No, it is not using Bluetooth, it is pure Wifi I believe. As the camera creates a wifi hotspot what your phone has to connect to, to be able to set up the wifi connection to the Tp-Link cloud.
Can you try with the plug, that you log in with the stok method and can get the basic information of it?
{"method":"get","device_info":{"name":["basic_info"]}}
{"method":"get","function":{"name":["module_spec"]}}
I forgot to mention the image capture, if you have any reference to that. I just guess that it might have an option, as it is quite standard, but it can be that the app does only a screenshot from the RTSP feed.
Hey @Dpavey !
If you found some time and found out how to do things below it would be really awesome and I think many people would be using these features.
On another note, I was trying to do research on my own when I bought the camera back in early 2020 but the communication was encrypted and any attempt to decode it failed (it also uses cert binding and I could not remove that). I tried to decompile the app and remove the cert pinning but couldn’t find the relevant part of the code and none of the automated ways worked.
Have you only used Heartbleed to discover the communication or did you find also some other ways that we could replicate to figure out more functions? With the patched devices now I think I am not able to use the method you have described.
@GSzabados I have tested tracking yesterday and it works very nicely. I wonder why its not included in the app, maybe it causes some stability issues or they just keep it out on purpose because of the price?
Hi @JurajNyiri
If you have a rooted android device and Burp Suit Pro (or a free open source alternatives), you can bypass cert pinning all together. This can be done using Frida to inject the Burp CA into the mobile application and then proxying the mobile device to Burp Suit Pro running on your network. If you have some issues with this, I can try and make a how-to guide.
I think I saw some API calls to pull down schedules, I will double check this for you.
The heartbleed function was just used to implement the attack and take full control of the device from an attacker point of view. Thankfully we got this patched up!
In terms of the RTSP feed, you can create on via the API function I found to create a local account on the device but I have not found a way for it to ignore the signature checks.
For the setting up of the device or changing the Wi-Fi, this again I will need to check to see how it does this!
@Dpavey Thank you for all the information!
I was trying to do this with Fiddler and Frida following more or less this article for Frida part Technique 3 – Frida Hook: https://blog.netspi.com/four-ways-bypass-android-ssl-verification-certificate-pinning/
I was still unsuccessful and traffic was still encoded. I am not sure what the error message was as it was around half a year ago. I was doing this on Tapo: Cameras app.
I might give it another go and try again with the current app version.
When/If you decide to write a guide please let me know!
Does the Tapo C310 work with HA and MotionEye, like the C200? Thanks.
Hi, is it possible this, on Camera Tapo c200? Or any other kind of record or snapshot by home assistant.
- action: call-service
- service: camera.snapshot
- service_data:
- entity_id: camera.camera_hd
- filename: >-
/config/tmp/kitchen_{{ now ().year }}_{{ now ().month
}}_{{now().day }}_{{ now ().hour }}_{{ now ().minute }}.jpg
Yep:
Make sure you have the path ok. (You have tmp in config and it’s accessible?)
- alias: Cam snapshot
trigger: <whatever you want>
action:
- service: camera.snapshot
entity_id: camera.camera_hd
data:
filename: '/config/tmp/kitchen_{{now().year}}_{{now().month}}_{{now().day}}_{{now().hour}}_{{now().minute}}.jpg'
Martin/
Thank, it is now correct. A have other one question yet. Do you have any idea, how can I connect HA to net shared foldet? I would like save camera.record video to net storage. Thanks
This is possible but is dependent on your environment.
You should search for something like “home assistant mount network storage”.
No plans to make a ptz script for zoneminder? 
This is possibly one of the best posts I’ve read… very good work all, much appreciated 
This camera model works in HA via Wi-Fi or it is mandatory to use Ethernet cable?
Thank you.
To be honest, no idea. But as the Tapo Camera Control was built based on the Tapo cameras which have the same controls, I guess it will work both ways, you need only the IP address of the camera.
@JurajNyiri, has anyone used your module with a Mercury camera?
I have no idea, nobody reported that yet.
So PTZ works with HA with this this integration? Tapo c200 ?
Yes, it does works.
translation for the italian gui:
sinistra -> left
destra -> right
su -> up
giu -> down
salva pos1/2 -> save position 1/2
vai pos1/2 -> go position 1/2
Thanks for quick reply! Just got home from buying one
Is it possible to share yout ptz config ? 
I added the camera in “Integrations”. It’s pretty straightforward.
This is the code for the card:
type: vertical-stack
cards:
- aspect_ratio: 50%
entity: camera.tapo_camera_f11f_hd
type: picture-entity
camera_view: live
- type: horizontal-stack
cards:
- type: button
tap_action:
action: call-service
service: tapo_control.ptz
service_data:
entity_id: camera.tapo_camera_f11f_hd
pan: LEFT
distance: 0.1
entity: camera.tapo_camera_f11f_hd
name: sinistra
show_state: false
show_icon: true
icon_height: 32px
- type: button
tap_action:
action: call-service
service: tapo_control.ptz
service_data:
entity_id: camera.tapo_camera_f11f_hd
pan: RIGHT
distance: 0.1
entity: camera.tapo_camera_f11f_hd
name: destra
show_state: false
show_icon: true
icon_height: 32px
- type: button
tap_action:
action: call-service
service: tapo_control.ptz
service_data:
entity_id: camera.tapo_camera_f11f_hd
tilt: UP
distance: 0.1
entity: camera.tapo_camera_f11f_hd
name: sù
show_state: false
show_icon: true
icon_height: 32px
- type: button
tap_action:
action: call-service
service: tapo_control.ptz
service_data:
entity_id: camera.tapo_camera_f11f_hd
tilt: DOWN
distance: 0.1
entity: camera.tapo_camera_f11f_hd
name: giù
show_state: false
show_icon: true
icon_height: 32px
- type: horizontal-stack
cards:
- type: button
tap_action:
action: call-service
service: tapo_control.save_preset
service_data:
entity_id: camera.tapo_camera_f11f_hd
name: pos1
entity: camera.tapo_camera_f11f_hd
name: salva pos1
show_state: false
show_icon: true
icon_height: 32px
- type: button
tap_action:
action: call-service
service: tapo_control.ptz
service_data:
entity_id: camera.tapo_camera_f11f_hd
preset: pos1
entity: camera.tapo_camera_f11f_hd
name: vai pos1
show_state: false
show_icon: true
icon_height: 32px
- type: button
tap_action:
action: call-service
service: tapo_control.save_preset
service_data:
entity_id: camera.tapo_camera_f11f_hd
name: pos2
entity: camera.tapo_camera_f11f_hd
name: salva pos2
show_state: false
show_icon: true
icon_height: 32px
- type: button
tap_action:
action: call-service
service: tapo_control.ptz
service_data:
entity_id: camera.tapo_camera_f11f_hd
preset: pos2
entity: camera.tapo_camera_f11f_hd
name: vai pos2
show_state: false
show_icon: true
icon_height: 32px
big note: there’s a considerable delay (around 8 seconds) between the “movement command” and the video on the camera. The PTZ command is executed immediatly, but the video is delayed. I still haven’t looked into it.
You can disable stream in options of integration for near instant video at the cost of hw resources. That’s just how home assistant works.