RG-fun

Messing around with residential gateways (home routers)

View the Project on GitHub

TR064 info from Huawei HG659

An nmap scan with the upnp-info script provides the main UPNP file:

$ sudo nmap -sU -p 1900 --script=upnp-info 10.2.1.1

Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-16 19:51 NZST
Nmap scan report for 10.2.1.1
Host is up (0.00034s latency).
PORT     STATE SERVICE
1900/udp open  upnp
| upnp-info:
| 10.2.1.1
|     Server: Linux UPnP/1.0 Huawei-ATP-IGD
|_    Location: http://10.2.1.1:37215/upnpdev.xml
MAC Address: FE:ED:DE:AD:BE:EF (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds

Looking at the upnpdev.xml file shows a bunch of SCPDURL tags pointing to XML files located in /desc/:

Contents of http://10.2.1.1:37215/upnpdev.xml ```xml 1 0 urn:schemas-upnp-org:device:InternetGatewayDevice:1 Huawei Home Gateway Huawei Technologies Co., Ltd. http://www.huawei.com Huawei Home Gateway HG659 Huawei Model http://www.huawei.com redacted uuid:00e0fc37-2525-2828-2500-redacted 000000000001 urn:schemas-upnp-org:service:Layer3Forwarding:1 urn:upnp-org:serviceId:L3Forwarding1 /desc/L3Fwd.xml /ctrlu/Layer3Forwarding_1 /evt/Layer3Forwarding_1 urn:schemas-upnp-org:device:WANDevice:1 WANDevice Huawei Technologies Co., Ltd. http://www.huawei.com Huawei Home Gateway HG659 Huawei Model http://www.huawei.com redacted uuid:00e0fc37-2525-2828-2501-redacted 000000000001 urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1 urn:upnp-org:serviceId:WANCommonIFC1 /desc/WanCommonIfc1.xml /ctrlu/WANCommonInterfaceConfig_1 /evt/WANCommonInterfaceConfig_1 urn:schemas-upnp-org:device:WANConnectionDevice:1 WANConnectionDevice Huawei Technologies Co., Ltd. http://www.huawei.com Huawei Home Gateway HG659 Huawei Model http://www.huawei.com redacted uuid:00e0fc37-2525-2828-2502-redacted 000000000001 urn:schemas-upnp-org:service:WANIPConnection:1 urn:upnp-org:serviceId:WANIPConn1 /desc/WanIpConn.xml /ctrlu/WANIPConnection_1 /evt/WANIPConnection_1 urn:schemas-upnp-org:service:WANDSLLinkConfig:1 urn:upnp-org:serviceId:WANDSLLinkC1 /desc/WanDslLink.xml /ctrlu/WANDSLLinkConfig_1 /evt/WANDSLLinkConfig_1 urn:schemas-upnp-org:device:LANDevice:1 LANDevice Huawei Technologies Co., Ltd. http://www.huawei.com Huawei Home Gateway HG659 Huawei Model http://www.huawei.com redacted uuid:00e0fc37-2525-2828-2503-redacted 000000000001 urn:schemas-upnp-org:service:LANHostConfigManagement:1 urn:upnp-org:serviceId:LANHostCfg1 /desc/LanHostCfgMgmt.xml /ctrlu/LANHostConfigManagement_1 /evt/LANHostConfigManagement_1 http://10.2.1.1 ```

Turns out that isn’t a complete list, more are available. From extracting the firmware we get this list of UPNP/TR064 files:

$ ls etc/upnp/
DevCfg.xml
DevUpg.xml
IGDInfoScpd.xml
L3Fwd.xml
LANEthernetInterfaceCf.xml
LanHostCfgMgmt.xml
LANSec.xml
UpnpWanPppConn.xml
WanCommonIfc1.xml
WanDslIfCfg.xml
WanDslLink.xml
WanEthLink.xml
WanIpConn.xml
WanPppConn.xml
WLANCfg.xml

Grab all the files and tidy them up with indents:

$ for file in `ls etc/upnp`; do wget http://10.2.1.1:37215/desc/$file -qO /tmp/$file; done
 for file in `ls etc/upnp`; do tidy -xml -qim /tmp/$file; done

And here they are

Extracted using modified fritzconnection

Servicename:        LANHostConfigManagement:1
Actionname:         DeleteDNSServer
                        ('NewDNSServers', 'in', 'string')
Actionname:         DeleteIPRouter
                        ('NewIPRouters', 'in', 'string')
Actionname:         DeleteReservedAddress
                        ('NewReservedAddresses', 'in', 'string')
Actionname:         GetAddressRange
                        ('NewMaxAddress', 'out', 'string')
                        ('NewMinAddress', 'out', 'string')
Actionname:         GetDHCPRelay
                        ('NewDHCPRelay', 'out', 'boolean')
Actionname:         GetDHCPServerConfigurable
                        ('NewDHCPServerConfigurable', 'out', 'boolean')
Actionname:         GetDNSServers
                        ('NewDNSServers', 'out', 'string')
Actionname:         GetDomainName
                        ('NewDomainName', 'out', 'string')
Actionname:         GetIPRoutersList
                        ('NewIPRouters', 'out', 'string')
Actionname:         GetReservedAddresses
                        ('NewReservedAddresses', 'out', 'string')
Actionname:         GetSubnetMask
                        ('NewSubnetMask', 'out', 'string')
Actionname:         SetAddressRange
                        ('NewMaxAddress', 'in', 'string')
                        ('NewMinAddress', 'in', 'string')
Actionname:         SetDHCPRelay
                        ('NewDHCPRelay', 'in', 'boolean')
Actionname:         SetDHCPServerConfigurable
                        ('NewDHCPServerConfigurable', 'in', 'boolean')
Actionname:         SetDNSServer
                        ('NewDNSServers', 'in', 'string')
Actionname:         SetDomainName
                        ('NewDomainName', 'in', 'string')
Actionname:         SetIPRouter
                        ('NewIPRouters', 'in', 'string')
Actionname:         SetReservedAddress
                        ('NewReservedAddresses', 'in', 'string')
Actionname:         SetSubnetMask
                        ('NewSubnetMask', 'in', 'string')

Servicename:        Layer3Forwarding:1
Actionname:         GetDefaultConnectionService
                        ('NewDefaultConnectionService', 'out', 'string')
Actionname:         SetDefaultConnectionService
                        ('NewDefaultConnectionService', 'in', 'string')

Servicename:        WANCommonInterfaceConfig:1
Actionname:         GetCommonLinkProperties
                        ('NewLayer1DownstreamMaxBitRate', 'out', 'ui4')
                        ('NewLayer1UpstreamMaxBitRate', 'out', 'ui4')
                        ('NewPhysicalLinkStatus', 'out', 'string')
                        ('NewWANAccessType', 'out', 'string')
Actionname:         GetEnabledForInternet
                        ('NewEnabledForInternet', 'out', 'boolean')
Actionname:         GetTotalBytesReceived
                        ('NewTotalBytesReceived', 'out', 'ui4')
Actionname:         GetTotalBytesSent
                        ('NewTotalBytesSent', 'out', 'ui4')
Actionname:         GetTotalPacketsReceived
                        ('NewTotalPacketsReceived', 'out', 'ui4')
Actionname:         GetTotalPacketsSent
                        ('NewTotalPacketsSent', 'out', 'ui4')
Actionname:         SetEnabledForInternet
                        ('NewEnabledForInternet', 'in', 'boolean')

Servicename:        WANDSLLinkConfig:1
Actionname:         GetATMEncapsulation
                        ('NewATMEncapsulation', 'out', 'string')
Actionname:         GetAutoConfig
                        ('NewAutoConfig', 'out', 'boolean')
Actionname:         GetDSLLinkInfo
                        ('NewLinkStatus', 'out', 'string')
                        ('NewLinkType', 'out', 'string')
Actionname:         GetDestinationAddress
                        ('NewDestinationAddress', 'out', 'string')
Actionname:         GetFCSPreserved
                        ('NewFCSPreserved', 'out', 'boolean')
Actionname:         GetModulationType
                        ('NewModulationType', 'out', 'string')
Actionname:         SetATMEncapsulation
                        ('NewATMEncapsulation', 'in', 'string')
Actionname:         SetDSLLinkType
                        ('NewLinkType', 'in', 'string')
Actionname:         SetDestinationAddress
                        ('NewDestinationAddress', 'in', 'string')
Actionname:         SetFCSPreserved
                        ('NewFCSPreserved', 'in', 'boolean')

Servicename:        WANIPConnection:1
Actionname:         AddPortMapping
                        ('NewEnabled', 'in', 'boolean')
                        ('NewExternalPort', 'in', 'ui2')
                        ('NewInternalClient', 'in', 'string')
                        ('NewInternalPort', 'in', 'ui2')
                        ('NewLeaseDuration', 'in', 'ui4')
                        ('NewPortMappingDescription', 'in', 'string')
                        ('NewProtocol', 'in', 'string')
                        ('NewRemoteHost', 'in', 'string')
Actionname:         DeletePortMapping
                        ('NewExternalPort', 'in', 'ui2')
                        ('NewProtocol', 'in', 'string')
                        ('NewRemoteHost', 'in', 'string')
Actionname:         ForceTermination
Actionname:         GetAutoDisconnectTime
                        ('NewAutoDisconnectTime', 'out', 'ui4')
Actionname:         GetConnectionTypeInfo
                        ('NewConnectionType', 'out', 'string')
                        ('NewPossibleConnectionTypes', 'out', 'string')
Actionname:         GetExternalIPAddress
                        ('NewExternalIPAddress', 'out', 'string')
Actionname:         GetGenericPortMappingEntry
                        ('NewEnabled', 'out', 'boolean')
                        ('NewExternalPort', 'out', 'ui2')
                        ('NewInternalClient', 'out', 'string')
                        ('NewInternalPort', 'out', 'ui2')
                        ('NewLeaseDuration', 'out', 'ui4')
                        ('NewPortMappingDescription', 'out', 'string')
                        ('NewPortMappingIndex', 'in', 'ui2')
                        ('NewProtocol', 'out', 'string')
                        ('NewRemoteHost', 'out', 'string')
Actionname:         GetNATRSIPStatus
                        ('NewNATEnabled', 'out', 'boolean')
                        ('NewRSIPAvailable', 'out', 'boolean')
Actionname:         GetSpecificPortMappingEntry
                        ('NewEnabled', 'out', 'boolean')
                        ('NewExternalPort', 'in', 'ui2')
                        ('NewInternalClient', 'out', 'string')
                        ('NewInternalPort', 'out', 'ui2')
                        ('NewLeaseDuration', 'out', 'ui4')
                        ('NewPortMappingDescription', 'out', 'string')
                        ('NewProtocol', 'in', 'string')
                        ('NewRemoteHost', 'in', 'string')
Actionname:         GetStatusInfo
                        ('NewConnectionStatus', 'out', 'string')
                        ('NewLastConnectionError', 'out', 'string')
                        ('NewUptime', 'out', 'ui4')
Actionname:         RequestConnection
Actionname:         SetAutoDisconnectTime
                        ('NewAutoDisconnectTime', 'in', 'ui4')
Actionname:         SetConnectionType
                        ('NewConnectionType', 'in', 'string')