Ape / samsungctl

Remote control Samsung televisions via a TCP/IP connection
MIT License

Some TV models are not working #22

Open Random-Stack-Random-Day opened 7 years ago

Random-Stack-Random-Day commented 7 years ago

Edited by @Ape: I hijacked this issue to collect all instances where some random TV model does not work, but we don't know what is the cause or how it could be fixed. Some TV models might not simply support TCP/IP control at all, and some models may require a whole new protocol. When you have technical details about a specific case that could be fixed please open a new issue.


Original message: I'm wondering if anyone can confirm if this works for their JS9000 or H5203? Getting 'Connection refused' from the 9000 and no response from the 5203.

davorf commented 7 years ago

Hello!

I have H series TV too (H6500) and it doesn't work for me. No error message is shown and nothing is displayed on the TV.

Best regards, Davor

jessiewestlake commented 7 years ago

Have you tried using the --method websocket parameter?

ProZsolt commented 7 years ago

Sadly H and J series TVs are using websockets, but a different protocol.

riemers commented 7 years ago

Newer models need to authorize the device first no? Do we have the new protocol, sounds like someone normally does :)

https://github.com/timelery/Samsung-RemoteControl

Although .net, i tried it and it can control my t.v. perhaps you can look at the code?

Ape commented 7 years ago

@riemers Which TV models did you test? I would be happy to merge new protocol support to samsungctl.

riemers commented 7 years ago

My TV is a UE55HU7500; the above .net repo did seem to work with my t.v. I tried all combos with your library but I never got a pincode. Perhaps yours has the 'authorize' only button and the pincode is newer? Just speculation here. But of course, more than happy to help with testing on this particular model.

phd1963 commented 7 years ago

Hello,

@riemers Thanks a lot for the link for remote control app! It works for my UE50H6400 model. However I need some more commands like the source changing (HDMI1, HDMI2...). Did you succeed to send such commands to your TV ? @Ape I confirm that unfortunately your app doesn't work with my TV, with any parameter (port, protocol). If I can support in any way, feel free to contact me.

Friendly

Philippe

jonny190 commented 6 years ago

Is there any progress on this? Browsing to my TV http://192.168.5.91:8001/api/v2/ outputs:

{ "id": "09896801-00a0-1000-b47c-fc8f9080e621", "name": "[TV]Samsung LED40", "version": "2.0.24", "device": { "type": "Samsung SmartTV", "duid": "09896801-00a0-1000-b47c-fc8f9080e621", "model": "14_NT14U_2D_BT", "modelName": "UE40HU6900", "description": "Samsung TV RCR", "networkType": "wired", "ssid": "", "ip": "192.168.5.91", "firmwareVersion": "Unknown", "name": "[TV]Samsung LED40", "id": "09896801-00a0-1000-b47c-fc8f9080e621", "udn": "09896801-00a0-1000-b47c-fc8f9080e621", "resolution": "1920x1080", "countryCode": "GB", "msfVersion": "2.0.24", "smartHubAgreement": "true", "developerMode": "1", "developerIP": "173.230.139.54" }, "type": "Samsung SmartTV", "uri": "http://192.168.5.91:8001/api/v2/" }

onemico commented 6 years ago

Hi,

Anyone have any updates or ideas on this, the Windows .NET works on my TV too and I am 99% sure it is due to the PIN request for authentication, so is there any method to replicate that PIN input within this application.

I don't want to have to use a Windows system to do this, when i have multiple Pis setup that should be able to.

Any assistance greatly appreciated. my model is UE55H6200

dextorer commented 6 years ago

I tried both protocols (legacy/websocket), but no way of communicating with my UE55JU6000. I haven't had the chance of trying the .NET library, but it would be great if support could be added!

Ape commented 6 years ago

I'm hijacking this issue for all the cases where there is some random TV model that nobody has been able to get working.

There is no way for me to support all possible TV models. Some might not just support TCP/IP control at all, some probably use a different protocol, and there are probably some issues reported here that are just user errors and could be fixed with a correct configuration. The point is I cannot really help unless you can debug the issue to some specific cause. In that case, please open a new issue with technical details.

riemers commented 6 years ago

I don't mind giving you more debug details, I just don't know what type or how to get the correct debug information you need. If you can give any pointers on that I would be more than happy to supply you with any information I can gather.

lucianf commented 6 years ago

Seconded. I have a H6670, probably in the same boat as #38 - would love to debug this further just don't know what I should be looking for. My gut feeling is that (at least in my case) the problem is that remote control needs to be PIN authenticated first, which samsungctl doesn't seem to handle.

jonny190 commented 6 years ago

Thirded, but the same: I don't know how to debug this. But using openhab's implementation of Samsung remote I get a pin prompt and can control the TV.

riemers commented 6 years ago

@Ape I think that most cases here are due to the pin code; if you can tell us what we need to do to be able to debug/get this to work then let us know. I can even give you ssh access to a box which has a Samsung t.v. on the network if needed. (although the pin code thingy might be hard to do without actually seeing the t.v.) Heck, I can even put a webcam in front of the TV if that is what it takes.

Ape commented 6 years ago

I appreciate your offer to help. However, I'm afraid I cannot implement and maintain new features for TV models I don't have and use myself, but with your help we can get this done.

First, it would help if somebody with the hardware could capture and reverse engineer the protocol using the official remote app (if there is any). With that we can write a proof-of-concept remote software and ultimately merge the functionality to samsungctl.

ultrara1n commented 6 years ago

There is the Samsung Smart View App which is connecting via the local network to my UE55KU6079UXZG.

I'll capture the packets from first connection to sending keys to the tv with Wireshark and hope to find out some information about the used way of communication.

Ape commented 6 years ago

One problem is also that there are so many different TV models out there using so many protocols. We need to somehow detect the protocols and categorize the TV models.

riemers commented 6 years ago

We can start by asking people to report their 'nmap -T5 -F --top-ports 65535 ' so we get an indication of which ports are used per model. We can then add that to the wiki here. I have a new t.v. and 2 old ones (I doubt they even work, they're old) but it's a start.

Only need model number, people can use http://en.tab-tv.com/?page_id=7123 as reference.

Some information that might be of help https://community.smartthings.com/t/samsung-smart-tv-support/741/81 (https://github.com/timelery/Samsung-RemoteControl) see some talks about models here too https://github.com/imbrianj/switchBoard/issues/55

Anyways, my nmap on UE55HU7500 (so we should just say HU7500 as model, rest is not important)

PORT     STATE    SERVICE
6000/tcp filtered X11
7011/tcp open     talon-disc
7676/tcp open     imqbrokerd
8000/tcp open     http-alt
8001/tcp open     vcom-tunnel
8080/tcp open     http-proxy
8443/tcp open     https-alt
8889/tcp open     ddi-tcp-2

nspinelli commented 6 years ago

I am testing on a JS6900 and here is my nmap.

PORT     STATE SERVICE
7676/tcp open  imqbrokerd
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8002/tcp open  teradataordbms
8080/tcp open  http-proxy
9999/tcp open  abyss

Method 1: Samsungctl

When I run samsungctl --websocket everything runs fine with no error, but no response from the TV. After looking at the response from the TV I get this error:

{"event":"ms.error","data":{"message":"unrecognized method value : ms.remote.control"}}

I tried changing the command line to just send the key command and this is the response I am getting from the TV:

{"event":"ms.error","data":{"message":"unable to handle message : Cannot set property 'clientIp' of undefined"}}

@Ape How did you determine the 'method' for sending the commands? I am wondering if it is as simple as that, but I doubt it.

Method 2: Pairing

The only app that I was able to get TV commands to send to my TV was the 'myTifi' app from my iPhone. I tried sniffing the network activity and this is what I saw. (I am a noob using Wireshark)

Step 1: GET - http://<TVIP>:7676/rcr/

Step 2: GET - http://<TVIP>:8080/ws/apps/CloudPINPage

Step 2 appears just to check whether or not the device is already connected to the TV; if it is, it will skip to the last step.

Step 3: GET - http://<TVIP>:8080/ws/pairing?step=0&app_id=<some_app_id>&device_id=<some_device_id>&type=1

Step 3 initiates the PIN screen on the TV to pair with the device

Step 4: POST - http://<TVIP>:8080/ws/pairing?step=1&app_id=<some_app_id>&device_id=<some_device_id>

Step 4 Posting Parameters : {"auth_Data": {"auth_type": "SPC", "GeneratorServerHello": <pin_something_hash>}}

Step 5: POST - http://<ip>:8080/ws/pairing?step=2&app_id=<some_app_id>&device_id=<some_device_id>

Step 5 Posting Parameters: {"auth_Data": {"auth_type": "SPC", "request_id": <some_number>, "ServerAckMsg": <some_ack_msg>}}

Step 6: DELETE - http://<TVIP>:8080/ws/apps/CloudPINPage/run

Then finally the actual communication is done through this link: http://<TVIP>:8000/socket.io/1/websocket/

There appears to be some token generated. This script (tested on JU6400) is a request to http://<TVIP>:8000/socket.io/1/websocket/ to get the token and I am assuming uses that to communicate, but I was unable to get this working on my TV.

Method 3: uPnP

I am thinking that we might be able to send key commands via uPnP. If I look at http://<TVIP>:7676/rcr I think that I might be able to use the controlUrl to send these commands. Looking at the XML response from that link I see that the one action is "SendKeyCode". From what I have been able to google so far is that for the control link it is expecting a SOAP response (assuming where the key command would go).

I am unfamiliar with this so currently doing more investigation. I hope this helps, and hopefully get this working soon!

lucianf commented 6 years ago

nmap from a H6670 (2014 version with PIN-based auth):

PORT      STATE SERVICE
7676/tcp  open  imqbrokerd
8000/tcp  open  http-alt
8001/tcp  open  vcom-tunnel
8080/tcp  open  http-proxy
8443/tcp  open  https-alt
15500/tcp open  unknown

With samsungctl==0.7.0 when I send any command (e.g. samsungctl --host tv --method websocket -v KEY_VOLDOWN) I get Error: Operation now in progress and nothing happens on the tv. With version 0.6.0 I don't get any error (it just says Sending control command) but again nothing happens on the tv.

johntdyer commented 6 years ago

Not sure if this helps but my JS9000 has the following ports open

💥  samsungctl  (master)  nmap -Pn -p1-65535 192.168.100.213

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-05 11:59 EST
Nmap scan report for localhost.home.local (192.168.100.213)
Host is up (0.021s latency).
Not shown: 65521 filtered ports
PORT      STATE SERVICE
7236/tcp  open  display
7237/tcp  open  pads
7676/tcp  open  imqbrokerd
7677/tcp  open  sun-user-https
7678/tcp  open  unknown
8000/tcp  open  http-alt
8001/tcp  open  vcom-tunnel
8002/tcp  open  teradataordbms
8080/tcp  open  http-proxy
8187/tcp  open  unknown
9090/tcp  open  zeus-admin
9197/tcp  open  unknown
9999/tcp  open  abyss
15500/tcp open  unknown

Results

samsungctl (master) samsungctl --host 192.168.100.213 -v KEY_VOLDOWN
Error: Connection refused

Lachris100 commented 6 years ago

I got the following for my JS8000, hope it gives something: (2015 version with PIN-based auth)

@Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-07 22:48 Rom, normaltid
Nmap scan report for XX.X.X.XX
Host is up (0.0038s latency).
Not shown: 8285 closed ports
PORT     STATE SERVICE
7236/tcp open  display
7237/tcp open  pads
7676/tcp open  imqbrokerd
7677/tcp open  sun-user-https
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8002/tcp open  teradataordbms
8080/tcp open  http-proxy
9080/tcp open  glrpc
9197/tcp open  unknown
9999/tcp open  abyss

Also get a Error: Connection refused
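The categorisation of models by open ports proposed above can be done mechanically. The Python below is an added example, not part of the original thread or of samsungctl: it parses four of the nmap tables posted in the comments above and reports the ports open on every scanned model and the ports seen on only one series. Taking the first letter of the short model name as the series is an assumption of this example.

```python
import re

# nmap tables copied from four comments in this thread, keyed by the model named there.
# The scans were run with different nmap options, so a port missing from a table
# means "not reported open", not "closed".
SCANS = {
    "HU7500": """
6000/tcp filtered X11
7011/tcp open     talon-disc
7676/tcp open     imqbrokerd
8000/tcp open     http-alt
8001/tcp open     vcom-tunnel
8080/tcp open     http-proxy
8443/tcp open     https-alt
8889/tcp open     ddi-tcp-2
""",
    "H6670": """
7676/tcp  open  imqbrokerd
8000/tcp  open  http-alt
8001/tcp  open  vcom-tunnel
8080/tcp  open  http-proxy
8443/tcp  open  https-alt
15500/tcp open  unknown
""",
    "JS6900": """
7676/tcp open  imqbrokerd
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8002/tcp open  teradataordbms
8080/tcp open  http-proxy
9999/tcp open  abyss
""",
    "JS8000": """
7236/tcp open  display
7237/tcp open  pads
7676/tcp open  imqbrokerd
7677/tcp open  sun-user-https
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8002/tcp open  teradataordbms
8080/tcp open  http-proxy
9080/tcp open  glrpc
9197/tcp open  unknown
9999/tcp open  abyss
""",
}

ROW = re.compile(r"^(\d+)/tcp\s+(\S+)", re.M)

def open_ports(table):
    """Ports nmap reported as open; 'filtered' and 'closed' rows are ignored."""
    return {int(port) for port, state in ROW.findall(table) if state == "open"}

def series(model):
    # Assumption of this example: the first letter of the model name is the series.
    return model[0]

def summarize(scans):
    """Return (ports open on every model, {series: ports seen only on that series})."""
    ports = {model: open_ports(table) for model, table in scans.items()}
    common = set.intersection(*ports.values())
    markers = {}
    for s in {series(m) for m in ports}:
        own = [p for m, p in ports.items() if series(m) == s]
        others = set().union(*(p for m, p in ports.items() if series(m) != s))
        # Open on every scanned model of this series and on none of the other models.
        markers[s] = set.intersection(*own) - others
    return common, markers

if __name__ == "__main__":
    common, markers = summarize(SCANS)
    print("open on every model:", sorted(common))
    for s, found in sorted(markers.items()):
        print(f"only on {s}-series:", sorted(found))
```

With only two models per series the series-only ports are a hint for where to look, not a fingerprint; more tables make the split more reliable.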

riemers commented 6 years ago

@Ape perhaps you can setup a discord channel, so that we can combine resources there. I don't mind creating a wiki with the supported models, what type and what ports are open etc etc.

Ape commented 6 years ago

@riemers Please collect the data here: https://github.com/Ape/samsungctl/wiki

riemers commented 6 years ago

I will, but I do notice something. That guy that made the windows app, at some point I found this post of his: https://github.com/timelery/Samsung-RemoteControl/issues/1#issuecomment-274946759 that means he is using a dll from the smartview app so he doesn't have the protocol itself it seems. So if I read it correctly it would be impossible to implement since your tool needs to create/decrypt etc. (nothing is impossible, but it would be more tricky than initially thought of)

Walek001 commented 6 years ago

I found samsung sdk with support for I think most of 2014+ samsung tvs, but they only provide android , iOS and JS libs.

http://developer.samsung.com/tv/develop/extension-libraries/smart-view-sdk/introduction

eclair4151 commented 6 years ago

@riemers but the app myTifi on iOS is able to connect to my tv that has a 4 digit pin. i asked the developer and he said he reverse engineered it himself. i think the best bet is to decompile this app on android : https://play.google.com/store/apps/details?id=com.samsung.smartviewad&hl=en the official samsung smart view app and see how that does it. im looking into it now to see if i can figure some things out

johntdyer commented 6 years ago

@eclair4151 The developer won’t share the protocol ?

eclair4151 commented 6 years ago

@johntdyer nope, I asked the developer of myTifi and the developer of this app on android https://play.google.com/store/apps/details?id=wifi.control.samsung&hl=en which also supports the pin encryption.

Both said they wouldn't share anything with me. I ran MITM on both their apps and they both go as far as running all encryption for the app on their own server to avoid users decompiling their apps to figure out how they do it. For example, on myTifi it makes requests like these

POST https://tvpairing.azure-mobile.net

{"id":"eebd7b00a22f4f018fc62d8122ed504e","auth":"010100000000000000009E00000006363534333231FF5834E835A9A8E674CBAB066B762A9F663A5BB73B03941F445207AB5B72B3AAE795CFE162363F024B4C0FD4A654C371539DA1697E7787D44E73E1829AEC77B71A288C6A94E1A11B33B35A93CECFFADAEDC684F573E251F3E144CC4289111AC4D699F62218FC2B89AFC81FC82B515BC25BABEDCD5E2FE29039347862D6FA8044AF4995F2D830BC1C1E3845A721307555FE0A43E60000000000","step":2}

{"pin":"5307","step":2,"udid":"666AB1A7-C764-4CB6-A42D-F1B6A968B722","auth":"010100000000000000009E00000006363534333231FF5834E835A9A8E674CBAB066B762A9F663A5BB73B03941F445207AB5B72B3AAE795CFE162363F024B4C0FD4A654C371539DA1697E7787D44E73E1829AEC77B71A288C6A94E1A11B33B35A93CECFFADAEDC684F573E251F3E144CC4289111AC4D699F62218FC2B89AFC81FC82B515BC25BABEDCD5E2FE29039347862D6FA8044AF4995F2D830BC1C1E3845A721307555FE0A43E60000000000","id":"eebd7b00a22f4f018fc62d8122ed504e","version":"AAAAAARLiyw=","createdAt":"2017-11-12T22:50:56.163Z","__updatedAt":"2017-11-12T22:50:58.601Z"}

The other app does basically the same thing. I am currently trying to reverse engineer the official app, which handles all encryption locally, to figure out how they do it. But they have self-signed SSL certs on the TV and the apps are doing SSL cert pinning to make sure you aren't doing a MITM attack to see what it is doing. I am currently trying to modify the APK to disable SSL pinning and see how they do all the encryption stuff. It's taking a while though haha, will update you as I figure stuff out.

jonny190 commented 6 years ago

Can the openhab implementation not be used as that's seems to work?

eclair4151 commented 6 years ago

Hmm I’ve never heard/tried that before. Does it work for you?

jonny190 commented 6 years ago

It works for me, but it also prompts for pin Auth

johntdyer commented 6 years ago

jeeze, we’re talking about pairing with a TV from 2015, why the secrecy on this protocol for a free app... anyways... thanks for your work, hopefully you crack it

eclair4151 commented 6 years ago

@jonny190 I don't think it works. i tried it and no success. it even says in the notes on the github page:

"Note: New models (H-Series TV´s like e.g. UEH5570 ) use a different (encrypted) protocol; they are not yet supported by this binding."

eclair4151 commented 6 years ago

Update: well this is going to be a bit more complicated. i decompiled and see whats going on in the app. if you decompile the samsung smart view app and go to class /com/sec/android/app/qwertyremocon/rccore/TvRemoconApi.java

thats where they are doing everything with websockets and connections. unfortunately in that class to handle all encryption they call methods that they wrote in c++ using the JNI in these files

Binary file ./lib/armeabi/libpairinglib-jni.so
Binary file ./lib/armeabi/libRemoteApi.so

In these classes is compiled C++ which handles all encryption. I'm no expert at C++ and assembly, so I'm going to need more help to get any farther from someone who knows that stuff better. The only thing I can tell from it is that it uses a 128-bit AES encryption scheme for all communication.

Update 2: I found this one line that looks pretty promising.

EncryptedMessage = PairingObj.EncryptHttpBodyMsg(getPairingResponse().session_key.getBytes(), mMessage.getBytes(), mMessage.getBytes().length);

this calls a c function called EncryptHttpBodyMsg but we know it just involves encrypting the message with the session key. after more debugging the message format is this: Normal,KEY_0,false

Then it sends it as an HTTP command to http://" + TV_IP + ":" + Integer.toString(TV_PORT) + "/ws/remote/keys with the session id and device id in the header and the post data as the encrypted message.

im trying to see if i can debug to get the session_key and see if i cant just try a bunch of standard encryption protocols so see if i get lucky and can figure out what they are doing (hopefully its just aes 128)

riemers commented 6 years ago

I am no pro coder or anything but i can do a MITM on any ios app, assuming you tried android apps so far. I'll see if i can find any apps on ios that can do remote to the t.v. too. See if i can help in that part.

JustABlip but i cannot test that really since you can only find it in the u.s. store. (nvm read on the site that H is not supported)

@eclair4151 See https://github.com/aclytle/samsung_tv_ip_remote perhaps its of some use to you. SmartRemote for IOS does have pin support too for all newer models. Remotie 2 for IOS also pin support.

I tried to use Charles proxy on the mac but it cannot find the t.v. anymore if i sit in between, still trying some things.

riemers commented 6 years ago

I have updated the wiki with supported models, i only added the series, if there is some difference in it, let me know but i just checked some pages openhab, home assistant, domoticz etc to find a list of devices that did and didn't work. See https://github.com/Ape/samsungctl/wiki/Supported-Models

riemers commented 6 years ago

@eclair4151 i managed to get in between and see some information back and forth. samsung-H.zip its a Charles export. Perhaps its of some use (its from start to pairing to clicking on the remote)

As far as i can tell it uses port 7676 to check what services the device has. On port 8080 it does the pin pairing and on port 8000 it has a json polling connecting on which it sends the information to talk to the t.v. Sadly i cannot see those commands over the line.. either way similar to what https://github.com/Ape/samsungctl/issues/22#issuecomment-341980253 said.

Update: i did the same for mytifi just to check, but i could see all the calls they did (to their server) i have added the export of that too. Perhaps its of some use for someone. tvpairingmytifi.zip

eclair4151 commented 6 years ago

@riemers Thanks. i have these network requests from Charles already. The biggest problem is that in the post to http://:8080/ws/pairing?step=1&app_id=&device_id=

It's already hashed or encrypted in some way, so network requests aren't really helping me haha. We need to dig down into the source to see how they are generating these codes. As for the commands sent, they are sent over web sockets which my Charles instance can't see either. I was able to view it in just plain Wireshark though, which makes me confused because in the Java it looks like it's somehow sending the commands over HTTP... but when I run it, it's sent over WS. Very confusing.

riemers commented 6 years ago

Doesn't that fall under http upgrades, that upgrade the http call to WS:// call instead? In your browser it would be a ws:// call instead of http. (as far as i know, i could be wrong) so bottom line is that we need to know how that is encrypted.

But are you referring to the socket.io call like this one:

3i9rfqHwDixfa5C7AQFH:60:60:websocket,htmlfile,xhr-polling,jsonp-polling

That encryption?

eclair4151 commented 6 years ago

well thats not the encryption. thats just the token i think. in order to send the pin back to the tv it makes a call post to http://:8080/ws/pairing?step=1&app_id=&device_id=

with the data like this. this is the pin that has been hashed or encrypted in some way

{"auth":"010100000000000000009E00000006363534333231FF5834E835A9A8E674CBAB066B762A9F663A5BB73B03941F445207AB5B72B3AAE795CFE162363F024B4C0FD4A654C371539DA1697E7787D44E73E1829AEC77B71A288C6A94E1A11B33B35A93CECFFADAEDC684F573E251F3E144CC4289111AC4D699F62218FC2B89AFC81FC82B515BC25BABEDCD5E2FE29039347862D6FA8044AF4995F2D830BC1C1E3845A721307555FE0A43E60000000000"}

riemers commented 6 years ago

I see now.. the only thing that we can see is that "010200000000000000008A00000006363534333231" is always at the start also ends with 0000000000. Only need to know what is in the middle, i tried online https://www.onlinehashcrack.com/hash-identification.php but nothing came up sadly. Running the pairing again always gives you a new hash.

I mailed Smart Remote, Remotie 2 and SamMote asking if they could give a hand. Doesn't hurt to try right? 👍

eclair4151 commented 6 years ago

Yea, it's some custom encryption thing. I have a new theory of how they all do it and I'm pretty confident. None of them figured out the encryption. After looking into it I am now almost 100 percent sure the reason they all do it on private servers isn't to stop us from figuring it out. It's because they have no idea how the encryption works and are using this

https://github.com/timelery/Samsung-RemoteControl

the same thing they just pulled the encryption dll from the windows sdk and are making calls directly to it on a server and supplying the commands back to the mobile apps. ill keep looking but maybe we should be considering taking the compiled dll or so files and finding out how to just call it directly from python

something like this https://docs.python.org/3/library/ctypes.html

riemers commented 6 years ago

Did you check the gist from the other thread? https://gist.github.com/imbrianj/77c51bf029148ec166b9f74b4e7a9160 ? He tried base64, but i doubt that is the one..

And indeed, it might be that simple. Although some apps don't use external tools. I did see in the MITM that another one was using a amazon server to get the string but others didn't so perhaps there is still some small hope. (Samsung smart view app works, perhaps somewhere there?)

Update: had a reply from sammote (quick) and they also use the same trick. They had no luck in reversing. He indicated that most others also use the same thing.

eclair4151 commented 6 years ago

Yea that js file is only for the new 2017 WS stuff. as for the smart view app thats the one im working on but its the one that has the .so files which are just compiled C which it calls so its very hard to reverse engineer unless someone has hex rays and the ARM add on handy which is like a couple grand haha. yea i imagine every one is doing that trick. did he say if he is using that dll from the other library

riemers commented 6 years ago

He was using the dll from the windows samsung remote.

eclair4151 commented 6 years ago

Ok. I’m going to see if I can quickly get A POC working from the dll in python

riemers commented 6 years ago

If you can do that, i just always thought dll's is just windows and a no-no to work with linux

eclair4151 commented 6 years ago

I think it’s possible. I’m going to see if I can figure it out. I highly doubt all the servers everyone is using are windows servers