Some technical analysis of 106 provider and full EMU, Nov2, 2007


Bronze Member
Username: Bushdaman

Post Number: 13
Registered: Nov-07

Very interesting read // 2007-12-02

This is a copy and paste from another site.

With every ECM there is always a fair bit of misinformation about regarding the "new" encryption techniques used, and how it may portend the death of FTA.

With the present difficulties, for instance, the following items of interest have been repeated around the net on various sites:

* This ECM is specifically targeted at FTA
* Multiple MAP calls are being used
* A dynamic code is being used
* There is a new timer function

This ECM is specifically targeted at FTA
This is likely true! Card based hacks like plastic, card-sharing, and IKS (Internet Key Sharing, another form of card sharing) access video encryption differently than the emu in FTA firmware. Card solutions simply send encrypted VPID (video packets) to the descrambler chip where the included CW (control word) packets are sent right away to the CAM (conditional access module/card), the answer is sent back and then applied to the video packet. The actual CAM values, apart from definitions and order of the CW gathering commands (i.e., MAP calls) need not be known, as it is all done automatically when requests are sent to the card. FTA firmware on the other hand must know the precise CAM locations and thus order and routine of MAP calls, and this has to be patched into each bin; when this changes a new bin is required where relevant portions of the CAM are emulated.

Multiple MAP calls are being used
This is true, however this is nothing new either. Providers routinely use at least 4 or 5 MAP calls at any given time. MAP calls are intense arithmetic equations that request CWs from the CAM to be sent back to the descrambler. We now have 4e and 4d; there are others in play, but apparently these particular ones are the difficulties (i.e., CAM location unknown).

A dynamic code is being used
"Dynamic" implies changing according to some input. It sounds scary, like a mutating virus, lol. In actuality, "dynamic" is little different than "random" at the level of intense mathematics as the functions and outputs are extremely difficult or impossible to be predicted. By definition, control words are random numbers.

There is a new timer function
Each channel uses different CWs, and this is how now for instance some locals may be viewable and other pay channels remain scrambled. CWs change every few minutes, and this in itself is as secure as practically can be: even an NSA super-crypto computer could not solve an 8-byte algorithm in 2 minutes, lol. CWs have always changed this fast, and all TV providers, even cable, use the same system.

So what is going on?
Nothing radically new, likely. Coders are not cryptologists, and even if they were, it would be senseless to attempt decryption on something that changes as quickly as CWs, as mentioned above. And neither can card data be read with any apparent ease (remember all the baloney a year ago about peeling the cards and reading with an electron microscope, hahahahaha, if you believed that one, well, I have some swamp land you may be interested in....). Some CAM locations are known, some are not. ALL of the MAP calls CW answers are currently in the cards and are not changeable, this requires a card swap. What can be changed are the specific MAP calls and their order. These can be read and defined, and even used for card hacking (why IKS is up and running), but FTA is a different story, as mentioned.

Coders must be given specific CAM locations which can be patched into or emulated for FTA binary files. Saying a bin has the "full emu" is ridiculous, as it can't by sheer size limitations, as it would have to run in non-decompressed format. What is needed is a MAP map, as it were, lol. Or at least someone to give directions, like a navigator.

Most of this information is purchased rather than hacked, at least initially. When a group says they have the "full emu", what should be understood is that they have access to the information, and it may be purchased as a service over a period of time. This is rather like calling up a customer service plan: you call to say your widget isn't working, and being told to press buttons 1, 2, 3, then A, B, C in that order, you do, it works, but you have no idea why. It seems Viewsat had an arrangement like this after MAP57, they bought a 1 year plan, lol. Others can purchase information on a one-off basis. Or once a bin is released, the bin can be dumped and reverse engineered for patching to different boxes, but this takes a little extra time.

A fix will be forthcoming, the question is: who will cough up the dough first......

credits, dead tired....

Bronze Member
Username: Josemiami

Post Number: 15
Registered: Jul-06
Excellent Explanation.

Silver Member
Username: Doreenakadj

Post Number: 790
Registered: Dec-06
thank you for the great info John

Silver Member
Username: Pulp_fiction

Post Number: 440
Registered: Nov-07
Glad to see U around Doreen....U have always been one of the better sides of this place... U always upbeat...