FOR LG SMART TV (WEBOS)

[PLKHawaR]

I loved the private listening mode can u do this the Private Listening Mode for LG SMART TV.It will be helpful for me

[msdrigg]

Unfortunately this isn't something that is on the roadmap for me. The Roam app uses all roku-specific API's and it's not something that WebOS supports natively. So I would need to rewrite everything for WebOS if WebOS even supports a audio-streaming protocol (which I'm not sure if it does), which is not something I have time for right now.

[PLKHawaR]

The only app that offers this feature is LG ThinQ, the official app for LG TVs. No other competitors provide this functionality, which is why I thought you might be capable of implementing it—especially since you've done something similar for Roku. That's why I reached out to you. I appreciate your response!

[msdrigg]

That's good to know. I'll leave this issue open for now because I think this is something I think would be valuable and could be done with this codebase even if I don't have time for it (for the foreseeable future).

[PLKHawaR]

That's good to know. I'll leave this issue open for now because I think this is something I think would be valuable and could be done with this codebase even if I don't have time for it (for the foreseeable future).

Any Update?

[msdrigg]

This isn't something I will be doing any time soon unfortunately because I do not have time. There will not be any updates on this. I am leaving the issue open for others to see and contribute to if they have the capability and desire, not to track my own progress with it.

[PLKHawaR]

I apologize for reaching out. After conducting some research, I discovered that the command for changing the TV's sound output from the TV speaker to a mobile phone (specifically an iPhone) causes the sound to disappear from the TV, similar to how the LG official app functions. I am experiencing the same behavior, but I am unsure where the TV is sending these audio packets. Is there a way to listen for those packets? My goal is to turn off the TV sound, just like the LG ThinQ app does. I believe this can be accomplished, and I am confident in my ability to do so. I am using ConnectSDK for the connection, which utilizes NSStreams for input and output communication.

[msdrigg]

No worries at all for reaching out! In general when researching an unknown protocol to try to replicate it I typically do these steps:

1. Get a packet capture of the actual official application doing what you are trying to do (e.g. setting up the audio stream and streaming the audio)
2. Open this packet capture in Wireshark. For audio, you are typically looking for UDP packets between your device's IP address and your TV's. There are a lot of guides out there on how to filter for certain ip addresses or packet types in wireshark if you want to get good at using it. It's a super useful took for this kind of job.
3. Once you find the packets you are looking for in Wireshark, hopefully Wireshark can provide some details on how the audio is being streamed (OPUS-encoded audio over RTP is how Roku streams it), but it could be using one of several protocols. If Wireshark can tell what packets are getting sent, then you are in luck and you are basically done with the research phase. All you need now is to replicate this in your own program. If Wireshark can't provide any meaningful information on what the packets mean, then it's likely LG is using a custom protocol or a variation of a known protocol and it's going to be much harder to reverse engineer this. I actually tried to take a stab at the voice-command API for Roku but they use a custom protocol and I am currently stuck trying to reverse it.

If you are having trouble getting a packet capture of the official application, I would suggest these options

1. If you have a wifi router you can run commands on, try running tcpdump on it (see here for how I did it in my process: https://scottdriggers.com/blog/how-i-built-roam/#ecp-api) to capture traffic from your phone <-> LG TV
2. If you don't have a router that can do this (most routers), then I would suggest trying to run the official LG ThinQ application from within a simulator (it would probably be easier to do this with the android emulator) on your main computer. Then you can open Wireshark on the computer at the same time and directly capture your computer's wifi traffic from the Wireshark GUI (which will include the emulator packets as well)

I know this is a long response, but it's a pretty open ended process that's going to take some problem solving to get to work. The audio-streaming portion of this application probably took 1/2 the time that it took to build the whole app.

[PLKHawaR]

Thanks for your response. I used Burp Suite on the LG ThinQ app but couldn't find anything relevant to what I need—perhaps LG has hidden the data. I haven't tried using Wireshark yet, but I plan to do so. I'll keep you updated on my findings.

When I enabled private listening on the app, I tracked the traffic using the command sudo tcpdump -i en0 host 192.168.88.114 to capture the packets. Below are some of the key details I obtained:

1. *16:46:12.560678 IP 192.168.88.114.mdns > mdns.mcast.net.mdns: 0- [0q] 1/0/1 (Cache flush) TXT "acl=0" "deviceid=3A:35:26:5C:CF:90" "features=0x7F8AD0,0x38BCF46" "fex=0Ip/AEbPiwNAAg" "rsf=0x3" "fv=p20.04.41.39" "at=0x1" "flags=0x244" "model=55UQ80006LD" "integrator=LG Electronics" "manufacturer=LG" "serialNumber=208EGVJKK359_ac:5a:f0:49:de:9f" "protovers=1.1" "srcvers=377.40.00" "pi=3A:35:26:5C:CF:90" "psi=00000000-0000-0000-0000-3A35265CCF90" "gid=00000000-0000-0000-0000-3A35265CCF90" "gcgl=0" "pk=ff2ec069f0a0e439c2a24fbcead0ea41b76def25ba1d2961c99a27910a0157f3" (525)
2. 16:46:13.481628 IP 192.168.88.114.mdns > mdns.mcast.net.mdns: 0*- [0q] 1/0/1 (Cache flush) TXT "acl=0" "deviceid=3A:35:26:5C:CF:90" "features=0x7F8AD0,0x38BCF46" "fex=0Ip/AEbPiwNAAg" "rsf=0x3" "fv=p20.04.41.39" "at=0x1" "flags=0x244" "model=55UQ80006LD" "integrator=LG Electronics" "manufacturer=LG" "serialNumber=208EGVJKK359_ac:5a:f0:49:de:9f" "protovers=1.1" "srcvers=377.40.00" "pi=3A:35:26:5C:CF:90" "psi=00000000-0000-0000-0000-3A35265CCF90" "gid=00000000-0000-0000-0000-3A35265CCF90" "gcgl=0" "pk=ff2ec069f0a0e439c2a24fbcead0ea41b76def25ba1d2961c99a27910a0157f3" (525)
3. 16:46:15.029335 IP 192.168.88.114.mdns > mdns.mcast.net.mdns: 0*- [0q] 1/0/1 (Cache flush) TXT "acl=0" "deviceid=3A:35:26:5C:CF:90" "features=0x7F8AD0,0x38BCF46" "fex=0Ip/AEbPiwNACA" "rsf=0x3" "fv=p20.04.41.39" "at=0x1" "flags=0x244" "model=55UQ80006LD" "integrator=LG Electronics" "manufacturer=LG" "serialNumber=208EGVJKK359_ac:5a:f0:49:de:9f" "protovers=1.1" "srcvers=377.40.00" "pi=3A:35:26:5C:CF:90" "psi=00000000-0000-0000-0000-3A35265CCF90" "gid=00000000-0000-0000-0000-3A35265CCF90" "gcgl=0" "pk=ff2ec069f0a0e439c2a24fbcead0ea41b76def25ba1d2961c99a27910a0157f3" (525)**

This is some kind of TXT record 16:46:12.560678 IP 192.168.88.114.mdns > mdns.mcast.net.mdns: Cache flush TXT:

acl=0 deviceid=3A:35:26:5C:CF:90 features=0x7F8AD0,0x38BCF46 fex=0Ip/AEbPiwNAAg rsf=0x3 fv=p20.04.41.39 at=0x1 flags=0x244 model=55UQ80006LD integrator=LG Electronics manufacturer=LG serialNumber=208EGVJKK359_ac:5a:f0:49:de:9f protovers=1.1 srcvers=377.40.00 pi=3A:35:26:5C:CF:90 psi=00000000-0000-0000-0000-3A35265CCF90 gid=00000000-0000-0000-0000-3A35265CCF90 gcgl=0 pk=ff2ec069f0a0e439c2a24fbcead0ea41b76def25ba1d2961c99a27910a0157f3 (525 bytes)

I know this is a long response, but let me know if you think any of this information could be useful, or if you need further clarification on specific details!

[msdrigg]

I found an article about BURP suite saying it can't do any other protocols besides HTTP, so it wouldn't capture any UDP-based protocols (these are the most common for audio). It looks like Wireshark is gonna be the way to go: https://forum.portswigger.net/thread/intercept-non-http-protocols-47c977d1

As for the tcpdump capture, you are seeing MDNS packets which are used for device discovery (how your LG THINQ app can detect LG TV's on your network without you entering the IP address manually). These are probably unrelated to the audio.

Are you running TCPDUMP on your router or on your computer that has the simulator running THINQ on it? Because the TCPDUMP command needs to be run on a device where the traffic originates from or on a device where the traffic passes through it. It can't just capture traffic over the air. For example if you run tcpdump on your computer and then run THINQ on your physical phone, it won't work.

If you are running TCPDUMP in one of the places that will work, try this: variation of the command tcpdump -i en0 -s 0 -w thinq.pcap host 192.168.88.114 (I assume that the 192.168.88.114 is your LG TV IP address). Adding the -s 0 flag will not filter out bigger packets and adding the -w thinq.pcap will save the full packets to a pcap file. This file can then be opened in wireshark and it will show the details better than what you were seeing above.

[PLKHawaR]

I ran the LG ThinQ app on a physical device and attempted to monitor the traffic on my Mac, but as you mentioned, this approach won't work. What are the alternative methods I can use to effectively monitor the traffic?

[msdrigg]

You need to download android studio on your computer and run thinQ on the emulator that comes with it. Here's a guide to getting the emulator setup in android studio: https://21zerixpm.medium.com/running-android-emulator-without-android-studio-on-macbook-1065b097e930. That will be the easiest way. Once you have android up and running, you need to install the LG ThinQ app and then capture traffic from your computer.

All the other ways would involve weird networking or buying a router you can ssh into.