Your One-Stop I.T. Source

Monday 04 November 2024  



Page Last Updated:
5/17/04 8:13 PM*
Page Creation Date:
2/05/04 3:51 PM*
* Eastern Time Zone

Join the Mailing List:
Name: 
Email:  


Hosted By:


Hacking Your Cable Modem...


I am not responsible for misuse of this information. I am not the author either!

This article describes how to uncap your cable modem. I am not sure if this really works (although it sounds like it does) because I have not tried it.


As the site owner, let me say that this is ILLEGAL! It violates nearly EVERY ISP's "acceptable usage policy." Do this at your own risk. Penalties could include: termination of service, fines, or jail time. I found this tutorial while surfing around the Internet.

Hello.

I will remain anonymous for the time being.

There has been several debates on how to unlock/uncap DOCsis cablemodems.  
There are many trivial attempts out there that claim to have succeeded in 
doing this, which may be true.  It is very much possible to do this.  With 
luck your CISP (Cable Internet Service Providers), are very uneducated on how 
this very new technology works and leave some key loopholes open for you to 
grab vital information on how to accomplish this task.

As for myself,  before the modified configuration was downloaded into the 
modem.  My speed cap varied depending on the time of day.  I seemed to reach 
a limit of around 42 KB/s upstream and around 250KB/s Downstream.  Of 
course, this varied by the time of day.  My Downstream only seemed affected, 
since its vastly used up by others more often than the upstream would be, 
considering the knowledge of all the users having cablemodems on my Node, 
for them to know how to set up a FTP server and serve files, is limited.  So 
the upstream seemed consistant.  Don't get me wrong 42 KB/s upstream is not 
toooo horribly bad, unless you've been awfully spoiled by some other means 
of a broadband service.

Okay here we go.  I'm going to try to explain myself as best as I can to 
accompish re-configuring your SB4100 or SB3100 cablemodem (Haven't tried the 
Toshiba DOCsis).


For Linux users  your going to need some type of capturing device to look @ 
incomming packets.  BOOTP & DHCP server requests and sends.  Some CISP's 
packets can be torn apart to find some key information, such as,  your TFTP 
server address.  I will discuss what the TFTP server does for you, later.

Also, I didn't complete this task using Linux totally.  The only program I 
used in Linux was 'docsis'. http://docsis.sourceforge.net and 
http://docsis.sourceforge.net for the latest news on this software.

I think the latest version is 0.6.2 and is packed in 
'docsis-0.6.2-RELEASE.tar' This program requires the  latest version of 
uucd-snmp.  So make sure to look for it on your distro CD, as in most cases 
its not installed by default.

As far as Windows 2000 apps.  It seems as if more programs were made for 
this OS to make this task eaiser.  There's a program called QUERY.EXE
 which is a BOOTP packet request program that will tell you 
everything you need to know, without all these extra steps.    It will 
display the  Image Filename, TFTP server address, which is really all you 
need to get started.  You can download TFTP server software here.


The image filename is called a 'octet'.  Which is a binary file that is 
encrypted with MD5 to set particular configurations on the cablemodem.  One 
of which is the   MaxRateDown 2621440;    MaxRateUp 393216;.  This was my 
CISP settings. Which you can see is similar to what speed I was getting.  
40KB/s up and 250 KB/s down.

To use this BOOTP QUERY tool, you need the MAC address of your cablemodem.  
You can either look @ the back of the modem to get this Address or you can 
logon to your Cablemodem with your Web Browser @ http://192.168.100.1.  
This are internal HTML pages stored within your DOCsis cablemodem (SB4100 
and SB3100)  That gives you even more vital information on configuration.  
On the SB3100 it actually shows your bandwidth cap.  On the SB4100 it 
doesn't seem to give you that information under Signals.  Unless its turned 
off by your CISP.  This feature might be totally turned off by your CISP.  
But your not out of luck yet.  Just get the MAC address from the back of the 
modem, and Type/Paste it in the  MAC address field within the QUERY tool, 
and let it go to work.  It might take a few minutes to get a request.  It 
will eventually show the information you need.  TFTP server address & image 
path/filename.

Also commview 2.3 is a sweet ass capturing/sniffing tool for Windows.  Make 
sure you install this app also, to actually debug your progress and to 
better understand how this is actually performed.

Once you have this information, your pretty much set almost.

Now, in Linux you can retrieve this octet file straight to your harddrive.

# tftp server ip
  tftp> get image
Received 'x' bytes in 0.0 seconds
  tftp> quit

# ./docsis -d image

! sample information decoded from a octet configuration image file.

Main {
NetworkAccess 1;    !Set this to 0, and get no access to Internet!
ClassOfService  {   !Could do some damage w/ this SNMP config!
ClassID 5;
MaxRateDown 2621440; !har har har!
MaxRateUp 393216;    !har har har!
}
MaxCPE 2;            ! How many computers you can connect & get IP's for
CmMic 8ba1d8a612c718a44eeaf9198354eee4;
CmtsMic 60937b8b4e92b336d87f9bf79e15db98;
/* EndOfDataMarker */

In Windows:

C:\tftp -i server IP GET source file local file name
Okay now you have your octet config.

There is not program for Windows that will decode this octet as far as I 
know.  Must get this file over to a Linux box and decode it and then use the 
program to change what you want and then re-encode it.  If your unsucessful 
with encoding a file, there are some /examples with the 'docsis' program.  I 
also have a modified octet that might work on your network also. Depending.


How to download the new config to your cablemodem.

Your going to need a tftpd server started up pointing to the base directory 
in which the octet file is located. REMEMBER!  If your cablemodem requests a 
path along with the filename, you need to replicate that process.  AS for 
me, there was no pathname, meaning pathnames were turned off.  If your bootp 
query tool, says that the image filename was /image/cflrrIP1.bin , then you 
need to replicate these variables, so the cablemodem will accept.  So it 
most cases you would just create a directory /image  and put the octet in 
that directory making it /image/cflrrIP1.bin on a tftp request.

In Windows, download tftpd32.exe  and set up accordingly, and make sure to 
turn the Security off.  The static UDP port for tftp is 69,  so with 
security on its only going to listen to that port.   Most of these 
cablemodems will request the packet on UDP port 1025.

Set the Base Directory to where the filename is, and whalla, your server is 
set up.  If you need to replicate a directory pathname along w/ the octet, 
then make a directory from root, that cooresponds to the image pathname, and 
select Translate Unix Filenames.


Once you've got the tftp server up and running,  you can test a request from 
the command line. See if its working properly.  If it is, your ready to 
IPALAIAS your NIC card, to trick the modem that your NIC is the TFTP server.

To do this, in Linux, use ifconfig to manually set the IP of the NIC card.

In Windows, just go into your Network Interface properties, select TCP/IP 
protocal properties, and then click on Use the Following IP address.

!Linux Users use this also!

IP Address : TFTP server address
Subnet MASK: 255.255.255.0
Gateway:     192.168.100.1

Make sure you set the gateway to 192.168.100.1 or it will not work properly, 
  tftpd or tftpd32 won't be able to send a 'ack' to initate the transfer, 
and the modem will just sit there, the Online LED will just sit and blink, 
cause it cannot reteive the config file.


Now, just cycle power on your cablemodem w/ all these 
settings/configurations and wait.  The modem will boot back up, and AS SOON 
as the SEND light goes solid, you should see a receive on your server window 
(In Windows).  In Linux, I have no idea, if you can even see the transfer, 
cause its a background process.  Might be a logfile in /etc/xinetd.d 
possibly.



Whalla!  You are uncapped now,  Test out by setting up a FTP server and 
start serving files.  Bandwidth meters are shit, and they are very 
inacurate.  The best way is to get a bunch of people sucking bandwidth from 
you and watching to see how high it goes upstream

On the downstream side, hewh, you know what to do!

If any of you need any clarification on this matter, please don't hesitate 
to e-mail me @ goldtitty@hotmail.com. goldtitty@hotmail.com  I will respond as fast as I can.  You 
can reach me on irc.dal.net n0risc,  yes thats a Zero. 0



Have Skullbox Webmail? Check it here





Copyright © 2002-2004 Skullbo