uPnP information

Discovery

The gssdp-discover utility can scan for uPnP devices:

# Install gupnp tools
sudo apt install gupnp-tools

# Discover uPnP devices
gssdp-discover -i eth0 -n 5
Using network interface eth0
Scanning for all resources
Showing "available" messages
resource available
  USN:      uuid:febed3e7-12b5-d981-39b3-ee171492f3e6
  Location: http://192.168.8.8:1990/WFADevice.xml
resource available
  USN:      uuid:febed3e7-12b5-d981-39b3-ee171492f3e6::upnp:rootdevice
  Location: http://192.168.8.8:1990/WFADevice.xml
resource available
  USN:      uuid:e7d6ff43-6f80-31a0-bd00-8afb93ca713d
  Location: http://192.168.8.1:60000/e7d6ff43/gatedesc.xml
resource available
  USN:      uuid:e7d6ff43-6f80-31a0-bd00-8afb93ca713d::upnp:rootdevice
  Location: http://192.168.8.1:60000/e7d6ff43/gatedesc.xml

# Get uPnP devices list:
gssdp-discover -i eth0 -n 5 | grep Location | sort | uniq
  Location: http://192.168.8.1:60000/e7d6ff43/gatedesc.xml
  Location: http://192.168.8.8:1990/WFADevice.xml

uPnP subscribe

To subscribe to uPnP events...

uPnP devices should not accept subscriptions from non-LAN devices (e.g. the CallStranger exploit).

wget -qO - http://192.168.8.8:1990/WFADevice.xml
<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
    <specVersion>
     <major>1</major>
     <minor>0</minor>
    </specVersion>
    <device>
     <deviceType>urn:schemas-wifialliance-org:device:WFADevice:1</deviceType>
          <friendlyName>WFADevice</friendlyName>
     <manufacturer>Broadcom Corporation</manufacturer>
          <manufacturerURL>http://www.broadcom.com</manufacturerURL>
     <modelDescription>Wireless Device</modelDescription>
     <modelName>WPS</modelName>
          <modelNumber>X1</modelNumber>
          <serialNumber>0000001</serialNumber>
     <UDN>uuid:febed3e7-12b5-d981-39b3-ee171492f3e6</UDN>
     <serviceList>
          <service>
              <serviceType>urn:schemas-wifialliance-org:service:WFAWLANConfig:1</serviceType>
              <serviceId>urn:wifialliance-org:serviceId:WFAWLANConfig1</serviceId>
              <SCPDURL>/x_wfawlanconfig.xml</SCPDURL>
              <controlURL>/control?WFAWLANConfig</controlURL>
              <eventSubURL>/event?WFAWLANConfig</eventSubURL>
          </service>
     </serviceList>
    </device>
</root>

curl -v "http://192.168.8.8:1990/event?WFAWLANConfig" -H "CALLBACK: <http://192.168.8.253:80>" -H "NT: upnp:event" -H "TIMEOUT: Second-1800" -X SUBSCRIBE
*   Trying 192.168.8.8...
* TCP_NODELAY set
* Connected to 192.168.8.8 (192.168.8.8) port 1990 (#0)
> SUBSCRIBE /event?WFAWLANConfig HTTP/1.1
> Host: 192.168.8.8:1990
> User-Agent: curl/7.58.0
> Accept: */*
> CALLBACK: <http://192.168.8.253:80>
> NT: upnp:event
> TIMEOUT: Second-1800
>
< HTTP/1.1 200 OK
< Server: POSIX, UPnP/1.0 UPnP Stack/2013.4.3.0
< Date: Fri, 12 Jun 2020 10:01:51 GMT
< SID: uuid:5ee3528f-07bd-07bd-07bd-07bd00000022
< Timeout: Second-1800
< Connection: close
<
* Closing connection 0
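
One way a device-side stack could enforce the "no subscriptions from outside the LAN" rule on the SUBSCRIBE request shown above. This is an added example, not code from the original page or from any uPnP stack; the LAN range, the policy and the function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the device's LAN, matching the 192.168.8.x hosts on this page.
LAN = ipaddress.ip_network("192.168.8.0/24")

# SUBSCRIBE headers from the curl session above.
PAGE_REQUEST = {
    "CALLBACK": "<http://192.168.8.253:80>",
    "NT": "upnp:event",
    "TIMEOUT": "Second-1800",
}


def callback_urls(header_value):
    """Split a CALLBACK header into its delivery URLs (one or more <url>)."""
    return re.findall(r"<([^<>]+)>", header_value)


def check_subscribe(headers, peer_ip, lan=LAN):
    """Return (accepted, reason) for a SUBSCRIBE request.

    Hypothetical policy: the TCP peer and every callback host must be
    literal IP addresses inside `lan`, so events never leave the LAN.
    """
    hdrs = {k.upper(): v for k, v in headers.items()}
    if hdrs.get("NT") != "upnp:event":
        return False, "NT must be upnp:event"
    if ipaddress.ip_address(peer_ip) not in lan:
        return False, "subscriber is not on the LAN"
    urls = callback_urls(hdrs.get("CALLBACK", ""))
    if not urls:
        return False, "no callback URL"
    for url in urls:
        try:
            parts = urlsplit(url)
            # Hostnames raise ValueError here: DNS could point off-LAN later.
            host = ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            return False, f"callback host is not an IP literal: {url}"
        if parts.scheme != "http":
            return False, f"callback scheme not allowed: {url}"
        if host not in lan:
            return False, f"callback outside LAN: {url}"
    return True, "ok"
```

Every URL in the CALLBACK header is checked, because a single header may carry several `<url>` entries and one off-LAN entry is enough to redirect event traffic.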

Remote control

uPnP allows remote control of a SmartTV.

Wake on LAN

To remotely power on a device compatible with Wake-on-LAN, a magic packet can be sent using the wakeonlan utility:

# Install wakeonlan utility
sudo apt install wakeonlan

# Remote wake up a device
wakeonlan e4:7d:bd:31:40:c6

uPnP remote control receiver

To use the remote control:

wget -qO - http://192.168.0.21:7676/rcr/
<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0" xmlns:sec="http://www.sec.co.kr/dlna" xmlns:dlna="urn:schemas-dlna-org:device-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <device>
    <deviceType>urn:samsung.com:device:RemoteControlReceiver:1</deviceType>
    <friendlyName>[TV] Samsung 6 Series (40)</friendlyName>
    <manufacturer>Samsung Electronics</manufacturer>
    <manufacturerURL>http://www.samsung.com/sec</manufacturerURL>
    <modelDescription>Samsung DTV RCR</modelDescription>
    <modelName>UE40KU6400</modelName>
    <modelNumber>1.0</modelNumber>
    <modelURL>http://www.samsung.com/sec</modelURL>
    <serialNumber>20090804RCR</serialNumber>
    <UDN>uuid:ee5ac016-1dfb-4dbc-8d72-321fa6cccd8c</UDN>
    <sec:deviceID>SHCHC5ZTTO2RS</sec:deviceID>
    <sec:ProductCap>Resolution:1920X1080,Tizen,Y2016</sec:ProductCap>
    <serviceList>
      <service>
        <serviceType>urn:samsung.com:service:MultiScreenService:1</serviceType>
        <serviceId>urn:samsung.com:serviceId:MultiScreenService</serviceId>
        <controlURL>/RCR/control/MultiScreenService</controlURL>
        <eventSubURL>/RCR/event/MultiScreenService</eventSubURL>
        <SCPDURL>MultiScreenService.xml</SCPDURL>
      </service>
    </serviceList>
    <sec:Capabilities>
        <sec:Capability name="samsung:multiscreen:1" port="8001" location="/ms/1.0/"/>
    </sec:Capabilities>
  </device>
</root>

wget -qO - http://192.168.0.21:7676/RCR/control/MultiScreenService/MultiScreenService.xml
<?xml version="1.0" encoding="utf-8"?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0">
   <specVersion>
      <major>1</major>
      <minor>0</minor>
   </specVersion>
   <actionList>
      <action>
         <name>SendKeyCode</name>
         <argumentList>
            <argument>
               <name>KeyCode</name>
               <direction>in</direction>
               <relatedStateVariable>A_ARG_TYPE_KeyCode</relatedStateVariable>
            </argument>
            <argument>
               <name>KeyDescription</name>
               <direction>in</direction>
               <relatedStateVariable>A_ARG_TYPE_KeyDescription</relatedStateVariable>
            </argument>
         </argumentList>
      </action>
   </actionList>
   <serviceStateTable>
      <stateVariable sendEvents="no">
         <name>A_ARG_TYPE_KeyCode</name>
         <dataType>ui4</dataType>
      </stateVariable>
      <stateVariable sendEvents="no">
         <name>A_ARG_TYPE_KeyDescription</name>
         <dataType>string</dataType>
      </stateVariable>
   </serviceStateTable>
</scpd>
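
To audit which control actions a device on your own network exposes, the SCPD above can be reduced to a list of actions with typed arguments. This is an added example, not code from the original page; the function name is an assumption and the embedded XML is a trimmed copy of the document shown above.

```python
import xml.etree.ElementTree as ET

NS = {"s": "urn:schemas-upnp-org:service-1-0"}

# Trimmed copy of the MultiScreenService SCPD shown above.
SCPD = """<scpd xmlns="urn:schemas-upnp-org:service-1-0">
  <actionList><action>
    <name>SendKeyCode</name>
    <argumentList>
      <argument><name>KeyCode</name><direction>in</direction>
        <relatedStateVariable>A_ARG_TYPE_KeyCode</relatedStateVariable></argument>
      <argument><name>KeyDescription</name><direction>in</direction>
        <relatedStateVariable>A_ARG_TYPE_KeyDescription</relatedStateVariable></argument>
    </argumentList>
  </action></actionList>
  <serviceStateTable>
    <stateVariable sendEvents="no"><name>A_ARG_TYPE_KeyCode</name><dataType>ui4</dataType></stateVariable>
    <stateVariable sendEvents="no"><name>A_ARG_TYPE_KeyDescription</name><dataType>string</dataType></stateVariable>
  </serviceStateTable>
</scpd>"""


def list_actions(scpd_xml):
    """Return {action: [(argument, direction, dataType), ...]} for an SCPD."""
    # Device-supplied XML is untrusted: refuse DTDs before parsing.
    if "<!DOCTYPE" in scpd_xml:
        raise ValueError("DOCTYPE not allowed in SCPD")
    root = ET.fromstring(scpd_xml)
    # Map each state variable to its declared data type.
    types = {
        sv.findtext("s:name", namespaces=NS): sv.findtext("s:dataType", namespaces=NS)
        for sv in root.iterfind("s:serviceStateTable/s:stateVariable", NS)
    }
    actions = {}
    for act in root.iterfind("s:actionList/s:action", NS):
        args = []
        for arg in act.iterfind("s:argumentList/s:argument", NS):
            var = arg.findtext("s:relatedStateVariable", namespaces=NS)
            args.append((arg.findtext("s:name", namespaces=NS),
                         arg.findtext("s:direction", namespaces=NS),
                         types.get(var, "unknown")))
        actions[act.findtext("s:name", namespaces=NS)] = args
    return actions
```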
04-Sep-2020