Digital satellite TV platform


{ PoC Codes }

Last update: May-28-2012

Characteristics of the Proof of Concept (PoC) code developed during research into the security of the digital satellite TV platform:

  • 145 Java classes,
  • 34000 lines of source code,
  • 345 kb of compiled jar file,
  • implementation of over 70 commands,
  • compatibility with ITI5800S, ITI5800SX, ITI2850ST, ITI2849ST digital satellite receivers and STi7100 / STi7111 processors.

Commands implemented by Security Explorations' proof of concept code illustrate the following:

  • ability to escape the Java security sandbox,
  • ability to escape the OS security sandbox,
  • full read/write access to the file system (sample),
  • privilege elevation to OS admin,
  • full read/write kernel and I/O space access (arbitrary system call installation),
  • smart card interface interception (sample),
  • runtime firmware interception of STi7111's embedded crypto processor,
  • firewall disabling,
  • Java and system-level directory tree listing (sample),
  • Java and system-level file/directory tree transfer (sample),
  • access to information about system configuration (serial number, software version, hardware type, network configuration) (sample),
  • access to information about MPEG services (sample),
  • access to information about various cryptographic keys (Conax, chipset, HDCP and upgrade) (sample),
  • access to Push Video on Demand (PVOD) movies and their properties (sample),
  • access to Electronic Program Guide (EPG) (sample),
  • access to information about the user's subscription status (sample),
  • Digital Video Recorder (DVR) control (scheduling recording, management of existing recordings and PVOD files),
  • playing of arbitrary user provided video content fetched from Internet (MPEG files),
  • Xion web browser control (opening arbitrary URLs, stealth URL redirection, HTTP and HTTPS request sniffing),
  • graphic screen capture (sample),
  • control over the TV remote (imitation of the keyboard input),
  • displaying arbitrary messages on a user's TV screen,
  • access to other subscribers' broadcast invoice data (billing information),
  • download and decryption of the device's upgrade image (sample),
  • DSMCC carousels mounting,
  • simple MPEG sniffing by PID value (sample),
  • access to SI MPEG sections (PAT, PMT) (sample),
  • MPEG stream capture of arbitrary programming (including HD programming) (sample),
  • Video on Demand ECM decryption and sharing of programming protected with Conax conditional access method with chipset pairing,
  • reuse of Video on Demand access rights (beyond rental period of 48 hours),
  • Control Words sharing via network between arbitrary decoders protected with Conax conditional access method and chipset pairing,
  • persistent and stealth backdoor installation,
  • automatic backdoor execution upon system startup.