Digicipher 2 Cracked

Status
Not open for further replies.

Stefan2k16

Registered
Messages
44
If digicipher 2 gets hacked then R.I.P Pay Tv In North America

They'll simply switch to something else more secure. Digicipher II was getting really old anyway, as is Powervu. It's probably no surprise this has happened. In fact, I suspected that it had already happened and that the smart folks were just keeping it quiet until this whole powervu thing comes to an end. With powervu being so easy to defeat, its days are now numbered and providers will be switching to something else. My guess is there were those who already knew how to attack digicipher II but they may have chosen to keep it quiet until many providers switched from powervu to something else, suspecting that many of them would have chosen Digicipher II. Now, they might look at other more secure options instead.
 

Stefan2k16

Registered
Messages
44
After watching the video, it looks like it's a little more complicated. From this someone could probably make a softcam emulator but to get keys is going to be the problem. What he did was extract the keys from ram. You need the 3 seed keys from a unit with an active subscription. Without a STB to read those from you'd have to brute force them. Wonder if there's a relationship between those and the unit ID or if they are randomly generated? You would think there must be so the provider can generate the keys to encrypt the EMM. Anyway, if I understand it correctly the seed keys are used to decrypt the EEM95 to get the category key, which then is used to derive the program and working keys. Anyway, it would seem that until there's a way to brute force the 3 seed keys or derive the seed keys from a unit ID, it's not really cracked. So, even if we had a softcam at this point you would be able to do nothing without the seed keys or the unit ID of an authorized unit. On the other hand, a softcam might be useful for channels that are fixed key encrypted. Since fixed key channels can be decrypted by any previously authorized box and the keys are stored in rom, it must mean there's only one key and it's never changed. It's also in every digicipher ii receiver's rom and this guy should have it since he read the rom. In the video he talks about this but never says exactly what the key is.
 

kebien

Well Known Member
Messages
1,329
The problem for digicipher 2 is not only to make a softcam.

The transport stream is way different, tables and such, and you must, first, be able to scan channels and make a channel list.

You can only do this in Tsreader, but no other device is able to understand the stream.

For free preview or zero key mode, there is still the question if the ECM packets change or not.
If it doesn't change, you could simply set this channel as a constant control word. It happens the same with powervu in 58w.

For any testing, Tsreader can be used as a starting point, but if nobody adds these scan routines to other devices it would be the only one.

And all this given you are able to get keys.
 

Stefan2k16

Registered
Messages
44
The transport stream is way different, tables and such, and you must, first, be able to scan channels and make a channel list.

I know there are differences in the tables and such, and older DCII even used different modulation methods that DVB receivers couldn't lock. However, the newer DCII signals are using DVB-S2 and appear almost the same as regular DVB-S2 signals except for the encryption. I may be wrong about this because I do use Tsreader most of the time but I believe most DVB-S2 set top boxes can scan in these channels.

For free preview or zero key mode, there is still the question if the ECM packets change or not.
If it doesn't change, you could simply set this channel as a constant control word. It happens the same with powervu in 58w.

Zero key mode is not encrypted at all. These were the channels you could get with the genpix and similar devices. FP channels were still encrypted. Therefore a simple tuner device can't decrypt them. To get FP signals you need a real DCII receiver. One thing he says in the video that I have questions about is that the keys in ram aren't needed for FP channels. I think that may be incorrect. I think he's right that the "fixed key" for these channels is stored in rom because any previously authorized DCII receiver can get them and most newer DCII receivers seem to not need to be "previously authorized" and seem to work for FP out of the box. However, a unit that has a dead battery and therefore has lost its unit ID and the seed keys doesn't seem to be able to decrypt FP signals. So, I believe the "fixed key" is used to decrypt keys that come down the pipe and not directly decrypt the payload. I know this because I used to own a few DCII receivers I picked up off eBay. Years ago there were some PBS channels in the US that were Digicipher II and in FP mode. As long as you had a previously used DCII receiver, you could get them. However, if the units had dead batteries they were useless for anything but zero key, which were all but nonexistent.
 

Ragnarok

Donating Member
Messages
336
You definitely need a key from the provider a working receiver, judging from that video.

It may be really hard to get that from a feed supplier.

It's clearly a well thought out system relatively free from bugs, and crypto holes like powervu. The downfall is quite simply the age of the chip in use. Designed well in advance of glitching techniques and the thought of any need to encrypt the rom or software the chip runs on.

I'm actually pretty impressed with Motorola on this one.
 

drhans

Senior Member
Messages
116
Seems to be no channels in the European region using this either :-(

but there are quite a lot of those at 40W, 43W, 55W and perhaps also 58W, and these can be received in Europe, it's almost all those channels that are incorrectly marked as "director" encrypted, they're digicipher really

anyway the info we have about digicipher now reminds me of what colibri released about powervu in 2006, then it took 8 more years to release a real powervu hack to public... so see you everyone in 2025? :)
 

iq180

Senior Member
Messages
235
This was 2 years ago.
He is not the first one to hack DCII, there was a working DCII hack 3 years ago, it all went away, the web site is gone the hacker or the site owner are nowhere to be found.
 