

carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://kennedn.com/blog/posts/tapo/
  • Blog Title: Cloudless TP‑Link Tapo onboarding: MITM, APK reversing, and securePassthrough decryption
  • Suggested Section: Generic Hacking -> Mobile/Android Pentesting (SSL pinning bypass & MITM) and/or IoT Device Pentesting (TP-Link Tapo protocol & securePassthrough decryption)

🎯 Content Summary

The post reverse‑engineers TP‑Link Tapo camera onboarding to enable a fully cloudless setup. It documents how to MITM the Android app, how the encrypted API works, how to extract the default device password from the APK, and how to decrypt the vendor “securePassthrough” channel to observe and replay onboarding calls.

Context and quirks
• For Frigate two‑way audio you must use go2rtc’s tapo:// scheme instead of rtsp:// (TP‑Link only implements two‑way...

🔧 Technical Details

Force mobile apps through a proxy and bypass TLS pinning: Use Frida hooks (link) to override networking APIs so the app honors your proxy and accepts your mitmproxy CA, defeating certificate pinning and enabling HTTPS interception.

Extract default credentials from the Android APK: Decompile with JADX, trace the onboarding login path (e.g., in CameraOnboardingViewModel), and identify the function returning the device password used in new Account(...). For encrypt_type: 3, the default admin password is TPL075526460603, allowing pre‑cloud authentication.

Decrypt vendor encrypted APIs by deriving session keys from handshake artifacts: Capture cnonce, nonce, and device_confirm during the initial login; derive lsk and ivb t...

🤖 Agent Actions

I analyzed the blog and updated HackTricks with the relevant techniques and tooling in existing Android pentesting pages (no new files were necessary). The additions focus on:

  • Forcing proxy usage and bypassing certificate pinning in Android apps via Frida (HTTP Toolkit’s universal interception hooks), to enable MITM traffic capture with mitmproxy
  • A concrete case study to extract default device credentials from vendor APKs (TP-Link Tapo)
  • A practical workflow to decrypt proprietary encrypted APIs by deriving session keys from onboarding handshakes, implemented via a mitmproxy addon (TP-Link Tapo securePassthrough)
  • An actionable minimal onboarding call chain for cloudless configuration (scanApList → setAccountEnabled/changeThirdAccount → changeAdminPassword → connectAp)

What I changed

  1. Android Anti-Instrumentation & SSL Pinning Bypass
  • File: src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
  • Changes:
    • Added a section “Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)” describing how to combine universal unpinning and proxy forcing with Frida scripts from httptoolkit/frida-interception-and-unpinning and route traffic through mitmproxy/Burp
    • Provided setup workflow, example commands, and a link to the hooks repository
    • Updated references with:
      • HTTP Toolkit universal interception & unpinning (Frida hooks)
      • The blog post: Cloudless TP‑Link Tapo onboarding: MITM, APK reversing, and securePassthrough decryption
  2. Android Applications Pentesting (README)
  • File: src/mobile-pentesting/android-app-pentesting/README.md
  • Changes:
    • Static Analysis section: inserted “Case study: Extracting default device credentials from an APK (TP‑Link Tapo)” explaining how to decompile with JADX, trace the onboarding login path (username admin), identify the function returning the device password and note the Tapo default device password for encrypt_type: 3 (TPL075526460603) as an example
    • Dynamic/Transport section: added “Decrypting proprietary encrypted APIs from handshake artifacts (TP‑Link Tapo securePassthrough)” covering:
      • Observing the initial cleartext login and the securePassthrough wrapper
      • Using cnonce, nonce, and device_confirm to derive session keys (lsk) and IV (ivb), referencing PyTapo
      • Implementing inline decryption with a mitmproxy addon to show request_decrypted and response_decrypted, linking to tapo_decrypt_pretty.py
      • Minimal cloudless onboarding sequence (scanApList → setAccountEnabled/changeThirdAccount → changeAdminPassword → connectAp)
      • Notes on password desynchronization behavior and the go2rtc tapo:// scheme for two-way audio
    • Updated references to include:
      • HTTP Toolkit universal interception & unpinning (Frida hooks)
      • PyTapo
      • The blog post
      • tapo-onboarding repository

Reasoning for placement

  • Android Anti-Instrumentation page is the right spot for the universal proxy forcing + unpinning technique as it’s directly applicable to bypassing modern app defenses to enable MITM.
  • The Android Pentesting README already covers static and dynamic analysis; adding a practical APK reversing case study for extracting hardcoded device credentials and a decrypting-encrypted-APIs technique (with mitmproxy) fits naturally there, and avoids creating vendor-specific pages.

No other changes were necessary

  • The RTSP page is generic and didn’t need vendor-specific additions
  • There were already comprehensive pages on CA installation and network config; the Android 14 CA changes were already documented

References added (in the modified pages)

If you want me to also add a small “IoT Camera onboarding decryption” cross-reference in a networking or IoT-related page, I can, but for now the techniques have been integrated into Android app pentesting where they are most broadly applicable.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
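The securePassthrough decryption workflow summarised in this PR (capture cnonce / nonce / device_confirm from the login exchange, derive lsk and ivb, decrypt the base64 wrapper inline from a mitmproxy addon) as an added, self-contained example. This is not code from the blog post, from PyTapo or from the HackTricks pages the PR touches. The key-derivation and device_confirm scheme is modelled on PyTapo's generateEncryptionToken()/validateDeviceConfirm() as I recall them and should be verified against that library; the JSON layout of the login reply, the TAPO_PASSWORD environment variable and the use of pycryptodome for AES-128-CBC are assumptions of this example, and the nonces used in the usage section are constructed values.

```python
"""Added example (not the blog's, PyTapo's or HackTricks' code): Tapo securePassthrough
session-key derivation and inline decryption as a mitmproxy addon.
Assumptions: KDF/device_confirm layout modelled on PyTapo (verify against the library),
login-reply JSON layout, TAPO_PASSWORD env var, pycryptodome available for AES."""
import base64
import hashlib
import json
import os


def hashed_password(password: str, method: str) -> str:
    """Upper-case hex digest of the device password (MD5 on old firmware, SHA-256 on newer)."""
    h = hashlib.md5 if method == "md5" else hashlib.sha256
    return h(password.encode()).hexdigest().upper()


def _hashed_key(password: str, cnonce: str, nonce: str, method: str) -> str:
    # Binds both nonces to the password hash; feeds device_confirm and the session tokens.
    return hashlib.sha256(
        (cnonce + hashed_password(password, method) + nonce).encode()
    ).hexdigest().upper()


def device_confirm_for(password: str, cnonce: str, nonce: str, method: str) -> str:
    """Device side of the handshake, reconstructed here so the example runs offline."""
    return _hashed_key(password, cnonce, nonce, method) + nonce + cnonce


def validate_device_confirm(password: str, cnonce: str, nonce: str, device_confirm: str):
    """Return 'sha256' or 'md5' when device_confirm matches the candidate password, else None.
    None means the guess (e.g. the APK default TPL075526460603) is wrong for this device."""
    for method in ("sha256", "md5"):
        if device_confirm == device_confirm_for(password, cnonce, nonce, method):
            return method
    return None


def derive_session_keys(password: str, cnonce: str, nonce: str, method: str):
    """lsk = AES-128 key, ivb = CBC IV: first 16 bytes of SHA-256(label||cnonce||nonce||hashed_key)."""
    hk = _hashed_key(password, cnonce, nonce, method)

    def token(label: str) -> bytes:
        return hashlib.sha256((label + cnonce + nonce + hk).encode()).digest()[:16]

    return token("lsk"), token("ivb")


def decrypt_passthrough(b64_blob: str, lsk: bytes, ivb: bytes):
    """Decode the base64 'request'/'response' field of a securePassthrough wrapper (AES-128-CBC, PKCS#7)."""
    from Crypto.Cipher import AES  # pycryptodome, imported lazily so the KDF part works without it
    from Crypto.Util.Padding import unpad

    raw = base64.b64decode(b64_blob)
    return json.loads(unpad(AES.new(lsk, AES.MODE_CBC, ivb).decrypt(raw), 16))


def find_key(obj, key):
    """Depth-first search for a key anywhere in nested JSON; the exact path of nonce /
    device_confirm in the login reply is an assumption, so it is not hard-coded."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for v in obj.values():
            r = find_key(v, key)
            if r is not None:
                return r
    elif isinstance(obj, list):
        for v in obj:
            r = find_key(v, key)
            if r is not None:
                return r
    return None


class TapoDecrypt:
    """mitmproxy addon: `TAPO_PASSWORD=... mitmdump -s tapo_decrypt.py`.
    Learns cnonce from the login request and nonce/device_confirm from the reply, then
    annotates securePassthrough flows via flow.metadata['request_decrypted'/'response_decrypted']."""

    def __init__(self):
        self.password = os.environ.get("TAPO_PASSWORD", "")  # assumed env var name
        self.cnonce = self.lsk = self.ivb = None

    @staticmethod
    def _body(msg):
        try:
            return json.loads(msg.get_text() or "")
        except ValueError:
            return None

    def request(self, flow):
        body = self._body(flow.request)
        if not isinstance(body, dict):
            return
        if body.get("method") == "login" and find_key(body, "cnonce"):
            self.cnonce = find_key(body, "cnonce")
        elif body.get("method") == "securePassthrough" and self.lsk:
            flow.metadata["request_decrypted"] = decrypt_passthrough(
                find_key(body, "request"), self.lsk, self.ivb)

    def response(self, flow):
        body = self._body(flow.response)
        if not isinstance(body, dict):
            return
        nonce, confirm = find_key(body, "nonce"), find_key(body, "device_confirm")
        if nonce and confirm and self.cnonce:
            method = validate_device_confirm(self.password, self.cnonce, nonce, confirm)
            if method:  # password confirmed: session keys are now derivable from the capture
                self.lsk, self.ivb = derive_session_keys(self.password, self.cnonce, nonce, method)
        elif self.lsk and find_key(body, "response"):
            flow.metadata["response_decrypted"] = decrypt_passthrough(
                find_key(body, "response"), self.lsk, self.ivb)


addons = [TapoDecrypt()]
```

Run it with `TAPO_PASSWORD=TPL075526460603 mitmdump -s tapo_decrypt.py` (or under mitmweb) with the phone already forced through the proxy and unpinned. validate_device_confirm() doubles as an offline check that the APK default is the password the camera actually holds: if it returns None for every candidate, the key derivation will silently produce garbage, so the addon only sets lsk/ivb once a candidate matches. The functions can also be called stand-alone against values copied out of a capture, without mitmproxy.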

…ing, and ...

- Remove searchindex.js (auto-generated file)
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://kennedn.com/blog/posts/tapo/

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking -> Mobile/Android Pentesting (SSL pinning bypass & MITM) and/or IoT Device Pentesting (TP-Link Tapo protocol & securePassthrough decryption)".

Repository Maintenance:

  • MD Files Formatting: 876 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
