menahishayan / TP-Link-Archer-C50-API

HTTP based python script for API access and router management of the TP-Link Archer C50
GNU General Public License v3.0

TP-Link Deco M9 Plus Mesh Wi-Fi Support Data #2

Open OJ7 opened 3 years ago

OJ7 commented 3 years ago

Items clicked:

Network Map button

Advanced button

10.0.0.100.har.zip

menahishayan commented 3 years ago

Okay this seems relatively straightforward. The only two keys to the puzzle are the cookie string and the signed HTTPS request.

There are two things you can try out right now.

  1. Use existing cookie to check if login succeeds

```python
import requests

url = 'http://10.0.0.100/cgi-bin/luci/;stok=/login?form=auth'
data = {'operation': 'read'}
cookies = {
    'sysauth': 'ab80bb5727e1aa2850b259863c6218bb'
}
headers = {
    'Referer': 'http://10.0.0.100/webpages/index.html',
    'Origin': 'http://10.0.0.100',
    'Content-Type': 'application/json'
}
r = requests.post(url, data=data, cookies=cookies, headers=headers)

print(r.text)
print(r.status_code)
print(r.cookies)
print(r.headers)
```

  2. Execute C80_test1.py.zip (beta) to attempt to receive new sysauth cookie

OJ7 commented 3 years ago

Just got a chance to try this out now. FYI I re-ran the network inspector to get new cookies before trying this and used those instead.

Using the first one, I get the following:

Failed to execute call dispatcher target for entry '/login'.
The called action terminated with an exception:
?:0: attempt to index a nil value
stack traceback:
        [C]: in function 'assert'
        ?: in function 'dispatch'
        ?: in function <?:218>
500
<RequestsCookieJar[]>
{'Connection': 'close', 'Transfer-Encoding': 'chunked', 'Content-Type': 'text/plain', 'Cache-Control': 'no-cache', 'Expires': '0'}

If I change the url to http://10.0.0.100/webpages/index.html

<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="apple-touch-fullscreen" content="yes"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="format-detection" content="telephone=no"><link rel="shortcut icon" href="favicon.ico"><link href="themes/default/css/perfect-scrollbar.css" rel="stylesheet"><link href="themes/default/css/total.css" rel="stylesheet"><!--[if lt IE 9]>
    <link type="text/css" href="themes/default/css/total.ie8.css" rel="stylesheet" />
    <![endif]--><title id="title">Opening...</title><noscript><meta http-equiv="refresh" content="0; url=error.html"/></noscript></head><body><div id="main-container"></div><script src="js/libs/jquery.min.js"></script><script src="js/libs/jquery.backgroundSize.js"></script><script src="js/libs/base64.js"></script><script src="js/libs/encrypt.js"></script><script src="js/libs/cryptoJS.min.js"></script><script src="js/libs/tpEncrypt.js"></script><!--[if lt IE 9]><script src="js/libs/respond.min.js"></script><![endif]--><script src="js/app/url.js"></script><script src="js/su/char.js"></script><script src="js/su/language.js"></script><script>try{$.su.language=new $.su.Language}catch(a){location.href="./error.html"}</script><script src="js/su/frame.js"></script><script>$(document).ready(function(n){App=new $.su.App,App.setContainer("main-container"),App.init().done(function(){App.launch()})})</script></body></html>
200
<RequestsCookieJar[]>
{'Connection': 'close', 'ETag': '"eb-698-5f64aada"', 'Last-Modified': 'Fri, 18 Sep 2020 12:40:58 GMT', 'Date': 'Tue, 19 Jan 2021 13:37:24 GMT', 'Content-Type': 'text/html', 'Content-Length': '1688'}

The second script, when run as-is, got stuck on Retrieving PublicKey.... I wasn't sure how to configure it but when attempting to put in my password at the end of the file, I got:

[VR600] Loading wireless clients...
Retrieving PublicKey...
Pub key fetch failed
Failed to get AuthTokens. Retrying in 3 secs.
Retrieving PublicKey...
Pub key fetch failed
bvermolen commented 3 years ago

Hello, I'm looking for the same thing. I got the first part working by only changing the data variable from data = {'operation': 'read'} to data = '{"operation":"read"}'

It looks like the serialization is not working properly in Python (or the router implemented its own JSON serialiser).

The second part also fails for me on retrieving the PublicKey. The HttpPost in method _get_pub_key in VR600TplinkDeviceScanner returns a 404 error.

========================

I did some more digging. The steps that are written in the CONTRIBUTING.md are missing a part. Once I open the management web-page, there is a request sent to get "keys", which will contain 2 passwords that (I think) are used to encrypt the password (see attached keys.har.txt).

The management web-page for the Deco M9 only asks for a password, no username is required.
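
Why swapping the dict for a pre-serialized string changes the outcome, as an added example that is not part of the original thread or the project's code: it builds the request with `requests` without sending it and compares the bodies that would go on the wire. The helper names and the placeholder cookie value are assumptions made for illustration.

```python
import json
import requests

# Constructed values: the address is the one used in the thread; the cookie
# is a placeholder, not a real session token.
URL = "http://10.0.0.100/cgi-bin/luci/;stok=/login?form=auth"
COOKIES = {"sysauth": "PLACEHOLDER"}
PAYLOAD = {"operation": "read"}
JSON_HEADER = {"Content-Type": "application/json"}


def prepared_body(headers=None, **body_kwargs):
    """Prepare (but never send) the POST; return (Content-Type, body text)."""
    req = requests.Request("POST", URL, cookies=COOKIES,
                           headers=headers, **body_kwargs)
    prep = req.prepare()
    body = prep.body
    if isinstance(body, bytes):
        body = body.decode("utf-8")
    return prep.headers.get("Content-Type"), body


def parses_as_json(text):
    """True if a JSON parser on the receiving side could decode the body."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


# 1. Original snippet: a dict passed as data= is form-encoded, while the
#    explicit header still claims JSON, so header and body disagree.
form_variant = prepared_body(headers=JSON_HEADER, data=PAYLOAD)

# 2. The change reported to work: the body is already a JSON string and is
#    sent unchanged.
string_variant = prepared_body(headers=JSON_HEADER, data='{"operation":"read"}')

# 3. Same effect with json=, which serializes the dict and sets the header.
json_variant = prepared_body(json=PAYLOAD)

if __name__ == "__main__":
    for name, (ctype, body) in [("data=dict", form_variant),
                                ("data=str", string_variant),
                                ("json=dict", json_variant)]:
        print(f"{name:10} {ctype:18} {body!r:26} json={parses_as_json(body)}")
```

The first variant sends `operation=read` under a JSON content type, which is consistent with the 500 response quoted earlier in the thread, although the router's own parsing code is not shown on this page.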

menahishayan commented 3 years ago

A little late to reply, but if you're still interested, try the script mentioned in Issue 5 and let me know if the script worked

bvermolen commented 1 year ago

Hi @menahishayan

Sorry for the very late reply, I had forgotten about this project. I have picked this up and run the c6_test.py script from Issue 5.

The requests in that script look to be matching with the requests for the M9, but it still fails on retrieving auth tokens. I think the issue is that the body of the "/cgi-bin/luci/;stok=/login?form=login" request is not encrypted. The keys to encrypt the body can be retrieved by a request to "/cgi-bin/luci/;stok=/login?form=keys".