==Phrack Magazine==



                 Volume Five, Issue Forty-Six, File 10 of 28



****************************************************************************



                   /**************************/

                   /* A Guide to Porno Boxes */

                   /*     by Carl Corey      */

                   /**************************/





Keeping with tradition, and seeing that this is the first article in

Phrack on cable TV descrambling, any illegal box for use in descrambling

cable television signals is now known as a PORNO BOX.



There are many methods that cable companies use to insure that you get

what you pay for - and _only_ what you pay for.  Of course, there are

always methods to get 'more than you pay for'.  This file will discuss

the most important aspects of these methods, with pointers to more

detailed information, including schematics and resellers of equipment.





Part I.  How the cable company keeps you from getting signals

   A brief history



---Older Systems---



Most scrambling methods are, in theory, simple.  The original method

used to block out signals was the trap method.  All traps remove signals

that are sent from the CATV head end (the CATV company's station).  The

first method, which is rarely used anymore was the negative trap.

Basically, every point where the line was dropped had these traps, which

removed the pay stations from your signal.  If you decided to add a pay

station, the company would come out and remove the trap.  This method was

pretty secure - you would provide physical evidence of tampering if you

climbed the pole to remove them or alter them (sticking a pin through

them seemed to work randomly, but could affect other channels, as it

shifts the frequency the trap removes.)  This was a very secure system,

but did not allow for PPV or other services, and required a lot of

physical labor (pole-climbers aren't cheap).  The only places this is

used anymore is in an old apartment building, as one trip can service

several programming changes.  Look for a big gray box in the basement

with a lot of coax going out.  If you are going to give yourself free

service, give some random others free service to hide the trail.



The next method used was termed a positive trap.  With this method, the

cable company sends a _very_ strong signal above the real signal.  A

tuner sees the strong signal, and locks onto the 'garbage' signal.  A

loud beeping and static lines would show up on the set.  For the CATV

company to enable a station, they put a 'positive' trap on the line,

which (despite the name) removes the garbage signal.  Many text files

have been around on how to descramble this method (overlooking the

obvious, buying a (cheap) notch filter), ranging from making a crude

variable trap, to adding wires to the cable signal randomly to remove the

signal.  This system is hardly used anymore, as you could just put a trap

inside your house, which wouldn't be noticed outside the house.



---Current Systems---



The next advent in technology was the box.  The discussion of different

boxes follows, but there is one rather new technology which should be

discussed with the traps.  The addressable trap is the CATV's dream.  It

combines the best features of the negative trap (very difficult to tamper

with without leaving evidence) with features of addressable boxes (no

lineman needs to go out to add a service, computers can process Pay Per

View or other services).  Basically, a 'smart trap' sits on the pole and

removes signals at will.  Many systems require a small amp inside the

house, which the cable company uses to make sure that you don't hook up

more than one TV.  I believe that the new CATV act makes this illegal,

and that a customer does not have to pay for any extra sets (which do not

need equipment) in the house.  Of course, we all know that the cable TV

company will do whatever it wants until it is threatened with lawsuits.



Cable boxes use many different methods of descrambling.  Most are not in

use anymore, with a few still around, and a few around the corner in the

future.  The big thing to remember is sync suppression.  This method is

how the cable companies make the picture look like a really fucked up,

waving Dali painting.  Presently the most popular method is the Tri-mode

In-band Sync suppression.  The sync signal is suppressed by 0, 6, or 10

dB.  The sync can be changed randomly once per field, and the information

necessary for the box to rebuild a sync signal.  This very common system

is discussed in Radio-Electronics magazine in the 2/87 issue.  There are

schematics and much more detailed theory than is provided here.



The other common method currently used is SSAVI, which is most common on

Zenith boxes.  It stands for Sync Suppression And Video Inversion.  In

addition to sync suppression, it uses video inversion to also 'scramble'

the video.  There is no sync signal transmitted separately (or reference

signal to tell the box how to de-scramble) as the first 26 lines (blank,

above the picture) are not de-synched, and can be re-synched with a

phased lock loop - giving sync to the whole field.  The data on inversion

is sent somewhere in the 20 or 21st line, which is outside of the

screen.  Audio can be scrambled too, but it is actually just moved to a

different frequency.  Radio Electronics August 92 on has circuits and

other info in the Drawing Board column.



---Future Systems-



For Pioneer, the future is now.  The system the new Pioneers use is

patented and Pioneer doesn't want you to know how it works.  From the

patent, it appears to use combinations of in-band, out-band, and keys

(also sending false keys) to scramble and relay info necessary to

descramble.  These boxes are damn slick.  The relevant patents are US

#5,113,411 and US #4,149,158 if you care to look.  There is not much

information to be gained from them.  Look for future updates to this

article with info on the system if I can find any :)



Other systems are the VideoCipher + (used on satellites now - this is

scary shit.)  It uses DES-encrypted audio.  DigiCable and DigiCipher are

similar, with Digi encrypting the video with DES also  (yikes)...  And

they all use changing keys and other methods.  Oak Sigma converters use

similar methods which are available now on cable.  (digital encryption of

audio, etc...)



Part II.  How the cable company catches you getting those signals



There are many methods the CATV company can use to catch you, or at

least keep you from using certain methods.



Market Code:   Almost _all_ addressable decoders now use a market code.

                This is part of the serial number (which is used for pay

                per view addressing) which decodes to a general geographic

                region.  Most boxes contain code which tell it to shut

                down if it receives a code (which can be going to any box

                on the cable system) which is from a different market area.

                So if you buy a converter that is say, market-coded for

                Los Angeles, you won't be able to use it in New York.



Bullets:        The bullet is a shut down code like above - it will make

                your box say 'bAh' and die.  The method used most is for

                the head end to send messages to every box they know of

                saying 'ignore the next shutdown message' ... and once

                every (legit) box has this info, it sends the bullet.

                The only boxes that actually process the bullet are ones

                which the CATV system doesn't know about.  P.S.  Don't

                call the cable company and complain about cable if you

                are using an illegal converter - and be sure to warn

                anyone you live with about calling the CATV co. also.



Leak Detection: The FCC forces all cable companies to drive around and

                look for leaks - any poor splice jobs (wiring your house

                from a neighbors without sealing it up nice) and some

                descramblers will emit RF.  So while the CATV is looking

                for the leaks, they may catch you.



Free T-Shirts: The cable company can, with most boxes, tell the box to

                display a different signal.  So they can tell every box

                they know of (the legit box pool) to display a commercial

                on another channel, while the pirate boxes get this real

                cool ad with an 1800 number for free t-shirts... you call,

                you get busted.  This is mostly done during PPV boxing or

                other events which are paid for - as the company knows

                exactly who should get that signal, and can catch even

                legit boxes which are modified to receive the fight.



Your Pals:      Programs like "Turn in a cable pirate and get $100" let

                you know who your friends _really_ are.





Part III:  How to get away with it.



I get a lot of questions about opening a box that you own.  This is not

a good idea.  Most, if not ALL boxes today have a tamper sensor.  If you

open the box, you break a tab, flip a switch, etc...  This disables the

box and leaves a nice piece of evidence for the CATV co. to show that you

played with it.



I also have had questions about the old "unplug the box when it is

enabled, then plug it back in later"...  The CATV company periodically

sends a signal to update all the boxes to where they should be.  If you

want to do this, you'll need to find out where the CATV sends the address

information, and then you need to trap it out of the signal.  So as soon

as the fraudulent customer (let's call him Chris) sees his box get the

signal to receive the PPV porn channel, he installs the trap and now his

box will never get any pay per view signals again...  but he'll always

have whatever he was viewing at the time he put the trap in.  Big problem

here is that most _newer_ systems also tell the box how long it can

descramble that channel - i.e.  "Watch SPICE until I tell you not to, or 3

hours have passed"...



Where to make/buy/get porno boxes:



You can order a box which has been modified not to accept bullets.  This

method is pretty expensive.  You can also get a 'pan' descrambler - it is

a separate piece that takes whatever goes in on channel 3 (or 2 or 4) and

descrambles it.  These boxes can't be killed by the bullets, and work

pretty well.  There are some pans which are made by the same company as

your cable box and are sensitive to bullets, so beware.



There are two basic ideas for modifying a box (provided you get detailed

instructions on how to get it open, or how to fix it once you open it).

You can change the S/N to something which is known as 'universal' or

disassemble the code and remove the jump to the shutdown code.

The universal codes are rare, and may be extinct.  Besides, if the cable

company finds out your code, they can nuke it.  This happens when someone

who makes (err made) 'universal' chips gets busted.  The modification of

the actual code is the best way to do it, just forcing a positive

response to permission checks is the easiest way.



A 'cube' is not a NeXT, it's a device which removes the data signal from

the cable line, and inserts a 'nice' data signal which tells your box to

turn everything on.  A 'destructive' cube actually re-programs all the

boxes below it to a new serial number and gives that number full

privileges, while a 'non-destructive' cube needs to know your boxes

serial number, so it can tell your box (without modifications) that it

can view everything.  You have to get a new IC if you change boxes, but

the plus is that you can remove the cube and the box functions as

normal.  Then again, you have to trust the place you are ordering the

cube from to not be working for the cable company, as you have to give

them your box serial number - which the CATV cable has in their records.

Cubes have been seen for sale in the back of Electronics Now (formerly

Radio Electronics).



Of course, you could check in the above mentioned articles and build

circuitry, it would be a lot cheaper.  The only problem is that you have

to be good enough not to fuck it up - TV signals are very easy to fuck up.



Then there is the HOLY GRAIL.  Most scrambling systems mess with the sync

pulse.  This pulse is followed by the colorburst signal on NTSC video.

Basically, the grail finds the colorburst and uses it as a reference

signal.  In theory, it works wonderfully (but does not fix the video

inversion problems found on SSAVI systems).  However, with the sync pulse

whacked, the colorburst method may give weak color or color shifts.  The

schematics are in the May 1990 Radio-Electronics.  I have also received

email from aa570@cleveland.Freenet.Edu about his colorburst kit, which is

a modified (supposedly higher quality) version of the R-E schematics.

The schematic and parts list is 5 bucks, 16 bucks for a pre-drilled and

etched board.  A little steep, but not too bad.  E-mail the above for

more information.





Anyway, that's all for now.  Remember, information (including XXX movies)

wants to be free!



Carl Corey / dEs