I had truly good “hacking” session with Codex. It’s not hacking, I wasn’t breaking anything, just jumping over the fences TP-Link put for me, owning the router, inside the network, knowing the admin password. But TP-Link really tried everything so you cannot access the router you own via API. They really tried to be smart with some very very broken and custom auth and encryption scheme. It took some half a day with Codex, but in the end I have a pretty Python API to access my router, tested, reliable, and exporting beautiful Prometheus metrics.
I’m sure there is some over eager product manager sitting in such companies, trying to splits markets into customer and enterprise sections, just by making APIs not useable by humans and adding 200% useless “security by obscurity”.
Many eons ago I wrote a Python version of tmpcli for this exact reason. Made some minor improvements a few years ago but haven’t touched it since. Curious what methodology Codex came up with, I haven’t revisited it since models got really good.
The idea is that tmpServer listens on localhost, but dropbear allows port forwarding with admin creds (you’ll need to specify -N). That program has full device access and is the API the Tether app primarily uses to interact with the device.
Ha kudos! I went across this project - thanks for your work :) It didn't work on the specific model I own (Archer NX600).
My solution is really just using their pseudo-JWT over their obscured APIs (with reverse-engineered names of endpoints and params). Limitation is that there is still only one client allowed to be authenticated at one moment, so my daemon has priority and I need to stop it to actually access Admin panel.
We’re splitting this across two threads, but if you give Codex access to jadx and the Archer android app you might be able to get something without that problem. The TPLink management protocol has a few different “transport” types - tmpcli uses SSH, but your device might only support one of the other transports.
Of course! Happy to contribute. As is the case with your device, there's a lot of weird TP-Link firmware variants (even an RTOS called TPOS based on VxWorks), so no guarantee it'll work all the time. Glad there's more research being done in the space!
I have one of these Smiirl flip counters. It runs a version of OpenWrt without the web UI, but has a uhttpd to serve an api. I'm hoping Mythos can help me find an exploit to get into it and enable ssh since they have now disabled the simple api switch that would let you turn it on.
I've had good success doing something similar. Recording requests into an .har file using the web UI and providing it for analysis was a good starting point for me, orders of magnitude faster than it would be without an assistant.
If you're into it, you could always re-flash your TP-Link hardware with some open-source firmware that is more automation friendly. I used to be intimidated by it, but a friend showed me how to do it and it's remarkably simple and pain-free (provided it's a commonly supported router of course).
Generally, if the device is compatible and not new to the market, openwrt has been ported or is in the process (though it may not be the latest version of openwrt). You can search for your device in the compatibility drop downs and get the current status. If it's not listed, searching the device on the openwrt forums may tell you why (which is almost always the chipset).
Would definitely be interested in this. Moved to TP Link at the start of the year and I am generally very happy with it, but would like to be able to interact with my router in something other than their phone app.
Any tips to share? I tried to do something similar but failed.
My router has a backup/restore feature with an encrypted export, I figured I could use that to control or at least inspect all of its state, but I/codex could not figure out the encryption.
It's on my long list of projects "to-opensource" (but I need to figure out licensing, for those things CC-BY-SA I think is the way to go), I don't want a random lawyer sitting on my ass though.
I started with a simple assumption: if I can access the router via web-browser, then I can also automate that. From that the proof-of-concept was headless Chrome in Docker and AI-directed code (code written via LLM, not using it all the time) that uses Selenium to navigate the code. This worked, but it internally hurt me to run 300MiB browser just to access like 200B of metrics every 10s or so. So from there we (me + codex) worked together towards reverse engineering their minimised JS and their funky encryption scheme, and it eventually worked (in the end it's just OpenSSL with some useless paddings here or there). Give it a shot, it's a fun day adventure. :)
Edit: that's the end result (kinda, I have whole infra around it, and another story with WiFi extender with another semi-broken different encryption scheme from the same provider) - https://imgur.com/a/VGbNmBp
You should give codex access to the mobile app :) The app, for a lot of routers, connects via an ssh tunnel to UDP/TCP sockets on the router. Would probably give you access to more data/control.
Made a comment up above, but that's tdpServer and tmpServer (sometimes tdpd and tmpd) and it's what I use in my python implementation of tmpcli, the (somewhat broken) client binary on some TP-Link devices.
You're correct, it gives you access to everything the Tether app can do.
I had been trying to find that again! It was instrumental in some RE/VR I did last year on tmp and the differences between the UDP socket (available without auth) and the TCP socket. Thanks for making that.
I can't remember the details of the scheme, but it also allows you to authenticate using your TPLink cloud credential. If my memory is correct, the username is md5(tplink_account_email) and the password is the cloud account password. If you care, I can find my notes on that to confirm.
I don't feel like I own the code itself (hey, GPT wrote 99.5% of it), I own the product and the thought process and everything that lead to it - do whatever you want, just don't forget my name somewhere in the process. Feels more like art project than coding project hence CC license.
I had fun “hacking” my router that turned out to be just unzipping the file with slight binary modifications, it was so simple in fact I just implemented it in a few lines of js, even works in the browser :-D
While Darktable has a lot of nice niche features, from UX point of view it’s 20 years behind any of commercial offerings. If GIMP is like open source Photoshop, then Darktable is like open source Lightroom - both GIMP and Darktable are absolutely crap when it comes to UX, unless you mastered them for 10 years. Darktable should focus on some UX/UI GSOC-like project and figure out their usability to be considered useful.
I'm some ways I'd argue the UI of darktable is ahead of its time and fairly snazzy. It's just a much more sophisticated tool. What is one thing about the UI that specifically feels dated? Burried maybe, but dated?
I'm using Linux Mint 22.3 so Ubuntu 24.04... Haven't solved the problem yet - either going to install/build needed libs and use LD_* vars to point to correct libs, or pack this in Docker/Podman container (but X11 apps and docker are quite a challenge too).
Same, I use Restic + Backrest (plus monitoring on Healthchecks, self-hosted + Prometheus/AlertManager/Pushover), with some decent structure - local backups every half-an-hour to raid1, every hour a backup to my old NAS, every day a backup to FTP in Helsinki, and once a week some backups to Backblaze (via Restic). Gives me local backups, observability, remote backups spread across different providers - seems quite safe :) I highly recommend to everyone figuring out a good backup strategy, takes a day or two.
Edit: on top of that I've built a custom one-page monitoring dashboard, so I see everything in one place (https://imgur.com/B3hppIW) - I'll opensource, it's decent architecture, I just need to cleanup some secrets from Git history...
I don't have an usecase, I don't own a printer even. But this is actually a good piece of software - it seems non-trivial from algorithmic point of view, UX is also well polished. Kudos to authors.
Same — as someone building macOS utilities I have a soft spot for indie apps that tackle genuinely hard algorithmic problems and still manage to ship a clean UI. The gap between "technically interesting" and "actually usable by non-experts" is huge, and it looks like they've bridged it well here.
The usecase for Unfolder or Pepkura isn't 3D printing. They're targeted at paper crafting. You print the unfolded file onto paper, cut, fold, and glue to create a 3D object. Something like these samples <https://duckduckgo.com/?t=ffab&q=paper%20craft%20models&ia=i...>
Question, do you "build LEGO" as in "make what's on the box it came in", or do you use LEGO to build things yourself and not following instructions?
(I am old, but as a kid, I remember building what the kit was supposed to build once or _maybe_ twice, but using the parts from the kit and various other kits I had to make things purely out of my head pretty mush all the time. I _think_ that's not how people "play with LEGO" these days?)
Both, I enjoy the process of building, so following instructions. But then it's done and boring. I.e. LEGO supercars sets are nice, they're so nice until you marriage chassis with drivetrain - you can play with all the gears and see them, after the marriage it's just boring. So now I'm working more towards reusing parts and building things of my own.
Edit: LEGO Architecture Set (not sure if they still make it) is super nice for building random stuff - it's a set of pure white bricks, super fun.
What's native about it? It seems like custom GPU rendered thingy with nothing "native".
Linux GUI frameworks are hot potato, I tried to write "native-feeling" app with taskbar icon lately on Linux (Cinnamon), intuition says GTK3, Internet says GTK4. Cinnamon says write it in JS and plug it in as an applet. Qt seems like the most complete GUI framework, but I don't like KDE (and Qt on mostly GTK based env looks weird). Windows is the same, Microsoft has like 10 different UI frameworks from different epochs. MacOS seems to be the only one with some common UI framework.
Indeed. I try not to use the word "native" these days as it has such ambiguous meaning. I also have thought for a while that Windows no longer has native UI, only legacy (Win32) and a rotating carousel of mostly-failed attempts. There have been a few HN stories in the last week that bear me out, notably [1]. Mac of course is in better shape, as AppKit and SwiftUI are both viable (and interop well enough).
It's a step forward. If someone makes an app which is some Electron/WebView thing and call it "native", my thoughts are immediately rather illegal. Cool, so it's UI framework that doesn't actually make a webpage presented as an app. Truly native for me means: using UI framework that is the gold standard for given OS, UX native for given OS, and using native OS APIs, so my laptop can actually survive 24h on battery. It's truly hilarious that Claude app (and ChatGPT) is just Electron app - argument that writing UI in Electron is cheaper is no longer valid in AI age, but yet they did it. Weird times.
I never said that. Ofc Qt apps work just fine on any desktop environment you have (or even none), but they still look off if run Qt app on Gnome. Looking off == not native.
From the main page: "The Hyper-Performant AI-First Postmodern Zero-Cost Fractal Metacircular Phantom-Typed Auto-Disposing Monadic Event Continuation Language with Semantic Space Lifting and Event Taps" - not sure if this is a joke or not
Hi! I am the owner of this project. It is not a joke; the tagline is meant to make it hard to ignore. The project is highly AI-driven, and that will put a lot of people off. I have decades of "pre AI" professional coding experience if that counts for anything.
The high-perf kernel is just a tiny thing compared to what's coming, we actually already have more interesting features than just high-perf in the language. Small side-effect of being highly metacircular.
If you come join us on Discord, I'll be lazily streaming on Twitch tonight (working mostly on a memory system, I think) and will be happy to answer any Koru-related questions.
It seems like it's not a joke. There's clearly been a lot of effort put into it, and they're clearly trying to prove it with hard evidence rather than making outrageous claims with no backing. I'm still skeptical, but the effort at least looks genuine.
I’m sure there is some over eager product manager sitting in such companies, trying to splits markets into customer and enterprise sections, just by making APIs not useable by humans and adding 200% useless “security by obscurity”.
reply