/**************************/
                   /* A Guide to Porno Boxes */
                   /*     by Carl Corey      */
                   /**************************/


Keeping with tradition, and seeing that this is the first article in
Phrack on cable TV descrambling, any illegal box for use in descrambling
cable television signals is now known as a PORNO BOX.

There are many methods that cable companies use to insure that you get
what you pay for - and _only_ what you pay for.  Of course, there are
always methods to get 'more than you pay for'.  This file will discuss
the most important aspects of these methods, with pointers to more
detailed information, including schematics and resellers of equipment.


Part I.  How the cable company keeps you from getting signals
   A brief history

---Older Systems---

Most scrambling methods are, in theory, simple.  The original method
used to block out signals was the trap method.  All traps remove signals
that are sent from the CATV head end (the CATV company's station).  The
first method, which is rarely used anymore was the negative trap.
Basically, every point where the line was dropped had these traps, which
removed the pay stations from your signal.  If you decided to add a pay
station, the company would come out and remove the trap.  This method was
pretty secure - you would provide physical evidence of tampering if you
climbed the pole to remove them or alter them (sticking a pin through
them seemed to work randomly, but could affect other channels, as it
shifts the frequency the trap removes.)  This was a very secure system,
but did not allow for PPV or other services, and required a lot of
physical labor (pole-climbers aren't cheap).  The only places this is
used anymore is in an old apartment building, as one trip can service
several programming changes.  Look for a big gray box in the basement
with a lot of coax going out.  If you are going to give yourself free
service, give some random others free service to hide the trail.

The next method used was termed a positive trap.  With this method, the
cable company sends a _very_ strong signal above the real signal.  A
tuner sees the strong signal, and locks onto the 'garbage' signal.  A
loud beeping and static lines would show up on the set.  For the CATV
company to enable a station, they put a 'positive' trap on the line,
which (despite the name) removes the garbage signal.  Many text files
have been around on how to descramble this method (overlooking the
obvious, buying a (cheap) notch filter), ranging from making a crude
variable trap, to adding wires to the cable signal randomly to remove the
signal.  This system is hardly used anymore, as you could just put a trap
inside your house, which wouldn't be noticed outside the house.

---Current Systems---

The next advent in technology was the box.  The discussion of different
boxes follows, but there is one rather new technology which should be
discussed with the traps.  The addressable trap is the CATV's dream.  It
combines the best features of the negative trap (very difficult to tamper
with without leaving evidence) with features of addressable boxes (no
lineman needs to go out to add a service, computers can process Pay Per
View or other services).  Basically, a 'smart trap' sits on the pole and
removes signals at will.  Many systems require a small amp inside the
house, which the cable company uses to make sure that you don't hook up
more than one TV.  I believe that the new CATV act makes this illegal,
and that a customer does not have to pay for any extra sets (which do not
need equipment) in the house.  Of course, we all know that the cable TV
company will do whatever it wants until it is threatened with lawsuits.

Cable boxes use many different methods of descrambling.  Most are not in
use anymore, with a few still around, and a few around the corner in the
future.  The big thing to remember is sync suppression.  This method is
how the cable companies make the picture look like a really fucked up,
waving Dali painting.  Presently the most popular method is the Tri-mode
In-band Sync suppression.  The sync signal is suppressed by 0, 6, or 10
dB.  The sync can be changed randomly once per field, and the information
necessary for the box to rebuild a sync signal.  This very common system
is discussed in Radio-Electronics magazine in the 2/87 issue.  There are
schematics and much more detailed theory than is provided here.

The other common method currently used is SSAVI, which is most common on
Zenith boxes.  It stands for Sync Suppression And Video Inversion.  In
addition to sync suppression, it uses video inversion to also 'scramble'
the video.  There is no sync signal transmitted separately (or reference
signal to tell the box how to de-scramble) as the first 26 lines (blank,
above the picture) are not de-synched, and can be re-synched with a
phased lock loop - giving sync to the whole field.  The data on inversion
is sent somewhere in the 20 or 21st line, which is outside of the
screen.  Audio can be scrambled too, but it is actually just moved to a
different frequency.  Radio Electronics August 92 on has circuits and
other info in the Drawing Board column.

---Future Systems-

For Pioneer, the future is now.  The system the new Pioneers use is
patented and Pioneer doesn't want you to know how it works.  From the
patent, it appears to use combinations of in-band, out-band, and keys
(also sending false keys) to scramble and relay info necessary to
descramble.  These boxes are damn slick.  The relevant patents are US
#5,113,411 and US #4,149,158 if you care to look.  There is not much
information to be gained from them.  Look for future updates to this
article with info on the system if I can find any :)

Other systems are the VideoCipher + (used on satellites now - this is
scary shit.)  It uses DES-encrypted audio.  DigiCable and DigiCipher are
similar, with Digi encrypting the video with DES also  (yikes)...  And
they all use changing keys and other methods.  Oak Sigma converters use
similar methods which are available now on cable.  (digital encryption of
audio, etc...)

Part II.  How the cable company catches you getting those signals

There are many methods the CATV company can use to catch you, or at
least keep you from using certain methods.

Market Code:   Almost _all_ addressable decoders now use a market code.
                This is part of the serial number (which is used for pay
                per view addressing) which decodes to a general geographic
                region.  Most boxes contain code which tell it to shut
                down if it receives a code (which can be going to any box
                on the cable system) which is from a different market area.
                So if you buy a converter that is say, market-coded for
                Los Angeles, you won't be able to use it in New York.

Bullets:        The bullet is a shut down code like above - it will make
                your box say 'bAh' and die.  The method used most is for
                the head end to send messages to every box they know of
                saying 'ignore the next shutdown message' ... and once
                every (legit) box has this info, it sends the bullet.
                The only boxes that actually process the bullet are ones
                which the CATV system doesn't know about.  P.S.  Don't
                call the cable company and complain about cable if you
                are using an illegal converter - and be sure to warn
                anyone you live with about calling the CATV co. also.

Leak Detection: The FCC forces all cable companies to drive around and
                look for leaks - any poor splice jobs (wiring your house
                from a neighbors without sealing it up nice) and some
                descramblers will emit RF.  So while the CATV is looking
                for the leaks, they may catch you.

Free T-Shirts: The cable company can, with most boxes, tell the box to
                display a different signal.  So they can tell every box
                they know of (the legit box pool) to display a commercial
                on another channel, while the pirate boxes get this real
                cool ad with an 1800 number for free t-shirts... you call,
                you get busted.  This is mostly done during PPV boxing or
                other events which are paid for - as the company knows
                exactly who should get that signal, and can catch even
                legit boxes which are modified to receive the fight.

Your Pals:      Programs like "Turn in a cable pirate and get $100" let
                you know who your friends _really_ are.


Part III:  How to get away with it.

I get a lot of questions about opening a box that you own.  This is not
a good idea.  Most, if not ALL boxes today have a tamper sensor.  If you
open the box, you break a tab, flip a switch, etc...  This disables the
box and leaves a nice piece of evidence for the CATV co. to show that you
played with it.

I also have had questions about the old "unplug the box when it is
enabled, then plug it back in later"...  The CATV company periodically
sends a signal to update all the boxes to where they should be.  If you
want to do this, you'll need to find out where the CATV sends the address
information, and then you need to trap it out of the signal.  So as soon
as the fraudulent customer (let's call him Chris) sees his box get the
signal to receive the PPV porn channel, he installs the trap and now his
box will never get any pay per view signals again...  but he'll always
have whatever he was viewing at the time he put the trap in.  Big problem
here is that most _newer_ systems also tell the box how long it can
descramble that channel - i.e.  "Watch SPICE until I tell you not to, or 3
hours have passed"...

Where to make/buy/get porno boxes:

You can order a box which has been modified not to accept bullets.  This
method is pretty expensive.  You can also get a 'pan' descrambler - it is
a separate piece that takes whatever goes in on channel 3 (or 2 or 4) and
descrambles it.  These boxes can't be killed by the bullets, and work
pretty well.  There are some pans which are made by the same company as
your cable box and are sensitive to bullets, so beware.

There are two basic ideas for modifying a box (provided you get detailed
instructions on how to get it open, or how to fix it once you open it).
You can change the S/N to something which is known as 'universal' or
disassemble the code and remove the jump to the shutdown code.
The universal codes are rare, and may be extinct.  Besides, if the cable
company finds out your code, they can nuke it.  This happens when someone
who makes (err made) 'universal' chips gets busted.  The modification of
the actual code is the best way to do it, just forcing a positive
response to permission checks is the easiest way.

A 'cube' is not a NeXT, it's a device which removes the data signal from
the cable line, and inserts a 'nice' data signal which tells your box to
turn everything on.  A 'destructive' cube actually re-programs all the
boxes below it to a new serial number and gives that number full
privileges, while a 'non-destructive' cube needs to know your boxes
serial number, so it can tell your box (without modifications) that it
can view everything.  You have to get a new IC if you change boxes, but
the plus is that you can remove the cube and the box functions as
normal.  Then again, you have to trust the place you are ordering the
cube from to not be working for the cable company, as you have to give
them your box serial number - which the CATV cable has in their records.
Cubes have been seen for sale in the back of Electronics Now (formerly
Radio Electronics).

Of course, you could check in the above mentioned articles and build
circuitry, it would be a lot cheaper.  The only problem is that you have
to be good enough not to fuck it up - TV signals are very easy to fuck up.

Then there is the HOLY GRAIL.  Most scrambling systems mess with the sync
pulse.  This pulse is followed by the colorburst signal on NTSC video.
Basically, the grail finds the colorburst and uses it as a reference
signal.  In theory, it works wonderfully (but does not fix the video
inversion problems found on SSAVI systems).  However, with the sync pulse
whacked, the colorburst method may give weak color or color shifts.  The
schematics are in the May 1990 Radio-Electronics.  I have also received
email from aa570@cleveland.Freenet.Edu about his colorburst kit, which is
a modified (supposedly higher quality) version of the R-E schematics.
The schematic and parts list is 5 bucks, 16 bucks for a pre-drilled and
etched board.  A little steep, but not too bad.  E-mail the above for
more information.


Anyway, that's all for now.  Remember, information (including XXX movies)
wants to be free!

Carl Corey / dEs