Online (previously Wanadoo/Orange) is currently testing a new modem to replace the ‘Livebox’. The new modem is a Speedtouch 706 (WL) and to prevent people from accidently breaking it or use the modem on different DSL networks nearly all administrative options are disabled.
Unlike the old Livebox, you only get limited access to forward ports and change the wifi SSID and password. Even DynDNS support, which was perfectly usable in the Livebox, is disabled.
Looking for a way to disable the built-in DHCP server and change the default IP address of the Speedtouch 706 I tried flashing the device with the original firmware instead of the locked one. However, the firmware updater refuses to flash because of incompatibility.
This didn’t stop me and using TFTP I tried forcing the flash, but again, this didn’t work.
After some googling I came across a vulnerability in the Speedtouch 780, that allows you to access any page of the webinterface, even the ones you shouldn’t have access to. Using this vulnerability it’s possible to download the modem’s configuration, change it in a text editor and upload it again.
Thanks to this vulnerability I was able to disable the DHCP server and change the symmetric NAT implementation to cone NAT. The default configuration makes it nearly impossible to play online games based on a player-to-player architecture. C&C3 and Supreme Commander are two games that use this technique to allow players to play against eachother. With the original configuration I was unable to connect to about 80% of players in Supreme Commander, now with the cone NAT configuration I no longer have any issues.
You can find instructions to download/upload the Speedtouch configuration here and you can find/replace these bits in the user.ini to get cone NAT instead of symmetric NAT:
connection bind application=CONE(UDP) port=0
connection appconfig application=CONE(UDP) timeout=0
ids config state disabled