In this post I’ll be taking an in-depth look at the Arris VIP2250 DVR. The VIP2250 is one of the DVR models AT&T is currently using for their U-verse digital TV service.
You may notice that some of the VIP2250 boxes carry the Motorola logo, which newer versions are Arris branded. The reason for these discrepancies is because Motorola Home division was acquired by Arris.
Rear Panel Connections
Below is the complete list of input / output connections available on the VIP2250. In my U-verse fiber installation the DVR is connected to the AT&T gateway via ethernet.
- Coax Digital Video Input
- 10/100Mb RJ45 Ethernet Port
- eSATA Port
- Optical Audio Output Toslink S/PDIF
- S-Video Output
- Component Video Output (Pb/Y/Pr)
- 2 x Composite Video Output
- 2 x RCA Stereo Audio Output
- Coax Video Output
- HDMI Digital Output
- USB 2.0 Port
- Power Input (+12V DC)
Under the Hood
Unlike most of other cable boxes I’ve disassembled the VIP2250 requires only a screwdriver to remove the cover. There are 3 phillips screws on the back of the box which secure the cover.
The first thing you’ll see inside is the hard drive. The drive mounting bracket in this unit acts has a heatsink for the CPU.
Behind the Front Panel
In the center of the unit is a bank of 3 status LEDs (link, HD, and record). Just to the right of the record LED is the IR receiver. If you are using an IR extender with this box you should place the infrared transmitter near this location.
Main Circuit Board
Removing the three screws holding the hard drive mounting bracket in place exposes the main board.
The main chip on the board is the Broadcom BCM7405DFKFEBB01G. The BCM7405 is a complete IP DVR system on a chip. The chip has an onboard DDR2 memory controller and support for two SATA-2 storage interfaces.
The BCM7405 product brief contains a general overview of the features supported by this chip. Much more detailed information about this chip can be found in the schematic diagram.
The chip is designed to support Ericson Mediaroom (formerly Microsoft Mediaroom). Mediaroom is a complete IPTV delivery platform which is very popular among cable companies.
UART Serial Port
Near the lower right side of the board I discovered a 5 pin header labeled UART. Typically serial ports are not this easy to find but this one was clearly labeled.
Since this serial port could provide access to the boot loader I sought out to determine if it was an active port. I found a very useful guide to reverse engineering serial ports which assisted in the process of determining the pinout and other characteristics.
My fluke multimeter proved to be very useful in the process of assessing the UART pins. A logic analyzer would have been helpful as well but I didn’t have one on hand.
Using continuity mode on the meter I started searching for ground pins by connecting one lead to the chassis and probing each pin one at a time. I found that pins 1 and 5 were directly connected to ground.
Next I switched my meter into DC voltage mode and started searching for VCC. With one lead of the meter on ground I probed each of the pins. Pins 2 and 3 measured +3.3 volts, making each a possible candidate for VCC. Although each of them could also be the TX pin.
In TTL serial TX is constant at VCC (logic high) is pulled low for a 0 (logic low). Pin 4 measured 0 volts which lead me to believe this was probably the RX pin. At this point I had enough information to start testing.
Through some research I learned that the VIP1710 used a baud rate of 115200 so I suspected the VIP2250 would probably be the same (testing later confirmed this).
TTL serial vs RS232 Serial
The TTL serial used by most embedded devices is different than the RS232 port found on computers. The two types of serial differ at the hardware level. In TTL serial the different between a logic high (1) and a logic low (0) is the different between VCC and 0 volts. In RS232 serial a logic high is a negative voltage (usually -13) and a logic high is a positive voltage (usually +13). The range can actually be anywhere between -3 to -25 and +3 to +25 respectively.
This means that in order to connect an RS232 serial port to the TTL serial port on the VIp2250 an adapter must be used. I already had a RS-232 to TTL adapter on hand that I bought from TCNISO a long time a go.
These adapters are fairly easy to build but the easiest solution is a prebuilt MAX232. Broadcom actually provides a schematic diagram for a UART serial adapter circuit that uses the MAX3232CSE chip in the BCM97405 schematic (page 23).
Since most computers don’t have serial ports anymore you may also need a USB to serial adapter.
USB serial adapter connected to an RS-232 to TTL adapter.
Serial pinout for the VIP2250:
- Pin 1 – GND
- Pin2 – TX (confirmed)
- Pin 3 – VCC (+3.3V)
- Pin 4 – RX (suspected but unconfirmed)
- Pin 5 – GND
Serial Port Settings: 115200-8-N-1
After connecting all of the adapters together I figured up PuTTY and connected power to the cable box.
The serial output shows that when the box initializes it starts the BCM97405B1_B2 Motorola 1st stage boot loader. The motorola boot loader then starts the Microsoft IPTV boot loader which then starts the Windows CE operating system.
I was hoping it would be easy to interrupt the boot loader to get a shell but so far my attempts have been unsuccessful. The article I found for the VIP1710 suggested that pressing CTRL + C would interrupt the boot loader but I wasn’t able to get this to work. I also tried several other key commands with no success.
This leads me to believe that either I haven’t correctly identified the RX serial pin or the boot loader is not configured to allow an interrupt.
If anyone has any thoughts on how to interrupt the boot loader please leave a comment.
The main board also has a clearly labeled 14 pin EJTAG TAP port. A pin header needs to be soldered onto the board before a JTAG cable can be connected though.
A wealth of information regarding the EJTAG port can be found in the schematic diagram and the preliminary hardware data module documents.
Supported Debugging Features
- MIPS-standard software debugging with software breakpoints
- Non-intrusive hardware single stepping
- Non-intrusive hardware breakpoints on virtual addresses, physical addresses, and data values: two instruction breakpoints, two data breakpoints, and two data value breakpoints.
- The EJTAG debugging facility is performed on one TP at a time
I haven’t done any testing to with the JTAG port yet so I cannot confirm it’s status. The Broadcom documentation suggests using either the Wind River Vision Probe or the Green Hills JTAG. Based on what I’ve read in the documentation it seems apparent that Broadcom’s BroadBand Studio program plays some role in the debugging process.
If anyone is aware of a cheap USB EJTAG cable that supports the BCM7405 please leave a comment.
Internal Hard Drive
The VIP2250 contains a 500GB Seagate SATA hard drive (model ST3500414cs). This drive provides about 170 hours of HD video storage. This drive was designed specifically for video storage and runs very cool and quiet.
File System Structure
The hard drive contains 2 small FAT16 partitions, and one large FAT32 partition. I was able to successfully mount all of the partitions on a Linux system and examine the files. Since the partitions are formatted with FAT the drive can also be accessed using Windows.
The 126MB partition contains files for the operating system (Windows CE 5.0.1400). The small 32MB partition contains event logs, and subscriber activity logs in XML format.
The largest partition contains many 1GB SLC files which are used for video storage. These SLC files appear to function as filesystem on top of a filesystem (Probably providing encrypted storage for the video).
Another blogger has done some analysis on these files and came up with a procedure to upgrade the hard drive in the VIP1216.
I have tested his procedure and I can confirm it also works on the VIP2250. The only caveat is the DVR can only utilize up to 1TB of space. If you install a drive that is larger than 1TB you will need to follow the procedure on Slumbuddy’s blog to resize the size of the data partition so it is less than 1TB in size.
Upgrading to a 1TB drive will increase the HD video storage capacity from 170 hours to about 380 hours. I would recommend using a hard drive specifically designed for DVR usage such as the 1TB Western Digital AV-GP drive.
Operating System Structure
The 126MB OS partition contains a variety of files including the primary Windows CE operating system image file nk.bin, as well as etc.bin.
The contents of these image files can be extracted using nkbintools and CreateDump.bat. To extract the contents of nk.bin place the file in a directory where you have extracted the contents of nkbintools.zip. Place the CreateDump.bat batch in the same directory. Then run the CreateDump.bat file from a command prompt. If the extraction was successful the contents will be extracted to a new folder called dump.
You can use the same process to extract etc.bin but since the batch file references nk.bin it’s easiest to rename etc.bin to nk.bin to avoid having to modify the script.
Using nkbintools it should also be possible to insert modified files (such as registry files) back into the nk.bin image. I haven’t attempted to do this yet though.
Inside the nk.bin image file there are 3 main registry files, boot.hv, default.hv and user.hv. The HVEdit utility can be used to decode the hive files into text files (.hvm) which can be modified and then converted back to .hv format.
BCM97405 Reference Design
Broadcom provides a full reference design platform based on the BCM7405 chip which they identify as the BCM97405. The BCM97405 is a fully functional set top box that exposes all of the different input/output ports provided by the chip.
The BCM97405 schematic diagram provides a wealth of information on the platform design including block diagrams of various circuits as well as pinouts for the chips.
I suspect these are provides to hardware manufacturers to assist in designing their own platform based on the BCM7405 SOC. These boxes are probably also useful for software developers writing code to run on this platform.
These reference design units can often be found for sale on eBay but the prices are not cheap.
As I continue testing the VIP2250 I’m curious if anyone else has done any further testing with the serial port. If you have any information or comments on interrupting the bootloader to obtain a shell please let me know. I’m also interesting in obtaining a full image of the firmware for the BCM7405.
25 thoughts to “An In-depth Analysis of the Arris VIP2250 DVR”
Hi can you tell me if I purchase a DVR box used by At&t or any other program supplier can I record on them? I currently have an antenna which gets me several channels but I want to be able to record some of my shows. thank you for your assistance
No, the DVR units provided by the cable companies will only record content from their networks. In your case you would be looking for a stand alone DVR. You might want to take a look at the Channel Master DVR system, it may work for you.
is there a quick and EASY way to off load content from this hard drive ? i’ve got lots-o-stuff that i would like to view in other circumstances and would hope there is a nice, and again, easy way to do so.
thanks in advance.
oh, and i do have the older (i guess) motorola VIP2250
Unfortunately there is currently no known way to pull the recordings off of the internal hard drive. The boxes utilize an encrypted file system making the task quite difficult to do.
Which is it; no known way, or quite difficult?
Currently no known way.
Thanks for trying to help.
Can you merely swap your hard drive from an existing Vip2250 into another VIP2250 to save the recordings?
No; I want to copy to USB drive to view on a different device.
I have the same question as TOM BART; don’t see a response.
There is currently no known way to extract the recordings off of the box. It’s designed using an encrypted file system making the task quite difficult to do.
Hi Sam, Can the ethernet port be used to support internet TV or a Wi-Fi?
I had an ATT tech here and he suggested the ethernet port should just be used for input, instead of co-ax, if I was running ethernet to the box instead of co-ax. My thinking it can be used for internet TV hardwire or to provide another wireless node. I havent heard of ‘input-only’ ethernet. My TV is pretty far from my primary wireless node, so I want to hardwire for Netflix, etc. It seems to work, but the tech said “No-no”, I guess because the box may consider the TV an input device. Thanks!
Hi Sam, great job on the reverse engineering. Can you tell me what might cause a Red x on the output? Would this be a failed Motorola bootloader? If so, is said bootloader on a ROM chip somewhere on the board? I don’t want to have to swap boxes with AT&T because I would lose my recordings.
I just upgraded the home theater receiver from an LG to the Samsung ht-j5500. Now with digital and surround, I get a popping sound when changing channels. Does the VIP2250 have a service menu I can change the audio output from?
I had a very hard time finding the infrared sensor on my U-verse vip2250 box. No matter how much light I shined at it, I couldn’t see an obvious spot to place my IR repeater. I had read here and other places that it was just to the right of the record indicator. It was a painstaking process trying to find a sweet spot to the right of the Record button when it turns out that my infrared repeater needed to be taped just right of the USB connector where that big round circle is in the picture on your website. That is 2″ to the left of the record indicator.
Curious if anyone has found the programming configuration in the OS? I’d like to back up my existing recording schedule.
Hello Sam, Thank you for the valuable in-depth information. My question is a simple one. Do you know of the Arris VIP 2250 has PIP (picture in picture) capability? It is quite difficult to get a straight answer to this whether calling AT&T tech support, sales, or their web site.
Many thanks! – Peter
Rgarding upgrading to a 1tb drive. Could I use one of my WD 1tb SSD drives in there. (Sure run cooler! [And Faster!] )
Can I bit copy the data the take out HD to the new 1 tb drive and would it retain any of the saved programs in the 2250?
Excellent Article, well done !
What are the functions of the eSata, and front and rear USB Ports ?
Input only ?
I was wondering the same thing and called ATT. The agent said the USB and eSATA ports are for technicians’ use. The USB ports enable the technician to use a flash drive to upgrade the firmware on the spot. The eSATA port is to upgrade the HD.
Sam, Bless you for your help. There are USB ports on the front and back of the VIP2250 Motorola unit. Do they have any functionality?
Sam, Thank you again
Any update on how getting to the CEF shell?
Can you use an external eSATA drive on the Arris box to increase the storage of DVR? I have an eSATA 1 TB Western Digital PN: WDBABT0010HBK-00 / If not do you know of any external drives I can use to boost the storage capacity of the DVR?
External eSATA drives will work only if the provider has enabled that feature. The best thing to do is borrow a drive from someone and try it out. If it’s active you should see your storage capacity increase after the drive is formatted. Some providers software will display a message that an external drive has been connected.