An idea.

[majestyk]

Don't want to waste anyone's time but I had an idea (probably a crap one but here goes).

The Sly card is uncrackable. But what about attacking the system at the point where it dials the call centre to notify it of PPV credit limit being reached etc.

Could we fool the box into thinking it has connected to the call centre when it's actually attached to some clever bugger's modem/pc?

I have an old gadget somewhere which emulates a dialtone (it was a way of using a fax as a printer/scanner) and I'll gladly donate it to anyone who wants to experiment.

Sorry if it's a useless idea. But anything to dent Sly's armour must be worth talking about. Cheers.

 

[pinkhelmets]

Hi m8, well I firstly need to put you right, Sly is definately not uncrackable!! Now guys dont bother asking me for proof and free ** etc because I cant give it. <img src="frown.gif" border="0"> <br />There will be a hack and Sly/NDS know it. The system is complex, but not without flaws and the hardware used is also a weakness as it uses common parts that are not specifically manufactured. The release of Sly plus boxes is an attempt to create future probs. And new Sly cards have new microprocessors that act differently because they know of the weakness of originals. The NDS system has been pulled apart by Americans and it just needs us to catch up a little to find our own flaws.<br />Back to your original idea, this is an old line of thought that doesn't work. Sometimes called 'the battery trick' and can also be acheived by changing telephone number that the box dials. There has been progress with understanding ppv and the system used. However, the fact remains that ppv is stored on the card to a limit of £50 and there is not yet a successful way to delete or clear the tier. <img src="frown.gif" border="0">

 

[digidude]

L-Mitz, you sure know your stuff, just a thought on clearing cards.

The info has to be sent to sly at some point or another or the card stops responding to ppv requests, right?

What if you put your fully loaded card into someone elses box and did an automated callback?

The info is taken off the card and sent to sly but when they recieve it none of the numbers match up. What would they do?

 

[pinkhelmets]

Hi Digidude, thanks 4 confidence boost, I'm no expert just learning and passing knowledge on m8. Never believe all you read, and remember this board is for discussion so I'm just tryin to help.

Regards you question, I've never tried that one but the 'numbers' would definately include the card serial number which is how they track owner/subscriber. So the bill would still go out to whoever card belongs to. Also, the card is not cleared when connected to Sly's system. What happens is that the outstanding bill is registered and a signal will follow some time after that contains the command to clear ppv tier.

Now that does give us an idea. What if you had reached £50 limit then allow box to call. Then you could do some logging, log your own individual card and the command that it receives (with a valid signature) and you will always be able to clean the ppv tier? This may work but tbh don't want to have to explain how I ran up £50 bill in first place.

There are further experiments to do with box connections to Sly and time will tell if exploit exists.

 

[digidude]

One of the boys used to be a bench tech when we had branches, is sh*t hot with his electronics and he's managed to get his pc to connect to a digibox through the modem port and the box waits for a code before he can get any further. He hasn't tried too much though cos hes really paranoid.

 

[pinkhelmets]

You can easily connect to digibox serial port and some config files are available but they are only for engineer testing / fault checking, etc. There is no way of altering the cpu code or anything of much use.<br />Inside the box are the connections to access the cpu. I know of some recent success in reading the flash image, but its veeeeeery complex. This aint my strength. It totals 2mb and is gonna take some time to disassemble and then understand. <img src="frown.gif" border="0"> This option of reprogramming the code is goin to be a long way off yet, me thinks.<br />While on subject of reading flash and also ppv, I do know that box links to Sly's system via [email protected] then a password of ........ because this has been read from the flash, but not sure how that will help us yet?

 

[digidude]

Do you know the number that the box dails?

 

[pinkhelmets]

Well I cant remember number for call center off hand, and funny thing is I dont have sly at home (which is where I am at mo) so I'll have to check. But maybe some other kind member can post the answer? I am sure the number is displayed in the installers menu?<br />Try pressing 'services' '4' (system setup)<br /> '0' '1' 'select' (installer setup)<br /> '3' (telephone settings)

Thats from memory so could be wrong, but if any members have sly boxes please try and post number.

Thanks <img src="smile.gif" border="0">

 

[digidude]

I'm a sly installer and have disected all the menu's, all you can do in the telephone settings in add a dialing prefix, 9 for a line etc.

 

[Spectre]

This is starting to sound familiar <img src="biggrin.gif" border="0">

I had a thought/post a while ago concerning replicating the STB/Sly server conversation to clear PPV events.

Phone lines can be simulated using null exchange test boxes...Some seriously complex logging needed, but that reset must have something to do with the cards' still unknown command set and embedded info.

Copy the Sly server <img src="confused.gif" border="0"> ,how secure is their encryption (Now I do assume they use encryption lol) during these transactions ?

Just trying to throw ideas into the pot... <img src="smile.gif" border="0">