It happens, that I get my new 32″ Samsung TV – model LE32D550. Like most of new Samsung TV’s (if not everyone) it could be connected into the LAN. Of course, one of the first thing I do when the network cable was connected was port-scan.
C:\Users\Michal>nmap -p 1-65535 tv.lan Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-16 22:19 îrodkowoeuropejski czas stand. Nmap scan report for tv.lan (192.168.1.102) Host is up (0.0016s latency). Not shown: 65531 closed ports PORT STATE SERVICE 52235/tcp open unknown 52396/tcp open unknown 55000/tcp open unknown 55001/tcp open unknown MAC Address: 60:6B:BD:AB:FC:95 (Unknown) Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds
55000 is used for remote control over network. There is application for iPhone and Android smartphones (unfortunately only these created by Samsung) to control TV through WiFi. I did some research, and now I understand the protocol quite well.
1. Authentication
When connection on port 55000 is established, remote control must be authenticated. It sends datagram.
0000 00 13 00 69 70 68 6f 6e 65 2e 69 61 70 70 2e 73 ...iphone.iapp.s 0010 61 6d 73 75 6e 67 38 00 64 00 14 00 4d 54 6b 79 amsung8.d...MTky 0020 4c 6a 45 32 4f 43 34 78 4c 6a 45 77 4d 41 3d 3d LjE2OC4xLjEwMA== 0030 10 00 5a 32 52 7a 4e 7a 4d 30 64 47 64 30 5a 41 ..Z2RzNzM0dGd0ZA 0040 3d 3d 0c 00 63 32 4d 77 64 48 6b 75 63 47 77 3d ==..c2MwdHkucGw=
And the meaning of this bytes.
offset value and description ------ --------------------- 0x00 0x00 - datagram type? 0x01 0x0013 - string length (little endian) 0x03 "iphone.iapp.samsung" - string content 0x16 0x0038 - payload size (little endian) 0x18 payload
I don’t know the meaning of the string above, my TV is accepting any string in here, but I suggest to use this particular one just for compatibility reason.
Payload starts with 2 bytes: 0x64 and 0x00, then comes 3 strings encoded with base64 algorithm. Every string is preceded by 2-bytes field containing encoded string length. These three strings are as follow:
- remote control device IP,
- unique ID – value to distinguish controllers,
- name – it will be displayed as controller name.
TV reply us giving following datagram:
0000 02 0c 00 69 61 70 70 2e 73 61 6d 73 75 6e 67 06 ...iapp.samsung. 0010 00 0a 00 02 00 00 00 .......
It means:
offset value and description ------ --------------------- 0x00 don't know, it it always 0x00 or 0x02 0x01 0x000c - string length (little endian) 0x03 "iapp.samsung" - string content 0x0f 0x0006 - payload size (little endian) 0x11 payload
String content is always iapp.samsung or iphone.livingroom.iapp.samsung. Meaning of these strings is unclear, I suggest to not compare it with any specific value during response parsing (maybe other devices using another values).
Payload is one of the following:
- 0x64, 0x00, 0x01, 0x00 – access granted, you can now send key codes and it will be executed by TV,
- 0x64, 0x00, 0x00, 0x00 – access denied – user rejected your network remote controller,
- 0x0A, 0x00, 0x02, 0x00, 0x00, 0x00 – waiting for user to grant or deny access for your app,
- 0x65, 0x00 – timeout or cancelled by user.
2. Sending key codes
Now you can send simple datagrams containing key codes.
0000 00 13 00 69 70 68 6f 6e 65 2e 69 61 70 70 2e 73 ...iphone.iapp.s 0010 61 6d 73 75 6e 67 11 00 00 00 00 0c 00 53 30 56 amsung.......S0V 0020 5a 58 31 5a 50 54 46 56 51 ZX1ZPTFVQ
It means:
offset value and description ------ --------------------- 0x00 always 0x00 0x01 0x0013 - string length (little endian) 0x03 "iphone.iapp.samsung" - string content 0x16 0x0011 - payload size (little endian) 0x18 payload
And the payload is:
offset value and description ------ --------------------- 0x18 three 0x00 bytes 0x1b 0x000c - key code size (little endian) 0x1d key code encoded as base64 string
TV response will be similar to authentication response, but with different payload data. I will not describe this data detailed because I wasn’t investigated it much.
Key codes list is published in SamyGO wiki: http://wiki.samygo.tv/index.php5/D-Series_Key_Codes
Useful information can be found also in SamyGO Android Remote sources.
[EDIT]
Benoit Dumasin created easy to use C++ class (using QT library) able to control Samsung TV: https://github.com/Bntdumas/SamsungIPRemote (he also provided an example QT widget).
[EDIT]
Here is Wireshark protocol dissector create by Konstantin Salikhov (Koka58).