CPE903-2 4G Router config problem - port 8080 blocked on all interfaces by router web interface

mikiberkovich · June 10, 2023, 5:52pm

I got a CPE903-2 4G Router from "Tianjie" (also "Kuwfi" has a similar router).

The router basically works fine, but it has one major issue: its built-in webserver (used to login to the router's admin panel) listens on port 8080 on ANY interface and any IP (even non-existing ones like 250.2.5.5:8080 are "picked" up by it) - essentially restricting access to any external website using this port.

I need this port to be open as part of my job is to work with services hosted on port 8080.

Here's what I know so far:

The router uses MediaTek's MT6735 chip as cpu, and has a preinstalled Android 6 (ro.build.version.sdk=23) running Eclipse Jetty (I-Jetty) webserver v7.5.4.v20111024 with Maven plugin (appears as: "Server: Jetty(i-jetty 6.0-1663646889)" in HTTP response).

I searched in Google and apparently Jetty has a default setting of listening to all interfaces on port 8080 - which is what I believe is also the case here.

I want to change this setting and I believe that if i will set it to listen on a specific interface (say 192.168.199.1 - which is the default address for the web admin) on port 8080 - this will fix the issue.

After finding a thread in a russian forum about this router (4pda.to) I managed to get into the router's shell (using adb) but I have no idea what setting I should change in order to apply this change.

Here's some information I collected from the router:

Router photo:

Output of "ifconfig" in the router's shell (in ADB):

root@cpf906_35_c2k_36g_p:/ # ifconfig
ap0       Link encap:Ethernet  HWaddr 9A:80:BB:92:1F:25
          inet6 addr: fe80::9880:bbff:fe92:1f25/64 Scope: Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13352 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:27887 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:2856503 TX bytes:28533560 

br0       Link encap:Ethernet  HWaddr 00:E0:99:9F:EF:F9
          inet addr:192.168.199.1  Bcast:192.168.199.255  Mask:255.255.255.0 
          inet6 addr: fe80::e83d:dbff:fe10:bb7b/64 Scope: Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47292 errors:0 dropped:19 overruns:0 frame:0 
          TX packets:74975 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:0 
          RX bytes:7051935 TX bytes:63437894 

ccmni0    Link encap:Ethernet  HWaddr 96:C8:89:A1:DF:90
          inet addr:10.228.76.59  Mask:255.0.0.0 
          inet6 addr: fe80::5263:5401:24e9:9c9e/64 Scope: Link
          UP RUNNING NOARP  MTU:1500  Metric:1
          RX packets:57637 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:32802 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:55935246 TX bytes:5891840 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0 
          inet6 addr: ::1/128 Scope: Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:0 
          RX bytes:272 TX bytes:272 

eth0      Link encap:Ethernet  HWaddr 00:E0:99:9F:EF:F9
          inet6 addr: fe80::2e0:99ff:fe9f:eff9/64 Scope: Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34030 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:47413 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:4392072 TX bytes:36009043

List of files in directory /data/data/com.android.phone/cache/jetty-0.0.0.0-80-ROOT.war--any-/webinf/WEB-INF/lib (This seems to be the location of the Jetty server runtime classes):

-rw------- radio    radio    10474232 2022-09-06 21:06 classes.zip
-rw------- radio    radio       77587 2020-04-26 23:31 jetty-client-7.5.4.v20111024.jar
-rw------- radio    radio       20195 2020-04-26 23:31 jetty-continuation-7.5.4.v20111024.jar
-rw------- radio    radio      115084 2020-04-26 23:31 jetty-http-7.5.4.v20111024.jar
-rw------- radio    radio       90950 2020-04-26 23:31 jetty-io-7.5.4.v20111024.jar
-rw------- radio    radio       70093 2020-04-26 23:31 jetty-servlets-7.5.4.v20111024.jar
-rw------- radio    radio      215624 2020-04-26 23:31 jetty-util-7.5.4.v20111024.jar

Location of the web interface itself (named ROOT.war and is located in /storage/emulated/0/lrserver):

root@cpf906_35_c2k_36g_p:/storage/emulated/0 # ls -l
drwxrwx--x root     sdcard_rw          2017-01-01 02:00 0
drwxrwx--x root     sdcard_rw          2016-01-01 02:00 apkupdate
drwxrwx--x root     sdcard_rw          2016-01-01 02:00 imgss
drwxrwx--x root     sdcard_rw          2016-01-01 02:00 lrserver
drwxrwx--x root     sdcard_rw          2017-01-01 02:00 obb
root@cpf906_35_c2k_36g_p:/storage/emulated/0 # cd lrserver
root@cpf906_35_c2k_36g_p:/storage/emulated/0/lrserver # ls -l
drwxrwx--x root     sdcard_rw          2016-01-01 02:00 contexts
drwxrwx--x root     sdcard_rw          2023-06-10 17:51 etc
drwxrwx--x root     sdcard_rw          2016-01-01 02:00 tmp
-rw-rw---- root     sdcard_rw       10 2016-01-01 02:00 version.code
drwxrwx--x root     sdcard_rw          2016-01-01 02:00 webapps
root@cpf906_35_c2k_36g_p:/storage/emulated/0/lrserver # ls -lR

.:
drwxrwx--x root     sdcard_rw          2016-01-01 02:00 contexts
drwxrwx--x root     sdcard_rw          2023-06-10 17:51 etc
drwxrwx--x root     sdcard_rw          2016-01-01 02:00 tmp
-rw-rw---- root     sdcard_rw       10 2016-01-01 02:00 version.code
drwxrwx--x root     sdcard_rw          2016-01-01 02:00 webapps

./contexts:

./etc:
-rw-rw---- root     sdcard_rw     1420 2016-01-01 02:00 keystore
-rw-rw---- root     sdcard_rw       49 2016-01-01 02:00 realm.properties
-rw-rw---- root     sdcard_rw    23528 2016-01-01 02:00 webdefault.xml

./tmp:

./webapps:
-rw-rw---- root     sdcard_rw 13773890 2016-01-01 02:00 ROOT.war

(The ROOT.war file seems to contain all the .jar files from the previous quote + the html files required to run the web interface from the first picture).

The .jar files of the jetty server each contains a directory named "META-INF/maven/org.eclipse.jetty/<name_of_jar>" that contains a pom.xml and pom.properties files, but I don't know where the setting needs to be changed at, and also I'm worried that if I apply a wrong setting - the web server won't load at all and then i'll basically have no way of connecting to the router.

So I also thought about starting adbd from startup - but that seems to be an even more difficult task.. because from what I checked the init.*.rc files are hardcoded into the boot partition of the router's internal boot disk, and can't be changed without extracting that partition to the disk using dd - unzipping it - changing - zipping - and storing it back to the device .. which I'm quite afraid of doing.

Does anyone here know how to change the settings for this i-jetty server to change the default configuration of listening to all interfaces on port 8080?

Also, if you guys need more information from the device - please let me know and i'll edit the post and add the relevant information.
Thanks in advance.

psherman · June 10, 2023, 6:39pm

This device does not appear to be supported by OpenWrt.

Can you clarify how this question is related to OoenWrt?

frollic · June 10, 2023, 7:00pm

You could try to play around with it, as described in https://www.blinkenlights.ch/ccms/posts/aliexpress-lte-1/

mikiberkovich · June 12, 2023, 9:58am

Thanks - that link you posted realy helped me!

Just wanted to update - in the end, the problem was not in the software, but it was in the iptables rules on the router. There was a rule on NAT that did a redirection from port 8080 to port 80 - once I removed it, it opened up this port block.

Now I just need to figure out how to make this change permanent, because still after all.. it's an android OS.. and all the iptables rules and stuff are hardcoded in the java classes there.. and the boot sequence is hardcoded into the boot partition.. so.. it's still not completely over.. but at least i found a fix to the problem..

P.S: @psherman why doesn't OpenWrt support this device? It is quite popular. is it a problem with porting MT6735 kernel or something?

frollic · June 12, 2023, 11:45am

seems there's no support for it in Linux - UFI6735 - MediaTek MT6735 4G/LTE + WiFi + USB-stick-router

psherman · June 13, 2023, 12:34am

Popularity is not the whole picture for supporting a device... as @frollic stated, there's apparently no support for it in the Linux upstream... that makes development nearly impossible (and/or it would have to be added from scratch which would be a massive undertaking).

psherman · June 23, 2023, 12:35am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.