Skip to main content

Some of the story of the Battery Card

Some of the story of the “battery card” - the first pirate card sold for hacking DirecTV in the mid 1990s. #tvpiratehistory

(note: This story was originally posted on Twitter Oct 18, 2018.)

The battery card was a PCB slightly longer than a credit card, with chips on it to emulate a smartcard. Visible on the top of the card when inserted in a satellite receiver was a coin cell-type 3V battery.

Because the chips are thicker than a smartcard, the board would extend out of the cardslot to make room for the chips. Inside the satellite receiver, the battery card emulated an original smartcard. The satellite receiver wouldn’t know the difference.

Even before the launch of DirecTV, pirates had plans to hack the system to get free TV. Dealers had a business selling chipped boards for C-band VideoCipher II (VC2) systems, but a new VC2+ system had slowed their business.

When DirecTV was announced, pirates saw it as a new opportunity. As soon as the satellite receivers were on the market, pirate hackers were at work reverse engineering the receiver and smartcard. It was not long before the first pirate cards started being advertised.

At this time there were small businesses all over North America focused on selling and installing satellite dishes. While not all of these satellite dealers were interested in piracy, some of them made it part of their business.

The satellite dealers had started setting up business in the early 80s, when signals had not yet started to be encrypted. Customers would buy their own satellite dish and receiver, and they would be able to tune into any channel they could pick up the signal from.

Satellite dishes were TV antennas that reach out into space. This was a time when many areas didn’t even have cable TV yet - a couple local or regional broadcast TV stations might be the only TV available.

In the mid 80s some of the TV signals started to be encrypted. Home users didn’t like this - now they had to get a decoder and pay a monthly subscription fee, for something they already paid a lot to buy the dish and it was working just fine before encryption.

Captain Midnight was one man who was unhappy with encryption and the high subscription costs that had followed. One night in 1986, he overpowered HBO’s signal to the satellite, transmitting a message complaining about the high cost of HBO subscriptions.

There was demand for a way to watch encrypted satellite TV without paying the full cost of a subscription, so hackers looked for ways to bypass the security.

By the late 1980s most satellite TV watched in homes was encrypted by the VC2 system, and there were networks of pirate satellite dealers all across North America and the Caribbean selling hacks. For a lot of people, using a hack to pirate satellite TV seemed completely normal.

So by the mid 1990s when DirecTV started operating, there were networks of pirate satellite dealers and dialup BBSs (this is just before and during the time the internet was becoming ubiquitous) and even magazines. When a new pirate device came on the market, word spread fast.

Satellite Watch News was one magazine from that era, it included satellite industry news as well as articles about pirate hacks. I’d be interested to hear about others that people remember.

The battery card used by DirecTV pirates wasn’t the first battery card. In Europe, pirates had also created a battery card of their own that was used to hack Sky TV from the UK.

Both battery cards used the DS5002 microcontroller and so both also had SRAM and a battery. The euro card had two SRAM chips and 16 MHz oscillator, the North American version had one SRAM chip, 12 MHz oscillator, and a second microcontroller - an AT89C51.

The North American battery card had electrical contact “fingers” at one end of the card, and was reprogrammed by plugging it into an edge connector socket.

Although it might seem that one of the battery cards inspired the other, that wasn’t the case. They were independent designs created by hackers familiar with security failings in microcontrollers, based on one of the most secure chips available at the time.

The hacker behind the battery card hack of DirecTV had previously used the DS5000 in a decoder they designed (the SUN board). DS5002 was a logical choice for the next project, the DirecTV hack.

The SUN board from Dec-Tec was on the market in the early 1990s. It was a decoder board made by a hacker, it was more flexible than existing decoders and it could also decrypt the C-band VC2 signals.

(If anybody knows about the SUN board I would love to hear about it!)

To break the security of the DirecTV smartcard (later known as the “F card”), hackers extracted the ROM and EEPROM contents and analyzed them.

Inside the F card smartcard was a MC68HC05SC21 microcontroller - 6805 CPU, a couple hundred bytes RAM, a few KB ROM and a few KB EEPROM. The microcontroller wasn’t particularly hardened against invasive attacks.

The opcodes used by the F card differed from regular 6805 opcodes - some bits were swapped and inverted. But after swapping and inverting the opcode bits, the ROM and EEPROM code could be disassembled like standard 6805.

The hackers analyzed the F card software, and found bugs they could exploit, allowing them to read from and write to the EEPROM by inserting the smartcard in a serial interface connected to the computer.

All the subscription information, encryption keys, and some of the software was contained in the EEPROM. The pirates could copy the EEPROM from a subscribed card onto another smartcard, making a clone that would decrypt all the same channels as the original.

Another technique was to modify the software inside the smartcard to ignore the list of subscribed channels (or “tiers”), and instead of authorizing only some channels, authorize every channel. This was known as a “3M” hack. The Three Musketeers - all for one and one for all.

The pirates didn’t just start selling hacked smartcards - instead they developed their own replacement for the original smartcard, the battery card.

This allowed the pirates to control the production, and in case of a countermeasure against them, the pirates could reprogram the card and continue. They couldn’t be locked out by updates to the original smartcards and the pirates had their own security to protect their market.

When a smartcard is used in a DirecTV receiver, it becomes “married” to that receiver. The card records the receiver’s serial number and if the card is then inserted in a different receiver, it will refuse to operate.

Inside the battery card was a copy of a subscribed smartcard’s EEPROM. This was known as the “master”. To match the master, the satellite receiver would have to be opened up and have an EEPROM chip inside it reprogrammed to change the serial number.

At that time there was only one model of DSS satellite receiver available, made by RCA. Pirates would connect a test clip over the DIP EEPROM to change the serial number to match the master.

Later there were more models of satellite receiver from RCA and others including Sony, Toshiba, Hughes. By then the pirates had updated the battery card so it could work in any receiver, instead of marrying to one. The receivers no longer needed any modification for the hack.

In the early days the satellite system was known as DSS, and DirecTV wasn’t the only TV service. A second company, USSB, shared the system. Later on, USSB was merged with DirecTV. Both DirecTV and USSB shared the same smartcard and were hacked by pirates at the same time.

When the pirate cards were shut down by the satellite company, it was known as an ECM - electronic countermeasure. After an ECM, the pirates would have to figure out a new fix to get their hacks working again.

When the battery cards were updated after an ECM, they were programmed with a file like MAIN02.ENC or MAIN03.ENC, containing an encrypted update. A programmer interface connected the battery cards edge connector to a PC parallel port.

Encrypting updates and securing their pirate card was a priority for pirates for two important reasons - preventing competitors from cloning their product, and making it more difficult for the satellite companies to find weaknesses in the pirate cards and shut them down.

The updates for the battery card were encrypted with a secret key: “Have a nice day, RCA”.

With the success of the pirates and the battery card came attention from the company tasked with securing the DirecTV signals - News DataCom (NDC, later NDS). As well as attempting countermeasures against the battery card, legal action was started against some of the pirates.

In June of 1996 several pirates were sued by DirecTV, including the engineer behind the battery card. As legal pressure mounted and countermeasures against the battery card continued, support for the battery card slowed.

There had also been another variant of the battery card, known as the “L card” due to its shape. The L card had a DS5000 module instead of DS5002 but operated the same as the battery card.

Another less common variant was the “T card” - shaped that way due to the DS5000 SIP module used. Functionally it was also the same as a battery card.

During mid 1996 when support was slow from the “west group” (the original battery card dealers), some fixes were released by the group behind the L card. Due to accelerated countermeasures from DirecTV, the fixes were short-lived.

The fall of 1996 was looking bleak for pirates with battery cards. On the Internet, pirates were starting to ask when dealers would finally call in the big gun to fix the hack properly and save the day.

Satellite Watch News website Oct 96, archive.org

In late October 1996, the new Big Gun answered the call for help and released a new MAIN.ENC file for the battery cards. The file quickly spread through IRC and BBSs and pirates were watching TV with their battery cards again.

The satellite pirates had started connecting with each over the internet as it had become more widespread. Dialup BBSs were replaced with web pages and IRC chat. #satellite on EFnet became a hot spot.

Big Gun himself would sometimes appear on IRC to supply the latest fix for the battery cards and to ensure the dealers and end users were suitably impressed.

During the summer of 1996, the “plastic” hack became more widespread - this was what the pirates called the hacked original smartcards, reprogrammed with clone and 3M code to decrypt all the channels.

During the time without support for the battery card, some pirates switched to the plastic cards (hacked original smartcards). Also, the original clone and 3M hack developed by the west group had been copied by a competing group who sold it as their own hack. (CL12, CL45)

In addition to the 3M hack, there was a “3D” hack for the original smartcard. Inside the smartcard EEPROM was a list of channel tier codes authorized for that card. Each tier code corresponded to one or more TV channels (a package).

Instead of modifying the software inside the card, an entry was added to the list of subscriptions, for channel tier 33 3D. This was a special tier - it was authorized for every channel transmitted by DirecTV. Premium channels, pay-per-view, everything.

The pirates enjoyed the 3D hack for a while - eventually DirecTV removed the 33 3D channel tier from its system. The 3D cards were left capable of decrypting a smaller set of channels, limited to any other channel tiers that happened to be listed in the EEPROM.

After the 3D hack, the pirates reprogrammed the smartcards and switched to a 3M hack. During the rest of the lifetime of the F card, 3M hacks were used by pirates. 3M-type hacks would continue to be used against later series of smartcards (H and HU cards).

The battery card was designed so the exposed part sticking out of the satellite receiver could be enclosed. Molded plastic shells snapped together around the end of the battery card. Some battery cards were sold with the plastic covers, many were sold without.

The battery cards, with support from Big Gun, were used until the F card was made obsolete when DirecTV swapped to a new smartcard - the “H card”.

Battery cards weren’t used by pirates to hack later DirecTV cards after the F card, one reason being that the later smartcards included ASIC chips that the battery card couldn’t emulate.

This is a battery card programmer. It connects to PC via parallel port to update the card with a MAINxx.ENC file when fixes are needed. This could also program the EEPROM in the satellite receiver using the blue test clip (a ground clip on the white wire was lost over the years).

This programmer belongs to one of the pirate dealers raided by police in June 1996 in “operation ECM”. It was seized by the RCMP, then later in a legal win for the pirates, a judge ordered the seized equipment to be returned. It programmed a lot more pirate DSS cards after that.

In an unusual twist, a while later and for a short time, the battery cards could be programmed with a new file and used as a pirate card on the Dish Network system. But that’s a whole other story.