When working with a new software product/system, I am one of those guys who is not satisfied just knowing the external interface. I need to know what is going on “under the hood” as well.
A couple of months back, I bought a Samsung LED TV that has cool Internet features. With a couple of fun TV app ideas in mind, I wanted to get down to some coding during the weekends. So, I finally spent some time reading up on the documentation and started coding.
In the meantime, I was playing around with some apps that come with the TV. It has some nice apps like Skype, Google Maps, Twitter, Facebook etc. The functionality offered in the Twitter and Facebook apps is so limited that one cannot even navigate to the links. While there is no app store for Samsung India, there seems to be one for Samsung USA. It is so disappointing to see that there is a lot more content and apps for USA customers and Samsung India has no clue when they will be made available here. Samsung India customer support is not even aware of an app store or TV apps – I had a fun time talking to them though 🙂
I didn’t think that this logic of what apps are to be made available is embedded in the firmware. It must be some pre-set region code or something like that set in the TV that the software further uses to restrict or extend the features. Since the list of apps is not hard-wired into the TV, the software must be talking to some Samsung servers out there. So, I thought I would find out what is going on by looking into the traffic as I turn on the TV.
I had my TV connected to the Internet via WiFi through the Linksys WiFi router. Since my Windows laptop is also connected to the WiFi in the same network, I thought I could easily snoop on the traffic by firing up Wireshark in promiscuous mode. Apparently it is not so easy on Windows. Unlike Linux, it seems that Windows doesn’t allow, or has limited support for, promiscuous mode with WiFi adapters. I learnt this the hard way though. Thanks to my former colleagues on LinkedIn, Abhijit and MikeB, it seems that this apparently works on Linux and that there are some commercial solutions like AirPcap. I didn’t want to go that far. Plus, I didn’t have ready access to a Linux machine.
But with some more time and help from Google, I came to know that Windows 7 has this cool feature called a virtual WiFi adapter, using which the Windows laptop itself could act as an access point. That means the TV could now connect to the access point provided by the laptop instead of the router. My laptop instead connected to the router via Ethernet.
With this setup, I was able to combine another Windows feature called ICS (Internet Connection Sharing) and configure internet sharing between the Ethernet and virtual WiFi adapters. Now, I could snoop on the TV traffic by using promiscuous mode on the Ethernet adapter. I also found that snooping works perfectly fine on the virtual WiFi adapter too.
The next few hours were pure hacking delight, looking at all the API calls the TV was making. The TV is running on Linux. Luckily, only the initial authentication calls are on HTTPS. Once an auth token is retrieved, subsequent calls are made over HTTP itself.
- authenticating to Samsung servers in Korea,
- getting details of capabilities (like paid apps) to be exposed,
- catalog calls to retrieve the list of apps,
- getting the list of installed apps,
- retrieving service notifications etc.
I am not sure if it is a serious privacy issue, but the TV also logs several user actions to the server, including how many times an app is launched.
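To check a capture for the pattern described above (HTTPS only for authentication, then an auth token reused over plain HTTP), the following added example, which is not from the original post, classifies the first payload of each TCP flow and reports credential-bearing fields seen in cleartext, with values redacted. The hostnames, token values and the list of sensitive field names are constructed assumptions, not values observed from the TV.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed list of credential-bearing field names; adjust per device under test.
SENSITIVE = re.compile(r"(token|auth|session|sid|key)", re.I)
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/1\.[01]\r\n")

def classify(payload: bytes) -> str:
    """Label the first bytes of a TCP flow as 'tls', 'http' or 'other'."""
    if payload[:2] == b"\x16\x03":          # TLS handshake record, version 3.x
        return "tls"
    if REQUEST_LINE.match(payload):         # readable request line => cleartext
        return "http"
    return "other"

def redact(value: str) -> str:
    # Keep only a short prefix so the report itself does not leak the secret.
    return f"{value[:4]}...({len(value)} chars)"

def exposed_credentials(payload: bytes):
    """Return (host, where, name, redacted) for credentials in one cleartext request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "?")
    findings = []
    for name, value in parse_qsl(urlsplit(target).query):
        if SENSITIVE.search(name):
            findings.append((host, "query", name, redact(value)))
    for name in ("authorization", "cookie"):
        if name in headers:
            findings.append((host, "header", name, redact(headers[name])))
    return findings

def audit(flows):
    """Report credentials from every flow that is readable HTTP."""
    return [f for p in flows if classify(p) == "http" for f in exposed_credentials(p)]

# Constructed sample flows: placeholder hostnames and made-up token values.
SAMPLE_FLOWS = [
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    b"GET /catalog/apps?token=abcd1234efgh5678&region=XX HTTP/1.1\r\nHost: apps.example.test\r\n\r\n",
    b"POST /log/usage HTTP/1.1\r\nHost: log.example.test\r\nCookie: session=zzzz9999\r\n\r\napp=1",
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

Any finding here means a token or session value crossed the network unencrypted, so anyone on the same path as the capture point could read and replay it.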
While doing this, I also came across a project on SourceForge called SamyGo. These guys have been hacking Samsung TVs for a while – including enabling telnet/ftp support, hidden PVR functionality and even modifying the firmware in some cases. Check it out here. While I haven’t rooted my TV yet, I was able to gain a lot more insight using their tools.
Anyway, here are the instructions on how to snoop on WiFi traffic on Windows, if you ever want to do so. You can use this approach to snoop on your mobile phone app traffic too.
- Start a command window in administrative mode. You can do this by right-clicking on the “Command prompt” menu item in Start | All Programs | Accessories.
- Run the following two commands to set up a virtual WiFi adapter:
    c:>netsh wlan set hostednetwork mode=allow ssid=ssid1 key=password
  This creates a virtual WiFi adapter acting as an access point. Replace ssid1 and password with your own. You can get more help on this command by running “netsh wlan set hostednetwork ?”.
    c:>netsh wlan start hostednetwork
  This actually starts the access point. You may need to re-run this command if you reboot the laptop.
- Enable Internet Connection Sharing:
  Go to Control Panel | Network & Sharing Center | Change Adapter Settings, right-click on your Ethernet adapter (or any adapter with an internet connection) and bring up its properties. Switch to the “Sharing” tab and enable the check box “Allow other network users …”. In the combo box below, select the newly created virtual WiFi adapter.
- Now, go back to the device (TV or mobile) and refresh the list of WiFi access points. You should see the newly created access point ssid1 that the device can connect to.
- That’s it. Have fun with the hacking.