Hi all, exciting news! After more research, digging, and tinkering, it’s become clear to me that these DVRs and receivers can run just about any OS you throw at them—well, sort of.
For example, We recently got our hands on a Scientific Atlanta box running a TiVo‑skinned OS. I hooked it up to a Suddenlink cable CMTS and managed to get it running in Cisco’s SARAH environment. Before that, of course, we scanned the drive to see what we could uncover. Unfortunately, our host machines didn’t play nicely with the drive and kept crashing whenever the TiVo data from that Scientific Atlanta box was accessed.
This was all done in coordination with my good friend Mixer, whom I’ve known for a couple of years. Together we’ve tackled many interesting projects—switching between our emulation project (currently shelved due to technical constraints that require further research to make it work as a JIT compiler) and reverse‑engineering ISP cable systems on the firmware side, using publicly available resources.
Along the way, we’ve come across boxes running Flash Player, Opera browser, and other unexpected software. All very fascinating details! I can’t share too much just yet—I have to keep you on your toes—but I promise there’s more to come.
So for any whom may be wondering, the project is not dead. Im currently working on attempting to build a program that translates the MIPS code into a x64 version, and vice versa. It also aims to emulate the UVerse CMTS, and RDK CMTS. It is believed to be all docsis. I have no experience actually making a program to do this, so ive used some hand coding with some friends, AI, and some of my own code from other projects, and what little bit of C# I know from highschool. Processor-Emulator/ at dev · julerobb1/Processor-Emulator julerobb1/Processor-Emulator: Win 32 To arm, mips, RIsc, PPC emulator
Ok, since the dumb post creator deleted what i had the first time, here's an update.
1. We got the Menus from the firmware and the whole implementation is quite weird. They use .mpg for the menu and guide, and panel components.
2. We have the firmware images
3. The Viewer folder is a very Large folder as it houses the segments folder. The segments folder houses what i believe to be all the recordings for the DVR.
now, all this is hosted on a single 15GB partition on the drive. But yet that segments folder amounts to 695 GB,
4. We have the bong sound , yes. The directv "no" bong sound. 5. the swdl folder contains our firmware, in a .CSW file format. You can view the contents by utilizing winrar or 7 zip and using the Open Archive > "# " flag in the context menu, 6. In that .csw file the opt and etc folders are full of fun and fascinating goodies, between weird file names, .sh files, .pcm files, and so much more. I wont spoil the fun for you, after all you chose to take the time to join me in this adventure. 7 - A side note, dont go publishing this stuff all around the interweb posting that you 'hacked' something when really all you did was mount the partition of a hard drive, in your home, that you use - indirectly.
8. I am not responsible for your actions, if you get yourself sued, well buddy, thats on you. Im only doing this because I wanted to know how these boxes work, and if i could turn them into something useful like say a pi Hole ad blocker, or a very janky home media server. Forget using it for sattelite TV , use it for NAS instead!! 9. the drive uses a JFFS 2 File system , and it cant be easily mounted in my experience.
10. i am writing this at 12:15 am before my body says "no more" and i pass out from needing sleep>
Just wanted to share this exciting update with you.
Ill leave some images here for PoC , and I wont spoil the fun of letting you hunt through your own DVR
*Disclaimer- I Cannot gurrantee every file will be exactly the same, due FW revision, OEM, drive size, etc. Every drive and box is unique, so some will be the same, some wont. Based on experience.
DTV, and DISH, Xfinity, If you're seeing this, Please do not take legal action against me, I am simply doing this as I cannot get a job no matter where I apply. This is the only thing keeping me sane with my Job hunt. Besides, I am quite certain you would appreciate free pentesting on your IoT devices you give to consumers.
So I have an update.. a rarther interesting one. These boxes are running on Vxworks 5.52 Kernel version 2.11. Vx works is a OS made by wind River systems, and iirc, this was one of a handful of multiple versions that had some major vulns.
At this point, without SPI or something sort of hardware, there's not much more I can do, at least at the software level. I have to get down to the hardware level and physically interrupt the boot process to even get a boot loader screen. If anyone would like to donate the hardware necessary for it, I would be more than grateful. Unfortunately, I do not have the monetary resources at this time to get JTAG and UART things, nor do I posses the knowledge Necessary for doing this. This Project has Public chat enabled, so feel free to engage there, and pursue this on your own!
But, yes, I have hit a stone wall so to speak as I am unsure where to go from here.
So, Digging through another drive, i thought i saw a folder i hadnt seen before, Turns out, -I have seen it before, i just enver opened it. If we open this folder we a refrence to a bunch of stuff related to Ucentric. Upon doing some research, it appears the company no longer exists, and I found a SEC document on the interwebs.
There's a link to it, for anyone who wants to laminate their eyes with this small print text and legal jargon.
The only particularly interesting thing ive seen is that the ucentric contract ended and they went to NDS ... "Our current development agreement with DIRECTV expires in February 2007. Afterwards, while DIRECTV will
have the option to continue to service the existing DIRECTV receivers with TiVo service without further payment to us, it will not be able to add new DIRECTV receivers with TiVo service unless DIRECTV elects either to purchase a royalty-bearing
technology license from us or to renew or replace our current agreement.
DIRECTV has recently announced that its core initiatives and new customer acquisition will focus on its new DVR from NDS. We expect that our DIRECTV subscription growth rate may decline in the future."
I hate to burst their bubble, nothing is secure. Everything made by man will fail.
I figure with enough research , we could possibly breakthrough this system, not to recover the video files, but to see what filesystems are used on these DVRs
Ok, now im stumped. I plopped in one of the other drives, expecting it to be identical , because they run the same software at a basic level, whatever the software that they run is.. it wasnt the same. at least not the exact same. They were for sure similar in terms of files and folder structure.
But digging through both of the DirecTV hard drives i have mounted in windows using some special software, we see this file which is a cipher key if I did my research properly.Ive tried using imHex, notepad++ , and notepad to try and tell me what it might be for, but im not sure. Especially since it was in "shef\archivein ita_data\apps\4176_1 we find the guide banners for ads and here is the JPGs from the raven folder within the assets folder * actually they were PNG , but hackaday doesnt like PNG for some reason.
We believe we have found the firmware. It appears to be cleverly disguised as something else. Bin walk confirms our suspicions. About to load it into a hex editor to see what secrets it holds. This likely is not the full install of the OS, very likely just the basic firmware for the board itself.
Digging through these folders at the ungodly hour of 1224 AM, we find a interesting folder that holds diagnostic logs, these could be potentially useful, lets make note of the location and continue delving through this drive
well you have two options, use the hard coded Root password OR run john . You could also just UART and/or JTAG into the system, but that just gives you a busy box shell with no ability to interact with the system.
WIll update this page when there is more information to be shared. If you've made it this far, congrats!
Woohoo! finally managed to mount the elusive XFS partition on one of the many Directv hard drives I own. We managed to mount the following path : Z:\backup\viewer\indexfile\Rcrd-01-15-2020-0059-30-11698880TransportMPEG-DIRECTV_A3_MPEG4_AC3-ch38-min0-0.mpg
Upon doing some more digging in the drive, we find all sorts of potentially exciting things. however, we havent figured out what that Main filesystem is , or what the very last partition on the disk file system is.
There's a couple other folks ive reached out too and they're attempting to restring together the M2TS files from a drive, just for the sheer sake of it. Due to DMCA, we obviously wont post those files, as we again dont want layers coming after us, not that we have anything against lawyers.. The lawyers just deserve to deal with better more exciting things rather than something as petty as copyright issues. patents, DMCA, royalties, is just a bunch of bahumbug .. its pointless. Digging back through that root directory of the parition we find a folder named bob that has a payload folder in it. No idea what it does, but it has "file" files in it, so it has to be something. Whether or not it is of use to us remains to be seen .
Julian R
and here is the JPGs from the raven folder within the assets folder * actually they were PNG , but hackaday doesnt like PNG for some reason.
Digging through these folders at the ungodly hour of 1224 AM, we find a interesting folder that holds diagnostic logs, these could be potentially useful, lets make note of the location and continue delving through this drive 
Digging back through that root directory of the parition we find a folder named bob that has a payload folder in it. No idea what it does, but it has "file" files in it, so it has to be something. Whether or not it is of use to us remains to be seen . 