JPL's Wireless Communication Reference Website

Chapter: Network Concepts and Standards
Section: Broadcast Systems, Digital Video Broadcasting (DVB).

Hardware for cryptographic protection in de-scrambler boxes

Introduction
Smart Cards
Microcontrollers

Introduction

From the pay tv systems overview page it appears that most hackers do not try to build a complete new decoder. They only try to modify the existing decoder boxes to add new services to services they already pay for or modify the decoders in such a way that they do not have to pay at all. Most hacks were not caused by cryptanalysis, but by implementation errors. This happens in most cryptosystems [20]. So, the hackers are not only examining the scrambled signals, but also the decoder boxes and Smart Cards. The Smart Card is the most secure part of the cryptosystem. Some information about Smart Cards is given in the first paragraph.

It is easier to derive the scrambling algorithms from the program code stored somewhere in the decoder than to derive the algorithms directly from the signals. The most common way to get such code is extracting programs from microcontrollers and EPROM's. The most attacked hardware is located close to the interface with the smart card. This is the weakest place in the existing scrambling systems, almost all hacks are focused on this interface (Mac Cormac, PC-driven Smart Cards, cardless decoders, etc.). To avoid these hacks the newer microcontrollers are equipped with a protection mechanism, that should prevent people from reading out the code. However, some mechanisms fail. In this paragraph some hacks on this kind of hardware are described.

Smart Cards

General description and architecture of Smart Cards

Smart Cards are already in use in most TV scrambling systems. They are also widely used for pay telephone applications. There are basically two classes of Smart Cards [21]; contactless and contact. The contact type Smart Card requires direct electrical connection to the decoder. It is the cheapest format. The non-contact type Smart Card has not been used in decoder applications yet. It uses oscillators running at different frequencies to supply power to the card. A filter and rectifier arrangement circuit on the card picks up the signal generated by the de-scrambler and produces a DC voltage. Data can be transferred in a similar fashion. This type of card may be used in the future but the cost is prohibitive.

The connector specifications for the contact Smart Card have been established as an ISO 7816 standard. The ISO standard specifies eight connections of which only six are actively used as can be seen in table 1.

Tabel 1. Layout of the connectors

Contact Designation Contact Designation

C1 VCC (Supply Voltage) C5 GND (Ground)

C2 RST (Reset) C6 VPP (Programming Voltage

C3 CLK (Clock Signal) C7 I/O (Input/Output)

C4 Reserved C8 Reserved

Due to the difficulties involved in reverse engineering a card, it is very difficult to extract the data from the card without destroying the card. The fact that the structure of the card is known does not imply that the actual program in the card is known. It should be stated that extracting the program from a smart card is not impossible.

The structure of the card is basically simple. It consists of a microprocessor and memory. This description fits the microcontrollers used to control receivers and video recorders. The type of memory used can vary. It generally involves:

Read Only Memory (ROM)
Erasable Programmable Read Only Memory (EPROM)
Electrically Erasable programmable Read Only Memory (EEPROM)
Random Access Memory (RAM)

The information stored in the ROM is fixed and cannot be altered without changing the design of the Smart Card. The information in the EPROM generally has to be erased with ultra violet light. This would imply that once the card has been programmed, the information cannot be erased in the card. The EEPROM is more usable in Smart Cards for one specific reason - it can be reprogrammed in the card. The manner in which the VideoCrypt cards can be turned on and off seems to indicated that the VideoCrypt Smart Card uses EEPROM memory rather than EPROM. In table 2 some configurations are listed of available Smart Cards.

Table 2. Microprocessor / memory configurations of Smart Cards

Manufacturer
Type CPU RAM ROM EEPROM

Siemens
SLE 44xx 8 Bit
8051 derivative 128 Byte 4 kByte 2 kByte

Motorola
68HC05xx 8 Bit
6805 128 Byte 6 kByte 3 kByte

SGS
ST9 8 Bit
6805 derivative 256 Byte 20 kByte 1.5 kByte

Toshiba
TOSMART 8 Bit
Z80 derivative 512 Byte 8 kByte 8 kByte

Hitachi
H8/310 8 Bit
H8 256 Byte 10 kByte 8 kByte

Philips
83C852 8 Bit
80C51 derivative 256 Byte 6 kByte 2 kByte

OKI
MSM627xxx 8 Bit
8051 derivative 448 Byte 14 kByte 16 kByte

The Smart Card's Microcontroller is fabricated on one chip. This chip contains EEPROM. If any attempt is made to scan the chip with an electron microscope, the EEPROM will be wiped. Since the design is all on a single chip the data flow between the memory areas cannot be directly examined.

The ROM area of the card is not accessible. It cannot be read out by pumping the card. For this reason it holds the most critical information. The programs held in ROM are used for all services or channels that use the card. The algorithms will be identical but the keys will be totally different. This section will also hold the routine for decryption the data in the EEPROM area of the memory. The EEPROM contains the enabling data for each channel that the card user has paid for. The data entry for each channel would consist of a channel identifier, a billing period, a regional identifier, key data and authorisation data for the channel. The RAM section is used by the decryption algorithm and other programs as a temporary storage area.

Design of Smart Cards

The design of a Smart Card is complex and prototyping can take a few months. The ROM in the card has to be mask programmed. This essentially means that the programs to be stored in the ROM are designed as part of the chip. The procedure is straightforward.

The programs to be included in the ROM are developed on a Smart Card emulator. This is a microprocessor development system that is configured to imitate a Smart Card. It is hooked to a personal computer. The program developer will write the programs on the computer, test them, and if they run successfully, load them into the Smart Card emulator. The Smart Card emulator will then be plugged into a decoder to ensure that the programs work.

The programs will then be supplied on floppy disc to the chip manufacturer. The manufacturer will program an EPROM with the programs and send it to the card issuer for verification. Once the EPROM is checked, the manufacturer will then produce the chips in sample quantity. These chips will also be tested for correct operation. The chips can then be mass produced. The chips are glued to a printed circuit board substrate with epoxy resin. The connection pins on the chip are wired to the connections on the substrate. The substrate connections are then wired to the connector array. The actual plastic card is injection moulded with an indent for the chip. The chip is then glued into the indent. The card is then tested to ensure that it is operational.

The Smart Card at this stage will only have the bare minimum of data. There will be no service data in the EEPROM. This data is programmed into the card by the card issuer. In VideoCrypt's case, the programming and card assembly would be carried out at the Gemplus factory in Scotland.

Operation of a Smart Card

The SMART card is essentially a partial computer on a card. It is a partial computer because it requires other circuitry and inputs to operate. The first requirement is supply voltage. This is generally a 5 Volt DC supply. The second requirement is a clock signal. This is a stable frequency square wave of 5 volts amplitude. This frequency is derived from a crystal in the de-scrambler. The frequency used in the VideoCrypt card is 3.5 Mhz. The third requirement is a reset line. This is used to initiate the programs and routines in the card when the card is inserted into the socket. The fourth requirement is the EEPROM voltage. The EEPROM programming voltage is high, typically over twenty volts. This voltage is only on for a few milliseconds every three seconds. The chip would generate too much heat if it was continually fed with high voltage. The fifth requirement is the data port.

The data flows to and from the card on one line. It is serial data. This port would be connected to the RAM in the card. The serial data would be clocked into the RAM. The microprocessor on the chip would then read the data in a parallel format. The data flows at 9600 Baud or at 9600 bits per second. The serial data line makes the card more secure. When the card is inserted into the de-scrambler, the reset pin is activated. This zeroes the RAM and causes the microprocessor to select the boot-up program. This program will verify that the card is valid for the period and not on the blacklist.

The card will then read the data from the de-scrambler. This data, along with service data from the EEPROM, will be used in the decryption algorithm stored in the ROM. The product of the decryption algorithm will then be passed back to the de-scrambler.

In the VideoCrypt system, the information flowing to and from the card is not useful on its own. The data is not the actual key used to de-scramble the picture. This data is passed via the 8052 Housekeeper microcontroller to a secure microprocessor, the ZC404044 or ZC404047, where it is then used in a further algorithm to generate the seed for cutpoint generator. The secure microprocessor is actually a Mask ROM version of the 6805 microcontroller.

Pay Per View is extremely easy to implement with a Smart Card. The card user will purchase a number of credits or tokens each billing period. A typical number would be 99 tokens. The Smart Card would be programmed so that the token counter would read 99 tokens. When ever the user wanted to watch a PPV film or event, a message would be shown on screen stating the number of tokens that the event is valued at. To watch the programme, the user would press the authorise or pay button on the front of the de-scrambler. The de-scrambler would then decrease the token register by the correct amount. Each service could have a token register. The actual operation of the counting mechanism would be more complex. It would be too easy to intercept the taken count value and substitute a continual 99 tokens. This type of hack is commonly used in computer games and is known as an "Infinite Lives POKE". At present the actual PPV algorithm for VideoCrypt lies mainly in the 8052.

Smart Card security and addressing

The VIdeoCrypt cards are valid once they leave the subscription centre. This means that they can be used in any VideoCrypt de-scrambler. They can be deactivated over the air by Sky. When this occurs, a section of the EEPROM in the card is overwritten so that when the card is inserted into the de-scrambler, it will not work. In order to reactivate the card, the program providers Sky send out a message to the de-scrambler to reprogram the overwritten section of EEPROM. This weakness was actually used to hack the VideoCrypt system though it was quickly discovered and countered.

Other systems using Smart Card use over the air enabling. In this case, the cards cannot be used immediately. They have to be inserted into the de-scrambler and the subscription centre has to be informed. The subscription centre will then activate the card. This method of addressing is more time consuming and thus less economical. it is basically a trade off between medium security and very high security.

Reverse engineering a Smart Card is not an economically viable hack. The chip on the Smart Card is covered in epoxy resin. Trying to remove this resin can sometimes destroy the chip. If the memory and the microprocessor are on different chips, it would be barely possible to attack the connecting wires and monitor the data flow. if the memory and the microprocessor are on the same chip it is impossible. Using an electron microscope to read the memory may partially work on EPROM type Smart Cards. Smart Cards using EEPROM memory are reasonably secure against this hack. The scanning electron beam erases the EEPROM.

It is possible that a method for reprogramming the EEPROM on a Smart Card could be developed. Using such a method, the EEPROM contents of a valid card could be copied and loaded on to an old Smart Card. There is virtually no problem in obtaining old Sky Smart Cards. This hack has one fatal flaw. The ROM data on Smart Cards is changed from billing period to billing period. Therefore the algorithms and the EEPROM data decrypting algorithm are different. One potential weakness on a multi service card would be a cloning of a fully authorised card using a Smart Card with the minimum authorisation. This hack relies on the development of an EEPROM reading and writing method.

It would appear that the Smart Card is the most difficult aspect of the system to hack. It is certainly not economically viable to hack it. The use of a Smart Card does not confer immunity to hacking upon a system. There are usually fatal flaws in the descrambler that the hacker can exploit. The VideoCrypt system has become a rather lucrative target after the Sky / BSB merger.

Microcontrollers

PIC microcontrollers

The PIC16C84 is a relatively recent addition to Microchip Technology Incorporated's range of microcontrollers (for which they coined the name Peripheral Interface Controllers or PICs) [21,22]. The 16C84 is particularly interesting because its program memory is implemented in EEPROM technology. This gives the 16C84 a marked advantage over EPROM. The ESD protection method (using a fuse) is implemented to prevent people reading out the code in the chip. Many hackers used this chip in their piracy smart cards. However, this protection failed. The top of the chip could be removed and the fuse could be re-engineered. Also other hacks are known to read out the programming code.

8052 chips

It is also possible to hack Futuretron 8052 chips used for Videocrypt de-scramblers [21]. Unprotection of Futuretron chip is based on possibility to read the 8052 having the two security bits set with help of the instruction MOV a,@DPTR, if that instruction will be executed by internal EPROM. If the 8052 will be run in a particular mode, the instruction can be called via an external EPROM.

Microcontroller of the DSS system

In the DSS IRD, the microcontroller that controls the card-decoder interface is a custom microcontroller [22]. It is also protected. The European Videocrypt microcontroller was not protected. Hackers dumped out the code and rewrote it into an EPROM version (PIC). Of course the card-decoder microcontroller would have been the first chip in the DSS IRD to have been reverse engineered. The reverse engineering of a customized microcontroller is not, in most cases, as difficult as a smart card. There is a hack known as "Vampire hack", which can dump the contents of the ROM.

Contact	Designation	Contact	Designation
C1	VCC (Supply Voltage)	C5	GND (Ground)
C2	RST (Reset)	C6	VPP (Programming Voltage
C3	CLK (Clock Signal)	C7	I/O (Input/Output)
C4	Reserved	C8	Reserved

Manufacturer Type	CPU	RAM	ROM	EEPROM
Siemens SLE 44xx	8 Bit 8051 derivative	128 Byte	4 kByte	2 kByte
Motorola 68HC05xx	8 Bit 6805	128 Byte	6 kByte	3 kByte
SGS ST9	8 Bit 6805 derivative	256 Byte	20 kByte	1.5 kByte
Toshiba TOSMART	8 Bit Z80 derivative	512 Byte	8 kByte	8 kByte
Hitachi H8/310	8 Bit H8	256 Byte	10 kByte	8 kByte
Philips 83C852	8 Bit 80C51 derivative	256 Byte	6 kByte	2 kByte
OKI MSM627xxx	8 Bit 8051 derivative	448 Byte	14 kByte	16 kByte