Open Random-Stack-Random-Day opened 7 years ago
It's possible to use the DLL on linux with mono, as we do
If only we could find a samsung dev that would just say the magic ;) And hi there SamMote đź‘Ť
Ok this is what we do (i'm looking our source code, maybe i will miss something, tell me if it's the case)
TVID
(you will need it later). (UUID format)Step 1: GET - http://<TVIP>:8080/ws/apps/CloudPINPage
-> Test if the PIN Page is already displaying on TV. Close if needed (as we re-open it later)
Step 2: POST - http://<TVIP>:8001/ms/1.0/
POST: {"method":"ms.device.getInfo", "id":"<TVID>", "jsonrpc":"2.0", "params":{}}
-> You will get some infos, like capabilities, model (...): You will need it, as some models don't have the 'smart' capabilities (and, btw, no remote)
Step 3: POST - http://<TVIP>:8080/ws/apps/CloudPINPage
POST: pin4
-> You will get the PIN on the TV screen.
Step 4: GET - http://<TVIP>:8080/ws/pairing?step=0&app_id=<some_app_id>&device_id=<TVID>&type=1
-> Init the crypto, will reply with empty {"auth_data":""}
Step 5 (DLL): Call GenerateServerHello(pincode)
-> Get CODE1
Step 6: POST - http://<TVIP>:8080/ws/pairing?step=1&app_id=<some_app_id>&device_id=<TVID>
POST: "auth_Data":{"auth_type":"SPC","GeneratorServerHello":"CODE1"}
Step 7 (DLL): Extract, from the reply of STEP 6, requestId
and GeneratorClientHello
.
Call ParseClientHello(pincode, GeneratorClientHello)
Call GenerateServerAck()
You will now have requestId
and the result of GenerateServerAck()
Step 8: POST - http://<ip>:8080/ws/pairing?step=2&app_id=<some_app_id>&device_id=<TVID>
POST: "auth_Data":{"auth_type":"SPC","request_id":"<requestId>","ServerAckMsg":"<GenerateServerAck>"}"
-> You will get session_id
, it's for the Websocket session !
Step 9 (DLL): Concatenate "<requestId>,<serverAckMsg>"
in a String (note the comma)
Call ParseClientAck(concatenatedString)
call GetKey()
-> Hey ! This is the key for the websocket encryption !
Step 10: DELETE - http://<TVIP>:8080/ws/apps/CloudPINPage/run
You are now logged and have all you need for the Websocket session. You can send commands and get services, like EPG infos or list of channels.
Note, it's not finished for you, but a last hint: The websocket session are encrypted with AES128. You will get the key for the AES encryption in the step 9.
Good luck !
Thanks that’s very helpful. For the aes I think I already found that out but I’m not sure I think it’s Normal,KEY_0,false Encrypted with the key. But it could be something else
@eclair4151 You mean for sending remote key via websocket ?
Yea. Although from that response I’m guessing I was looking at the wrong thing haha
Yes i think too :)
This is what i send (before encryption) for the mute key:
{"method":"POST","body":{"plugin":"RemoteControl","param1":"ZPCNHA5IU7SK4","param2":"Click","param3":"KEY_MUTE","param4":false,"api":"SendRemoteKey","version":"1.000"}}
Btw, the Remotie2 app does the same, also use that dll (got reply back)
damn. i was able to decompile their arm c libraries from the android app and even they are obfuscated beyond belief https://pastebin.com/gugVHEMp
i can export it all but i imagine you would need someone amazing at c to understand wtf is going on this is just part of step 1
Are there any other apps/dll's you can decompile, that might be 'easier' ? I'll ask around in my network if someone has knowledge about it. (as in, can decrypt C)
The only option are the dlls which are even worse, those arm libraries from android or the iOS libraries. I pulled the app file off my jailbroken iPhone and am trying to run it the the hopper disassembled to see if I can get anywhere. Other than that I can’t think of any other app or program that we could access. The best bet for us would have been if they had some c library that was compiled for x86. Then we could just call that, but the mobile apps are compiled for ARM and the dlls use .net so we would need mono on any computer that wanted to use it. Do we know of any other application that has access to it that we could try?
Is there any official channel / SDK from Samsung we could explore ? Where did the original dll come from ?
Im not sure. i asked the guy who originally got them but he hasnt responded.
maybe he got it from here http://developer.samsung.com/tv/develop/tools/tv-extension/archive/
but these have options for mac/ linux so im not sure.
just downloaded this http://developer.samsung.com/tv/develop/tools/tv-extension/download the ubuntu version. just started looking around but maybe we will get lucky
@johntdyer i found where the drivers are from. http://www.samsung.com/us/apps/smart-view-2/
its from their windows remote control app. available on windows only :(
I asked a friend who has a contact at Samsung if he could help. Can't hurt to try.
Update: i was able to pull the decrypted ipa of my jailbroken phone and run it through the hopper disassembler. its just of obfucated... https://pastebin.com/DqJi1EL5
but its funny because it has this hard coded reference /Users/a.shvetsov/Desktop/DEV-SecurePairing-a.shvetsov/SecurityLib/libSource/Src/SPCApi.cpp
if only this a.shvetsov guy could help us :)
im starting to think our best bet is to just use one of the existing encryption apis from one of the remotes already out there. and hopefully they just dont mind us using it lol
not sure if this is any help on port 8081 instead https://github.com/mmende/homebridge-samsungtv-control/issues/1#issuecomment-253145913
Awesome to see this effort here. Let me know if there is anything I can do to help. I am not afraid to try stuff on my TV even if there is risk of bricking it. Been developer for past 25 years and have a lot of experience so maybe I can help out here. TV model is 'UN40H5203'.
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-20 15:12 EST
Nmap scan report for tv (192.168.1.17)
Host is up (0.021s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
4443/tcp open pharos
7011/tcp open talon-disc
7676/tcp open imqbrokerd
8080/tcp open http-proxy
8443/tcp open https-alt
9080/tcp open glrpc
@raydog153 Hey, thanks for your interest. at this point there is not much to be done. We know how everything works, and the blocker is figuring out their encryption scheme. we would need someone who is amazing at low level C to figure out what they are doing. If anyone wants i can export the full decompiled libraries from the windows dll, Android ARM c libraries, or the iOS c code. You can see some samples of what it looks like here:
iOS: https://pastebin.com/DqJi1EL5 Android: https://pastebin.com/gugVHEMp Windows dll: https://pastebin.com/vNFtxwtk
My next step is this weekend im going to try and add compatibility by using the existing servers that use mono to directly call the dll's encryption library.
@eclair4151 if you can paste the full too, and friend of mine wanted to take a look but was asking for IPA? Don't know all the parts.
Sure. Does he want the full IPA that was decrypted with Clutch, or just the dumped disassembly once its run through Hopper.
That is a good question, perhaps you can chuck it both onto a dropbox or something similar.
sure. ill do that later tonight
I've done a lot of low-level c programming back in the day...thou encryption is not my one of my strengths...still I'll take a look. I would assume they are using standard encryption algorithms and handling for which I am familiar with. Are they using SSL/HTTPS ports at all? I ask because I see that 2 of my ports open are for SSL. Usually with encryption thou you need a secret key and sometimes they even combine that with a salt. This is probably one reason for needing a server....so long as you know how the encryption is done and is the same on client/server.
So we know they use AES128 for encryption. Anything else we know? They must be passing base64 encoded values for the encryption...or is that only for the non-encrypted code path? Do we know what the AES encryption mode (CBC ECB CTR OCB CFB) being used is? I would assume these are using CBC.
@raydog153 SSl looks to be supported by some calls but is not required. all calls we have been making are without ssl and they have been working fine. As for the encryption we really have no idea. If they are using standard encryption they must be using a salt or something crazy because when you send the 4 digit pin it gets turned into a 200 character string. As far as i can tell they arent using base64 anywhere in the encrypted communication.
@riemers here are the files : https://drive.google.com/open?id=1UmflFlh6dBLQ0en4f6RnOgECIgO85qN6
in there is the ipa as well as the extracted app that goes into hopper
i only have the demo version of hopper so i cant export anything. but he just get the demo of hopper and import it
Running step 1 'GET - http://\
<?xml version="1.0" encoding="UTF-8"?><service xmlns="urn:dial-multiscreen-org:schemas:dial" xmlns:atom="http://www.w3.org/2005/Atom"><name>CloudPINPage</name><options allowStop="true"/><state>stopped</state><atom:link rel="run" href="run"/></service>
Indicating something is stopped and has href to 'run'. Wouldn't 'GET - http://\
Seems like I need to enable something first. There is header returned 'API-Version: v1.0'.
A get 'http://\
I got the PIN page on TV to display by manually running step 4...but none of the mobile apps invoke the PIN page on TV....why is that?
If I add query param '&type=1' then the PIN page is not shown on TV, but if I change to '&type=0' PIN page is again displayed. Why are we using type=1 in step 4?
If you look at my post, the app does ask for a pin. Make sure you delete your old keys on the tv too, I always got the pop up as long as you use one of the apps that use the dll trick.
@riemers As I said, the app asks for a PIN, but I never see PIN page on TV...no app has ever triggered that, not even any version of Smart View. Only manually running step 4 with or without other steps gets PIN page on TV to show. If I run it again it closes and opens new PIN page with a new PIN.
Also there is no place in my TV menu that allows me to delete old keys.
Hmm thats odd. what model tv do you have? maybe its some network config thing? i have no idea.
TV model is 'UN40H5203'. As I noted above, using type=1 for step 4 does not show the PIN page on TV, but using type=0 does. Perhaps the type is for PIN vs Allow/Deny page and depends on which model?
I'm sure people have seen this, not sure it helps: http://developer.samsung.com/tv/develop/legacy-platform-library/art00030/index There is comment in there 'When the user selects Allow , the TV sends an Authentication Success response message to the mobile device'. Hence indicating authentication support PIN vs Allow/Deny which most likely is based on model.
I keep getting step number wrong in my comments, updated my comments, but had mentioned step 3 by mistake and meant step 4. I'm only doing GET request and that invokes the PIN page on TV. i.e....
Step 4: GET - http://
Oh....there are 2 sets of steps and I must be referring to wrong set from time to time....as I jump around the comments. I'm sure this is confusing depending on which set one is also viewing.
Hello everyone. I spent some time reading through this thread and it sounds like everyone is beginning to reach the same conclusion I did back in 2016. The encryption is not open source and for that I relied on the dll that shipped with smart view 2. Its definitely wrapped c++ and for that we will never get to the source. Last time I researched it back in 2016 Samsung did not open this up and release it. I spent a significant amount of time decompiling various mobile apps before ultimately using the dll. Nothing I found had the magic sauce.
Wrapping the dll for use by python, Java, and other languages should assist in accomplishing the various goals for the time being.
If there is anything I can do to expand on the command line app I built please let me know. I am glad to see it is proving useful.
Happy holidays!
https://github.com/timelery/Samsung-RemoteControl
Tim
Aside from using the dll in the old smart view app, maybe Samsung has provided more insight with newer apps such as,
https://www.samsung.com/us/explore/connect/
Has anyone decompiled this or similar?
Tim
@riemers @timelery just made this proof of concept here: https://github.com/eclair4151/samsung_encrypted_POC/tree/master
its pretty rough right now but it pairs and send the volume down key
also @timelery i tried looking into the samsung connect app. it actually only supports 2016 tvs and newer so it doesnt have any of the encrypted stuff in it.
Background: Samsung has equipped the H and J devices in part with Tizen, the new platform generation. Officially this is done since September. We are now seeing a mix of different generations of devices at home, with many devices supporting more than one version.
There are 2 Apis (plus one Api for F-Series and earlier), which used to run parallel on the H and J series. It seems that they have now been separated and each series supports only one of the two Apis - each one different. With the H-series Samsung has switched off with the update of the firmware from 26xx to 27xx one of the Apis, which is why Smartview 2 with the H series then no longer works. Smartview 2.0 is now only with the J-series.
@eclair4151 That proof of concept helps a lot...
Does anyone understand the different values for 'type'? Based on my earlier comment, I feel like after I authenticate my session I should be using a different API/port based on the tv model. Is there a different version of the websocket API that one runs on either port 7676, 8080, or 9080?
I can confirm that it works on UE32H4500. can you share with us the server part ?
@marius1968 its not actually mine. i just am using the one from this app i got from wireshark https://itunes.apple.com/us/app/remotie-2-samsung-tv-remote/id1250882919?mt=8
All they are doing is using this app https://github.com/timelery/Samsung-RemoteControl on the backend and calling the dll using mono to run the encryption parts
@eclair4151 , @timelery, guys, Can you help us with a server-side script implementation?
I can also confirm eclairs4151's script pairs up and works great with my UE65JU6500. Amazing work, guys!
I confirm too that it work with my UE48H6200, great! But I have to wait about 1 minutes after power ON to send commands. seems that ioserver is not immediatly available :-/ ... Do you have the same problem?
As long as we cannot make something locally it would not have much use in a library since it would require internet. (and it would require a always on server) the latency between commands with having to go to a external server doesn't make this any faster too. (just my 2 cents)
@riemers Thanks for your response, but I have 'cut' gateway ip address and DNS ip address to block internet access on my TV. Eclair4151 's script works in local mode then you have 'registered' once a valid key on internet.
@kitsen13 still requires you to have internet and need something to be online forever. Perhaps we can use a tiny free server somewhere but i prefer to just use a docker image to do something locally.
Edited by @Ape: I hijacked this issue to collect all instances where some random TV model does not work, but we don't know what is the cause or how it could be fixed. Some TV models might not simply support TCP/IP control at all, and some models may require a whole new protocol. When you have techinical details about a specific case that could be fixed please open a new issue.
Original message: I'm wondering if anyone can confirm if this works for their JS9000 or H5203? Getting 'Connection refused' from the 9000 and no response from the 5203.