Archive through May 07, 2004

 

New member
Username: Dpomega23

Post Number: 1
Registered: Apr-04
The p3 is dead, and the P4 is yet to be hacked. Do any of you have any ideas on where we would even begin to crack into this new problem? We need to think out of the box on this one guys. And this is a great place to start. THANKS to PCNUT from nerdbrains.com for this entry:

The P4/D1 Hack (Past, Present and Future)

I'm writing this document in order to clarify a few things that I keep seeing posted on the message boards regarding the P4/D1 card hack.

OK, with that out of the way let's look at why we even need to use the DTV issued card in the first place? Why can't we just hack the receiver to always give us the video signal? It's because of the ASIC that's on every one of DTV's access cards. An ASIC is an (A)pplication (S)pecific (I)ntegrated (C)ircuit. It does just what its name implies: it's dedicated circuitry (supplemental to the main processor chip) that is designed to do one thing, and one thing only. In our case it's set up to generate the key values that are used by the receiver to decrypt the satellite signal. Without going into great boring detail, the satellite signal is extremely secure (using public key encryption) and is actually decrypted inside the receiver, not inside the access card. The access card only starts the decryption process by using certain specific, but sometimes randomly chosen, EEPROM values found on all valid subscriber cards to create a "seed" value to send to the card's ASIC. The ASIC mathematically crunches this seed value into another value, the key, which is transmitted back to the receiver and then sent to its decrypt circuitry, which obviously decodes the satellite signal for clear video. This happens roughly every 8 seconds while the satellite signal is encrypted using a different value for each 8-second period. Without going into any more detail, the ASIC is designed in such a way that it is EXTREMELY hard to duplicate and that is why it is not possible to do away with the access card. By the way, the ASIC is the reason why people running emulation must use a card to decrypt the signal when using a computer. The card is "auxed" which means its EEPROM is loaded up to run code which simply acts as communication middleware that only sends the proper seed value to the ASIC from the computer, then retrieves the generated key value and transfers it back to the computer for further processing. The computer can only be set up to emulate the EEPROM code that handles the stream packets, tier wipes, cmd 82's and other basic card functions, but never the ASIC functions. The card is needed for its ASIC circuitry.

Now that we understand why the card is required, let's go over a brief explanation of the HU card "hack." First, the HU (or P3, Period Three, football) card was NEVER hacked in the strictest sense of the term. The "glitching" process by which you are all now so familiar merely BYPASSES the security code that was placed on the card to keep intruders out and the secrets it contains, safe. This bypassing is done by *glitching* either the voltage or the clock signal going to the card when it's placed into one of the available loaders flashed with the proper atmel code. Without getting into great detail, these glitches drop the voltage to some unusually low level momentarily (1/2 a clock cycle) or send multiple clock cycles (up to 4X) during the time that ONE should have been sent. These glitches must be done at *exactly* the right time during the card boot process in order to create malfunctions in the security code execution. These "malfunctions" cause very specific errors, which alter the original program flow in a desirable way and eventually enable the atmel flash code to jam in some code that YOU want the card to execute. This code is called the "bootloader." At this point, the bootloader has hijacked the card and you can now do essentially anything that you want through the bootloader code that is executing on the card (read or write to the EEPROM addresses).

A smartcard is designed such that once it is reset, powered up and is getting a good clock signal, it begins executing code at a specific, hard coded, EEPROM memory address. This is very similar to the way your personal computer boots up: once the BIOS tests are complete, your computer is instructed by the motherboard BIOS ROM code to go to a specific permanent location and begin executing whatever it finds there (track 0, sector 0 of your hard drive). In most cases this would be initialization code belonging to Windows, Linux or whatever OS, and is responsible for getting the rest of the operating system up and running. However, it could also be nothing (new hard drive) or maybe even a boot sector virus. Anyway, on the HU card, the code located at the startup address is mostly security code designed to keep you out. So, by resetting the card and then counting how many clock signals have been sent to it after the reset (the HU uses an external clock), it is possible to determine exactly which instruction the card is performing and then send it a clock or voltage glitch at the perfect moment to alter the flow of the original code in a way that allows you to load your own code (bootloader from the atmel flash). A very important point to note is the fact that you *must* know EXACTLY what the card is doing BEFORE it's possible to glitch into it. It requires studying an EEPROM dump beforehand. THAT is the catch!

It's actually a little more complicated than that, but that's enough information for us to continue. Basically, glitching is only possible because of oversights that were made during the development of the HU card. Also, the HU card does not have provisions to monitor what you are doing to it from the outside. It can't detect your attempts at voltage or clock glitching. The new P4 card (period 4) can, however. I might also mention at this point that the P4 and D1 cards are essentially the same card. They both definitely use the same data packet format and while there are rumors that the D1 is a version of the P4 that has some "security holes" fixed, this has not been verified publicly. One thing is for sure though, the D1 (D*V's first in-house card) came about because of D*V's "divorce" with NDS who has up until this point been the manufacturer of all D*V's smart cards. Suffice it to say that the P4 is functionally equivalent to the D1 and from this point forward I will refer to both of them as the P4 card.

Something to keep remembering is the fact that the glitching process was developed AFTER analyzing the code the HU card was executing after a reset. The glitches must occur at specific known decision or branching points within the code. Without this prior knowledge, glitching is USELESS! I am unsure of the history of how the HU EEPROM was initially dumped in order to gain this EEPROM information. It could have been through an insider at NDS (the HU card manufacturer) leaking the code or by some other physical intrusion method (most likely). This is important to remember as we get further into what is required to hack the P4 card because getting the EEPROM dump is always step one.

So, what is required to break into the newer P4 card? First off, to all you people who say you are "experimenting" and "trying stuff" by placing their P4 cards into their HU loaders flashed with UL4S, some other HU compatible code or even some of the so called "P4 scripts"...FORGET IT! It is NOT going to happen, I promise you. The most likely result is that you will ruin your P4 card. I'm sure your efforts are much appreciated by those drooling for the P4 hack, but rest assured, an armchair "tester" WILL NOT break it by simply sticking their P4 into the same setup used for the HU and randomly glitching. I don't mean to sound nasty or negative, your intentions are to be applauded, but if you don't understand why it's not possible, then you won't understand what you are looking at even if you were to crack the card (which again, is NOT going to happen). Even if by some infinitesimally remote chance that you were to "break" in (and it would require a miracle of biblical proportions), there is nothing about the HU EEPROM that is compatible with the P4. OK, so you got in, *now* what do you load onto it? An HU bin file? Isn't going to work. Oh, so you dumped the P4 EEPROM code? You've still got to disassemble it to figure out how it works! Where and how do you 3M it? Once somebody finally sees the P4 EEPROM dump, it will take WEEKS to analyze it and even begin to understand how it functions (it's all in machine language mind you). Then, and only then, will it be possible to come up with ways to load activation or 3M code onto a P4.

Furthermore, the P4 incorporates glitch detection (it is a Siemens Infineon SLE66P based on the ECO2000 processor). That means if you try to use the same methods of getting into the P4 as were used with the HU, you run the risk of it shutting down completely (permanently?). Remember, glitching ONLY works when you know and understand the original code that is executing. You MUST have prior knowledge of at least a portion of what is on the card before you can even begin. Also, smartcards can be designed in such a way that if they detect ANY form of tampering, they completely self-destruct (erase the contents of EEPROM). That way even if you do get in, there is little, if any, information to be gained. Without the original, unaltered, DTV specific EEPROM of a P4, just getting into a blank card is next to useless. I do not know whether or not the P4 utilizes such powerful countermeasures, but future access cards most definitely will.

I see posts where somebody gets an ATR (answer to reset) from a P4 and they think they've done something miraculous. Sorry again, but getting an ATR doesn't mean sh*t other than the card is executing valid instructions internally (meaning it still works, not looped). The ATR is a requirement of the smart card specification and all smart cards are designed to give an ATR. The ATR is simply a string of characters returned from the smart card in response to a reset signal sent by the reader. Its primary purpose is to indicate the status of the smart card power-up sequence and also convey information which the reader requires in order to optimise the speed of communication between the reader and the card. Simple as that. Now, the ATR is useful during unlooping because of the way the ATR string is "built up" by the program code on the card. Unlooping scripts can look at the ATR (or a partial ATR) and get a rough idea of what is happening with the card. That's how you know if you are using good DAC values with your loader during unlooping - by watching the ATR. This is getting into advanced territory so suffice it to say that ANY properly operating smart card is going to give you an ATR. Seeing one or analyzing one doesn't mean a thing other than what was just mentioned. The reason a lot of people get excited when they see one is because HU related scripts and programs are programmed to look for the HU specific ATR string (ATR's are different for each type of card). HU programs will always say that the P4 ATR is invalid. However, some of the so called "P4 scripts" floating around will recognize the P4 ATR and when someone doesn't understand what the ATR is, they get excited and think they have accomplished something. I REPEAT, GETTING AN ATR FROM A P4 CARD DOESN'T MEAN SH*T!

This seems to get posted a lot: "anything that one man can create, another man can hack" implying that the P4 card has been or will be hacked eventually. And yes, this is very true. However, what is not considered, is *HOW* the P4 is compromised. Just because someone spent 9 months and 3 million dollars at a microprocessor lab at Intel and dumped the EEPROM of a P4 card does not automatically make it possible to create a Mikobu P4 loader with an accompanying atmel flash that will allow you to program it in your living room with a notebook computer. I don't intend to sound like a naysayer, and there probably will be a compact software hack for these new cards someday, I just don't think most people can even begin to understand the massive undertaking that is involved with defeating modern smartcard security! And just because it is compromised once does not mean it's possible for the masses to do it with plain software and a serial port loader. There are only a HANDFUL of people on this planet with the desire, will, time, financial backing and equipment required to break into the P4 cards. Tom Friendly next door is NOT going to do it with his HU loader in one hand and a beer in the other... Yes, all the cards leading up to the P4 card have been compromised extensively and they were all done with a portable hack. However, just because it's been that way in the past, does not automatically make that true for the future. D*r*ct TV is losing money because of piracy. They will curb this current trend. Make no mistake, given enough time they will come up with a tamper proof card. No, it won't be so secure that it's unhackable, it will just require so much effort and so much money that nobody will want to touch it. Game over...

So how does one begin hacking a modern smart card? All attacks on smartcards can be classified as social, logical or invasive (or even combinations of each):
1.) Social attacks involve getting information from an insider at D*V or NDS. These are not exactly hacks since the only thing gained is information about what is on the card. Now it is most definitely useful info to have, but it is only the beginning of the battle. You still must develop a way to defeat the hardware security features of the card and be able to read and write to the EEPROM. Furthermore, no insider in his right mind would leak information about the P4 cards! Considering what happened to that retard Igor Serebryany in March 2003. He leaked some documents about the P4 that were at his uncle's law firm that was handling the litigation between D*V and NDS. He got busted and they FRIED his butt and charged him with violating the 1996 Economic Espionage Act which, not surprisingly, is a felony. By the way, there are very few people that have ever been charged with this violation. It's considered one of the "big guns" and they only break it out for very special people and circumstances. We won't be hearing from Igor for quite some time...
2.) Logical attacks involve analysis of signals emitted from the card while it is in operation or measuring the micro current it draws from a power supply while it is operating, or a multitude of other parameters. How this information is analyzed to gain useful information is FAR beyond what I wish to get into here. Suffice it to say that it requires very sensitive, expensive lab equipment, and an incredible amount of detailed knowledge about integrated circuits and cryptography to pull off. And again, it only yields information about the code that is executing, it still doesn't put into your hands the ability to arbitrarily read and write to the EEPROM.

3.) Invasive or physical attacks involve destructive analysis of the actual microprocessor chip that is embedded into the plastic card. The chip is extracted and examined under very powerful microscopes (scanning electron) and to the trained eye, can reveal how the chip works and make it possible to reverse engineer it. It also can provide the ability to probe different sections of the chip while it is operating to gain knowledge of how it functions and possibly even dump the contents of the EEPROM. Of course, there are plenty of countermeasures that smartcard manufacturers take to shield the chip from these techniques, such as light sensors or wire mesh shields, but given enough time even those protection methods can usually be defeated. This type of attack tends to be the most successful. However it is extremely difficult to get access to the required equipment that is typically only found at chip manufacturers (Intel, AMD, etc.) or maybe at a university. Not too many people are going to have one in their garage as the cost for such equipment easily runs into the millions. You would also have to have a hefty set of balls to stroll into your local microprocessor company's laboratory with a P4 card to "do some work."

Even if one of the methods above yields valuable information about the card, a huge task still remains. How do you make it possible to arbitrarily read and write to it on a regular basis? Now, if the card only contained the access codes for a bank vault that had millions of dollars within it, there is no longer a problem. The chip is probed to the point where it pukes out the desired access codes, the money is stolen and the hack is done. The problem with the D*V cards is that whoever hacks it, wants to be able to easily REPRODUCE the hack, preferably with software so that it can be distributed and others can do the same thing whenever and wherever they want, for a fee of course! THAT IS THE PART THAT WILL NEVER BE GUARANTEED FOR FUTURE CARDS AND THEIR ASSOCIATED HACKS. "One man can make it, another man can break it" says nothing about being able to "break it" using a personal computer and a loader the size of a deck of cards! Remember this as we move towards the future...

OK, now let's assume that the P4 has been compromised and it's possible to repeatedly read and write to it using a loader and an atmel flash. "Will my current loader work with the P4?" The P4 is not glitchable by the current loaders (and most likely not any glitching type loader) due to all the anti-glitching security it contains. Even if it were glitchable, the standard clock crystal in an HU loader is not even close to being able to deliver the required number of clock glitches to a P4 chip (not enough resolution). Remember when we discussed glitching into the HU at the beginning? Well, the speed of the crystal in your loader MUST be able to deliver up to 4 times the clock pulses as what the card's processor chip is normally running at in order to clock glitch or even voltage glitch because both are time dependent. The Infineon spec sheet indicates that the P4 is running at 12 Mhz which is about three times as fast as the HU. If the P4 hack requires *glitching* of any kind then the currently available loaders will not work...period, their clocks are too slow to glitch.

Now that's not to say that the hack won't involve some other means of gaining access. If the entry method involves some other design flaw besides glitching then yes, I'm almost certain that current loaders or any ISO-7816 card reader for that matter will work. The P4 atmel flash will just basically turn your loader back into a semi-standard ISO-7816 reader.

Now, I know I've seen posts where people say "well, if my receiver can read both an HU card and a P4 card it stands to reason that my HU loader will work with the P4." That is FALSE. It must be remembered that the way the pirate loaders and a legitimate card slot in a receiver access a card ARE ENTIRELY DIFFERENT. The HU loaders GLITCH into the card by sending erroneous signals to it, but the receiver passes legitimate signed data packets from D*V to the card using a standard ISO compliant reader (inside your receiver). At this point, we cannot send signed packets to the card. In order to understand why, you need to read up on how public key encryption works. Breaking public key encryption involves math algorithms well beyond what the average person can understand and more processing power to break than is available in a supercomputer or even distributed computing using the Internet.

Some people have suggested that the communication between the receiver and card be "recorded" and played back later to reprogram the card. This is not possible because part of the digital signature that's used on the data packets involves a timestamp and is only valid for a very short period of time. Good idea, but that won't work either.

I personally don't know if the P4 has been compromised yet or not. It's really anyone's guess. I know that reliable sources say that it has been hacked, but I'll have to witness it myself to believe it. One thing is for sure, the public will not know about it until after the HU stream is completely turned off. That's when we'll see some action if it exists! ANY IDEAS?!?!?!? LETS GET GOING!! IT STARTS RIGHT HERE!
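The ATR that the post above describes is a structured byte string defined by ISO 7816-3. As an added example (not part of the original post or of any tool named in this thread), the parser below decodes the convention byte, the interface bytes, the historical bytes and the clocks-per-bit rate a reader would use after the ATR. The function names are hypothetical, the Fi/Di tables are the ISO 7816-3 ones, and the sample input is the set of ATR strings quoted later in this thread.

```python
"""Decode an ISO 7816-3 Answer To Reset (added example, not from the thread)."""

# Fi / Di tables from ISO 7816-3; None marks values reserved for future use.
FI = [372, 372, 558, 744, 1116, 1488, 1860, None,
      None, 512, 768, 1024, 1536, 2048, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20,
      None, None, None, None, None, None]
CONVENTIONS = {0x3F: "inverse", 0x3B: "direct"}

# Sample input: the ATR strings exactly as quoted in this thread.
THREAD_ATRS = {
    "P-1": "3F 76 13 25 04 21 B0 11 4A 50 03",
    "P-2": "3F 78 12 25 01 40 B0 03 4A 50 20 48 55",
    "P-3": "3F 7F 13 25 03 38 B0 04 FF FF 4A 50 00 00 29 48 55 55 00 00",
    "P-4": "3F 78 13 25 03 40 B0 20 FF FF 4A 50 00",
}


def from_inverse_raw(raw: bytes) -> bytes:
    """Fix up bytes captured by a direct-convention UART from an
    inverse-convention card: complement every bit, then reverse bit order."""
    return bytes(int(f"{b ^ 0xFF:08b}"[::-1], 2) for b in raw)


def parse_atr(atr: bytes) -> dict:
    """Split an ATR into TS, interface bytes, historical bytes and TCK."""
    if len(atr) < 2:
        raise ValueError("ATR needs at least TS and T0")
    ts, t0 = atr[0], atr[1]
    if ts not in CONVENTIONS:
        raise ValueError(f"unknown TS byte {ts:#04x}")
    y, k = t0 >> 4, t0 & 0x0F          # Y1 presence mask, historical count
    pos, level = 2, 1
    interface, protocols = {}, []
    while True:
        # Bits 0..3 of the Y nibble announce TAi, TBi, TCi, TDi in that order.
        for bit, name in enumerate("ABCD"):
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated before T{name}{level}")
                interface[f"T{name}{level}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{level}")
        if td is None:
            break                      # no TDi means no further interface bytes
        y = td >> 4                    # next presence mask
        protocols.append(td & 0x0F)    # protocol type T announced by this TDi
        level += 1
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside the historical bytes")
    pos += k
    # TCK is sent only when some protocol other than T=0 is announced;
    # the XOR of every byte from T0 through TCK must then be zero.
    tck_ok = None
    if any(p != 0 for p in protocols):
        if pos >= len(atr):
            raise ValueError("ATR truncated before TCK")
        check = 0
        for b in atr[1:pos + 1]:
            check ^= b
        tck_ok = check == 0
        pos += 1
    if pos != len(atr):
        raise ValueError(f"{len(atr) - pos} unexpected trailing byte(s)")
    # TA1 carries FI (high nibble) and DI (low nibble); default is Fi=372, Di=1.
    ta1 = interface.get("TA1", 0x11)
    fi, di = FI[ta1 >> 4], DI[ta1 & 0x0F]
    return {
        "convention": CONVENTIONS[ts],
        "interface": interface,
        "protocols": protocols or [0],  # T=0 is implied when no TD1 is sent
        "historical": historical,
        "tck_ok": tck_ok,
        "clocks_per_bit": fi / di if fi and di else None,
        "length": pos,
    }


if __name__ == "__main__":
    for card, text in THREAD_ATRS.items():
        info = parse_atr(bytes.fromhex(text))
        print(card, info["convention"], info["interface"],
              info["historical"].hex(" "), info["clocks_per_bit"])
```

A length or checksum mismatch raises ValueError or sets tck_ok to False, which is how a reader tells a malformed or partial ATR from a complete one.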
 

Anonymous
 
Good reading material and facts, you put out good job. I bow to you sir
 

jdog
Unregistered guest
the information you have given out is great, it's good of you to take the time to write this and let us all know. Thanx man.
 

Unregistered guest
VERY interesting info. You make much more sense than some posts I've read. Thanks for taking the time to write and post this....
 

JetSetSatellite
Unregistered guest
I know of a way to bypass the entire access card process. I have a chip installed in my RCA420 receiver that is similar to the new Dishnetwork receivers that use a remote to manually enter access codes. The only code I need to use is one that is like a "skeleton key" code if you will. It is used by DTV test/repair department but was only to be used to test cards. This info was passed to me by my uncle, a former DTV sales rep who "inherited" this info through years of service. Him and his partner created this "chip" over 2 years ago but just now do they feel that there is a demand for it as the HU cards were too easy to crack but now that the p4 is out and isn't as "accessible", they feel it is the right time. They want to market it ASAP but don't know the right channels. If anyone has any advice then please respond. I can assure you that it works as I've been using it for apx 10 months now without need for a new "fix"
 

Bronze Member
Username: Bluez

Post Number: 57
Registered: Dec-03
if what you are saying is true then it is worth a million bucks to the right people
and it would have come out long time ago
sorry dude but i think your full of s h i t
 

Anonymous
 
anyone looking for cheap p4 cards...120.oo dollars canadian..please visit http://dsspowered.cjb.net/
 

Anonymous
 
What can anyone tell me about the Blackbird cardless receiver? Does it work and is it worth it, or just another fad??
 

JSS
Unregistered guest
Bluez, the reason that it didn't come out earlier is that there wasn't a big enough demand with the HU's running so smoothly. Now that there is doubt as to the ability to crack and maintain the crack of the P4 is why they want to capitalize now. I am not here to prove anything to you. If you do not have interest in this project or lack the funds then so be it. This is the right time for this product in order to maximize the return. Any serious feedback is appreciated.
 

Mgs
Unregistered guest
JSS. Have an email or AIM or MSN account for me to talk with you?
 

Ghost
Unregistered guest
JSS. If you're serious in trying to market such a device then, I'd be willing to help. I know the channels that you need to go through to get such a product off the ground. drop me a email ghostly_presence_boo(at)yahoo.com
 

kdg4191
Unregistered guest
you should just be a great guy and post a link to buy this chip or (ha ha)some diagrams so we could build our own.but im interested either way e-mail me if you would at steele4191@msn.com any info would be appreciated.
 

New member
Username: Dpomega23

Post Number: 2
Registered: Apr-04
JetSetSatellite (JSS) you really need to leave us some way to get in contact with you. I think we would all like to give you some kind of feedback!! How are you just going to tease us like that!?! haha. I think everyone that had read this thread would be interested in seeing what your product is. Help us help you!
 

Unregistered guest
I'd be interested if it's been proven. Please advise. Thanks
 

dupont24
Unregistered guest
JSS is full of sh!t...nuf said
 

dupont24
Unregistered guest
damon pridgen I hope you don't mind but i copied and posted your post at the site i mod at....it is a great post... stop by let me know your there and i will open a thread for you in the p4/5/d1 section.
www.dssbbs.com

dupont
 

guy2004
Unregistered guest
jss if it's the funds you need let me know. the interest is definitely there. How do i get hold of your product.
 

HU Hacked
Unregistered guest
I figured out the portable hack for the HU card!!!!


I took a Sharpie marker, and wrote "P4" on my HU card. I stuck in the receiver and now it works!!!
LOL
 

New member
Username: Dpomega23

Post Number: 3
Registered: Apr-04
dont mind at all dupont! going to stop by your site right now.
 

Camelion
Unregistered guest
Why can a blackbird/Fortec/DVB boards decrypt dish keys without a access card, but to this point nothing has been able to decrypt Dave without a card? Should this not be our approach here going forward?

Why spend all our resources on cracking what appears to be a heluva secure P4 card when there is the possibility of Hacking Dave's signal without a card???

What am I missing here?
 

New member
Username: Dpomega23

Post Number: 4
Registered: Apr-04
Read my first post Camelion, do a little research on encryption and the blackbird and you will know why it cannot be done (yet).
Also here is a possible new P4 hack, not sure though.
ftp://68.228.59.251/
 

New member
Username: 6double5

Post Number: 4
Registered: Apr-04
if you got the keys to the door you're in, dssdbs is the biggest site left so i'm sure you'll get some offers, but if you're lying you'll get more than that, the groups willing to pay don't 'play' if you get my meaning.
 

Bronze Member
Username: Bluez

Post Number: 58
Registered: Dec-03
ok then assuming you are telling the truth why would you post here to have one of Dave's spies trace back your info and find out who your uncle is and track him down and charge him because after all companies get you to sign a form saying you won't divulge company secrets and a secret worth a million is pretty important
 

New member
Username: Moneybags180

Post Number: 6
Registered: Apr-04
What cards are direct tv handing out with new purchase
 

oneg
Unregistered guest
Believe it or not there is a team of programmers working 12 hours a day trying to hack this thing. This is a multi billion dollar industry with many owners having over 50,000 clients at over $100.00 a year. And there are thousands of us like this. We are not in the game of losing, DAVE will be defeated. We have already been able to stay up an average of 4 hours then card goes blank, and we have to reflash. We will be releasing beta code soon.
 

Rooter
Unregistered guest
Will the P4 or P5 cards be able to work with old receivers like the HU or P3 receivers??
 

dupont24
Unregistered guest
dssbbs is the biggest and oldest on the net...never sold support and that is why it still stands....the owner however has compromised the p4 somehow....we are waiting for the word....it has been verified and i have close peeps that are testing it as we type....the future looks good...
and rooter yep they will.
dupont
 

dupont24
Unregistered guest
Frank Sanders they are sending out p5/d1
 

Anonymous
 
There is no way, as yet, to programme a p4 or p5 - only rumours of a "secret" hack (supposedly being withheld until after the 27th.) This shite is spread by people who sell the cards online and on e-bay. Invariably they claim that the time to grab 'em is "NOW" when they are $200 plus. They claim that the price is sure to skyrocket once HUs go down after the 27th. Beware of those who have something to gain by your rush to buy. What goes up always comes down. With demand will come plenty of cards for sale. With plenty for sale the price will go down. It's a principle as old as capitalism. Many people I know are temporarily taking advantage of discount cable packages and will be biding their time until the mania subsides.
 

Anonymous
 
There are more rip-offs than honest people on the internet... that's for sure!!
 

dupont24
Unregistered guest
Anonymous....say what you want i will be back here in 7-10 days and we will see.BTW I have about 8 cards only will use 2 and I won't be selling after I know what I know......To my knowledge this is not a hack...simply a hole in dtv security...and remember this is not an nds card...there name is on the back only to satisfy contractual obligations at the time of making.Now they are bed folk again seeing that murdoch owns nds and has now bought dtv....So in order to drive up revenue at an under performing company like nds...one needs a big fat contract....which has been signed by nds and dtv.Now that company needs to get the cash rolling in...how do they do that...simple dump the p4 and release non holes...p4 becomes hackable...nds profits and dtv never loses cuz the upgrade to a p5 is the cost of doing biz.Also dtv never has to worry about paying royalties to stations/networks that hackers watch cuz they just don't have to pay...

there is a company that had some ties to a known scammer, they are called 3moffshore they also have their own work around,,,not a hack...go to their site and see. I am one who really gives scammers a hard time...so far the claims from customers are that it works..

and I personally know that the owner of the site i mod at has compromised the card somehow....trust me when i say is no small time dealer in the industry, he brought the dss hack industry hobby, to the commercial level that it is today. He has dedicated servers hosted offshore (many) to host his sites...He had 10 - 20 store fronts selling dss products....he has the funds and motivation to get it done....see you all soon.

This is the last week for the hu card,as reported by the owner 1 week before the shut down started....oh ya he also gave the day the shut down would start....I think they call that inside info....so for those that doubt that the card has been compromised you will see this week....amazing what peeps will spend for free tv....lmao
 

dupont24
Unregistered guest
damon pridgen i have tried that ftp and it is unresponsive....could you email what you have thanks.

lowesfortyeight@hotmail.com
 

jayman
Unregistered guest
binary,such a canary,enug check over eeprom minus 1 guest speaker 0 and remove data and ad split

thx jayman
 

jayman
Unregistered guest
enug,you there?!! jayman no likey play alone. when you log tap crystal and respond.
 

enug
Unregistered guest
didnt work, try 11 and let it hang
 

jayman
Unregistered guest
good call on 4 clock your 5 at 9.37 mhz
 

enug
Unregistered guest
we be found at this site respond layout at plan seventy three

bye bye 87804hu4 enug
 

jayman
Unregistered guest
87804hu5 salutes you!

ciao jayman
 

Lurker
Unregistered guest
dupont24,

What I find a little odd is that you guys(S@tan) started a thread saying the P4/D1 hack coming soon..NUFF SAID.

What I get from your post above is that you guys have a "work around" also.

If that's the case and it is in fact a work around why promote a "hack" when you don't really have the card hacked?

 

mrgoodwrench
Unregistered guest
Lurker, the work around is a no 745 type board using a once subbed p4, will "supposively" work for a few months till tiers drop from what i hear..
damon pridgen nice read, i read that post several weeks ago on a few other sites, most people dont understand the undertaking to decompile the code from a microscopic extremely secure chip..
 

Lurker
Unregistered guest
Thanks for the reply mrgoodwrench.

I do know how the units work. And they do in fact work, but I have already gotten reports of tiers dropping off of people cards within a few days.

My real question is why promote hack if you haven't really hacked the card.

Dupont, if I have misread your post my apologies, but thats what I got from it.
 

Unregistered guest
when will the p4 be active
 

newbie_123321
Unregistered guest
"reports of tiers dropping off of people cards"

Can someone explain what that means?
 

Fux_Dave
Unregistered guest
Lets not forget about this little piece of information, hehe

"Understanding the ATR (Answer to Reset)

Here are the ATRs for the P1 thru P4 Cards.


P-1 card ATR 3F 76 13 25 04 21 B0 11 4A 50 03

P-2 card ATR 3F 78 12 25 01 40 B0 03 4A 50 20 48 55

P-3 card ATR 3F 7F 13 25 03 38 B0 04 FF FF 4A 50 00 00 29 48 55 55 00 00

P-4 card ATR 3F 78 13 25 03 40 B0 20 FF FF 4A 50 00


First thing to know is that right after reset the card transmits data at 372 clocks per bit, the data in the ATR then will contain information as to how many clocks per bit to use after the ATR.


The general form of the ATR is; TS T0 TA1 TB1 TC1 TD1 TA2 TB2 TC2...TK1 TK2 TKn

The first byte received is the TS byte. This is the start byte. The start byte tells us the signaling convention to be used for all bytes that follow (including those in the ATR).


      HiZ   S   D          P
TS = (H)    L   HHLLLLLL   H   means use inverse convention
TS = (H)    L   HHLHHHLL   H   means use direct convention


HiZ = State of line as both devices are in read mode or idle
S = Start Bit
D = 8 Data Bits
P = Parity Bit

As we can see all our ATRs have 3F (inverse convention signaling) for the start bit. This is unfortunate for us as this is inverse to the signaling characteristics for RS-232 communications, both the bit state and bit order is reversed.

Had the TS been 23 (Direct signaling convention) then we would not have to invert and reverse the order of the bits in order to decode the information.

Also, note that the parity bit would appear to be incorrect in inverse convention mode.

The next byte of the ATR is the T0 byte or format byte. The T0 byte comprises of two fields of 4 bits each.

The upper nibble (Y1) contains a bit mask of what additional bytes are present in the ATR.

The lower nibble contains how many historical characters appear at the end of the ATR.


Px    T0    Y1: TD  TC  TB  TA    K    ATR length
P-1   76        0   1   1   1     6    2+3+6=11
P-2   78        0   1   1   1     8    2+3+8=13
P-3   7F        0   1   1   1     F    2+3+15=20
P-4   78        0   1   1   1     8    2+3+8=13


We see here that all the ATR's include the TA,TB and TC bytes.

Had the TD been set, then the TD byte would have been present. The TD byte takes the same form as the T0 byte, with the upper nibble indicating additional TA, TB and TC bytes.
The lower nibble of the TD byte would indicate what protocol (T=0 or T=1) the card supports. Lack of a TD byte means T=0 protocol.

The K field tells us that there is xx number of historical bytes at the end of the ATR. There is a maximum of 15 historical bytes allowed. The historical bytes are implementation specific.


The next byte transmitted is the TA byte, this is probably the most important byte for us as it defines the speed of communications after the ATR.

The TA byte is divided into 2 fields, the upper nibble (FI) is the clock conversion rate, and the lower nibble (DI) gives us the bit rate adjustment.


Px    TA   FI     DI
P-1   13   0001   0011
P-2   12   0001   0010
P-3   13   0001   0011
P-4   13   0001   0011

Using the tables below we can decode the values to calculate the post ATR communication rate.


FI     | 0000   0001   0010   0011   0100   0101   0110   0111
-------+--------------------------------------------------------
F      | IntCk  0372   0558   0744   1116   1488   1860   RFU
-------+--------------------------------------------------------
MaxClk | -----  5      6      8      12     16     20     ----

********************************************

FI     | 1000   1001   1010   1011   1100   1101   1110   1111
-------+--------------------------------------------------------
F      | RFU    0512   0768   1024   1536   2048   RFU    RFU
-------+--------------------------------------------------------
MaxClk | ----   5      7.5    10     15     20     ----   ----

********************************************

DI     | 0000   0001   0010   0011   0100   0101   0110   0111
-------+--------------------------------------------------------
D      | RFU    1      2      4      8      16     RFU    RFU

********************************************

DI     | 1000   1001   1010   1011   1100   1101   1110   1111
-------+--------------------------------------------------------
D      | RFU    RFU    1/2    1/4    1/8    1/16   1/32   1/64


ETU = (1/D) * (1/9600) is the equation used for internally clocked cards.

ETU = (1/D) * (F/Clk) is the equation used for externally clocked cards.

So far all the Cards are externally clocked, and use a clock conversion rate of 372 also, that also means all the cards have a maximum clock rate of 5MHz.

All the cards with the exception of the H use a bit rate adjustment of 4, the H has a bit rate adjustment of 2.

We can use the following equations:
ETU= 0.25 * 372/Clk for all cards except the H
ETU= 0.50 * 372/Clk for the H card

We need the rate of the clock to the card in order to complete the calculations. Based on the ISO programmer 3.579545MHz crystal we would get the following.

ETU=0.00002598 Sec/bit or 38489 Bits per second for all cards except the H
ETU=0.00005196 Sec/bit or 19244 bits per second for the H card.

If we use the default rate of 372 for the ATR, we get the following:
ETU= 1 * 372/Clk = 0.00010392 Sec/bit or 9622 bits per second.

For coding, we alter the equation to see the bit in terms of clocks to the card.

ETU = 1/D*F-card
ETU = 1/4*372 = 93 HU-card and P-4 card
ETU = 1/2*372 = 186 H-card
ETU = 1/1*372 = 372 as the ATR rate.


The next byte is the TB byte. The TB byte gives information about the voltage and current requirements for the Vpp pad.

All 4 cards use the same value. The TB is broken into 2 fields.

Bits 0 thru 4 are a 5-bit field that defines the programming voltage in volts.
Bits 5 and 6 form a 2-bit field to define the programming current in mA. (Milliamps).
Bit 7 of this byte is ignored.


Px    TB   x   II   VPP
P-1   25   0   01   00101 (5)
P-2   25   0   01   00101 (5)
P-3   25   0   01   00101 (5)
P-4   25   0   01   00101 (5)


With this table below, we decode the value for II

II     | 00   01   10    11
-------+---------------------
I(mA)  | 25   50   100   RFU


We see that all cards are specifying a programming voltage of 5 volts and a programming current of 50mA.

The final defined ATR byte sent is the TC byte. The TC byte specifies the guard time between characters. This tells the host how long to wait before sending the next character in a transmission. By default, the rate is 2 ETU.


Px    TC   N    Guard Time
P-1   25   04   6 ETU
P-2   25   01   2 ETU
P-3   25   03   5 ETU
P-4   25   03   5 ETU

N = additional guard time, calculated as 2+N ETU
Note N=255 reduces the default guard time by 1 ETU.

The TC byte is followed by K historical bytes. The meaning of these bytes is application specific, and may be ignored.

With this information you can set up WinExplorer and create a script to try and read the P-4 card. I like to gather information and compile it so I can get a firm understanding of things. Believe me when I say "I have a thick head!". I have to take everything apart just to see how it works and once I learn it I like to share it. Thanks to the people who share with me!

------------------------------------------------------------------------------------

KEY OF CARDS --

P1 = F Cards = Died in 1996 or 97'
P2 = H Cards = Died in 2002
P3 = HU Cards = Still working
P4 = P4 Cards = Still working

"ReSpEcT My MiNd Or Fall Prey To It"
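The ATR walk-through in the post above, as an added Python example that is not part of the original post: it splits each of the four quoted ATRs into TS, T0, interface and historical bytes and derives the clocks-per-bit figure from the FI/DI tables given there. The function and dictionary names are this example's own, and the TS value for direct convention (3B) is taken from ISO/IEC 7816-3 rather than from the post.

```python
from fractions import Fraction

# The four ATRs exactly as quoted in the post.
ATRS = {
    "P-1": "3F 76 13 25 04 21 B0 11 4A 50 03",
    "P-2": "3F 78 12 25 01 40 B0 03 4A 50 20 48 55",
    "P-3": "3F 7F 13 25 03 38 B0 04 FF FF 4A 50 00 00 29 48 55 55 00 00",
    "P-4": "3F 78 13 25 03 40 B0 20 FF FF 4A 50 00",
}

# FI -> F and DI -> D from the post's tables; RFU / internal-clock codes omitted.
F_TABLE = {1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
           9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
D_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16,
           10: Fraction(1, 2), 11: Fraction(1, 4), 12: Fraction(1, 8),
           13: Fraction(1, 16), 14: Fraction(1, 32), 15: Fraction(1, 64)}
IPP_MA = {0: 25, 1: 50, 2: 100}                     # II field of TB1 -> mA
TS_CONVENTION = {0x3F: "inverse", 0x3B: "direct"}   # per ISO/IEC 7816-3


def decode_interface(iface):
    """Decode TA1/TB1/TC1 the way the post walks through them."""
    ta1 = iface.get("TA1", 0x11)           # absent TA1 means F=372, D=1
    f, d = F_TABLE.get(ta1 >> 4), D_TABLE.get(ta1 & 0x0F)
    out = {"F": f, "D": d,
           "etu_clocks": Fraction(f) / d if f and d else None}
    tb1 = iface.get("TB1")
    if tb1 is not None:
        out["vpp_volts"] = tb1 & 0x1F                   # bits 0-4
        out["ipp_ma"] = IPP_MA.get((tb1 >> 5) & 0x03)   # bits 5-6, bit 7 ignored
    n = iface.get("TC1", 0)
    out["N"] = n
    # The post's formula is 2+N ETU; N=255 is a special case not computed here.
    out["guard_etu"] = None if n == 255 else 2 + n
    return out


def parse_atr(hex_string):
    """Split an ATR into TS, T0, interface bytes and historical bytes."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 2:
        raise ValueError("ATR needs at least TS and T0")
    ts, t0 = raw[0], raw[1]
    if ts not in TS_CONVENTION:
        raise ValueError(f"unknown TS byte {ts:02X}")
    pos, iface, protocols = 2, {}, []
    y, i = t0 >> 4, 1
    while True:
        # Y nibble: bit 0 -> TAi, bit 1 -> TBi, bit 2 -> TCi, bit 3 -> TDi
        for bit, letter in enumerate("ABCD"):
            if y & (1 << bit):
                if pos >= len(raw):
                    raise ValueError("ATR truncated in interface bytes")
                iface[f"T{letter}{i}"] = raw[pos]
                pos += 1
        td = iface.get(f"TD{i}")
        if td is None:                     # no TDi: no further interface bytes
            break
        protocols.append(td & 0x0F)
        y, i = td >> 4, i + 1
    k = t0 & 0x0F                          # number of historical bytes
    historical = raw[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    # A TCK check byte follows only when a protocol other than T=0 is announced.
    has_tck = any(p != 0 for p in protocols)
    expected = pos + k + (1 if has_tck else 0)
    if len(raw) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(raw)}")
    return {"convention": TS_CONVENTION[ts], "iface": iface, "k": k,
            "historical": historical, "protocols": protocols or [0],
            "length": expected, **decode_interface(iface)}


def bits_per_second(clock_hz, etu_clocks):
    """Bit rate for an externally clocked card: Clk divided by clocks per ETU."""
    return clock_hz / float(etu_clocks)


def xor_t0_onward(hex_string):
    """XOR of every byte after TS, the value a TCK byte would have to carry."""
    x = 0
    for b in bytes.fromhex(hex_string)[1:]:
        x ^= b
    return x


if __name__ == "__main__":
    for name, atr in ATRS.items():
        info = parse_atr(atr)
        print(name, info["convention"], "K =", info["k"],
              "clocks/bit =", info["etu_clocks"],
              "bps @ 3.579545 MHz =",
              int(bits_per_second(3579545, info["etu_clocks"])))
```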
 

Fux_Dave
Unregistered guest
"P4 Security breakdown"

Hint on 'How To'
OK... here we go. There are a number of ways to get any card to give you what you want, or parts thereof. The knowledge is to know what you're seeing and how to make it work for you.
I will give a couple ways we use to gain responses from cards.

1. RSA Attacks.
A card computes an RSA signature S on a message M modulo n = pq by computing it modulo p and q separately and then combining them using the Chinese Remainder Theorem, and if an error can be induced in (say) the latter computation, then we can factor n at once as p = gcd(n,S^e-M) where e is the public exponent. This is absolutely ideal for a glitch attack. As the card spends most of its time calculating the signature mod p and mod q, and almost any glitch that affects the output will do, we do not have to be at all selective about where in the instruction sequence the glitch is applied. Since only a single signature is needed, the attack can be performed online.

2. DES Attacks.
When we can cause an instruction of our choice to fail, then attacking DES is simple. Thus DES can be attacked with about one correct and eight faulty ciphertexts.
But how realistic is it to assume that we will be able to target particular instructions? In most smartcards, the manufacturer supplies a number of routines in ROM. Though sometimes presented as an `operating system', the ROM code is more of a library or toolkit that enables application developers to manage communications and other facilities. Its routines usually include the DES algorithm (or a proprietary algorithm), and by buying the manufacturer's smartcard development toolkit (for typically a few thousand dollars) an attacker can get full documentation plus real specimens for testing. In this case, individual DES instructions can be targeted. When confronted with an unfamiliar implementation, we may have to experiment somewhat (we have to do this anyway with each card in order to find the correct glitch parameters). However the search space is relatively small, and on looking at a few DES implementations it becomes clear that we can usually recognize the effects of removing a single instruction from either of the last two rounds. (In fact, many of these instructions yield almost as much information when removed from the implementation as the key xor instructions do.)

3. ROM Overwrite Attack.
Often thought to be impossible, we know it is not. Where the implementation is familiar, there is yet another way to extract keys from the card - the ROM overwrite attack. Single bits in a ROM can be overwritten using a laser cutter, and where the DES implementation is well known, we can find one bit (or a small number of bits) with the property that changing it will enable the key to be extracted easily. The details will depend on the implementation but we might well be able, for example, to make a jump instruction unconditional and thus reduce the number of rounds in the cipher to one or two. Where the algorithm is kept in EEPROM, we can use two microprobing needles to set or reset the target bit. Where we have incomplete information on the implementation, ROM overwriting attacks can be used in other ways. For example, if the DES S-boxes are in ROM, we can identify them using an optical microscope and use our laser cutter to make all their bits equal. This turns DES into a linear transformation over GF(2), and we can extract the key from a single plaintext / ciphertext pair. Although ROM overwrite (unlike the other attacks suggested here) involves access to the chip surface, it can be carried out using tools that are relatively cheap and widely available. So it may be used by attackers who do not have access to the expensive semiconductor test equipment that professional pirates use to extract keys directly from smartcards.

4. Non-Invasive Attacks.
We can always apply clock and power glitches until simple statistical tests suddenly show a high dependency between the input and output of the encryption function, indicating that we have succeeded in reducing the number of rounds. This may be practical even where the implementation details are unknown.

There is a good number of other methods to hack smart cards... but this should give you a basic understanding of how it is done, and the time involved in developing new hacks for new cards. So do not get excited when you do not see a fix for a new card the day they are introduced. There is a great deal involved in getting to the point of writing a code for it. Gaining entry is priority, and dumping specifics of the card are a must, before we can get to the point you all want.
Seems I have taken too much of your time already.




Terms and Facts

To be better able to understand what is looked for and/or at with Smart Cards, I have compiled a list of Terms used and what they mean. I have done this in the hope that when you read a post stating a particular method of routing or application for your cards, or a problem which has arisen during a potential development, it might make more sense to you, and perhaps you might be able to offer a solution or thought. Do not be intimidated by lack of knowledge. Even the simplest of minds come up with good thoughts, and some of the highest minds forget to look at the simple ways of thinking, by getting too technical to see the answers. So offer what you can, and learn from what is responded.
I have also decided that because some of the ATR information out there is incorrect and/or technical, I have included a disassembly of the P4 ATR so you can understand it a bit better. You can learn a great deal from an ATR.
Have a look and remember or print this post. It will come in handy in learning how to develop fixes, and future works.

P4 ATR

3F 78 13 25 03 40 B0 20 FF FF 4A 50 00

Checkbyte TCK = 135 expressed in decimal (only valid for a non T=0 ATR)
----------------------------------------------------------------------
[3F] TS byte announces inverse convention
----------------------------------------------------------------------
[78] FORMAT byte announces 8 HISTORICAL bytes
----------------------------------------------------------------------
[13] TA1 byte is present and indicates the following:
Maximum CLK frequency is 5 MHz
D = 4
F/D ratio is 93
Max baud rate at 3.58 MHz is 38494 (etu = 25 us)
----------------------------------------------------------------------
[25] TB1 byte is present and indicates the following:
a programming voltage of 5 V
----------------------------------------------------------------------
[03] TC1 byte is present and indicates the following:
Extra guard time N = 3 etu
----------------------------------------------------------------------
TD1 byte is absent - Negotiable mode
----------------------------------------------------------------------
The ATR consists of the following:
Number of bytes in ATR is 13
1 TS byte, 4 interface bytes, 8 historical bytes,
Total number of bytes expected = 13

Terms and Definitions

Algorithm:
A mathematical routine used to perform computations (often used for cryptography).

APDU: (Application Protocol Data Unit)
The basic command unit for a smart card. An APDU contains either a command message or a response message, sent from the interface device to the smart card or from the card to the device.

ASIC: (Application-Specific Integrated Circuit)
An integrated circuit that has been custom-designed for a particular device.

ATR: (Answer To Reset)
A message that is returned by a smart card when it is powered up or when its reset pin is activated. The ATR indicates the card type, communication protocol and other basic information.

Authentication:
The process whereby a card, terminal or person proves who they are. A fundamental part of many cryptography systems.

Internal Authentication:
The procedure used to prove that the card is genuine by means of an algorithm, a random value and a secret key. The authentication process can be further distinguished between passive authentication in which the same values are used each time (e.g., PIN) and active authentication in which an algorithm and variable values are used.

Checksum: (also called Hash)
A count of the number of bits in a transmission unit so that the recipient can make sure the correct number of bits arrived and that the message is intact.

DES: (Data Encryption Standard)
The most widely used secret key encryption algorithm (56-bit key). A strengthened version of DES called triple DES (or 3DES) is commonly used in bank cards.

DF: (Dedicated File)
Memory organization for microprocessor cards: A DF is a logical entity that holds a number of elementary files (EF). In multi-purpose cards each DF will normally correspond to a distinct application.

Encryption:
A cryptographic procedure whereby a legible message is encrypted and made illegible to all but the holder of the appropriate cryptographic key.

Filtered:
Set of data or functions that are loaded into the memory of a smart card. Masked data and functions, by comparison, are hardwired into the card's chip.

Key:
A value that is used with a cryptographic algorithm to encrypt (or sign data). The longer the key, the more secure the encryption.

Mapping: (also called memory map)
A functional representation of the different blocks in the memory of a chip.

MF: (Master File)
Memory organization for microprocessor cards: This file is unique and obligatory. It has its own security attributes and may contain DFs and/or EFs.

Protocol:
A set of rules and procedures governing interchange of information between a smart card and a reader. The ISO defines several protocols, including T=0, T=1 and T=14.

Public Key:
A cryptographic system that uses two different keys (public and private) for encrypting and signing data. The most well known public key algorithm is RSA.

RSA: (Rivest-Shamir-Adleman)
The most widely used public key encryption algorithm, named after its creators.

Secret Key:
A cryptographic system that uses a single key for encrypting and signing data.

T1 - T1C - T2 - T3 - T4
A digital carrier system introduced in the 1960s. T-series speeds include:

T1: 1.544 megabits per second (Mbps)
T1C: 3.152 Mbps
T2: 6.312 Mbps
T3: 44.746 Mbps
T4: 274.176 Mbps.

XOR:
The XOR algorithm is a very simple form of encryption that offers little protection against intrusion."

"ReSpEcT My MiNd Or Fall Prey To It"
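Item 1 of the post above is the reason RSA-CRT signers verify a signature before releasing it. This added example (not part of the original post; the toy primes, message, names and the simulated bit flip are all constructed) shows the unchecked signer exposing p through gcd(n, S^e - M) and the checked signer refusing to output the faulty value.

```python
from math import gcd

# Constructed toy key: two Mersenne primes, far too small for real use.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (needs Python 3.8+)
DP, DQ = D % (P - 1), D % (Q - 1)     # CRT exponents for the two half-computations
QINV = pow(Q, -1, P)                  # q^-1 mod p, used to recombine the halves

M = 0x0123456789ABCDEF                # constructed message representative, M < N


class FaultDetected(Exception):
    """Raised instead of releasing a signature that does not verify."""


def sign_crt(m, fault_in_q_half=False):
    """RSA-CRT signature. The flag models one flipped bit in the mod-q half."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_q_half:
        sq ^= 1                       # simulated computation error
    h = (QINV * (sp - sq)) % P        # Garner recombination
    return (sq + h * Q) % N


def sign_crt_checked(m, fault_in_q_half=False):
    """Same signer, but the result is verified with the public key first."""
    s = sign_crt(m, fault_in_q_half)
    if pow(s, E, N) != m % N:
        raise FaultDetected("signature failed self-check; nothing released")
    return s


def exposed_factor(m, s):
    """gcd(n, S^e - M) from the post: n for a correct S, p for the faulty one."""
    return gcd(N, (pow(s, E, N) - m) % N)


if __name__ == "__main__":
    good = sign_crt(M)
    bad = sign_crt(M, fault_in_q_half=True)
    print("correct signature verifies:", pow(good, E, N) == M)
    print("gcd for correct signature equals n:", exposed_factor(M, good) == N)
    print("gcd for faulty signature equals p:", exposed_factor(M, bad) == P)
    try:
        sign_crt_checked(M, fault_in_q_half=True)
    except FaultDetected as exc:
        print("checked signer:", exc)
```

The self-check costs one public-exponent exponentiation per signature, which is small next to the two private half-exponentiations it protects.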

 

Sensei
Unregistered guest
JetSetSatellite (JSS),

I have quite a few different avenues of marketing ONLY IF you are serious about this skeleton key.

Contact me by sending an email to senseis@hotmail.com (MSN as well). I am an engineer with much experience designing HU products and having them sold by my offshore marketers.

 

becks
Unregistered guest
I got a p4 on EBAY about a year ago, for $65. I saw something about fake ones. How can I check to see if I have a real p4 card? I tried it in the receiver and got a message insert valid card. Hope the hack comes soon. I can only talk to the wife for so long.
 

starman
Unregistered guest
If it is a real P4 and it says IVAC, "insert valid access card", more than likely someone attempted to read the card and is now in a loop.

 

becks
Unregistered guest
would I be able to unloop it with my hu loader?
 

Testing days are over
Unregistered guest
It's been said here already. Your HU loader will not work with a p4 card. Never.
 

The Edge
Unregistered guest
Although the HU loaders will not work with a P4 card, is there any chance that a simple soldering of a chip, compatible with P4 cards, into existing loaders will work? And would this be cost effective?

 

Missing the HU
Unregistered guest
This is a big "WHAT IF"
1) suppose that one can get an EEPROM dump, then if there are no flaws that can work to our advantage with the p4 or p5 then what if someone could make a clone card that is capable of being reprogrammed when necessary by us. This clone card would work exactly like the p4 or p5 card except that we can reprogram it. An example of such a card could be the dssrev card or the rom 10X card.
 

jaded parrot
Unregistered guest
Soooooooooo., where is that pesky p4 card solution that has been held back until after the 27th? By my calendar it's the 28th today. Seems that all those earnest assurances were all bunk after all. Surprise, surprise.
 

Missing the HU
Unregistered guest
Like anyone actually thought "they" were going to release something that they don't have on the 28th. HAHAHAHAHA
Also JJS has not posted anything about his skeleton key, so that could be another fake, or DTV trying to trap ppl. But seriously what about a clone card as I stated earlier. Could that work???
 

Unregistered guest
I have this idea and I want to share it with you guys.... DAVE can program the card right there in the receiver (the receiver programs the card), through the phone line and through the signal itself, erase ppv, change the package you subscribe to, and so on, isn't it possible to fool the receiver (make a phone call to the receiver) and program the P4 card, or any other card??? What do you think about this?
 

JSS
Unregistered guest
Deal finalized, item will be marketed within 6 weeks for a cardless option.
 

Missing the HU
Unregistered guest
Wow! I guess I was wrong. Sorry JSS, is there anyway I can get in on this thing? Without my DTV all I can do is sit and home and whack off. I'm getting pretty good at it, I prong my anus while I strangle the pink dragon. But I really want to apologize for being an idiot to you. Sorry.
 

JSS
Unregistered guest
Hey, no problem. We all make mistakes...onward Christian soldier!
 

Bronze Member
Username: Bluez

Post Number: 59
Registered: Dec-03
ya right put it on the market and dave will change the code on ya
 

Anonymous
 
dupont24 I saw that you said you C/P'ed damon pridgen's post to your site and I thought I should mention that it's a c/p from packetstorm. I noticed at the top of the thread that credit was given to pcnut, I don't mean to be a dick but I hate seeing people take credit for someone else's work.
 

Thanx4freeTVdave
Unregistered guest
Don't you think direct TV would have a different method of testing receivers? Soldering a chip and entering a skeleton key code to simply test a receiver seems a little too uneconomical for dave. Wouldn't you think Dave would just subscribe a card through the stream for his receiver testers? I will believe this DTV cardless solution only after I see it with my own eyes.
 

JSS
Unregistered guest
I don't even know Dave. He ain't the partner. Anyways...nice talking to you guys. I'm out for good!
 

Unregistered guest
I have this bin... and I haven't tried it, but it may work, you write it to your HU card with your regular loader, and then with a new P4/P5 card you make the swap in the receiver according to channel 222, I don't know if it works, but if you want it e-mail me, luisfveloz@hotmail.com
 

Cristian Soldier
Unregistered guest
Deal finalized. Item will be marketed within 6 weeks. The check (cheque, Czek?) is in the mail. Bill did not have sex with Monica. George really did think that there were WMDs in Iraq. I will pull out before I come (sp). Etc., etc. zzzzzzzzzzzzzzz
 

Missing the HU
Unregistered guest
Hey someone was using my name. I did not write this message

"Wow! I guess I was wrong. Sorry JSS, is there anyway I can get in on this thing? Without my DTV all I can do is sit and home and whack off. I'm getting pretty good at it, I prong my anus while I strangle the pink dragon. But I really want to apologize for being an idiot to you. Sorry."

Maybe JSS really is full of it.
 

Sircapone_2k4
Unregistered guest
Posted on Thursday, April 29, 2004 - 4:00pm

--------------------------------------------------
I would just inform some of you newbies that Direc4U is currently running a special as far as equipment. Since the Hu Cards are out, and we may need all NEW P4 or P5 cards, I went and subscribed to the Dtv and they are sending me all NEW equipment, 1 Dish, 4 Receivers, 4 New CARds FREE DVD Player, FREE Installation. Now the monthly plan is $45 dollars for a 4 room setup with a 1 year contract, however you can downgrade your receivers to just one active receiver and pay only $29.99.

I found it very wise to subscribe and then hopefully soon when they Hack the P4's I will already have new cards/new receivers as opposed to buying NEW P4 or P5 cards via internet or ebay. Just a friendly suggestion since as of now there is NO resolution in sight. The local cable companies are going to charge anywhere from 30 to $40 dollars monthly, why not subscribe and get free equipment. Upon the Hack on the P4's you/we can use the original dish setup to run the burned P4 or P5 cards off of. Just thought I'd inform some of you!!! Ok, some of you may say F**k paying for a subscription but $30 bucks shouldn't break many of us, especially when you get the 4 NEW cards!! Just my opinion........
 

dvorak
Unregistered guest
That'd be great, but for those of us living in Canada we need the P4 hack
 

Dont know sh!t
Unregistered guest
anyone checked this site out?
http://www.dssfilexchange.com/newfiles.php
 

NewGuy
Unregistered guest
Sircapone_2k4

u must work for DAVE. pay for it yea right lol
 

Unregistered guest
Also all the people that live in Mexico, like myself, we need the hack.
I did try to subscribe, but they can't provide the service outside of the US, and I know what you are thinking, you have DirecTV Latino... well ... kind of crappy and expensive, the cheapest is like $35 (only one TV any extra add $16 each) and if you upgrade can be up to $140, and still crappy, old movies... not too good
 

Dont know sh!t
Unregistered guest
This site has files for download.
Anyone ever been there?
http://www.dssfilexchange.com/newfiles.php
 

DSSDevl
Unregistered guest
Sircapone_2k4,
Sry, but you have to subscribe those irds AND keep all four active for 12 months. If you unsubscribe, they will charge your credit card 200 dollars per ird that you unsubscribe.
 

New member
Username: Stopmenot2002

Unknown, Texas US

Post Number: 2
Registered: Apr-04
Check This OUt GUy http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&category=11726&item=3094337525&rd=1
 

Anonymous
 
"I would just inform some of you newbies that Direc4U is currently running a special as far as equipment. Since the Hu Cards are out, and we may need all NEW P4 or P5 cards, I went and subscribed to the Dtv and they are sending me all NEW equipment, 1 Dish, 4 Receivers, 4 New CARds FREE DVD Player, FREE Installation. Now the monthly plan is $45 dollars for a 4 room setup with a 1 year contract, however you can downgrade your receivers to just one active receiver and pay only $29.99."

Sircapone_2k4
Makes a good point I just did a little math with this and with 4 receivers and 4 cards free with a 1 year contract at $45 that's $540 for the year now let's say you go to ebay or any site you get your stuff from and purchase 4 cards at $50 each and also purchase 4 receivers at $50 each you're looking at $400 and $50 each is well right now priced very low you're gonna spend a lot more than that also subscribing will get you tv for a year while we're waiting for the so called fix if any
 

dumbasses
Unregistered guest
ok dave...first off you have to activate each of the receivers for additional charges. [with 4rec. thats a little more than $45 monthly.] secondly thats the most DUMBASS thing i have ever heard of. i will wait for the cheap fix like the millions of other poor souls!!!!!!!!!!!!!!!
 

Anonymous
 
What kind of Sharpie marker are you using, because I have a scripto marker and it doesn't work with my HU card. Thanks
 

dumbasses
Unregistered guest
scripto? read what i said dumbas$$ "waiting like all the millions of other poor souls" has nothing to do with markers. key word of the day "WAITING" .................. get the scripto outaa your a$$ and pay attention!!!!!
 

Bronze Member
Username: Bluez

Post Number: 60
Registered: Dec-03
hey there jss if you don't know who dave is then when you bring out your cardless receiver you will find out real quick. If your story is true then he knows who you are and he has looked up the info on your uncle and is just waiting to pounce
 

JSS
Unregistered guest
No idea who Dave is but I don't really care. Anyways, the finished product is ahead of schedule and should be available to the masses by June 1 possibly late April. Its cost is relatively cheap to produce ($25-30) but with demand it will probably go for $250ish with self install directions. NO SAULDERING NECESSARRY ON NEW MODEL(mine has sauldering). Someone asked earlier about my uncle, being a former DTV associate, revealing company secrets. Anyways, I asked him and nowhere in his hiring agreement did it state anything about him not being able to do anything with his acquired info. His lawyer agrees 100% with this, just the "technicality" of "borrowed" signals has to be addressed. There are loopholes with this item. My uncle's just looking for one big enough for him to fit through. I don't know why some of you get angry and suspicious. I am only letting you guys know what options are available. When it's done I'll post a link to the site and you guys can choose to look/purchase, not look, whatever you want. It's a free country(s). Do what you like and be it with a P4 fix or another way...I wish you all the best.
 

lurker
Unregistered guest
lmfao at JSS

Sorry bud, if you even had half a clue about the DirecTV satellite testing community you would know who Dave is.

You are obviously just a scammer who found out about a group of people that you might be able to take advantage of.

You cannot make a cardless IRD because you need the ASIC. The ASIC is what crunches the seed values that generate the decrypt keys...but I guess you already knew that.
 

lurker
Unregistered guest
By the way, ask your uncle's lawyer if he has ever heard of the Economic Espionage Act of 1996.
 

New member
Username: Notvforme

Post Number: 1
Registered: May-04
im sooo bored without my channels dammm you dave all to hell someone help!
 

New member
Username: Notvforme

Post Number: 2
Registered: May-04
Is there a hack for the p4 yet or no? is this site full of shittt? http://www.dssfilexchange.com/newfiles.php
 

JSS
Unregistered guest
Actually, I probably know more about this stuff than anyone in here. I can't believe how many of you actually believed me. As to the smarter ones who had some clue..kudos. I was just fooling with you guys to weed out the morons...quite a few in here. See you losers.
 

wherever-i-may-roam
Unregistered guest
oh kudos, dave we all share the same love for you too!!!!
 

Anonymous
 
NO SAULDERING NECESSARRY ON NEW MODEL(mine has sauldering).

JSS...If you had a clue, you would know how to "solder", and not "saulder".
 

Obiselects
Unregistered guest
This is my first post here and I have some info.
I live in Canada and there is a fellow here that says for $1500.00 he will give u a wide open p4 the loader/looper and show u how to do everything.
Now I am about to contact this guy because for me and the research I have done this seems a little too good to be true
 

New member
Username: Stopmenot2002

Unknown, Texas US

Post Number: 8
Registered: Apr-04
$1500.00 I'll go for Dave And PAy dave that amount of money so I dont have to worry 'bout fixing this CHip for at least year and 1/2 all channel wide open.. You Go ahead and get SCREW. Not everyone in here want or even touch that amount. Thank You.
 

Bronze Member
Username: Bluez

Post Number: 63
Registered: Dec-03
got po rn back on c-band with a black caged videochiper modded with autoroll chip,you get quite a few channels and lots of feeds
f u c k you dave and jss
hey jss are you joe blow also the dick head from another thread
 

Gherkin
Unregistered guest
The new P4 hack will be coming out next week. It also cures baldness and helps you lose 20 pounds.
 

New member
Username: Manwithfinger

Post Number: 1
Registered: May-04
Does the hack also cure erectile dysfunction? I'd pay $2500 for a real cure to the p4 dilemma. Hell, I'd be better off growing pot and selling it than paying for the service. ahahhahha
 

New member
Username: Manwithfinger

Post Number: 3
Registered: May-04
Gherkin, I bet you tell the girls all that blow too.
 

Unregistered guest
What I see is that you guys are putting a lot of effort into this. Hopefully we will come out shining stars, I paid 130(canadian) for my unit 3 years ago. It's been a great ride while it lasted. HBO title shots, WWF sorry WWE and lets not forget TITO. Guys the sooner we find a means the sooner we can get back to what we miss the most. FREE TV !!!!!!!!!!

I'm a newbie when it comes to this s*#t and I would like if it works like the HU put it in the loader, load a new script (3M or Act) and off you go. I can't speak for everybody but I can say this with confidence, I pay someone for " my fix " right now he has my money and I'm not getting my money's worth.....

To quote the best band in the world "The Song Remains the Same " will we ever what hacked DTV again ?????
 

Unregistered guest
Sorry watch
 

Anonymous
 
Hey there everyone.. I was reading through this thread and noticed someone saying your HU loaders will not work with P4... This is very untrue.... Some of them won't, but for those of you lucky guys who purchased a T911 with compatibility with H and HU cards there is hope. The reason HU loaders will not work with p4 cards is because the p4 can not be glitched or it will loop and you will be screwed... However the P4 card CAN be read by an ISO programmer... All you gotta do with your T911 loader is look on the back at all the dip switches.. There will be 6. Turn them all off and voila! ISO PROGRAMMER which IS compatible with the P4 card. As for the rest of you who do not have T911 programmers or other programmers compatible with programming H cards as an ISO programmer, sorry to tell you this guys but you need new hardware...
 

bulwyick
Unregistered guest
All I hear is a lot a babble about the P4 ..s%&t any1 thought about the P5
 

Anonymous
 
The P4 and the P5 are relatively the same... NDS developed the P4; Dave developed the P5 to accommodate some security holes in the P4. The best guess on anything will be the same hole that is found to get into the P4 cards will get into the P5 cards; however, there is always a question of which hole will we find and which hole did Dave find, patch, and what will happen to the P5 card when we try to get into it using the same method as the P4... The P4 has glitching security so we can't glitch into it, so there is bound to be another way using an ISO reader/writer, but the hole we find into the P4 may not hold to be the same with the P5/D1 card. If said hole was discovered by Dave we may run into the issue of us basically doing an ECM to our own cards. In my opinion I think it would be best to find a way to get into the card while it's in the receiver... Develop a program that can duplicate Dave's commands in the stream and send it to the card as if it were the stream itself... This would be near impossible, so the best hope we have right now is anything anyone comes up with; however, I would definitely not post anything here if I found the holes.. This site is monitored by Dave, and remember: having the knowledge is not illegal... it's what you do with that knowledge... Always think of that while posting to this site with Dave crawling all around it.
 

New member
Username: Ape33

Post Number: 1
Registered: May-04
damon pridgen:
How can I contact you?
 

Anonymous
 
If you want to convert your existing loader to an ISO programmer... just reflash it.. with the old hu or wt2plus or wtx.., you will get into your P4.
So there is still hope for those who have unloopers and loaders with the ulcs4 code. There is also a p4 flash too.. I have played with it and was able to glitch an ATR from the p4 card, and still get previews.. without looping.. many mysteries on this p4.