Writing

Software, technology, sysadmin war stories, and more.
Saturday, October 8, 2011

Exploring satellite TV with only stock equipment

There was a point when a certain satellite TV service only used a single cluster of satellites at one orbital spot: 101 degrees west. Then, a few years after they launched, they picked up licenses to transmit from 119 degrees west. There was a somewhat-functional satellite up there just waiting to be used, and I figured they were running tests. I wanted to see what was up there, but didn't have access to any sort of illegal tools. I still wound up finding a way to watch.

The trick was that I could see the metadata for channels I could not receive. At the time, I was using a Sony receiver which had a series of debug commands which could be used to dump info about the service. You'd key in 8888x [exit] where x was a number between 1 and 9 and it would display something which occasionally resembled real channel numbers seen in the guide.

Service Paradigm Information

I had seen what this looked like for the normal service at 101, so the first thing I decided was that I needed to try it at 119. Luckily, we had another dish pointed at 119 for Dish Network service, and the actual dish/LNB technology was compatible back then, so I just moved my receiver to the other cable and started poking around.

Things got interesting. While they only had a couple of transponders at 119, they definitely were doing things out there that early in the game. My receiver was able to lock on, showing a good signal strength, and it even started showing stuff in the debug screens! The problem is, I'd go to bring up the guide, and it would show it for a second, then it would pause to "think", and then it would all disappear.

Obviously, my receiver was realizing that I wasn't authorized to receive any of those channels and so it was hiding all of them from me. Still, even that didn't stop me. Somehow, perhaps by looking at my notepad with scribbles of transponders, channel numbers, and weird things like VSCID and ASCID numbers, it occurred to me: they recycled them.

What do I mean by recycled? Well, imagine that MTV is on channel 966 at 101 west. It's on transponder 30, and its video is #X in the stream, and its audio is #Y in the stream. I assume it's one big MPEG stream for each transponder, and these are just identifiers which will match the packets for MTV within that stream.

So anyway, normally, you call up 966, your receiver looks it up, gets 30, X, and Y, twiddles the LNB to get even transponders, sets up its tuner for whatever frequency it is (call it Z MHz), and then starts snagging frames for X and Y from the decoded feed. Then it turns them back into actual video and there's your show. It's probably not a music video, but what can you do?

My idea was simple: what if one of their test channels on 119 west was also transponder 30, video at #X, audio at #Y? I bet the receiver would decode that just as well as MTV itself. I'd just have to get it "primed" on the real thing and then switch the cables before it realized what had happened.

I proceeded to do exactly that. I wound up working "backwards", which is to say I found interesting channels from 119, noted their transponder, VSCID and ASCID numbers, then dug around on 101 to see if there was a match. If so, I'd tune to it, wait for it to come up, and then it got interesting.

Remember that I had both 101 and 119 available simultaneously on two different coax feeds. All I had to do was loosen the F connector, pull the 101 cable, and then hot-plug the 119 cable. If I did it quickly enough, it looked like the kind of blip you get when a storm is rolling in, and it kept on going!

What did I see? Nothing too special. I saw a couple of movies which were playing on the PPV service down in the 100s at that point, only with a time code overlay. That was about it. I suppose if I had really stuck with it and kept poking around on multiple days, I might have seen something more, but it didn't seem worth the trouble.

I think the most amazing thing about this whole experiment is that the receiver had no problems just hopping over to a completely different transmission which just happened to match the parameters. I'm not sure if the crypto stuff just didn't care, or if they were using the same kind of encoding on both sides, or what, but it Just Worked, and that was strange.

I would be surprised if these sorts of shenanigans were still possible today, given that it's been over 12 years since my original experiment.
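
An added sketch, not code from the original post or from any real receiver: a simplified model of the lookup-then-filter flow described above, where authorization is checked only at tune time and packets are then matched on transponder and stream IDs alone. Channel 9001, the ID values, the `slot` field and the `bind_source` option are assumptions made for illustration; the post does not say how the real system works internally.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    slot: str          # where the signal came from (assumed field; the naive path ignores it)
    transponder: int
    stream_id: int     # stands in for the post's VSCID / ASCID numbers
    payload: str

@dataclass(frozen=True)
class Service:
    slot: str
    transponder: int
    vscid: int
    ascid: int
    authorized: bool

# Constructed guide data: the test feed at 119 reuses the 101 channel's parameters.
GUIDE = {
    966: Service("101W", 30, 0x120, 0x121, authorized=True),
    9001: Service("119W", 30, 0x120, 0x121, authorized=False),  # hypothetical test channel
}

class Receiver:
    def __init__(self, bind_source):
        self.bind_source = bind_source
        self.tuned = None

    def tune(self, channel):
        svc = GUIDE[channel]
        if not svc.authorized:           # the only authorization check: at tune time
            raise PermissionError(channel)
        self.tuned = svc

    def demux(self, packets):
        """Return the payloads the receiver would decode for the tuned service."""
        svc, out = self.tuned, []
        for p in packets:
            if p.transponder != svc.transponder or p.stream_id not in (svc.vscid, svc.ascid):
                continue
            if self.bind_source and p.slot != svc.slot:
                continue                 # hardened: stream must match the authorized source
            out.append(p.payload)
        return out

def feed(slot, label):
    """Constructed sample stream: one video and one audio packet on transponder 30."""
    return [Packet(slot, 30, 0x120, label + "-video"), Packet(slot, 30, 0x121, label + "-audio")]

def run(bind_source):
    rx = Receiver(bind_source)
    rx.tune(966)                         # authorized channel on the 101 feed
    return rx.demux(feed("101W", "mtv")) + rx.demux(feed("119W", "test"))  # then the cable swap
```

With `bind_source=False` the model keeps decoding after the swap, because nothing re-checks what the matching packets belong to; with `bind_source=True` the second feed is dropped. In a real design that binding would have to be something the stream authenticates, such as per-service keys, rather than a plain field.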