I just found out that Time Warner has finally started to deploy the new Samsung SMT-3270 DVR units here in the Midwest. As usual, my region seems to be the last place to receive any new products or features from Time Warner. We are still waiting for DOCSIS 3.0 cable modems to get rolled out; hopefully we’ll see that happen this year. Apparently the east coast has had access to these boxes for quite a while. From what I understand the Samsung units will be replacing the current Scientific Atlanta (Cisco) boxes. I’ve had an SA 8300HDC for quite a while now and it’s been fairly reliable, although ever since TW deployed their new software I’ve been noticing several bugs.
Since I love checking out new devices I decided to see if I could get my hands on one of the new DVRs. After going to a couple of different TW locations I finally got a hold of one. I decided to write this post to share some of my initial thoughts and findings about the device. I’m curious if anyone else has done any hacking on these devices yet. From the few posts I read over at AVSForum.com it doesn’t sound like anyone has found much yet.
Overall I like the design of the unit. I’ve always preferred black over silver so I’m glad that fad is passing. The front does have a high gloss finish to it that catches fingerprints though. The first thing I noticed was the Ethernet port, which is very exciting! According to the user’s guide this is for connecting another DVR to. I’m guessing this will be how Time Warner will be providing the multi-room DVR they keep talking about. The store rep that I spoke with said they are still “testing” this feature; who knows when it will be released.
This unit has a nice selection of ports available
To open the DVR up you’ll need to remove three screws on the back and one on each side.
It takes a secure torx bit (T-10H) which is like a normal torx bit with a hole in the center. You can get an awesome security bit set on Amazon for 6 bucks; so far it’s been able to open everything I’ve run into.
Samsung manufactured the board and, holding up to their normal standards, the board is very high quality. The mainboard uses all solid state capacitors. On the left side next to the cable card slot you’ll see the dual digital tuner. Right above that is a Broadcom BCM3254KPBG, which is a QAMLink Set-Top box single-chip front end. Essentially this is the cable modem part of the box that allows it to be managed and to retrieve data as well.
In the middle of the board is a chip with a heatsink on it. I didn’t pop the heatsink off to identify the chip because I was going to have to disassemble the entire unit to get to the back of the board. I’m pretty sure this is the processor that handles the video encoding/decoding, which is CPU intensive and would necessitate a passive cooling device. Scattered throughout the board are some Samsung RAM chips and a couple of flash chips. There is a solder pad on the lower left next to the cable card that is labeled “MOCA”, which stands for Multimedia over Coax; apparently this model does not have that feature.
There are a couple of 14-pin solder pads which could be JTAG ports. I probably won’t solder a pin header onto this unit since TW owns it, but I may try to find one on eBay to do some testing with. Broadcom doesn’t usually release spec sheets for their parts unless you’re a customer, so trying to track down JTAG ports usually requires an oscilloscope and patience.
To remove the front panel, take off the main cover, then disconnect the ribbon cable that attaches the front panel to the main board. Then carefully remove the front panel cover by lifting up on the black plastic clips. There are a few standard Phillips screws that secure the circuit board to the front panel cover, then it just snaps out.
The IR sensor is located just to the right of the power button, there is a small circle where it is located.
The power supply isn’t very big but it really doesn’t need to be. I’m guessing the power draw of this box is pretty low, I’ll have to put a watt meter on it to confirm that though. It uses liquid filled caps like you typically see in cheap power supplies. There is one set of leads going directly to the main board and another is a SATA power connector for the hard drive.
For storage this model has a 320GB Seagate Pipeline SATA 2 hard drive (ST3320311CS). The drive has an 8MB buffer which is nice but only spins at 5900RPM which is odd because typically you see either 54K or 72K. According to Seagate’s website the Pipeline product line is specifically designed for use in DVRs.
The docs also mention that they are designed to run cool and quiet with an annual failure rate as low as .55%. AFR is calculated by dividing the number of hours in a year by the MTTF (mean time to failure). So basically this means you have a .55% chance of your drive failing each year. I can say that it is one of the quietest mechanical drives I have ever heard.
I’ll probably be replacing this with a 1 or 2TB drive, I’ll post the procedure when I do.
Since I had the box opened up I decided to remove the hard drive and connect it to my PC to see if it had a recognizable file system on it. The Scientific Atlanta boxes I have examined in the past have either used disk level encryption or some obscure file system that only they can mount.
I used a USB to SATA adapter to connect the drive to my Linux box. I ran fdisk on the drive and to my surprise it was a standard Linux file system! This was a very nice surprise to find. There were three partitions: one small partition, a swap partition, and a large partition. The small partition contained some folders with program guide information and some other interesting files. The larger partition is used to store the recorded programs. The OS is not stored on the hard drive; it is most likely located in flash and mounts the hard drive for storage.
I connected the box up and recorded a show so I could take a look at the format of the recorded data. Since it’s using a standard Linux filesystem you can mount the partitions easily. Each recording creates four files. The file without the extension is the video itself, which is either encrypted or in some format I can’t identify. The other files contain a few strings but are mostly unreadable. If you’re interested in taking a look at the files let me know and I’ll upload them.
- 4209672536921 – Main Video File (no extension)
- 4209672536921.drm – Probably contains copy protection information
- 4209672536921.inf – Information?
- 4209672536921.nav – Navigator guide info?
This DVR is running STB Linux and since it’s GPL software Samsung has posted the source code on their website. This could be helpful in gaining shell access to the device.
The source package includes the following files
- busybox.bz2 (Unix utilities optimized for embedded devices)
- dhcpcd.bz2 (DHCP client)
- fdisk.bz2 (Disk partitioning utility)
- stblinux.bz2 (Core operating system)
- tftpd.bz2 (TFTP server)
- uClibc.bz2 (C library optimized for embedded systems)
- xfsprogs.bz2 (Utilities for managing the XFS filesystem)
You can find lots of interesting information in the diagnostics screens. To get to these screens hold in the select button on the remote for 10 seconds then press the up directional key. A couple of the screens are password protected. I attempted guessing the code but I didn’t have any luck. It’s a four digit code so there are 10,000 possible combinations, which would take some time to brute force. The bottom option on the main diagnostics page ‘REBOOT STB’ is a convenient way to reboot the DVR without having to unplug the power cord.
Onkyo Compatibility Issues
I discovered a very annoying bug while testing this unit. After connecting it to my Onkyo receiver via HDMI and booting up the box the guide would not open. It apparently had booted up into a very basic state where the navigator was not running. Earlier I had connected the DVR to one of my old monitors using a composite cable and the guide worked just fine, so I suspected it was an HDMI issue. I tried disconnecting then reconnecting the cable without any luck. I was able to get the guide to come up by disconnecting the HDMI cable, powering off the box and letting it completely boot up. I then powered on the DVR and reconnected the HDMI cable and the guide loaded just fine. There must be some kind of HDCP handshake problem between these two devices.
When I get some more time I plan to do some more experimenting with this box. I would like to check out the Firewire and E-SATA ports to see if they are enabled. If the E-SATA port doesn’t work I will probably swap out the internal drive for a larger one. If you have any information about this DVR that you would like to share please leave a comment.
Update – 2.21.2011
Last week I went to pick up another 3270 box so I could do some more tinkering without having to disconnect my primary DVR. The first two TWC stores said they were out of the boxes and couldn’t seem to understand why I wouldn’t accept a different box. Finally at the third location the clerk said she had one, success! As soon as I got home I realized I didn’t get the same box, they had given me a Samsung SMT-H3272. The 3272 looks identical to the 3270 other than the different model number on the front of the box.
So what is the difference between the 3270 and the 3272?
There are a few key features that make the SMT-H3272 a better box than the 3270.
1. The SMT-H3272 has a MOCA module soldered onboard
MoCA (Multimedia over Coax Alliance) is a standard for home networking over coax. This allows the DVR to communicate with any other MoCA enabled device in your home using the existing coax cabling. You can check the MoCA device status using the diagnostic menu; it’s found under Home Network on the main menu. From what I’ve read, basically MoCA means multi-room DVR capability.
2. 500GB Internal Hard Drive
I was thrilled to see the 3270 had a 320GB drive but finding a 500GB drive installed is awesome! Like the drive in the 3270 it is also a Seagate Pipeline SATA drive. More space is better when it comes to HD recordings.
3. The Ethernet port is enabled
I was very excited to see that the 3272 had a functional Ethernet port! Having network access could be a huge factor when it comes to exploiting this device. The box pulled an IP address from my DHCP server after it finished booting. The first thing I did after I found its IP was run a port scan using Nmap. To my surprise there are a variety of TCP and UDP ports open to play with.
Great Suggestion From “B”
PS: don’t forget to use the -A -p 1-65535 options with nmap
I opened up Wireshark to do some testing and noticed that the DVR was sending out a ton of SSDP (Simple Service Discovery Protocol) packets. The box seems to be aggressively advertising itself as a UPnP server. Below is some of the data contained in the packets it’s sending out. I’m not sure how to interface with it yet but I’m assuming this has to do with DLNA. It sounds like this would allow you to stream videos from the DVR to another device.
Linux/2.6.18-5.0 UPnP/1.0 MediabolicUPnP/1.8.225
Some poking around at port 8888 shows that it is running a Mediabolic web server.
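The SSDP advertisements described above can be turned into a small inventory of what each device on the LAN discloses about itself (kernel, UPnP stack and description URL). This is an added example, not code from the original post; apart from the SERVER string quoted above, every value in the sample datagrams (address, UUID, LOCATION path, MediaServer type) is constructed.

```python
# Constructed SSDP traffic. Only the SERVER value comes from the post; the
# address, UUID, LOCATION path and MediaServer type are made up.
COMMON = (b"HOST: 239.255.255.250:1900\r\n"
          b"LOCATION: http://192.0.2.10:8888/description.xml\r\n"
          b"SERVER: Linux/2.6.18-5.0 UPnP/1.0 MediabolicUPnP/1.8.225\r\n"
          b"NTS: ssdp:alive\r\n")
UUID = b"uuid:00000000-0000-0000-0000-000000000001"
MEDIA = b"urn:schemas-upnp-org:device:MediaServer:1"
SAMPLES = [
    b"NOTIFY * HTTP/1.1\r\n" + COMMON + b"NT: upnp:rootdevice\r\n"
    b"USN: " + UUID + b"::upnp:rootdevice\r\n\r\n",
    b"NOTIFY * HTTP/1.1\r\n" + COMMON + b"NT: " + MEDIA + b"\r\n"
    b"USN: " + UUID + b"::" + MEDIA + b"\r\n\r\n",
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n',
]
KINDS = {"NOTIFY ": "notify", "M-SEARCH ": "search", "HTTP/1.1 200": "response"}

def parse_ssdp(datagram):
    """Return (kind, headers) for one datagram; header names are lower-cased."""
    start, _, rest = datagram.decode("utf-8", "replace").partition("\r\n")
    kind = next((k for p, k in KINDS.items() if start.startswith(p)), None)
    if kind is None:
        raise ValueError("not an SSDP message: %r" % start)
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return kind, headers

def parse_server(value):
    """'OS/ver UPnP/ver product/ver' -> {'OS': 'ver', ...}."""
    return dict(tok.split("/", 1) for tok in value.split() if "/" in tok)

def inventory(datagrams):
    """Group advertisements by device UUID and record what each discloses."""
    devices = {}
    for dgram in datagrams:
        kind, h = parse_ssdp(dgram)
        if kind == "search":      # a client asking, not a device advertising
            continue
        uuid = h.get("usn", "").split("::")[0]
        dev = devices.setdefault(uuid, {"types": set()})
        dev["server"] = parse_server(h.get("server", ""))
        dev["location"] = h.get("location")
        dev["types"].add(h.get("nt") or h.get("st"))
    return devices
```

Calling inventory(SAMPLES) collapses the two advertisements into one device entry and ignores the client's M-SEARCH.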
All of the TCP ports seemed to connect when I tested with telnet, which is a good sign. Things really started to get interesting when I looked at the UDP side. Both SNMP and TFTP are open as well as a couple of RPC ports.
4. The Firewire port is enabled
More great news, unlike the 3270 the Firewire port is active on the 3272! As soon as I connected my laptop to the Firewire port Windows recognized that a new device had been connected. Three new items showed up in device manager as you can see in the screenshot below. A quick Google search didn’t turn up any drivers for it though. I looked on Samsung’s site and couldn’t find them either. If anyone has them or knows where to find them please let me know. I’ll certainly be doing more searching to locate the drivers. Having access to a working Firewire port would be a great way to record TV or shows off the device in high quality.
As you can see the list of things to experiment with just got a lot longer. The 3272 is a lot more open as far as connectivity is concerned. My hope is that with the additional features enabled on the 3272 I will be able to uncover some information that will be useful for both the 3270 and 3272 models.
To Do List
- Enumerate TCP and UDP services
- Look into UPnP DLNA service
- Test the eSATA port on the 3272
- Pinout and test serial / JTAG ports
Update – 2.26.11
I was able to gather some information via SNMP from the box. It turns out that it will respond to an SNMP community string of public. You could use SolarWinds on Windows or just the standard SNMP utilities included with Linux.
To do this on Linux, run the command below, inserting the IP of your own cable box.
snmpwalk -c public -v2c 192.168.10.192 .1
You can download the complete SNMP walk and check it out if you’re interested.
There was quite a bit of hex in the SNMP output so I ran it through a hex to string converter and out came some HTML. I copied the HTML code into a file and opened it up with Firefox. It appears to be a bunch of diagnostic output for the cable card.
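The hex-to-string step described above can be done directly on saved snmpwalk output, including values that wrap across several lines. This is an added example, not code from the original post; it assumes the Hex-STRING layout that net-snmp's snmpwalk prints, and the OIDs (placeholder enterprise number 99999) and values in the sample are constructed.

```python
import re

# Constructed sample in the layout net-snmp's snmpwalk prints. The enterprise
# number 99999 is a placeholder and the values are made up for this example.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.99999.1.1.0 = STRING: "br0"
SNMPv2-SMI::enterprises.99999.1.2.0 = Hex-STRING: 3C 68 74 6D 6C 3E 3C 62 6F 64 79 3E 3C 62 3E 43
61 62 6C 65 43 41 52 44 3C 2F 62 3E 3C 2F 62 6F
64 79 3E 3C 2F 68 74 6D 6C 3E 0A 00
SNMPv2-SMI::enterprises.99999.1.3.0 = INTEGER: 4
"""

ENTRY = re.compile(r"^(?P<oid>\S+) = (?P<type>[\w-]+): ?(?P<value>.*)$")
HEX_ROW = re.compile(r"^[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*$")


def decode_hex_strings(walk_text):
    """Return {oid: text} for every Hex-STRING value in snmpwalk output."""
    rows = {}          # oid -> list of hex rows, in order
    current = None     # oid whose value may continue on the next line
    for line in walk_text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            current = None
            if entry["type"] == "Hex-STRING":
                current = entry["oid"]
                rows[current] = [entry["value"].strip()]
        elif current and HEX_ROW.match(line.strip()):
            rows[current].append(line.strip())   # wrapped value continues
        else:
            current = None
    decoded = {}
    for oid, parts in rows.items():
        # Drop the trailing NUL padding some agents append to strings.
        data = bytes.fromhex(" ".join(parts)).rstrip(b"\x00")
        decoded[oid] = data.decode("utf-8", errors="replace")
    return decoded


if __name__ == "__main__":
    for oid, text in decode_hex_strings(SAMPLE_WALK).items():
        print(oid, "->", repr(text))
```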
Some interesting OIDs
.184.108.40.206.4.1.44220.127.116.11.18.104.22.168.0 = STRING: “10.2.X.X”
.22.214.171.124.4.1.44126.96.36.199.188.8.131.52.0 = STRING: “smtH3270_twc_v4510_0902_RLS.img”
.184.108.40.206.4.1.316220.127.116.11.18.104.22.168 = STRING: “br0”
22.214.171.124.4.1.44126.96.36.199.188.8.131.52.184.108.40.206.0 = STRING: “Cisco CableCARD CA Screen”
220.127.116.11.4.1.4418.104.22.168.22.214.171.124.126.96.36.199.1 = STRING: “Cisco CableCARD/Host ID Screen”
188.8.131.52.4.1.44184.108.40.206.220.127.116.11.18.104.22.168.2 = STRING: “Cisco CableCARD IP Service”
22.214.171.124.4.1.44126.96.36.199.188.8.131.52.184.108.40.206.3 = STRING: “Cisco CableCARD DAVIC Info”
220.127.116.11.4.1.4418.104.22.168.22.214.171.124.126.96.36.199.5 = STRING: “Cisco CableCARD CP Info”
188.8.131.52.4.1.44184.108.40.206.220.127.116.11.18.104.22.168.6 = STRING: “Cisco CableCARD Diag Screen”
22.214.171.124.4.1.44126.96.36.199.188.8.131.52.184.108.40.206.7 = STRING: “Cisco CableCARD ASD Info”
220.127.116.11.4.1.4418.104.22.168.22.214.171.124.126.96.36.199.8 = STRING: “Cisco CableCARD DSG Info”
Nmap showed that RPC bind was listening on a few ports. By running a few commands with rpcinfo you can see there are a couple of interesting processes listening.
rpcinfo -p 192.168.x.x
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
302520656 1 udp 744
302520656 1 tcp 746
rpcinfo -u 192.168.x.x 100000 2
program 100000 version 2 ready and waiting
rpcinfo -u 192.168.x.x 302520656 1
program 302520656 version 1 ready and waiting