Thursday, January 24, 2013

How the Samsung SMART Air conditioners/appliances work remotely

I bought a smart air conditioner, and am marvelling at the fact I can control it from my phone.

What I'm less happy about is the fact I can only control it from my phone; and that my local network has decided to stop letting me talk to the air con.

I fired up wireshark, and here's what I know so far:

Like most devices, the air conditioner is basically running UPnP services. Packets are sent via SSDP (http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol) so that my Android phone and the air con can discover each other.


Here's my phone asking over HTTPU (HTTP UDP) for air conditioners via multicast:
NOTIFY * HTTP/1.1
LOCATION: 192.168.1.2
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=20
SERVER: AIR CONDITIONER
MAC_ADDR: 98:0c:82:f4:d4:5c
SPEC_VER: MSpec-1.00
SERVICE_NAME: ControlServer-MLib
MESSAGE_TYPE: CONTROLLER_START



... and the air conditioner starts to respond:

NOTIFY * HTTP/1.1
LOCATION: http://192.168.1.4
NTS: ssdp:alive
CACHE_CONTROL: max-age=60
HOST: 255.255.255.255:1900
SERVER: SSDP,SAMSUNG-AC-BORACAY
MAC_ADDR: 7825AD103D06
SERVICE_NAME: ControlServer-MLib
SPEC_VER: MSpec-1.00
MESSAGE_TYPE: DEVICEDESCRIPTION
NICKNAME: 536D61727420412F432837383235414431303344303629
MODELCODE: SAMSUNG_DEVICE

Unfortunately, my air con actually lives at 192.168.1.7; the web application isn't smart enough to respond to changing IP addresses, even if the web server and everything else is.
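An added example, not from the original post: a small Python parser for the air conditioner's announcement above. It decodes the hex NICKNAME, derives the colon-free DUID from MAC_ADDR, and flags a LOCATION that differs from the address the datagram really came from. The message text and the address 192.168.1.7 are taken from the post; the function names are made up here.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: the air conditioner's announcement as quoted in the post.
ANNOUNCEMENT = (
    "NOTIFY * HTTP/1.1\r\n"
    "LOCATION: http://192.168.1.4\r\n"
    "NTS: ssdp:alive\r\n"
    "CACHE_CONTROL: max-age=60\r\n"
    "HOST: 255.255.255.255:1900\r\n"
    "SERVER: SSDP,SAMSUNG-AC-BORACAY\r\n"
    "MAC_ADDR: 7825AD103D06\r\n"
    "SERVICE_NAME: ControlServer-MLib\r\n"
    "SPEC_VER: MSpec-1.00\r\n"
    "MESSAGE_TYPE: DEVICEDESCRIPTION\r\n"
    "NICKNAME: 536D61727420412F432837383235414431303344303629\r\n"
    "MODELCODE: SAMSUNG_DEVICE\r\n\r\n"
)

def parse_announcement(datagram: str) -> dict:
    """Split an HTTPU message into its start line and upper-cased header map."""
    lines = datagram.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"start_line": lines[0], "headers": headers}

def describe_device(datagram: str, source_ip: str) -> dict:
    """Decode the vendor fields and compare LOCATION with the real sender."""
    h = parse_announcement(datagram)["headers"]
    location = h.get("LOCATION", "")
    # The phone's own message carries a bare IP, the device's a URL; accept both.
    host = urlsplit(location).hostname if "://" in location else location
    try:
        nickname = bytes.fromhex(h.get("NICKNAME", "")).decode("utf-8")
    except ValueError:
        nickname = None  # not hex, or not valid UTF-8
    advertised = ip_address(host) if host else None
    return {
        "duid": h.get("MAC_ADDR", "").replace(":", "").upper(),
        "nickname": nickname,
        "advertised_ip": str(advertised) if advertised else None,
        "stale_location": advertised != ip_address(source_ip),
    }
```

Calling describe_device(ANNOUNCEMENT, "192.168.1.7") reports the nickname as "Smart A/C(7825AD103D06)" and marks the advertised location as stale.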



I'm not entirely sure why, but my phone tends to flood packets out there - I presume the people who put the phone app together wanted to avoid dodgy local wireless problems; and this now explains why my air con is always discovered quickly, but the screen keeps 'loading'.



Strangely, for the local in-home network stuff, it looks like my air conditioner is talking to a Samsung-owned service to give it status updates, even when I'm on my local network:
211.45.27.216

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 111
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 24 Jan 2013 10:38:31 GMT


<rsp stat="ok"></rsp>
<device duid="7825AD103D06" message="Off"></device>

Attempt #2: There's an online service you can use.
Now, our clever friends at Samsung have done the right thing and made communication with their services via HTTPS - at least from the Android app to the SOAP service. Weirdly, the air conditioner does not speak HTTPS; and seems to be sending packets to the Samsung control service, not my phone directly.

I looked at a few packets, but at this point, I was pretty much fed up - I'm not going to do a MITM attack via my router, and redirect traffic to a HTTP proxy I control; I'm not going to reroute traffic, and sticking the app in an android emulator to sniff the packets is annoyingly hard.

So, what's really left to do but... log in to the website and look at what's going on there?





This looks like paydirt - there are numerous JavaScript files which are hitting endpoints to execute commands.
It's probably a fairly safe assumption that those endpoints are just RESTful wrappers around the underlying web service.

Two are of quite a lot of interest, if ... dubious quality:
http://global.samsungsmartappliance.com/Content/js/communication/commMgr.js
http://global.samsungsmartappliance.com/Content/js/communication/Device/Device.js

Looking in Firebug/Chrome's console, you can see that the device traffic is going back and forth, with an incrementing token continually polling my air conditioner for status.

When you actually execute a command, a fairly simple request is sent:


Request URL: http://global.samsungsmartappliance.com/Communication/setControl
Request Method: POST
Status Code: 200 OK

Request Headers
Accept: application/xml, text/xml, */*; q=0.01
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Connection: keep-alive
Content-Length: 122
Content-Type: text/xml
Cookie: ASP.NET_SessionId=y3akcf55bfxtcnzhd0hyz5ru; Language=en; Country=GB; LoginLanguage=en; iPlanetDirectoryPro=AQIC5wM2LY4Sfcy5aJdOInrRhyDKEyNfWseX44FQLVR9hZI%3D%40AAJTSQACMDIAAlMxAAIwNQ%3D%3D%23; GMT=10.5
Host: global.samsungsmartappliance.com
Origin: http://global.samsungsmartappliance.com
Referer: http://global.samsungsmartappliance.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17
X-Requested-With: XMLHttpRequest

Request Payload

Response Headers
Cache-Control: private
Content-Length: 100
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Jan 2013 12:40:11 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
X-Powered-By: ASP.NET


Most of the other status information has included the MAC address of the air conditioner as the "DUID" - it's stripped of colons, but otherwise identical. While we can't tell what's in the session on the Samsung side, I would not be surprised if it were a simple variable named DUID, which identifies where the command should be sent.

More interestingly, the requests can be replayed; so assuming you have a valid cookie that contains the right DUID, you can just send RESTful requests.

I'm going to assume that there's some kind of ESB or similar taking these requests and distributing them from my phone/browser to the aircon; as the traffic to the aircon is different to the endpoint my phone / browser speaks to.
There is a delay, perhaps 3-5 seconds, which is about what I would expect if there was a Giant Messaging Queue in use here; and to be honest the site seems to go down regularly - some service faceplanting seems likely.

The fact it's jQuery + XML being used also suggests there's an Enterprise Service Beast in play - though JSON is more common, the transformation between formats is a bit easier if you can hit it with an XSLT.


The use of a session would normally make things more secure... but the control to manipulate that value appears to be right out in the open.


Request URL: http://global.samsungsmartappliance.com/Communication/selectDevice?_=1359032361539
Request Method: GET
Status Code: 200 OK

Request Headers
Accept: application/xml, text/xml, */*; q=0.01
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Connection: keep-alive
Cookie: ASP.NET_SessionId=y3akcf55bfxtcnzhd0hyz5ru; Language=en; Country=GB; LoginLanguage=en; iPlanetDirectoryPro=AQIC5wM2LY4Sfcy5aJdOInrRhyDKEyNfWseX44FQLVR9hZI%3D%40AAJTSQACMDIAAlMxAAIwNQ%3D%3D%23; GMT=10.5
duid: 7825AD103D06
Host: global.samsungsmartappliance.com
master_duid:
Referer: http://global.samsungsmartappliance.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17
X-Requested-With: XMLHttpRequest

I doubt you could hijack someone else's air con if you knew the mac address, but for devices associated with your account...
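An added example (not Samsung's code, and not from the original post) of the server-side check this concern calls for: the client-supplied duid header is only bound into the session when the logged-in account has that device registered. The account registry, the session dict, the status codes and all function names are hypothetical; the post does not show how the real service validates the header.

```python
import re
from typing import Optional

DUID_RE = re.compile(r"[0-9A-F]{12}")

# Constructed sample data: which DUIDs each account has registered.
REGISTERED = {
    "alice": {"7825AD103D06"},
    "bob": {"001122334455"},
}

def normalise_duid(raw: str) -> Optional[str]:
    """Accept a MAC with or without separators; return 12 upper-case hex digits."""
    candidate = re.sub(r"[:\-]", "", raw.strip()).upper()
    return candidate if DUID_RE.fullmatch(candidate) else None

def select_device(session: dict, headers: dict, registered=REGISTERED) -> int:
    """Hypothetical selectDevice handler; returns an HTTP status code.

    The duid header is client-controlled, so it is treated as a request only.
    The device is bound to the session only if the logged-in account owns it.
    """
    account = session.get("account")
    if account is None:
        return 401                      # no authenticated session
    duid = normalise_duid(headers.get("duid", ""))
    if duid is None:
        return 400                      # missing or malformed identifier
    if duid not in registered.get(account, set()):
        return 403                      # knowing a MAC address is not a credential
    session["duid"] = duid              # later setControl calls use this value
    return 200
```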


At this point I have two good avenues to explore:
  • Local network - I need to fix the IP addresses, and see what's going on after the SSDP phase. I had to authorise my phone, so I suspect that Samsung provides a third party service that verifies allowed MAC addresses prior to opening all of the communication flood gates.
  • Pretend to be a browser, and invoke the RESTful services. If I supply my credentials, I can get the session I need - then the API is just a few POST requests away.

I'm likely to do the latter, unless I can figure out how to power cycle my aircon properly, and get it understanding its IP address.


7 comments:


Danwil02 said...

Hey mate, looking at doing something similar at my house with the same aircon setup. Did you end up implementing your second approach?
