
Comments (259)

eclair4151 commented on August 23, 2024 3

yea its some custom encryption thing. i have a new theory of how they all do it and im pretty confident. None of them figured out the encryption. after looking into it I am now almost 100 percent sure the reason they all do it on private servers isnt to stop us from figuring it out. its because they have no idea how the encryption works and are using this

https://github.com/timelery/Samsung-RemoteControl

the same thing they just pulled the encryption dll from the windows sdk and are making calls directly to it on a server and supplying the commands back to the mobile apps. ill keep looking but maybe we should be considering taking the compiled dll or so files and finding out how to just call it directly from python

something like this
https://docs.python.org/3/library/ctypes.html

from samsungctl.

riemers commented on August 23, 2024 2

Newer models need to authorize the device first no? Do we have the new protocol, sounds like someone normally does :)

https://github.com/timelery/Samsung-RemoteControl

Although .net, i tried it and it can control my t.v. perhaps you can look at the code?

lucianf commented on August 23, 2024 2

Seconded. I have a H6670, probably in the same boat as #38 - would love to debug this further just don't know what I should be looking for. My gut feeling is that (at least in my case) the problem is that remote control needs to be PIN authenticated first, which samsungctl doesn't seem to handle.

eclair4151 commented on August 23, 2024 2

@riemers @timelery
just made this proof of concept here:
https://github.com/eclair4151/samsung_encrypted_POC/tree/master

its pretty rough right now but it pairs and sends the volume down key

riemers commented on August 23, 2024 1

We can start by asking people to report their 'nmap -T5 -F --top-ports 65535 ' so we get an indication of which ports are used per model. We can then add that to the wiki here, i have a new t.v. and 2 old ones (i doubt they even work, they're old) but its a start.

Only need model number, people can use http://en.tab-tv.com/?page_id=7123 as reference.

Some information that might be of help https://community.smartthings.com/t/samsung-smart-tv-support/741/81 (https://github.com/timelery/Samsung-RemoteControl) see some talks about models here too imbrianj/switchBoard#55

Anyways, my nmap on UE55HU7500 (so we should just say HU7500 as model, rest is not important)

PORT     STATE    SERVICE
6000/tcp filtered X11
7011/tcp open     talon-disc
7676/tcp open     imqbrokerd
8000/tcp open     http-alt
8001/tcp open     vcom-tunnel
8080/tcp open     http-proxy
8443/tcp open     https-alt
8889/tcp open     ddi-tcp-2

nspinelli commented on August 23, 2024 1

I am testing on a JS6900 and here is my nmap.

PORT     STATE SERVICE
7676/tcp open  imqbrokerd
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8002/tcp open  teradataordbms
8080/tcp open  http-proxy
9999/tcp open  abyss

Method 1: Samsungctl
When I run samsungctl --websocket everything runs fine with no error, but no response from the TV. After looking at the response from the TV i get this error:

{"event":"ms.error","data":{"message":"unrecognized method value : ms.remote.control"}}

I tried changing the command line to just send the key command and this is the response I am getting from the TV:

{"event":"ms.error","data":{"message":"unable to handle message : Cannot set property 'clientIp' of undefined"}}

@Ape How did you determine the 'method' for sending the commands? I am wondering if it is as simple as that, but I doubt it.

Method2: Pairing
The only app that I was able to get TV commands to send to my TV was the 'myTifi' app from my iPhone. I tried sniffing the network activity and this is what I saw. (I am a noob using wireshark)

Step 1: GET - http://<TVIP>:7676/rcr/
Step 2: GET - http://<TVIP>:8080/ws/apps/CloudPINPage
Step 2 appears just to check whether or not the device is already connected to the TV, if it is it will skip to the last step.

Step 3: GET - http://<TVIP>:8080/ws/pairing?step=0&app_id=<some_app_id>&device_id=<some_device_id>&type=1

Step 3 initiates the PIN screen on the TV to pair with the device

Step 4: POST - http://<TVIP>:8080/ws/pairing?step=1&app_id=<some_app_id>&device_id=<some_device_id>

Step 4 Posting Parameters : {"auth_Data": {"auth_type": "SPC", "GeneratorServerHello": <pin_something_hash>}}

Step 5: POST - http://<ip>:8080/ws/pairing?step=2&app_id=<some_app_id>&device_id=<some_device_id>

Step 5 Posting Parameters: {"auth_Data": {"auth_type": "SPC", "request_id": <some_number>, "ServerAckMsg": <some_ack_msg>}}

Step 6: DELETE - http://<TVIP>:8080/ws/apps/CloudPINPage/run

Then finally the actual communication is done through this link:
http://<TVIP>:8000/socket.io/1/websocket/

There appears to be some token generated. This script (tested on JU6400) is a request to http://<TVIP>:8000/socket.io/1/websocket/ to get the token and I am assuming uses that to communicate, but I was unable to get this working on my TV.

Method 3: uPnP
I am thinking that we might be able to send key commands via uPnP. If I look at http://<TVIP>:7676/rcr I think that I might be able to use the controlUrl to send these commands. Looking at the XML response from that link i see that the one action is "SendKeyCode". From what I have been able to google so far is that for the control link it is expecting a SOAP response (assuming where the key command would go).

I am unfamiliar with this so currently doing more investigation. I hope this helps, and hopefully get this working soon!

riemers commented on August 23, 2024 1

I will, but i do notice something. That guy that made the windows app, at some point i found this post of his: timelery/Samsung-RemoteControl#1 (comment) that means he is using a dll from the smartview app so he doesn't have the protocol itself it seems. So if i read it correctly it would be impossible to implement since your tool needs to create/decrypt etc. (nothing is impossible, but it would be more tricky than initially thought of)

eclair4151 commented on August 23, 2024 1

@johntdyer nope i asked the developer of myTifi and the developer of this app on android
https://play.google.com/store/apps/details?id=wifi.control.samsung&hl=en
which also supports the pin encryption.

Both said they wouldn't share anything with me. I ran MITM on both their apps and they both go as far as running all encryption for the app on their own server to avoid users decompiling their apps to figure out how they do it. for example on myTifi it makes requests like these

POST https://tvpairing.azure-mobile.net

{"id":"eebd7b00a22f4f018fc62d8122ed504e","auth":"010100000000000000009E00000006363534333231FF5834E835A9A8E674CBAB066B762A9F663A5BB73B03941F445207AB5B72B3AAE795CFE162363F024B4C0FD4A654C371539DA1697E7787D44E73E1829AEC77B71A288C6A94E1A11B33B35A93CECFFADAEDC684F573E251F3E144CC4289111AC4D699F62218FC2B89AFC81FC82B515BC25BABEDCD5E2FE29039347862D6FA8044AF4995F2D830BC1C1E3845A721307555FE0A43E60000000000","step":2}

{"pin":"5307","step":2,"udid":"666AB1A7-C764-4CB6-A42D-F1B6A968B722","auth":"010100000000000000009E00000006363534333231FF5834E835A9A8E674CBAB066B762A9F663A5BB73B03941F445207AB5B72B3AAE795CFE162363F024B4C0FD4A654C371539DA1697E7787D44E73E1829AEC77B71A288C6A94E1A11B33B35A93CECFFADAEDC684F573E251F3E144CC4289111AC4D699F62218FC2B89AFC81FC82B515BC25BABEDCD5E2FE29039347862D6FA8044AF4995F2D830BC1C1E3845A721307555FE0A43E60000000000","id":"eebd7b00a22f4f018fc62d8122ed504e","__version":"AAAAAARLiyw=","__createdAt":"2017-11-12T22:50:56.163Z","__updatedAt":"2017-11-12T22:50:58.601Z"}

the other app does basically the same thing. I am currently trying to reverse engineer the official app which handles all encryption locally to figure out how they do it. but they have self signed ssl certs on the tv and the apps are doing ssl cert pinning to make sure you arent doing a MITM attack to see what it is doing. i am currently trying to modify the APK to disable ssl pinning and see how they do all the encryption stuff. its taking a while though haha will update you as i figure stuff out.

riemers commented on August 23, 2024 1

He was using the dll from the windows samsung remote.

riemers commented on August 23, 2024 1

If only we could find a samsung dev that would just say the magic ;) And hi there SamMote 👍

eclair4151 commented on August 23, 2024 1

damn. i was able to decompile their arm c libraries from the android app and even they are obfuscated beyond belief
https://pastebin.com/gugVHEMp

i can export it all but i imagine you would need someone amazing at c to understand wtf is going on this is just part of step 1

eclair4151 commented on August 23, 2024 1

sure. ill do that later tonight

davorf commented on August 23, 2024

Hello!

I have H series TV too (H6500) and it doesn't work for me. No error message is shown and nothing is displayed on the TV.

Best regards,
Davor

jessiewestlake commented on August 23, 2024

Have you tried using the --method websocket parameter?

ProZsolt commented on August 23, 2024

Sadly H and J series TVs are using websockets, but a different protocol.

Ape commented on August 23, 2024

@riemers Which TV models did you test? I would be happy to merge new protocol support to samsungctl.

riemers commented on August 23, 2024

My tv is a UE55HU7500 above .net repo did seem to work with my t.v. i tried all combo's with your library but i never got a pincode. Perhaps yours has the 'authorize' only button and the pincode is newer? Just speculation here. But of course, more than happy to help with testing on this particular model.

phd1963 commented on August 23, 2024

Hello,

@riemers Thanks a lot for the link for remote control app! It works for my UE50H6400 model. However I need some more commands like the source changing (HDMI1, HDMI2...). Did you succeed to send such commands to your TV ?
@Ape I confirm that unfortunately your app doesn't work with my TV, with any parameter (port, protocol). If I can support in any way, feel free to contact me.

Friendly

Philippe

jonny190 commented on August 23, 2024

Is there any progress on this?
Browsing to my TV http://192.168.5.91:8001/api/v2/ outputs :
{
  "id": "09896801-00a0-1000-b47c-fc8f9080e621",
  "name": "[TV]Samsung LED40",
  "version": "2.0.24",
  "device": {
    "type": "Samsung SmartTV",
    "duid": "09896801-00a0-1000-b47c-fc8f9080e621",
    "model": "14_NT14U_2D_BT",
    "modelName": "UE40HU6900",
    "description": "Samsung TV RCR",
    "networkType": "wired",
    "ssid": "",
    "ip": "192.168.5.91",
    "firmwareVersion": "Unknown",
    "name": "[TV]Samsung LED40",
    "id": "09896801-00a0-1000-b47c-fc8f9080e621",
    "udn": "09896801-00a0-1000-b47c-fc8f9080e621",
    "resolution": "1920x1080",
    "countryCode": "GB",
    "msfVersion": "2.0.24",
    "smartHubAgreement": "true",
    "developerMode": "1",
    "developerIP": "173.230.139.54"
  },
  "type": "Samsung SmartTV",
  "uri": "http://192.168.5.91:8001/api/v2/"
}

onemico commented on August 23, 2024

Hi,

Anyone have any updates or ideas on this, the Windows .NET works on my TV too and I am 99% sure it is due to the PIN request for authentication, so is there any method to replicate that PIN input within this application.

I don't want to have to use a Windows system to do this, when i have multiple Pis setup that should be able to.

Any assistance greatly appreciated. my model is UE55H6200

dextorer commented on August 23, 2024

I tried both protocols (legacy/websocket), but no way of communicating with my UE55JU6000. I haven't had the chance of trying the .NET library, but it would be great if support could be added!

Ape commented on August 23, 2024

I'm hijacking this issue for all the cases where there is some random TV model that nobody has been able to get working.

There is no way for me to support all possible TV models. Some might not just support TCP/IP control at all, some probably use a different protocol, and there are probably some issues reported here that are just user errors and could be fixed with a correct configuration. The point is I cannot really help unless you can debug the issue to some specific cause. In that case, please open a new issue with technical details.

riemers commented on August 23, 2024

I don't mind giving you more debug details, i just don't know what type or how to get the correct debug information you need. If you can give any pointers on that i would be more than happy to supply you with any information i can gather.

jonny190 commented on August 23, 2024

thirded but the same i dont know how to debug this. but using openhap's implementation of Samsung remote i get pin prompt and can control the tv

riemers commented on August 23, 2024

@Ape i think that most cases here is due to the pin code, if you can tell us what we need to do to be able to debug/get this to work then let us know. I can even give you ssh access to a box which has a samsung t.v. on the network if needed. (although the pin code thingy might be hard to do without actually seeing the t.v.) heck, i can even put a webcam in front of the tv if that is what it takes.

Ape commented on August 23, 2024

I appreciate your offer to help. However, I'm afraid I cannot implement and maintain new features for TV models I don't have and use myself, but with your help we can get this done.

First, it would help if somebody with the hardware could capture and reverse engineer the protocol using the official remote app (if there is any). With that we can write a proof-of-concept remote software and ultimately merge the functionality to samsungctl.

ultrara1n commented on August 23, 2024

There is the Samsung Smart View App which is connecting via the local network to my UE55KU6079UXZG.

I'll capture the packets from first connection to sending keys to the tv with Wireshark and hope to find out some information about the used way of communication.

Ape commented on August 23, 2024

One problem is also that there are so many different TV models out there using so many protocols. We need to somehow detect the protocols and categorize the TV models.

lucianf commented on August 23, 2024

nmap from a H6670 (2014 version with PIN-based auth):

PORT      STATE SERVICE
7676/tcp  open  imqbrokerd
8000/tcp  open  http-alt
8001/tcp  open  vcom-tunnel
8080/tcp  open  http-proxy
8443/tcp  open  https-alt
15500/tcp open  unknown

With samsungctl==0.7.0 when I send any command (e.g. samsungctl --host tv --method websocket -v KEY_VOLDOWN) I get Error: Operation now in progress and nothing happens on the tv. With version 0.6.0 I don't get any error (it just says Sending control command) but again nothing happens on the tv.

johntdyer commented on August 23, 2024

Not sure if this helps but my JS9000 has the following ports open

💥  samsungctl  (master)  nmap -Pn -p1-65535 192.168.100.213

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-05 11:59 EST
Nmap scan report for localhost.home.local (192.168.100.213)
Host is up (0.021s latency).
Not shown: 65521 filtered ports
PORT      STATE SERVICE
7236/tcp  open  display
7237/tcp  open  pads
7676/tcp  open  imqbrokerd
7677/tcp  open  sun-user-https
7678/tcp  open  unknown
8000/tcp  open  http-alt
8001/tcp  open  vcom-tunnel
8002/tcp  open  teradataordbms
8080/tcp  open  http-proxy
8187/tcp  open  unknown
9090/tcp  open  zeus-admin
9197/tcp  open  unknown
9999/tcp  open  abyss
15500/tcp open  unknown

Results

  samsungctl  (master)  samsungctl --host 192.168.100.213 -v KEY_VOLDOWN
Error: Connection refused
  samsungctl  (master) 

Lachris100 commented on August 23, 2024

I got the following for my JS8000, hope it gives something:
(2015 version with PIN-based auth)

@Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-07 22:48 Rom, normaltid
Nmap scan report for XX.X.X.XX
Host is up (0.0038s latency).
Not shown: 8285 closed ports
PORT     STATE SERVICE
7236/tcp open  display
7237/tcp open  pads
7676/tcp open  imqbrokerd
7677/tcp open  sun-user-https
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8002/tcp open  teradataordbms
8080/tcp open  http-proxy
9080/tcp open  glrpc
9197/tcp open  unknown
9999/tcp open  abyss

Also get a Error: Connection refused

riemers commented on August 23, 2024

@Ape perhaps you can setup a discord channel, so that we can combine resources there. I don't mind creating a wiki with the supported models, what type and what ports are open etc etc.

Ape commented on August 23, 2024

@riemers Please collect the data here: https://github.com/Ape/samsungctl/wiki

Walek001 commented on August 23, 2024

I found samsung sdk with support for I think most of 2014+ samsung tvs, but they only provide android , iOS and JS libs.

http://developer.samsung.com/tv/develop/extension-libraries/smart-view-sdk/introduction

eclair4151 commented on August 23, 2024

@riemers but the app myTifi on iOS is able to connect to my tv that has a 4 digit pin. i asked the developer and he said he reverse engineered it himself. i think the best bet is to decompile this app on android : https://play.google.com/store/apps/details?id=com.samsung.smartviewad&hl=en
the official samsung smart view app and see how that does it. im looking into it now to see if i can figure some things out

johntdyer commented on August 23, 2024

@eclair4151 The developer won’t share the protocol ?

jonny190 commented on August 23, 2024

Can the openhab implementation not be used as that's seems to work?

eclair4151 commented on August 23, 2024

Hmm I’ve never heard/tried that before. Does it work for you?

jonny190 commented on August 23, 2024

It works for me, but it also prompts for pin Auth

johntdyer commented on August 23, 2024

jeeze, We’re talking about pairing with a tv from 2015, why the secrecy on this protocol for a free app... anyways... thanks for your work, hopefully you crack it

eclair4151 commented on August 23, 2024

@jonny190 I don't think it works. i tried it and no success. it even says in the notes on the github page:

"Note: New models (H-Series TV´s like e.g. UEH5570 ) use a different (encrypted) protocol; they are not yet supported by this binding."

eclair4151 commented on August 23, 2024

Update: well this is going to be a bit more complicated. i decompiled and see whats going on in the app. if you decompile the samsung smart view app and go to class /com/sec/android/app/qwertyremocon/rccore/TvRemoconApi.java

thats where they are doing everything with websockets and connections. unfortunately in that class to handle all encryption they call methods that they wrote in c++ using the JNI in these files

Binary file ./lib/armeabi/libpairinglib-jni.so
Binary file ./lib/armeabi/libRemoteApi.so

In these classes are compiled c++ which handle all encryption. im no expert at c++ and assembly so im going to need more help to get any farther from someone who knows that stuff better. the only thing i can tell from it is that it uses 128 bit AES encryption scheme for all communication

Update 2: i found this one line that looks pretty promising.
EncryptedMessage = PairingObj.EncryptHttpBodyMsg(getPairingResponse().session_key.getBytes(), mMessage.getBytes(), mMessage.getBytes().length);

this calls a c function called EncryptHttpBodyMsg but we know it just involves encrypting the message with the session key. after more debugging the message format is this:
Normal,KEY_0,false

then it sends it as an http command to
http://" + TV_IP + ":" + Integer.toString(TV_PORT) + "/ws/remote/keys
with the session id and device id in the header and the post data as the encrypted message.

im trying to see if i can debug to get the session_key and see if i cant just try a bunch of standard encryption protocols to see if i get lucky and can figure out what they are doing (hopefully its just aes 128)

riemers commented on August 23, 2024

I am no pro coder or anything but i can do a MITM on any ios app, assuming you tried android apps so far. I'll see if i can find any apps on ios that can do remote to the t.v. too. See if i can help in that part.

JustABlip but i cannot test that really since you can only find it in the u.s. store. (nvm read on the site that H is not supported)

@eclair4151 See https://github.com/aclytle/samsung_tv_ip_remote perhaps its of some use to you.
SmartRemote for IOS does have pin support too for all newer models.
Remotie 2 for IOS also pin support.

I tried to use Charles proxy on the mac but it cannot find the t.v. anymore if i sit in between, still trying some things.

riemers commented on August 23, 2024

I have updated the wiki with supported models, i only added the series, if there is some difference in it, let me know but i just checked some pages openhab, home assistant, domoticz etc to find a list of devices that did and didn't work. See https://github.com/Ape/samsungctl/wiki/Supported-Models

riemers commented on August 23, 2024

@eclair4151 i managed to get in between and see some information back and forth.
samsung-H.zip its a Charles export. Perhaps its of some use (its from start to pairing to clicking on the remote)

As far as i can tell it uses port 7676 to check what services the device has. On port 8080 it does the pin pairing and on port 8000 it has a json polling connecting on which it sends the information to talk to the t.v. Sadly i cannot see those commands over the line.. either way similar to what #22 (comment) said.

Update: i did the same for mytifi just to check, but i could see all the calls they did (to their server) i have added the export of that too. Perhaps its of some use for someone.
tvpairingmytifi.zip

eclair4151 commented on August 23, 2024

@riemers Thanks. i have these network requests from Charles already. The biggest problem is that in the post to http://:8080/ws/pairing?step=1&app_id=<some_app_id>&device_id=<some_device_id>

its already hashed or encrypted in some way so network requests arent really helping me haha. we need to dig down into the source to see how they are generating these codes. As for the commands sent. they are sent over web sockets which my Charles instance cant see either. i was able to view it in just plain wire shark though. which makes me confused because in the java it looks like its somehow sending the commands over http... but when i run it its sent over WS. very confusing

riemers commented on August 23, 2024

Doesn't that fall under http upgrades, that upgrade the http call to WS:// call instead? In your browser it would be a ws:// call instead of http. (as far as i know, i could be wrong) so bottom line is that we need to know how that is encrypted.

But are you referring to the socket.io call like this one:

3i9rfqHwDixfa5C7AQFH:60:60:websocket,htmlfile,xhr-polling,jsonp-polling

That encryption?

eclair4151 commented on August 23, 2024

well thats not the encryption. thats just the token i think. in order to send the pin back to the tv it makes a call post to
http://:8080/ws/pairing?step=1&app_id=<some_app_id>&device_id=<some_device_id>

with the data like this. this is the pin that has been hashed or encrypted in some way

{"auth":"010100000000000000009E00000006363534333231FF5834E835A9A8E674CBAB066B762A9F663A5BB73B03941F445207AB5B72B3AAE795CFE162363F024B4C0FD4A654C371539DA1697E7787D44E73E1829AEC77B71A288C6A94E1A11B33B35A93CECFFADAEDC684F573E251F3E144CC4289111AC4D699F62218FC2B89AFC81FC82B515BC25BABEDCD5E2FE29039347862D6FA8044AF4995F2D830BC1C1E3845A721307555FE0A43E60000000000"}

riemers commented on August 23, 2024

I see now.. the only thing that we can see is that "010200000000000000008A00000006363534333231" is always at the start also ends with 0000000000. Only need to know what is in the middle, i tried online https://www.onlinehashcrack.com/hash-identification.php but nothing came up sadly. Running the pairing again always gives you a new hash.

I mailed Smart Remote, Remotie 2 and SamMote asking if they could give a hand. Doesn't hurt to try right? 👍

from samsungctl.
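
The prefix and suffix riemers points out can be split into fields instead of being treated as one hash. This is an added example, not code from the thread: the layout (2-byte marker, 5 zero bytes, two big-endian 32-bit values, an ASCII id, a body, 5 trailing zero bytes) is inferred from the quoted hex and is an assumption, and the two sample bodies are constructed.

```python
import struct

# Layout inferred from the hex quoted in the thread (an assumption, not a
# documented format): marker, zero padding, two big-endian 32-bit values.
HEADER = struct.Struct(">2s5sII")
TRAILER_LEN = 5  # the "0000000000" the blob ends with


def parse_auth_blob(hex_text):
    """Split an auth blob into the fields visible in its hex form."""
    raw = bytes.fromhex(hex_text)
    if len(raw) < HEADER.size + TRAILER_LEN:
        raise ValueError("too short for the observed framing")
    marker, padding, declared_len, id_len = HEADER.unpack_from(raw)
    id_end = HEADER.size + id_len
    body_end = len(raw) - TRAILER_LEN
    if id_end > body_end:
        raise ValueError("id length field points past the end of the blob")
    body = raw[id_end:body_end]
    return {
        "marker": marker.hex(),
        "padding": padding.hex(),
        "declared_len": declared_len,
        # 363534333231 is plain ASCII, so the id is readable as text.
        "user_id": raw[HEADER.size:id_end].decode("ascii", "replace"),
        "body": body.hex(),
        "trailer": raw[body_end:].hex(),
        # Assumption: the first 32-bit value counts the id-length field,
        # the id and the body that follow it.
        "length_consistent": declared_len == 4 + id_len + len(body),
    }


def changed_fields(hex_a, hex_b):
    """Names of the fields that differ between two blobs."""
    a, b = parse_auth_blob(hex_a), parse_auth_blob(hex_b)
    return [name for name in a if a[name] != b[name]]


def build_sample(body):
    """Constructed blob: the prefix quoted in the thread plus a made-up body."""
    prefix = "0102" + "00" * 5 + "0000008A" + "00000006" + "363534333231"
    return prefix + body.hex().upper() + "00" * TRAILER_LEN


# Two constructed 128-byte bodies standing in for two pairing attempts.
SAMPLE_A = build_sample(bytes(range(128)))
SAMPLE_B = build_sample(bytes(range(128, 256)))

if __name__ == "__main__":
    fields = parse_auth_blob(SAMPLE_A)
    print(fields["user_id"], fields["declared_len"], fields["length_consistent"])
    print("fields that change between attempts:", changed_fields(SAMPLE_A, SAMPLE_B))
```

Only the body differs between the two samples, which is why a hash-identification tool fed the whole string finds nothing: the constant parts are framing, not digest output.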

riemers commented on August 23, 2024

Did you check the gist from the other thread? https://gist.github.com/imbrianj/77c51bf029148ec166b9f74b4e7a9160 ? He tried base64, but i doubt that is the one..

And indeed, it might be that simple. Although some apps don't use external tools. I did see in the MITM that another one was using a amazon server to get the string but others didn't so perhaps there is still some small hope. (Samsung smart view app works, perhaps somewhere there?)

Update: had a reply from sammote (quick) and they also use the same trick. They had no luck in reversing. He indicated that most others also use the same thing.

eclair4151 commented on August 23, 2024

Yea that js file is only for the new 2017 WS stuff. as for the smart view app thats the one im working on but its the one that has the .so files which are just compiled C which it calls so its very hard to reverse engineer unless someone has hex rays and the ARM add on handy which is like a couple grand haha. yea i imagine every one is doing that trick. did he say if he is using that dll from the other library

eclair4151 commented on August 23, 2024

Ok. I’m going to see if I can quickly get A POC working from the dll in python

riemers commented on August 23, 2024

If you can do that, i just always thought dll's is just windows and a no-no to work with linux

eclair4151 commented on August 23, 2024

I think it’s possible. I’m going to see i can figure it out. I highly doubt all the servers everyone is using are windows servers

skrew commented on August 23, 2024

It's possible to use the DLL on linux with mono, as we do

skrew commented on August 23, 2024

Ok this is what we do (i'm looking our source code, maybe i will miss something, tell me if it's the case)

  • Generate a TVID (you will need it later). (UUID format)

Step 1: GET - http://<TVIP>:8080/ws/apps/CloudPINPage
-> Test if the PIN Page is already displaying on TV. Close if needed (as we re-open it later)

Step 2: POST - http://<TVIP>:8001/ms/1.0/
POST: {"method":"ms.device.getInfo", "id":"<TVID>", "jsonrpc":"2.0", "params":{}}
-> You will get some infos, like capabilities, model (...): You will need it, as some models don't have the 'smart' capabilities (and, btw, no remote)

Step 3: POST - http://<TVIP>:8080/ws/apps/CloudPINPage
POST: pin4
-> You will get the PIN on the TV screen.

Step 4: GET - http://<TVIP>:8080/ws/pairing?step=0&app_id=<some_app_id>&device_id=<TVID>&type=1
-> Init the crypto, will reply with empty {"auth_data":""}

Step 5 (DLL): Call GenerateServerHello(pincode) -> Get CODE1

Step 6: POST - http://<TVIP>:8080/ws/pairing?step=1&app_id=<some_app_id>&device_id=<TVID>
POST: {"auth_Data":{"auth_type":"SPC","GeneratorServerHello":"CODE1"}}

Step 7 (DLL): Extract, from the reply of STEP 6, requestId and GeneratorClientHello.
Call ParseClientHello(pincode, GeneratorClientHello)
Call GenerateServerAck()
You will now have requestId and the result of GenerateServerAck()

Step 8: POST - http://<ip>:8080/ws/pairing?step=2&app_id=<some_app_id>&device_id=<TVID>
POST: {"auth_Data":{"auth_type":"SPC","request_id":"<requestId>","ServerAckMsg":"<GenerateServerAck>"}}
-> You will get session_id, it's for the Websocket session !

Step 9 (DLL): Concatenate "<requestId>,<serverAckMsg>" in a String (note the comma)
Call ParseClientAck(concatenatedString)
call GetKey() -> Hey ! This is the key for the websocket encryption !

Step 10: DELETE - http://<TVIP>:8080/ws/apps/CloudPINPage/run

You are now logged and have all you need for the Websocket session.
You can send commands and get services, like EPG infos or list of channels.

Note, it's not finished for you, but a last hint: The websocket session are encrypted with AES128. You will get the key for the AES encryption in the step 9.

Good luck !

from samsungctl.
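
The ten steps above, driven end to end against an in-memory stand-in (an added example, not skrew's code or samsungctl's). The reply field names `request_id`, `GeneratorClientHello` and `session_id`, the reply JSON shape, `FakeTV`, `FakeCrypto`, the app id and the address 192.0.2.10 are assumptions; `FakeCrypto` only mimics the five DLL calls named in the comment and performs no cryptography.

```python
import json
import uuid


def auth_data(reply):
    """auth_data member of a reply as a dict (assumed shape; may be a JSON string)."""
    data = json.loads(reply).get("auth_data") or {}
    return json.loads(data) if isinstance(data, str) else data


def pair(tv, crypto, read_pin, tv_ip, app_id, device_id=None):
    """Run steps 1-10; tv.request(method, url, body) -> str is the HTTP transport."""
    device_id = device_id or str(uuid.uuid4())   # the generated "TVID"
    web = f"http://{tv_ip}:8080/ws"
    ids = f"app_id={app_id}&device_id={device_id}"

    tv.request("GET", f"{web}/apps/CloudPINPage")                      # step 1
    tv.request("POST", f"http://{tv_ip}:8001/ms/1.0/", json.dumps(     # step 2
        {"method": "ms.device.getInfo", "id": device_id,
         "jsonrpc": "2.0", "params": {}}))
    tv.request("POST", f"{web}/apps/CloudPINPage", "pin4")             # step 3
    try:
        pin = read_pin()                     # user types the PIN shown on screen
        tv.request("GET", f"{web}/pairing?step=0&{ids}&type=1")        # step 4
        hello = crypto.GenerateServerHello(pin)                        # step 5
        reply = auth_data(tv.request(                                  # step 6
            "POST", f"{web}/pairing?step=1&{ids}", json.dumps(
                {"auth_Data": {"auth_type": "SPC",
                               "GeneratorServerHello": hello}})))
        if not all(k in reply for k in ("request_id", "GeneratorClientHello")):
            raise RuntimeError("step 6 reply has no request_id/GeneratorClientHello")
        request_id = reply["request_id"]
        crypto.ParseClientHello(pin, reply["GeneratorClientHello"])    # step 7
        ack = crypto.GenerateServerAck()
        reply = auth_data(tv.request(                                  # step 8
            "POST", f"{web}/pairing?step=2&{ids}", json.dumps(
                {"auth_Data": {"auth_type": "SPC", "request_id": request_id,
                               "ServerAckMsg": ack}})))
        if "session_id" not in reply:
            raise RuntimeError("step 8 reply has no session_id")
        crypto.ParseClientAck(f"{request_id},{ack}")                   # step 9
        return {"device_id": device_id, "session_id": reply["session_id"],
                "key": crypto.GetKey()}
    finally:
        # Step 10 runs on failure too, so the PIN page is not left open.
        tv.request("DELETE", f"{web}/apps/CloudPINPage/run")


class FakeTV:
    """Constructed stand-in for the TV: records requests, returns canned replies."""

    def __init__(self, reject=False):
        self.reject, self.log = reject, []

    def request(self, method, url, body=None):
        self.log.append((method, url.split(":", 2)[2], body))  # keep "port/path"
        if "step=1" in url and not self.reject:
            return json.dumps({"auth_data": {"request_id": "7",
                                             "GeneratorClientHello": "HELLO"}})
        if "step=2" in url:
            return json.dumps({"auth_data": {"session_id": "42"}})
        return json.dumps({"auth_data": ""})


class FakeCrypto:
    """Placeholder for the five DLL calls; records call order, no real crypto."""

    def __init__(self):
        self.calls = []

    def GenerateServerHello(self, pin):
        self.calls.append("GenerateServerHello")
        return "CODE1"

    def ParseClientHello(self, pin, client_hello):
        self.calls.append("ParseClientHello")

    def GenerateServerAck(self):
        self.calls.append("GenerateServerAck")
        return "ACK"

    def ParseClientAck(self, text):
        self.calls.append("ParseClientAck:" + text)

    def GetKey(self):
        self.calls.append("GetKey")
        return "PLACEHOLDER-KEY"


if __name__ == "__main__":
    tv = FakeTV()
    print(pair(tv, FakeCrypto(), lambda: "1234", "192.0.2.10", "example-app"))
    for method, target, _ in tv.log:
        print(method, target)
```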

eclair4151 commented on August 23, 2024

Thanks that’s very helpful. For the aes I think I already found that out but I’m not sure I think it’s Normal,KEY_0,false
Encrypted with the key. But it could be something else

skrew commented on August 23, 2024

@eclair4151 You mean for sending remote key via websocket ?

eclair4151 commented on August 23, 2024

Yea. Although from that response I’m guessing I was looking at the wrong thing haha

skrew commented on August 23, 2024

Yes i think too :)

This is what i send (before encryption) for the mute key:

{"method":"POST","body":{"plugin":"RemoteControl","param1":"ZPCNHA5IU7SK4","param2":"Click","param3":"KEY_MUTE","param4":false,"api":"SendRemoteKey","version":"1.000"}}

riemers commented on August 23, 2024

Btw, the Remotie2 app does the same, also use that dll (got reply back)

riemers commented on August 23, 2024

Are there any other apps/dll's you can decompile, that might be 'easier' ? I'll ask around in my network if someone has knowledge about it. (as in, can decrypt C)

eclair4151 commented on August 23, 2024

The only option are the dlls which are even worse, those arm libraries from android or the iOS libraries. I pulled the app file off my jailbroken iPhone and am trying to run it through the hopper disassembler to see if I can get anywhere. Other than that I can’t think of any other app or program that we could access. The best bet for us would have been if they had some c library that was compiled for x86. Then we could just call that, but the mobile apps are compiled for ARM and the dlls use .net so we would need mono on any computer that wanted to use it. Do we know of any other application that has access to it that we could try?

johntdyer commented on August 23, 2024

Is there any official channel / SDK from Samsung we could explore ? Where did the original dll come from ?

eclair4151 commented on August 23, 2024

Im not sure. i asked the guy who originally got them but he hasnt responded.

maybe he got it from here
http://developer.samsung.com/tv/develop/tools/tv-extension/archive/

but these have options for mac/ linux so im not sure.

from samsungctl.

eclair4151 avatar eclair4151 commented on August 23, 2024

just downloaded this
http://developer.samsung.com/tv/develop/tools/tv-extension/download
the ubuntu version. just started looking around but maybe we will get lucky

from samsungctl.

eclair4151 avatar eclair4151 commented on August 23, 2024

@johntdyer i found where the drivers are from.
http://www.samsung.com/us/apps/smart-view-2/

its from their windows remote control app. available on windows only :(

from samsungctl.

riemers avatar riemers commented on August 23, 2024

I asked a friend who has a contact at Samsung if he could help. Can't hurt to try.

from samsungctl.

eclair4151 avatar eclair4151 commented on August 23, 2024

Update: I was able to pull the decrypted ipa off my jailbroken phone and run it through the Hopper disassembler. It's just obfuscated...
https://pastebin.com/DqJi1EL5

but its funny because it has this hard coded reference
/Users/a.shvetsov/Desktop/DEV-SecurePairing-a.shvetsov/SecurityLib/libSource/Src/SPCApi.cpp

if only this a.shvetsov guy could help us :)

I'm starting to think our best bet is to just use one of the existing encryption apis from one of the remotes already out there, and hopefully they just don't mind us using it lol

from samsungctl.

skrew avatar skrew commented on August 23, 2024

https://www.linkedin.com/in/artem-shvetsov-66860087/

from samsungctl.

jonny190 avatar jonny190 commented on August 23, 2024

not sure if this is any help on port 8081 instead mmende/homebridge-samsungtv-control#1 (comment)

from samsungctl.

raydog153 avatar raydog153 commented on August 23, 2024

Awesome to see this effort here. Let me know if there is anything I can do to help. I am not afraid to try stuff on my TV even if there is risk of bricking it. Been developer for past 25 years and have a lot of experience so maybe I can help out here. TV model is 'UN40H5203'.

  • Mobile app attempts sound just like others... iOS app 'myTifi' finds my TV, asks for PIN at which I am stuck
  • Based on the ports I have open, it seems like I need to go into service menu and enable some stuff, will be trying this later.
  • I see <sec:Capability name='samsung:multiscreen:1' port='8001' location='/ms/1.0/'></sec:Capability> but port 8001 is not active.
  • Have not tried the above steps yet to see if I can get PIN screen to show up on TV
  • Hitting IP under port 9080 returns json with 'status=ok'. I'm curious what this port is used for, seems like some type of status communication but not sure.
  • I'm open to trying to factory reset my TV and downgrading my firmware if that is possible
  • With samsungctl==0.7.0 when I send any command I get Error: Operation now in progress
  • Do these links help at all? Looking at the authentication part it is using the older 55000 port...
    https://community.smartthings.com/t/samsung-tv-support-in-smartthings/22364
    https://github.com/SmartThingsCommunity/SmartThingsPublic/blob/master_old/smartapps/smartthings/samsung-tv-connect.src/samsung-tv-connect.groovy

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-20 15:12 EST
Nmap scan report for tv (192.168.1.17)
Host is up (0.021s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE
4443/tcp open  pharos
7011/tcp open  talon-disc
7676/tcp open  imqbrokerd
8080/tcp open  http-proxy
8443/tcp open  https-alt
9080/tcp open  glrpc

from samsungctl.

eclair4151 avatar eclair4151 commented on August 23, 2024

@raydog153 Hey, thanks for your interest. at this point there is not much to be done. We know how everything works, and the blocker is figuring out their encryption scheme. we would need someone who is amazing at low level C to figure out what they are doing. If anyone wants i can export the full decompiled libraries from the windows dll, Android ARM c libraries, or the iOS c code. You can see some samples of what it looks like here:

iOS: https://pastebin.com/DqJi1EL5
Android: https://pastebin.com/gugVHEMp
Windows dll: https://pastebin.com/vNFtxwtk

My next step is this weekend I'm going to try and add compatibility by using the existing servers that use mono to directly call the dll's encryption library.

from samsungctl.

riemers avatar riemers commented on August 23, 2024

@eclair4151 if you can paste the full too, a friend of mine wanted to take a look but was asking for IPA? Don't know all the parts.

from samsungctl.

eclair4151 avatar eclair4151 commented on August 23, 2024

Sure. Does he want the full IPA that was decrypted with Clutch, or just the dumped disassembly once it's run through Hopper?

from samsungctl.

riemers avatar riemers commented on August 23, 2024

That is a good question, perhaps you can chuck it both onto a dropbox or something similar.

from samsungctl.

raydog153 avatar raydog153 commented on August 23, 2024

I've done a lot of low-level c programming back in the day...though encryption is not one of my strengths...still I'll take a look. I would assume they are using standard encryption algorithms and handling which I am familiar with. Are they using SSL/HTTPS ports at all? I ask because I see that 2 of my open ports are for SSL. Usually with encryption though you need a secret key and sometimes they even combine that with a salt. This is probably one reason for needing a server....so long as you know how the encryption is done and is the same on client/server.

So we know they use AES128 for encryption. Anything else we know? They must be passing base64 encoded values for the encryption...or is that only for the non-encrypted code path? Do we know what the AES encryption mode (CBC ECB CTR OCB CFB) being used is? I would assume these are using CBC.

from samsungctl.

eclair4151 avatar eclair4151 commented on August 23, 2024

@raydog153 SSL looks to be supported by some calls but is not required. All calls we have been making are without SSL and they have been working fine. As for the encryption we really have no idea. If they are using standard encryption they must be using a salt or something crazy because when you send the 4 digit pin it gets turned into a 200 character string. As far as I can tell they aren't using base64 anywhere in the encrypted communication.

from samsungctl.

eclair4151 avatar eclair4151 commented on August 23, 2024

@riemers here are the files :
https://drive.google.com/open?id=1UmflFlh6dBLQ0en4f6RnOgECIgO85qN6

in there is the ipa as well as the extracted app that goes into hopper

I only have the demo version of Hopper so I can't export anything, but he can just get the demo of Hopper and import it

from samsungctl.

raydog153 avatar raydog153 commented on August 23, 2024

Running step 1 'GET - http://<TVIP>:8080/ws/apps/CloudPINPage' results in XML response:

<?xml version="1.0" encoding="UTF-8"?><service xmlns="urn:dial-multiscreen-org:schemas:dial" xmlns:atom="http://www.w3.org/2005/Atom"><name>CloudPINPage</name><options allowStop="true"/><state>stopped</state><atom:link rel="run" href="run"/></service>

Indicating something is stopped and has href to 'run'. Wouldn't 'GET - http://<TVIP>:8080/ws/apps/CloudPINPage/run' make more sense as step 1? I take the verb 'run' to mean enable/execute/invoke something, like pin modal. Doesn't work though as I get 400 status.

Seems like I need to enable something first. There is header returned 'API-Version: v1.0'.

from samsungctl.
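
The application document quoted in the comment above can be read mechanically. The following Python is an added example (not code from this thread or from samsungctl) that parses that response and resolves its relative `run` link; the function name `parse_dial_app` and the address `192.0.2.10` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Namespaces as they appear in the response quoted in the comment above.
NS = {
    "dial": "urn:dial-multiscreen-org:schemas:dial",
    "atom": "http://www.w3.org/2005/Atom",
}

# Response body copied from the comment above.
SAMPLE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<service xmlns="urn:dial-multiscreen-org:schemas:dial" '
    'xmlns:atom="http://www.w3.org/2005/Atom">'
    '<name>CloudPINPage</name><options allowStop="true"/>'
    '<state>stopped</state><atom:link rel="run" href="run"/></service>'
)


def parse_dial_app(xml_text, app_url):
    """Parse an application document and return its fields as a dict.

    app_url is the URL the document was fetched from; relative link
    hrefs are resolved against it.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "{%s}service" % NS["dial"]:
        raise ValueError("not a DIAL service document: %r" % root.tag)

    options = root.find("dial:options", NS)
    base = app_url.rstrip("/") + "/"  # trailing slash so urljoin appends
    links = {}
    for link in root.findall("atom:link", NS):
        links[link.get("rel")] = urljoin(base, link.get("href", ""))

    return {
        "name": root.findtext("dial:name", default="", namespaces=NS),
        "state": root.findtext("dial:state", default="", namespaces=NS),
        "allow_stop": options is not None
        and options.get("allowStop") == "true",
        "links": links,
    }


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for <TVIP>.
    info = parse_dial_app(SAMPLE, "http://192.0.2.10:8080/ws/apps/CloudPINPage")
    for key, value in info.items():
        print(key, "=", value)
```
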

raydog153 avatar raydog153 commented on August 23, 2024

A get 'http://<TVIP>:8080/ws/1.0' returns 401 authorized.

from samsungctl.

raydog153 avatar raydog153 commented on August 23, 2024

I got the PIN page on TV to display by manually running step 4...but none of the mobile apps invoke the PIN page on TV....why is that?

If I add query param '&type=1' then the PIN page is not shown on TV, but if I change to '&type=0' PIN page is again displayed. Why are we using type=1 in step 4?

from samsungctl.

riemers avatar riemers commented on August 23, 2024

If you look at my post, the app does ask for a pin. Make sure you delete your old keys on the tv too, I always got the pop up as long as you use one of the apps that use the dll trick.

from samsungctl.

raydog153 avatar raydog153 commented on August 23, 2024

@riemers As I said, the app asks for a PIN, but I never see PIN page on TV...no app has ever triggered that, not even any version of Smart View. Only manually running step 4 with or without other steps gets PIN page on TV to show. If I run it again it closes and opens new PIN page with a new PIN.

Also there is no place in my TV menu that allows me to delete old keys.

from samsungctl.

eclair4151 avatar eclair4151 commented on August 23, 2024

Hmm that's odd. What model tv do you have? Maybe it's some network config thing? I have no idea.

from samsungctl.

raydog153 avatar raydog153 commented on August 23, 2024

TV model is 'UN40H5203'. As I noted above, using type=1 for step 4 does not show the PIN page on TV, but using type=0 does. Perhaps the type is for PIN vs Allow/Deny page and depends on which model?

I'm sure people have seen this, not sure it helps: http://developer.samsung.com/tv/develop/legacy-platform-library/art00030/index
There is comment in there 'When the user selects Allow , the TV sends an Authentication Success response message to the mobile device'. Hence indicating authentication support PIN vs Allow/Deny which most likely is based on model.

from samsungctl.

raydog153 avatar raydog153 commented on August 23, 2024

I keep getting step number wrong in my comments, updated my comments, but had mentioned step 3 by mistake and meant step 4. I'm only doing GET request and that invokes the PIN page on TV. i.e....
Step 4: GET - http://:8080/ws/pairing?step=0&app_id=<some_app_id>&device_id=&type=1

Oh....there are 2 sets of steps and I must be referring to wrong set from time to time....as I jump around the comments. I'm sure this is confusing depending on which set one is also viewing.

from samsungctl.

timelery avatar timelery commented on August 23, 2024

Hello everyone. I spent some time reading through this thread and it sounds like everyone is beginning to reach the same conclusion I did back in 2016. The encryption is not open source and for that I relied on the dll that shipped with smart view 2. It's definitely wrapped c++ and for that we will never get to the source. Last time I researched it back in 2016 Samsung did not open this up and release it. I spent a significant amount of time decompiling various mobile apps before ultimately using the dll. Nothing I found had the magic sauce.

Wrapping the dll for use by python, Java, and other languages should assist in accomplishing the various goals for the time being.

If there is anything I can do to expand on the command line app I built please let me know. I am glad to see it is proving useful.

Happy holidays!

https://github.com/timelery/Samsung-RemoteControl

Tim

from samsungctl.

timelery avatar timelery commented on August 23, 2024

Aside from using the dll in the old smart view app, maybe Samsung has provided more insight with newer apps such as,

https://www.samsung.com/us/explore/connect/

Has anyone decompiled this or similar?

Tim

from samsungctl.

eclair4151 avatar eclair4151 commented on August 23, 2024

also @timelery i tried looking into the samsung connect app. it actually only supports 2016 tvs and newer so it doesnt have any of the encrypted stuff in it.

from samsungctl.

raydog153 avatar raydog153 commented on August 23, 2024

From this link: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&cad=rja&uact=8&ved=0ahUKEwj1pbLc5d7XAhXjc98KHcL7AQQQFghcMAc&url=http%3A%2F%2Ftvisted.com%2Fde%2Fsupport%2Ftopic%2Fbetaversion-1-65-6-ab-heute-im-playstore%2F&usg=AOvVaw0hxWbPn_4o3lDss9CdNUYw

Background: Samsung has equipped the H and J devices in part with Tizen, the new platform generation. Officially this is done since September. We are now seeing a mix of different generations of devices at home, with many devices supporting more than one version.

There are 2 Apis (plus one Api for F-Series and earlier), which used to run parallel on the H and J series. It seems that they have now been separated and each series supports only one of the two Apis - each one different. With the H-series Samsung has switched off with the update of the firmware from 26xx to 27xx one of the Apis, which is why Smartview 2 with the H series then no longer works. Smartview 2.0 is now only with the J-series.

from samsungctl.

raydog153 avatar raydog153 commented on August 23, 2024

@eclair4151 That proof of concept helps a lot...

  • If I run it as is except with my IP and details, then I see no pin modal on TV
  • If I change the 'type=1' to 'type=0' in the requests, then I get pin modal, and looks like I get valid session_key and session_id
  • However there is no active port 8000 from my TV, hence I am stuck here. There are other ports and they respond to some attempts. Like using port http://9080/socket.io/1/?t=xxx I get 'c3RhdHVzPW9r' returned which is interesting, but cannot get any farther.

Does anyone understand the different values for 'type'?
Based on my earlier comment, I feel like after I authenticate my session I should be using a different API/port based on the tv model. Is there a different version of the websocket API that one runs on either port 7676, 8080, or 9080?

from samsungctl.

marius1968 avatar marius1968 commented on August 23, 2024

I can confirm that it works on UE32H4500.
can you share with us the server part ?

from samsungctl.

eclair4151 avatar eclair4151 commented on August 23, 2024

@marius1968 its not actually mine. i just am using the one from this app i got from wireshark
https://itunes.apple.com/us/app/remotie-2-samsung-tv-remote/id1250882919?mt=8

All they are doing is using this app
https://github.com/timelery/Samsung-RemoteControl
on the backend and calling the dll using mono to run the encryption parts

from samsungctl.

marius1968 avatar marius1968 commented on August 23, 2024

@eclair4151 , @timelery, guys,
Can you help us with a server-side script implementation?

from samsungctl.

MBarti avatar MBarti commented on August 23, 2024

I can also confirm eclair4151's script pairs up and works great with my UE65JU6500. Amazing work, guys!

from samsungctl.

kitsen13 avatar kitsen13 commented on August 23, 2024

I confirm too that it works with my UE48H6200, great!
But I have to wait about 1 minute after power ON to send commands. Seems that ioserver is not immediately available :-/ ... Do you have the same problem?

from samsungctl.

riemers avatar riemers commented on August 23, 2024

As long as we cannot make something locally it would not have much use in a library since it would require internet (and it would require an always-on server). The latency between commands with having to go to an external server doesn't make this any faster too. (just my 2 cents)

from samsungctl.

kitsen13 avatar kitsen13 commented on August 23, 2024

@riemers Thanks for your response, but I have 'cut' gateway ip address and DNS ip address to block internet access on my TV. eclair4151's script works in local mode then you have 'registered' once a valid key on internet.

from samsungctl.

riemers avatar riemers commented on August 23, 2024

@kitsen13 still requires you to have internet and need something to be online forever. Perhaps we can use a tiny free server somewhere but i prefer to just use a docker image to do something locally.

from samsungctl.
