I am going to write in English, because Google Translate will not do it correctly. If someone can translate the text below properly, it will be much easier to understand.
Over the past year or so, there have been efforts to crack Syster VBI. The idea was to create a real functioning Syster encoder. The same thing has already been done with Videocrypt, which was tricky but in the end it’s a 100% working system. This was achieved by taking an old recording from an old Sky UK channel, taking VBI, cleaning it up and activating the Videocrypt decoder. Once the decoder is “activated”, the image could be brute-forced to find cut points. These can then be used to encrypt the video in HackTV and sent via HackRF.
Here’s the original Videocrypt VBI as seen from VHS tape:
youtube.com/watch?v=7Lv9xSQ-YPA
This contains teletext as well as Videocrypt VBI. After cleaning it up, here’s what we end up with:
youtube.com/watch?v=Ezm_hFen6Uo
And here’s the final result:
youtube.com/watch?v=FgoNPRX53zY
For Syster, it has proven quite tricky to do the same due to lack of available data and especially VHS tapes. I could find Syster decoders and keys easily enough on eBay and other classified advert sites but getting decoders to kick in has proven tricky.
I was quite lucky to obtain two recordings from a guy on YouTube last year and this gave us a glimpse into what Syster VBI looked like:
youtube.com/watch?v=sig0-tCNBp4
As you can see, it’s a lot busier than Videocrypt - the data rate is much higher. But again, it needs to be cleaned up from teletext data etc.
Running the tape through a decoder did manage to kick it in but it was very rare and very unreliable. And this was with a good m’scope with time base correction. It was very tricky to see what data was valid and what wasn’t. With some initial work, it was found that some of the data was completely irrelevant and not needed:
145: 7: .......QUSSVQS.QUSSVQ.. (23)
145: 8: .'.......&.......&.&nx. (23)
145:24: I.(..............DUMMY. (23)
145:25: .EMMDUMMYEMMDUMMYEMMDU. (23)
Are we all DUMMies?!
A saving grace came from a French document, which describes VBI data in some very good detail. However, it was still missing certain pieces, like how CRC was generated for each line, and what each of the values in the lines meant. Through some assumptions and brute-forcing, CRC was eventually figured out. This allowed the creation of valid VBI lines. The structure is like this:
[Sync] [Data] [16-bit CRC]
[AA 0B 18 36] [85 A2 B2 B2 22 AA B2 B2 9A A2 B2 B2 22 AA B2 B2 9A A2 B2 B2 22 AA] [08 68]
This still didn’t really make the decoder do anything with either Premiere or Canal+ keys but combining the above with some of the data retrieved from Premiere’s VBI and zeroing out most of the data part allowed the decoder to kick in - at least sometimes.
Here’s part of the data that is sent by HackTV:
[Sync] [Data] [16-bit CRC]
[AA 0B 18 36] [A8 4E 20 AF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00] [A1 C3]
There is more but the sequence is essentially repeated. Here’s what the VBI data looks like now:
dropbox.com/s/xwv3tofppgj7w … i.mp4?dl=0
And here is the result:
youtube.com/watch?v=7WxN7ALxn_s
It’s nowhere near 100% as it loses lock - clearly some of the data is still missing or invalid - but it’s getting there.
As you can see from the video, it ONLY works with Premiere keys. Inserting keys from Canal+ Poland, France or NTV+ Russia does not make the decoder do anything. However, you can use a decoder from any country.
One thing that was found is that the permutation table used by the French decoder in the video is that used by Premiere. This suggested what was suspected anyway - permute tables were kept inside the decoder. And it’s being selected by the second byte in the data sequence (4E).
From the French document, it lists different modes of encryption (they are bit-reversed):
0x12: Canal+ clear
0x4E: Canal+ old code (and Premiere)
0x5E or 0x5F: Canal+ new code, free access
0xDE: Canal+ new code, conditional access
We need to try other codes in place of 4E and see what they produce. Not quite sure what “free access” means. I think you still need a key to actually get the decoder to scramble.
One major piece of the puzzle still missing is what makes it work with Premiere key only and not, say, France Canal+ key. This is why we are still looking for VHS recordings from Canal+ France to compare the data.
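
The line layout described above ([Sync] [Data] [16-bit CRC]), as an added Python example that is not part of the original post or of HackTV: it parses the bracketed hex notation, checks the field lengths and reports the second data byte against the mode list. The function names and the 22-byte data length (counted from the two lines shown) are assumptions; the CRC is only extracted, not verified, because the post does not give its parameters.

```python
import re

SYNC = bytes.fromhex("AA0B1836")   # sync bytes as shown in the post
DATA_LEN, CRC_LEN = 22, 2          # assumption: lengths counted from the post's two lines

# Mode values exactly as listed in the post (which calls this form "bit-reversed").
MODES = {
    0x12: "Canal+ clear",
    0x4E: "Canal+ old code (and Premiere)",
    0x5E: "Canal+ new code, free access",
    0x5F: "Canal+ new code, free access",
    0xDE: "Canal+ new code, conditional access",
}

# The two lines quoted in the post.
EXAMPLE_LINE = ("[AA 0B 18 36] [85 A2 B2 B2 22 AA B2 B2 9A A2 B2 B2 22 AA "
                "B2 B2 9A A2 B2 B2 22 AA] [08 68]")
HACKTV_LINE = ("[AA 0B 18 36] [A8 4E 20 AF 00 00 00 00 00 00 00 00 00 00 "
               "00 00 00 00 00 00 00 00] [A1 C3]")

def bitrev8(b):
    """Return the byte with its bit order reversed (the other notation for a mode)."""
    return int(f"{b:08b}"[::-1], 2)

def parse_line(text):
    """Parse '[sync] [data] [crc]' hex notation; raise ValueError if malformed."""
    groups = re.findall(r"\[([0-9A-Fa-f\s]+)\]", text)
    if len(groups) != 3:
        raise ValueError("expected three bracketed fields")
    sync, data, crc = (bytes.fromhex(g) for g in groups)
    if sync != SYNC:
        raise ValueError("unexpected sync bytes")
    if len(data) != DATA_LEN or len(crc) != CRC_LEN:
        raise ValueError("unexpected field length")
    mode = data[1]  # second data byte: the one the post says selects the permute table
    return {
        "data": data,
        "crc": crc.hex().upper(),             # bytes in the order shown, not verified
        "mode": mode,
        "mode_other_bit_order": bitrev8(mode),
        "mode_name": MODES.get(mode, "not in the post's list"),
        "payload_zeroed": not any(data[4:]),  # True when bytes after the first four are 0
    }

if __name__ == "__main__":
    for name, line in (("example", EXAMPLE_LINE), ("hacktv", HACKTV_LINE)):
        r = parse_line(line)
        print(name, f"mode=0x{r['mode']:02X}", r["mode_name"], "crc=" + r["crc"])
```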