In this post I’ll be taking an in-depth look at the Arris VIP2250 DVR. The VIP2250 is one of the DVR models AT&T is currently using for their U-verse digital TV service.
You may notice that some of the VIP2250 boxes carry the Motorola logo, while newer versions are Arris branded. The reason for this discrepancy is that the Motorola Home division was acquired by Arris.
Rear Panel Connections
Below is the complete list of input / output connections available on the VIP2250. In my U-verse fiber installation the DVR is connected to the AT&T gateway via ethernet.
- Coax Digital Video Input
- 10/100Mb RJ45 Ethernet Port
- eSATA Port
- Optical Audio Output Toslink S/PDIF
- S-Video Output
- Component Video Output (Pb/Y/Pr)
- 2 x Composite Video Output
- 2 x RCA Stereo Audio Output
- Coax Video Output
- HDMI Digital Output
- USB 2.0 Port
- Power Input (+12V DC)
Under the Hood
Unlike most other cable boxes I’ve disassembled, the VIP2250 requires only a screwdriver to remove the cover. There are 3 Phillips screws on the back of the box which secure the cover.
The first thing you’ll see inside is the hard drive. The drive mounting bracket in this unit acts as a heatsink for the CPU.
Behind the Front Panel
In the center of the unit is a bank of 3 status LEDs (link, HD, and record). Just to the right of the record LED is the IR receiver. If you are using an IR extender with this box you should place the infrared transmitter near this location.
Main Circuit Board
Removing the three screws holding the hard drive mounting bracket in place exposes the main board.
The main chip on the board is the Broadcom BCM7405DFKFEBB01G. The BCM7405 is a complete IP DVR system on a chip. The chip has an onboard DDR2 memory controller and support for two SATA-2 storage interfaces.
The chip is designed to support Ericsson Mediaroom (formerly Microsoft Mediaroom). Mediaroom is a complete IPTV delivery platform which is very popular among cable companies.
UART Serial Port
Near the lower right side of the board I discovered a 5 pin header labeled UART. Typically serial ports are not this easy to find but this one was clearly labeled.
Since this serial port could provide access to the boot loader I set out to determine if it was an active port. I found a very useful guide to reverse engineering serial ports which assisted in the process of determining the pinout and other characteristics.
My Fluke multimeter proved to be very useful in the process of assessing the UART pins. A logic analyzer would have been helpful as well but I didn’t have one on hand.
Using continuity mode on the meter I started searching for ground pins by connecting one lead to the chassis and probing each pin one at a time. I found that pins 1 and 5 were directly connected to ground.
Next I switched my meter into DC voltage mode and started searching for VCC. With one lead of the meter on ground I probed each of the pins. Pins 2 and 3 measured +3.3 volts, making each a possible candidate for VCC, although either of them could also be the TX pin.
In TTL serial, TX sits at VCC (logic high) and is pulled low for a 0 (logic low). Pin 4 measured 0 volts, which led me to believe this was probably the RX pin. At this point I had enough information to start testing.
Through some research I learned that the VIP1710 used a baud rate of 115200 so I suspected the VIP2250 would probably be the same (testing later confirmed this).
TTL serial vs RS232 Serial
The TTL serial used by most embedded devices is different from the RS232 port found on computers. The two types of serial differ at the hardware level. In TTL serial the difference between a logic high (1) and a logic low (0) is the difference between VCC and 0 volts. In RS232 serial a logic high is a negative voltage (usually -13) and a logic low is a positive voltage (usually +13). The range can actually be anywhere between -3 to -25 and +3 to +25 respectively.
This means that in order to connect an RS232 serial port to the TTL serial port on the VIP2250 an adapter must be used. I already had an RS-232 to TTL adapter on hand that I bought from TCNISO a long time ago.
These adapters are fairly easy to build but the easiest solution is a prebuilt MAX232. Broadcom actually provides a schematic diagram for a UART serial adapter circuit that uses the MAX3232CSE chip in the BCM97405 schematic (page 23).
Since most computers don’t have serial ports anymore you may also need a USB to serial adapter.
USB serial adapter connected to an RS-232 to TTL adapter.
Serial pinout for the VIP2250:
- Pin 1 – GND
- Pin 2 – TX (confirmed)
- Pin 3 – VCC (+3.3V)
- Pin 4 – RX (suspected but unconfirmed)
- Pin 5 – GND
Serial Port Settings: 115200-8-N-1
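The difference between the two signalling levels, as an added example that is not part of the original post: it encodes one 8-N-1 frame at TTL and at RS-232 levels and shows that a TTL signal fed straight into an RS-232 receiver falls outside the valid ranges quoted above. The sample voltages and all function names are constructed for illustration.

```python
# Added example (not from the original post): one 8-N-1 UART frame under both
# signalling conventions. Voltage samples are constructed, one per bit time.
TTL_VCC = 3.3            # volts, as measured on the VIP2250 header
BAUD = 115200            # 115200-8-N-1, from the post

def ttl_level(volts, vcc=TTL_VCC):
    """TTL: near VCC is logic 1, near 0 V is logic 0."""
    return 1 if volts > vcc / 2 else 0

def rs232_level(volts):
    """RS-232: -3..-25 V is logic 1, +3..+25 V is logic 0."""
    if 3.0 <= volts <= 25.0:
        return 0
    if -25.0 <= volts <= -3.0:
        return 1
    raise ValueError(f"{volts} V is not a valid RS-232 level")

def encode_8n1(byte, high_volts, low_volts):
    """Start bit (0), eight data bits LSB first, stop bit (1)."""
    bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    return [high_volts if b else low_volts for b in bits]

def decode_8n1(samples, to_level):
    """Convert ten per-bit voltage samples back into a byte, checking framing."""
    bits = [to_level(v) for v in samples]
    if len(bits) != 10 or bits[0] != 0 or bits[9] != 1:
        raise ValueError("framing error: bad start or stop bit")
    return sum(bit << i for i, bit in enumerate(bits[1:9]))

def bit_time_us(baud=BAUD):
    """Duration of one bit in microseconds (about 8.68 at 115200 baud)."""
    return 1_000_000 / baud

if __name__ == "__main__":
    ttl = encode_8n1(ord("B"), TTL_VCC, 0.0)       # what the DVR header drives
    rs232 = encode_8n1(ord("B"), -13.0, 13.0)      # what a PC serial port drives
    print("TTL frame   :", ttl, "->", chr(decode_8n1(ttl, ttl_level)))
    print("RS-232 frame:", rs232, "->", chr(decode_8n1(rs232, rs232_level)))
    try:
        decode_8n1(ttl, rs232_level)               # TTL wired straight to RS-232
    except ValueError as err:
        print("TTL into an RS-232 receiver:", err)
```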
After connecting all of the adapters together I fired up PuTTY and connected power to the cable box.
The serial output shows that when the box initializes it starts the BCM97405B1_B2 Motorola 1st stage boot loader. The Motorola boot loader then starts the Microsoft IPTV boot loader which then starts the Windows CE operating system.
I was hoping it would be easy to interrupt the boot loader to get a shell but so far my attempts have been unsuccessful. The article I found for the VIP1710 suggested that pressing CTRL + C would interrupt the boot loader but I wasn’t able to get this to work. I also tried several other key commands with no success.
This leads me to believe that either I haven’t correctly identified the RX serial pin or the boot loader is not configured to allow an interrupt.
If anyone has any thoughts on how to interrupt the boot loader please leave a comment.
The main board also has a clearly labeled 14 pin EJTAG TAP port. A pin header needs to be soldered onto the board before a JTAG cable can be connected though.
Supported Debugging Features
- MIPS-standard software debugging with software breakpoints
- Non-intrusive hardware single stepping
- Non-intrusive hardware breakpoints on virtual addresses, physical addresses, and data values: two instruction breakpoints, two data breakpoints, and two data value breakpoints.
- The EJTAG debugging facility is performed on one TP at a time
I haven’t done any testing with the JTAG port yet so I cannot confirm its status. The Broadcom documentation suggests using either the Wind River Vision Probe or the Green Hills JTAG. Based on what I’ve read in the documentation it seems apparent that Broadcom’s BroadBand Studio program plays some role in the debugging process.
If anyone is aware of a cheap USB EJTAG cable that supports the BCM7405 please leave a comment.
Internal Hard Drive
The VIP2250 contains a 500GB Seagate SATA hard drive (model ST3500414cs). This drive provides about 170 hours of HD video storage. This drive was designed specifically for video storage and runs very cool and quiet.
File System Structure
The hard drive contains 2 small FAT16 partitions, and one large FAT32 partition. I was able to successfully mount all of the partitions on a Linux system and examine the files. Since the partitions are formatted with FAT the drive can also be accessed using Windows.
The 126MB partition contains files for the operating system (Windows CE 5.0.1400). The small 32MB partition contains event logs, and subscriber activity logs in XML format.
The largest partition contains many 1GB SLC files which are used for video storage. These SLC files appear to function as a filesystem on top of a filesystem (probably providing encrypted storage for the video).
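One way to list these partitions from a disk image before mounting anything, as an added example that is not part of the original post. It assumes the drive carries a classic MBR partition table, which the post does not state; the sample sector, start LBAs, partition order and the image name dvr.img are constructed.

```python
# Added example (not from the original post). Assumes a classic MBR partition
# table; the sample sector, start LBAs and partition order are constructed.
import struct

SECTOR = 512
TYPES = {0x04: "FAT16", 0x06: "FAT16", 0x0E: "FAT16",
         0x0B: "FAT32", 0x0C: "FAT32"}

def parse_mbr(sector0):
    """Return the used primary partitions from the first sector of an image."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    found = []
    for index in range(4):
        entry = sector0[446 + 16 * index: 462 + 16 * index]
        ptype = entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sectors == 0:
            continue                                   # unused slot
        found.append({
            "slot": index + 1,
            "fs": TYPES.get(ptype, f"type 0x{ptype:02x}"),
            "offset": start_lba * SECTOR,              # byte offset for mount
            "size_mb": sectors * SECTOR // 2**20,
        })
    return found

def sample_mbr():
    """Constructed sector: 126 MB FAT16, 32 MB FAT16, one large FAT32."""
    layout = [(0x06, 63, 258048), (0x06, 258111, 65536),
              (0x0C, 323647, 976_000_000)]
    table = b"".join(
        struct.pack("<B3sB3sII", 0, b"\0" * 3, ptype, b"\0" * 3, start, count)
        for ptype, start, count in layout)
    table += b"\0" * 16                                # fourth slot unused
    return b"\0" * 446 + table + b"\x55\xaa"

if __name__ == "__main__":
    for part in parse_mbr(sample_mbr()):
        print(part)
        # Inspect a copy of the drive read-only (dvr.img is a hypothetical name):
        #   mount -o ro,loop,offset=<offset> dvr.img /mnt/p<slot>
```

Working on an image with a read-only mount keeps the original drive contents, including the logs on the 32MB partition, unmodified during examination.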
Another blogger has done some analysis on these files and came up with a procedure to upgrade the hard drive in the VIP1216.
I have tested his procedure and I can confirm it also works on the VIP2250. The only caveat is the DVR can only utilize up to 1TB of space. If you install a drive that is larger than 1TB you will need to follow the procedure on Slumbuddy’s blog to resize the data partition so it is less than 1TB in size.
Upgrading to a 1TB drive will increase the HD video storage capacity from 170 hours to about 380 hours. I would recommend using a hard drive specifically designed for DVR usage such as the 1TB Western Digital AV-GP drive.
Operating System Structure
The 126MB OS partition contains a variety of files including the primary Windows CE operating system image file nk.bin, as well as etc.bin.
The contents of these image files can be extracted using nkbintools and CreateDump.bat. To extract the contents of nk.bin place the file in a directory where you have extracted the contents of nkbintools.zip. Place the CreateDump.bat batch file in the same directory. Then run the CreateDump.bat file from a command prompt. If the extraction was successful the contents will be extracted to a new folder called dump.
You can use the same process to extract etc.bin but since the batch file references nk.bin it’s easiest to rename etc.bin to nk.bin to avoid having to modify the script.
Using nkbintools it should also be possible to insert modified files (such as registry files) back into the nk.bin image. I haven’t attempted to do this yet though.
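Before extracting or repacking an image it helps to confirm that the file is intact. The following added example, which is not part of the original post or of nkbintools, walks the records of a .bin file and checks each record's checksum; it assumes nk.bin and etc.bin use the standard Windows CE "B000FF" record layout, and the sample image and load address are constructed.

```python
# Added example (not from the original post). Assumes nk.bin uses the standard
# Windows CE "B000FF" record layout; the sample image below is constructed.
import struct

SIGNATURE = b"B000FF\n"

def walk_bin(data):
    """List the records of a .bin image and check each record's checksum."""
    if data[:7] != SIGNATURE:
        raise ValueError("not a B000FF image")
    image_start, image_len = struct.unpack_from("<II", data, 7)
    pos, records, entry_point = 15, [], None
    while pos + 12 <= len(data):
        addr, length, checksum = struct.unpack_from("<III", data, pos)
        pos += 12
        if addr == 0:                    # final record: length holds entry point
            entry_point = length
            break
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise ValueError(f"record at 0x{addr:08x} is truncated")
        ok = (sum(payload) & 0xFFFFFFFF) == checksum
        records.append({"addr": addr, "length": length, "checksum_ok": ok})
        pos += length
    return {"start": image_start, "length": image_len,
            "entry": entry_point, "records": records}

def record(addr, payload):
    """Build one record with a correct byte-sum checksum."""
    return struct.pack("<III", addr, len(payload), sum(payload)) + payload

def sample_image():
    """Constructed two-record image loaded at a made-up address."""
    base = 0x80001000
    body = record(base, b"\x01\x02\x03\x04") + record(base + 0x100, b"ROMHDR!!")
    tail = struct.pack("<III", 0, base, 0)
    return SIGNATURE + struct.pack("<II", base, 0x108) + body + tail

if __name__ == "__main__":
    image = bytearray(sample_image())
    print(walk_bin(bytes(image)))
    image[15 + 12] ^= 0xFF               # corrupt the first payload byte
    print(walk_bin(bytes(image))["records"][0])
```

The per-record checksum is a plain sum of bytes, so it catches accidental corruption from a bad read or transfer but is not a signature over the image.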
Inside the nk.bin image file there are 3 main registry files, boot.hv, default.hv and user.hv. The HVEdit utility can be used to decode the hive files into text files (.hvm) which can be modified and then converted back to .hv format.
BCM97405 Reference Design
Broadcom provides a full reference design platform based on the BCM7405 chip which they identify as the BCM97405. The BCM97405 is a fully functional set top box that exposes all of the different input/output ports provided by the chip.
The BCM97405 schematic diagram provides a wealth of information on the platform design including block diagrams of various circuits as well as pinouts for the chips.
I suspect these are provided to hardware manufacturers to assist in designing their own platform based on the BCM7405 SOC. These boxes are probably also useful for software developers writing code to run on this platform.
These reference design units can often be found for sale on eBay but the prices are not cheap.
As I continue testing the VIP2250 I’m curious if anyone else has done any further testing with the serial port. If you have any information or comments on interrupting the bootloader to obtain a shell please let me know. I’m also interested in obtaining a full image of the firmware for the BCM7405.