
Blocking Samsung TV firmware updates using Zyxel's 'Eircom f1000' VMG8324-B10A

  • 24-12-2015 7:24pm
    #1
    Registered Users Posts: 2,797 ✭✭✭


    Please note to fix Wi-Fi in the past, using Dermot McDonnell's guide I have previously unbranded this router to remove the Eircom firmware and it now runs the latest (at least at the time) Zyxel officially released stable firmware.

    On my new Samsung J series TV I cannot let it update from factory firmware or I will not be able to sideload apps from USB, which would restrict me to having only apps from one country installed at a time, basically it is RTÉ, TG4, 3Player OR iPlayer, All4, ITVHub - not both sets.

    Samsung made a change in this series of television so that disabling updates from the normal and service menus does not stop updates fully, and the firmware will still update. The only way around this is to block updates at the network level.

    The domains I need to block are the following:
    msecnd.net
    samsungotn.net
    

    I am testing for success by attempting to block just the first domain, first on my PC, which has the hostname roadrunner and the MAC address you will see in the screenshot. I have been testing by trying to load this link in a new browser tab:

    https://az833301.vo.msecnd.net/

    What I have tried so far:

    1. Using Security >> Parental Control.

    2v32blk.jpg

    162413m.jpg

    Just in case the settings were phrased badly, I tried sliding the bar so that no access was from '00:00 - 24:00' but this made no difference. Also, I am not able to select '00:01 - 24:00', the earliest next available is '00:30 - 24:00'.

    34q3gps.jpg

    I tried with and without a network service setting configured as above. The input box for site/URL keyword would not accept the asterisk when I tried to enter *.mscend.net.

    2. Using Security >> Firewall.

    rvhzkp.jpg

    The IP below was in the output of ping msecnd.net yesterday, but now there is no reply, even from other devices on the network. Also, blocking by IP may be risky - if the TV is configured to look for updates by host@domain, and they change the IP, it will update.

    dcwhnk.jpg

    I know it says destination IP address below, but just in case I tried entering msecnd.net but it would not accept it. It also would not let me enter a port range 1-65535, so I left it without a port setting.

    ifzime.jpg

    ip430x.jpg

    Definition of the 247 scheduler rule. I experimented with changing the time from '00:00 - 00:00' to '00:00 - 23:59' but this made no difference:

    rarjvr.jpg


    Neither of my two attempts above to block access to the domain msecnd.net worked, although when I experimented with the ACL set to ICMP instead of TCP/UDP - it did stop ping replies from the IP before I removed it.

    Please advise, am I missing something in my settings or is the config on this Zyxel just bugged or not able to block domains? Is there anything I can do? I really want to hook the new TV up to the network so I can stop using the Roku 3 for on demand media!


Comments

  • Registered Users Posts: 121 ✭✭Paul Thomas Rowland


    Do you have TR-069 protocol switched On for your active WAN interface? It is the usual protocol for remote device management of the sort you describe. If On, turn it Off to block all traffic using that protocol. Please let us know how you get on.

    In general, you should only switch On the protocols you need. Better security.


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    Rather than trying to use parental controls you should give it bogus DNS. Right now the Zyxel will relay DNS calls from the ISP/User Set DNS server, if you add manual entries to redirect the required domains then the TV will never be able to connect (make sure to flush DNS while testing).


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    Do you have TR-069 protocol switched On for your active WAN interface? It is the usual protocol for remote device management of the sort you describe. If On, turn it Off to block all traffic using that protocol. Please let us know how you get on.

    In general, you should only switch On the protocols you need. Better security.

    Hi, thanks for coming back to me on this.

    I found in maintenance >> TR-069 it was disabled. I can enable it but when I try to select VDSL it asks for an IP address for ACS:

    30jipuw.jpg

    Just to clarify, are you saying that the reason the parental control rules I put in place have had no effect is because this is disabled? I am curious as to why it would affect that, and not, say, configuring the WiFi, or entering dynamic DNS, etc.?


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    ED E wrote: »
    Rather than trying to use parental controls you should give it bogus DNS. Right now the Zyxel will relay DNS calls from the ISP/User Set DNS server, if you add manual entries to redirect the required domains then the TV will never be able to connect (make sure to flush DNS while testing).

    That is something I was looking at, but there are many options and I did not really know what I was doing to be honest.

    Could you please talk me through it? If you do not have access to the same router I can upload screenshots of the options.

    Also, please note that it is important the Samsung still uses the DNS server I have entered into the router, for everything other than these two domains, as it is how I get around the geo-blocking of BBC iPlayer etc.


  • Registered Users Posts: 121 ✭✭Paul Thomas Rowland


    dusf wrote: »
    Hi, thanks for coming back to me on this.

    I found in maintenance >> TR-069 it was disabled.

    Nope, wrong menu. That is the TR-069 client to remotely manage your F1000.

    You need to disable the tr-069 protocol on the WAN interface. Not at work now, but Network -> Broadband edit VDSL interface. I think it's there.

    V12 firmware might help your only approach. Released last week.
    ftp://certified:zyxel@ftp.zyxel.it/firmware/VMG8924/


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    Nope, wrong menu. That is the TR-069 client to remotely manage your F1000.

    You need to disable the tr-069 protocol on the WAN interface. Not at work now, but Network -> Broadband edit VDSL interface. I think it's there.

    V12 firmware might help your only approach. Released last week.
    ftp://certified:zyxel@ftp.zyxel.it/firmware/VMG8924/

    Definitely not there, unless the option goes by another name, same applies to the advanced tab of broadband. Thanks for the link.


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    Forget TR069, it won't do anything as it doesn't have a master slave pairing to a CPE management node, it's totally idle.


    I've used branded F1000s but never bothered to unbrand so the UI was slightly more limited.

    See section 11.2 in the manual, that has steps to add a DNS entry. Just add the two domains you want, then point them to, say, 10.0.0.1. Boom, blocked.


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    ED E wrote: »
    Forget TR069, it won't do anything as it doesn't have a master slave pairing to a CPE management node, it's totally idle.


    I've used branded F1000s but never bothered to unbrand so the UI was slightly more limited.

    See section 11.2 in the manual, that has steps to add a DNS entry. Just add the two domains you want, then point them to, say, 10.0.0.1. Boom, blocked.

    This seems a step in the right direction but it is not completely blocking it.

    In Network Setting >> DNS >> DNS Entry I selected add new DNS entry, and then entered msecnd.net as the host and the IP 10.0.0.1.

    When I try to ping msecnd.net it now attempts to ping 10.0.0.1, but when I load the test website https://az833301.vo.msecnd.net/ in a new tab in Firefox it is still loading. I tried entering ipconfig /flushdns into the command prompt but this made no difference, the website still loads. I then tried entering a wildcard *.msecnd.net but the router would not accept this.

    Any ideas?


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    I also added .msecnd.net with the IP 10.0.0.2, and rebooted both PC, router, and then flushed the DNS again - no change, the website is still loading.


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    I read elsewhere the DNS route would only work if the router was setup as the DNS server. So on my PC, I changed the Ethernet adapter DNS settings from automatically obtain (which normally passes the customer DNS I get around geoblocking from the router to the PC) to preferred 192.168.1.1 (the router's IP). I then rebooted the PC, the router, and flushed the DNS on the PC. Unfortunately the test website is still loading :(


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    If it matters I have Unotelly DNS configured in Network Settings >> Broadband >> VDSL >> preferred and alternate. I mention this as there appears to be other places it can be entered.


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    dusf wrote: »
    When I try to ping msecnd.net it now attempts to ping 10.0.0.1

    This means it's working, mostly. You don't need a hierarchical change.

    Try *.mscend.net maybe


  • Registered Users Posts: 3,840 ✭✭✭s8n


    interesting thread


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    ED E wrote: »
    This means it's working, mostly. You don't need a hierarchical change.

    Try *.mscend.net maybe

    I think you may have missed my attempt at that earlier:
    dusf wrote: »
    I then tried entering a wildcard *.msecnd.net but the router would not accept this.

    We are so close!

    To be honest I wish I could just load OpenWRT, tomato, or DD-WRT firmware onto this router but as far as I am aware this is not possible.

    Anything else you can think of? Perhaps something with a static route etc? I can post some screenshots of all of the DNS and routing options if you think it would help...


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    dusf wrote: »
    I think you may have missed my attempt at that earlier:



    We are so close!

    To be honest I wish I could just load OpenWRT, tomato, or DD-WRT firmware onto this router but as far as I am aware this is not possible.

    Anything else you can think of? Perhaps something with a static route etc? I can post some screenshots of all of the DNS and routing options if you think it would help...

    For instance, there are options as below. I messed around with it but it did not help. I was thinking, as I am able to create interfaces, perhaps I could attempt to route traffic from the domain out some bogus interface. Along with that I also tried routing it out the 3G (dongleless) interface but it still loaded the website, perhaps because it falls back to some other interface, because I entered it wrong, or because here it also will not catch anything *.msecnd.net with msecnd.net as the parameter.

    xc3jab.jpg
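
An added example, not part of the thread: it models why a static DNS entry for msecnd.net redirects `ping msecnd.net` to 10.0.0.1 while https://az833301.vo.msecnd.net/ still loads. It assumes the router matches static entries by exact host name, which is consistent with what the posts report but is not confirmed for the Zyxel firmware; the function names and the host `notmsecnd.net` are constructed for illustration.

```python
# Added example. The domains and the 10.0.0.1 sinkhole come from the thread;
# the lookup functions are illustrative and are NOT the Zyxel firmware's code.

SINKHOLE_ENTRIES = {"msecnd.net": "10.0.0.1", "samsungotn.net": "10.0.0.1"}


def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def exact_lookup(qname, entries):
    """Static host entry semantics (assumed): only the literal name is overridden."""
    return entries.get(normalize(qname))


def suffix_lookup(qname, entries):
    """Zone-style semantics: the name or any subdomain, matched on label boundaries."""
    labels = normalize(qname).split(".")
    # Try the full name first, then each parent: a.b.c -> b.c -> c.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return entries[candidate]
    return None


def audit(hostnames, entries, lookup):
    """Return the hostnames that would still be answered by the upstream resolver."""
    return [h for h in hostnames if lookup(h, entries) is None]


# Constructed test set.
TEST_HOSTS = [
    "msecnd.net",
    "az833301.vo.msecnd.net",    # host of the test URL used in the thread
    "AZ833301.VO.MSECND.NET.",   # same host, upper case with root dot
    "samsungotn.net",
    "notmsecnd.net",             # constructed look-alike; must not be sinkholed
]

if __name__ == "__main__":
    print("exact  misses:", audit(TEST_HOSTS, SINKHOLE_ENTRIES, exact_lookup))
    print("suffix misses:", audit(TEST_HOSTS, SINKHOLE_ENTRIES, suffix_lookup))
```

A resolver with suffix semantics, for example dnsmasq's `address=/msecnd.net/10.0.0.1` directive, behaves like `suffix_lookup` here.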

