Nagravision 3 Hacked Fta Receivers

Software emulation of the Nagravision system has been implemented in many Free-To-Air Satellite receivers, allowing unauthorized viewing to those who do not own an official card. As of the summer. Only 1 manufactured FTA receiver is so far able to make use of this new technology to circumvent Nagravision 3 on the Bell ExpressVU provider network. Is Dish Network using Nagravision 3? All subscribers to Dish Network have been informed that they will need to upgrade their conditional access cards with new purple Nagravision 3 version cards.

Q: What is Nagravision 3 (Nagra 3 for short)?
Nagravision is an encryption method used by both satellite providers.
This locks and secures their channels so that only subscribers who have authorization can view.
Nagravision 1 and Nagravision 2 (Nagra 1 & Nagra 2) have been compromised and exploited, allowing unauthorized access via hardware and/or software to view their channels. Naturally when this happens the providers must find a way to lock their signals again, if only as a way to inconvenience you momentarily in hopes you find an easier way. (Just pay them monthly). Remember, if no one paid for the birds in the sky you wouldn't be watching them. It's always a very, very good idea to pay for their services. If only for a basic subscription.
Q: What about new software?
No one knows this information besides the coders. They will not disclose too much info beforehand.
Q: If it does get cracked, how long will it take?
Again, the same thing applies. We simply do not know.
We do know however, the switchover from Nagra 1 to Nagra 2 was only a matter of a few weeks. But this may not be as easy as last time. Only skilled coding teams will know what it takes. Most of the upper/common coders, or spokesmen for them, have already stated that they are working on it. As soon as the files are finished we will have it posted. And yes, we will have it posted before or at the same time as other websites.
Q: What channels have already switched over to Nagra 3, thus resulting in a black screen?
B** is currently making the switch now, shutting off the lights to Nagra 2 and only using Nagra 3 as their encryption method.
Many channels such as HD and some premium movie channels have been reported down, it is only a matter of time before is completely dark.
DN will follow later as well, they have to be sure all their subscribers receive their new access cards first.
Remember, there is a whole sky up there full of channels that in many cases are free and clear, using 0% encryption. That's why your receivers are 100% legal. Of course I only recommend buying and using your FTA receivers for their intended use, and any other information as always is for educational use only. More info here:
So in short the dark days are ahead and only coders releasing new software for nagra 3 will turn the lights back on.
We recommend that you start recording some of the shows in case of prolonged blackout.
The N3 switch, what to do & what you should not do...
Except for old timers, most of you have never seen a nag switch.
There is no need to keep posting (I lost channel xxx, how do I get it back?)
We all know the providers are switching to N3. You will lose more & more channels until they are all gone. You will get scrambled channels, sound but no video, etc. All that is to be expected during a switch, there is nothing you can do about it except making sure the channel loss is not on your end.
As time goes on, rumors will surface like you have never seen. You will also see many scams.
Example:
N3 was hacked by a monkey in China, he has the hack for sale, we need money..
The monkey opened a private site , only $500.98 to join..
We almost have the fix, we just need to tweak it, but ran out of money..
Your receiver won't work for N3, buy this one...
Keys will work...
My friend's uncle's sister's cousin has the fix, all channels wide open...
Keep your old receivers, we don't know what will work & what won't. If you have to have a new unit, buy a $100 one until this is over..
We have experienced staff, the seniors have been thru these changes from the F card to N1, N2 & now N3.
We know where to look for bins & info, We have enough experience to know fact from rumors & scams.
The staff will be very busy, searching for info to keep you up to date. We will not have time to correct useless posts by ppl who have no idea what they posted.
Please, let the staff do their job & all will Be Fine.
All we can do now is ride it out, & watch for new developments.
More info on N3:
Nagravision is a company of the Kudelski Group that develops conditional access systems for cable and satellite television. The name is also used for their main products, the Nagravision encryption systems.
Three versions of Nagravision are in common use for digital satellite television, known as Nagravision, Nagravision Cardmagedon, and Nagravision Aladin. Nagravision Cardmagedon and Aladin are often confused with each other. Nagravision Cardmagedon is however, a complicated combination of Nagravision Aladin and Mediaguard SECA 2 encryption.
The decryption unit is either integrated into a receiver, available as a conditional access module (CAM), or as one of many encryption schemes supported on a CAM emulator.
Nagravision has been adopted all over the world as a conditional access system, with providers like Virgin Media in the UK and Dream Satellite TV Philippines (on Nagravision 1), Polsat of Poland, Digital+ Spain (now on Nagravision 3), TV Cabo Portugal, Premiere Germany, Digi TV Romania, B** TV and Dish USA (on Nagravision 2).
The original Nagravision 1 is now almost obsolete after it was originally compromised in 1999, although Dream Satellite maintain relative security by changing keys several times throughout the day, causing great inconvenience to unauthorized viewers.
The Nagravision Aladin providers have been confronting the issue of satellite signal piracy and smart card piracy, since the system was publicly compromised in summer 2005. At first, security of the system was regained, with software revisions, manipulation of the Nagravision encryption algorithm, along with the phasing out of older cards, like the ROM101, ROM102, ROM103 in USA and ROM110, ROM120, ROM130 in Europe, in favor of the newer ROM142/ROM180.
Card hackers have, however, continued to compromise the encryption system, with continued software and key releases being made available to the public. Software emulation of the Nagravision system has been implemented in many Free-To-Air Satellite receivers, allowing unauthorized viewing to those who do not own an official card. As of the summer of 2008, the next version of Nagravision, nagra3, has been compromised in Europe.
Nagra 3 will be the same Nagra 3 here as there. There will be changes in map calls & timers like there is now. If Nagra 3 is cracked in Europe it will be cracked here as well. That does not mean there will not be upgrades to the code. There will always be that.
The real question is, will your current FTA unit handle the upgraded code?
The reason we have to wait is because our providers will adjust the ECMS so that it takes longer to hack, and so the coders can't just use the Euro coders' work.
Best Regards,
The Fta Professionals Team

Back in 2002, my 15-year-old self was super excited that we finally got satellite TV installed at home. Since we lived in the middle of nowhere and there was nothing to do (and our overly strict parents wouldn’t let us play outside), satellite TV was awesome, even though our overly strict parents put a parental lock on the receiver so anything rated higher than PG was off limits. I guess you could say this was my first dive into hacking..

Getting the lock code

Guessing the 4-digit pin was going to take too long, and being a genius I looked for another way. Even if it would take longer, exposing a vulnerability is more satisfying than bruteforcing. Realizing the single point of vulnerability here is the infrared signal from the remote that my dad used to unlock the good stuff, I ended up setting up an old Compaq Armada 4120 laptop in the living room. I wired an infrared receiver diode to a 3.5mm cord and plugged it into the Mic input on the laptop, and hit record just before his show started. Being the only person in the household who knew anything about computers, my actions weren’t questioned as I was “probably making another dumb qbasic game”.

So I captured a mess of button presses, stopped the recording, and started converting the waveform – by hand on paper – into 1s and 0s. The next time I had the house to myself, I started another recording and pressed the buttons on the remote in sequence to learn what the digits 0 through 9 would look like. After a simple match game, I had the code. Now I can finally watch Family Guy!

Wait there’s more

Now that I had access to the entirety of our tiny programming package, I wanted to know what else I could get into. There are a LOT of pay-per-view channels, and some really interesting looking adult-only channels. We only had 56k dialup at this point so my exposure to on-screen nudity was severely limited, except for the few times I found my dad’s stash on the family computer (again, I was the only one in the house with a working knowledge of the Windows operating system, browser history was hardly thought of, and the Temporary Internet Files folder was always loaded with juicy thumbnails). Hey if you have a teenager who isn’t allowed to play outside, and you give him access to a computer, this is what you get. Of course now in 2018 every 6-year-old knows how to ‘hack’.

Anyway, I tried in vain for months to figure out how to get into the good stuff, and I was never able. It was like a puzzle that you try and try and can never solve. Like a boss fight in your favorite video game that you could never beat. The year was 2003, and I had heard through the grapevine that you could just buy a fake smartcard, and plug it into the receiver, and it would give you all the channels.

Iiiiiiinteresting. After much research I learned how the setup worked, and how the system works (step one in hacking something: learn how the system works).

How Satellite TV encryption worked in the 2000s

The provider (in this case, at the time, Bell Express Vu), broadcasts a wide array of MPEG2 streams, encrypted using an 8-byte codeword (calculated from a combination of instructions from the stream, the public keys, and the Maps hidden in the card, using a scheme called the Common Scrambling Algorithm). Every channel has its own codeword, and every codeword changes roughly every 20 seconds. Inside the receiver is an MPEG2 decoder chip that takes the stream of whatever channel you want to watch, mixes in the codeword, and sends the video out to your TV. The receiver’s operating system decides what part of the stream to send to the decoder chip, and is responsible for providing the codeword at the same time, as well as running other checks such as which channels you are allowed to view, and maintaining system information such as time, software updates, etc.

The satellite stream contains encrypted video, and the occasional control packet. Control packets contain instructions for the smart card, and some other information like time, and which channels you are allowed to view (called tiers, strings of numbers that represent channel permissions).

Tiers and getting free channels

Satellite TV is a one-way signal. The satellite has to broadcast everything, and because every single receiver receives the exact same signal, things have to get a little complicated. The provider knows the serial number of your receiver, and the serial number of your smart card. These are used to send encrypted account information to your receiver to tell it what channels you paid for, and for how long they will be valid. For example, every once in a while the provider will send a tier update downstream, like “receiver #11050929 tier 87645018734563416254626583415”. If it matches your receiver, your smartcard decodes the string of numbers and generates a message for the receiver like “you have the basic package and no pay-per-view channels were ordered, this will expire in 30 days”. Every month or so your receiver has to receive one of these messages or the channels will stop working. That’s why if you leave your receiver unplugged for too long, it can take up to a month to get your channels back (or you can call your provider and they will send a tier update for you, called ‘channel synchronization’). This is the basis for free TV. Intercept the command from the card and tell the receiver what channels you want.

The receiver sends instructions to the smartcard via a simple serial interface (back then these commands were encrypted using the marriage, that is, the pairing of the receiver and card; nowadays it’s much more complex), and if the smartcard decides everything is okay, it will return a result to the operating system, which could use the result to issue more instructions. The smartcard performs a minimal amount of math to figure out the keys to decode the control word and unlock the video. In the beginning, the math was simple and easy to figure out just by looking at the packets (by intercepting the smartcard commands and decoding them with the marriage). This is where the first fake card system came into play – the AVR.

The AVR was a fake card that you inserted into the receiver, and it had a slot so you could plug your actual card into the AVR. The receiver would talk to your smartcard as normal, and the AVR was programmed to intercept certain commands (such as tier commands) and fool the receiver into thinking you had access to all the channels. They were called AVRs because they ran on AVR chips, most notably, the Atmel AT90S8515. It was not a very powerful chip, and the programming was relatively basic, so rather than have the chip attempt to decode the keys from the stream (and since the keys didn’t change all that often, because of the strain on older receivers), the keys were programmed onto the chip, and the chip simply had to be reprogrammed every time the keys changed.

The coders, a loose group of hackers across the internet, were responsible for announcing the keys to the world every time they changed, so people could reprogram their cards (or pay someone to reprogram their cards). They used AVRs with special emulation software attached by a parallel cable to a computer full time to monitor the stream and detect key changes. Some of us adopted a similar setup with combination software that could let you monitor the stream and also control the receiver, which didn’t require a smart card at all. I built such a system for myself, and began learning the various commands and was able to generate keys and unlock the video without relying on others. At this time, key changes happened every couple weeks and also almost always before (or during) a large sporting event. Everyone was happy, and I watched the first Pirates of the Caribbean movie on pay-per-view probably a dozen times, just because I could. The providers played some tricks around this time, like forcing software updates to the receivers that could detect the presence of AVRs, and neutralize the receiver. A message would appear on screen saying there’s a problem with your receiver and to call the provider. If you did, well, they know you are pirating their service. Resetting the receiver without the AVR would allow you to resume legal TV viewing. A lot of us simply flashed an older software version to our receivers, but since the upgrade is automatic, it would have to be done every few days. Some of us installed flash interrupts, that render the receiver read-only so new software couldn’t be installed. Then the receiver learned how to detect the lock, so we installed a switch that could lock or unlock. Then the receiver started checking more, so we installed smart locks that could detect the check… what a game of cat and mouse it was. This was short-lived though because…

Nagra 2

Because the smartcards were already using every trick up their sleeve, the providers realized that the only way to defeat the hackers was to change everyone’s smartcards for more powerful ones. This was done late 2004-early 2005, and effectively stopped satellite TV hacking. This is the point at which I have to stop referring to myself as a Satellite TV Hacker, because even though I had the technical knowhow and was able to decode a lot of commands for myself, I couldn’t unlock a video stream without referencing other people’s work.

The Nagra 2 cards were a massive improvement over the first implementation. These cards could support much, much more complicated math, had onboard cryptography coprocessors called MAPS, plus the ability to execute ECMS and receive remote updates to change which MAPS are being used. Uh oh. The coders have a LOT of work to do. Luckily, early versions of the Nagra 2 cards were glitchy and vulnerable to certain attacks, which hackers can use to fool the card into leaking its secrets or allow them to be reprogrammed. Later versions of the cards had a lot more powerful security features, and were considered impractical to attack. For example, they could detect an attack and permanently disable themselves. Spooky!

Since the receivers didn’t change, the cards had no choice but to use the same communication methods to talk to the receiver, so it was relatively easy to see what the card was saying. The receiver uses information and commands from the stream to send commands to the smart card. The smart card does some super secret processing and spits out a response. The receiver uses that response to do the things it needs to do, like decode the video, decide what channels you are allowed to watch, or send more commands to the smart card. There are a theoretical maximum of 255 commands ($00 ~ $FF) though most were just empty and not used. The most important ones were $07, which asks for permission to view a channel, and $1C, which delivers the control words to the receiver. These commands use a multitude of maps in specific orders to correctly calculate everything. If something doesn’t add up, the control words won’t decode the video. In the early days of Nagra 2, the IDEA and RSA Maps were being used. Once the hackers figured out these Maps, the provider simply switched to another Map that still hadn’t been figured out. The hackers eventually figured out those too, and the provider would switch to yet another set. Once all the Maps were solved, the provider enacted a scheme to regularly switch the Maps around, and so the game of cat and mouse continued on and on. Every time the hackers figured something out, the provider would just change it.

FTA Receivers

It was around this time that Viewsat and other popular FTA receivers flooded the market. These companies made a killing selling perfectly legal equipment that could easily be reprogrammed to decode Nagra 2 streams. All of the juicy information the hackers had been working on could now be written to one of these ‘Free-to-air’ receivers (satellite receivers whose purpose is to view streams that aren’t encrypted at all), to basically replace a Bell or Dishnet receiver. Whenever the providers changed something (which at this point was a couple times a week) the end user only needed to pop a fresh program onto their receiver and continue watching TV.

The hackers, being hobbyists with nothing to gain, were particularly angry over this. For them it was a hobby, not unlike a jigsaw puzzle. Something is being beamed at your house and you can’t see what it is unless you solve these complicated riddles. You solve the riddles and share the results freely, only to have a company in South Korea earn millions of dollars because of your work. Too late, though, it’s such a lucrative business that now they have their own hackers to keep them going. I’m not going to lie, I made a good deal of money installing boxes and dishes for people who wanted to get in on the free TV craze (this is a grey area, I can sell you a box and install the dish but I can’t put the hacked firmware on for you). They knew the game, so when they eventually got zapped I wouldn’t be at the arse end of a lot of angry phone calls.

By this time corporate corruption and backdoor deals were rampant. I remember watching Map57 enter the stream, effectively killing all piracy, only to see it disappear from the stream a few days later, allowing everything to work again. Word around the water cooler is that someone at Viewsat paid off an employee of one of the providers to lift it from the stream for a bit, so they could unload their inventory before everything went dark for good. Said employee was dismissed, and Map57 started to creep back into the stream, but due to security concerns (because Map57 was also cracked by the same FTA manufacturer) it was complemented with even more Maps. The freelance hackers and coders had all abandoned the game, choosing instead to sit by and watch like I did after the card swap. But money talks, so these FTA manufacturers and their hackers-for-hire played the game pretty hard, and kept things going for a good while. Until…

Nagra 3

Due to the rampant financial success of overseas FTA manufacturers, the providers decided to perform another card swap. The third generation of Nagravision was incredibly powerful, combining all previous encryption and security schemes. The providers also took this opportunity to upgrade their systems from MPEG2 to MPEG4, and replaced older receivers that wouldn’t support the newer format. Because the majority of the hackers and coders no longer wanted to have other people profit from their work, no hacks were released. Some unreliable internet card-sharing schemes were set up in an attempt to continue sales of FTA boxes, but most people would rather pay a monthly fee to a provider than a group of flaky crooks overseas. The transition to Nagra 3 effectively marked the end of Satellite TV hacking. Because the internet is such a powerful thing in the world today, most piracy is being done online. There are hundreds of copies of every episode of every TV show and every movie ever made online at any given moment. Easy-to-use programs scan the internet looking for them and provide a simple list for the end user, who needs only click an item on-screen to watch free TV. Even TV streams are being re-broadcast online for others to see. This is especially tricky to target because literally anyone with a paid subscription can broadcast a stream to the world, and the providers have no way to know whose it is.

Nagra 4 and the future

Nagra 4 is now being released through yet another card swap, this time it mainly adds features to combat illegal IPTV streaming. This is a complex automated system that scans the internet for illegal video streams, and systematically embeds hidden data into the video signal one subscriber at a time until it’s detected in the internet stream, and automatically cuts off that subscriber, thus also disabling the internet stream. There is no doubt that the streamers (especially those who charge for their illegal service) will figure out a workaround, and yet another game of cat and mouse will begin.
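
An added example (not from the original post, and not Nagravision's actual system): a Python simulation of the tracing loop described above, where the provider marks subscribers' video and checks whether the mark shows up in the restream. It goes beyond the one-at-a-time search in the text by also showing a halving search; the class and function names are hypothetical, and it assumes a single leaking subscriber and a mark that survives re-encoding.

```python
"""Simulation of watermark-based leak tracing (constructed example)."""
import math


class LeakedRestream:
    """Stands in for an internet restream fed by one subscriber's decoder.

    The tracer never reads `_source`. It can only ask one question per
    round: "is the mark I embedded for this set of subscribers visible
    in the restream?"
    """

    def __init__(self, source_id):
        self._source = source_id
        self.probes = 0  # rounds of marking the provider had to run

    def shows_mark(self, marked_ids):
        self.probes += 1
        return self._source in marked_ids


def trace_one_at_a_time(subscribers, stream):
    """Mark a single subscriber per round, as the paragraph describes."""
    for sub in subscribers:
        if stream.shows_mark({sub}):
            return sub
    return None  # nobody in this population feeds the restream


def trace_by_halving(subscribers, stream):
    """Mark half of the remaining suspects per round (group testing)."""
    suspects = list(subscribers)
    # First round marks everyone: confirms the leak is ours to trace.
    if not suspects or not stream.shows_mark(set(suspects)):
        return None
    while len(suspects) > 1:
        mid = len(suspects) // 2
        first_half = suspects[:mid]
        if stream.shows_mark(set(first_half)):
            suspects = first_half
        else:
            suspects = suspects[mid:]
    return suspects[0]


def compare(population=100_000, leaker_index=73_219):
    """Run both searches against the same constructed subscriber list."""
    # Constructed sample data: card serials are made up for the demo.
    subscribers = [f"card-{n:06d}" for n in range(population)]
    source = subscribers[leaker_index]
    report = {}
    for name, tracer in (("one_at_a_time", trace_one_at_a_time),
                         ("halving", trace_by_halving)):
        stream = LeakedRestream(source)
        found = tracer(subscribers, stream)
        report[name] = {"correct": found == source, "rounds": stream.probes}
    report["halving_bound"] = 1 + math.ceil(math.log2(population))
    return report


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Each round corresponds to one marking cycle that has to propagate through the restream, so the number of rounds is what determines how long the leak stays up before the subscriber is cut off.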

But let’s go back to the CSA. The single 8-byte control word that unlocks the entire satellite stream. This is a random 64-bit word that is different for every channel and now changes every few seconds. The smart card is basically just a super secure and super secret list of instructions for decoding the control word. What if we could decode the control word without needing a smart card? Basically every satellite TV system would be wide open. 15 years ago, decoding a 64-bit word in realtime was unheard of, but today’s computers are exponentially faster. Considering the weaknesses of the control word (the fact that only 56 bits are unknown, and the fact that the result MUST be an MPEG4 header) and the massive computing power of today’s consumer hardware (not to mention hardware used for crypto mining), I think it’s in the realm of possibility to just attack the CSA directly…

More reading

North America MPEG2 Information: http://www.coolstf.com/mpeg/

The Common Scrambling Algorithm: https://en.wikipedia.org/wiki/Common_Scrambling_Algorithm

Breaking the CSA: https://www.researchgate.net/publication/262345767_Breaking_DVB-CSA