TP-Link Tapo C120 401 Unauthorized using Tapo Protocol

[grantland]

I have two C120 units on the same Tapo Cloud account and am having authentication issues using the Tapo Protocol tapo:// on only one of them.

My config:

go2rtc:
  streams:
   c120_A_stream1: 
      - "rtsp://{username_A}:{password_A}@{ip_A}/stream1"
      - "ffmpeg:c120_A_stream1#audio=opus"
    c120_A_stream2: 
      - "rtsp://{username_A}:{password_A}@{ip_A}/stream2"
      - "ffmpeg:c120_A_stream2#audio=opus"
    c120_A_2way: "tapo://admin:{UPPERCASE-MD5}@{ip_A}"

   c120_B_stream1: 
      - "rtsp://{username_B}:{password_B}@{ip_B}/stream1"
      - "ffmpeg:c120_B_stream1#audio=opus"
    c120_B_stream2: 
      - "rtsp://{username_B}:{password_B}@{ip_B}/stream2"
      - "ffmpeg:c120_B_stream2#audio=opus"
    c120_B_2way: "tapo://admin:{UPPERCASE-MD5}@{ip_B}"

Using the stream link for c120_B_2way results in a viewer with the following errors, while using the stream link for c120_A_2way works just fine: webrtc/offer: streams: 401 Unauthorized and sometimes mse: streams: 401 Unauthorized

Unsure if related, but I'm seeing the following logs:

2023-12-28 22:12:39.766041191  22:12:39.765 ERR github.com/AlexxIT/go2rtc/internal/mjpeg/init.go:166 > error="streams: 401 Unauthorized"

What's weird is that I was originally having this issue with both c120_A_2way and c120_B_2way and found #781 so I attempted to remove and reconnect c120_B_2way. After,c120_A_2way started working again and c120_B_2way still didn't work.

Also before I reconnected c120_B_2way, I attempted to use tapo://{cloud-password}@{IP_A} and changed by password to not have special characters and this didn't resolve anything.

Lastly, the normal RTSP streams for both A and B work just fine and I've double checked that the passwords between c120_A_2way and c120_B_2way are the same as well as the IPs on c120_B_stream1 and c120_B_2way are the same.

[AlexxIT]

Are you sure you using latest go2rtc version?

[grantland]

Yes, I'm on version 1.8.4

[grantland]

For what it's worth I just restarted Frigate and therefore go2rtc and now both cameras are now showing the 401 Unauthorized error

[AlexxIT]

Have you upgrade firmware before this problem?

[grantland]

I have not. c120_A_stream1 is relatively new, has been deployed with 1.1.7, and working for at least a week prior to this issue. c120_B_stream1 is brand new, also on 1.1.7, and was working for a day or so before this issue.

[AlexxIT]

Well. I have same issue with my TC60 camera. You need to open stream from mobile app once and all will be fixed.

[pelayolartategui]

I am suffering same issue with C210. After trying clear test, md5 and sha256 combinations. Thanks in advance.

[grantland]

Well. I have same issue with my TC60 camera. You need to open stream from mobile app once and all will be fixed.

Do you mean just opening it from the Tapo app? If so, I've done this and the issue still persists

[benchen27]

I just purchased C520WS. I have the 401 unauthorized error, when using tapo protocol.
The camera's firmware is 1.2.6. I am running go2rtc 1.5.
I did not use go2rtc 1.8.5, because my two-way audio with Amcrest camera was lagging. So, I am using go2rtc 1.5 for the moment.
BTW, I used both MD5 and SHA256, got same error.

[AlexxIT]

You need to open stream from the tapo mobile app once.

[benchen27]

Thanks very much for your quick response. Yes. I saw your earlier comments, and did open the tapo app. But still got the same error. I tried to login to the camera via its IP address. But I saw no content. However, it provided some connection info, including SHA-256 fingerprint. But it is different from that I created using the app password (I didn't sign up for cloud service), which I think is the cloud password, using the echo command you provided in your document. Regards. Benjamin Chen

…

On Thu, Feb 29, 2024, 10:05 AM Alex X ***@***.***> wrote: You need to open stream from the tapo mobile app once. — Reply to this email directly, view it on GitHub <#849 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AUEOBEL4YERUVQZHG72GHZ3YV5PWFAVCNFSM6AAAAABBF6M4KOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNZRGU4DANRZG4> . You are receiving this because you commented.Message ID: ***@***.***>

[MohitDeshwal]

Same issues, none of my tapo cameras work with tapo protocol. They work with RSTP though.

[mateuszdrab]

I wonder if the cause why this isn't working could be the same as to why the HASS integration for Tapo is also experiencing issues. It appears TP-Link are rolling out a security fix in waves which most likely broke the way go2rtc was making the connection to the cameras. The only workaround seems to be a factory reset followed by blocking internet access for the cameras which is unacceptable for me as I am using the cloud storage subscription.

JurajNyiri/HomeAssistant-Tapo-Control#551

[JurajNyiri]

@AlexxIT reach out to me in discord if you want and are affected as well, i can provide more details about what is going on and might be able to help find the solution for both of us. I am not affected yet unfortunately.

[ArbiterGR]

Same issue here. My C320WS, C200, C100 and C220 all started to show the same 401 unauthorized error, after restarting my frigate & go2rtc instance today. I reverted to rtsp streams for now, but that sucks. Note, there was no prompt for a firmware update on these cameras in the tapo app. It has to be something OTA though. If there are any logs i can provide you to help you track this, will be glad to help.

[mateuszdrab]

@AlexxIT reach out to me in discord if you want and are affected as well, i can provide more details about what is going on and might be able to help find the solution for both of us. I am not affected yet unfortunately.

My Tapo integration in HASS was working fine even with latest firmware until I changed my tapo password which broke all my cameras. I only changed it because I was setting up the tapo integration in go2rtc.

Is go2rtc working for you?

[JurajNyiri]

JurajNyiri/HomeAssistant-Tapo-Control#551 (comment)

[edith101]

Same issue for tapo protocol.
WRN [rtsp] error="streams: 401 Unauthorized" stream=garage_camera

edit: Tried few more options and it only breaks when SHA or MD5 password is used.

[ArbiterGR]

Reseting the camera, re-adding it to tapo app and immediately blocking internet access for it, seems to do the trick for now on the latest firmware (1.3.13) for C200. It has to be something server side that gets provisioned as soon as the camera calls home.

[AlexxIT]

@JurajNyiri thanks, maybe later

[aminasadi0]

ArbiterGR

401 unautorized here too though I can't get rtsp streams to work. Do you still have them running?

[ArbiterGR]

ArbiterGR

401 unautorized here too though I can't get rtsp streams to work. Do you still have them running?

Yes, RTSP streams are running fine for all my tapo cameras. It sucks though that i'm missing out on 2way microphone :/ Just Make sure you create a local account/password in tapo app -> camera -> advanced settings -> local account for them to work.

[aminasadi0]

ArbiterGR

401 unautorized here too though I can't get rtsp streams to work. Do you still have them running?

Yes, RTSP streams are running fine for all my tapo cameras. It sucks though that i'm missing out on 2way microphone :/ Just Make sure you create a local account/password in tapo app -> camera -> advanced settings -> local account for them to work.

I have those account set and I used to get rtsp before but now I can't. Was using go2rtc's tapo protocol of course and don't know since when they stopped working. Now that tapo is not going to work for a while need to get back to rtsp. Tried all of these combination:

rtsp://ip/stream1
rtsp://user:pass@ip/stream1
rtsp://user:sha256(pass)@ip:554/stream1
rtsp://user:md5(pass)@ip:554/stream1

also tried adding :554 port.

[ArbiterGR]

ArbiterGR

401 unautorized here too though I can't get rtsp streams to work. Do you still have them running?

Yes, RTSP streams are running fine for all my tapo cameras. It sucks though that i'm missing out on 2way microphone :/ Just Make sure you create a local account/password in tapo app -> camera -> advanced settings -> local account for them to work.

I have those account set and I used to get rtsp before but now I can't. Was using go2rtc's tapo protocol of course and don't know since when they stopped working. Now that tapo is not going to work for a while need to get back to rtsp. Tried all of these combination:

rtsp://ip/stream1 rtsp://user:pass@ip/stream1 rtsp://user:sha256(pass)@ip:554/stream1 rtsp://user:md5(pass)@ip:554/stream1

also tried adding :554 port.

What works for me is: rtsp://username:password@camera_ip:554/stream1 . Stream 1 for high res stream, Stream 2 for the lower res. username and password in plaintext, Did you trie deleting the local account from the tapo app and recreate it ?

[AlexxIT]

Tapo RTSP user/pass not related to cloud user/pass. They are totally different.

[derekcentrico]

I'm having this issue on 1.9.2 (default in Frigate 0.14 beta 4). I have Tapo C120 cameras. I cannot get two-way audio. RTSP streams work fine, but do not provide for two-way.

Using tapo:// is the same 401 error reported. "streams: 401 Unauthorized" when using tapo:// options only.

I tried using various streams:

    kitchen:
      - rtsp://tapocam:[email protected]:554/stream1#backchannel=0
      - rtsp://tapocam:[email protected]:554/stream1
      - tapo://[email protected]
      - tapo://192.168.1.246
      - tapo://admin:[email protected]
      - tapo://admin:[email protected]

No two-way audio.

Probing shows:

{
  "producers": [
    {
      "type": "RTSP active producer",
      "url": "rtsp://192.168.1.246:554/stream1/",
      "remote_addr": "192.168.1.246:554",
      "user_agent": "go2rtc/1.9.2",
      "sdp": "v=0\r\no=- 14665860 31787219 1 IN IP4 192.168.1.246\r\ns=Session streamed by \"TP-LINK RTSP Server\"\r\nt=0 0\r\nm=video 0 RTP/AVP 96\r\nc=IN IP4 0.0.0.0\r\nb=AS:4096\r\na=range:npt=0-\r\na=control:track1\r\na=rtpmap:96 H264/90000\r\na=fmtp:96 packetization-mode=1; profile-level-id=640032; sprop-parameter-sets=Z2QAMqzSAKAC1oQAAA+kAAJxoBA=,aOqPLA==\r\nm=audio 0 RTP/AVP 8\r\na=rtpmap:8 PCMA/8000\r\na=control:track2\r\n",
      "medias": [
        "video, recvonly, H.264 High 5.0",
        "audio, recvonly, PCMA/8000"
      ],
      "receivers": [
        "96 H264, bytes=2945351, senders=2",
        "8 PCMA/8000, bytes=54272, senders=1"
      ],
      "recv": 3030943
    },
    {
      "type": "RTSP active producer",
      "url": "rtsp://192.168.1.246:554/stream1/",
      "remote_addr": "192.168.1.246:554",
      "user_agent": "go2rtc/1.9.2",
      "sdp": "v=0\r\no=- 14665860 31787219 1 IN IP4 192.168.1.246\r\ns=Session streamed by \"TP-LINK RTSP Server\"\r\nt=0 0\r\nm=video 0 RTP/AVP 96\r\nc=IN IP4 0.0.0.0\r\nb=AS:4096\r\na=range:npt=0-\r\na=control:track1\r\na=rtpmap:96 H264/90000\r\na=fmtp:96 packetization-mode=1; profile-level-id=640032; sprop-parameter-sets=Z2QAMqzSAKAC1oQAAA+kAAJxoBA=,aOqPLA==\r\nm=audio 0 RTP/AVP 8\r\na=rtpmap:8 PCMA/8000\r\na=control:track2\r\n",
      "medias": [
        "video, recvonly, H.264 High 5.0",
        "audio, recvonly, PCMA/8000"
      ],
      "receivers": [
        "8 PCMA/8000, bytes=0, senders=1",
        "96 H264, bytes=0, senders=1"
      ]
    },
    {
      "url": "tapo://[email protected]"
    },
    {
      "url": "tapo://192.168.1.246"
    },
    {
      "url": "tapo://admin:[email protected]"
    },
    {
      "url": "tapo://admin:[email protected]"
    }
  ],
  "consumers": [
    {
      "type": "RTSP passive consumer",
      "url": "rtsp://127.0.0.1:8554/kitchen",
      "remote_addr": "127.0.0.1:39546",
      "user_agent": "FFmpeg Frigate/0.14.0-a4eb435",
      "sdp": "v=0\r\no=- 1 1 IN IP4 0.0.0.0\r\ns=go2rtc/1.9.2\r\nc=IN IP4 0.0.0.0\r\nt=0 0\r\nm=video 0 RTP/AVP 96\r\na=rtpmap:96 H264/90000\r\na=fmtp:96 packetization-mode=1; profile-level-id=640032; sprop-parameter-sets=Z2QAMqzSAKAC1oQAAA+kAAJxoBA=,aOqPLA==\r\na=control:trackID=0\r\n",
      "medias": [
        "video, sendonly, H264, H265",
        "audio, sendonly, MPEG4-GENERIC"
      ],
      "senders": [
        "96 H264, bytes=2945351, receivers=1"
      ],
      "send": 2982919
    },
    {
      "type": "probe",
      "remote_addr": "192.168.1.140:50545",
      "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
      "medias": [
        "audio, sendonly, ALL",
        "video, sendonly, ALL",
        "audio, recvonly, ANY"
      ],
      "senders": [
        "8 PCMA/8000, bytes=0, receivers=1",
        "8 PCMA/8000, bytes=0, receivers=1",
        "96 H264, bytes=0, receivers=1",
        "96 H264, bytes=0, receivers=1"
      ]
    }
  ]
}

I'm at a loss on how to further debug/try to get this to work. You'll see that there is no senders under the producers section. The tapo:// URLs don't probe anything.

[ppfeister]

Adding that this issue is being experience on the tc85 running version 1.2.21. Note that the tapo:// protocol worked with the tc85 while on 1.2.18, and I believe 1.2.20 (by memory, could be wrong about the #)? Affects cleartext, md5, and sha256 alike.

[patlux]

Had the same issue with "user/pass wrong" on my C200, but after upgrading the c200 to 1.0.17 Build 240806 it worked.

[rursache]

i'm having the same 401 unauthorized issue with a C110 with firmware 1.3.14.
a new firmware is available (1.4.3) but i wouldn't mess with updating if not strictly needed

[nvitaterna]

Just got a new C110. Updated to 1.4.3, tried connecting to it via the tapo protocol and was getting 401s. After reading over this thread, and some others, I reset my password on my TP Link account, and I've now got a working stream via tapo://admin:[sha256password]@IP.

[rursache]

Just got a new C110. Updated to 1.4.3, tried connecting to it via the tapo protocol and was getting 401s. After reading over this thread, and some others, I reset my password on my TP Link account, and I've now got a working stream via tapo://admin:[sha256password]@IP.

i tried just that with my C110:

1. update to 1.4.3
2. reboot camera
3. changed my tapo account password (only letters and numbers, 32 chars)
4. reboot camera
5. opened camera in tapo app
6. add this config in go2rtc (demo, not real data!):

streams:
    tapo_test:
        - tapo://admin:37UU946A3B825CE46716D605E787C7BCFD4C69072C3320D3FC85D843187C3975@192.168.1.10

7. restart go2rtc container
8. access the go2rtc link to the cam (stream.html?src=tapo_test) and still 401...

EDIT: i even disabled 2FA to no avail

EDIT 2: bought a new camera, returned the old one. never updated the firmware so im running 1.3.7

using the md5 hash instead of SHA1 works perfectly!

[nvitaterna]

Just got a new C110. Updated to 1.4.3, tried connecting to it via the tapo protocol and was getting 401s. After reading over this thread, and some others, I reset my password on my TP Link account, and I've now got a working stream via tapo://admin:[sha256password]@IP.

i tried just that with my C110:

1. update to 1.4.3
2. reboot camera
3. changed my tapo account password (only letters and numbers, 32 chars)
4. reboot camera
5. opened camera in tapo app
6. add this config in go2rtc (demo, not real data!):

streams:
    tapo_test:
        - tapo://admin:37UU946A3B825CE46716D605E787C7BCFD4C69072C3320D3FC85D843187C3975@192.168.1.10

7. restart go2rtc container
8. access the go2rtc link to the cam (stream.html?src=tapo_test) and still 401...

EDIT: i even disabled 2FA to no avail

@nvitaterna is your setup different?

This is exactly what I did, unfortunately. Was hoping it may be useful, but it seems to be random.

[rici44]

The same problem with TP-LINK Tapo C120 with version 1.2.2. Don't you know how to solve this?

[latel]

@rici44 downgrade the firmware. my v1.1.15 is working fine.

[rici44]

thanks for the info @latel Where did you downloaded firmware? On this link, there are only these:
firmware/Tapo_C120v1_en_1.0.3_Build_230713_Rel.77621n_up_boot-signed_1691150849176.bin
firmware/Tapo_C120v1_en_1.0.3_Build_230713_Rel.77621n_up_boot-signed_1691150883724.bin
firmware/Tapo_C120v1_en_1.1.1_Build_230821_Rel.71367n_up_boot-signed_1697190749422.bin
firmware/Tapo_C120v1_en_1.1.1_Build_230821_Rel.71367n_up_boot-signed_1697190849015.bin
firmware/Tapo_C120v1_en_1.1.3_Build_230930_Rel.56236n_up_boot-signed_1697190793364.bin
firmware/Tapo_C120v1_en_1.1.3_Build_230930_Rel.56236n_up_boot-signed_1697192563556.bin
firmware/Tapo_C120v1_en_1.1.3_Build_230930_Rel.56236n_up_boot-signed_1697194362284.bin

[latel]

I thins this one or previous is fine: Tapo_C120v1_en_1.1.3_Build_230930_Rel.56236n_up_boot-signed_1697190793364.bin,
mine is v1.1.15, it's also ok but not in the list, the list is currently outed, missing some working versions.

[rici44]

I tried these bins:
firmware/Tapo_C120v1_en_1.1.1_Build_230821_Rel.71367n_up_boot-signed_1697190849015.bin
firmware/Tapo_C120v1_en_1.1.3_Build_230930_Rel.56236n_up_boot-signed_1697190793364.bin
But camera led is blinking green and nothing happens after I insert formatted card with correct bin as factory_up_boot.bin
I waited 5 mins but there is only green flashing.
I rebooted it and there is no downgraded firmware.

[mofman]

All 4 of my C120s are running latest 1.2.2 firmware and working perfectly with go2rtc including two way audio.
If you are having problems:

• Block domains n-device-api.tplinkcloud.com and security.iot.i.tplinknbu.com at DNS/Router level
• Reset device to factory setting using paperclip
• Set up devce as normal, do not connect to Camera Account
• admin and then sha256 uppercase for your tapo account
• tapo://admin:XXXXXX88C3CA4184XXX2362896XXXAC1EA681A2E82ED40XXX25C8E25EEXXXXXX@192.168.0.1

[mofman]

pip3 install pytapo

from pytapo import Tapo

user = "admin"
password = "XXXXXXXXX" # password for your **tapo account**
host = "192.168.0.1" # ip of the camera, example: 192.168.1.52

tapo = Tapo(host, user, password)

print(tapo.getBasicInfo())

can also use this to debug if you want

[rici44]

• Block domains n-device-api.tplinkcloud.com and security.iot.i.tplinknbu.com

@mofman thank you for the info. Blocked and configured with tapo://..
TAPO C120 now works with 2-way audio in Home Assistant.

[latel]

• Block domains n-device-api.tplinkcloud.com and security.iot.i.tplinknbu.com

@mofman thank you for the info. Blocked and configured with tapo://.. TAPO C120 now works with 2-way audio in Home Assistant.

is https required for 2-way audio in homeassistant?

[AlexxIT]

HTTPS required for any modern browser for open access to microphone. This is not related to HA or go2rtc or anything else. This only related to the privacy policies of modern browsers.

[rursache]

@derekcentrico / @rici44 please keep this issue on point. it's not about frigate configs or anything else than the 401 unauthorized error some users get.

[rici44]

please keep this issue on point

yeap, ok, got it
for me the problem with 401 Unauthorized using Tapo Protocol is solved

[derekcentrico]

@rici44 which firmware did you go with in the end?

[rici44]

@derekcentrico v1.2.2

[derekcentrico]

@rici44 do you have the firmware download filename? I don't see it on the master blob.

EDIT: wait isn't that the latest available? Did you meant something else? I'm running that on another camera and it won't work.

[rici44]

@derekcentrico no, as @mofman wrote here it's just the latest version available from the app

[dgibbs64]

Big update on this thread that might help JurajNyiri/HomeAssistant-Tapo-Control#551