a companion discussion area for blog.codinghorror.com

Revisiting the Black Sunday Hack


But the super bowl is on regular TV…so their timing isn’t that significant.


bar: “The whole stealing satellite/cable thing is kind of pointless nowadays, with internet connections fast enough to torrent all the TV we want.”

Translated: “The whole stealing thing is pointless. With torrenting we can still steal all we want.”

I am convinced that 99% of all hackers/torrenters have never made a SINGLE DIME for themselves or anyone else or any company writing code.

Great interview question: “Have you ever bit-torrented anything?”


[quote Alexandros]
A truly amazing hack. I wonder how come the Hacking community had not modified their boxes to somehow virtualize the card completely. Perhaps they got complacent with their successes.

There was the emu setup that allowed you place a computer between the reciever and the H/HU card. This was the better config as a majority of these updated wouldn’t bring you down (Black Sunday did though).

It makes me wonder if the hacking/cracking scene will ever bring us something that will circumvent an everyday utility again.

It is facinating on so many levels. Economics plays just as big part as the hacking aspect. If DTV had been in Canada, or the Canadians had ever criminalized accessing the signal, would we have ever had the great hacks of DTV?


PaulG: Great interview question: “Have you ever bit-torrented anything?”

That’s ridiculous. Using that logic, anybody who plays Warcraft no longer can be hired by your company. Torrent is a technology, nothing more. There is nothing illegal about torrents in and of themselves. The fact that people violate laws using it is irrelevant.

You know what, people use cars in the commision of crimes. Let’s ban cars! Same logic. Flawed.


“but apparently the war rages on even today”

With Dish and Echostar (and probably some Euro sat providers) but not so much with DirecTV. Ever since the HU/P3 card was taken out of service, they have been pirate free…that was 3 or 4 years ago now.

“A truly amazing hack. I wonder how come the Hacking community had not modified their boxes to somehow virtualize the card completely. Perhaps they got complacent with their successes.”

Not really…complete virtualization never happened because no one was able to reverse engineer the ASIC that was part of the decryption key generation. A lot of effort was put in this direction since it would have provided interruption free pirated service…but since partial hacks were readily available (partial emulation and modifying the cards directly) it just wasn’t worth it to invest the time and money. And now with the 4th/5th generation (probably later too, I stopped paying attention) cards in service, the pirates are so far behind that they’ll probably never catch up unless Dave makes another blunder with card security.

The architecture of the DirecTV transmission system was very smart. From the beginning they acknowledged that their cards would be compromised. So, they designed the system such that the cards could be phased out…this capability was clearly by design and not bolted on.

I don’t know if this was true before the P3 cards, but during the P3 cards (post Black Sunday) the decryption key would be generated based on output that resulted from dynamic code that was sent via the data-stream to be run on the cards. Typically this code would checksum various memory locations on the card and the result of that checksum would be fed into the card’s ASIC to generate the decryption key. If you modified the code on the card to do things like always allow viewing of certain channels…well then the checksum would be wrong sometimes and you’d get a blank picture.

Various attempts were made to combat this technique…the most populate one was the ‘WD-40’ method…it would consist of a checksum of the dynamic code itself, and said codes desired result. This way, the card would not have to execute the code but could just retrieve the correct result for that code from a lookup table. Many variations of this were present. Some variations allowed the user to update the lookup table themselves via the receiver by changing the parental code (or something like that…I can’t remember exactly).

It might interest people to know as well that this community also had its own ‘free software’ movement…there were three camps. First you had dealers, who wanted to keep all developments secret so they could make a profit. Second you had leeches who just wanted free TV (even if they had to pay a dealer for it…heh)…and third you had the freeware guys who just wanted to battle Dave/DirecTV.

It was very fun to be involved in the whole thing back then when DirecTV was still a game, but the whole landscape has changed since Dish doesn’t fight back as often and on the whole doesn’t have as interesting of an architecture IMHO.


I remember back in the day when we built a circuit board that would go inbetween the cards and the receiver, it would not go out as much but, none the less it still went out. I remember when all of this was going on, my folks had a receiver for that reason. It was nice to have all the channels for the basic price.


“GAME OVER”. Brilliant!

The video sums it all up quite nicely. The effort and creativity that went into getting something so lame as stealing is astounding. No wonder “geeks” have such a funny reputation and “hackers” are looked upon with such disdain in most of society.


The whole stealing satellite/cable thing is kind of pointless nowadays, with internet connections fast enough to torrent all the TV we want.


Sending the info in small packets was a social hack that the hackers fell for. I think that the cards were made read only by the hackers, and they would only allow code to be on the card if it didn’t disable the security defeating measures. They did allow innocuous code changes that were only meant to change the check sum verifications. The Black Sunday changes were all small changes. When the code was combined, it caused the problem. There’s a more technical explanation in the original wired article.


I also agree that DirecTV had a right to pull off this hack. While I am not a fan of the often intrusive and abusive tactics of the DRM that is being used to control what I can do with data that I paid for, it is very reasonable for a company to expect compensation for providing a service.

The people who were engaging in these hacks were by and large just stealing content, and that is not fair to anyone.


I remember this day and time very well. In canada you could not get DTV and the canadian version sucked. Living on a border town, there were so many illegal dishes and most people just wanted to pay a dealer to have a working card and programming the card was the easiest way to do this, and even after black sunday, about 2 weeks the bootblockers started to show up on the market so the cards would continue to work. Nothing was ever really free, you had to buy the equipment, either pay a dealer to unlock/unloop your card or get the code and do it your self with an unlooper or writer. It was an exciting time as people would talk about the lastest ECM’s. For lots of people it was about getting HBO and movies for free, others it was sort of an interesting game of technology and engineering.


Good job Jeff, keep on it!


you readers are down, althought this is a good blog


nice hack where do you find nice ideas like that ?


beautiful story. usually you would expect only bad code coming from major companies, since they treat their smart guys either like slaves, or they only employ cheap dorks. I think this changed with the advent of google, where the employees are actually treated like humans.

so for this story the question would be: was Christopher Tarnovsky an employee of DirecTV? I guess not, he must have been a well paid contractor.


Never heard of this before! Masterful!


Welcome to the crackig game :slight_smile: In the past, our licensing scheme was rather simple. It was broken. Not just broken, someone could reverse egineer it up to the point he could create arbitrary licenses - a keygen. When we first saw, it was a shocking discovery. We thought we had such a clever method, nobody can ever guess that by stepping throught assembly code - we were wrong. No matter how smart you are, someone is probaby smarter than you.

No time to sit around and cry - we replaced our licensing code with a completely new one. The code itself which is still the best code we have ever written IMHO, zero bugs found so far (afer years of usage), robust to the ground, not a single byte memory leakage has been written in only two weeks (actually it was done in one weak, one week was just fine tuning and adding a couple of desired features to it). We consider this code unbreakable and so far it has been unbreakable (okay, every code can be broken in theory, but this one is really a hard nut to crack).

Great, we had an (almost) unbreakable licensing scheme, so we won, didn’t we? - Nope. Crackers came and said “Hey, why breaking the licensing code itself - it’s way too hard. Let’s break the code around it”. Unfortunately we can’t secure all the rest of our code as perfectly as we did with the licensing code. So instead of serials, crackers started releasing binary patches.

And that’s where the real game starts. We release updates frequently, so writing a patch for every minor update would have killed the crackers. Instead, they wrote universal cracks. Cracks that try to identify certain code patters and work around them. These cracks keep woring, even if 60% of the whole code has changed between two updates, as long as they can still find the patters they are looking for. So we try to break their pattern matching and they try to identify new patters.

It’s a game neither side can win, unless either side gives up completely. We won’t give up, we earn our living that way. Crackers earn nothing but reputation, nobody pays them for it, but they seem to have their fun. Right now we are on top. We recently did something rather clever (I had to think about it, when I read your blog post) and so far this seems to give crackers some headache. At least no cracks floating around for quite a while now (months). However, we are realistic. It is only a matter of time till someone will spot the trick and work around it. Sometimes this game is annoying, but sometimes it’s fun. I love to read discussions of crackers discussing our code and how to break it. It’s so funny if you listen to what they assume and how they think stuff works, if you in fact knows what’s really going on :stuck_out_tongue:


Good thing that the code DirectTV sent to the cards worked. Otherwise, “GAMEOVER” could have become a slogan for hackers worldwide representing what happens to you if you try to beat them at their own game.


black sunday will always be remembered but there is new tech already there its hard to stop hackers undergrond conn.



They already did that: http://www.engadget.com/2007/12/27/windows-home-server-bug-corrupts-files/