@Alpe12 

Hello, sorry to tell you that the router does not support PHP login method.

Good day.

@Kevin_Z 

Perhaps I wansn't clear enough.
 

I already have a PHP that logins to the router. But I have to first login on the browser, get the "password" of the "login" POST request, put it in my script. And then it works. Until the router reboots and I have to do this process again.

What I asked for, is how to generate this "password" myself.
I tried to dig on the JS used by the web browser to generate it, but couldn't extract the relevant part.


I need a way to generate the "password" that the browser generates (via javascript). Form data "password" below:
https://user-images.githubusercontent.com/8551127/75626011-6ffe7c80-5ba2-11ea-8cc2-e72b9dfbe85f.png

Once I have the code that does that (Javascript), I can convert it myself to PHP.

Please take a look into it. I don't have enough knowledge of JS to extract this myself.

Since you guys haven't been able to resolve my ticket (#334308) after months, this is the least you (tp-link, not you personally) could do. So I can workaround that issue myself.


PS: As soon as the router login page is loaded, it makes a request to "login?form=login" with "operation=read" and get a response with a "password" field (see img below). I believe it uses this to salt the actual password. So it could be as simples as >>encryptlibraryhere.encrypt(password, salt)<< to get what I want.

@Alpe12 I don't really think they're going to help you programatically access the web UI, so you will have to continue reverse engineering it. 

I'm actually glad the password is not sent in clear text and that the actual password field is different each time (to avoid capturing attacks). I was actually curious about that and your post just solved the question haha

It looks like the password field is generated locally by the javascript, no need to receive any salt from the server. In fact, if you type a wrong password, there's just a reply saying it is wrong. So no need for a salt (otherwise you would need to send something, get the response, send again). Whatever you need is in the html.

But... it's not so easy as "let's call this encrypt method with the password". Well, it is if you're in a browser, the function is called doEncrypt and it's in forms.min.js. But you'll have to follow it, analyze the variables (most of them are default values), call the actual encrypt library, etc. 

Plus, js files are minimized so it's a bit more fun haha, good luck!

P.S: I was wondering if someone already published a Python script or whatever to make an APi but looks like the only ones are for old routers or for remote cloud management.

@mocelet 

Thanks for the attention.

"otherwise you would need to send something, get the response, send again"

Not entirely true.
It could just do one request the moment the page is loaded, store it, and then use it for every password typed.

If the request "operation=read" that returns a "password" as soon as the page is opened (way before login) is not something like a salt, this "operation=read" request is really weird.

"I was wondering if someone already published a Python script or whatever to make an APi but looks like the only ones are for old routers or for remote cloud management."
Yeah, that would've been great. :/
The closest I found is this: (added a request)

https://github.com/mariusmuntean/RouterAutomator/issues/1

But it uses Selenium, so it's quite heavy CPU wise.

The only reason I'm asking this is because I found a bug on the C7 that really disturb me, and it hasn't been fixed yet (my first report was about 1 year ago).

The bug is: When IPv6 is set to work on the same PPPoE connection that IPv4, on every reboot, all user set static routes stops working. The user have to manually disable and enable them all, and only then it works.

So I want this for me to write a script on my Pi that detect when static route isn't working and then login->disable all->enable all.

@techharsit 

?

@Alpe12 That was spam, there's a lot in this forum. The user/bot was very smooth copying your text so it sounds legit and inserting a link to a website.

@mocelet 

Oh, I though he intended to reply to that quote but send it early by mistake.