use while the even keys are updated. And then the same keys are used, and the same are renewed. And it is chased by a descrambler, and the result is an MPEG stream.

The descrambler uses a 65-bit DES key, and it changes from 30ms to 1s. The function key is used to increment the packets of the program key, and this is connected to the category key. And the program key is unique for every channel and for everything you look at, and all the set-top boxes that have the authorization have this key. The category is sent to each set-top box, and this category key changes every month. Some don't change in the week. To use these EMMs for unclosed seed keys, each set-top box has three 56-bit seed keys. They are manufactured and use this set-top box. All of these seed keys are manufactured. All of these key changes are used.

Inside each set-top box you can see all of these different tools. There is a real transport stream. This transport stream comes through this ACP, through this MPEG decoder, to the TV. There is an ACP bus that is used with ACP and MPEG decoder to speak. And even if this set-top box doesn't have a stream, you can still, there are so many bundles between the two. There is also a TVPASS slot where you can upgrade everything. But the newer set-top boxes don't have this TVPASS slot. They won't be used anymore.

It's very similar to a cable. It's really similar to a satellite set-top box. It comes through a Broadcom chip for demodulating and also for MPEG decoding. There is a 68k main controller that also speaks to ACP and STB through this MPEG, and also to this non-volatile storage system. There is also a second tuner where you can get out-of-band, and it will be used separately as a main tuner. And that's why you can get program guides, system information.

Here we see the ACP chip. It's a 100 pin chip. From the description we can see that it's an industrial chip. All the connections
are from this chip. The newer boxes use newer versions. I studied this chip here. As long as the... This has always been a relevant target, because if these chips are used, and the newer set-top boxes don't have this chip, and we don't know if there is new security control or something else. Maybe cost control or something.

The pin 1 is on the left, and the battery backup pin. There is a transport stream input that gets the data from the demodulator, and then there is the output from 27 to 32 that sends the data to the MPEG decoder and then to the TV.

At one point I wrote a software for it. Not for this grade, but for another similar one. It supports send and receive data from 32 Mbit stream. My implementation was a bit ugly, but instead of cleaning it up, I was able to use it. It has a few limitations, like 64 kilobits for the demodulation, but it was enough for my research. You showed me that this transport stream, through this ACP gate. But some chips are unblocked, and then this output is all. The demodulation is decapsulated.

Later on, when I did more thorough research, where I made the whole thing with a breakout board, and the whole time I used it. It was easier to use this chip, so that you had the whole thing. Here you can see what I used for the SPI, to see this data pass through this STP and ACP. On this development board I made two slave ports. One is connected to the MPEG, the other is connected to an input, and the other is connected to an output port. If I have to do it directly to the ACP or STP controller, I just have to talk to one interface. If I wanted to keep this STP in reset, I could talk to this MPEG with ACP.

By cutting the data flow, you could read the whole thing. The whole thing is transferred to the SPI. The events are filtered to the addresses that the box itself has. The box contains only messages. That means the keys that are used, and the addresses that are used, and which subscriptions are free. Additionally via the SPI interface. With this
SPI interface, it says which pins have to be unclogged, and it only receives category keys that are encrypted within EMM SPI. It only receives category keys that are connected to the STP chip, and it has to be connected to the SPI.

So next I started a deep study of this chip with a microscope that cost $100,000 to $100,000, and the electron microscope cost more than $100,000. This is the Mitutoyo FS70 microscope that I own, that are used for micro-pro and other things. But I didn't use a microscope, but I used this microscope. You could also use more basic technology. It would be better to use more advanced technologies. And I also used this electron microscope. It's good to develop for WAV, but you could always pay more money for it. I paid about $10,000 for it, for all my devices.

To see this chip under the microscope, I had to develop this chip. You never use a nitro acid to remove the package. Then you clean the whole thing, and use cleaning alcohol to clean the whole thing. The gas is very aggressive, and you have to be very careful how you start it. Most people probably didn't want to do it at home, so you should probably go to the university and do it there.

After the decision, what was common were the chips with the cable. And as you can see in the picture, you can see the larger structures of the chip. Half of it is covered with a metal plate, and the other one is an electronic switch. This is a picture of it from different smaller pictures. When you look at it, you see the bond pads on the outside, a metal plate on the top, and this pasteuric logic on the bottom. There are some structures that may be in the storage zone.

To understand more, you have to do different layers. You can use hydrofluoric acid and also rust stain removal. This is a hydrofluoric acid solution, and then it is heated, and then you put this die, and then it is a little bit burnt. The result is not perfect, but some places are deeper than the others. But it works quite well. You don't want to dampen it. So be really careful
with it.

After a short time you could see the whole thing. After you cleaned it and washed it, the top metal plate is gone. You can see some visual effects that we saw, that the thing is not smooth anymore, but you could sort it out quite well. The top left is the big right cover. It is in RAM. And then there is logic that pulls it all into the logic.

I was interested in finding how the bits were encoded in ROM, and then I had to take a layer from it. So I took another layer. Then you can see more effects of the etching, which is still too bad. After a third dip in the link, after a third de-layering process, it is still a little bit not perfect. About half of the top is still there. It is almost completely taken away. At the time I did the project, I didn't have the polisher available, so I was relying only on the wet. Some of the areas were wrong. I couldn't smooth it out, and I had only this method available, so I continued to add further. The etching was wrong, so I continued to add further layers to make it better.

Now you can see the bits better. And here you can see, when the black is a 1 and when the white is a 0. The better the photograph, the better you can see the bits. But it doesn't have to be perfect. You can add some image processing, and you can do that more with more chips to photograph these. And then you have the whole frame clean, and you can see it with the photographs.

And now you can take it out, like a manual or with a software. It's 162,000 bits, so manuals would be a bit of work. It's not impossible, but a lot of work. So software was a better solution. So I wrote a bit of software to recognize the 0, 0, 1. The blue are 1, the yellow are 0. And then I have the whole thing with a manual.

And after the extraction, I made a vinyl version. Here is a picture of this. This picture is black for 1 and white for 0. And I made it, and then you can see it. And that means that this ROM is not closed or scrambled. And here you can see the end of the ROM, due to a repeated pattern of
filler bytes that are the next used part of this ROM. These things are on the reset address, and the whole thing is a filler byte. And the numbers are fff6, Ff6 to fff. And then you can give the whole thing as a hex dump that you can look at, what it is. And there is an ASCII string, what is very nice, because then you can see if you have the right decoding. And now it is quite simple. You just have to do the bytes and go on.

With the ROM dump, you could run the software analysis on it. The first thing you have to do is to see the process architecture, to see if you can look at the RAM on an 8-bit structure. And slowly I tried to do that with an IEU556, and with the other I took the whole thing of the same manufacturer. On this old chip, of the NWC copyright, you can see it on this chip in the microscope. That would be a very good something I should have noticed earlier.

I used IDA because it is a very strong disassembler. You can surely read 6500 sets. Under this simulation, I used it to understand it better, because 6500 is quite well understood. It is quite simple to find a simulator. It is usually in, also like Commodore 64 and Atari used it. There is a lot for it. As I understood it better, I have some more capability that you found in ACP in the simulator.

What you first noticed in this disassembler: there are two modes for that. There is a personalization mode or an application mode. If it is normal, for example in a set-top box first made in a power plant. What I noticed is that this is not simple disassembling. It was a task switching to handle processing, process switching. There are 8 tasks that run at the same time. And there are 2 to process the ECM 40 message, 2 to process the 41, one task for EMM processing, and one for TVPASS, and one for the SPI interface. There is a 7th task for SPI messages to unlocked.

There is no documentation for all these different systems, and you have to understand all the register. Random, and then a signal that indicates that the transfer
is complete. There is a desktop that registers the key, and when the key is complete you can read it. There is a TS descrambler that is on the serial transport interface descrambler. These main controllers make the PID filter. That means which things are unlocked. The ECMs are set in frame, and then the main processor is one of them.

Now I understand a bit better how this system is connected. I analyzed this MPEG SPI bus. Also I made a whole ROM dumped for this simulation. I have some, the keys that are always in the ROM. Every set-top box unlocked, that are already unlocked at this point. Now I don't understand the seed keys, categories and programs that are only in RAM made. And so I can't watch other programs, demo programs.

A work key is three different ECM 40 messages. There is a service ID, frame count and a lock mode. Frame count is 24 bits, and one bit that is a special lock mode key. The ECM 41 is a lock program key that is used to unlock the packet. The provider ID of which ECM should be processed. There is a service ID, and then there is a category epoch that identifies which category key is used and how long the whole is still valid. The whole thing is used several subscription levels that are written on the ECP. And they are also, there is a crypto and closing select byte that I will tell you later.

Here is what you can see in a half second. The ECM 41 channel will show the ECM. First an ECM 40 to build a key with this. Another ECM 41 message. Without to make these two steps, it is not possible to close a short period of time. And all that would happen in a half second.

These ECM are built in four different parts. Each part has a bit of information for this set-top box. This category lock is built by all four parts, and if they do not are allowed. If this first ECM, the first part, is for this reset information, and then put in a new one. And if this second part is made a hash of this input of this first and second part. And then this information is stuck in the ACP. And if it does not
write it, is unnulled. In this way these four messages are connected, and if one does not arrive. This is an example of the EMM. All the four EMM parts have information like the EMM address. And the EMM can keep two categories, for now and for the next. If the category changes, that's why the next key is ready. The seed keys are used by the ACP. The cinema interface is installed. EMMs are not in-band, but they are exactly the same, like satellite and cable systems.

Now we can do channels that are made with fixed keys. The fixed keys are known, because they are contained in ROM. Fixed keys are made in ROM. There is the possibility that we did not have the right key, because maybe we have a process. But there was a checksum that showed that the key was right. If I try, a fixed key cannot be used or something else. I did not do that. I noticed that this bit, that ECM 40, was not made in my simulation. And so now I thought that maybe there is another connection.

That is, to understand what is in ACM, I had to try to glitch this chip a little bit. I would write the speakers and check another condition, check time. And so I... There was an internal ear that we could not do a timing glitch attack. The stronger attacks against such attacks are newer. That is why I built this on this breadboard. I used the XMEGA to try to get this chip to glitch. And I looked if I, if I switch between, changes the glitch. So I used these two voltage mode, a glitch mode and a normal voltage. I also used an oscillator to increase the time and to... It has to be a glitch or to have a different voltage, then glitch, and then a response from the ACP.

I sent two different information. My strategy was only to use less and less voltage to see what's going on or not. So then I could change ACP back information. If something is strange from ACP, information from valid checksum is, it will always go back to normal voltage.
Here we can see that the later the glitch comes, the behind bytes will change. At this point it looks as if the glitch would work and we could use it. Since I had an effective glitch, since I had a functioning glitch, I just built a board that has the same function as the glitcher so that I can make it more reliable.

Now my goal is to have my code to run there. All code and memory share the same address space. All code and memory are the same memory space. The software in ROM, as I could read the DSM code, there was no paging feature. The RAM will never be used in order to be stored in the exe. In fact, it wasn't clear if there's anything to do with it. It wasn't clear if something prevents the exe from being stored in the RAM.

So I sent a message via SPI to know that this thing is stored in the RAM. It has the assembler code that would send me a message. So I would make this a payload, then I could get information from the SPI to improve it. Do I need an opcode that would send me my destination code? That led to the fact that there were several functions. Every unnatural program flow would have been a possibility to access it. Every chip without memory management is a very good starting point for remote code execution of some RAM jumps.

The ECPs are from NTRU, which I know that you're having uncertainty. But my glitch is that there's a little bit of time and uncertainty. Then I have to try it again, a lot of times. There's a lot of things that I'm not so sure I can reach my destination so I have to do it a lot of times. But sometimes it's good. I got an ACP from ACP pretty quickly. That means I made a good glitch. After a few hours I could do it in just minutes or seconds. Then I could run code in RAM and send new code to RAM.

Now I can do other things. I would leave all the operations that are available on a chip. I wrote a simple application to look for such glitches. This program allows me to enter a data reader and give me the data back.
There's also the support that you can write a key.

I noticed a few things at this point. There's 2 kilobytes of RAM. If I try to read this, the RAM resets. These are the initialization methods of the manufacturer. They're not used after the initialization. If you want to save something, you can't do anything with it. There are some addresses in RAM that you can't read. Some keys are in there and some unreadable keys are in there. When a chip is reset, you have to glitch again. My hacking code is only in temporary RAM. Because we can send something to the ACP without anything.

Comparing the results of the optical ROM extraction with proper dump. If I dump something from my optical ROM to my software glitching routine. Many of the errors were clear. At the beginning when I was reading the software, I could repair it with a bitflip. I could probably find half of the RAM errors while disassembling.

The interesting keys are only stored in the RAM. These are the program keys, the seed keys. If the keys disappear from the RAM, we could never work with it again. If the ACP is used, the connection with the other components is impossible. Because the ACP has to be connected to the other components. You have to make sure that you don't lose the power. You lose the RAM.

I tried to take the ACP because it still gets power. So I made it with razor and Dremel. You can put it under a pin. And then with hot air, it will be removed slowly. Then I made the battery. And then I connected an external battery. After I connected an external battery, the chip can be removed from the box. And then it can be glitched and then brought back into the box. The interesting thing about this is that if you extract the keys, you don't have to replace the chip.

The chip will be placed on the breakout board and transferred to the glitcher. We only need a few pins. The glitcher is in between the project box. The functionality is the same. The timing of the chip is different.
Now we can read the RAM content. We can even connect the category keys and the seed keys that are used to connect to the EMM. With a valid category key, you can build keys for each channel.

Now I can run my own code on the ACP. Now I have to analyze this transport stream and connect it. You can see that there is a bit where you can either use a different block CBC or normal DES connection mode. Now I thought I might have to do a gate level analysis. But I don't want to do a reverse analysis because it's not particularly good. So I would like to understand how to solve all these things better.

By flipping one bit in encrypted input, ECB, CBC, or OFB modes, it's differentiated. So now if I only have one bit changed, I can see which DES mode will be used. And then I can be sure that either the CBC or something else is used. Then I have noticed what the clock times are, whether it is changed in my normal mode and my glitch mode. And that's not particularly necessary because it actually has to be made in real time. Also by using ACP as a decryption oracle, I have used this ACP as an unforeseen oracle.

Next, I tested the software using desktops. I used the software to test weaker keys because the properties are weaker than the cryptography. And the encryption and decryption are the same result. So I can test this and give the same result. And I can see if I can understand these weak properties of the keys. And if I use a weak key, I will see that the closed information and the unclosed information has completely changed. And that means that the normal desktops can be seen as a normal desktops. But there is something that is customized, something to do with data and something to do with the key. So two different things. But now I think that it might only have to do with the key. So now I thought maybe it's an XOR mask or something like that. That might only need a gate with desktops hardware. If I...
The more changed bits I have, I wrote this before, I wrote the 16 bits. They are different bit flips in the key to test the results. It would have been possible in a short time, but it was the best thing that I liked. And some of these blocks I have only flipped three bits. Build a few seconds to verify the software and all that. This simple brute force method worked, it worked for a few days, but after that you could see the pattern. This technique would have been faster in less than a second.

After my first customization, I thought that one or more Actors or Gate is the name of each bit of the 8-bit hardware register. The individual XOR gates are controlled by a hardware key and there are several XOR gates that are controlled by these hardware registers. And you could verify the whole thing and it worked just as expected.

I have already seen the whole thing, the whole thing against pirates who know how to use it, but it was never necessary until now. In order to implement a softcam, a software-used unforeseen law, but now I have all the tools to do that. We have the initialization vector, which we can notice pretty quickly. With all this information, we can make a software model. And the transport stream controller can also be implemented in software. You could implement a discriminant software and the hardware customization but overall, the whole thing is the same.

Now it's all working. I think it will test it and then it will work. It will bring that broad cams before the review event goes live. The review is all on their channel. The standard picture that you see when a page event goes online, like a UFC fight, or a set-top box, any level of offer, I could read out any seed-key, no matter with which territory, and I could broadcast every channel of this provider.

There are a few things, the weakness of this system. One is really old technology, more than almost 20 years. That's why it was a bit easier to analyze.
This TQFP100 package is pretty easy to analyze. It's a little bit of a fail for voltage glitching. It has a new architecture that doesn't prevent you from getting remote code as a solution. There's no way to get code updates. And the crypto is completely in hardware and you can't update it in the field. The hardware crypto was basically able to get the hardware customization. And you could practically rate the hardware without looking at the chip.

I was impressed with the design of the system. I think it was stronger than I anticipated when I started the project. All the key handling is on top of the single chip, which makes it impossible to get it out of some of the hardware systems. I do these keys and want to read them out. The keys are changed very quickly. 103 milliseconds is damn fast. And the short lifetime of the keys can't be knocked out in real time. And there's no way to save your time on the back door. I listed this also as a weakness. Because there's no way to change the system.

The system works on its own clock, which prevents you from getting a clock text. It's pretty difficult to notice. If you try to read a key, if you read a dead address, then this key will be reset. So it's a canary. There's a personalization space where you can write or not read. The keys are only in RAM, and then you always have to use batteries for it. You can't simply get these keys. There's no group built key. You can only get this key from an active set-top box. But if you have a key from a used channel, you can get an EMM key so that you can read all the channels. So if you only have access to one channel.

The software is generally well written. I don't have a real flaw. Although that is used, several rounds of that are done with three keys. The part is not as easy as a 56-bit key. You need a working key, a program key, a category key, and a seed key.

You might wonder how many set-top boxes it took for me to read. The truth is, I only needed one. I only needed one wagon full.
A few of the boxes have different board layouts and different chips. The cost of the set-top boxes was low, around $20 per box. I had three years by focusing on the cost of the dirty and dirty parts on how I read the set-top features from the expensive set-top boxes. I don't recommend you pirate cable or satellite cable. I don't recommend you pay for a... There is nothing interesting about what's going on.

Do we have questions from the room? Questions, please use the microphones. I know there is one question from the interwebs. Please use the microphone.

Okay, that's working. The first question from the internet is, how many chips did you destroy or make unusable and how did you get all those set-top boxes? How many chips did you use?

I think the set-top boxes were quite low. Because the boxes were quite cheap, I broke several chips in the process. It didn't take as much as I thought at the beginning. I needed two or three chips for the decapsulation and the de-layering effect. I ended up extracting the wrong chips. I could be glitching to learn three or four chips that you moved the erase app from to build the glitch. I talked about the point where I was extracting the keys from a valid chip, the very first chip that I tried to work with and they were recapable.

Thank you. Microphone 3 was the first one, please.

How many years did this project take?

I worked on it for a few weeks, took a break and came back to it. Most of it was over one or two years.

Thank you. Microphone 2, please.

Hi, thank you for a great lecture. The content description was DES and not DVB-CSA. Why didn't they use DES, not DVB-CSA?

The American don't believe in standards. In North America, we didn't stand out.

Thanks.

The timing was also a part of it. The system was being developed at the same time as DVB was being standardized. The time was also a difference when DVB was standardized.
That's why they took it.

Thank you. And another one from CyberCyber.

Another question from the internet is your question of the internet. How were you able to afford that? How was it possible? Could you all get these very expensive things? How much did it cost? I'm really interested.

I'm doing it professionally. I've collected the time. If possible, I use the money from some customer to buy cool things for my lab. But to do the work, because it was cheaper, you could take cheaper things. For example, a microscope for 1,000 to 2,000 euros. It's not easy, but it's not too much money for a lab.

What do you do other than reverse engineering?

Reverse engineering.

Thank you. And the internet, again.

Okay, next question is somebody wants to know how, well, which software did you use for the automated image analysis? And how can you use it? And how can you find it?

Like everybody else who I know who did something like that, I wrote my own software. For image processing, it was quite simple. It didn't require any higher algorithms. I used my own software which I haven't released so far.

And how did you keep the boxes subscribed? How many of you can use these set-top boxes? How many of you have a good valid subscription?

For most research, I don't need an active box. That's why I first figured it out and I knew how to keep from that one box. And when I had the process out, I used one of them.

Did you hear something about the microphone?

No, I didn't.

Thank you very much for this lecture. And the question is how does the glitching affect the glitching attack?

For the glitcher, I dropped the voltage for a very brief period of time. It caused the glitch on instruction to not execute properly, but it caused the time to function correctly. I noticed an instruction, but the chip is not reset. I'm not actually sure. But I'm not sure how I got the code into the Rambler. I just found out how to do it. I got the code, but that's enough for me.

Thank you, Chris.
A round of applause for Chris Gerlinsky.