How Does That DSS Card Really Work?

by Phredog

All of the information in this article has been obtained from public domain sources and is accurate to the best of my knowledge.  This information is far from complete; however, it should provide a start for the curious hackers out there!

Your DSS card contains a microprocessor, ROM, EEPROM, and RAM.  The EEPROM may be updated by DirecTV at any time or changed by a skilled hacker.  The receiver communicates with the card via eight pads on the card.  The pads are numbered counter-clockwise, starting in the upper-left corner:

  1. VCC
  2. R/W
  3. CLOCK
  4. RESET
  5. GND
  6. NOT USED
  7. DATA I/O
  8. NOT USED

Your card receives and transmits data packets at 9600 bps.  Some packets are filtered out before they reach your card, such as individual authorizations.  Many data packets are global in nature and do make it to your card.  There are dozens of types; however, most are beyond the scope of this article.

The most important data packet is the "4840" packet.  This packet is used to give your receiver information about the channel you are tuned to and to test if you are authorized to view the channel.  The most important commands contained in this packet are the "09" command and the "0C" command.

The "09" command tells the card to select one of its factory loaded encryption keys to be used to seed the hashing algorithm.  Once the command is issued, every byte that the card receives is passed to the algorithm.  A new key and checksum are generated with each byte.  If any byte in the data packet is changed, the wrong key and checksum will be generated.

The "03" or "06" commands are used to test whether the current channel is authorized.  If the channel is authorized, the status is saved as a flag on the card.  "03" is used for most channels.  "06" is used for pay-per-view.

The "0C" command is used to test the integrity of all the received data against a calculated checksum.  Remember that everything that the card received after the initial "09" command was used to generate a new key and checksum.  If one byte was changed, the current key and the checksum will be incorrect.

A short time later, the "4854" packet instructs the card to return the status flag, crunch the most recent key through the ASIC encryption chip, and return the computed key to the receiver.  The status flag will turn on the sound and video decoder, and the crunched key will be applied to the MPEG decoder.  Assuming that the key is correct, video will appear.

Sometimes DirecTV will instruct the DSS card to apply eight bytes of code from the card's EEPROM to the hashing algorithm.  DirecTV knows what the code at that location should read.  However, if a skilled hacker has applied a change to the card's EEPROM, the wrong key will be generated.  The video will go black or freeze.
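
The running key and checksum described above, and the EEPROM self-check, can be modeled in a few lines.  This is an added example, not code from the article or from any real card: HMAC-SHA256 stands in for the card's hashing algorithm (which the article does not describe), and the key table, EEPROM image, packet body, offsets, and function names are all constructed assumptions.

```python
import hashlib
import hmac

# All values are constructed for illustration; none come from a real card.
FACTORY_KEYS = {0x01: bytes.fromhex("00112233445566778899aabbccddeeff")}
EEPROM = bytes(range(64))  # stand-in for the expected EEPROM image


def run_hash(key_index, body, eeprom=None, offset=None):
    """Return (key, checksum) after absorbing the packet body byte by byte."""
    # "09"-style step: a factory-loaded key seeds the running state.
    state = FACTORY_KEYS[key_index]
    stream = body
    if eeprom is not None:
        # Optional step: eight bytes of the card's own EEPROM join the stream.
        stream += eeprom[offset:offset + 8]
    for b in stream:
        # HMAC-SHA256 is a stand-in for the card's algorithm (an assumption).
        # Every absorbed byte produces a new state, so a new key and checksum.
        state = hmac.new(state, bytes([b]), hashlib.sha256).digest()
    return state[:8], state[8:12]


def card_check(key_index, body, sent_checksum, eeprom=None, offset=None):
    """Card side, the "0C"-style check: return (integrity_ok, key)."""
    key, checksum = run_hash(key_index, body, eeprom, offset)
    return hmac.compare_digest(checksum, sent_checksum), key


def demo():
    body = bytes.fromhex("a1b2c3d4e5f60718")  # constructed packet body
    good_key, good_sum = run_hash(0x01, body, EEPROM, 16)  # broadcaster side

    results = {}
    # Untouched packet and EEPROM: checksum verifies, key matches.
    results["clean"] = card_check(0x01, body, good_sum, EEPROM, 16)
    # One bit changed in the packet: checksum and key both diverge.
    tampered = bytes([body[0] ^ 0x01]) + body[1:]
    results["packet"] = card_check(0x01, tampered, good_sum, EEPROM, 16)
    # One EEPROM byte changed inside the sampled window: same outcome.
    patched = EEPROM[:18] + b"\xff" + EEPROM[19:]
    results["eeprom"] = card_check(0x01, body, good_sum, patched, 16)
    return good_key, results


if __name__ == "__main__":
    expected_key, outcome = demo()
    for name, (ok, key) in outcome.items():
        print(f"{name:7s} integrity_ok={ok} key_matches={key == expected_key}")
```

Because the state is chained through every byte, the broadcaster never has to name which byte it is checking; any difference anywhere in the stream, including the sampled EEPROM window, surfaces as a wrong key.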

That is, in its most basic form, how the DSS system works.
