Video encryption (was: Re: Dragon 64 fixing...)

From: Philip Pemberton <philpem_at_dsl.pipex.com>
Date: Tue Jul 27 11:17:19 2004

In message <40FEF41E.8030804_at_soulwax.co.uk>
          Dennis Smith <m1dlg_at_soulwax.co.uk> wrote:

> i hear this is what made the old encryption / decryption method work for
> analogue SKY boxes.......
No. What you had with the Sky (well, actually News Datacom, now NDS - both
Sky and NDS are part of News Corp) cards was:
  - A data packet that was transmitted in the Vertical Blanking Interval of
    the video, i.e. the first 30 or so image lines. This contained control
    commands for the smartcard - "enable Sky Movies", "Enable SkySports",
    "Disable everything", ECMs (countermeasures against pirate cards), etc.
    The packet also contains the "seed" that decrypts the video.
  - A CPU in the smartcard (allegedly based on an 8051) that decodes the
    commands, executes them, generates the cut points and stuff like that.
  - A CPU and some video storage circuitry in the decoder
  
Now, when the decoder powers up, it communicates with the card and asks it to
prove that it is a real Sky smartcard - this is done with a Fiat-Shamir
zero-knowledge proof. NDS didn't implement all of the algorithm - one of the
hacks exploited that.
If the card passes the initial check, the decoder starts feeding it data
packets and asking it for encryption seeds. The seed is used to set the
cutpoints for each video line. Basically, the box switches between two FIFOs
once per line. For example:

   |-\ /-----\ /\
---| \- X ||| |_|-----

Let's assume the X represents a cutpoint. Next we take that video line and
swap over the two segments:

   |---\ /\ |-\ /--
---| ||| |_|-------| \-

OK, this is the encrypted video. The decoder does the same thing again - it
loads half of the video line (up to the cutpoint) into one FIFO buffer, then
switches over to the other. Data is pumped out of the second FIFO at the end
of the line, then the output is switched back to the first FIFO. This
rotates the image line around the cutpoint - hence the name "cut and rotate".
This happens every single line until the keys rotate - the decoder picks up a
VideoCrypt packet that basically means "Rotate the keys - give this to the
card, it'll give you the next key seed". If the card has disappeared, the box
no longer has the keys, so it can't decode the video.

IIRC NDS also used "Spectrum Inversion" audio scrambling, too. This was
enabled and disabled by the card - the card sent a command to the decoder to
switch the spectrum-inversion descrambler on or off.
  
This is incredibly oversimplified. Markus Kuhn did a lot of work on breaking
Videocrypt - IIRC his website is somewhere on cl.cam.ac.uk - a Google search
will reveal its current location.
  
> one chip was in the card and the other 2 was
> in the box - apparently the same 3 chips as in the dragon (don't ask me
> how though - i don't know- i've never understood)
Actually, the card chip was a secured 8051 derivative. The one in the decoder
was a Motorola secure controller in most decoders.

What surprises me is that I recited this lot from memory. I think I've got
most of it right, but I'm not sure. There's bound to be an error somewhere :)

Later.
-- 
Phil.                              | Acorn Risc PC600 Mk3, SA202, 64MB, 6GB,
philpem_at_dsl.pipex.com              | ViewFinder, 10BaseT Ethernet, 2-slice,
http://www.philpem.dsl.pipex.com/  | 48xCD, ARCINv6c IDE, SCSI
... Wanted a pair of watch dogs, named the pups Timex and Rolex.
Received on Tue Jul 27 2004 - 11:17:19 BST

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:36:52 BST