1 change: 0 additions & 1 deletion searchindex.js

This file was deleted.

59 changes: 59 additions & 0 deletions src/mobile-pentesting/android-app-pentesting/README.md
Expand Up @@ -78,6 +78,20 @@ Just taking a look to the **strings** of the APK you can search for **passwords*

Pay special attention to **firebase URLs** and check if it is bad configured. [More information about whats is FIrebase and how to exploit it here.](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md)

#### Case study: Extracting default device credentials from an APK (TP‑Link Tapo)

Some IoT onboarding flows authenticate to the device before any cloud password is known. That implies a default device credential somewhere in the client. You can often extract it directly from the vendor app:

- Decompile the APK with Jadx, and search for the initial login path referencing `username: "admin"` (e.g., within classes like a `CameraOnboardingViewModel`).
- Trace the value passed into new account/auth objects (e.g., `new Account(...)`). In obfuscated builds, look for small helper methods returning a `String` used as the password (names like `m98131y2` etc.).
- For TP‑Link Tapo, when `encrypt_type: 3` is used during the pre‑cloud login, the APK reveals the default device password:

```
TPL075526460603
```

This allows pre‑cloud local authentication as `admin` to configure the device, enable RTSP/ONVIF, or change settings. Be aware that specific values may change across app/device versions.

### Basic understanding of the application - Manifest.xml, strings.xml

The **examination of an application's _Manifest.xml_ and **_strings.xml_** files can reveal potential security vulnerabilities**. These files can be accessed using decompilers or by renaming the APK file extension to .zip and then unzipping it.
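Review bot: the case study says the APK "reveals the default device password" when `encrypt_type: 3` is used, but it never shows where that value enters the pre-cloud login, so the extraction cannot be reproduced from the steps as written (the `securePassthrough` section further down shows the login request carrying only `cnonce`, `encrypt_type` and `username`). Name the call site that consumes the helper's return value, for example which argument of `new Account(...)` it lands in, or state in one line how the password is combined with the nonces. Smaller points: the fence around `TPL075526460603` has no language tag, `encrypt_type: 3` is unquoted here but written as the string `"3"` in the later JSON, and the source write-up (kennedn.com) is cited only in the references list at the bottom, so link it from this section as well.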
Expand Down Expand Up @@ -522,6 +536,47 @@ When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS

It's important to also search for common web vulnerabilities within the application. Detailed information on identifying and mitigating these vulnerabilities is beyond the scope of this summary but is extensively covered elsewhere.

### Decrypting proprietary encrypted APIs from handshake artifacts (TP‑Link Tapo securePassthrough)

Many vendor apps encapsulate local device APIs inside an opaque encrypted channel to resist traffic analysis. You can often still decrypt these by deriving the session keys from the initial login handshake captured via MITM.

Pattern
- Clear pre‑password‑change login, e.g.:

```json
{
"method": "login",
"params": { "cnonce": "AD0E189F6E1BA335", "encrypt_type": "3", "username": "admin" }
}
```

- All subsequent calls are wrapped with a passthrough, carrying base64 ciphertext:

```json
{
"method": "securePassthrough",
"params": { "request": "...base64..." }
}
```

Key derivation & inline decryption
- Capture the handshake triplet: `cnonce` (client nonce), server `nonce`, and `device_confirm`.
- Derive the session key(s) and IV (commonly referred to as `lsk` and `ivb` in community tools) from these values, then decrypt/encrypt the passthrough payloads.
- Use PyTapo as a reference implementation for the auth flow and key derivation: https://github.com/JurajNyiri/pytapo
- Implement decryption inline with a mitmproxy addon that detects the handshake, computes keys, and annotates flows with `request_decrypted` / `response_decrypted`. Example addon: https://github.com/kennedn/tapo-onboarding/blob/main/tapo_decrypt_pretty.py

Actionable onboarding without cloud (Tapo example)
- Decrypted method map includes: `scanApList`, `setAccountEnabled`, `changeThirdAccount`, `changeAdminPassword`, `connectAp`, `getConnectStatus`, `setTimezone`, `setRecordPlan`, `setDeviceLocation`, `bindToCloud` …
- Minimal local sequence to configure device:
1) `scanApList` – list Wi‑Fi APs
2) `setAccountEnabled` + `changeThirdAccount` – enable and set RTSP/ONVIF credentials
3) `changeAdminPassword` – set the device’s own admin password
4) `connectAp` – join target Wi‑Fi network

Notes
- TP‑Link’s app/device may desynchronize the device password from the cloud password after changes; local auth may keep working with the previous password.
- For Frigate two‑way audio, use go2rtc’s `tapo://` scheme (TP‑Link only exposes 2‑way audio via proprietary APIs, not RTSP).

### Frida

[Frida](https://www.frida.re) is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.\
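Review bot: the key-derivation bullet tells the reader to derive `lsk` and `ivb` from `cnonce`, the server `nonce` and `device_confirm` without giving the derivation (hash, concatenation order, key and IV lengths) or how `device_confirm` is validated, so the section is not usable without reading PyTapo; either write the formula out or say explicitly that it is left to the linked implementation. Style: `Pattern`, `Key derivation & inline decryption`, `Actionable onboarding without cloud (Tapo example)` and `Notes` are bare lines used as headings where the rest of the file uses `###`/`####` or bold; the PyTapo and mitmproxy-addon URLs on the two bullets should be markdown links as they are in the references; and the Frigate/go2rtc `tapo://` note concerns RTSP/IoT integration rather than Android APK pentesting and would fit better on an IoT page.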
Expand Down Expand Up @@ -867,6 +922,10 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [SSLPinDetect GitHub](https://github.com/aancw/SSLPinDetect)
- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [HTTP Toolkit universal interception & unpinning (Frida hooks)](https://github.com/httptoolkit/frida-interception-and-unpinning)
- [PyTapo (Tapo local API and crypto reference)](https://github.com/JurajNyiri/pytapo)
- [Cloudless TP‑Link Tapo onboarding: MITM, APK reversing, and securePassthrough decryption](https://kennedn.com/blog/posts/tapo/)
- [tapo-onboarding (mitmproxy addon + automation)](https://github.com/kennedn/tapo-onboarding)

## Yet to try
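Review bot: the HTTP Toolkit reference is added to this README, but nothing in this file's added text uses the Frida hooks; the section describing them is in the other file of this PR, which already receives the same reference, so either drop it here or add a one-line pointer from the SSL-pinning section that would actually use it.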

Expand Down
Expand Up @@ -185,6 +185,32 @@ Notes
- Extend for OkHttp: hook okhttp3.CertificatePinner and HostnameVerifier as needed, or use a universal unpinning script from CodeShare.
- Run example: `frida -U -f com.target.app -l ssl-bypass.js --no-pause`

### Universal proxy forcing + TLS unpinning (HTTP Toolkit Frida hooks)

Modern apps often ignore system proxies and enforce multiple layers of pinning (Java + native), making traffic capture painful even with user/system CAs installed. A practical approach is to combine universal TLS unpinning with proxy forcing via ready-made Frida hooks, and route everything through mitmproxy/Burp.

Workflow
- Run mitmproxy on your host (or Burp). Ensure the device can reach the host IP/port.
- Load HTTP Toolkit’s consolidated Frida hooks to both unpin TLS and force proxy usage across common stacks (OkHttp/OkHttp3, HttpsURLConnection, Conscrypt, WebView, etc.). This bypasses CertificatePinner/TrustManager checks and overrides proxy selectors, so traffic is always sent via your proxy even if the app explicitly disables proxies.
- Start the target app with Frida and the hook script, and capture requests in mitmproxy.

Example
```bash
# Device connected via ADB or over network (-U)
# See the repo for the exact script names & options
frida -U -f com.vendor.app \
-l ./android-unpinning-with-proxy.js \
--no-pause

# mitmproxy listening locally
mitmproxy -p 8080
```

Notes
- Combine with a system-wide proxy via `adb shell settings put global http_proxy <host>:<port>` when possible. The Frida hooks will enforce proxy use even when apps bypass global settings.
- This technique is ideal when you need to MITM mobile-to-IoT onboarding flows where pinning/proxy avoidance is common.
- Hooks: https://github.com/httptoolkit/frida-interception-and-unpinning

## Step 6 — Follow the JNI/native trail when Java hooks fail

Trace JNI entry points to locate native loaders and detection init:
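Review bot: the example never tells the hooks where the proxy is. The workflow says to ensure the device can reach the host IP/port and that the hooks "override proxy selectors", but the invocation only loads `./android-unpinning-with-proxy.js`, which the comment itself admits is not the real script name, and sets no proxy host/port or CA for the hooks; show the actual script(s) from the repo and where the proxy address and the mitmproxy CA are configured, otherwise the forced-proxy claim cannot be reproduced. Also, newer frida-tools resume spawned processes by default, so check whether `--no-pause` is still accepted by the installed version before copying the command (the earlier `ssl-bypass.js` example carries the same flag).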
Expand Down Expand Up @@ -299,5 +325,7 @@ apk-mitm app.apk
- [Magisk](https://github.com/topjohnwu/Magisk)
- [Medusa (Android Frida framework)](https://github.com/Ch0pin/medusa)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [HTTP Toolkit universal interception & unpinning (Frida hooks)](https://github.com/httptoolkit/frida-interception-and-unpinning)
- [Cloudless TP‑Link Tapo onboarding: MITM, APK reversing, and securePassthrough decryption](https://kennedn.com/blog/posts/tapo/)

{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
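Review bot: the `{{#include ../../banners/hacktricks-training.md}}` line appears twice at the end of this hunk; unless that is an artifact of the diff rendering, drop the second copy so the banner is included once.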