# TiVo Stream 4k - Suspicious Secondary Network Interface



## ArrJay (Dec 16, 2021)

I noticed a suspicious device on my network. The MAC address company was AMPAK Technology. It appeared and disappeared faster than I could investigate. After 2 weeks it re-appeared and I was able to scan it with Nmap. Per Nmap, the SSL certificate common name was "Shenzhen SEI Robotics TV SEI400TV Amlogic AMLS905Y2 Cast." The TiVo Stream 4K was off and its primary network interface was not connected, yet this suspicious secondary connection was active. I unplugged the TiVo and the suspicious connection instantly went away.

I think TiVo has some explaining to do. It appears to have a secondary network connection that goes in and out of activity even when the device is turned off. I cannot find any explanation within TiVo's documentation as to why this connection exists.


----------



## slick1ru2 (Apr 24, 2021)

Could that be a background update check?


----------



## ArrJay (Dec 16, 2021)

slick1ru2 said:


> Could that be a background update check?


Possibly, but I can't imagine why it would need a separate network interface complete with a unique MAC address to do that.


----------



## Chris Fox (Oct 11, 2002)

Not sure what the use case would be, but any sort of virtualization could result in the creation of the interface. You could try blocking the MAC to see if it complains, which could give some insight into what it was doing...


----------



## socrplyr (Jul 19, 2006)

What do you mean by the primary network connection was not connected? Also, what do you mean by the device is turned off?
What is the difference in MAC addresses between the two?


----------



## ArrJay (Dec 16, 2021)

socrplyr said:


> What do you mean by the primary network connection was not connected? Also, what do you mean by the device is turned off?
> What is the difference in MAC addresses between the two?


On my router, the MAC address assigned to the TiVo was not connected. However, the MAC address assigned to AMPAK was. The device was turned off, i.e., I pressed the power button on the remote.

The MAC addresses are 100% different. One has a company ID within the MAC (first 6 characters) of AMPAK and the other is TiVo.

As has been said, it definitely appears the hardware MAC address is AMPAK and that the TiVo / Android OS virtualizes a new MAC address with TiVo's company ID.


----------



## socrplyr (Jul 19, 2006)

That is an interesting behavior. You really aren't turning the TS4k off, but maybe putting it into a standby mode (at best). Mine doesn't have that behavior at all when I hit the power button. I do have my power button configured to do IR TV Off though, so that might be the difference there. I wonder if something about the way it handles that standby causes the TiVo part of the OS to turn over control of the hardware to the base loader software. SEI is the company that makes the devices for TiVo. It seems like TiVo might have been lazy in their design and allows you to see some of the underlying system. Seems like a poor design, especially because that device is retaining access to your Wi-Fi. I will play around with mine tonight and see if they have a similar behavior. I will also see if my Onn device behaves the same way.


----------
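One way to test the hypothesis raised in this thread, that both MAC addresses belong to the same physical device, is to correlate the router's client connect/disconnect log and flag MAC pairs with different vendor prefixes that are never online together and hand over within seconds. This is an added example, not code from any poster; the log format, MAC values and function names are constructed for illustration.

```python
from itertools import combinations

# Constructed router log: (unix_time, mac, event). The MACs are placeholders,
# not the real AMPAK or TiVo prefixes.
LOG = [
    (1000, "00:aa:aa:00:00:01", "up"),    # stands in for the TiVo-prefix MAC
    (2000, "00:cc:cc:00:00:03", "up"),    # unrelated client, online throughout
    (5000, "00:aa:aa:00:00:01", "down"),
    (5004, "00:bb:bb:00:00:02", "up"),    # stands in for the AMPAK-prefix MAC
    (5900, "00:bb:bb:00:00:02", "down"),
    (5903, "00:aa:aa:00:00:01", "up"),
    (9000, "00:aa:aa:00:00:01", "down"),
    (9500, "00:cc:cc:00:00:03", "down"),
]

def oui(mac):
    """First three octets: the vendor prefix ('company ID' in the thread)."""
    return mac.lower().replace("-", ":")[:8]

def locally_administered(mac):
    """True if the U/L bit (0x02 of octet one) is set: a software-assigned MAC."""
    return bool(int(mac[:2], 16) & 0x02)

def intervals(log):
    """Map each MAC to its list of (up, down) online intervals."""
    out, started = {}, {}
    for ts, mac, event in sorted(log):
        if event == "up":
            started[mac] = ts
        elif mac in started:
            out.setdefault(mac, []).append((started.pop(mac), ts))
    return out

def alternating_pairs(log, window=10):
    """MAC pairs with different OUIs that never overlap online and hand over
    within `window` seconds at least once (suggests one radio, two addresses)."""
    iv, hits = intervals(log), []
    for a, b in combinations(sorted(iv), 2):
        spans = [(x, y) for x in iv[a] for y in iv[b]]
        overlap = any(s1 < e2 and s2 < e1 for (s1, e1), (s2, e2) in spans)
        handover = any(0 <= s2 - e1 <= window or 0 <= s1 - e2 <= window
                       for (s1, e1), (s2, e2) in spans)
        if oui(a) != oui(b) and handover and not overlap:
            hits.append((a, b))
    return hits

if __name__ == "__main__":
    for a, b in alternating_pairs(LOG):
        print(a, b, "software-assigned:", locally_administered(a), locally_administered(b))
```

A pair flagged here is only a lead; confirming it still takes the step described in the first post, unplugging the device and watching whether both addresses drop.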

