Samsung TV hacking & Snooping on WiFi Traffic in Windows 7

When working with a new software product/system, I am one of those guys who is not satisfied just knowing the external interface. I need to know what is going on “under the hood” as well.

Couple of months back, I bought a Samsung LED TV that has cool Internet features. With couple of fun TV app ideas in mind, I wanted to get down to do some coding during the weekends. So, I finally spent some time reading up the documentation and started coding.

In the meantime, I was playing around with some apps that come with TV. It has some nice apps like Skype, Google Maps, Twitter, Facebook etc. The functionality offered in twitter and facebook apps is so limited that one cannot even navigate to the links.  While there is no app store for Samsung India, there seem to be one for Samsung USA. It is so disappointing to see that there is lot more content and apps for USA customers and Samsung India has no clue when they will be made available here. Samsung India customer support is not even aware of an app store or tv apps – I had fun time talking to them though 🙂

I didn’t think that this logic of what apps to be made available is embedded in the firmware. It must be some pre-set region code or something like that set in the TV that the software  further uses to restrict or extend the features. Since the list of apps are not hard-wired into the TV, the software must be talking to some Samsung servers out there. So, I thought I will find out what is going on by looking into the traffic as I turn on the TV.

I had my TV connected to Internet via WiFi to the Linksys WiFi router. Since my windows laptop is also connected to the WiFi in the same network, I thought I could easily snoop on the traffic by firing up Wireshark in promiscuous mode. Apparently not so easy in windows. Unlike linux, it seems that Windows doesn’t allow or has limited support for promiscuous mode with WiFi adaptors. I learnt this hard way though.  Thanks to my former colleagues on LinkedIn Abhijit and MikeB, it seems that  this apparently works on linux and that there are some commercial solutions like AirPcap, I didn’t want to go that far. Plus, I didn’t have access to a linux machine readily.

But with some more time and help from google, I came to know that windows 7 has this cool feature called virtual WiFi adapter using which the windows laptop itself could act as an AccessPoint. That means, TV could now connect to the access point provided by laptop instead of the router. My laptop instead connected to the router via Ethernet.

With this setup, I was able to combine another of windows feature called ICS (Internet Connection Sharing) and configure internet sharing between Ethernet and virtual WiFi adapters. Now, I could snoop on the TV traffic by using promiscuous mode on the Ethernet adapter.  I also found that snooping works perfectly fine on virtual WiFi adapter too.

Next few hours was pure hacking delight looking at all the API calls the TV was making. TV is running on Linux. Luckily, only the initial authentication calls are on HTTPS. Once an auth token is retrieved, subsequent calls are made over HTTP itself.

• authenticating to samsung servers in Korea
• getting details of capabilities(like paid apps) to be exposed,
• catalog calls to retrieve list of apps,
• get list of installed apps,
• retrieve service notifications etc.

Not sure if it is a serious privacy issue, TV also logs several user actions to the server including how many times an app is launched etc.

While doing this, I also came across a project on sourceforge called SamyGo. These guys have been hacking Samsung TVs for a while – including enabling telnet/ftp support, hidden PVR functionality and even modifying the firmware in some cases. Check it out here. While I haven’t rooted my TV yet, I was able to gain lot more insights using their tools.

Anyway, here are the instructions on how to snoop on WiFi traffic on windows, if you ever want to do. You can  use this approach to snoop on your mobile phone app traffic too.

• Start a command window in administrative mode. You can do this by right-clicking on the “Command prompt” menu item in Start | All Programs | Accessories

• Run the following two commands to setup a virtual WiFi adpater

c:>netsh wlan set hostednetwork mode=allow ssid=ssid1 key=password

This creates a virtual WiFi adapter acting as an AccessPoint. Replace ssid1 and password with your own. You can get more help on this command by running “netsh wlan set hostednetwork ?”

c:>netsh wlan start hostednetwork

This actually starts the access point. You may need to re-run this command if you reboot the laptop.

• Enable internet connection sharing

Go to Control Panel | Network & Sharing Center | Change Adapter Settings and right-click on your Ethernet adapter (or any adapter with internet connection) and bring up properties. Change to “Sharing” tab and enable the check box “Allow other network users …”. In the combo box below, select the newly created virtual WiFi adapter.

• Now, go back to the device (TV or mobile) and refresh WiFi access points. You should see the newly created access point ssid1 that the device can connect to.
• That’s it. Have fun with the hacking.

PS: btw, there are some free tools like Vritual Router and Connectify that simplify the steps above into simple UI, but I had little success in snooping on WiFi traffic with them.

Scheduling tasks in Windows 2003 – Mysterious “0x80070005: Access is denied” Error

Yesterday, I was trying to automate couple of backup related tasks on a production windows 2003 server. My estimate was about an hour at max but turned out to be more than half a day’s work 😦

Windows has this little known featured called “Task Scheduler” that lets you create a batch task and schedule it. This is one feature that morphs into different shapes and gets hidden in unknown places with every release of new windows version. There is a good chance that you would have noticed this service in services applet but not the UI to invoke it.

Anyway, one good way to find this on windows 2003 is via Control Panel | Scheduled Tasks. I bet this is changed in windows 7.

Another way is to navigate to <Windows Folder>\Tasks folder in Explorer. Although this is not a real folder, you can operate as one (editing, deleting files etc).

So, I created a new task with all scheduling parameters. Since the backup program requires the user running the task to be an administrator, I specified the user to “run as” administrator with the right password. When I try to save the newly created task, I get this mysterious error although the task gets saved.

The message “Access is denied” calls out for my subconscious response of double checking the password (but I was pretty sure it was correct) and try again. No luck, the error message doesn’t go away. I don’t try to think when I see these kind of errors these days – thanks to Google. So, I fire few quick searches. Searching for “0x80070005: Access is denied” is not good enough as  0x80070005 is a generic error code like E_FAIL. So, I add some context and try again. I also tried searching for exact message.  Tried searching at support.microsoft.com as their knowledge base is usually good. The search results point me to the following few solutions but said in umpteen different ways.

• Scheduling tasks doesn’t support blank passwords, so must use a non-blank password
• The permissions on <Windows Folder>\Tasks folder may have been messed up, try resetting them (CACLS TASKS /E /G builtin\administrators:F )
• Try deleting the task, restart “Task Scheduler” service and create the task again
• Reboot windows

None worked. I expected at least the last one to do the usual magic, but naah, not this time.  Looking at the search results and the forum discussions, it is surprising that so many people are facing this issue since 2005 and many of them left with no solutions. Also looking at the irrelevant search results coming up in the first few pages, I wonder if google search engine is hacked badly by SEO optimizations.

I thought, I will give up and find some open source or a third party scheduling solution. Keeping google aside, I started looking at the message more carefully and trying to understand what is going wrong.  Clearly, the problem is with setting the “Run as” user details because I do see the task getting created. So, I fired up “Event Viewer” and was trying to dig in for any useful information.

What catches my attention is this event:

The highlighted text brought back painful debugging memories of COM/DCOM days, trying to troubleshoot processes not having rights like “Act as part of Operating System”, “Log on as service” etc. Even though this message doesn’t specify which “Log on as” right is the problem (other than the numeral 4), I knew where to look next. I brought up the Local Security Policy Manager and started looking at the rights assignments.

I see “Log on as a batch job” and “Log on as a service” rights. Clearly, the latter cannot be the rights in question. But Administrator has both of these rights. It doesn’t make sense. And there are no other “Log on” rights to worry about.  As I scroll up, I notice that there are a series of “Deny log on as …” rights.

To my surprise, Administrator is part of “Deny log on as a batch job”.  Since “Deny” rights are processed before the “Allow” rights, my “Scheduled Task” creation is failing. Once I fixed this, everything started working fine.

This is a brand new instance of Windows 2003 R2 server. It is not clear to me as to why “Administrator” is not allowed, by default, to run batch jobs. It could have been added due to some exploits, but I didn’t bother to spend more time on this as it is already past midnight. I wish the error messages could have been little more detailed…