SamyGO

Posted: **Sat May 17, 2014 12:20 am**

Has anyone made heads or tails of the new protocol for this year's models? The Samsung protocol that was used for many years seems to be completely gone this year and replaced with something even more opaque. Basically looks like this after stripping away all the Websockets gunk:

Code: Select all

5::/com.samsung.companion:{"name":"receivePush","args":"[219,119,28,14,238,188,98,165,255,246,181,95,247,134,212,165,137,98,254,8,180,218,246,18,159...

And those numbers go on and on and on. They don't decode to friendly ASCII if you convert those decimals to bytes. Not sure yet what they've done. Before I go disassemble the Allshare SDK, I'm wondering if anyone has already figured out this layer? I don't recognize this protocol as being any kind of standard.

Posted: **Sun Jul 27, 2014 2:36 am**

I spent my weekend trying to reverse engineer the new remote app for iOS (Samsung Smart View 2.0) which connects to my 2014 H-series TV.

Did not get very far in understanding how it all connects together, though. I managed to capture some traffic by setting up a proxy from my iPhone to my computer and intercepting all outgoing traffic using the BURP Suite and Wireshark.

192.168.1.159 is the IP of my TV

When connecting the app, the first thing that happens:

Code: Select all

POST http://192.168.1.159:8001/ms/1.0

POST Body:
{
  "method" : "ms.device.getInfo",
  "id" : "C61806B0-4FAB-4CBA-95A8-493970E30727",
  "jsonrpc" : "2.0",
  "params" : {

  }
}

..which responses this info:

{
  "method": "ms.device.getInfo",
  "result": {
    "DUID": "SHCHVWLLD3JAM",
    "Model": "14_GOLFS",
    "NetworkType": "wireless",
    "SSID": "Lojtis",
    "IP": "192.168.1.159",
    "FirmwareVersion": "T-GFSDEUC-1142.0",
    "CountryCode": "SE",
    "DeviceName": "[TV]Samsung LED46",
    "DeviceID": "7XCHU5ARPRFEG",
    "ModelDescription": "Samsung TV RCR",
    "ModelName": "UE46H7000",
    "UDN": "07bfa480-0082-1000-8cd0-5056bf7cf441",
    "Resolution": "1920x1080",
    "ServiceURI": "http://192.168.1.159:8001/ms/1.0/",
    "DialURI": "http://192.168.1.159:8001/ws/apps/",
    "Capabilities": [
      {
        "name": "samsung:multiscreen:1",
        "port": "8001",
        "location": "/ms/1.0/"
      }
    ]
  },
  "id": "C61806B0-4FAB-4CBA-95A8-493970E30727",
  "jsonrpc": "2.0"
}

Then, a GET request to http://192.168.1.159:7676/smp_25_ is made:

Code: Select all

GET http://192.168.1.159:7676/smp_25_

response:

<?xml version="1.0"?>
<root xmlns='urn:schemas-upnp-org:device-1-0' xmlns:sec='http://www.sec.co.kr/dlna' xmlns:dlna='urn:schemas-dlna-org:device-1-0'>
 <specVersion>
  <major>1</major>
  <minor>0</minor>
 </specVersion>
 <device>
  <deviceType>urn:dial-multiscreen-org:device:dialreceiver:1</deviceType>
  <friendlyName>[TV]Samsung LED46</friendlyName>
  <manufacturer>Samsung Electronics</manufacturer>
  <manufacturerURL>http://www.samsung.com/sec</manufacturerURL>
  <modelDescription>Samsung TV NS</modelDescription>
  <modelName>UE46H7000</modelName>
  <modelNumber>1.0</modelNumber>
  <modelURL>http://www.samsung.com/sec</modelURL>
  <serialNumber>20090804RCR</serialNumber>
  <UDN>uuid:07bfa481-0082-1000-b3aa-5056bf7cf441</UDN>
  <sec:deviceID>7XCHU5ARPRFEG</sec:deviceID>
  <sec:ProductCap>Resolution:1280X720,Y2014</sec:ProductCap>
  <serviceList>
   <service>
    <serviceType>urn:dial-multiscreen-org:service:dial:1</serviceType>
    <serviceId>urn:dial-multiscreen-org:serviceId:dial</serviceId>
    <controlURL>/smp_27_</controlURL>
    <eventSubURL>/smp_28_</eventSubURL>
    <SCPDURL>/smp_26_</SCPDURL>
   </service>
  </serviceList>
  <sec:Capabilities>
   <sec:Capability name='samsung:multiscreen:1' port='8001' location='/ms/1.0/'></sec:Capability>
  </sec:Capabilities>
 </device>
</root>

After that, the app locates the TV on the network according to the UPNP protocol (looks like it in wireshark anyway..). Then the following requests are made:

Code: Select all

POST http://192.168.1.159:8080/ws/pairing?step=1&app_id=12345&device_id=7E808D46-D5B4-45F8-9D4D-3195C13DDE1D&type=1&type=1

response:

"auth_Data":{"auth_type":"SPC","GeneratorServerHello":"010200000000000000008A000000063635343332319EE66F7B6A48BAAEEC88C795A8EF11AE8FB74C2D2520CDB3A578E2B324883F2F85253F165CEB73A8F621D0E77C073F4FDC34D6707E51E9A0C519554D2F620321C63CBF9D3D4F0FE9B961A5AD3E19DC2A63091360A67263F0A115C0AD075F33C9C027210C1FE636AB36C7EC598774D2FE130A81E3F11DDC387C48387D5130ED6A0000000000"}

Code: Select all

POST http://192.168.1.159:8080/ws/pairing?step=2&app_id=12345&device_id=7E808D46-D5B4-45F8-9D4D-3195C13DDE1D&type=1&type=1

response:

"auth_Data":{"auth_type":"SPC","request_id":"0","ServerAckMsg":"01030000000000000000146F0C01563895DDAE104D3DB6A6F230129F1CFB550000000000"}

Code: Select all

DELETE http://192.168.1.159:8080/ws/apps/CloudPINPage/run

Code: Select all

GET http://192.168.1.159:8000/common/1.0.0/service/startService?appID=com.samsung.companion

Code: Select all

GET http://192.168.1.159:8000/socket.io/1/?t=1406423639422

response:

z1dV9gDLH1YOgMq2APc9:60:60:websocket,htmlfile,xhr-polling,jsonp-polling

After all these requests, the app is connected to the TV and I can see the remote control UI. However, when I push a button, no commands are sent over either the sockets or other HTTP traffic, so it must be using some UDP protocol. But! I tried to log all tcp/udp events to intercept volume changes etc but did not manage to make any sense of it. Very annoying!

It would be really neat if the websocket actually could be used for controlling the TV without having to use UPNP or other non-familiar protocol.

Posted: **Sun Jul 27, 2014 4:52 am**

I've looked at it. There are definitely commands sent when you push a button from the app. It's inside the Websocket protocol on the same TCP link, so likely what is throwing you off is that you're looking for a new connection/command when actually once it sets up the Websocket, it never needs to connect again so it's all on the same link.

So the question I'm still struggling with is, having looked at the inside of the Websocket connection, some sample contents of that are in my first post in this thread. Wireshark does an excellent job of decoding to that point actually with built-in Websocket decoding. But the contents are encoded in a way that I have not been able to parse yet. It's some kind of RPC that labels its calls "receivePush" and "receiveCommon" and then encodes the body of its packets as decimal numbers in an 8 bit range e.g.. "238,188,98,165,255". Just trying to convert that directly to binary or ASCII doesn't immediately show anything interesting.

Posted: **Sun Jul 27, 2014 1:51 pm**

Interesting, would like to investigate, but don't see your data with wireshark even though I only look at existing connections. Can you describe your setup/process for retreiving the socket data you mention above?

Posted: **Mon Jul 28, 2014 7:14 pm**

Once you have it paired, let a few commands pass and then select one of the TCP packets from the communication and choose "Follow TCP Connection". That will reassemble everything.

If you're really not seeing the packets then something else is wrong with your Wireshark setup. It is a huge pain these days with everything switching packets to set it up properly.

Posted: **Sat Aug 02, 2014 12:21 am**

Hi all,

I am also interested in controlling the H Series, but right now I have no H Series at home.
It would be nice if someone can post some wireshark capture files together with a description what was made and which buttons were pressed.

It would help, if more users can start analyze the protocol at the same time.

Thanks
Schani

Posted: **Sun Aug 03, 2014 1:48 pm**

Hello, i also own a H Series TV (UE48H6410). I set up a mirror port on my HP managed switch and plugged my tv into lan. (Because Proxy Usage isnt very useful to capture ALL packets...). I Could see lots of ACK messages, Udp and TCP traffic to several ports. but all my other hardware in my network was also captured. How to remove it from the file you could save, that i could upload it? I set up a filter for tv and my iphone but when i save all things are getting stored.

The UDP Traffic looks encrypted (it might be the stream, cuz it runs partially over :9090)

Any interests on the saved file? i compressed it down to 2mib.

BTW ive also seen those companion things with the strange 222,2323,423434, numbers....

Oh Cool, i found a part where Channel ID and whats up on the channel is mentioned:

Code: Select all

:/com.samsung.companion:{"name":"receiveCommon","args":["{\"plugin\":\"SecondTV\",\"api\":\"ExecuteSecondTVEMP\",\"result\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\" ?><GetBannerInformationResponse><Result>OK</Result><BannerInformation><?xml version="1.0" encoding="UTF-8" ?><BannerInformation><CurMode>CloneView</CurMode><Channel><ChType>CDTV</ChType><MajorCh>6</MajorCh><MinorCh>65534</MinorCh><PTC>73</PTC><ProgNum>33102</ProgNum></Channel><DispChNum>6</DispChNum><DispChName>RTL2 HD</DispChName><ChInfo>0xCB00</ChInfo><ProgTitle>Die Geissens - Eine schrecklich glamour..se Familie!</ProgTitle><StartTime>2014-08-03T10:55:00</StartTime><EndTime>2014-08-03T12:00:00<

I was watching Die Geissens on RTL 2 HD!

But the Things my iphone sends to the tv seems to be encrypted or sth else, it sends back data via :8000 via websocket version 13.

looks like that:

Code: Select all

...Y...c...6...8...7...6...7......G5....&.-Vs.,F}.q@r.,Vs.rTr.m[&. Tn.q.&. N<.".@.`Zx.^.&. n-...(...-.3.0.7.-.6.%...,...-...,...+...+.:.0.2.)...+...-.3.).0...0.+.3...1.0.1.0...,...,.....1
0.1.0.3...;./...)...+.0.+.3
).1.0.2...5.(...(......
).;.-.0.-.5./...%...(..
%.0...0.).3.-.3.%.3.-.0.-.3.*.5.0.4.*.../.4
0.4.0.4.A. .<.".@.QPo.kZr.KQ@.8.a._.>.cXy.8.n.e\o.gGL.q]>....J~..TK..{...z
..'...z...$...;...v...'\..v...t^..6....\..v%..xL..xK..eI..aR..`R..xO..xO..xL..xO..xM..lJ..dR..xO..xL..eO..fL..fO..eN..gO..gI..xO..xL..xM..gF..gM..eR..mR..xO..xI..bN..gN..eG..lL..cM..eJ..xL..xO..xI..eM..cN..bL..mH..mR..cR..eR..mR..gR..xK..eH..`L..`F..gG..aN..lR..`R..eR..c#..x^..t"..1

WTF

Posted: **Wed Aug 06, 2014 1:51 pm**

Posted: **Thu Oct 30, 2014 1:28 pm**

Does anybody managed to get the remote control codes ?

Posted: **Thu Nov 27, 2014 9:50 am**

I'm very interested in figuring out this too, but have no skills in Wireshark

Did some of you guys get any further on this?

SamyGO

HU Websockets receiveCommon protocol

HU Websockets receiveCommon protocol

Re: HU Websockets receiveCommon protocol

Re: HU Websockets receiveCommon protocol

Re: HU Websockets receiveCommon protocol

Re: HU Websockets receiveCommon protocol

Re: HU Websockets receiveCommon protocol

Re: HU Websockets receiveCommon protocol

Re: HU Websockets receiveCommon protocol

Re: HU Websockets receiveCommon protocol

Re: HU Websockets receiveCommon protocol