Nagravision Syster VBI (en anglais!)

Je vais écrire en anglais, car Google Translate ne le fera pas correctement. Si quelqu’un peut traduire le texte ci-dessous correctement, il sera beaucoup plus facile à comprendre :slight_smile:

Over the past year or so, there have been efforts to crack Syster VBI. The idea was to create a real functioning Syster encoder. The same thing has already been done with Videocrypt, which was tricky but in the end it’s a 100% working system. This was achieved by taking an old recording from an old Sky UK channel, taking VBI, cleaning it up and activating the Videocrypt decoder. Once the decoder is « activated », the image could be brute-forced to find cut points. These can then be used to encrypt the video in HackTV and sent via HackRF.

Here’s the original Videocrypt VBI as seen from VHS tape:

youtube.com/watch?v=7Lv9xSQ-YPA

This contains teletext as well as Videocrypt VBI. After cleaning it up, here’s what we end up with:

youtube.com/watch?v=Ezm_hFen6Uo

And here’s the final result:

youtube.com/watch?v=FgoNPRX53zY

For Syster, it has proven quite tricky to do the same due to lack of available data and especially VHS tapes. I could find Syster decoders and keys easily enough on eBay and other classified advert sites but getting decoders to kick in has proven tricky.

I was quite lucky to obtain two recordings from a guy on YouTube last year and this gave us a glimpse into what Syster VBI looked like:

youtube.com/watch?v=sig0-tCNBp4

As you can see, it’s a lot busier than Videocrypt - the data rate is much higher. But again, it needs to be cleaned up from teletext data etc.

Running the tape through a decoder did manage to kick it in but it was very rare and very unreliable. And this was with a good m’scope with time base correction. It was very tricky to see what data was valid and what wasn’t. With some initial work, it was found that some of the data was completely irrelevant and not needed:

145: 7: .......QUSSVQS.QUSSVQ.. (23) 145: 8: .'.......&.......&.&nx. (23) 145:24: I.(..............DUMMY. (23) 145:25: .EMMDUMMYEMMDUMMYEMMDU. (23)
Are we all DUMMies?! :slight_smile:

A saving grace came from a French document, which describes VBI data in some very good detail. However, it was still missing certain pieces, like how CRC was generated for each line, and what each of the values in the lines meant. Through some assumptions and brute-forcing, CRC was eventually figured out. This allowed the creation of valid VBI lines. The structure is like this:

[Sync] [Data] [16-bit CRC] [AA 0B 18 36] [85 A2 B2 B2 22 AA B2 B2 9A A2 B2 B2 22 AA B2 B2 9A A2 B2 B2 22 AA] [08 68]
This still didn’t really make the decoder do anything with either Premiere or Canal+ keys but combining the above with some of the data retrieved from Premiere’s VBI and zeroing out most of the data part allowed the decoder to kick in - at least sometimes.

Here’s part of the data that is sent by HackTV:

[Sync] [Data] [16-bit CRC] [AA 0B 18 36] [A8 4E 20 AF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00] [A1 C3]
There is more but the sequence is essentially repeated. Here’s what the VBI data looks like now:

dropbox.com/s/xwv3tofppgj7w … i.mp4?dl=0

And here is the result:

youtube.com/watch?v=7WxN7ALxn_s

It’s nowhere near 100% as it loses lock - clearly some of the data is still missing or invalid - but it’s getting there.

As you can see from the video, it ONLY works with Premiere keys. Inserting keys from Canal+ Poland, France or NTV+ Russia does not make the decoder do anything. However, you can use a decoder from any country.

One thing that was found is that the permutation table used by the French decoder in the video is that used by Premiere. This suggested what was suspected anyway - permute tables were kept inside the decoder. And it’s being selected by the second byte in the data sequence (4E).

From the French document, it lists different modes of encryption (they are bit-reversed):

0x12: Canal+ clear 0x4E: Canal+ old code (and Premiere) 0x5E or 0x5F: Canal+ new code, free access 0xDE: Canal+ new code, conditional access
We need to try other codes in place of 4E and see what they produce. Not quite sure what « free access » means. I think you still need a key to actually get the decoder to scramble.

One major piece of the puzzle still missing is what make it work with Premiere key only and not, say, France Canal+ key. This is why we are still looking for VHS recordings from Canal+ France to compare the data.

jolis travail il viens de faire comme dreambox59 qui a su convertir un decodeur discret 12 en codeur discret 11 mais la ç est du nagra bravo il me tarde de creuser le sujet bravo!

Hello Captain Jack,

« free access » could be a mode similar to the old descrambler « discret 11 », where at the end of the month there was a brief moment (2~3 days) where the owner of a discret11 descrambler could see canal+ France for free, the image was still scrambled (« audience level 7 ») but no need to have a valid key, the discret11 descrambler automatically decodes the image,

so perhaps a similar mode exists for nagravision syster ?

earliest syster descramblers had also the ability to manage « discret11 » system, they used VBI info instead of the keyboard code, 0x5E or 0x5F could refer to this discret11 mode

Yes, I suspect that’s the case. Sky used to do exactly the same thing - like an advert.

How early? Has anyone managed to get Syster decoder to decode Discret11 here? Might a project for the future for HackTV…

there was a transitional period in France, between 1993 and 1995, where in some areas the syster system had not yet arrived, it was the old « discret11 » system that was used, the subscribers in these regions were receiving the new syster decoder and this decoder had to manage the 2 systems, in order to avoid the black screen,

maybe all syster decoders can have the ability to manage discret11, not easy to check it

Hmm, if VBI data can be generated and sent - can it be checked then? I thought Discret11 VBI was very well known.

countries like Belgium, Finland used a discret12 decoder without keyboard in the front, the VBI infos are used for checking subscribers’ rights, I don’t know exactly how this vbi management works, but the 310 and 620 lines still blink at the screen in discret12, like discret11, the blink of these lines will « wake-up » the decoder, and VBI infos authorize the descrambling

That was part of the spec from day 1.
Maybe this capability which was useless after 2 or 3 years has been removed by later software updates in order to simplify the software and/or make room for additional functions :question:

Similarily, the first Canal+ digital terrestrial decoders (which were MPEG-2 because that was the initial plan of the govt and the CSA for FTA and pay-DTT) had the capability to receive analog TV and decode syster.
The card reader could accept either a standard ISO card or a syster key.
Very few of these decoders have been produced since it was decided later (under pressure of the HD forum) that pay channels would use MPEG-4 (SD in a first step, then HD) before the pay-DTT service was started.

I do have one of the combined Syster/DVB-T boxes but I couldn’t get it to work very much. In DVB-T, it’s asking for some weird code for TNT that I don’t have. I need to try it with the new VBI data.

On my side I have a combined SAT/DTT HD decoder from Canal which also asks for a code to activate DTT reception.
This receiver seems to have never been used …

Bonjour,
J’ai déjà du mal à y trouver un intérêt en français mais quel besoin avez-vous de continuer cette conversation en anglais?

Par pur snobisme?
Par jeu?
Pour emmerder ceux qui ne comprennent pas l’anglais?

Probably to let Captain Jack understand their messages !

bonsoir, oui, n’oublions pas que captain jack est anglais

ce sujet en particulier n’étant pas suivi par tout le monde , il me semble qu’il est possible
de faire une dérogation pour ce fil en particulier
à condition que quiconque désirant y prendre part puisse bénéficier de traductions (tr google)

que personne ne se sentent gêné de poser une question , on répondra !

et j’en profite pour demander à captain jack s’il a des schémas de déco vidéocrypt …

La moindre des choses serait de s’exprimer dans la langue du forum.

Quand je poste sur des forums anglais, je le fais en anglais…

La raison pour laquelle j’ai posté en anglais est parce que Google Traduction n’est pas bon pour traduire des sujets en profondeur. Je pourrais facilement passer en GT, mais le contexte ne serait probablement pas aussi clair.

Quoi qu’il en soit, tout était juste pour l’information - vous pouvez continuer dans la langue que vous voulez.

I have seen it with my own eyes in 1994.

Syster was not deployed everywhere yet, some areas were still broadcasting D11.
But D11 descramblers were not distributed anymore, starting to be replaced with Syster. [TDA4565]

Pour ceux qui sont gênés:

translate.google.fr/translate?s … edit-text= [TDA4565]

Si tu n’y trouves pas d’intérêt en Français, je ne vois vraiment pas pourquoi l’Anglais te gêne (c’est annoncé dans le titre que ce fil est en Anglais).

Je crois que tu n’as pas compris, c’est le principe qui m’interpelle…
Mais apparemment, je suis le seul à ne pas être d’accord, alors je m’incline…

Have a good day.
Regards.

Bonjour,

Vous avez aussi la solution de mettre vos textes en anglais « original » en en Français pour les personnes qui ne comprennent pas l’anglais
Un peu plus de travail, mais cela pourrait contenter tous le monde
Cdt,
Francois