PowerVu encryption hacked?

User Colibri (I do not know who this is, but he apparently also hacked BISS encryption and is well known among American sat enthusiasts) revealed that he managed to crack PowerVu encryption. In Europe there are a few frequencies on 4.8e, 0.8w, 4w and 9e that have PowerVu encrypted channels. They are used by cable TV companies, normal users cannot watch these channel as subscription cards cannot be bought. Please use search option on kingofsat if you want to get detailed list of channels. Please don’t ask me for more information because I don’t have it.

More information about hack is available here: Forum will be opened soon here:

Short information from this page:

Indicates Frequency has been logged and keys are being brute forced. Finding the keys for nearly 1000 channels will take many months, so please be patient. Once keys are discovered, the community will be updated here.

We kindly ask hobbyists to scan every satellite and update us on any new PowerVu transponders you find (including periodic feeds that use PowerVu). We also need help with logging PowerVu EMMs in Europe and Asia.

And here is text from Wikipedia (text was deleted):

In November 2014, rumors of a PowerVu hack started circulating on various internet forums. The owner of a well known American satellite forum ( claimed to have seen proof of a PowerVu hack, including descrambled video of Fedex Corporate broadcasts which are PowerVu encrypted on the American communications satellite AMC 1 (103W).

On Friday December 05, 2014 at 9:44 am, the hacker Colibri posted a link to his Magnum Opus (the culmination of nearly a decade of original cryptographic research on PowerVu) on a little known North American satellite forum ( It is unknown why Colibri chose this forum for his announcement, but some have speculated that he chose this forum because it specializes in North American C-band satellite backhauls, the majority of which are encrypted using the PowerVu conditional access system.

In his Magnum Opus, Colibri identifies a critical security flaw in the PowerVu encryption of Entitlement Management Messages (EMMs) which can be used in a brute force attack to discover the unique 56 bit key assigned to each authorized Scientific Atlanta IRD. Once this key is found, it can be used to decrypt Entitlement Control Messages (ECMs) which contain the needed keys for video and audio decryption.

Unfortunately, the key space (2^56 keys) for such an attack is too large to be carried out on ordinary computer hardware. Instead, Colibri suggests that hackers log over 131,000 (2^17) different EMMs (if available) and brute force a much smaller key space (2^39), which he has shown can be done in several days with a GeForce GTX 470 CUDA card.

The only PowerVu broadacasts that are known to have over 131,000 authorized IRDs are the American Forces Network (AFN on Eutelsat9A-9.0E) which issues Scientific Atlanta receivers to American military service members around the world. The majority of C-band satellite broadcasts (e.g., Discovery Channel, CNN, etc.) which are secured by PowerVu utilize no more than a few hundred authorized IRDs (issued mostly to cable headends) and some specialty channels use less than a dozen, rendering a brute force attack (2^48 key space at best) extremely difficult, if not impossible, even with parallel computing. For example, it would take nearly 2 years to brute force the EMM key for a single IRD (and thus a single channel), using Colibri’s GeForce GTX 470 CUDA setup and assuming 256 EMMs were logged that belonged to 256 unique and authorized IRDs.

Even if keys could be brute forced in a reasonable time frame, such keys could easily be blacklisted by PowerVu if they were ever made public.

As of the time of writing (December 18, 2014), PowerVu has not yet issued any stream updates to close the exploit discovered by Colibri and no practical hardware hack has been released to allow unauthorized viewing of C-band satellite backhauls, but for the first time in nearly twenty years, this is the closest hackers have come to pirating C-band satellite transmissions since Videocipher II was hacked in the 1990s.

Powered by