Annoyances

Apart from the real grave bugs there are also a few bugs that are maybe somewhat less evil, but can still annoy the hell out of ordinary users. A few of them are presented below.

• Broadcom and nvram
• 'Router' and maximum mappings
• ForceTermination

Broadcom and nvram

Many Broadcom devices (such as Linksys WRT54G routers) store the UPnP mappings in nvram. The reason for this is when the device is rebooted the stored mappings will be there, as if nothing happened. This is very convenient, as long as the programs you have behave properly. But what happens if they are not?

As it turns out, Broadcom based devices can handle a maximum of 32 mappings in nvram. For a normal home network this should be plenty. The amazing part is that as soon as you have added 32 mappings and add another one the UPnP stack will still allow you to do this and never present you an error. In fact, it will return a valid response code. Programs will think that the mapping was made and try to use the connection (for example, for file transfers) and it will fail. The following "hack" will irritate the hell out of people and render a router useless for normal people, who don't know how to delete portmappings:

• add 32 portmappings to a port that is never used, like port 1 or 9

And that's it. Since the Broadcom devices don't have an option in the web interface to delete portmappings there is only one solution: full factory reset.

There are two fixes to this problem that Broadcom should implement:

• return an error if there are too many port mappings
• let a user remove the mappings through a web interface
  

'Router' and maximum mappings

Devices using the 'Router' UPnP stack have a maximum of 160 mappings. After this no new mappings will be accepted, but no warning will be given either. The mappings can easily be erased by disabling and reenabling UPnP in the administrative interface.

ForceTermination

With the 4.21.1 firmware of a Linksys WRT54G it is fairly easy to annoy the hell out of users.

One of the methods in the WANIPConnection subprofile is the ForceTermination method. With this method it is possible to terminate the WAN connection of the router immediately. Its counterpart to enable it using UPnP is the RequestConnection method. Needless to say, this is hard to debug for an end user, especially since you can't see it on the router, because the LEDs don't change, so it appears the WAN connection is just working fine. There are a few possibilities for an unknowing user to restore the connection:

• powercycle the router
• use the webinterface to restart the connection

The first is by far the easiest. The second method is not too hard either in the WRT54G, but it is not where you would expect it: in the administrative interface go to Setup and choose the Basic Setup menu (default). Save the configuration, wait a few seconds, and the connection should be back.

In other routers it is often enough to simply renew the DHCP release of the router. Many Linux IGD based routers don't even have the functionality, since it has never been implemented in that stack (yet).

A few devices, such as the Linksys WRT350Nv2, have made ForceTermination a configurable option. In the management interface under Administration there is the option "Allow Users to Disable Internet Access" and it is disabled by default.

• UPnP workings
• UPnP IGD hacking
  • IGD stacks
  • Vulnerable IGD devices
  • Possibly vulnerable IGD devices
  • IGD Annoyances
  • Getting access to DNS with UPnP
• UPnP A/V hacking
• UPnP RemoteUI hacking
• Unresearched UPnP hacks
• Downloads
• News
• Media
• Frequently Asked Questions
• Contact
• Links