There have been many hacks on the Videocipher II system. One of these
involved cloning, or copying, the ID of another descrambler, enabling authorization of both descramblers
at the same time. Another method was to subscribe to one channel and then use pirate
software to open up all channels; this was known as the 'Three Musketeer Hack'.
Another hack was the use of seed keys & wizzard codes (see my seed keys & wizzard codes section
to understand how these work).
Cloning A VCII Descrambler
To clone a VCII descrambler, certain data from the ICs (Integrated Circuits) of the descrambler must
be copied and/or modified.
The first step is to back up the seed keys & the ID number in the 'virgin' board before making any changes.
This way, if anything goes wrong you can still revive the unit. The Key's'R'Us software can be used to back up
these keys. Although the software only works in 010 boards for reading & writing, it will work for writing only
on 018 / 019 (A5 Series) boards. (Not sure about 032 (77) Series boards.)
Once your ID & keys are backed up you're ready to go.
The next step usually involved clearing away the epoxy around U30 (right now you really love the 010 boards :) )
and removing the chip completely. I've seen a lot of boards where the epoxy is simply cleared around the pins of
U30 and the socket is applied right on top of the stock chip. This will work but is not always recommended: since
the stock chip is still in the circuit's path it's still 'live', and voltage values may differ. The proper way
would be to completely remove the stock chip and solder in the 28 pin IC socket.
Next, you would install a chip burnt with software that contains the data to change the ID & seed keys to those
of another descrambler.
Once this has been done, the now 'clone' unit will be authorized for the same services as the 'master' unit.
So whatever services are purchased on the master service, any descrambler that is cloned with this set of
seed keys & ID number will receive the same services.
This operation can be, and has been, done in multiples, resulting in numerous descramblers running off of one
set of keys & ID.
There is one major drawback to this method: once GI discovers that the master unit ID is being used
for cloning, the unit will be turned off (de-authorized). Once this happens, all units which were cloned
with this unit's keys are instantly shut off also.
One way to get around this is to limit the use of keys in units to a minimum. Thus, if one unit goes down then
only some units will go down also, but others will remain on simply because the keys & ID number are totally
different. In other words, use more than one board to make clones from.
The Three Musketeer Hack
"All For One & One For All"
This hack consisted of a legal descrambler authorized for the cheapest programming package. A great example
would have been the hacker's choice (CNN). A pirate chip would need to be installed so that once one service was
authorized, all services would open up and allow unauthorized viewing of all channels.
The Wizzard Hack
This attack uses data extracted out of the U7 decryption IC and modified to
decode the authorization subkeys which the descrambler uses when being
authorized.
This hack does not use the seed keys of another descrambler nor an ID#. The authorization data
is received through a legitimate descrambler and then entered into the modified descrambler
through the software, which enables 'code' entry through either a remote or, more commonly, the
front keypad of the decoder. Since this method contains no Unit ID # or seed keys, theoretically
the unit cannot be turned off.
Soon after GI discovered this, the pirates began putting 2 sets of seed keys and 2 ID#'s in the units, so that if
one was discovered and de-authorized the 2nd would still be running. These units could now
receive 'hits' from the data stream and generate their own wizzard codes. Once calculated, the
codes could be displayed on the TV screen so this data could be used to turn on other modified
wizzard boards.
In Use Today
As of this writing, there are still working VCII descramblers receiving unauthorized programming.
This method relies mainly on the use of seed keys (Cable Company ID's) which generate the
wizzard codes and produce audio on 'some' VCII channels.
Currently, the wizzard codes change every 4-6 hours, most at various times;
for example, a portion of Galaxy 5 (G5) changes at 12 AM/PM, 4 AM/PM, 8 AM/PM in a continuous loop.
There are still some channels running month to month, such as most of the sports channels
and a few others such as Fox Sports & W1-24 (CBS-East).
To keep audio on these channels there is a fair amount of work to be done. Since the codes change
so often, you would have to be selective about which channels you want to watch and be sure to
receive the hit for your next code to keep your audio for that channel. The autoroll software
is favored mainly because of its simplicity, and it is easily updated without reprogramming another
EPROM if a seed key set goes down.
This software enables the user to test various sets of seed keys by first encrypting them with
encoder software and then entering this encoded data into the descrambler. Once this
data is entered (if the seed keys entered are still alive or being authorized), the unit can then
be used to generate a working wizzard code to produce audio on that VCII channel, ONLY if the
seed key set and ID# used is also authorized for that channel.