The Real Story: How Samsung Blu Ray Players Were Bricked

In June, many owners of Samsung Blu Ray players found that their devices were no longer usable. Stuck in a boot loop, speculation was rife as to the cause of the issue. Now it seems that the issue has become clear – a badly formatted XML file may be responsible for the problems (via The Register).

The problem stems from the logging system that stores user data and passes it back to Samsung over the Internet. Which data is logged and sent back is managed by an XML file which contains the policy settings that control this behaviour. According to a source known only as “Gary” “Gray”, the XML file posted on Samsung’s servers on June 18 featured a malformed list element. This caused a crash in the player’s main software routine, leading the player to reboot.

The failure was exacerbated by the fact that the XML file is parsed very early in the boot sequence, even before checking for firmware updates or a new XML file. This has prevented Samsung from rolling out an update or fix over the air, and is why the player gets stuck in a loop of continuous reboots.

Reportedly, the file can be found at this URL, though is now an updated version that shouldn’t brick players. Samsung have had to resort to a mail-in repair scheme, wherein technicians with service tools can manually remove the offending XML file from the player’s storage, allowing it to boot cleanly once again. While this shows our initial assumptions were off the mark, we’re glad to see a solution to the problem, albeit one that requires a lot of messing around.

[Thanks to broeckelmaier for the tip!]

80 thoughts on “The Real Story: How Samsung Blu Ray Players Were Bricked

    1. For BD Live content, apps for YouTube, Netflix and other services. There are a lot of older “smart” Blu-Ray and DVD players out there that have no longer usable apps due to back end protocol and format changes, which the player manufacturers and/or internet services neglected to produce updated apps for those older players.

      For a BD Live enabled disc, you plug in a USB storage device and the disc will download stuff to it. Availability of the DLC is of course dependent on the company keeping it available. Dunno if BD Live DLC is portable between players or if it’ll still work from local storage when the online site goes away.

      Seems pretty gimmicky to me, so I’ve never bothered trying the feature.

      1. I have an older Samsung blu ray player and I can attest as stated none of the on line features work anymore. Oddly enough it will not pass it’s network connection test, even though I can see it reach out to the NTP servers and update the time and date. I don’t have any blu ray disks, though I suspect it will still play most of them. I found one old regular DVD and it took off with that. You may ask why I have this paperweight. That is a good question but there is a simple but stupid answer. It has a USB jack on the front in an easy to get to place. My TV can play off of USB sticks too but they put the port on the back. Great idea there. This just makes it a lot easier to stick a USB stick in and go. It was a curbside find, so I have nothing into it, and it does what I want it to.

          1. Yup, and take less power too, but it would be a loose wire that would without question fall back behind the TV and that is next to impossible to get to. This sits right where I put it.

          2. You could easily stick the connector to the side of the TV with some foam tape, if you want. Or just have a small USB hub on the table. I already glued magnets to some USB hubs to stick them to a steel computer case or steel furniture parts.

    1. Indeed, all that phoning home with who knows what data exactly is infuriating. Even more so if they don’t let you opt-out.. I wonder if that is still legal in the EU with those data protection laws that make websites fire up annoying consent boxes all the time now…

      Not even sure in many of these devices I would call it convenient – many of them are just duplication of effort.

          1. Hmmm.. special characters do things here.
            Should have been Freedom vs Security and Security vs Freedom with greater than and less than symbols as the conjuctives.

    2. “quite frankly I’m sick of all these companies collecting data on everyone”

      I paid an extra ~$50 for a “dumb” TV, and I’m still buying DVD because I own the disk until it rots, instead of until the player is updated.

  1. DRM? So the BD you bought can stop working if someone pulls the plug of a server on the other side of the world. Having such “protections” encourages piracy (usually, pirated media already have all the bs removed).

  2. Wait, didn’t the bug also affect players not connected to the internet? How would a malformed XML file on some Samsung server start the boot loop on such a player then?

  3. Appalling that critical system files were not under some form of validation testing process to prevent this happening.

    Also appalling that the firmware code just failed when parsing the file instead of applying minimal/default settings and continuing.

    1. The poor software (and firmware) produced by the (paid) scripting kiddies these days makes we want to get out of the professional software development business. Or maybe having a reputation for not producing junk is a guarantee of a job, dunno.

      1. If you have a choice of paying peanuts to script kiddies and the software you get sort of works 90% of the time or paying real money to a real programmer to give you real code that really works what do you think a company will do? The only reason they don’t use chimps to make software is because they’re afraid of snakes so won’t learn python.

        1. You also forget they don’t want to give anybody the time to do the job properly either.. Fit this feature yesterday!! Skip the testing we can’t miss out on when somebody else has it..

          Last place my Dad worked was hilarious for that rather than letting the higher level support folk keep working to identify/fix the serious long term bugs – throw them on the phones, make them reset passwords type crap. All while expecting the serious scripting/programing work to get done in a time that was barely reasonable in the first place, so as soon as a script was written that *might* work it would be deployed live – none of this testing first…. Don’t actually know how they kept any clients at all from what I heard.. But then if the users are not aware of the trainwrecks that make them call in for support being their tech contractors fault and its ‘fixed’ back to its previous state I guess maybe they are happy…

    2. After many years of owning products made by Korean companies, its not appalling, its status quo. Kia LG Samsung had them all in various parts of the house and life, not even 10 years later they don’t exist in my life … for a reason

      1. This.

        The 10 year warranted motor in my nice LG washing machine is going strong still BUT the machine’s metal chassis surrounding the plastic input where you add bleach started rusting out at about year 2.

        Likewise, a close friend was all Kia for several years until all his cars started having major problems just outside of the warranty periods.

        1. Forgot to mention my high end Samsung fridge whose compressor failed completely at year 6, and no local repair shop would touch it as parts were nearly impossible to get.

          1. That is not unique to Samsung. Back when I sat on top of a companies IT it was amazing how tuned they got the disks to croaking within a couple of months of the warranty periods expiring. It was like they figured how to tune some part or parameter. For decades we had disks that would last past when they were obsolete and all of the sudden we started having them die in droves not long after the warranty periods were up. I suspect SSD’s are better for now, but tech companies learn fast, so I would bet that within a couple years they will be the same.

            It was interesting at one point, HP offered disks with a 5 year warranty, and a lot of people thought they were built better. I did not bite, and I think my reasoning was sound and correct. 3 years down the line, the size back than was obsolete. Most of the disks, HP and other brands went for 5 years or longer if, and that was the big if, you did not get rid of them because you could not justify a slot for such a small drive. And if one of the HP’s died say after 4 years there was little chance of your even bothering to replace it. And if you did, you got a “re certified” piece of crap back that was not the same as the disk you sent them. Lots of fun for some mirroring controllers back in the day. In the end I think that whole thing was just a really well played con. Pay near 2X as much, if they have to put out, put out with crap they got back as a return, but most of the time they were not even worth sending back.

        2. On the other hand, my family’s Hyundai Elantra lasted 18 years before rusting to pieces this year. If it hadn’t been parked outside or if we had bothered to wash the undercarriage, it would have lasted much longer. I wouldn’t think Korean companies make any more crap than other companies– it’s just that companies make a whole lot of crap these days.

    1. Nope – despite what the hackaday summary says, the XML file was entirely valid XML. The problem (according to the analysis posted on El Reg) was that it contained an empty “list” element, and for reasons known only to Samsung whatever code they have that parses the XML did not like that….

  4. Ironic that a system implemented for DRM and privacy violations (or as marketing would say: telemetry) ended up bricking them due to being aggressively integrated into the boot sequence.

    I’m totally not filled with schadenfreude, nope, not at all.

  5. A good sign of improper error handling.
    Or rather, total lack of error handling…

    Generally it is good to have some “fail safe” for handling unsuspecting edge cases.
    Though, from a security standpoint, fail safes can also later be discovered to be efficient back doors. So I can understand if one can be hesitant about including one…

  6. This is what happens when we let them get away with tethering to the mothership. They feel like they Own it, that it’s theirs to do whatever they want, whenever they want. And they get lazy about testing their crap before they push it into the Things We Paid For, bc they start thinking that, well, if this update has a bug, we can just fix it on the next go around.

    And don’t buy into the argument that they need to be able to push updates bc ‘security’. Half the reason these security issues exist is bc the corporations expect you to leave your devices connected 24/7, and put these back doors in them in the first place. It’s like the ‘caution! This sign has sharp edges’ gag, but not as funny.

    What we need is devices where you cannot change firmware without physically touching the device. So that the device You paid for, continues to be the thing you paid for. Unfortunately this seems to be incompatible with certain profit models.

    1. I wish I could buy one of those sound directing weapon trucks from the military, and scream at the top of my lungs what you just said into a recorder, and use the truck to play the message back pointed directly at Samsung’s window outside their CEO and shareholder meetings. On a neverending “reboot” loop, of course.

      Stupid asinine stuff like this is why I research my electronics heavily before buying (though that wouldn’t have caught this flaw), refuse to buy Sony anything at all (yes, I remember your optical disk rootkit you worthless scum), and why I use no internet connected devices to my TV- except a single Chromecast. I stream only from a phone *I* control.

      I still don’t trust Google, but I trust their evil a hell of a lot more than the integrated apps and smart browsers in the TV and other devices. It’s all designed to report what you view or search for back to the companies. Specifically got an LG smart TV since it was the only one that would still function without agreeing to the monitoring agreements.

      To hell with all of this bullsh*t as a business model.

    2. “What we need is devices where you cannot change firmware without physically touching the device.”

      No thank you. Seems like you and a bunch of the other comments want to be stuck in the 80s.

      1. One of the pluses of electronics in the 80s, you expected hardware to work. Firmware had to function. There was no buying the game and then downloading massive patches as soon as the makers decided they needed to update the anti-piracy or fix a bug they introduced with insufficient testing.

    1. BluRay players are required to have internet connectivity to become licenced. (It is in the specification.)

      They also contain a Java VM and code from the discs can (and will) get executed.
      This code is able to update firmware, fix intentionally corrupted data, etc…
      This is probably not how config changes are done.

      Most bluray players are connected to TV’s by HDMI.
      HDMI is able to transfer data other than video data: Ethernet over HDMI, etc…

      If your (smart) TV is connected to a network, your bluray player is able to access this network over HDMI as well.

      So, if even if you think it is “air-gapped” it might not be.

      (In fact, Bluray revocation keys will get distributed and cached by a TV connected with HDMI.)

      1. interesting, I have never connected my BR player to the internet (its a older model and only has a wired connection) and my TV is dumber than a brick, its never asked to be on the internet unless you click on the grossly old nextflix application baked into it

  7. OK, So I have three of these things (the model 5100), one on each of three monitors in the home. For me It was a cheap ($60) streaming device that didn’t need wifi (I have a situation where wired is better than wifi – long story)

    I had two of the three brick themselves, one, which didn’t get used much because it’s in front of an exercise bike, still runs fine. I called Samsung, and figuring the third one was not long for this world, asked for 3 RMA numbers. Does this mean that the problem is fixed and I only have to send in two units?

  8. Initial reports about this problem suggested that a crypto certificate had expired. A couple days after that my Samsung laser printer stopped taking jobs. Thinking about the blu-ray player problem, my first thought was that my printer probably had the same issue. And that turned out to be true, and a brand new firmware update was available that solved the problem. Soo…. weird.

  9. I’ve posted this before, but here I am again.

    CD, DVD, and BD are obsolete, awaiting only the shelves to empty.

    “Is Blu-ray Safe from Disc Rot?

    It seems less prevalent than for CD, DVD and LaserDisc, but it would be unwise to rule out Blu-ray disc rot. There are a few reports of disc rot on Blu-ray which has been described as ‘small mould blooms’ below the surface, rendering the disc unplayable.”
    The link: https://blog.discogs.com/en/say-no-to-disc-rot-how-to-look-after-cds/

    1. Until we come up with a way to make hard drives that never get bit rot, disk backups are still a thing dude.

      I really would pay for a rotless format. I took a bunch of video in Japan when I lived there for about 3 years around 15 years ago, and many of my videos, saved to a WD IDE HDD in external enclosure already are not openable.

      The only thing I’ve never seen callouts of bit rot on were LightScribe dvds, but Im sure “litho” layer be damned, they probably have it too.

      This constant idiotic insistence that “x y z physical media is obsolete” is utter bull. Every file is eventually stored on some physical item somewhere, even the cloud is made of servers. Physical media is needed in somd form, period. You just sound like yet another pundit proclaiming the flying car future, convinced that because you can stream everything you personally happen to want, that makes it somehow universal reality.

      It’s not.

  10. if a smartphone has had it’s simcard removed, AND ALL FORMS OF COMMUNICATION SETTINGS DISABLED, then why on earth would the internet activity indicator indicate an increase of activity when there is suddenly an increase in room sound andor visual activity?

    and why does this stop when you open up the phone and remove the camera and microphone (and speaker for good measure) ???

    PS: there was only ONE app downloaded, and ONE google search preformed, no browsing per-se.

    anybody want an almost new 400$ smartphone? free with just one catch…

    when homeless people get an anonymous donation of an ipad and end up dead a few days later, i wonder why (sarcasm)

    1. A cell phone without a SIM card still has service. How do you think they say emergency calls only when you turn on a cell phone with no sim?Also likely a modern LTE phone has limited packet data service even with no sim, Since VoLTE is basically VoIP but over LTE data packet switched network. Your sim probably basically authenticates you through a “captive portal” if you will. Can’t get outside the cell providers internal tcp/ip network till you’re authenticated. Also likely with newer esims some sort of limited data service is required to initially authenticate it and set it up on the network, push encryption keys/certs since you can’t just pop a sim card in and out anymore.

  11. >The problem stems from the logging system that stores user data and passes it back to Samsung over the Internet.

    Why is a set top box sending user data to Samsung again?

  12. None of my players are ever connected online. I don’t care what features are offered. Bad enough my old tv reported back to google and my current tells roku what I watch.

Leave a Reply to Gérald Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.