TPAP Implementation by ZeliardM · Pull Request #1592 · python-kasa/python-kasa

ZeliardM · 2025-10-18T19:48:21Z

Discovered with new firmware for devices, TP-Link is implementing a new Encryption Type, TPAP. This is an initial implementation to see if the coding works for the handshake. Testing of the code coverage still has to be worked on. The initial implementation includes the new transport, changes to the device_factory to allow devices to select the new transport, and a change to the project to include ecdsa as a new dependency along with cryptography for the new tpaptransport.py.

Copilot

Pull Request Overview

Implements the new TPAP (TP-Link Adaptive Protocol) encryption type with SPAKE2+ HTTPS transport for TP-Link devices. This is an initial implementation to test handshake functionality with new firmware that uses TPAP encryption.

Added complete TPAP transport implementation using SPAKE2+ P-256 handshake and AEAD data channel
Updated device factory to support TPAP encryption type routing
Added ecdsa dependency for elliptic curve operations

Reviewed Changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pyproject.toml	Added ecdsa dependency and mypy overrides for the new package
kasa/transports/tpaptransport.py	New TPAP transport implementation with SPAKE2+ handshake and secure channel
kasa/transports/init.py	Added TpapTransport to module exports
kasa/deviceconfig.py	Added Tpap enum value to DeviceEncryptionType
kasa/device_factory.py	Added SMART.TPAP.HTTPS protocol mapping and fixed typo

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

kasa/transports/tpaptransport.py

codecov · 2025-10-18T19:51:39Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.75%. Comparing base (be5ce08) to head (0e9f22e).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1592      +/-   ##
==========================================
+ Coverage   93.22%   93.75%   +0.53%     
==========================================
  Files         157      158       +1     
  Lines        9815    10654     +839     
  Branches     1003     1112     +109     
==========================================
+ Hits         9150     9989     +839     
  Misses        472      472              
  Partials      193      193

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

kasa/transports/tpaptransport.py

tests/transports/test_tpaptransport.py

kasa/transports/tpaptransport.py

tests/transports/test_tpaptransport.py

ZeliardM · 2025-10-19T04:08:07Z

@rytilahti Ok, I think this is a good first pass. I just need someone with a RV device to test it. The CodeQL Security flags, from my understanding, will always come up with md5 and sha1 hashing in the code, but it's required for the device communication, just like with the other transports.

danieyal · 2025-10-19T05:09:29Z

Sanitized discovery, logs, and TLS observations for the RV30 Max Plus(EU)-Firmware:1.3.0 Build 250909 Rel.135514 using TPAP. Personally identifying values are redacted. Hope this help.

Discovery advertises TPAP with tls=2 and PAKE suite [2]; HTTPS on 4433.
TLS1.3 fails immediately; TLS1.2 handshake succeeds with ECDHE-ECDSA-CHACHA20-POLY1305; no ALPN.
AES “/app” login on this device returns text/html “200 OK” (likely wrong endpoint for this family).
TPAP transport attempts hit TLS alert 40 initially; after constraining to TLS1.2, device still doesn’t accept our HTTP request format (suspect different login paths/headers/body or a pre-HTTP step).

uv run kasa --username '' --password '' --debug --host 192.168.68.63 discover config

DEBUG    Trying to connect with SmartProtocol                                                            discover.py:681
DEBUG    Using SmartDevice for SMART.TAPOROBOVAC                                                   device_factory.py:180
DEBUG    Initializing 192.168.68.63 of type <class 'kasa.smart.smartdevice.SmartDevice'>                   device.py:214
DEBUG    192.168.68.63 multi-request-batch-1-of-1 >>                                                smartprotocol.py:241
         '{"method":"multipleRequest","request_time_milis":1760838809450,"terminal_uuid":"qHsKLwgAV
         HlHIO3ZttV4Mw==","params":{"requests":[{"method":"component_nego"},{"method":"get_device_i
         nfo"},{"method":"get_connect_cloud_state"}]}}'
DEBUG    Posting to https://192.168.68.63:4433/                                                         httpclient.py:88
DEBUG    Device 192.168.68.63 received an os error, enabling sequential request delay: Cannot connect  httpclient.py:136
         to host 192.168.68.63:4433 ssl:<ssl.SSLContext object at 0x000001B6D6A4F7D0> [[SSL:
         SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)]
DEBUG    Device 192.168.68.63 got a connection error, will retry 3 times: ('Device connection       smartprotocol.py:145
         error: 192.168.68.63: Cannot connect to host 192.168.68.63:4433 ssl:<ssl.SSLContext object
         at 0x000001B6D6A4F7D0> [[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure
         (_ssl.c:1000)]', ClientConnectorSSLError(ConnectionKey(host='192.168.68.63', port=4433,
         is_ssl=True, ssl=<ssl.SSLContext object at 0x000001B6D6A4F7D0>, proxy=None,
         proxy_auth=None, proxy_headers_hash=None), SSLError(1, '[SSL:
         SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)')))
DEBUG    192.168.68.63 multi-request-batch-1-of-1 >>                                                smartprotocol.py:241
         '{"method":"multipleRequest","request_time_milis":1760838809471,"terminal_uuid":"qHsKLwgAV
         HlHIO3ZttV4Mw==","params":{"requests":[{"method":"component_nego"},{"method":"get_device_i
         nfo"},{"method":"get_connect_cloud_state"}]}}'
DEBUG    Device 192.168.68.63 waiting 0.25 seconds to send request                                      httpclient.py:81
DEBUG    Posting to https://192.168.68.63:4433/                                                         httpclient.py:88
DEBUG    192.168.68.63 multi-request-batch-1-of-1 >>                                                smartprotocol.py:241
         '{"method":"multipleRequest","request_time_milis":1760838809754,"terminal_uuid":"qHsKLwgAV
         HlHIO3ZttV4Mw==","params":{"requests":[{"method":"component_nego"},{"method":"get_device_i
         nfo"},{"method":"get_connect_cloud_state"}]}}'
DEBUG    Device 192.168.68.63 waiting 0.25 seconds to send request                                      httpclient.py:81
DEBUG    Posting to https://192.168.68.63:4433/                                                         httpclient.py:88
DEBUG    192.168.68.63 multi-request-batch-1-of-1 >>                                                smartprotocol.py:241
         '{"method":"multipleRequest","request_time_milis":1760838810228,"terminal_uuid":"qHsKLwgAV
         HlHIO3ZttV4Mw==","params":{"requests":[{"method":"component_nego"},{"method":"get_device_i
         nfo"},{"method":"get_connect_cloud_state"}]}}'
DEBUG    Device 192.168.68.63 waiting 0.25 seconds to send request                                      httpclient.py:81
DEBUG    Posting to https://192.168.68.63:4433/                                                         httpclient.py:88
DEBUG    Giving up on 192.168.68.63 after 3 retries                                                 smartprotocol.py:152
DEBUG    Unable to connect with SmartProtocol: ('Device connection error: 192.168.68.63: Cannot connect  discover.py:684
         to host 192.168.68.63:4433 ssl:<ssl.SSLContext object at 0x000001B6D6A4F7D0> [[SSL:
         SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)]',
         ClientConnectorSSLError(ConnectionKey(host='192.168.68.63', port=4433, is_ssl=True,
         ssl=<ssl.SSLContext object at 0x000001B6D6A4F7D0>, proxy=None, proxy_auth=None,
         proxy_headers_hash=None), SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert
         handshake failure (_ssl.c:1000)')))
Attempt to connect to 192.168.68.63 with SmartProtocol + TpapTransport + SmartDevice + https failed
Unable to connect to 192.168.68.63

uv run kasa --username '' --password '' --debug --host 192.168.68.63 discover raw

Discovering device 192.168.68.63 for 10 seconds
DEBUG    [DISCOVERY] 192.168.68.63 >> {'system': {'get_sysinfo': {}}}                                    discover.py:326
DEBUG    Waiting a total of 10 seconds for responses...                                                  discover.py:587
{
  "discovery_response": {
    "result": {
      "device_id": "REDACTED_f47bb068b8aacda06dec54e",
      "owner": "REDACTED_96B05E0B002C122F61EC032",
      "device_type": "SMART.TAPOROBOVAC",
      "device_model": "RV30 Max Plus(EU)",
      "ip": "192.168.68.63",
      "mac": "BC-07-1D-00-00-00",
      "is_support_iot_cloud": true,
      "tpap": {
        "tls": 2,
        "dac": 1,
        "noc": 1,
        "pake": [
          2
        ],
        "port": 4433
      },
      "obd_src": "tplink",
      "protocol_version": 1,
      "factory_default": false,
      "mgt_encrypt_schm": {
        "is_support_https": true,
        "http_port": 4433,
        "encrypt_type": "TPAP",
        "lv": 2
      }
    },
    "error_code": 0
  },
  "meta": {
    "ip": "192.168.68.63",
    "port": 20002
  }
}
DEBUG    Using SmartDevice for SMART.TAPOROBOVAC                                                   device_factory.py:180
DEBUG    Finding protocol for 192.168.68.63                                                        device_factory.py:195
DEBUG    Finding protocol for DeviceFamily.SmartTapoRobovac                                        device_factory.py:198
DEBUG    Finding transport for SMART.TPAP.HTTPS                                                    device_factory.py:227
DEBUG    [DISCOVERY] 192.168.68.63 << {'error_code': 0,                                                  discover.py:924
          'result': {'device_id': 'REDACTED_f47bb068b8aacda06dec54e',
                     'device_model': 'RV30 Max Plus(EU)',
                     'device_type': 'SMART.TAPOROBOVAC',
                     'factory_default': False,
                     'ip': '192.168.68.63',
                     'is_support_iot_cloud': True,
                     'mac': 'BC-07-1D-00-00-00',
                     'mgt_encrypt_schm': {'encrypt_type': 'TPAP',
                                          'http_port': 4433,
                                          'is_support_https': True,
                                          'lv': 2},
                     'obd_src': 'tplink',
                     'owner': 'REDACTED_96B05E0B002C122F61EC032',
                     'protocol_version': 1,
                     'tpap': {'dac': 1, 'noc': 1, 'pake': [2], 'port': 4433, 'tls': 2}}}
DEBUG    Initializing 192.168.68.63 of type <class 'kasa.smart.smartdevice.SmartDevice'>                   device.py:214

SSL:

root@pve:~# openssl s_client -connect 192.168.68.63:4433 -tls1_3 -alpn h2
Connecting to 192.168.68.63
CONNECTED(00000003)
40D767A1D0750000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:../ssl/record/rec_layer_s3.c:916:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 7 bytes and written 1469 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
root@pve:~# openssl s_client -connect 192.168.68.63:4433 -tls1_2 -alpn h2
Connecting to 192.168.68.63
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN=SMART.TAPOROBOVAC CA, O=TP-LINK SYSTEMS INC., L=Irvine, ST=California, C=US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=RV30 Max Plus(EU), OU=SMART.TAPOHUB
verify return:1
---
Certificate chain
 0 s:CN=RV30 Max Plus(EU), OU=SMART.TAPOHUB
   i:CN=SMART.TAPOROBOVAC CA, O=TP-LINK SYSTEMS INC., L=Irvine, ST=California, C=US
   a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
   v:NotBefore: Sep 19 20:43:33 2025 GMT; NotAfter: Sep 19 20:43:33 2030 GMT
 1 s:CN=SMART.TAPOROBOVAC CA, O=TP-LINK SYSTEMS INC., L=Irvine, ST=California, C=US
   i:CN=TP-LINK SYSTEMS DEVICE ROOT CA, O=TP-LINK SYSTEMS INC., L=Irvine, ST=California, C=US
   a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
   v:NotBefore: Nov 22 04:07:54 2024 GMT; NotAfter: Nov 20 04:07:54 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<REDACTED>
-----END CERTIFICATE-----
subject=CN=RV30 Max Plus(EU), OU=SMART.TAPOHUB
issuer=CN=SMART.TAPOROBOVAC CA, O=TP-LINK SYSTEMS INC., L=Irvine, ST=California, C=US
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Peer Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 1476 bytes and written 350 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Protocol: TLSv1.2
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: <REDACTED>
    Session-ID-ctx:
    Master-Key: <REDACTED>
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1760847175
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---

Wireshark:

Frame 221: Packet, 234 bytes on wire (1872 bits), 234 bytes captured (1872 bits) on interface \Device\NPF_{5B7CFEBB-96D4-4EA5-A9EB-AEB90614BE7A}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{5B7CFEBB-96D4-4EA5-A9EB-AEB90614BE7A})
        Interface name: \Device\NPF_{5B7CFEBB-96D4-4EA5-A9EB-AEB90614BE7A}
        Interface description: Ethernet
    Encapsulation type: Ethernet (1)
    Arrival Time: Oct 19, 2025 11:35:25.271976000 Malay Peninsula Standard Time
    UTC Arrival Time: Oct 19, 2025 03:35:25.271976000 UTC
    Epoch Arrival Time: 1760844925.271976000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 1.073000 milliseconds]
    [Time delta from previous displayed frame: 1.073000 milliseconds]
    [Time since reference or first frame: 3 minutes, 2.003639000 seconds]
    Frame Number: 221
    Frame Length: 234 bytes (1872 bits)
    Capture Length: 234 bytes (1872 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    Character encoding: ASCII (0)
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: CompalInform_02:ed:ec (38:a7:46:02:ed:ec), Dst: TPLink_77:0e:7d (bc:07:1d:77:0e:7d)
    Destination: TPLink_77:0e:7d (bc:07:1d:77:0e:7d)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: CompalInform_02:ed:ec (38:a7:46:02:ed:ec)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 0]
Internet Protocol Version 4, Src: 192.168.68.91, Dst: 192.168.68.63
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 220
    Identification: 0x2625 (9765)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.68.91
    Destination Address: 192.168.68.63
    [Stream index: 0]
Transmission Control Protocol, Src Port: 46387, Dst Port: 4433, Seq: 1, Ack: 1, Len: 180
    Source Port: 46387
    Destination Port: 4433
    [Stream index: 5]
    [Stream Packet Number: 4]
    [Conversation completeness: Incomplete, DATA (15)]
        ..0. .... = RST: Absent
        ...0 .... = FIN: Absent
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: ··DASS]
    [TCP Segment Len: 180]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 2124410112
    [Next Sequence Number: 181    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    Acknowledgment number (raw): 1100174539
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 255
    [Calculated window size: 65280]
    [Window size scaling factor: 256]
    Checksum: 0x0aba [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 8.459000 milliseconds]
        [Time since previous frame in this TCP stream: 1.073000 milliseconds]
    [SEQ/ACK analysis]
        [iRTT: 7.386000 milliseconds]
        [Bytes in flight: 180]
        [Bytes sent since last PSH flag: 180]
    [Client Contiguous Streams: 1]
    [Server Contiguous Streams: 1]
    TCP payload (180 bytes)
Transport Layer Security
    [Stream index: 2]
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 175
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 171
            Version: TLS 1.2 (0x0303)
            Random: 3cbe0eae6e3be4e450edfdf4d611302985ecb513dc5d147633b7e16465777bf3
                GMT Unix Time: Apr 18, 2002 08:09:18.000000000 Malay Peninsula Standard Time
                Random Bytes: 6e3be4e450edfdf4d611302985ecb513dc5d147633b7e16465777bf3
            Session ID Length: 32
            Session ID: 1b04dc59c6d238c56aff3701dc937ef2e4a14eed2c195aa26d2a880c4b9c8af1
            Cipher Suites Length: 16
            Cipher Suites (8 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 82
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: session_ticket (len=0)
                Type: session_ticket (35)
                Length: 0
                Session Ticket: <MISSING>
            Extension: signature_algorithms (len=20)
                Type: signature_algorithms (13)
                Length: 20
                Signature Hash Algorithms Length: 18
                Signature Hash Algorithms (9 algorithms)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (4)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (5)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (6)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
            Extension: status_request (len=5)
                Type: status_request (5)
                Length: 5
                Certificate Status Type: OCSP (1)
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: application_layer_protocol_negotiation (len=14)
                Type: application_layer_protocol_negotiation (16)
                Length: 14
                ALPN Extension Length: 12
                ALPN Protocol
                    ALPN string length: 2
                    ALPN Next Protocol: h2
                    ALPN string length: 8
                    ALPN Next Protocol: http/1.1
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: supported_groups (len=8)
                Type: supported_groups (10)
                Length: 8
                Supported Groups List Length: 6
                Supported Groups (3 groups)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: secp384r1 (0x0018)

Frame 224: Packet, 63 bytes on wire (504 bits), 63 bytes captured (504 bits) on interface \Device\NPF_{5B7CFEBB-96D4-4EA5-A9EB-AEB90614BE7A}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{5B7CFEBB-96D4-4EA5-A9EB-AEB90614BE7A})
        Interface name: \Device\NPF_{5B7CFEBB-96D4-4EA5-A9EB-AEB90614BE7A}
        Interface description: Ethernet
    Encapsulation type: Ethernet (1)
    Arrival Time: Oct 19, 2025 11:35:25.281849000 Malay Peninsula Standard Time
    UTC Arrival Time: Oct 19, 2025 03:35:25.281849000 UTC
    Epoch Arrival Time: 1760844925.281849000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 4.004000 milliseconds]
    [Time delta from previous displayed frame: 4.004000 milliseconds]
    [Time since reference or first frame: 3 minutes, 2.013512000 seconds]
    Frame Number: 224
    Frame Length: 63 bytes (504 bits)
    Capture Length: 63 bytes (504 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    Character encoding: ASCII (0)
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: TPLink_77:0e:7d (bc:07:1d:77:0e:7d), Dst: CompalInform_02:ed:ec (38:a7:46:02:ed:ec)
    Destination: CompalInform_02:ed:ec (38:a7:46:02:ed:ec)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: TPLink_77:0e:7d (bc:07:1d:77:0e:7d)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 0]
Internet Protocol Version 4, Src: 192.168.68.63, Dst: 192.168.68.91
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 49
    Identification: 0x2213 (8723)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0x0ec9 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.68.63
    Destination Address: 192.168.68.91
    [Stream index: 0]
Transmission Control Protocol, Src Port: 4433, Dst Port: 46386, Seq: 1426, Ack: 181, Len: 9
    Source Port: 4433
    Destination Port: 46386
    [Stream index: 4]
    [Stream Packet Number: 12]
    [Conversation completeness: Incomplete, DATA (15)]
        ..0. .... = RST: Absent
        ...0 .... = FIN: Absent
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: ··DASS]
    [TCP Segment Len: 9]
    Sequence Number: 1426    (relative sequence number)
    Sequence Number (raw): 1085180748
    [Next Sequence Number: 1435    (relative sequence number)]
    Acknowledgment Number: 181    (relative ack number)
    Acknowledgment number (raw): 241256951
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 1892
    [Calculated window size: 30272]
    [Window size scaling factor: 16]
    Checksum: 0x968c [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 216.772000 milliseconds]
        [Time since previous frame in this TCP stream: 4.204000 milliseconds]
    [SEQ/ACK analysis]
        [iRTT: 11.499000 milliseconds]
        [Bytes in flight: 9]
        [Bytes sent since last PSH flag: 9]
    [Client Contiguous Streams: 1]
    [Server Contiguous Streams: 1]
    TCP payload (9 bytes)
Transport Layer Security
    [Stream index: 1]
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

Frame 225: Packet, 212 bytes on wire (1696 bits), 212 bytes captured (1696 bits) on interface \Device\NPF_{5B7CFEBB-96D4-4EA5-A9EB-AEB90614BE7A}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{5B7CFEBB-96D4-4EA5-A9EB-AEB90614BE7A})
        Interface name: \Device\NPF_{5B7CFEBB-96D4-4EA5-A9EB-AEB90614BE7A}
        Interface description: Ethernet
    Encapsulation type: Ethernet (1)
    Arrival Time: Oct 19, 2025 11:35:25.284112000 Malay Peninsula Standard Time
    UTC Arrival Time: Oct 19, 2025 03:35:25.284112000 UTC
    Epoch Arrival Time: 1760844925.284112000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 2.263000 milliseconds]
    [Time delta from previous displayed frame: 2.263000 milliseconds]
    [Time since reference or first frame: 3 minutes, 2.015775000 seconds]
    Frame Number: 225
    Frame Length: 212 bytes (1696 bits)
    Capture Length: 212 bytes (1696 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    Character encoding: ASCII (0)
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: CompalInform_02:ed:ec (38:a7:46:02:ed:ec), Dst: TPLink_77:0e:7d (bc:07:1d:77:0e:7d)
    Destination: TPLink_77:0e:7d (bc:07:1d:77:0e:7d)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: CompalInform_02:ed:ec (38:a7:46:02:ed:ec)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 0]
Internet Protocol Version 4, Src: 192.168.68.91, Dst: 192.168.68.63
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 198
    Identification: 0x2627 (9767)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.68.91
    Destination Address: 192.168.68.63
    [Stream index: 0]
Transmission Control Protocol, Src Port: 46386, Dst Port: 4433, Seq: 181, Ack: 1435, Len: 158
    Source Port: 46386
    Destination Port: 4433
    [Stream index: 4]
    [Stream Packet Number: 13]
    [Conversation completeness: Incomplete, DATA (15)]
        ..0. .... = RST: Absent
        ...0 .... = FIN: Absent
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: ··DASS]
    [TCP Segment Len: 158]
    Sequence Number: 181    (relative sequence number)
    Sequence Number (raw): 241256951
    [Next Sequence Number: 339    (relative sequence number)]
    Acknowledgment Number: 1435    (relative ack number)
    Acknowledgment number (raw): 1085180757
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 250
    [Calculated window size: 64000]
    [Window size scaling factor: 256]
    Checksum: 0x0aa4 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 219.035000 milliseconds]
        [Time since previous frame in this TCP stream: 2.263000 milliseconds]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 224]
        [The RTT to ACK the segment was: 2.263000 milliseconds]
        [iRTT: 11.499000 milliseconds]
        [Bytes in flight: 158]
        [Bytes sent since last PSH flag: 158]
    [Client Contiguous Streams: 1]
    [Server Contiguous Streams: 1]
    TCP payload (158 bytes)
Transport Layer Security
    [Stream index: 1]
    TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 102
        Handshake Protocol: Client Key Exchange
            Handshake Type: Client Key Exchange (16)
            Length: 98
            EC Diffie-Hellman Client Params
                Pubkey Length: 97
                Pubkey: 0495574c7aa82261d993d4498805cc1090590eb703e0f85f77a68b4ca4f6dc148b8d401ff25e0359f99a06473e8fa771956ecbcf6512de82961734bc2584546b0ffc4ebcd2d787aa39402881fb51297e8dab3dc0f887e863494fa8b8fba336c0c6
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 40
        Handshake Protocol: Encrypted Handshake Message

ZeliardM · 2025-10-19T12:34:40Z

@danieyal Pull the latest commit and try giving it a shot again.

danieyal · 2025-10-19T15:37:11Z

unfortunately, still the same error.

DEBUG    Trying to connect with SmartProtocol                                                             discover.py:681
DEBUG    Using SmartDevice for SMART.TAPOROBOVAC                                                    device_factory.py:180
DEBUG    Initializing 192.168.68.63 of type <class 'kasa.smart.smartdevice.SmartDevice'>                    device.py:214
DEBUG    192.168.68.63 multi-request-batch-1-of-1 >>                                                 smartprotocol.py:241
         '{"method":"multipleRequest","request_time_milis":1760887822371,"terminal_uuid":"mRY0IrNONh
         G5kZRhIPcYrg==","params":{"requests":[{"method":"component_nego"},{"method":"get_device_inf
         o"},{"method":"get_connect_cloud_state"}]}}'
DEBUG    Posting to https://192.168.68.63:4433/                                                          httpclient.py:88
DEBUG    Device 192.168.68.63 received an os error, enabling sequential request delay: Cannot connect   httpclient.py:157
         to host 192.168.68.63:4433 ssl:<ssl.SSLContext object at 0x0000025A3D7D7550> [[SSL:
         SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)]
DEBUG    Device 192.168.68.63 got a connection error, will retry 3 times: ('Device connection error: smartprotocol.py:145
         192.168.68.63: Cannot connect to host 192.168.68.63:4433 ssl:<ssl.SSLContext object at
         0x0000025A3D7D7550> [[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure
         (_ssl.c:1000)]', ClientConnectorSSLError(ConnectionKey(host='192.168.68.63', port=4433,
         is_ssl=True, ssl=<ssl.SSLContext object at 0x0000025A3D7D7550>, proxy=None,
         proxy_auth=None, proxy_headers_hash=None), SSLError(1, '[SSL:
         SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)')))
DEBUG    192.168.68.63 multi-request-batch-1-of-1 >>                                                 smartprotocol.py:241
         '{"method":"multipleRequest","request_time_milis":1760887822496,"terminal_uuid":"mRY0IrNONh
         G5kZRhIPcYrg==","params":{"requests":[{"method":"component_nego"},{"method":"get_device_inf
         o"},{"method":"get_connect_cloud_state"}]}}'
DEBUG    Device 192.168.68.63 waiting 0.25 seconds to send request                                       httpclient.py:81
DEBUG    Posting to https://192.168.68.63:4433/                                                          httpclient.py:88
DEBUG    192.168.68.63 multi-request-batch-1-of-1 >>                                                 smartprotocol.py:241
         '{"method":"multipleRequest","request_time_milis":1760887823014,"terminal_uuid":"mRY0IrNONh
         G5kZRhIPcYrg==","params":{"requests":[{"method":"component_nego"},{"method":"get_device_inf
         o"},{"method":"get_connect_cloud_state"}]}}'
DEBUG    Device 192.168.68.63 waiting 0.25 seconds to send request                                       httpclient.py:81
DEBUG    Posting to https://192.168.68.63:4433/                                                          httpclient.py:88
DEBUG    192.168.68.63 multi-request-batch-1-of-1 >>                                                 smartprotocol.py:241
         '{"method":"multipleRequest","request_time_milis":1760887823298,"terminal_uuid":"mRY0IrNONh
         G5kZRhIPcYrg==","params":{"requests":[{"method":"component_nego"},{"method":"get_device_inf
         o"},{"method":"get_connect_cloud_state"}]}}'
DEBUG    Device 192.168.68.63 waiting 0.25 seconds to send request                                       httpclient.py:81
DEBUG    Posting to https://192.168.68.63:4433/                                                          httpclient.py:88
DEBUG    Giving up on 192.168.68.63 after 3 retries                                                  smartprotocol.py:152
DEBUG    Unable to connect with SmartProtocol: ('Device connection error: 192.168.68.63: Cannot connect   discover.py:684
         to host 192.168.68.63:4433 ssl:<ssl.SSLContext object at 0x0000025A3D7D7550> [[SSL:
         SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)]',
         ClientConnectorSSLError(ConnectionKey(host='192.168.68.63', port=4433, is_ssl=True,
         ssl=<ssl.SSLContext object at 0x0000025A3D7D7550>, proxy=None, proxy_auth=None,
         proxy_headers_hash=None), SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert
         handshake failure (_ssl.c:1000)')))
Attempt to connect to 192.168.68.63 with SmartProtocol + TpapTransport + SmartDevice + https failed
Unable to connect to 192.168.68.63

danieyal · 2025-10-19T19:22:24Z

I think i have got the TLS working now but stuck on the authentication now.

TLS 1.2, cipher ECDHE-ECDSA-AES-256-GCM-SHA384
No SNI (IP direct)
ALPN offered: h2, http/1.1
Server certificate chain: TP-LINK SYSTEMS DEVICE ROOT CA → SMART.TAPOROBOVAC CA → device leaf (CN RV30 Max Plus(EU), OU SMART.TAPOHUB)
OCSP AIA: http://ocsp-tss.tplinkcloud.com
No CertificateRequest observed → not mTLS

CIPHERS = ":".join(
        [
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-CHACHA20-POLY1305",
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "AES256-GCM-SHA384",
            "AES256-SHA256",
            "AES128-GCM-SHA256",
            "AES128-SHA256",
            "AES256-SHA",
        ]
    )

The device is returning a JSON response with 'error_code': -2402 along with authentication failure details like failedAttempts and remainAttempts. The device is rejecting the authentication attempt at the pake_register stage returning error code -2402. My theory is the device is actively rejecting our credentials/authentication attempt before we even get to the SPAKE2+ cryptographic exchange. This suggests the device needs something we're not providing, most likely DAC support.

DEBUG    TPAP register(empty) response: status=200, data_type=dict, data_len=3,
         data={'error_info': {'lockedMinute': 0, 'failedAttempts': 4, 'remainAttempts': 11},
         'result': {'sub_method': 'pake_register'}, 'error_code': -2402}

ZeliardM · 2025-10-20T21:04:40Z

I have been working on this today without much movement, still trying to figure out the authentication pieces. Looks like I will have to implement NOC but having issues getting the information and URLs for the certificate registration with the Tapo cloud. There is an API rate limit which causes problems as well. So, I'm still working on this, but nothing yet.

ZeliardM · 2025-10-21T14:38:37Z

@danieyal Are you able to use the Tapo app on your computer with Wireshark? I'm trying to reverse engineer the url for the certificates and the requests are not working. I am looking for something to do with:
nbu.cvm-server-v2

This is what points to where to apply for the certificates, but I can't get the communication to work correctly on my end. I'm trying to get the signature correct with the app to the cloud so I can pull the url, but I can't get that either. Until I have the URL to work with the serviceId: nbu.cvm-server-v2, then I can't get the library to handle the noc certificates.

ZeliardM · 2025-10-21T17:53:12Z

@danieyal try pulling again and let me know. I updated the ciphers like you found and I also corrected the last error you posted, it went to the stok field in the register parameters, it needed to be sessionId instead. Let me know what you get with this.

danieyal · 2025-10-22T14:06:44Z

@ZeliardM Thanks for the updates, and to clarify my side:

I can’t use Wireshark alone due to TLS/Cert pinning; I’m using Frida. I’ve posted sanitized findings (TLS, DS wrapper, discovery, logs) in my report and can share more privately if needed.
RV30 appears to commission via cloud and only then uses local DS:
- Local DS: POST https://<ip>:4433/stok=<REDACTED>/ds with headers Accept: application/octet-stream, Connection: keep-alive, body wrapper:
  {"inputParams":{"requestData":{<SMART JSON>}},"serviceId":"passthrough"}
- Plain JSON to /ds returns {"error_code": -2402} on this firmware, implying DS expects the SPAKE-protected binary frames tied to the cloud-issued session.
TLS (local): TLS 1.2 only, ECDHE‑ECDSA (AES‑256‑GCM/CHACHA20), no SNI, ALPN offered h2/http/1.1, device ECDSA leaf via SMART.TAPOROBOVAC CA.

Re: NOC/nbu.cvm-server-v2:

I haven’t seen any local pake_register at all; the app drives commissioning over cloud (…/v1/things/<thing-id>/services-sync) and then hits local DS.
I’ll keep trying to capture the exact services-sync request/response for serviceId: nbu.cvm-server-v2 with Frida (and sanitize), but so far, I have not seen it at all. If someone already has the signed payload/URL shape, that would unblock wiring NOC into the library much faster.
I cannot directly see DAC/NOC (Matter) details locally since those are invoked against the cloud endpoints.

I also pulled the latest branch:

Cipher updates look good.
Current failure is still -2402 at register.

Frida Log for device commissioning, I reset my device to see if pake_register appear at all, but it seems like nope, it just communicates over cloud regardless, other Tapo devices (plug, bulb, hub, camera) that I own still communicates locally (so probably not local network issue), I can 'see' the local endpoint for other devices but only vacuum just straight to cloud endpoint. Sorry, if it takes too long, setting up Frida took longer than expected.

frida -U -f com.tplink.iot -l .\unpin.js -l .\okhttp_log.js -l .\mac_sniff.js -l .\json_watch.js -l .\native_sock_hook.js -l .\hook_socket_write.js -l .\hook_socket_java.js -l .\okhttp_resp_tap.js
     ____
    / _  |   Frida 17.4.0 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Waiting for USB device to appear...
   . . . .
   . . . .   Connected to Redmi Note 5 (id=adb-21f3ca07-4K2z0L._adb-tls-connect._tcp)
Spawned `com.tplink.iot`. Resuming main thread!

---- OKHTTP REQUEST ----
URL: https://n-aps1-wap.i.tplinkcloud.com/api/v2/account/checkPassword
Method: POST
Headers:
signature-required: true
token-required: false

Body:
{"appType":"TP-Link_Tapo_Android","cloudPassword":"<REDACTED>","cloudUserName":"<REDACTED>"}
------------------------
[KeySpec] algo=HmacSHA1 key=54,101,100,55,100,57,55,102,51,101,55,51,52,54,55,......
[Mac] getInstance: HmacSHA1
---- OKHTTP REQUEST ----
URL: https://nbu.iot-app-server.app-v2/v1/families/thing-onboarding
Method: POST
Headers:

Body:
{"familyId":"default","roomId":"2sVeb2pm","thingNames":["<REDACTED>"]}
------------------------
[Socket.connect] addr=aps1-app-server.iot.i.tplinkcloud.com/54.254.71.245:443 timeout=30000
---- OKHTTP REQUEST ----
URL: https://192.168.68.63:4433/stok=<REDACTED>/ds
Method: POST
Headers:
Connection: keep-alive
Accept: application/octet-stream

Body:
  fDɣ   S5*:  3  @ 2 ԧ  k JٗhC W x~  I   p 
------------------------
[Socket.connect] addr=/192.168.68.63:4433 timeout=30000
---- OKHTTP REQUEST ----
URL: https://n-aps1-wap.i.tplinkcloud.com/api/v2/common/getDeviceListByPage
Method: POST
Headers:
signature-required: true

Body:
{"deviceTypeList":["SMART.TAPOPLUG","SMART.TAPOBULB","SMART.IPCAMERA","SMART.TAPOHUB","SMART.TAPOSENSOR","SMART.TAPOSWITCH","SMART.TAPOROBOVAC","SMART.TAPODOORBELL","SMART.TAPOLOCK","SMART.TAPOREMOTE","SMART.TAPOCHIME","SMART.KASAPLUG","SMART.KASASWITCH","SMART.KASAHUB","SMART.KASAENERGY","IOT.IPCAMERA"],"index":0,"limit":20}
------------------------
[KeySpec] algo=HmacSHA1 key=54,101,100,55,100,57,55,102,51,101,55,51,52,54,55,......
[Mac] getInstance: HmacSHA1
[Socket.connect] addr=n-aps1-wap.i.tplinkcloud.com/47.130.43.98:443 timeout=30000
---- OKHTTP REQUEST ----
URL: https://nbu.iot-app-server.app-v2/v2/things?page=0&pageSize=100&deviceTypes=SMART.TAPOPLUG%2CSMART.TAPOBULB%2CSMART.IPCAMERA%2CSMART.TAPOHUB%2CSMART.TAPOSENSOR%2CSMART.TAPOSWITCH%2CSMART.TAPOROBOVAC%2CSMART.TAPODOORBELL%2CSMART.TAPOLOCK%2CSMART.TAPOREMOTE%2CSMART.TAPOCHIME%2CIOT.SMARTPLUGSWITCH%2CIOT.SMARTBULB%2CIOT.IPCAMERA%2CIOT.HUB%2CIOT.RANGEEXTENDER%2CIOT.RANGEEXTENDER.SMARTPLUG%2CIOT.ROUTER%2CSMART.KASAPLUG%2CSMART.KASASWITCH%2CSMART.KASAHUB%2CSMART.KASAENERGY%2CSMART.MATTERPLUG%2CSMART.MATTERBULB&includePcDevice=false&includeKasaShareDevices=true&includeMatterDevice=false
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/rt-info
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://192.168.68.63:4433/stok=<REDACTED>/ds
Method: POST
Headers:
Connection: keep-alive
Accept: application/octet-stream

Body:
  g  6B
  Y >   Q!Tf ^  FsD  NHL
------------------------
[Socket.connect] addr=/192.168.68.63:4433 timeout=30000
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/details
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/settings
Method: GET
Headers:

logReq err: TypeError: not a function
[Socket.connect] addr=aps1-app-server.iot.i.tplinkcloud.com/54.254.71.245:443 timeout=30000
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/components
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/shadows?thingNames=<REDACTED>
Method: GET
Headers:
isEdgeRequest: false

logReq err: TypeError: not a function
[Socket.connect] addr=aps1-app-server.iot.i.tplinkcloud.com/54.254.71.245:443 timeout=30000
[Socket.connect] addr=aps1-app-server.iot.i.tplinkcloud.com/54.254.71.245:443 timeout=30000
[Socket.connect] addr=aps1-app-server.iot.i.tplinkcloud.com/54.254.71.245:443 timeout=30000
---- OKHTTP REQUEST ----
URL: https://n-aps1-wap.i.tplinkcloud.com/api/v2/common/getIntlFwList
Method: POST
Headers:
signature-required: true

Body:
{"devFwCurrentVer":"1.3.0","deviceId":"<REDACTED>","fwId":"00000000000000000000000000000000","hwId":"FE727A169352FE69<REDACTED>","locale":"en_US","oemId":"E24B0568952B79<REDACTED>"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"setQuickSetupExtraInfo","params":{"nickname":"Um9ib3QgVmFjdXVt"}}]}}},"serviceId":"passthrough"}
------------------------
[KeySpec] algo=HmacSHA1 key=54,101,100,55,100,57,55,102,51,101,55,51,52,54,55,......
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"account_sync","params":{"cloud_account":{"password":"<REDACTED>","username":"<REDACTED>,"serviceId":"passthrough"}
------------------------
[Mac] getInstance: HmacSHA1
[Socket.connect] addr=n-aps1-wap.i.tplinkcloud.com/47.130.43.98:443 timeout=30000
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/components
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/voice-packages?deviceModel=RV30%20Max%20Plus
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://192.168.68.63:4433/stok=<REDACTED>/ds
Method: POST
Headers:
Connection: keep-alive
Accept: application/octet-stream

Body:
      _Tt3 v LB Q[iw LaG    @ T 24 ؏ 
------------------------
[Socket.connect] addr=/192.168.68.63:4433 timeout=30000
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/components
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/features/autoUpdateMode
Method: PATCH
Headers:

Body:
{"enable":true,"random_range":120,"time":180}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getCurrentVoiceLanguage"}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/voice-packages?deviceModel=RV30
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://192.168.68.63:4433/stok=<REDACTED>/ds
Method: POST
Headers:
Connection: keep-alive
Accept: application/octet-stream

Body:
  Ô{ F ZR  =F    |ZK0K  @   A  8    v;|Z  e 
------------------------
[Socket.connect] addr=/192.168.68.63:4433 timeout=30000
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/components
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/voice-packages/signed-url?voicePackageId=2
Method: GET
Headers:

logReq err: TypeError: not a function
[Socket.connect] addr=aps1-app-server.iot.i.tplinkcloud.com/54.254.71.245:443 timeout=30000
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"setVoiceLanguage","params":{"md5":"055ba03d9973ac5dd","name":"bb053ca2c56f3902b","url":"https://prd-iot-as-aps1.s3.ap-southeast-1.amazonaws.com/%2FvoicePackages/voicePackages2/2_English_Female_American.tar.gz?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHYaDmFwLXNvdXRoZWFzdC0xIkgwRgIhAM3vt3Fd2jRBA8aYB71rzzu1Woohe1O%2BvnvOlH4wLz3CAiEAzvdnJc4HuMUxH%2Fdq0hUmUUXVrYvkG3jP%2Ba%2FB6Vj3jI8qnQUILxADGgw3NDYxNjY3NTYyNjUiDFr71TsbnRtbNUX4ACr6BPGn9lOCsTm5n34KJtuhT33sBzsxQes0I2AamY%2B73JvPJMc08a%2FQ%2FqNM%2BtdxjDcxILd%2F%2BGgSeAJVl5WpSuyeG1gs3cpOkcQY6yvsm8PoCHlb5EyugCp2oDmm6HgMj%2Bkuf4IXODgZmohgtRNculKigHe2c9i7A5w4V2psD4YYdjBQBZFApSaKd%2BhloX3ctD7m0KGaeKxJeJzjD1zN5wBzmGh8UAY1a6iLSont%2BHnljSQsZu9U7iDe99%2FSxcbWZL2nEjvjyVENN%2B94m1a3yLeWg8WpaLpcPj%2FUeBHA&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251022T132901Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3599&X-Amz-Credential=ASIA23OYBEOUZHYDRAAJ%2F20251022%2Fap-southeast-1%2Fs3%2Faws4_request&X-Amz-Signature=b165c66043b59fac66d120144f8e51f","version":2}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/shadows?thingNames=<REDACTED>
Method: GET
Headers:
isEdgeRequest: false

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getCleanAttr","params":{"type":"global"}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getMapInfo"}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/details
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/settings
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/shadows?thingNames=<REDACTED>
Method: GET
Headers:
isEdgeRequest: false

logReq err: TypeError: not a function
[Socket.connect] addr=aps1-app-server.iot.i.tplinkcloud.com/54.254.71.245:443 timeout=30000
[Socket.connect] addr=aps1-app-server.iot.i.tplinkcloud.com/54.254.71.245:443 timeout=30000
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getCleanAttr","params":{"type":"running"}},{"method":"getAreaUnit"},{"method":"getCleanRecords"},{"method":"getDoNotDisturb"},{"method":"getConsumablesInfo"},{"method":"getMopState"},{"method":"getDeviceTime"},{"method":"getCurrentVoiceLanguage"},{"method":"getCustomizationRulesInfo"}]}}},"serviceId":"passthrough"}
------------------------
[Socket.connect] addr=aps1-app-server.iot.i.tplinkcloud.com/54.254.71.245:443 timeout=30000
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/voice-packages?deviceModel=RV30%20Max%20Plus
Method: GET
Headers:

logReq err: TypeError: not a function
[Socket.connect] addr=aps1-app-server.iot.i.tplinkcloud.com/54.254.71.245:443 timeout=30000
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getMapData","params":{}},{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/rt-info
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getCleanAttr","params":{"type":"global"}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/firmwares/latest
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"startUpdateMapData","params":{"map_upload_start":true}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getMapData","params":{}},{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"startUpdateMapData","params":{"map_upload_start":true}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getMapInfo"}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getMapData","params":{"map_id":0}},{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getCleanRecords"}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getCleanRecords"}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getMapData","params":{}},{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/shadows?thingNames=<REDACTED>
Method: GET
Headers:
isEdgeRequest: false

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/rules?ruleType=schedule&startIndex=0
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getMapData","params":{}},{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/firmwares/latest
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getDeviceTime"}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/shadows?thingNames=<REDACTED>
Method: GET
Headers:
isEdgeRequest: false

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/settings
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/details
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getCarpetClean"},{"method":"getChildLockInfo"},{"method":"getDoNotDisturb"},{"method":"getCleanAttr","params":{"type":"pose"}},{"method":"getConsumablesInfo"},{"method":"getDustCollectionInfo"}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getMapInfo"}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/rt-info
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getMapData","params":{"map_id":0}},{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/shadows?thingNames=<REDACTED>
Method: GET
Headers:
isEdgeRequest: false

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getMapInfo"}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/details
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/shadows?thingNames=<REDACTED>
Method: GET
Headers:
isEdgeRequest: false

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/settings
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/voice-packages?deviceModel=RV30%20Max%20Plus
Method: GET
Headers:

logReq err: TypeError: not a function
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getMapData","params":{"map_id":0}},{"method":"getPathData","params":{"start_pos":0}}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/services-sync
Method: POST
Headers:
isEdgeRequest: false

Body:
{"inputParams":{"requestData":{"method":"multipleRequest","params":{"requests":[{"method":"getCleanAttr","params":{"type":"running"}},{"method":"getAreaUnit"},{"method":"getCleanRecords"},{"method":"getDoNotDisturb"},{"method":"getConsumablesInfo"},{"method":"getMopState"},{"method":"getDeviceTime"},{"method":"getCurrentVoiceLanguage"},{"method":"getCustomizationRulesInfo"}]}}},"serviceId":"passthrough"}
------------------------
---- OKHTTP REQUEST ----
URL: https://aps1-app-server.iot.i.tplinkcloud.com/v1/things/<REDACTED>/rt-info
Method: GET
Headers

ZeliardM · 2025-10-22T14:24:06Z

@danieyal That's great, I do see something in your logs about nbu, that may help point me where I need to go.

Yea, Frida is a pain. I've used it in the past but lost my devices to do so, so it's been rough lately.

I appreciate your work so far. I am going through the encryption pieces again. Yea, the pake_register phase is essentially handshake1 and I still need to see what is going on.

ZeliardM · 2025-10-22T21:14:54Z

@danieyal Ok, I've spent most of the day going over things, and I think I'm at an impasse. I can't get the URLs to communicate with the cloud for the NOC certificates. I've gotten close, but what happens is that the APK uses a call, gets a cloud token, then pulls the URLs from the cloud. I can get the cloud token, but the I cannot get the signature matches for the calls out that have 'signature-required' set to true. I need to see if there is a way to reverse engineer these signatures so we can get them to match from my code based on how everything is supposed to be. I have some scripts and code that I've got for testing if you would be able to take it along with some of the Frida work you've done and possibly see if you can get the URL? I can send them via Discord if that works?

danieyal · 2025-10-23T01:38:21Z

@ZeliardM yeah sure, I will try but since I am working during the day, I might not have enough time to dedicate to it, but I'll try. Discord works for me.

ZeliardM · 2025-10-23T01:42:05Z

@danieyal All good, give it a shot and let me know and we will go from there. Thanks!

ZeliardM · 2025-10-23T16:48:11Z

@danieyal What I have been able to pull apart today is that the checkpassword call that is used in the frida logs you posted earlier, this has the same signature requirements that I am looking for. If you can get me some wireshark pulls of this actual communication so I can see the actual headers and packet information, then I might be able to reverse engineer this from there. If you want, we can keep going on Discord, my username is the same there.

ZeliardM · 2025-10-23T17:20:20Z

@danieyal nevermind, I finally got the matching signature and figured out how to get the right url for getting the certificates!

ZeliardM · 2025-10-24T00:44:44Z

Ok, now that I have all of this, my plan is as follows:

Add certificate handling and a certificate store to the python-kasa API and CLI. This will be both as callable functions and storage. python-kasa itself is stateless and does not hold information, so these will be configured to store data in predefined areas based on Operating Systems.
Update the TPAP Transport to handle NOC Authentication with SPAKE2+ and DAC Authentication. This will use the NOC data from the new modules to handle everything hopefully seamlessly, at least that's how I'm going to try to get it configured.

It's going to take quite some time for me to get through all of this, I want to put it together cleanly.

I'm headed out of town with my family for the weekend so I may not work on it much right now, but will keep everyone updated as I keep working on it.

ZeliardM · 2025-10-27T22:13:18Z

I am still slowly working on this. I have the NOC capabilities set up, now I'm working on testing the code. Having issues with the CSR formatting so I'll keep plugging away at it and keep you in the loop.

ZeliardM · 2025-12-17T00:13:29Z

@krx252525 Not at this time, thanks for testing and reporting. I'm happy to help!

bobsusedtires · 2026-01-04T02:27:10Z

Is this merged into the repo? So my RV30 Max Plus will be supported, then the tapo homeassistant integration can get updated?

ZeliardM · 2026-01-04T02:48:22Z

@bobsusedtires Not yet, I still have some things we are working out with this first. Have to break up some of the pieces to make it easier to keep updated and working better in the future. A little more modular, once all of that is done, it should be ready. The holidays threw everything off track but I hope to get back to it later this month.

aureliandevel · 2026-02-21T06:28:07Z

Hi @ZeliardM

Very late to the party ...

I have a P110 that the app refuses to provision. It was provisioned but I wanted to move it to another network and factory reset it (ie full 10s button hold) and since then it's a brick. I have another plug that's still fine. Even moved it to the new network (though, using the 5s button method).

Anyway, recently came across your work and thought I'd found the solution. Alas, not.

You mentioned above that you have a P110 working for the SPAKE2+ (though, I admit at this point, I don't know what that is) but my device persists in resisting.

I'm hoping these might provide you with some new information:
state2.txt
discover2.txt

ZeliardM · 2026-02-21T07:43:00Z

@aureliandevel Hey, thanks for the logs. I see where it's trying, but the information back from the device all out of whack and the connection is getting refused.

Have you tried factory resetting it again? Setup on a different device? Android vs iOS? Setting it up in Android vs iOS?

aureliandevel · 2026-02-21T08:29:03Z

@ZeliardM, yeah, factory-reset, and soft-reset, numerous times. I don't have any iOS devices, but I've tried setting it up from a different Android device, and made sure I have the latest version (currently 3.17.109)

It's interesting that you say the device information is all screwy. What are you expecting to see that isn't there?

FYI, both devices are hardware version 1.0, so there's no Bluetooth. Firmware from the registered device is 1.4.0 build 251020 Rel. 161559 (as I assume every else's is too) ... obviously I can't see what FW version the unregistered device is but it was in daily use before I tried switching networks so I'm assuming it's the latest.

ZeliardM · 2026-02-21T13:52:13Z

@aureliandevel this information:

DEBUG:kasa.discover:[DISCOVERY] 192.168.0.1 << {'error_code': 0,
'result': {'device_id': 'REDACTED_cabe754788c45cabda813a4',
'device_model': 'P110(AU)',
'device_type': 'SMART.TAPOPLUG',
'factory_default': True,
'ip': '192.168.0.1',
'is_support_iot_cloud': True,
'mac': '14-EB-B6-00-00-00',
'mgt_encrypt_schm': {'encrypt_type': 'TPAP',
'http_port': 80,
'is_support_https': False,
'lv': 2},
'obd_src': 'tplink',
'owner': '',
'protocol_version': 1,
'tpap': {'dac': 0, 'noc': 0, 'pake': [], 'port': 80, 'tls': 0},
'tpap_preferred': True}}

The tpap information is off, there's nothing reported really, so it doesn't know how to authenticate. The odb_src is still reported too, so it's like either the reset didn't work or something else is going on with the device, but factory_default is true so it should be ready to go.

epg-pers · 2026-02-23T21:20:44Z

Hi @ZeliardM — thanks for the TPAP/SPAKE2+ reverse engineering work here, it was the starting point for a local Home Assistant integration I've built for the RV30 Max Plus: https://github.com/epg-pers/tapo-rv30-ha

As a bonus it includes working selective room cleaning, which required a bit of its own reverse engineering — documented in the README if useful to anyone.

Hope it's helpful!

ZeliardM · 2026-02-23T21:25:58Z

@epg-pers I'm glad I could help. I looked over that implementation and while it does work, there are certain aspects of it that I have yet to completely verify on everything and once the fixes are pushed here it should be more robust for future firmware where I cannot guarantee the code in your integration will continue to work if firmware changes. If you would like to pull together the code changes for the individual room cleaning, a PR here might be helpful in getting all of that in the official implementation as well.

epg-pers · 2026-02-23T21:36:16Z

@ZeliardM Thanks, that makes sense, and I'd be happy to put together a PR for the room cleaning side. Before I do, would it be worth waiting until this transport PR is merged and settled? That way the room cleaning work can be built cleanly on top of the final upstream version. Happy to go ahead now if you'd prefer, just wanted to check.

ZeliardM · 2026-02-23T21:38:14Z

@epg-pers If you want to look over the existing code and modules and see how they have them setup, you can just build it off the latest main branch and then when this is finally merged in, we can update and test from there before we merge it in.

epg-pers · 2026-02-23T21:58:21Z

@ZeliardM Thanks for the steer. I've put together the room cleaning changes here: #1660 — happy to adjust anything based on your feedback.

kasa/transports/tpaptransport.py

ZeliardM · 2026-03-20T11:01:23Z

I am making some major changes to the TPAP Implementation. I would like anyone's help testing it. I need to make sure that it functions and works with all of the device types that currently support TPAP, plugs, vacuums, and cameras. I am finalizing the changes now and should be able to get something out later today, but I will need people to test and get me debug plain discover logs from the CLI of kasa to be specific in the handling. If you have any questions, let me know.

kasa/transports/tpaptransport.py

+
+    @staticmethod
+    def _md5_hex(value: str) -> str:
+        return hashlib.md5(value.encode()).hexdigest()  # noqa: S324


kasa/transports/tpaptransport.py

+
+    @staticmethod
+    def _sha256_hex_upper(value: str) -> str:
+        return hashlib.sha256(value.encode()).hexdigest().upper()  # noqa: S324


kasa/transports/tpaptransport.py

+
+    @staticmethod
+    def _sha1_hex(value: str) -> str:
+        return hashlib.sha1(value.encode()).hexdigest()  # noqa: S324


kasa/transports/tpaptransport.py

+                )
+                return passcode
+            return hashlib.sha256(
+                (username_hint + decoded_salt + passcode).encode()


ZeliardM · 2026-03-21T04:20:43Z

Ok, I have pushed all my changes. I still have some clean up, but we should be pretty close now.

I made a lot of changes and the first thing to do is see if the device connections for tpap still work at all. There are two paths:

Remove-Item Env:KASA_TEST_DISABLE_TPAP_TLS2_VERIFY -ErrorAction SilentlyContinue

This command is in Powershell and you can change it to whatever environment you're working in. This will remove any test flags and force the code to use a hardcoded Root CA Certificate for TLS Cert Verify if TLS = 2. This certificate in the old code was retrieved via the NOC/Cloud dependency and since we have removed that, I pulled it and hardcoded it in. Test here to see if the TPAP Transport now works with this hardcoded and SPAKE2+ only communication.

$env:KASA_TEST_DISABLE_TPAP_TLS2_VERIFY="1"

This command is in Powershell and you can change it to whatever environment you're working in. This will set the test flag and force the code to skip a hardcoded Root CA Certificate for TLS Cert Verify if TLS = 2 and instead use CERT_NONE. This certificate in the old code was retrieved via the NOC/Cloud dependency and since we have removed that, I want to simulate the code running without that for SPAKE2+ Test here to see if the TPAP Transport now works without Cert Verify and SPAKE2+ only communication.

If you have any questions about this, let me know. And thanks for testing.

Initial TPAP Implementation

3f82910

Copilot AI review requested due to automatic review settings October 18, 2025 19:48

Copilot AI reviewed Oct 18, 2025

View reviewed changes

kasa/transports/tpaptransport.py Outdated Show resolved Hide resolved

kasa/transports/tpaptransport.py Outdated Show resolved Hide resolved

kasa/transports/tpaptransport.py Outdated Show resolved Hide resolved

github-advanced-security bot found potential problems Oct 18, 2025

View reviewed changes

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

ZeliardM mentioned this pull request Oct 18, 2025

Missing support for TPAP encryption type #1590

Open

Clean up and coverage testing

c7a3405

github-advanced-security bot found potential problems Oct 19, 2025

View reviewed changes

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

tests/transports/test_tpaptransport.py Fixed Show fixed Hide fixed

Try to fix CodeQL Security Warnings

3b15fdd

github-advanced-security bot found potential problems Oct 19, 2025

View reviewed changes

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

tests/transports/test_tpaptransport.py Fixed Show fixed Hide fixed

Change request headers and ssl context

4afa9eb

ZeliardM added 2 commits October 21, 2025 13:45

Correct sessionId

65fe12b

Update ciphers

6a1c037

JurajNyiri mentioned this pull request Jan 17, 2026

❗Invalid Cloud Password: New communication protocol on new firmwares JurajNyiri/HomeAssistant-Tapo-Control#1151

Closed

ZeliardM mentioned this pull request Jan 25, 2026

Out of box Tapo TC40: discovery not working, authentication failure on wifi setup #1628

Open

Merge branch 'python-kasa:master' into feature/tpap

34c89f3

Merge branch 'python-kasa:master' into feature/tpap

7c6bc64

epg-pers mentioned this pull request Feb 23, 2026

Add selective room cleaning to vacuum clean module #1660

Open

ZeliardM added 2 commits February 27, 2026 12:12

Merge branch 'master' into feature/tpap

a88995e

Update for additional SPAKE2+ Curves

a170141

github-advanced-security bot found potential problems Feb 27, 2026

View reviewed changes

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

Possible CodeQL Scanning Fix

60c7a00

github-advanced-security bot found potential problems Feb 27, 2026

View reviewed changes

kasa/transports/tpaptransport.py Fixed Show fixed Hide fixed

ZeliardM and others added 2 commits February 27, 2026 15:29

Remove inline code security scanning blocks

987097c

Merge branch 'python-kasa:master' into feature/tpap

18736c2

Complete re-write of TPAP Implementation

84e2aad

github-advanced-security bot found potential problems Mar 20, 2026

View reviewed changes

ZeliardM added 2 commits March 20, 2026 23:41

Revert httpclient.py handling and cleanup tpaptransport.py

894db97

Revert test_discovery.py changes

0e9f22e

Uh oh!

Conversation

ZeliardM commented Oct 18, 2025

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

codecov bot commented Oct 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

ZeliardM commented Oct 19, 2025

Uh oh!

danieyal commented Oct 19, 2025

Uh oh!

ZeliardM commented Oct 19, 2025

Uh oh!

danieyal commented Oct 19, 2025

Uh oh!

danieyal commented Oct 19, 2025

Uh oh!

ZeliardM commented Oct 20, 2025

Uh oh!

ZeliardM commented Oct 21, 2025

Uh oh!

ZeliardM commented Oct 21, 2025

Uh oh!

danieyal commented Oct 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ZeliardM commented Oct 22, 2025

Uh oh!

ZeliardM commented Oct 22, 2025

Uh oh!

danieyal commented Oct 23, 2025

Uh oh!

ZeliardM commented Oct 23, 2025

Uh oh!

ZeliardM commented Oct 23, 2025

Uh oh!

ZeliardM commented Oct 23, 2025

Uh oh!

ZeliardM commented Oct 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ZeliardM commented Oct 27, 2025

Uh oh!

ZeliardM commented Dec 17, 2025

Uh oh!

bobsusedtires commented Jan 4, 2026

Uh oh!

ZeliardM commented Jan 4, 2026

Uh oh!

aureliandevel commented Feb 21, 2026

Uh oh!

ZeliardM commented Feb 21, 2026

Uh oh!

aureliandevel commented Feb 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ZeliardM commented Feb 21, 2026

Uh oh!

epg-pers commented Feb 23, 2026

Uh oh!

ZeliardM commented Feb 23, 2026

codecov bot commented Oct 18, 2025 •

edited

Loading

danieyal commented Oct 22, 2025 •

edited

Loading

ZeliardM commented Oct 24, 2025 •

edited

Loading

aureliandevel commented Feb 21, 2026 •

edited

Loading

ZeliardM commented Feb 23, 2026 •

edited

Loading