Close
0%
0%

Shenanigans with Directv and Dish Satelitte DVRs

This project is in an ongoing state, and it is also in a research state. The end goal Besides a FW Dump, is to load a custom OS
with desktop

Public Chat
Similar projects worth following
I have already run some file recovery software on the drives, in hopes of finding the firmware, and was met with nothing of extrodinary interest but M2ts files that are audio , flv files that are audio, a very large TIF file, and a few other interesting things.

08/5/2024 I have successfully created .img files of the partitions, and managed to extract some data from one. I found quite a bit of interesting sutff, between drivers, and standard linux stuff, to some custom scripts. Unfortunately, my capabilities are limited as I use windows as my daily driver, and linux is just something i use on occasions. But along the road, i have learned quite a bit about these boxes. They arent arm, or risc v, or power pc even. We're talking MIPS. With a 1 TB hard drive.

Note : this is for the directv Box.

I have a MEGA archive of some of the dish stuff, as well. nothing exciting there.

Disk Image of sdb1 (2024-08-05 2012) SWAP.txt

Text file of the .IMg of the swap Partition.

plain - 1.46 MB - 08/07/2024 at 17:50

Download

a.7z

This folder contains NMAP scans, and all ports found to be open

x-compressed - 15.07 kB - 08/05/2024 at 17:30

Download

  • 3 × Dish/Echostar/Bell Express ViP 722K DVR/Reciever
  • 2 × Dish/Echostar ViP 612 DVR/Reciever
  • 1 × DirecTV HR44-500 (Humax)
  • 1 × DirecTV HR44-200 (Samsung)
  • 1 × DirecTV HR54-500

View all 6 components

  • Another Brick in the wall

    Julian R08/31/2024 at 16:26 0 comments

    At this point, without SPI or something sort of hardware, there's not much more I can do, at least at the software level. I have to get down to the hardware level and physically interrupt the boot process to even get a boot loader screen. If anyone would like to donate the hardware necessary for it, I would be more than grateful. Unfortunately, I do not have the monetary resources at this time to get JTAG and UART things, nor do I posses the knowledge Necessary for doing this. This Project has Public chat enabled, so feel free to engage there, and pursue this on your own!

    But, yes, I have hit a stone wall so to speak as I am unsure where to go from here.

  • This is interesting, very interesting indeed

    Julian R08/11/2024 at 04:09 1 comment

    So, Digging through another drive, i thought i saw a folder i hadnt seen before, Turns out, -I have seen it before, i just enver opened it.
    If we open this folder we a refrence to a bunch of  stuff related to Ucentric. Upon doing some research, it appears the company no longer exists, and I found a SEC document on the interwebs.

    http://www.sec.gov/Archives/edgar/data/1088825/000119312505077754/d10k.htm


    There's a link to it, for anyone who wants to laminate their eyes with this small print text and legal jargon.

    The only particularly interesting thing ive seen is that the ucentric contract ended and they went to NDS ...
    "Our current development agreement with DIRECTV expires in February 2007. Afterwards, while DIRECTV will have the option to continue to service the existing DIRECTV receivers with TiVo service without further payment to us, it will not be able to add new DIRECTV receivers with TiVo service unless DIRECTV elects either to purchase a royalty-bearing technology license from us or to renew or replace our current agreement.

    DIRECTV has recently announced that its core initiatives and new customer acquisition will focus on its new DVR from NDS. We expect that our DIRECTV subscription growth rate may decline in the future."

     
    I then on a forum found this gem of info :
    https://web.archive.org/web/20240811035349/https://www.dbstalk.com/threads/directv-nds.116372/

    NDS did the work on the R15/16

    DirecTV did the work on the HR20/21

    And They have just renewed thier contract with NDS as well. Well, I say Just renewed.. it was renewed back in 2011, and i have learned that they use a system called NDS VideoGuard, which is so "secure" it has never been fully hacked.
    https://web.archive.org/web/20221018233539/https://blog.solidsignal.com/tutorials/what-is-videoguard/


    I hate to burst their bubble, nothing is secure. Everything made by man will fail.

    I figure with enough research , we could possibly breakthrough this system, not to recover the video files, but to see what filesystems are used on these DVRs


  • What in the name of mike?

    Julian R08/10/2024 at 03:38 0 comments

    Ok, now im stumped. I plopped in one of the other drives, expecting it to be identical , because they run the same software at a basic level,  whatever the software that they run is.. it wasnt the same. at least not the exact same. They were for sure similar in terms of files and folder structure.

    But digging through both of the DirecTV hard drives i have mounted in windows using some special software, we see this file which is a cipher key if I did my research properly.Ive tried using imHex, notepad++ , and notepad to try and tell me what it might be for, but im not sure. Especially since it was in "shef\archivein ita_data\apps\4176_1
    we find the guide banners for ads
    and here is the JPGs  from the raven folder within the assets folder  * actually they were PNG , but hackaday doesnt like PNG for some reason.


  • Good News Everyone!

    Julian R08/09/2024 at 05:17 0 comments

    We believe we have found the firmware. It appears to be cleverly disguised as something else. Bin walk confirms our suspicions. About to load it into a hex editor to see what secrets it holds. This likely is not the full install of the OS, very likely just the basic firmware for the board itself.

    Digging through these folders at the ungodly hour of 1224 AM, we find a interesting folder that holds diagnostic logs, these could be potentially useful, lets make note of the location and continue delving through this drive
    Diagnostic files

  • OO VERY SCARY

    Julian R08/08/2024 at 05:05 0 comments

    You want to login properly right?

    well you have two options, use the hard coded Root password OR run john . You could also just UART and/or JTAG into the system, but that just gives you a busy box shell with no ability to interact with the system.

    WIll update this page when there is more information to be shared. If you've made it this far, congrats!

  • WooHoo!

    Julian R08/08/2024 at 01:53 5 comments

    Woohoo! finally managed to mount the elusive XFS partition on one of the many Directv hard drives I own. We managed to mount the following path :  
    Z:\backup\viewer\indexfile\Rcrd-01-15-2020-0059-30-11698880TransportMPEG-DIRECTV_A3_MPEG4_AC3-ch38-min0-0.mpg

    Upon doing some more digging in the drive, we find all sorts of potentially exciting things. however, we havent figured out what that Main filesystem is , or what the very last partition on the disk  file system is.

    There's a couple other folks ive reached out too and they're attempting to restring together the M2TS files from a drive, just for the sheer sake of it. Due to DMCA, we obviously wont post those files, as we again dont want layers coming after us, not that we have anything against lawyers.. The lawyers just deserve to deal with better more exciting things rather than something as petty as copyright issues. patents, DMCA, royalties, is just a bunch of bahumbug .. its pointless.
    Digging back through that root directory of the parition we find a folder named bob that has a payload folder in it. No idea what it does, but it has "file" files in it, so it has to be something. Whether or not it is of use to us remains to be seen .


  • We Dig Dig Dig Dig Dig Dig Dig...

    Julian R08/07/2024 at 03:33 0 comments

    I finally managed to load that swap partition .img into an editor that wont crash when i try to view the .img file. 7ZIp didnt like it , so i had to use the best alternative i had, VS Code. Found loads of interesting stuff. there was a lot of gibberish in there, but saw some plaintext that i recognized.

    I have pasted some of the code below.
    Keep in mind this is raw data, so theres going to gibberish. I know some folks on reddit have had some luck accessing the busybox shell via JTAG/UART, but i am not so equipped, so I am doing this the in my opinion rather fascinating way. I've removed most of the code here below so i dont get a herd of lawyers coming after me... but then agian.. linux is open source. And I do own these DVRs so I mean it is kinda a grey area. But yea, read on if you like, you have been forewarned.

    I also changed the RID in the text as well in case some one didnt de activate thier reciever  before donating it to the local thrift shop.

    Read more »

  • Oops. Forgot the link to the archives

    Julian R08/06/2024 at 02:09 0 comments

    Forgot to link to the Mega.nz archive.
    https://mega.nz/file/JYoDTapL#FybHQer4TsYxazRPNYuO54Z5Wi-S4hBhdArceToOiAo
    I have a secondary link in case this gets taken down. Note : this for a dish Network 722K with the partions that are able to mounted.

  • An Update

    Julian R08/06/2024 at 01:58 0 comments

    08/5/2024 I have successfully created .img files of the partitions, and managed to extract some data from one. I found quite a bit of interesting sutff, between drivers, and standard linux stuff, to some custom scripts. Unfortunately, my capabilities are limited as I use windows as my daily driver, and linux is just something i use on occasions. But along the road, i have learned quite a bit about these boxes. They arent arm, or risc v, or power pc even. We're talking MIPS. With a 1 TB hard drive.
    Note : this is for the directv Box.
    I have a MEGA archive of some of the dish stuff, as well. nothing exciting there.

View all 9 project logs

  • 1
    Instructions for DirecTV Systems

    1. Obtain a DirecTV DVR , preferably one thats no longer in service.

    2. Crack that sucker open, you'll need some torx drivers, and some patience, I've managed to get into these without tools at least for getting the cover off that is. I have been able to pry them apart with just sheer force, and of course having leverage. I recommend doing this on a soft surface, such as a rug or couch, or something to absorb the blowback so to speak hitting your elbows on something is not a pleasant experience.

    The process is pretty much the same for all units, and please note the project itself is only for the DVR units, I do not know if this applies to the other units, such as the D10, H10,H20,h24, etc. You know you have a DVR based model if its got "HR" in the name . This could potentially apply to the genie server 2 as well, ( i believe that model # is HS-17 but don't take my word for it haha)

    3. Once you're in, power it back up again, just to verify functionality as a sanity check. If it still boots you're good to go, just let it finish the boot process and once you see a 775, or 771 or similar error message, power 'er down and lets get digging.

    3a. Dont discard the unit , you'll need it if you want to run a custom OS on it.

    3b. The metal catches in the plastic cover may fall depending on age of the unit , and other vairables, dont worry about them, they're to keep folks like us out of them. Little do they know, if someone wants inside it, someone will find a way in.

    4. Use your torx or phillips bits depending on the model to unscrew the hard drive caddy and remove the hard drive.

    BEFORE REMOVING THE HARD DRIVE FROM THE DVR, TAKE A PICTURE OF HOW IT FITS WITHIN THE UNIT FOR REFERENCE PURPOSES SO YOU CAN "PROPERLY" RE ASSEMBLE THE UNIT. DON'T BE LIKE ME AND FAIL TO DO SUCH A THING AND HAVE THE DRIVE JUST FLOATING AROUND IN THE DVR, COMPLETELY UNSECURED.

    You see those nice big heat sinks? keep them, they'll be great for any other projects you may have, such as aiding a passively cooled AV Receiver in cooling. Or you can take them off for now, so you can clone the drive if you're simply wanting to plop an SSD into there or backup your drive. You'll of course need something like a HDD docking station with at least two bays.

    5. Once done with the above, you can take this over to your linux box or windows box and run a program called disk digger, or use some opther forensics software if you want if you want to modify the original drive. If you find .tar.gz files those are firmware likely, and if using disk digger it'll show the size as zero and ask you what you want to recover.
    I have not been able to successfully figure out what size it is.

    6. with all the basics out of the way, feel free to have fun, and report back any particularly useful information. IM here for support if you need it, i even have a disocrd server setup, in case this project sparks interest.  I do plead of you to report back any info you may find interesting with these systems.



    _________________________________________________________________________



  • 2
    Instructions for Dish

    1. The instructions are roughly the same for the dish ViP systems...

    2. Remove the cover by unscrewing the black screws on the back of the box

    3. Open it up, and marvel at how much dust  there may or not be, and those big SOC's (usually Broadcomm 7430's or STI Chips)

    4. Remove the hard drive and fan assembly.

    - IMPORTANT! WEAR BASIC WORK GLOVES FOR THIS STEP, THERE ARE SHARP EDGES THAT CAN CAUSE 'MYSTERY CUTS' TO YOUR HANDS, FINGERS, AND KNUCKLES.
     - USE COMMON SENSE, DE ENERGIZE (UNPLUG) THE APPLIANCE AND ENSURE YOU ARE ELECTROSTACIALLY GROUNDED ( if you really want to be picky , i personally didnt ESD ground myself when opening these up, and they still work) 


    5. There are a total of four screws holding this brakcet that hangs the HDD and fan in both units. No need to worry about which way it goes in, its pretty self explanatory.

    You have two on the back, and two on the front behind the faceplate.

    You will need to remove the faceplate to gain access to the other screws.

    6. Gently remove the faceplate by pushing the plastic clips or legs from inside the machine out, or put it on its side, and gently pry with #1 flat head or pry tool at the plastic clips therye pretty obvious as they are black on silver , but here is a picture or two to help . https://imgur.com/a/1phIgln - has all the images

    7. BEWARE LOCKING POWER AND SATA CONNECTORS PRESS METAL CLIP TO DISCONNECT, DONT BE A DUMMY!

    8. Dont worry about that warranty void sticker, if it falls off, it falls off. Gently lift the Bracket assembly out of the dvr, undo the four screws holding in the HDD, and gently take it out. Dont drop it, as you likely Already know that Hard drives DO NOT like being dropped. Id reccomend doing this in a powered off state, doing this process in a powered on state, well lets just say you might be lucky if you still have your vision or a house. Simply put, dont do this with the thing plugged into the wall, we don't need any sparky sparky. Sparky Sparky + Sensitive electronics does not equal a fun time.

    9. The rest is pretty straight forward, post your findings in the chatroom or discord server (TBA)

View all instructions

Enjoy this project?

Share

Discussions

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates