DrmnSamoLiu / Tapo_Camera_Firmware

This ReadMe will be updated from time to time with the URL to download the latest firmware for the TP-Link Tapo cameras I have.

About getting firmware #7

Open Vincent550102 opened 11 months ago

Vincent550102 commented 11 months ago

I have been researching Tapo devices similar to the c200 recently and have been struggling to figure out how to obtain the firmware. I came across your article at https://drmnsamoliu.github.io/firmware.html, and I tried to capture the update firmware packets as you described. However, the app always tells me that my firmware is up to date, making it impossible for me to obtain the firmware URL.

I wanted to ask how you initially forced the device to update and subsequently obtain the download URL.

DrmnSamoLiu commented 11 months ago
  1. Is the device fw really up to date? If it is, then you will most likely have to wait for a new version to trigger the update. I did not do anything special, the camera was just not having the latest fw when I bought it.

  2. Are older versions of fw accessible? You can try to find the "check for latest fw" API call in some binaries if you put time into it and do some reverse engineering.

  3. Is it possible to do MITM between the device and update server? You might be able to intercept the "check for latest fw" API, and modify the version number sent by the device to an older one to trigger the update.

  4. If the device has a companion mobile app, the version check may be done by the app and not the device itself.

JayFoxRox commented 8 months ago
  1. Is the device fw really up to date? [...]

That works. See my steps in #9

  2. Are older versions of fw accessible? [...] do some reverse engineering.

No. Probably not.

I have reverse engineered the download_fw call and I have (privately so far) documented 2 APIs (1 legacy using a custom SSL TCP protocol, another one is just standard HTTPS) which can be used to retrieve the download_url. However, the tplink server only ever provides you with the latest URL.

It also needs a fair bit of information about the camera:

They explicitly check if hwId and deviceMac belong to said `deviceId`. Because you uniquely identify yourself here, there's probably a high risk of getting your device banned.

The "Maybe" fields are some that I usually just put dummy values in.

The server then provides you with the data that gets stored to cloud_config.upgrade_info. However, this is always the latest firmware and only for your specific device. It's also not possible to swap deviceId (or similar) between auth and getting the firmware list.

I therefore theorize that we can get the URL for the latest firmware again by spoofing the devFwCurrentVer, but we probably can't get older firmware URLs.

  3. Is it possible to do MITM between the device and update server?

No, they use certificate pinning. I tried mitmproxy but I didn't get anywhere.

  4. If the device has a companion mobile app, the version check may be done by the app and not the device itself.

No, but:
I have a lot more findings on the camera (a tool to dump all ds/ commands, more documentation on the tplink binaries, etc.). I plan to document it some time in the future. I'm mostly interested in operating this camera cloudless and denying internet access for it. If I can move some tasks onto the camera itself, that's a plus.

I'd also like to have shell access and I found about 5-10 different RCE exploits in the C200, C210 and C310 firmwares (which were linked on this repository). However, I have a C220 which has an encrypted firmware and all of the RCEs I have found don't work on my camera.

Because my RCEs work in the decompiled binaries, I suspect that they strengthened security a lot for the C220 (and probably C225?). Hence I'm desperately searching for more recent firmware images (and ideally someone willing to risk their camera / able to reflash using hardware).

DrmnSamoLiu commented 8 months ago

@JayFoxRox

Your work seems promising. I haven't touched anything about tapo cams for a long while now, but I'll visit a store today and see what I can do about these Cx20 series cameras.