René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"KLAP v2 Authentication Failure on TP-Link HS300 (US) — Hardware Version 2.0","articleBody":"\u003ch1 data-pm-slice=\"1 1 []\"\u003eKLAP v2 Authentication Failure on TP-Link HS300 (US) — Hardware Version 2.0\u003c/h1\u003e\u003ch2\u003eSummary\u003c/h2\u003e\u003cp\u003eI'm testing several \u003cstrong\u003eTP-Link HS300 (US)\u003c/strong\u003e power strips (\u003cstrong\u003eHardware Version 2.0\u003c/strong\u003e) using the latest \u003ccode\u003efeature/tpap\u003c/code\u003e branch of \u003cstrong\u003epython-kasa\u003c/strong\u003e.\nDiscovery succeeds and the initial handshake completes, but all devices fail authentication with the message:\u003c/p\u003e\u003cblockquote\u003e\u003cp\u003eDevice response did not match our challenge ... check that your e-mail and password (both case-sensitive) are correct.\u003c/p\u003e\u003c/blockquote\u003e\u003cp\u003eAll three devices are reachable and respond to \u003ccode\u003e/app/handshake1\u003c/code\u003e, but the returned server hash never matches the client challenge, causing the session to abort.\u003c/p\u003e\u003ch2\u003eEnvironment\u003c/h2\u003e\nComponent | Version / Details\n-- | --\nDevice Model | HS300 (US)\nHardware Version | 2.0\nFirmware Version | 1.1.6 Build 240130 Rel.173828\nEncrypt Type | KLAP\nLogin Version | 2\nHost OS | Ubuntu 24.04 LTS\npython-kasa Branch | feature/tpap (PR #1592)\nNetwork | Local LAN (192.168.0.x), no firewall, UFW inactive\n\n\u003ch2\u003eObserved Behavior\u003c/h2\u003e\u003cp\u003eTrimmed \u003ccode\u003ekasa --debug discover\u003c/code\u003e output:\u003c/p\u003e\u003cpre\u003e\u003ccode\u003eDEBUG:kasa.transports.klaptransport:Starting handshake with 192.168.0.98\nDEBUG:kasa.httpclient:Posting to [http://192.168.0.98/app/handshake1](http://192.168.0.98/app/handshake1)\nDEBUG:kasa.transports.klaptransport:Handshake1 success ... Server remote_seed is ...\nDEBUG:kasa.transports.klaptransport:Device response did not match our challenge on ip 192.168.0.98,\ncheck that your e-mail and password (both case-sensitive) are correct.\nDEBUG:kasa.protocols.iotprotocol:Unable to authenticate with 192.168.0.98, not retrying\n== Authentication failed for device ==\n\u003c/code\u003e\u003c/pre\u003e\u003cp\u003eEach device reports the following discovery payload (sanitized):\u003c/p\u003e\u003cpre\u003e\u003ccode\u003e{\n  \"device_type\": \"IOT.SMARTPLUGSWITCH\",\n  \"device_model\": \"HS300(US)\",\n  \"hw_ver\": \"2.0\",\n  \"mgt_encrypt_schm\": {\n    \"encrypt_type\": \"KLAP\",\n    \"lv\": 2,\n    \"new_klap\": 1,\n    \"http_port\": 80,\n    \"is_support_https\": false\n  },\n  \"login_version\": 2\n}\n\u003c/code\u003e\u003c/pre\u003e\u003ch3\u003eNetwork Connectivity\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eICMP ping ✅\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eTCP 80 ✅\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eUDP 9999 (now deprecated) ❌ Closed\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eExpected Behavior\u003c/h3\u003e\u003cp\u003eOlder HS300 firmware (KLAP v1) authenticated successfully with email + password and allowed full local control via UDP 9999 or HTTP port 80.\nUnder the new firmware (KLAP v2 / Login Version 2), the initial handshake completes but authentication fails even with correct credentials.\u003c/p\u003e\u003ch3\u003eHypothesis\u003c/h3\u003e\u003cp\u003eThe new HS300 firmware likely implements KLAP v2 using a token- or certificate-based challenge hash, similar to TPAP / SPAKE2+ used in newer Tapo devices.\u003c/p\u003e\u003cp\u003eThe current library still derives the challenge hash from plain credentials, so the computed client hash never matches the device’s expected value.\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003ccode\u003e/app/handshake1\u003c/code\u003e → works ✅\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003ccode\u003e/app/handshake2\u003c/code\u003e → validation fails ❌\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eReproduction Steps\u003c/h3\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eConnect HS300 (US v2.0) to local LAN.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eRun:\u003c/p\u003e\u003cpre\u003e\u003ccode\u003ekasa --debug discover\n\u003c/code\u003e\u003c/pre\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eObserve handshake success followed by:\u003c/p\u003e\u003cpre\u003e\u003ccode\u003eDevice response did not match our challenge\n\u003c/code\u003e\u003c/pre\u003e\u003c/li\u003e\u003c/ol\u003e\u003ch3\u003eAdditional Notes\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eOccurs on all three HS300 v2.0 units tested.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eConfirmed not a network or firewall issue (UPike IoT VLAN, unrestricted inter-VLAN traffic).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003ccode\u003e/app/handshake1\u003c/code\u003e returns 200 OK with \u003ccode\u003eremote_seed\u003c/code\u003e and \u003ccode\u003eserver_hash\u003c/code\u003e.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eLikely related to:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eIssue #1590 (TPAP encryption)\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003ePR #1592 (SPAKE2+/TPAP implementation)\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThese devices may require new KLAP v2 handling logic parallel to the TPAP branch.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eRequest\u003c/h3\u003e\u003cp\u003ePlease confirm whether KLAP v2 / Login Version 2 devices (HS300 v2.0) still use credential-derived hashing or require cloud-issued tokens for the second handshake stage.\u003c/p\u003e\u003cp\u003eIf a new derivation scheme is known, I can provide full \u003ccode\u003e--debug\u003c/code\u003e logs or packet captures of the \u003ccode\u003e/app/handshake1\u003c/code\u003e → \u003ccode\u003e/app/handshake2\u003c/code\u003e exchange for implementation testing.\u003c/p\u003e\u003ch3\u003eExample Device IDs (Sanitized)\u003c/h3\u003e\u003cpre\u003e\u003ccode\u003eDevice Id (hash): eff8dcab310ffac89b042df8a35da5c1\nOwner (hash):     44D82453FD26F2F462DA5F77E58808FC\n\u003c/code\u003e\u003c/pre\u003e\u003cp\u003eThank you for maintaining python-kasa — happy to run any extra debugging or packet captures needed to help finish KLAP v2 support.\u003c/p\u003e","author":{"url":"https://github.com/leviwheeling","@type":"Person","name":"leviwheeling"},"datePublished":"2025-10-30T14:23:13.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":35},"url":"https://github.com/1604/python-kasa/issues/1604"}