From 36a9823b63652a1faaad01e404fd087913b55ca8 Mon Sep 17 00:00:00 2001 From: Steven B <51370195+sdb9696@users.noreply.github.com> Date: Tue, 10 Dec 2024 17:56:20 +0000 Subject: [PATCH] Try variations of hashing and passwords --- kasa/transports/sslaestransport.py | 49 ++++++++++++++++++++++-------- 1 file changed, 36 insertions(+), 13 deletions(-) diff --git a/kasa/transports/sslaestransport.py b/kasa/transports/sslaestransport.py index 677c0447..cf90dcc8 100644 --- a/kasa/transports/sslaestransport.py +++ b/kasa/transports/sslaestransport.py @@ -43,6 +43,9 @@ def _sha256(payload: bytes) -> bytes: def _md5_hash(payload: bytes) -> str: return hashlib.md5(payload).hexdigest().upper() # noqa: S324 +def _sha256_hash32(payload: bytes) -> str: + digest = hashlib.sha256(payload).digest() # noqa: S324 + return base64.b32hexencode(digest).decode().upper() def _sha256_hash(payload: bytes) -> str: return hashlib.sha256(payload).hexdigest().upper() # noqa: S324 @@ -71,6 +74,7 @@ class SslAesTransport(BaseTransport): "Content-Type": "application/json; charset=UTF-8", "requestByApp": "true", "Accept": "application/json", + "Connection": "close", "Accept-Encoding": "gzip, deflate", "User-Agent": "Tapo CameraClient Android", } @@ -114,7 +118,7 @@ class SslAesTransport(BaseTransport): self._headers = { **self.COMMON_HEADERS, "Host": self._host, - "Referer": f"https://{self._host}", + "Referer": f"https://{self._host_port}", } self._seq: int | None = None self._pwd_hash: str | None = None @@ -346,18 +350,24 @@ class SslAesTransport(BaseTransport): local_nonce, server_nonce, pwd_hash = result await self.perform_handshake2(local_nonce, server_nonce, pwd_hash) - async def try_perform_login(self) -> bool: + async def try_perform_login(self, server_nonce, local_nonce) -> bool: """Perform the md5 login.""" _LOGGER.debug("Performing insecure login ...") - pwd_hash = _md5_hash(self._pwd_to_hash().encode()) - username = self._username + pwd = self._pwd_to_hash() + #to_hash = server_nonce + ":" + pwd + pwd_hash = _md5_hash(pwd.encode()) + #pwd_hash = _sha256_hash(pwd.encode()) + #to_hash = self._username + ":" + server_nonce + #un_hash = _md5_hash(to_hash.encode()) + #username = self._username body = { "method": "login", "params": { + #"cnonce": local_nonce, "hashed": True, "password": pwd_hash, - "username": username, + "username": self._username, }, } @@ -371,7 +381,7 @@ class SslAesTransport(BaseTransport): if status_code != 200: raise KasaException( f"{self._host} responded with an unexpected " - + f"status code {status_code} to handshake2" + + f"status code {status_code} to login" ) resp_dict = cast(dict, resp_dict) if resp_dict.get("error_code") == 0 and ( @@ -459,10 +469,9 @@ class SslAesTransport(BaseTransport): resp_dict and (error_code := self._get_response_error(resp_dict)) is SmartErrorCode.SESSION_EXPIRED + and (data := resp_dict.get("result", {}).get("data", {})) and ( - encrypt_type := resp_dict.get("result", {}) - .get("data", {}) - .get("encrypt_type") + encrypt_type := data.get("encrypt_type") ) and (encrypt_type != ["3"]) ): @@ -471,7 +480,7 @@ class SslAesTransport(BaseTransport): encrypt_type, self._host, ) - if await self.try_perform_login(): + if await self.try_perform_login(data.get("nonce"), local_nonce): return None # Try the default username. If it fails raise the original error_code @@ -482,7 +491,7 @@ class SslAesTransport(BaseTransport): or "nonce" not in resp_dict["result"].get("data", {}) ): _LOGGER.debug("Trying default credentials to %s", self._host) - local_nonce = secrets.token_bytes(8).hex().upper() + #local_nonce = secrets.token_bytes(8).hex().upper() default_resp_dict = await self.try_send_handshake1( self._default_credentials.username, local_nonce ) @@ -533,8 +542,22 @@ class SslAesTransport(BaseTransport): _LOGGER.debug("Credentials match") return local_nonce, server_nonce, pwd_hash - for val in {"admin", "tpadmin", "slprealtek"}: - for func in {_sha256_hash, _md5_hash, _sha1_hash, lambda x: x.decode()}: + # For testing purposes only. + from ..credentials import DEFAULT_CREDENTIALS, get_default_credentials + device_or_wifi_mac = "12:34:56:AB:CD:EF" + default_passes = {get_default_credentials(cred).password for cred in DEFAULT_CREDENTIALS.values()} + vals = { + "admin", + "tpadmin", + "slprealtek", + self._password, + self._credentials.username, + f"{self._credentials.username}_{device_or_wifi_mac}", + f"{self._credentials.username}_{device_or_wifi_mac.lower()}", + } + vals.update(default_passes) + for val in vals: + for func in {_sha256_hash, _md5_hash, _sha1_hash, _sha256_hash32, lambda x: x.decode()}: pwd_hash = func(val.encode()) ec = self.generate_confirm_hash(local_nonce, server_nonce, pwd_hash) if device_confirm == ec: