Samsung Blu-ray players bricked because of an XML config file(theregister.com) |
Samsung Blu-ray players bricked because of an XML config file(theregister.com) |
In some ways, this is even more disturbing than the bricking.
Only corporate greed can create a media player that watches you and needs constant firmware updates.
I have a VCR and DVD player which still work, and things like this are the reason I'm not buying any newer standalone players.
It reminds me of this old meme (I'm not aware of a Blu-ray version): https://files-cdn.sharenator.com/pirate-dvds-s800x825-43988....
https://www.adexchanger.com/ad-exchange-news/the-marketers-g...
I pressed the meta data company manager we were working with about how they could make such accurate predictions about who was viewing based off just zip code and the content and he replied with "you would be amazed at what people will tell you about themselves for 5$ off netflix".
My productivity dropped and I had a hard time coming into work after that. (This was around the Snowden era).
LG got busted shortly after for not actually stopping the screen grabbing once a second and uploading it to a server even if you turned the option off in the UK. Not surprised.
Your digital cable boxes have been doing this for even longer.
The internet connectivity is sold as an additional feature so that you can use your blu-ray player to watch Netflix. I agree that I don't want logging on a device like this, but if I was going to connect one of these to the internet, I would at least want regular security updates.
All it takes is for a visiting family member or friend who wants to watch Netflix while you're in another room/asleep/etc to click okay.
Unfortunately this is only a temporary solution IMO. Within the next decade I think you'll see these smart devices shipping with built in connectivity that's difficult or impossible to disable, especially if Starlink or other satellite based services really take off.
You still get the best experience (and quality) going through BitTorrent.
... which you'll automatically give by approving a tome-sized privacy policy
... that you have to accept if you want to use any kind of internet feature, such as watching Netflix.
I love the world we're living in...
The phones have major international data hoarder apps, their equivalent in India and their Samsung equivalent with its own app downloading services which masquerades as system updates to force the gullible into downloading Samsung apps even if you disable them.
The phones are very much subsidised for data hoarding.
I used to think consumer PCs were bad but holy cow, the way android enables malware out of the box is insane! And in the name of protecting the user from malware they have no tools to deal with it.
Go read up about the Cheka, Mao, and the Stasi.
I use Fastmail, eschew most social media, and run a PinePhone. I'm not a fan of corporate surveillance.
But they're amateurs compared with the murderous surveillance states of years past.
Firmware updates are good. They can patch security issues and they can improve different aspects of the device. The security being the best plus obviously.
Wholeheartedly agree that there is no reason for a company like Samsung to track your every move despite you paying them hundreds for said devive. I'd be very surprised if they don't make a hefty profit from such devices. So why then, do they need to track us in addition to making us fork over our money.
I understand Google tracking us. I don't agree with it, but I understand it. Same with Facebook. But Samsung? Apple? No. They're even going to certain lengths to prevent you from fully enjoying your devices (such locked bootloader, making it hard to repair etc).
The point is that there are no "security issues" in a dumb media player like the DVD player I have. Suppose an "attacker" (and that is stretching the definition a lot...) can create a disc that can overflow a buffer somewhere and crash the player or cause it to do something "interesting", and I have been somehow tricked into attempting to play this disc --- so what? It's not connected to the Internet, the firmware is read-only, there's literally nothing of value to attack. I'll just eject the disc (manually if necessary) and not play it again.
Instead this stupid "update culture" has created horribly buggy software that's barely functional "because we can always change it", and now we somehow need an Internet-connected media player,along with all the downsides --- including security --- that brings, just so they can (try to) silently attempt to fix some bugs that should never have gotten out in the first place? My experience tells me that they will fix one thing and break something else in the process, so there's overall no real improvement.
Emphasis mine - updates also remove features and introduce security issues. It's not cut-and-dry "updates are good"
I am pretty sure my Samsung fridge update removed 3 of the limited ~12 or so apps it had in the first place.
Other than allowing the player to read pirated BluRays, I guess, but that's not the user's problem.
https://www.techdirt.com/articles/20190114/08084341384/vizio...
Now I’d imagine that Samsung are making a hefty profit on the 75” 4K all singing sets (and still spying on you) but the cheaper ones seem to be priced so there isn’t much profit.
Everyone assumes you'll lose your settings during a factory reset, but what isn't as clear cut: Does it revert the firmware to whatever it was shipped with (bugs and all)? Some vendors do, but most vendors do not.
A legitimate factory reset (inc. firmware) mechanism or USB boot/reflash would have likely saved Samsung considerable amounts of money here (relative to mailing all of them two ways, they could have e.g. sent out free USB keys with the firmware).
Hotglue the ethernet port?
Packets in the transport stream include the necessary firmware.
I don't know how useful that was. Most people hook up TVs to cable boxes.
I never hooked up my Sony to an antenna for exactly that reason. There were reports of people being unsatisfied with firmware updates. E.g. the motion interpolation algorithm changed.
The worst part about that was if your signal quality wasn't great. You'd see blocks fail, and it'd take ages for them to come up again.
The boxes now ship with usable firmware preloaded, and will update in the background in the first few days usually.
I searched for "DVB firmware", but didn't find much.
Warranty is not any part of the issue if you come into my house and break a thing I own and is my property.
Read the EULA. It almost certainly specifies that what you think you own, has in fact just been licensed to you.
Nobody has read the Eula. Nobody has knowingly and willingly agreed to those terms (if they exist). No vendor has expected those terms to be read (if they even exist). No vendor has explained those terms to a customer.
There is a contract for exchange of ownership. You can't actually break that contract with unconscinable means such as fine print that nobody reads nor is expected to read nor has had explained.
Read a EULA if you like but it will do absolutely nothing for you nor will it alter the law and the application of the law. Maybe you'll enjoy the read though?
It is an item, purchased in a shop in exchange for money. There's rather a lot of established law about that.
We once almost bricked our devices (electronic magnifier/OCR for low vision people) with an update that added automatic calibration for the cheap crappy OEM touchscreen we used in some devices. It was so crappy all the screens we had in our company had the same serial numbers and returned different coordinates when you clicked in the same spot :)
Fortunately libev has calibration - you can provide a matrix to transform all touchscreen events with. We added calibration step - the software asked user to touch 4 corners on the screen, calculates inverse matrix and saves it to configuration for better touchscreen accuracy. We tested it extensively, and uploaded the version to our update server.
The next day customers started calling :) turns out libev (which reads the configuration during booting) had a "feature" that parsed the numbers in the configuration using the default system locale.
German locale uses . as thousands separator and , as fraction separator.
So, when you did the calibration and restarted the device with German locale your screen transformed the touschscreen events multiplying them by thousands - so you couldn't click on anything, so you couldn't use the device or click "update software".
It was even worse if you used german locale, saved the calibration configuration and then changed locale to English - then it simply crashed during boot because of wrong number format :)
Fortunately we left one usb port accessible so users could attach usb mouse and click "update" if they had the first situation, or download the whole firmware on an usb pendrive and update from it.
BTW the libev bug is fixed, now it always reads the configuration using C locale. Guess what happened when we updated the linux on our systems half a year later and that change was included :)
We have a few Samsung products and each one has a particularly annoying problem.
The worst part is the support, I post a polite request on their website and always get a very concise unhelpful answer.
I no longer buy Samsung products.
I think that's the only reasonable thing to do. Have the original firmware either as an actual rom, or only writable with an enable jumper flipped; use a power on key sequence to boot from the original firmware, copy to normal firmware and reboot into normal firmware (which is now the original firmware). Run through that process during manufacturing to confirm it works.
Regularly test that all released firmware images, especially those in the original firmware slot can successfully upgrade (or at least not crash). Preferably include current firmware version in all requests so you can give workaround responses as needed when you figure out you broke something -- in the hostname is ideal, as you can use that to work around version specific certificate issues.
The reason a Blu-Ray player (or a video game console) might not let you go back to original firmware is to prevent reverting to earlier firmwares that allowed copied media, etc. For those, you probably want to have a 'safe' firmware slot (or two, ideally) that drives the factory reset process, and only reflash those slots on some updates (to reduce testing needs)
But that'd also mean you need double the flash capacity, which drives up the BOM cost.
I think if it doesn't revert to the firmware it had when shipped by the factory, it shouldn't be considered a factory reset.
Wouldn't Samsung and the rest have stopped this if people just returned the TV?
Factory resetes that reset the EEPROM basically usually means that the hardcoded values form the ROM/Firmware will be used on the next boot.
However you usually have another tier today which is flash storage which isn’t a mechanism that can be easily reset with a “factory reset” because it involves a file system.
If the bad config files are on the flash you need a factory reset mechanism that basically tells the main firmware or boot loader to recreate the file system on the next boot.
The OS itself then initializes it all from scratch on the first boot.
They way I understood it, the write up in the article says that the XML is downloaded and parsed during boot.
Edit: I guess if you disabled network access you could boot. Derp
Then you just keep it offline until Samsung fixes the file on their server so you don't have to reset it again. They fixed it a few days later so it is safe now, so even old firmware should be safe to go online.
This could be avoided by using your own PKI for updates (and bundle your own root), but I assume most devices out there are using Web PKI for updates.
Unfortunately no language or other framework or system can completely do away with programming logic errors.
(I used to work at a company where people checked in code, asked someone else to test it, and it was clear it had never even been run!)
If smart devices will have build in connectivity in the next decade, I think 5g will be a more likely candidate. But I don't see that happening either. Why would a company pay for the data of its users when most people will just connect it to their wifi?
I. Couldn't find a source on "pizza box sized", but I remember Elon Musk has said that. Also here is a picture of one of the antennae: https://www.reddit.com/r/Starlink/comments/hruzck/new_photo_...
With modern cameras even darkness is no guarantee.
Im also doing some research before upgrading. Never the first to upgrade, i hate autoupdating software
So, these local manufacturers are going to have free run shipping crap embedded phones for a long time.
[1]https://www.pine64.org/2020/07/15/july-updatepmos-ce-pre-ord...
There is also no Netflix playback, which is a very common use case for consumers.
BTW, the internet connection can be used for key revocation as a way to combat piracy and consumer choice. So, it's "worse" than "just" tracking.
EDIT Here are the standards you want to read: https://dvb.org/?standard=specification-for-system-software-...
You shouldn't be able to, but I think in most jurisdictions you most certainly can.
https://en.wikipedia.org/wiki/End-user_license_agreement#Enf...
Those two platforms probably only use the best 20-30% core functionality of what was built. And they're still second tier...
There are tools as the ecosystem is open and the community is extraordinarily talented, but it largely depends upon the device, whether the kernel source, driver blobs are available and boot loader can be unlocked; these were generally true for most devices from high profile manufacturers, but now things are changing as those manufacturers have ventured into $1000 smartphones and don't care for their enthusiast population.
Then again, new breed of pure Linux smartphones are available now. IMO, this should be the long term focus for any enthusiast wanting a free, open, secure mobile computing experience.
The only consumer electronic in my house I allow to talk to the internet is the AppleTV. Nothing else is allowed on the router. Not the TV. Not the disc player. Not the refrigerator. Not even the "smart" thermostat.
This only works if the player is connected to the internet, which shouldn't be necessary to begin with.
Besides that though, firmware updates require an internet connection, and those updates contain keys for newer AACS versions. So if you want to play a just-released movie, you may need a player capable of AACS 72 (or whatever it’s at now), but yours may only support AACS 52 (out of the box).
MakeMKV does require an update for each new AACS version.
All is not lost.
1. current operating system
2. previous operating system (and next, on upgrade)
3. data partition, shared across both current and previous OS
4. factory reset partition
That means if we needed to do a factory reset we could just load the firmware archive from the fourth partition onto the second partition and execute a normal upgrade, albeit to an older version. Since upgrade packages were small, maybe 500MB?, we could easily cut a little space from the rest of the partitions to make it fit without having to increase the flash capacity.
1. The recovery partition takes up some space, and
2. You (or malware) can mess up the recovery partition, and
3. The recovery partition doesn't exist if just upgraded the storage (e.g. replace the HDD with an SSD).
Macbooks have other failings (e.g. increasingly hard to upgrade/replace hardware yourself) but the operating system recovery works better than anything I've seen for Windows or Linux. Chromebooks have a factory reset key sequence, but that requires a working ChromeOS on the drive.
I wrote a guide years ago on blocking them via DNS which loads of people found useful. These days a PiHole is probably a better option.
https://gist.github.com/peteryates/b44b70d19ccd52f62d66cdd4b...
Or, if you have the time and opportunity, sue the manufacturer in small claims court.
Better yet, tell your friends and family about how the ads start after the return period closed, and encourage everyone not buy that garbage in the first place.
Best solution is to "air gap" your TV by not connecting it your wifi or ethernet.
How long will it be before TVs embed a cellular modem with manufacturer-paid service to keep the smart features connected? “No setup, works straight out of the box” has to have at least some marketing value, after all.
As for image quality it is miles ahead of crufty CRT displays, Sony Triniton or the like.
It works for me, but I don’t know if it is yet well known what the effect of developer UX on error rate is.
TV prices have been falling for decades[1], long before manufacturers could truly benefit from the data provided by smart TVs. So other factors are probably much more important - such as cheaper materials, automated production, economies of scale etc.
Also, ad revenue wouldn't explain why "stupid" computer monitor prices have also fallen greatly during the same time period.
[1] https://u.osu.edu/zagorsky.1/2014/05/18/why-are-television-s...
Screens are actually that cheap. Take a look at the monitor size/resolution price curve (for non-gaming monitors) and you'll see TVs fit perfectly on it.
Here's a random 55 inch LG panel available on Alibaba. $145 each for a minimum order of 15. That was just the first I found - I'm sure you can get cheaper (especially in bulk!)
Things like high refresh rate, GSync etc add to the cost of the monitor.
https://www.alibaba.com/product-detail/LG-full-color-FHD-mod...
I bought a 75” 4K TV with HDR for $750 recently. I paid that much for my first 15” LCD computer monitor.
If I connect it to the internet I know it’s spying on me.
C and C++ programs tend to crash in the presence of an error, but so do rust programs (panic), C# and java and js and python programs (unhandled exception). Some languages make it harder to footgun yourself for certain types of errors, but never all types of errors.
I have seen js programs (and similar stuff in other languages) crash because of something like
JSON.parse(response).list[0].string.length
Does rust protect from such mistakes (because I know some people on here like to claim rust is the answer to everything)? Verbatim from their docs:
let v = vec![0, 2, 4, 6];
println!("{}", v[6]); // it will panic!
I have written such code myself because I was lazy or distracted or "need performance" or "this can never be empty per spec" or "oops, my range calculation was off by one", tho luckily I didn't outright brick anything, yet.
In Samsung's case, if they put the parsing of the telemetry config xml file in a separate thread the default Rust behaviour is not to kill the entire thing. Sending the telemetry back to servers sounds like something you would do in a separate thread, so perhaps it would have saved them.
Other languages with similarity strong memory models like Java / Python / Haskell could do the same thing of course. And in those languages programmer could just emulate it in any case. C / C++ with their weak memory models could not sanely do it. A programmer could emulate it in those languages by using separate processes if the OS supported it, but they would have to forgo shared memory.
Not a huge difference perhaps - but Rust's strong memory model does buy you something.
That is impossible to guarantee. It isn't even possible to completely generally[†] test for - what you have there is a variant of the halting problem (https://en.wikipedia.org/wiki/Halting_problem).
[†] added "generically" there as it is possible, using formal methods from the start, to prove that a program is correct so will not error (in an unexpected manner) on any input, but such methods are time-consuming so outside of certain specific fields you'll not find them used
The choice of programming language only gets you so far - it's up to the developers to actually handle errors in a meaningful way.
UX things in some languages guide me to idiomatic code that is safer. And as engineers, we know there is no guarantee, only shades of improvement. But again, if language choice does not affect your program quality, so be it.
TV Manufactures may not sell 1B units (maybe they do), but it's still a large enough number that it will not be unnoticed in a balance sheet
But that $20 price difference would probably mean that less people buy Samsung, so the maths isn't going to be that straightforward.
Yeah, uninstall it and install Linux ;)
(and besides, most TVs have other ways of watching Netflix that ought to be more convenient for a visitor. A $30 Roku stick is all you need)
https://www.walmart.com/ip/Sceptre-55-Class-4K-UHD-LED-TV-HD...
You can also find other brand 4K dumb TVs on Amazon.
A guest might not see it plugged in and not know to try all the HDMI inputs before selecting the easy, built-in option on the TV.
You're not going to find IPS or OLED panels on those large form factor monitors for a sensible price, so do consider that.
Also keep an eye open for NEC digital signage displays on eBay, they're quite common coming from liquidated businesses. I bought a few of them for the office on the cheap and they're solid as long as you avoid the really old plasma models.
With LCD monitors being available in sizes as large as TVs and with the same resolutions, I suspect there won't be much difference but perhaps panels intended for TVs may still have more allowable defects.
It's a truly disgusting trend.