Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

TP-Link Deco M9 Plus Mesh Wi-Fi Support Data #2

Open
OJ7 opened this issue Nov 1, 2020 · 7 comments
Open

TP-Link Deco M9 Plus Mesh Wi-Fi Support Data #2

OJ7 opened this issue Nov 1, 2020 · 7 comments

Comments

@OJ7
Copy link

OJ7 commented Nov 1, 2020
edited
Loading

Items clicked:

Network Map button

  • Internet button
  • Clients button
  • SSID name button
    -- each of the three mesh units

Advanced button

  • Status tab
  • System tab
    -- Firmware Upgrade tab
    -- System Log tab
    -- Time Settings tab
    -- Reboot tab
    -- System Parameters tab

10.0.0.100.har.zip
@menahishayan
Copy link
Owner

Okay this seems relatively straightforward. The only two keys to the puzzle are the cookie string and the signed HTTPS request.

There are two things you can try out right now.

  1. Use existing cookie to check if login succeeds
import requests

url = 'http://10.0.0.100/cgi-bin/luci/;stok=/#?form=auth'
data = {'operation': 'read'}
cookies = {
    'sysauth': 'ab80bb5727e1aa2850b259863c6218bb'
}
headers = {
    'Referer': 'http://10.0.0.100/webpages/index.html',
    'Origin': 'http://10.0.0.100',
    'Content-Type': 'application/json'
}
r = requests.post(url, data=data, cookies=cookies, headers=headers)

print(r.text)
print(r.status_code)
print(r.cookies)
print(r.headers)
  1. Execute C80_test1.py.zip (beta) to attempt to receive new sysauth cookie

@OJ7
Copy link
Author

OJ7 commented Jan 19, 2021

Just got a chance to try this out now. FYI I re-ran the network inspector to get new cookies before trying this and used those instead.

Using the first one, I get the following:

Failed to execute call dispatcher target for entry '/#'.
The called action terminated with an exception:
?:0: attempt to index a nil value
stack traceback:
        [C]: in function 'assert'
        ?: in function 'dispatch'
        ?: in function <?:218>
500
<RequestsCookieJar[]>
{'Connection': 'close', 'Transfer-Encoding': 'chunked', 'Content-Type': 'text/plain', 'Cache-Control': 'no-cache', 'Expires': '0'}

If I change the url to http://10.0.0.100/webpages/index.html

<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="apple-touch-fullscreen" content="yes"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="format-detection" content="telephone=no"><link rel="shortcut icon" href="favicon.ico"><link href="themes/default/css/perfect-scrollbar.css" rel="stylesheet"><link href="themes/default/css/total.css" rel="stylesheet"><!--[if lt IE 9]>
    <link type="text/css" href="themes/default/css/total.ie8.css" rel="stylesheet" />
    <![endif]--><title id="title">Opening...</title><noscript><meta http-equiv="refresh" content="0; url=error.html"/></noscript></head><body><div id="main-container"></div><script src="js/libs/jquery.min.js"></script><script src="js/libs/jquery.backgroundSize.js"></script><script src="js/libs/base64.js"></script><script src="js/libs/encrypt.js"></script><script src="js/libs/cryptoJS.min.js"></script><script src="js/libs/tpEncrypt.js"></script><!--[if lt IE 9]><script src="js/libs/respond.min.js"></script><![endif]--><script src="js/app/url.js"></script><script src="js/su/char.js"></script><script src="js/su/language.js"></script><script>try{$.su.language=new $.su.Language}catch(a){location.href="./error.html"}</script><script src="js/su/frame.js"></script><script>$(document).ready(function(n){App=new $.su.App,App.setContainer("main-container"),App.init().done(function(){App.launch()})})</script></body></html>
200
<RequestsCookieJar[]>
{'Connection': 'close', 'ETag': '"eb-698-5f64aada"', 'Last-Modified': 'Fri, 18 Sep 2020 12:40:58 GMT', 'Date': 'Tue, 19 Jan 2021 13:37:24 GMT', 'Content-Type': 'text/html', 'Content-Length': '1688'}

The second script, when ran as-is, got stuck on Retrieving PublicKey....
I wasn't sure how to configure it but when attempting to put in my password at the end of the file, I got:

[VR600] Loading wireless clients...
Retrieving PublicKey...
Pub key fetch failed
Failed to get AuthTokens. Retrying in 3 secs.
Retrieving PublicKey...
Pub key fetch failed

1 similar comment
@OJ7
Copy link
Author

OJ7 commented Jan 19, 2021

Just got a chance to try this out now. FYI I re-ran the network inspector to get new cookies before trying this and used those instead.

Using the first one, I get the following:

Failed to execute call dispatcher target for entry '/#'.
The called action terminated with an exception:
?:0: attempt to index a nil value
stack traceback:
        [C]: in function 'assert'
        ?: in function 'dispatch'
        ?: in function <?:218>
500
<RequestsCookieJar[]>
{'Connection': 'close', 'Transfer-Encoding': 'chunked', 'Content-Type': 'text/plain', 'Cache-Control': 'no-cache', 'Expires': '0'}

If I change the url to http://10.0.0.100/webpages/index.html

<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="apple-touch-fullscreen" content="yes"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="format-detection" content="telephone=no"><link rel="shortcut icon" href="favicon.ico"><link href="themes/default/css/perfect-scrollbar.css" rel="stylesheet"><link href="themes/default/css/total.css" rel="stylesheet"><!--[if lt IE 9]>
    <link type="text/css" href="themes/default/css/total.ie8.css" rel="stylesheet" />
    <![endif]--><title id="title">Opening...</title><noscript><meta http-equiv="refresh" content="0; url=error.html"/></noscript></head><body><div id="main-container"></div><script src="js/libs/jquery.min.js"></script><script src="js/libs/jquery.backgroundSize.js"></script><script src="js/libs/base64.js"></script><script src="js/libs/encrypt.js"></script><script src="js/libs/cryptoJS.min.js"></script><script src="js/libs/tpEncrypt.js"></script><!--[if lt IE 9]><script src="js/libs/respond.min.js"></script><![endif]--><script src="js/app/url.js"></script><script src="js/su/char.js"></script><script src="js/su/language.js"></script><script>try{$.su.language=new $.su.Language}catch(a){location.href="./error.html"}</script><script src="js/su/frame.js"></script><script>$(document).ready(function(n){App=new $.su.App,App.setContainer("main-container"),App.init().done(function(){App.launch()})})</script></body></html>
200
<RequestsCookieJar[]>
{'Connection': 'close', 'ETag': '"eb-698-5f64aada"', 'Last-Modified': 'Fri, 18 Sep 2020 12:40:58 GMT', 'Date': 'Tue, 19 Jan 2021 13:37:24 GMT', 'Content-Type': 'text/html', 'Content-Length': '1688'}

The second script, when ran as-is, got stuck on Retrieving PublicKey....
I wasn't sure how to configure it but when attempting to put in my password at the end of the file, I got:

[VR600] Loading wireless clients...
Retrieving PublicKey...
Pub key fetch failed
Failed to get AuthTokens. Retrying in 3 secs.
Retrieving PublicKey...
Pub key fetch failed

@bvermolen
Copy link

bvermolen commented Jan 20, 2021
edited
Loading

Hello,
I'm looking for the same thing. I got the first part working by only changing the data variable from
data = {'operation': 'read'}
to
data = '{"operation":"read"}'

It looks like that the serialization is not working properly in python (or the router implemented it's own Json serialiser).

The second part also fails for me on the retrieving the PublicKey. The HttpPost in method _get_pub_key in VR600TplinkDeviceScanner returns a 404 error.

========================
I did some more digging. The steps that are written in the CONTRIBUTING.md is missing a part. Once I open the management web-page, there is a request send to get "keys" which will contain 2 passwords that (i think) are used to encrypt the password (see attached keys.har.txt ).

The management web-page for the Deco M9 only asks for a password, no username is required.

@menahishayan
Copy link
Owner

A little late to reply, but if you're still interested, try the script mentioned in Issue 5 and let me know if the script worked

@bvermolen
Copy link

Hi @menahishayan

Sorry for the very late reply, I had forgotten about this project. I have picked this up and run the c6_test.py script from Issue 5).

The requests in that script look to be matching with the requests for the M9, but it still fails on retrieving auth tokens. I think the issue is that the body the "/cgi-bin/luci/;stok=/#?form=login" request is not encrypted. The keys to encrypt the body can be retrieved by a request to "/cgi-bin/luci/;stok=/#?form=keys".

@AlexandrErohin
Copy link

@OJ7 @bvermolen If you are still looking for a client for Deco M9 - I have the client which supports it https://github.com/AlexandrErohin/TP-Link-Archer-C6U

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@OJ7 @menahishayan @bvermolen @AlexandrErohin