Open Source software runs the world (or “how to hack you TV”)

Por Fernando Apesteguía
Project Manager en OpenSistemas

Open Source software runs the world. Literally. Thirty years ago, most of the critical and noncritical systems that required software used proprietary systems. Bank data centers run on Solaris, HP-UX, AIX, etc. Some other companies would use Windows 2000 and other operating systems in that family.

Talking about non-critical systems, most of them used obscure proprietary systems. The source code was not available and the protocols used to talk to other devices were not public either.

With the expansion of Open Source software over twenty years ago, this situation started to change. Big data centers are ruled by Linux and (at some extent) FreeBSD (look at Google, Yahoo, Whatsapp, Yandex…). Big Government Agencies use these systems too. Bank data centers now run Linux in favour of proprietary Unix systems. Most of the specific software running on this systems is developed using open source tools too.

Network infrastructure world wide is based on open source operating systems. Take JunOS as an example of a FreeBSD-based operating system behaving rock solid at the core of the Internet.

And what about consumer electronics? Well… Linux is everywhere! Android is a linux kernel wrapped in Java software, media centers run either Android or specific Linux distributions. Smart watches, TV, DVD players… the list is unlimited. Panasonic has been reported to use FreeBSD in their Viera receivers. Orbis OS, the operating system of the Sony Play Station 4 is based on FreeBSD too.

Take my TV as an example (LG 32LH301C). It has Linux inside among with other software like busybox and uClibc. That’s pretty cool because they (LG) are obliged by the license to provide me with the software. I need to ask them for a DVD and they’ll send it.

This philosophy spreads rapidly: open software, open standards, open protocols. The TV I talk about has a serial port that can be used as a communication channel by sending commands. And the protocol is specified in the instructions. No reverse engineering, no time lost. Just openness. Well, let’s do something with it 🙂

The protocol is extremely simple. It’s based on ASCII codes. Every letter is a command (it has a meaning). Some of them need parameters too. So basically we just need to send strings. With these strings (or commands) we can ask the TV to do things like change the channel, dim the brightness, lower the volume, etc. What are we going to need?

Arduino Duemilanove board (other Arduino/Raspberry/Beaglebone will do just fine).
Some cables.

– 4 micro F. Capacitors
– 2 10K resistors (other values could play find with your own photoresistor).
– A max232
– A breadboard.
– Some sensors to play with: I used a photoresistance and a ultrasonic distance sensor.

“Wow, wow, wow… what’s a max232?” Yep, that need explanation. The Arduino uses TTL logic. This means that 5V maps to a logic 1 and 0V maps to a logic 0. Actually something above 3V is considered to be 1 and something below 1.5V usually is considered to be a 0. This ranges can vary with low power electronics too… but let’s get to the point. A serial port (RS232) does not use TTL logic. It uses -15V..-3V to transmit a binary 1 and 3V..15V to transmit a binary 0. This means that when 5V means “1” for the Arduino, it means something different for the serial port. RS232 voltages are way too high for today electronics and they are inverted too. That’s where the max232 saves our day. This simple chip converts from TTL to RS232 and the other way around. And that’s all we need to know about the max232 🙂

Below there’s a picture of the schematics. The connections are simple:

Post1_ok_ok

The one above uses a photoresistance to capture the illumination of room and act accordingly. I used two resistances of 10K to calibrate the readings of the photoresistance and have a range of values I felt comfortable with. However you could use different values for the resistors accordingly to your preferences.

The rest of the schematics just sets up the max232. The capacitors are pump capacitors used to raise or lower the voltage.

Let’s look at the other schematics:

Post2

Pretty similar to the previous one. I use a SRF05 to get distance measurements. According to that values, we send the commands to the TV to raise or lower the volume.

Now for the software: the library is just a collection of small functions. Every one of them compose the string that represent its command and use the _lg_create_command and _lg_send_command function to send it out of the Arduino, through the max232 all the way to the serial port of the TV. Here is a snippet of the library code:

/* Command composition */
int
_lg_create_command(const char cmd1, const char cmd2, const char data)
{
/* Clear buffer */
memset(cmd_buff, 0, BUF_SZ);

/* Build the command string */
if (sprintf(cmd_buff, CMD_FMT, cmd1, cmd2, ID, data) < 0) {
/* Some error occurred */
return -1;
}

return 0;
}

void
_lg_send_command()
{
LG_DEBUG(cmd_buff);
printf("%s", cmd_buff);
}

void
_lg_tv_send_command(const char cmd1, const char cmd2, const char data)
{
_lg_create_command(cmd1, cmd2, data);
_lg_send_command();
}

I wrote two small programs as a proof of concept. The first one implements what LG calls “intelligent sensor“. This technology allows the TV to change the brightness of the screen in function of the illumination of the room, hence saving power. We can use the library and a small photoresistance to implement our own intelligent sensor!

Video LG’s intelligent sensor

The other code uses an SRF05 sensor to measure the distance and change the volume accordingly. This is pretty cool! It’s like changing the volume like a Jedi! See, the code is basically the same. There are just some small differences because the two sensors use different number of pins and the calibration is different.

Video: volume control

I hope you enjoyed the videos. One must back his words with actions so, here you have all the code. It is licensed under the Simplified BSD License so you can use it freely 🙂

Share and be happy!