TP-Link-Archer-C50-API

TP-Link Deco M9 Plus Mesh Wi-Fi Support Data

Open OJ7 opened this issue 4 years ago • 7 comments

Items clicked:

Network Map button

  • Internet button
  • Clients button
  • SSID name button -- each of the three mesh units

Advanced button

  • Status tab
  • System tab -- Firmware Upgrade tab -- System Log tab -- Time Settings tab -- Reboot tab -- System Parameters tab

10.0.0.100.har.zip

OJ7 avatar Nov 01 '20 15:11 OJ7

Okay this seems relatively straightforward. The only two keys to the puzzle are the cookie string and the signed HTTPS request.

There are two things you can try out right now.

  1. Use existing cookie to check if login succeeds

import requests

# Login endpoint on the router's web interface
url = 'http://10.0.0.100/cgi-bin/luci/;stok=/login?form=auth'
data = {'operation': 'read'}
# sysauth session cookie copied from the browser
cookies = {
    'sysauth': 'ab80bb5727e1aa2850b259863c6218bb'
}
headers = {
    'Referer': 'http://10.0.0.100/webpages/index.html',
    'Origin': 'http://10.0.0.100',
    'Content-Type': 'application/json'
}
r = requests.post(url, data=data, cookies=cookies, headers=headers)

# Dump the response body, status, cookies and headers for inspection
print(r.text)
print(r.status_code)
print(r.cookies)
print(r.headers)

  2. Execute C80_test1.py.zip (beta) to attempt to receive new sysauth cookie

menahishayan avatar Nov 04 '20 13:11 menahishayan

Just got a chance to try this out now. FYI I re-ran the network inspector to get new cookies before trying this and used those instead.

Using the first one, I get the following:

Failed to execute call dispatcher target for entry '/login'.
The called action terminated with an exception:
?:0: attempt to index a nil value
stack traceback:
        [C]: in function 'assert'
        ?: in function 'dispatch'
        ?: in function <?:218>
500
<RequestsCookieJar[]>
{'Connection': 'close', 'Transfer-Encoding': 'chunked', 'Content-Type': 'text/plain', 'Cache-Control': 'no-cache', 'Expires': '0'}

If I change the url to http://10.0.0.100/webpages/index.html

<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="apple-touch-fullscreen" content="yes"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="format-detection" content="telephone=no"><link rel="shortcut icon" href="favicon.ico"><link href="themes/default/css/perfect-scrollbar.css" rel="stylesheet"><link href="themes/default/css/total.css" rel="stylesheet"><!--[if lt IE 9]>
    <link type="text/css" href="themes/default/css/total.ie8.css" rel="stylesheet" />
    <![endif]--><title id="title">Opening...</title><noscript><meta http-equiv="refresh" content="0; url=error.html"/></noscript></head><body><div id="main-container"></div><script src="js/libs/jquery.min.js"></script><script src="js/libs/jquery.backgroundSize.js"></script><script src="js/libs/base64.js"></script><script src="js/libs/encrypt.js"></script><script src="js/libs/cryptoJS.min.js"></script><script src="js/libs/tpEncrypt.js"></script><!--[if lt IE 9]><script src="js/libs/respond.min.js"></script><![endif]--><script src="js/app/url.js"></script><script src="js/su/char.js"></script><script src="js/su/language.js"></script><script>try{$.su.language=new $.su.Language}catch(a){location.href="./error.html"}</script><script src="js/su/frame.js"></script><script>$(document).ready(function(n){App=new $.su.App,App.setContainer("main-container"),App.init().done(function(){App.launch()})})</script></body></html>
200
<RequestsCookieJar[]>
{'Connection': 'close', 'ETag': '"eb-698-5f64aada"', 'Last-Modified': 'Fri, 18 Sep 2020 12:40:58 GMT', 'Date': 'Tue, 19 Jan 2021 13:37:24 GMT', 'Content-Type': 'text/html', 'Content-Length': '1688'}

The second script, when run as-is, got stuck on Retrieving PublicKey.... I wasn't sure how to configure it, but when attempting to put in my password at the end of the file, I got:

[VR600] Loading wireless clients...
Retrieving PublicKey...
Pub key fetch failed
Failed to get AuthTokens. Retrying in 3 secs.
Retrieving PublicKey...
Pub key fetch failed

OJ7 avatar Jan 19 '21 13:01 OJ7

Hello, I'm looking for the same thing. I got the first part working by only changing the data variable from data = {'operation': 'read'} to data = '{"operation":"read"}'

It looks like the serialization is not working properly in Python (or the router implemented its own JSON serialiser).

The second part also fails for me on retrieving the PublicKey. The HttpPost in method _get_pub_key in VR600TplinkDeviceScanner returns a 404 error.

I did some more digging. The steps that are written in the CONTRIBUTING.md are missing a part. Once I open the management web-page, there is a request sent to get "keys" which will contain 2 passwords that (I think) are used to encrypt the password (see attached keys.har.txt).

The management web-page for the Deco M9 only asks for a password, no username is required.

bvermolen avatar Jan 20 '21 20:01 bvermolen
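An added example, not part of the thread or the project's code: it prepares the POST from the first script without sending it and shows the body `requests` would put on the wire for the dict form, the string form reported above as working, and the `json=` keyword. The helper names `wire_body`, `is_json_object` and `compare` are hypothetical; the URL and payload are the ones quoted in the thread.

```python
import json
import requests

URL = 'http://10.0.0.100/cgi-bin/luci/;stok=/login?form=auth'  # from the thread
HEADERS = {'Content-Type': 'application/json'}                 # from the thread


def wire_body(**kwargs):
    """Return (Content-Type, body text) for a prepared POST. Nothing is sent."""
    prepared = requests.Request('POST', URL, headers=HEADERS, **kwargs).prepare()
    body = prepared.body
    if isinstance(body, bytes):
        body = body.decode('utf-8')
    return prepared.headers['Content-Type'], body


def is_json_object(text):
    """True if the text parses as a JSON object."""
    try:
        return isinstance(json.loads(text), dict)
    except ValueError:
        return False


def compare():
    """Prepare the same payload three ways and collect what would be sent."""
    variants = {
        'data=dict': {'data': {'operation': 'read'}},      # original script
        'data=str': {'data': '{"operation":"read"}'},      # change reported as working
        'json=dict': {'json': {'operation': 'read'}},      # requests serializes to JSON
    }
    return {name: wire_body(**kw) for name, kw in variants.items()}


if __name__ == '__main__':
    for name, (ctype, body) in compare().items():
        verdict = 'valid JSON' if is_json_object(body) else 'NOT JSON'
        print(f'{name:10} {ctype:18} {body!r:26} {verdict}')
```

With `data=` set to a dict the body is form-encoded while the header still says `application/json`, so the two disagree; the string and `json=` forms both carry a JSON object.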

A little late to reply, but if you're still interested, try the script mentioned in Issue 5 and let me know if the script worked

menahishayan avatar Mar 26 '21 13:03 menahishayan

Hi @menahishayan

Sorry for the very late reply, I had forgotten about this project. I have picked this up and run the c6_test.py script (from Issue 5).

The requests in that script look to be matching with the requests for the M9, but it still fails on retrieving auth tokens. I think the issue is that the body of the "/cgi-bin/luci/;stok=/login?form=login" request is not encrypted. The keys to encrypt the body can be retrieved by a request to "/cgi-bin/luci/;stok=/login?form=keys".

bvermolen avatar Jan 08 '23 16:01 bvermolen

@OJ7 @bvermolen If you are still looking for a client for Deco M9 - I have the client which supports it https://github.com/AlexandrErohin/TP-Link-Archer-C6U

AlexandrErohin avatar Sep 18 '24 14:09 AlexandrErohin