Indeed it is there:
{"method":"do","preset":{"remove_preset":{"id":["CHANGEME"]}}}
But I haven’t tried this, just to create one.
1 Like
Priceless!
Amazing work.
Home Assistant custom component is available here: https://github.com/JurajNyiri/HomeAssistant-Tapo-Control
Please continue discussion about it at community forum Tapo: Cameras Control.
Right now it allows to move ptz to prefixes created through apps and allows for multiple cameras.
It also creates entities having base information in attributes.
A lot of new features coming soon!
8 Likes
I am glad that my research is being put to good use in the home automation area. What are you missing in terms of API? I can look at my original code/research notes and try to fill in the gaps.
2 Likes
This is very interesting, thanks for sharing.
Does the tapo camera use Bluetooth?
I’m looking at the Tapo 100 plug and it’s using Bluetooth as a part of the setup process.
Many thanks.
Hi Dale,
What I have had in my mind, is to find some option through the API, to set up the device’s wifi connection without the Tapo app, to ditch that step as well, if possible.
Secondly, I couldn’t find any way to get the motion detection status from the camera. Or to find what the address the device pushes the status message, and is it possible to change that. I hope, there is some way to get that pushed to HA and not to the TP-Link cloud, or to do polling on the status, as some other integrations do it (ie.: Foscam).
Otherwise, the Mercury cameras API showed that this little camera capable even to do motion tracking as well, what I haven’t seen in the Tapo App as a function, and do some other enhancement stuff too. (I haven’t tried that…)
{"method":"set","target_track":{"target_track_info":{"enabled":"on"}}}
{"method":"set","target_track":{"target_track_info":{"enabled":"off"}}}
If you have some list of the Error codes, that would be helpful as well.
I think, that the API commands what you have found in the app, might be a bit different from the ones from the Mercury cameras, as they use the generic get, set, do methods but not the multipleRequest ones. Maybe it is just a shortcut built in to the API.
If you are planning to continue the research on other cameras, I would strongly advise to look at Wyze (Xiaomi) and Blink cameras as well. They are quite cheap, and many people uses them. There is even a dedicated hack for Wyze/Xiaomi Dafang cameras to replace the firmware.
Thank you very much for your research, it is really appreciated to kickstart this integration.
1 Like
No, it is not using Bluetooth, it is pure Wifi I believe. As the camera creates a wifi hotspot what your phone has to connect to, to be able to set up the wifi connection to the Tp-Link cloud.
Can you try with the plug, that you log in with the stok method and can get the basic information of it?
{"method":"get","device_info":{"name":["basic_info"]}}
{"method":"get","function":{"name":["module_spec"]}}
I forgot to mention the image capture, if you have any reference to that. I just guess that it might have an option, as it is quite standard, but it can be that the app does only a screenshot from the RTSP feed.
Hey @Dpavey !
If you found some time and found out how to do things below it would be really awesome and I think many people would be using these features.
- Subscribtion to events (ie. motion tracking) or maybe just a pull on schedule
- A way to download photos / videos, app can do this so it should be possible through API. Not necessarily for HASS, but I would love to have a script which downloads saved videos from sd card and backs them up to NAS/Cloud.
- Biggest wish of everyone is of course API documentation or a list of functions/parameters but I think that is really hard to get
On another note, I was trying to do research on my own when I bought the camera back in early 2020 but the communication was encrypted and any attempt to decode it failed (it also uses cert binding and I could not remove that). I tried to decompile the app and remove the cert pinning but couldn’t find the relevant part of the code and none of the automated ways worked.
Have you only used Heartbleed to discover the communication or did you find also some other ways that we could replicate to figure out more functions? With the patched devices now I think I am not able to use the method you have described.
@GSzabados I have tested tracking yesterday and it works very nicely. I wonder why its not included in the app, maybe it causes some stability issues or they just keep it out on purpose because of the price?
1 Like
Hi @JurajNyiri
If you have a rooted android device and Burp Suit Pro (or a free open source alternatives), you can bypass cert pinning all together. This can be done using Frida to inject the Burp CA into the mobile application and then proxying the mobile device to Burp Suit Pro running on your network. If you have some issues with this, I can try and make a how-to guide.
I think I saw some API calls to pull down schedules, I will double check this for you.
The heartbleed function was just used to implement the attack and take full control of the device from an attacker point of view. Thankfully we got this patched up!
In terms of the RTSP feed, you can create on via the API function I found to create a local account on the device but I have not found a way for it to ignore the signature checks.
For the setting up of the device or changing the Wi-Fi, this again I will need to check to see how it does this!
2 Likes
@Dpavey Thank you for all the information!
I was trying to do this with Fiddler and Frida following more or less this article for Frida part Technique 3 – Frida Hook: https://blog.netspi.com/four-ways-bypass-android-ssl-verification-certificate-pinning/
I was still unsuccessful and traffic was still encoded. I am not sure what the error message was as it was around half a year ago. I was doing this on Tapo: Cameras app.
I might give it another go and try again with the current app version.
When/If you decide to write a guide please let me know!
1 Like
Does the Tapo C310 work with HA and MotionEye, like the C200? Thanks.
Hi, is it possible this, on Camera Tapo c200? Or any other kind of record or snapshot by home assistant.
- action: call-service
- service: camera.snapshot
- service_data:
- entity_id: camera.camera_hd
- filename: >-
/config/tmp/kitchen_{{ now ().year }}_{{ now ().month
}}_{{now().day }}_{{ now ().hour }}_{{ now ().minute }}.jpg
Yep:
Make sure you have the path ok. (You have tmp in config and it’s accessible?)
- alias: Cam snapshot
trigger: <whatever you want>
action:
- service: camera.snapshot
entity_id: camera.camera_hd
data:
filename: '/config/tmp/kitchen_{{now().year}}_{{now().month}}_{{now().day}}_{{now().hour}}_{{now().minute}}.jpg'
Martin/
Thank, it is now correct. A have other one question yet. Do you have any idea, how can I connect HA to net shared foldet? I would like save camera.record video to net storage. Thanks
This is possible but is dependent on your environment.
You should search for something like “home assistant mount network storage”.
No plans to make a ptz script for zoneminder? 
This is possibly one of the best posts I’ve read… very good work all, much appreciated 
This camera model works in HA via Wi-Fi or it is mandatory to use Ethernet cable?
Thank you.
To be honest, no idea. But as the Tapo Camera Control was built based on the Tapo cameras which have the same controls, I guess it will work both ways, you need only the IP address of the camera.
@JurajNyiri, has anyone used your module with a Mercury camera?
1 Like