An In-depth Analysis of the Arris VIP2250 DVR

In this post I’ll be taking an in-depth look at the Arris VIP2250 DVR.  The VIP2250 is one of the DVR models AT&T is currently using for their U-verse digital TV service.

You may notice that some of the VIP2250 boxes carry the Motorola logo, while newer versions are Arris branded.  The reason for this discrepancy is that the Motorola Home division was acquired by Arris.

Motorola VIP2250 DVR

Rear Panel Connections

Below is the complete list of input / output connections available on the VIP2250.  In my U-verse fiber installation the DVR is connected to the AT&T gateway via ethernet.

Motorola VIP2250 Ports
Rear panel input / output connections
  • Coax Digital Video Input
  • 10/100Mb RJ45 Ethernet Port
  • eSATA Port
  • Optical Audio Output Toslink S/PDIF
  • S-Video Output
  • Component Video Output (Pb/Y/Pr)
  • 2 x Composite Video Output
  • 2 x RCA Stereo Audio Output
  • Coax Video Output
  • HDMI Digital Output
  • USB 2.0 Port
  • Power Input (+12V DC)

Under the Hood

Unlike most other cable boxes I’ve disassembled, the VIP2250 requires only a screwdriver to remove the cover.  There are 3 Phillips screws on the back of the box which secure the cover.

The first thing you’ll see inside is the hard drive.  The drive mounting bracket in this unit acts as a heatsink for the CPU.

Motorola VIP2250 Inside View
VIP2250 DVR with the top cover removed

Behind the Front Panel

In the center of the unit is a bank of 3 status LEDs (link, HD, and record).  Just to the right of the record LED is the IR receiver.  If you are using an IR extender with this box you should place the infrared transmitter near this location.

VIP2250 IR Sensor Location
Behind the front panel cover

Main Circuit Board

Removing the three screws holding the hard drive mounting bracket in place exposes the main board.

VIP2250 Main Circuit Board
Main circuit board
VIP2250 Broadcom Processor
BCM7405 system on a chip

The main chip on the board is the Broadcom BCM7405DFKFEBB01G.  The BCM7405 is a complete IP DVR system on a chip.  The chip has an onboard DDR2 memory controller and support for two SATA-2 storage interfaces.

The BCM7405 product brief contains a general overview of the features supported by this chip.  Much more detailed information about this chip can be found in the schematic diagram.

The chip is designed to support Ericsson Mediaroom (formerly Microsoft Mediaroom).  Mediaroom is a complete IPTV delivery platform which is very popular among cable companies.

UART Serial Port

Near the lower right side of the board I discovered a 5 pin header labeled UART.  Typically serial ports are not this easy to find but this one was clearly labeled.

VIP2250 UART port
VIP2250 UART serial port header

Since this serial port could provide access to the boot loader I set out to determine if it was an active port.  I found a very useful guide to reverse engineering serial ports which assisted in the process of determining the pinout and other characteristics.

My Fluke multimeter proved to be very useful in the process of assessing the UART pins.  A logic analyzer would have been helpful as well but I didn’t have one on hand.

Using continuity mode on the meter I started searching for ground pins by connecting one lead to the chassis and probing each pin one at a time.  I found that pins 1 and 5 were directly connected to ground.

Next I switched my meter into DC voltage mode and started searching for VCC.  With one lead of the meter on ground I probed each of the pins.  Pins 2 and 3 measured +3.3 volts, making each a possible candidate for VCC, although either of them could also be the TX pin.

In TTL serial, TX idles at VCC (logic high) and is pulled low for a 0 (logic low).  Pin 4 measured 0 volts which led me to believe this was probably the RX pin.  At this point I had enough information to start testing.

Through some research I learned that the VIP1710 used a baud rate of 115200 so I suspected the VIP2250 would probably be the same (testing later confirmed this).

TTL serial vs RS232 Serial

The TTL serial used by most embedded devices is different from the RS232 port found on computers.  The two types of serial differ at the hardware level.  In TTL serial the difference between a logic high (1) and a logic low (0) is the difference between VCC and 0 volts.  In RS232 serial a logic high is a negative voltage (usually -13) and a logic low is a positive voltage (usually +13).  The range can actually be anywhere between -3 to -25 and +3 to +25 volts respectively.

This means that in order to connect an RS232 serial port to the TTL serial port on the VIP2250 an adapter must be used.  I already had an RS-232 to TTL adapter on hand that I bought from TCNISO a long time ago.

RS-232 to TTL adapter created by TCNISO

These adapters are fairly easy to build but the easiest solution is a prebuilt MAX232.  Broadcom actually provides a schematic diagram for a UART serial adapter circuit that uses the MAX3232CSE chip in the BCM97405 schematic (page 23).

Since most computers don’t have serial ports anymore you may also need a USB to serial adapter.

USB serial adapter connected to an RS-232 to TTL adapter.

 Serial pinout for the VIP2250:

  • Pin 1 – GND
  • Pin 2 – TX (confirmed)
  • Pin 3 – VCC (+3.3V)
  • Pin 4 – RX (suspected but unconfirmed)
  • Pin 5 – GND

Serial Port Settings: 115200-8-N-1
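
The level conventions and the 115200-8-N-1 framing described above, as an added example that is not part of the original post: a Python decoder that recovers 8-N-1 bytes from voltage samples, the job a logic analyzer would do on the TX pin. The sample voltages are constructed, and the function names, the midpoint TTL threshold and the samples-per-bit value are assumptions of this example.

```python
# Added example: decode 8-N-1 UART frames from voltage samples (constructed data).
BAUD = 115200
BIT_TIME_US = 1e6 / BAUD            # about 8.68 microseconds per bit

def to_logic(volts, mode, vcc=3.3):
    """Map one voltage sample to a logic bit (None = undefined level)."""
    if mode == "ttl":               # TTL: VCC is 1, 0 V is 0 (midpoint threshold assumed)
        return 1 if volts > vcc / 2 else 0
    if mode == "rs232":             # RS-232: -3..-25 V is 1, +3..+25 V is 0
        if -25 <= volts <= -3:
            return 1
        if 3 <= volts <= 25:
            return 0
        return None
    raise ValueError(f"unknown mode: {mode}")

def encode_8n1(data, mode, spb, vcc=3.3):
    """Build constructed samples: idle high, start bit, 8 data bits LSB first, stop bit."""
    high, low = (vcc, 0.0) if mode == "ttl" else (-13.0, 13.0)
    levels = [high] * spb                       # idle line before the first frame
    for byte in data:
        frame = [0] + [(byte >> n) & 1 for n in range(8)] + [1]
        for bit in frame:
            levels += [high if bit else low] * spb
    return levels

def decode_8n1(samples, mode, spb):
    """Recover bytes from samples taken at spb samples per bit."""
    bits = [to_logic(v, mode) for v in samples]
    out, i = bytearray(), 0
    while i + 10 * spb <= len(bits):
        if bits[i] != 0:                        # idle or undefined: keep looking for a start bit
            i += 1
            continue
        mid = i + spb // 2                      # sample each bit near its centre
        frame = [bits[mid + k * spb] for k in range(10)]
        if None in frame or frame[0] != 0 or frame[9] != 1:
            i += 1                              # framing error: stop bit must be high
            continue
        out.append(sum(b << n for n, b in enumerate(frame[1:9])))
        i += 10 * spb
    return bytes(out)

if __name__ == "__main__":
    ttl = encode_8n1(b"boot", "ttl", 4)
    print(decode_8n1(ttl, "ttl", 4))            # TTL samples read with TTL levels
    print(decode_8n1(ttl, "rs232", 4))          # same samples read with RS-232 levels
```

Reading the TTL samples with RS-232 thresholds yields no bytes at all, because 0 V falls in the undefined band and +3.3 V reads as a logic low, which is why the level adapter is needed.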

After connecting all of the adapters together I fired up PuTTY and connected power to the cable box.

boot
Boot loader output messages from the serial port

The serial output shows that when the box initializes it starts the BCM97405B1_B2 Motorola 1st stage boot loader.  The Motorola boot loader then starts the Microsoft IPTV boot loader which then starts the Windows CE operating system.

I was hoping it would be easy to interrupt the boot loader to get a shell but so far my attempts have been unsuccessful.  The article I found for the VIP1710 suggested that pressing CTRL + C would interrupt the boot loader but I wasn’t able to get this to work.  I also tried several other key commands with no success.

This leads me to believe that either I haven’t correctly identified the RX serial pin or the boot loader is not configured to allow an interrupt.

If anyone has any thoughts on how to interrupt the boot loader please leave a comment.

EJTAG Port

The main board also has a clearly labeled 14 pin EJTAG TAP port.  A pin header needs to be soldered onto the board before a JTAG cable can be connected though.

A wealth of information regarding the EJTAG port can be found in the schematic diagram and the preliminary hardware data module documents.

VIP2250 EJTAG Port
14 PIN EJTAG TAP port without header pins soldered on

Supported Debugging Features

  • MIPS-standard software debugging with software breakpoints
  • Non-intrusive hardware single stepping
  • Non-intrusive hardware breakpoints on virtual addresses, physical addresses, and data values: two instruction breakpoints, two data breakpoints, and two data value breakpoints.
  • The EJTAG debugging facility is performed on one TP at a time

I haven’t done any testing with the JTAG port yet so I cannot confirm its status.  The Broadcom documentation suggests using either the Wind River Vision Probe or the Green Hills JTAG.  Based on what I’ve read in the documentation it seems apparent that Broadcom’s BroadBand Studio program plays some role in the debugging process.

If anyone is aware of a cheap USB EJTAG cable that supports the BCM7405 please leave a comment.

Internal Hard Drive

The VIP2250 contains a 500GB Seagate SATA hard drive (model ST3500414CS).  This drive provides about 170 hours of HD video storage.  This drive was designed specifically for video storage and runs very cool and quiet.

VIP2250 500GB Hard Drive
Seagate ST3500414CS 500GB SATA hard drive

File System Structure

The hard drive contains 2 small FAT16 partitions, and one large FAT32 partition.  I was able to successfully mount all of the partitions on a Linux system and examine the files.  Since the partitions are formatted with FAT the drive can also be accessed using Windows.

VIP2250 Hard Drive Filesystem
Hard drive partition layout viewed from Linux

The 126MB partition contains files for the operating system (Windows CE 5.0.1400).  The small 32MB partition contains event logs, and subscriber activity logs in XML format.

The largest partition contains many 1GB SLC files which are used for video storage.  These SLC files appear to function as a filesystem on top of a filesystem (probably providing encrypted storage for the video).
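
A read-only way to list that layout from a disk image, as an added example that is not from the original post. It assumes the drive carries a classic MBR partition table (the post does not say), and the sample sector, partition order and start offsets are constructed for illustration.

```python
# Added example: list FAT partitions from the first sector of a disk image.
import struct

SECTOR = 512
FAT_TYPES = {0x04: "FAT16", 0x06: "FAT16", 0x0E: "FAT16 (LBA)",
             0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}

def parse_mbr(sector0):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]                              # partition type byte
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sectors == 0:
            continue                                  # unused slot
        parts.append({
            "index": i + 1,
            "fs": FAT_TYPES.get(ptype, f"type 0x{ptype:02x}"),
            "offset": start_lba * SECTOR,             # byte offset into the image
            "size_mb": sectors * SECTOR // 2**20,
        })
    return parts

def build_sample_mbr():
    """Constructed MBR: two FAT16 entries and one FAT32 entry (values are illustrative)."""
    layout = [(0x06, 63, 258048), (0x06, 258111, 65536), (0x0C, 323647, 974848000)]
    table = b"".join(struct.pack("<B3sB3sII", 0, b"\0\0\0", t, b"\0\0\0", start, count)
                     for t, start, count in layout)
    table += bytes(16)                                # fourth entry left empty
    return bytes(446) + table + b"\x55\xaa"

if __name__ == "__main__":
    for part in parse_mbr(build_sample_mbr()):
        print(part)
```

Each `offset` value can be passed to a read-only loop mount of the image (`mount -o ro,loop,offset=...`), so the original drive is never written to during examination.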

Another blogger has done some analysis on these files and came up with a procedure to upgrade the hard drive in the VIP1216.

I have tested his procedure and I can confirm it also works on the VIP2250.  The only caveat is the DVR can only utilize up to 1TB of space.  If you install a drive that is larger than 1TB you will need to follow the procedure on Slumbuddy’s blog to resize the data partition so it is less than 1TB in size.

Upgrading to a 1TB drive will increase the HD video storage capacity from 170 hours to about 380 hours.  I would recommend using a hard drive specifically designed for DVR usage such as the 1TB Western Digital AV-GP drive.

Operating System Structure

The 126MB OS partition contains a variety of files including the primary Windows CE operating system image file nk.bin, as well as etc.bin.

VIP2250 OS Partition Files

The contents of these image files can be extracted using nkbintools and CreateDump.bat.  To extract the contents of nk.bin place the file in a directory where you have extracted the contents of nkbintools.zip.  Place the CreateDump.bat batch file in the same directory.  Then run the CreateDump.bat file from a command prompt.  If the extraction was successful the contents will be extracted to a new folder called dump.

Using nkbintools and CreateDump.bat to extract the contents of nk.bin

You can use the same process to extract etc.bin but since the batch file references nk.bin it’s easiest to rename etc.bin to nk.bin to avoid having to modify the script.
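
Before unpacking an image it is worth confirming that it parses cleanly. The added example below (not the nkbintools code and not from the original post) walks the records of a Windows CE .bin file and verifies each record checksum; it assumes nk.bin uses the standard B000FF record layout, and the sample image is constructed.

```python
# Added example: verify the record checksums of a Windows CE B000FF image.
import struct

SIGNATURE = b"B000FF\n"

def parse_ce_bin(blob):
    """Walk the records of a .bin image and check each checksum and address range."""
    if not blob.startswith(SIGNATURE):
        raise ValueError("not a B000FF image")
    if len(blob) < len(SIGNATURE) + 8:
        raise ValueError("truncated header")
    image_start, image_len = struct.unpack_from("<II", blob, 7)
    off, records, entry = 15, [], None
    while off + 12 <= len(blob):
        addr, length, checksum = struct.unpack_from("<III", blob, off)
        off += 12
        if addr == 0:                       # terminating record: length holds the entry point
            entry = length
            break
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"record at 0x{addr:08x} is truncated")
        records.append({
            "addr": addr,
            "len": length,
            # checksum is the unsigned 32-bit sum of the record's data bytes
            "checksum_ok": (sum(data) & 0xFFFFFFFF) == checksum,
            "in_range": image_start <= addr and addr + length <= image_start + image_len,
        })
        off += length
    return {"start": image_start, "length": image_len, "entry": entry, "records": records}

def build_sample_image():
    """Constructed two-record image (not real firmware)."""
    recs = [(0x80001000, b"\x01\x02\x03\x04"), (0x80001004, b"\xff" * 8)]
    blob = SIGNATURE + struct.pack("<II", 0x80001000, 12)
    for addr, data in recs:
        blob += struct.pack("<III", addr, len(data), sum(data)) + data
    return blob + struct.pack("<III", 0, 0x80001000, 0)

if __name__ == "__main__":
    info = parse_ce_bin(build_sample_image())
    print(hex(info["entry"]), info["records"])
```

A record that reports `checksum_ok` as false or `in_range` as false indicates a damaged or altered image and is a reason to stop before extracting or repacking it.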

Using nkbintools it should also be possible to insert modified files (such as registry files) back into the nk.bin image.  I haven’t attempted to do this yet though.

Registry Structure

Inside the nk.bin image file there are 3 main registry files, boot.hv, default.hv and user.hv.  The HVEdit utility can be used to decode the hive files into text files (.hvm) which can be modified and then converted back to .hv format.

BCM97405 Reference Design

Broadcom provides a full reference design platform based on the BCM7405 chip which they identify as the BCM97405.  The BCM97405 is a fully functional set top box that exposes all of the different input/output ports provided by the chip.

The BCM97405 schematic diagram provides a wealth of information on the platform design including block diagrams of various circuits as well as pinouts for the chips.

BCM97405 reference design powered on
BCM97405 reference design model for the BCM7405 SOC

I suspect these are provided to hardware manufacturers to assist in designing their own platform based on the BCM7405 SOC.  These boxes are probably also useful for software developers writing code to run on this platform.

BCM97405 - Back Panel
Input / Output connections on the BCM97405

These reference design units can often be found for sale on eBay but the prices are not cheap.

Further Testing

As I continue testing the VIP2250 I’m curious if anyone else has done any further testing with the serial port.  If you have any information or comments on interrupting the bootloader to obtain a shell please let me know.  I’m also interested in obtaining a full image of the firmware for the BCM7405.

Sam Kear

Sam graduated from the University of Missouri - Kansas City with a bachelors degree in Information Technology. Currently he works as a network analyst for an algorithmic trading firm. Sam enjoys the challenge of troubleshooting complex problems and is constantly experimenting with new technologies.

17 thoughts on “An In-depth Analysis of the Arris VIP2250 DVR”

  1. Hi can you tell me if I purchase a DVR box used by At&t or any other program supplier can I record on them? I currently have an antenna which gets me several channels but I want to be able to record some of my shows. thank you for your assistance

  2. is there a quick and EASY way to off load content from this hard drive ? i’ve got lots-o-stuff that i would like to view in other circumstances and would hope there is a nice, and again, easy way to do so.
    thanks in advance.
    oh, and i do have the older (i guess) motorola VIP2250
    -t

    1. Unfortunately there is currently no known way to pull the recordings off of the internal hard drive. The boxes utilize an encrypted file system making the task quite difficult to do.

    1. Hi Craig,

      There is currently no known way to extract the recordings off of the box. It’s designed using an encrypted file system making the task quite difficult to do.

  3. Hi Sam, Can the ethernet port be used to support internet TV or a Wi-Fi?

    I had an ATT tech here and he suggested the ethernet port should just be used for input, instead of co-ax, if I was running ethernet to the box instead of co-ax. My thinking it can be used for internet TV hardwire or to provide another wireless node. I haven’t heard of ‘input-only’ ethernet. My TV is pretty far from my primary wireless node, so I want to hardwire for Netflix, etc. It seems to work, but the tech said “No-no”, I guess because the box may consider the TV an input device. Thanks!

  4. Hi Sam, great job on the reverse engineering. Can you tell me what might cause a Red x on the output? Would this be a failed Motorola bootloader? If so, is said bootloader on a ROM chip somewhere on the board? I don’t want to have to swap boxes with AT&T because I would lose my recordings.

  5. I just upgraded the home theater receiver from an LG to the Samsung ht-j5500. Now with digital and surround, I get a popping sound when changing channels. Does the VIP2250 have a service menu I can change the audio output from?

  6. I had a very hard time finding the infrared sensor on my U-verse vip2250 box. No matter how much light I shined at it, I couldn’t see an obvious spot to place my IR repeater. I had read here and other places that it was just to the right of the record indicator. It was a painstaking process trying to find a sweet spot to the right of the Record button when it turns out that my infrared repeater needed to be taped just right of the USB connector where that big round circle is in the picture on your website. That is 2″ to the left of the record indicator.

  7. Hello Sam, Thank you for the valuable in-depth information. My question is a simple one. Do you know if the Arris VIP 2250 has PIP (picture in picture) capability? It is quite difficult to get a straight answer to this whether calling AT&T tech support, sales, or their web site.
    Many thanks! – Peter
