Project Headend And Then ST16CF54

conf 21.11.2025 14:05 – 14:35 La Marive EN

In November of 1998, David Mordinson wrote the Headend Report on exploiting an ST16CF54 television smart card from Nagra and Dish Network. Years later, this brilliant and secret report was made public through a lawsuit. In this talk, I'll explain how to modernize this report's exploit for USB smart card readers, and how the exploit abuses mirrored (ghosted) memory ranges to smash the call stack by writing past the end of SRAM. My first draft of an exploit was hand-written 6805 machine code in NASM, with DB directives and comments but no 6805 language support. I later wrote my own 6805 assembler, with source code building a Golang byte array with comments of the original assembly language instructions and their comments. Exploitation tricks include using an undocumented mirroring behavior of memory to clobber the return stack after the end of SRAM, calling back into ROM to reduce the shellcode size, and the lazy continuation trick of letting the card crash and reboot between packets. The application works on Windows and Linux to dump the EEPROM of any vulnerable card. While these cards no longer have any commercial importance, they are an excellent case study for students to learn smart card hacking and for exploit writers to learn the history of their craft.
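As an added illustration, not the speaker's code or any tool from the talk: the abstract describes writing a 6805 assembler whose output is a Go byte array annotated with the original assembly. The Go program below shows that idea in a small form, a two-pass assembler for a handful of MC6805 mnemonics. The opcode values are from the MC6805 instruction set; the mnemonic subset, the operand syntax, the `parse`/`encode`/`Assemble` names, the $0100 origin and the sample program are all constructed for this example. Pass 1 only sizes each instruction so that every label gets an address; pass 2 encodes relative branches and extended calls with all labels known, and keeps each instruction's source text beside its bytes so the result can be printed as a commented byte array.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type op struct{ inh, imm, ext, rel byte } // opcode per addressing mode (0 = unavailable), from the MC6805 set
var ops = map[string]op{"NOP": {inh: 0x9D}, "RTS": {inh: 0x81}, "DECA": {inh: 0x4A},
	"LDA": {imm: 0xA6, ext: 0xC6}, "STA": {ext: 0xC7}, "JSR": {ext: 0xCD}, "BRA": {rel: 0x20}, "BNE": {rel: 0x26}}

// Line keeps the source text next to its bytes, so the output array can carry it as a comment.
type Line struct{ Addr uint16; Bytes []byte; Src string }

// parse splits "label: MNEM operand ; comment" into its parts.
func parse(line string) (label, mnem, operand string) {
	line, _, _ = strings.Cut(line, ";")
	if l, rest, ok := strings.Cut(line, ":"); ok {
		label, line = strings.TrimSpace(l), rest
	}
	f := append(strings.Fields(line), "", "")
	return label, strings.ToUpper(f[0]), f[1]
}

// encode emits one instruction at addr. Operand syntax selects the mode: none is inherent,
// "#$xx" immediate, "$xxxx" extended; a label is relative for a branch mnemonic (offset from
// the end of the 2-byte branch) and extended otherwise. In the sizing pass an undefined label
// gets a placeholder, since only the instruction length matters then.
func encode(addr uint16, mnem, operand string, labels map[string]uint16, sizing bool) ([]byte, error) {
	o, known := ops[mnem]
	opcode, n := o.ext, 3
	switch {
	case operand == "":
		opcode, n = o.inh, 1
	case operand[0] == '#':
		opcode, n = o.imm, 2
	case o.rel != 0:
		opcode, n = o.rel, 2
	}
	v, ok := labels[operand]
	if lit := strings.TrimPrefix(operand, "#"); strings.HasPrefix(lit, "$") {
		u, perr := strconv.ParseUint(lit[1:], 16, 8*(n-1)) // 8-bit immediate or 16-bit address
		v, ok = uint16(u), perr == nil
	} else if !ok && sizing {
		v, ok = addr, true // placeholder: any in-range value yields the right length
	}
	d := int(v) - int(addr) - 2 // relative offset, meaningful for branches only
	switch {
	case !known:
		return nil, fmt.Errorf("unknown mnemonic %q", mnem)
	case opcode == 0:
		return nil, fmt.Errorf("%s cannot take operand %q", mnem, operand)
	case n == 1:
		return []byte{opcode}, nil
	case !ok:
		return nil, fmt.Errorf("cannot resolve operand %q", operand)
	case n == 3:
		return []byte{opcode, byte(v >> 8), byte(v)}, nil
	case o.rel == 0:
		return []byte{opcode, byte(v)}, nil
	case d < -128 || d > 127:
		return nil, fmt.Errorf("branch from $%04X to $%04X out of range", addr, v)
	}
	return []byte{opcode, byte(int8(d))}, nil
}

// Assemble runs two passes from origin: the first only sizes instructions to
// assign every label an address, the second encodes with all labels known.
func Assemble(origin uint16, src []string) (out []Line, err error) {
	labels, addr := map[string]uint16{}, origin
	for pass := 1; pass <= 2; pass++ {
		addr, out = origin, out[:0] // pass 1 output only serves to place the labels
		for _, s := range src {
			label, mnem, operand := parse(s)
			if label != "" {
				labels[label] = addr
			}
			if mnem == "" {
				continue
			}
			b, e := encode(addr, mnem, operand, labels, pass == 1)
			if e != nil {
				return nil, fmt.Errorf("%q: %v", strings.TrimSpace(s), e)
			}
			out = append(out, Line{addr, b, strings.TrimSpace(s)})
			addr += uint16(len(b))
		}
	}
	return out, nil
}

func main() {
	lines, err := Assemble(0x0100, []string{"start: LDA #$05 ; constructed sample", "loop: DECA", "BNE loop", "JSR start", "RTS"})
	if err != nil {
		panic(err)
	}
	for _, l := range lines { // the byte array, with the source kept as a trailing comment
		fmt.Printf("\t% X // $%04X: %s\n", l.Bytes, l.Addr, l.Src)
	}
}
```

Running it prints the assembled bytes one instruction per row, each with its address and the original source line as a comment. The range check on relative branches and the refusal of an addressing mode the table lacks are exactly the errors a hand-assembled DB listing cannot catch, which is the practical reason to move from raw byte directives to an assembler.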