Walking around the neighbourhood one day, I come across a pile of discarded technology. Another salvage opportunity. I’m so excited … and I just can’t hide it!
In the pile of junk, I find an Optus Fetch Mighty DVR. It seems to be a common tactic amongst telecommunications companies to try and bundle as many services into a bill as possible on the appearance that it helps the consumer by offering them a more competitive deal. But in reality, it’s also a tactic that is used to try and ensure that the customer doesn’t take parts of their business elsewhere by ensuring that the cost of unbundling makes it uneconomical. As a result, most of the larger telcos have gone even to bundle “over-the-top” services (e.g. Foxtel Go, Stan, Fetch TV, Netflix, Vodafone TV). This often means providing hardware as well.
I suspect the DVR is a remnant of a contract that had run its course and been terminated. As much of the hardware is restricted to work with an active account of a particular provider, it becomes quite useless once you’re not a customer anymore. As a result, this Fetch Mighty sat on the kerbside in the cold.
I have absolutely no interest in getting the unit to work. After all, I don’t even watch pay TV in any form at all and even free-to-air doesn’t get much of my attention anymore. But what did get my attention was the weight of the unit. I could tell from the weight alone that it would mean a free hard drive.
In my haste to clean up and throw out any unnecessary bits, I decided to take apart the unit destructively and without documenting it. I only realised my mistake when I started investigating the drive …
The drive was a Western Digital GreenPower series drive of 1Tb capacity. The WD10EURX belongs to the WD AV family, optimised for video applications. The manufacture date was 1st September 2015, making it under three years old. It could have conceivably still been under warranty had it been provided as a retail unit. A free 1Tb hard drive? That would be nice.
A standard SATA interface, and nothing particularly unremarkable about the mounting holes. It’s just like any other hard drive.
Shoving it into my USB dock, the drive came up just fine with about 11,000 hours on the clock and no negative indications in the SMART data. It’s probably healthy enough to re-use.
The drive had an MBR partition table, but the filesystem used is XFS starting at sector 1 (which would make it technically unaligned with the 4K Advanced Format sector format). I didn’t even know about this filesystem, so I had to look it up. The fact it was related to Silicon Graphics Incorporated and their IRIX operating system was rather unexpected. I’ve never met anything that used this filesystem, nor a drive with the filesystem on it. One interesting relevant feature is the support for guaranteed-rate I/O which might be vital for a system which might be recording a number of streams simultaneously while playing back another.
Luckily, most Linux distributions do support reading it, so I can see what’s inside. Unfortunately, it seems the permissions are also enforced by default and stops you from doing much without either remounting it specially or (crudely) changing the permissions for everything recursively. I decided to just copy off all the data and look at it elsewhere.
The directory tree gives us a few clues. First of all, there is likely an SQL database of sorts as there are text files with SQL commands in them. The recordings are all in PVOD, with ads in VASTads. The unit probably supports DLNA. The rwtest folder may be for drive benchmark temporary files. The takincookies folder is a cookie jar for various services that can be accessed via the Fetch unit. TMP_DOWNLOADS seems only to hold historical firmware update files. The total amount of data was only about 20Gb … so it seems whoever previously owned it didn’t record much or deleted most of their recordings.
Playing back any of the recordings isn’t possible, instead, it results in corruption on the screen. Clues are not found in MediaInfo which seems to imply the metadata for the file is “normal” with the exception that it is a transport stream file.
General ID : 0 (0x0) Complete name : 22938.LetMeIn_Feature_25_Stereo_SD.ts.VPP.mpg Format : MPEG-TS File size : 1.90 GiB Duration : 1 h 55 min Overall bit rate mode : Variable Overall bit rate : 2 354 kb/s FileExtension_Invalid : ts m2t m2s m4t m4s tmf ts tp trp ty Video ID : 2064 (0x810) Menu ID : 1 (0x1) Format : AVC Format/Info : Advanced Video Codec Format profile : [email protected] Format settings : CABAC / 4 Ref Frames Format settings, CABAC : Yes Format settings, RefFrames : 4 frames Codec ID : 27 Duration : 1 h 55 min Width : 720 pixels Height : 576 pixels Display aspect ratio : 16:9 Frame rate : 25.000 FPS Standard : PAL Color space : YUV Chroma subsampling : 4:2:0 Bit depth : 8 bits Scan type : Progressive Color range : Limited Color primaries : BT.601 PAL Transfer characteristics : BT.470 System B, BT.470 System G Matrix coefficients : BT.470 System B, BT.470 System G Audio ID : 2068 (0x814) Menu ID : 1 (0x1) Format : AAC Format/Info : Advanced Audio Codec Format version : Version 2 Format profile : LC Muxing mode : ADTS Codec ID : 15-2 Duration : 1 h 55 min Bit rate mode : Variable Channel(s) : 13 channels Channel positions : , Side: 6, Back: 6, LFE Sampling rate : 48.0 kHz Frame rate : 46.875 FPS (1024 SPF) Compression mode : Lossy Language : English
But analysing it properly with TSreader seems to show that the data streams are encrypted with a conditional access system – likely Verimatrix. The packets don’t have the encrypted flag set, explaining why media players still attempt to play it.
The ads however, are not encrypted and can be watched just fine. But who wants to watch those?!
I didn’t work out the format of the firmware files – they’re about 45Mb a piece, but the header at the beginning was rather interesting. M605T refers to the model number, but the firmware seems to be written by a Beijing Yuxing Software CO., Ltd. Its rather interesting given the large amount of push-back with Chinese equipment in the telecommunications sector (e.g. US vs Huawei and ZTE) that this may well be a trojan horse. It seems they’re responsible for a number of other set-top boxes for Huawei and PCCW as well. The name wangnuo may refer to the user who built the firmware, dated 4th April 2017 at 18:37:50 CST (presumably China Standard Time).
I salvaged a Fetch TV DVR off the side of the road to gut it for its hard drive, but ended up learning about a filesystem I never heard of, the folder arrangement, the encryption used on recordings and the company responsible for making the unit.