huh...

CobraBoy (tbyars@earthlink.net)
Sat, 5 Apr 1997 19:07:59 -0800


what does all this tecnickel stuff mean?

~~~

DSS Test FAQ v.1.10
Release Date: 03/21/97
Looking for the new stuff? Search for *NEW*

NOTICE: This document is Copyright (C) 1997, by Agent_89
(Agent89@nym.alias.net). All rights reserved. Permission is granted
to duplicate this document if and only if the following three
conditions are met:

1. This document cannot be modified in any way.
2. This document cannot be sold for profit nor included as a part
of any publication sold for profit.
3. This notice must be included. Any other use requires the written
consent of the author.
===================================================================
ATTENTION!!! WARNING!!! ATTENTION!!! WARNING!!! ATTENTION!!!
-------------------------------------------------------------------
Disclaimer:

The information contained in this document is for educational
purposes only, and is in no way intended to assist anyone to break
any laws. It is your reponsibility to obtain proper authorization
from DTV/USSB before using any type of test device on your DSS
Receiver!

The author makes no guarantee as to the accuracy of any information
provided in this document and is not responsible for any
consequences of its use. Most of the items in this faq have been
tested and are known to work. But in short, if you toast your
receiver by following any instructions in this document you've
got no one to blame but yourself!

Oh yeah! And DIRECTV, DSS, DIRECT TICKET, DIRECTV Sports Choice,
and "Satellite TV at its Best" are official trademarks of DIRECTV,
Inc., a unit of Hughes Electronics Corp. NDC and News DataCom is an
official trademark of News DataCom Ltd. and Rupert Murdock.
Motorola is a registered trademark of Motorola Corp. Intel, Pentium,
Overdrive are all registered trademarks of Intel Corp. Siemens is a
registered trademark of Siemans Corp. Sony is a registered
trademark of the Sony Corporation and RCA is a registered trademark
of the RCA Electroncs Corporation and GE. Uniden is a registered
trademark of the Uniden America Corporation.
-------------------------------------------------------------------
ATTENTION!!! WARNING!!! ATTENTION!!! WARNING!!! ATTENTION!!!
===================================================================
DSS Test FAQ Table of Contents:
-------------------------------------------------------------------
0.0 Current Test Devices available for the DSS
1.0 DSS Access Card Emulator Test Devices
-
1.0.1 The Battery Card
1.0.1.1 Battery Card's v3 System Info
1.0.1.2 Battery Card's v3 Remote Code Entry Info
1.0.2 L-Card
1.0.2.1 L-Card's I-System Info
1.0.2.2 L-Card's I-System Remote Code Entry Info
1.0.3 T-Card
-
1.1.2.0 Battery Card Problems and Solutions
1.1.3.0 L-Card Problems and Solutions
1.1.3.1 L-Card Sony 2nd Generation Receiver Problem

---
2.0 Original DSS Access Card Hacks
2.1 Types of Plastic Hacks and Descriptions
-
2.1.1 Clones
2.1.2 3M's
-
2.1.3 Plastic Software
2.1.3.1 CL10
2.1.3.2 CL12
2.1.3.3 CL45
2.1.3.4 CL45-4
2.1.3.5 CL50
2.1.3.6 RON
2.1.3.7 Cyclone
2.1.3.8 Tornado
2.1.3.9 Plastic4
2.1.3.10 Card Blaster
2.1.3.11 NO3M
2.1.3.12 DSS97
2.1.3.13 TRIX
-
2.1.4 Steps for making a Clone with CL45 & an MK11
2.1.4.1 Using your DSS/01 card after swapping to a DSS/04 card
-
2.1.5 Plastic Software Hacking Information
2.1.5.1 Changing Access Card Serial Number Information
2.1.5.2 Changing Receiver IRD Serial Number Information
2.1.5.3 Changing Timezone Information
2.1.5.4 Changing Sports Blackouts
2.1.5.5 Changing Country Codes
2.1.5.6 Changing Zip Codes
2.1.5.7 Changing Receiver Lock Code
2.1.5.8 Changing Receiver Guide Display
2.1.5.9 Adding PPV Buy Option
2.1.5.10 Removing Watched PPV's
-
2.2 Code 99 Information
-
2.3 MKx Series ISO 7816 Compatible Serial Programmers
2.3.1 MK10/11 Serial Programmer Quick Solutions
---
3.0 PC Based DSS Access Card Emulator
3.1 PC Based DSS Access Card Emulator Quick Solutions
---
4.0 Electronic Counter Measures (ECM's)
---
5.0 Receiver Hardware Problems
-
5.1 RCA Receivers
5.1.1 1st Generation RCA Soft-Reboot procedure
5.1.2 1st Generation RCA Hard-Reboot procedure
5.1.4 2nd Generation RCA Hard-Reboot procedure
-
5.2 Sony Receivers
5.2.1 How to tell which Generation Sony Receiver you have
5.2.2 1st Generation Sony Soft-Reboot procedure
5.2.3 1st Generation Sony Hard-Reboot procedure
5.2.4 2nd Generation Sony Soft/Hard-Reboot procedure
-
5.3.1 Sony Service Test
5.3.2 Sony User Options
5.3.3 Sony Channel Information
5.3.4 Sony Service Paradigm Information
5.3.5 Sony Transponder Information
5.3.6 Sony Purchase Information
5.3.7 Sony OSD Debug Information
5.3.8 Sony Verifier Stack Information
5.3.9 Sony Stack Information
5.3.10 Sony Download Information
5.3.11 Sony Thank You
5.3.12 Sony RS-232 Port Hacking
-
5.4 Uniden/Memorex Receivers
5.4.1 Uniden/Memorex Soft-Reboot procedure
---
6.0 Sources
6.0.1 Good Sources
6.0.1.0 Good Sources for ISO-7816 Card Slots
6.0.2 BAD sources
6.0.2.1 BAD Cableman
6.0.2.2 BAD VCipher Technologies
---
7.0 Greets and Thanks and Things...
---
8.0 Document Copyright Info
===================================================================
0.0 Current Test Devices available for the DSS
-------------------------------------------------------------------
There are currently 3 types of DSS test devices available.

In order, these are:

1. DSS Access Card Emulator 2. Original DSS Access Card Hacks 3. PC Based DSS Access Card Emulator

These are covered in detail below. =================================================================== 1.0 DSS Access Card Emulator Test Devices ------------------------------------------------------------------- There are 3 different types of DSS Access Card Emulators. The Battery Card, the L Card, and the T Card. These cards are also refered to as 'Green Cards' sometimes due to their green circuit board color.

The Battery Card came out first and was the original DSS Hack. It was introduced in Late Summer of 1995 and was developed in Canada by the Battery Group.

The Battery Card was never supposed to be sold into the United States. It was to be sold only in Canada and other countries which could get the DSS signal but could not legally subscribe to the DSS services. There were a few Battery Cards sold in the US however.

Then the knock-offs came out in the United States. The L-Card arrived in the Winter of 1995 and the T-Card showed up in Early Spring of 1996. The L and T cards were developed from the Original Battery Card design and software supposedly stolen by disgruntled employees/partners of the original Battery Group. ------------------------------------------------------------------- 1.0.1 The Battery Card ------------------------------------------------------------------- The Battery Card got its name from the large round battery it utilizes. It uses the Dallas 5002 secure microprocessor, Atmel 89C51, and SRAM (usually Hyundai). It is usually just refered to by it's shortened name a 'batt card'.

This is the Original DSS Fix. The L and the T Cards have spawned off from it much to the chagrin of the Battery Card developers. Not widely sold in the US.

The original Battery Card group no longer exists as of 9/01/96 and instead a new one has been formed and is headed up by RonSilver et al. and a new programmer from Europe known only as Big Gun. Big Gun is sometimes refered to as biggun or just bg. ------------------------------------------------------------------- *NEW* 1.0.1.1 Battery Card's v3 System Info ------------------------------------------------------------------- Big Gun has recently came up with a new encryption scheme loaded into the bootstrap (B/S) portion of the cards which is called v3 or Version 3. This new v3 boot strap has been much more stable but still seems to have bugs that need to be worked out and has went down due to ecm's a few times now.

Upgrading to the v3 bootstrap is only done by a couple of select dealers and your card *MUST* be sent into one these dealers to have the v3 bootstrap added to your card. There is no software available to do this yourself. ------------------------------------------------------------------- *NEW* 1.0.1.2 Battery Card's v3 Remote Code Entry Info ------------------------------------------------------------------- The latest Battery Card v3 main allows for remote updates of program code after an ECM and the changing of timezones. This means that after an ECM instead of needing to take your card back to your dealer or hooking it up to your computer and putting a new file in it all you require is a series of codes that can be easily entered using your receivers remote control.

To enter these codes you need to first have the codes. Once you have them you need to go to your receivers system lock and limits screen and then in the PPV Spending Limit screen/box you will enter your codes.

The codes are normally in the format of XXX XXX XXX XXX or 4 sets of 3 numbers. When entering these in the Spending Limit screen you need to enter the three digits, then press select. Or you may enter a 0 before each set of 3 digits and then pressing select isn't neccesary. If you are entering the 0 the entry format would be 0XXX 0XXX 0XXX 0XXX. Once all four sets of number have been entered just exit out to your main screen and you should be set!

The time zone is entered the same way using the remote and the Spending Limit screen. The time zone format is: XXX and the select key or just 0XXX if using the 0 before the code. The timezones are as follows: PST:000, MST:002, CST:004, EST:006, AST:007. Add or subtract 1 for each 30 minutes. ------------------------------------------------------------------- 1.0.2 L-Card ------------------------------------------------------------------- The L-Card got its name from its shape. It simply looks like a large L.

It was the second card to be released and uses a Dallas 5000 secure microprocessor, and an Atmel 89C51, like the Battery Card, the L-Card can be reprogrammed through an 18-pin edge connector. This device was widely sold in the US.

The L-Group as of 11/1/96 has pretty much dissapeared. Everybody suspects they took the money and ran off to the bahamas or some such thing to enjoy their ill gotten gains and bask in the sun.

The L-Card has been upgraded a couple a times by the L-Group to try and combat being shut down but nothing has really helped much.

These cards are currently being shut down weekly along with the non upgraded (v3) Battery Cards. ------------------------------------------------------------------- 1.0.2.1 L-Card's I-System Info ------------------------------------------------------------------- Lately AXA has said he will continue to support the older L-Cards in Mexico, Canada and other non-US countries using his new L-System software which is very similar to the v3 code for battery cards.

AXA has recently provided more details on his L-Card update called the I-System. Here it is.

I-System feature summary:

Updates by remote control! - No more annoying "Main" files to load every week!

No sports blackouts - All games available for viewing in all areas!

Full function parental control - Set rating limits or channel blocks!

Timezone change by remote control - no need to reload card for your area.

All-new powerful algorithms to prevent security breaches and protect firmware.

Expansion socket available on the board for possible H-series upgrade!

No more annoying picture/sound hiccups of freezes.

... And more for only $30 US!!! ($40 Canadian)

Note: The I-system is only available for L/T cards in Canada & Mexico only!

What is needed for the I-System: -------------------------------- The I-System will require your entire L or T card for the conversion.

In most cases, any firmware problems your card has now will be corrected at no additional charge during the conversion process. Any electrical problems or physical damage to the card cannot be repaired. Please do not waste our time and yours by sending defective cards to us. "Firmware problems" mean that your existing bootstrap has been erased or corrupted, which will cause the card to not "load" or will generate a "Please insert a valid access card" message.

Availability for the I-System: ------------------------------ The first site in Eastern Canada is now ready to accept shipments. Due to expected heavy volume there may be slight delays on return, especially in small quantities. If you can, please gather as many cards as possible for shipment in bulk, or return your card to your dealer who might be able to ship larger quantities at one time. Quantity shipments will be given higher priority than smaller shipments.

Shipping info for the I-System: ------------------------------- There are three options available for shipping your card; Post Canada Priority mail, Fedex, or UPS. The costs are listed below. You *MUST* include return shipping costs with your conversion fee in order to get your card back!!! The I-System is *NOT* available in the United States, and we can not process units received from the United States!!!

Please pack your card(s) carefully to avoid shipping damage, as we are not responsible for any damage during shipping!

YOUR CARD(S) CAN NOT AND WILL NOT BE RETURNED TO A UNITED STATES ADDRESS!!!

East Canadian Site:

>>>>>>>>> CUS I-System <<<<<<<<< >>>>>>>>> P.O. Box 139 <<<<<<<<< >>>>>>>>> 7515 Taschereau Blvd. <<<<<<<<< >>>>>>>>> Brossard, Quebec J4Y1A2 <<<<<<<<<

Return Shipping costs: $US $CDN Total: $US $CDN ---------------------- --- ---- --- ---- Post Canada Priority Mail ---- $7.00-$10.00 ------ $37.00-$50.00 Federal Express (Fedex) ------ $11.00-$15.00 ------ $41.00-$55.00 United Parcel Service (UPS) -- $11.00-$15.00 ------ $41.00-$55.00

Note: Costs are typical and are subject to change.

Payment info for the I-System (the yecchy part): ------------------------------------------------- US funds are accepted as it is considered international currency. You may choose either US or Canadian funds as long as you choose a liquid form. Personal or Company cheques are NOT accepted! Cash is preferred, Money orders or Bank drafts/Cashier cheques are acceptable. Cards will not be returned if the correct amount (listed above as total) is not enclosed in liquid funds!

Money received will be put to good use, and will enable us to do research and development on the H-Series (04) system. Please do not ask, we will post any news as it becomes available on the #SATELLITE IRC channel on EfNet.

Frequently Asked Questions on the I-System: ------------------------------------------- Q: Is the I-System the same as V3?

A: No. The I-System is a totally new implementation with new features. It is not compatible with the older "MAINxx.ENC" or "MAINxx.BIN" files.

Q: How does the "Remote control" update work, and do I need a phone line to use this feature?

A: The remote control update feature works by allowing you to update your card using the remote control of your satellite receiver to enter a short sequence of numbers. This will be able to replace (in most cases) the need to return to your dealer, or load files in with a PC & Programmer. A phone line connection to the IRD (satellite receiver) is NOT needed!

Q: Does the I-System have the "stealth" feature I have been hearing about?

A: No. It is not possible to engineer a "self-healing" fix for ANY "green" card. (BAT/T/L) DTV/NDC shuts these cards down by physically obtaining a working green card, then "attacking" it electronically with a slew of nasty codes. Once they find a way to shut it down they generate instructions for all cards on their system called an ECM, or Electronic Counter-Measure. The ECM will be handled by all (hopefully for them) legit US cards and will produce the correct "answer" to keep the cards running, but the green cards will not be able to interpret this code, and will produce incorrect answers, which will result in loss of video on all green cards. V3 attempted to automatically "guess" these codes to restore video by itself, but DTV/NDC saw in their lab that the green card running this would come back up after a short time, and finally produced a "whammy" ECM that changes it's code every few seconds- Which is faster than V3 could "guess" the new answer! By the time it could even figure out a portion of the answer, the code would change, rendering the "auto-fixer" useless! All this did was force DTV/NDC into a corner to make a better ECM for this system. Just as we can ALWAYS find a way to make our green cards work, they can ALWAYS find a way to shut them off! :(

Q: What neat technology does the I-System have to keep it "up"?

A: No neat technology here! The I-system was engineered to do one thing, let you watch the most TV with the least down time! The major triumph in the I-System is the remote control update feature. We didn't try to make a card that is impossible for DTV/NDC to knock down, as if we tried, they would keep hitting us with nasty stuff until cards finally give out. This strategy might keep the cards up for a little longer, but when they do go down, it might take a LOT longer to fix!!! Just as we can ALWAYS find a way to make our green cards work, they can ALWAYS find a way to shut them off! Our strategy is "Don't fix what isn't broken", in other words, we only correct the code as necessary to get the cards back up right away!!! However, these "short" blocks of code are usually small enough to allow you to enter them with your remote control! Who cares if your card goes down, when you can turn it right back on without even leaving your easy chair!!! The numbers will usually be available on the net within a few minutes, and your dealer will be able to set up a voice-mail system to announce the numbers. All you need is a piece of paper and a pen to write the numbers down, then key them in! Just one simple call, and you could be up in seconds, not days!!! Now that is neat!!! :)

Q: I have heard the Dallas 5000 chip on my L/T card is not secure, does this make it easy for DTV/NDC to "dump" these cards and shut them down?

A: The Dallas processors were chosen for the green cards for the incredible security they offer. It is true that the Dallas 5002 used on the BAT cards has more built-in security than the Dallas 5000 does, but we have added on to it internally with extra-tough security algorithms!!! We believe this puts the I-System right at the top in terms of security!

DTV/NDC do not need to "dump" the codes inside the Dallas processor to generate an ECM. To shut the cards down, they simply need a currently working green card. Since they "build" the datastream in the first place, they have sole control over what goes on in there! They are able to get working cards just by ordering them from careless dealers, such as people like CableMan or Vcipher, which is the real security problem! They then throw many code permutations at it in their lab until they find some code that the green cards cannot process, then they use this to build the next ECM!!! But we are ready for them, We are WATCHING!!! :)

Q: What is the "swapout", and will the I-System still work after it?

A: The "Swapout" refers to the Access card swap that is currently underway in the United States. This is the "Ultimate ECM" they can possibly throw at us. The older cards, called the F-Series (or 01, 02 ,03...) are being slowly phased out. DTV/NDC believe that this will help their position. They also scrapped the G-Series cards and went straight to the H-Series because of the similarities to the older F were too great. The H-Series cards are based on a totally different processor, and also have a special "secret" chip inside called an ASIC (Application- Specific Integrated Circuit) which is a "helper" chip to make it possible to use a lot more encryption than the processor could handle by itself. What this really means is we are starting the game all over again, all-new code is being engineered for this system, and we will most likely have to add a chip to your card to work on this new system when they switch to it. This is many months away, because before they can turn off the data that the green cards are using, they must swap out cards for EVERY subscriber & dealer in the United States! At this time there is over 2.2 million subscribers! There is also a rumor circulating that the Swapout has been stalled for the second time, due to technical, supply, or financial considerations.

The money that we receive from the I-System and all donations will be used to help us develop the H-Series test card, and we will announce any significant progress as news becomes available. Please do not worry about this, as it is still a long time off, and we are hard at work! :)

Q: I still am confused and have other questions, how do I get answers?

A: Connect to The EfNet IRC Channel #SATELLITE for more information.

---
Jack Daniels has said he will be able to upgrade the L-Cards to v3
code by replacing the L-Card's Dallas 5000 chip to a plugNplay
DS2522 sipstick module.  Price to be around 100.00 USD + freight
and your atmel in trade. It will accept the v3 .bin files and run
like a bat.
-------------------------------------------------------------------
*NEW* 1.0.2.2 L-Card's I-System Remote Code Entry Info
-------------------------------------------------------------------
The latest L-Card's I-System main allows for remote updates of
program code after an ECM and the changing of timezones. This means
that after an ECM instead of needing to take your card back to your
dealer or hooking it up to your computer and putting a new file in
it all you require is a series of codes that can be easily entered
using your receivers remote control.

To enter these codes you need to first have the codes. Once you have them you need to go to your receivers system lock and limits screen and then in the PPV Spending Limit screen/box you will enter your codes.

The codes are normally in the format of XXX XXX XXX XXX XXX or 5 sets of 3 numbers. When entering these in the Spending Limit screen you need to enter the three digits, then press select. Once all five sets of numbers have been entered just exit out to your main screen and you should be set!

The time zone is entered the same way using the remote and the Spending Limit screen. The time zone format is: XXX and the select key or just 0XXX if using the 0 before the code. The timezones are as follows: PST:600, MST:602, CST:604, EST:606, AST:607. Add or subtract 1 for each 30 minutes. ------------------------------------------------------------------- 1.0.3 T-Card ------------------------------------------------------------------- The T-Card, the latest to be released, again so named because it looks like a T uses a Dallas Sip Stik due to an anticipated shortage of Dallas 5000 and 5002 micros. The Sip Stiks provide a high level of encryption. It also utilizes an Atmel 89C51. This Card can also be reprogrammed through the 18-pin edge connector if the need arises. Not widely sold anywhere due to reliability problems.

T-Cards were made by the L-Group and are currently facing the same fate as the L-Cards.

---
These cards (like ALL the others) can NOT be made at home. They
are ALL made by pros at a site where the proper equipment can be
used. These are not basement lab projects. Even if you could make
a card at home, the MASTER software that is loaded onto the card
at the "factory" is NOT attainable by the public, and without this
software loaded onto a new card, it is unable to be used.

All of the above test devices have the ability to decode and test ALL of the DSS channels available. ------------------------------------------------------------------- 1.1.1 Re-Programming DSS Access Card Emulator Test Devices ------------------------------------------------------------------- The above test devices (Battery, L, T Cards) can all be reprogrammed using a simple parallel programmer which the end contacts of the card fit into. ------------------------------------------------------------------- 1.1.2.0 Battery Card Problems and Solutions ------------------------------------------------------------------- In this section we will try to provide some problem solving tips on the Battery Card test device. ------------------------------------------------------------------- 1.1.3.0 L-Card Problems and Solutions ------------------------------------------------------------------- In this section we will try to provide some problem solving tips on the L-Card test device. ------------------------------------------------------------------- 1.1.3.1 L-Card Sony 2nd Generation Receiver Problem ------------------------------------------------------------------- L-Card will not run properly in 2nd generation Sony Receivers. The solution to this problem is to: Remove all Electrolytic Caps from the board (there may be 1 or 2). The Electrolytic Caps look like small Blue or Black "cans" with a silver top. Simply cut them off the board, and you will have a 2nd gen sony compatable L-Card! =================================================================== 2.0 Original DSS Access Card Hacks ------------------------------------------------------------------- Original DSS Access Cards are usually called Plastic Cards, Plastic or The Blues due to their plastic (credit card like) construction and the blue Access Card logo on the top of the card.

The Original DSS Access Cards use a conditional security system designed by News Data Com Ltd. (NDC). They were contracted by DirecTV to handle the security system on the DSS Receivers. NDC are the ones responsible to make sure the system stays secure and develop ECM's and newer technology to counter pirates.

There are two series of plastic cards available now. The DSS/01 also known as "E", "F", "G" series cards and the DSS/04 or "H" series cards.

The easiest way to tell the two apart is to turn the cards over and look at the serial numbers on the back.

DSS/01 series cards will have a serial number of 0000 3999 9999 and below. They also have a manufacture number below and to the right of the barcode which starts in Exxxxxxxxxx, Fxxxxxxxxxx, or Gxxxxxxxxxx hence the cards "E", "F", or "G" designation.

DSS/04 series cards will have a serial number of 0000 4000 0000 and above. DSS/04 cards also have DSS printed just below the serial number in the middle underneath the bar code. They also have a manufacture number below and to the right of the barcode which starts in Hxxxxxxxxxx hence the cards "H" designation.

The DSS/01 cards use a Motorola 6805SC21 microprocessor, 6144 bytes of ROM, and 3008 bytes of EEPROM memory and 128 bytes of RAM.

The DSS/01 series cards have been fully hacked and can be reprogrammed to test all of the DSS channels available by using a simple serial programmer which can be had for about $120 (USD). Plans to build a serial programmer for these cards as well as software to reprogram the cards is available from the addresses below in Section 2.3 of the FAQ

The DSS/04 cards use an modified Siemens 8051 microprocessor, an ASIC, ROM, EEPROM and RAM.

The DSS/04 cards have only been partially hacked at this time. Software is available to read the cards only. Nothing yet to actually program the new cards. Cards similar to the DSS/04 cards have been hacked in Europe and so it is likely only a matter of time until the newer cards are fully hacked.

If you are looking for detailed info on Smartcards in general you can visit this website:

http://design-net.com/csic/SMARTCRD/smartcrd.htm

The above test cards have the ability to decode and test ALL of the DSS channels available. ------------------------------------------------------------------- 2.1 Types of Plastic Hacks and Descriptions (Clones and 3M's) ------------------------------------------------------------------- There are two 'types' of plastic card hacks available. Clones and 3M's. ------------------------------------------------------------------- 2.1.1 Clones ------------------------------------------------------------------- Clones are just exact copies of someone else's card called a 'MASTER' that has been copied to another card making it a 'Clone of the Master' or just 'Clone' for short.

Cloned cards of a Master will recieve any programming being paid for on the Master cards including pay per views (ppv's) and any other special events or regular programming. If a Master card does not have ppv on it, the Clone of the Master will not either and so on with the rest of the programming. ------------------------------------------------------------------- 2.1.2 3M's ------------------------------------------------------------------- 3M's start out as a clone but only need to have one channel being subscribed to on the Master Clone. After this special software called 3m is added to the card which allows ALL of the channels to be viewed normally.

The term 3M comes from an old VideoCipher II hack. The term itself means '3 Musketeer' as in the 'One for all and all for one' quote from the old 3 Musketeer movie.

3M software changes a Cloned card into thinking that just because it's actually only subscribing to one channel it's really subscribing to them all and so they all just come in normally.

Lately the 3M'd plastic cards have been getting ECM'd quite alot and when they have been ECM's they usually end up Code 99'd. Code 99 info is contained in Section 2.2 below.

Once 3M software is placed on your card it requires special software to remove it. Several such software programs are described in the section 2.1.3 below.

Most 3M software placed onto a plastic card will make it work like a Battery type card as it will receive all channels and will tune them in immediately without having to push anymore buttons. (Like ppv's require you to do on a normal plastic or clone.) ------------------------------------------------------------------- 2.1.3.0 Plastic Software ------------------------------------------------------------------- Several types of plastic software are known to exist. In short order here are their names and a short description of each. ------------------------------------------------------------------- 2.1.3.1 CL10 ------------------------------------------------------------------- This was supposedly the first version of widely used and widely available plastic clone software. Had a few bugs nothing big. Would let you read a card, modify the memory of the card, and save it to disk for later use, and copy data to a card. Simple to use. Fairly good looking. This software could not make exact duplicates of cards since it only copied needed info to make clones and nothing more.

This software has been known to destroy cards when running on fast pc's such as high end 486's and Pentiums. Use on a slower 286/ 386/486 is recommended. This software runs in DOS. ------------------------------------------------------------------- 2.1.3.2 CL12 ------------------------------------------------------------------- This was supposedly the second version of widely used and widely available plastic clone software. Fixed several bugs and problems with CL10. No new features though.

This software has been known to destroy cards when running on fast pc's such as high end 486's and Pentiums. Use on a slower 286/ 386/486 is recommended. This software runs in DOS. ------------------------------------------------------------------- 2.1.3.3 CL45 ------------------------------------------------------------------- This was supposedly the third version of widely used and widely available plastic clone software. Fixed several bugs and problems with CL12. Lots of new features including the ability to completely wipe a card clean for removal of 3M software or pay per view data or other strange bits that had been changed inadvertantly. And the ability to add tiering data to the card. The look and feel was changed for the better as well as a password protection system implemented for some special features.

This software has been known to destroy cards when running on fast pc's such as high end 486's and Pentiums. Use on a slower 286/ 386/486 is recommended. This software runs in DOS. ------------------------------------------------------------------- 2.1.3.4 CL45-4 ------------------------------------------------------------------- CL45_4 is the rumored version of CL45 with the ability to clone new DSS/04 "H" series cards.

No one has admitted to actually seeing this software yet so not much is known about it. ------------------------------------------------------------------- 2.1.3.5 CL50 ------------------------------------------------------------------- CL50 is supposedly the real version of the new CL software that will be able to work with DSS/04 series cards.

As above no one has actually admitted to seeing this software yet so at this point in time it is still just a rumor. ------------------------------------------------------------------- 2.1.3.6 RON ------------------------------------------------------------------- Ron.exe is some software released by Fast Eddies programmer which is a 2nd generation 3M program with a built in clone (eddie's).

This software is pretty much plug and play. You just run the Ron software on a card and walla it works!

Version 2 of 3m software and up 3m has anti-code 99 routines in it, but some cards have been known to go code 99 when running it.

Where did the name come from? Supposedly Eddie stole the software from Ron Silver to get back at him for some reason and hence the name Ron...

This software should work fine on faster pc's such as Pentiums. This software runs in DOS. ------------------------------------------------------------------- 2.1.3.7 Cyclone ------------------------------------------------------------------- Cyclone is a newer card programming software that is available. Features of Cyclone are the clearing of ppv's on card, cleaning of a card, card time zone changes, adding of tiering information to a card, adding 3M to a card, removal of sports blackouts on a card. Ability to change card password. Turn on pay per view buy option. Complete card copies to make exact duplicates of cards. Improved user interface.

This software should work fine on faster pc's such as Pentiums. This software runs in DOS. ------------------------------------------------------------------- 2.1.3.8 Tornado ------------------------------------------------------------------- Tornado is a neat new card enabling software from Tornado. It will allow you test a DSS ACCESS CARD by giving you access to time zone correction, activation of all channels, including all PPV, engineering channels, and blackout channels.

The author includes a reverse feature which make this software unique in that it will undo anything you ask it to change on a card. The author has also included a new feature of unmarrying a card. This will make the card able to work in multiple receivers without first reprogramming it.

The latest version of Tornado (2.0 and up) requires that it be installed on a freshly cleaned card. To see how to CLEAN a card before placing Tornado on it please see Section 2.1.5.10 of the faq.

This software is *DONATIONWARE* and is well worth the money in my opinion! Support the author by sending him a donation! The author has also stated that he will not be releasing new software publically anymore and that only people who have sent him donations will receive the latest versions.

This software should work fine on faster pc's such as Pentiums. This software runs in DOS. ------------------------------------------------------------------- 2.1.3.9 Plastic4 ------------------------------------------------------------------- Plastic4 software is a new Windows based DSS/01 card programming software that has a unique feature in that it allows you to read a card and save a .cor image file to disk that can then be used with the PC Based DSS Access Card Emulator described in Section 3.0 of the FAQ below. Plastic4 can also read/write the older CL12 (.pat) files. Another neat feature is the use of patches which gives you the ability to patch in features like tornado or 3m to a plastic4 card file.

This software is slower than most of the other non-windows card programming soft's. But as with any Windows program the faster the PC the faster this software should run for you!

This software should work fine on faster pc's such as Pentiums. This software runs in Windows. ------------------------------------------------------------------- 2.1.3.10 Card Blaster ------------------------------------------------------------------- Card Blaster is a DSS/01 card cloning software only. The software will read a card, save an image to disk, read an image from disk and copy an image to a card. This software due to it's changeable wait loop will safely program cards using a fast pc such as a pentium. Several people have said that this software allowed them to clone cards that they could not previously with other software. This software comes from Fast Eddie's programmer.

This software should work fine on faster pc's such as Pentiums. This software runs in DOS. ------------------------------------------------------------------- 2.1.3.11 NO3M ------------------------------------------------------------------- no3m.exe is some software released by Fast Eddies programmer which is a 3M program remover or a card cleaner if you will.

This software is extremly slow in use, but is thorough and does the job at hand well enough. Personally I would use CL45's cleaner.exe and CLEAN file combo as it's much faster and accomplishes the same thing.

This software should work fine on faster pc's such as Pentiums. This software runs in DOS.

------------------------------------------------------------------- *NEW* 2.1.3.12 DSS97 ------------------------------------------------------------------- DSS97 is a new software out that is rumored to allow you to read your DSS/04 "H" Series cards. In reality it looks like it will only read older DSS/01 cards and give you some technical info on the status of the card. ------------------------------------------------------------------- *NEW* 2.1.3.13 TRIX ------------------------------------------------------------------- trix.exe is a new software out that is rumored to allow you to read your DSS/04 "H" Series cards. In reality it looks like it will only read older DSS/01 cards and give you some technical info on the status of the card.

It does provide some rather detailed information on the card status that some may find interesting. ------------------------------------------------------------------- 2.1.4 Steps for making a Clone with CL45 & an MK11 ------------------------------------------------------------------- The computer you use should be a 386 or slower 486. For faster 486 computers be sure to turn off the turbo. If you use a faster computer, turn off turbo (if possible) and disable all caching.

Use a Pentium at your own risk!

All programming should be done in DOS with a clean boot (ie. bypass your config.sys & autoexec.bat). DO NOT USE A DOS WINDOW UNDER WINDOWS TO PROGRAM.

Setting up the MK9, MK10, MK11

1. Set sw1, sw2, & sw3 to on 2. Set sw4 to off 3. Set sw5 (the metal switch) towards the power connection 4. Remove jp1 (the jumper on the bottom of the board) 5. Connect a power supply to the MK11. CAUTION: It must be POSITIVE on the center connection! It should be 5-30VDC @ 500mA. 6. The communication cable should be connected to COM1 on your computer.

Cloning a Card

1. Start CL45 (CL45.EXE) 2. Insert the "master" card into the card slot on the MK11 3. Press R to read the card 4. Press S to save the image to a file 5. Remove the master from the card slot 6. To activate all services on the clone you must set the tiers. a. Press A to activate the data areas b. It will request a password, usually MEXICO (all caps) c. The program will reply "Activate data Select (1-6)", press 1 d. Press A again, this time press 2 e. Press T, to set the tiers 7. Insert the clone card into the card slot on the MK11 8. Press C to copy the buffer to the card. 9. Remove the card from the card slot, you now have a clone.

Please note, some cards must be cleaned before using them as a clone.

Here are the steps to clean a card.

1. start CLEANER (CLEANER.EXE) 2. Press L to load CLEAN. CLEAN should be located in the same directory as CLEANER.EXE and CL45.EXE. 3. Press C to clean the card.

Step 3 should be repeated a couple of times to insure that the card is cleaned.

When reactivating after the card swap: Either use the cleaning process above, or use CL45 and the file CLCLEAN.

If you receive a clone file it may be in one of three formats: CLONE, CL12 or CL45. These files are *NOT* interchangable.

CLONE files have a size of 3072. CL12 and CL45 files have a size of 6913. If you are not sure whether a file is for CL12 or CL45, try loading it with CL45. If you get the message "v1 file. Convert Y/N" then it is a CL12 file and may either be converted or used with CL12.

For com2 and other ports use "CL45 c2" (or the appropriate port number). Same for CL12.

You should do a soft boot on the IRD before you insert the clone. A clone, just like all plastics, "marry" the first IRD it is inserted in.

All programs (CLONE, CL12 and CL45) will unmarry the image before writing the clone. ------------------------------------------------------------------- 2.1.4.1 Using your DSS/01 card after swapping to a DSS/04 card ------------------------------------------------------------------- How to use your old card after the swap

Reading in your current programming

1.Run CL12 or CL45 or whatever software you happen to be using. 2.Press "R" to read the card in. 3.Save that file to disk. Call it something MYCARD (You don't have to, but I will refer to it as that from now on). 4.Exit from CL12.

You now have a copy of your programming. Do the card swap as per DTV's instructions. You should now have a perfect new card and an old card that says it has expired.

Restoring the backup

1.Back into CL12! 2.Load the CLCLEAN file 3.Copy it to the card 4.Check the card - It should show no channels available if you go into the guide. 5.Load the MYCARD file 6.Copy it to the card 7.Exit from CL12

That should do it!

Another simpler way to do this was recently brought to our attention.

By loading the old card used in the swap in CL45 and changing the byte at 0069 from 0f 0d will accomplish the same thing much quicker with less effort!

*NOTE* If you are using this process and you have ppv activated and your phone line plugged in you should *ONLY* purchase ppv's when your new DSS/04 card is in and *NOT* when your old DSS/01 card is in. *NOTE* ------------------------------------------------------------------- 2.1.5 Plastic Software Hacking Information ------------------------------------------------------------------- Much is known about the inside memory structure of the DSS/01 Original DSS Access Cards. This section will list memory locations of things you can change for the hobbiest out there who like to experiment with such things.

Most of these items can be changed on the cards using the cl45 software. Some will require the use of the cloner software (included with cl45) and a text editor capable of modifying hex addresses. This will be mentioned if needed.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!WARNING!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Any of these modification (ESPECIALLY THE SPORTS BLACKOUTS) can set your card up to Code99'd by DTV. You use this info at your own risk! YOU HAVE BEEN WARNED! !!!!!!!!!!!!!!!!!!!!!!!!!!!!WARNING!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ------------------------------------------------------------------- 2.1.5.1 Changing Access Card Serial Number Information ------------------------------------------------------------------- Access card serial number is located in 3 locations on the card. All three locations contain the same information, but all 3 must be changed to properly change the cards serial number.

002D, 0899,and 089D are the locations. The first 3 bytes of info starting at those locations convert from HEX to decimal to give you the serial. Format is 0000 XXXX XXX. The last number is a check and is not stored on the card.

To properly convert the number to something understandable and back here is the info you will need. Let's say we had an access card number of 0000 1111 1111, you drop the first four 0's for a number of 1111 1111, then you drop the last number 1 for a number of 1111 111. Finally you convert this number to hex which would be: 10F447 or 10 F4 47 (3 bytes). This is the number you would find in the memory locations mentioned above. The same works in reverse to convert the hex number located on the card to decimal. ------------------------------------------------------------------- 2.1.5.2 Changing Receiver IRD Serial Number Information ------------------------------------------------------------------- IRD Serial number information is located at bytes 00A8-00AB in the card. This is the number that is married to a receiver when you put a card into a machine for the first time.

This hex data that appears on the card is xor'd with the card's serial number info to get the info stored on the card.

Changing these bytes to all 00's will unmarry any card from a particular receiver.

NOTE: Most clone software does this for you automatically everytime you re-copy the card! ------------------------------------------------------------------- 2.1.5.3 Changing Timezone Information ------------------------------------------------------------------- Timezone information is used to tell the reciever what time to display on it's onscreen displays. Timezone is a one byte hex code located at: 0068. A0 would be Pacific Standard Time, A6 would be Eastern Standard time. Add or subtract a 1 (half hour increment) from these to get your correct time zone. A0=PST, A2=MST, A4=CST, A6=EST, A8=AST. ------------------------------------------------------------------- 2.1.5.4 Changing Sports Blackouts ------------------------------------------------------------------- Sports Blackout Information is used to blackout sports in your area if the broadcaster has asked DTV to do so. This is a geographical location code and changing to all 00's will normally remove all sports blackouts on a plastic card. Blackout locations go from: 0080-0090. ------------------------------------------------------------------- 2.1.5.5 Changing Country Codes ------------------------------------------------------------------- Country Code Information is not currently used by DTV for anything. The country code info was added so that if DSS were to go international they could use this information similar to the sports blackout information above. Country Code location is: 00A0 and is currently set to U for USA. This doesn't seem to be currently used. ------------------------------------------------------------------- 2.1.5.6 Changing Zip Codes ------------------------------------------------------------------- Zip Code Information is used for targeted marketing info based on the dss electronic mail system as well as in conjunction with the Sports Blackout information above to tell where you live and setup the proper Blackout region for your system. Zip Code info is 7 bytes located at: 00A1-00A7. Usually for complete Sports Blackout removal you need to change the above Sports Blackout info to 00's and the Zip Code information to 00's as well. ------------------------------------------------------------------- 2.1.5.7 Changing Receiver Lock Code ------------------------------------------------------------------- Password Information is the location of the card where the receivers security system password is located. It is a 2 byte code starting at: 007E. Changing these two bytes to all 00's will set the system password to 0000. At this point in time you can go into your receivers setting and change it to whatever you like. The System can also be locked and unlocked using the location: 007C. Putting 80 in this byte will lock the receiver and 00 will unlock the receiver. ------------------------------------------------------------------- 2.1.5.8 Changing Receiver Guide Display ------------------------------------------------------------------- Guide Display information is used to tell the receivers onscreen Program Guide to display different things. Guide Display info is located at: 0090. Changing this to a 01 will show DirecTV's guide only. Changing to a 02 will show USSB's guide only and changing to an 03 will display all guides. ------------------------------------------------------------------- 2.1.5.9 Adding PPV Buy Option ------------------------------------------------------------------- PPV Buy option. Adding the PPV Buy option to a card requires changing the four bytes starting at location: 00AC to 00 01 00 66. This will allow a card that didn't normally get pay per view movies to get them. ------------------------------------------------------------------- 2.1.5.10 Removing Watched PPV's ------------------------------------------------------------------- STEPS TO CLEAN AND REMOVE WATCHED PPV's

Step 1. Using CL45, Read and Save your current card info.

Step 2. Using CL45, press Alt-C, then press 6 for Clean option, then L to load Clean file, then C to copy to card. Once the cleaner program says REDY at the bottom go to Step 3.

Step 3. Using CL45, load in the file saved in step one, then copy this info back to the card.

ALL DONE! NO MORE ACCESS CARD FULL MESSAGE!

Another way:

Step 1. Using CL45, press Alt-C, then press 5 for Clone option, then R to read card, then W to write card data to disk.

Step 2. With a Hex text editor (i.e UltraEdit, HexEdit, HexWizard, etc.) go to:

Address Was Change To ------------------------ 02C0 0D 6F 02E0 E6 84 0B18 code 00 thru 0BDF code 00

Note: What ever the code is from 0B18 thru 0BDF change to 00

Step 3. Using CL45, press Alt-C, then press 5 for Clone option, then L to Load data from disk, then C to copy the info to card.

ALL DONE! NO MORE ACCESS CARD FULL MESSAGE!

An even simpler way than the above two methods:

Copy the card using CLONE.EXE when it has no PPVs on it. Save it to disk and then just reload the saved file and copy it to the card whenever you want to clear the PPVs. ------------------------------------------------------------------- 2.2 Code 99 Information ------------------------------------------------------------------- Code99 cards are cards that have been fried or 'locked up' due to an ecm by dtv. Only the original reprogrammed Blue 'plastic' access cards exhibit this problem after an ecm. Green cards (batts, l's, t's) do not suffer from this problem.

There is code in the ROM of the original DSS access cards that allows DirecTV to put the cards into a tight loop so that no programming instructions will be recognized. Due to the fact that this routine is in ROM it is nearly impossible to bypass. DTV placed this routine in the card so that if they detected the cards programming had been modified and was not original, DSS access card code (like 3m or 3d code), they could lock them up so they would not only stop working, but could no longer be reprogrammed either.

Lately this has been the pirates holy grail. Anyone who has had a reprogrammed plastic card in the past either has or knows of someone with a code99's plastic card. There are MANY out there. Since there is only one person so far who seems to be able to fix them and at a cost of $50 per card, everyone is biting on any rumors about anything regarding this topic...

Most of the rumors surrounding this topic include the european code99 fix software. Older european access cards could be code99'd as well but since this routine was a software one and not in the cards unchangable ROM programming a simple serial programmer software program could be used to fix the problem. This is not the case with the DSS access cards.

None of the euro software works with our cards at all without modifications. Not even the card reader software works properly on DSS access cards.

Some people have been saying they sent in their code99's cards to be fixed and did not receive the same cards they sent in to be fixed back. The reason for that is this:

When you've got a pile of several hundred to do you usually just grab a couple already fixed and send them out to make the customers happy. Then you worry about fixing the ones you got in later... ------------------------------------------------------------------- *NEW* 2.2.1 Code 99 Repair Information ------------------------------------------------------------------- Several people have been asking me where to get their Code 99'd cards repaired. Here are a few people who have contacted me telling me that they are offering the service.

*NOTE* I have not personally dealt with any of these people so if you make a decision to send your cards off to them you do so at your own risk! I will NOT be responsible if you loose your cards to these people!

---
Discount Satellite
208-14975, Stony Plain Rd.
Edmonton Alberta Canada
T5P-4W1

Email: discsat@compusmart.ab.ca Phone: 403-448-1787

Pricing: $50.00 (CDN), $38.00 (USD) per card plus return shipping.

From: Jack Daniels (JDaniels) Turnaround should stay secure at about 7 days Or better. We are working on Safer routines to avoid the 99 syndrome. And We will help anyone!

---
Deeder
54 Ruby St.
Winnipeg MB Canada
R3G 2C8

Email: Phone: 204-775-0095

Pricing: $50.00 (CDN), $35.00 (USD) per card plus return shipping.

Dealers please call for details on quantity pricing.

---
Vcipher Technologies

Email: regs@total.net Phone: 514-451-5704

Pricing: Unknown at this time. ------------------------------------------------------------------- 2.3 MKx Series ISO 7816 Compatible Serial Programmers ------------------------------------------------------------------- This is a series of programmers designed and built by an Englishman by the name of Paul Maxwell-King also known as PMK for short.

These programmers are very well built and are available in a variety of forms including fully built versions, components only, and others. Free plans are available over the Internet to build this device yourself for do-it-yourselfers! For people wishing to purchase their own programmer this is the least expensive known source.

The first known version of this programmer to work with the DSS Access Cards is the MK8. Then later the improved MK9 and MK10 devices were designed and now the MK11 is available. There is little difference in the designs from a DSS Access Card user perspective and any of these devices will work well for you. The MK11 is the only device currently being sold.

---
What is the difference between MK10 and MK11 ?

The difference is the power supply that you can apply. The MK10 could only accept a smooth DC supply from 6 to 30 Volts but will give out 5 volts DC to the main interface components. This I found out on the American and Canadian system (DSS) was not good enough, they do not have a good DC supply, it was even hard to obtain an AC to DC transformer, and when they got a transformer it was still very noisy (spiky), yes you could use a 9 volt battery but we then also found problems of connecting the supply to the interfaces, in some cases the wrong way by mistake, thus blowing the voltage regulator, this was very annoying and costly to send another interface all that way.

With the MK11 you can apply AC or DC supply to the interface using the 2.1mm socket in any direction you want, the voltages must be between 6 and 30 volts, but it has its own smoothing circuit and of corse bridge rectifier plus voltage regulator, so the interface does not get any more than the requested 5 volts DC to the components.

---
The MK series of programmers have the ability to read/write to a
variety of ISO 7816 Smartcards including Phone Cards, and DSS
Access cards.

The MK device can also function as a DSS to PC Serial interface for those of you out there interested in checking out the datastream info being transmitted or to use the DSS Access Card emulator software mentioned below in Section 3.

The MK device is available without the programming hardware to be used as a PC serial interface device only for about half the cost of the full device.

Plans, Information, and ordering instructions for these programmers is available from:

Email: paul@maxking.demon.co.uk (technical information) Email: karen@maxking.demon.co.uk (order details)

Web Sites: http://www.paulmax.eng.net (UK) http://www.demon.co.uk/paulmax/index.html (UK) http://www.maxking.demon.co.uk/index.html (UK) http://dss.compusource.net/maxwell/index.html (USA) http://www.eurosat.com/paulmax/index.html (USA) http://uplift.df.lth.se/defiant/paulmax/index.html (SE)

24 HR BBS Site (0044) 01302 873330 (FREE no subscription charges)

The programmer is also available fully built from these sites for about $120 (USD) including shipping. ------------------------------------------------------------------- 2.3.1 MK10/11 Serial Programmer Quick Solutions ------------------------------------------------------------------- Want to see if your MK device is working properly?

An easy check is to hook the serial cable up to a computer, run a terminal emulator program, set the baud rate at 300 in the terminal emulator, and hit some keys on the keyboard. At 300 baud the data LED on the MK device will flash slowly and brightly if operating properly. =================================================================== 3.0 PC Based DSS Access Card Emulator ------------------------------------------------------------------- This is a relative new comer on the DSS Test Device scene, but it has quickly garnered it's share of the market!

Pierre G. Martineau (PGM) is the author of the DSS Access Card Emulator software and we all thank him for his efforts! (Thanks Pierre!)

The emulator software flawlessly emulates the DSS Access Card (DSS/01 series) using a PC, a PC to DSS Serial Access Device such as an MK8,9,10,11 (info on MK devices above in Section 2.3) or a modified L or T card. The minimum PC requirements for this so far seem to be a 486 DX 33Mhz processor with 1 meg of RAM, a floppy drive, a serial port and little else! Newer versions of the emulator software might run more effeciently and not need as fast of a processor. Although it's unlikely the processor requirement will drop below a 486 one never knows!

The emulator will allow you to run a variety of original DSS Access Cards by copying the information from an original card using the software provided. It will also let you run an emulation out of the box so to speak with the access card image provided with it.

The Emulator mentioned above has the ability to decode and test ALL of the DSS channels available. ------------------------------------------------------------------- 3.1 PC Based DSS Access Card Emulator Quick Solutions ------------------------------------------------------------------- - Be sure your computer is a 486 DX or faster (and it is on!) - If you are using a Pentium, try the /s switch to slow it down. - Run it from DOS with no drivers loaded - If you do not know if you have drivers, rename your CONFIG.SYS and AUTOEXEC.BAT - If your machine runs Win95, press the F8 key when you get the "Starting Windows 95..." message and choose "Command Prompt Safe Mode". - Start the emulator BEFORE you put the interface into the IRD - You should be watching with your plastic inserted before starting the emulator. - Switch settings for MK9/MK10 are 1234 off, JP1 pulled, Switch 5 toward the power jack - The IRD supplies the power - do not give power to the interface - The proper command line is: 6805sc21 /p1 /u sample.cor This assumes COM1. Change the number after /p to the port you are using. - If none of this is working, hard boot the IRD

Note: The .cor file is a snapshot of a card. You should use the MK9/MK10/MK11 to snap a picture of your own card using DSSSNAP.EXE so that if the card is shut down you do not lose your emulator. The card image is patched with 3M software by default.

In the event of an ECM that 99s the 3M cards there is a routine in the emulator to reset the bytes and continue on. If DTV lucks out and really does a job on the 3M you can stop the patching by using the /f switch. In this case you can reset the emulator when you run out of PPVs. You can also modify the card with CL45 and take a new snapshot. =================================================================== 4.0 Electronic Counter Measures (ECM's) ------------------------------------------------------------------- When the programming center decides to shut down the cards, they send out Electronic Counter Measures (ECM's for short). There is no warning for these ECM's and people in possession of these cards are almost completely at the mercy of them. They can come out at ANY time of the day or night, but are most often sent at times where DTV feels the hardest impact will be made. An ECM was once sent on a day where most of the developers were at a big satellite convention, and therefore they were not present to handle all the calls and problems their clients were having.

Holidays and special events are usually targets for ECM's too although they have happend at other un-expected times as well. The last ECM that was sent was actully not just one, but a combination of at least SIX sent in series. This would knock out virtually all cards that were put into the reciver at that time. This will probably be how most ecm's will be sent out in the future...

In response to the ECM's the software developers put up "updates" or "fixes" (usually called main files as in main22.enc) for the cards. These "fixes" re-activate the cards, and get them going again. These updates are distributed through BBS's for the most part to the dealers/suppliers only, and are not generally released to the public. This is done for a couple reasons. One, to keep it underground, and a secret as long as possible. Normally when an update is out though, everyone hears about it quite fast. And two, the suppliers/dealers sometimes charge cash to people to update the cards. This area can be quite appealing to the suppliers, but most suppliers are cool, and give their clients at least a year of updates for free, and only charge a few bucks to upgrade after that.

Anyone can now program their own cards as long as they have their own programmer, and a source for the updates. Many people are now doing this as it is far more easy for them to do that, than to mail their cards away, or drive way across town to get it fixed. =================================================================== 5.0 Receiver Hardware Problems ------------------------------------------------------------------- Several people keep asking what the soft and hard reboot procedures are for the various DSS receivers.

Here are the ones I know of: ------------------------------------------------------------------- 5.1 RCA Receivers ------------------------------------------------------------------- 5.1.1 1st Generation RCA Soft-Reboot procedure ------------------------------------------------------------------- Pull out the Access Card. Hold down the Power button and the Down Arrow button on the receiver at the same time. Hold for 15 seconds. Turn on the receiver. Press Select button twice. Re-Insert Access Card when prompted. If it says card has expired, reinsert it. The receiver should now be turned on. It may be necessary to do this over again. You may also try it with the card in instead of removed. ------------------------------------------------------------------- 5.1.2 1st Generation RCA Hard-Reboot procedure ------------------------------------------------------------------- Pull out the Access Card. Hold down the Power button and the Down Arrow button on the receiver at the same time. Hold for 15 seconds. Unplug the receiver from the wall while holding down the buttons. Hold for 15 seconds. Plug the receiver back in while still holding down the two buttons. Hold for 15 seconds. Turn on the receiver. Press Select button twice. Re-Insert Access Card when prompted. If it says card has expired, reinsert it. The receiver should now be turned on. It may be necessary to do this over again. You may also try it with the card in instead of removed. ------------------------------------------------------------------- 5.1.3 2nd Generation RCA Soft-Reboot procedure ------------------------------------------------------------------- Pull out the Access Card. Hold down the Power button and the Down Arrow button on the receiver at the same time. Hold for 15 seconds. Turn on the receiver. Press Select button twice. Re-Insert Access Card when prompted. If it says card has expired, reinsert it. The receiver should now be turned on. It may be necessary to do this over again. You may also try it with the card in instead of removed. ------------------------------------------------------------------- 5.1.4 2nd Generation RCA Hard-Reboot procedure ------------------------------------------------------------------- Turn receiver power off. Remove the access card. Unplug the receiver. Allow unit to sit overnight (approx. 6 hours) Insert the access card, reconnect to AC power, and turn receiver power on.

*OR*

It has been found that by pushing the TV/DSS and Down Arrow on the front of the receiver and then navigating to the TEST button on screen and then pushing select. The test will run for a minute or two and then give you option to select STOP on screen. Select STOP. At this point the receiver will do a hard reboot. ------------------------------------------------------------------- 5.2 Sony Receivers ------------------------------------------------------------------- *NEW* 5.2.1 How to tell which Generation Sony Receiver you have ------------------------------------------------------------------- How to tell if you have an older (1st Generation) or newer (2nd Generation) Sony DSS Receiver.

If you still have the box it came in on the outside will be a model number. If you don't have the box look on the metal plate on the back of the receiver. If the model number goes something like: SAS-BS1 (note the 1 in the series) then you have a first Generation unit. If the model number goes something like: SAS-BS2 (note the 2) then you have a Second Generation unit. ------------------------------------------------------------------- 5.2.2 1st Generation Sony Soft-Reboot procedure ------------------------------------------------------------------- Push and hold the Exit and Down Arrow button on the receiver at the same time. Receiver will soft-reboot at this point and restart. Power off and then back on. ------------------------------------------------------------------- 5.2.3 1st Generation Sony Hard-Reboot procedure ------------------------------------------------------------------- *NEW* 5.2.3 2nd Generation Sony Soft/Hard-Reboot procedure ------------------------------------------------------------------- To do a hard reboot on a second generation Sony push and hold the TV/DSS and Down Arrow at the same time. A Menu will come up at this point and you want to select TEST on the screen. Once the test is complete select STOP on the screen and the system will do a hard reboot and restart. ------------------------------------------------------------------- NOTE: The below Sony Hacking Info generally works on 1st and 2nd generation Sony receivers. The serial hacking info as well. Some does, some doesn't. Give it a try! ------------------------------------------------------------------- 5.3.1 Sony Service Test ------------------------------------------------------------------- Press the TV/DSS and DOWN ARROW buttons at the same time on the unit (not the remote). You will be presented with a screen where you can test the DSS unit and see what software versions and similar things the unit is currently using. You can also enter a dialing prefix to the number the unit uses to dial out. (if you have to dial 9 for an outside line) You can also enter a number in a series of boxes across the top of the screen. I heard the unit will dial out to the number placed there but this is unconfirmed. ------------------------------------------------------------------- 5.3.2 Sony User Options ------------------------------------------------------------------- Using the number keypad on the remote, type 9999999 (that's seven 9s) then press the power button off and on right after the last 9. Then go to the main menu, click on system menu, click on custom setup menu. You will see a new option in the top left box. Here you can allow your remotes joystick to change channels (like the channel up/down buttons), turn the ENTER button into a MUTE function, turn the EXIT button into a freeze-frame button (doesn't work), Turn off the MAIL icon in the menu (when you have mail), turn off the centering of the cursor in menus (will leave the cursor in the box last selected when going through multiple menus), and enter the LOGO TEST MODE (this will cycle through all the channel icons loaded in the system everytime you call up the channel display. The icon will NOT match the actual channel when in this mode). ------------------------------------------------------------------- 5.3.3 Sony Channel Information ------------------------------------------------------------------- Using the number keypad on the remote, type 88881 and hit the EXIT key. You will see the Channel Information screen. It will give you a list of the channels along with the transponder it is on, vscid, ascid, diptrans, and piptrans data. Use the CHANNEL UP/DOWN buttons on the remote to scroll. Any other key will return to regular mode. ------------------------------------------------------------------- 5.3.4 Sony Service Paradigm Information ------------------------------------------------------------------- Using the number keypad on the remote, type 88882 and hit the EXIT key. You will see the Service Paradigm Info screen. Use the CHANNEL UP/DOWN buttons on the remote to scroll. Any other key will return to regular mode. ------------------------------------------------------------------- 5.3.5 Sony Transponder Information ------------------------------------------------------------------- Using the number keypad on the remote, type 88883 and hit the EXIT key. You will see the Transponder Information screen. Use the CHANNEL UP/DOWN buttons on the remote to change transponders. Any other key exits. This will display all the channels on the listed transponder, whether the transponder is high or low rate, and various data about each channel on the transponder. ------------------------------------------------------------------- 5.3.6 Sony Purchase Information ------------------------------------------------------------------- Using the number keypad on the remote, type 88884 and hit the EXIT key. This will display all the data concerning PPV events you have purchased. Use the CHANNEL UP/DOWN buttons to scroll. Any other key exits. On the purchase info screen the status fields are:

10=Purchased, but not viewed. 21=Purchased, viewed, but not downloaded to DTV. 25=Purchased, viewed and downloaded to DTV. ------------------------------------------------------------------- 5.3.7 Sony OSD Debug Information ------------------------------------------------------------------- Using the number keypad on the remote, type 88885 and hit the EXIT key. This will display a box that says OSD debug messages enabled.

Since it never says it's disabled, you have to enter it twice to disable it. ------------------------------------------------------------------- 5.3.8 Sony Verifier Stack Information ------------------------------------------------------------------- Using the number keypad on the remote, type 88887 and hit the EXIT key. This will display a list of verified stack information. ------------------------------------------------------------------- 5.3.9 Sony Stack Information ------------------------------------------------------------------- Using the number keypad on the remote, type 88888 and hit the EXIT key. This will display the Stack Information. It shows each task the unit performs and it's status. Any key will exit. ------------------------------------------------------------------- 5.3.10 Sony Download Information ------------------------------------------------------------------- Using the number keypad on the remote, type 88889 and hit the EXIT key. This will display the Download Info screen. I have no idea what the codes mean. Any key will exit. ------------------------------------------------------------------- *NEW* 5.3.11 Sony Thank You ------------------------------------------------------------------- Using the keypad on the remote, press 5551212, then quickly turn the power off then back on using the POWER button on the remote. You will get a list of people responsible for the design and construction of the Sony DSS unit. Any key returns you to normal mode.

OR

The Thanks/Credits screen can be brough up by entering 5551212 and then EXIT on the remote. There is no need to use the front panel or switch the power on and off quickly. ------------------------------------------------------------------- 5.3.12 Sony RS-232 Port Hacking ------------------------------------------------------------------- Here is some information on even more stuff hidden in Sony DSS boxes.

*NOTE* The information in this section seems to work on certain 1st and 2nd generation Sony receivers with certain software revisions and not on others. We are trying to figure out a pattern, but at this time if it works, great! If not, your out of luck!

I have discovered that there is a diagnostic program running all the time (even while you are watching TV) which lets you do all sorts of fun stuff to your box:

The diagnostic program was probably meant to be used by Sony's testing/repair people. It lets you test RAM, play with the front panel LEDs, muck with your box's EEPROM, etc.

In order to use it, you will need to hook the serial port of your computer to some pins on the wide-band data port.

Here's what you do:

Look at the back of your box. Locate the 15 pin "wide band data" connector.

In addition to supplying wide band data, this connector also has some serial data pins on it.

The pins you need to mess with are: 7 (ground) 14 (TxD) 6 (RxD)

You need to connect them as follows to your computer's serial port (assuming a DB25 connector)

Sony DB25 7 --------- 7 (ground) 14 --------- 3 (RxD) 6 --------- 2 (TxD)

Set your terminal to 9600 bps, 8 data bits, no parity and hit a few returns on the keyboard. If all is well, you will get:

DiagPrompt >

Type a question mark, and you will get some help:

DiagPrompt > ? 1 rom - Test ROM checksum 2 tram - Read/Write Test Transport IC SRAM 3 vram - Read/Write Test MPEG video DRAM 4 eprm - Read/Write Test EEPROM 5 ntsc - Show color bars 6 mpeg - Test MPEG video chip 7 tic - Test Transport IC 8 cam - Read access card 9 aud - Test audio IC 10 mdm - Test modem 11 led - Test front panel LEDs 12 butn - Test front panel buttons 13 rmt - Test remote control 14 exit - Exit diagnostics 15 ser - Set IRD serial number 16 ver - Set IRD model number 17 locks - Set Lock/Unlock/Skip/Unskip channels 18 fav - Set favorite stations 19 dch - Set default channel 20 eep - Initialize EEPROM 21 dump - Dump data from memory 22 probe - Go to probe 23 sniff - Enable Sniffer Output 24 pis - Simulate PI 25 camid - Display CAM ID number 26 fend - Set the Front End type 27 lsdr - Read from the low speed data port 28 lsdw - Write to the low speed data port 29 lsdb - Set the low speed data port baud rate 30 rf - Set RF/IR remote state 31 sec - Set RF security code 32 hss - Write to the high speed data port 33 ? - Display list of commands

Syntax: [r rptCnt] {cmdName | cmdNum} [options] [- {cmdName | cmdNum} [options]]

rptCnt = 0 means repeat forever (default = 1)

Numeric values default to decimal. Use 0x before numbers for hex values.

For help on specific commands, type command name followed by ? Diag > OK

NOTE: some of these functions are very dangerous!!!! (look at #20 for instance) So BE CAREFUL unless you know what you are doing.... ------------------------------------------------------------------- 5.4 Uniden/Memorex Receivers ------------------------------------------------------------------- 5.4.1 Uniden/Memorex Soft-Reboot procedure ------------------------------------------------------------------- Make sure you Access Card is out of the receiver while doing this! Push and hold the TV/DSS and Down Arrow button on the receiver at the same time and a hidden menu will pop up on the screen. Use the remote or front panel arrows to navigate to the RESET button on screen and then push select. The receiver will power itself off. Wait a few seconds and power it back on and re-insert your Access Card. =================================================================== 6.0 Sources ------------------------------------------------------------------- 6.0.1 Good Sources ------------------------------------------------------------------- Either none exist or no one wants to have their name in lights! Can you blame them? If you'd like to be listed as a good source in the faq please send me some email telling me of your qualifications and I'll add you.

If I get bad reports on you, you go in the list below in section 6.0.2... ------------------------------------------------------------------- 6.0.1.0 Good Sources for ISO-7816 Card Slots ------------------------------------------------------------------- Trying to build your own smartcard reader/writer but having a few problems trying to find a source for the ISO-7816 card slots?

Give these a try:

Sterling Electronics at 1-800-745-5500 or Newark Electronics at 1-800-463-9275.

You are looking for Amphenal Connector Part Number C70210M0082014.

Sterling has these for $1.64 (USD) each in a 100 lot and Newark has them for $2.90 (USD) each in a 100 lot. ------------------------------------------------------------------- 6.0.2 BAD Sources ------------------------------------------------------------------- Here we will try to list the dealers that have consistently screwed their customers over.

Sort of like a scam watch if you will.

If you have been screwed numerous times (not just simple mistakes like mailing delay's, etc) please send me email and I will research the subject further and perhaps add the particular dealer in question to this section of the faq. ------------------------------------------------------------------- 6.0.2.1 BAD Cableman ------------------------------------------------------------------- So far most dealers seem to have their good and bad days, but lately the dealer with the most unhappy customers seems to be Cableman from Las Vegas, NV. Many, many, many bad reports have come in on this dealer (which is what it takes to get in this portion of the faq) and so here is some info on him you might need if you've been screwed by this dealer!

CABLEMAN (aka: DIAMOND VISION) BIO INFO

Cableman is David Balmes (alias?) of Las Vegas, NV. Also known as: Dave Dajoran and Dave Hanson.

Business Addresses are: 1000 Dumont #107, Las Vegas, NV 89109 3965 S. Maryland Pkwy #162, Las Vegas, NV 89119

Home Address is: 1000 Dumont Street #220, Las Vegas, NV 89109

Phone Numbers are:

Work: 702-892-9183 Pager: 702-667-9151

Web Domain Names are:

Diamondvision.com and Cableman.com

Email Addresses are:

dave@diamondvision.com, dave@cableman.com, cableman@ix.netcom.com ------------------------------------------------------------------- *NEW* 6.0.2.2 BAD VCipher Technologies ------------------------------------------------------------------- We have been hearing some rumblings about some bad business deals with Reg Scullion at VCipher Technologies. We have not yet got detailed info on either Reg and his company or these dealings yet, but for now be wary of dealing with VCipher. Buyer Beware!

And if you have detailed bad dealing with VCipher, please send them in! =================================================================== 7.0 Greets and Thanks and Things... ------------------------------------------------------------------- Thanks and greets to everyone in the #satellite channel on EFNET IRC!

Most of this information came from various sources. Much is my own original work... If there are mistakes or changes you'd like to see please email me at: Agent89@nym.alias.net and let me know!

This document is continually evolving and will grow in size quite rapidly! Check weekly for new versions. It will be available on the above IRC channel as well as the satellite newsgroups.

And don't forget what Castor sez: heh, in the words of the big gun (not relating to this subject, though).. "Good job! You did something I couldn't. Well, I could, but I didn't... You know!" :) =================================================================== 8.0 Document Copyright Info ------------------------------------------------------------------- I was hoping that this part of the faq would never be neccesary but due to certain individuals misuse if the faq who shall remain nameless (NOT! Try Cableman!) I am adding it.

NOTICE: This document is Copyright (C) 1997, by Agent_89 (Agent89@nym.alias.net). All rights reserved. Permission is granted to duplicate this document if and only if the following three conditions are met:

1. This document cannot be modified in any way. 2. This document cannot be sold for profit nor included as a part of any publication sold for profit. 3. This notice must be included. Any other use requires the written consent of the author. ------------------------------------------------------------------- THE END! (Not really the end, just the end for now!)

-

Lets put the *fun* back in dysfunctional...

<> tbyars@earthlink.net <> 888-257-4272/message 310-934-5104/pager