Hacking Satellite Cards

Writing a "Private 3M Script"

First it is important to define the term "3M." The term "3M" simply refers to a script's ability to unlock all of the channels, based on the saying "All for one, and One for all!" from the "3 Musketeers," (which came from the old days of hacking cable boxes where all channels were viewable through one channel). Anyway, "3M" now is just a generic term for a card that has all channels open and no stealth or write protection. In stealth scripts, the "3M" code refers to the actual part of the code that enables the video.All scripts that open all of the channels are 3M's, however most people are referring to scripts that auto-update on their own, when they refer to a 3M. The card auto-updates because it has no commands blocked, and it appears to be a normal subbed card, as much as possible. The EASIEST type of 3M to write is to modify a valid bin file, by editing it in BasicH. Before you can write a script to modify the card, you need to be able to edit a bin file manually to make those changes. If you read through this page carefully you will find everything you need to know to modify a valid bin file with unique jump points and a 3M code. After you are done editing your valid bin file you will have a private 3M that auto-updates, with private jump points. To remove simply do a 1-STEP clean in BasicH or BasicU. If you follow the directions you should have a fairly safe 3M to use. If you have a private 3M (that does not have code in any regions that have been changed ago updates) your card would still be running today no matter HOW long they've been you installed it. They can only send a "killer" ECM that will loop your cards if they have 8 known bytes in a row that they can hash. In order to ZAP your card with an ECM your card needs to be detected as being "hacked." In order to do this they need to know you card's "signature," and your signature is based on the "extra" data that is on your card: the jump points and 3M code. If they don't know your jump points or how exactly you broke up your 3M code then it is not possible for them to target you since they won't know the "signature" of your card. The advantage of picking your own jump point is that your card's signature is different from most people's cards. They are mainly interested in hashing the most public areas to hash. If you pick the INS54 area then you can bet that a many other people have also figured out what you have. You should really try to find a jump point outside of the INS 54 area. All were after here is to make your card's signature just enough different than the freeware script users. Anything you can change will help. If you clone your card then you have 2 known bytes that will be different from your CAM ID, and those bytes are a checksum for the CAM ID. It MAY be possible that they can check those two bytes against the CAM ID to see if your card is cloned, but they haven't demonstrated that ability yet. Remember- nothing is foolproof- If your card is in the data stream taking updates, you risk an update possibly writing over part of the 3M software and corrupting your card. Nobody ever knows where the update will occur on the card.

To make things simpler to understand and follow I have color coded this page:

„h PURPLE for the 02 (jump to) code

„h BLUE for the 3M code

„h RED for the byte's ADDRESS

Understanding How Cards Work

The signal is based on packets of data which are sent along with all the video data to every receiver out there. Some of this data is filtered out before it is passed on to the smart card, such as individual unit authorizations. Of all the millions of these, only the ones for your smart card are passed on to your smart card. This is so the smart card does not get totally overloaded with messages for everyone else. Most of the other data packets DO get to your smart card.

When the signal passes through a card the following routine happens:

„h Normal Code Cycle

The DSS signal "passes thru" the card and does certain events that are important to the function of the card.

„h "INS 54" Determines Authorization

The INS 54" is the location of code on the card that determines whether or not you are authorized to view a channel, and is responsible for returning a proper value to any authorization requests.

„h Normal Code Cycle

The signal comes back from the the "INS 54" area and either authorizes or turns off the signal, based on what value was returned.

When the signal passes through a card that has 3M code on it the following routine happens:

„h Normal Code Cycles

The DSS signal "passes thru" the card and does certain events that are important to the function of the card.

„h Jump to Fake Authorization or "3m code"

The card "jumps" from the "INS 54" area to an address you have specified that has your 3M code. The 3M code "tricks" the card in to thinking that the authorization is present by giving it a ZNT of it's own, and then returning the proper answer, which allows all of the channels to be unlocked (this is the JUMP POINT).

„h Jump back from the "3M code"

The 3M code jumps back to the address you have specified at the end of the "INS 54" area: 8D2D

„h Normal Code Cycles

The signal authorizes the signal for all channels based on what was returned from the Fake ZNT or "3M code."

The area of the card that is checked to see if the channel has authorization is called "INS 54." That area in the card's EEPROM is 827B-8D2D. That's why most, but not all, jump points are placed with in that area. Whenever you change the channel the card checks the "INS 54" area of the card to check and see if that channel is authorized. When the "check command" reaches your JUMP POINT it jumps out of "INS 54" directly to wherever your 3M code