Yesterday, I noticed some ads for upcoming Amazon Prime TV shows have appeared on my Samsung “smart” TV (Serie 6). Apparently, they are provided by a preinstalled app called “Tv Plus”, developped by Rakuten Group and which I cannot uninstall. I cannot uninstall other preinstalled apps as well, such as Netflix.
I really don’t like paying an expensive smart TV and getting ads on it, so I investigated it a bit, trying to find a way to shut them down. Here are my findings.
First idea was to simply run mitmproxy on my laptop and find what was going on on the TV. Unfortunately, no matter how smart the TV is, there is no way to set some proxy settings, and I did not want to look for a workaround for too long. Then, I simply connected my TV to my Ethernet port on my laptop and created a bridge with Wifi interface to monitor what was going on with Wireshark, using this script.
I discovered that, even when the TV was shutdown (or at least seemed to be), it was making several queries per minute to a bunch of servers! Here is a quick list of servers contacted at least once per minute for about 15 mins:
ads.samsungads.com samsungads.com gpm.samsungqbe.com osb.samsungqbe.com osb-apps.samsungqbe.com osb-eusvc.samsungqbe.com cdn.samsungcloudsolution.com musicid.samsungcloudsolution.com notice.samsungcloudsolution.com noticecdn.samsungcloudsolution.com time.samsungcloudsolution.com lcprd2.samsungcloudsolution.net configprd.samsungcloudsolution.net otnprd8.samsungcloudsolution.net otnprd9.samsungcloudsolution.net otn.samsungcloudcdn.com samsungotn.net www.samsungotn.net prod-kami.wuaki.tv prod-tvplus-pmd.akamai.cdn.wuaki.tv netflix.com api-global.geo.netflix.com many other *.netflix.com
Wow, that’s a lot! Besides samsung domains, it contacts
netflix.com at least
once per minute (WTF, I don’t even have a Netflix account…) and
which is owned by Rakuten Group.
Then, I set up my local resolver to resolve all these domains to
and the ads went away! Or so I thought…
Two major things happened at this point:
1. First, the TV started contacting
probably some crash-reporting endpoint to notify Samsung about not being
able to contact other domains anymore. That’s not a big deal, one should
just include it as well in the local resolver config.
2. Second, and more concerning, the TV started contacting
Google Public DNS…) because I was blocking requests through my DNS
resolver. This seems to be hardcoded and to be a fallback whenever the DNS
resolver is not responding what the TV expects.
My ISP router (Freebox Mini) does not let me add static routes to block
220.127.116.11. The TV is behing an OpenWRT bridge (without routing as it is a pity
to configure to let DLNA pass through), and bridges can’t filter out at L3
level (apparently, it could be possible with
ebtables, but I could not get
In the end, a quick and dirty solution was to make the local resolver return
an IP address of a local webserver I control and would answer any requests,
and the number of DNS queries to
18.104.22.168 dropped. That’s not perfect and it
still makes some queries, but at least I no longer have ads.
Finally, the TL,DR is: Your Samsung TV is contacting a LOT of domains, even when it is offline. My Unbound config which helped me get rid of the ads is:
# TV starts querying for eth0 domain, WTF? This is just to prevent unnecessary # traffic upstream. local-zone: "eth0" redirect local-data: "eth0 86400 IN AAAA ::1" local-zone: "samsungads.com" redirect local-data: "samsungads.com 86400 IN A 192.168.0.1" local-data: "samsungads.com 86400 IN AAAA ::1" local-zone: "samsungqbe.com" redirect local-data: "samsungqbe.com 86400 IN A 192.168.0.1" local-data: "samsungqbe.com 86400 IN AAAA ::1" local-zone: "samsungacr.com" redirect local-data: "samsungacr.com 86400 IN A 192.168.0.1" local-data: "samsungacr.com 86400 IN AAAA ::1" local-zone: "samsungcloudsolution.com" redirect local-data: "samsungcloudsolution.com 86400 IN A 192.168.0.1" local-data: "samsungcloudsolution.com 86400 IN AAAA ::1" local-zone: "samsungcloudsolution.net" redirect local-data: "samsungcloudsolution.net 86400 IN A 192.168.0.1" local-data: "samsungcloudsolution.net 86400 IN AAAA ::1" local-zone: "samsungcloudcdn.com" redirect local-data: "samsungcloudcdn.com 86400 IN A 192.168.0.1" local-data: "samsungcloudcdn.com 86400 IN AAAA ::1" local-zone: "samsungotn.net" redirect local-data: "samsungotn.net 86400 IN A 192.168.0.1" local-data: "samsungotn.net 86400 IN AAAA ::1" local-zone: "wuaki.tv" redirect local-data: "wuaki.tv 86400 IN A 192.168.0.1" local-data: "wuaki.tv 86400 IN AAAA ::1" # This trick with TV_IP and local-zone-override is here to block Netflix only # on TV, in case other computers on my network want to use Netflix. TV has to # get a static DHCP lease. local-zone: "netflix.com" always_transparent local-data: "netflix.com 86400 IN A 192.168.0.1" local-data: "netflix.com 86400 IN AAAA ::1" local-zone-override: "netflix.com" TV_IP redirect
192.168.0.1 is a webserver answering any request.
- It still makes some API calls to Samsung domains, by resolving through
22.214.171.124, but it is a pity to block in my setup. If you happen to have some ideas, I’m really interested! (Or I might simply buy a router…)
Note: Of course, one of the obvious thing to do would be to simply not connect the TV to the network. But then, there is no point in having a smart TV… (and stuff such as UPnP/DLNA streaming are very convenient, I don’t want to loose it). Other option would be to simply let it access the local network and not the internet, but my boyfriend sometimes watches Youtube and web services directly on the TV, so whatever solution I could come up with should leave these features intact.
Note: These API calls made by the TV might be legit. Still, blocking them
did not result in any loss of functionnality so far (besides maybe
auto-update). They are all encrypted and I did not set up a
check what actual data was sent. If anyone has a simple idea to set it quickly
when the other device don’t let us set proxy settings, I’m more than
Update: I tried to sniff the queries with
mitmproxy used as a
transparent proxy, but there is no way to make the TV trust
certificate, then it does not seem to be feasible (TV drops connections when
it realizes that the certificate is invalid).
Update: Actually it is quite simple to set up an OpenWRT to let it pass
DLNA content from WAN to LAN (see the
Basically, you have to install
igmpproxy and follow the wiki
igmpproxy to set it. Don’t forget to disable
you want WiFi clients from your router to be able to broadcast to wired
clients (otherwise only wired clients can stream apparently). In the end, it
works great and I can isolate the TV :) Then, it is better to simply use
127.0.0.1 rather than redirecting to a catchall webserver.
Update: I discovered that actually the apps on the TV can run in background, and it appears there is no way to close them. Then, if you open Netflix once, even without connecting, the Netflix app will stay in background and it is the reason why I had so many requests to Netflix. It seems that after some time the app will close and the TV will no longer make such requests.