# Open ports on your TiVo



## eboydog (Mar 24, 2006)

I'm figured out that doing a port scan against my Roamio's can cause them to reboot. Now I'm trying to figure out which port causes this.

I have odd results so far, as just doing a port scan doesn't always cause my Roamio to reboot but in the one times that I did, my scanner utility showed port 3791 open however other times when the scan completes, I'm not showing it open so I believe it has something to do with that port or a port after it.

These are the ports I show open on my Roamio PLus and Pro, port 3791 only shows up when the box reboots:

80,443,1390,1393,1400,1410,1413,2190,2191

Any thoughts? My utility (AngryIP) default starts at port 1 and ends at port 6100


----------



## telemark (Nov 12, 2013)

I don't see on the AngryIP website the type of scan it's doing.

The web detection column though might mean it's doing an HTTP request which could cause undesirable behavior for other protocols.

I suggest switching to NMAP so you can be sure what it's doing.

http://nmap.org/book/man-port-scanning-techniques.html

If you have crashing still, going from High to Low should give you a different result at least.

As a first glance, your list is missing 31339, do you have network remotes turned off?


----------



## wmcbrine (Aug 2, 2003)

telemark said:


> As a first glance, your list is missing 31339, do you have network remotes turned off?


He noted that it only scans up to 6100.


----------



## telemark (Nov 12, 2013)

wmcbrine said:


> He noted that it only scans up to 6100.


Oops, well, there's another reason to switch scanners.

This is what I get on 2 tuner Premiere running 20.4.2

```
# nmap -p1-65535 -sS $IP
Not shown: 65520 filtered ports
PORT      STATE  
80/tcp    open   
443/tcp   open   
1390/tcp  open   
1393/tcp  open   
1400/tcp  open   
1410/tcp  open   
1413/tcp  open   
2190/tcp  open   
2191/tcp  open   
8430/tcp  open   
9080/tcp  closed 
31339/tcp open   
50184/tcp open   
56789/tcp open   
56790/tcp open
```


----------



## eboydog (Mar 24, 2006)

I downloaded the win gui version and oh boy I think I broke something as on the first scan a few minute into it, the tivo in question rebooted but came up with green screen stating "the TiVo box has detected a serious problem and now attempting to fix it" NEVER seen that before....

I was tried an intense scan, *"nmap -p1-65535 -T4 -A -v192.168.50.80"*

This is the output of the scan results:

*"Completed Service scan at 22:23, 106.25s elapsed (14 services on 1 host)" was when the TiVo rebooted*



> 22:19 Central Daylight Time
> 
> NSE: Loaded 118 scripts for scanning.
> 
> ...


----------



## eboydog (Mar 24, 2006)

The green screen state it would take up to four hours but it came back up in about 5 minutes, the TiVo appears to be ok?

Tried another scan and it again, caused the TiVo to reboot....

Think I should turn this over to TiVo and see if I can find someone there who might make more sense of this? Granted port scanning is something that one typically does on their network but doing such should reboot your TiVo should it?


----------



## telemark (Nov 12, 2013)

Tivo's will reboot as a reaction to when certain software components crash or has a logic error. So that safety mechanism is working properly, but it's not suppose to have such a bug in the first place.

It would be kinda odd to say it as, I want my box to be happy while being probed... but sure normal computers are suppose to be stable no mater what comes at them from the network, otherwise we'd have DOS attacks that were reboots.

Tivo's are a bit different as they're not equipped for public (hostile) environments. If someone were to put a Tivo on a public network, then someone in Russia would be controlling the remote.


----------



## wmcbrine (Aug 2, 2003)

I'm pretty sure my TiVos never rebooted when I did a scan. Granted, it's been a while...


----------



## kdmorse (Jan 29, 2001)

wmcbrine said:


> I'm pretty sure my TiVos never rebooted when I did a scan. Granted, it's been a while...


I've never seen it reboot under either a Syn scan, or a TCP Connect scan, or anything else that I would consider a simple port scan.

But both angryip, and adding -A to nmap do a wee bit more than a 'port scan'. It connect to each port, and runs a series of tests designed to get the service to identify itself. ie, it's mean.

And I can report -A -T5 -p1-65535 did indeed crash my box nastily.

A strategic search of the port range could probably narrow down the sensitive service fairly quickly.


----------



## eboydog (Mar 24, 2006)

It's not a Roamio thing either, ran intense scan against my Premiere and it rebooted too, including the green serious error has occurred when it came back up.

Not shown: 65516 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http TiVo To Go httpd 20.4.4.J3-01-2:746:alpha
443/tcp open ssl/http TiVo To Go httpd 20.4.4.J3-01-2:746:alpha
1390/tcp open iclpv-sc?
1393/tcp open ssl/iclpv-nls?
1400/tcp open cadkey-tablet?
1410/tcp open hiq?
1413/tcp open ssl/innosys-acl?
1500/tcp open vlsi-lm?
2190/tcp open tcpwrapped
2191/tcp open tvbus?
2410/tcp open unknown
2411/tcp open unknown
2412/tcp open unknown
8430/tcp open unknown
9080/tcp closed glrpc
31339/tcp open unknown
50184/tcp open unknown
56789/tcp open tcpwrapped
56790/tcp open tcpwrapped

As it made it to port 56790, can one assume the offending port was after that somewhere?


----------



## telemark (Nov 12, 2013)

So, I'm not recommending to run this, since you got a Green screen... but if you're going to do it.

You would run one pass, that's non probing. That gives you the list of ports of interest but with no traffic transferred. This is not suppose to reboot yet.

Then you would run the probe test on each of the discovered ports, one at a time. Ideally, exactly one of the ports will cause the crash, but nothing prevents more than one having the same symptom except luck.

What you're doing is called fuzz testing btw.
http://en.wikipedia.org/wiki/Fuzz_testing

Edit:
And when vendors don't do it as QA, Hackers will use it to mess with / get into systems.


----------



## eboydog (Mar 24, 2006)

I opened an incident with TiVo esp after seeing the same behavior with the premiere. This should be interesting to see what they say as I assume they will either dismiss it and say "don't port scan" or advance the issue to a higher tier support.

There is a another thread in the Roamio section about reboots, were someone posted a vague reply that port scanning can cause reboots which I was hoping they would respond back with more details of what they knew but so far they haven't.


----------



## eboydog (Mar 24, 2006)

Wow, that was fast... This is TiVo support reply:
_
Thank you for contacting TiVo Customer Support. I would be glad to help you with your rebooting issues. If the Roamio box only reboots when you are doing the IP scan we would recommend not running the scan on the TiVo box. The TiVo box only connects to the TiVo Service to pull Guide Data and only connects to your network while streaming, this is an unnecessary process for you to continually scan your TiVo box._

I'm going to push it a little and see if I can get a better reply.


----------



## telemark (Nov 12, 2013)

Hmm and on a Sunday too. I wonder if it's one of their common responses.

If you really want to pester them, you could say you're on open Wifi or Internet and someone else is probing your box, causing it to reboot. But you're going to have to explain how you figured that out and why you can't secure the Internet.

Some but few apartments and dorms are run that way.


----------



## eboydog (Mar 24, 2006)

telemark said:


> Hmm and on a Sunday too. I wonder if it's one of their common responses.
> 
> If you really want to pester them, you could say you're on open Wifi or Internet and someone else is probing your box, causing it to reboot. But you're going to have to explain how you figured that out and why you can't secure the Internet.
> 
> Some but few apartments and dorms are run that way.


I was surprised too as I didn't expect an answer until at least Monday!

I'm not a i hi-tech security analyst but given what I do know about port scanning and how many of the early port scanning allowed malicious access when other steps and data injection was included, if I was a.crafty person, knowing the proper port to attack could possibly offer a backdoor into the TiVo. Now granted there isn't a lot of sensitive data in my TiVo but being compromised is being compromised. What's the worse that could happen? I don't know, buying a bunch of ppv video?

Simply stated, something isn't responding well. An aggressive port scan should not reboot a TiVo and such indicates there is more to this than just rebooting.


----------



## eboydog (Mar 24, 2006)

I tried turning off network remote and disabling home apps with no change. Any thing else that might be optional to disable?

The reboot occurs after all ports have been scanned and open one are detected, then the scanner is queires the open ports to determine the services running so the reboot is an effect of the scanner attempting to see what services are being offered on the open ports.

I'm baffled why the reboot causes the green screen?










(Not mine pic but one I googled, it's the same one I'm getting word for word)


----------



## telemark (Nov 12, 2013)

Have you looked at the Tivo logs? It should explain quite a bit.


----------



## innocentfreak (Aug 25, 2001)

eboydog said:


> Wow, that was fast... This is TiVo support reply:
> _
> Thank you for contacting TiVo Customer Support. I would be glad to help you with your rebooting issues. If the Roamio box only reboots when you are doing the IP scan we would recommend not running the scan on the TiVo box. The TiVo box only connects to the TiVo Service to pull Guide Data and only connects to your network while streaming, this is an unnecessary process for you to continually scan your TiVo box._
> 
> I'm going to push it a little and see if I can get a better reply.


Might be worth an email to Margret, she is more aware than support.


----------



## bradleys (Oct 31, 2007)

eboydog said:


> I'm figured out that doing a port scan against my Roamio's can cause them to reboot. Now I'm trying to figure out which port causes this.


Out of curiosity, what is the reason you are doing an open port scan of the TiVo anyway? Are you trying to diagnose the reboot issue some people have reported?


----------



## eboydog (Mar 24, 2006)

bradleys said:


> Out of curiosity, what is the reason you are doing an open port scan of the TiVo anyway? Are you trying to diagnose the reboot issue some people have reported?


I have a larger than typical network and I assign static addresses to tivo devices and other main hosts by assigning addresses at the router. I just upgraded my router and had to set everything up from scratch.

i did get the attention of a couple TiVo engineers and they are looking into it.

Yes, I was looking at the reason for rebooting and stumbled across the port scan issue by accident, the majority of rebooting issues that others are having is most likely not due to scanning. But who knows, if someone's home network was compromised by the NSA it could just be big brother watching you.


----------

