Advanced Touch REMOTE reverse engineering

Ideas and dreaming will go this forum

User avatar
mad_ady
SamyGO Project Donor
Posts: 246
Joined: Sun May 03, 2015 10:42 am

Advanced Touch REMOTE reverse engineering

Post by mad_ady » Wed Sep 23, 2015 9:55 am

Hello everyone,

My goal is to find a way to control an H-Series TV (e.g. H6400) remotely (without having it rooted - at least not until a suitable root is released). I've looked at ways to control it over wifi, but it can only be done with Samsung's apps (for Windows/Android), and sadly the Android app doesn't run on my phone. From all I read, H series (and beyond) use encrypted communication for Wifi remote, and Samsung is determined to keep third party remotes out.

So, I was thinking of what would be needed to reverse the protocol used by the bluetooth remote (Advanced Touch Remote) and have a different device (phone or Linux PC) pretend to be the Advanced Touch Remote instead. This would allow me to control the TV remotely, over the internet (with the phone/PC as a wifi-to-bluetooth bridge).

So, let's experiment. A simple test with a camera will show you that the smart remote has an IR diode that is used to power the TV on or off. So, power can't be controlled via Bluetooth. Boo!

Next: if you use a phone and press the remote's Return + Guide buttons, you will see the bluetooth device as discoverable by your phone and you can connect to it (it didn't require any PIN). It then behaves like a keyboard (input device). The TV is not discoverable, but you can find out the bluetooth MAC in the service menu.

I also tried pairing my remote to my Linux PC, but I wasn't able to pair with it. I tried the standard codes, 0000, 1234, etc, but nothing worked. Does anybody know what the pairing code is? It's probably hardcoded somewhere in the TV firmware.

Here's my plan after I can pair with it via PC:
1. Use Wireshark to sniff bluetooth traffic and see what gets sent
2. Or use something like xev to sniff out the keycodes being sent on keypresses or remote movement.

If getting the remote to pair with a PC, or extracting the keypresses is more difficult, there would be two more options:
1. Use specialized hardware + software defined radio to sniff the bluetooth traffic at radio level - possible, but requires expensive hardware: https://www.usenix.org/legacy/event/woo ... index.html
2. Use a rooted TV to do the packet capture at the bluetooth level or intercept process calls to see what happens/what packets get sent.

With this information, my next plan is to do this:
1. Create a program using uinput that will generate those keycodes to a /dev/input/* device: http://thiemonge.org/getting-started-with-uinput. Ideally the program registers a new input device and listens for keys on a particular network port. It then converts those keys to their keycodes and sends them as input.
2. Export the /dev/input device as a HID keyboard emulating the Advanced Touch Remote using hidclient: http://anselm.hoffmeister.be/computer/h ... ex.html.en. (Note, by using this program you can temporarly use your hardware keyboard from your Linux PC as a keyboard for your Samsung TV via Bluetooth - needs testing): http://support-us.samsung.com/cyber/pop ... idx=411196&

So, I'd like to ask the community's help further in case this idea is helpful for anyone. Ideally, it should lead to tools to control the TV via bluetooth from linux (command-line), and could be used by NAS, HTPC and other Linux devices lying around. Also, with rooted android phones, it might be portable to android one day.

Let me know what to try next!
H6400, firmware 2602.2 downgraded to 2130

nono2lozere
SamyGO Project Donor
Posts: 38
Joined: Sat Sep 20, 2014 3:55 pm

Re: Advanced Touch REMOTE reverse engineering

Post by nono2lozere » Wed Sep 23, 2015 10:16 am

mad_ady wrote: I also tried pairing my remote to my Linux PC, but I wasn't able to pair with it. I tried the standard codes, 0000, 1234, etc, but nothing worked. Does anybody know what the pairing code is? It's probably hardcoded somewhere in the TV firmware.
Hello,
I think it's because smart remote is a BLE (Bluetooth 4) device, so unless you have a BLE adapter on your PC it won't work. But after that if it's an HID device you will be able to log keycode under Linux and maybe under android with nRF Master Control Panel (BLE): https://play.google.com/store/apps/deta ... .mcp&hl=fr.

Good luck
Samsung UE40F7000 T-FXPDEUC1115.0

User avatar
mad_ady
SamyGO Project Donor
Posts: 246
Joined: Sun May 03, 2015 10:42 am

Re: Advanced Touch REMOTE reverse engineering

Post by mad_ady » Wed Sep 23, 2015 10:32 am

You're right! I swapped my Bluetooth dongle with a Bluetooth 4.0 dongle and I was able to pair with the remote!

Code: Select all

[73389.854659] input: Advanced Touch REMOTE as /devices/pci0000:00/0000:00:14.0/usb1/1-6/1-6:1.0/bluetooth/hci0/hci0:70/0005:04E8:2075.0008/input/input20
[73389.854890] hid-generic 0005:04E8:2075.0008: input,hidraw4: BLUETOOTH HID v1.00 Keyboard [Advanced Touch REMOTE] on 00:1a:7d:da:71:13
Many thanks!
H6400, firmware 2602.2 downgraded to 2130

User avatar
mad_ady
SamyGO Project Donor
Posts: 246
Joined: Sun May 03, 2015 10:42 am

Re: Advanced Touch REMOTE reverse engineering

Post by mad_ady » Wed Sep 23, 2015 11:50 am

Ok, by using evtest I was able to create a mapping of the keycodes sent by the remote:

Code: Select all

Search: 115
Keypad: 210
Source: 1
Voice: 160
Volume +: 7
Volume -: 11
Channel +: 18
Channel -: 16
Mute: 15
Up: 96
Down: 97
Right: 98
Left: 101
Enter: 214
Return: 88
SmartHub: 121
Guide: 79
Rew: 69
Play: 71
Pause: 74
FForward: 72
A: 108
B: 20
C: 21
D: 22
Football: 184
Menu: 26

Pairing sequence: 88 (sent as code 11)
To access other functions on the remote (e.g. Ch List), the user has to long-press a key. This causes the same keycode to be sent out in rapid succession and is interpreted by the TV, so no separate keycodes are sent for those.

Here's the dump:

Code: Select all

adrianp@frost:~$ sudo evtest /dev/input/event14
[sudo] password for adrianp: 
Input driver version is 1.0.1
Input device ID: bus 0x5 vendor 0x4e8 product 0x2075 version 0x100
Input device name: "Advanced Touch REMOTE"
Supported events:
  Event type 0 (EV_SYN)
  Event type 1 (EV_KEY)
    Event code 1 (KEY_ESC)
    Event code 2 (KEY_1)
    Event code 3 (KEY_2)
    Event code 4 (KEY_3)
    Event code 5 (KEY_4)
    Event code 6 (KEY_5)
    Event code 7 (KEY_6)
    Event code 8 (KEY_7)
    Event code 9 (KEY_8)
    Event code 10 (KEY_9)
    Event code 11 (KEY_0)
    Event code 12 (KEY_MINUS)
    Event code 13 (KEY_EQUAL)
    Event code 14 (KEY_BACKSPACE)
    Event code 15 (KEY_TAB)
    Event code 16 (KEY_Q)
    Event code 17 (KEY_W)
    Event code 18 (KEY_E)
    Event code 19 (KEY_R)
    Event code 20 (KEY_T)
    Event code 21 (KEY_Y)
    Event code 22 (KEY_U)
    Event code 23 (KEY_I)
    Event code 24 (KEY_O)
    Event code 25 (KEY_P)
    Event code 26 (KEY_LEFTBRACE)
    Event code 27 (KEY_RIGHTBRACE)
    Event code 28 (KEY_ENTER)
    Event code 29 (KEY_LEFTCTRL)
    Event code 30 (KEY_A)
    Event code 31 (KEY_S)
    Event code 32 (KEY_D)
    Event code 33 (KEY_F)
    Event code 34 (KEY_G)
    Event code 35 (KEY_H)
    Event code 36 (KEY_J)
    Event code 37 (KEY_K)
    Event code 38 (KEY_L)
    Event code 39 (KEY_SEMICOLON)
    Event code 40 (KEY_APOSTROPHE)
    Event code 41 (KEY_GRAVE)
    Event code 42 (KEY_LEFTSHIFT)
    Event code 43 (KEY_BACKSLASH)
    Event code 44 (KEY_Z)
    Event code 45 (KEY_X)
    Event code 46 (KEY_C)
    Event code 47 (KEY_V)
    Event code 48 (KEY_B)
    Event code 49 (KEY_N)
    Event code 50 (KEY_M)
    Event code 51 (KEY_COMMA)
    Event code 52 (KEY_DOT)
    Event code 53 (KEY_SLASH)
    Event code 54 (KEY_RIGHTSHIFT)
    Event code 55 (KEY_KPASTERISK)
    Event code 56 (KEY_LEFTALT)
    Event code 57 (KEY_SPACE)
    Event code 58 (KEY_CAPSLOCK)
    Event code 59 (KEY_F1)
    Event code 60 (KEY_F2)
    Event code 61 (KEY_F3)
    Event code 62 (KEY_F4)
    Event code 63 (KEY_F5)
    Event code 64 (KEY_F6)
    Event code 65 (KEY_F7)
    Event code 66 (KEY_F8)
    Event code 67 (KEY_F9)
    Event code 68 (KEY_F10)
    Event code 69 (KEY_NUMLOCK)
    Event code 70 (KEY_SCROLLLOCK)
    Event code 71 (KEY_KP7)
    Event code 72 (KEY_KP8)
    Event code 73 (KEY_KP9)
    Event code 74 (KEY_KPMINUS)
    Event code 75 (KEY_KP4)
    Event code 76 (KEY_KP5)
    Event code 77 (KEY_KP6)
    Event code 78 (KEY_KPPLUS)
    Event code 79 (KEY_KP1)
    Event code 80 (KEY_KP2)
    Event code 81 (KEY_KP3)
    Event code 82 (KEY_KP0)
    Event code 83 (KEY_KPDOT)
    Event code 85 (KEY_ZENKAKUHANKAKU)
    Event code 86 (KEY_102ND)
    Event code 87 (KEY_F11)
    Event code 88 (KEY_F12)
    Event code 89 (KEY_RO)
    Event code 90 (KEY_KATAKANA)
    Event code 91 (KEY_HIRAGANA)
    Event code 92 (KEY_HENKAN)
    Event code 93 (KEY_KATAKANAHIRAGANA)
    Event code 94 (KEY_MUHENKAN)
    Event code 95 (KEY_KPJPCOMMA)
    Event code 96 (KEY_KPENTER)
    Event code 97 (KEY_RIGHTCTRL)
    Event code 98 (KEY_KPSLASH)
    Event code 99 (KEY_SYSRQ)
    Event code 100 (KEY_RIGHTALT)
    Event code 102 (KEY_HOME)
    Event code 103 (KEY_UP)
    Event code 104 (KEY_PAGEUP)
    Event code 105 (KEY_LEFT)
    Event code 106 (KEY_RIGHT)
    Event code 107 (KEY_END)
    Event code 108 (KEY_DOWN)
    Event code 109 (KEY_PAGEDOWN)
    Event code 110 (KEY_INSERT)
    Event code 111 (KEY_DELETE)
    Event code 113 (KEY_MUTE)
    Event code 114 (KEY_VOLUMEDOWN)
    Event code 115 (KEY_VOLUMEUP)
    Event code 116 (KEY_POWER)
    Event code 117 (KEY_KPEQUAL)
    Event code 119 (KEY_PAUSE)
    Event code 121 (KEY_KPCOMMA)
    Event code 122 (KEY_HANGUEL)
    Event code 123 (KEY_HANJA)
    Event code 124 (KEY_YEN)
    Event code 125 (KEY_LEFTMETA)
    Event code 126 (KEY_RIGHTMETA)
    Event code 127 (KEY_COMPOSE)
    Event code 128 (KEY_STOP)
    Event code 129 (KEY_AGAIN)
    Event code 130 (KEY_PROPS)
    Event code 131 (KEY_UNDO)
    Event code 132 (KEY_FRONT)
    Event code 133 (KEY_COPY)
    Event code 134 (KEY_OPEN)
    Event code 135 (KEY_PASTE)
    Event code 136 (KEY_FIND)
    Event code 137 (KEY_CUT)
    Event code 138 (KEY_HELP)
    Event code 140 (KEY_CALC)
    Event code 142 (KEY_SLEEP)
    Event code 150 (KEY_WWW)
    Event code 152 (KEY_SCREENLOCK)
    Event code 158 (KEY_BACK)
    Event code 159 (KEY_FORWARD)
    Event code 161 (KEY_EJECTCD)
    Event code 163 (KEY_NEXTSONG)
    Event code 164 (KEY_PLAYPAUSE)
    Event code 165 (KEY_PREVIOUSSONG)
    Event code 166 (KEY_STOPCD)
    Event code 173 (KEY_REFRESH)
    Event code 176 (KEY_EDIT)
    Event code 177 (KEY_SCROLLUP)
    Event code 178 (KEY_SCROLLDOWN)
    Event code 179 (KEY_KPLEFTPAREN)
    Event code 180 (KEY_KPRIGHTPAREN)
    Event code 183 (KEY_F13)
    Event code 184 (KEY_F14)
    Event code 185 (KEY_F15)
    Event code 186 (KEY_F16)
    Event code 187 (KEY_F17)
    Event code 188 (KEY_F18)
    Event code 189 (KEY_F19)
    Event code 190 (KEY_F20)
    Event code 191 (KEY_F21)
    Event code 192 (KEY_F22)
    Event code 193 (KEY_F23)
    Event code 194 (KEY_F24)
    Event code 240 (KEY_UNKNOWN)
    Event code 272 (BTN_LEFT)
    Event code 273 (BTN_RIGHT)
    Event code 274 (BTN_MIDDLE)
  Event type 2 (EV_REL)
    Event code 0 (REL_X)
    Event code 1 (REL_Y)
    Event code 9 (REL_MISC)
    Event code 10 (?)
    Event code 11 (?)
    Event code 12 (?)
    Event code 13 (?)
    Event code 14 (?)
    Event code 15 (?)
  Event type 4 (EV_MSC)
    Event code 4 (MSC_SCAN)
  Event type 17 (EV_LED)
    Event code 0 (LED_NUML)
    Event code 1 (LED_CAPSL)
    Event code 2 (LED_SCROLLL)
    Event code 3 (LED_COMPOSE)
    Event code 4 (LED_KANA)
Key repeat handling:
  Repeat type 20 (EV_REP)
    Repeat code 0 (REP_DELAY)
      Value    250
    Repeat code 1 (REP_PERIOD)
      Value     33
Properties:
Testing ... (interrupt to exit)
Event: time 1443004955.126264, type 2 (EV_REL), code 9 (REL_MISC), value 115
Event: time 1443004955.126264, -------------- EV_SYN ------------
Event: time 1443004968.736026, type 2 (EV_REL), code 9 (REL_MISC), value 210
Event: time 1443004968.736026, -------------- EV_SYN ------------
Event: time 1443004968.847288, type 2 (EV_REL), code 9 (REL_MISC), value 210
Event: time 1443004968.847288, -------------- EV_SYN ------------
Event: time 1443004977.155905, type 2 (EV_REL), code 9 (REL_MISC), value 1
Event: time 1443004977.155905, -------------- EV_SYN ------------
Event: time 1443004977.267112, type 2 (EV_REL), code 9 (REL_MISC), value 1
Event: time 1443004977.267112, -------------- EV_SYN ------------
Event: time 1443004988.327108, type 2 (EV_REL), code 9 (REL_MISC), value 160
Event: time 1443004988.327108, -------------- EV_SYN ------------
Event: time 1443004998.589238, type 2 (EV_REL), code 9 (REL_MISC), value 7
Event: time 1443004998.589238, -------------- EV_SYN ------------
Event: time 1443004998.701820, type 2 (EV_REL), code 9 (REL_MISC), value 7
Event: time 1443004998.701820, -------------- EV_SYN ------------
Event: time 1443005012.675534, type 2 (EV_REL), code 9 (REL_MISC), value 11
Event: time 1443005012.675534, -------------- EV_SYN ------------
Event: time 1443005012.776749, type 2 (EV_REL), code 9 (REL_MISC), value 11
Event: time 1443005012.776749, -------------- EV_SYN ------------
Event: time 1443005023.285426, type 2 (EV_REL), code 9 (REL_MISC), value 18
Event: time 1443005023.285426, -------------- EV_SYN ------------
Event: time 1443005023.396598, type 2 (EV_REL), code 9 (REL_MISC), value 18
Event: time 1443005023.396598, -------------- EV_SYN ------------
Event: time 1443005032.185234, type 2 (EV_REL), code 9 (REL_MISC), value 16
Event: time 1443005032.185234, -------------- EV_SYN ------------
Event: time 1443005041.565141, type 2 (EV_REL), code 9 (REL_MISC), value 15
Event: time 1443005041.565141, -------------- EV_SYN ------------
Event: time 1443005041.676357, type 2 (EV_REL), code 9 (REL_MISC), value 15
Event: time 1443005041.676357, -------------- EV_SYN ------------
Event: time 1443005052.554986, type 2 (EV_REL), code 9 (REL_MISC), value 96
Event: time 1443005052.554986, -------------- EV_SYN ------------
Event: time 1443005052.656241, type 2 (EV_REL), code 9 (REL_MISC), value 96
Event: time 1443005052.656241, -------------- EV_SYN ------------
Event: time 1443005060.744912, type 2 (EV_REL), code 9 (REL_MISC), value 97
Event: time 1443005060.744912, -------------- EV_SYN ------------
Event: time 1443005060.856137, type 2 (EV_REL), code 9 (REL_MISC), value 97
Event: time 1443005060.856137, -------------- EV_SYN ------------
Event: time 1443005066.994761, type 2 (EV_REL), code 9 (REL_MISC), value 98
Event: time 1443005066.994761, -------------- EV_SYN ------------
Event: time 1443005067.106070, type 2 (EV_REL), code 9 (REL_MISC), value 98
Event: time 1443005067.106070, -------------- EV_SYN ------------
Event: time 1443005079.234654, type 2 (EV_REL), code 9 (REL_MISC), value 101
Event: time 1443005079.234654, -------------- EV_SYN ------------
Event: time 1443005084.504560, type 2 (EV_REL), code 9 (REL_MISC), value 214
Event: time 1443005084.504560, -------------- EV_SYN ------------
Event: time 1443005084.615827, type 2 (EV_REL), code 9 (REL_MISC), value 214
Event: time 1443005084.615827, -------------- EV_SYN ------------
Event: time 1443005093.474416, type 2 (EV_REL), code 9 (REL_MISC), value 88
Event: time 1443005093.474416, -------------- EV_SYN ------------
Event: time 1443005093.575711, type 2 (EV_REL), code 9 (REL_MISC), value 88
Event: time 1443005093.575711, -------------- EV_SYN ------------
Event: time 1443005100.374335, type 2 (EV_REL), code 9 (REL_MISC), value 121
Event: time 1443005100.374335, -------------- EV_SYN ------------
Event: time 1443005100.485665, type 2 (EV_REL), code 9 (REL_MISC), value 121
Event: time 1443005100.485665, -------------- EV_SYN ------------
Event: time 1443005108.324292, type 2 (EV_REL), code 9 (REL_MISC), value 79
Event: time 1443005108.324292, -------------- EV_SYN ------------
Event: time 1443005108.435557, type 2 (EV_REL), code 9 (REL_MISC), value 79
Event: time 1443005108.435557, -------------- EV_SYN ------------
Event: time 1443005119.354181, type 2 (EV_REL), code 9 (REL_MISC), value 69
Event: time 1443005119.354181, -------------- EV_SYN ------------
Event: time 1443005119.455334, type 2 (EV_REL), code 9 (REL_MISC), value 69
Event: time 1443005119.455334, -------------- EV_SYN ------------
Event: time 1443005130.004043, type 2 (EV_REL), code 9 (REL_MISC), value 71
Event: time 1443005130.004043, -------------- EV_SYN ------------
Event: time 1443005130.113978, type 2 (EV_REL), code 9 (REL_MISC), value 71
Event: time 1443005130.113978, -------------- EV_SYN ------------
Event: time 1443005140.103849, type 2 (EV_REL), code 9 (REL_MISC), value 74
Event: time 1443005140.103849, -------------- EV_SYN ------------
Event: time 1443005140.215177, type 2 (EV_REL), code 9 (REL_MISC), value 74
Event: time 1443005140.215177, -------------- EV_SYN ------------
Event: time 1443005146.323769, type 2 (EV_REL), code 9 (REL_MISC), value 72
Event: time 1443005146.323769, -------------- EV_SYN ------------
Event: time 1443005146.425056, type 2 (EV_REL), code 9 (REL_MISC), value 72
Event: time 1443005146.425056, -------------- EV_SYN ------------
Event: time 1443005158.213717, type 2 (EV_REL), code 9 (REL_MISC), value 108
Event: time 1443005158.213717, -------------- EV_SYN ------------
Event: time 1443005158.324921, type 2 (EV_REL), code 9 (REL_MISC), value 108
Event: time 1443005158.324921, -------------- EV_SYN ------------
Event: time 1443005163.694952, type 2 (EV_REL), code 9 (REL_MISC), value 20
Event: time 1443005163.694952, -------------- EV_SYN ------------
Event: time 1443005163.804902, type 2 (EV_REL), code 9 (REL_MISC), value 20
Event: time 1443005163.804902, -------------- EV_SYN ------------
Event: time 1443005174.813439, type 2 (EV_REL), code 9 (REL_MISC), value 21
Event: time 1443005174.813439, -------------- EV_SYN ------------
Event: time 1443005174.924696, type 2 (EV_REL), code 9 (REL_MISC), value 21
Event: time 1443005174.924696, -------------- EV_SYN ------------
Event: time 1443005181.773382, type 2 (EV_REL), code 9 (REL_MISC), value 22
Event: time 1443005181.773382, -------------- EV_SYN ------------
Event: time 1443005181.884645, type 2 (EV_REL), code 9 (REL_MISC), value 22
Event: time 1443005181.884645, -------------- EV_SYN ------------
Event: time 1443005189.973264, type 2 (EV_REL), code 9 (REL_MISC), value 184
Event: time 1443005189.973264, -------------- EV_SYN ------------
Event: time 1443005190.084522, type 2 (EV_REL), code 9 (REL_MISC), value 184
Event: time 1443005190.084522, -------------- EV_SYN ------------
Event: time 1443005195.263223, type 2 (EV_REL), code 9 (REL_MISC), value 26
Event: time 1443005195.263223, -------------- EV_SYN ------------
Event: time 1443005195.364522, type 2 (EV_REL), code 9 (REL_MISC), value 26
Event: time 1443005195.364522, -------------- EV_SYN ------------

Next step will be to write a uninput program to generate these events and see if they match. :)
Thanks for the tip!
Last edited by mad_ady on Sat Sep 26, 2015 5:35 am, edited 1 time in total.
H6400, firmware 2602.2 downgraded to 2130

zoelechat
SamyGO Moderator
Posts: 7930
Joined: Fri Apr 12, 2013 7:32 pm
Location: France

Re: Advanced Touch REMOTE reverse engineering

Post by zoelechat » Wed Sep 23, 2015 12:10 pm

Keycodes are known:
viewtopic.php?f=63&t=6393
I do NOT receive any PM. Please use forum.

User avatar
mad_ady
SamyGO Project Donor
Posts: 246
Joined: Sun May 03, 2015 10:42 am

Re: Advanced Touch REMOTE reverse engineering

Post by mad_ady » Thu Sep 24, 2015 7:30 am

Thanks zoelechat, you're right, the keys I found correspond to the keys in your post. This means, that theoretically, if we can spoof the advanced touch remote, we can also spoof any remote, including sending FACTORY + 3SPEED :) This should work for H/J series with bluetooth remote.

Wow, this is better than I thought.
H6400, firmware 2602.2 downgraded to 2130

User avatar
mad_ady
SamyGO Project Donor
Posts: 246
Joined: Sun May 03, 2015 10:42 am

Re: Advanced Touch REMOTE reverse engineering

Post by mad_ady » Thu Sep 24, 2015 9:07 am

Ok, I was able to start a small framework project to test key emulation for this remote. I set up a remote that only sends Channel Up (once). Naturally the code needs to evolve a lot before it's useful, but it should be enough to try the bluetooth keyboard spoofing I was mentioning.

https://github.com/mad-ady/advanced-tou ... or-samsung

Code: Select all

adrianp@frost:~/temp$ sudo evtest /dev/input/event5
Input driver version is 1.0.1
Input device ID: bus 0x3 vendor 0x1 product 0x1 version 0x1
Input device name: "Advanced-Touch-Remote-Fake-Keyboard"
Supported events:
  Event type 0 (EV_SYN)
  Event type 2 (EV_REL)
    Event code 9 (REL_MISC)
Properties:
Testing ... (interrupt to exit)
Event: time 1443079544.832518, type 2 (EV_REL), code 9 (REL_MISC), value 18
Event: time 1443079544.832518, -------------- EV_SYN ------------
expected 24 bytes, got -1

evtest: error reading: No such device

H6400, firmware 2602.2 downgraded to 2130

rysmario
SamyGO Project Donor
Posts: 8
Joined: Tue Dec 30, 2014 12:45 pm

Re: Advanced Touch REMOTE reverse engineering

Post by rysmario » Fri Sep 25, 2015 10:24 pm

i tried it the other way round - i'd love to use the remote for other purposes.
if you look at it closely (with a screwdriver :)) you'll find an amazing controller.
keyboard, touch and motion controller (keyboard and a "relative device" [mouse / joy] as evtest said so) - unfortunately i haven't figured out how to switch modes on the remote to get motion or touch events.
--> all events are visible through l2cap...


i2c ids inside:
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- 18 -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- 28 -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- 4a -- -- -- -- --
50: 50 -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- 68 -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

some ic's I identified while open
broadcom 20733A3KML1G (broadcom 20733) - bluetooth hid

i2c 0x18: ti adc 3101: audio IC
i2c 0x4a: touch element
i2c 0x50: 24C512 compatible i2c eeprom

out of curiosity i dumped the eeprom

-edit - ROM infos
own bt-address @ 0x15-0x1b - reversed order [last address byte first]
attaced bt device id seems to be stored @ 0x2cb & 2d1 in "correct" order.
- Edit:
got two more remotes and firmwares, the addresses and remote-codes can be modified easily and flashed around :)
now it is time to dissect and dig around...
--> edit 201511xx: the eeprom complies mostly to the bcm20730 layout.

--> ida was happy with ARM7TDMI
all firmwares are more or less the same - just a few bugfixes (and other addresses) from what it seems in IDA.

no clear info on bcm20733, bcm 20730 is cortex m3 based, or BCM20702 compatible - the latter supports ARM7TDMI (ARMv4T softfp)
- went further with Cortex-M3 for the application-elements in eeprom

there are testpins underneath the button-foil


cheers!
Last edited by rysmario on Mon Nov 23, 2015 6:11 pm, edited 10 times in total.
what's any invention good for if we shall not tinker with it?

User avatar
mad_ady
SamyGO Project Donor
Posts: 246
Joined: Sun May 03, 2015 10:42 am

Re: Advanced Touch REMOTE reverse engineering

Post by mad_ady » Sat Sep 26, 2015 5:34 am

Nice work. I guess it could be used to control other bluetooth things, but it doesn't send "normal" keyboard events. It sends keypresses as "mouse" events. It's weird that the motion of the remote is not picked up by evtest. Maybe after initial pairing with the TV there is a TV command sent that enables that functionality - I don't know...

Anyway, I found out something extra: when holding the Return + Guide buttons (to perform the pairing sequence), I get a new event generated in evdev:

Code: Select all

Event: time 1443208465.562333, type 2 (EV_REL), code 11 (?), value 88
I added it to the list
H6400, firmware 2602.2 downgraded to 2130

rysmario
SamyGO Project Donor
Posts: 8
Joined: Tue Dec 30, 2014 12:45 pm

Re: Advanced Touch REMOTE reverse engineering

Post by rysmario » Sun Oct 25, 2015 12:26 am

rysmario wrote:
-edit - ROM infos
own bt-address @ 0x15-0x1b - reversed order [last address byte first]
attaced bt device id seems to be stored @ 0x2cb & 2d1 in "correct" order.
- Edit:
got two more remotes and firmwares, the addresses and remote-codes can be modified easily and flashed around :)
now it is time to dissect and dig around...
--> ida was happy with ARM7TDMI
all firmwares are more or less the same - just a few bugfixes (and other addresses) from what it seems in IDA.
:lol:
no way to get firmware out of the BCM20733

the eeprom just carries data...
pretty simple layout...
-1c0 / 2c0 paired devices
-2c0 with 51 datasets
- i.e.
set 26 with report-name
set 48 carries the whole HID stuff

simple as it is: the eeprom contains just BCM2073X config & data entries.
now that this is clear, time to edit :)
what's any invention good for if we shall not tinker with it?

Post Reply

Return to “[H] Brainstorm”