The present invention relates in general to forcing a terminal to perform an action, in particular to forcing a decoder in a broadcast digital television system to download software.
The term “decoder” as used herein may refer to a decoder physically separate from a receiver, a combined receiver and decoder, such as in a set-top box, or a decoder having additional functions, for example recording devices, displays or web browsers.
A broadcast digital television system provides a service packet, which may comprise not only a bouquet of channels among which a user can choose to subscribe depending on the system provider's offer, but also Pay Per View (PPV) programmes, and different interactive services, such as for example e-mail handling, shopping, games, betting, and so on.
In a broadcast digital television system, particularly of the conditional access kind, the decoder is of paramount importance, since it is the module that controls access to the service packet; a user should only have access to the parts of the service packet that are free or to which he has subscribed. This is important not only because it provides due revenue for the system provider, but also because of issues like parental guidance et cetera.
There are however people who try to access part or the entire service packet fraudulently. In doing so, a hacker often tries to “crack” his decoder, so that it can be used to access at least part of the service packet not subscribed to. Once a hacker has succeeded in doing this, he often spreads his knowledge to other hackers, for example by posting the knowledge on special Internet web sites.
System providers are obviously aware of this and for one thing constantly try to improve the security of the decoder in general and a more secure version of the software in particular. The decoders are then updated with the software via the broadcast network (satellite, cable, earth).
Most, if not all, existing decoders perform an automatic verification of the version of at least part of its software after a power-up, such as when being switched on again after having been put in stand-by mode. The loader software inspects a particular zone in a non-volatile memory to see if an update is necessary. In this zone, the decoder, having detected in the broadcast signal identifiers and versions of software that is broadcast, stores information that a new version of this or that software is to be downloaded and installed. If there is new software to download, the decoder connects to a dedicated frequency, acquires the new version of the software, installs it over the old version of the software, and reboots in order to start the new software.
A problem that arises is that many decoders are never put in stand-by mode, for any number of reasons, such as for example: (1) many users only switch off their television sets, but never their decoders, (2) in certain places, for instance bars and waiting rooms, the decoder is tuned indefinitely to the same programme, and (3) hackers may intentionally keep their decoders from going into the stand-by mode in order to avoid an update of the software to a more secure version.
It is well known in the art to force a decoder to perform an action, such as download applications via the network. WO 01/45387, for example, describes forcing the decoder to take an action, such as change channel, go into standby mode, and, as mentioned, download newer versions of the operating system. To achieve this, the system provider broadcasts an Entitlement Management Message (EMM) that is received by the decoder. The EMM comprises an identifier of the specified action (e.g. changing channel) and necessary parameters (e.g. the channel to change to is channel “X”). Upon reception, the decoder verifies that the EMM emanated from a proper source, extracts the action identifier and parameters, if any. It then calls the appropriate function in order to perform the action. While this way of forcing an action works very well in most situations, it does have its drawbacks. The system provider is obliged to keep lists of commands to ensure that each command on the system end corresponds to the proper command in the decoder. Since the commands are transmitted in the form of an identifier, only predefined commands can be sent and only with predefined types of parameters, which in some instances makes the forcing inflexible.
It is also well known in the art to download applications to decoders. To achieve this, the code is invariably broadcast in private tables in what is known as private sections of the digital flow. However, a pirate can block the access of these private sections to his decoder, which means that downloading code in this manner is relatively easy to circumvent by pirates.
It can therefore be appreciated that there is a need for a flexible solution that provides a way of forcing a decoder to perform one or more actions, in particular downloading new software to the decoder and the subsequent update of the downloaded software. This invention provides such a solution.
According to one aspect of the present invention, there is provided a method of forcing a terminal in a digital television system to perform at least one action. The digital television system further comprises a transmission system that transmits a public table with a private descriptor comprising code, which when executed by the terminal will perform the at least one action. The terminal then receives the public table, extracts the code from the private descriptor, and executes the code, thus performing the at least one action.
In this way, a terminal may be made to automatically perform an action, without user intervention.
The public table is advantageously a Programme Map Table (PMT) or a Conditional Access Table (CAT). As will be seen further on, these tables have particularly advantageous properties for use in the method.
It is advantageous that the public table comprises the entire code necessary for the terminal to perform the at least one action. This way, the method is easier to implement as there is only one table for the terminal to treat, and it is also more difficult for a pirate to circumvent the invention.
The terminal may also verify that the table comes from an authorised source before executing the code. This improves security in that it is assured that the code comes from the proper source.
It is further advantageous that the digital television system is a broadcast system. This way, it is easy to force an action in many terminals with a single table.
In a second aspect, the invention extends to a terminal in a digital television system. The terminal that allows the forcing of at least one action comprises a receiver for receiving a public table with a private descriptor comprising code, which when executed by the terminal will perform the at least one action. The terminal also comprises a memory for storing code and a processor for extracting the code from the table, storing the code in the memory, and executing the code.
As detailed hereinbefore with reference to the first aspect of the invention, this allows the terminal to be made to automatically perform an action, without user intervention.
As before, it is advantageous that the terminal's actions are performed on the hardware level.
In a third aspect, the invention extends to a public MPEG table that has a private descriptor comprising code destined to be executed by a terminal in the MPEG system.
The public table allows the method of the first aspect of the invention to be performed.
Preferred features of the present invention will now be described, purely by way of example, with reference to the accompanying drawings, in which:
An overview of a digital television system 1000 according to the present invention is shown in
A MPEG-2 compressor 2002 in a transmission system 2030 (also called transmission centre, broadcast centre or broadcast system) receives a digital signal stream (typically a stream of video signals). The compressor 2002 is connected to a multiplexer and scrambler 2004 by linkage 2006. The multiplexer 2004 receives a plurality of further input signals, assembles one or more transport streams (TSs) and transmits a MPEG-2 bit stream comprising compressed digital signals to a transmitter 2008 of the transmission centre 2030 via linkage 2010, which naturally can take a wide variety of forms including telecommunications links. The transmitter 2008 transmits electromagnetic signals via uplink 2012 towards a satellite transponder 2014, where they are electronically processed and broadcast via notional downlink 2016 to earth receiver 2018, conventionally in the form of a dish owned or rented by the end user. The signals received by receiver 2018 are transmitted to a decoder 2020 owned or rented by the end user and connected to a display 2022, which often is the end user's television set. The decoder 2020 decodes the compressed MPEG-2 signal into a television signal for the display 2022.
A security module 2024, commonly in the form of a smart card, capable of deciphering messages relating to commercial offers (that is, one or several television programmes sold by the broadcast supplier), can be inserted into the decoder 2020. Using the decoder 2020 and the security module 2024, the end user may purchase commercial offers in either a subscription mode or a pay-per-view mode. The decoder also comprises a processor (CPU) 2040, a memory 2044 and an input unit 2042 for receiving signals from the receiver 2018.
Referring to
Apart from the tables listed hereinbefore, there are other kinds of public tables that are or may be broadcast in the digital television system 1000, such as Conditional Access Tables (CATs), Network Information Tables (NITs), and Service Description Tables (SDTs), Event Information Tables (EITs), Time and Date Tables (TDTs), and Time Offset Tables (TOTs). The PAT, CAT, PMT and NIT are defined in the Program Specific Information (PSI) extension to the MPEG-2 standard, and the SDT, EIT, TOT, and TDT are optional tables defined in the Specification for Service Information (SI) in DVB systems. In addition to the public tables described hereinbefore, there are also private tables, indicated by a private marker in the table, that can be used for virtually anything that the system operator desires. However, being private, these tables are available only within the system and pirates can relatively easily block them, due to their private markers.
When a decoder connects to a digital television service, it monitors the MPEG-2 bit stream and extracts a number of tables from it, notably the PAT, but also other tables that enable it to select audio and video components. Once connected, it continues to extract and analyse these tables to detect any changes in them owing for instance to: appearance/disappearance of a language for audio and/or subtitles, appearance/disappearance of views in a programme, and changes in access rights. It is easy to appreciate that this monitoring is essential for the functioning of any decoder.
According to the invention, in order to make sure that some or all of the active decoders perform one or more actions, such as downloading the latest version of at least part of the software in them if this is necessary, the system provider regularly broadcasts a Decoder Action Table (DAT) through the transmission centre 2030. The DAT advantageously takes the form of a public table, modified with a private descriptor that comprises executable code, which appears as a string of octets of private data.
The decoder extracts this table and analyses it just like any other table of the kind. The code, preferably a number of consecutive machine language instructions, is extracted and copied into the memory 2044 of the decoder, and executed, either immediately or after a specified delay, although it is conceivable to specify a time at which the action should be performed.
In the case of making sure that the software in a decoder corresponds to the latest version, the code is written to perform the following steps:
All public tables to which a private indicator can be added can be used as a DAT, although some public tables are preferred. All the MPEG2 PSI tables mentioned hereinbefore—with the exception of the PAT, to which, according to the standard, a private indicator cannot be added—and some of the SI tables, for example the SDT and the NIT, can be used as a DAT. In the preferred embodiment, however, the PMT and the CAT are chosen over the NIT and the SDT, as the latter are indispensable, and thus acquired by the decoder, only during the installation procedure when the decoder establishes a list of services and programmes available to it, while the former are mandatory and acquired by the decoder at each programme change. The decoder also uses the PMT to manage video, audio and subtitle streams, even without a change of channel.
According to an embodiment of the invention, as will be further described hereinafter, the DAT 300 is created by putting the private descriptor in the CAT in the descriptor loop 324. It should be noted that the DAT 300 will normally also act as a CAT, i.e. it comprises both the code 328 and the “normal” CAT information.
According to further embodiments of the invention the DAT 400 is created by putting the private descriptor in the PMT either in the program descriptor loop 431, i.e the first descriptor loop in the PMT, or in the stream descriptor loop (the descriptor loop for each stream) 446. It should be noted that the DAT 400 will normally also act as a PMT, i.e. it comprises both the code and the “normal” PMT information.
In the MPEG-2/PSI standard, the maximum length for PMTs and CATs is 1024 bytes. Normally, the length of these tables, without the private descriptor according to the invention, do not exceed 200 bytes, which leaves ample room—at least 800 bytes—for the code. This is enough to enable a very wide range of applications for the code.
The choice of where to include the private descriptor—in a CAT, or in the first descriptor loop 431 or in the stream descriptor loop 446 of a PMT—enables the system operator to control when the code will be acquired by a decoder:
In the preferred embodiment, the private descriptor takes the following form:
If any part of the private descriptor has been encoded, the scrambled mode indicator and the encrypted data are forwarded to the security module 2024 that decrypts the information using the decryption key indicated by the scrambled mode indicator and returns them to the decoder.
The data, if necessary decrypted, is forwarded to the module of the decoder that is responsible for the verification of the validity of the signature. If the validity is verified, the code is extracted and stored (minus the authentication data) before execution.
It should once more be noted that it is possible to have the decoder execute virtually any combination of assembler instructions.
It is preferable to have the instructions of the code act directly with memory addresses and not via symbols and/or variables, as is the case in for instance the programming language C. To ascertain that a code is compatible with a plurality of software versions (that may use different mappings or memory addresses for a given variable), an embodiment comprises a table stored in a predefined place in the memory 2044 of the decoder. The table contains the addresses for the variables used by the code, defined by the system operator. A person skilled in the art will appreciate that this makes the code more generic. However, in a preferred embodiment, the address of the table is provided as a parameter in the broadcast code. It should be further noted that other parameters can be included in the broadcast code to make it even more portable and versatile, such as for example a table of addresses of functions that can be used by the code (for instance functions for reading/writing in a flash file system.
The decoder according to a preferred embodiment of the invention is mostly a conventional decoder. There are however a few modifications to it:
It is preferred that the decoder extracts and executes the code on the hardware level upon reception of the table, as this make it even more difficult for a pirate to circumvent the invention. If the code is signed, authentication of the code is preferably performed before the code is extracted and executed.
The description hereinbefore has in most cases made use of forcing the download of software as an example, but a person skilled in the art will appreciate that the invention may be used to have the user perform other actions, such as for example:
It will be understood that the present invention has been described purely by way of example, and modifications of detail can be made without departing from the scope of the invention.
Each feature disclosed in the description and (where appropriate) the claims and drawings may be provided independently or in any appropriate combination. Features described as being implemented in hardware may also be implemented in software, and vice versa.
The number N herein is used simply to denote that a value is variable; it should not be taken to understand that two or more Ns share the same value, except when they clearly refer to the same item.
Reference numerals appearing in the claims are by way of illustration only and shall have no limiting effect on the scope of the claims.
Number | Date | Country | Kind |
---|---|---|---|
04300507.3 | Aug 2004 | EP | regional |