I believe some mentioned earlier that the payload is AES, have you tried decrypting the requests and responses that way and with your public key? May be a dumb suggestion, but it's all I can think of right now. By the way, do you have an alternative to Proxyman for Windows?
Hey,
Not much news this evening, but after quite a bit of digging and trying many, many combinations of commands from the HS110 API, I think I can conclude that the {'error_code': -1} is caused by invalid syntax in the request field of the API call.
Hope this helped (Sorry if you’d already worked this out)
I was not able to figure out how this is working. I don't have much knowledge about how to find information about APIs, but it will be very cool if someone with better knowledge than me uses tools like apktool and ClassyShark.
I opened one of these last night.
It's a snap fit, no glue or ultrasonic weld.
The device is using a Realtek Ameba Z2 RTL8720CF.
Single PCB with components both sides. To remove the PCB, the two large solder contacts need to be removed - beware, the PCB has tracks both sides here.
There’s no additional flash/rom on the PCB.
Very simple circuit, very little to see.
The antenna is on the main PCB and towards the bottom of the case.
The relay is an Omron brand.
I’ve attached a photo.
So I've unpacked the APK, and it doesn't tell me much... yet.
The app did download a firmware update, so I’m hoping that the binary is cached on my phone somewhere (haven’t found it yet) and I can look through that.
X2 did the same thing. The only thing I found interesting in the app contents was the certificates used for communication. Other than that, my coding skills are too limited to find anything interesting.
Thanks all for the contributions and suggestions!
Great find. Way beyond my capabilities, but this would seem to open up a whole load of options for TP-Link/Tapo stuff: full local control of the cameras, for example (motion detection, remote movement, etc., like in the app) rather than just the crippled RTSP support TP-Link currently offers.
"Urm", Tapo is in fact a TP-Link brand. "TP-Link manufactures smart home devices under their Kasa Smart and Tapo product lines." See: https://en.wikipedia.org/wiki/TP-Link
Whilst they may use different branding they are highly likely to use the same or at least very similar code base.
It’s actually pretty different.
From Wireshark, I’ve seen that they post a Public Key to the broadcast address of the network where the App sits.
Thanks to Dibr I've found out that they have two HTTP endpoints exposed:
Also just bought one of these because it was cheap and smaller than some of the alternatives. It's on a fairly non-critical item in my home (old TV in the basement). My temporary (possibly permanent) hack is to hook the thing up to Google Assistant, then use Assistant Relay to send a message like "Turn on basement TV Plug" and "Turn off basement TV Plug". This seems to work most of the time, provided you don't try and toggle things too quickly. The issue of course is that I can't see the current state. Ah well, it sort of works. Thought you guys might be interested in it as a temporary hack.