Could you be loved?

Arris vip-1853 (aka Motorola) TV Set-Top box, STB

Well, they fooled me into buying this, and now they fooled me into buying a newer box!

-Cable TV provider that is.

I wanted to see if it could be hacked / reverse engineered and I thought is was too bad to just toss it as garbage allthough my Cable provider bricked the use of it once I bought a new box. (Multicast /TFTP booting)

After fumbling around for a while I am now able to run it with my own modded firmware despite it having signed flash memory.

The bootloader is encrypted with a cert and tolerates only the correct cert or it will not boot.

Now its just a matter of coding a decent html page for the different streams and sources.

This German/Netherlands forum was of great use: (google translate those)


Notes to self and likemided:

Key notes on the IR controller after pressing menu button when booting are the following unlocking codes for “advanced mode”
7532 and 3257

In advanced mode you are able to clear the flash, and change splash and kernel modes.
Possible codes for boot order means:

212 -tftp, local boot, tftp
313 – bootcast, local, bootcast

313 is default, but 212 is my preference because you can’t enter letters with the ir remote controller. You want to tell the unit what the bootfile name is, -or you can use the DHCP option 67.

Furthermore key info is to setup a DHCP providing TFTP server info (DHCP option 66) and Bootfile name (DHCP option 67)

To wipe text (backspace) you need to hold the red “back” while pressing “fast rewind” 4 times.

Get the right bin file from the site menitioned, (vip-19×3 is running the same firmware) user “Claude” contribution is working for me.

A nice TFTP server for Windows with some expanded options is

Also get a hold of the Windows logger and run it as logclient.exe “IPaddress of Arris”

Another option is to compile your own with the use of KreaTV: (caveat: this GCC needs older ver. of Perl, I suggest Ubuntu 14 (x86)) and perl 5.20

But from what I gather you need to first export the rootcert.pem from the working image and compile it in.

When running, telnet in and use toish to be able to write to flash,  (updates via file flash/settings2.xml)

toish is used to invoke some Ipc calls to the vendor userland software stack


toish is setobject cfg.portal.whitelisturls “<PortalURLs><PortalURL></PortalURL></PortalURLs>” permanent

Flash is write protected and no executable. You can however save to flash with toish, (flash2 is about 4MB) and to execute you must first run it through sh.

Scripts must be executed by sh /flash/
scripts must contain #!/bin/bash at startup

/usr/applications/ekioh/ekioh.cfg must be edited
ekioh must be killed by “killall ekioh”

Your html page should then load


Here are the IR codes:

The IR remote control rx is started with the following command:
read-irdriver PROTOCOL=kreatvir,ID=18

(you can see your IR ID with: vi /etc/irmap.conf

This page even describes how to hack the hardware:
This German is making a GameBoy emulator of it:
Yes its still usable, but it was a pain in the butt 🙂

-Those old Germans are naughty boys!

More articles