inspecting direct tv hd dvr network traffic


I recently upgraded my satellite service to the Direct TV HD+ and an HD DVR receiver. Upon receiving my new receiver, I discovered that in order to access the On Demand content, the receiver had to be connected to a network and have internet access. The network setup was simple: connect it to the switch and it grabbed its network info from DHCP. This is where the security geek in me got curious: what exactly is this fancy new receiver sending/receiving on the wire?

I started with a simple tcpdump capture. I was really curious to see what type of network traffic was being transmitted. Everything initially looked standard: ARP requests, DHCP, etc.; then it began broadcasting out UPnP data, and this is where I got really interested.

Looking into the full packet of the DVR’s UPnP broadcast revealed some interesting information about the device itself:

11:18:33.158243 IP 10.0.0.7.49152 > 239.255.255.250.1900: UDP, length 350
E..z..@…{r
……….l.fB.NOTIFY * HTTP/1.1
Host: 239.255.255.250:1900
Cache-Control: max-age=1800
Location: http://10.0.0.7:49152/virtual/description.xml
NT: upnp:rootdevice
NTS: ssdp:alive
Server: Linux/2.4.29-uclibc-brcm, UPnP/1.0 DIRECTV JHUPnP/1.0 DLNADOC/1.00 DIRECTV VIIV devices INTEL_NMPR/2.1
USN: uuid:29bbe0e1-1a6e-47f6-8f8d-005094f8340d::upnp:rootdevice

Based on this single packet alone, I’ve learned a lot about what makes my DVR tick. First, we can ascertain that it runs μClinux and is booting the 2.4.29 kernel. We can also make an educated guess that it is using μClibc, which is a small C standard library intended for embedded Linux systems. The next piece of information we can gather about the DVR is that it possibly has an internal media server. I gathered this from the references to VIIV and INTEL NMPR 2.1 in the server string, which are key components of the Netgear Digital Entertainer.
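The same reading of the packet can be automated when auditing what devices on a home or lab network advertise about themselves. The following is an added example, not code from the original post: the function names and returned field names are my own, and the sample payload is the NOTIFY from the capture above retyped as text.

```python
import re
from urllib.parse import urlparse

# UDP payload of the NOTIFY shown above, retyped without the binary header bytes
SAMPLE = (
    "NOTIFY * HTTP/1.1\r\n"
    "Host: 239.255.255.250:1900\r\n"
    "Cache-Control: max-age=1800\r\n"
    "Location: http://10.0.0.7:49152/virtual/description.xml\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "Server: Linux/2.4.29-uclibc-brcm, UPnP/1.0 DIRECTV JHUPnP/1.0 "
    "DLNADOC/1.00 DIRECTV VIIV devices INTEL_NMPR/2.1\r\n"
    "USN: uuid:29bbe0e1-1a6e-47f6-8f8d-005094f8340d::upnp:rootdevice\r\n\r\n"
)

def parse_ssdp(payload):
    """Return (start_line, headers); header names are lower-cased."""
    lines = payload.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def fingerprint(payload):
    """Summarise what one SSDP NOTIFY discloses about the sending device."""
    start, h = parse_ssdp(payload)
    if not start.upper().startswith("NOTIFY "):
        raise ValueError("not an SSDP NOTIFY")
    # Server header is a list of product/version tokens plus free text
    products = dict(re.findall(r"([A-Za-z_]+)/([\w.\-]+)", h.get("server", "")))
    os_ver = products.get("Linux", "")
    loc = urlparse(h.get("location", ""))
    m = re.search(r"max-age\s*=\s*(\d+)", h.get("cache-control", ""))
    return {
        "kernel": os_ver.split("-")[0] or None,
        "build_tags": os_ver.split("-")[1:],      # e.g. libc and SoC vendor hints
        "products": products,
        "description_host": loc.hostname,
        "description_port": loc.port,
        "max_age": int(m.group(1)) if m else None,
        "uuid": h.get("usn", "").split("::")[0].replace("uuid:", "", 1) or None,
    }

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE).items():
        print(f"{key}: {value}")
```

Anything that shows up in this summary is visible to every host on the same segment, so it is a reasonable starting list for deciding whether the device belongs on its own VLAN.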

This concludes my initial analysis of the Direct TV HD DVR network traffic. I plan to do some further research into this subject, and will post more later. For now, I would like to attempt a full packet capture of a download of On Demand content, to see if I can reassemble the media file and play it on a device other than the DVR itself. I would also like to see if I can exploit the device and gain root access, or cause any kind of abnormal behavior.

Hope you enjoyed reading this post, comments are always welcome. Have fun with this information, nerd it up and don’t blame me if you break something :)

4 Responses to “ inspecting direct tv hd dvr network traffic ”

  1. Greg Says:

    Update your blog!

  2. mike Says:

    where the hell are you? if you’re dead, call me and let me know.

  3. polvott Says:

    Yeah, where the fuck are you man?

  4. cHiKNPad Says:

    MOO!
