VCII Hacks & Hacking

There have been many hacks on the VideoCipher II system. One involved cloning, or copying, the ID of another descrambler, enabling authorization of both descramblers at the same time. Another method was to subscribe to one channel and then use pirate software to open up all channels; this was known as the 'Three Musketeer Hack'. Another hack was the use of seed keys & wizard codes (see my seed keys & wizard codes section to understand how these work).

Cloning A VCII Descrambler
To clone a VCII descrambler, certain data from the ICs (integrated circuits) of the descrambler must be copied and/or modified.

The first step is to back up the seed keys & the ID number in the 'virgin' board before making any changes. This way, if anything goes wrong, you can still revive the unit. The Key's'R'Us software can be used to back up these keys. Although the software only works in 010 boards for reading & writing, it will work for writing only on 018 / 019 (A5 Series) boards. (Not sure about 032 (77) Series boards.)

Once your ID & keys are backed up, you're ready to go.

The next step usually involved clearing away the epoxy around U30 (right now you really love the 010 boards :) ) and removing the chip completely. Now, I've seen a lot of boards which simply clear the epoxy around the pins of U30 and apply the socket right on top of the stock chip. This will work but is not always recommended: since the stock chip is still in the circuit's path, it's still 'live' and voltage values may differ. The proper way would be to completely remove the stock chip and solder in the 28-pin IC socket.

Next, you would install a chip burnt with software that contains the data to change the ID & seed keys to that of another descrambler.

Once this has been done, the now 'clone' unit will be authorized for the same services as the 'master' unit. So whatever services are purchased for the master unit, any descrambler that is cloned with this set of seed keys & ID number will receive the same services.

This operation can and has been done in multiples resulting in numerous descramblers running off of one set of keys & ID.

There is one major drawback to this method: once GI discovers that the master unit ID is being used for cloning, the unit will be turned off (de-authorized). Once this happens, all units which were cloned from this unit's keys are instantly shut off also.

One way to get around this is to limit the use of keys in units to a minimum. Thus, if one unit goes down, only some units will go down also, but others will remain on simply because the keys & ID number are totally different. In other words, use more than one board to make clones from.

The Three Musketeer Hack
"All For One & One For All"

This hack consisted of a legal descrambler authorized for the cheapest programming package. A great example would have been the hacker's choice (CNN). A pirate chip would need to be installed so that once one service was authorized, all services would open up and allow unauthorized viewing of all channels.

The Wizard Hack

This attack uses data extracted out of the U7 decryption IC and modified to decode the authorization subkeys which the descrambler uses when being authorized.

This hack does not use the seed keys of another descrambler nor an ID#. The authorization data is received through a legitimate descrambler and then entered into the modified descrambler through the software, which enables 'code' entry through either a remote or, more commonly, the front keypad of the decoder. Since this method contains no Unit ID# or seed keys, theoretically the unit cannot be turned off.

Soon after GI discovered this, the pirates began putting 2 sets of seed keys and 2 ID#s in, so that if one was discovered and de-authorized the 2nd would still be running. These units could now receive 'hits' from the data stream and generate their own wizard codes. Once calculated, the codes could be displayed on the TV screen so this data could be used to turn on other modified wizard boards.

In Use Today

As of this writing, there are still working VCII descramblers receiving unauthorized programming. This method relies mainly on the use of seed keys (Cable Company IDs) which generate the wizard codes and produce audio on 'some' VCII channels.

Currently, the wizard codes change every 4-6 hours, most at various times; for example, a portion of Galaxy 5 (G5) changes at 12 AM/PM, 4 AM/PM, 8 AM/PM in a continuous loop.

There are still some channels running month to month, such as most of the sports channels and a few others such as Fox Sports & W1-24 (CBS-East).

To keep audio on these channels there is a fair amount of work to be done: since the codes change so often, you would have to be selective about which channels you want to watch and be sure to receive the hit for your next code to keep your audio for that channel. The autoroll software is favored mainly because of its simplicity, and it is easily updated without reprogramming another EPROM if a seed key set goes down.

This software enables the user to test various sets of seed keys by first encrypting them with encoder software and then entering this encoded data into the descrambler. Once this data is entered (if the seed keys entered are still alive or being authorized), the unit can then be used to generate a working wizard code to produce audio on that VCII channel, ONLY if the seed key set and ID# used is also authorized for that channel.
