Thomson Cable Modem Hack Software
I've got a unit the cable provider does not want back, so it is time to open it up and check for the two UARTs. Hacking Cable Modems (higher speeds, free internet): cable modem hacking is a medium-difficulty task. In this tutorial I will show you how to hack a cable.
Hundreds of thousands of internet gateway devices around the world, primarily residential cable modems, are vulnerable to hacking because of a serious weakness in their Simple Network Management Protocol implementation. SNMP is used for automated network device identification, monitoring and remote configuration. It is supported and enabled by default in many devices, including servers, printers, networking hubs, switches and routers. Independent researchers Ezequiel Fernandez and Bertin Bervis recently found a way to bypass SNMP authentication on 78 models of cable modems that ISPs from around the world have provided to their customers. Their internet scans revealed hundreds of thousands of devices whose configurations could be changed remotely through the SNMP weakness. Versions 1 and 2 of the SNMP protocol don't have strong authentication to begin with: they provide either read-only or write access to a device's configuration through passwords called community strings.
By default these passwords are 'public' for read-only access and 'private' for write access, but device manufacturers can change them in their implementations, and it is generally recommended to do so. The leaking of sensitive configuration data through the default 'public' SNMP community string is a known problem that has affected many devices over the years; in 2014, researchers from Rapid7 found it in almost half a million internet-connected devices made by Brocade, Ambit and Netopia. However, what Fernandez and Bervis found is much worse: devices from multiple vendors that accept virtually any value for the SNMP community string and unlock both read and write access to their configuration data.
The two researchers first located a small number of vulnerable devices, including the Cisco DPC3928SL cable modem that's now part of Technicolor's product portfolio following the company's acquisition of Cisco's Connected Devices division in 2015. The researchers claim that when they reported the issue to Technicolor, the company told them that it was the result of an access misconfiguration by a single ISP in Mexico rather than a problem with the device itself. This prompted the researchers to perform a wider internet scan that resulted in the discovery of 78 vulnerable cable modem models from 19 manufacturers, including Cisco, Technicolor, Motorola, D-Link and Thomson.
The number of vulnerable devices that can be targeted directly over the internet ranges from less than 10 for some models to tens and hundreds of thousands for others. For example, there are almost 280,000 vulnerable Thomson DWG850-4 devices on the internet, most of them in Brazil, according to the researchers. The researchers believe that the underlying problem is located in the SNMP implementation used by the modems, rather than being the result of misconfiguration by ISPs. Regardless of the cause, the problem is serious, as attackers could exploit this flaw to extract administrative and Wi-Fi passwords or to hijack devices by modifying their configurations.
There's not much that users can do if their ISP supplied them with a vulnerable device, other than ask for a different model or install their own modem. Unfortunately, not many ISPs allow their residential customers to use their own gateway devices, because they want uniformity and remote management capabilities on their networks.
Determining if a particular device is vulnerable to this issue is possible, but requires a bit of work. An online port scanner like ShieldsUp can be used to check whether SNMP is reachable over the device's public IP address. If SNMP is open, a query sent with the 'public' community string, and then with a random one, shows whether the device's SNMP server returns valid responses to either.
At the very least this would indicate an information leak problem.
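The check the article describes, as an added example that is not from the article or the researchers: a minimal SNMPv1 GetRequest for the read-only sysDescr.0 object is built with the standard library only, sent to a modem's address with the default 'public' string and then with a random one, and the reply is parsed to see whether the agent answered at all. The host address, the random request-id and the community strings are values the caller supplies; nothing on this page specifies them.

```python
import os
import socket
def ber_tlv(tag, payload):  # BER tag-length-value; long-form length once the payload reaches 128 bytes
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
def ber_int(v):  # non-negative INTEGER; the spare 0x00 byte keeps the sign bit clear
    return ber_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def ber_oid(oid):  # first two arcs share one byte, the rest are base-128 with continuation bits
    out = bytearray([40 * oid[0] + oid[1]])
    for sub in oid[2:]:
        chunk = bytearray([sub & 0x7F])
        while sub > 0x7F:
            sub >>= 7
            chunk.insert(0, 0x80 | (sub & 0x7F))
        out += chunk
    return ber_tlv(0x06, bytes(out))
def snmp_v1_message(pdu_tag, community, request_id, error_status, value):
    # SNMPv1 (version 0); the community is a plain OCTET STRING; one varbind for sysDescr.0, a read-only scalar
    varbinds = ber_tlv(0x30, ber_tlv(0x30, ber_oid((1, 3, 6, 1, 2, 1, 1, 1, 0)) + value))
    pdu = ber_tlv(pdu_tag, ber_int(request_id) + ber_int(error_status) + ber_int(0) + varbinds)
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + pdu)
def build_get_request(community, request_id):  # GetRequest (0xA0) with a NULL placeholder value
    return snmp_v1_message(0xA0, community, request_id, 0, b"\x05\x00")
def read_tlv(buf, pos):  # -> (tag, value, position just after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length
def parse_get_response(data, request_id):  # well-formed GetResponse echoing request_id with no error?
    tag, msg, _ = read_tlv(data, 0)
    pos = read_tlv(msg, read_tlv(msg, 0)[2])[2]  # skip version and community (echoed back, never authenticated)
    ptag, pdu, _ = read_tlv(msg, pos)
    _, rid, pos = read_tlv(pdu, 0)
    _, err, _ = read_tlv(pdu, pos)
    return (tag == 0x30 and ptag == 0xA2 and int.from_bytes(err, "big", signed=True) == 0
            and int.from_bytes(rid, "big", signed=True) == request_id)
def community_accepted(host, community, timeout=2.0):
    # A v1 agent silently drops a bad community: timeout = rejected (or port closed), valid reply = read access
    rid = int.from_bytes(os.urandom(3), "big")  # random request-id so stray replies are ignored
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, rid), (host, 161))
        try:
            return parse_get_response(sock.recvfrom(4096)[0], rid)
        except (socket.timeout, IndexError):  # no reply, or a malformed one
            return False
```

Running `community_accepted(host, os.urandom(6).hex())` against your own modem and getting True is the "accepts virtually any value" behaviour described above, while True for 'public' alone is the plain information-leak case.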
An anonymous reader writes 'Those unemployed are at it again. The group known as TCNiSO has released a very interesting hardware modification for RCA / Thomson cable modems. The modification is done by grounding the bus clock on the serial EEPROM, which throws the device into a diagnostic panic mode. Then, by using the debug tools from the embedded console to reprogram the EEPROM, a user can permanently enable a developer's menu which gives complete control of the modem, such as modifying the hardware addresses or flashing new firmware. Now if only these guys can figure out how to enable the Bluetooth on my v710 phone.' Just remember that some cable ISPs use modem MAC authentication and changing your MAC address could possibly disable your access to the Internet.
Some cable ISPs use 'bottom-up' provisioning which allows you to re-register your modem's MAC address and tie it to your account (useful if you buy your own modem), but others could still be using manual provisioning which could cause delays in regaining block-sync. Personally, don't fuck around w/ your cable modem. It works just fine the way it is. Hacks are a wonderful educational/mental exercise but I wouldn't exactly be trying this if you don't want to lose connectivity to your ISP. As a Time Warner employee for the Austin TX area, our cable modems (regardless of brand, be it 3com, Ambit, Toshiba, etc.) have a 10.x.x.x IP address that is not accessible to the public. Only if you have direct access to the CMTS system can you upload new BIN configuration files to these modems on the fly. If you make any changes to the modem by chance and uncap your modem, some fuzzy-logic software will check the checksum of the bin files on that modem (so I've been told by the abuse department).
If that bin file has been modified or the firmware flashed to something other than what it's supposed to have, expect your account to be disabled. Chances are at this point, there will be no negotiation. If so, you will have to find another ISP, as we do not tolerate whatsoever people uncapping their modems.
And believe me, we have quite a nice tech-savvy population in Austin that DO try to get away with it. Heh, I suspect you don't have much clout with the policy guys at Time Warner. Technically, would the intra-network idea be possible and essentially free to the company? Interesting that you mention games because the San Antonio (I'm from there, now in Austin at UT) RR team actually runs a few game servers inside the network.
Which makes for really good ping times, but still, high bandwidth between my neighbors would be awesome. What is the max bandwidth for a cable system? I've heard people saying that the DOCSIS.
However, one could easily make a note of the original MAC address and change it back to the original if it causes a problem. On the topic of MAC addresses, I'm not sure if enough people treat it as a privacy issue. AFAIK, MAC addresses are globally unique, thus uniquely identifying an individual user. Even IP addresses are sometimes dynamic (depending on the ISP), and can be 'masked' by using a suitable proxy. MAC, OTOH, is almost like a digital fingerprint. Does anyone else share the same con. I was wondering about this.
It seems, to me, that this hack will render your modem useless on the cable network. What's the advantage of that? Changing the MAC address will effectively cut off service to your modem. Being able to update the firmware sounds nifty, but do you have new firmware that you need to install? Is there some service that you need so badly, on a cable modem, that you would spend your time writing new firmware for it?
I just don't see the advantage to this hack. I can see the advantage.
It works just fine the way it is. And what if it doesn't? I know I was calling my cable company every week, month after month, and they sent a different trained monkey out every time, to change a different section of wire, and declare the problem all fixed. For about 5 minutes after they left. I'm glad I switched to DSL. But for those who might not have such an option, it's nice to be able to get detailed info yourself, and possibly make the necessary changes to get your service working.
Isn't this sla. I just wish the US ISPs would open their eyes and allow us higher speeds, like almost the rest of the world. Not to disagree with you, because I like fast downloads as much as the next guy, but how much bandwidth do we really need with current technology? Hell, Roadrunner is upgrading from 3.0 Mbps to 5.0. What do you really need all that speed for? At 3.0 I can download an entire Linux CD in less than 40 minutes. If you bump up the speed to insane amounts on the current infrastructure (what's the tops f.
Until they are discovered and those modified cable modems are de-serviced? I was wondering if people could use a modified firmware that would report a valid modem config file back to the ISP when the ISP scans for ones that were not sanctioned.
The ISP could powercycle the modems remotely and push new firmware to all the modems rather easily. I would assume that the pushed firmware would include a way to block unauthorized firmware from connecting to the network. Who knows if they'd be that interested though?
Remember these cable modem tweakers that were raided by the FBI? Those individuals were 'uncapping' their cable modems by changing their modem config file and uploading it to their modems. That could be labeled theft of service, as you are effectively stealing bandwidth that you didn't pay for. Modifying the firmware on your cable modem doesn't necessarily have to mean uncapping your modem config file and upping your possible bandwidth. In fact, this method is quite a bit more difficult than just editing the modem config file (as it requires a hardware interface, not just a TFTP server). Those individuals were 'uncapping' their cable modems by changing their modem config file and uploading it to their modems.
That could be labeled theft of service, as you are effectively stealing bandwidth that you didn't pay for. Silly question. How does one measure the amount of theft in these cases? If you are not paying for the service this is easy: the theft would be equal to the monthly rate normally charged.
But if you are paying for service how can you measure the amount of theft th. They didn't circumvent any mechanisms protecting copyrighted data in order to use that data. (and this is strictly what DMCA is about) You could say they circumvented the protection (doubtful, the protection wasn't anywhere near to 'efficient' as DMCA states) to access the copyrighted firmware. Except their aim is not to steal the original firmware but to replace it with their own, so the intent part isn't fulfilled at all. If they downloaded the firmware and started spreading it over BitTorrent, sure, t. Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone.
Try the discussion forums over at wirelessadvisor.com. I posted a teaser message there once regarding the Motorola T720. By using the USB modem cable and a COM port sniffer, I determined that extended AT modem commands were used to synchronize the phone with the desktop. By posting my findings, someone took the initiative and started a Yahoo! Group for hacking the T720.
Within a month, the group had 400 members and within five months the group had collectively hacked the T720. The only way you can possibly benefit from this is to uncap the modem, which is about as kosher as petty shoplifting.
And you wouldn't need to reflash the modem for it anyways. So, if you are not uncapping it, then what's the point? It's not like you are going to add any badly missed features, or make a Linux print server out of it. Maybe it's just my lack of imagination, but I just don't see any practical uses for a hacked cable modem. I mean, other than getting the inner satisfaction from proving that you are actually able to read and flash the EEPROM :-). But then, you could just use a screwdriver and an EEPROM programmer. The group known as TCNiSO has released a very interesting hardware modification for RCA / Thomson cable modems.
The modification is done by grounding the bus clock on the serial EEPROM, which throws the device into a diagnostic panic mode. Then, by using the debug tools from the embedded console to reprogram the EEPROM, a user can permanently enable a developer's menu which gives complete control of the modem, such as modifying the hardware addresses or flashing new firmware. Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone.'
Whoa, slow down. Corky here can't handle frontpage paragraphs like that first thing in the morning. I worked for a startup cablemodem ISP.
This was the mid-90's, before DOCSIS; we used proprietary equipment. We discovered and hounded the vendor relentlessly about the fact that the modems had a serial port for dial-upstream service. If you jumped a couple of pins on the serial port, reset the modem, and plugged in a serial line at 9600/8/n/1, you'd get the modem's diagnostics (password protected, albeit with a very weak password). The things you could do from the diag screen were downright scary. All this and more. You could determine the downstream and upstream freqs; you could also set the modem to transmit on any upstream frequency at any level up to 60dB.
We played around with it for a bit. We set up a test modem and had it transmit for a second at 60dB on one of our upstream freqs; it took out 400 users' service for about a half hour. Had we done it on the PPV freqs, it would have taken out PPV for a few thousand people. And to my knowledge, they never fixed it. I have been reading the comments thus far and am surprised that no one has hit upon this.
In fact, this is the very purpose of changing the MAC address of your modem. A certain cable ISP around here, their national network is set up such that a user with a MAC address in one part of the country can duplicate their MAC address onto another cable modem and go elsewhere in the country (to another subnet of the ISP), and thus gain free service merely by hooking their cable modem up to a line with their cable TV.