Blocking firmware updates using Zyxel's 'Eircom f1000' VMG8324-B10A

This is general talk area for things that NOT RELATED WITH TV! Instead, about internal works like web site, forum, wiki, or talking, etc...
Post Reply

User avatar
dusf
SamyGO Project Donor
Posts: 102
Joined: Thu Jan 15, 2015 11:19 pm

Blocking firmware updates using Zyxel's 'Eircom f1000' VMG8324-B10A

Post by dusf » Thu Dec 24, 2015 7:30 pm

Okay guys, so I already thought I had updates blocked only to discover firmware 1412 running on my new J Series TV - I luckily was able to get the supplier to give me a replacement and I will not be connecting it to the network again until I am absolutely certain updates are blocked!! :lol: :lol:

The main reason I want to do this is so I can sideload apps from USB, so I am not restricted to having only apps from one country installed at a time, basically it is Irish RT?, TG4, 3Player OR British iPlayer, All4, ITVHub - not both sets. I am also guessing the factory firmware version will be the first to be rooted.

The domains I need to block are the following:

Code: Select all

msecnd.net
samsungotn.net
I am testing for success by attempting to block just the first domain, first on my PC, which has the hostname roadrunner and the MAC address you will see in the screenshot. I have been testing by trying to load this link in a new browser tab:

https://az833301.vo.msecnd.net/

What I have tried so far:

1. Using Security >> Parental Control.

Image

Image

Just in case the settins were phrased badly, I tried sliding the bar so that no access was from '00:00 - 24:00' but this made no difference. Also, I am not able to select '00:01 - 24:00', the earliest next available is '00:30 - 24:00'.

Image

I tried with an without a network service setting configured as above. The input box for site/URL keyword would not accept the asterisk when I tried to enter *.mscend.net.

2. Using Security >> Firewall.

Image

The IP below was in the output of ping msecnd.net yesterday, but now there is no reply, even from other devices on the network. Also, blocking by IP may be risky - if the TV is configured to look for updates by host@domain, and they change the IP, it will update.

Image

I know it says destination IP address below, but just in case I tried entering msecnd.net but it would not accept it. It also would not let me enter a port range 1-65535, so I left it without a port setting.

Image

Image

Definition of the 247 scheduler rule. I experimented with changing the time from '00:00 - 00:00' to '00:00 - 23:59' but this made no difference:

Image

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Neither of my two attempts above to block access to the domain msecnd.net worked, although when I experimented with the ACL set to ICMP instead of TCP/UDP - it did stop ping replies from the IP before I removed it.

Please advise, am I missing something in my settings or is the config on this Zyxel just bugged or not able to block domains? Is there anything I can do? I really want to hook the new TV up to the network so I can stop using the Roku 3 for on demand media!
UE32H5500 - firmware: 2130
UE32J

User avatar
dusf
SamyGO Project Donor
Posts: 102
Joined: Thu Jan 15, 2015 11:19 pm

Re: Blocking firmware updates using Zyxel's 'Eircom f1000' VMG8324-B10A

Post by dusf » Fri Dec 25, 2015 12:32 pm

I have read saying up a 'bogus' DNS for the two domains so they cannot resolve may be what Iv should do. Do any of you know how to do this? I tried the options but have not been able to figure out out.

I can post screenshots of the DNS and routing options if that helps?
UE32H5500 - firmware: 2130
UE32J

User avatar
dusf
SamyGO Project Donor
Posts: 102
Joined: Thu Jan 15, 2015 11:19 pm

Re: Blocking firmware updates using Zyxel's 'Eircom f1000' VMG8324-B10A

Post by dusf » Sat Dec 26, 2015 6:25 pm

Update:

3. Bogus DNS entry

In Network Setting >> DNS >> DNS Entry I selected add new DNS entry, and then entered msecnd.net as the host and the IP 10.0.0.1.

When I try to ping msecnd.net in now attempts to ping 10.0.0.1, but when I load the test website [url=http://"https://az833301.vo.msecnd.net/"]https://az833301.vo.msecnd.net/[/url] in a new tab in Firefox it is still loading. I tried entering ipconfig /flushdns into the command prompt but this made no difference, the website still loads. I then tried entering another DNS entry as wildcard *.msecnd.net with the IP 10.0.0.2 but the router would not accept this. Instead, just in case it worked, I entered .msecnd.net 10.0.0.2. Router rebooted, PC rebooted, DNS flushed - no change, website loads fine. I read online this may only work if the router is set up as the DNS server for the PC, so in the LAN config on Windows 10 I changed DNS automatically detect to preferred to 192.168.1.1 (Router's IP) and alternate to 192.168.1.2 as I had to enter something. Everything rebooted again, DNS flushed, no change. I also read that Chrome has its own DNS settings, so it does not use the Windows set DNS - I have been testing with Firefox and IE, so unless they also have their own DNS settings this is not working.

Image

If it matters I have Unotelly DNS (to get around geoblocking) configured in Network Settings >> Broadband >> VDSL >> preferred and alternate. I mention this as there appears to be other places it can be entered. To be honest I wish I could just load OpenWRT, tomato, or DD-WRT firmware onto this router but as far as I am aware this is not possible.

Perhaps the domain could be blocked with a static route or some other routing settings? For instance, there are options as below. I messed around with it but it did not help. I was thinking, as I am able to create interfaces, perhaps I could attempt to route traffic from the domain out some bogus interface. Along with that I also tried routing it out the 3G (currently dongleless) interface but it still loaded the website, perhaps because it falls back to some other interface, because configured it wrong, or because here it also will not catch anything *.msecnd.net with msecnd.net as the parameter.

Image
UE32H5500 - firmware: 2130
UE32J

emarcin
SamyGO Project Donor
Posts: 10
Joined: Fri Aug 22, 2014 6:13 pm
Location: Poland

Re: Blocking firmware updates using Zyxel's 'Eircom f1000' VMG8324-B10A

Post by emarcin » Tue Dec 29, 2015 12:01 pm

How to block updates the Smart Hub for the E series (ES6800)?

zoelechat
Official SamyGO Developer
Posts: 8375
Joined: Fri Apr 12, 2013 7:32 pm
Location: France

Re: Blocking firmware updates using Zyxel's 'Eircom f1000' VMG8324-B10A

Post by zoelechat » Tue Dec 29, 2015 12:16 pm

emarcin wrote:How to block updates the Smart Hub for the E series (ES6800)?
No known way, except to block all URLs visited by Smarthub, but you can't use it then :)
I do NOT receive any PM. Please use forum.

Post Reply

Return to “General”