Modding Cable Modems

Computer Hardware and electronics in general.
DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Modding Cable Modems

Post by DNR »

This is the result of a split thread; it went off-topic in the Kevin Poulsen discussion and had good results.
This is now a thread on hacking cable modems and understanding the cable network topology.

DNR
Last edited by DNR on 20 Jan 2009, 12:12, edited 1 time in total.
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

computathug
Administrator
Posts: 2693
Joined: 29 Mar 2007, 16:00
Location: UK

Post by computathug »

OK, we have been doing this with modems for the last 5 years or so. We have been bypassing the TV boxes for cable TV since before that. Over here we have Virgin Media, which was NTL, Starview (25 years ago), but it should all work on the same principle as it's all cable.

The modded modems are now running at 50mb and usually last quite a long time as long as certain rules are followed, like making sure you don't use the MAC address within the same district, as if you are both online at the same time it is possible to get the modem flagged.

This works by using a looper and flashing the modem and then changing the MAC address. Once the modem is connected the ISP auto-issues an IP address, so this isn't significant here; it's the MAC address that's the most important thing to take care of.

If anyone wants some more info on this I will write a tut, but this will be based on the services that are running in my country, so it won't be directly applicable to yours but should give a basic idea of what needs to be accomplished.

This information will be available for learning purposes only. What you use the information for will not be my responsibility!! :lol:

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

Post by Still_Learning »

I already have a modem which fits specifications, and it's under warranty so I can break it as many times as I want and get a new one. I think I will read more into it; I have the ebook, just haven't read it yet. There needs to be a software or something as well from what I read in the Wired article; it's called Sigma. Should find it like this pretty easy

http://www.google.com/search?hl=en&q=inurl%3A%22Sigma%22%2Btorrent&btnG=Google+Search&aq=f&oq=
I may check the ebook out

and thug; I've known about the free cable TV forever lol, since the black box with a dial and like 90 channels to the satellite cards, and YES please post a tut on it, something maybe for info for US people as well :D
Gone


short take on cable networks

Post by DNR »

The reason modem hacking works: each segment of the cable company's network is a wide open port on the company's backbone. Your apartment building or neighborhood all tie in to a single pipe into the cable company's hub.

DSL means you use a direct-line, like your telco line - so they know who you are via your location. Trying to mess with your upload or download speeds will be noticeable, and traceable. You cannot sniff your neighbor's traffic as he is isolated from you via the telco's network. This is considered a proper digital network, each client has a direct line to a single port on the hub.

The cable system is different, it's messed up. All these open lines bundled together, and the signal picked up at the end of the bundle - hence you can't be sure where the signal actually came from inside the bundle. Remember, the cable company is using a cabled network that was originally intended for distributing TV signals! This was not a proper network setup like a direct-line DSL/telco network. So hacks on the cable service are much like hacks on a local network segment - an open port on a hub.

The legitimate use of modded modems makes sense, if you want to download big files, you want to be able to mod your modem to increase your tx/rx rate. Why should an elite user be restricted to 'normal user' rates? This is called Uncapping, when you mod your modem to go faster.

The cable company controls the bandwidth used by all clients on the local network by fixing modems to a moderate level of receiving and sending, tx/rx. This way they can offer all the clients the same level of service, QoS. They call it service provider limit, or upload cap. Yes, when you speed up your download speeds - you are killing your neighborhood's QoS. :lol:

The spooky thing about modding modems is changing your MAC and IP to send and receive packets just as if you were your neighbor. ARP attacks are possible, man-in-the-middle attacks, or total anonymity!
You can spoof your neighbor's MAC/IP, it would be just like you were wardriving, and sat on his open wifi connex. This is just a simple local network exploit, the cable company's Hub does not know the difference between your packets and your neighbor's. You could route everyone in your neighborhood through your computer and sniff like a bloodhound looking for pussy! :lol:

But that's illegal and violates your ToS with your cable company.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.


Post by Still_Learning »

:lol:

Nice post DNR, yet another great reason to mod my modem. My cable company offers a certain amount of bandwidth for a price, for example say they are supposed to guarantee 15/Mb/ps for 50$ a month. What am I to do if I am getting only 400Kb/ps download speeds and their help desk is no help? I will have to edit the modem myself. I see nothing wrong with it; if they really wanted to fix it, their company could create more jobs and new software to help prevent it from happening. More jobs for programmers
Gone


Moorer

Post by DNR »

This software will sniff out all the users on your cable modem server, giving you the information shown below. Once you get a modded cable modem, (preferably from www.tcniso.net) then you can actually clone anyone you want and become them. There is no tracing you in any easy ways, so most cable companies won't even bother.. they will waste too much money. It will all lead just back to the original owner of whoever you're cloning. Just make sure not to sniff out machines on YOUR network, find a friend on a different gateway so you're not coming from the same node.
--
You get blackcat and a modded Motorola modem which has been soldered and has a modified serial cable to connect to the mainboard for flashing, which gives you the ability to change your burnt in MAC Address, not your hardware level, and hundreds more options. This would change the whole modem's identity.

For one, you can get free cable internet, that's the biggest and best thing about it. Once you clone someone's MAC address, that modem instantly becomes them. Given you are now anonymous on someone else's cable MAC, you can sniff out other people's configuration files, download them and re-upload them via Blackcat (a hacked firmware that gives you all options that a developer would have for Motorola cable modems) and have business level cable.

"sounds pretty cool, doesn't it cause problems when two modems are online as the same one?"

Nope, no problems at all. All they are is a MAC Address, and since your cable modem will be assigned through DHCP it will just be assigned a new IP address different from the original modem you cloned. Best way to do it is to make sure the person you cloned is on a different gateway, so at least the same MAC is coming from a diff gateway, less chances of raising a red flag.

---

Cable Modems broadcast packets just have to be converted into readable format, which is what mine does along with the sniffing and capturing.

The main reason why it's always been a tip of being a different gateway is more than likely because the software they use to manage the modem MACs is split into separate lists for each gateway. This would allow you to basically register a whole new person, in general terms, since you're on a whole different gateway, chances are they won't notice.

Hmm, I don't believe there has ever been a cable modem company who has determined this from a computer name. @Home I believe was once Comcast, and they have always been determined by the MAC Address, they just used to make you have a computer name associated with your account, which you never really needed to use anyways. The cable modem would work without all that extra information.
----


Is it possible to change the MAC address of a cable modem?
Yes, the MAC address of a cable modem is usually written on the Flash memory used to store the modem's firmware. This data can often be changed in many ways and varies by cable modem model. The methods include using a RS-232 V2 board (effective on Surfboard models SB3100, SB4100, and SB4200) to boot shell enabled firmware that allow you to execute the 'factdef ' command. You can also use an E-JTAG cable such as BlackcatUSB to manually reprogram the Flash data which is effective on Surfboard models SB5100 and SB5101. Additionally, cable modems that have been modified with SIGMA enhanced firmware allow you to change the MAC address from the modem's diagnostic HTTP menu.

Can two cable modems go online with the same MAC address?
It is possible for two cable modems to connect with the same MAC address, but only under certain circumstances. If a cable modem has been cloned (its MAC address has been changed to match that of another modem) it will not be able to go online in the same area because the two MAC addresses will conflict with each other. However, if you move the modem to another part of your city, you may be able to go online with it because it will be using a different coax hub/router at the ISP’s head end.

What is SIGMA firmware?
SIGMA is a firmware modification designed to give the end user complete control over a cable modem; it is not designed to allow users to steal service. It is intended to be used only by users who own their own cable modem as opposed to those renting one from their service provider. SIGMA is configured through its own easy to access HTTP interface or Telnet shell. SIGMA also gives users many embedded tools such as a firmware or MAC changer. SIGMA enhanced modems have more features and capabilities than regular modems. The SIGMA is a highly portable assembly module that is not limited to a single cable modem; however the SIGMA-X firmware is designed only for use with the Surfboard SB5100 cable modem.

---

DOCSIS® (Data Over Cable Service Interface Specification), defines interface requirements for cable modems involved in high-speed data distribution over cable television system networks. The certified cable modem project also provides cable modem equipment suppliers with a fast, market-oriented method for attaining cable industry acknowledgment of DOCSIS compliance and has resulted in high-speed modems being certified for retail sale.

Cable operators and CableLabs require interoperability among DOCSIS modems. While no CableLabs member company will be required to purchase DOCSIS modems, it is expected that the majority of modems purchased will be DOCSIS certified.

--

Overview
The Cable Modem & The CMTS
Cable modems are devices at the subscriber premises that convert digital information into a modulated radio frequency (RF) signal in the upstream direction, and convert the RF signals to digital information in the downstream direction. Another piece of equipment, called a cable modem termination system (CMTS), performs the converse operation for multiple subscribers at the cable operator's headend.

DOCSIS
Cable television operators have transitioned from a traditional core business of entertainment programming to a position as full-service providers of video, voice, and data telecommunications services. Cable modems based on Data Over Cable Service Interface Specifications (DOCSIS®) are among the fundamental devices making this transition possible. To date, the most successful and cost-effective method for providing high-speed data services is via cable modems compliant with the DOCSIS specifications.

DOCSIS 1.0 provides basic broadband Internet connectivity for one or more devices in the home. Among other things, it includes the ability to rate-limit (cap) a particular customer's data rate to a cable operator selected value.

The ARRIS C4 Cable Modem Termination System is an industry-leading high-performance carrier-class CMTS for advanced IP services. The C4 CMTS allows cable operators and multiple system operators (MSOs) to provide advanced voice, data, and multimedia services over a converged IP network to residential and business subscribers.

The C4 CMTS features a superior set of integrated Layer 3 edge routing capabilities combined with DOCSIS® RF functionality in a single carrier-grade system architecture. The C4 CMTS is DOCSIS® 2.0, Euro-DOCSIS 2.0 and PacketCable™ 1.0 qualified. The ARRIS C4 Integrated CMTS (I-CMTS) achieved DOCSIS 3.0 Bronze qualification in CableLabs® Certification Wave 56.

A headend cable modem termination system (CMTS) communicates through these channels with cable modems located in subscriber homes to create a virtual local area network (LAN) connection. Most cable modems are external devices that connect to a personal computer (PC) through a standard 10Base-T Ethernet card or Universal Serial Bus (USB) connection.

The cable modem access network operates at Layer 1 (physical) and Layer 2 (media access control/logical link control) of the Open System Interconnect (OSI) Reference Model. Thus, Layer 3 (network) protocols, such as IP traffic, can be seamlessly delivered over the cable modem platform to end users.

Unlike circuit-switched telephone networks where a caller is allocated a dedicated connection, cable modem users do not occupy a fixed amount of bandwidth during their online sessions. Instead, they share the network with other active users and use the network's resources only when they actually send or receive data in quick bursts. So instead of 200 cable online users each being allocated 135 kbit/s, they are able to grab all the bandwidth available during the millisecond they need to download their data packets – up to many megabits per second.


[Image: a CMTS]

[Image: you are before a FIBER NODE]

--
reference
http://bbs.progenic.com/Topic2824-11-2.aspx

http://www.tcniso.net/
http://www.tcniso.net/Nav/Tutorials/

<nothing here!, seriously! WTF!>
http://www.moorer-software.com/

http://www.cablemodem.com/specification ... ons11.html

Real nice guide on CMTS controls, with illustrations
http://slimjim100.com/commands.pdf

http://www.arrisi.com/products/c4/index.asp

Nice primer with illustrations
http://www.lightreading.com/document.as ... 9&site=cdn

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
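
From the operator's side, the point made in the post above (modem MAC lists kept separately per gateway, so a duplicate MAC on another gateway goes unnoticed) is addressed by correlating registrations across every CMTS. This is an added example, not from the thread or from any vendor tool; the log format, CMTS names and MAC values are constructed assumptions:

```python
"""Added example: flag modem MACs registered on more than one CMTS at once."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data): time, CMTS name, modem MAC, event.
SAMPLE_LOG = """\
2009-01-20T10:00:00 cmts-north 00:11:22:aa:bb:01 online
2009-01-20T10:05:00 cmts-north 00:11:22:aa:bb:02 online
2009-01-20T10:30:00 cmts-north 00:11:22:aa:bb:02 offline
2009-01-20T11:00:00 cmts-south 00:11:22:aa:bb:02 online
2009-01-20T11:15:00 cmts-south 00-11-22-AA-BB-01 online
2009-01-20T11:40:00 cmts-south 0011.22aa.bb01 offline
"""

def normalize_mac(mac):
    """Reduce colon, dash and dotted MAC notations to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def find_concurrent_duplicates(log_text):
    """Return [(mac, sorted CMTS names, time)] each time an overlap begins."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, cmts, mac, event = line.split()
        events.append((datetime.fromisoformat(stamp), cmts, normalize_mac(mac), event))
    events.sort(key=lambda e: e[0])  # feeds from several CMTSes arrive interleaved

    online = defaultdict(set)  # mac -> CMTSes where it is currently registered
    alerts = []
    for stamp, cmts, mac, event in events:
        if event == "online":
            was_single = len(online[mac]) <= 1
            online[mac].add(cmts)
            # A modem that went offline and moved is fine; two live homes is not.
            if was_single and len(online[mac]) > 1:
                alerts.append((mac, sorted(online[mac]), stamp.isoformat()))
        elif event == "offline":
            online[mac].discard(cmts)
    return alerts

if __name__ == "__main__":
    for mac, where, when in find_concurrent_duplicates(SAMPLE_LOG):
        print(f"{when} MAC {mac} online on {', '.join(where)}")
```

The modem that goes offline on one CMTS and later registers on another is treated as a move and not flagged; only simultaneous registrations raise an alert.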
