
The Smart Plug has two physical buttons: an on/off relay switch and a device reset button that resets the device if pushed for five seconds or longer. When plugged in, an unconfigured or freshly reset Smart Plug will start an unsecured open Access Point with the SSID "TP-LINK_Smart Plug_XXXX", where XXXX are four hexadecimal digits. A quick search on WiGLE reveals several unconfigured TP-Link Smart Plugs in the wild.

public static byte[] m7377b(byte[] bArr)

This allows sending any of the commands listed in tplink-smarthome-commands.txt.

[command table; column header: Command]

The get_sysinfo reply will contain the following information:

[get_sysinfo reply table; includes "Wi-Fi Smart Plug With Energy Monitoring"]

We can turn the HS110 Smart Plug on and off using the set_relay_state command, using 1 for on and 0 for off.

hostapd configuration:

interface=wlan0
driver=nl80211
ssid=hs_test
wpa=2
wpa_passphrase=12345670
channel=1

As expected, the HS110 Smart Plug connects to our hs_test AP. We then observe the Smart Plug going through its regular setup: request an IP address via DHCP, synchronize the time using a server from the NTP pool (cn.) and connect to the TP-Link Cloud server at :50443.

Unfortunately, the Smart Plug's behavior was no different in test mode than after a regular boot. While there is a reference to the wlan_start_art function in the remote test mode code, it is in a part without any references leading to it. This likely means that the function call to that part was commented out.

TP-Link Device Debug Protocol

A portscan of the HS110 Smart Plug revealed an open UDP port, 1040. Analyzing the shd binary for setsockopt() calls, we could see the port was being bound by a component called "TDDP". The protocol seemed to be binary and designed in a very stealthy manner, so that no reply is given whatsoever unless a fully valid packet is sent to the port. Reverse-engineering the protocol would have been a major new undertaking and fortunately, we didn't have to. After quite a bit of googling for "TP-Link" and "TDDP", we discovered the protocol had been patented in China as patents "CN 102096654 A" and "CN 102123140 B", which Google handily auto-translates into English. A complete protocol specification is included in the patent description and shows how to construct a TDDP packet.

TDDP can be used to ping or discover a TP-Link device on the network through broadcasts, read and set configuration options, and execute special device-specific commands. TDDP provides integrity through an MD5 digest of the whole packet, included in the packet header:

[figure: TDDP packet layout, Block 1]

It also encrypts the packet payload using DES. This means that any configuration data we read out will be encrypted in the reply, and any configuration we want to write needs to be sent encrypted. The DES key is determined by concatenating the device's username and password, building an MD5 hash of that string, and then using the first half of the MD5 (a 16-digit hex number, or 8 bytes) as the DES key.

0x0A returns the test string "ABCD0110", 0x12 returns the deviceID and 0x14 returns the hardwareID. We also found additional values which changed the deviceID (0x13, 0x15), the hardwareID (0x12) and the MAC address (0x06). They might return different types of information on other types of TP-Link devices.

The possibility for device-specific special commands (CMD_SPE_OPR) has the potential to uncover undocumented functions, vulnerabilities or even backdoors. The binary TDDP protocol merits further research, since it is available on a broad range of TP-Link devices.
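As an added illustration (not code from the original research, the patent, or TP-Link), the following Go program implements the TDDP key derivation described above: MD5 over the concatenated username and password, of which the first 8 bytes become the DES key, which then encrypts the payload. The DES mode (ECB) and the padding scheme (PKCS#7) are assumptions, since the text only says "DES"; the credentials and payload are constructed placeholders. It also computes the unkeyed MD5 digest the header carries. Two defensive observations follow directly from the scheme: an unkeyed digest detects corruption but not tampering, because anyone who changes the packet can recompute it, and a 56-bit DES key derived from credentials is exactly as strong as those credentials.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"errors"
	"fmt"
)

// deriveTDDPKey implements the derivation described in the text:
// MD5(username || password), truncated to its first 8 bytes, is the DES key.
func deriveTDDPKey(username, password string) []byte {
	sum := md5.Sum([]byte(username + password))
	return sum[:8]
}

// pad appends PKCS#7 padding up to a whole number of 8-byte DES blocks.
// Assumption: the text does not state which padding TDDP uses.
func pad(data []byte) []byte {
	n := des.BlockSize - len(data)%des.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad strips PKCS#7 padding and rejects malformed input.
func unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%des.BlockSize != 0 {
		return nil, errors.New("data is not a whole number of blocks")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > des.BlockSize || n > len(data) {
		return nil, errors.New("bad padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// encryptPayload encrypts the payload block by block with single DES.
// Assumption: ECB mode; the text only says the payload is DES-encrypted.
func encryptPayload(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key) // fails unless key is exactly 8 bytes
	if err != nil {
		return nil, err
	}
	src := pad(plaintext)
	dst := make([]byte, len(src))
	for i := 0; i < len(src); i += des.BlockSize {
		block.Encrypt(dst[i:i+des.BlockSize], src[i:i+des.BlockSize])
	}
	return dst, nil
}

// decryptPayload reverses encryptPayload and validates the padding.
func decryptPayload(key, ciphertext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	dst := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += des.BlockSize {
		block.Decrypt(dst[i:i+des.BlockSize], ciphertext[i:i+des.BlockSize])
	}
	return unpad(dst)
}

// packetDigest is the unkeyed MD5 over a whole packet that the header carries.
// It is a checksum, not a MAC: it catches corruption, not deliberate modification.
func packetDigest(packet []byte) [16]byte {
	return md5.Sum(packet)
}

func main() {
	// Constructed credentials and payload for illustration only.
	key := deriveTDDPKey("exampleuser", "examplepass")
	payload := []byte("constructed configuration payload")
	ct, err := encryptPayload(key, payload)
	if err != nil {
		panic(err)
	}
	pt, err := decryptPayload(key, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("DES key:    %x\n", key)
	fmt.Printf("ciphertext: %x\n", ct)
	fmt.Printf("roundtrip:  %v\n", bytes.Equal(pt, payload))
	fmt.Printf("MD5 digest: %x\n", packetDigest(ct))
}
```

Because the key depends only on the credentials, a device left on default or guessable credentials has no effective payload confidentiality, and because the digest is unkeyed, it offers no protection against a modified packet; both points argue for keeping UDP port 1040 unreachable from untrusted networks.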
