Here's why your Samsung Blu-ray player bricked itself: It downloaded an XML config file that broke the firmware

Network-connected gear stuck in boot loop needs replacing


Analysis Since the middle of last month, thousands of Samsung customers found their older internet-connected Blu-ray players had stopped working.

In the days that followed, complaints about devices caught in an endless startup boot loop began to appear on various internet discussion boards, and videos documenting the device failure appeared on YouTube.

To fix the issue, Samsung eventually advised customers to return their inoperable video players for repairs. There is no software fix.

"We are aware of the boot loop issue that appeared on certain 2015 Samsung Blu-Ray players and are offering free mail-in repairs to customers who have been impacted," a representative of the mega-manufacturer said in a Samsung forum post.

It was speculated by netizens and some media reports that a HTTPS certificate error was to blame. However, it's been suggested to The Register that the cause of the failure was an XML file downloaded by the network-connected devices from Samsung servers during periodic logging policy checks.

This file, when fetched and saved to the device's flash storage and processed by the equipment, crashed the system software and force a reboot. Upon reboot, the player parsed the XML file again from its flash storage, crashed and rebooted again. And so on, and so on, and so on. Crucially, the XML file would be parsed before a new one could be fetched from the internet, so once the bad configuration file was fetched and stored by these particular Samsung Blu-ray players in the field, they were bricked.

Drilling in

A Register reader who is savvy with low-level hardware, and asked to be identified simply as Gray, provided us a detailed technical analysis of Samsung's blunder.

One thing you have to understand is that these internet-connected Blu-ray players in question are programmed to log their activities and send copies of this information to Samsung. This telemetry is sent to the tech giant's servers when the player's firmware is told to check for a software update. These logs include things like when you opened, say, the Netflix app and when you closed it on the player.

Exactly how much the device should log and transmit back to HQ is defined by Samsung in an XML logging policy file regularly fetched from this URL:

https://configprd.samsungcloudsolution.net/openapi/dict/logpolicyconfig

The affected Blu-ray players, we're told, do not transmit their logs until a privacy notice has been accepted by the user. The privacy notice comes into play when the customer connects the device to the internet and tries to use a network service like Netflix. After that notice is accepted, these Blu-ray players no longer bug their users with privacy notices, and simply quietly send the telemetry while the system checks for software updates.

And even if you don't use something like Netflix, or don't accept the privacy notice nor download a software update, but do connect the device to the internet, your player will still routinely fetch the logging policy file. That's why, our source tells us, Samsung Blu-ray players that have never connected to the internet were not affected by the flawed file. Also, it explains why players that never performed a software update nor used a network service, and were simply connected to the internet, were bricked. The firmware routinely automatically fetches, stores, and parses the logging policy file regardless of anything else.

"Players were bricked even though the users never performed a network update. It was enough for the player to be connected to the internet. Samsung never asked the user if it was OK to download the bomb," said Gray, referring to the dodgy XML policy file.

The problem with the XML file, sent out on June 18, 2020, is that it wasn't formatted in a way compatible with the device's code. Though a valid XML file, it contained an empty list element, we're told:

<?xml version="1.0"?> <Policy>

<period val="2020-06-18T17:00:01"/> <server type="operating"/>
<list/>

</Policy>

"Unfortunately for Samsung, the code which handles the processing of the log policy XML file has not been tested for such an empty <list/> element and causes a crash," Gray explained. The device code appears not to have been designed to handle that possibility because the empty list produces an invalid memory reference in the device's main program, called bdpprog, which causes the kernel to terminate it.

Crashing the main program results in a reboot, but since the logging policy XML file is always processed early on after startup, the crash simply reoccurs before a fixed version of the file can be fetched. Gray suggested this XML file was sent to the Blu-ray players without proper verification.

"After the crash, the main program, bdpprog, is terminated by the kernel," said Gray. "Since bdpprog is the main program, its termination results in a reboot by init. Even less fortunately for Samsung, the code for parsing the logging policy XML file is hard-coded to run at every boot. The result is that the player is stuck in a permanent boot loop as has recently been experienced by thousands of users worldwide."

Gray continued:

Because of the monumentally stupid idea of parsing a downloaded XML file unconditionally at every boot, there seems to be no way to recover the devices from the boot loop using normal means – such as a USB stick, CD or network – because the crash happens too early in the boot sequence.

The only ways to revive the player are: erase the invalid policy file from the flash partition, or update the firmware of the player with a version in which the XML parse bug has been corrected. At the time of writing this, no such updated firmware exists.

Unfortunately, both of these fixes require low-level access to the serial debug port of the player, soldering wires to the motherboard, proprietary hardware and software tools as well as deep knowledge of the player’s architecture. This is not something that an average user can do. Hence, the best solution that Samsung can and is offering its customers is a prepaid label for sending the player to an authorized repair center.

Samsung, we're told, replaced the file on its servers on June 27, 2020, thereby preventing the problem from affecting Blu-ray players that hadn't already ingested it. But a server-side fix does nothing for devices already locked in an endless reboot loop. Hence the mail-in repair program.

The Register asked Samsung whether it could confirm Gray's claims and provide more specific details about the number of devices ultimately affected by the snafu. A spokesperson acknowledged the request, and promised a reply if the manufacturer has anything to share. We've not yet received any response beyond that. ®

Bootnote

If you try to fetch the policy file from Samsung's services, you'll probably run into a certificate error. But that's because it's using a Samsung-issued HTTPS certificate your browser or operating system doesn't trust. However, the Blu-ray players do trust the certs, which expire in 2069. "This problem has nothing to do with expiring SSL certificates as has been speculated," noted Gray.

PS: Got some inside analysis or tips, too? Send them to us via strong encryption: details and PGP key here.


Biting the hand that feeds IT © 1998–2020