Sunday, 24 July 2016

My ISP's Router Does Not Comply with UPNP

Hello everyone.
As you may or may not know I am working on my smart light project.
One of the goals was to control the light from the internet. In order to that I need to make port forward from the router to my openhab server. One way to do that is using the port forward feature of my router. Another way is by requesting forward using UPNP protocol. My ISP got CGNAT, and regular port forward does not work. I am not sure about it but it seems that UPNP still works despite the CGNAT. After I decided I am using UPNP, I searched for some CLI UPNP utility, and found Miniupnp, Very simple tool. Tried it, didnt work :(


Maybe my router does not support UPNP? that can not be right, I am using uTorrent, and its UPNP process succeeds.
If uTorrent works, and Miniupnp don't, it's time for Wireshark!
First of all I started looking in uTorrent UPNP process, and indeed, everything looks well.
At first look I didnt see anything, but when I compare the data with Miniupnp I saw the bug clearly.

uTorrent starts the upnp discovery process, finds the router, and asks it for upnp services at port 5431. It looks like this

GET /dyndev/uuid:acf1df18-12ff-ff12-18df-f1acf118ff0000 HTTP/1.1
Host: 10.0.0.138:5431
Connection: close
HTTP/1.0 200 OK
SERVER: LINUX/2.4 UPnP/1.0 BRCM400/1.0
DATE: Thu, 21 Jul 2016 22:56:53 GMT
CONTENT-TYPE: application/octet-stream
Cache-Control: max-age=1
PRAGMA: no-cache
Connection: Close
<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<URLBase>http://10.0.0.138:80/</URLBase>
....
view raw gistfile1.txt hosted with ❤ by GitHub
I ended the stream on URLBase for a reason. The router UPNP server return URLBase parameter with its own ip at port #80. But then, instead of switching to port 80, uTorrent continue in port 5431 and the UPNP process succeeds.

Miniupnp actually listen to what my UPNP server has to say, and switches to port 80, and failing as there is no UPNP service there!
One way to fix this problem is to patch Miniupnp

MINIUPNP_LIBSPEC void
GetUPNPUrls(struct UPNPUrls * urls, struct IGDdatas * data,
const char * descURL, unsigned int scope_id)
{
/* strdup descURL */
urls->rootdescURL = strdup(descURL);
/* get description of WANIPConnection */
urls->ipcondescURL = build_absolute_url(data->urlbase, descURL,
data->first.scpdurl, scope_id);
urls->controlURL = build_absolute_url(data->urlbase, descURL,
data->first.controlurl, scope_id);
urls->controlURL_CIF = build_absolute_url(data->urlbase, descURL,
data->CIF.controlurl, scope_id);
urls->controlURL_6FC = build_absolute_url(data->urlbase, descURL,
data->IPv6FC.controlurl, scope_id);
#ifdef DEBUG
printf("urls->ipcondescURL='%s'\n", urls->ipcondescURL);
printf("urls->controlURL='%s'\n", urls->controlURL);
printf("urls->controlURL_CIF='%s'\n", urls->controlURL_CIF);
printf("urls->controlURL_6FC='%s'\n", urls->controlURL_6FC);
#endif
}
view raw gistfile1.txt hosted with ❤ by GitHub
Replacing data->urlbase with some hardcoded url or ignoring the port in the url string,
Which works, but patching Miniupnp is wrong, it's not a problem with miniupnp!
Now that we decided that patching the router UPNP server is the way let's get started.
If you remember, I once managed to compile my router firmware from "source",  so going back to firmware "source" will get the UNP server code. Wrong!
Under the firmware there is the open source tools, with their code, and the closed source tools.. with their binaries. Got the UPNP server binary, open it up with hex editor, finds the URLBase string, actually the entire XML response was one string. Removed some "\r\n" in XML response so I can push the right port number instead of 80
and voila! it's working!
I mean it is a real dumb bug. My router firmware is influenced by my ISP, probably my ISP and d'link had miscommunicated and this bug happened on the way.
Hope this trick can help you with UPNP
Thanks for reading!
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)