Profile picture
, 59 tweets, 11 min read
My Authors
Read all threads
A thread with some of the story of the “battery card” - the first pirate card sold for hacking DirecTV in the mid 1990s.

#tvpiratehistory
The battery card was a PCB slightly longer than a credit card, with chips on it to emulate a smartcard. Visible on the top of the card when inserted in a satellite receiver was a coin cell-type 3V battery.
Because the chips are thicker than a smartcard, the board would extend out of the cardslot to make room for the chips. Inside the satellite receiver, the battery card emulated an original smartcard. The satellite receiver wouldn’t know the difference.
Even before the launch of DirecTV, pirates had plans to hack the system to get free TV. Dealers had a business selling chipped boards for C-band VideoCipher II (VC2) systems, but a new VC2+ system had slowed their business.
When DirecTV was announced, pirates saw it as a new opportunity. As soon as the satellite receivers were on the market, pirate hackers were at work reverse engineering the receiver and smartcard. It was not long before the first pirate cards started being advertised.
At this time there were small businesses all over North America focused on selling and installing satellite dishes. While not all of these satellite dealers were interested in piracy, some of them made it part of their business.
The satellite dealers had started setting up business in the early 80s, when signals had not yet started to be encrypted. Customers would buy their own satellite dish and receiver, and they would be able to tune into any channel they could pick up the signal from.
Satellite dishes were TV antennas that reach out into space. This was a time when many areas didn’t even have cable TV yet - a couple local or regional broadcast TV stations might be the only TV available.
In the mid 80s some of the TV signals started to be encrypted. Home users didn’t like this - now they had to get a decoder and pay a monthly subscription fee, for something they already paid a lot to buy the dish and it was working just fine before encryption.
Captain Midnight was one man who was unhappy with encryption and the high subscription costs that had followed. One night in 1986, he overpowered HBO’s signal to the satellite, transmitting a message complaining about the high cost of HBO subscriptions.

en.wikipedia.org/wiki/Captain_M…
There was demand for a way to watch encrypted satellite TV without paying the full cost of a subscription, so hackers looked for ways to bypass the security.
By the late 1980s most satellite TV watched in homes was encrypted by the VC2 system, and there were networks of pirate satellite dealers all across North America and the Caribbean selling hacks. For a lot of people, using a hack to pirate satellite TV seemed completely normal.
So by the mid 1990s when DirecTV started operating, there were networks of pirate satellite dealers and dialup BBSs (this is just before and during the time the internet was becoming ubiquitous) and even magazines. When a new pirate device came on the market, word spread fast.
Satellite Watch News was one magazine from that era, it included satellite industry news as well as articles about pirate hacks. I’d be interested to hear about others that people remember.

anarchivism.org/w/Satellite_Wa…
The battery card used by DirecTV pirates wasn’t the first battery card. In Europe, pirates had also created a battery card of their own that was used to hack Sky TV from the UK.
Both battery cards used the DS5002 microcontroller and so both also had SRAM and a battery. The euro card had two SRAM chips and 16 MHz oscillator, the North American version had one SRAM chip, 12 MHz oscillator, and a second microcontroller - an AT89C51.
The North American battery card had electrical contact “fingers” at one end of the card, and was reprogrammed by plugging it into an edge connector socket.
Although it might seem that one of the battery cards inspired the other, that wasn’t the case. They were independent designs created by hackers familiar with security failings in microcontrollers, based on one of the most secure chips available at the time.
The hacker behind the battery card hack of DirecTV had previously used the DS5000 in a decoder they designed (the SUN board). DS5002 was a logical choice for the next project, the DirecTV hack.
The SUN board from Dec-Tec was on the market in the early 1990s. It was a decoder board made by a hacker, it was more flexible than existing decoders and it could also decrypt the C-band VC2 signals.

(If anybody knows about the SUN board I would love to hear about it!)
To break the security of the DirecTV smartcard (later known as the “F card”), hackers extracted the ROM and EEPROM contents and analyzed them.
Inside the F card smartcard was a MC68HC05SC21 microcontroller - 6805 CPU, a couple hundred bytes RAM, a few KB ROM and a few KB EEPROM. The microcontroller wasn’t particularly hardened against invasive attacks.
The opcodes used by the F card differed from regular 6805 opcodes - some bits were swapped and inverted. But after swapping and inverting the opcode bits, the ROM and EEPROM code could be disassembled like standard 6805.
The hackers analyzed the F card software, and found bugs they could exploit, allowing them to read from and write to the EEPROM by inserting the smartcard in a serial interface connected to the computer.
All the subscription information, encryption keys, and some of the software was contained in the EEPROM. The pirates could copy the EEPROM from a subscribed card onto another smartcard, making a clone that would decrypt all the same channels as the original.
Another technique was to modify the software inside the smartcard to ignore the list of subscribed channels (or “tiers”), and instead of authorizing only some channels, authorize every channel. This was known as a “3M” hack. The Three Musketeers - all for one and one for all.
The pirates didn’t just start selling hacked smartcards - instead they developed their own replacement for the original smartcard, the battery card.
This allowed the pirates to control the production, and in case of a countermeasure against them, the pirates could reprogram the card and continue. They couldn’t be locked out by updates to the original smartcards and the pirates had their own security to protect their market.
When a smartcard is used in a DirecTV receiver, it becomes “married” to that receiver. The card records the receiver’s serial number and if the card is then inserted in a different receiver, it will refuse to operate.
Inside the battery card was a copy of a subscribed smartcard’s EEPROM. This was known as the “master”. To match the master, the satellite receiver would have to be opened up and have an EEPROM chip inside it reprogrammed to change the serial number.
At that time there was only one model of DSS satellite receiver available, made by RCA. Pirates would connect a test clip over the DIP EEPROM to change the serial number to match the master.
Later there were more models of satellite receiver from RCA and others including Sony, Toshiba, Hughes. By then the pirates had updated the battery card so it could work in any receiver, instead of marrying to one. The receivers no longer needed any modification for the hack.
In the early days the satellite system was known as DSS, and DirecTV wasn’t the only TV service. A second company, USSB, shared the system. Later on, USSB was merged with DirecTV. Both DirecTV and USSB shared the same smartcard and were hacked by pirates at the same time.
When the pirate cards were shut down by the satellite company, it was known as an ECM - electronic countermeasure. After an ECM, the pirates would have to figure out a new fix to get their hacks working again.
When the battery cards were updated after an ECM, they were programmed with a file like MAIN02.ENC or MAIN03.ENC, containing an encrypted update. A programmer interface connected the battery cards edge connector to a PC parallel port.
Encrypting updates and securing their pirate card was a priority for pirates for two important reasons - preventing competitors from cloning their product, and making it more difficult for the satellite companies to find weaknesses in the pirate cards and shut them down.
The updates for the battery card were encrypted with a secret key: “Have a nice day, RCA”.
With the success of the pirates and the battery card came attention from the company tasked with securing the DirecTV signals - News DataCom (NDC, later NDS). As well as attempting countermeasures against the battery card, legal action was started against some of the pirates.
In June of 1996 several pirates were sued by DirecTV, including the engineer behind the battery card. As legal pressure mounted and countermeasures against the battery card continued, support for the battery card slowed.

upi.com/Archives/1996/…
There had also been another variant of the battery card, known as the “L card” due to its shape. The L card had a DS5000 module instead of DS5002 but operated the same as the battery card.
Another less common variant was the “T card” - shaped that way due to the DS5000 SIP module used. Functionally it was also the same as a battery card.
During mid 1996 when support was slow from the “west group” (the original battery card dealers), some fixes were released by the group behind the L card. Due to accelerated countermeasures from DirecTV, the fixes were short-lived.
The fall of 1996 was looking bleak for pirates with battery cards. On the Internet, pirates were starting to ask when dealers would finally call in the big gun to fix the hack properly and save the day.

web.archive.org/web/1999022019…
In late October 1996, the new Big Gun answered the call for help and released a new MAIN.ENC file for the battery cards. The file quickly spread through IRC and BBSs and pirates were watching TV with their battery cards again.
The satellite pirates had started connecting with each over the internet as it had become more widespread. Dialup BBSs were replaced with web pages and IRC chat. #satellite on EFnet became a hot spot.
Big Gun himself would sometimes appear on IRC to supply the latest fix for the battery cards and to ensure the dealers and end users were suitably impressed.
During the summer of 1996, the “plastic” hack became more widespread - this was what the pirates called the hacked original smartcards, reprogrammed with clone and 3M code to decrypt all the channels.
During the time without support for the battery card, some pirates switched to the plastic cards (hacked original smartcards). Also, the original clone and 3M hack developed by the west group had been copied by a competing group who sold it as their own hack. (CL12, CL45)
In addition to the 3M hack, there was a “3D” hack for the original smartcard. Inside the smartcard EEPROM was a list of channel tier codes authorized for that card. Each tier code corresponded to one or more TV channels (a package).
Instead of modifying the software inside the card, an entry was added to the list of subscriptions, for channel tier 33 3D. This was a special tier - it was authorized for every channel transmitted by DirecTV. Premium channels, pay-per-view, everything.
The pirates enjoyed the 3D hack for a while - eventually DirecTV removed the 33 3D channel tier from its system. The 3D cards were left capable of decrypting a smaller set of channels, limited to any other channel tiers that happened to be listed in the EEPROM.
After the 3D hack, the pirates reprogrammed the smartcards and switched to a 3M hack. During the rest of the lifetime of the F card, 3M hacks were used by pirates. 3M-type hacks would continue to be used against later series of smartcards (H and HU cards).
The battery card was designed so the exposed part sticking out of the satellite receiver could be enclosed. Molded plastic shells snapped together around the end of the battery card. Some battery cards were sold with the plastic covers, many were sold without.
The battery cards, with support from Big Gun, were used until the F card was made obsolete when DirecTV swapped to a new smartcard - the “H card”.
Battery cards weren’t used by pirates to hack later DirecTV cards after the F card, one reason being that the later smartcards included ASIC chips that the battery card couldn’t emulate.
This is a battery card programmer. It connects to PC via parallel port to update the card with a MAINxx.ENC file when fixes are needed. This could also program the EEPROM in the satellite receiver using the blue test clip (a ground clip on the white wire was lost over the years).
This programmer belongs to one of the pirate dealers raided by police in June 1996 in “operation ECM”. It was seized by the RCMP, then later in a legal win for the pirates, a judge ordered the seized equipment to be returned. It programmed a lot more pirate DSS cards after that.
In an unusual twist, a while later and for a short time, the battery cards could be programmed with a new file and used as a pirate card on the Dish Network system. But that’s a whole other story.
Writing these stories down has brought back a lot of memories, leading to more stories to share.

I have been telling other stories from the satellite piracy days of the 90s/2000s - you can find links to other stories in this thread:
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Chris Gerlinsky

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#tvpiratehistory #satellite

More from @akacastor see all

Profile picture
Chris Gerlinsky
@akacastor
The pirate business isn’t always friendly - November 30 1996, RON.EXE released by pirate DirecTV hacker “Fast Eddie” included a rant directed at competing Canadian pirate Ron Ereiser. It was also the first “freeware” hack shared on the internet for DirecTV.

#tvpiratehistory
This was a significant release for DirecTV hackers. At the time of RON.EXE, there were not many options available to the public for programming DirecTV smartcards - pirate dealers kept a tight grip on the few hacks developed.
RON.EXE was released during the “F card” DirecTV smartcard era. For many pirates on the internet, it was the first software they could download and use with an inexpensive smartcard programmer to hack DirecTV cards - an alternative to the battery cards.

Read 26 tweets
Profile picture
Chris Gerlinsky
@akacastor
A thread about a small piece of hacking history - memories of the DirecTV “HU card” and the pirates that hacked the smartcard to watch free satellite TV.

#tvpiratehistory
The smartcard used by DirecTV after the “H card” became known by pirates as the “HU” card. This was the third smartcard series for DSS (P3 card - period 3). Sometimes referred to as “the football card” because of the artwork on the back of the card.
Oddly enough, the “football card” was not the one OJ Simpson was busted for pirating. That was the previous generation of smartcard, the “H card”.

Read 45 tweets
Profile picture
Chris Gerlinsky
@akacastor
In a Discord chat, a link came up to an article from 2008 looking back on the 2001 “Black Sunday” countermeasure against DirecTV satellite pirates. I wanted to tell a bit of what I remember of the background to Black Sunday for some additional context.

blog.codinghorror.com/revisiting-the…
In the late 90s and early 2000s, satellite TV piracy was a big business. Online streaming, at least anything practical for home users, didn’t exist yet. 56K dialup modems were standard. Satellite TV was unbeatable both for selection as well as quality.
A thriving pirate business existed, in which pirate dealers would sell modified smartcards that enabled access to all the TV channels on the satellite.
Read 58 tweets

Related threads

Profile picture
Rocky Rocket
@VillageRocket
PONDER ON THE WORD BELOW (A #THREAD):

God created this world and brought man, a living being unto which He bestowed life, into it. Next, the man came to have parents and kin and was no longer alone.
Ever since man first laid eyes on this material world, he was...

#Thread
1/
destined to exist within the ordination of God. The breath of life from God supports each and every living being throughout growth into adulthood.

During this process, no one feels that man is growing up under the care of God; rather, they believe that man is...

#Thread
2/
doing so under the loving care of his parents, and that it is his own life instinct that directs his growing up. This is because a man knows not who bestowed his life, or from whence it came, much less the way which the instinct of life creates miracles. He knows...

#Thread
3/
Read 41 tweets
Profile picture
Manuela Tobías
@manuelatobiasm
#THREAD on how this @FresnoBee story came together.

This is an issue that is rarely talked about but gets in the way of advancing out of poverty. bit.ly/32kWPI5
@FresnoBee During reporting, I learned that some people pull out their own teeth; dentures are stolen; and some dentures are so painful people ditch them and chew with their gums. After a house fire, a man lost his ID and his chance to get dentures.
bit.ly/32kWPI5
@FresnoBee I dug up Gina’s story on @gofundme. Her teeth are yellow, crooked and browning. Some crumbled off like chalk, and others are decaying. She considers herself an extrovert and dreams of opening her own business, but shame pushed her into the shadows. bit.ly/32kWPI5
Read 7 tweets
Profile picture
Ali Hashem علي هاشم
@alihashem_tv
#Thread on the alleged Israeli strikes on #PMU bases in #Iraq
First Israeli strikes on #Iraq since 1981 major assault on Iraqi #nuclear facility Tammuz that ended the Iraqi nuclear program
The announced strikes or incidents are 3 till the moment, yet it's unknown whether there were more during the past few months. The Iraqi government seem to prefer ignoring the whole thing, yet the PMU deputy commander Abu Mahdi AlMuhandes was pushing for a clear stance
PMU commanders had a decision not to speak till yesterday, they were expecting a statement by the PM
@AdilAbdAlMahdi over the incidents, when this didn't happen #AlMuhandes issued his statement that infuriated the PM
Read 9 tweets
Profile picture
The Columbia Bugle 🇺🇸
@ColumbiaBugle
#Thread Why President Trump Should End Birthright Citizenship for Illegal Immigrants:

First we begin with the brilliant @KrisKobach1787 in 2011 on the O'Reily Factor, laying out the legal case to End Birthright Citizenship for Illegal Immigrants 1/
"The notion that simply being born within the geographical limits of the United States automatically confers U.S. citizenship is an absurdity — historically, constitutionally, philosophically and practically." - Michael Anton 2/ washingtonpost.com/opinions/citiz…
"Some will argue that the Supreme Court has already settled this issue, establishing birthright citizenship in United States v. Wong Kim Ark. But this is wrong. The court has ruled only that children of LEGAL residents are citizens." - Michael Anton 3/ washingtonpost.com/opinions/citiz…
Read 11 tweets
Profile picture
Srikanth ஸ்‌ரீகாந்த்
@logic
QR code option may be must for shops toi.in/AkXzyY66/a24gk via @TOIBusiness | This take over of cash by a lobby is suicidal for the economy. #Thread time #CashlessConsumer
The above story starts from 29th @GST_Council meeting where GoM on digital payments discussed incentivising digital payments. The minutes are at gstcouncil.gov.in/sites/default/…

Start at Page 29.
The incentive is restricted to @NPCI_BHIM and @RuPay_npci cards - casually mentioned in 8.13 as "Government·oflndia owned cards i.e. RuPay (Debit card) and tlle BHIM application"

Plain lies being used to divert sovereign tax to a private company. If this is not scam, what is?
Read 6 tweets
Profile picture
Jikku Varghese Jacob
@Jikkuvarghese
#Thread Here's an incredible story about a young man who was busy with loading and unloading in #KeralaFloods relief centres. Only days later people came to know that he was none other than, Kannan Gopinathan, the Collector of Dadra & Nagar Haveli! (1/n)
He travelled in KSRTC buses and covered 5 districts in 10 days without revealing identity. He took leave for serving his homeland in the time of crisis. Kannan is a native of Kottayam. Even his relatives were not aware of his unofficial visit! (2/n)
It was only after Eranakulam Collector Y.Safirulla's visit to centre at KBPS press, the volunteers of the camp came to know that the guy who was helping in loading goods was an IAS officer! (3/n)
Read 9 tweets

Trending hashtags

#Cloud #SalvadorDonoso #India #Rathyatra #Jamal_Khashoggi #Tech #MondayMotivaton #documentation #Buddha #Senate #payday #Rancagua #WTO #MANUFACTURING #Tesla #AvenidaRamonFreire #UN #UMC #Agriculture #escopetas #NXIVM #chipmakers #Curico #VictorJara #Bangladesh
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!