New TPLink not found by AM Server

[ChrisM]

Hi Mike, I purchased and installed a new TP Link HS200 and I'm unable to get AM server to access it.  Its a basic smart switch and I have many of these operating in my network controlled by AM server.  They are all on the same network, 2.4GHz as the AM Server. I've never had any issues with AM finding these switches after installation.  They typical just appear automatically in AM server.

This message appears when trying to manually add the TP LInk device:  

2024.07.28 18:03:21.257 TP Link search to 192.168.4.212: java.net.ConnectException: failed to connect to /192.168.4.212 (port 9999) from /192.168.4.22 (port 53411) after 5000ms: isConnected failed: ECONNREFUSED (Connection refused)

The switch is otherwise functioning well using the Kasa App and was upgraded to the latest TP Link firmware during installation.  I did notice that this switch has a newer hardware version 5.26 with fw 1.0.2.  All of the other HS200's in my network are HW version 5.0.

I was searching for the remote control switch in the Kasa App and its gone.  I read online in their support pages that "The Remote Control function of the Kasa device is enabled automatically once the device is configured and linked to the TP-Link Cloud successfully, and on the Device Settings page of the Kasa device, the Remote Control option is not visible."   So I guess you can no longer block these devices from their cloud service. https://www.tp-link.com/ca/support/faq/2243/

As always, any help / suggestions to troubleshoot are appreciated.

Thanks

Chris

[sergey]

I might be wrong , but I heard the newest HS200 is built on new chipset.., that is why they became as much as twice cheaper ...  Look at hardware version - that is 5.0 ?
192.168.4.212 , 212 - such huge network? what is the mask ?

[ChrisM]

Hi Sergey, I missed cc'ing the group so let me paste our conversation back into this thread.  Maybe it will help someone in the future.  

I think you are correct about the security change.  I did some searching online and discovered this recent post in the TP-Link community describing the same problem.  He discovered that the local API is still working but authentication is required to access the device: 

My recent HS200's that are 5.26HW and 1.0.2SW do have the local API still. And can be controlled locally. However they DO require authentication, where the others have not. I've confirmed this by using the python-kasa script locally. Which can control/poll the switches locally as long as you authenticate with whatever credentials used when you set them up with the Kasa App.

https://community.tp-link.com/en/smart-home/forum/topic/676384

I passed this info onto Mike and he is planning to have a look when he can.

Thanks

On Tue, Jul 30, 2024 sergey wrote:

Hi Chris , It's only my assumption , but I think they've added a security , so you experienced difficulties with connection non-native software. I wander - have you tried to scan for open ports on new HS200 ? If you do that on the old HW you have to see port 9999 is open , but when you scan the new HW - you more likely will see it closed, and port 80 open instead. That tell me that they have changed security approach to their new devices, at first they establish connection with the cloud , using standard http port 80 , than secure this connection , closing 80 and open some SSL ... - again - that is my assumption. I haven't any of new one at home, one of my fellow told me about the problem. 

On Mon, Jul 29, 2024 ChrisM wrote:

Hi Sergey the HS200 HW is 5.26 and FW is 1.0.2 and it’s the only device at this HW and FW level and the only device giving me a problem. I have a bunch of HS200’s in the network that are HW 5.0 running FW 1.0.11 and there is no issue with them. 

I’m wondering if TPLink has disabled the local API in this FW release?

Thanks

Chris

[Chris McGaffey]

Hi Sergey the HS200 HW is 5.26 and FW is 1.0.2 and it’s the only device at this HW and FW level and the only device giving me a problem. I have a bunch of HS200’s in the network that are HW 5.0 running FW 1.0.11 and there is no issue with them. 

I’m wondering if TPLink has disabled the local API in this FW release?

Thanks

Chris

--
You received this message because you are subscribed to the Google Groups "MppDevices" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mppdevices+...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/5acd34e4-9d3d-47c0-a58b-652c518fe29dn%40googlegroups.com.

[ChrisM]

I received the below response from TP-Link concerning my question on support for a local access wiping their hands of it.  

I just wish there was an option to downgrade the TP-Link firmware.  Anyway, I'd better block internet access for the TP-Link devices in my network that are working with AM Server just to prevent a FW upgrade. I wouldn't be surprised to see a Kasa App upgrade come along that automatically updates device firmware. 

Chris

Wayne-TP

Yesterday

Re:HS200 v5.26 Bad Firmware update?

  @Groundhog 

 

TP-Link Kasa or Tapo API has not released any APIs to the public, and the resources you can find are unauthorized and not officially certified, so we can't guarantee their effectiveness or stability.

[sergey]

Hi, I bet your old HS-200 are about 1.0 - 3.0 hardware version , so it's highly unlikely they will get update for new software...  But anyway it's a good idea to block all these TPLInk's devices from internet due to their high hackers targeting , excessive gathering information about local network and etc...  Unfortunately there is no official way to downgrade software..

And yeah - the TPLINK support was right - all these API is unofficial ..

As for me I stopped using all these "branded devices", moving on my own, after several of mine HS-100 where hacked with malware..

[trogli...@gmail.com]

Wait, what, someone was able to hack your HS100s?  How, and what did they do with them?

 

If the hackers had access to your network it might be possible.  Internal devices can’t expose ports outside your network, they can only make outgoing calls.  Was it a man in the middle attack?

 

From: mppde...@googlegroups.com <mppde...@googlegroups.com> On Behalf Of sergey
Sent: Thursday, August 1, 2024 3:50 AM
To: MppDevices <mppde...@googlegroups.com>
Subject: Re: [MppDevices] Re: New TPLink not found by AM Server

 

Hi, I bet your old HS-200 are about 1.0 - 3.0 hardware version , so it's highly unlikely they will get update for new software...  But anyway it's a good idea to block all these TPLInk's devices from internet due to their high hackers targeting , excessive gathering information about local network and etc...  Unfortunately there is no official way to downgrade software..

And yeah - the TPLINK support was right - all these API is unofficial ..

As for me I stopped using all these "branded devices", moving on my own, after several of mine HS-100 where hacked with malware..

On Wednesday, July 31, 2024 at 8:43:21 PM UTC+3 ChrisM wrote:

I received the below response from TP-Link concerning my question on support for a local access wiping their hands of it.  

 

I just wish there was an option to downgrade the TP-Link firmware.  Anyway, I'd better block internet access for the TP-Link devices in my network that are working with AM Server just to prevent a FW upgrade. I wouldn't be surprised to see a Kasa App upgrade come along that automatically updates device firmware. 

 

Chris

 

 

Wayne-TP

Yesterday

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/95209602-d0b5-4768-8cc3-96d9dffd184fn%40googlegroups.com.

[sergey]

Hi Mike, hopefully that wasn't my home network . I've got a small garage community where we're sharing one router with 3g modem for several garage. I used to keeping a boat there. Due to temperature sensitivity I use to using conventional electric heater installed over  the HS-100 and two more for light and air pump all over a cloud. Once the guard had called me by the reason that possible heater and light was switched on , when I came I saw the heater and light are on , despite I definitely keep them off. Further I couldn't connect to 2 of  HS100  due to changed admin password (the one was intact). One of those socket still on shelve   ,because I can't revive it. The second I've managed to reprogram.  I believe it was  KARMA attack that exploited some holes in HS100 security ... It wasn't a problem to break connection with weak protected router and re-use  new connection for getting root access. There where a lot of info about HS100 hacking. 

[trogli...@gmail.com]

Yeah, it’s definitely risky if your devices are physically accessible – any device (including matter) can be hijacked if they can be reset and the setup credentials are usually printed on them.

 

It might be possible to use matter or homekit devices safely on a shared or open network if they’re not physically accessible, but I’d want to be cautious.  Anything else could probably be hacked if the hacker was motivated.  I doubt it was a weak router connection, but if the router wasn’t properly protected they could gain access to the network (if it wasn’t done by someone in the community already on the network).

 

I’m not sure what you mean by “admin password”, are you talking about the security key TP Link would use for setup?  There have been attacks that used a password through the on board serial port, they need to break open the device to do that.  It might have made resets impossible.  You’re certain it wasn’t a power surge that bricked them and perhaps welded the relays closed?

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/415999e8-ae39-4f73-a7bb-e6b4ce76cee0n%40googlegroups.com.

[sergey]

Nope, there where no physical access to the device .. If you mean that they connected to serial, no , it was definitely wifi  hijacking , that is not so difficult. Under "admin" password I meant - that all these sockets just simple - Linux machine , and when you pressing reset button for quite a time , it reboots in AP mode - open for new job and you can connect them by Kasa. For two of those socket I couldn't reconnect , when I tried to look what's up over serial - I saw blocking start for device.  Hopefully the flash memory  is based 25Q32 and I could rewrite it . But the one still out of life.

Yeah, I quite certain it wasn't power surge problem , the guard would notice that.

[trogli...@gmail.com]

If it was karma/wifi it was someone local then, right?  They couldn’t log into the linux box over wifi, so they must have updated the firmware - is that what you suspect?  That’d be a lot of trouble as it’s protected by an encryption key – to what end?  Just malicious?

 

The ones that wouldn’t reconnect – you mean they wouldn’t broadcast their AP?

 

Honestly it sounds more like corrupted flash to me… how would the guard notice a power surge?  When it’s happened to me all I noticed was some of my electronics stopped working after a thunderstorm…

 

I’m asking because this would be the first real evidence of an OTA hack of an IoT device – every time I’ve pressed one of the z-wave or zigbee guys for evidence of a hack of a wifi device they wave their hands and point to published vulnerabilities that need physical access or old unprotected cameras that were open to the internet.  I’m hoping we have some real evidence here.  Even CRACK was overblown, it was never a real risk to home plugs, switches, or bulbs.

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/f6671eeb-63ed-411c-aeeb-e74b0f5dcc49n%40googlegroups.com.

[sergey]

What was in reality - we would never known. But as a fact - there where 3 absolutely good working sockets , but right after the case two of them turns to modified firmware (somehow) . For both of them I could check  malfunctional behavior by boot ( I even would find the log) over serial.  

Maybe , you right - it was flash corruption by power surge...- but that weird.. , What I usually saw after power surge - is burned devices ....
"The ones that wouldn’t reconnect – you mean they wouldn’t broadcast their AP?"  - No, they wouldn't , but they where connected to the router , with green light.

[trogli...@gmail.com]

I get why hackers would go after cameras and routers, it was relatively easy to steal the feeds and for some reason appealing to them – those CPUs could do more too.  Plugs have low RAM and slow CPUs.  It’s a lot of work to take over and flash an alternate binary so I was skeptical and dismissive of the z-wave/zigbee folks claiming wifi plugs were being used for botnet DDOS attacks or bitcoin mining…  Even the vulnerability reports that needed physical access were never actually completed - they stopped at proving it was possible.

 

I’ve yet to see a vulnerability report of an OTA flash, most are buffer overflow attacks done over serial.  I do realize absence of evidence isn’t evidence of absence… so it’d be interesting to get solid proof to keep me from being dismissive to them 😊.

 

When the plug electronics fail the LEDs are often left solid on or off  (the output pins feeding them staying in the default/reset state), same with relay pins – depends on the hardware.  My house (or the power line) was hit by lightning once, no smoke or burning, just dead appliance boards.

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/7db84218-72d7-4d94-b160-62f2b68372edn%40googlegroups.com.

[ChrisM]

I'm using Eero mesh and these routers have a "pause" feature that blocks internet for a specific device or group of devices.  So I put all of my TP Link devices in a group and paused them and quickly saw them go unreachable by AM server.  Same for my Sonoff devices that I had flashed MPP FW.  So I guess the feature blocks more than internet access.  It seems to block local routing as well.  This was an unexpected glitch in my plan to block them from an unplanned FW upgrade by their cloud master! Not sure what to do now other than delete the Kasa App.

[trogli...@gmail.com]

So far firmware updates I’ve seen for kasa and tapo (I have some cameras) have all required to be initiated by me in the kasa or tapo app.

 

From: mppde...@googlegroups.com <mppde...@googlegroups.com> On Behalf Of ChrisM
Sent: Friday, August 2, 2024 8:52 AM
To: MppDevices <mppde...@googlegroups.com>
Subject: Re: [MppDevices] Re: New TPLink not found by AM Server

 

I'm using Eero mesh and these routers have a "pause" feature that blocks internet for a specific device or group of devices.  So I put all of my TP Link devices in a group and paused them and quickly saw them go unreachable by AM server.  Same for my Sonoff devices that I had flashed MPP FW.  So I guess the feature blocks more than internet access.  It seems to block local routing as well.  This was an unexpected glitch in my plan to block them from an unplanned FW upgrade by their cloud master! Not sure what to do now other than delete the Kasa App.

On Thursday, August 1, 2024 at 3:49:59 AM UTC-4 serg.s...@gmail.com wrote:

Hi, I bet your old HS-200 are about 1.0 - 3.0 hardware version , so it's highly unlikely they will get update for new software...  But anyway it's a good idea to block all these TPLInk's devices from internet due to their high hackers targeting , excessive gathering information about local network and etc...  Unfortunately there is no official way to downgrade software..

And yeah - the TPLINK support was right - all these API is unofficial ..

As for me I stopped using all these "branded devices", moving on my own, after several of mine HS-100 where hacked with malware..

On Wednesday, July 31, 2024 at 8:43:21 PM UTC+3 ChrisM wrote:

I received the below response from TP-Link concerning my question on support for a local access wiping their hands of it.  

 

I just wish there was an option to downgrade the TP-Link firmware.  Anyway, I'd better block internet access for the TP-Link devices in my network that are working with AM Server just to prevent a FW upgrade. I wouldn't be surprised to see a Kasa App upgrade come along that automatically updates device firmware. 

 

Chris

 

 

Wayne-TP

Yesterday

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/38fc1451-4d75-4db9-af2c-fd9f36d6451bn%40googlegroups.com.

[Chris McGaffey]

Thanks Mike and me too. But you can see where this industry is heading. Everything connected to their clouds for data harvesting end to end support through integration between clouds. 

We need open hardware that’s UL approved to avoid the cloud. 

Thanks

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/080801dae4de%24411ca580%24c355f080%24%40gmail.com.

[trogli...@gmail.com]

Yeah.  I don’t sweat about data harvesting, but I do worry that a cloud vendor could get hacked or coerced by an unfriendly government to inject malicious behavior into their secure data stream to take over devices.  The biggest risk for this is probably with phones and routers vs IoT and an awful lot of those are from offshore companies.

 

It’s my understanding that in normal operation it’s too risky to update firmware without permission due to lawsuits, e.g. a plug update turning off a cpap or similar.

 

The TPLink & Tapo devices can act a bit odd when they can’t reach the internet - the old ones won’t run time based rules, and some newer ones will reboot after a while to try to recover their cloud connection.

[sergey]

Chris :  "So I put all of my TP Link devices in a group and paused them and quickly saw them go unreachable by AM server."

I'm afraid the issue goes right way , for instance if you have fragmented/segmented  network  such as 192.168.1.xxx, 192.168.2.xxx  or similar, you usually don't have routing between them.

Moving the devices in "paused" group just simple restricted device's MAC address send packets outside the group or segment - this is how usually routers does restriction .

Because the AM server sits in different group (it won't work properly without  internet connection due to Google license issue) you might break connection among AM server and HS200 sokets...

Frankly I don't believe that TPLINK can autoupdate the firmware without noticing you... I saw the people who have never updated their socket since 19.

If I were you - I'd save "good working" firmware . It's difficult for people who didn't experience in hardware modification, soldering and etc.... It would need such device:

 

and physical access to the flash memory.

The flash is U5 chip depicted below: (unfortunately I can only show you HS110 ,that I've got)

The device depicted on the first picture just simple flash memory programmer - it can read and write the flash chip where the firmware sits.

So - you just put the pliers on the chip , insert the programmer into PC USB port , run the software (I can share with you) and get your firmware...

That is the way...))

Mike:

If someone have made it once , he can share the technology with others , beginner hackers - who interested in growing their skills .

I'll send you two boot logs!

[Chris McGaffey]

Thanks Sergey for all of that info.  In my case all of the devices on my network reside in the same segment 192.168.4.xxx

In the Eero router configuration you can select an individual device and set "pause" or you can create a profile and assign devices to that profile and then "pause" the profile or set up a schedule where the profile is paused during a certain period of time each day.  They describe this as a parental control feature to limit internet access to children.  

In my case, I assigned my TP-Link devices to a profile and then paused the profile.  The IP addresses of the devices does not change.

Thanks

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/7211338a-b0e5-4c93-b583-e877e58833cfn%40googlegroups.com.

[sergey]

The IP addresses of the devices does not change.

Right, I didn't mean that the IP is changing , I meant that the router takes all the device's MAC address from the group and restricted packets  transmission whenever outside this group.  Have you tried to include AM server that group too ? I wander if it help ?

[Chris McGaffey]

I will try that.

On Fri, Aug 2, 2024 at 1:58 PM sergey <serg.s...@gmail.com> wrote:

The IP addresses of the devices does not change.

Right, I didn't mean that the IP is changing , I meant that the router takes all the device's MAC address from the group and restricted packets  transmission whenever outside this group.  Have you tried to include AM server that group too ? I wander if it help ?

--

You received this message because you are subscribed to the Google Groups "MppDevices" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mppdevices+...@googlegroups.com.

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/8bf64c48-aebc-4e86-bf09-30b9e3889034n%40googlegroups.com.

[Chris McGaffey]

Hi Sergey, I just checked and adding AM Server to the profile with the TP-Link devices still results in the TP-Link devices no longer being reachable by the AM Server.  

Thanks

On Fri, Aug 2, 2024 at 1:58 PM sergey <serg.s...@gmail.com> wrote:

The IP addresses of the devices does not change.

Right, I didn't mean that the IP is changing , I meant that the router takes all the device's MAC address from the group and restricted packets  transmission whenever outside this group.  Have you tried to include AM server that group too ? I wander if it help ?

--

You received this message because you are subscribed to the Google Groups "MppDevices" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mppdevices+...@googlegroups.com.

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/8bf64c48-aebc-4e86-bf09-30b9e3889034n%40googlegroups.com.

[sergey]

Yeah, Unfortunately , The bad result also the result.  

[trogli...@gmail.com]

First attempt at supporting the new TP Link authenticated API is available in beta 17.4.0 (as soon as it’s approved by google).

 

The TP Link username and password (the tp link account you used in the app when you setup the device) is set in the app user preferences.  There’s only one per WemoManager instance so they need to be the same for all devices you manage.  They’re encrypted internally by AM when it saves them so you can’t see what AM is using.  If they need to be updated you need to re-enter them.

 

I only have an HS200v5.2 so it’s the only one I can verify.  I suspect all of the single switch/relay devices will function with this API, but bulbs, dimmers, and multi-devices will need additional work.  If anyone has any they want to see if I can get working, discover them then send me the log – let me know which IP or device type to look at.  There might be some back and forth with betas to get them going…

 

This *might* be the same API that’s used for Tapo devices – I don’t have one so I’m not sure – if anyone wants to give it a try let me know how it goes, and if it’s close to working (send me the log) I’ll see if I can get it sorted.  If the API is completely different it’ll need to wait till I get one…

 

Any device that shows up broken you can mark “ignore” to get it out of the main path.  If you use “forget” or it’ll probably be found by AM again.

 

[Chris McGaffey]

Hi Mike I entered my TP Link username and password and was able to manually add the new HS200. Thank you for resolving this!  

Chris

--

You received this message because you are subscribed to the Google Groups "MppDevices" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mppdevices+...@googlegroups.com.

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/004d01dae875%2483bc62f0%248b3528d0%24%40gmail.com.

[ChrisM]

Hi Mike, after upgrading to the latest Beta a few days ago I haven't been able to re-establish communication with this new TP LInk device.  

Also when I select the new TP Link device in AM (which is off line) and then select "details" the AM app restarts.  

I have re-entered my account credentials in AM preferences.

Thanks

[ChrisM]

From the log after doing manual TP Link search:

2024.09.15 08:09:58.183 TpLink searching at 192.168.4.212...
2024.09.15 08:09:59.250 poll to HB_LGHT_LoadingDock(HS200_40AE301761A0) failed: java.lang.Exception: Could not get key from handshake to HB_LGHT_LoadingDock(HS200_40AE301761A0):java.lang.Exception: Error {"error_code":1003} in doHandshake

AM version 17.5.3-584

[trogli...@gmail.com]

I think that error code means the encryption is broken.  My HS200 is still working but I see there’s a firmware update 1.0.3 for it which may be the new encryption algorithm.  Mine’s working on 1.0.2, I’ll upgrade to see if it stops working, and if so I’ll see if I can get it sorted.

 

From: mppde...@googlegroups.com <mppde...@googlegroups.com> On Behalf Of ChrisM
Sent: Sunday, September 15, 2024 8:19 AM
To: MppDevices <mppde...@googlegroups.com>
Subject: Re: [MppDevices] Re: New TPLink not found by AM Server

 

From the log after doing manual TP Link search:

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/1d87ec27-18f3-4b76-a9dd-f24cf018f632n%40googlegroups.com.

[trogli...@gmail.com]

 

Yep, I’m getting a 1003 on it now too.

[Chris McGaffey]

Thanks Mike. Mine is running 1.0.3 but it was 1.0.2 when I installed it. I didn’t upgrade it. Not sure how that happened. 

Chris

On Sun, Sep 15, 2024 at 1:32 PM <trogli...@gmail.com> wrote:

 

Yep, I’m getting a 1003 on it now too.

--

You received this message because you are subscribed to the Google Groups "MppDevices" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mppdevices+...@googlegroups.com.

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/00ba01db0795%2443d8ba00%24cb8a2e00%24%40gmail.com.

[trogli...@gmail.com]

There is an “auto firmware upgrade” button in the tapo app, I have mine disabled.

 

From: Chris McGaffey <chris.m...@gmail.com>
Sent: Sunday, September 15, 2024 7:11 PM
To: trogli...@gmail.com
Cc: MppDevices <mppde...@googlegroups.com>
Subject: Re: [MppDevices] Re: New TPLink not found by AM Server

 

Thanks Mike. Mine is running 1.0.3 but it was 1.0.2 when I installed it. I didn’t upgrade it. Not sure how that happened. 

[Mike P 4 MPP]

Ok, AM beta 17.5.6 seems to be working with HS200v5 1.0.3 now, should be available from play within 24hrs or so.  That was not fun :(, their security is really over the top now.  If they do another version I'm not sure how enthusiastic I'll be about support it...

[Chris McGaffey]

Working now Mike.  Thank you

Chris

On Wed, Sep 25, 2024 at 12:08 PM Mike P 4 MPP <trogli...@gmail.com> wrote:

Ok, AM beta 17.5.6 seems to be working with HS200v5 1.0.3 now, should be available from play within 24hrs or so.  That was not fun :(, their security is really over the top now.  If they do another version I'm not sure how enthusiastic I'll be about support it...

--
You received this message because you are subscribed to the Google Groups "MppDevices" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mppdevices+...@googlegroups.com.

To view this discussion on the web, visit https://groups.google.com/d/msgid/mppdevices/306f2a95-edcb-4e03-8850-23744cf27f29n%40googlegroups.com.