TP-Link Tapo P100

So I am using Charles web proxy on iOS and I can get this from the Tapo app

Request to 192.168.1.10

{
	"params": {
		"key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GN____(removed)____\n-----END PUBLIC KEY-----\n"
	},
	"method": "handshake",
	"terminalUUID": "EE77ED1B-xxxx-4AE2-8F54-21DC7F74xxxx"
}

Response

{
	"error_code": 0,
	"result": {
		"key": "gXlObI8mQQjYe6E___(removed)__"
	}
}

Request to 192.168.1.10

{
	"params": {
		"request": "mTrvviLX4YgghM5Okeu6OfM0___(removed)___"
	},
	"method": "securePassthrough",
	"terminalUUID": "EE77ED1B-3EEA-xxxxx"
}

Response:

{
	"error_code": -1009
}

Using the program Proxyman i can see other stuff

When I request to turn off device the tapo is encrypting all the things

http://192.168.1.10/app?token=60E3E2E4xxxxxxxxxxxxxxxxxxxx

{
  "params": {
    "request": "OtCEvtNnKt5yA/lhUk/fs4Zt/A6l3JwpTLvyVGDi79OFHCTpaSz8rJsAoAgAa488qgEIyTG08fqMLyZ8enrUmngNFYg8ALDd7NBVSVoMVVUK0t47q55fgiGFIQrpuq5x"
  },
  "method": "securePassthrough",
  "terminalUUID": "EE77ED1B-3EEA-4AE2-8F54-21DC7F74XXXX"
}

Response

{
  "error_code": 0,
  "result": {
    "response": "KFDk3AnnjPNDWLUqdbdhnitVBmq/n+X/BHB+6ceVLfOSduZe71pLsNKjLrCm7GgbhlDDJ2UyAlpLandI2Bb7l04+oXg+KbZgm5VkFxiCOI5vFIfTiqUJjJ2IhPNHvgDnNI++FWjBkeRjloobrBmVo8ht0X3ulmyybvKhz33vAc+ytJfoI18B1ClLLFsqq56CwfVEFNIcpkeGc+yW3oSMct3t4pM6NDD1J7oNvmyFHLwBZTggOZlYILqfb8nrAUsUj8QeOg7BES1PizTsPYNgErk0qqnR9S94UIVHVhM36n6yc3L+gAg+Gz0GrYrNI837lGKoHcvyCRUVXMDq9FHkro50lvbcRL30Uvk/o0kr/4CJfrpJMp4EAsboKHnmVxrpQ7KlW7TjqAjY0TrYq7NgpDakBqTYWTdxkqJl2wNCoaE="
  }
}
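Added example (not code from the thread): a stdlib-only script that re-reads the bodies captured in the two posts above and pulls out what can be checked without any key material. The two securePassthrough payloads are copied verbatim; the redacted handshake values are replaced with labelled placeholders, so the RSA-block check on the device's reply only exercises the code path and says nothing about the real capture. The error-code notes are the thread's own observations, not an official table.

```python
"""Offline sanity checks on the Tapo P100 bodies captured above.

Added example; not code from the thread. It extracts, per message, the
method and error_code, what the un-redacted prefix of the client's PEM key
says about that key, and whether the opaque base64 fields decode to whole
16-byte blocks (what a padded block cipher such as AES-CBC would produce).
"""
import base64

# Error codes seen in the thread; the notes are the thread's observations,
# not an official TP-Link error table.
ERROR_CODES = {
    0: "ok",
    -1: "malformed 'request' field (the HS110-API experiments in the thread)",
    -1009: "rejected (seen when hitting the endpoints directly and for the first passthrough attempt)",
}

# First 28 base64 characters of the client key, visible before "(removed)".
PEM_PREFIX_B64 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GN"
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
# Total DER size of an RSA SubjectPublicKeyInfo by modulus size (e = 65537).
SPKI_SIZE_TO_BITS = {162: 1024, 294: 2048, 422: 3072, 550: 4096}

# Placeholder for the device's redacted handshake reply: 128 zero bytes, the
# size an RSA-1024 ciphertext would have (an assumption, not a captured value).
PLACEHOLDER_DEVICE_KEY = base64.b64encode(bytes(128)).decode()

CAPTURES = {
    "handshake_req": {
        "params": {"key": "-----BEGIN PUBLIC KEY-----\n" + PEM_PREFIX_B64
                          + "____(removed)____\n-----END PUBLIC KEY-----\n"},
        "method": "handshake",
        "terminalUUID": "EE77ED1B-xxxx-4AE2-8F54-21DC7F74xxxx",
    },
    "handshake_resp": {"error_code": 0, "result": {"key": PLACEHOLDER_DEVICE_KEY}},
    "passthrough_req": {  # verbatim from the Proxyman capture
        "params": {"request": "OtCEvtNnKt5yA/lhUk/fs4Zt/A6l3JwpTLvyVGDi79OFHCTpaSz8rJsAoAgAa488qgEIyTG08fqMLyZ8enrUmngNFYg8ALDd7NBVSVoMVVUK0t47q55fgiGFIQrpuq5x"},
        "method": "securePassthrough",
        "terminalUUID": "EE77ED1B-3EEA-4AE2-8F54-21DC7F74XXXX",
    },
    "passthrough_resp": {  # verbatim from the Proxyman capture
        "error_code": 0,
        "result": {"response": "KFDk3AnnjPNDWLUqdbdhnitVBmq/n+X/BHB+6ceVLfOSduZe71pLsNKjLrCm7GgbhlDDJ2UyAlpLandI2Bb7l04+oXg+KbZgm5VkFxiCOI5vFIfTiqUJjJ2IhPNHvgDnNI++FWjBkeRjloobrBmVo8ht0X3ulmyybvKhz33vAc+ytJfoI18B1ClLLFsqq56CwfVEFNIcpkeGc+yW3oSMct3t4pM6NDD1J7oNvmyFHLwBZTggOZlYILqfb8nrAUsUj8QeOg7BES1PizTsPYNgErk0qqnR9S94UIVHVhM36n6yc3L+gAg+Gz0GrYrNI837lGKoHcvyCRUVXMDq9FHkro50lvbcRL30Uvk/o0kr/4CJfrpJMp4EAsboKHnmVxrpQ7KlW7TjqAjY0TrYq7NgpDakBqTYWTdxkqJl2wNCoaE="},
    },
    "passthrough_err": {"error_code": -1009},
}


def _der_length(buf, i):
    """Parse a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def spki_prefix_info(prefix_b64):
    """What the visible start of a PEM public key reveals about the key."""
    der = base64.b64decode(prefix_b64[: len(prefix_b64) // 4 * 4])
    if not der or der[0] != 0x30:                      # outer SEQUENCE expected
        return {"is_spki": False}
    body_len, hdr_end = _der_length(der, 1)
    total = hdr_end + body_len                          # whole SubjectPublicKeyInfo
    return {"is_spki": True, "spki_bytes": total,
            "is_rsa": RSA_ENCRYPTION_OID in der,
            "modulus_bits": SPKI_SIZE_TO_BITS.get(total)}


def inspect(msg):
    """Describe one captured body: method, error, and each opaque field."""
    code = msg.get("error_code")
    info = {"method": msg.get("method"), "error_code": code,
            "error_text": ERROR_CODES.get(code), "fields": {}}
    for name, value in {**msg.get("params", {}), **msg.get("result", {})}.items():
        if not isinstance(value, str):
            continue
        if value.startswith("-----BEGIN PUBLIC KEY-----"):
            visible = value.splitlines()[1].split("_")[0]   # drop the redaction marker
            info["fields"][name] = {"kind": "pem", **spki_prefix_info(visible)}
        else:
            raw = base64.b64decode(value)
            info["fields"][name] = {"kind": "opaque", "bytes": len(raw),
                                    "block_aligned": len(raw) % 16 == 0}
    return info


def wrapped_key_fits(handshake_req, handshake_resp):
    """True if the device's 'key' blob is exactly one RSA block for the
    client's modulus, i.e. consistent with an RSA-encrypted session key."""
    bits = inspect(handshake_req)["fields"]["key"]["modulus_bits"]
    blob = inspect(handshake_resp)["fields"]["key"]["bytes"]
    return bits is not None and blob == bits // 8


if __name__ == "__main__":
    for label, body in CAPTURES.items():
        print(label, inspect(body))
    print("device key is one RSA block (placeholder):",
          wrapped_key_fits(CAPTURES["handshake_req"], CAPTURES["handshake_resp"]))
```

The two verbatim ciphertexts decode to 96 and 320 bytes, both multiples of 16, which fits a padded 16-byte block cipher such as AES-CBC and does not fit a single RSA-1024 block (always 128 bytes). The 28 visible characters of the client key decode to the DER prefix 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d: a 162-byte SubjectPublicKeyInfo carrying the rsaEncryption OID, which is the size of a 1024-bit RSA key, so the redaction hides the modulus but not the key type or size.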

Hi Tiago,

I believe someone mentioned earlier that the payload is AES. Have you tried decrypting the requests and responses that way, with your public key? It may be a dumb suggestion, but it’s all I can think of right now. By the way, do you have an alternative to Proxyman for Windows?

Thanks!

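Added example (not code from the thread or from TP-Link): the handshake and securePassthrough exchange modelled end to end, with the app side and a stand-in for the plug both running in-process. It fills in the AES suggestion above with assumptions the thread does not establish (they match how later open-source Tapo clients such as PyP100 talk to these plugs): the plug draws a 16-byte AES key and a 16-byte IV, RSA-encrypts key||IV with PKCS#1 v1.5 under the public key from the handshake, and returns it base64-encoded; every passthrough request and response is then a JSON command, AES-128-CBC with PKCS#7 padding under that key and IV, base64-encoded. The inner command names set_device_on and get_device_on are made up for the demo, and the stand-in's error codes only mirror the ones seen in the thread. Requires the cryptography package.

```python
"""Handshake / securePassthrough exchange, both sides in-process.

Added example; the wrapping scheme (RSA PKCS#1 v1.5 over key||IV, then
AES-128-CBC + PKCS#7 for every passthrough body) is an assumption, not
something the thread establishes. Inner command names are made up.
"""
import base64
import json
import os

from cryptography.hazmat.primitives import padding, serialization
from cryptography.hazmat.primitives.asymmetric import padding as rsa_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def _seal(key, iv, obj):
    """JSON -> PKCS#7 pad -> AES-128-CBC -> base64 (assumed passthrough format)."""
    padder = padding.PKCS7(128).padder()
    data = padder.update(json.dumps(obj).encode()) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return base64.b64encode(enc.update(data) + enc.finalize()).decode()


def _open(key, iv, b64):
    """Inverse of _seal; raises ValueError on bad padding or non-JSON."""
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(base64.b64decode(b64)) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return json.loads(unpadder.update(padded) + unpadder.finalize())


class TapoClient:
    """The app side: owns an RSA-1024 key pair, learns key/IV from the handshake."""

    def __init__(self):
        self.private_key = rsa.generate_private_key(public_exponent=65537, key_size=1024)
        self.key = self.iv = None

    def handshake_request(self):
        pem = self.private_key.public_key().public_bytes(
            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
        return {"method": "handshake", "params": {"key": pem.decode()}}

    def finish_handshake(self, response):
        blob = self.private_key.decrypt(
            base64.b64decode(response["result"]["key"]), rsa_padding.PKCS1v15())
        self.key, self.iv = blob[:16], blob[16:32]

    def passthrough(self, inner):
        return {"method": "securePassthrough",
                "params": {"request": _seal(self.key, self.iv, inner)}}

    def unwrap(self, response):
        return _open(self.key, self.iv, response["result"]["response"])


class FakePlug:
    """Stand-in for the P100. -1009 for no session / undecryptable body and
    -1 for an unknown method mirror the codes seen in the thread; that
    mapping is modelled here, not confirmed device behaviour."""

    def __init__(self):
        self.key = self.iv = None
        self.on = True

    def handle(self, request):
        method = request.get("method")
        if method == "handshake":
            pub = serialization.load_pem_public_key(request["params"]["key"].encode())
            self.key, self.iv = os.urandom(16), os.urandom(16)
            wrapped = pub.encrypt(self.key + self.iv, rsa_padding.PKCS1v15())
            return {"error_code": 0, "result": {"key": base64.b64encode(wrapped).decode()}}
        if method == "securePassthrough":
            if self.key is None:
                return {"error_code": -1009}
            try:
                inner = _open(self.key, self.iv, request["params"]["request"])
            except (ValueError, KeyError):
                return {"error_code": -1009}
            reply = _seal(self.key, self.iv, self._command(inner))
            return {"error_code": 0, "result": {"response": reply}}
        return {"error_code": -1}

    def _command(self, inner):
        if inner.get("method") == "set_device_on":        # hypothetical command
            self.on = bool(inner["params"]["on"])
            return {"error_code": 0}
        if inner.get("method") == "get_device_on":        # hypothetical command
            return {"error_code": 0, "result": {"on": self.on}}
        return {"error_code": -1}


def run_session():
    """Drive one full session and report what a capture of it would show."""
    app, plug = TapoClient(), FakePlug()
    early = plug.handle({"method": "securePassthrough", "params": {"request": "AAAA"}})
    hs = plug.handle(app.handshake_request())
    app.finish_handshake(hs)
    req = app.passthrough({"method": "set_device_on", "params": {"on": False}})
    set_reply = app.unwrap(plug.handle(req))
    state = app.unwrap(plug.handle(app.passthrough({"method": "get_device_on", "params": {}})))
    return {
        "before_handshake": early["error_code"],
        "wrapped_key_bytes": len(base64.b64decode(hs["result"]["key"])),
        "request_bytes": len(base64.b64decode(req["params"]["request"])),
        "set_reply": set_reply,
        "device_on": state["result"]["on"],
    }
```

Under this model the 52-byte JSON command pads to 64 ciphertext bytes, and the 96-byte request in the capture above would correspond to a plaintext of 81 to 96 bytes, about the size of a short JSON command. Note that the same IV is reused for every message of a session, so two commands with identical leading blocks produce identical leading ciphertext blocks; that is a general property of CBC with a repeated IV and is worth remembering when comparing captured requests.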

Hey,
Not much news this evening, but after quite a bit of digging and trying many, many combinations of commands from the HS110 API, I think I can conclude that the {'error_code': -1} is caused by invalid syntax in the request field of the API call.

Hope this helped (sorry if you’d already worked this out).

I was not able to figure out how this works. I don’t have much knowledge about how to find information about an API, but it would be very cool if someone with better knowledge than me used tools like apktool and ClassyShark.

I opened one of these last night.
It’s a snap fit, no glue or ultrasonic weld.
The device is using a Realtek Ameba Z2 RTL8720CF
Single PCB with components both sides. To remove the PCB, the two large solder contacts need to be removed - beware, the PCB has tracks both sides here.
There’s no additional flash/rom on the PCB.
Very simple circuit, very little to see.
The antenna is on the main PCB and towards the bottom of the case.
The relay is an Omron brand.
I’ve attached a photo.


Hi all,

Also tried going through the method described here; unfortunately, still no luck…


Hey,
Have you tried unpacking the android app? I have no idea how easy/hard it is but it may help in decoding the communication protocol.


So I’ve unpacked the APK, and it doesn’t tell me much… Yet.

The app did download a firmware update, so I’m hoping that the binary is cached on my phone somewhere (haven’t found it yet) and I can look through that.


X2 did the same thing, the only thing I found interesting in the app contents was the certificates used for communication. Other than that my coding skills are quite limited to find anything interesting.
Thanks all for the contributions and suggestions!


Hi guys! Any update on how to add these plugs? I’m looking everywhere for a solution but nothing yet…


Hi all,

So it looks like somebody has already broken down the entire communication path for the TP-Link Kasa app.


I’m going to give this article a read and understand how to possibly create an integration for our outlets.

Great find. Way beyond my capabilities, but this would seem to open up a whole load of options for TP-Link/Tapo stuff: full local control of the cameras, for example (motion detection, remote movement, like in the app), rather than just the crippled RTSP support TP-Link currently offers. :slight_smile:

Urm, Kasa != Tapo.

“Urm”, Tapo is in fact a TP-Link brand. “TP-Link manufactures smart home devices under their Kasa Smart and Tapo product lines.” See: https://en.wikipedia.org/wiki/TP-Link

Whilst they may use different branding, they are highly likely to use the same, or at least a very similar, code base.

It’s actually pretty different.
From Wireshark, I’ve seen that they post a public key to the broadcast address of the network where the app sits.
Thanks to Dibr, I’ve found out that they have two HTTP endpoints exposed:

When trying to access both, it returns a JSON object with an error code:

 {"error_code":-1009}

I don’t think that the way it communicates has anything to do with the Kasa app, and I’m starting to exhaust all of my research resources :stuck_out_tongue:

Interesting, where are you running DIBR, on your router?
Wireshark live or pcap playback?

Stuart

Actually was running DIBR from a Kali VM.
Wireshark findings were live.
Any more suggestions on new approaches?

Hi guys,

Also just bought one of these because it was cheap and smaller than some of the alternatives. It’s on a fairly non-critical item in my home (an old TV in the basement). My temporary (possibly permanent) hack is to hook the thing up to Google Assistant, then use Assistant Relay to send a message like “Turn on basement TV Plug” and “Turn off basement TV Plug”. This seems to work most of the time, provided you don’t try to toggle things too quickly. The issue, of course, is that I can’t see the current state. :frowning: Ah well, it sort of works. Thought you guys might be interested in it as a temporary hack.

Wireshark can interpret Bluetooth captures, so my next avenue is to pair a new device, logging the Bluetooth packets for analysis using wireshark.

Stuart