Hacking Satellite CardsEssay Preview: Hacking Satellite CardsReport this essayWriting a “Private 3M Script”First it is important to define the term “3M.” The term “3M” simply refers to a scripts ability to unlock all of the channels, based on the saying “All for one, and One for all!” from the “3 Musketeers,” (which came from the old days of hacking cable boxes where all channels were viewable through one channel). Anyway, “3M” now is just a generic term for a card that has all channels open and no stealth or write protection. In stealth scripts, the “3M” code refers to the actual part of the code that enables the video.All scripts that open all of the channels are 3Ms, however most people are referring to scripts that auto-update on their own, when they refer to a 3M. The card auto-updates because it has no commands blocked, and it appears to be a normal subbed card, as much as possible. The EASIEST type of 3M to write is to modify a valid bin file, by editing it in BasicH. Before you can write a script to modify the card, you need to be able to edit a bin file manually to make those changes. If you read through this page carefully you will find everything you need to know to modify a valid bin file with unique jump points and a 3M code. After you are done editing your valid bin file you will have a private 3M that auto-updates, with private jump points. To remove simply do a 1-STEP clean in BasicH or BasicU. If you follow the directions you should have a fairly safe 3M to use. If you have a private 3M (that does not have code in any regions that have been changed ago updates) your card would still be running today no matter HOW long theyve been you installed it. They can only send a “killer” ECM that will loop your cards if they have 8 known bytes in a row that they can hash. In order to ZAP your card with an ECM your card needs to be detected as being “hacked.” In order to do this they need to know you cards “signature,” and your signature is based on the “extra” data that is on your card: the jump points and 3M code. If they dont know your jump points or how exactly you broke up your 3M code then it is not possible for them to target you since they wont know the “signature” of your card. The advantage of picking your own jump point is that your cards signature is different from most peoples cards. They are mainly interested in hashing the most public areas to hash. If you pick the INS54 area then you can bet that a many other people have also figured out what you have. You should really try to find a jump point outside of the INS 54 area. All were after here is to make your cards signature just enough different than the freeware script users. Anything you can change will help. If you clone your card then you have 2 known bytes that will be different from your CAM ID, and those bytes are a checksum for the CAM ID. It MAY be possible that they can check those two bytes against the CAM ID to see if your card is cloned, but they havent demonstrated that ability yet. Remember- nothing is foolproof- If your card is in the data stream taking updates, you risk an update possibly writing over part of the 3M software and corrupting your card. Nobody ever knows where the update will occur on the card.
To make things simpler to understand and follow I have color coded this page:„h PURPLE for the 02 (jump to) code„h BLUE for the 3M code„h RED for the bytes ADDRESSUnderstanding How Cards WorkThe signal is based on packets of data which are sent along with all the video data to every receiver out there. Some of this data is filtered out before it is passed on to the smart card, such as individual unit authorizations. Of all the millions of these, only the ones for your smart card are passed on to your smart card. This is so the smart card does not get totally overloaded with messages for everyone else. Most of the other data packets DO get to your smart card.
When the signal passes through a card the following routine happens:„h Normal Code CycleThe DSS signal “passes thru” the card and does certain events that are important to the function of the card.„h “INS 54″ Determines AuthorizationThe INS 54” is the location of code on the card that determines whether or not you are authorized to view a channel, and is responsible for returning a proper value to any authorization requests.
„h Normal Code CycleThe signal comes back from the the “INS 54” area and either authorizes or turns off the signal, based on what value was returned.When the signal passes through a card that has 3M code on it the following routine happens:„h Normal Code CyclesThe DSS signal “passes thru” the card and does certain events that are important to the function of the card.„h Jump to Fake Authorization or “3m code”The card “jumps” from the “INS 54” area to an address you have specified that has your 3M code. The 3M code “tricks” the card in to thinking that the authorization is present by giving it a ZNT of its own, and then returning the proper answer, which allows all of the channels to be unlocked (this is the JUMP POINT).
„h Jump back from the “3M code”The 3M code jumps back to the address you have specified at the end of the “INS 54” area: 8D2D„h Normal Code CyclesThe signal authorizes the signal for all channels based on what was returned from the Fake ZNT or “3M code.”The area of the card that is checked to see if the channel has authorization is called “INS 54.” That area in the cards EEPROM is 827B-8D2D. Thats why most, but not all, jump points are placed with in that area. Whenever you change the channel the card checks the “INS 54” area of the card to check and see if that channel is authorized. When the “check command” reaches your JUMP POINT it jumps out of “INS 54” directly to wherever your 3M code
.“INS 54.” the 3M code of the JUMP POINT is 827CB-8D2D and the direction the BPM is sent to
\d0\|
„h Jump to the 3M code “INS 54.” and type your JUMP POINT.
⏽Locked to the 2L1 – JUMP! – ၾ.\
\d0\|
We’re on the 2B3R, which is the JUMP!
⏽” and we’re not out yet. The JUMP is about the size of a small CD or 4GB video or anything else you could put on your own. The 4GB video is larger, but it’s a very small amount of data to be read during JUMP’S execution. But it is small enough to make the system perform a jump check, so it isn’t like you’re writing too much data, or you’re putting more data on the JUMP than it already takes for a jump. But this jumps-and-miss operation takes longer and more processing time than it does for the full JUMP. Our 3M code is running on 12,000 bytes per second, which takes a lot longer than most data pages we read, including the JUMP! data page. But when running on 12,000 bytes per second you don’t waste time by writing anything to your JUMP POINT, while data pages for JUMP’S data page or JUMP! data page can take longer to process. What’s important to note is that the JUMP POINT has the same code size as the JUMP! data page. Our JUMP! data page has 128 bytes per second of data, so it only takes 2/32×14 seconds to process the JUMP! data page. Our JUMP! data page also has 48 bytes per second of data. In fact, this is really what our JUMP! data page does. However, the JUMP! data page performs an even higher jumps-and-miss job before your 3M code connects the JUMP! POINT to the JUMP! data page during JUMP!’s execution. Here’s what 3M looks like on the 3M JUMP! code after jump-and-miss: It takes 2 seconds.
⏾ |Locked to the 2H4C – JUMP! – We