| ▲ | alfanick 3 hours ago |
| I had truly good “hacking” session with Codex. It’s not hacking, I wasn’t breaking anything, just jumping over the fences TP-Link put for me, owning the router, inside the network, knowing the admin password. But TP-Link really tried everything so you cannot access the router you own via API. They really tried to be smart with some very very broken and custom auth and encryption scheme. It took some half a day with Codex, but in the end I have a pretty Python API to access my router, tested, reliable, and exporting beautiful Prometheus metrics. I’m sure there is some over eager product manager sitting in such companies, trying to splits markets into customer and enterprise sections, just by making APIs not useable by humans and adding 200% useless “security by obscurity”. |
|
| ▲ | ropbear 3 hours ago | parent | next [-] |
| Many eons ago I wrote a Python version of tmpcli for this exact reason. Made some minor improvements a few years ago but haven’t touched it since. Curious what methodology Codex came up with, I haven’t revisited it since models got really good. The idea is that tmpServer listens on localhost, but dropbear allows port forwarding with admin creds (you’ll need to specify -N). That program has full device access and is the API the Tether app primarily uses to interact with the device. https://github.com/ropbear/tmpcli |
| |
| ▲ | alfanick 2 hours ago | parent [-] | | Ha kudos! I went across this project - thanks for your work :) It didn't work on the specific model I own (Archer NX600). My solution is really just using their pseudo-JWT over their obscured APIs (with reverse-engineered names of endpoints and params). Limitation is that there is still only one client allowed to be authenticated at one moment, so my daemon has priority and I need to stop it to actually access Admin panel. | | |
| ▲ | mtud an hour ago | parent | next [-] | | We’re splitting this across two threads, but if you give Codex access to jadx and the Archer android app you might be able to get something without that problem. The TPLink management protocol has a few different “transport” types - tmpcli uses SSH, but your device might only support one of the other transports. | |
| ▲ | baq an hour ago | parent | prev | next [-] | | Would be amazing if it worked with decos, these are locked down so much you don’t even get an admin interface inside your own network. | |
| ▲ | ropbear an hour ago | parent | prev [-] | | Of course! Happy to contribute. As is the case with your device, there's a lot of weird TP-Link firmware variants (even an RTOS called TPOS based on VxWorks), so no guarantee it'll work all the time. Glad there's more research being done in the space! |
|
|
|
| ▲ | 0x_rs 2 hours ago | parent | prev | next [-] |
| I've had good success doing something similar. Recording requests into an .har file using the web UI and providing it for analysis was a good starting point for me, orders of magnitude faster than it would be without an assistant. |
|
| ▲ | tclancy 3 hours ago | parent | prev | next [-] |
| Would definitely be interested in this. Moved to TP Link at the start of the year and I am generally very happy with it, but would like to be able to interact with my router in something other than their phone app. |
| |
| ▲ | alfanick 3 hours ago | parent [-] | | That was actually my first thought, to go through TP-Link cloud (ZERO DOCS), but it was too much effort :) |
|
|
| ▲ | srcreigh 3 hours ago | parent | prev | next [-] |
| Any tips to share? I tried to do something similar but failed. My router has a backup/restore feature with an encrypted export, I figured I could use that to control or at least inspect all of its state, but I/codex could not figure out the encryption. |
| |
| ▲ | alfanick 3 hours ago | parent | next [-] | | It's on my long list of projects "to-opensource" (but I need to figure out licensing, for those things CC-BY-SA I think is the way to go), I don't want a random lawyer sitting on my ass though. I started with a simple assumption: if I can access the router via web-browser, then I can also automate that. From that the proof-of-concept was headless Chrome in Docker and AI-directed code (code written via LLM, not using it all the time) that uses Selenium to navigate the code. This worked, but it internally hurt me to run 300MiB browser just to access like 200B of metrics every 10s or so. So from there we (me + codex) worked together towards reverse engineering their minimised JS and their funky encryption scheme, and it eventually worked (in the end it's just OpenSSL with some useless paddings here or there). Give it a shot, it's a fun day adventure. :) Edit: that's the end result (kinda, I have whole infra around it, and another story with WiFi extender with another semi-broken different encryption scheme from the same provider) - https://imgur.com/a/VGbNmBp | | |
| ▲ | TurkTurkleton 44 minutes ago | parent | next [-] | | For what it's worth, the Creative Commons organization recommends against using CC licenses on software: https://creativecommons.org/faq/#can-i-apply-a-creative-comm... | |
| ▲ | mtud 3 hours ago | parent | prev [-] | | You should give codex access to the mobile app :) The app, for a lot of routers, connects via an ssh tunnel to UDP/TCP sockets on the router. Would probably give you access to more data/control. | | |
| ▲ | ropbear an hour ago | parent [-] | | Made a comment up above, but that's tdpServer and tmpServer (sometimes tdpd and tmpd) and it's what I use in my python implementation of tmpcli, the (somewhat broken) client binary on some TP-Link devices. You're correct, it gives you access to everything the Tether app can do. https://github.com/ropbear/tmpcli | | |
| ▲ | mtud an hour ago | parent [-] | | I had been trying to find that again! It was instrumental in some RE/VR I did last year on tmp and the differences between the UDP socket (available without auth) and the TCP socket. Thanks for making that. I can't remember the details of the scheme, but it also allows you to authenticate using your TPLink cloud credential. If my memory is correct, the username is md5(tplink_account_email) and the password is the cloud account password. If you care, I can find my notes on that to confirm. |
|
|
| |
| ▲ | seer an hour ago | parent | prev [-] | | I had fun “hacking” my router that turned out to be just unzipping the file with slight binary modifications, it was so simple in fact I just implemented it in a few lines of js, even works in the browser :-D https://ivank.github.io/ddecryptor/ |
|
|
| ▲ | jack_pp 3 hours ago | parent | prev [-] |
| that could make a for a nice blog / gist |
