hacker:: [[turmio]] <> = Hacking Samsung SmartTV = I bought new TV and as usual I will try to figure out what is inside of it and write my raw notes here. == Serial port == * Serial port is in Audio Jack (seems to work):: * http://wiki.samygo.tv/index.php5/Enable_Serial_Console_on_B_series_TV * http://wiki.samygo.tv/index.php5/Ex-Link_Cable_for_C/D/E_Series_and_BD_players * http://wiki.samygo.tv/index.php5/Top_Debug_Menu:_TDM * You can enable the serial port on Audio Jack from service menu (When TV is turned off press Info, Menu, Mute and Power) * Serial port has couple of different mode in service menu * Debug (/DebugOutput) * UART (/UartOutpu) * Logic * FANET == Links == * Serial port is in Audio Jack (seems to work): http://wiki.samygo.tv/index.php5/Enable_Serial_Console_on_B_series_TV * Control codes for serial port (rs232) [[https://github.com/iamcanadian2222/SamsungExLink/blob/master/Samsung.py]] * [[http://samygo.tv]] * [[http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Hacking-my-smart-TV-an-old-new-thing/ba-p/6645844#.VKHH9AIqA]] * [[http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/How-I-learned-to-hack-my-TV-and-started-worrying-about-the/ba-p/6383829#.VKHC8AIqA]] * [[http://sourceforge.net/projects/samygo/]] * [[http://www.delaat.net/rp/2012-2013/p39/report.pdf]] * [[http://nerdyjunkyard.wordpress.com/2014/01/20/getting-your-smart-tv-app-to-samsung-tv-from-mac-os-x/]] * [[ServiceMenu]] ( Press Info, Menu, Mute and Power and you get access to advanced menu with factory reset ) https://www.youtube.com/watch?v=wHO1CReFOLU * [[https://iicybersecurity.wordpress.com/2015/07/07/how-to-easily-hack-your-smart-tv-samsung-and-lg/]] == NMAP == * Latest nmap run (2016-05-25) {{{ Nmap scan report for guest-33.home.lan (10.0.2.33) Host is up (0.0064s latency). Not shown: 65528 closed ports PORT STATE SERVICE VERSION 7676/tcp open upnp AllShare UPnP 8000/tcp open http-alt |_http-cors: GET POST PUT DELETE OPTIONS |_http-favicon: Unknown favicon MD5: 33E3EA7FC9C08D2E72730482906A676C | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-open-proxy: Proxy might be redirecting requests |_http-title: Site doesn't have a title. 8001/tcp open http Node.js Express framework |_http-cors: GET POST PUT DELETE | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Debug Config 8080/tcp open http lighttpd | http-methods: |_ Supported Methods: OPTIONS GET HEAD POST |_http-title: 404 - Not Found 8443/tcp open ssl/http lighttpd | http-methods: |_ Supported Methods: OPTIONS GET HEAD POST |_http-title: 404 - Not Found | ssl-cert: Subject: commonName=server1/organizationName=Samsung SERI/stateOrProvinceName=Surrey/countryName=GB | Issuer: commonName=CA root/organizationName=Samsung SERI/stateOrProvinceName=Surrey/countryName=GB | Public Key type: rsa | Public Key bits: 1024 | Signature Algorithm: md5WithRSAEncryption | Not valid before: 1970-01-01T00:00:00 | Not valid after: 2030-01-01T00:00:00 | MD5: cfed beba 8b97 cd23 a4ea 2111 dd6f 0827 |_SHA-1: 4242 3dc7 c308 b648 7d0c 3630 542d a4af c462 33ca |_ssl-date: 1970-01-01T04:44:39+00:00; -46y145d14h49m47s from scanner time. 9090/tcp open http Samsung UE55D7000 TV http config |_hadoop-datanode-info: |_hadoop-jobtracker-info: |_hadoop-tasktracker-info: |_hbase-master-info: |_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Site doesn't have a title (application/octet-stream). 15500/tcp open unknown }}} [[/NMAP-archive]] == URL's seen == {{{ http://10.0.2.33:8000/common/1.0.0/service/startService?appID=com.samsung.compan ion http://10.0.2.33:8000/socket.io/1/?t=1419883780635 http://10.0.2.33:8000/socket.io/1/websocket/S9LZX9RqHaa1QbJXAPg3 http://10.0.2.33:9090/liveStream/1 http://10.0.2.33:7676/smp_2_ http://10.0.2.33:7676/smp_15_ http://10.0.2.33:7676/smp_16_ http://10.0.2.33:7676/smp_19_ http://10.0.2.33:7676/smp_22_ http://10.0.2.33:7676/smp_24_ }}} = Services = == Port 8001 == {{{ $ curl -v http://10.0.2.33:8001/ms/1.0/ * Hostname was NOT found in DNS cache * Trying 10.0.2.33... * Connected to 10.0.2.33 (10.0.2.33) port 8001 (#0) > GET /ms/1.0/ HTTP/1.1 > User-Agent: curl/7.37.1 > Host: 10.0.2.33:8001 > Accept: */* > < HTTP/1.1 200 OK < X-Powered-By: Express < Access-Control-Allow-Origin: * < Access-Control-Allow-Credentials: true < Access-Control-Allow-Methods: GET,PUT,POST,DELETE < Access-Control-Allow-Headers: Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, SilentLaunch < Content-Type: application/json; charset=utf-8 < Content-Length: 633 < Date: Thu, 01 Jan 1970 00:48:16 GMT < Connection: keep-alive < { "DUID": "EXCL6GDVW6246", "Model": "14_X14_BT", "NetworkType": "wireless", "SSID": "turmio-lan", "IP": "10.0.2.33", "FirmwareVersion": "T-MST14DEUC-2600.4", "CountryCode": "FI", "DeviceName": "[TV]Samsung LED50fgh", "DeviceID": "SHCM4M3HDEQG2", "ModelDescription": "Samsung TV RCR", "ModelName": "UE50H6400", "UDN": "08583b01-008c-1000-911b-c4576e6f3695", "Resolution": "1920x1080", "ServiceURI": "http://10.0.2.33:8001/ms/1.0/", "DialURI": "http://10.0.2.33:8001/ws/apps/", "Capabilities": [ { "name": "samsung:multiscreen:1", "port": "8001", "location": "/ms/1.0/" } ] }}} = Network connections = == First boot == <> description:: Reversing Samsung Smart TV started:: 2014-12-29 ---- CategoryProjekti