
Looking back on DirecTV Black Sunday

In a Discord chat, a link came up to an article from 2008 looking back on the 2001 “Black Sunday” countermeasure against DirecTV satellite pirates. I wanted to tell a bit of what I remember of the background to Black Sunday for some additional context.

Screenshot of blog post titled "Revisiting the Black Sunday Hack"

(note: This story was originally posted on Twitter Oct 16, 2018.)

In the late 90s and early 2000s, satellite TV piracy was a big business. Online streaming, at least anything practical for home users, didn’t exist yet. 56K dialup modems were standard. Satellite TV was unbeatable both for selection as well as quality.

A thriving pirate business existed, in which pirate dealers would sell modified smartcards that enabled access to all the TV channels on the satellite.

DirecTV’s security system was based on encryption keys inside smartcards, so that when they were inevitably pirated, DirecTV could replace all their smartcards with new versions to update the security - the satellite receiver itself wouldn’t have to be updated.

The smartcards were the obvious attack point for the pirate hackers - the smartcard held the keys to the system. By 2001, DirecTV had swapped out the smartcards once already. The original series 1 “F cards” had been replaced with updated series 2 “H cards”.

Within months of support for the “F card” being discontinued, pirate dealers were selling hacked “H cards”. The security update that had looked like a dead end for pirates turned out to be a speed bump.

Pirate hackers attacked the H card. First, commercial pirates extracted the ROM and EEPROM code from the card, then they used the bugs they found to create tools (card programmers) to easily modify original smartcards.

These tools were sold through a network of pirate dealers across North America and the Caribbean. Over time, secrets leaked from the dealers and were discovered by amateur pirates, who by this point were growing in numbers and creating online communities on web forums and IRC.

To shut down the first wave of pirate H cards, a software update was sent by DirecTV to the smartcard over the satellite. Hackers were waiting for this, and seeing the software update allowed the hackers to break the H card wide open. A wave of new pirate tools and info appeared.

Months of cat and mouse games followed, with pirates finding and exploiting bugs in the H card software, and new software updates applied to the cards to patch the security holes.

The pirates now had access to the internal memory in the smartcard (8051 microcontroller with ROM, RAM, EEPROM), so they were able to modify the software inside the smartcard to allow decryption of channels whether or not a subscription was paid.

But, pirates still needed to have an original H card smartcard to modify - it was hard to replace the card entirely, because there was more in it than just the 8051 microcontroller. It had two chips, wire bonded to each other underneath the little gold-coloured contact pad.

Beside the microcontroller was a custom ASIC chip designed specifically (and only) for DirecTV. Reverse engineering an ASIC is an entirely different process than extracting and disassembling software from a microcontroller. This wasn’t software, it was silicon.

So for the most part, the pirates’ solution to the ASIC was simply to use a real H card with the ASIC chip inside. As long as the pirates could reprogram the microcontroller, they could modify the software to allow it to decrypt all the TV channels.

But the pirates’ access to the microcontroller was limited - no direct programming interface was exposed; all interfacing with the smartcard went through an ISO 7816 serial interface.

As long as the pirate hackers were able to find bugs in the H card software (stored in ROM and EEPROM), they could use these exploits to reprogram the smartcards and create pirate cards.

A bug existed that allowed an attacker to create a message to send to the card, then append a valid message to the end of it, and the smartcard would process all of it as though all of it carried a valid cryptographic signature, even after it had been modified. (The “09 hole”)
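As an added illustration (not code from the original post, and not DirecTV’s real card protocol), here is a constructed toy model of that signature-check pattern: a packet is a run of blocks, each `[len][commands...][tag]`, where the tag is a placeholder keyed checksum standing in for the card’s signature. The vulnerable handler verifies only the final block and then executes the whole buffer; the fixed handler verifies every block before executing anything. The block layout, the tag function and the command byte `0xEE` are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed toy model of the "09 hole" pattern, not DirecTV's real protocol.
 * A packet is a run of blocks [len][cmds...][tag]; the tag is a placeholder keyed
 * checksum over len+cmds standing in for the card's signature check. */
#define TOY_KEY 0x5A
#define CMD_WRITE_EEPROM 0xEE  /* constructed: the privileged command we count */

static uint8_t toy_tag(const uint8_t *p, size_t n) {
    uint8_t t = TOY_KEY;
    for (size_t i = 0; i < n; i++) t = (uint8_t)(((t << 3) | (t >> 5)) ^ p[i]);
    return t;
}
/* Does block b carry a valid tag over its len byte and commands? */
static int block_ok(const uint8_t *b) { return toy_tag(b, 1 + b[0]) == b[1 + b[0]]; }
/* Execute every block in an already-walked packet; returns privileged writes run. */
static int run_all(const uint8_t *buf, size_t n) {
    int writes = 0;
    for (size_t i = 0; i < n; i += 2 + buf[i])
        for (size_t j = 0; j < buf[i]; j++)
            if (buf[i + 1 + j] == CMD_WRITE_EEPROM) writes++;
    return writes;
}
/* Vulnerable: only the final block's tag is checked, then the whole buffer runs,
 * so unsigned blocks placed in front of a genuine one execute too. -1 = rejected. */
int handle_vulnerable(const uint8_t *buf, size_t n) {
    size_t i = 0, last = 0;
    if (n == 0) return -1;
    while (i < n) {                          /* walk to the final block */
        if (i + 2 + buf[i] > n) return -1;   /* truncated block */
        last = i; i += 2 + buf[i];
    }
    return block_ok(buf + last) ? run_all(buf, n) : -1;
}

/* Fixed: every block must verify before anything executes. */
int handle_fixed(const uint8_t *buf, size_t n) {
    if (n == 0) return -1;
    for (size_t i = 0; i < n; i += 2 + buf[i])
        if (i + 2 + buf[i] > n || !block_ok(buf + i)) return -1;
    return run_all(buf, n);
}
/* Demo: a block with two privileged writes (forged or genuine) followed by a genuine harmless block. */
int demo(int forge_first, int use_fixed) {
    uint8_t pkt[7] = {2, CMD_WRITE_EEPROM, CMD_WRITE_EEPROM, 0, 1, 0x10, 0};
    pkt[3] = (uint8_t)(toy_tag(pkt, 3) ^ (forge_first ? 0xFF : 0x00));
    pkt[6] = toy_tag(pkt + 4, 2);
    return use_fixed ? handle_fixed(pkt, 7) : handle_vulnerable(pkt, 7);
}
```

With the first block forged, the vulnerable handler still performs its two privileged writes because the genuine trailing block satisfied the check, while the fixed handler rejects the packet outright.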

Another kind of bug was a buffer overflow that overwrote the stack in RAM, allowing the attacker to set up a sequence of return addresses on the stack to control program execution: return-oriented programming (ROP) in today’s terms, though I don’t recall that name being used at the time.

In some cases a malformed message could be sent to the card that, when processed by the buggy software, would allow the attacker to cause a jump to any arbitrary address of their choosing. (i.e. the “E3 hole”)

Over time, countermeasures against the pirates took a couple of forms. As pirates exploited software bugs, the bugs were found and patched in the H card via over-the-satellite updates, locking pirates out of the smartcards as the holes were closed.

Another type of countermeasure was “looping” the pirate cards. Cards would be identified as having modified (hacked) code on them, and based on this check, a flag would be set in EEPROM indicating the card should be permanently disabled.

Once disabled, the smartcard would refuse to boot up. Hackers needed the card to be operational in order to exploit software bugs and reprogram EEPROM.

The first way the pirate cards were “looped” would trigger the boot routine to enter an endless loop that only sent the byte “99” out the serial port, forever. Inserting a smartcard into a programmer and seeing only 99 99 99 ... was a clear sign that the card had been looped.

Another possibility was for the H card to be “looped” in a way that it sent nothing out the serial port. Instead of sending a 99 in an infinite loop, the boot routine simply entered an infinite loop and did not respond in any way to a card programmer interface.

There were bytes in the EEPROM that controlled the “looped” behaviour. Once the byte was written in EEPROM, it was difficult to change back because now the card was looped and so the hacker had lost access to the microcontroller and couldn’t reprogram EEPROM to repair the card.

The pirates had a problem - their smartcards were getting looped and they were running out of new smartcards to create pirate cards from. Black market prices for H cards increased as availability decreased.

Pirate hackers came up with a solution - use a “glitch” (disturbance of voltage or clock) to bypass the “looped” condition of the card, allowing it to boot up normally, then they could reprogram EEPROM to remove the mark indicating the card was looped. It was an unlooper.

There was more than one unlooper developed, independently. (name redacted) in Winnipeg was a pirate dealer and hacker and first on the unlooping scene. He tended to keep his unlooper design private, to hold a monopoly on unlooping.

This wasn’t the first time satellite pirates had used glitching as an attack against security chips - the technique was in use by the late 80s, as a method to extract secret keys from decoders for C-band (6’ or even bigger dish) systems.

The “F card”, the first smartcard used by DirecTV, had also been hacked by pirates and then pirate cards had also been “looped” (99’d) as a countermeasure. (name redacted) in Winnipeg had developed an unlooper, as had the original “west group” engineer.

Typically the tools (programmers, unloopers) started in the hands of the large pirate dealers; gradually the supply increased, the price decreased, and they became more widespread. From time to time a tool would be leaked publicly on the internet, basically becoming free.

Atypically, one day an unknown hacker appeared on IRC and offered schematics and build instructions for an unlooper he designed. He had designed, tested, and documented his unlooper and shared it for free online.

Not only did his unlooper work - it worked better than the commercial dealers’ unloopers. Later on, more hacks would be shared online in this style, but for a long time most of the new hacks started from the commercial dealers and spread from there.

Back to the looped H cards - there was another unlooper developed, by (name redacted) in Bulgaria. The “west group” started offering H card unlooping using this unlooper.

Once a second group has a working fix (now the west group, and (name redacted) in Winnipeg), unloopers start being offered for sale to other dealers, a price war ensues, and within months unloopers are available for a few hundred dollars or less.

The unlooper from (name redacted) in Bulgaria was special though. It wasn’t designed in such a limited and specific way as most pirate devices. It was a very flexible and programmable voltage and clock glitching tool for smartcards.

It worked more reliably than any other unlooper. It worked far quicker than any other unlooper had ever worked. It unlooped AND programmed a pirate card faster than any other device could even program one, by a lot.

The pirate dealers saw the unlooper and named it for what they saw: the WildThing. As the market for unloopers grew, it became well known, and later it was cloned and the schematics and firmware posted online. It became the gold standard of unloopers.

The pirates were unlooping their H cards as fast as DirecTV could loop them. With unloopers a standard item in every pirate’s toolbox, it looked like the pirates had gained complete control over the H card for good.

Then the pirate cards were looped again. But now it was different - even the WildThing couldn’t unloop them. (redacted) in Bulgaria wouldn’t rescue the pirates this time - he had been hired by the security company to provide them with technical insight, instead of the pirates.

Due to the flexibility of the WildThing, an American hacker came up with new software that worked with the WildThing to unloop the H cards again. Pirates all over North America were using the new software and unlooping and fixing their pirate cards. The H card was doomed again.

(The same American hacker would later crack the next DirecTV smartcard, the “HU card”.)

For maximum effect, DirecTV often planned countermeasures against pirate cards to occur before, or during, large events: as a big boxing match began, during a Las Vegas event for satellite dealers, or, in this case, to shut down the pirates at their Super Bowl party.

Pirates saw their TV go dark and had their unloopers ready. But they found a new problem - again the unloopers couldn’t repair the cards. Super Bowl Sunday became Black Sunday.

Instead of just writing a flag in EEPROM to loop the cards, now the One Time Programmable (OTP) area had been marked. Even an unlooper couldn’t erase OTP the way EEPROM could be erased previously.

Black Sunday was a big hit to pirates; they had gotten cocky as DirecTV’s ability to disable their pirate cards had seemed to diminish. Now they were embarrassed by their TV stopping during their Super Bowl party, and their unlooper unable to unloop their pirate cards.

The piracy, and the “Black Sunday” countermeasure, were high profile enough that articles were written in mainstream media about it. Today it’s probably one of the most remembered points of the 1990s-2000s DirecTV piracy era.

The pirates weren’t done yet though. They found the mark in OTP and determined that a properly timed glitch would allow the smartcard to boot up and operate normally, until the next time the card was reset when the OTP mark would be checked again.

Within weeks of Black Sunday, pirates were back, using glitcher circuits on small shim PCBs that wedged between the satellite receiver and the smartcard that had been looped: “boot boards”.

Every time the card was reset, the shim would count clock cycles until a precise time when a glitch would be triggered, allowing the smartcard to boot up as though it had never been damaged.

The pirates kept unlooping their cards, and using “boot boards” to bypass OTP marking, and DirecTV kept making changes to interrupt the pirates. It wasn’t long before DirecTV switched to a new smartcard, the “HU card”, and then the H card was obsolete.

Bonus background - DirecTV wasn’t the first to be targeted by satellite pirates. Before DirecTV began operation there were networks of pirate dealers selling chipped boards for VideoCipher II (VC2), the system used on the C-band satellite systems (6 foot dishes, or even larger).

In 1994, Wired published a fairly long, and interesting, article about commercial satellite TV pirates. It’s a good read.

Bonus story related to Black Sunday:

Who was watching the Super Bowl on DirecTV in 2001 with a pirate card and got hit with the Black Sunday countermeasure? A lot of people, including OJ Simpson apparently.

Here’s an article from 2005 about the outcome of OJ Simpson’s legal trouble over DirecTV pirate devices found in his home in 2001. ($25,000 fine)

The “bootloader” devices referred to are the same type of boot boards I wrote about above being used to revive H cards shut down on Black Sunday.

There were different versions of the bootloader design manufactured by dealers after Black Sunday. By then, hackers had been studying the WildThing and the power of glitching, so many of them went straight to the idea of using a glitch to bypass the OTP loop from Black Sunday.

I wonder what OJ’s bootloader boards looked like? If the glitch doesn’t fit, you must reset! (sorry)