in Reversing

Samsung TV network remote control protocol

It happens, that I get my new 32″ Samsung TV – model LE32D550. Like most of new Samsung TV’s (if not everyone) it could be connected into the LAN. Of course, one of the first thing I do when the network cable was connected was port-scan.

C:\Users\Michal>nmap -p 1-65535 tv.lan

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-16 22:19 îrodkowoeuropejski czas stand.
Nmap scan report for tv.lan (192.168.1.102)
Host is up (0.0016s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
52235/tcp open  unknown
52396/tcp open  unknown
55000/tcp open  unknown
55001/tcp open  unknown
MAC Address: 60:6B:BD:AB:FC:95 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds

55000 is used for remote control over network. There is application for iPhone and Android smartphones (unfortunately only these created by Samsung) to control TV through WiFi. I did some research, and now I understand the protocol quite well.

1. Authentication

When connection on port 55000 is established, remote control must be authenticated. It sends datagram.

0000   00 13 00 69 70 68 6f 6e 65 2e 69 61 70 70 2e 73  ...iphone.iapp.s
0010   61 6d 73 75 6e 67 38 00 64 00 14 00 4d 54 6b 79  amsung8.d...MTky
0020   4c 6a 45 32 4f 43 34 78 4c 6a 45 77 4d 41 3d 3d  LjE2OC4xLjEwMA==
0030   10 00 5a 32 52 7a 4e 7a 4d 30 64 47 64 30 5a 41  ..Z2RzNzM0dGd0ZA
0040   3d 3d 0c 00 63 32 4d 77 64 48 6b 75 63 47 77 3d  ==..c2MwdHkucGw=

And the meaning of this bytes.

offset  value and description
------	---------------------
0x00   	0x00 - datagram type?
0x01	0x0013 - string length (little endian)
0x03	"iphone.iapp.samsung" - string content
0x16	0x0038 - payload size (little endian)
0x18	payload

I don’t know the meaning of the string above, my TV is accepting any string in here, but I suggest to use this particular one just for compatibility reason.

Payload starts with 2 bytes: 0x64 and 0x00, then comes 3 strings encoded with base64 algorithm. Every string is preceded by 2-bytes field containing encoded string length. These three strings are as follow:

  • remote control device IP,
  • unique ID – value to distinguish controllers,
  • name – it will be displayed as controller name.

TV reply us giving following datagram:

0000    02 0c 00 69 61 70 70 2e 73 61 6d 73 75 6e 67 06  ...iapp.samsung.
0010    00 0a 00 02 00 00 00                             .......

It means:

offset  value and description
------	---------------------
0x00   	don't know, it it always 0x00 or 0x02
0x01	0x000c - string length (little endian)
0x03	"iapp.samsung" - string content
0x0f	0x0006 - payload size (little endian)
0x11	payload

String content is always iapp.samsung or iphone.livingroom.iapp.samsung. Meaning of these strings is unclear, I suggest to not compare it with any specific value during response parsing (maybe other devices using another values).

Payload is one of the following:

  • 0x64, 0x00, 0x01, 0x00 – access granted, you can now send key codes and it will be executed by TV,
  • 0x64, 0x00, 0x00, 0x00 – access denied – user rejected your network remote controller,
  • 0x0A, 0x00, 0x02, 0x00, 0x00, 0x00 – waiting for user to grant or deny access for your app,
  • 0x65, 0x00 – timeout or cancelled by user.
Access is granted only during current TCP connection, when your app or TV disconnect, you have to repeat the authentication process.

 2. Sending key codes

Now you can send simple datagrams containing key codes.

0000    00 13 00 69 70 68 6f 6e 65 2e 69 61 70 70 2e 73  ...iphone.iapp.s
0010    61 6d 73 75 6e 67 11 00 00 00 00 0c 00 53 30 56  amsung.......S0V
0020    5a 58 31 5a 50 54 46 56 51                       ZX1ZPTFVQ

It means:

offset  value and description
------	---------------------
0x00   	always 0x00
0x01	0x0013 - string length (little endian)
0x03	"iphone.iapp.samsung" - string content
0x16	0x0011 - payload size (little endian)
0x18	payload

And the payload is:

offset  value and description
------	---------------------
0x18   	three 0x00 bytes
0x1b	0x000c - key code size (little endian)
0x1d	key code encoded as base64 string

TV response will be similar to authentication response, but with different payload data. I will not describe this data detailed because I wasn’t investigated it much.

Key codes list is published in SamyGO wiki: http://wiki.samygo.tv/index.php5/D-Series_Key_Codes

Useful information can be found also in SamyGO Android Remote sources.

[EDIT]

Benoit Dumasin created easy to use C++ class (using QT library) able to control Samsung TV: https://github.com/Bntdumas/SamsungIPRemote  (he also provided an example QT widget).

[EDIT]

Here is Wireshark protocol dissector create by Konstantin Salikhov (Koka58).

Write a Comment

Comment

37 Comments

  1. Hi

    Well Done on decoding the above

    I am also trying to do the same but having a few problems

    Basically I have created a LUA script to control the Samsung TV’s over IP

    I can Send THe KEY CODES to the set with no problem!

    My problem is that i want to go a bit further and do the folowing

    send a command to the TV that opens the Web Browser, or the Photos APP, or even BBC IPLAYER.

    I have sniffed ( wireshark) the set whilst opening the Photos app and managed to find in the TCP Stream the following

    L2FjdGlvbj9zZWxlY3Q9MzFfcGhvdG9z

    Running this against a Base 64 decoder the result is:

    /action?select=31_photos

    I have also noticed that IT is a HTTP GET command.

    Now I am completely stuck not knowing what to do next!

    Interested in Helping?

    If So could you create a simple python script that opens say the web browser or the photos app in the TV?
    you can come back to me on marcodias@me.com

    Thanks

  2. Sorry, but my TV doesn’t support web browsing. You could try to sniff other urls or try to find strings from this url in app you are sniffing. Or reverse the app if you could.

  3. I’d be rather interesed int that sc0ty.pl script that appears on the first message dump… 😉

  4. There is no script, I’ve done it by sending packet from simple application written in c++.

  5. Oh, I’ve seen you plan to release some c++ libs. I’m looking forward to it. Meanwhile I think some ugly-code programs would do the trick. 🙂

  6. Hi!
    The page is very informative. I could develop the application to control the tv. The only issue I am facing is that I cannot power on the TV once it is power off using the application. I am using UA32ES6200 Model of Samsung.

    Thanks

  7. @juzis: sure, it is always good to know that my work is useful to someone.

  8. Hi, thank you for your article, it was really helpful for me.

    I made a little C++ Qt library and a test QWidget to control the TV.
    It basically allows you to:
    – open the TCP socket
    – send the ID packet
    – send strings as payloads.
    I can send it to you if you think it could be usefull.

  9. @bntdumas: maybe you consider to publish it as open source on github/googlecode/anywhere? It can be useful for many people.

  10. Nice job. I’ve added this link to my post, hope you don’t mind.

  11. Nice to have people with this knowledge (y) Im new with TCP/IP commands, but very intrested in that, I did get that authentication code to work with my tv and I have accepted with my tv remote, how locks the command example for “power off”.

  12. Hello! I want to make an HTML5 application to remote control the tv. I don’t want to create an application for the tv. Just run the index, authenticate by the tv and then send remote commands for channel change, volume up e.t.c. Should i put the samsungremote.cgi file in the same folder with index.html and just change the ip’s and mac addresses to match these i have?

  13. How do you connect to port 55000?

    Can you explain the simplest way to send the key values or gently borrow your code so I can try it in my own tv?

    Thank you!

  14. Thank you for the protocol information! I’ve now also used it for a remote app for Pebble.

  15. Hello,

    great Job!

    How can i enter a two digit ChannelNr?

    After i enter the first digit, the tcp connection is still open. After the second digit the connection drops and the TV change the Channel only to the first digit.

    Best regards

  16. Anybody have any of the network protocols figured out for the 2014/2015 “H” series Samsung TV’s?

    – John “S”

  17. Hi John,

    I would like to know the same, I have just replaced my Sony which I got to work well over the LAN but have just replaced it with a Samsung.

    I have installed Smart View on my computer and monitor with Wireshark but I still haven’t been able to work it out.

    Best regards,
    Steve B

  18. Wow, you guys are off the charts smart.

    Is there any way to use these commands to allow Amazon Echo (Alexa) to control my Samsung LN55c650 TV, perhaps using IFTTT?

  19. hi all,

    anyone able to create an Alexa skill for this? How do i send the TV the codes?

    thx!

  20. Many thanks for your work! Due to your work and useful https://github.com/makermusings/fauxmo library, I can now remote control from within Android app. However, I have a question:
    How to send >1 keycode in sequence, e.g. key_4,key_2, key_enter to select channel 42? I tried async and sync sending, but almost always only the first char is accepted. After trying a lot of combinations, I’ve found out that key-clear between codes helps: key_4,key_clear, key_2,key_clear, key_enter. But I think there should be something like key_up.
    Also, I’d like to know the meaning of key_clear, and the meaning of the rest key in list. Most of them is understandable, but not all.

    Thanks again for the work!

  21. Everything I know is here, I didn’t do any more research. Can’t help you, sorry.

  22. anyone can provide driver for rti x8 processor?

  23. i am looking samsung ud46c ip command integrated widget designer control

  24. Hi, can some one please help me how to use Rest Client(chrome) to control the TV over IP. I am struck with Pairing request not sure how to send.

  25. Does anyone have an idea how to unblock the port?
    I accidently blocked it as it popped up on the screen :/
    I’ve also tried a factory reset of my tv but with no success.

  26. I have an old c630 series and no ports opened.
    Do you know if there is a way to enable it to use the script?

  27. Thanks you so much. Can you help me decode below :
    0000 00 14 00 69 70 68 6f 6e 65 2e 2e 69 61 70 70 2e …iphon e..iapp.
    0010 73 61 6d 73 75 6e 67 0e 00 07 00 0d 00 00 00 b0 samsung. ……..
    0020 04 00 00 3b fe ff ff …;…