 hacker:: [[turmio]]
<<TableOfContents()>>
= Hacking Samsung SmartTV =

I bought new TV and as usual I will try to figure out what is inside of it and write my raw notes here. 


== Serial port ==
 * Serial port is in Audio Jack (seems to work)::
  * http://wiki.samygo.tv/index.php5/Enable_Serial_Console_on_B_series_TV
  * http://wiki.samygo.tv/index.php5/Ex-Link_Cable_for_C/D/E_Series_and_BD_players
  * http://wiki.samygo.tv/index.php5/Top_Debug_Menu:_TDM
 * You can enable the serial port on Audio Jack from service menu (When TV is turned off press Info, Menu, Mute and Power)

  * Serial port has couple of different mode in service menu
   * Debug (/DebugOutput)
   * UART (/UartOutpu)
   * Logic
   * FANET

 
== Links ==
 * Serial port is in Audio Jack (seems to work): http://wiki.samygo.tv/index.php5/Enable_Serial_Console_on_B_series_TV
 * Control codes for serial port (rs232) [[https://github.com/iamcanadian2222/SamsungExLink/blob/master/Samsung.py]]
 * [[http://samygo.tv]] 
 * [[http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Hacking-my-smart-TV-an-old-new-thing/ba-p/6645844#.VKHH9AIqA]]
 * [[http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/How-I-learned-to-hack-my-TV-and-started-worrying-about-the/ba-p/6383829#.VKHC8AIqA]]
 * [[http://sourceforge.net/projects/samygo/]]
 * [[http://www.delaat.net/rp/2012-2013/p39/report.pdf]]
 * [[http://nerdyjunkyard.wordpress.com/2014/01/20/getting-your-smart-tv-app-to-samsung-tv-from-mac-os-x/]]
 * [[ServiceMenu]] ( Press Info, Menu, Mute and Power and you get access to advanced menu with factory reset )  https://www.youtube.com/watch?v=wHO1CReFOLU
 * [[https://iicybersecurity.wordpress.com/2015/07/07/how-to-easily-hack-your-smart-tv-samsung-and-lg/]]
== NMAP ==
 * Latest nmap run (2016-05-25)
{{{
Nmap scan report for guest-33.home.lan (10.0.2.33)
Host is up (0.0064s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE  VERSION
7676/tcp  open  upnp     AllShare UPnP
8000/tcp  open  http-alt
|_http-cors: GET POST PUT DELETE OPTIONS
|_http-favicon: Unknown favicon MD5: 33E3EA7FC9C08D2E72730482906A676C
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Site doesn't have a title.
8001/tcp  open  http     Node.js Express framework
|_http-cors: GET POST PUT DELETE
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Debug Config
8080/tcp  open  http     lighttpd
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-title: 404 - Not Found
8443/tcp  open  ssl/http lighttpd
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-title: 404 - Not Found
| ssl-cert: Subject: commonName=server1/organizationName=Samsung SERI/stateOrProvinceName=Surrey/countryName=GB
| Issuer: commonName=CA root/organizationName=Samsung SERI/stateOrProvinceName=Surrey/countryName=GB
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 1970-01-01T00:00:00
| Not valid after:  2030-01-01T00:00:00
| MD5:   cfed beba 8b97 cd23 a4ea 2111 dd6f 0827
|_SHA-1: 4242 3dc7 c308 b648 7d0c 3630 542d a4af c462 33ca
|_ssl-date: 1970-01-01T04:44:39+00:00; -46y145d14h49m47s from scanner time.
9090/tcp  open  http     Samsung UE55D7000 TV http config
|_hadoop-datanode-info: 
|_hadoop-jobtracker-info: 
|_hadoop-tasktracker-info: 
|_hbase-master-info: 
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (application/octet-stream).
15500/tcp open  unknown

}}}
[[/NMAP-archive]]

== URL's seen ==
{{{
http://10.0.2.33:8000/common/1.0.0/service/startService?appID=com.samsung.compan        ion
http://10.0.2.33:8000/socket.io/1/?t=1419883780635

http://10.0.2.33:8000/socket.io/1/websocket/S9LZX9RqHaa1QbJXAPg3

http://10.0.2.33:9090/liveStream/1
http://10.0.2.33:7676/smp_2_
http://10.0.2.33:7676/smp_15_
http://10.0.2.33:7676/smp_16_
http://10.0.2.33:7676/smp_19_
http://10.0.2.33:7676/smp_22_
http://10.0.2.33:7676/smp_24_

}}}
= Services =

== Port 8001 ==
{{{
$ curl -v http://10.0.2.33:8001/ms/1.0/
* Hostname was NOT found in DNS cache
*   Trying 10.0.2.33...
* Connected to 10.0.2.33 (10.0.2.33) port 8001 (#0)
> GET /ms/1.0/ HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 10.0.2.33:8001
> Accept: */*
> 
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: GET,PUT,POST,DELETE
< Access-Control-Allow-Headers: Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, SilentLaunch
< Content-Type: application/json; charset=utf-8
< Content-Length: 633
< Date: Thu, 01 Jan 1970 00:48:16 GMT
< Connection: keep-alive
< 
{
  "DUID": "EXCL6GDVW6246",
  "Model": "14_X14_BT",
  "NetworkType": "wireless",
  "SSID": "turmio-lan",
  "IP": "10.0.2.33",
  "FirmwareVersion": "T-MST14DEUC-2600.4",
  "CountryCode": "FI",
  "DeviceName": "[TV]Samsung LED50fgh",
  "DeviceID": "SHCM4M3HDEQG2",
  "ModelDescription": "Samsung TV RCR",
  "ModelName": "UE50H6400",
  "UDN": "08583b01-008c-1000-911b-c4576e6f3695",
  "Resolution": "1920x1080",
  "ServiceURI": "http://10.0.2.33:8001/ms/1.0/",
  "DialURI": "http://10.0.2.33:8001/ws/apps/",
  "Capabilities": [
    {
      "name": "samsung:multiscreen:1",
      "port": "8001",
      "location": "/ms/1.0/"
    }
  ]
}}}

= Network connections =
== First boot ==
<<Include(HackingSamsungSmartTV/FirstBootConnections)>>


 description:: Reversing Samsung Smart TV
 started:: 2014-12-29
----
CategoryProjekti
