Here is an example of reversing network remote protocol on LE32D550 and an application for iPhone and Android smartphones to control TV through WiFi. If you check open ports on TV with nmap, you`ll see some of them are open:

nmap -p 1-65535 tv.lan

Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report for tv.lan (192.168.1.102)
Host is up (0.0016s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
52235/tcp open  unknown
52396/tcp open  unknown
55000/tcp open  unknown
55001/tcp open  unknown
MAC Address: 60:6B:BD:AB:FC:95 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds

55000 port is used for remote control over network.

Authentication

When connection on port 55000 is established, remote control must be authenticated. It sends datagram.

0000   00 13 00 69 70 68 6f 6e 65 2e 69 61 70 70 2e 73  ...iphone.iapp.s
0010   61 6d 73 75 6e 67 38 00 64 00 14 00 4d 54 6b 79  amsung8.d...MTky
0020   4c 6a 45 32 4f 43 34 78 4c 6a 45 77 4d 41 3d 3d  LjE2OC4xLjEwMA==
0030   10 00 5a 32 52 7a 4e 7a 4d 30 64 47 64 30 5a 41  ..Z2RzNzM0dGd0ZA
0040   3d 3d 0c 00 63 32 4d 77 64 48 6b 75 63 47 77 3d  ==..c2MwdHkucGw=

And the meaning of this bytes.

offset  value and description
------	---------------------
0x00   	0x00 - datagram type?
0x01	0x0013 - string length (little endian)
0x03	"iphone.iapp.samsung" - string content
0x16	0x0038 - payload size (little endian)
0x18	payload

It is unknown the meaning of the string above, TV can accept any string in here. Payload starts with 2 bytes: 0×64 and 0×00, then comes 3 strings encoded with base64 algorithm. Every string is preceded by 2-bytes field containing encoded string length. These three strings are as follow:

• remote control device IP,
• unique ID – value to distinguish controllers,
• name – it will be displayed as controller name.

TV replies with giving us following datagram:

0000   02 0c 00 69 61 70 70 2e 73 61 6d 73 75 6e 67 06  ...iapp.samsung.
0010   00 0a 00 02 00 00 00                             .......

It means: offset value and description

---------------------

0x00   	don't know, it it always 0x00 or 0x02
0x01	0x000c - string length (little endian)
0x03	"iapp.samsung" - string content
0x0f	0x0006 - payload size (little endian)
0x11	payload

String content is always iapp.samsung or iphone.livingroom.iapp.samsung. Meaning of these strings is unclear, I suggest to not compare it with any specific value during response parsing (maybe other devices using another values).

Payload is one of the following:

• 0×64, 0×00, 0×01, 0×00 – access granted, you can now send key codes and it will be executed by TV,
• 0×64, 0×00, 0×00, 0×00 – access denied – user rejected your network remote controller,
• 0x0A, 0×00, 0×02, 0×00, 0×00, 0×00 – waiting for user to grant or deny access for your app,
• 0×65, 0×00 – timeout or cancelled by user.

Access is granted only during current TCP connection, when your app or TV disconnect, you have to repeat the authentication process.

Sending key codes

Now you can send simple datagrams containing key codes.

0000   00 13 00 69 70 68 6f 6e 65 2e 69 61 70 70 2e 73  ...iphone.iapp.s
0010   61 6d 73 75 6e 67 11 00 00 00 00 0c 00 53 30 56  amsung.......S0V
0020   5a 58 31 5a 50 54 46 56 51                       ZX1ZPTFVQ

It means: offset value and description

---------------------

0x00  	always 0x00
0x01   0x0013 - string length (little endian)
0x03	"iphone.iapp.samsung" - string content
0x16	0x0011 - payload size (little endian)
0x18	payload

And the payload is:

offset  value and description
------	---------------------
0x18   	three 0x00 bytes
0x1b	0x000c - key code size (little endian)
0x1d	key code encoded as base64 string

TV response will be similar to authentication response, but with different payload data. I will not describe this data detailed because I wasn’t investigated it much. Key codes list is published in SamyGO wiki
Useful information can be found also in SamyGO Android Remote sources.

Reference

1. Original article