Georg Lukas, 2024-05-22 18:04

Starting in 2009, Samsung has created a wide range of compact cameras with built-in WiFi support, spread over multiple product lines. This is a reference and data collection of those cameras, with the goal to understand their WiFi functionality, and to implement image uploads on the go.

This is a follow-up to the Samsung NX mirrorless archaeology article, which also covers the Android-based compact cameras.

If you are in Europe and can donate one of the "untested" models, please let me know!

Model Line Overview

Samsung created a mind-boggling number of different compact cameras over the years, apparently with different teams working on different form factors and specification targets. They were grouped into product lines, of which only a few were officially explained:

  • DV: DualView (with a second LCD on the front side for selfies)
  • ES: unknown, no WiFi
  • EX: high-end compact (maybe "expert"?)
  • NV: New Vision, no WiFi
  • MV: MultiView
  • PL: unknown, no WiFi
  • SH: unknown
  • ST: Style feature
  • WB: long-zoom models

Samsung compact cameras on a shelf

Quite a few of those model ranges also featured cameras with a WiFi controller, allowing to upload pictures to social media or send them via email. For the WiFi-enabled cameras, Samsung has been using two different SoC brands, with multiple generations each:

  1. Zoran COACH ("Camera On A CHip") based on a MIPS CPU.

  2. DRIM engine ("Digital Real Image & Movie Engine") ARM CPU, based on the Milbeaut (later Fujitsu) SoC.

WiFi Cameras

This table should contain all Samsung compacts with WiFi (I did quite a comprehensive search of everything they released since 2009). It is ordered by SoC type and release date:

Camera Release SoC Firmware Upload Working
Zoran COACH (MIPS)
ST1000 2009-09 COACH 10 N/A unknown serviceproviders API endpoint
SH100 2011-01 COACH ?? 1107201 ✔️ (fw. 1103021)
ST200F 2012-01 COACH 12: ZR364249NCCG 1303204 ✔️ Yahoo (fw. 1303204(*))
DV300F 2012-01 COACH 12 1211084 ✔️ (fw. 1211084)
WB150F 2012-01 COACH 12 ML? 1208074 ✔️ (fw. 1210238)
WB35F, WB36F, WB37F 2014-01 COACH 12: ZR364249BGCG N/A ✔️ MSN (WB35F 1.81; WB37F 1.60 and 1.72)
WB50F 2014-01 COACH ?? N/A ✔️ MSN cookie (fw. 1.61)
WB1100F 2014-01 COACH 12: ZR364249BGCG N/A ✔️ MSN (fw. 1.72?)
WB2200F 2014-01 COACH ??: ZR364302BGCG N/A 🤷 email (fw. 0.c4)
Milbeaut / DRIM engine (ARM)
WB850F 2012-01 DRIM engine III? 210086 ✔️ Yahoo (fw. 210086)
EX2F 2012-07 DRIM engine III 1301144 ✔️ Yahoo (fw. 303194)
WB200F 2013-01 Milbeaut MB91696 N/A ❌ hotspot (fw. 1411171)
✔️ MSN (fw. 1311191)
WB250F 2013-01 Milbeaut MB91696 1302211 ✔️ (fw. 1302181)
WB800F 2013-01 Milbeaut MB91696 1311061 ✔️ MSN redirect (fw. 1308052)
DV150F 2013-01 Milbeaut MB91696 N/A ✔️ MSN redirect (fw. 1310101)
ST150F 2013-01 Milbeaut MB91696 N/A ✔️ MSN redirect (fw. 1310151)
WB30F, WB31F, WB32F 2013-01 Milbeaut M6M2 (MB91696?) 1310151 ✔️ hotspot (WB31F fw. 1310151(**))
WB350F, WB351F 2014-01 Milbeaut MB865254? N/A ✔️ (WB351F fw. GLUANC1)
WB380F 2015-06? Milbeaut MB865254? N/A ✔️ (fw. GLUANL6)
Unknown / unconfirmed SoC
MV900F 2012-07 Zoran??? N/A untested
DV180F 2015? same Milbeaut as DV150F? N/A untested

Legend:

  • ✔️ = works with samsung-nx-emailservice.
  • ✔️ Yahoo/MSN = works with a respective cookie response.
  • ❌ hotspot = camera mis-detects a hotspot with a login requirement, opens browser.
  • 🤷 WB220F = there is a strange issue with the number of email attachments
  • untested = I wasn't (yet) able to obtain this model. Donations are highly welcome.
  • pending = I'm hopefully going to receive this model soon.
  • (*) the ST200F failed with the 1203294 firmware but worked after the upgrade
  • (**) the WB31F failed with the 1411221 firmware but worked after the downgrade to the WB30F firmware 1310151! to 1303204.
  • "N/A" for firmware means, there are no known downloads / mirrors since Samsung disabled iLauncher.
  • "fw. ???" means that the firmware version could not be found out due to lack of a service manual.

There are also quite a few similarly named cameras that do not have WiFi:

  • DV300/DV305 (without the F)
  • ST200 (no F)
  • WB100, WB150, WB210, WB500, WB600, WB650, WB700, WB750, WB1000 and WB2100 (again, no F)

Hotspot Detection Mode

Most of the cameras only do a HTTP GET request for http://gld.samsungosp.com (shut down in 2021) before failing into a browser. This is supposed to help you login in a WiFi hotspot so that you can proceed to the upload.

Redirecting the DNS for gld.samsungosp.com to my own server and feeding back a HTTP 200 with the body "200 OK", as documented in 2013 doesn't help to make it pass the detection.

There is nothing obvious in the PCAP that would indicate what is going wrong there, and blindly providing different HTTP responses only goes this far.

Brief Firmware Analysis

Samsung used to provide firmware through the iLauncher PC application, which downloaded them from samsungmobile.com. The download service was discontinued in 2021 as well. Most camera models never had alternative firmware download locations, so suddenly it's impossible to get firmware files for them. Thanks, Samsung.

The alternative download locations that I could find are documented in the firmware table above.

Obviously, the ZORAN and the DRIMe models have different firmware structure. The ZORAN firmware files are called <model>-DSP-<version>-full.elf but are not actually ELF files. Luckily, @jam1garner already analyzed the WB35F firmware and created tools to dissect the ELFs. Unfortunately, none of the inner ELFs seem to contain any strings matching the social media upload APIs known from reverse-engineering the upload API. Also the MIPS disassembler seems to be misbehaving for some reason, detecting all addresses as 0x0:

int DevHTTPResponseData(int param_1,int param_2,int param_3)
{
  /* snip variables */
  if (uRam00000000 != 0) {
    (*(code *)0x0)(0,param_1);
  }
  (*(code *)0x0)(0,param_1,param_3);
  if (uRam00000000 != 1) {
    (*(code *)0x0)(param_2,param_3);
    ...

The DRIMe firmware files follow different conventions. WB850F and EX2F images are uncompressed multi-partition files that are analyzed in the WB850F reverse engineering blog post.

All other DRIMe models have compressed DATA<model>.bin files like the NX mini, where an anlysis of the bootloader / compression mechanism needs to be performed prior to analyzing the actual network stack.

Yahoo! Hotspot Detection

Some models (at least the ST200F and the WB850F) will try to connect to http://www.yahoo.co.kr/ instead of the Samsung server. The WB1100F will load http://www.msn.com/. Today, these sites will redirect to HTTPS, but the 2012 cameras won't manage modern TLS Root CAs and encryption, so they will fail instead:

WB850F showing an SSL error

Redirecting the Yahoo hostname via DNS will also make them connect to our magic server, but it won't be detected as proper Yahoo!, showing the hotspot detector. Preliminary reverse engineering of the uncompressed WB850F firmware shows that the code checks for the presence of the string domain=.yahoo in the response (headers). This is normally a part of a cookie set by the server, which we can emulate to pass the hotspot check. Similarly, it's possible to send back a cookie for domain=.msn.com to pass the WB1100F check.

Screw the CORK

The Zoran models have a very fragile TCP stack. It's so fragile that it won't process an HTTP response served in two separate TCP segments (TCP is a byte stream, fragmentation into segments should be fully abstracted from the application). To find that out, the author had to compare the 2014 PCAP with the PCAPs from samsung-nx-emailservice line by line, and see that the latter will send the headers and the body in two TCP segments.

Luckily, TCP stacks offer an "optimization" where small payloads will be delayed by the sender's operating system, hoping that the application will add more data. On Linux, this is called TCP_CORK and can be activated on any connection. Testing it out of pure despair suddenly made at least the ST200F and the WB1100F work. Other cameras were only tested with this patch applied.

GPS Cameras

Of the WiFi enabled models, two cameras are also equipped with built-in GPS.

The ST1000 (also called CL65 in the USA), Samsung's first WiFi model, comes with GPS. It also contains a location database with the names of relevant towns / cities in its firmware, so it will show your current location on screen. Looks like places with more than ~10'000 inhabitants are listed. Obviously, the data is from 2009 as well.

The WB850F, a 2012 super-zoom, goes even further. You can download map files from Samsung for different parts of the world and install the maps on the SD card. It will show the location of taken photos as well, but not from the ones shot with the ST1000.

WB850F showing a geo-tagged photo

And it has a map renderer, and might even navigate you to POIs!

WB850F showing a map

WiFi Camcorders

Yes, those are a thing as well. It's exceptionally hard to find any info on them. Samsung also created a large number of camcorders, but it looks like only three models came with WiFi.

From a glance at the available firmware files, they also have Linux SoCs inside, but they are not built around the known ZORAN or DRIMe chips.

The HMX-S10/S15/S16 firmware contains a number of S5PC110 string references, indicating that it's the Exynos 3110 1GHz smartphone CPU that also powered a number of Android phones.

The QF20 and QF30 again are based on the well-researched Ambarella A5s. The internet is full of reverse-engineering info on action cameras and drones based on Ambarella SoCs of all generations, including tools to disassemble and reassemble firmware images.

The QF30 is using a similar (but different!) API as the still cameras, but over SSL and without encrypting the sensitive XML elements, and does not accept the <Response> element yet.

Camera Release SoC Firmware Working
HMX-S10, HMX-S15, HMX-S16 2010-01 Samsung S5PC110/Exynos 3110(??) 2011-11-14 untested
HMX-QF20 2012-01 Ambarella A5s 1203160 untested
HMX-QF30 2013-01 Ambarella A5s 14070801 ✔️ SSLv2 (fw. 201212200)

Legend:

  • ✔️ SSLv2 = sends request via SSLv2 to port 443, needs something like socat23

Discuss on Mastodon