Ape / samsungctl

Remote control Samsung televisions via a TCP/IP connection
MIT License

Some TV models are not working #22

Open Random-Stack-Random-Day opened 7 years ago

Random-Stack-Random-Day commented 7 years ago

Edited by @Ape: I hijacked this issue to collect all instances where some random TV model does not work, but we don't know what the cause is or how it could be fixed. Some TV models might simply not support TCP/IP control at all, and some models may require a whole new protocol. When you have technical details about a specific case that could be fixed, please open a new issue.


Original message: I'm wondering if anyone can confirm if this works for their JS9000 or H5203? Getting 'Connection refused' from the 9000 and no response from the 5203.

scottgrobinson commented 6 years ago

@eclair4151 Sounds reasonable. I'm no expert with the samsungctl module but my Python isn't terrible either, so I'll take a look as I've got access to an H series. I wasn't able to find any app though - can you confirm and I'll get wiresharking with it and see what I can find!

scottgrobinson commented 6 years ago

Just for 'completeness' I've uploaded the output of debug.py following a TV reboot.

https://pastebin.com/5P2WS2G4

lucianf commented 6 years ago

I think @eclair4151 means the Samsung Smart View 2 app. Alternatively there's myTifi which also handles the pairing just fine.

scottgrobinson commented 6 years ago

@lucianf Great - Thanks. I'll give both of those a try. Will probably be a few days before I can get anything meaningful but will let you know results.

eclair4151 commented 6 years ago

Oh, it's crashing before it even starts the websocket connection. It's while getting the URL /socket.io/1/?t=XXXXX. The connection is refused. This might sound weird, but try waiting longer before trying to make a request after a reboot. Maybe you are requesting the URL before the internal server has started up or something. Also, maybe it would work if we save the response from the previous socket.io call and try making a connection to the same URL. I assumed they were one-time use, but maybe not.

timelery commented 6 years ago

Regarding the wrapped library that we are using for encryption and decryption: right now we are using the DLL that sits on the back of the Windows Smart View app.

If utilization of a DLL does not make sense, we can use a Java native/shared library file that sits on the back of the Samsung Android Smart View client. I am sure the interfaces are very similar. They probably took the same underlying C code and wrapped it under an SO just as they did under the DLL. This won't afford anything in my opinion, but if someone is trying to build an app that does not play well with a Windows DLL, maybe they can interface with a Java SO file. The SO file is attached here.

I took a stab at disassembling this SO file in IDA but it was useless. They did a very good job at hiding the secret sauce.

eclair4151 commented 6 years ago

I also used IDA to open the SO file, and yeah, it's pretty unreadable. The problem is that the SO file is only compiled for Android on ARM, so you won't be able to hook into it on any x86-based computer.

flashydave commented 6 years ago

On 11:42, Wed 03 Jan 18, Tomer Shemesh wrote:

I also used IDA to open the SO file, and yeah, it's pretty unreadable. The problem is that the SO file is only compiled for Android on ARM, so you won't be able to hook into it on any x86-based computer.

QEMU under Linux can emulate various ARM CPUs, or maybe a Raspberry Pi?


scottgrobinson commented 6 years ago

@eclair4151 Tested this morning and yes, I was just being impatient. Worked again with the same key. Your branch of samsungctl worked without issue too.

The internal webserver taking upwards of a minute to start up is problematic for me and my use case so I'll have to investigate potential other solutions at the same time :(

openmotion commented 6 years ago

Hello, I have this response when I launch the command python main.py

Enter TV Pin: xxxx
Traceback (most recent call last):
  File "main.py", line 49, in <module>
    enc_key = r.json()['session_key']
KeyError: 'session_key'

"the frame" UE55LS003

scottgrobinson commented 6 years ago

Ensure you are running python 3 or run:

python3 main.py


openmotion commented 6 years ago

I executed the Python script with Python 3 (Arch Linux).

orzechszek commented 6 years ago

Is it possible to read the state of the source, e.g. if it's HDMI1 or HDMI2?

misterx commented 6 years ago

I have found a JS encryption implementation. Download the APK https://play.google.com/store/apps/details?id=com.peel.samsungtv, extract the file /assets/index.android.bundle and search for generateServerHello. It looks like this is ported official Samsung code, because I see other functions such as parseClientHello, generateServerAcknowledge, parseClientAcknowledge. I have a problem understanding the function that can be found by searching for function e(e,r,a,t), which is used in the final encryption phase for PIN hashing. By the way, you can run this script in a browser (with a small modification) and it will work.

Ported to Node.js: https://runkit.com/embed/fpdrxai6m8xt

eclair4151 commented 6 years ago

Well shit. I'm looking at it now. It looks like he was able to port/reverse engineer the code into JS. @timelery

scottgrobinson commented 6 years ago

Is anyone able to share as I don't have an android phone to hand at the minute. Details are on my profile if you want to email but can look at converting that over to python if all looks OK in the JS.


eclair4151 commented 6 years ago

@scottgrobinson Yeah, posting it now.

flashydave commented 6 years ago

Me too. I am not surprised you can't work out what the function is doing. I will see if I can single step it in a debug session. Great detective work btw!

eclair4151 commented 6 years ago

https://github.com/eclair4151/SamsungEncryptionJS

misterx commented 6 years ago

The first part of the function is very simple: it just encrypts a hardcoded message with AES-128-CBC, using SHA(pin) as the key, without an IV (zero IV). The second part has a specific algorithm and is very obfuscated, which makes it hard to port.
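
Added example, not part of the comment above and not code from the thread, the Peel bundle or Samsung: the construction described there (AES-128-CBC, key derived from the PIN, all-zero IV) produces byte-identical output every time for the same PIN, shown next to a salted, random-IV variant. The message, the PIN values and the reading of "SHA(pin)" as SHA-1 truncated to 16 bytes are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed placeholder: the real hardcoded message is not given in the thread.
const FIXED_MESSAGE = Buffer.from('constructed-placeholder-message!');

// Assumption: "SHA(pin)" means SHA-1, truncated to the 16 bytes AES-128 needs.
function pinKey(pin) {
  return crypto.createHash('sha1').update(pin, 'utf8').digest().subarray(0, 16);
}

// Construction as described: AES-128-CBC, PIN-derived key, all-zero IV.
function encryptAsDescribed(pin, message = FIXED_MESSAGE) {
  const cipher = crypto.createCipheriv('aes-128-cbc', pinKey(pin), Buffer.alloc(16));
  return Buffer.concat([cipher.update(message), cipher.final()]);
}

// Contrast: salted scrypt key, random IV, authenticated mode (AES-128-GCM).
// A short PIN is still a low-entropy secret; this only removes the determinism
// and adds integrity checking.
function encryptRandomized(pin, message = FIXED_MESSAGE) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-128-gcm', crypto.scryptSync(pin, salt, 16), iv);
  const ct = Buffer.concat([cipher.update(message), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

function decryptRandomized(pin, { salt, iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-128-gcm', crypto.scryptSync(pin, salt, 16), iv);
  d.setAuthTag(tag); // final() throws if the ciphertext or tag was altered
  return Buffer.concat([d.update(ct), d.final()]);
}

function demo(pin = '0000') { // constructed PIN
  const a = encryptAsDescribed(pin);
  const b = encryptAsDescribed(pin);
  const r1 = encryptRandomized(pin);
  const r2 = encryptRandomized(pin);
  return {
    describedRepeats: a.equals(b),          // same PIN, same bytes every run
    randomizedRepeats: r1.ct.equals(r2.ct), // fresh salt and IV each time
    roundTrip: decryptRandomized(pin, r1).equals(FIXED_MESSAGE),
  };
}

console.log(demo());
```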

timelery commented 6 years ago

Nice work. I will take a look at the code myself this evening.

orzechszek commented 6 years ago

Hi, does anybody know if I can somehow read the state of the TV source?

eclair4151 commented 6 years ago

@orzechszek No, not with this library at least. For future reference please create a new issue.

Mcgurk125 commented 6 years ago

After spending time building an IR blaster and using LIRC to control my new Samsung TV via Google Home (which happens to work fairly well) I found this! Tried it last night and it worked really well for basic remote presses. The app (Samsung Smart View) seems to have the ability to launch applications on the TV (Netflix, Amazon, Plex etc.). I was wondering if it would be possible to do this via this module? I was hoping to go home and MITM the app to work it out, but having read this thread it doesn't sound as easy as first thought. Do you guys think this will be possible? Awesome work btw! @eclair4151

misterx commented 6 years ago

Guys, I've found interesting links to good JavaScript sources for Samsung 2014 and 2016 models in PeelRemote. They can be downloaded from https://s3.amazonaws.com/programmableremotes/TV/samsung/samsung2014-1.0.zip and https://s3.amazonaws.com/programmableremotes/TV/samsung/samsung2016-1.0.zip

eclair4151 commented 6 years ago

Oh nice. The 2014 lib has all the encryption JavaScript stuff, and it's actually formatted and readable. This will make it much easier to use.

misterx commented 6 years ago

@eclair4151 I think it's not difficult to create a simple console app in Node.js for pairing.

sectroyer commented 6 years ago

@eclair4151 Sent you an email, I played with this stuff for quite some time 😄

sectroyer commented 6 years ago

Okay, it took me a while but FULL handshake API reversed, reformatted and cleaned code. Info in this issue was also very helpful to finish what I started some time ago. Let me know in what form you would like to have this API prepared. Here is a sneak peek: https://ctrlv.it/id/94093/1569420340 😄

@misterx function e(e,r,a,t) is actually just a badly decompiled version of the SWAPv2_ProcNormal function, part of which I have attached above.

misterx commented 6 years ago

@sectroyer https://s3.amazonaws.com/programmableremotes/TV/samsung/samsung2014-1.0.zip this is the newest version, you can look at the SimpleTransform_ProcNormal function. BTW, I've tried to use this code in my test Node.js app and it is working fine. I mean the full pairing process without WS.

sectroyer commented 6 years ago

@misterx Yeah, it is okay, just horrible code. Written so badly that at first glance I didn't recognise it, but in reality SimpleTransform_ProcNormal is very similar to SWAPv2_ProcNormal 😄 Take a look: https://ctrlv.it/id/94125/4278079795 I worked on this pairing stuff some time ago but got bored and dropped it. This JS API does work but it is really, really poorly written 😞 Though when I combined it with my notes it was enough to do a little more reversing to develop the missing parts 👍 No idea what "WS" is but NOW my code also does full pairing: https://ctrlv.it/id/94129/2349222015 ATM it's written in C but I can port it to something else if needed 😄

misterx commented 6 years ago

@sectroyer The JavaScript code looks like it was ported from decompiled sources and the function names were left as is, which explains why the JS code is very poor. WS is WebSocket (the communication protocol after pairing).

sectroyer commented 6 years ago

@misterx Yeah, but after the decompilation such code requires cleaning or you end up with such blah-blah-blah-code 😄 I think the WS part is in samsungctl, only the crypto stuff needs to be added 😄 From what I see they simply encrypt SKPrime with the request number and that's used to auth requests 😄 The strangest thing for me was the AES part in parseClientHello. The OpenSSL implementation failed and got me an error LOL. Then I used a custom one on the basis of the SamyGO one and that worked. I think I got bad results even with the JS stuff in the browser, don't remember 😄

tdudek commented 6 years ago

@misterx thanks for posting the JS encryption code :-)

I can confirm, the code works as expected. I've successfully created a JS proof of concept which is working with my TV. You can find the code here: https://github.com/tdudek/samsung-remote-models-2014-and-newer

Crossing fingers it works with your devices as well as it does with mine. Please share your results.

riemers commented 6 years ago

Tested it with @tdudek's code, works for me too. If @Ape or anyone can bump this into samsungctl then we have what the thread started with completed 👍

But I already want to express my thanks to everyone for the effort in getting this done!

sectroyer commented 6 years ago

@riemers Well, no wonder it "does work". It's simply IDA decompiled code pasted into a JS file 😄 Instead of using some JS blob as part of the project, IMHO it would be best to implement the whole handshake as a Python module. Though as a PoC it's sufficient 😄

eclair4151 commented 6 years ago

@sectroyer I tried seeing if I could port it to Python when we first found it, for like 10 minutes, but quickly found it will be nearly impossible: https://github.com/tdudek/samsung-remote-models-2014-and-newer/blob/master/lib/Pairing/Encryption/index.js and https://github.com/tdudek/samsung-remote-models-2014-and-newer/blob/master/lib/Pairing/Encryption/bn.js

Taking a look at these 2 files, I don't see a way to do it without thousands of hours of work. For now we are probably better off using something like https://github.com/PiotrDabkowski/Js2Py and calling the important encryption methods in JS straight from Python.

riemers commented 6 years ago

Looked at those files and now noticed what you mean too. That's a bit much indeed for just a simple remote action. Tried the online version to translate the first index.js but that spit out an error though.

tdudek commented 6 years ago

Yep, it is the encryption code which was posted by @misterx above, almost as it is. Some parts are known libraries like bn.js (https://github.com/indutny/bn.js/) or asmcrypto.js (https://github.com/asmcrypto/asmcrypto.js), but the handshake code is pretty awful :(

eclair4151 commented 6 years ago

See, but this is what makes me think this isn't just code pulled from IDA and converted to JS. How would it have asmcrypto and BN in it? Unless they somehow converted the code and then were able to use those libs in place of what was there before from another language, which I'm guessing didn't happen. I think this JS lib may be from some other product we don't know of that works with Samsung TVs, which was written by Samsung, and they are the ones who obfuscated it etc., and this other person happened to find it and just pulled the JS code out of it and used it in their Android app.

sectroyer commented 6 years ago

@eclair4151 It's DEFINITELY "pulled from IDA" 😄 Just with some adjusting. They "quick fixed" the IDA output by changing the Samsung BN lib to BN and their crypto to asmCrypto. Though such code should be rewritten and reversed correctly and not blindly copy&pasted. Especially if you want to write documentation 😄 I did the same with my lib by replacing those with OpenSSL, just OpenSSL AES didn't work, as I said before. For example the BN stuff is now this: https://ctrlv.it/id/95115/1912491112

eclair4151 commented 6 years ago

Hmm, OK. Fair enough.

sectroyer commented 6 years ago

@eclair4151 Here is a simplified version of the IDA output for the Samsung lib. You can quickly notice the resemblance: https://ctrlv.it/id/95116/4219719203 Anyway, if what this JS stuff does is okay with you, we can stick with such an API and rewrite it in Python 😄

McKael commented 6 years ago

@sectroyer

No idea what "WS" is but NOW my code also does full pairing: https://ctrlv.it/id/94129/2349222015 ATM it's written in C but can port to something else if needed 😄

Nice! Is your C code available somewhere?

sectroyer commented 6 years ago

@McKael Not yet. I still consider it a PoC and wanted to rewrite it before releasing. Also I am still not sure if I should leave it as C code or rewrite it in Python?

McKael commented 6 years ago

@sectroyer I'm actually interested in the C code because I'd eventually like to use it in a Go application...

sectroyer commented 6 years ago

@McKael Well, it's not something you can copy&paste into a third party application 😄 That's precisely why I wanted to first establish some API before rewriting it 😄

McKael commented 6 years ago

@sectroyer Ok, thanks... Please keep us posted!

stromnet commented 6 years ago

Confirmed working on Model 14_GOLFS ModelName UE55H7000, example pairs fine and send keys work!

ghaabor commented 6 years ago

@tdudek just tried your example with UE40H5500, works like a charm!