Forem: ad1s0n The latest articles on Forem by ad1s0n (@ad1s0n). https://forem.com/ad1s0n https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2190281%2F69d658dc-7388-4a89-a1b0-11654d8cc9fd.jpeg Forem: ad1s0n https://forem.com/ad1s0n en Reverse engineering TP-Link Tapo's REST API - part 1 ad1s0n Wed, 09 Oct 2024 17:00:09 +0000 https://forem.com/ad1s0n/reverse-engineering-tp-link-tapos-rest-api-part-1-4g6 https://forem.com/ad1s0n/reverse-engineering-tp-link-tapos-rest-api-part-1-4g6 <h2> Target overview </h2> <p>Ecosystem of TP-Link Tapo consists of:</p> <ol> <li>Client - Tapo mobile app</li> <li>Cloud</li> <li>Endpoint device - in following case it's smart lightbulb: Tapo L530E</li> </ol> <p>In this scenario Tapo utilizes Cloud Centric Architecture, which means that devices are directly connected to home Wi-Fi network without any need of additional hub.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnnfjx10fuawqpd8jn1ht.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnnfjx10fuawqpd8jn1ht.png" alt="Image description" width="800" height="484"></a></p> <p>Communication between Tapo App and Cloud is based on HTTP protocol. Every action that user want to perform must go through Tapo's cloud.</p> <p>Purpose is to find out, how the communication between app and cloud works in detail - what endpoints are called during lifetime of application - authentication, device endpoints, etc. Since, there is no public API documentation, all those endpoints have to be explored manually by performing reverse engineering.</p> <p>It can be achieved by intercepting every request which is sent from client and intercepting every response which is sent by cloud. Traffic interception can be performed using proxy such as Burp Suite.</p> <p>However, as it turns out, setting up proxy is not everything we need to do. Targeted app performs SSL pinning which means, that client can communicate only with trusted server. Since Burp certificate will be used, we need to bypass SSL pinning.</p> <h2> SSL Pinning </h2> <h3> What is SSL Pinning </h3> <p>SSL Pinning is technique used by developers of mobile apps to prevent MITM attack by hardcoding valid TLS/SSL certificates into app or device. Client verifies whether remote server has valid certificate or not. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffzmd6jmmhuv8yxqw8d5q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffzmd6jmmhuv8yxqw8d5q.png" alt="Image description" width="800" height="529"></a></p> <p>SSL Pinning is often implemented with external libraries such as <code>okhttp3</code>, however it is possible to come up with manual implementations of SSL Pinning, which can be harder to bypass.</p> <h3> How to bypass SSL Pinning </h3> <p>Bypassing SSL pinning on various of factors such as:</p> <ul> <li>technology stack of application - was it written in Flutter, Kotlin or Java?</li> <li>how SSL pinning is implemented - common library or custom implementation?</li> </ul> <p>However the last one is the most important, common library can be hooked easily with Objection and Frida. Bypassing custom implementation can be very easy or very hard, it strictly depends on its implementation. </p> <p>But, SSL pinning in most cases can be easily bypassed, in case of Tapo app, developers decided to use <code>okhttp3</code> library, so Objection and Frida should do the work.</p> <p>Objection will hook and bypass <code>okhttp3</code> classes which implements SSL pinning.</p> <h2> Setting up emulator </h2> <p>For emulator, Google Pixel 6 with Android 12 (API 31) and without Google Store was used.<br> After downloading and setting up device in Android Studio, emulator was run with following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>emulator -avd "Pixel6" -writable-system -http-proxy 192.168.0.172:8081 </code></pre> </div> <h2> Installing Tapo </h2> <p>Tapo app was downloaded from <a href="https://apkpure.com/pl/tp-link-tapo/com.tplink.iot" rel="noopener noreferrer">Apkpure</a>. It is in XAPK format, so before installing, it has to be unzipped.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>unzip TP-Link<span class="se">\ </span>Tapo_3.7.113_APKPure.xapk </code></pre> </div> <p>Installation is done with <code>install-multiple</code> command, because of multiple apk files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>adb install-multiple com.tplink.iot.apk config.ar.apk config.arm64_v8a.apk config.armeabi_v7a.apk config.en.apk config.tvdpi.apk config.vi.apk config.xhdpi.apk config.xxhdpi.apk config.xxxhdpi.apk config.zh.apk config.de.apk config.fr.apk config.hi.apk config.in.apk config.it.apk config.ja.apk config.ldpi.apk config.mdpi.apk config.ms.apk config.nl.apk config.pl.apk config.pt.apk config.ru.apk config.th.apk </code></pre> </div> <p>Now Tapo app should be accessible in emulator.</p> <h2> Setting up Burp proxy </h2> <p>Setting up Burp proxy in web application is very simple, however setting it up in Android application is little bit more challenging, because of security measures implemented at the operating system level.</p> <p>First of all, I added new proxy listener and exported CA certificate in DER format.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn1s62brtjma45rw3lteq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn1s62brtjma45rw3lteq.png" alt="Image description" width="800" height="239"></a></p> <p>Android stores certificates in PEM format using strict naming convention, so I changed certificate name and format.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">(</span>Source: https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/install-burp-certificate<span class="o">)</span> openssl x509 <span class="nt">-inform</span> DER <span class="nt">-in</span> burp_cacert.der <span class="nt">-out</span> burp_cacert.pem <span class="nv">CERTHASHNAME</span><span class="o">=</span><span class="s2">"</span><span class="sb">`</span>openssl x509 <span class="nt">-inform</span> PEM <span class="nt">-subject_hash_old</span> <span class="nt">-in</span> burp_cacert.pem | <span class="nb">head</span> <span class="nt">-1</span><span class="sb">`</span><span class="s2">.0"</span> <span class="nb">mv </span>burp_cacert.pem <span class="nv">$CERTHASHNAME</span> </code></pre> </div> <p>Uploading Burp certificate to system's certificate storage requires remounting file system.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>adb root adb remount adb push <span class="nv">$CERTHASHNAME</span> /sdcard/ adb shell <span class="nb">mv</span> /sdcard/<span class="nv">$CERTHASHNAME</span> /system/etc/security/cacerts adb shell <span class="nb">chmod </span>644 /system/etc/security/cacerts/<span class="nv">$CERTHASHNAME</span> adb reboot </code></pre> </div> <p>Now, proxy should be ready.</p> <h2> SSL pinning bypass </h2> <p>After downloading <a href="https://github.com/frida/frida/releases" rel="noopener noreferrer">Frida Server</a> (Android, x86_64), I pushed it into device and executed it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>unxz frida-server-16.5.2-android-x86_64.xz <span class="nb">mv </span>frida-server-16.5.2-android-x86_64 frida-server adb push frida-server /data/local/tmp/ adb shell <span class="s2">"chmod 755 /data/local/tmp/frida-server"</span> adb shell <span class="s2">"/data/local/tmp/frida-server &amp;"</span> </code></pre> </div> <p>Installing Objection is very convenient, since it can be done with <code>pip</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">python3</span> <span class="o">-</span><span class="n">m</span> <span class="n">pip</span> <span class="n">install</span> <span class="n">objection</span> </code></pre> </div> <p>Used <code>frida-ps -U</code> to list running processes with their PIDs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> PID Name ---- ------------------------------------------------------------- 4538 Chrome 1426 Google 1442 Messages 3816 Phone 4736 Photos 889 SIM Toolkit 4228 Settings 2721 Tapo 3496 YouTube </code></pre> </div> <p>With Tapo's PID, objection can be run in explore mode. Finally, after entering <code>android sslpinning disable</code>, <code>CertificatePinner</code> class is bypassed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>objection <span class="nt">-g</span> 2721 explore Using USB device <span class="sb">`</span>Android Emulator 5554<span class="sb">`</span> Agent injected and responds ok! _ _ _ _ ___| |_|_|___ ___| |_|_|___ ___ | <span class="nb">.</span> | <span class="nb">.</span> | | <span class="nt">-_</span>| _| _| | <span class="nb">.</span> | | |___|___| |___|___|_| |_|___|_|_| |___|<span class="o">(</span>object<span class="o">)</span>inject<span class="o">(</span>ion<span class="o">)</span> v1.11.0 Runtime Mobile Exploration by: @leonjza from @sensepost <span class="o">[</span>tab] <span class="k">for </span><span class="nb">command </span>suggestions com.tplink.iot on <span class="o">(</span>google: 12<span class="o">)</span> <span class="o">[</span>usb] <span class="c"># android sslpinning disable</span> <span class="o">(</span>agent<span class="o">)</span> Custom TrustManager ready, overriding SSLContext.init<span class="o">()</span> <span class="o">(</span>agent<span class="o">)</span> Found okhttp3.CertificatePinner, overriding CertificatePinner.check<span class="o">()</span> <span class="o">(</span>agent<span class="o">)</span> Found okhttp3.CertificatePinner, overriding CertificatePinner.check<span class="nv">$okhttp</span><span class="o">()</span> <span class="o">(</span>agent<span class="o">)</span> Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.verifyChain<span class="o">()</span> <span class="o">(</span>agent<span class="o">)</span> Found com.android.org.conscrypt.TrustManagerImpl, overriding TrustManagerImpl.checkTrustedRecursive<span class="o">()</span> <span class="o">(</span>agent<span class="o">)</span> Registering job 613823. Type: android-sslpinning-disable </code></pre> </div> <h2> Intercepting authentication request </h2> <p>After bypassing SSL pinning it is possible to intercept requests, e.g. authentication request below.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqrgrxtc718uopy0ltnl3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqrgrxtc718uopy0ltnl3.png" alt="Image description" width="800" height="643"></a></p> <p>However, Tapo is not giving up at this point, some endpoints require HTTP request signature. So, it is still not possible to use requests without application support.</p> <h2> Reverse engineering signature algorithm </h2> <p>HTTP request is attached with its signature, so it is not possible to change body of request and resent it with same signature, because remote target returns error indicating that signature is not valid. For example I changed password from <code>test</code> to <code>test2</code> - notice that error does not indicate that password is incorrect.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbo5p3om6pamc2l1bzij0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbo5p3om6pamc2l1bzij0.png" alt="Image description" width="800" height="371"></a></p> <p>So, at the moment, there is no possibility of sending arbitrary HTTP requests because every request is signed. However, signing process is performed on client (app) side, so some sort of algorithm, which generates signature has to be implemented somewhere in the application. </p> <p>By performing static analysis of decompiled source code with a little help of dynamic instrumentation I developed a Proof-of-Concept, which generates valid signature - the way how it was achieved is shown below.</p> <h3> Source code analysis </h3> <p>Application <code>com.tplink.iot.apk</code> was decompiled with <code>jadx-gui</code>. So, I started with searching for targeted endpoint: <code>/api/v2/account/login</code>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fchv0n47dhq4vsqjofkew.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fchv0n47dhq4vsqjofkew.png" alt="Image description" width="800" height="50"></a></p> <p>It is only an interface, so there is nothing more interesting here. However, it was confirmed that, targeted endpoint indeed requires signature - <code>@k</code> annotation.</p> <blockquote> <p>As it turns out all endpoints under <code>/api/v2/accout</code> requires signature.</p> </blockquote> <p>Creating signature is probably done by interceptor, so I started searching for interesting interceptors.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzcitvg34rfoy8liyjs47.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzcitvg34rfoy8liyjs47.png" alt="Image description" width="800" height="495"></a></p> <p>In the <code>SingatureIncerceptror</code>, there was whole logic responsible for calculating signature. I renamed particular methods and variables to make this code more readable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">SignatureInterceptor</span> <span class="kd">implements</span> <span class="nc">Interceptor</span> <span class="o">{</span> <span class="cm">/* renamed from: a */</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">accessKey</span><span class="o">;</span> <span class="cm">/* renamed from: b */</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">secret</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">SignatureInterceptor</span><span class="o">(</span><span class="nc">String</span> <span class="n">str</span><span class="o">,</span> <span class="nc">String</span> <span class="n">secret</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">accessKey</span> <span class="o">=</span> <span class="n">str</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">secret</span> <span class="o">=</span> <span class="n">secret</span><span class="o">;</span> <span class="o">}</span> <span class="cm">/* renamed from: a */</span> <span class="kd">private</span> <span class="nc">String</span> <span class="nf">createPresignature</span><span class="o">(</span><span class="nc">RequestBody</span> <span class="n">requestBody</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">IOException</span> <span class="o">{</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">bytes</span><span class="o">;</span> <span class="k">if</span> <span class="o">(</span><span class="n">requestBody</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Buffer</span> <span class="n">buffer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Buffer</span><span class="o">();</span> <span class="n">requestBody</span><span class="o">.</span><span class="na">writeTo</span><span class="o">(</span><span class="n">buffer</span><span class="o">);</span> <span class="n">bytes</span> <span class="o">=</span> <span class="n">buffer</span><span class="o">.</span><span class="na">readByteArray</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">bytes</span><span class="o">.</span><span class="na">length</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="o">)</span> <span class="o">{</span> <span class="n">bytes</span> <span class="o">=</span> <span class="s">"{}"</span><span class="o">.</span><span class="na">getBytes</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">bytes</span> <span class="o">=</span> <span class="s">"{}"</span><span class="o">.</span><span class="na">getBytes</span><span class="o">();</span> <span class="o">}</span> <span class="k">return</span> <span class="n">mf0</span><span class="o">.</span><span class="na">a</span><span class="o">.</span><span class="na">b64encode</span><span class="o">(</span><span class="n">mf0</span><span class="o">.</span><span class="na">a</span><span class="o">.</span><span class="na">calculateMD5</span><span class="o">(</span><span class="n">bytes</span><span class="o">));</span> <span class="o">}</span> <span class="cm">/* renamed from: b */</span> <span class="kd">private</span> <span class="nc">String</span> <span class="nf">sign</span><span class="o">(</span><span class="nc">String</span> <span class="n">encodedReqSignature</span><span class="o">,</span> <span class="kt">long</span> <span class="n">timestamp</span><span class="o">,</span> <span class="nc">String</span> <span class="n">nonce</span><span class="o">,</span> <span class="nc">String</span> <span class="n">apiUrl</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">InvalidKeyException</span> <span class="o">{</span> <span class="nc">StringBuilder</span> <span class="n">sb2</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StringBuilder</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">encodedReqSignature</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">encodedReqSignature</span><span class="o">);</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"\n"</span><span class="o">);</span> <span class="o">}</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">timestamp</span><span class="o">);</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"\n"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">nonce</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">nonce</span><span class="o">);</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"\n"</span><span class="o">);</span> <span class="o">}</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">apiUrl</span><span class="o">);</span> <span class="nc">SecretKeySpec</span> <span class="n">secretKeySpec</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretKeySpec</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">secret</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(),</span> <span class="s">"HmacSHA1"</span><span class="o">);</span> <span class="nc">Mac</span> <span class="n">mac</span> <span class="o">=</span> <span class="nc">Mac</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"HmacSHA1"</span><span class="o">);</span> <span class="n">mac</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="n">secretKeySpec</span><span class="o">);</span> <span class="k">return</span> <span class="n">mf0</span><span class="o">.</span><span class="na">a</span><span class="o">.</span><span class="na">bytesToHexstring</span><span class="o">(</span><span class="n">mac</span><span class="o">.</span><span class="na">doFinal</span><span class="o">(</span><span class="n">sb2</span><span class="o">.</span><span class="na">toString</span><span class="o">().</span><span class="na">getBytes</span><span class="o">()));</span> <span class="o">}</span> <span class="o">...</span> <span class="o">}</span> </code></pre> </div> <p>The method responsible for intercepting unfortunately wasn't decompiled properly. So I had to analyse it manually. I didn't placed entire algorithm here, because it was quite long, I focused on most important labels.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhv5enf9tr50veh4t6zs8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhv5enf9tr50veh4t6zs8.png" alt="Image description" width="800" height="424"></a></p> <p>There are two interesting things in above code:</p> <ul> <li>value of <code>timestamp</code> is constant and is equal to 9999999999 (<code>r6</code> in <code>L50</code>).</li> <li> <code>nonce</code> is generated using UUID schema in 4th version</li> </ul> <h4> Presignature algorithm analysis </h4> <p>The final signature is calculated with HmacSHA1, however before that, request body is being processed with some other algorithm too.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="nc">String</span> <span class="nf">createPresignature</span><span class="o">(</span><span class="nc">RequestBody</span> <span class="n">requestBody</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">IOException</span> <span class="o">{</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">bytes</span><span class="o">;</span> <span class="k">if</span> <span class="o">(</span><span class="n">requestBody</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Buffer</span> <span class="n">buffer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Buffer</span><span class="o">();</span> <span class="n">requestBody</span><span class="o">.</span><span class="na">writeTo</span><span class="o">(</span><span class="n">buffer</span><span class="o">);</span> <span class="n">bytes</span> <span class="o">=</span> <span class="n">buffer</span><span class="o">.</span><span class="na">readByteArray</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">bytes</span><span class="o">.</span><span class="na">length</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="o">)</span> <span class="o">{</span> <span class="n">bytes</span> <span class="o">=</span> <span class="s">"{}"</span><span class="o">.</span><span class="na">getBytes</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">bytes</span> <span class="o">=</span> <span class="s">"{}"</span><span class="o">.</span><span class="na">getBytes</span><span class="o">();</span> <span class="o">}</span> <span class="k">return</span> <span class="n">mf0</span><span class="o">.</span><span class="na">a</span><span class="o">.</span><span class="na">b64encode</span><span class="o">(</span><span class="n">mf0</span><span class="o">.</span><span class="na">a</span><span class="o">.</span><span class="na">calculateMD5</span><span class="o">(</span><span class="n">bytes</span><span class="o">));</span> <span class="o">}</span> </code></pre> </div> <ol> <li>Request Body is saved into bytes buffer.</li> <li>MD5 digest is calculated for <code>bytes</code> </li> <li>MD5 digest is encoded with base64.</li> </ol> <h4> Signature algorithm analysis </h4> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="nc">String</span> <span class="nf">sign</span><span class="o">(</span><span class="nc">String</span> <span class="n">encodedReqSignature</span><span class="o">,</span> <span class="kt">long</span> <span class="n">timestamp</span><span class="o">,</span> <span class="nc">String</span> <span class="n">nonce</span><span class="o">,</span> <span class="nc">String</span> <span class="n">apiUrl</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">InvalidKeyException</span> <span class="o">{</span> <span class="nc">StringBuilder</span> <span class="n">sb2</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StringBuilder</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">encodedReqSignature</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">encodedReqSignature</span><span class="o">);</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"\n"</span><span class="o">);</span> <span class="o">}</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">timestamp</span><span class="o">);</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"\n"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">nonce</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">nonce</span><span class="o">);</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"\n"</span><span class="o">);</span> <span class="o">}</span> <span class="n">sb2</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">apiUrl</span><span class="o">);</span> <span class="nc">SecretKeySpec</span> <span class="n">secretKeySpec</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretKeySpec</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">secret</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(),</span> <span class="s">"HmacSHA1"</span><span class="o">);</span> <span class="nc">Mac</span> <span class="n">mac</span> <span class="o">=</span> <span class="nc">Mac</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"HmacSHA1"</span><span class="o">);</span> <span class="n">mac</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="n">secretKeySpec</span><span class="o">);</span> <span class="k">return</span> <span class="n">mf0</span><span class="o">.</span><span class="na">a</span><span class="o">.</span><span class="na">bytesToHexstring</span><span class="o">(</span><span class="n">mac</span><span class="o">.</span><span class="na">doFinal</span><span class="o">(</span><span class="n">sb2</span><span class="o">.</span><span class="na">toString</span><span class="o">().</span><span class="na">getBytes</span><span class="o">()));</span> <span class="o">}</span> </code></pre> </div> <ol> <li>String Builder is instantiated.</li> <li>In first place, <code>presignature</code> is appended, along with new line. </li> <li> <code>Timestamp</code> is appended along with new line</li> <li> <code>Nonce</code> is also appended with new line</li> <li>Finally, <code>apiUrl</code> is appended.</li> <li>New secret key is instantiated with some <code>secret</code> and HmacSHA1 function.</li> <li>In the end, HMAC is calculated.</li> </ol> <p>Secret used for <code>SecretKeySpec</code> is hardcoded in application. I couldn't find it manually, so I hooked <code>SignatureInterceptor</code> constructor with Frida.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">classLoaders</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">enumerateClassLoadersSync</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">classLoader</span> <span class="k">in</span> <span class="nx">classLoaders</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">classLoader</span><span class="p">.</span><span class="nf">findClass</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.tplink.cloud.api.AccountV2Api</span><span class="dl">"</span><span class="p">);</span> <span class="nx">Java</span><span class="p">.</span><span class="nx">classFactory</span><span class="p">.</span><span class="nx">loader</span> <span class="o">=</span> <span class="nx">classLoader</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`classLoader=</span><span class="p">${</span><span class="nx">classLoader</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">SignatureInterceptor</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">m7.m</span><span class="dl">"</span><span class="p">);</span> <span class="nx">SignatureInterceptor</span><span class="p">[</span><span class="dl">"</span><span class="s2">$init</span><span class="dl">"</span><span class="p">].</span><span class="nx">implementation</span> <span class="o">=</span> <span class="nf">function </span><span class="p">(</span><span class="nx">str</span><span class="p">,</span> <span class="nx">str2</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`SignatureInterceptor.$init is called: str=</span><span class="p">${</span><span class="nx">str</span><span class="p">}</span><span class="s2">, str2=</span><span class="p">${</span><span class="nx">str2</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">this</span><span class="p">[</span><span class="dl">"</span><span class="s2">$init</span><span class="dl">"</span><span class="p">](</span><span class="nx">str</span><span class="p">,</span> <span class="nx">str2</span><span class="p">);</span> <span class="p">};</span> <span class="p">})</span> </code></pre> </div> <ul> <li> <code>str</code> is Access Key and it is not considered during signature calculation</li> <li> <code>str2</code> is secret, which is used during secret key instantiation - so it it the most interesting part</li> </ul> <blockquote> <p>Above Frida code was generated by <code>jadx-gui</code> (except for <code>classLoaders</code> part)</p> </blockquote> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvokodq4rjxs3fox3ic1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frvokodq4rjxs3fox3ic1.png" alt="Image description" width="800" height="132"></a></p> <p>So <code>secret=6ed7d97f3e73467f8a5bab90b577ba4c</code>. I assured also that, this is in fact hardcoded value by simply searching it in <code>jadx-gui</code>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdduae7h3lygmz7cmqo9l.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdduae7h3lygmz7cmqo9l.png" alt="Image description" width="780" height="223"></a></p> <p>With above knowledge, prototype of PoC can be created.</p> <h2> Constructing PoC and verifying it along with Frida scripts </h2> <p>Suppose that there is a following authentication request with valid signature:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fahprb1a987inegm1fb6q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fahprb1a987inegm1fb6q.png" alt="Image description" width="800" height="421"></a></p> <p>PoC as an input takes:</p> <ul> <li>Nonce (UUIDv4) - which generated per every request</li> <li>Timestamp - which is constant</li> <li>Secret - secret value used in HMAC</li> <li>Endpoint name</li> <li>Request body - order of fields in JSON matters! </li> </ul> <p>As an output it returns valid signature.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">main.org.poc</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">okhttp3.MediaType</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">okhttp3.RequestBody</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">okio.Buffer</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.Mac</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.spec.SecretKeySpec</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.IOException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.InvalidKeyException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.MessageDigest</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.NoSuchAlgorithmException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Base64</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">PoC</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">InvalidKeyException</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">json</span> <span class="o">=</span> <span class="s">"{\"appType\":\"TP-Link_Tapo_Android\",\"appVersion\":\"3.7.113\",\"cloudPassword\":\"test\",\"cloudUserName\":\"ad1s0n@test.com\",\"platform\":\"Android 12\",\"refreshTokenNeeded\":false,\"terminalMeta\":\"1\",\"terminalName\":\"Google sdk_gphone64_x86_64\",\"terminalUUID\":\"2F5AC7AD94F77F91BC2419DE55CA3C0A\"}"</span><span class="o">;</span> <span class="nc">String</span> <span class="n">presignature</span> <span class="o">=</span> <span class="n">createPresignature</span><span class="o">(</span><span class="n">json</span><span class="o">);</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="s">"Presignature: "</span> <span class="o">+</span> <span class="n">presignature</span><span class="o">);</span> <span class="nc">String</span> <span class="n">key</span> <span class="o">=</span> <span class="s">"6ed7d97f3e73467f8a5bab90b577ba4c"</span><span class="o">;</span> <span class="nc">String</span> <span class="n">nonce</span> <span class="o">=</span> <span class="s">"55bcd878-5c44-45c2-9d5a-e011c24a7ac8"</span><span class="o">;</span> <span class="nc">String</span> <span class="n">apiUrl</span> <span class="o">=</span> <span class="s">"/api/v2/account/login"</span><span class="o">;</span> <span class="kt">long</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="mi">9999999999L</span><span class="o">;</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="s">"Signature: "</span> <span class="o">+</span> <span class="n">createSignature</span><span class="o">(</span><span class="n">presignature</span><span class="o">,</span> <span class="n">timestamp</span><span class="o">,</span> <span class="n">nonce</span><span class="o">,</span> <span class="n">apiUrl</span><span class="o">,</span> <span class="n">key</span><span class="o">));</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">byte</span><span class="o">[]</span> <span class="nf">requestToBytes</span><span class="o">(</span><span class="nc">String</span> <span class="n">json</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span> <span class="o">{</span> <span class="nc">RequestBody</span> <span class="n">body</span> <span class="o">=</span> <span class="nc">RequestBody</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">parse</span><span class="o">(</span><span class="s">"application/json"</span><span class="o">),</span> <span class="n">json</span><span class="o">);</span> <span class="nc">Buffer</span> <span class="n">buffer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Buffer</span><span class="o">();</span> <span class="n">body</span><span class="o">.</span><span class="na">writeTo</span><span class="o">(</span><span class="n">buffer</span><span class="o">);</span> <span class="k">return</span> <span class="n">buffer</span><span class="o">.</span><span class="na">readByteArray</span><span class="o">();</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">byte</span><span class="o">[]</span> <span class="nf">calculateMD5</span><span class="o">(</span><span class="kt">byte</span><span class="o">[]</span> <span class="n">bytes</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">NoSuchAlgorithmException</span> <span class="o">{</span> <span class="nc">MessageDigest</span> <span class="n">md5</span> <span class="o">=</span> <span class="nc">MessageDigest</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"MD5"</span><span class="o">);</span> <span class="n">md5</span><span class="o">.</span><span class="na">update</span><span class="o">(</span><span class="n">bytes</span><span class="o">);</span> <span class="k">return</span> <span class="n">md5</span><span class="o">.</span><span class="na">digest</span><span class="o">();</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">b64encode</span><span class="o">(</span><span class="kt">byte</span><span class="o">[]</span> <span class="n">bytes</span><span class="o">){</span> <span class="k">return</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">getEncoder</span><span class="o">().</span><span class="na">encodeToString</span><span class="o">(</span><span class="n">bytes</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">createPresignature</span><span class="o">(</span><span class="nc">String</span> <span class="n">json</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">NoSuchAlgorithmException</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">b64encode</span><span class="o">(</span><span class="n">calculateMD5</span><span class="o">(</span><span class="n">requestToBytes</span><span class="o">(</span><span class="n">json</span><span class="o">)));</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">bytesToHexstring</span><span class="o">(</span><span class="kt">byte</span><span class="o">[]</span> <span class="n">bytes</span><span class="o">){</span> <span class="nc">StringBuilder</span> <span class="n">builder</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StringBuilder</span><span class="o">();</span> <span class="k">for</span> <span class="o">(</span><span class="kt">byte</span> <span class="n">b</span> <span class="o">:</span> <span class="n">bytes</span><span class="o">){</span> <span class="nc">String</span> <span class="n">hex</span> <span class="o">=</span> <span class="nc">Integer</span><span class="o">.</span><span class="na">toHexString</span><span class="o">(</span><span class="n">b</span> <span class="o">&amp;</span> <span class="mi">255</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">hex</span><span class="o">.</span><span class="na">length</span><span class="o">()</span> <span class="o">==</span> <span class="mi">1</span><span class="o">){</span> <span class="n">builder</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="mi">0</span><span class="o">);</span> <span class="n">builder</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">hex</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span><span class="o">{</span> <span class="n">builder</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">hex</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="k">return</span> <span class="n">builder</span><span class="o">.</span><span class="na">toString</span><span class="o">();</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">createSignature</span><span class="o">(</span><span class="nc">String</span> <span class="n">presignature</span><span class="o">,</span> <span class="kt">long</span> <span class="n">timestamp</span><span class="o">,</span> <span class="nc">String</span> <span class="n">nonce</span><span class="o">,</span> <span class="nc">String</span> <span class="n">apiUrl</span><span class="o">,</span> <span class="nc">String</span> <span class="n">key</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">InvalidKeyException</span> <span class="o">{</span> <span class="nc">StringBuilder</span> <span class="n">builder</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StringBuilder</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">presignature</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">){</span> <span class="n">builder</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">presignature</span><span class="o">);</span> <span class="n">builder</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"\n"</span><span class="o">);</span> <span class="o">}</span> <span class="n">builder</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">timestamp</span><span class="o">);</span> <span class="n">builder</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"\n"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">nonce</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">){</span> <span class="n">builder</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">nonce</span><span class="o">);</span> <span class="n">builder</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"\n"</span><span class="o">);</span> <span class="o">}</span> <span class="n">builder</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">apiUrl</span><span class="o">);</span> <span class="nc">SecretKeySpec</span> <span class="n">secretKeySpec</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretKeySpec</span><span class="o">(</span><span class="n">key</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(),</span> <span class="s">"HmacSHA1"</span><span class="o">);</span> <span class="nc">Mac</span> <span class="n">mac</span> <span class="o">=</span> <span class="nc">Mac</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"HmacSHA1"</span><span class="o">);</span> <span class="n">mac</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="n">secretKeySpec</span><span class="o">);</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">bytes</span> <span class="o">=</span> <span class="n">mac</span><span class="o">.</span><span class="na">doFinal</span><span class="o">(</span><span class="n">builder</span><span class="o">.</span><span class="na">toString</span><span class="o">().</span><span class="na">getBytes</span><span class="o">());</span> <span class="k">return</span> <span class="nf">bytesToHexstring</span><span class="o">(</span><span class="n">bytes</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>I put the request body into PoC program and required headers in a result I got:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F125rhyxi5n7wohmogvbz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F125rhyxi5n7wohmogvbz.png" alt="Image description" width="512" height="104"></a></p> <p>Signature matches signature in the screen from Burp above. I also developed custom Frida script (with help of <code>jadx-gui</code>) to hook functions responsible for calculating presignature and signature.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">classLoaders</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">enumerateClassLoadersSync</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">classLoader</span> <span class="k">in</span> <span class="nx">classLoaders</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">classLoader</span><span class="p">.</span><span class="nf">findClass</span><span class="p">(</span><span class="dl">"</span><span class="s2">com.tplink.cloud.api.AccountV2Api</span><span class="dl">"</span><span class="p">);</span> <span class="nx">Java</span><span class="p">.</span><span class="nx">classFactory</span><span class="p">.</span><span class="nx">loader</span> <span class="o">=</span> <span class="nx">classLoader</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`classLoader=</span><span class="p">${</span><span class="nx">classLoader</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">perform</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">SignatureInterceptor</span> <span class="o">=</span> <span class="nx">Java</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">m7.m</span><span class="dl">"</span><span class="p">);</span> <span class="nx">SignatureInterceptor</span><span class="p">[</span><span class="dl">"</span><span class="s2">$init</span><span class="dl">"</span><span class="p">].</span><span class="nx">implementation</span> <span class="o">=</span> <span class="nf">function </span><span class="p">(</span><span class="nx">str</span><span class="p">,</span> <span class="nx">str2</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`SignatureInterceptor constructor is called: accessKey=</span><span class="p">${</span><span class="nx">str</span><span class="p">}</span><span class="s2">, secret=</span><span class="p">${</span><span class="nx">str2</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">this</span><span class="p">[</span><span class="dl">"</span><span class="s2">$init</span><span class="dl">"</span><span class="p">](</span><span class="nx">str</span><span class="p">,</span> <span class="nx">str2</span><span class="p">);</span> <span class="p">};</span> <span class="nx">SignatureInterceptor</span><span class="p">[</span><span class="dl">"</span><span class="s2">a</span><span class="dl">"</span><span class="p">].</span><span class="nx">implementation</span> <span class="o">=</span> <span class="nf">function </span><span class="p">(</span><span class="nx">requestBody</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">this</span><span class="p">[</span><span class="dl">"</span><span class="s2">a</span><span class="dl">"</span><span class="p">](</span><span class="nx">requestBody</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`SignatureInterceptor.createSignatureAndEncode presignature=</span><span class="p">${</span><span class="nx">result</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">};</span> <span class="nx">SignatureInterceptor</span><span class="p">[</span><span class="dl">"</span><span class="s2">b</span><span class="dl">"</span><span class="p">].</span><span class="nx">implementation</span> <span class="o">=</span> <span class="nf">function </span><span class="p">(</span><span class="nx">encodedReqSignature</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="nx">nonce</span><span class="p">,</span> <span class="nx">apiUrl</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`SignatureInterceptor.sign is called: encodedReqSignature=</span><span class="p">${</span><span class="nx">encodedReqSignature</span><span class="p">}</span><span class="s2">, timestamp=</span><span class="p">${</span><span class="nx">timestamp</span><span class="p">}</span><span class="s2">, nonce=</span><span class="p">${</span><span class="nx">nonce</span><span class="p">}</span><span class="s2">, apiUrl=</span><span class="p">${</span><span class="nx">apiUrl</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">this</span><span class="p">[</span><span class="dl">"</span><span class="s2">b</span><span class="dl">"</span><span class="p">](</span><span class="nx">encodedReqSignature</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="nx">nonce</span><span class="p">,</span> <span class="nx">apiUrl</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`SignatureInterceptor.sign result=</span><span class="p">${</span><span class="nx">result</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">};</span> <span class="p">})</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8bf1i44fvmvs8xn5nygu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8bf1i44fvmvs8xn5nygu.png" alt="Image description" width="800" height="91"></a></p> <p>It can be seen that above values matches values in headers (Burp suite screen), so PoC works!</p> <p>Now, there is possibility of invoking arbitrary endpoints without necessity of using Tapo application.</p> <p>That's all for the first part of that series.</p> security android cybersecurity computerscience