FINAL SOLUTION brainstorm for encrypted digital cable HDTV
jbrooks
14th January 2007, 20:49
Ok, so the state of things right now is this: (and please correct me if I am wrong)
- other than the few major network channels, most, if not all, of the HD channels that you get over your digital cable are flagged (by 5c) as copy once or copy never. This means that they will only output in full resolution to a valid DTCP device (your new TV, for instance).
- some "premium" HD digital cable channels are still not flagged by 5c, and theoretically you can dump them over firewire. But this is shaky because the provider can (and does) flag them at any time, and further, automated channel changing is a black art with this solution.
- alternatively, you can dump a component (lousy, downgraded) signal right into a capture card. This is also a bad solution as it involves expensive hardware that can compress into MPEG a full, uncompressed analog stream. And once again, the automated channel changing is a black art.
Summary:
- all of the recipes for HD capture and HD myth systems and HD sageTV, etc., all fall over on their face when it comes to "premium" HD channels.
- Firewire dumping is a bad solution. Maybe it will work for you, maybe it won't, but over time it will go away as more and more channels get flagged with 5c.
- Any method that involves out of band, or IR blasted channel changing is _for suckers_. IR blasting is a total hack and the out of band (firewire ?) channel changing takes too much time and special ordered equipment (and often cooperation from your cable company) to work.
Solution:
I want to take the coax that comes out of the wall and plug it into a cap card, and dump full-resolution "premium" HD channels, onto totally unprotected MPEG files.
I want to change channels over the coax, just like I used to with my Hauppauge pvr-350 and plain old analog cable.
I want to buy 4 cap cards and split my cable 4x, and record 4 channels at a time. Blah blah blah. Basically I want to record HDTV channels just like I used to record SDTV channels with a Haup card and _NO_ cable box. The end.
So the question is, what is required for this to happen ?
Here is what I _think_ is required:
1. a break of the DTCP DRM scheme
2. A HDTV cap card that can take a digital cable input and grab data over it _even if it thinks it can't_ and successfully change digital channels over the coax.
#1 is not _that_ far-fetched - I believe that a researcher cracked it but did not publish due to the DMCA. Further, I believe I have read that a cryptography conference a few years ago successfully broke it as a proof of concept.
#2 ... am I correct that any old HDTV cap card that I go buy can successfully deal with digital cable channels (grab them, decode them, etc.) ? Where would I have to employ a DTCP cracker with a card like this ? Does the card successfully capture protected channels, but the resulting mpeg stream is just gibberish ? Or does it refuse to even attempt to capture a protected channel ?
I guess the final summary of my question is this:
- is a (publicized) DTCP crack all that is needed ?
- if a (publicized) DTCP crack was available, would it work with current, off the shelf HD cap cards ?
- if not, what else is needed ?
Please comment - all comments and suggestions appreciated.
jbrooks
14th January 2007, 23:59
Just to clarify ... I am indeed discussing a STB-Free solution.
No set top box. Coax cable comes out my wall and plugs into my computer. Computer does the decoding of digital cable, does the decoding of 5c/DTCP, and does what it wants with the input (changes channels, etc.)
What's required for that, and will existing HD cap cards work if the encryption was just broken ?
drmpeg
15th January 2007, 11:38
5C/DTCP is only used on the 1394 connection. The actual QAM channels that you want to capture are encrypted with a different method.
Ron
jbrooks
15th January 2007, 16:37
5C/DTCP is only used on the 1394 connection. The actual QAM channels that you want to capture are encrypted with a different method.
Really ? Ok, what method is used to encode the digital cable signal on the coax, and in addition, what method(s) are used to encrypt that signal ?
Is it different for every provider ?
I am happy to entertain other solutions than the one I proposed - the bottom line is, it needs to be _sensible_ (ie., no IR blasting, no sketchy methods of channel changing).
I just want the good old days back, where I would plug the coax straight into my Hauppauge pvr-350 cap card and it would do everything for me - and I wonder what pieces of software and what encryption breaks are required for such functionality.
jbrooks
16th January 2007, 19:38
Hmm...I would have thought this would spark a lively discussion - isn't this topic (recording full resolution premium HD channels) of high interest for everyone ?
Just a summary - I am looking for a way to do _sensible_ recording of premium HD at full resolution - and by sensible, I mean, no firewire dumping and out of band channel changing, no methods that are precarious and can be wrecked by the cable company at any moment ... I mean a real method that will work, totally automated, with no IR blasting blah blah blah, no matter what.
Here are some candidates:
- breaking DES in real time and just plugging your coax cable directly into your capture card. I have learned that cable providers across the board have adopted DES as the encryption standard for digital cable.
- breaking (X) that is used for the upcoming PCI cable card cards, and using them in a linux system instead of a vista system, and dumping non-DRM'd files.
Either way, no set top box is required - you are just plugging cable right into your computer, and there is no out of band channel changing which is such a joke.
So which is easier ? My assumption (which may be totally wrong) is that currently, right now in the real world, I can plug my coax into my HD cap card and tell it to change channels and record, etc., I will just be recording 30 and 60 minute blocks of gibberish because the "premium" channels are encrypted. Is this correct ? Or can existing HD cap cards only tune non-digital cable ?
Any comments on the existing cable-card-cards that will go into windows vista machines ? Any comments on what (X) is that needs to be broken so that one of them can be stuck into a linux system ?
Anything ?
SeeMoreDigital
16th January 2007, 19:53
It would seem that what you are asking about.... ie: cracking digital TV encryption for channels you have not paid for.... Is outside rule 6 of this forum's "fair-use" policy!
If this is the case, you'll get no help from anyone here!
jbrooks
16th January 2007, 20:53
I have from the beginning made it clear that this is for cable TV channels that _I have paid for_. That is fair use in its most basic form. Obviously I would get no digital signal _at all_ if I were not a paying subscriber. It is not my wish to steal cable or any cable channels, but rather to do what I wish with the programming I have purchased.
Right now I pay ... something like $15 or $20 per month for 8 or 10 "premium" HD channels that I have no way of permanently archiving at full resolution, and this is the problem I am hoping to solve.
Obviously if your mind and thought processes have already been castrated by the DMCA, you will be of no help.
EDIT: oops - I can see that I did not, in my original post, make it clear that this is for TV channels _I have paid for_. I beg your pardon. Let me make it clear - I am not trying to save $15/mo or whatever the HD pack costs in your neighborhood. I am trying to archive, in full resolution, channels I am already paying for.
But let me also say that I am surprised to get the knee-jerk "I'm afraid of the DMCA" response on doom9 ... certainly I expected it from all of the windows kiddiez at avsforum, but not here.
DrP
16th January 2007, 22:29
I have from the beginning made it clear that this is for cable TV channels that _I have paid for_. That is fair use in its most basic form. Obviously I would get no digital signal _at all_ if I were not a paying subscriber.
Unlikely. Even if you didn't pay for it, I doubt the cable company would come around and put a blocking filter on your tap as they did in the old analogue days. The digital signal would still be available at your outlet but you would have no way to watch it without a valid subscription.
Brute forcing DES/3DES is within the capabilities of most new home computers, but you can bet that your cable operator regularly changes the keys that are being used, probably in the order of at least every 20 seconds. Given that the interval between a new key being advertised and then being put into use would be in the order of 250ms or so, what computer do you know of today that you could afford could brute force DES let alone 3DES in 250ms?
Right now I pay ... something like $15 or $20 per month for 8 or 10 "premium" HD channels that I have no way of permanently archiving at full resolution, and this is the problem I am hoping to solve.
You pay to be able to watch the channels, not to be able to create a library of permanent recordings.
jbrooks
16th January 2007, 22:46
First off, thank you very much - this is the kind of theoretical talk/comment I was hoping to get. I _realize_ that this may be very difficult/impossible at the present time, BUT I want to at least nail down the problems involved, even if surpassing them is a long way off and/or unlikely.
Unlikely. Even if you didn't pay for it, I doubt the cable company would come around and put a blocking filter on your tap as they did in the old analogue days. The digital signal would still be available at your outlet but you would have no way to watch it without a valid subscription.
Eh. Not my problem. I pay for it, and that's the only ethical question to resolve on my part. I'm not trying to be obtuse here, but if the results of such an endeavour make it possible for a non-paying user to get free TV, that's not my problem.
Brute forcing DES/3DES is within the capabilities of most new home computers, but you can bet that your cable operator regularly changes the keys that are being used, probably in the order of at least every 20 seconds. Given that the interval between a new key being advertised and then being put into use would be in the order of 250ms or so, what computer do you know of today that you could afford could brute force DES let alone 3DES in 250ms?
It does not sound like 3DES is being used - from this document:
http://www.cablelabs.com/news/pr/1996/1996_10_03.html
It looks like it is just plain DES, which was adopted in 1996. With that in mind, I think you could indeed brute force DES in _real time_ with a normal CPU, and perhaps achieve even greater success with a GPU ...
So one question that comes to mind - will a CATV HD cap card successfully capture the encrypted signal, leaving you with large MPEG files full of gibberish ? Because if this is the case, you would not even need to decrypt in real time - you could just record TV and batch decode it on your computer at your leisure...
You pay to be able to watch the channels, not to be able to create a library of permanent recordings.
We'll see. In general, I think it's good to assume that I'll do whatever I please with what I have paid for. There is no greater price bracket, no additional fee I can pay - I am paying them 100% of what they demand, and it is a price that they set. Once that provision has been satisfied...
Ok, so a few questions have been answered:
1. Yes, an off the shelf HD CATV capture card can indeed tune and channel change on digital cable - the cards I see advertise several forms of QAM compatibility (64, 256, etc.)
2. That digital signal contains "premium" channels that are encrypted with a fairly weak cipher - DES, to be exact.
So is that it ? Can I just go home right now and plug my digital cable coax into a cap card, and tell it to capture premium channels, and then it's up to me to decrypt those large digital files ? Or will the cap card refuse to capture the encrypted channels ?
Whether the strategy is to decode on the fly, or batch decode later, are there any other pieces to this puzzle ? Or is it really that simple - DES ?
DrP
16th January 2007, 23:33
It looks like it is just plain DES, which was adopted in 1996. With that in mind, I think you could indeed brute force DES in _real time_ with a normal CPU, and perhaps achieve even greater success with a GPU ...
Clearly you are failing to understand the implications of having to attempt 2^64 key tests against a 204 (192) byte block in real time to get clear content within ~250ms.
In attempting to brute force the content protection you will be in direct violation of your country's DMCA.
We'll see. In general, I think it's good to assume that I'll do whatever I please with what I have paid for.
Really? I guess you haven't read the terms and conditions that you signed against when you got the cable service turned on. You pay to watch. That's it. You do not pay to make a permanent copy. If you did, you would be paying a considerable amount more than you are.
Anyway, this is the limit of what I'm going to contribute to this thread. Quite clearly there are legal implications with what you are attempting to do and I have no doubt that Doom9 will flush this thread down the toilet, where it belongs, during the course of the day.
jbrooks
17th January 2007, 00:15
Sorry it's not getting through - I'll say it again:
I realize that the methods we are brainstorming here may not be currently feasible.
Once more for good measure:
I realize that the methods we are brainstorming here may not be currently feasible.
Clearly you are failing to understand the implications of having to attempt 2^64 key tests against a 204 (192) byte block in real time to get clear content within ~250ms.
Well, actually, I believe that real time DES cracking is in fact reasonable with consumer grade equipment. But your point is well taken - it's hard.
That is why I brought up the notion of batch-decrypting after the fact. You tell your HD cap card to record channels that are encrypted, and it gives you a bunch of large files of junk (because it's encrypted). Then you batch decrypt those large files.
One possible hurdle is that you wouldn't want these to be in MPEG form, because that would make decrypting them much harder - so you would need a cap card (and a computer setup) that can dump non-compressed digital video data to a file, and not to an MPEG file.
Comments ?
In attempting to brute force the content protection you will be in direct violation of your country's DMCA.
Are you kidding ? The doom9 forums are based upon dvd decrypting - did you miss that ? Decrypting, or ripping a DVD is a violation of the DMCA. Period. This thread is no more or less contrary to the DMCA than every single post that deals with how to run dvd decryptor, or how to dump to ISO, etc.
Really? I guess you haven't read the terms and conditions that you signed against when you got the cable serviced turned on. You pay to watch. That's it. You do not pay to make a permanent copy. If you did, you would be paying a considerable amount more than you are.
I WISH I COULD. If I could pay an extra $100 or $200 per month to get full resolution recording to my unix fileserver I would do it in a _heartbeat_. I could save all the time and aggravation of writing on forums and building systems and playing with IR blasters, blah blah blah - I would do it IN A SECOND.
But I can't. It's not an option. And last time I checked, I have a fair use right (regardless of the contract I sign) to record TV that I pay for.
Anyway, this is the limit of what I'm going to contribute to this thread. Quite clearly there are legal implications with what you are attempting to do and I have no doubt that Doom9 will flush this thread down the toilet, where it belongs, during the course of the day.
You only have the rights that you demand and exercise, and clearly you don't demand or exercise much. You don't even have your free speech anymore. How sad.
drmpeg
17th January 2007, 00:38
If you're on a Motorola (GI) based cable system.
http://www.nextcomwireless.com/r5000/cableinfo.htm
Ron
jbrooks
17th January 2007, 00:49
thank you.
This seems to fall under the category of solutions that the cable company can just destroy at their whim. Either they won't allow a customer owned STB, or they don't use that kind of box or ... you know how it is.
I appreciate the info, but I am looking for a solution that is totally independent of their ability to mess with.
The one question I am unsure of is if a HD cap card will capture encrypted channels and you just end up with garbage (encrypted) files OR if they refuse to capture encrypted channels at all ?
drmpeg
17th January 2007, 04:42
thank you.
This seems to fall under the category of solutions that the cable company can just destroy at their whim. Either they won't allow a customer owned STB, or they don't use that kind of box or ... you know how it is.
I appreciate the info, but I am looking for a solution that is totally independent of their ability to mess with.
The one question I am unsure of is if a HD cap card will capture encrypted channels and you just end up with garbage (encrypted) files OR if they refuse to capture encrypted channels at all ?
A QAM capture card like the MDP-130
http://www.digitalconnection.com/products/video/mdp130.asp
will capture a Transport Stream for each QAM channel. Individual programs within that 38 Mbps (QAM-256) stream may or may not be encrypted.
Ron
jbrooks
17th January 2007, 05:30
Thanks.
So, word on the street is, a card like this will indeed record an encrypted signal to a "garbage" file, but it can only record the scrambled video, audio, PAT, PMT pid (those 4, only).
"That means, it does not provide a way to descramble the signal (no ECM pid, no EMM, or any other method that is used to carry decryption keys/commands that are sent to cablecard(?) or smartcard to decrypt." (from timecop@avsforum)
So ... even if you had a DES cracker (real time or batch) you wouldn't be able to break the files because all of the data of the digital "file" is not there.
Comments ?
Is the raw digital signal coming out of the coax cable _already_ in MPEG2 ?
If so, it would seem that this card is only grabbing the portions of the MPEG-2 stream that it needs to display unencrypted channels. If my interpretation is correct, then not only would you need a DES cracker, but you would need a new firmware for the card that does not discard the "unnecessary" parts of the mpeg2 stream...
Is that a reasonable interpretation ?
drmpeg
17th January 2007, 06:07
Thanks.
So, word on the street is, a card like this will indeed record an encrypted signal to a "garbage" file, but it can only record the scrambled video, audio, PAT, PMT pid (those 4, only).
"That means, it does not provide a way to descramble the signal (no ECM pid, no EMM, or any other method that is used to carry decryption keys/commands that are sent to cablecard(?) or smartcard to decrypt." (from timecop@avsforum)
So ... even if you had a DES cracker (real time or batch) you wouldn't be able to break the files because all of the data of the digital "file" is not there.
Comments ?
Is the raw digital signal coming out of the coax cable _already_ in MPEG2 ?
If so, it would seem that this card is only grabbing the portions of the MPEG-2 stream that it needs to display unencrypted channels. If my interpretation is correct, then not only would you need a DES cracker, but you would need a new firmware for the card that does not discard the "unnecessary" parts of the mpeg2 stream...
Is that a reasonable interpretation ?
The MDP-130 will capture the entire 38 Mbps stream, including the CA information.
Ron
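Ron's two replies above say the capture card delivers the whole 38 Mbps multiplex, and that individual programs inside it may or may not be encrypted. The thread keeps circling back to how one would even tell. The MPEG-2 transport stream header answers that directly: every 188-byte packet carries a two-bit transport_scrambling_control field, so a captured dump can be inventoried per PID without touching any key. The script below is an added illustration, not code from this thread or from the MDP-130 vendor; the packets it walks are constructed inline (PIDs, payload bytes and PID roles are made up for the example) and stand in for a real card dump. It reports which PIDs are scrambled and which travel in the clear, which is the check a practitioner would run before concluding anything about what a file contains.

```python
"""Inventory an MPEG-2 transport stream capture by PID, reporting which
PIDs carry scrambled payloads. Relies only on the public TS packet header
layout (ISO/IEC 13818-1): 4 bytes per packet, sync byte 0x47, 13-bit PID,
2-bit transport_scrambling_control (00 = clear, 01 = reserved,
10 = scrambled with even key, 11 = scrambled with odd key).
Added example; the sample packets are constructed, not a real capture."""
from collections import defaultdict

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
NULL_PID = 0x1FFF


def parse_ts_header(packet):
    """Decode the fixed 4-byte header of one TS packet into a dict."""
    if len(packet) != TS_PACKET_SIZE or packet[0] != SYNC_BYTE:
        raise ValueError("not a 188-byte TS packet starting with 0x47")
    return {
        "tei": bool(packet[1] & 0x80),            # transport_error_indicator
        "pusi": bool(packet[1] & 0x40),           # payload_unit_start_indicator
        "pid": ((packet[1] & 0x1F) << 8) | packet[2],
        "scrambling": (packet[3] >> 6) & 0x03,    # transport_scrambling_control
        "adaptation": (packet[3] >> 4) & 0x03,    # adaptation_field_control
        "cc": packet[3] & 0x0F,                   # continuity_counter
    }


def summarize(stream):
    """Walk concatenated TS packets; return {pid: {"clear": n, "scrambled": n}}.
    Null packets (PID 0x1FFF) carry no data and are skipped."""
    counts = defaultdict(lambda: {"clear": 0, "scrambled": 0})
    for offset in range(0, len(stream) - TS_PACKET_SIZE + 1, TS_PACKET_SIZE):
        hdr = parse_ts_header(stream[offset:offset + TS_PACKET_SIZE])
        if hdr["pid"] == NULL_PID:
            continue
        counts[hdr["pid"]]["scrambled" if hdr["scrambling"] else "clear"] += 1
    return dict(counts)


def scrambled_pids(stream):
    """Sorted list of PIDs that carry at least one scrambled packet."""
    return sorted(pid for pid, c in summarize(stream).items() if c["scrambled"])


def make_packet(pid, scrambling=0, cc=0, payload=b""):
    """Build a constructed 188-byte TS packet for the example (payload only,
    no adaptation field, PUSI set). Unused bytes are stuffed with 0xFF."""
    b1 = 0x40 | ((pid >> 8) & 0x1F)                 # PUSI=1, TEI=0, priority=0
    b2 = pid & 0xFF
    b3 = ((scrambling & 0x03) << 6) | 0x10 | (cc & 0x0F)  # adaptation_field_control=01
    body = payload[:TS_PACKET_SIZE - 4]
    return bytes([SYNC_BYTE, b1, b2, b3]) + body + b"\xFF" * (TS_PACKET_SIZE - 4 - len(body))


# Constructed sample multiplex. PIDs and roles are invented for the example.
# PSI tables (PAT, PMT) and CA messages are never TS-scrambled; the audio and
# video elementary streams of a "premium" program are.
SAMPLE_STREAM = b"".join([
    make_packet(0x0000, 0, 0, b"\x00\x00\xB0"),   # PAT, clear
    make_packet(0x0100, 0, 0, b"\x00\x02\xB0"),   # PMT for program 1, clear
    make_packet(0x0101, 2, 0, b"\xDE\xAD"),       # video, scrambled (even key)
    make_packet(0x0101, 3, 1, b"\xBE\xEF"),       # video, scrambled (odd key)
    make_packet(0x0102, 2, 0, b"\x0B\x77"),       # audio, scrambled (even key)
    make_packet(0x0103, 0, 0, b"\x80\x70"),       # CA message PID, not TS-scrambled
    make_packet(NULL_PID, 0, 0),                  # null packet, ignored
])

if __name__ == "__main__":
    for pid, c in sorted(summarize(SAMPLE_STREAM).items()):
        print(f"PID 0x{pid:04X}: clear={c['clear']} scrambled={c['scrambled']}")
    print("scrambled PIDs:", [hex(p) for p in scrambled_pids(SAMPLE_STREAM)])
```

On a real dump, replace SAMPLE_STREAM with the file contents (after confirming the card writes plain 188-byte packets; some hardware emits 204-byte packets with 16 bytes of trailer, which the sync-byte check will catch). Two things the inventory makes visible without any decryption: the program tables stay readable even when the program itself is scrambled, and the scrambling bits alternate between the even and odd key as the stream rotates keys, so the count of such transitions over a recording is a direct measure of how many key periods it spans.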
jbrooks
17th January 2007, 17:15
The MDP-130 will capture the entire 38 Mbps stream, including the CA information.
Ron
Thanks for that information. Is that just a theoretical capability of the card, or does the standard driver/firmware/software support that ?
Thanks again.
Zep
17th January 2007, 19:45
Thanks for that information. Is that just a theoretical capability of the card, or does the standard driver/firmware/software support that ?
Thanks again.
sigh.... 5 seconds in google will answer all your questions.
or go to their site and READ the whitepaper on the 130.
BTW - i own the 120
LockoNH
4th February 2007, 18:14
5C/DTCP must be pretty brutal to break because I see virtually nothing about it on the net. Seems like they really got their ducks in a row when came up with it.
Revgen
4th February 2007, 18:26
5C/DTCP must be pretty brutal to break because I see virtually nothing about it on the net. Seems like they really got their ducks in a row when came up with it.
Part of the problem is that there isn't any hardware for the PC that decodes DTCP clips. Somebody would need to not only do a software hack, but a hardware hack to a D-VHS or digital cable receiver to see whats going on. Hardware circuit hackers are very few. The only ones I know are guys who hacked old Capcom CPS2 arcade machines to break the encryption so that people could play ROM's in emulators. It took them a couple years to figure out how to do it. Keep in mind that DTCP is probably light years better than whatever these old Capcom arcade machines used.
secondoff
5th February 2007, 21:22
Part of the problem is that there isn't any hardware for the PC that decodes DTCP clips. Somebody would need to not only do a software hack, but a hardware hack to a D-VHS or digital cable receiver to see whats going on. Hardware circuit hackers are very few. The only ones I know are guys who hacked old Capcom CPS2 arcade machines to break the encryption so that people could play ROM's in emulators. It took them a couple years to figure out how to do it. Keep in mind that DTCP is probably light years better than whatever these old Capcom arcade machines used.
But I thought the main conclusion of this thread is that you _don't_ need to break 5c/DTCP, since that is just how it is encrypted in firewire.
The real (and exciting) conclusion is that you can just throw the cable set top box out, get a card like a MDP-130 and just grab the entire QAM encoded stream.
You would then be left with DES-encrypted files on your hard drive, and at that point all you need to do is batch-decrypt DES, which gets easier every day.
Now, the caveats as I see them are:
- cracking DES is one thing, but who knows what kind of implementation of DES is coming out of your coax and what other "salt" it might be combined with.
- cracking DES still takes some time to do ... but if you could get some code to have your GPU(s) and CPU(s) all working together it could be very reasonable for a home user.
And the best part is, it's really not reasonable to think of it as a DMCA violation because the EFF had broken DES prior to its use in digital cable standards - and well before the DMCA took effect. Certainly you could (and should) be in trouble if you use it to blatantly steal cable, but just to save stuff you already paid for ... IANAL, of course.
So am I off my rocker here ? Any reason why this is not reasonable ?
Revgen
5th February 2007, 21:33
But I thought the main conclusion of this thread is that you _don't_ need to break 5c/DTCP, since that is just how it is encrypted in firewire.
The real (and exciting) conclusion is that you can just throw the cable set top box out, get a card like a MDP-130 and just grab the entire QAM encoded stream.
You would then be left with DES-encrypted files on your hard drive, and at that point all you need to do is batch-decrypt DES, which gets easier every day.
Now, the caveats as I see them are:
- cracking DES is one thing, but who knows what kind of implementation of DES is coming out of your coax and what other "salt" it might be combined with.
- cracking DES still takes some time to do ... but if you could get some code to have your GPU(s) and CPU(s) all working together it could be very reasonable for a home user.
And the best part is, it's really not reasonable to think of it as a DMCA violation because the EFF had broken DES prior to its use in digital cable standards - and well before the DMCA took effect. Certainly you could (and should) be in trouble if you use it to blatantly steal cable, but just to save stuff you already paid for ... IANAL, of course.
So am I off my rocker here ? Any reason why this is not reasonable ?
Well, I haven't used a MyHD card, so I'm not sure how it works with QAM. I can't, however cap any QAM signals with my DVICO Fusion Gold card. Perhaps the drivers aren't good enough.
Where are these sites that you know of that talk about DES encryption?
secondoff
5th February 2007, 21:47
Well, first off, you can find the official spec for the encryption on digital cable here:
http://www.cablelabs.com/news/pr/1996/1996_10_03.html
And I am sure there are plenty more helpful docs on that site.
Then, refer to this whole discussion under this topic where it was confirmed that there are indeed cards that can grab everything coming out of the coax.
Finally, note:
http://www.copacobana.org/
Where you can buy a $10k DES cracker that will do an exhaustive key search in 9 days - on average you would break any given DES encrypted ciphertext in half that time. So maybe a couple of GPUs and a couple of CPUs all working in the same consumer PC would get you 20 days (on average) ? Maybe you could write some new drivers for SSL acceleration cards and get some more speed with, say, 4 of those in a system.
This is all speculation with no math to back it up - the main thing I want to know is, can it _really_ be done ? I know the DES cracking can, and I know grabbing the full signal off the coax can, but .... what pitfalls do I not see ?
DrP
5th February 2007, 23:52
Remember that very few (if any) encrypted systems use the same key for any long period of time. Lots of them use a different key every few seconds. So while you may be able to brute force a few seconds of content with a few days of hard computing, multiply that by the length of a typical programme - 40 minutes - and it very quickly becomes a very very lengthy process.
Go buy the DVD. :D
secondoff
6th February 2007, 01:34
well...for me it's not about stealing something, or getting some HD movie, it's about newscasts and sportscasts and television shows that are not on DVD. Sporting events, live events, etc.
So, unfortunately, I cannot buy the DVD.
However you are correct - I did not connect the dots and realize that I would have to crack DES multiple times per file.
But even still - let's say you have 2 GPUs, 4 CPUs and 4 SSL-offload cards ... and let's say that there is some problem (any problem) in their cryptosystem implementation that makes things partly easier ... you could batch decode things in 1 day per show, etc.
It's not unthinkable...
So let me pose the question again, with a twist - _aside_ from time/cpu constraints, are there any technical reasons that this cannot be done ?
SatansChild
7th February 2007, 02:38
While brute force decrypting the raw data should be possible at least in theory (at least assuming there is some unrecognizable piece of the stream in the decrypted portion of the stream i.e. a mpeg2 header and/or ac3 header) it would be very processor intensive and time consuming to do this with any useful length of video. It would seem to me to be much more efficient to attack the transport that the DES keys are sent to your cablecard/cablebox in. From reading the specs @ Cable labs it seems that PowerKey and DigiCipher are the two methods used to send the DES keys to the end device.
From the descriptions of cable card installation and what details of the two methods are available through a quick googling it seems that a publickey/privatekey scheme is used to send the keys to the cablecard. My guess is that the card is programmed with the public key corresponding to the cable provider's private key for each package since if the cable company got a private key to the card and broadcast the des keys encrypted in the corresponding public key it would require the cable company to broadcast one key for each subscriber.
Assuming my guesswork and understanding is correct the best solution would seem to be to get the public/private key from a cable card you own (cable company provided cableboxes communicate bidirectionally which could complicate things greatly) and obtain the des keys for the transport stream from there. This would also mean that you'd only have access to channels/packages that you actually subscribe to, but since you don't want to steal content you have not paid for, it would work for your needs assuming it is possible to obtain the public/private key from the cable card at all.
secondoff
7th February 2007, 23:12
Yes, all else being equal that would be easier...
Are you suggesting that one would get the key pair off of the cablecards, but then just throw the cable cards away and plug the coax right into their cap card, and using that keypair just decrypt the signal in real time ?
That would certainly be elegant ... and best of all, no vector with which to steal channels you don't pay for ...
DrP
8th February 2007, 07:24
That wouldn't work. The keys on the cards are periodically changed. A lot of pay systems are quite secure, you'd be wasting your time if you think you can get at the contents of your cable card's memory any time soon (if ever).
SatansChild
8th February 2007, 19:30
Yes, the keys stored on the cards could be/are changed, but since cable cards are a one way medium a new key would have to be pushed to the card in a format that the card could read (if it's pushed in an encrypted format then it must be able to be decrypted by the card too otherwise the card couldn't update itself) so you'd have to emulate the cable card in software and go through the same process. While this would by no means be easy, it should be possible assuming you had access to the cablecard specs (you'd need to be a cablelabs member or get the documentation from one) and knew the base key it started with.
A lot of pay systems/content protection systems are quite secure but I've never seen one that couldn't be broken or gotten around in some manner. As the recent AACS hack/workaround recently proved there is no way to give someone both the content and the key and not have them be able to decrypt it. Reading the memory from hardware is not as easy as software but it is by no means impossible for someone with the right background. In my opinion it would be easier than brute force DES cracking ~180 keys (assuming a 1 hour show and a 20 second use of each DES key).
DrP
8th February 2007, 21:37
you'd need to be a cablelabs member or get the documentation from one
OK, so we can more or less discount that avenue of pursuit. Documentation regarding the inner workings of pay TV systems is a heavily guarded secret (by this I don't mean general info such as is available for DVB, I mean the inner workings of the content protection systems). Key encryption algos are especially guarded. Only a select few have access to that sort of info. Who here would give up their well paid job just so someone can breach cable card security?
As the recent AACS hack/workaround recently proved there is no way to give someone both the content and the key and not have them be able to decrypt it.
The AACS workaround is just that. The system hasn't been broken and if it wasn't for poorly written PC players, people still wouldn't have access to the decrypted content.
Reading the memory from hardware is not as easy as software but it is by no means impossible for someone with the right background.
You are assuming you can actually get physical access to the memory at all. The memory being referred to is entirely internal to a single secure micro. There is no way to read the contents from the outside unless whoever wrote the program wants you to. Anyone that has played with certain PICs will know what I'm talking about. Sure you might work out how to load your own code onto whatever device is being used in the cable card systems, but odds on doing so would blank any stored data in eeprom / flash. Even if it didn't blank the storage your own code would only allow you access to a single periods key as you'd be erasing the very code that allows the cable card to be updated. Not only that, in replacing the original code, you no longer know what the algo did in order to reveal the content keys by using the keys stored in the card.
Brute forcing the DES would be a considerably easier path and brute force is going to take a looooong time.
secondoff
9th February 2007, 07:45
RE: brute forcing
the looong time for brute forcing assumes a perfect implementation of DES ... if there are any problems in that implementation that can be exploited, cracking it (even 180x per hour show) could be perfectly reasonable.
All speculation, of course, but just want people to be clear - cracking a perfect implementation of DES is simply the absolute worst case scenario - in reality it could be much faster and simpler than that...
LockoNH
14th February 2007, 20:27
How does D-VHS via firewire work? The STB recognizes that the D-VHS is secure (DTCP), does it then send the video data unencrypted? I'm thinking mostly about 'Copy-Once' type programs. I assumed the D-VHS would then not allow you to send 'Copy-Once' programming out of its firewire port unless it's to another DTCP enabled device. My question is more about whether the data itself is transmitted unencrypted if the devices recognize the other device as DTCP, or does it encrypt it regardless and the DTCP device somehow decrypts it upon playback?
Shrubs
18th February 2007, 10:42
That's more of the type of method that would make sense to me. Somehow emulate a valid firewire connection, so it pushes the signal out unencrypted. (If that's what it does.)
Aren't there some televisions that will take firewire as a video source which STB's allow? Could there be a way to emulate that with a PC?
yodoso
22nd February 2007, 15:39
Capturing in the old days was fun, nothing could stand in my way with my bt878 based card. Looks like the current problem is real time DES cracking. I don't think a PC exists that could crack DES in 1/24th of a second. A solution around the problem would be to capture the encrypted stream first, then decrypt it later once you've got all that lovely data on the hard drive.
secondoff
4th March 2007, 21:27
yeah but the reason the firewire route is a dead end is because you are either stuck in IR-blaster land, or you depend on the grace of your cable co to give you an up to date STB that not only supports firewire properly, but supports firewire channel changing, etc.
Further, one FW port gets you one channel at a time recording ability ... so you need multiple STBs, etc.
That is why I don't think firewire is part of any "final solution" that is in any way elegant.
The final, elegant solution is one that involves plugging your coax into a cap card _and that's it_. So somebody needs to find a weakness in their DES implementation (surely exists) that will allow on the fly descrambling.
OR:
a multi-cable-card HTPC or s3tivo would also be a viable, elegant option, provided that the saved shows could be unlocked/de-DRM'd.
The point is, the solution cannot involve multiple STBs or any kind of IR blasting (or other out of band signalling)
It'd have to be a stellar weakness to allow real time brute forcing. Think about it. If the protection is so weak that it can be done in real time, it'd be reasonable to assume that everyone would be doing it right now. DVB's CSA which is a DES implementation has been around for years. I have no doubt that whatever system implemented with cable cards is at least as secure as CSA. Do you see people mass brute forcing CSA?
Let's assume that the content encryption is so weak (highly improbable!) that a PC can brute force it in, on average, an hour per key. Assume also that the pay TV operator changes their key every 10 seconds (not unreasonable at all). For a typical 40 minute long show with ads (you can't remove the ads before you decrypt since you can't tell what is ad and what isn't) you end up with around 1 hour of content to decrypt.
That comes out at around 360 hours on average while being very optimistic about the weakness of the content scrambling.
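Brute forcing against rotating keys, as discussed in this reply and earlier in the thread (secondoff's point that only a weak DES implementation would make it practical, and yodoso's capture-now-crack-later idea), comes down to two things: a way to recognise a correct key, and the number of key periods in the show. The Go program below is an added example, not code from any poster and not an attack on any real cable system. It assumes the payload is scrambled with plain single DES one block at a time (the thread never establishes what the real system does) and that a correct key can be recognised by the PES start code 00 00 01 E0 in the first payload block of a packet, the usual known-plaintext trick against scramblers. The key, the two sample packets and the six known key bytes are constructed; the search is cut to the last two key bytes so it finishes in a fraction of a second, and estimateHours then scales the measured rate to a full 56-bit search and to the 10-second key period and one-hour show assumed above.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"math"
	"time"
)

// sampleKey is a constructed stand-in for one key period's DES key. In a real
// attack it is the unknown being searched for; here the search is cut down to
// the last two bytes so the demonstration finishes in well under a second. The
// low bit of each byte is a DES parity bit that the cipher ignores, so those
// bits are 0 here and the recovered key compares byte for byte.
var sampleKey = []byte{0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0}

// pesStartCode is the distinguisher a brute-forcer tests candidates against:
// a PES packet begins with 00 00 01 and a stream id (0xE0 is the first video
// stream), so the first scrambled payload block of a transport packet that
// starts a PES packet is known plaintext.
var pesStartCode = []byte{0x00, 0x00, 0x01, 0xE0}

// decryptBlock decrypts one 8-byte block with single DES. How the real system
// chains blocks is not established in the thread, so one block is all that is
// assumed here.
func decryptBlock(key, ct []byte) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := make([]byte, des.BlockSize)
	c.Decrypt(pt, ct)
	return pt
}

// makeSamples scrambles two constructed PES-header blocks under sampleKey,
// standing in for two captured packets from the same key period.
func makeSamples() [][]byte {
	c, err := des.NewCipher(sampleKey)
	if err != nil {
		panic(err)
	}
	var out [][]byte
	for _, pt := range [][]byte{
		{0x00, 0x00, 0x01, 0xE0, 0x00, 0x00, 0x80, 0xC0},
		{0x00, 0x00, 0x01, 0xE0, 0x12, 0x34, 0x85, 0x80},
	} {
		ct := make([]byte, des.BlockSize)
		c.Encrypt(ct, pt)
		out = append(out, ct)
	}
	return out
}

// bruteForce tries every value of the key bytes after knownPrefix. A candidate
// is accepted only if both samples decrypt to a PES start code: one 32-bit
// match leaves a 2^-32 false-positive rate per key, which over a full 2^56
// search would mean millions of false hits.
func bruteForce(knownPrefix []byte, samples [][]byte) (key []byte, tried uint64, ok bool) {
	unknown := des.BlockSize - len(knownPrefix)
	cand := make([]byte, des.BlockSize)
	copy(cand, knownPrefix)
	limit := uint64(1) << (8 * uint(unknown))
	for i := uint64(0); i < limit; i++ {
		for j := 0; j < unknown; j++ {
			cand[len(knownPrefix)+j] = byte(i >> (8 * uint(unknown-1-j)))
		}
		if !bytes.HasPrefix(decryptBlock(cand, samples[0]), pesStartCode) {
			continue
		}
		if bytes.HasPrefix(decryptBlock(cand, samples[1]), pesStartCode) {
			return append([]byte(nil), cand...), i + 1, true
		}
	}
	return nil, limit, false
}

// estimateHours scales a key rate up to a full single-DES search (2^55
// candidates on average) and then to a whole show, given how often the
// operator rotates the key. keyPeriod and showLength are in seconds.
func estimateHours(keysPerSecond, keyPeriod, showLength float64) (perKey, total float64) {
	perKey = math.Ldexp(1, 55) / keysPerSecond / 3600
	return perKey, perKey * math.Ceil(showLength/keyPeriod)
}

func main() {
	samples := makeSamples()
	start := time.Now()
	key, tried, ok := bruteForce(sampleKey[:6], samples)
	elapsed := time.Since(start)
	fmt.Printf("recovered=%v key=%X after %d candidates in %v\n", ok, key, tried, elapsed)
	rate := float64(tried) / elapsed.Seconds()
	perKey, total := estimateHours(rate, 10, 3600)
	fmt.Printf("at %.0f keys/s: %.3g hours per key, %.3g hours for a 1 h show with 10 s key periods\n", rate, perKey, total)
}
```

The number worth looking at is the per-key figure: at a million keys per second, 2^55 candidates is more than a thousand years, so the "hour per key" assumed above is already generous by several orders of magnitude, and the search can only start at all if some block of the scrambled payload is predictable. Without that distinguisher there is nothing to test a candidate key against, however fast the hardware.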
OldHen
20th March 2007, 16:16
I've been contemplating a solution to this issue: An SD3250HD emulator, running on a PC.
There is architecture emulation for advanced systems like x86 (and its peripherals), game consoles, etc, so why not an HD STB? The host PC would have a QAM capable card, and the private key (assuming STB's use public key cryptography) would be copied from the STB somehow. The PC wouldn't have to render the av stream after decryption, only dump it to firewire or some other data channel that can be handled by a media center.
Is anyone familiar enough with HD STB architecture and components to speculate if this is possible?
morph166955
23rd March 2007, 04:29
Creating an emulator is extremely difficult. You basically have to be able to know (or predict) what the response to any input would be; that way you could emulate it. Unlike game consoles that are entirely self contained where you could in theory generate the signals and then record the output, the cable box receives signals from the cable company and there is no way to predict what those signals are going to be at any given time. Also, most cable companies require you to register the box with them via a MAC address from the box. If you have ever gone away for a prolonged period of time and left the box off/unplugged, when you get back the box says you have to call and tell them to reactivate it. You would obviously have to already have a registered box and be able to emulate this MAC address (not very complicated, just another obstacle).
The cable box is also immensely more complicated b/c of all of the encryption that's in it plus a dozen other things that I probably have no idea exist or how they even work.
While yes, your idea has merit and given the proper equipment it would be doable and create something that could solve this little issue... it may unfortunately be on the wrong side of the possible vs feasible line.
Your idea did however give me an idea. The cable box has a MAC address in it as I noted before to handle the data communications between the cable provider's server and the box itself. If one could modify a cable modem in some fashion to emulate that part of the cable box rather than the whole thing and then send some sort of a raw data stream into a computer (possibly over a network interface?), then it would in theory be possible to capture the data sent to that address. Now I'm not entirely sure about how the cable box receives its encryption codes for the channels from the provider, but I'd like to believe that the cable box operates under similar principles as other data communications sent over a cable line. In theory, while you wouldn't need the QAM capable card or anything like that, you would be able to capture the data packets sent to the box.
While I have a significant amount of experience in computer networks and computer science (I have a degree in it), I don't know if any of that is even remotely correct in this situation. I do however hope that it may stir an idea in someone else's brain.
OldHen
23rd March 2007, 17:06
The complications with game console emulation are mostly with audio & video subsystems. With almost every project like this, it starts with the CPU, which is relatively simple... it's always the first "alpha release" of any emulation project... and typically the final release due to the complexities of the additional systems.
If emulation is done at the purest level, cable company updates should be received & processed (firmware updates for instance) just like the real stb.
Since we're after the MPEG stream only, we don't have to worry about audio or video rendering, eliminating the harshest parts of emulation, reducing them to a "null device". I suspect decryption is handled by a dedicated subsystem, which will probably be the most difficult portion to reverse-engineer.
FreQi
25th March 2007, 19:23
I think it is safe to assume that digital cable is using more of a networking approach to delivering their content to the STBs. Addressing MACs and ARP'ing the keys over the wire seems like a reasonable assumption. Sort of like DHCP and BOOTP broadcasts on a LAN. I think emulating the MAC address of your STB on your PC and pulling the keys off the line is a more sane approach than trying to brute force the decryption. Am I wrong?
DrP
25th March 2007, 20:59
Am I wrong?
More than likely. I doubt that many of the cable providers in the USA are using IP to carry their programming. More than likely they are something similar to a DVB-c broadcast.
morph166955
25th March 2007, 21:51
I agree with DrP on that. Them using IP is HIGHLY unlikely.
Another idea, if someone is willing to give this a whirl, is to try to get the software off of the box that the cable company uploads to it. My 8300HD has a SATA drive in it which I know you can connect to any of a dozen different types of external bays (my personal favorite is a bay made by Bytecc which used to be penguin gear), however I'm about to return my box since I'm moving and I don't want to violate any of those "do not rip or void blah blah blah" stickers at this point. One approach to at least extract the data for use on a computer would be to use Knoppix or something similar. While I know that the partition system that it uses is not anything normal, you could use dd to do a direct dump of the data on the drive to an image (I'd suggest doing a format on the box first, that way there is no other data left on the box that could be mistakenly confused when reading the file). To do this on the 8300HD (make sure the box is on when you do this, I find it works better) you hold the pause button on your remote until the mail icon comes up, hit page down (the - key) once, and then the list button 3 times. Power down the box, and then when you power it back up the drive will be formatted. An even better approach, if you can get the drive out beforehand, would be to again use Knoppix/dd and completely zero out the drive so that we know that there is nothing left from beforehand on the drive, should the box's format be similar to a standard quick format which only redoes the partition table but leaves the data alone.
I have to assume that the software is in the beginning of the drive for several reasons. When it comes down to it, the box must use some things that are considered standard since I am sure the boxes do not use anything that's not a standardized processor or anything like that. If we could go through the drive bit by bit, decipher the partition table, and then in turn extract the software that would give us a substantial step forward in being able to emulate the STB on a computer or something else.
Given the software (assuming we can read/decrypt/possibly even decompile it if we can figure out what kind of processor the box has), that should allow us to see how the box works very well.
DrP
25th March 2007, 23:09
I think you'd find that the software for the box is stored in flash, not on the hard disk. Older boxes tend to have their firmware stored in the clear and can be easily read. Newer ones keep it encrypted with the decryption routines being held inside the 'do everything' micro where you can never see them. With the next generation of 'all in one' decoder chips, I imagine that even the flash will be moved into the CPU so getting access to it at all just won't be possible.
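Going through a dd image of the box's drive "bit by bit" to find the partition table and the software, as morph166955 proposes a few posts up, and then telling which parts of it are readable and which are encrypted, as DrP warns the newer firmware is, are the two steps the Go program below demonstrates. It is an added example, not something any poster wrote or ran against an 8300HD, and no real box image was used: BuildSampleImage constructs a 64 KiB image in memory with a classic MBR, a plain-text "firmware" partition and a partition of seeded random bytes standing in for encrypted data, all of which are assumptions for the demonstration. ParseMBR reads the four 16-byte entries at offset 446 if the 0x55 0xAA signature is present; ScanImage then walks the image in 4 KiB blocks and merges them into runs that are blank (one fill byte), plain (low entropy: code, strings, tables) or high entropy (encrypted or compressed). Against a real dump you would read the image file in place of BuildSampleImage, and a non-standard layout simply shows up as ParseMBR returning false with the scan still mapping where the readable material sits.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math"
	"math/rand"
	"strings"
)

// Partition is one primary entry of a classic MBR partition table.
type Partition struct {
	Type              byte
	StartLBA, Sectors uint32
}

// ParseMBR returns the used entries if the image starts with a classic MBR (boot
// signature 0x55 0xAA at offset 510); a box with its own layout gets ok=false.
func ParseMBR(img []byte) (parts []Partition, ok bool) {
	if len(img) < 512 || img[510] != 0x55 || img[511] != 0xAA {
		return nil, false
	}
	for i := 0; i < 4; i++ {
		e := img[446+16*i : 446+16*(i+1)] // 16-byte entry; type byte 0 means unused
		if e[4] != 0 {
			parts = append(parts, Partition{e[4], binary.LittleEndian.Uint32(e[8:]), binary.LittleEndian.Uint32(e[12:])})
		}
	}
	return parts, true
}

// Entropy is the Shannon entropy of b in bits per byte (0 to 8).
func Entropy(b []byte) (h float64) {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	for _, c := range counts {
		if c > 0 {
			p := c / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Region is a run of consecutive blocks that all received the same class.
type Region struct {
	Start, End int // byte offsets, End exclusive
	Class      string
}

// ScanImage classifies the image block by block by entropy and merges
// neighbouring blocks of the same class: a map of where to dig in a dump.
func ScanImage(img []byte, blockSize int, threshold float64) []Region {
	var regions []Region
	for off := 0; off < len(img); off += blockSize {
		end := off + blockSize
		if end > len(img) {
			end = len(img)
		}
		class := "plain" // code, strings, tables: the part worth disassembling
		switch e := Entropy(img[off:end]); {
		case e == 0: // one fill byte throughout: erased flash or unused space
			class = "blank"
		case e > threshold: // encrypted or compressed: opaque without the key or decompressor
			class = "high"
		}
		if n := len(regions); n > 0 && regions[n-1].Class == class {
			regions[n-1].End = end
		} else {
			regions = append(regions, Region{off, end, class})
		}
	}
	return regions
}

// BuildSampleImage constructs a 64 KiB stand-in for a dd dump (constructed data,
// no real box image): an MBR, a plain-text partition at LBA 8 and a partition
// at LBA 72 of seeded random bytes playing the part of encrypted data.
func BuildSampleImage() []byte {
	img := make([]byte, 128*512)
	img[510], img[511] = 0x55, 0xAA
	for i, p := range []Partition{{0x83, 8, 64}, {0x83, 72, 56}} {
		e := img[446+16*i:]
		e[4] = p.Type
		binary.LittleEndian.PutUint32(e[8:], p.StartLBA)
		binary.LittleEndian.PutUint32(e[12:], p.Sectors)
	}
	copy(img[8*512:72*512], strings.Repeat("STB firmware: boot loader, channel map, CA client ... ", 600))
	rand.New(rand.NewSource(1)).Read(img[72*512:])
	return img
}

func main() {
	img := BuildSampleImage()
	fmt.Println(ParseMBR(img))
	fmt.Println(ScanImage(img, 4096, 7.0))
}
```

The threshold of 7 bits per byte is a rule of thumb: compiled code and tables typically sit around 5 to 6.5, while anything encrypted or compressed is close to 8, so a partition that scans as one high-entropy run from start to finish is the case DrP describes, where the dump on its own tells you nothing without the key held inside the micro.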
morph166955
25th March 2007, 23:32
While I'd agree that normally software is in the flash, I think I'm right on this one. I know when I format the drive on my 8300HD it has to redownload the most current software to the box. It may be a 2 step type of thing similar to how a regular computer works: a smaller OS similar to our CMOS which looks to the HDD for a larger OS similar to Windows or w/e.