Edition: 1°
Authors: Der Engel
Series:
ISBN: 1593271018, 9781593271015
Publisher: No Starch Press
Year of publication: 2006
Number of pages: 321
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 at the user's request)
File size: 7 MB
To have the file of the book Hacking the Cable Modem: What Cable Companies Don't Want You to Know converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support and they will convert the file.
Note that Hacking the Cable Modem: What Cable Companies Don't Want You to Know is the original-language edition and has not been translated into Persian. The International Library website offers original-language books and does not offer any books translated into or written in Persian.
Acknowledgments

Introduction
My Origin; Why a Book on Hacking Cable Modems?; Why Should I Read This Book?; Cable Modem Hacking Secrets Exposed; This Is the Only Book That Includes Everything!; How This Book Is Organized; Always Hack Responsibly

1 A History of Cable Modem Hacking
In the Beginning; The Cap; DOCSIS: The Cable Modem Standard; DOCSIS Takes Effect; Finding the Holes; TFTP Settings and Config Files; ARP Poisoning; How This Hack Could Have Been Prevented; Cable Modem Hacking Begins; Creating an Executable Hack; Defeating the Message Integrity Check; Fireball and Cable Modem Firmware; How the Firmware Is Upgraded; Isabella; Controlling the Firmware with SIGMA; DOCSIS 2.0; Blackcat; What’s to Come

2 The Cable Modem Showcase
DOCSIS vs. Non-DOCSIS; Standard Features; Wireless Support; Universal Serial Bus Port; External Case; Voice over IP Support; Additional Features; Purchasing Guide; Available Features; The Showcase

3 A Faster Internet
About Coaxial Cable; Hybrid Cable Modems; The Creation of DSL; DSL vs. Cable Modem Service; The Physical Network Layer; Hybrid Fiber-Coax Networks; Problems with Cable Modems; Myths; Sniffing; What’s Really Important?; The Truth

4 The DOCSIS Standard
CableLabs; About DOCSIS Certification; How Data Is Communicated; Detecting Packet Errors; The Basic DOCSIS Network Topology; Data Link Transport Layer; Media Access Control; How Modems Register Online; Versions of DOCSIS; DOCSIS 1.0; Key Features; DOCSIS 1.1; Key Features; DOCSIS 2.0; Key Features; DOCSIS 3.0; Consequences; Why Certify?

5 What’s Inside?
Opening the Case; Debug Ports; The Microcontroller; Input/Output Ports; Hardware Components

6 Firmware
Overview of Hardware Components; Flash Memory; MIPS Microprocessor; VxWorks Operating System; Bootup Process; Firmware Upgrade Process; Firmware Naming Scheme; Study the Firmware

7 Our Limitations
Restrictions on Technology; Why the Limits?; Restrictions on Cable Modems; The Cap; Network Overhead and Bottlenecks; Removing Port Restrictions; Using the VxWorks Shell (SURFboard-Specific Solution); Using SNMP (Generic Solution); Know Your Limitations

8 Reverse Engineering
A History of Reverse Engineering; Recommended Tools; Soldering Irons; Dental Picks; Cutting Tools; Chip Quik; Desoldering Braid; Opening the Case; My Methods; Record Everything; Download the Firmware; Research the Components

9 Cable Modem Security
Upgradeable Firmware; Message Integrity Check; Minimal User Interaction; Cryptography; Certification; Dynamic Configuration; Other Security Measures

10 Buffer Overflows
Types of Buffer Overflow Attacks; The Origin of Buffer Overflow Vulnerabilities; Developing a Buffer Overflow Exploit; The Long Process; The Phone Conversation; The Drawing Board; The Dead Modem; A Quick Lesson About MIPS Assembly Language; Disassembling the Firmware; Our Downfall; Our Comeback; No Time to Rest; The Source Code

11 SIGMA Firmware
Interface; Features; Advanced Page; Addresses Page; Configuration Page; A New Kind of SIGMA; SIGMA-X; Symbol File; Telnet Shell; SIGMA Memory Manager; The Finished Firmware; The Future

12 Hacking Frequencies
The Difference Between DOCSIS and EuroDOCSIS; Changing a SURFboard Modem’s Frequency Plan; Using the VxWorks Console Shell; Using SNMP; Using the SURFboard Factory Mode; When It Doesn’t Work

13 Useful Software
Necessities; FileZilla Server; TFTPD32; TCPOptimizer; HexEdit; OneStep; Information Discovery Software; DocsDiag; Net-SNMP; Ethereal; DiFile Thief; Soft Modding Software; Hard Modding Software; EtherBoot; Schwarze Katze; Fireball Software; Firmware Image Packager; Patch!; Disassembler; Symbol Utility; The Firmware Assembler; Advanced Software; The Interactive Disassembler; SPIM; Reverse Engineering Compiler; Advantages of Firmware Hacking

14 Gathering Information
Using the Modem’s Diagnostic HTTP Pages; Using Ethereal to Find Configs; Set Capture Options; Set Up an Express Filter; The Ethereal User Interface; Using Coax Thief; Using SNMP; SNMP Scanner; DocsDiag; Using SIGMA; NodeScanner; Coax Side Sniffer

15 The Blackcat Programmer
In the Beginning; Developing Blackcat; Building a Blackcat Cable; Parts List; Schematic; Constructing the Cable; Prepare the Common Voltage and Ground Connections; Connect the DB25 Connector to the IC; Connect the IC to the Ribbon Cable; Connecting the Cable; Obtaining the Software; The Blackcat Engine; The Graphical User Interface; How to Hack a SURFboard SB5100

16 Traditional Uncapping
Step 1: Know Your ISP; Step 2: Retrieve the Config Files; Step 3: Change Your Config File; Step 4: Change Your IP Address; Windows 2000 and Later Versions; Windows 98/98SE/Me; Step 5: Upload Your Own Config File; Uncapped

17 Building a Console Cable
The Console Port; What Is TTL?; Examining the Schematic; How to Build a Console Port; Step 1: Gather the Parts; Step 2: Gather the Tools; Step 3: Put the Pieces Together; Step 4: Connect the RS-232 Cable; Step 5: Connect the TTL Lines; Step 6: Connect the Cable; Search for the Console Port; Step 7: Test Your Console Cable; Limitations of a Console Port

18 Changing Firmware
Standard Methods; Method 1: Using a Config File; Method 2: Using SNMP; How to Use SNMP to Change Firmware; Other Methods; Changing Firmware on SB4xxx Series Modems; Using Shelled Firmware; Using Open Sesame; Using Blackcat; Using the Console Port; Some Circuit-Board Console Locations; How to Halt the Boot Process; How to Boot Firmware; Understanding the Bootline; Accessing the Developers’ Back Door; The Hard Way; The Easier Way; Accessing the Back Door; Changing Firmware on SB5100 Series Modems

19 Hacking the RCA
Opening the Modem; Installing the Console Cable; Shorting the EEPROM; Permanently Enabling the Developer’s Menu; Changing the HFC MAC Address

20 Hacking the WebSTAR
Installing a Console Cable; Bootloader Commands; The Firmware Shell; Hacking the Web Interface; New Possibilities

21 The SURFboard Factory Mode
About the SURFboard Factory Mode; Finding the Exploit; The Importance of Assembly Code; About MIPS Assembly Code; Examining the DownloadBitFile() Assembly Code; Enabling Factory Mode; Enabling Factory Mode in SIGMA; Using Factory Mode; Changing the HFC MAC Address; Changing the Serial Number; The Factory MIB Look-up Table; cmFactoryDbgBootEnable; cmFactoryHtmlReadOnly; Hacking with the SURFboard Factory Mode; Devising a Plan; Creating Executable Data; Encoding the JAL Command; Writing Data to Memory; Automating This Process; Executing Your Data; Choosing the Right Function; Disassembling Firmware; Wrapping Up; Viewing the Result; Using Factory Mode to Change Firmware; Writing a Function to Change Firmware; The Symbol Table; The ChangeFirmware() Assembly Function; Understanding the Assembly Code; Hacking the TFTP Client; Installing and Using This Function; Downgrading DOCSIS 1.1 Firmware; Patching the Upgrade Procedure; Obtaining Digitally Signed DOCSIS 1.0 Firmware; Downgrading the Firmware; Additional Resources

22 Hacking the D-Link Modem
The Diagnostic Interface; System Info Page; Cable Status Page; Signal Page; Event Log Page; Maintenance Page; Hacking the DMC-202 Using the Telnet Shell; The Main Menu and Beyond; Main Menu Commands; atp Menu Commands; qos Menu Commands; setup Menu Commands; Debug Menu Commands; show Menu Commands; vxshell Menu Commands; bpi Menu Commands; certificates Menu Commands; TurboDox Menu Commands; How to Change the MAC Address; How to Change the Firmware; The Production Menu; How to Access the Production Menu; Commands for the Production Menu; How to Change the Hardware Parameters; Why Open the Case?

23 Securing the Future
Securing the DOCSIS Network; What Network Engineers Can Do; Upgrade to DOCSIS 1.1/2.0; Disable Backward Compatibility; Enable Baseline Privacy (BPI/BPI+); Create Custom CMTS Scripts; Prevent MAC Collisions; Wardriving and Cable Modems; Consider Custom Firmware; Use Signed Firmware; Secure the SNMP; docsDevNmAccessIp and docsDevNmAccessIpMask Objects; docsDevNmAccessCommunity Object; docsDevNmAccessControl Object; docsDevNmAccessInterfaces Object; docsDevNmAccessStatus Object; Use Active Monitoring; Keep Up to Date; Cable Modem Hackers; Hackers Often Use Spare Modems; Hackers Rarely Use Their Own MAC Addresses; Hackers Often Use Common Exploits and Hacks; When the Cable Company Finds Out; The Future

Frequently Asked Questions
General Questions; Do I need cable television in order to have cable Internet?; How do I know if my service provider is DOCSIS or EuroDOCSIS?; Which was the first cable modem to be hacked?; My cable modem has both a USB and an Ethernet interface. Which one should I use?; Is it possible to change the MAC address of a cable modem?; Can two computers use one cable modem to access the Internet?; Can two cable modems go online with the same MAC address?; Which cable modems can be uncapped (or are hackable)?; Should I uncap my cable modem because my service is slow?; Is DOCSIS 2.0 faster than DOCSIS 1.1?; What does the term “uncapped” mean?; How can I change my modem’s firmware?; Where is my modem’s diagnostic web page?; How do I unblock port . . . ?; What is SIGMA firmware?; Can I use a router with SIGMA?; Can I download the config file from a cable modem?; If I am uncapped, how fast can I download or upload?; Are there any good Internet cable modem resources?; Can I contact you?; Motorola SURFboard-Specific Questions; How many different SURFboard models exist?; What are the differences between the SB4100 and the SB4101?; What are the differences between the SB5100 and the SB5101?; Can I install EuroDOCSIS firmware into a DOCSIS modem (or vice versa)?; Are there any secret web pages in SURFboard modems?; Can I change the SURFboard’s default IP address, 192.168.100.1?; Can I turn off the standby feature through the Ethernet port?; Can I disable the DHCP server on a SURFboard modem?; Can I remove the community string from my cable modem’s SNMP server?; Which SURFboard modems are compatible with DOCSIS 1.1?

Disassembling
Obtaining Firmware; On the Web; From Your Service Provider; Directly from the Flash; Unpacking a Firmware Image; Uncompressing Firmware for SB3100, SB4100, and SB4200 Modems; Interfacing with the ZLIB Decompression Library; Creating Your Own Decompression Program; Uncompressing Firmware for the SB5100 Modem; Extracting the Symbol File; Writing a Program to Extract the Symbol File; Creating an IDC Script; Setting Up the Interactive Disassembler; Working with the Interactive Disassembler; Using What You’ve Learned

Cross-Compiling
Setting Up the Platform Environment; Emulating a Linux Environment; Compiling the Cross-Compiler; Compiling the GNU Compiler Collection (for MIPS); Compiling Your First Program; Loading the Compiled Program into Your Cable Modem; Obtaining Plug-ins; TftpGet; nmEdit

Acronyms
A B C D E F G H I K L M N O P Q R S T U V W

Index

About the Author