Archive for December, 2014


PowerVu encryption hacked?

User Colibri (I do not know who this is, but he apparently also hacked BISS encryption and is well known among American sat enthusiasts) revealed that he managed to crack PowerVu encryption. In Europe there are a few frequencies on 4.8e, 0.8w, 4w and 9e that carry PowerVu-encrypted channels. They are used by cable TV companies; normal users cannot watch these channels because subscription cards cannot be bought. Please use the search option on kingofsat if you want a detailed list of channels. Please don’t ask me for more information because I don’t have it.

More information about the hack is available here: Forum will be opened soon here:

Short information from this page:

Indicates Frequency has been logged and keys are being brute forced. Finding the keys for nearly 1000 channels will take many months, so please be patient. Once keys are discovered, the community will be updated here.

We kindly ask hobbyists to scan every satellite and update us on any new PowerVu transponders you find (including periodic feeds that use PowerVu). We also need help with logging PowerVu EMMs in Europe and Asia.

And here is text from Wikipedia (text was deleted):

In November 2014, rumors of a PowerVu hack started circulating on various internet forums. The owner of a well known American satellite forum claimed to have seen proof of a PowerVu hack, including descrambled video of Fedex Corporate broadcasts which are PowerVu encrypted on the American communications satellite AMC 1 (103W).

On Friday December 05, 2014 at 9:44 am, the hacker Colibri posted a link to his Magnum Opus (the culmination of nearly a decade of original cryptographic research on PowerVu) on a little known North American satellite forum. It is unknown why Colibri chose this forum for his announcement, but some have speculated that he chose this forum because it specializes in North American C-band satellite backhauls, the majority of which are encrypted using the PowerVu conditional access system.

In his Magnum Opus, Colibri identifies a critical security flaw in the PowerVu encryption of Entitlement Management Messages (EMMs) which can be used in a brute force attack to discover the unique 56 bit key assigned to each authorized Scientific Atlanta IRD. Once this key is found, it can be used to decrypt Entitlement Control Messages (ECMs) which contain the needed keys for video and audio decryption.

Unfortunately, the key space (2^56 keys) for such an attack is too large to be carried out on ordinary computer hardware. Instead, Colibri suggests that hackers log over 131,000 (2^17) different EMMs (if available) and brute force a much smaller key space (2^39), which he has shown can be done in several days with a GeForce GTX 470 CUDA card.

The only PowerVu broadcasts that are known to have over 131,000 authorized IRDs are the American Forces Network (AFN on Eutelsat9A-9.0E) which issues Scientific Atlanta receivers to American military service members around the world. The majority of C-band satellite broadcasts (e.g., Discovery Channel, CNN, etc.) which are secured by PowerVu utilize no more than a few hundred authorized IRDs (issued mostly to cable headends) and some specialty channels use less than a dozen, rendering a brute force attack (2^48 key space at best) extremely difficult, if not impossible, even with parallel computing. For example, it would take nearly 2 years to brute force the EMM key for a single IRD (and thus a single channel), using Colibri’s GeForce GTX 470 CUDA setup and assuming 256 EMMs were logged that belonged to 256 unique and authorized IRDs.

Even if keys could be brute forced in a reasonable time frame, such keys could easily be blacklisted by PowerVu if they were ever made public.

As of the time of writing (December 18, 2014), PowerVu has not yet issued any stream updates to close the exploit discovered by Colibri and no practical hardware hack has been released to allow unauthorized viewing of C-band satellite backhauls, but for the first time in nearly twenty years, this is the closest hackers have come to pirating C-band satellite transmissions since Videocipher II was hacked in the 1990s.
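The key-space figures quoted above (2^56 for one receiver, 2^48 with 256 logged receivers, 2^39 with 2^17) follow from the general rule that a per-device key loses about log2(N) bits of strength when N devices can be tested at once. The sketch below is an added example, not code from Colibri or from the original post: it measures that effect on a toy 12-bit keyspace, where `toy_tag` is a hypothetical stand-in (truncated SHA-256) rather than PowerVu's cipher, and "nearly 2 years" is taken as 730 days.

```python
import hashlib
import math
import random

KEY_BITS = 12  # toy key size so runs finish instantly; the page's IRD keys are 56 bits

def toy_tag(key: int) -> bytes:
    """Stand-in for a checkable value derived from a key. NOT PowerVu's cipher."""
    return hashlib.sha256(key.to_bytes(8, "big")).digest()[:8]

def trials_until_first_hit(num_targets: int, rng: random.Random) -> int:
    """Count keys tested until ANY one of num_targets random device keys is found."""
    device_keys = rng.sample(range(1 << KEY_BITS), num_targets)
    observed = {toy_tag(k) for k in device_keys}  # one logged value per device
    for trials, candidate in enumerate(range(1 << KEY_BITS), start=1):
        if toy_tag(candidate) in observed:  # a single set lookup covers all targets
            return trials
    raise AssertionError("unreachable: every device key lies in the keyspace")

def mean_trials(num_targets: int, runs: int, seed: int = 2014) -> float:
    """Average work over many runs; theory says about 2^KEY_BITS / (targets + 1)."""
    rng = random.Random(seed)
    return sum(trials_until_first_hit(num_targets, rng) for _ in range(runs)) / runs

def effective_bits(key_bits: int, num_targets: int) -> float:
    """Keyspace left to search once num_targets keys can be tested at the same time."""
    return key_bits - math.log2(num_targets)

def search_days(bits: float, ref_bits: int = 48, ref_days: float = 730.0) -> float:
    """Scale the page's figure (2^48 keys in 'nearly 2 years', taken here as 730 days)."""
    return ref_days * 2.0 ** (bits - ref_bits)

if __name__ == "__main__":
    for n in (1, 16, 256):
        print(f"toy {KEY_BITS}-bit keys, {n:>3} targets: "
              f"mean trials {mean_trials(n, 300):8.1f}")
    for n in (1, 256, 2 ** 17):
        bits = effective_bits(56, n)
        print(f"56-bit keys, {n:>6} devices: 2^{bits:.0f} search, "
              f"~{search_days(bits):,.1f} days on the reference GPU")
```

For a system designer the takeaway is that the margin of a per-device key has to be judged against the number of devices in the field, not against a single receiver.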


XBMC (Kodi) for Vu+ coming soon!

XBMC or Kodi for Broadcom-based satellite receivers is something that the satellite community is anxiously waiting for. XBMC on its own is still not mature enough to be a complete substitute for Enigma 2. Vu+ has done some work here (do you remember prismCube?) for the ARM architecture, but I guess they decided on a different approach. Why put lots of hours into XBMC to create an Enigma 2 substitute if you can adapt XBMC to work on the MIPS architecture that Vu+ uses in their satellite receivers!

Vu+ decided to take some concrete steps in the right direction. The OpenATV team recently released two videos that reveal how the alpha XBMC version for Vu+ Solo 2, Vu+ Duo 2 and Vu+ Solo SE works in real life. Vu+ Zero sadly will not support XBMC due to weaker hardware. XBMC can be started like any other E2 plugin. The release date is not known. Check these videos:

EDIT (30.12.2014): The BlackHole team announced that they will release the first beta image with working XBMC on 30.12.2014. More information here:

VTi beta image is already available on their forum:


Free Formuler F1 and F3 receivers

Formuler and OpenPLi announced a kind of sweepstake where you have a chance to win a free satellite receiver. What you need to do is post a message with your wishes for 2015 in this thread:

The sweepstake will end on the 24th of December and two users will be chosen randomly.



New Vu+ kernel and drivers now available also for OpenPLi

OpenPLi announced today that they now support the newest kernel and drivers for Vu+ receivers. Original news:

We are glad to announce that VU+ has been added to our line-up of manufacturers that support OpenPLi with a so-called BSP layer. This means amongst others: up to date DVB drivers / Linux kernels on VU+ receivers and official OpenPLi images for the SoloSE and Zero models. Due to the vast amount of changes to the VU+ images, we strongly recommend, for every VU+ model, to do a clean flash with an image from today or newer. We cannot give support on VU+ receivers that only have been upgraded after today.

You can download their images here:

There are also images for Vu+ Zero and Solo SE which haven’t been available before.
