TiVo Community
TiVo Community
TiVo Community
Go Back   TiVo Community > Underground Playground > TiVo Underground
TiVo Community
Reply
Forum Jump
 
Thread Tools
Old 08-07-2014, 11:06 PM   #1
eboydog
Just TiVo'ing.....
 
eboydog's Avatar
 
Join Date: Mar 2006
Posts: 904
Open ports on your TiVo

I'm figured out that doing a port scan against my Roamio's can cause them to reboot. Now I'm trying to figure out which port causes this.

I have odd results so far, as just doing a port scan doesn't always cause my Roamio to reboot but in the one times that I did, my scanner utility showed port 3791 open however other times when the scan completes, I'm not showing it open so I believe it has something to do with that port or a port after it.

These are the ports I show open on my Roamio PLus and Pro, port 3791 only shows up when the box reboots:

80,443,1390,1393,1400,1410,1413,2190,2191

Any thoughts? My utility (AngryIP) default starts at port 1 and ends at port 6100
__________________
TiVo Roamio Pro
TiVo Roamio Plus (3tb)
TiVo Mini (three)
TiVo Premiere

eboydog is offline   Reply With Quote
Old 08-08-2014, 03:16 AM   #2
telemark
Registered User
 
Join Date: Nov 2013
Posts: 805
I don't see on the AngryIP website the type of scan it's doing.

The web detection column though might mean it's doing an HTTP request which could cause undesirable behavior for other protocols.

I suggest switching to NMAP so you can be sure what it's doing.

http://nmap.org/book/man-port-scanning-techniques.html

If you have crashing still, going from High to Low should give you a different result at least.

As a first glance, your list is missing 31339, do you have network remotes turned off?
__________________
Premiere 2 tuner & SiliconDust
on Comcast-CableCard + OTA

Last edited by telemark : 08-08-2014 at 04:56 AM.
telemark is offline   Reply With Quote
Old 08-08-2014, 04:22 AM   #3
wmcbrine
Resistance Useless
 
wmcbrine's Avatar
 
Join Date: Aug 2003
Posts: 9,113
Quote:
Originally Posted by telemark View Post
As a first glance, your list is missing 31339, do you have network remotes turned off?
He noted that it only scans up to 6100.
__________________

To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
wmcbrine is offline   Reply With Quote
Old 08-08-2014, 04:54 AM   #4
telemark
Registered User
 
Join Date: Nov 2013
Posts: 805
Quote:
Originally Posted by wmcbrine View Post
He noted that it only scans up to 6100.
Oops, well, there's another reason to switch scanners.

This is what I get on 2 tuner Premiere running 20.4.2
Code:
# nmap -p1-65535 -sS $IP
Not shown: 65520 filtered ports
PORT      STATE  
80/tcp    open   
443/tcp   open   
1390/tcp  open   
1393/tcp  open   
1400/tcp  open   
1410/tcp  open   
1413/tcp  open   
2190/tcp  open   
2191/tcp  open   
8430/tcp  open   
9080/tcp  closed 
31339/tcp open   
50184/tcp open   
56789/tcp open   
56790/tcp open


Last edited by telemark : 08-08-2014 at 12:08 PM.
telemark is offline   Reply With Quote
Old 08-08-2014, 11:19 PM   #5
eboydog
Just TiVo'ing.....
 
eboydog's Avatar
 
Join Date: Mar 2006
Posts: 904
I downloaded the win gui version and oh boy I think I broke something as on the first scan a few minute into it, the tivo in question rebooted but came up with green screen stating "the TiVo box has detected a serious problem and now attempting to fix it" NEVER seen that before....

I was tried an intense scan, "nmap -p1-65535 -T4 -A -v192.168.50.80"

This is the output of the scan results:

"Completed Service scan at 22:23, 106.25s elapsed (14 services on 1 host)" was when the TiVo rebooted

Quote:
22:19 Central Daylight Time

NSE: Loaded 118 scripts for scanning.

NSE: Script Pre-scanning.

Initiating ARP Ping Scan at 22:19

Scanning 192.168.50.80 [1 port]

Completed ARP Ping Scan at 22:19, 0.08s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 22:19

Completed Parallel DNS resolution of 1 host. at 22:19, 0.04s elapsed

Initiating SYN Stealth Scan at 22:19

Scanning 192.168.50.80 [65535 ports]

Discovered open port 443/tcp on 192.168.50.80

Discovered open port 80/tcp on 192.168.50.80

SYN Stealth Scan Timing: About 22.80% done; ETC: 22:22 (0:01:45 remaining)

Discovered open port 8430/tcp on 192.168.50.80

Discovered open port 1400/tcp on 192.168.50.80

Discovered open port 56790/tcp on 192.168.50.80

Discovered open port 2190/tcp on 192.168.50.80

Discovered open port 2191/tcp on 192.168.50.80

Discovered open port 1410/tcp on 192.168.50.80

Discovered open port 56789/tcp on 192.168.50.80

SYN Stealth Scan Timing: About 58.95% done; ETC: 22:21 (0:00:42 remaining)

Discovered open port 31339/tcp on 192.168.50.80

Discovered open port 50184/tcp on 192.168.50.80

Discovered open port 1390/tcp on 192.168.50.80

Discovered open port 1393/tcp on 192.168.50.80

Discovered open port 1413/tcp on 192.168.50.80

Completed SYN Stealth Scan at 22:21, 88.27s elapsed (65535 total ports)

Initiating Service scan at 22:21

Scanning 14 services on 192.168.50.80

Service scan Timing: About 71.43% done; ETC: 22:23 (0:00:35 remaining)

Completed Service scan at 22:23, 106.25s elapsed (14 services on 1 host)

Initiating OS detection (try #1) against 192.168.50.80

Retrying OS detection (try #2) against 192.168.50.80

NSE: Script scanning 192.168.50.80.

Initiating NSE at 22:23

NSE Timing: About 45.10% done; ETC: 22:24 (0:00:38 remaining)

NSE Timing: About 68.63% done; ETC: 22:24 (0:00:32 remaining)

NSE Timing: About 76.47% done; ETC: 22:25 (0:00:32 remaining)

NSE Timing: About 80.39% done; ETC: 22:26 (0:00:33 remaining)

NSE Timing: About 84.31% done; ETC: 22:26 (0:00:31 remaining)

NSE Timing: About 84.31% done; ETC: 22:27 (0:00:38 remaining)

Completed NSE at 22:27, 231.29s elapsed

Nmap scan report for 192.168.50.80

Host is up (0.0012s latency).

Not shown: 65520 filtered ports

PORT STATE SERVICE VERSION

80/tcp open http TiVo To Go httpd 20.4.2-USA-6:848

443/tcp open ssl/http TiVo To Go httpd 20.4.2-USA-6:848

1390/tcp open iclpv-sc?

1393/tcp open ssl/iclpv-nls?

1400/tcp open cadkey-tablet?

1410/tcp open hiq?

1413/tcp open ssl/innosys-acl?

2190/tcp open tcpwrapped

2191/tcp open tvbus?

8430/tcp open unknown

9080/tcp closed glrpc

31339/tcp open crestron-control TiVo DVR Crestron control server

50184/tcp open unknown

56789/tcp open tcpwrapped

56790/tcp open tcpwrapped

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

SF-Port50184-TCP:V=6.46%I=7%D=8/8%Time=53E593D1%P=i686-pc-windows-windows%

SF:r(RPCCheck,1C,"\x01\0\0\(\x08\xed&Y\x80\0\0\0\x18\xed&Y\x cc\x14\xe7v@C\

SF:x91v\x03\x02\0\0")%r(DNSVersionBindReq,1C,"\0\x1e\0\x06\x 02\xed&Y\x80\0

SF:\0\0\x18\xed&Y\xcc\x14\xe7v@C\x91v\x02\x02\0\0")%r(SSLSes sionReq,54,"\x

SF:01\x03\0\0\x08\xed&Y\x80\0\0\0\x18\xed&Y\xcc\x14\xe7v@C\x 91v\xd2\0\0\0\

SF:x01\x82{\xb9\x08\xed&Y\x80\0\0\0\x18\xed&Y\xcc\x14\xe7v@C \x91v\xd2\0\0\

SF:0\0\x13\0\n\x02\xed&Y\x80\0\0\0\x18\xed&Y\xcc\x14\xe7v@C\ x91v\xd2\0\0\0

SF:")%r(FourOhFourRequest,38,"\x01ET\x20\x08m\x90Y\x80\0\0\0 \x18m\x90Y\xcc

SF:\x14\xe7v@C\x91v\xd2\0\0\0\x016Ei\x08m\x90Y\x80\0\0\0\x18 m\x90Y\xcc\x14

SF:\xe7v@C\x91v\xd2\0\0\0")%r(SIPOptions,FC,"\x01PTI\x08m\x9 0Y\x80\0\0\0\x

SF:18m\x90Y\xcc\x14\xe7v@C\x91v\xd2\0\0\0\x01ia:\x08m\x90Y\x 80\0\0\0\x18m\

SF:x90Y\xcc\x14\xe7v@C\x91v\xd2\0\0\0\x01h=f\x08m\x90Y\x80\0 \0\0\x18m\x90Y

SF:\xcc\x14\xe7v@C\x91v\xd2\0\0\0\x01;ta\x08m\x90Y\x80\0\0\0 \x18m\x90Y\xcc

SF:\x14\xe7v@C\x91v\xd2\0\0\0\x01nm2\x08m\x90Y\x80\0\0\0\x18 m\x90Y\xcc\x14

SF:\xe7v@C\x91v\xd2\0\0\0\x01eq:\x08m\x90Y\x80\0\0\0\x18m\x9 0Y\xcc\x14\xe7

SF:v@C\x91v\xd2\0\0\0\x01ard\x08m\x90Y\x80\0\0\0\x18m\x90Y\x cc\x14\xe7v@C\

SF:x91v\xd2\0\0\0\x01:\x200\x08m\x90Y\x80\0\0\0\x18m\x90Y\xc c\x14\xe7v@C\x

SF:91v\xd2\0\0\0\x01>\r\n\x08m\x90Y\x80\0\0\0\x18m\x90Y\xcc\ x14\xe7v@C\x91

SF:v\xd2\0\0\0")%r(NotesRPC,38,"\x01\0\0\0\x08\xed&Y\x80\0\0 \0\x18\xed&Y\x

SF:cc\x14\xe7v@C\x91v\xd2\0\0\0\0\0\0\0\x07\xed&Y\0\0\0\0\0\ 0\0\0\xcc\x14\

SF:xe7v@C\x91v\xd2\0\0\0");

MAC Address: 00:119:63:02:01 (TiVo)

OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU

No OS matches for host

Network Distance: 1 hop

Service Info: Device: media device



TRACEROUTE

HOP RTT ADDRESS

1 1.24 ms 192.168.50.80



NSE: Script Post-scanning.

Read data files from: C:\Program Files (x86)\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 434.23 seconds

Raw packets sent: 131266 (5.782MB) | Rcvd: 82 (3.616KB)

__________________
TiVo Roamio Pro
TiVo Roamio Plus (3tb)
TiVo Mini (three)
TiVo Premiere


Last edited by eboydog : 08-08-2014 at 11:28 PM.
eboydog is offline   Reply With Quote
Old 08-08-2014, 11:21 PM   #6
eboydog
Just TiVo'ing.....
 
eboydog's Avatar
 
Join Date: Mar 2006
Posts: 904
The green screen state it would take up to four hours but it came back up in about 5 minutes, the TiVo appears to be ok?

Tried another scan and it again, caused the TiVo to reboot....

Think I should turn this over to TiVo and see if I can find someone there who might make more sense of this? Granted port scanning is something that one typically does on their network but doing such should reboot your TiVo should it?
__________________
TiVo Roamio Pro
TiVo Roamio Plus (3tb)
TiVo Mini (three)
TiVo Premiere


Last edited by eboydog : 08-08-2014 at 11:30 PM.
eboydog is offline   Reply With Quote
Old 08-09-2014, 12:05 AM   #7
telemark
Registered User
 
Join Date: Nov 2013
Posts: 805
Tivo's will reboot as a reaction to when certain software components crash or has a logic error. So that safety mechanism is working properly, but it's not suppose to have such a bug in the first place.

It would be kinda odd to say it as, I want my box to be happy while being probed... but sure normal computers are suppose to be stable no mater what comes at them from the network, otherwise we'd have DOS attacks that were reboots.

Tivo's are a bit different as they're not equipped for public (hostile) environments. If someone were to put a Tivo on a public network, then someone in Russia would be controlling the remote.
telemark is offline   Reply With Quote
Old 08-09-2014, 12:41 AM   #8
wmcbrine
Resistance Useless
 
wmcbrine's Avatar
 
Join Date: Aug 2003
Posts: 9,113
I'm pretty sure my TiVos never rebooted when I did a scan. Granted, it's been a while...
__________________

To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
wmcbrine is offline   Reply With Quote
Old 08-09-2014, 01:14 AM   #9
kdmorse
Registered User
 
kdmorse's Avatar
 
Join Date: Jan 2001
Location: Germantown, MD
Posts: 4,225
Quote:
Originally Posted by wmcbrine View Post
I'm pretty sure my TiVos never rebooted when I did a scan. Granted, it's been a while...
I've never seen it reboot under either a Syn scan, or a TCP Connect scan, or anything else that I would consider a simple port scan.

But both angryip, and adding -A to nmap do a wee bit more than a 'port scan'. It connect to each port, and runs a series of tests designed to get the service to identify itself. ie, it's mean.

And I can report -A -T5 -p1-65535 did indeed crash my box nastily.

A strategic search of the port range could probably narrow down the sensitive service fairly quickly.
__________________
"I disapprove of what you say, but I will defend to the death your right to say it"
"Stop slouching! It's two O'clock in the afternoon, PUT PANTS ON!"
"Statistically speaking, there are two Popes per square kilometer in Vatican City..."
kdmorse is offline   Reply With Quote
Old 08-09-2014, 04:10 PM   #10
eboydog
Just TiVo'ing.....
 
eboydog's Avatar
 
Join Date: Mar 2006
Posts: 904
It's not a Roamio thing either, ran intense scan against my Premiere and it rebooted too, including the green serious error has occurred when it came back up.

Not shown: 65516 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http TiVo To Go httpd 20.4.4.J3-01-2:746:alpha
443/tcp open ssl/http TiVo To Go httpd 20.4.4.J3-01-2:746:alpha
1390/tcp open iclpv-sc?
1393/tcp open ssl/iclpv-nls?
1400/tcp open cadkey-tablet?
1410/tcp open hiq?
1413/tcp open ssl/innosys-acl?
1500/tcp open vlsi-lm?
2190/tcp open tcpwrapped
2191/tcp open tvbus?
2410/tcp open unknown
2411/tcp open unknown
2412/tcp open unknown
8430/tcp open unknown
9080/tcp closed glrpc
31339/tcp open unknown
50184/tcp open unknown
56789/tcp open tcpwrapped
56790/tcp open tcpwrapped

As it made it to port 56790, can one assume the offending port was after that somewhere?
__________________
TiVo Roamio Pro
TiVo Roamio Plus (3tb)
TiVo Mini (three)
TiVo Premiere

eboydog is offline   Reply With Quote
Old 08-09-2014, 04:51 PM   #11
telemark
Registered User
 
Join Date: Nov 2013
Posts: 805
So, I'm not recommending to run this, since you got a Green screen... but if you're going to do it.

You would run one pass, that's non probing. That gives you the list of ports of interest but with no traffic transferred. This is not suppose to reboot yet.

Then you would run the probe test on each of the discovered ports, one at a time. Ideally, exactly one of the ports will cause the crash, but nothing prevents more than one having the same symptom except luck.

What you're doing is called fuzz testing btw.
http://en.wikipedia.org/wiki/Fuzz_testing

Edit:
And when vendors don't do it as QA, Hackers will use it to mess with / get into systems.

Last edited by telemark : 08-10-2014 at 12:25 PM.
telemark is offline   Reply With Quote
Old 08-10-2014, 01:39 AM   #12
eboydog
Just TiVo'ing.....
 
eboydog's Avatar
 
Join Date: Mar 2006
Posts: 904
I opened an incident with TiVo esp after seeing the same behavior with the premiere. This should be interesting to see what they say as I assume they will either dismiss it and say "don't port scan" or advance the issue to a higher tier support.

There is a another thread in the Roamio section about reboots, were someone posted a vague reply that port scanning can cause reboots which I was hoping they would respond back with more details of what they knew but so far they haven't.
__________________
TiVo Roamio Pro
TiVo Roamio Plus (3tb)
TiVo Mini (three)
TiVo Premiere

eboydog is offline   Reply With Quote
Old 08-10-2014, 11:44 AM   #13
eboydog
Just TiVo'ing.....
 
eboydog's Avatar
 
Join Date: Mar 2006
Posts: 904
Wow, that was fast... This is TiVo support reply:

Thank you for contacting TiVo Customer Support. I would be glad to help you with your rebooting issues. If the Roamio box only reboots when you are doing the IP scan we would recommend not running the scan on the TiVo box. The TiVo box only connects to the TiVo Service to pull Guide Data and only connects to your network while streaming, this is an unnecessary process for you to continually scan your TiVo box.



I'm going to push it a little and see if I can get a better reply.
__________________
TiVo Roamio Pro
TiVo Roamio Plus (3tb)
TiVo Mini (three)
TiVo Premiere

eboydog is offline   Reply With Quote
Old 08-10-2014, 12:22 PM   #14
telemark
Registered User
 
Join Date: Nov 2013
Posts: 805
Hmm and on a Sunday too. I wonder if it's one of their common responses.

If you really want to pester them, you could say you're on open Wifi or Internet and someone else is probing your box, causing it to reboot. But you're going to have to explain how you figured that out and why you can't secure the Internet.

Some but few apartments and dorms are run that way.
telemark is offline   Reply With Quote
Old 08-10-2014, 01:02 PM   #15
eboydog
Just TiVo'ing.....
 
eboydog's Avatar
 
Join Date: Mar 2006
Posts: 904
Quote:
Originally Posted by telemark View Post
Hmm and on a Sunday too. I wonder if it's one of their common responses.

If you really want to pester them, you could say you're on open Wifi or Internet and someone else is probing your box, causing it to reboot. But you're going to have to explain how you figured that out and why you can't secure the Internet.

Some but few apartments and dorms are run that way.
I was surprised too as I didn't expect an answer until at least Monday!

I'm not a i hi-tech security analyst but given what I do know about port scanning and how many of the early port scanning allowed malicious access when other steps and data injection was included, if I was a.crafty person, knowing the proper port to attack could possibly offer a backdoor into the TiVo. Now granted there isn't a lot of sensitive data in my TiVo but being compromised is being compromised. What's the worse that could happen? I don't know, buying a bunch of ppv video?

Simply stated, something isn't responding well. An aggressive port scan should not reboot a TiVo and such indicates there is more to this than just rebooting.
__________________
TiVo Roamio Pro
TiVo Roamio Plus (3tb)
TiVo Mini (three)
TiVo Premiere

eboydog is offline   Reply With Quote
Old 08-11-2014, 05:34 PM   #16
eboydog
Just TiVo'ing.....
 
eboydog's Avatar
 
Join Date: Mar 2006
Posts: 904
I tried turning off network remote and disabling home apps with no change. Any thing else that might be optional to disable?

The reboot occurs after all ports have been scanned and open one are detected, then the scanner is queires the open ports to determine the services running so the reboot is an effect of the scanner attempting to see what services are being offered on the open ports.



I'm baffled why the reboot causes the green screen?



(Not mine pic but one I googled, it's the same one I'm getting word for word)
__________________
TiVo Roamio Pro
TiVo Roamio Plus (3tb)
TiVo Mini (three)
TiVo Premiere

eboydog is offline   Reply With Quote
Old 08-11-2014, 05:37 PM   #17
telemark
Registered User
 
Join Date: Nov 2013
Posts: 805
Have you looked at the Tivo logs? It should explain quite a bit.
__________________
Premiere 2 tuner & SiliconDust
on Comcast-CableCard + OTA
telemark is offline   Reply With Quote
Old 08-15-2014, 01:01 AM   #18
innocentfreak
Registered User
 
Join Date: Aug 2001
Location: Florida
Posts: 8,556
Quote:
Originally Posted by eboydog View Post
Wow, that was fast... This is TiVo support reply:

Thank you for contacting TiVo Customer Support. I would be glad to help you with your rebooting issues. If the Roamio box only reboots when you are doing the IP scan we would recommend not running the scan on the TiVo box. The TiVo box only connects to the TiVo Service to pull Guide Data and only connects to your network while streaming, this is an unnecessary process for you to continually scan your TiVo box.



I'm going to push it a little and see if I can get a better reply.
Might be worth an email to Margret, she is more aware than support.
__________________
1 - TiVo Roamio Pro
2 - TiVo Premiere XL

To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
innocentfreak is offline   Reply With Quote
Old 08-15-2014, 11:42 AM   #19
bradleys
It'll be fine....
 
Join Date: Oct 2007
Posts: 2,103
Quote:
Originally Posted by eboydog View Post
I'm figured out that doing a port scan against my Roamio's can cause them to reboot. Now I'm trying to figure out which port causes this.
Out of curiosity, what is the reason you are doing an open port scan of the TiVo anyway? Are you trying to diagnose the reboot issue some people have reported?


__________________
TiVo S2 (Retired)
TiVo Series 3 (Sold)
TiVo HD (Sold)
TiVo Premier (2 TB Upgrade)
TiVo Roamio Plus
TiVo Mini
iPad TiVo app
TiVo Stream (Sold)
Personal Video Share powered by PyTiVo
bradleys is offline   Reply With Quote
Old 08-15-2014, 11:28 PM   #20
eboydog
Just TiVo'ing.....
 
eboydog's Avatar
 
Join Date: Mar 2006
Posts: 904
Quote:
Originally Posted by bradleys View Post
Out of curiosity, what is the reason you are doing an open port scan of the TiVo anyway? Are you trying to diagnose the reboot issue some people have reported?

I have a larger than typical network and I assign static addresses to tivo devices and other main hosts by assigning addresses at the router. I just upgraded my router and had to set everything up from scratch.

i did get the attention of a couple TiVo engineers and they are looking into it.

Yes, I was looking at the reason for rebooting and stumbled across the port scan issue by accident, the majority of rebooting issues that others are having is most likely not due to scanning. But who knows, if someone's home network was compromised by the NSA it could just be big brother watching you.
__________________
TiVo Roamio Pro
TiVo Roamio Plus (3tb)
TiVo Mini (three)
TiVo Premiere

eboydog is offline   Reply With Quote
Reply
Forum Jump




Thread Tools


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Advertisements

TiVo Community
Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
vBulletin Skins by: Relivo Media

(C) 2013 Magenium Solutions - All Rights Reserved. No information may be posted elsewhere without written permission.
TiVoŽ is a registered trademark of TiVo Inc. This site is not owned or operated by TiVo Inc.
All times are GMT -5. The time now is 03:16 PM.
OUR NETWORK: MyOpenRouter | TechLore | SansaCommunity | RoboCommunity | MediaSmart Home | Explore3DTV | Dijit Community | DVR Playground |