Philips Blu-ray player running Linux.

Linux on a Blu-ray Player

Linux In The Internet Of Things

The pricing model for some home entertainment equipment like DVD players has reached the point where the majority of the price you pay has gone toward the software licensing fees bundled into the cost of the item — MP3, MPEG, and other codecs, plus an embedded operating system.

The last few home entertainment devices I've purchased have been from Philips. The Dutch do good work; I have found Philips players to be more agile than most about playing DivX and Xvid movie files and interacting with USB-connected storage.

The Dutch do good design, the specification of what to build. But these aren't coming out of factories in Holland. They're built in China, and they connect home when they get the chance.

When I bought my first Blu-ray player, a Philips BDP2105, I noticed that it included some rather bulky paperwork describing the software licenses. There was a software end user agreement, which, as usual, said that in the case of the Windows components I don't own anything even though I paid money. I just get to use it for a little while in a very restricted way.

The paperwork went on to say that the system may include some open-source software, and if so, there were no restrictions beyond adhering to the open-source licensing.

The larger document unfolds into a 60×84 cm sheet with tiny printing covering both sides. This listed the open-source software involved:

  1. U-boot
  2. Linux kernel
  3. Busybox, SquashFS, sysvinit, module-init-tools, util-linux-ng, procps, psmisc, coreutils, gawk, grep, findutils, bash, tar, sed, gzip, inetutils, Fusion, UBIFS, mtd-utils, cairo (GPL licence), Freetype (GPL license), libgcrypt (GPL licence), libgpg-error (GPL license)
  4. DirectFB, glibc, libusb-compat, libusb, QT, SaWMan, libmtp, libjavascriptcoregtk, libwebkitgtk, cairo (Lesser GPL licence), libgcrypt (Lesser GPL license), libgpg-error (Lesser GPL license), glib (Lesser GPL license), LiTE, enchant
  5. IJG
  6. WPA Supplicant
  7. Unicode Bidirectional Algorithm
  8. OpenSSL
  9. Zlib
  10. cURL
  11. Freetype (Lesser GPL license)
  12. International Components for Unicode
  13. Expat
  14. DNS Resolver from BIND
  15. getnameinfo, getaddrinfo
  16. libpng
  17. SQLite
  18. ncurses
  19. glib (BSD license)
  20. HarfBuzz
  21. Lua interpreter
  22. zziplib
  23. gcc libgcc, gcc libstdc++
  24. libjavascriptcoregtk-3.0, libwebkitgtk-3.0
  25. cairo (Mozilla license)
  26. fontconfig
  27. icu (IBM license)
  28. icu (Unicode license)
  29. libxslt
  30. pixman
  31. sqlite
  32. Apache Media Source

The setup menu can show you the Ethernet MAC address. Mine was 00:1C:50:AC:72:1E. I connected its Ethernet port to a 100 Mbps switch, and assigned it a specific IP address in /etc/dhcpd.conf on my server.

option domain-name "kc9rg.org";
option domain-name-servers 10.1.1.100;
default-lease-time 21600;
max-lease-time 43200;
ddns-update-style none;

# No service on these subnets!
# comcast.net IP address changes once in
# a while, so reference /8 blocks.
subnet 24.0.0.0 netmask 255.0.0.0 {
}
subnet 98.0.0.0 netmask 255.0.0.0 {
}
# Ensure that this DHCP server does not interfere with VMware
subnet 192.168.199.0 netmask 255.255.255.0 {
	# Note: No range is given, vmnet-dhcpd will deal with this subnet.
}

# Internal network, run a server.
subnet 10.1.1.0 netmask 255.255.255.0 {
	# This is the server for this subnet.
	authoritative;
	# Default gateway and netmask:
	option routers 10.1.1.100;
	option subnet-mask 255.255.255.0;
	# 24 hours by default, 48 hours max:
	default-lease-time 86400;
	max-lease-time 172800;

	range dynamic-bootp 10.1.1.50 10.1.1.69;

	# Make some clients appear at a fixed address,
	# needed for IPsec to define identity.
	host laptop {
		hardware ethernet 2c:27:d7:c5:d3:7b;
		fixed-address 10.1.1.230;
	}
	host bluray {
		# Philips BDP2105
		hardware ethernet 00:1c:50:ac:72:1e;
		fixed-address 10.1.1.231;
	}
	host raspberry {
		hardware ethernet b8:27:eb:69:be:bb;
		fixed-address 10.1.1.232;
	}
	host wireless {
		# Exterior side of wireless router, it does its own
		# NAT and DHCP on 192.168/12 on its wireless side
		hardware ethernet  00:1b:11:43:c4:f1;
		fixed-address 10.1.1.252;
	}
}

I also set up DNS records so bluray resolves to 10.1.1.231 and vice-versa.

Now this appears in the syslog soon after I power up the Blu-ray player:

Feb 11 11:35:19 server dhcpd: DHCPDISCOVER from 00:1c:50:ac:72:1e via eth1
Feb 11 11:35:19 server dhcpd: DHCPOFFER on 10.1.1.231 to 00:1c:50:ac:72:1e via eth1
Feb 11 11:35:19 server dhcpd: DHCPREQUEST for 10.1.1.231 (10.1.1.100) from 00:1c:50:ac:72:1e via eth1
Feb 11 11:35:19 server dhcpd: DHCPACK on 10.1.1.231 to 00:1c:50:ac:72:1e via eth1

And within six seconds it is trying to resolve www.ecdinterface.philips.com. That resolved to 162.13.31.14, which had been allocated to Rackspace in the UK.

Let's scan the Blu-ray player with Nmap:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-02-11 11:09 EST
Nmap scan report for bluray (10.1.1.231)
Host is up (0.00034s latency).
rDNS record for 10.1.1.231: bluray.kc9rg.org
Not shown: 999 closed ports
PORT     STATE SERVICE     VERSION
8080/tcp open  http-proxy?
1 service unrecognized despite returning data. If you know the service/version, please
submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port8080-TCP:V=6.40%I=7%D=2/11%Time=52FA4B5D%P=x86_64-mageia-linux-gnu%
SF:r(GetRequest,12E,"HTTP/1\.1\x20301\x20Moved\x20Permanently\r\nAccept-Ra
SF:nges:\x20bytes\r\nContent-Type:\x20text/plain\r\nContent-Length:\x200\r
SF:\nLocation:\x20http://interfacepay\.voole\.com/\?uid=106549189&hid=001C
SF:50AC721E&oemid=208\r\nDate:\x20Tue,\x2011\x20Feb\x202014\x2017:09:59\x2
SF:0GMT\r\nServer:\x20VS/1\.0\r\nPragma:\x20no-cache\r\nCache-Control:\x20
SF:no-cache,\x20no-store\r\nExpires:\x200\r\n\r\n")%r(FourOhFourRequest,FC
SF:,"HTTP/1\.1\x20200\x20OK\r\nAccept-Ranges:\x20bytes\r\nContent-Type:\x2
SF:0text/html\r\nContent-Length:\x2094\r\nDate:\x20Tue,\x2011\x20Feb\x2020
SF:14\x2017:10:14\x20GMT\r\nServer:\x20VS/1\.0\r\nConnection:\x20close\r\n
SF:\r\n<html>\n<head>\n</head>\n<body>\nURL:\x20/nice\x20ports,/Trinity\.t
SF:xt\.bak\x20Not\x20Available\.\n</body>\n</html>\n");
MAC Address: 00:1C:50:AC:72:1E (TCL Technoly Electronics(Huizhou)Co.)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.24 - 2.6.36
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.81 seconds

So yes, it is running Linux with a late 2.6 kernel.

Only listening on TCP/8080, huh? Directing Firefox to http://bluray:8080/ yields an immediate "301 Moved Permanently" redirection to a curious XML page:
http://interfacepay.voole.com/?uid=106549189&hid=001C50AC721E&oemid=208

<?xml version="1.0" encoding="UTF-8"?>
<url version="1.0" uid="106549189" spid="20120629" epgid="100110" balance="0" policyid="100002" skyworth="0">
<urllist key="paylist" name="收费EPG片单接口"><![CDATA[http://interfacepay.voole.com/itv/pay.php?spid=20120629&epgid=100110&is3d=1&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="voole_recommenended" name="优朋今日推荐-仅限优朋C/S使用"><![CDATA[http://interfacepay.voole.com/itv/pay.php?spid=20120629&epgid=100110&ctype=3&column=B2CSTBOX_recommenended&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="account" name="账户接口"><![CDATA[http://account.voole.com/tv/playauth.php?spid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="product" name="产品接口"><![CDATA[http://interfacepay.voole.com/products/service.php?spid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="resume" name="续播读接口"><![CDATA[http://interfacepay.voole.com/resume/pay.php?spid=20120629&epgid=100110&is3d=1&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="resume_write" name="续播写接口"><![CDATA[http://interfacepay.voole.com/resume/pay.php?spid=20120629&epgid=100110&is3d=1&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="favorite" name="收藏读接口"><![CDATA[http://interfacepay.voole.com/favorite/pay.php?spid=20120629&epgid=100110&is3d=1&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="favorite_write" name="收藏写接口"><![CDATA[http://interfacepay.voole.com/favorite/pay.php?spid=20120629&epgid=100110&is3d=1&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="system" name="系统消息接口"><![CDATA[http://interfacepay.voole.com/message/getinfo/?spid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="push" name="推荐内容接口"><![CDATA[http://interfacepay.voole.com/push/?spid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="alert" name="提示信息"><![CDATA[http://interfacepay.voole.com/resource/alert/?spid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="payalert" name="收费提示信息"><![CDATA[http://interfacepay.voole.com/resource/payalert/?spid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="arealist" name="地域信息"><![CDATA[http://interfacepay.voole.com/resource/arealist/?spid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="nettype" name="网络类型"><![CDATA[http://interfacepay.voole.com/resource/nettype/?spid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="pay" name="预扣费"><![CDATA[http://coocanew750.voole.com:8822/manager]]></urllist>
<urllist key="searcharea" name="通过IP查所属地域"><![CDATA[http://mcs.voole.com/ipaddr.php?&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="agreement" name="订购协议"><![CDATA[http://interfacepay.voole.com/message/agreement/?spid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="voole_topview" name="优朋观看排行-仅限C/S使用"><![CDATA[http://interfacepay.voole.com/itv/pay.php?spid=20120629&epgid=100110&ctype=3&column=B2CSTBOX_topview&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="movieprice" name="单点价格查询"><![CDATA[http://interfacepay.voole.com/b2c/skyworth/movieprice.php?spid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="4444" name="老年桌面接口"><![CDATA[http://desk.voole.com/android/desktop?act=filmlist&oemid=679&hid=&uid=&deskcode=69886119&classid=444&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="3333" name="中年桌面接口"><![CDATA[http://desk.voole.com/android/desktop?act=filmlist&oemid=679&hid=&uid=&deskcode=69389923&classid=441&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="2222" name="幼儿桌面接口"><![CDATA[http://desk.voole.com/android/desktop?act=filmlist&oemid=679&hid=&uid=&deskcode=69389896&classid=438&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="1111" name="家庭桌面接口"><![CDATA[http://desk.voole.com/android/desktop?act=filmlist&oemid=679&hid=&uid=&deskcode=1368779509&classid=435&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="search" name="全文索引接口"><![CDATA[http://search.voole.com/?serachtype=2&ispid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="livetv" name="电视直播"><![CDATA[http://interfaceclientzhibosy.voole.com?&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="repeattv" name="轮播接口"><![CDATA[http://interfaceclientlunbosy.voole.com?&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="uni_pay" name="统一支付接口"><![CDATA[http://wappay.voole.com/&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
</url>
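
The redirect and the listed URLs are all plain HTTP, and most carry the same uid, hid and oemid parameters, where the hid value is the player's MAC address without the colons. As an added example (not code from the original article), this Python sketch audits such an endpoint list for cleartext transport, hardware-address exposure and repeated parameters; the function names are hypothetical, and the sample is four entries copied from the XML above with the name attributes and some root attributes dropped.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Four <urllist> entries copied from the XML above (name attributes dropped).
SAMPLE_XML = """<url version="1.0" uid="106549189" spid="20120629" epgid="100110">
<urllist key="account"><![CDATA[http://account.voole.com/tv/playauth.php?spid=20120629&epgid=100110&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="pay"><![CDATA[http://coocanew750.voole.com:8822/manager]]></urllist>
<urllist key="4444"><![CDATA[http://desk.voole.com/android/desktop?act=filmlist&oemid=679&hid=&uid=&deskcode=69886119&classid=444&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
<urllist key="uni_pay"><![CDATA[http://wappay.voole.com/&uid=106549189&hid=001C50AC721E&oemid=208]]></urllist>
</url>"""


def normalize_mac(mac):
    """'00:1C:50:AC:72:1E' -> '001C50AC721E'."""
    return mac.replace(":", "").replace("-", "").upper()


def query_pairs(url):
    """Return (name, value) pairs, keeping blank values and repeats."""
    parts = urlsplit(url)
    raw = parts.query
    # Some entries glue "&uid=..." onto the path with no "?"; recover those too.
    if not raw and "&" in parts.path:
        raw = parts.path.split("&", 1)[1]
    return parse_qsl(raw, keep_blank_values=True)


def audit(xml_text, device_mac):
    """One finding per endpoint: host, transport and identifier exposure."""
    mac = normalize_mac(device_mac)
    findings = []
    for node in ET.fromstring(xml_text).iter("urllist"):
        url = (node.text or "").strip()
        parts = urlsplit(url)
        pairs = query_pairs(url)
        counts = Counter(name for name, _ in pairs)
        findings.append({
            "key": node.get("key"),
            "host": parts.hostname,
            "cleartext": parts.scheme == "http",
            # Parameters whose value is the device's hardware address.
            "mac_params": sorted({n for n, v in pairs if v.upper() == mac}),
            # Parameters sent more than once; which copy wins is server-defined.
            "repeated": sorted(n for n, c in counts.items() if c > 1),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_XML, "00:1C:50:AC:72:1E"):
        print(finding)
```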

Where is this voole.com domain? China.

$ whois voole.com
[...]
Registrant Name: huailiang zhao
Registrant Organization: Unionvoole technology co.ltd
Registrant Street: G.T International Center 25B,Jia 3 Yong An Dong Li,Jian Guo Men Wai Avenue,Chao Yang District,Beijin
Registrant City: BeiJing
Registrant State/Province: BeiJing
Registrant Postal Code: 100022
Registrant Country: CN
Registrant Phone: +86.01065698000
Admin Organization: HiChina Web Solutions (Hong Kong) Limited
Admin Street: 3/F., HiChina Mansion,No.27 Gulouwai Avenue Dongcheng District,Beijing, China
Admin City: Beijing
Admin State/Province: Beijing
Admin Postal Code: 100011
Admin Country: CN
Admin Phone: +86.01064242299
Tech Organization: HiChina Web Solutions (Hong Kong) Limited
Tech Street: 3/F., HiChina Mansion,No.27 Gulouwai Avenue Dongcheng District,Beijing, China
Tech City: Beijing
Tech State/Province: Beijing
Tech Postal Code: 100011
Tech Country: CN
Tech Phone: +86.01064242299
[...]

Directing a browser to those URLs returns some very simple all-ASCII messages in faulty English. At http://desk.voole.com/ we get:

Was not authorized to use!

Trying http://interfacepay.voole.com/ returns:

Please check uid,oemid,hid.They are must no empty.

Using just the hostname for the URL http://account.voole.com/ yields a standard error message:

Forbidden
You don't have permission to access / on this server

Adding the full path http://account.voole.com/tv/playauth.php gets us a snippet of XML:

<response>
 <reqno>1392146492885</reqno>
 <status>-94</status>
 <resultdesc>参数异常!</resultdesc>
</response>

Finally, http://mcs.voole.com/ gets a login screen.

The obvious URL http://www.voole.com suggests that voole.com is some sort of on-demand movie provider, something like Netflix.

I turned the player off, started Wireshark to capture just those packets sent to/from the Blu-ray player's MAC address, and turned the player back on.

Once I had captured the startup sequence, I did another Nmap scan but this time with the -p0-65535 parameter to scan all possible TCP ports.

# nmap -sS -sV -O -p0-65535 -T4 bluray

Starting Nmap 6.40 ( http://nmap.org ) at 2014-02-11 12:37 EST
Nmap scan report for bluray (10.1.1.231)
Host is up (0.00025s latency).
rDNS record for 10.1.1.231: bluray.kc9rg.org
Not shown: 65534 closed ports
PORT      STATE SERVICE VERSION
33682/tcp open  http    Mongoose httpd
35182/tcp open  http    Mongoose httpd
MAC Address: 00:1C:50:AC:72:1E (TCL Technoly Electronics(Huizhou)Co.)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.24 - 2.6.36
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.76 seconds

It was no longer listening on TCP port 8080 with an automatic redirect. Now it was listening on TCP ports 33682 and 35182.

Both of those TCP ports 33682 and 35182 now return:

Error 404: Not Found
Not Found

Let's look at the Wireshark capture of just those packets to/from the Blu-ray player's MAC address:

Wireshark capture of Blu-ray network communication.
  1 0.000000000      0.0.0.0 -> 255.255.255.255 DHCP 590 DHCP Discover - Transaction ID 0x6fdce022
  2 0.000162000   10.1.1.100 -> 10.1.1.231   DHCP 342 DHCP Offer    - Transaction ID 0x6fdce022
  3 0.001085000      0.0.0.0 -> 255.255.255.255 DHCP 590 DHCP Request  - Transaction ID 0x6fdce022
  4 0.001145000   10.1.1.100 -> 10.1.1.231   DHCP 342 DHCP ACK      - Transaction ID 0x6fdce022
  5 0.002034000 TclTechn_ac:72:1e -> Broadcast    ARP 60 Who has 10.1.1.231?  Tell 0.0.0.0
  6 4.958783000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  7 5.231426000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  8 5.505342000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  9 7.367226000 TclTechn_ac:72:1e -> Broadcast    ARP 60 Who has 10.1.1.100?  Tell 10.1.1.231
 10 7.367245000 Micro-St_b2:f8:41 -> TclTechn_ac:72:1e ARP 42 10.1.1.100 is at 6c:62:6d:b2:f8:41
 11 7.367358000   10.1.1.231 -> 10.1.1.100   DNS 88 Standard query 0x5001  A www.ecdinterface.philips.com
 12 7.417125000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB WORKGROUP<1d>
 13 7.433040000   10.1.1.100 -> 10.1.1.231   DNS 294 Standard query response 0x5001  A 162.13.31.14
 14 7.456544000   10.1.1.231 -> 162.13.31.14 TCP 74 46575 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=4294688218 TSecr=0 WS=8
 15 7.571484000 162.13.31.14 -> 10.1.1.231   TCP 78 http > 46575 [SYN, ACK] Seq=0 Ack=1 Win=4140 Len=0 MSS=1380 WS=1 TSval=570552562 TSecr=4294688218 SACK_PERM=1
 16 7.571721000   10.1.1.231 -> 162.13.31.14 TCP 66 46575 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=4294688333 TSecr=570552562
 17 7.603171000   10.1.1.231 -> 162.13.31.14 HTTP 897 POST http://www.ecdinterface.philips.com:80/perl/ecdav HTTP/1.0  (application/octet-stream)
 18 7.603217000   10.1.1.100 -> 10.1.1.231   ICMP 590 Destination unreachable (Fragmentation needed)
 19 7.603558000   10.1.1.231 -> 162.13.31.14 TCP 590 [TCP Out-Of-Order] [TCP segment of a reassembled PDU]
 20 7.603589000   10.1.1.231 -> 162.13.31.14 HTTP 373 [TCP Retransmission] POST http://www.ecdinterface.philips.com:80/perl/ecdav HTTP/1.0  (application/octet-stream)
 21 7.696242000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB WORKGROUP<1d>
 22 7.728594000 162.13.31.14 -> 10.1.1.231   TCP 66 http > 46575 [ACK] Seq=1 Ack=832 Win=4971 Len=0 TSval=570552718 TSecr=4294688365
 23 8.014024000 162.13.31.14 -> 10.1.1.231   TCP 495 [TCP segment of a reassembled PDU]
 24 8.014052000 162.13.31.14 -> 10.1.1.231   HTTP 66 HTTP/1.1 200 OK  (application/octet-stream)
 25 8.014299000   10.1.1.231 -> 162.13.31.14 TCP 66 46575 > http [ACK] Seq=832 Ack=430 Win=6912 Len=0 TSval=4294688776 TSecr=570553004
 26 8.054238000   10.1.1.231 -> 162.13.31.14 TCP 66 46575 > http [ACK] Seq=832 Ack=431 Win=6912 Len=0 TSval=4294688816 TSecr=570553004
 27 8.245240000   10.1.1.231 -> 162.13.31.14 TCP 66 46575 > http [FIN, ACK] Seq=832 Ack=431 Win=6912 Len=0 TSval=4294689006 TSecr=570553004
 28 8.245514000   10.1.1.231 -> 162.13.31.14 TCP 74 46576 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=4294689007 TSecr=0 WS=8
 29 8.245803000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB WORKGROUP<1d>
 30 8.382520000 162.13.31.14 -> 10.1.1.231   TCP 66 http > 46575 [ACK] Seq=431 Ack=833 Win=4971 Len=0 TSval=570553373 TSecr=4294689006
 31 8.388817000 162.13.31.14 -> 10.1.1.231   TCP 78 http > 46576 [SYN, ACK] Seq=0 Ack=1 Win=4140 Len=0 MSS=1380 WS=1 TSval=570553380 TSecr=4294689007 SACK_PERM=1
 32 8.389004000   10.1.1.231 -> 162.13.31.14 TCP 66 46576 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=4294689150 TSecr=570553380
 33 8.389651000   10.1.1.231 -> 162.13.31.14 TCP 590 [TCP segment of a reassembled PDU]
 34 8.389680000   10.1.1.231 -> 162.13.31.14 HTTP 373 POST http://www.ecdinterface.philips.com:80/perl/ecdav HTTP/1.0  (application/octet-stream)
 35 8.518780000 162.13.31.14 -> 10.1.1.231   TCP 66 http > 46576 [ACK] Seq=1 Ack=832 Win=4971 Len=0 TSval=570553509 TSecr=4294689151
 36 8.545750000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB WORKGROUP<1b>
 37 8.729011000 162.13.31.14 -> 10.1.1.231   TCP 594 [TCP segment of a reassembled PDU]
 38 8.729054000 162.13.31.14 -> 10.1.1.231   HTTP 66 HTTP/1.1 200 OK  (application/octet-stream)
 39 8.729277000   10.1.1.231 -> 162.13.31.14 TCP 66 46576 > http [ACK] Seq=832 Ack=529 Win=6896 Len=0 TSval=4294689491 TSecr=570553719
 40 8.729837000   10.1.1.231 -> 162.13.31.14 TCP 66 46576 > http [FIN, ACK] Seq=832 Ack=530 Win=6896 Len=0 TSval=4294689491 TSecr=570553720
 41 8.730411000   10.1.1.231 -> 162.13.31.14 TCP 74 46577 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=4294689492 TSecr=0 WS=8
 42 8.818971000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB WORKGROUP<1b>
 43 8.852169000 162.13.31.14 -> 10.1.1.231   TCP 66 http > 46576 [ACK] Seq=530 Ack=833 Win=4971 Len=0 TSval=570553843 TSecr=4294689491
 44 8.858429000 162.13.31.14 -> 10.1.1.231   TCP 78 http > 46577 [SYN, ACK] Seq=0 Ack=1 Win=4140 Len=0 MSS=1380 WS=1 TSval=570553848 TSecr=4294689492 SACK_PERM=1
 45 8.858609000   10.1.1.231 -> 162.13.31.14 TCP 66 46577 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=4294689620 TSecr=570553848
 46 8.859467000   10.1.1.231 -> 162.13.31.14 TCP 590 [TCP segment of a reassembled PDU]
 47 8.859500000   10.1.1.231 -> 162.13.31.14 HTTP 411 POST http://www.ecdinterface.philips.com:80/perl/ecdav HTTP/1.0  (application/octet-stream)
 48 8.987799000 162.13.31.14 -> 10.1.1.231   TCP 66 http > 46577 [ACK] Seq=1 Ack=870 Win=5009 Len=0 TSval=570553978 TSecr=4294689621
 49 9.091803000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB WORKGROUP<1b>
 50 9.266296000 162.13.31.14 -> 10.1.1.231   TCP 716 [TCP segment of a reassembled PDU]
 51 9.266613000 162.13.31.14 -> 10.1.1.231   HTTP 66 HTTP/1.1 200 OK  (application/octet-stream)
 52 9.266620000   10.1.1.231 -> 162.13.31.14 TCP 66 46577 > http [ACK] Seq=870 Ack=651 Win=7144 Len=0 TSval=4294690028 TSecr=570554256
 53 9.267413000   10.1.1.231 -> 162.13.31.14 TCP 66 46577 > http [FIN, ACK] Seq=870 Ack=652 Win=7144 Len=0 TSval=4294690029 TSecr=570554257
 54 9.274243000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB <01><02>__MSBROWSE__<02><01>
 55 9.391083000 162.13.31.14 -> 10.1.1.231   TCP 66 http > 46577 [ACK] Seq=652 Ack=871 Win=5009 Len=0 TSval=570554381 TSecr=4294690029
 56 9.550176000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB <01><02>__MSBROWSE__<02><01>
 57 9.844484000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB <01><02>__MSBROWSE__<02><01>
 58 12.445125000 Micro-St_b2:f8:41 -> TclTechn_ac:72:1e ARP 42 Who has 10.1.1.231?  Tell 10.1.1.100
 59 12.445267000 TclTechn_ac:72:1e -> Micro-St_b2:f8:41 ARP 60 10.1.1.231 is at 00:1c:50:ac:72:1e
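
As an added example (not from the original article), the Python sketch below reduces summary rows like these to what the player looked up, which off-LAN hosts it opened connections to, and what it sent over HTTP, skipping retransmitted requests. The function name is hypothetical, the 10.1.1.0/24 range is taken from the dhcpd.conf above, and the sample rows are copied from the capture with the TCP option fields trimmed.

```python
import ipaddress
import re
from collections import Counter

# Frames 9, 11, 12, 14, 17, 20, 28, 34, 41, 47 and 54 copied from the capture
# above (TCP option fields trimmed from the SYN rows).
CAPTURE = """\
  9 7.367226000 TclTechn_ac:72:1e -> Broadcast    ARP 60 Who has 10.1.1.100?  Tell 10.1.1.231
 11 7.367358000   10.1.1.231 -> 10.1.1.100   DNS 88 Standard query 0x5001  A www.ecdinterface.philips.com
 12 7.417125000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB WORKGROUP<1d>
 14 7.456544000   10.1.1.231 -> 162.13.31.14 TCP 74 46575 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460
 17 7.603171000   10.1.1.231 -> 162.13.31.14 HTTP 897 POST http://www.ecdinterface.philips.com:80/perl/ecdav HTTP/1.0  (application/octet-stream)
 20 7.603589000   10.1.1.231 -> 162.13.31.14 HTTP 373 [TCP Retransmission] POST http://www.ecdinterface.philips.com:80/perl/ecdav HTTP/1.0  (application/octet-stream)
 28 8.245514000   10.1.1.231 -> 162.13.31.14 TCP 74 46576 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460
 34 8.389680000   10.1.1.231 -> 162.13.31.14 HTTP 373 POST http://www.ecdinterface.philips.com:80/perl/ecdav HTTP/1.0  (application/octet-stream)
 41 8.730411000   10.1.1.231 -> 162.13.31.14 TCP 74 46577 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460
 47 8.859500000   10.1.1.231 -> 162.13.31.14 HTTP 411 POST http://www.ecdinterface.philips.com:80/perl/ecdav HTTP/1.0  (application/octet-stream)
 54 9.274243000   10.1.1.231 -> 10.1.1.255   NBNS 92 Name query NB <01><02>__MSBROWSE__<02><01>
"""

# frame number, time, source, "->", destination, protocol, length, info
ROW = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\d+\s+(.*)$")
REQUEST = re.compile(r"^(GET|POST|PUT|HEAD)\s+(\S+)")


def summarize(capture, device_ip, lan_cidr):
    """Summarize traffic sent from device_ip in tshark-style summary rows."""
    lan = ipaddress.ip_network(lan_cidr)
    dns, nbns, http, syns = set(), set(), [], Counter()
    for line in capture.splitlines():
        m = ROW.match(line)
        if not m or m.group(1) != device_ip:
            continue  # not a summary row, or source is not the device's IP (ARP rows)
        _, dst, proto, info = m.groups()
        try:
            off_lan = ipaddress.ip_address(dst) not in lan
        except ValueError:
            off_lan = False  # destination printed as a name, not an address
        if proto == "DNS" and info.startswith("Standard query 0x"):
            dns.add(info.split()[-1])          # last token is the queried name
        elif proto == "NBNS":
            nbns.add(info.split("NB ", 1)[-1])  # LAN discovery broadcasts
        elif proto == "TCP" and "[SYN]" in info and off_lan:
            syns[dst] += 1                     # bare SYN = new outbound connection
        elif proto == "HTTP" and not info.startswith("[TCP Retransmission]"):
            req = REQUEST.match(info)
            if req:
                http.append((req.group(1), req.group(2), dst))
    return {"dns": sorted(dns), "nbns": sorted(nbns),
            "connections": dict(syns), "http": http}


if __name__ == "__main__":
    for key, value in summarize(CAPTURE, "10.1.1.231", "10.1.1.0/24").items():
        print(key, value)
```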

There are three connections to www.ecdinterface.philips.com on TCP port 80, and each one uses a POST to upload 220 bytes. The tail end of the packet carrying those 220 bytes contains the following. Nothing really jumps out at me:

0090                              fc:0d:7d:e3:10:d1:25              ..}...%
00a0  82:63:c5:a5:de:11:50:46  1f:88:ff:6c:9f:f0:a5:eb    .c....PF ...l....
00b0  90:9f:b8:59:a0:86:57:ed  5e:9d:26:a4:05:76:d6:c3    ...Y..W. ^.&..v..
00c0  3e:d3:5c:1a:2f:07:04:f6  bc:be:24:91:90:4b:15:ee    >.\./... ..$..K..
00d0  85:20:f7:6c:b6:95:40:29  44:70:59:4c:3c:7c:11:f7    . .l..@) DpYL<|..
00e0  4e:ff:48:5a:55:40:30:74  4b:34:fb:73:52:f8:31:a0    N.HZU@0t K4.sR.1.
00f0  9c:47:6b:88:8e:b1:e5:95  d9:64:c4:49:7a:49:9e:b7    .Gk..... .d.IzI..
0100  44:15:18:d5:e5:74:38:75  5c:3d:1f:25:4e:0d:55:16    D....t8u \=.%N.U.
0110  a0:cf:2d:49:d8:cc:44:38  38:95:3e:7d:3b:10:d1:cf    ..-I..D8 8.>};...
0120  e7:67:33:6a:00:66:fa:25  cc:14:be:c4:a6:16:93:79    .g3j.f.% .......y
0130  34:b1:12:24:60:fb:c5:df  36:53:81:19:ac:3a:ce:de    4..$`... 6S...:..
0140  63:8d:26:1b:98:60:5e:8d  0a:8c:75:a9:3f:dc:d7:21    c.&..`^. ..u.?..!
0150  77:b3:b0:80:9d:8d:55:1f  df:9c:74:7c:ad:38:48:93    w.....U. ..t|.8H.
0160  84:e5:6e:20:31:4d:f5:e4  94:e1:3e:87:7c:ce:cb:f9    ..n 1M.. ..>.|...
0170  54:19:67:e7:36                                      T.g.6

I did another Nmap scan with the -sO -p0-255 parameters requesting a protocol scan, trying all 256 possible IP protocol types.

It reported ICMP, as I would expect, and TCP, which I already knew about, but also UDP and possibly IP protocols 136 and 152.

# nmap -sO -p0-255 bluray

Starting Nmap 6.40 ( http://nmap.org ) at 2014-02-11 17:10 EST
Warning: 10.1.1.231 giving up on port because retransmission cap hit (10).
Nmap scan report for bluray (10.1.1.231)
Host is up (0.00018s latency).
rDNS record for 10.1.1.231: bluray.kc9rg.org
Not shown: 251 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp
6        open          tcp
17       open          udp
136      open|filtered udplite
152      open|filtered unknown
MAC Address: 00:1C:50:AC:72:1E (TCL Technoly Electronics(Huizhou)Co.)

Nmap done: 1 IP address (1 host up) scanned in 265.62 seconds

But nothing obvious turned up in a UDP scan with -sU:

# nmap -sU -T4 bluray

Starting Nmap 6.40 ( http://nmap.org ) at 2014-02-11 17:21 EST
Nmap scan report for bluray (10.1.1.231)
Host is up (0.00021s latency).
rDNS record for 10.1.1.231: bluray.kc9rg.org
All 1000 scanned ports on bluray (10.1.1.231) are closed (959) or open|filtered (41)
MAC Address: 00:1C:50:AC:72:1E (TCL Technoly Electronics(Huizhou)Co.)

Nmap done: 1 IP address (1 host up) scanned in 1036.84 seconds

It seems that out of the box it was running a web server at TCP port 8080 which redirected to the interfacepay.voole.com URL that returned the XML file containing several other URLs.

But then once it had communicated with the server at www.ecdinterface.philips.com, it must have received an update telling it not to do that.

I don't know if it was listening on TCP ports 33682 and 35182 at first, as I just did a default TCP SYN scan which only checks the 1,000 most commonly used ports.

What is it checking?

To see if an upgrade is available. After I had owned it for a few months, one evening it told me that software updates were available. Should it download and install them?

Once I had Wireshark listening, I had it go ahead. It downloads a file with a name like /firmware/BDP2105/223/BDP2105.BIN from fds.cpp.philips.com.

Wireshark capture of Philips Blu-ray firmware download.

BDP2105 is the model, and I would assume that 223 is a firmware version number.

I used the wget command to download a copy of the firmware.

This specific firmware file has 103,016,496 bytes. It starts with the characters PHILIPSBDP210500000.

Once the firmware is downloaded, the on-screen dialog asks if you want to install the upgrade.

You do that, and then you're cautioned to wait until the upgrade is finished.

The system then restarts, which you see as the screen briefly going blank and then restarting with the introductory screen.

The player listens on TCP ports 34465 and 52641 after the upgrade, versus 33682 and 35182 before. Connecting to either with a browser yields a very simple 404 error message.
