TP-Link Tapo P100

Hi guys,

I’m in the same boat, got 4 of these and really wanted to get them integrated.
I tried the method suggested by lorenzor95 but unfortunately after having my Token issued when I’m trying to get the devices list I get the following error:

{
    "error_code": -20104,
    "msg": "Parameter doesn't exist"
}

So right now I’m trying to follow the process that was used on the HS1XX series posted by iain on his second link, but so far my Nmaps haven’t proved very useful.

Anyone had any progress with this?

Hi guys,

A couple of advances:

After using these parameters:

{
        "method" : "login",
        "params": {
            "appType": "Tapo_Ios",
            "cloudPassword": "password",
            "cloudUserName": "[email protected]",
            "terminalUUID": "6ff68c53-6057-40f3-a266-b2e41404c809"
        }
}

I’m getting my list of devices:

{
    "error_code": 0,
    "result": {
        "deviceList": [
            {
                "deviceType": "SMART.TAPOPLUG",
                "role": 0,
                "fwVer": "1.3.2",
                "appServerUrl": "https://eu-wap.tplinkcloud.com",
                "deviceRegion": "eu-west-1",
                "deviceId": "deviceId",
                "deviceName": "P100",
                "deviceHwVer": "1.0",
                "alias": "alias",
                "deviceMac": "Mac",
                "oemId": "9552772F906C60A9AEEA36A3347B6EBC",
                "deviceModel": "P100",
                "hwId": "9994A0A7D5B29645B8150C392284029D",
                "fwId": "1D18AD293A25ABDE41405B20C6F98816",
                "isSameRegion": true,
                "status": 0
            },

However when using old requests from TP-Link KASA Api I’m getting the following:

{
    "method": "passthrough",
    "params": {
        "deviceId": "deviceId"
    }
}

Response:

{
    "error_code": -20571,
    "msg": "Device is offline"
}

I’m running out of ideas now, I’ve been trying to Nmap the devices and so far I just see requests from the iOS app to UDP port 20002 but they go to the broadcast address.
Anyone made any other progress?

3 Likes

Alright guys another update:
Although the TAPO devices are listed in the API, I’m not able to manipulate them.
But my NC220 IPCamera, does appear on the list of devices on TPCloud.
That makes me wonder if the API for the TAPO devices is actually the same as the ones from KASA, or if the API is even prepared to deal with them.
Will try to dig up a bit more tonight.

1 Like

Hi,

I just sent through the same method with that body (Not sure what you meant by this)

but I was still getting the same Error_code: -1

In other news I have played around with the appType field of the login and I believe that it doesn’t actually affect the outcome as I could add any string to it and I could still see all my devices.

I’m going to continue some digging this evening,
Thanks

So I am using Charles web proxy on iOS and I can get this from the Tapo app

Request to 192.168.1.10

{
	"params": {
		"key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GN____(removed)____\n-----END PUBLIC KEY-----\n"
	},
	"method": "handshake",
	"terminalUUID": "EE77ED1B-xxxx-4AE2-8F54-21DC7F74xxxx"
}

Response

{
	"error_code": 0,
	"result": {
		"key": "gXlObI8mQQjYe6E___(removed)__"
	}
}

Request to 192.168.1.10

{
	"params": {
		"request": "mTrvviLX4YgghM5Okeu6OfM0___(removed)___"
	},
	"method": "securePassthrough",
	"terminalUUID": "EE77ED1B-3EEA-xxxxx"
}

Response:

{
	"error_code": -1009
}
1 Like

Using the program Proxyman I can see other stuff

When I request to turn off the device, the Tapo app is encrypting all the things

http://192.168.1.10/app?token=60E3E2E4xxxxxxxxxxxxxxxxxxxx

{
  "params": {
    "request": "OtCEvtNnKt5yA/lhUk/fs4Zt/A6l3JwpTLvyVGDi79OFHCTpaSz8rJsAoAgAa488qgEIyTG08fqMLyZ8enrUmngNFYg8ALDd7NBVSVoMVVUK0t47q55fgiGFIQrpuq5x"
  },
  "method": "securePassthrough",
  "terminalUUID": "EE77ED1B-3EEA-4AE2-8F54-21DC7F74XXXX"
}

Response

{
  "error_code": 0,
  "result": {
    "response": "KFDk3AnnjPNDWLUqdbdhnitVBmq/n+X/BHB+6ceVLfOSduZe71pLsNKjLrCm7GgbhlDDJ2UyAlpLandI2Bb7l04+oXg+KbZgm5VkFxiCOI5vFIfTiqUJjJ2IhPNHvgDnNI++FWjBkeRjloobrBmVo8ht0X3ulmyybvKhz33vAc+ytJfoI18B1ClLLFsqq56CwfVEFNIcpkeGc+yW3oSMct3t4pM6NDD1J7oNvmyFHLwBZTggOZlYILqfb8nrAUsUj8QeOg7BES1PizTsPYNgErk0qqnR9S94UIVHVhM36n6yc3L+gAg+Gz0GrYrNI837lGKoHcvyCRUVXMDq9FHkro50lvbcRL30Uvk/o0kr/4CJfrpJMp4EAsboKHnmVxrpQ7KlW7TjqAjY0TrYq7NgpDakBqTYWTdxkqJl2wNCoaE="
  }
}
2 Likes

Hi Tiago,

I believe someone mentioned earlier that the payload is AES, have you tried decrypting the requests and responses that way and with your public key? May be a dumb suggestion, but it’s all I can think of right now. By the way, do you have an alternative to Proxyman for Windows?

Thanks!

1 Like
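The AES question above can be partly checked without any key. As an added example (not code from any poster or from TP-Link), this script base64-decodes the opaque `request`, `response` and `key` fields of captured messages and reports whether their lengths fit a block cipher or an RSA-1024-sized value. The sample messages are constructed, and reading the handshake `key` reply as RSA-wrapped is a hypothesis to test, not something the thread establishes.

```python
import base64
import hashlib
import json
import math
from collections import Counter

AES_BLOCK = 16        # bytes; AES block size for every key length
RSA_1024_BYTES = 128  # modulus size implied by the "MIGfMA0G..." PEM prefix in the capture

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; bounded by log2(len) for short inputs."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(message: str) -> dict:
    """Describe the opaque field of one captured handshake/securePassthrough message."""
    msg = json.loads(message)
    body = msg.get("params") or msg.get("result") or {}
    field = next((k for k in ("request", "response", "key") if k in body), None)
    if field is None:  # e.g. a bare {"error_code": -1009} reply
        return {"field": None, "error_code": msg.get("error_code")}
    value = body[field]
    if value.startswith("-----BEGIN"):
        return {"field": field, "kind": "pem"}
    raw = base64.b64decode(value, validate=True)
    return {
        "field": field,
        "kind": "base64",
        "length": len(raw),
        "block_aligned": len(raw) % AES_BLOCK == 0,  # necessary for AES-CBC/ECB output
        "rsa_sized": len(raw) == RSA_1024_BYTES,     # what RSA-1024 encryption would emit
        "entropy": round(entropy(raw), 2),
    }

def fake_bytes(n: int) -> bytes:
    """Constructed stand-in for ciphertext: deterministic SHA-256 output, not capture data."""
    out = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n // 32 + 1))
    return out[:n]

def sample(method: str, outer: str, field: str, n: int) -> str:
    """Build a constructed message shaped like the captures in this thread."""
    blob = base64.b64encode(fake_bytes(n)).decode()
    return json.dumps({"method": method, outer: {field: blob}, "error_code": 0})

if __name__ == "__main__":
    print(triage(sample("securePassthrough", "params", "request", 96)))
    print(triage(sample("handshake", "result", "key", 128)))
    print(triage('{"error_code": -1009}'))
```

A block-aligned, high-entropy `request` is consistent with AES but does not prove it, and a `key` reply exactly as long as the RSA modulus would point to a session key wrapped under the public key the app sent.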

Hey,
Not much news this evening but after quite a bit of digging and trying many many combinations of commands from the HS110 API I think I can conclude that the {'error_code': -1} is caused by invalid syntax in the request field of the API call.

Hope this helped (Sorry if you’d already worked this out)

I was not able to figure out how this is working. I don’t have too much knowledge about how to find information about the API, but it would be very cool if someone with better knowledge than me could use tools like apktool and ClassyShark.

I opened one of these last night.
It’s a snap fit, no glue or ultrasonic weld.
The device is using a Realtek Ameba Z2 RTL8720CF.
Single PCB with components both sides. To remove the PCB, the two large solder contacts need to be removed - beware, the PCB has tracks both sides here.
There’s no additional flash/rom on the PCB.
Very simple circuit, very little to see.
The antenna is on the main PCB and towards the bottom of the case.
The relay is an Omron brand.
I’ve attached a photo.


4 Likes

Hi all,

Also tried to go through the method described here, unfortunately no luck still…

1 Like

Hey,
Have you tried unpacking the android app? I have no idea how easy/hard it is but it may help in decoding the communication protocol.

1 Like

So I’ve unpacked the APK, and it doesn’t tell me much… Yet.

The app did download a firmware update, so I’m hoping that the binary is cached on my phone somewhere (haven’t found it yet) and I can look through that.

1 Like

X2 did the same thing, the only thing I found interesting in the app contents was the certificates used for communication. Other than that my coding skills are quite limited to find anything interesting.
Thanks all for the contributions and suggestions!

1 Like

Hi guys! Any update on how to add these plugs? I’m looking everywhere for a solution but nothing yet…

1 Like

Hi all,

So looks like somebody already broke down the entire communication path for the TP Link Kasa App.


I’m going to give this article a read and understand how to possibly create an integration for our outlets.
4 Likes

great find - way beyond my capabilities but this would seem to open up a whole load of options for tplink/tapo stuff - full local control of the cameras for example - motion detection/remote movement/ like in the app rather than just the crippled rtsp support tplink currently offer. :slight_smile:

Urm, Kasa != Tapo.

“urm” Tapo is in fact a TP-Link brand. "TP-Link manufactures smart home devices under their Kasa Smart and Tapo product lines." See: https://en.wikipedia.org/wiki/TP-Link

Whilst they may use different branding they are highly likely to use the same or at least very similar code base.

It’s actually pretty different.
From Wireshark, I’ve seen that they post a public key to the broadcast address of the network where the app sits.
Thanks to Dibr I’ve found out that they have two HTTP endpoints exposed:

When trying to access both, it returns a JSON object with an error code:

 {"error_code":-1009}

I don’t think that the way it communicates has anything to do with the Kasa app, and I’m starting to exhaust all of my research resources :stuck_out_tongue: