Juzis28: Created page with "Here is an example of reversing network remote protocol on LE32D550 and an application for iPhone and Android smartphones to control TV through WiFi. If you check open ports o..."

2013-01-21T13:11:43Z

Created page with "Here is an example of reversing network remote protocol on LE32D550 and an application for iPhone and Android smartphones to control TV through WiFi. If you check open ports o..."

New page

Here is an example of reversing network remote protocol on LE32D550 and an application for iPhone and Android smartphones to control TV through WiFi. If you check open ports on TV with nmap, you`ll see some of them are open:
nmap -p 1-65535 tv.lan

Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report for tv.lan (192.168.1.102)
Host is up (0.0016s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
52235/tcp open unknown
52396/tcp open unknown
55000/tcp open unknown
55001/tcp open unknown
MAC Address: 60:6B:BD:AB:FC:95 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds

55000 port is used for remote control over network.
=Authentication=
When connection on port 55000 is established, remote control must be authenticated. It sends datagram.
0000 00 13 00 69 70 68 6f 6e 65 2e 69 61 70 70 2e 73 ...iphone.iapp.s
0010 61 6d 73 75 6e 67 38 00 64 00 14 00 4d 54 6b 79 amsung8.d...MTky
0020 4c 6a 45 32 4f 43 34 78 4c 6a 45 77 4d 41 3d 3d LjE2OC4xLjEwMA==
0030 10 00 5a 32 52 7a 4e 7a 4d 30 64 47 64 30 5a 41 ..Z2RzNzM0dGd0ZA
0040 3d 3d 0c 00 63 32 4d 77 64 48 6b 75 63 47 77 3d ==..c2MwdHkucGw=
And the meaning of this bytes.
offset value and description
------ ---------------------
0x00 0x00 - datagram type?
0x01 0x0013 - string length (little endian)
0x03 "iphone.iapp.samsung" - string content
0x16 0x0038 - payload size (little endian)
0x18 payload
It is unknown the meaning of the string above, TV can accept any string in here.
Payload starts with 2 bytes: 0×64 and 0×00, then comes 3 strings encoded with [http://en.wikipedia.org/wiki/Base64 base64 algorithm]. Every string is preceded by 2-bytes field containing encoded string length. These three strings are as follow:
:*remote control device IP,
:*unique ID – value to distinguish controllers,
:*name – it will be displayed as controller name.
TV replies with giving us following datagram:
0000 02 0c 00 69 61 70 70 2e 73 61 6d 73 75 6e 67 06 ...iapp.samsung.
0010 00 0a 00 02 00 00 00 .......
It means:
offset value and description
------ ---------------------
0x00 don't know, it it always 0x00 or 0x02
0x01 0x000c - string length (little endian)
0x03 "iapp.samsung" - string content
0x0f 0x0006 - payload size (little endian)
0x11 payload
String content is always ''iapp.samsung or iphone.livingroom.iapp.samsung''. Meaning of these strings is unclear, I suggest to not compare it with any specific value during response parsing (maybe other devices using another values).

Payload is one of the following:
:*0×64, 0×00, 0×01, 0×00 – access granted, you can now send key codes and it will be executed by TV,
:*0×64, 0×00, 0×00, 0×00 – access denied – user rejected your network remote controller,
:*0x0A, 0×00, 0×02, 0×00, 0×00, 0×00 – waiting for user to grant or deny access for your app,
:*0×65, 0×00 – timeout or cancelled by user.
Access is granted only during current TCP connection, when your app or TV disconnect, you have to repeat the authentication process.
=Sending key codes=
Now you can send simple datagrams containing key codes.
0000 00 13 00 69 70 68 6f 6e 65 2e 69 61 70 70 2e 73 ...iphone.iapp.s
0010 61 6d 73 75 6e 67 11 00 00 00 00 0c 00 53 30 56 amsung.......S0V
0020 5a 58 31 5a 50 54 46 56 51 ZX1ZPTFVQ
It means:
offset value and description
------ ---------------------
0x00 always 0x00
0x01 0x0013 - string length (little endian)
0x03 "iphone.iapp.samsung" - string content
0x16 0x0011 - payload size (little endian)
0x18 payload
And the payload is:
offset value and description
------ ---------------------
0x18 three 0x00 bytes
0x1b 0x000c - key code size (little endian)
0x1d key code encoded as base64 string
TV response will be similar to authentication response, but with different payload data. I will not describe this data detailed because I wasn’t investigated it much.
Key codes list is published in [[D-Series_Key_Codes | SamyGO wiki]]<br>
Useful information can be found also in [https://github.com/tomquist/SamyGo-Android-Remote/tree/master/src/de/quist/samy/remocon SamyGO Android Remote sources.]
==Reference==
#[http://sc0ty.pl/2012/02/samsung-tv-network-remote-control-protocol Original article]

Samsung TV network remote control protocol - Revision history

Juzis28: Created page with "Here is an example of reversing network remote protocol on LE32D550 and an application for iPhone and Android smartphones to control TV through WiFi. If you check open ports o..."