Analysis: Optus Fetch Mighty DVR Hard Drive

Walking around the neighbourhood one day, I come across a pile of discarded technology. Another salvage opportunity. I’m so excited … and I just can’t hide it!

In the pile of junk, I find an Optus Fetch Mighty DVR. It seems to be a common tactic amongst telecommunications companies to try and bundle as many services into a bill as possible on the appearance that it helps the consumer by offering them a more competitive deal. But in reality, it’s also a tactic that is used to try and ensure that the customer doesn’t take parts of their business elsewhere by ensuring that the cost of unbundling makes it uneconomical. As a result, most of the larger telcos have gone even to bundle “over-the-top” services (e.g. Foxtel Go, Stan, Fetch TV, Netflix, Vodafone TV). This often means providing hardware as well.

I suspect the DVR is a remnant of a contract that had run its course and been terminated. As much of the hardware is restricted to work with an active account of a particular provider, it becomes quite useless once you’re not a customer anymore. As a result, this Fetch Mighty sat on the kerbside in the cold.

I have absolutely no interest in getting the unit to work. After all, I don’t even watch pay TV in any form at all and even free-to-air doesn’t get much of my attention anymore. But what did get my attention was the weight of the unit. I could tell from the weight alone that it would mean a free hard drive.

The Drive

In my haste to clean up and throw out any unnecessary bits, I decided to take apart the unit destructively and without documenting it. I only realised my mistake when I started investigating the drive …

The drive was a Western Digital GreenPower series drive of 1Tb capacity. The WD10EURX belongs to the WD AV family, optimised for video applications. The manufacture date was 1st September 2015, making it under three years old. It could have conceivably still been under warranty had it been provided as a retail unit. A free 1Tb hard drive? That would be nice.

A standard SATA interface, and nothing particularly unremarkable about the mounting holes. It’s just like any other hard drive.

Shoving it into my USB dock, the drive came up just fine with about 11,000 hours on the clock and no negative indications in the SMART data. It’s probably healthy enough to re-use.

A smooth transfer rate curve averaging 117.3MB/s suggests the drive is indeed healthy.

It passes a surface scan as well. The surprise came when I tried to analyze the data on the drive.

The drive had an MBR partition table, but the filesystem used is XFS starting at sector 1 (which would make it technically unaligned with the 4K Advanced Format sector format). I didn’t even know about this filesystem, so I had to look it up. The fact it was related to Silicon Graphics Incorporated and their IRIX operating system was rather unexpected. I’ve never met anything that used this filesystem, nor a drive with the filesystem on it. One interesting relevant feature is the support for guaranteed-rate I/O which might be vital for a system which might be recording a number of streams simultaneously while playing back another.

Luckily, most Linux distributions do support reading it, so I can see what’s inside. Unfortunately, it seems the permissions are also enforced by default and stops you from doing much without either remounting it specially or (crudely) changing the permissions for everything recursively. I decided to just copy off all the data and look at it elsewhere.

The directory tree gives us a few clues. First of all, there is likely an SQL database of sorts as there are text files with SQL commands in them. The recordings are all in PVOD, with ads in VASTads. The unit probably supports DLNA. The rwtest folder may be for drive benchmark temporary files. The takincookies folder is a cookie jar for various services that can be accessed via the Fetch unit. TMP_DOWNLOADS seems only to hold historical firmware update files. The total amount of data was only about 20Gb … so it seems whoever previously owned it didn’t record much or deleted most of their recordings.

Playing back any of the recordings isn’t possible, instead, it results in corruption on the screen. Clues are not found in MediaInfo which seems to imply the metadata for the file is “normal” with the exception that it is a transport stream file.

General
ID : 0 (0x0)
Complete name : 22938.LetMeIn_Feature_25_Stereo_SD.ts.VPP.mpg
Format : MPEG-TS
File size : 1.90 GiB
Duration : 1 h 55 min
Overall bit rate mode : Variable
Overall bit rate : 2 354 kb/s
FileExtension_Invalid : ts m2t m2s m4t m4s tmf ts tp trp ty

Video
ID : 2064 (0x810)
Menu ID : 1 (0x1)
Format : AVC
Format/Info : Advanced Video Codec
Format profile : [email protected]
Format settings : CABAC / 4 Ref Frames
Format settings, CABAC : Yes
Format settings, RefFrames : 4 frames
Codec ID : 27
Duration : 1 h 55 min
Width : 720 pixels
Height : 576 pixels
Display aspect ratio : 16:9
Frame rate : 25.000 FPS
Standard : PAL
Color space : YUV
Chroma subsampling : 4:2:0
Bit depth : 8 bits
Scan type : Progressive
Color range : Limited
Color primaries : BT.601 PAL
Transfer characteristics : BT.470 System B, BT.470 System G
Matrix coefficients : BT.470 System B, BT.470 System G

Audio
ID : 2068 (0x814)
Menu ID : 1 (0x1)
Format : AAC
Format/Info : Advanced Audio Codec
Format version : Version 2
Format profile : LC
Muxing mode : ADTS
Codec ID : 15-2
Duration : 1 h 55 min
Bit rate mode : Variable
Channel(s) : 13 channels
Channel positions : , Side: 6, Back: 6, LFE
Sampling rate : 48.0 kHz
Frame rate : 46.875 FPS (1024 SPF)
Compression mode : Lossy
Language : English

But analysing it properly with TSreader seems to show that the data streams are encrypted with a conditional access system – likely Verimatrix. The packets don’t have the encrypted flag set, explaining why media players still attempt to play it.

The ads however, are not encrypted and can be watched just fine. But who wants to watch those?!

I didn’t work out the format of the firmware files – they’re about 45Mb a piece, but the header at the beginning was rather interesting. M605T refers to the model number, but the firmware seems to be written by a Beijing Yuxing Software CO., Ltd. Its rather interesting given the large amount of push-back with Chinese equipment in the telecommunications sector (e.g. US vs Huawei and ZTE) that this may well be a trojan horse. It seems they’re responsible for a number of other set-top boxes for Huawei and PCCW as well. The name wangnuo may refer to the user who built the firmware, dated 4th April 2017 at 18:37:50 CST (presumably China Standard Time).

Conclusion

I salvaged a Fetch TV DVR off the side of the road to gut it for its hard drive, but ended up learning about a filesystem I never heard of, the folder arrangement, the encryption used on recordings and the company responsible for making the unit.

About lui_gough

I'm a bit of a nut for electronics, computing, photography, radio, satellite and other technical hobbies. Click for more about me!
This entry was posted in Salvage and tagged , , , , , , . Bookmark the permalink.

7 Responses to Analysis: Optus Fetch Mighty DVR Hard Drive

  1. rasz_pl says:

    You got lucky!
    Most DVRs (and game consoles like Xbox) use ATA security password, or even proprietary firmware DVR mods (locked HPA access, locked translator, spindown on boot etc), all on top of encryption making harddrives mostly useless. ATA security can be bypassed with working unit using hot swap trick (power up in the unit=hdd gets unlocked, hot swap signal cable into computer, permanently remove password on unlocked drive) or sniffer(https://prezi.com/k1xduox30soj/open-sesame/). Then you have expensive forensic toys like Atola/Sediv/PC3000 (>couple $K) or hacks for specific models https://github.com/BlackLotus/seaget or ZU unlocker http://www.hddoracle.com/viewtopic.php?f=95&t=166. Some read raw hdd platters using undocumented ATA commands(Vendor Specific Commands), while others talk to disk over serial debug console like that github project. Example of undocumented ATA commands for accessing/writing locked drives http://forum.hddguru.com/viewtopic.php?t=8374 http://yura.puslapiai.lt/files/wd/mhdd/

    HDD recovery is a a fascinating subject ;o)

    • lui_gough says:

      I suppose you’re right – I never even thought about ATA Security when I pulled the drive, as most DVRs I’ve dealt with haven’t used such features. That being said, if all I was looking for was to reuse the drive, an ATA Security Erase should release the drive at the cost of destroying all the data onboard. I suspect with this type of DVR, they may feel that the application of a CA system to the content data (which probably uses the industry standard CSA algorithm much like digital satellite TV does) would be enough to protect the rights of the content and keep the licensor happy.

      – Gough

      • rasz_pl says:

        Its not that trivial, secure ease requires you to know user password 😉
        Dont even get me started on OPAL SSDs, some of those are sold without PSID (oem samsungs for example) and cant be unlocked _at all_ if password is lost, forget password = expensive paperweight.

        Locking drives with ATA Security or even proprietary firmware mods is not , at least not primarily, for data security. HDD vendors offer preferential bulk discounts for OEM clients willing to take steps preventing drive reuse.

  2. David Sutherland says:

    If the adverts could be cleanly bundled, say, with metatagged witg date and channel recorded, saving a constant week’s recording of them would make for a nice time capsule. Ironically ithe ubiquitous free stuff no one in the future seems to save a lot of. If Pandora NLA wouldn’t archive them due to copyright I’m sure Internet Archive would. Sounds like a neat find.

    • lui_gough says:

      Also very true. I do like watching some of the old ads – it’s like having a time capsule. Copyright is a big issue though. The Fetch VASTads folder contains unencrypted files but of varying lengths and resolutions – it suggests they are all served over IP as “interstitial” ads rather than recorded off the air and tagged. As a result, they’re not exactly the same ads you might find on FTA television that most people might remember, and the quality is oddly awful for some of them (360p or thereabouts).

      – Gough

      • rasz_pl says:

        oh this is evil, like smart TV(lg/samsung do this) spying on you and arbitrarily injecting vendor advertising on top of your content.

      • William says:

        I would suppose that high resolution and bitrate aren’t so important for the erm… “appreciation” of commercials.

        Just look at OTA digital television; shop-at-home channels (at least here in the US) are run at really nasty low quality, yet it’d appear that they continue making enough sales to justify keeping the channel running 24/7.

        As long as you can talk the product up and run some sparkly lights or something to hold attention, even a bleary visual representation of the product is apparently enough.

Error: Comment is Missing!